Privacy Policy
Drafted to align with the EU GDPR and the Swiss Federal Act on Data Protection (FADP/revDSG). Replace bracketed placeholders and have this reviewed by qualified legal counsel before publishing.
1. Controller
The data controller for the processing described in this policy is [Company legal name, address, email]. For Switzerland, this entity acts as the responsible party under the Federal Act on Data Protection (FADP/revDSG).
2. What We Collect
Account data (name, email), chat/document content you submit for processing, and technical data (pseudonymized IP hash, browser type, timestamps) collected for security and rate-limiting purposes only.
3. IP Address Handling
Raw IP addresses are never stored. We derive a salted, one-way hash that is used only to apply rate limits and detect abuse; it is kept for a short retention window and then discarded. This is a privacy-protective measure, not a means of hiding identity from lawful requests.
4. Legal Basis (GDPR Art. 6)
Processing is based on contract performance (Art. 6(1)(b)), legitimate interest in security and abuse prevention (Art. 6(1)(f)), and consent for optional cookies/analytics (Art. 6(1)(a)).
5. Data Residency
Optional EU/Swiss data residency is available for enterprise customers; production deployments should pin storage and compute regions accordingly (see Compliance page).
6. Your Rights
Under GDPR (Art. 15–21) and the Swiss FADP, you have the right to access, correct, export, restrict, and delete your personal data, and to object to processing. Contact [privacy@hundredone-ai.com] to exercise these rights.
7. Retention
Chat content is retained only as long as necessary to provide the service or as required by law, per a documented retention schedule. Audit logs use pseudonymous identifiers and a limited retention window.
8. Sub-processors
Any third-party AI providers, hosting, or infrastructure vendors are listed in a vendor register with data processing agreements (DPAs) in place, per GDPR Art. 28.
9. International Transfers
Where data is processed outside the EU/Switzerland, we rely on Standard Contractual Clauses (SCCs) or an adequacy decision, as applicable.
10. Contact & Supervisory Authority
You may lodge a complaint with your local data protection authority, e.g. the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or your national DPA within the EU.