Privacy Policy
This Privacy Notice explains how Exosys Sàrl (doing business as Exosys), a company registered in the Canton of Valais, Switzerland (UID CHE-272.220.665), collects, uses, stores, and shares your personal information when you use our services ("Services"), including when you visit www.exosys.ch or any website that links to this notice, or engage with us through sales, marketing, support, or events.
We are the controller of your personal data within the meaning of the Swiss Federal Act on Data Protection (FADP/nDSG), the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable privacy laws described in this notice.
If you have questions, contact us at legal@exosys.ch.
1. What information do we collect?
Personal information you provide
We collect personal information you voluntarily provide when you create an account, express interest in our products or services, participate in activities on our Services, or contact us. This may include:
- Names
- Email addresses
- Phone numbers
- Mailing and billing addresses
- Usernames and passwords
- Contact preferences
- Authentication data
We do not process sensitive personal information (such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation).
We do not collect personal information from third parties.
We do not sell your personal information, nor do we share it with third parties for cross-context behavioural advertising.
Payment data
If you make a purchase, your payment data is collected and processed exclusively by Stripe. We do not store full credit card information on our servers. Stripe's privacy policy is available at stripe.com/privacy.
Accuracy
All personal information you provide must be true, complete, and accurate. You must notify us of any changes. You can update your information at any time via your account dashboard.
2. How do we process your information?
We process your personal information for a variety of reasons depending on how you interact with our Services, including to:
- Manage accounts. Create, authenticate, and maintain your user account.
- Deliver services. Provide the products and services you request.
- Respond to inquiries. Address your questions and resolve issues.
- Send administrative communications. Notify you of changes to terms, policies, or service updates.
- Fulfil orders. Process payments, returns, and exchanges.
- Request feedback. Contact you about your use of our Services.
- Protect our Services. Monitor for fraud, security incidents, and abuse.
- Protect vital interests. Act when necessary to prevent harm.
- Product licensing. Generate licence data to protect our software products from piracy.
3. What legal bases do we rely on?
We only process your personal information when we have a valid legal basis to do so under applicable law.
Under the Swiss FADP (nDSG)
Under the Swiss Federal Act on Data Protection (in force since 1 September 2023), personal data may be processed in good faith and in a proportionate manner. We rely on:
- Consent — where you have given explicit consent for a specific purpose.
- Contract performance — where processing is necessary to perform or prepare a contract with you.
- Overriding interest — where we or a third party have a legitimate overriding interest (e.g., security, fraud prevention, product improvement, software piracy protection), provided your fundamental rights are not adversely affected.
- Legal obligation — where we are required to process data by Swiss law.
Under the EU GDPR and UK GDPR
If you are in the European Economic Area (EEA) or the United Kingdom, we rely on:
- Consent. You may withdraw your consent at any time.
- Performance of a contract. Processing is necessary to fulfil our contractual obligations to you.
- Legitimate interests. Processing is reasonably necessary to achieve our business interests (such as diagnosing problems, improving user experience, and protecting software from piracy) and those interests do not outweigh your rights and freedoms.
- Legal obligations. Processing is required to comply with applicable law.
- Vital interests. Processing is necessary to protect someone's life or safety.
Under US privacy laws
If you are a resident of a US state with a comprehensive privacy law — including California (CCPA/CPRA), Virginia, Colorado, Connecticut, and others — we process your personal information in accordance with the applicable state law. In particular:
- We do not sell your personal information as defined under any US state privacy law.
- We do not use your personal information for targeted advertising or cross-context behavioural advertising.
- We do not use or disclose sensitive personal information for purposes beyond those necessary to provide the Services.
For details on your rights under US state laws, see Section 13 — Region-specific rights.
Under Canadian law (PIPEDA)
If you are in Canada, we process your information with your express or implied consent. You may withdraw your consent at any time. In exceptional cases, we may process your information without consent as permitted by law — for example, for fraud investigation, compliance with court orders, or where collection is clearly in an individual's interest and consent cannot be obtained in time.
