Privacy policy.

Nordfold GmbH ("we", "our", or "us"), based in Zurich, Switzerland, is the data controller and is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

We comply with the revised Swiss Federal Act on Data Protection (nFADP) and, in applicable cases, the GDPR (European Union General Data Protection Regulation). We operate under the principles of privacy by design and by default as required under nFADP.

We may collect personal data such as your name, email, company details, and any information you provide through our forms.

Our servers automatically process minimal technical logs such as IP address and user agent to deliver the site and maintain security. We do not run analytics, tracking pixels, or third-party tags.

If we collect sensitive personal data (e.g. biometric, genetic, health data), we will only do so with your explicit consent.

If you refuse to provide required personal data, we may be unable to provide you with the service or parts of it.

We use the collected information for the following purposes:

• Communication: To respond to your inquiries, provide information about our services, and maintain business communication. GDPR only legal bases: legitimate interests or steps prior to a contract.
• Demo Requests: To process and schedule demonstration sessions with interested parties. GDPR only legal basis: contract performance.
• Service Improvement: To improve our website based on support requests and aggregated server logs. GDPR only legal basis: legitimate interests.
• Marketing: We send marketing communications only with your prior consent or as permitted by Swiss law for existing customers, and always provide an easy unsubscribe.
• Legal Compliance & Protection: To comply with legal obligations, detect fraud, and protect our rights and interests. GDPR only legal bases: legal obligation and legitimate interests.

Switzerland: We process personal data in line with FADP principles, including lawfulness, good faith, proportionality, purpose limitation, data minimization, and privacy by design and default.

EEA/UK only: Under GDPR, we rely on consent, contract performance, legitimate interest, or legal obligation as our legal basis for processing personal data.

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We may share personal data with service providers or partners who support our operations, subject to confidentiality and security obligations. We require all service providers and subprocessors to enter into written contracts imposing obligations equivalent to ours, including security, confidentiality, limitation of processing, and restrictions on further transfer.

Our website is hosted by Hostpoint AG, which processes data on our behalf under a data-processing agreement.

We may also disclose data to competent authorities when legally required or to protect our rights, property, or safety.

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, and misuse. These measures include encryption (both in transit and at rest), access controls, activity logging, regular security assessments, and staff training on data protection.

However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, to enforce our agreements, and for other legitimate business purposes.

Retention periods vary depending on the nature of the data, the purpose of processing, and applicable legal requirements. We regularly review the data we hold and delete or anonymize it when it is no longer needed, unless we are required to retain it for legal, regulatory, or contractual purposes.

Detailed retention criteria for different categories of personal data are documented in our internal Record of Processing Activities, which is maintained in accordance with applicable data protection laws.

Under Swiss FADP: You can request access, correction, deletion, and data portability (for data you provided, processed by automated means, and based on consent or a contract; and where technically feasible). We respond within 30 days.

Additional GDPR rights when GDPR applies: You also have the right to restriction of processing and the right to object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us using the contact information provided below. We will respond to your request without undue delay and in any event within 30 days (this may be extended for complex requests, in which case we will inform you).

Please note that these rights are subject to certain exceptions, such as when disclosure would reveal trade secrets, conflict with legal obligations, or when we have overriding legitimate grounds for processing.

Our website does not use cookies or similar tracking technologies.

If we ever introduce non-essential cookies or similar technologies, we will implement a compliant banner and collect consent where required by the FDPIC guidelines.

We may transfer personal data to countries outside Switzerland or the European Economic Area (EEA). We identify the countries of our recipients. Where a destination is not on the Swiss adequacy list, we use Standard Contractual Clauses (SCCs) with the Swiss addendum and perform transfer impact assessments. We maintain a current list of subprocessors and destination countries.

For our current list of destination countries and subprocessors, please contact us using the contact information provided in Section 16.

When we transfer data internationally, we ensure an adequate level of protection through:

• European Commission and Swiss adequacy decisions
• Standard Contractual Clauses (SCCs) with Swiss addendum where required
• Binding corporate rules
• Other mechanisms recognized under applicable data protection laws

Where countries do not provide adequate protection, we implement additional safeguards or obtain your explicit consent.

Our website and services are not directed to children. Where GDPR applies, we do not knowingly collect personal data from individuals under the age of 16 without parental consent. Switzerland has no fixed age threshold for consent in general law. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete such information.

We maintain a record of processing activities under nFADP. This record includes the purpose of processing, categories of personal data, recipients, international transfers, security measures, and retention criteria for each processing activity.

In the event of a data security breach likely to result in a high risk to the personality or fundamental rights of the data subjects, we will notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible and, where required, notify affected data subjects unless notification is disproportionate or would involve excessive effort.

The notification will include the nature of the breach, categories and approximate number of affected data subjects, affected data categories, likely consequences, and measures taken or proposed to address the breach and mitigate its effects.

We do not perform decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, unless we have obtained your explicit consent or it is necessary for contract performance.

If we ever use automated individual decisions, we will inform you and on request allow you to express your view and obtain human review.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website with a new "Last updated" date. For significant changes, we may also notify you by email where appropriate. We encourage you to review this Privacy Policy periodically.

For questions about this Privacy Policy, to exercise your data protection rights, or to raise concerns about our data practices, please contact us at:

Data Controller:
Nordfold GmbH
c/o Genossenschaft coalist
Seefeldstrasse 62
8008 Zürich
Switzerland

Swiss Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC)

https://www.edoeb.admin.ch

You have the right to lodge a complaint with the FDPIC or your local data protection authority if you believe we have not complied with applicable data protection laws.