Privacy policy.

Effective date: 26 October 2025

1) Who we are (Controller)

ella studios (“we”, “us”, “our”)
Responsible for content / Owner: Ella Mettler
Registered location: Zurich, Switzerland
Contact (privacy): hello@ellastudios.com

This Privacy Policy explains how we collect, use, disclose and protect personal data when you visit our website (the “Site”), make an enquiry, book a session, or appear in our photographs.

2) What we collect

Depending on how you interact with us, we collect:

  • Contact & booking details: name, email, phone number, event/date, location, session preferences, contract and invoice information.

  • Photos & related materials: images we capture; images or mood boards you send us; model releases/permissions; and metadata embedded in image files (e.g., time, device, location if enabled).

  • Communications: emails and messages you send us.

  • Usage & device data: IP address, browser/device type, pages viewed, and similar technical data generated when you browse our Site.

  • Payment status data: we receive transaction confirmations from our payment provider (we do not store full card numbers).

We do not intentionally collect “especially sensitive” data. If such data is visible in images (e.g., from context), we handle it with heightened care and only with an appropriate justification (see Section 4).

3) Why we process your data & our grounds for justification (Swiss FADP)

Under Swiss law, private controllers must have a justification whenever processing would otherwise infringe personality rights. The law recognises consent, overriding private or public interest (e.g., to perform a contract or operate the Site), or a legal obligation. Lawbrary

We use your data for:

  • Enquiries, quotes & bookings – to respond to your request, prepare/perform our contract, schedule and manage sessions; overriding private interest (including processing data of a contracting party directly connected to contract performance). Lawbrary

  • Photography services – planning, shooting and editing; delivering galleries/files; arranging assistants/vendors; overriding private interest (service delivery/operations). Lawbrary

  • Portfolio & marketing – featuring selected images on our Site or social channels only with your consent (e.g., model release). You may withdraw consent at any time (see Section 9).

  • Communications – service messages (confirmations, logistics), and if you opt in, newsletters or offers; consent for marketing.

  • Site operation, security & analytics – to run the Site, prevent abuse/fraud, and understand performance; overriding private interest (security/quality).

  • Legal & tax compliance – accounting and record‑keeping; legal obligation (e.g., Swiss commercial record‑keeping).

4) Cookies & similar technologies

We use essential cookies to operate the Site and (if enabled) performance/analytics cookies to improve it. You can control cookies in your browser. If we implement analytics/marketing cookies, we will provide simple controls or obtain consent where required. (A separate Cookie notice can be linked here.)

5) Disclosures (who receives your data)

We share personal data, where necessary, with:

  • Service providers (“processors”) that help us run the business: secure hosting/CDN, email & gallery delivery, payment and accounting tools, scheduling, and anti‑abuse/security.

  • Professional advisers & authorities where required by law (e.g., tax authorities, auditors, or to defend legal claims).

We require service providers to protect your data and use it only on our instructions.

6) International transfers

We primarily store/process data in Switzerland or the EEA. If we transfer data abroad, we do so only where permitted by Swiss law:

  • To countries that the Swiss Federal Council recognises as providing an “adequate” level of protection (Annex 1 to the Swiss Data Protection Ordinance); or

  • With appropriate safeguards (e.g., Swiss‑adapted Standard Contractual Clauses) when the destination is not on the adequacy list; or

  • To U.S. recipients certified under the Swiss‑U.S. Data Privacy Framework (Swiss‑U.S. DPF), which—since 15 September 2024—ensures adequate protection for transfers to certified U.S. companies. Swiss Data Protection Authority+2Swiss Data Protection Authority+2

If you would like details of the safeguards used for a specific transfer, contact us.

7) How long we keep data

We keep personal data only as long as needed for the purposes above, plus any legally required periods. For example:

  • Contracts, invoices and accounting records: 10 years from the end of the financial year, as required by the Swiss Code of Obligations (Art. 958f). Lawbrary

  • Enquiry emails: usually up to 12 months after our last communication if no booking follows.

