Data protection provisions of Evoya AI GmbH

Last update: June 20, 2025

1. introduction and scope of application

The protection of your personal data is our top priority. This Privacy Policy applies to all digital offers, platforms and services of Evoya AI GmbH (hereinafter “Evoya AI”, “we”, “us”), Brunnenstrasse 27, 8610 Uster, Switzerland. It is aimed at users in Switzerland, the European Economic Area (EEA), the EU and beyond.

Our platform brings together various AI models and providers from Switzerland, the EU and international markets. We guarantee maximum transparency, security and compliance with all applicable data protection laws – in particular the Swiss Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR).

2. responsible person and contact

Data controller:
Evoya AI GmbH
Brunnenstrasse 27
8610 Uster
Switzerland
[email protected]

Data Protection Officer (DPO):
Steven Chareonbood
Tel.: +41 (0)44 520 16 48

3. categories of personal data

Depending on the use of our platform, we process the following categories of data in particular:

  • Contact details (surname, first name, e-mail, address, telephone number)

  • Contract and payment data (invoice data, payment method, services booked)

  • Login and profile data (user name, password hash, roles/profile)

  • Platform usage data (chat content, questions asked, answers generated, system logs, IP address, device data)

  • Support and communication data (requests, tickets, feedback, logs)

  • Cookie and tracking data (e.g. session ID, preferences, pseudonymized analysis and marketing data)

Special categories of personal data (such as health data) are only processed if you explicitly enter them into the platform.

4. purposes and legal bases of the processing

Your data will only be processed for clearly defined, legitimate purposes:

  • Provision, operation and technical safeguarding of the platform, its modules and interfaces

  • Enabling access to various AI models and providers (incl. Swiss, European and international providers)

  • Contract processing, invoicing and accounting

  • Support, user communication and assistance

  • Analysis and further development of the platform and services (pseudonymized/anonymized)

  • Marketing, information on new functions, product information and events

  • Compliance with legal obligations and official requirements

  • Safeguarding legitimate interests (e.g. prevention of misuse, IT security, law enforcement)

Legal bases:

  • Performance of the contract (Art. 6 para. 1 lit. b GDPR / Art. 31 para. 2 FADP)

  • Consent (Art. 6 para. 1 lit. a GDPR)

  • Legal obligation (Art. 6 para. 1 lit. c GDPR)

  • Legitimate interest (Art. 6 para. 1 lit. f GDPR; careful consideration, your interests and fundamental rights are always taken into account)

5. processing, storage and security of data

  • Your data is stored in an ISO-certified data center in Switzerland as standard.

  • Unless otherwise instructed by the customer, the data will not be stored outside Switzerland.

  • Customers can also choose to store their data on their own servers (on-premise) or with a cloud provider of their choice; in this case, responsibility for data security and compliance with data protection requirements lies with the customer.

  • We implement modern technical and organizational security measures, such as encrypted transmission, a role-based authorization concept, access restrictions and ongoing data security checks.

  • We only pass on data to authorized persons and contractually bound service providers insofar as this is necessary and a data protection-compliant contract exists.

6. order processing and transfer to third parties

  • External service providers (e.g. hosting, IT support, payment processing, communication) only receive access to personal data insofar as this is necessary for the provision of their service and a valid, GDPR/DSG-compliant order processing contract (AVV) has been concluded.

  • We will provide you with a current list of the relevant processors on request or as part of the DPA.

  • Subcontractors (sub-processors) can be used and are contractually bound by the same data protection standards.

7 International data transmission and location transparency

  • The Evoya AI platform integrates various AI models that enable data processing in Switzerland, the EU and international markets (including the USA).

  • Before using an AI model or service, we provide transparent information about where the respective provider is located (Switzerland, EU/EEA, USA or other countries).

  • For transfers to third countries outside Switzerland/EU/EEA, we ensure that an adequate level of data protection is guaranteed by appropriate safeguards (e.g. standard contractual clauses of the EU Commission/SCC or adequacy decision).

  • Unless you as a customer instruct otherwise, your personal data will be stored and processed exclusively in Switzerland.

8. storage period and deletion

  • Your personal data will only be stored for as long as is necessary for the stated purposes or as required by law.

  • The storage duration of chat content and other usage data can be configured individually by you as the customer on our platform – from a few days to zero data retention (no storage after the end of the session).

  • Your data will be deleted or, if technically not possible, anonymized after the respective period has expired or after the purpose has ceased to exist.

9. automated decision-making / profiling

  • Our platform does not make automated decisions with legal effect for data subjects.

  • The integrated AI models only provide assisting suggestions, answers or analyses.

  • If you as a customer implement profiling or scoring functions based on the platform yourself, the legal responsibility for their permissibility and transparency lies with you.

10. rights of the data subjects

You have the following rights under the FADP and GDPR at all times:

  • Information about the personal data stored about you

  • Correction of incorrect or incomplete data

  • Deletion of your data, provided there are no statutory retention obligations to the contrary

  • Restriction of the processing of your data

  • Data portability (provision of your data in a machine-readable format)

  • Objection to processing for reasons arising from your particular situation

  • Revocation of granted consent with effect for the future

  • Right to lodge a complaint with a data protection supervisory authority (Switzerland: FDPIC, EU: national supervisory authority)

Please send your inquiries to [email protected]. We will process your request immediately, at the latest within one month.

11. cookies and tracking

Our platform and website use cookies and similar technologies:

  • Technically necessary cookies (login, security, session management)

  • Functional cookies (preferences, language settings)

  • Analysis and statistics cookies (usage statistics, error analyses – pseudonymized)

  • Marketing/tracking cookies (only with consent)

Further information and your setting options can be found in our cookie policy. You can customize your cookie preferences at any time.

12. data protection for minors and school use

Our services are generally aimed at persons aged 16 and over or persons for whom the relevant consent has been given by a responsible person (e.g. school authority, school management, directorate). When schools use our platform, the use is based on a contract with the respective institution, which is responsible for complying with data protection requirements and obtaining the necessary consent.

13. changes to the data protection provisions

We reserve the right to amend these data protection provisions at any time, for example in the event of legal or technical changes. The current version is always available on our website. You will be notified of any significant changes by e-mail before they come into force or the next time you log in.

14 Validity and supplementary information

This Privacy Policy applies to all digital offerings and services of Evoya AI GmbH, including our platform, website, APIs and subdomains. We assume no responsibility for linked third-party offers or services – their own data protection provisions apply.

Should individual provisions of this declaration be or become invalid, this shall not affect the validity of the remaining provisions.

Contact and exercise your rights:
For questions, concerns or to exercise your data protection rights, please contact [email protected] or send a letter to the above address.

Table of contents