Privacy Policy
Last updated: July 2026
This privacy policy explains how Lutheis (operated by Juliette Grieneisen, Schützenstrasse 34, 8280 Kreuzlingen, Switzerland, contact: contact@lutheis.com) collects, uses, and protects your personal data when you use lutheis.com. We are committed to compliance with the Swiss Federal Act on Data Protection (FADP/nDSG, in force since 1 September 2023) and, where applicable to clients based in the EU, the General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for your personal data is: Juliette Grieneisen, trading as Lutheis, Schützenstrasse 34, 8280 Kreuzlingen, Switzerland. Contact: contact@lutheis.com.
2. Data We Collect
Account data: When you create an account, we collect your username, email address, country, and a hashed password (if you register with email) or your Google profile identifier (if you sign in with Google).
Order data: When you place an order, we collect your brand name, brand description, industry, target audience, website goals, domain information, design preferences, logo files, color references, and any additional attachments you provide.
Payment data: We use Stripe to process payments. Lutheis never sees or stores your full card number. Stripe collects and processes your payment details directly. See stripe.com/privacy.
Contact form data: When you use the contact form, we collect your name, email address, and message content.
Order communication: Messages you exchange with us through the order chat are stored together with the related order.
Waitlist data: If you join the waitlist, we store your email address to notify you at launch.
Technical data: We may collect your IP address and browser information through our hosting provider (Railway) for security and performance purposes, including short-lived rate-limiting counters to prevent abuse.
3. Legal Basis and Purpose
Account and order data: Processing is necessary for the performance of a contract (FADP Art. 31(2)(a); GDPR Art. 6(1)(b)) — we need this data to deliver your project.
Payment processing: Processing is necessary for the performance of a contract and compliance with legal obligations (FADP Art. 31(2)(a) and (b); GDPR Art. 6(1)(b) and (c)).
Contact form: Processing is based on your consent and our legitimate interest in responding to enquiries (FADP Art. 31(1); GDPR Art. 6(1)(a) and (f)).
Technical/security data: Based on our legitimate interest in maintaining a secure and functional service (FADP Art. 31(1); GDPR Art. 6(1)(f)).
4. Data Storage and Retention
Your data is stored in Supabase (PostgreSQL database and file storage). Supabase is GDPR-compliant and stores data in the EU region.
Account data is retained for as long as your account is active. You may request deletion at any time.
Order data and related files are retained for a minimum of 10 years to comply with legal and accounting obligations.
Contact form messages are retained for up to 12 months.
5. Third Parties
Supabase (supabase.com) — database, authentication, and file storage. EU-hosted, GDPR-compliant.
Stripe (stripe.com) — payment processing. Certified PCI-DSS Level 1.
Google (google.com) — OAuth sign-in (optional). Google's privacy policy applies to this flow.
Railway (railway.com) — website hosting and deployment. May process request logs.
SMTP provider (udag.de) — email delivery for order confirmations and verification emails.
Umami (self-hosted on Railway) — cookie-free, privacy-friendly visit statistics. IP addresses are anonymized and no data is shared with any third party.
We do not sell, rent, or share your personal data with any third party for marketing purposes.
6. Cookies and Local Storage
We use a session cookie (managed by NextAuth) to keep you signed in. This is a strictly necessary cookie and does not require consent.
We store your language preference in your browser's localStorage under the key 'lutheis_lang'. This contains no personal data.
Stripe may set cookies during the payment process for fraud prevention and security purposes.
We do not use advertising cookies or third-party tracking cookies.
Note for visitors from the EU: If you are accessing this site from a country subject to the GDPR, the use of Stripe's payment cookies may require your consent under EU law. By proceeding to the payment step, you acknowledge that Stripe processes payment data on our behalf.
7. Your Rights
Under the Swiss FADP (nDSG) and, where applicable, the GDPR, you have the following rights regarding your personal data:
Right of access: You can request a copy of the data we hold about you (FADP Art. 25; GDPR Art. 15).
Right to rectification: You can request correction of inaccurate data (FADP Art. 32; GDPR Art. 16).
Right to erasure: You can request deletion of your data, subject to our legal retention obligations (FADP Art. 32; GDPR Art. 17).
Right to restriction: You can request that we restrict processing of your data (GDPR Art. 18).
Right to data portability: You can request your data in a machine-readable format (FADP Art. 28; GDPR Art. 20).
Right to object: You can object to processing based on legitimate interest (FADP Art. 32; GDPR Art. 21).
To exercise any of these rights, contact us at contact@lutheis.com. We will respond within 30 days.
8. Supervisory Authorities and Complaints
If you believe we are not handling your data in compliance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority.
Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — fdpic.ch
France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
Germany: The relevant state data protection authority (Landesbeauftragter für Datenschutz).
9. Changes to This Policy
We may update this privacy policy from time to time. The date at the top of this page reflects the most recent revision. Continued use of the site after any update constitutes acceptance of the revised policy.
