Hutter Products GmbH ("Hutter Products", "we", "us") provides a digital marketplace where buyers and suppliers co-create sustainable merchandise with real-time AI design tools. This Privacy and Cookie Policy explains how we collect, use, share, and safeguard personal data across Switzerland, the EU/EEA, and other regions when you browse our site, create an account, upload artwork, customise products, place orders, or engage with our sustainability dashboards.
1. Overview and Scope
This policy covers our marketplace at hutterproducts.com, including the /privacyandcookie page, mobile experiences, and support channels.
It applies to buyers, suppliers, designers, and visitors interacting with accounts, orders, AI configurators, uploads, and sustainability insights.
We follow the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), the ePrivacy Directive, and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).
2. Company Details
Data controller: Hutter Products GmbH, Lagerstrasse 12, 8004 Zurich, Switzerland.
Swiss Chamber of Commerce Registration Number: CH-920.4.068.832-7; VAT: CHE-284.907.929.
Primary contact: privacy@hutterproducts.com | Phone: +41 71 723 12 18.
Data Protection Officer (DPO): privacy@hutterproducts.com.
Representative in the EU (for GDPR Art. 27): Hutter Products GmbH, c/o Hutter Products EU Services, 120 Rue de Lausanne, 1202 Genève, Switzerland/EU liaison office.
3. Data We Collect
We collect only the data we need to operate the marketplace responsibly and lawfully.
Personal and account data: names, job titles, company details, billing and shipping addresses, emails, phone numbers, login credentials (hashed), marketing preferences.
Transaction and logistics data: orders, invoices, payment confirmations, refund history, customs declarations, carrier tracking updates, proof of delivery.
Design and upload content: user-generated logos, artwork, fonts, brand guidelines, AI prompts, real-time 3D previews, version history, annotations, and moderation flags.
Sustainability metrics: carbon footprint calculations, recycled content scores, certification evidence, aggregated eco-impact dashboards.
Device and usage data: IP addresses (shortened where feasible), browser and OS details, session logs, error reports, interaction data within AI configurators, support chats, and feedback forms.
Consent and compliance data: cookie choices, marketing opt-ins or opt-outs, Terms acceptance, fraud and sanctions screening results.
We do not intentionally collect sensitive personal data (e.g., health information, biometric identifiers). Please avoid uploading it.
4. AI Design Tools and Automated Decisions
Our AI 3D configurators process prompts, design selections, and uploads to generate previews, recommend materials, and streamline approvals.
Automated checks flag potential infringements (e.g., offensive or trademarked content) and route them to a human review team before any decision impacts your order.
We complete and review Data Protection Impact Assessments (DPIAs) for AI features, test for bias, and document mitigation steps.
You can request human review of an AI-driven outcome or ask for an explanation of how your data influenced a recommendation by emailing privacy@hutterproducts.com.
5. How We Use Personal Data
To deliver core services: register accounts, verify suppliers, manage catalogues, fulfil orders, arrange shipping, process payments, and handle returns (contract necessity).
To enable collaboration: share design briefs, sustainability metrics, and status updates between buyers and suppliers (contract + legitimate interest).
To power AI personalization: remember configurations, render previews, store approved assets, and recommend eco-friendly alternatives (legitimate interest; consent where local law requires).
To provide sustainability tracking: calculate emissions, produce eco-impact dashboards, and create anonymised environmental reports (legitimate interest + consent for optional analytics cookies).
To secure the platform: authenticate sessions, detect fraud, enforce Terms, and monitor for misuse (legitimate interest and legal obligation).
To communicate: send order updates, service notices, surveys, and marketing emails. Marketing to EU/Swiss users relies on consent; all users can opt out at any time.
To meet legal and regulatory obligations: maintain tax and accounting records, comply with customs and product safety rules, and respond to lawful requests (legal obligation).
6. Lawful Bases and Consent Controls
Contract necessity covers account management, orders, supplier onboarding, and delivery workflows.
Legitimate interests include platform security, product improvement, sustainability analytics, and responsible marketing to existing customers. We balance these interests against your rights.
Consent applies to email and SMS marketing in the EU/EEA/Switzerland, optional profile data, and non-essential cookies or trackers. You can withdraw consent at any time without affecting prior lawful processing.
Legal obligations include tax, accounting, customs compliance, sanctions screening, and responding to regulators.
Our cookie banner captures granular consent for analytics, personalization, advertising, and sustainability tracking cookies in line with GDPR and the ePrivacy Directive.
7. Cookies and Similar Technologies
We use cookies, local storage, pixels, and device identifiers to operate the site, improve performance, personalise experiences, and report sustainability metrics.
Essential cookies load automatically. Analytics, personalization, advertising, and sustainability cookies load only after you provide consent via the banner or preferences centre.
We rely on privacy-focused analytics providers (e.g., Matomo, Plausible) configured with IP masking and limited data retention.
8. Cookie Categories Snapshot
Cookie Type | Purpose | Examples | Retention | Consent Required
Essential (Strictly Necessary) | Maintain sessions, security, accessibility, cookie preferences | session_id, csrf_token | Session to 12 months | No (legitimate interest)
Analytics and Performance | Measure visits, detect errors, improve UX | Matomo visitor_id, Plausible metrics | Up to 13 months | Yes
Personalization | Save configurator settings, remember recent designs, tailor dashboards | design_pref, ai_material_choice | Up to 12 months | Yes
Advertising and Social | Measure campaign reach, prevent duplication, manage retargeting | LinkedIn Insight tag, Google Ads conversion | 3 to 6 months | Yes
Sustainability Tracking | Aggregate carbon savings and recycled content metrics | eco_dashboard, impact_session | Up to 24 months | Yes
9. Managing Cookies and Preferences
Update your consent choices anytime through the "Manage cookies" link in the site footer.