4. When and with whom do we share your data?
We may share your personal information in the following situations:
- Service providers. We share data with third-party vendors who perform services on our behalf (e.g., Stripe for payment processing). These providers are contractually bound to process your data only as instructed by us and in compliance with applicable data protection law.
- Business transfers. In connection with a merger, acquisition, sale of assets, or similar transaction, your data may be transferred. Any acquiring entity will be required to honour the commitments made in this Privacy Notice.
- Legal requirements. We may disclose your data where required by law, regulation, court order, or governmental authority.
We do not sell your personal information. We do not share your data with third parties for their own marketing or advertising purposes.
5. International data transfers
Our servers and service providers may be located outside Switzerland and the EEA, including in the United States. This means your personal data may be transferred to, stored, and processed in countries that may not provide the same level of data protection as your home country.
When we transfer personal data outside Switzerland or the EEA, we ensure an adequate level of protection through one or more of the following safeguards:
- Transfer to a country recognised as providing adequate protection by the Swiss Federal Council or the European Commission.
- Use of Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by the Swiss FDPIC.
- Other lawful transfer mechanisms under Art. 16–17 of the Swiss FADP or Chapter V of the GDPR.
Stripe (payment processing, USA) — transfers covered by SCCs and Stripe's Data Processing Agreement. See stripe.com/privacy.
You may request a copy of the safeguards we use for international transfers by contacting us at legal@exosys.ch.
6. Cookies and tracking technologies
We use cookies and similar technologies when you interact with our Services. Our use of cookies is limited to strictly necessary and functional purposes:
- Session management — keeping you logged in and maintaining session state.
- Security — preventing crashes, detecting fraud, and protecting your account.
- Preferences — remembering your language and display settings.
We do not use cookies for analytics, advertising, behavioural tracking, or profiling. We do not permit third-party advertising trackers on our Services.
Most browsers accept cookies by default. You can configure your browser to reject or remove cookies, but doing so may affect certain features. For more details, see our Cookie Policy.
7. AI-based products and services
As part of our Services, we may offer products or features powered by artificial intelligence, machine learning, or similar technologies ("AI Products"). These are currently designed for:
- Machine learning models (e.g., threat detection, anomaly classification)
- Text analysis (e.g., log parsing, automated reporting)
How we handle your data in AI Products
- Hosted entirely on our own infrastructure. All AI processing runs on Exosys-owned servers and neural processing units (NPUs). Your data is never sent to third-party AI providers, cloud-based AI APIs, or external machine learning platforms.
- No training on customer data. We do not use your personal information or customer data to train our AI models. Model training is performed exclusively on anonymised or synthetic datasets.
- Purpose limitation. Personal data processed by AI Products is used only for the specific service function you have requested or that is described in your service agreement.
- No data leaves our systems. Because our AI infrastructure is self-hosted, your data remains within our controlled environment at all times during AI processing.
- Human oversight. Automated decisions that may significantly affect you are subject to human review upon request.
8. How long do we keep your data?
We retain your personal information only for as long as necessary to fulfil the purposes described in this notice, unless a longer period is required by law.
| Data category | Retention period |
|---|---|
| Account information | Duration of your account + 30 days after deletion request |
| Billing and transaction records | 10 years (Swiss commercial record-keeping, Art. 958f CO) |
| Support and inquiry correspondence | 3 years after resolution |
| Security and access logs | 12 months |
| Marketing consent records | Duration of consent + 3 years |
| Licence and anti-piracy data | Duration of the licence + 2 years |
When we no longer have a legitimate business need to process your information, we will delete or anonymise it. If deletion is not immediately possible (e.g., backup archives), we will securely isolate it from further processing until deletion is feasible.
9. How do we protect your data?
We implement appropriate technical and organisational security measures to protect your personal information, including encryption in transit (TLS) and at rest, access controls, regular security assessments, and incident response procedures.
