Privacy Policy

As of: March 27, 2026 Version: 2.0

Language version notice: This German version is the legally binding and authoritative version. Any English translations are provided for information only; in the event of inconsistencies, the German version prevails.

This data protection declaration informs you about how Etzensperger Informatik AG (“we”, “us”) processes personal data when you: (a) use our website(s) and online services, (b) create or manage a customer account (SaaS account), (c) enter data about a customer into our platform as an end user/participant, (d) communicate with us (support, sales, marketing), (e) apply to us or have an employment relationship with us stand.

We particularly take into account the Swiss Data Protection Act (DSG) and – where applicable – the EU General Data Protection Regulation (GDPR/GDPR).

1. Responsible body (controller) and contact

Responsible for data processing within the meaning of the DSG and – where applicable – the person responsible within the meaning of the GDPR is:

Etzensperger Informatik AG Kirchweg 24 CH-3366 Bettenhausen Switzerland Email: support@edoobox.com Telephone: +41 43 434 65 91 Commercial register/UID: CHE-107.413.131

2. Data protection contact / data protection advisor / data protection officer (DPO)

For data protection concerns, you can contact us at: Data protection contact: support@edoobox.com Etzensperger Informatik AG Kirchweg 24 CH-3366 Bettenhausen Switzerland

Note: If we are required to appoint a data protection officer under applicable law or appoint one voluntarily, he or she can be reached using the contact details above.

3. Role model in SaaS (customer data vs. data about our own business activities)

3.1 Customer data (“Customer Content”) – we as the processor

When using our SaaS platform, our customers can enter personal data of end users/participants (e.g. participation data, booking/event data) into the platform. To the extent that we process this customer data on behalf of and in accordance with the customer's instructions:

• Customer = person responsible (controller),
• we = processor.

In these cases, we regulate order processing in a separate order processing agreement (AVV/DPA) with the customer.

3.2 Our own business data – we as the controller

We also process personal data for our own purposes, e.g. account administration, contract/billing, security, product improvement, marketing (where permitted), compliance. We are responsible for these processing operations.

4. Categories of personal data

Depending on the context, we work on the following categories in particular:

A) Account and contract data

• Last name, first name, company/organization, role/position
• Login/identification data (e.g. username), password hash
• Contact details (email, telephone, address)
• Contract and plan/subscription information, license scope

B) Billing and payment information

• Billing address, VAT information
• Payment status, transaction and reference data (not full card/bank details if payment provider processes this directly)

C) Usage and Device Data

• Usage data within the platform (e.g. feature usage, click paths in the app)
• Device/browser data, operating system, app version
• IP address, timestamp, rough location data (derived), language/time zone

D) Communication and support data

• Support requests, email/chat content, attachments
• Call notes, tickets, status and history history

E) Log, security and metadata

• System and access logs (e.g. login attempts, admin actions)
• Audit logs, error/crash reports
• Backups/restore points (including data copies)

F) Marketing and event data

• Newsletter opt-in/opt-out, consent status
• Campaign parameters (e.g. UTM), lead information

G) Application and employee data

• Application documents, communication content, HR administration (separate note possible)

5. Purposes of processing and legal basis

We process personal data according to the principles of purpose limitation, proportionality and data minimization. We destroy or anonymize data as soon as it is no longer required for the purpose (subject to legal retention obligations and legitimate archiving interests).

To the extent that the GDPR is applicable, we base processing on the following legal bases in particular:

• Fulfillment of contract/pre-contractual measures (Art. 6 Para. 1 lit. b GDPR),
• Legal obligation (Art. 6 Para. 1 lit. c GDPR),
• Legitimate interests (Art. 6 Para. 1 lit. f GDPR),
• Consent (Art. 6 Para. 1 lit. a GDPR) – e.g. for newsletters/marketing or non-essential cookies, if necessary,
• in exceptional cases: protection of vital interests or public tasks (Art. 6 Para. 1 lit. d/e GDPR).

Main purposes:

5.1 Operation of the SaaS platform and provision of functions

• Account creation, login, permissions, feature deployment
• Support, incident management, further development, quality assurance

5.2 Contract, billing, administration

• Contract conclusion/management, invoicing, payment, dunning
• Financial accounting, verification, internal administration

5.3 Security and misuse prevention

• IT security, access controls, logging, fraud/abuse detection
• Enforcement of terms and conditions, protection of rights, legal claims

5.4 Communication

• Service notifications (e.g. security-related information, system status)
• Support communication
• Marketing communication only if permitted or with consent

5.5 Website operation and cookies

We use necessary cookies/technologies to technically provide the website and platform. For non-essential cookies/technologies (e.g. range measurement, marketing, social media) we use consent management - if required by applicable law. You can revoke or adjust your consent at any time using the cookie settings in the footer of our website.

6. Recipients, service providers and sub-processors

We only pass on personal data if this is necessary for the stated purposes, if we are obliged to do so or if you have consented to it.