Most browsers let you block or delete cookies; instructions vary by provider. Blocking essential cookies may limit access to secure areas or configurator features.
Opt out of advertising trackers via industry portals such as Your Online Choices (EU) and the Network Advertising Initiative (US).
10. Sharing and International Transfers
We share personal data only with vetted partners who need it to provide services on our behalf.
Key recipients: certified suppliers and manufacturers, logistics and warehousing partners, payment processors, cloud hosting and AI infrastructure providers, sustainability analytics vendors, professional advisors, and auditors.
We require written data processing agreements, confidentiality, and security standards that meet GDPR and Swiss FADP expectations.
If data leaves Switzerland or the EU/EEA, we rely on adequacy decisions where available or the EU Standard Contractual Clauses with Swiss addenda and supplementary safeguards (encryption, access controls, transfer risk assessments).
You can request copies of transfer safeguards by contacting privacy@hutterproducts.com.
11. Data Security and Breach Response
We encrypt data in transit (TLS 1.2+) and at rest, operate on hardened infrastructure, and implement role-based access controls with multi-factor authentication for team members.
We conduct regular penetration tests, vendor security reviews, and incident response simulations for AI and marketplace systems.
If a personal data breach occurs, we notify affected individuals and relevant supervisory authorities without undue delay in line with GDPR Articles 33 and 34, the Swiss FADP, and applicable US state laws.
12. Data Retention
Account, order, and financial records: retained for the duration of the business relationship plus up to 10 years to meet Swiss and EU statutory requirements.
Design files, AI prompts, and previews: stored for the active project lifecycle plus 24 months unless you delete them sooner or request removal.
Sustainability analytics containing identifiable data: retained for 36 months; aggregated or anonymised metrics may be kept longer.
Support tickets, chat transcripts, and audit logs: retained for up to 24 months unless legal obligations require longer storage.
Marketing consent records: retained for five years from the last interaction to prove compliance.
13. Your Rights in the EU, EEA, and Switzerland
You can exercise these rights by emailing privacy@hutterproducts.com or using your account settings.
- Access: request a copy of personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure: ask us to delete data when it is no longer needed or when you withdraw consent.
- Restriction: limit how we process data in specific circumstances.
- Objection: object to processing based on legitimate interests, including profiling for personalization or analytics.
- Portability: receive data in a structured, commonly used, machine-readable format or ask us to transfer it to another controller.
- Withdraw consent: change marketing and cookie preferences at any time.
We respond within one month (extendable by two months for complex requests) and may ask for proof of identity before acting.
You may lodge a complaint with the Swiss FDPIC or your local EU supervisory authority if you disagree with our response.
14. California Privacy Rights (CCPA/CPRA)
California residents can request disclosure of the categories and specific pieces of personal information collected, used, disclosed, or shared in the past 12 months.
You may request deletion of personal information, subject to legal exceptions such as completing transactions or detecting security incidents.
You can opt out of any sale or sharing of personal information for cross-context behavioural advertising; use our cookie preferences or email privacy@hutterproducts.com.
We do not sell personal information for monetary consideration and do not knowingly process sensitive personal information for purposes beyond limited, permitted uses.
We will not discriminate against you for exercising CCPA/CPRA rights.
15. Sustainability and Data Minimisation
We design data flows to support transparent sustainability claims while collecting only the metrics required to validate eco-impact (e.g., recycled material percentages, lifecycle savings).
User-generated content is stored in organised workspaces with access controls so teams keep only relevant artwork and delete outdated files easily.
We routinely anonymise or aggregate sustainability analytics before sharing externally, ensuring individual buyers or suppliers cannot be re-identified.
16. Children's Privacy
The marketplace targets professionals and is not intended for children under 16 or the minimum age defined by local law.
We do not knowingly collect personal data from children. If you believe a minor has provided data, contact us so we can delete it promptly.
17. Changes to This Policy
We update this policy to reflect new services, legal requirements, or feedback.
Material changes trigger email or in-platform notifications at least 14 days before they take effect unless law requires faster updates.
Previous versions are available on request so you can track how our practices evolve.
18. Contact and DPO
Email: privacy@hutterproducts.com (preferred channel for privacy rights and cookie preferences).
Postal: Data Protection Officer, Hutter Products GmbH, Lagerstrasse 12, 8004 Zurich, Switzerland.
Online: use the contact form at https://hutterproducts.com/contact for secure submissions.
Regulatory queries: authorities may reach our DPO at privacy@hutterproducts.com or call +41 71 723 12 18.
19. Frequently Asked Questions
- Q: Can I delete AI designs or uploaded artwork? A: Yes. Remove files in your dashboard or request deletion via privacy@hutterproducts.com; backups are purged within 30 days unless retention laws apply.
- Q: How do I opt out of marketing? A: Use the unsubscribe link in any message, update preferences in your profile, or email us. Transactional emails will still be sent when necessary.
- Q: What happens to sustainability data? A: Identifiable metrics stay within our secure systems and processors; public reports rely on aggregated or anonymised insights only.
- Q: How does the cookie banner work? A: The banner records granular consent and lets you revisit choices through the "Manage cookies" link at any time.
- Q: What if there is a breach? A: We follow a tested incident response plan and notify affected users and authorities without undue delay, including recommended protective steps.
We uphold privacy, security, and sustainability so your ideas can thrive responsibly.