LEGAL

Data Privacy

Last updated: 2026-05-06

This Privacy Policy applies to influencers, clients, partner agencies, and website visitors interacting with Vishnu Media. It fulfils the transparency requirements under the EU GDPR (Regulation 2016/679), the Swiss revised Federal Act on Data Protection (revDSG / nFADP), the UK GDPR, the California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), and other equivalent US state privacy laws.

1. Who We Are (Controller Information)

Lorenz Hampl, operating under the trade name “Vishnu Media” (“we”, “us”, “our”), acts as Data Controller, and in certain cases Data Processor, for influencer marketing, digital campaign execution, and talent management activities.

Contact for privacy matters:
hello@vishnumedia.com
Wildbachstrasse, 8008 Zurich, Switzerland

No Data Protection Officer (DPO) is legally required for our scale of processing, but privacy inquiries are handled directly by Lorenz Hampl.

2. Categories of Personal Data We Collect

We collect and process the following categories of data:

A. Influencers & Talents

  • Identification data (name, address, email, phone)
  • Social media handles & links
  • Analytics tokens / API keys
  • Content files (videos, images, captions)
  • Payment information
  • Contracts and communication records
  • Demographic data (e.g., age, gender, nationality)
  • Special-category data, agreed by collaborating with Vishnu Media under the terms of this Privacy Policy, including:
    • racial or ethnic origin
    • gender identity
    • beliefs
    • lifestyle details
    • hobbies and preferences
    • public social media profile information

B. Clients

  • Contact data
  • Billing data
  • Campaign documentation
  • Contracts
  • Communication records

C. Partner Agencies

  • Contact information
  • Influencer-related data shared for campaign execution
  • Contract data

D. Website Visitors

When you visit this website, we may process the following categories of data:

  • IP address — handled transiently by Vercel (our hosting provider) for request routing and standard access logging. Not stored beyond Vercel’s standard log retention.
  • Device/browser metadata transmitted to Google Analytics 4 — user-agent, viewport dimensions, screen resolution, language preference, referrer URL, and IP address. This data is transmitted as part of standard HTTP requests both before and after your consent. Before consent, it is sent as part of Google’s “cookieless pings” used for aggregate counting and approximate geographic reporting only — no cookies are set, no persistent identifier is created, and no individual tracking takes place. After you click “Accept all” on the consent banner, the same data flow is then tied to a _ga visitor cookie that enables session reconstruction and individual-visitor analytics.
  • Cookie identifiers — _ga, _ga_* (set only after you click “Accept all” on the consent banner — these are NOT set during the pre-consent cookieless-pings flow described above); vm_consent (functional, exempt from consent — stores your consent choice).
  • Contact form submissions — name, email address, persona selection, brand or social handle (where provided), and your message text. Sent via Resend (transactional email service). Retention: 90 days unless an engagement begins, in which case retention follows §8.
  • Anti-spam telemetry — Cloudflare Turnstile token, which is a cryptographic challenge result. No personally identifiable information.
  • Rate-limit identifiers — your IP address is used as a key in our Upstash Redis rate-limiter to enforce per-IP request limits on /api/contact (5 requests per 1 hour, sliding window). Per the underlying Upstash sliding-window implementation, the IP is the cache key for transient rate-limit state; it is not stored beyond what Upstash needs to track the sliding window.

3. Purposes of Processing

We process data for:

  • Campaign execution & influencer coordination
  • Communication and contract management
  • Analytics & performance evaluation
  • Payment processing
  • CRM and business development
  • Fraud prevention & security
  • Website functionality and optimization
  • Compliance with legal obligations

4. Legal Basis (GDPR Art. 6)

Processing is based on:

  • Art. 6(1)(b) — Contractual necessity
  • Art. 6(1)(f) — Legitimate interests (marketing coordination, fraud prevention, analytics)
  • Art. 6(1)(a) — Consent (cookies, analytics, special-category data)
  • Art. 6(1)(c) — Legal obligation (invoicing, accounting)

We do not sell personal data.

