Effective as of: 16 October 2025
Last updated: 16 October 2025
This document is a verified template for companies based in Switzerland with potential relevance to EU law. Please adapt all placeholders in square brackets to your organisation.
1. Controller
Phoenix IT AG
Speerstrasse 4a
8832 Freienbach, Switzerland
Phone: 044 512 44 43
Email: info@phoenixit.ch
Website: www.phoenixit.ch
2. Data Protection Contact / Data Protection Officer
For data protection enquiries, please contact:
Email: info@phoenixit.ch
Postal address: as above
3. Scope
This statement explains how we process personal data when you visit our digital services, interact with us in business relationships, apply for positions, attend events, or use our products and services. It applies to all natural persons whose data we process, regardless of the source of the data.
4. Categories of Personal Data
Depending on the situation, we may process the following categories of personal data in particular:
Master data: name, contact details, company affiliation, role/function
Contract and transaction data: quotes, orders, contracts, payments, support tickets
Communication data: emails, letters, telephone notes, minutes of conversations
Usage and device data: IP address, log files, cookie IDs, timestamps, referrer, interactions on the website or within apps
Marketing data: newsletter consents, preferences, campaign interactions
Application data: CV, certificates, references, interview notes
Security and compliance data: access controls, audit trails, incident information
We process special categories of sensitive personal data only when necessary and permitted, for example in the recruitment process, due to legal obligations, or with explicit consent.
5. Source of Data
We generally obtain personal data directly from the data subjects. Additionally, data may originate from: business partners, public registers, conferences and events, third parties involved in outsourced processing, and publicly accessible sources such as company websites or professional networks.
6. Purposes of Processing
We process personal data for the following purposes:
- Initiating, concluding and managing contracts
- Operating websites, apps and IT systems, including ensuring security and stability
- Customer support, consulting and training
- Communication, including responding to enquiries
- Marketing and market analysis, including newsletters, events and personalised content
- Application management
- Compliance with legal obligations and enforcement of claims
- Prevention, investigation and mitigation of security incidents
7. Legal Bases and Balancing of Interests
We process personal data in accordance with applicable law. For data subjects in the EEA/EU, our processing is based on the purpose and supported in particular by contractual necessity, legal obligations, consent, or legitimate interests. Our legitimate interests include the efficient operation and development of products and services, IT security, needs-based communication, and fraud prevention.
8. Retention Period
We retain personal data only for as long as necessary for the respective purposes, as required by law, or when legitimate interests justify ongoing storage. Afterwards, data are deleted or anonymised. Typical retention periods:
- Contract and accounting documents: 10 years
- Application documents: 6 to 12 months
- Log data: several weeks to months, unless longer retention is required for IT security
9. Disclosure to Third Parties and Processors
We may disclose personal data to the following recipients, where permitted and necessary:
- Processors such as hosting, cloud, CRM, email, newsletter, analytics, and payment service providers
- Business partners for joint service delivery or subcontractors
- Authorities, courts and legal advisors where legally required or necessary for legal protection
We select processors carefully, bind them contractually to data protection requirements, and review appropriate technical and organisational measures.
10. Data Transfers Abroad
Data may be transferred to other countries when necessary for contract fulfilment, the use of services, or organisational reasons. We ensure an adequate level of protection. Where no adequacy decision exists, we implement appropriate safeguards, such as standard contractual clauses with Swiss addenda and additional protective measures. Transfers to certified US organisations may rely on the Swiss-US Data Privacy Framework. Details on individual recipients can be found in Section 12 and are available upon request.
11. Security
We implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, manipulation, and misuse. These include access and permission concepts, encryption, network and application security, logging, data separation, backups, training, and supplier assessments.
12. Cookies, Tracking and Similar Technologies
We use cookies and similar technologies to provide, secure, and improve our services.
12.1 Necessary Cookies
These are required for the website to function and cannot be disabled. Examples include session cookies, login and shopping-cart functions, security cookies and load-balancing cookies.
12.2 Optional Cookies and Tracking
Analytics, preference and marketing cookies and similar technologies are used only when legally permitted. For users in the EEA/EU, we obtain consent through a consent banner. In Switzerland, we follow the current guidelines of the supervisory authority and obtain consent particularly for unexpected, marketing-related or profiling technologies. Consent may be withdrawn at any time with future effect.
12.3 Consent Management
Through our consent-management tool, you may enable or disable categories, withdraw previously given consent, and access additional information. The link is available in the footer of the website under “Cookie Settings.”
12.4 Third-Party Services
We may use the following services. The list is an example and must be adjusted for each project:
- Web analytics: [e.g., Matomo self-hosted, Google Analytics with IP anonymisation]
- Tag management: [e.g., Google Tag Manager]
- Marketing and remarketing: [e.g., Google Ads, LinkedIn Insight Tag]
- CDN and performance: [e.g., Cloudflare]
- Videos, maps, fonts: [e.g., YouTube, Vimeo, Mapbox, Google Fonts locally hosted]
For each service, the detailed cookie overview specifies the provider, purpose, retention period, data category, legal basis, and opt-out options.
13. Newsletter and Electronic Communications
With your consent, we may send newsletters or similar information. We log registrations and interactions for documentation and optimisation purposes. You may unsubscribe at any time, for example using the link at the end of each email.
14. Customer Account and E-Commerce
Where offered, orders may be placed without creating a customer account. A customer account is created only voluntarily. Account data can be managed or deleted within the account, unless retention obligations prevent deletion.
15. Applications
We process application data solely for evaluating and filling positions. Without your consent, we delete application documents no later than 6 months after the process concludes, unless an employment relationship is established.
16. Profiling and Automated Decision-Making
Profiling—such as evaluating personal aspects for marketing or risk-analysis purposes—may occur. We do not make fully automated individual decisions with legal effect unless legally permitted or based on your explicit consent. In such cases, we provide separate information regarding the logic, significance and consequences.
17. Rights of Data Subjects
Under applicable law, you have the following rights in particular:
- Right to access, rectification and deletion
- Right to restrict processing
- Right to data disclosure and portability
- Right to object to processing for direct marketing and to withdraw consent
To exercise your rights, please contact the person listed in Section 2. We may request suitable proof of identity.
18. Reporting Data Protection Incidents
In the event of a security breach that poses a high risk to the personality or fundamental rights of affected persons, we notify the competent supervisory authority. Where required, we also inform the affected individuals directly.
19. Supervisory Authorities
Switzerland
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, CH-3003 Bern
www.edoeb.admin.ch
EU/EEA
You have the right to lodge a complaint with a European supervisory authority in your place of residence, place of work, or the place of the alleged infringement.
20. Amendments to this Privacy Policy
We may amend this statement at any time. The version published on the website is binding. Significant changes will be communicated proactively.
21. Contact
If you have any questions regarding this privacy policy, please contact the person listed in Section 2.


