Privacy Policy

    Last updated: January 2025

    Our Promise to You

    At Otterino, we take data protection seriously, not just as a legal obligation but as a fundamental principle of how we operate. We understand that your data is confidential and deserves the highest level of protection. This privacy policy explains in clear terms how we handle your data, what rights you have, and how we protect your privacy.

    All our data processing activities are fully compliant with the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). We exclusively process data hosted in Switzerland and only use Swiss or EU-compliant cloud infrastructures.

    Important Note: This privacy policy is not legal advice, but a transparent representation of our data processing. It does not replace consultation with a data protection expert for your specific situation.

    Our Fundamental Legal Obligations

    The Swiss Data Protection Act (FADP, German abbreviation DSG) mandates certain formal obligations that are non-negotiable. These are binding for all companies that process personal data.

    Obligation 1: Privacy Policy

    We maintain a public privacy policy that transparently explains what data we process, how and why. This includes our contact details, the purpose of data processing, recipients of data, and explanations of data transfers abroad.

    Obligation 2: Processing Activities Register

    We maintain an internal document listing all our data processing activities. This includes the purpose of processing, categories of processed data, categories of recipients, retention periods, and countries to which data is transferred. This is the central document that the Data Protection Authority (EDÖB) wants to see during an audit.

    Obligation 3: Data Breach Notification

    In case of a data breach that is likely to result in a high risk to the affected individuals, we report it "as quickly as possible" to the EDÖB. We have implemented appropriate procedures to quickly detect and report such incidents.

    Your Rights under FADP

    The Swiss Data Protection Act grants you comprehensive rights regarding your personal data. These rights are not just on paper, but are actively supported and respected by us.

    Right of Access

    You have the right at any time to find out what personal data we process about you, for what purpose and on what legal basis. We provide you with this information free of charge and in an understandable format.

    Right to Rectification

    If your data stored with us is inaccurate or incomplete, you have the right to have it corrected or completed. We immediately correct any errors you inform us about.

    Right to Erasure

    You can request the deletion of your personal data at any time, provided there are no legal retention periods. We delete your data completely and irrevocably from all our systems.

    Data Portability

    You have the right to receive your data in a structured, common and machine-readable format and to transmit it to another controller, insofar as this is technically feasible.

    Right to Object

    You can object to the processing of your personal data for certain purposes. We carefully examine each objection and only continue processing if there are compelling legitimate reasons.

    What Data Do We Collect and Why?

    We only collect data that is absolutely necessary for providing our services. Our principle is: As little as possible, as much as necessary. We deliberately refrain from tracking, cookies or other invasive data collection.

    Contact Forms

    When you contact us through our contact form, we collect your name, email address, company and message. We use this data exclusively to respond to your inquiry and offer you our services. The legal basis for this is contract fulfillment and our legitimate interest in the business relationship.

    Technical Data

    Our server automatically collects technical information such as your IP address, browser type and access times. This data serves exclusively for security and proper operation of our website. It is not linked to other data and is deleted after a maximum of 30 days.

    No Cookies, No Tracking

    We do not use cookies, tracking tools, analytics software or social media plugins. Your privacy is our top priority, not optimizing our website.

    Swiss Hosting - Your Data Stays in Switzerland

    All your data is exclusively hosted and processed in Switzerland. We use the Azure Switzerland North region in Zurich, which guarantees that none of your data leaves Switzerland. This is not just a technical decision, but our clear commitment to Swiss data sovereignty.

    Azure Switzerland North

    Our entire infrastructure runs on Microsoft Azure Switzerland North. All servers, databases and backup systems are physically located in Switzerland. Microsoft has built a separate data center specifically for Switzerland that meets the highest Swiss data protection standards.

    No Third-Country Transfers

    We do not transfer data to third countries outside the EU/EEA area. Even within the EU, data transfers only occur if this is technically unavoidable and appropriate guarantees are in place. In practice, this means: Your data does not leave Switzerland.

    Backup and Disaster Recovery

    Our backup systems and disaster recovery procedures are also fully implemented in Switzerland. Even in the event of a technical failure, your data remains in Switzerland.

    How We Protect Your Data

    Data protection is not just a legal obligation for us, but a technical and organizational goal. We have implemented comprehensive measures to protect your data from unauthorized access, loss or misuse.

