Privacy Policy
As of July 2026 · Canvas Print Hero · foto-huwi.ch Huwiler
1. Data Controller (Art. 13(1)(a) GDPR)
foto-huwi.ch Huwiler
Michael Huwiler
Signalstrasse 17, 9400 Rorschach, Switzerland
Commercial Register: CH-320.1.070.547–3
VAT No.: CHE-178.883.869 MWST
Email: support@canvasprinthero.com
No Data Protection Officer has been appointed, as the conditions under Art. 37 GDPR are not met.
2. Data We Collect
2.1 Website (canvasprinthero.com)
- Newsletter signup: Email address, IP address, time of signup and confirmation. Legal basis: your consent (Art. 6(1)(a) GDPR), proven by Double-Opt-In. You may revoke your consent at any time with future effect.
- Server log files: IP address, browser type, access time. Legal basis: legitimate interest in ensuring operations (Art. 6(1)(f) GDPR). Automatically deleted after 30 days by the hosting provider.
2.2 Desktop App (Canvas Print Hero)
- License activation: License key, hardware fingerprint (anonymized HMAC-SHA256 hash), device name, platform (macOS/Windows), app version. Legal basis: contract performance (Art. 6(1)(b) GDPR) — required for license activation and device management.
- No usage data: The app collects no telemetry, analytics, or information about your images or projects.
- Local storage: Settings, presets, and the license cache are stored exclusively on your device and are not transmitted to us.
2.3 Purchase via Paddle (Merchant of Record)
Payment processing is handled by our online reseller and Merchant of Record Paddle.com Market Limited (15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom). Paddle acts as the seller and is your direct contractual partner for the purchase transaction.
Data collected by Paddle: Paddle processes, as an independent controller, the data required for payment processing, including: email address, name, billing address, payment data (credit card, PayPal, etc.), IP address, and device information.
Data received by us: We receive from Paddle only: email address, name, transaction ID, and the purchased product. Payment data (credit card numbers, etc.) is not transmitted to us.
The transfer to Paddle is based on contract performance (Art. 6(1)(b) GDPR). The United Kingdom has an EU Commission adequacy decision (Art. 45 GDPR).
The Paddle Privacy Policy and Paddle Buyer Terms apply. For order-related inquiries (invoices, refunds, payment issues), you can contact Paddle directly: paddle.com/support.
3. Purpose and Legal Basis of Data Processing
- Contract performance (Art. 6(1)(b) GDPR): License activation, device management, sending the license key by email.
- Consent (Art. 6(1)(a) GDPR): Newsletter notification when the app becomes available; web analytics and advertising measurement with Google Analytics 4 and Google Ads, including the storage of information on your device required for this purpose. Without your consent, no cookies are set and no identifiers are stored.
- Legitimate interest (Art. 6(1)(f) GDPR): Abuse protection (rate limiting), ensuring technical operations (server logs).
4. Data Retention
- License data: As long as the license is active, but at least for the duration of statutory retention obligations (generally 10 years for tax-relevant documents).
- Hardware fingerprints: Stored exclusively as HMAC-SHA256 hash (not reversible). Deleted upon license deactivation or on request.
- Newsletter: Until revocation of your consent. After revocation, the email address is deleted immediately.
- Server logs: 30 days (automatic deletion by hosting provider).
- Google click ID: Stored in your browser's local storage for a maximum of 90 days, then deleted automatically. If you make a purchase, it is stored alongside your license data (see section 11).
5. Recipients and Third-Country Transfers
Your data is generally not shared with third parties, with the following exceptions:
- Paddle.com Market Limited (UK): Payment processing. The UK has an EU Commission adequacy decision (Art. 45 GDPR).
- cyon GmbH (Switzerland): Hosting. Switzerland has an EU Commission adequacy decision.
- Google Ireland Limited (Ireland): Web analytics and advertising measurement (see section 11) — only with your consent. Data may be transferred to Google LLC in the USA. Google LLC is certified under the EU-US Data Privacy Framework; the EU Commission established an adequate level of protection by decision of 10 July 2023 (Art. 45 GDPR).
No further transfers to third countries take place.
6. Data Security (Art. 32 GDPR)
We implement appropriate technical and organizational measures to protect your data:
- Encrypted data transmission via HTTPS/TLS
- Cryptographic security of license tokens (Ed25519 signatures)
- Irreversible hashing of hardware fingerprints before storage
- Access restrictions at database level (file system permissions)
- Rate limiting for protection against brute-force attacks
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You may request information about the data stored about you.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
- Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data.
- Right to data portability (Art. 20 GDPR): You may request the provision of your data in a machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your data based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent at any time with future effect.
Contact us at support@canvasprinthero.com.
8. Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR. The competent authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). For EU citizens, the supervisory authority of the respective country of residence is competent.
9. Hosting
The website and the license backend are hosted by cyon GmbH (Brunngässlein 12, 4052 Basel, Switzerland). Switzerland has an EU Commission adequacy decision pursuant to Art. 45 GDPR. A data processing agreement (DPA) pursuant to Art. 28 GDPR exists with cyon.
10. Cookies and Storage on Your Device
Technically necessary (Art. 6(1)(f) GDPR): A session cookie for the password-protected admin area. We also store your language and currency selection as well as your cookie choice in your browser's local storage. This information is not transmitted to us.
Only with your consent (Art. 6(1)(a) GDPR): Cookies and identifiers for Google Analytics 4 and Google Ads, including the Google click ID (see section 11).
You can change or withdraw your choice at any time via the Cookie settings link in the footer. Withdrawal takes effect for the future; identifiers already stored are deleted in the process.
11. Web Analytics and Advertising Measurement (Google Analytics 4, Google Ads)
This website uses Google Analytics 4 to measure reach and Google Ads to measure the performance of our advertisements. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis is exclusively your consent.
We use Google Consent Mode v2. This means:
- Without your consent, no cookies are set, no identifiers are stored and no advertising click IDs are processed. Google only receives cookieless, non-personal signals indicating that a page view occurred (including your consent status and redacted technical information). These signals allow Google to perform statistical modelling; they do not permit you or your device to be recognised.
- With your consent, cookies are set and usage data (including truncated IP address, device and browser information, pages visited, timestamp, referrer) is transmitted to Google.
If you reach our website via a Google ad, the address bar contains a Google click ID (gclid, gbraid or wbraid). Only if you have consented do we store this identifier in your browser's local storage for a maximum of 90 days. If you purchase a license within that period, we transmit the identifier together with the purchase amount via our payment provider to our server and report the purchase to Google Ads as a conversion. The purpose is to measure the performance of our advertising (attributing a purchase to an ad). The identifier is stored alongside your license data and is not used for profiling.
If you withdraw your consent, any stored click ID is deleted immediately.
Further information: Google Privacy Policy and How Google uses data from sites that use its services.
12. Automated Decision-Making (Art. 22 GDPR)
No automated decision-making or profiling takes place.