Privacy Policy

Drafted to align with the EU GDPR and the Swiss Federal Act on Data Protection (FADP/revDSG). Replace bracketed placeholders and have this reviewed by qualified legal counsel before publishing.

1. Controller

The data controller for the processing described in this policy is [Company legal name, address, email]. For Switzerland, this entity acts as the responsible party under the Federal Act on Data Protection (FADP/revDSG).

2. What We Collect

Account data (name, email), chat/document content you submit for processing, and technical data (pseudonymized IP hash, browser type, timestamps) collected for security and rate-limiting purposes only.

3. IP Address Handling

Raw IP addresses are never stored. We derive a salted, one-way hash that is used only to apply rate limits and detect abuse; it is kept for a short retention window and then discarded. This is a privacy-protective measure, not a means of hiding identity from lawful requests.

4. Legal Basis (GDPR Art. 6)

Processing is based on contract performance (Art. 6(1)(b)), legitimate interest in security and abuse prevention (Art. 6(1)(f)), and consent for optional cookies/analytics (Art. 6(1)(a)).

5. Data Residency

Optional EU/Swiss data residency is available for enterprise customers; production deployments should pin storage and compute regions accordingly (see Compliance page).

6. Your Rights

Under GDPR (Art. 15–21) and the Swiss FADP, you have the right to access, correct, export, restrict, and delete your personal data, and to object to processing. Contact [privacy@hundredone-ai.com] to exercise these rights.

7. Retention

Chat content is retained only as long as necessary to provide the service or as required by law, per a documented retention schedule. Audit logs use pseudonymous identifiers and a limited retention window.

8. Sub-processors

Any third-party AI providers, hosting, or infrastructure vendors are listed in a vendor register with data processing agreements (DPAs) in place, per GDPR Art. 28.

9. International Transfers

Where data is processed outside the EU/Switzerland, we rely on Standard Contractual Clauses (SCCs) or an adequacy decision, as applicable.

10. Contact & Supervisory Authority

You may lodge a complaint with your local data protection authority, e.g. the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or your national DPA within the EU.