  • Galleries/working files: as agreed in your contract or until delivery is complete (and for limited archival back‑ups if needed to remedy file loss or handle claims).

  • Marketing lists: until you unsubscribe or we delete inactive subscribers.

8) Your rights (Swiss FADP)

You can:

  • Request access to your personal data and receive a copy;

  • Ask for rectification of inaccurate data;

  • Request deletion where no justification applies or the purpose is fulfilled;

  • Request portability for data you provided to us and that we process by automated means (where applicable under Swiss law); and

  • Object to or withdraw consent (e.g., for portfolio use or marketing).

We will respond without undue delay. You also have the right to raise concerns with the Federal Data Protection and Information Commissioner (FDPIC) (address below). See also our duty to inform you about our processing (Art. 19 FADP). Lawbrary

Automated decisions

We do not make decisions that are solely automated and produce legal or similarly significant effects for you. If this ever changes, we will inform you and enable human review of the decision, as required by Swiss law. BF Admin

9) Photography‑specific notes (consents, releases & removals)

  • Model releases / permissions: We will only publish identifiable client images in our portfolio, social media or marketing with your written consent (e.g., a release signed in the contract). You can withdraw consent at any time; we will stop future use and, where practicable, remove images we control.

  • Third‑party platforms: If images were shared on third‑party platforms (e.g., media outlets or client posts), removal may require you to contact those third parties directly. We will assist where we reasonably can.

  • Minors: For children under 16, a parent/guardian must sign the release.

10) Security

We use reasonable technical and organisational measures appropriate to the risks of a photography business (e.g., TLS encryption in transit, access controls, device protection, least‑privilege access, and secure deletion routines).

11) Data breaches

If a data security breach occurs that is likely to lead to a high risk to individuals’ personality or fundamental rights, we will notify the FDPIC as quickly as possible and inform affected individuals where required. Swiss Data Protection Authority+1

12) Third‑party links

Our Site may link to other sites or platforms (e.g., social networks, gallery hosts). Their privacy practices are governed by their own policies.

13) Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will post the updated version here and adjust the “Last updated” date.

14) Contact

Questions or requests about this Policy or your data?

ella studios
Attn: Privacy
Zurich, Switzerland
Email: hello@ellastudios.com

Swiss supervisory authority

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, CH‑3003 Bern
Tel. +41 (0)58 462 43 95 (hotline hours per FDPIC site) Swiss Data Protection Authority

Notes for your website admin (you can keep this paragraph hidden)

  • This text reflects the Swiss FADP in force since 1 September 2023 and the Swiss‑U.S. DPF (effective 15 September 2024 for certified U.S. recipients). If you use U.S. tools (e.g., gallery hosting, newsletters, analytics), list them in Section 5 and verify whether the vendors are Swiss‑U.S. DPF‑certified or have Swiss‑adapted SCCsin place. Federal Administration of Switzerland+2Swiss Data Protection Authority+2

  • If you also target or regularly serve EEA/UK clients, consider adding a short GDPR/UK‑GDPR paragraph (rights list is similar but not identical) and mapping cookies/analytics to consent rules for those regions.

  • If you want, tell me which providers you use (hosting, galleries, newsletters, analytics, payments, scheduling). I can slot them into the policy, add a concise Cookie notice, and trim wording for your specific setup.

Key legal references (for transparency)

  • Duty to inform when collecting personal data (Art. 19 FADP). Lawbrary

  • Grounds for justification (consent, overriding interests, or law) (Art. 31 FADP). Lawbrary

  • Cross‑border transfers (adequacy list; safeguards; Swiss‑U.S. DPF for certified recipients). Swiss Data Protection Authority+2Swiss Data Protection Authority+2

  • Breach notification to the FDPIC for likely high‑risk incidents (Art. 24 FADP; FDPIC guidelines). SwissRights+1

  • Record‑keeping (10‑year retention of accounting records) — Swiss Code of Obligations Art. 958f. Lawbrary