Privacy Policy

Last updated: 23 February 2026

1. Who we are

LémanLoop (“we”, “us”, “our”) operates the LémanLoop platform, a circular lanyard programme serving Geneva’s event ecosystem. Our registered address is Geneva, Switzerland.

We are the data controller for personal data processed through this platform. Questions about this policy or your data rights may be directed to privacy@lemanloop.ch.

2. Data we collect

We collect only the data necessary to operate the programme:

Category | Data | When collected
Account data | Email address, display name, city, profile photo | When you create an account or update your profile
Role & activity data | Platform role (volunteer/organiser), event applications, application status | As you use the platform
Operational data | GPS coordinates at check-in, lanyard grades (A/B/C), material type, quantity, photo of lanyards | When volunteers perform a collection check-in
Event data | Event name, location, date, estimated lanyard count | When organisers register events
Financial reference data | Deposit amounts per event (CHF 2/lanyard) | Calculated at event creation; no payment card data is stored by us
Usage data | Server access logs (IP address, browser type, pages visited, timestamp) | Automatically, on each request

We do not collect payment card numbers. Any payment processing is handled by a third-party processor subject to their own privacy policy.

3. Legal basis for processing

We rely on the following legal bases under the Swiss Federal Act on Data Protection (revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR):

  • Contract performance — processing your account and activity data to provide the services you have signed up for.
  • Legitimate interests — server logs for security monitoring and abuse prevention; aggregated impact statistics for environmental reporting.
  • Consent — GPS location data at check-in (you must explicitly trigger a check-in). You may refuse without losing access to other features.
  • Legal obligation — retaining records required by Swiss accounting law (CO Art. 957 et seq.).

4. How we use your data

  • Creating and managing your account
  • Matching volunteers with events and tracking application status
  • Recording lanyard collection check-ins and computing karma points
  • Calculating CO₂ savings and generating verified impact certificates for organisers
  • Communicating service-related updates (no marketing emails without separate consent)
  • Fraud prevention and platform security
  • Aggregate, anonymised reporting on environmental impact (no individual identification)

5. Data sharing and processors

We do not sell or rent your personal data. We share data only with:

Recipient | Purpose | Location / transfer basis
Supabase Inc. | Database hosting and authentication (PostgreSQL + Auth) | EU/US — Standard Contractual Clauses
Vercel Inc. | Platform hosting and edge delivery | EU/US — Standard Contractual Clauses
Upcycling partners | Anonymised lanyard grade and quantity data only (no personal data) | Switzerland / EU
Authorities | If required by law, court order, or to protect safety | As required

6. Data retention

We retain personal data only as long as necessary:

  • Account data: until you delete your account, plus 30 days for recovery.
  • Operational data (check-ins, grades): 5 years, to support impact reporting and potential audit requirements.
  • Server logs: 90 days.
  • Financial reference data: 10 years (Swiss CO accounting obligation).

You may request earlier deletion where no legal retention obligation applies — see Section 7.

7. Your rights

Under the revDSG and GDPR, you have the right to:

  • Access — obtain a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention obligations).
  • Restriction — ask us to pause processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdrawal of consent — withdraw consent (e.g. for GPS check-in) at any time without penalty.

To exercise any right, email privacy@lemanloop.ch. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

8. International data transfers

Your data is stored on servers in the European Union. Any transfer outside Switzerland or the EU is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, which the Swiss FDPIC also recognises as providing adequate protection.

9. Cookies and local storage

We use the following minimal cookies and browser storage:

Name | Set by | Purpose | Duration
Session cookie | sb-* (Supabase) | Strictly necessary — authenticates your session. Cannot be disabled. | Session
CSRF token | sb-auth-token | Strictly necessary — protects against cross-site request forgery. | Session

We do not use advertising cookies, third-party tracking pixels, or analytics cookies. We do not serve ads.

10. Children's data

LémanLoop is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us at privacy@lemanloop.ch and we will delete it promptly.

11. Security

We apply industry-standard safeguards including TLS encryption in transit, AES-256 encryption at rest, row-level security policies on all database tables, and regular security reviews. However, no system is perfectly secure — please use a strong, unique password and contact us immediately if you suspect unauthorised access.

12. Changes to this policy

We may update this policy to reflect changes in law or our practices. Material changes will be announced on the platform at least 14 days before they take effect. The date at the top of this page indicates when it was last revised.

13. Contact

Data controller: LémanLoop
Address: Geneva, Switzerland
Privacy enquiries: privacy@lemanloop.ch
