Privacy Policy
This English text is a machine translation provided for informational purposes only. The legally binding version is the German original.
Last updated: May 31, 2026
This privacy policy describes how Meda Esthetic Lukic, based in Zurich, Switzerland, collects, processes, and protects personal data in accordance with the Swiss Federal Act on Data Protection (nFADP).
Our services are directed exclusively to persons residing in Switzerland. The English version exists for Switzerland's multilingual community. Reading it in English does not mean we offer services outside Switzerland.
Responsible party
Branislav Lukić
Meda Esthetic Lukic
Goldbrunnenstrasse 149
8055 Zürich
info@meda-esthetic.ch
+41 79 840 88 13
https://meda-esthetic.ch
UID: CHE-245.867.775
VAT No.: CHE-245.867.775 MWST
CH-ID: CH-020-1102525-2
We are responsible for all processing described in this policy.
For customers receiving treatments at our studio
This section describes the personal data we process when you visit Meda Esthetic Lukic for an aesthetic treatment, separately from our website. If you scanned the QR code in the studio, this is the relevant section for you.
Persons under 18
Treatments may be performed on persons under 18 only with the explicit consent of a parent or legal guardian. The same requirement applies to photographs and any other personal data we process about a minor.
Information you share verbally before each treatment
Before every treatment, we ask you to inform the practitioner of anything that affects treatment safety — current conditions, medications, allergies, recent treatments, pregnancy or breastfeeding, and similar.
This information is provided verbally and is not recorded, transcribed, or stored in any file, paper or digital. The practitioner uses what you share in the moment to decide whether the treatment is safe and how to adjust it. Because nothing is carried forward, we ask you the same questions again at every visit.
You are responsible for keeping the practitioner informed each time you come in. If you choose not to share information that is relevant to treatment safety, we cannot proceed with the treatment.
What we record about your treatment
We keep an operational record of each visit so we can plan follow-ups, support continuity across sessions, and meet our accounting obligations. The record contains:
- The treatment(s) performed
- Device settings (e.g. Candela Nordlys parameters)
- Products applied
- Date of the visit
- Practitioner
This record contains no health, condition, or anamnesis fields. It is stored in our studio management system (see Booking and customer management below).
Photographs and video
We may take photographs (and occasionally short video) of the treatment area before, during, and after a treatment. We use them in two clearly separated ways:
a) For your treatment record
Used internally so the practitioner can compare results across sessions, plan adjustments, and document what was done. Stored alongside the rest of your treatment record. Legal basis: performance of the treatment contract.
If you do not wish photographs to be taken at all, please tell the practitioner before the treatment begins. In most cases we can still treat you. For some treatments, photographs are necessary to plan follow-up sessions safely — we will tell you before the treatment starts if that applies.
b) For marketing or educational use (Instagram, website, advertising)
Only with your separate, explicit, opt-in consent. You can withdraw it at any time, in writing, by email or in person. After withdrawal we will stop using your photographs in any new marketing or educational material, and we will remove them from channels we directly control (e.g. our website and Instagram account) as quickly as we reasonably can. We cannot guarantee removal in every case: material that has already been printed, distributed, indexed by search engines, embedded in third-party platforms, cached, or saved by other users may remain in circulation outside our control.
We will not use any photograph of you for marketing without your consent on record.
Other marketing communication
We do not send promotional newsletters or unsolicited marketing emails. We do not publish customer reviews or testimonials on our website or social media.
Communication with you
When you book or visit, we may contact you by:
- Email (appointment confirmation, follow-up care, reminders)
- WhatsApp Business or SMS (the same purposes, and to answer questions you send us)
- Appointment availability: we may proactively message you via WhatsApp or SMS if a relevant slot becomes available — only in connection with a stated interest from you (waiting list, prior request)
WhatsApp messages are processed by Meta, including a transfer to the United States — see WhatsApp (Meta) below for the processor details. If you prefer not to use WhatsApp, you can always use email or phone.
Booking and payment
Your bookings, contact details, and operational treatment record are stored in our studio management system (Phorest — see Booking and customer management). Payment data is processed by SumUp or TWINT — see Payment processing. We do not retain card numbers ourselves.
Effect of declining
- Declining to share safety-relevant information with the practitioner before treatment — we cannot perform the treatment.
- Declining marketing or photo consents — no impact on the treatment itself.
Your rights as a customer
The same rights described in Your rights under Swiss law apply to your customer data: access, correction, deletion (where the law allows), portability, objection, and complaint to the FDPIC.
To exercise any of these rights, contact us at info@meda-esthetic.ch.
How long we keep customer data
- Operational treatment record (treatments performed, device settings, products, dates, practitioner): 3 years after your last appointment.
- Photographs taken for the treatment record: 3 years after your last appointment.
- Photographs you have consented to for marketing or educational use: as long as your consent stands; on withdrawal we stop new use and remove from channels we directly control as quickly as we reasonably can — see Photographs and video above for limits.