5. Data Sources (GDPR Art. 14)

When data is not collected directly, we may receive it from:

  • Clients
  • Partner agencies
  • Public social media profiles
  • Public websites
  • Tools such as Google Analytics
  • Website contact form submissions

6. Sharing & Disclosure of Data

6.1 Website-data subprocessors

The following subprocessors may process data of website visitors. All are bound by data processing agreements; data leaves Switzerland in some cases (US-based providers) under EU Standard Contractual Clauses + Swiss Addendum + UK Addendum where applicable.

Subprocessor | Purpose | Country
Vercel Inc. | Hosting, edge compute, access logs | US
Cloudflare Inc. | Turnstile anti-spam (cookieless) | US
Resend Inc. | Transactional email (contact form delivery) | US
Upstash Inc. | Rate-limit Redis (per-IP sliding-window state for 5 requests / 1 hour) | US
Google LLC | Google Analytics 4 — advanced Consent Mode v2: cookieless pings (UA / referrer / IP / screen-res transmitted in standard HTTP, no cookies set) before consent; _ga / _ga_* analytics cookies after consent | US

6.2 Service-delivery subprocessors

When you engage Vishnu Media for influencer marketing services or partner with us as an influencer or partner agency, the following subprocessors may process your data:

  • Google Workspace — internal collaboration, email, document storage
  • Airtable — campaign coordination and CRM
  • Stripe / PayPal / Wise — payment processing (used per engagement)
  • Other cloud providers and contractual partners as required for specific engagements

All subprocessors are bound by data processing agreements. A full current list is available on request to hello@vishnumedia.com.

7. International Transfers

Data may be transferred internationally. Transfers are safeguarded by:

  • EU Standard Contractual Clauses (SCCs)
  • Swiss Addendum (revDSG)
  • UK Addendum
  • Adequacy decisions, where applicable

8. Retention Periods

Data is kept only as long as necessary.

  • Financial records: 10 years (Swiss commercial law requirement)
  • Contractual data: duration of the relationship + statutory limits
  • Analytics data (GA4): Google-defined retention periods
  • Contact form submissions: 90 days (see §2.D)

Data may be anonymized when possible.

9. Rights of Data Subjects

EU, CH, UK, and US users may request:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Objection
  • Data portability
  • Withdrawal of consent

US users (CPRA/CCPA) additionally have the right to:

  • Know personal data categories sold/shared (we do not share for cross-context advertising)
  • Non-discrimination
  • Limit use of sensitive data

Requests: hello@vishnumedia.com

10. Automated Decision-Making & Profiling

We may conduct non-automated profiling related to:

  • Influencer selection
  • Campaign matching
  • Performance analytics

No automated decisions producing legal effects are made.

11. Security Measures (TOMs)

We implement the following technical and organizational measures:

  • Encryption (data in transit and at rest, where supported by the underlying service)
  • Access controls (role-based, principle of least privilege)
  • Secure storage (managed cloud services with industry-standard security)
  • 2FA on tools that support it
  • Audit logging where available
  • Endpoint protection (operating-system-level)
  • Data minimization (we collect only what is needed)

12. Joint Controller Information (Social Media Platforms)

When you interact with Vishnu Media on social platforms, joint controllership may apply under GDPR (e.g., Facebook/Instagram Insights). Data may be co-processed by:

  • Meta Platforms Ireland Ltd.
  • TikTok Technology Limited
  • YouTube/Google LLC

Each platform’s privacy policy applies.

13. Cookies & Tracking Tools

We use a minimal cookie footprint. There are no marketing cookies, no advertising trackers, no social-media pixels, and no third-party embeds that set cookies on this site.

Strictly necessary cookies

Set without your consent — exempt under EU ePrivacy Directive Art. 5(3) and Swiss revDSG.

Cookie | Purpose | Retention
vm_consent | Stores your consent choice for analytics cookies | 1 year

Analytics cookies

Set only after you click “Accept all” on the consent banner.

