Privacy Notice

Last updated: May 2026 

This privacy notice explains what personal data this website collects, why, how it is used, and your rights regarding it. The notice complies with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the European Union General Data Protection Regulation (GDPR). 

1. Data Controller 

Francesco Castelli 

Zürich, Switzerland 

Email: francesco.castels@gmail.com 

I am the data controller for the personal data processed via this website. For any privacy-related question, request, or complaint, contact me at the email above. 

2. Categories of personal data collected 

This website collects four categories of personal data, described below. 

(a) Data submitted via the Contact form on the About page: 

  • Name 

  • Email address 

  • Organisation (optional) 

  • Topic of enquiry (dropdown selection) 

  • Free-text message content 

(b) Data exchanged with the Basel Regulatory Assistant chatbot on the Tools page: 

  • The text of the questions submitted to the assistant, transmitted to the language model endpoint hosted on Railway 

  • A counter and timestamp stored locally in your browser (localStorage) for the purpose of usage rate-limiting 

  • Your IP address and browser user-agent, logged by the Railway server 

(c) Data collected automatically by the hosting platform (Framer): 

  • IP address 

  • Browser type and user-agent string 

  • Pages visited and approximate session duration 

  • Standard session cookies set by Framer for site operation 

(d) Data shared with third-party content delivery networks (CDNs) loaded by the site:

  • IP address shared with jsDelivr CDN, used to load the KaTeX library that renders mathematical formulas 

  • IP address shared with the Framer CDN, used to deliver images, fonts, and other static assets 

  • If Google Fonts is used by the site theme, IP address shared with Google LLC 

This website does NOT collect special categories of personal data within the meaning of FADP Article 5 or GDPR Article 9 (health, religion, race, political opinions, sexual orientation, trade union membership, biometric or genetic data). 

3. Purposes of processing 

The personal data described above is processed for the following purposes: 

  • Contact form data is used solely to read, understand, and reply to the enquiries you send. 

  • Chatbot data is used to generate responses to your questions and to enforce a usage limit of five questions per 24-hour session, in order to manage hosting costs. 

  • Hosting and CDN data is processed automatically as part of standard web hosting and content delivery operations. This includes ensuring site availability, security, and basic performance monitoring.

4. Legal basis for processing 

The legal basis for processing depends on the data category: 

  • Contact form data: explicit consent (FADP Article 6 letter c, GDPR Article 6(1)(a)), implied by your action of clicking SEND after entering your data. 

  • Chatbot data: explicit consent, implied by your action of typing and submitting a question to the assistant. 

  • Hosting and CDN data: legitimate interest (FADP Article 31, GDPR Article 6(1)(f)) in operating, securing, and improving the website. 

5. Retention period 

Personal data is retained no longer than necessary for the purposes for which it was collected: 

  • Contact form messages are retained in the controller's email inbox for up to 24 months from receipt, then deleted unless an ongoing conversation justifies further retention. 

  • Chatbot interaction logs on the Railway server are retained for up to 30 days, then automatically purged. 

  • Framer hosting logs are retained according to Framer's data retention policy (see framer.com/privacy). 

  • The localStorage data stored in your browser for chatbot rate-limiting expires automatically after 24 hours and can be cleared at any time via your browser settings.

6. Recipients of personal data 

Personal data is shared with the following processors and service providers, which act on behalf of the data controller: 

  • Framer Inc., United States — website hosting and CMS platform 

  • Railway, United States — hosting of the Basel Regulatory Assistant language model endpoint 

  • jsDelivr (operated by Cloudflare and Fastly) — global content delivery network used to deliver the KaTeX JavaScript library 

  • Google LLC, United States — Google Fonts delivery, if used by the site theme 

These providers process personal data solely to perform their contracted service. 

7. International transfers of personal data 

Several of the recipients listed in section 6 are established in the United States or operate globally. Transfers of personal data outside Switzerland or the European Economic Area take place on the basis of the Standard Contractual Clauses approved by the European Commission and recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC), or under other valid transfer mechanisms recognised by the FADP and GDPR. 

8. Your rights

Under the FADP and, where applicable, the GDPR, you have the right to: 

  • Request access to the personal data the controller holds about you 

  • Request rectification of inaccurate or incomplete personal data 

  • Request erasure of personal data (right to be forgotten) 

  • Request restriction of processing 

  • Object to processing carried out on the basis of legitimate interest 

  • Request data portability for personal data you have actively provided 

To exercise any of these rights, contact the data controller at francesco.castels@gmail.com. Responses are provided within 30 days from receipt of the request. 

9. Right to lodge a complaint 

If you believe your personal data is being processed in a way that violates applicable privacy law, you have the right to file a complaint with the competent supervisory authority: 

  • For Switzerland: the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, edoeb.admin.ch 

  • For the European Economic Area: the data protection authority in your country of residence 

10. Cookies 

This website uses essential session cookies set by Framer for site operation. No marketing or advertising cookies are set by the data controller. Third-party cookies may be set by the CDN and font providers listed in section 6, and their use is governed by those providers' respective privacy policies.

You can manage cookie preferences via your browser settings. 

11. Changes to this notice 

This notice may be updated to reflect changes in the website's functionality, the services used, or applicable law. The "Last updated" date at the top of this notice indicates the most recent revision. Material changes will be highlighted at the top of the notice for at least 30 days following the revision. 

End of Privacy Notice. For any question regarding this notice, contact francesco.castels@gmail.com.