10. Children's privacy
Our Services are not directed at children under 18 years of age (or under 16 in jurisdictions where that is the applicable threshold). We do not knowingly collect, solicit, or sell personal information from minors. If we learn that data has been collected from a person under the applicable age, we will deactivate the relevant account and promptly delete the data. If you believe a minor has provided us with personal information, please contact us at legal@exosys.ch.
11. Your privacy rights
Depending on your location, applicable data protection law grants you certain rights over your personal information. We provide self-service tools for the most common requests via your account dashboard, where you can:
- Update your contact information and profile details.
- Download a copy of your personal data in a portable format.
- Delete your account and erase all associated personal data.
For any request that cannot be completed through self-service, contact us at legal@exosys.ch.
Rights under Swiss, EU, and UK law
If you are in Switzerland, the EEA, or the UK, you may have the right to:
- Access your personal data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests or for direct marketing.
- Automated decision-making — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to exceptions.
Filing a complaint
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the relevant supervisory authority:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
- EEA: Your local Data Protection Authority
- UK: Information Commissioner's Office (ICO)
We appreciate the opportunity to address your concerns before you contact a supervisory authority.
Opting out of marketing
You can unsubscribe from marketing communications at any time by clicking the unsubscribe link in our emails or by contacting us. We may still send you non-marketing, service-related messages.
12. Do-Not-Track and opt-out signals
Some browsers and devices transmit Do-Not-Track ("DNT") or Global Privacy Control ("GPC") signals. Since our website does not use analytics, advertising, or behavioural tracking cookies, we do not engage in the types of tracking these signals are designed to prevent.
Where required by applicable US state law, we treat GPC signals as a valid opt-out of the sale or sharing of personal information. As we do not sell or share personal information for advertising, this has no practical effect on our processing — but we honour the signal as a matter of principle.
13. Region-specific rights
United States — California and other state privacy laws
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) grants you the following rights:
- Right to know — request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it.
- Right to delete — request deletion of your personal information, subject to certain legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information, so no opt-out action is required.
- Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.
You can exercise these rights through your account dashboard or by emailing legal@exosys.ch. We will verify your identity before processing your request.
If you are a resident of another US state with a comprehensive privacy law (such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or others), you generally have similar rights to access, delete, correct, and port your data, as well as the right to opt out of targeted advertising and profiling. We honour these rights consistently for all US residents. If we deny a request, you may appeal by contacting legal@exosys.ch with "APPEAL" in the subject line.
Canada
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation, you have the right to access your personal information, challenge its accuracy, and withdraw consent. We may process data without consent in limited circumstances as described in Section 3.
Australia and New Zealand
We collect and process your personal information under Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020. You have the right to request access to and correction of your personal information at any time. If you do not provide requested information, it may affect our ability to provide services, manage your account, or verify your identity.
For complaints, contact the Office of the Australian Information Commissioner or the New Zealand Privacy Commissioner.
14. Updates to this notice
We may update this Privacy Notice from time to time. The updated version will be indicated by a new "Last updated" date at the top. If we make material changes, we will notify you by posting a prominent notice on our website or by sending you a direct notification. We encourage you to review this notice periodically.
15. How to contact us
If you have questions, comments, or requests regarding this Privacy Notice or our data practices:
Exosys Sàrl
Data Protection Contact
Route du Champ de la Grange 18
CH-1966 Saxonne (Ayent)
Switzerland
Email: legal@exosys.ch
Phone: +41 27 508 02 86
16. How to review, update, or delete your data
We provide self-service tools so you can manage your data directly. Visit your account dashboard to:
- Update your contact information — edit your name, email, address, phone number, and other profile details.
- Download your data — export a machine-readable copy of the personal information we hold about you.
- Erase your account — permanently delete your account and all associated personal data from our active systems.
For requests that cannot be completed through self-service, or if you do not have an account, email legal@exosys.ch.
We will respond to all verified requests within 30 days, as required by applicable law. In complex cases, we may extend this period by an additional 60 days, and we will notify you of any extension. Account erasure requests are processed within 30 days; billing records subject to legal retention obligations (see Section 8) will be retained for the legally required period and then permanently deleted.