Privacy Policy
1. Who we are
The websites www.lucabertone.net and www.atelier71.net are owned by Luca Bertone, a professional photographer based in Canton Ticino, Switzerland, acting as the Data Controller for all personal data collected through his professional activity. The two brands represent two operating modes of the same professional: Luca Bertone for bespoke projects on quote (architecture, editorial, industrial portraiture, heritage documentation) and Atelier71 for standard services on price list (real estate and commercial photography). This Privacy Policy applies to both operating modes and to all contractual relationships established with the Controller.
- Data Controller: Luca Bertone
- Operating address: Via alla Chiesa 22, 6808 Torricella (Switzerland)
- Email: info@atelier71.net · welcome@lucabertone.net
2. Types of data collected and purposes
The Controller collects only the data necessary for contractual and administrative purposes, and for the legitimate interest of protecting his professional activity and intellectual property rights.
- Contact data: name, surname, address, email, phone number and project details. Used for quotations, scheduling, invoicing and delivery of photographic material.
- Navigation and analytics data: anonymised IP address, browser type and pages visited via Google Analytics. Collected in aggregated form for statistical purposes only.
- Operational communication data: metadata arising from the use of messaging tools (e.g. WhatsApp, Telegram, email) for coordination between the Controller and the client.
- Copyright monitoring data: information collected through online image monitoring systems, including via specialised third-party services (see art. 5).
3. Legal bases for processing
Processing of personal data is based on the following legal grounds:
- Performance of a contract (Art. 6(1)(b) GDPR / Art. 31 nFADP): for managing assignments, invoicing and delivery of material.
- Legal obligation (Art. 6(1)(c) GDPR): for the retention of tax and accounting data and disclosure to competent authorities.
- Legitimate interests (Art. 6(1)(f) GDPR / Art. 31 nFADP): for the protection of copyright, website security and administrative management of the business.
- Consent (Art. 6(1)(a) GDPR): for statistical cookies and any marketing communications, withdrawable at any time.
4. Infrastructure, data retention and transfers
The Controller favours providers based in Switzerland or the European Union, in accordance with the principles of the nFADP and GDPR.
- Infomaniak SA (Switzerland): primary provider for website hosting, email service, storage of project files and delivery of photographic material to clients via secure link. Servers are located in Switzerland. Further information: infomaniak.com.
- Internal systems: management data (client database, project archives, accounting files) is stored on the Controller’s local devices, protected by encryption.
- Scheduling and booking services: appointment management is handled through digital tools with European or Swiss instances.
- Operational communications: the use of tools such as WhatsApp and Telegram involves metadata being processed on third-party servers potentially located outside Switzerland or the EU. The Controller ensures that such providers offer adequate safeguards (e.g. Standard Contractual Clauses).
- Traffic analytics: Google Analytics processes anonymised navigation data on Google infrastructure, potentially outside Switzerland or the EU, subject to Standard Contractual Clauses.
Data is not transferred to third parties for commercial or advertising purposes.
5. Copyright monitoring and specialised services
All images produced by Luca Bertone are protected under the Swiss Federal Act on Copyright and Related Rights (CopA, SR 231.1). The Controller uses digital watermarking systems and specialised services for monitoring the online use of images, including — by way of example and without limitation — Pixsy, Copytrack, PicRights or similar services.
These services operate through reverse image search technology and artificial intelligence to identify any unauthorised use of images on the web. Where an infringement is detected, the data collected (including URLs, screenshots and metadata) is used solely for the purpose of enforcing copyright, and may be transmitted to the specialised services engaged to handle the case.
Copyright monitoring service providers may process data on servers located outside Switzerland or the EU. The Controller favours providers that declare compliance with applicable data protection law.
6. Use of artificial intelligence tools
In the course of his professional activity, the Controller may use AI-based tools for photographic post-production, moodboard preparation, virtual staging, editing and project file organisation.
The Controller notes that the data processing policies adopted by AI tool providers can vary significantly and are not always fully transparent — in particular regarding: the use of uploaded data for model training, temporary storage of processed content, and the location of processing servers. For this reason, the Controller undertakes not to upload identifiable personal data or confidential material to such platforms, unless strictly necessary and compatible with the purposes of the assignment.
Clients with specific confidentiality requirements — for example for assignments subject to NDAs, sensitive data or unpublished material — are invited to notify the Controller in writing before work begins, so that appropriate operational measures can be agreed upon.
8. Retention periods
- Tax and invoicing data: 10 years (Swiss legal obligation).
- Project data and photographic files: until completion of the contract, or in accordance with specific archiving arrangements agreed with the client (see art. 10 of the General Terms and Conditions, Rev. 05).
- Navigation data: 14–26 months (Google Analytics default setting).
- Copyright monitoring data: retained for the time necessary to manage the case and any resulting legal proceedings.
9. Data security
The Controller implements appropriate technical and organisational measures proportionate to the risk:
- SSL/HTTPS encryption across the entire website.
- Storage on encrypted local devices and on Infomaniak infrastructure with ISO 27001-certified Swiss data centres.
- Access to data restricted to the Controller only.
- No data is sold or shared with third parties for advertising or commercial purposes.
10. Profiling and automated decision-making
The Controller does not carry out any processing involving automated decision-making or high-risk profiling of users within the meaning of Art. 22 GDPR.
11. Rights of the data subject
In accordance with the nFADP and GDPR, data subjects have the right to request at any time:
- Access to their personal data.
- Rectification of inaccurate or incomplete data.
- Erasure of data (right to be forgotten), subject to statutory retention obligations.
- Restriction of processing.
- Data portability.
- Objection to processing based on legitimate interests.
- Withdrawal of consent previously given, without affecting the lawfulness of prior processing.
To exercise your rights, contact: info@atelier71.net
12. Jurisdiction and complaints
This Privacy Policy is governed exclusively by Swiss law. The exclusive place of jurisdiction is the Tribunal of Lugano (Canton Ticino, Switzerland).
Data subjects have the right to lodge a complaint with the competent supervisory authority. For data subjects resident in Switzerland: the Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch. For data subjects resident in the EU: the data protection authority of their country of residence.