Cookie | Purpose | Retention
_ga, _ga_* | Google Analytics 4 visitor and session identifiers; configured with anonymize_ip: true | 13 months (explicitly set via cookie_expires: 33696000 — GA4 default is 2 years; we shorten it to 13 months)

Default state — what happens before you choose

When you first arrive on this site, the vm_consent cookie is absent and the consent banner is displayed. Google Analytics 4 runs in advanced Consent Mode v2 with analytics_storage defaulted to “denied”. In this state, GA4 emits anonymous “cookieless pings”: no _ga cookies are set, no persistent identifier is created, and no individual tracking takes place. However, these pings DO transmit your IP address, user-agent, referrer URL, and screen resolution to Google as part of standard HTTP request data — used for aggregate counting and approximate geographic reporting only. We disclose this honestly because hiding it would be inaccurate under GDPR Art. 13 transparency requirements. We chose advanced Consent Mode (over a banner-gated load) because it preserves aggregate visibility on visitors who decline analytics consent without setting any cookies on their device.

After you accept

When you click “Accept all” on the banner, only analytics_storage is granted to _ga cookies. We do not grant ad_storage, ad_user_data, or ad_personalization consent because we run no advertising, no remarketing, and no Google Ads tags on this site.

After you reject

Cookieless pings continue (same data transmitted as before consent — IP / UA / referrer / screen-res — for aggregate counting only). No _ga cookies are set. No individual tracking.

Withdrawing consent

Click “Manage cookies” in the site footer. This immediately updates Google Analytics consent to denied, clears all _ga / _ga_* cookies, clears the vm_consent cookie, and re-displays the banner — so withdrawal takes effect from the moment you click, not only after you re-click “Reject all”. Clicking “Reject all” on the re-displayed banner keeps you in the same denied state. You can re-grant consent at any time by clicking “Accept all” on the re-displayed banner.

Legal basis

Consent (GDPR Art. 6(1)(a) + Swiss revDSG equivalent) for the post-consent analytics cookies. Legitimate interest (Art. 6(1)(f)) for the cookieless-ping data flow described above (aggregate analytics on a small studio’s marketing site, balanced against minimal privacy impact). Functional necessity for vm_consent itself (stores your consent decision).

14. Children

We do not knowingly process data from individuals under 16 in the EU, or under 13 in the US, unless explicit parental consent is provided.

15. Changes to the Policy

We may update this Policy to reflect operational or legal changes. The updated version replaces prior versions.

16. Supervisory Authorities

  • EU: You may lodge a complaint with your local Data Protection Authority.
  • CH: FDPIC — Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
  • UK: ICO — Information Commissioner’s Office

Data Processing Agreement (DPA)

1. Parties

This DPA forms part of the commercial agreement between Lorenz Hampl, operating under the trade name “Vishnu Media” (Processor) and the Client or Partner (Controller).

2. Subject Matter

Processing personal data for influencer campaigns, communication, coordination, payments, analytics, and reporting.

3. Duration

During the contractual relationship and as required by law.

4. Nature & Purpose of Processing

Campaign management, influencer communications, performance analytics, administration, and payment management.

5. Data Subjects

Influencers, clients, partners, staff, contractors.

6. Personal Data Categories

Identifiers, influencer data, analytics, communication logs, payment data.

7. Processor Obligations

  • Follow controller instructions
  • Maintain confidentiality
  • Implement TOMs (see §11 above)
  • Assist with data subject requests
  • Notify breaches within 72 hours
  • Maintain processing records

8. Subprocessors

Controller authorizes use of subprocessors such as: Google Workspace, Airtable, PayPal, Stripe, Wise, Vercel hosting. A full list is available on request.

9. International Transfers

Protected by SCCs, Swiss Addendum, UK Addendum, adequacy decisions.

10. Security

Industry-standard technical and organizational measures (see §11 above for the published list).

11. Data Return/Deletion

At contract end or by request unless legal retention is required.

12. Audits

Controller may request audit documentation or conduct audits.

13. Liability

Liability follows applicable privacy laws and the underlying contract.

14. Governing Law

Swiss law, courts of Zurich, Switzerland.

15. Consent by Continued Engagement (Influencers, Clients & Partners)

By continuing any form of collaboration with Vishnu Media, including participation in campaigns, sharing influencer data, reviewing briefs, onboarding, using our services, or ongoing communication, you:

  • acknowledge that you have access to this Privacy Policy and DPA,
  • understand how your data is processed, and
  • agree to the collection, use, storage, and processing of your personal data (including voluntarily provided demographic or special-category data) in accordance with this Policy.

If you do not agree, you must discontinue all collaboration and notify us immediately.