Civyx places the utmost importance on the protection of your personal data. This Privacy Policy describes how [COMPANY NAME] (hereinafter "Civyx", "we" or "our") collects, processes, stores and protects your data, in compliance with the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP / nLPD).
1. Data Controller
[COMPANY NAME]
[ADDRESS], [CITY], [CANTON], Switzerland
Email: dpo@civyx.com
For any questions regarding the processing of your personal data, you may contact our Data Protection Officer (DPO) at the address above.
2. Categories of Data Collected
We collect and process the following categories of personal data:
| Category | Examples |
|---|---|
| Identity data | First name, last name, email address, profile picture (optional) |
| Contact data | Email address, notification preferences |
| Professional data | Organisation name, role (volunteer, association, company), description |
| Behavioural data | Event participation, recognition points earned, engagement history |
| Technical data | IP address, browser type, login timestamps, session identifiers |
| Content data | Published events, comments, messages sent via the platform |
3. Purposes and Legal Bases of Processing
| Purpose | Legal basis (GDPR / nFADP) |
|---|---|
| Provision and management of platform services | Contract performance — Art. 6(1)(b) GDPR / Art. 31(2)(a) nFADP |
| User account creation and management | Contract performance — Art. 6(1)(b) GDPR / Art. 31(2)(a) nFADP |
| Sending activity-related notifications (events, points) | Contract performance — Art. 6(1)(b) GDPR / Art. 31(2)(a) nFADP |
| Platform improvement and statistical analysis (anonymised) | Legitimate interest — Art. 6(1)(f) GDPR / Art. 31(2)(c) nFADP |
| Security, fraud prevention and logging | Legitimate interest / legal obligation — Art. 6(1)(c)(f) GDPR |
| Compliance with legal and regulatory obligations | Legal obligation — Art. 6(1)(c) GDPR / Art. 31(2)(b) nFADP |
| Marketing communications (opt-in only) | Consent — Art. 6(1)(a) GDPR / Art. 31(1) nFADP |
| Non-essential cookies and audience measurement | Consent — Art. 6(1)(a) GDPR |
4. Hosting and International Data Transfers
Your data is primarily hosted on Microsoft Azure Switzerland North servers located in Switzerland, with disaster recovery capability via Azure West Europe (Netherlands). Both regions are considered to offer an adequate level of protection.
In certain operational circumstances, sub-processors located in the United States or other third countries may access data (for example, Microsoft's support or monitoring services). Such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission in accordance with Art. 46(2)(c) GDPR and recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC) under the nFADP.
Civyx does not sell or rent your personal data to third parties. No data is shared with advertising partners.
5. Retention Periods
| Data category | Retention period |
|---|---|
| User account data | 5 years after account closure |
| Engagement and event data | 3 years after the event ends |
| Login and server logs | 12 months |
| Financial and billing data | 10 years (legal obligation) |
| Analytics cookie data | Up to 13 months |
| Preference cookie data | 12 months |
After these periods, data is deleted or irreversibly anonymised.
6. Your Rights
Under the GDPR and the nFADP, you have the following rights:
- Right of access: obtain a copy of the data we hold about you (Art. 15 GDPR / Art. 25 nFADP).
- Right to rectification: have inaccurate data corrected (Art. 16 GDPR / Art. 32 nFADP).
- Right to erasure: request deletion of your data in the cases provided for by law (Art. 17 GDPR / Art. 32 nFADP).
- Right to restriction of processing: restrict the use of your data in certain circumstances (Art. 18 GDPR).
- Right to data portability: receive your data in a structured, machine-readable format (Art. 20 GDPR).
- Right to object: object to processing based on legitimate interests (Art. 21 GDPR / Art. 30 nFADP).
- Withdrawal of consent: withdraw your consent at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint: file a complaint with the Federal Data Protection and Information Commissioner (FDPIC) for Swiss residents, or with the supervisory authority of your EU member state of residence.
To exercise your rights, contact us at: dpo@civyx.com. We will respond within 30 days.
7. Data Security
Civyx implements appropriate technical and organisational measures to protect your data against unauthorised access, disclosure, alteration or destruction. These measures include TLS encryption in transit, encryption at rest, role-based access control, access logging, and periodic security audits.
However, no computer system can guarantee absolute security. In the event of a data breach likely to give rise to a risk to your rights and freedoms, we will notify the competent authorities and, where applicable, the affected individuals, within the legally required timeframes.
8. Automated Decision-Making and Profiling
Civyx does not carry out fully automated decision-making that produces significant legal effects on users within the meaning of Art. 22 GDPR. Algorithms may be used for recommendation purposes (e.g. event suggestions), but such processing does not constitute profiling in the restrictive legal sense, and human oversight is maintained.
9. Cookies
We use cookies on the platform. For detailed information on cookie types, their duration and how to manage your preferences, please consult our Cookie Policy.
10. Changes to this Policy
We may update this policy at any time. In the event of material changes, we will notify you by email or via a platform notification within a reasonable period before the changes take effect. The version in force is the one published on this page.
11. Contact
For any questions regarding this policy or your personal data:
[COMPANY NAME] — Data Protection Officer
[ADDRESS], [CITY], [CANTON], Switzerland
Email: dpo@civyx.com