Recipient categories can be:

• Hosting/cloud provider (operation, storage, backups, monitoring)
• Communication service providers (email, SMS, telephony)
• Payment service provider (payment processing, invoice/subscription management)
• Analytics/performance/security service providers (e.g. error tracking, APM, CDN/WAF)
• CRM/support systems (ticketing, chat, knowledge base)
• Professional advisors (legal advice, audit), banks/debt collection, if necessary
• Authorities/courts, if required by law

Subprocessors: A current list of our subprocessors including purpose, location, data categories and transfer basis can be found at: https://www.edoobox.com/de/dsg-dsgvo-konform

7. Data processing abroad / cross-border transfers

Central platform data is generally stored and processed primarily in Switzerland. Depending on the service provider used, processing may also take place within the EU/EEA or in other countries. If we or our service providers process personal data outside Switzerland or outside the EEA, we ensure that appropriate data protection is guaranteed, in particular through:

• Adequacy decisions (Switzerland: states/organizations with adequate protection; EU: adequacy decisions),
• Standard contractual clauses/standard data protection clauses (SCC) and additional measures, if necessary,
• applicable data privacy frameworks (e.g. Swiss-U.S. DPF or EU-U.S. DPF), if applicable and the recipient is certified accordingly,
• or other guarantees provided by law/exceptionally applicable reasons for transfer.

8. Retention, deletion and offboarding

We define retention periods based on “need-to-know/need-to-keep”.

8.1 Guidelines

• Account/customer data: Duration of the contract + an appropriate transition period for migration and contract fulfillment
• Support tickets: as long as necessary for support, traceability and compliance
• Security/Access Logs: in accordance with our security and compliance requirements
• Backups: Rolling according to our rolling backup cycle (deletion possible with a delay)
• Marketing lead data: until revocation/opt-out or purpose no longer applies
• Accounting/invoice documents: in accordance with statutory retention requirements (usually up to 10 years), if applicable

8.2 Onboarding/Offboarding Customers

• During the contract term: Processing for the provision of services.
• After termination/end of contract: (i) return/export of customer data if necessary, (ii) blocking of the account, (iii) deletion/anonymization after the retention periods have expired, excluding data copies in backups until the next overwrite.
• If desired, an earlier deletion of customer data can be checked, provided that there are no legal obligations or overriding interests to the contrary.

9. Data security (technical and organizational measures)

We take appropriate technical and organizational measures (TOM) taking the risk into account, in particular:

Note: Absolute security cannot be guaranteed.

• Encryption during transmission (TLS) and – where appropriate – during storage (Encryption at Rest)
• Role and authorization concepts (least privilege), separation of environments
• Multi-factor authentication for admin access for administrative access and sensitive internal systems, if technically provided
• Logging/auditing of security-relevant actions
• Regular patches/updates, vulnerability management
• Backups, recovery and emergency concepts
• Training/obligation of employees (confidentiality)

10. Rights of those affected

10.1 Rights under the Swiss Data Protection Act

Depending on the circumstances and legal restrictions, you have in particular:

• Right to information, including information on purpose, retention period/criteria, recipients and automated individual decisions,
• Right to correct incorrect data,
• Right to deletion/destruction, to the extent permitted,
• Right to data release/transfer (portability) under the legal requirements,
• Rights in connection with automated individual decisions (see section 11).

10.2 Rights under GDPR (if applicable)

Depending on the circumstances, you have in particular:

• Information, correction, deletion, restriction of processing,
• data portability,
• Objection to processing based on legitimate interests,
• Revocation of consent with effect for the future,
• Right to lodge a complaint with a supervisory authority.

10.3 Exercise of Rights

Please direct inquiries to: support@edoobox.com We may request appropriate evidence for identification.

Important SaaS role principle:

• For “Customer Content” that is managed by our customers as controllers, we may not be authorized to change or delete data directly. In this case, we will forward inquiries from those affected - where permitted - to the respective customer or inform you how you can contact the customer directly.

11. Automated individual decisions and profiling

If we use automated individual decisions that have legal effects on you or have a significant impact on you, we will inform you about this. You have the right to express your point of view and to request verification by a natural person, to the extent provided for by applicable law. We currently do not generally use automated individual decisions that have legal effects on data subjects or significantly impact them in a similar way.

12. Reporting Data Breach

We have processes in place to detect, investigate, remediate and document data security breaches. To the extent required by law, we report relevant data security breaches to the relevant supervisory authority and inform affected individuals.

When processing orders, we will inform our customers without unnecessary delay if we discover a data security breach affecting customer data.

13. Applications and employee data

If you apply to us or are employed by us, we process personal data for the implementation of the application or employment relationship, for administration, wages/social insurance, compliance and IT security. We will provide a separate HR data protection information sheet if required or during the application process.

14. Minors

Our services are generally aimed at companies/adults. Persons under 16 should not use our Services without the consent of a legal guardian to the extent required by applicable law.

15. Compliance, Audit and Contracts

• Where legally required or organisationally appropriate, we maintain a record of processing activities and document security measures as well as relevant incidents. Customer-specific evidence, security questionnaires, reviews or audits are provided by prior agreement and, unless legally mandatory or triggered by an event caused by us, against separate remuneration.
• If necessary, we conclude an order processing agreement with customers (AVV/DPA).
• We conclude corresponding contracts with subcontractors including TOM and – if necessary – transfer instruments (e.g. SCC).

16. Changes to this Privacy Policy

We may update this data protection declaration, e.g. in the event of legal changes or product adjustments. The current version is published under /data protection declaration. We communicate significant changes appropriately.

17. Disclaimer/limitation of liability (where permitted)

This data protection declaration describes data processing to the best of our knowledge. We do not guarantee that external services (e.g. third-party websites, linked providers) will function the same at all times or that their content will remain unchanged. Legal liability provisions remain reserved.