Privacy Policy

As of March 2026 · Canvas Print Hero · foto-huwi.ch Huwiler

1. Data Controller (Art. 13(1)(a) GDPR)

foto-huwi.ch Huwiler
Michael Huwiler
Signalstrasse 17, 9400 Rorschach, Switzerland
Commercial Register: CH-320.1.070.547–3
VAT No.: CHE-178.883.869 MWST
Email: support@canvasprinthero.com

No Data Protection Officer has been appointed, as the conditions under Art. 37 GDPR are not met.

2. Data We Collect

2.1 Website (canvasprinthero.com)

• Newsletter signup: Email address, IP address, time of signup and confirmation. Legal basis: your consent (Art. 6(1)(a) GDPR), proven by Double-Opt-In. You may revoke your consent at any time with future effect.
• Server log files: IP address, browser type, access time. Legal basis: legitimate interest in ensuring operations (Art. 6(1)(f) GDPR). Automatically deleted after 30 days by the hosting provider.

2.2 Desktop App (Canvas Print Hero)

• License activation: License key, hardware fingerprint (anonymized HMAC-SHA256 hash), device name, platform (macOS/Windows), app version. Legal basis: contract performance (Art. 6(1)(b) GDPR) — required for license activation and device management.
• No usage data: The app collects no telemetry, analytics, or information about your images or projects.
• Local storage: Settings, presets, and the license cache are stored exclusively on your device and are not transmitted to us.

2.3 Purchase via Paddle (Merchant of Record)

Payment processing is handled by our online reseller and Merchant of Record Paddle.com Market Limited (15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom). Paddle acts as the seller and is your direct contractual partner for the purchase transaction.

Data collected by Paddle: Paddle processes, as an independent controller, the data required for payment processing, including: email address, name, billing address, payment data (credit card, PayPal, etc.), IP address, and device information.

Data received by us: We receive from Paddle only: email address, name, transaction ID, and the purchased product. Payment data (credit card numbers, etc.) is not transmitted to us.

The transfer to Paddle is based on contract performance (Art. 6(1)(b) GDPR). The United Kingdom has an EU Commission adequacy decision (Art. 45 GDPR).

The Paddle Privacy Policy and Paddle Buyer Terms apply. For order-related inquiries (invoices, refunds, payment issues), you can contact Paddle directly: paddle.com/support.

3. Purpose and Legal Basis of Data Processing

• Contract performance (Art. 6(1)(b) GDPR): License activation, device management, sending the license key by email.
• Consent (Art. 6(1)(a) GDPR): Newsletter notification when the app becomes available.
• Legitimate interest (Art. 6(1)(f) GDPR): Abuse protection (rate limiting), ensuring technical operations (server logs).

4. Data Retention

• License data: As long as the license is active, but at least for the duration of statutory retention obligations (generally 10 years for tax-relevant documents).
• Hardware fingerprints: Stored exclusively as HMAC-SHA256 hash (not reversible). Deleted upon license deactivation or on request.
• Newsletter: Until revocation of your consent. After revocation, the email address is deleted immediately.
• Server logs: 30 days (automatic deletion by hosting provider).

5. Recipients and Third-Country Transfers

Your data is generally not shared with third parties, with the following exceptions:

• Paddle.com Market Limited (UK): Payment processing. The UK has an EU Commission adequacy decision (Art. 45 GDPR).
• cyon GmbH (Switzerland): Hosting. Switzerland has an EU Commission adequacy decision.

No further transfers to third countries take place.

6. Data Security (Art. 32 GDPR)

We implement appropriate technical and organizational measures to protect your data:

• Encrypted data transmission via HTTPS/TLS
• Cryptographic security of license tokens (Ed25519 signatures)
• Irreversible hashing of hardware fingerprints before storage
• Access restrictions at database level (file system permissions)
• Rate limiting for protection against brute-force attacks

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You may request information about the data stored about you.
• Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
• Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data.
• Right to data portability (Art. 20 GDPR): You may request the provision of your data in a machine-readable format.
• Right to object (Art. 21 GDPR): You may object to the processing of your data based on legitimate interests.
• Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent at any time with future effect.

Contact us at support@canvasprinthero.com.

8. Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR. The competent authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). For EU citizens, the supervisory authority of the respective country of residence is competent.

9. Hosting

The website and the license backend are hosted by cyon GmbH (Brunngässlein 12, 4052 Basel, Switzerland). Switzerland has an EU Commission adequacy decision pursuant to Art. 45 GDPR. A data processing agreement (DPA) pursuant to Art. 28 GDPR exists with cyon.

10. Cookies

This website uses no tracking cookies, analytics tools, or advertising cookies. A session cookie is used exclusively for the password-protected admin area (technically necessary, Art. 6(1)(f) GDPR).

11. Automated Decision-Making (Art. 22 GDPR)

No automated decision-making or profiling takes place.