Data protection provisions of Evoya AI GmbH

Last update: May 17, 2024

1. data types that are collected

A specific list of the personal information collected is not provided by the Data Controller. Comprehensive information on the various categories of personal data processed can be found in the relevant sections of this privacy policy or supplemented by information notices presented to users before their data is collected. Users have the option of voluntarily sharing their personal data or observing how certain usage data is automatically collected as soon as they visit the website. Unless otherwise stated, providing the information requested by the website is necessary to access the services offered. If users refuse to provide this information, the website may not be able to provide its services. If the website indicates the provision of certain data as optional, users are free to provide it or not, without this having any effect on the service. In case of uncertainty about the necessity of certain data, users can contact the person responsible. The use of Cookies or other tracking technologies on this Website and by external service providers serves to provide the services requested by the User, as well as other purposes described in this document and in the Cookie Policy. Users are responsible for any third-party Personal Data collected, published or shared through this Website.

2. data processing and storage

2.1. Processing methods

The controller processes the user’s data carefully and uses adequate protective measures to prevent unauthorized access, sharing, modification or destruction of the information. Processing is carried out with the help of computer technologies or IT-supported systems in accordance with defined organizational processes that are specifically geared towards the defined objectives. In addition to the Controller, internal parties (such as employees of the HR department, sales, marketing, legal department, system administrators) and external parties, if necessary and designated by the Controller as data processors (including technical service providers, delivery services, hosting providers, IT companies, communication agencies), may have access to the data in the context of the operation of this website. The controller can provide a list of these parties on request.

If we process personal data on behalf of customers, this is done on the basis of an order processing contract (AVV) in accordance with Art. 28 GDPR.

Our external service providers and partners who process personal data as part of the service are contractually obliged to comply with the same high data protection standards. These obligations include, among other things:

  • The processing of personal data only in accordance with documented instructions from Evoya AI GmbH.
  • The implementation of suitable technical and organizational measures for data security.
  • The obligation of confidentiality and training of the personnel deployed.
  • Support in the fulfillment of data subject rights in accordance with the GDPR.

2.2. Processing location

The processing of the data takes place both at the location of the controller and at other locations where the parties involved in the data processing may be located.

Depending on the user’s place of residence, the transfer of data may include a transfer to countries outside the user’s own country. Users can view the section with detailed information on data processing to find out more about the processing locations.

2.3. Storage location

Users’ personal data is generally stored and processed in Switzerland. Our servers are located in ISO-certified data centers in Switzerland that comply with the applicable data protection regulations, in particular the GDPR and the Swiss Data Protection Act (DSG).

Individual storage options for customers:
On request, we offer customers the option of storing their data on their own servers or with a cloud provider of their choice. This enables flexible adaptation to internal IT security guidelines and compliance requirements. In this case, responsibility for the security and management of the data lies with the respective customer or their cloud provider.

Further information on storage options and security measures can be provided on request.

2.4. Retention period

Personal Data will be retained for the period necessary to fulfill the purposes for which it was collected, and may be retained for longer periods where required by law or with the User’s consent, unless otherwise specified herein.

3. policy on cookies and tracking

This website uses tracking technologies. For detailed information, please refer to our cookie policy.

4. additional information for users from the European Union

This section is specifically aimed at users within the European Union in accordance with the General Data Protection Regulation (GDPR) and replaces any contradictory information in this privacy policy. Detailed information on the types of data processed, the purposes of data processing, categories of recipients of personal data and further details can be found under “Detailed description of data processing” in this document.

4.1. Basics for data processing

Personal data will only be processed under the following conditions:

  • Users have given their consent for specific processing purposes.
  • The processing is necessary for the performance of a contract with the user or for pre-contractual measures.
  • Processing is necessary for compliance with a legal obligation of the provider.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary to protect the legitimate interests of the provider or a third party.

Upon request, the provider will provide information on the specific legal basis for any data processing, in particular with regard to the necessity of providing personal data.

4.2. Retention period

Personal data is processed and stored in accordance with the original purpose of its collection and, if necessary, stored for a longer period of time due to legal requirements or with the user’s consent.

In concrete terms, this means

  • Data that is collected for the fulfillment of the contract between the provider and the user remains stored until the contract has been completely fulfilled.
  • Data collected on the basis of the provider’s legitimate interests will be stored for as long as is necessary to fulfill these purposes. Users can obtain further information on these interests by contacting the provider.
  • The provider may store data beyond the originally required period with the user’s consent, as long as the consent is not withdrawn. In addition, longer storage may be necessary in order to comply with legal requirements or official orders.

