Privacy Policy

This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. "Personal Data" means any information that identifies or relates to a particular individual and also includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, including the EU/UK GDPR and the Swiss Federal Act on Data Protection (nDSG).

This Privacy Policy does not cover the practices of companies we don't own or control or people we don't manage.

Depending on how you use our Services, we may collect the following categories of Personal Data:

• Profile or Contact Data: First and last name, email address, and password.
• Payment Data: Payment card type, billing address, billing email, and truncated card identifiers (e.g., last 4 digits).
• Device/IP Data: IP address, device type, operating system, and browser used to access the Services.
• Web Analytics: Web page interactions, referring source, request IDs, and interaction statistics.
• Social Network Data: Email and username associated with integrated social/professional profiles.
• Geolocation Data: IP-address-based location information.
• Inferences Drawn from Other Personal Data: Attributes, user behavior, and predispositions.
• Other Identifying Information: Information you voluntarily provide, such as emails and business-specific data.

We seek to protect your Personal Data using appropriate physical, technical, and organizational security measures, including encryption and access controls, based on the sensitivity of the data. For our AI-assisted features, we implement pseudonymization and masking protocols to ensure that no client-identifying clear text is processed by third-party LLM providers.

While we work to protect your account, please be aware that no method of transmitting data over the internet is completely secure. You are responsible for protecting your password and limiting access to your devices.

We retain Personal Data for as long as necessary to provide our Services or to perform our commercial purposes.

• Profile Information: Retained for the duration of your active account.
• Device/IP Data: Retained as long as necessary for system optimization and security auditing.
• Anonymized Data: We may retain information in an anonymous or aggregated form (where you can no longer be identified) indefinitely.

If you are a resident of the European Union (EU), United Kingdom (UK), Switzerland, Liechtenstein, Norway, or Iceland, you have specific rights under the GDPR and nDSG. WAARD is the controller of your Personal Data processed in connection with the Services.

We only process your Personal Data with a valid lawful basis:

• Contractual Necessity: To provide the Services (e.g., Profile and Payment data).
• Legitimate Interest: To improve our services, ensure security, and correspond with you (e.g., Device/IP Data and Analytics).
• Consent: Where you have expressly granted permission at the point of collection.
• Legal Obligation: To comply with Swiss or European legal requirements.

You have the following rights regarding your Personal Data:

• Access & Portability: Request a copy of your data in a machine-readable format.
• Rectification: Correct incomplete or inaccurate data.
• Erasure ("Right to be Forgotten"): Request deletion of your data from our systems.
• Withdrawal of Consent: Revoke permission at any time for consent-based processing.
• Objection & Restriction: Object to direct marketing or ask us to restrict further processing.
• Right to File Complaint: Lodge a complaint with the supervisory authority in your country (e.g., the FDPIC in Switzerland or the ICO in the UK).

Unlike many SaaS providers, WAARD's primary infrastructure and client data are hosted and operated within Switzerland and the European Union. To provide specific service enrichments, we may use sub-processors (such as AI model providers). In such cases:

• Data is Masked: No identifying personal data is sent to these providers in clear text.
• Opt-Out of Training: We use enterprise configurations to ensure your data is never used to train third-party models.
• Legal Safeguards: Any transfer of data (even masked) is governed by Data Processing Agreements (DPAs) incorporating Standard Contractual Clauses (SCCs) to ensure a level of protection equivalent to Swiss and EU standards.