    Encryption

    All data transmissions occur over encrypted connections (TLS 1.3). Data at rest is encrypted with AES-256. We exclusively use encryption standards that are classified as secure by the Swiss Confederation.

    Access Control

    Only authorized employees have access to personal data, and only within the scope of their professional duties. All access is logged and regularly reviewed. We implement a strict need-to-know principle.

    Regular Security Updates

    Our systems are continuously updated with the latest security patches. We monitor our infrastructure 24/7 for suspicious activities and respond immediately to security incidents.

    Staff Training

    All our employees are regularly trained in data protection and IT security. Data protection is part of our corporate culture, not just a compliance requirement.

    Handling US Tools and Swiss-US Data Privacy Framework

    Since September 2024, the Swiss-US Data Privacy Framework (DPF) simplifies data exchange with the USA. This changes the rules for data transfer, but not our fundamental responsibility as a company.

    DPF-Certified Providers

    For most data transfers to DPF-certified providers, certification is sufficient as a guarantee. We do not necessarily need separate Standard Contractual Clauses (SCCs). We document our review of whether a provider is certified or what contracts we have concluded.

    The Remaining Risk

    Even with the DPF, US authorities can request access to data under certain circumstances, even if it is stored on European servers (CLOUD Act). Therefore, for highly sensitive data, we rely on providers with headquarters and servers in Switzerland or the EU.

    Our Solution

    We deliberately refrain from US services and exclusively use Swiss or EU-compliant technologies. This is a conscious decision for maximum data sovereignty and FADP compatibility.

    Our Swiss Technology Strategy

    All technologies we use are either Swiss or EU-compliant and FADP-compatible. This is a conscious decision for maximum data sovereignty.

    • n8n Workflow Automation: Self-hosted on Azure Switzerland. No external third parties, no data transfers to foreign servers. All workflows run exclusively in Switzerland.
    • Supabase Databases: EU-compliant databases with Swiss hosting options. Here too, there is no data transfer to third countries.
    • OpenAI API: Exclusively EU endpoint, no US data processing. Even when using AI services, we adhere to Swiss data protection standards.

    How Long Do We Store Your Data?

    We only store your personal data for as long as necessary to fulfill the respective purpose. After the storage periods expire, your data is automatically and irrevocably deleted.

    Contact Data

    Deleted after the business relationship ends or after 3 years of inactivity, unless legal retention periods apply.

    Technical Logs

    Automatically deleted after a maximum of 30 days. These contain no personal data, only technical information for security purposes.

    Project Data

    Deleted after project completion and expiry of legal retention periods. You will receive a notification before deletion and can export your data.

    When You Need Professional Help

    Managing data protection yourself has limits. In the following cases, you should not hesitate to consult an expert (lawyer or specialized consultant).

    Especially Protected Data

    If you process health data, biometric data or other especially protected data, the requirements are significantly stricter and require specialized expertise.

    Regulated Industries

    If you operate in a regulated industry (e.g. FINMA, doctors, lawyers), additional specific data protection requirements apply that go beyond the general DSG.

    High-Risk Profiling

    If you perform "high-risk profiling" (i.e. letting AI systems automatically make important decisions about people, e.g. in lending or recruiting), the legal requirements are particularly complex.

    When Uncertain

    If you are uncertain, consultation is cheaper than an investigation by the EDÖB. We always recommend seeking professional help when in doubt.

    Your Data Protection Contacts

    For questions about data protection, exercising your rights or complaints, we are happy to assist you. We take every hint seriously and respond quickly and transparently.

    • Data Protection Officer: Otterino Team
    • Email: info@otterino.com
    • Address: Otterino, Switzerland

    You can contact us at any time to exercise your data protection rights. We respond to all requests within 30 days and provide you with the requested information free of charge.

    Right to Complaint: If you do not agree with our data processing, you have the right to complain to the Federal Data Protection and Information Commissioner (EDÖB). We work constructively with authorities and respect all official decisions.

    Changes to This Privacy Policy

    We may update this privacy policy from time to time to adapt it to changes in legislation or our business practices. We will notify you of material changes at least 30 days before they take effect.