At the end of the retention period, the data will be deleted, which means that rights such as access, deletion, rectification and data portability can no longer be asserted.

4.3. Users’ rights under the GDPR

Users have extensive rights regarding the processing of their data, including:

  • Withdrawal of consent at any time.
  • Objection to data processing if this is not based on consent.
  • Requesting information about your own data, its processing and receiving a copy.
  • Request correction or updating of the data.
  • Request the restriction of processing.
  • Request the deletion of personal data.
  • Receiving the data in a transferable format and transmitting it to another controller.
  • Filing a complaint with the competent supervisory authority.

Users also have the right to be informed about the legal basis for data transfers abroad or to international organizations and about the protective measures taken by the provider.

4.4. Details on the right to object to data processing

If personal data is processed in the public interest, in the exercise of official authority or to pursue the legitimate interests of the provider, users have the right to object to this processing. Such an objection can be made with a justification that addresses the specific situation of the user.

Users are also informed that they can object to the use of their personal data for direct marketing purposes at any time and without giving reasons. If a user objects to processing for these purposes, their data will no longer be used for direct marketing. Users can find information on whether the provider uses personal data for direct marketing purposes in the relevant sections of this document.

4.5. Exercise of user rights

Requests to exercise users’ rights should be sent to the provider using the contact details provided in this document. These requests will be processed by the Owner free of charge and responded to as soon as possible, but no later than one month. The provider will also inform all third-party recipients of any correction, deletion of the data or restriction of processing, unless this is not possible or involves a disproportionate effort. Users will be informed about these third-party recipients on request.

4.6. Procedure for asserting user rights

Users can exercise their data protection rights at any time by contacting us using the contact details provided in this document. Requests for information, rectification, erasure or restriction of processing are usually processed within one month. If a longer processing time is required, users will be informed accordingly.

For proof of identity, it may be necessary for users to provide additional information in order to prevent misuse. If a request is rejected, a reason will be provided.

Complaints in connection with data processing can be submitted to the competent data protection supervisory authority. For users in Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC), for users within the EU the respective national data protection authority.

5. additional information on data collection and processing

5.1. Legal steps

Users’ personal data may be used for legal purposes, in particular if legal action needs to be taken due to improper use of this website or its services. Users acknowledge that the provider may be obliged to disclose personal data in response to an official request.

5.2. Supplementary user data information

In addition to the information provided in this Privacy Policy, the website may provide the user with specific additional information related to certain services or the processing of personal data upon request.

5.3. System logs and maintenance

For operational and maintenance purposes, this website and third-party services may keep system logs that record interactions through this website or use other personal data such as IP address for this purpose.

5.4. Requests for information not listed

If users require further information on data collection or processing that is not contained in this privacy policy, they can contact the provider.

5.5. Changes to the privacy policy

The provider reserves the right to make changes to this privacy policy at any time. Users will be informed on this website and, if necessary, by direct communication, provided this is technically and legally feasible. It is recommended to visit this page regularly to check for any changes, especially with regard to the date of the last update indicated at the bottom of the page. If changes affect the use of data based on the user’s consent, the provider will, if necessary, obtain renewed consent.

6 Definitions and legal framework

6.1. Personal data

Any information that makes it possible to identify a natural person directly or by combining it with other data.

6.2. Usage data

Data collected automatically by this website (or by third-party service providers who provide services for this website). This includes IP addresses or domain names of users’ computers, URI addresses, time of the request to the server, method used to submit the request, size of the response received, status code of the server response, country of origin, details of the browser and operating system used, time spent on individual pages, navigation path in the application and other technical information about the user’s device and IT environment.

6.3. Users

Person who uses the website and is usually identical to the data subject.

6.4. Affected party

Natural person whose personal data is processed.

6.5. Processor

Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

6.6. Responsible person (or operator)

Natural or legal person, public authority, agency or body which determines the purposes and means of the processing of personal data. Unless otherwise specified, this is the operator of the website.

6.7. This website (or application)

The means by which the user’s personal data is collected.

6.8. Service

The service provided by this website as described in the terms of use (if any) and on this website.

6.9. European Union (EU)

Refers to all EU and EEA member states, unless otherwise defined.

6.10. Legal notice

This privacy policy applies solely to this website and the Evoya platform, unless otherwise stated in this document. It should be noted that this Privacy Policy does not cover the data processing practices of third parties that may be accessible through links on this website or within the Evoya platform. We encourage users to consult the privacy policies of such third parties directly, as we are not responsible for their practices and handling of personal data.

Table of contents