- Booking and contact data: 3 years after your last appointment.
- Payment-related records (invoices, receipts): 10 years (Swiss Code of Obligations, Art. 958f).
- Customer communication (email, WhatsApp, SMS): 12 months; longer in case of a dispute.
For website visitors
This section describes the personal data we process for visitors to our website and people who contact us without booking a treatment. If you are a customer receiving treatment at our studio, see the section above.
Scope
This privacy policy applies exclusively to persons residing in Switzerland, including:
- Visitors to our website
- Customers and potential customers
- Persons who contact us (email, phone, WhatsApp)
- Anyone whose personal data we process for our aesthetic services in Switzerland
If you visit our website from outside Switzerland, basic technical data (such as IP address) may be processed by our infrastructure providers for security and analytics. We do not actively market our services to, or maintain customer records about, persons residing abroad.
Categories of personal data we process
We may collect and process the following data from website visitors and people who contact us without booking a treatment:
- Identity and contact data (when you reach out): name, email address, phone number
- Communication data: emails, WhatsApp or SMS messages
- Technical data: IP address, browser and device information, access time (used for security and aggregated analytics)
For data processed when you receive treatments at our studio, see For customers receiving treatments at our studio above.
We do not store sensitive personal data such as health data.
We collect personal data directly from you unless otherwise indicated in this policy.
Purpose of data processing
We use your data only for the following purposes:
- To book, manage, and confirm appointments
- To respond to inquiries and communicate with customers
- To send reminders or service-related messages
- To operate, secure, and improve our website
- To comply with applicable retention and legal obligations in Switzerland
Data sharing and service providers
We work with service providers to host, secure, and run our digital infrastructure. Each one is contractually bound to Swiss data-protection standards.
a) Website hosting
Our website is hosted by:
Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
USA
www.vercel.com
Vercel hosts our website and processes technical data (e.g. IP address, access logs) for security and operational purposes. Hosting and data processing take place entirely in the EU region (Frankfurt, Germany). See Vercel's Privacy Policy for details.
b) DNS and security services
We use:
Cloudflare, Inc.
101 Townsend Street
San Francisco, CA 94107
USA
www.cloudflare.com
Cloudflare provides secure DNS routing, traffic filtering, and website performance optimization. Anonymized technical data may be transmitted through Cloudflare's global infrastructure. Cloudflare follows Swiss data-protection standards.
c) Analytics
We use the following analytics services:
Plausible Insights OÜ
Västriku tn 2, 50403 Tartu
Estonia
https://plausible.io
Plausible Analytics is a privacy-first analytics tool. It does not use cookies, does not collect personal data, and does not track individual visitors. All analytics data is aggregated and anonymous. Data is processed within the European Union.
Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
USA
https://vercel.com/analytics
We also use Vercel Analytics and Vercel Speed Insights. These services help us understand website usage and monitor performance (Web Vitals). They are loaded only after you opt in to analytics in our cookie settings.
These services do not use cookies and do not collect personally identifiable information. Data collected includes page views, referrers, browser type, operating system, device type, country, and performance metrics (e.g. page load time). All data is aggregated and cannot be traced to individual visitors. Data is processed on servers in the EU (Frankfurt, Germany).
We do not sell or rent your personal data.
d) Google Maps
Our website uses Google Maps to display maps.
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland
https://policies.google.com/privacy
To use Google Maps, your IP address needs to be stored. This information is typically transmitted to a Google server in the USA and stored there.
The use of Google Maps only occurs when you click "Load map" and thereby give your consent to data transmission.
Legal basis: Your consent under the Swiss Federal Act on Data Protection (nFADP). While Google Ireland Limited is an EU entity, our use of Google Maps and the processing of your data in this context is governed by Swiss law (nFADP), not the EU General Data Protection Regulation (GDPR).
e) WhatsApp (Meta)
We offer WhatsApp as one way to contact us and book appointments.
WhatsApp Ireland Limited
4 Grand Canal Square
Dublin 2, Ireland
https://www.whatsapp.com/legal/privacy-policy
When you contact us via WhatsApp, your phone number, name, message content, and metadata (e.g., timestamps) are processed by WhatsApp (Meta Platforms). WhatsApp uses end-to-end encryption for messages. Meta may process metadata under its own privacy policy.
The use of WhatsApp is voluntary. You may always contact us via email or phone instead.
f) Instagram (Meta)
Our website contains a link to our Instagram profile (@meda_estheticzh).
Meta Platforms Ireland Limited
4 Grand Canal Square
Dublin 2, Ireland
https://privacycenter.instagram.com/policy
We do not embed Instagram content on our website. However, if you visit our Instagram profile by following the link, Meta's privacy policy applies to your interaction with that platform. No data is transferred to Meta by visiting our website alone.
g) Email hosting
Our email is hosted by:
Infomaniak Network SA
Rue Eugène-Marziano 25
1227 Genève
Switzerland
https://www.infomaniak.com/en/legal/privacy-policy
Infomaniak stores all email data exclusively in Switzerland.
h) Booking and customer management
We use:
Phorest (nDevor Systems Ltd)
9 Anglesea Row
Dublin 7, D07 W5NE
Ireland
https://www.phorest.com/privacy/
Phorest is our studio management system used for appointment booking, customer profiles, service history, and appointment reminders. When you book an appointment, your name, contact details, and booking information are stored in Phorest. Phorest processes data under EU data-protection rules.
Geographic scope and data transfers
Some data may be processed outside Switzerland by providers like Vercel, Cloudflare, Meta, SumUp, or Phorest. Where that happens, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.
This website and our services are governed exclusively by Swiss law (nFADP) and are not subject to the privacy laws of other jurisdictions.
Cookies and website analytics
Our website uses a small number of cookies to ensure functionality:
- Essential cookies – necessary for navigation and storing your cookie preferences
- Functional cookies – such as Google Maps, only loaded with your consent
We use Plausible Analytics, Vercel Analytics, and Vercel Speed Insights for website statistics. These services are loaded only after you opt in to analytics in our cookie settings. None of them uses cookies or collects personal data (see section c above).
No advertising or behavioral profiling cookies are used. You can manage your cookie preferences at any time using the cookie settings in the footer of every page, or disable cookies directly in your browser.
For more details, please see our Cookie Policy.
Country-based language redirect
When you visit the site root, Vercel's edge infrastructure tells our server which country your request is coming from (derived from your IP address). We use this to send you to the German or English version of the site. The country and IP are not stored by us, and no profile is built from them.
Payment processing
Payments at our studio are processed via card terminals, TWINT, or cash. We do not store credit card numbers or payment details ourselves.
Card and cash payments are processed by:
SumUp Limited
Block 8, Harcourt Centre
Charlotte Way, Dublin 2
Ireland
https://www.sumup.com/privacy
SumUp processes payment data in accordance with applicable security standards (PCI DSS). We only retain proof of payment as required for accounting purposes.
TWINT transactions are processed by:
TWINT AG
Stauffacherstrasse 41
3014 Bern
Switzerland
https://www.twint.ch/en/privacy
Legal bases
We process personal data on the following bases under the nFADP:
- Performance of a contract — for processing needed to deliver the treatments and services you book with us, including the operational treatment record, photographs taken for that record, appointment confirmations, follow-up care, and reminders.
- Legitimate interest — for security and operational integrity of our website and infrastructure (e.g. server logs, abuse prevention), and for keeping treatment records to support follow-ups and defend against potential claims.
- Legal obligation — primarily to retain accounting and invoice records as required by the Swiss Code of Obligations (Art. 958f, ten years).
- Consent — for any processing where we ask for it explicitly: photographs used for marketing or educational purposes, loading of Google Maps, optional analytics services, and proactive availability messages where you have asked to be contacted.
Automated decision-making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. All decisions regarding your treatments and services are made by our team personally.
AI-assisted tools
We use AI-assisted tools for limited administrative purposes — drafting communications, scheduling assistance, marketing content, and reviewing aggregate financial summaries. We do not enter personal data into these tools, and no customer data is used as input.
AI is not used for treatment decisions, treatment-safety assessment, or any decision affecting how we treat a customer. Treatment decisions are made by the practitioner, in person.
Data security
We implement technical and organizational measures to protect personal data, including:
- SSL-encrypted communication
- Two-factor authentication on administrative accounts
- Access to customer data restricted to staff on a need-to-know basis
- Secure access control for service providers
- Regular infrastructure backups
If a data breach occurs that poses a risk to your rights, we will notify the Federal Data Protection and Information Commissioner (FDPIC) and inform affected individuals as required by the nFADP.
Data storage
We store personal data only as long as necessary, according to Swiss legal provisions. Customer-specific retention is detailed in How long we keep customer data above. For website and general inquiries:
- Financial and accounting records: 10 years (Swiss Code of Obligations, Art. 958f)
- General communication (email, WhatsApp, SMS not tied to a customer record): 12 months
- Web analytics data: anonymized, up to 26 months
Your rights under Swiss law
Under the nFADP, you have the right to:
- Access to your personal data
- Correction of incorrect or outdated data
- Deletion of your data (to the extent legally permitted)
- Data portability (receiving your data in a commonly used format)
- Objection to processing in certain cases
- Information about how your data is used
To exercise these rights, please contact us at info@meda-esthetic.ch. We may require proof of identity to verify your request.
If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC):
EDÖB
Feldeggweg 1
3003 Bern
https://www.edoeb.admin.ch
Changes to this privacy policy
We may update this privacy policy. The current version is always on this page.
Applicable law and jurisdiction
This privacy policy is subject exclusively to the laws of Switzerland. Jurisdiction is Zurich, Switzerland. The language of proceedings is German.