
Privacy Policy

How Guard.ch collects, uses, retains, and protects personal data.

Effective 2026-05-26 · Last updated 2026-06-10

1. Introduction and scope

Guard.ch (the "Service") is a website investigation service operated by Zesiger.net ("we", "us", "Guard.ch"). You submit a target URL; we open it inside an isolated, instrumented browser we host, capture what happens (network requests, console output, a display recording, cookies set by the visited site, TLS certificate details, whois and IP lookups, and the URL itself), generate an automated analysis with a verdict, and make the capture available to you for live review and later replay. We call one such run an investigation.

This Privacy Policy explains how we process personal data when you visit https://guard.ch, register an account, pay for the Service, run investigations, or contact us. It is written to satisfy the information duties of the revised Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023, Articles 19 to 21), Article 13 of the EU General Data Protection Regulation (GDPR), and the UK GDPR. Section 11 adds disclosures for residents of US states with consumer privacy laws, and Section 12 covers other jurisdictions.

One account, two services. Guard.ch and browser.lol are operated by the same entity and share one account system, one API, and one database. A single account serves both services: the account, authentication, session-token, and billing records described in this Policy are stored once and are used for whichever of the two services you use. This Policy describes processing in connection with Guard.ch; processing specific to browser.lol features is described in the privacy policy published on browser.lol.

Three roles, one Policy. We are the controller for your account, billing, security logs, and support data. The URLs you submit and the captures we produce are processed on your behalf: for that content, you are the controller and Guard.ch is the processor under Article 28 GDPR. In addition, we act as an independent controller for a narrow slice of investigation data where we process it for our own purposes (platform security, abuse prevention, and legal compliance). Section 6 explains the consequences honestly.

2. Controller and contact

The entity responsible for the processing of personal data described in this Policy (the "Controller") is:

Controller: Zesiger.net (registered name), trading as Guard.ch, Switzerland
Legal representative: Janis Zesiger
Privacy contact: [email protected]

We have not appointed a data protection officer because none of the thresholds that would require one applies to our processing. You can reach us at [email protected] for all data protection matters. The full statutory disclosure, including the registered address, the commercial-register identifiers, and the competent supervisory authority, is published in the Imprint; postal mail reaches us at the address listed there.

Switzerland is recognised by the European Commission as providing an adequate level of data protection (Commission Decision 2000/518/EC, maintained under the GDPR), and by the United Kingdom under its adequacy regulations. Personal data transferred from the EEA or the UK to our Swiss establishment does not require additional transfer safeguards.

3. EU and UK representatives

Under Article 27 GDPR and Article 27 UK GDPR, controllers established outside the EU or the UK that offer services to data subjects there may be required to designate a local representative in writing, unless a narrow exception applies. Guard.ch has not currently appointed an Article 27 representative in the EU or in the UK.

EU representative: None currently appointed.
UK representative: None currently appointed.
Direct contact: [email protected]

Disclosure. EU/EEA and UK data subjects and supervisory authorities can reach us directly at [email protected] for all data protection matters. If we appoint a representative, we will publish the representative's name, address, and contact details in this Section without delay.

4. Data we collect

We practise data minimisation: we collect only what we need to deliver the Service, comply with the law, bill correctly, and keep the platform secure.

4.1 Account data

  • Email address, first and last name where provided, country, verification status, newsletter preference, default browser language and keyboard layout, workspace membership, workspace role metadata, and plan/unlock fields.
  • Password hash (bcrypt) when you use email-and-password sign-in.
  • Authentication factors: WebAuthn passkey credential IDs, public keys, authenticator metadata, transports and labels; OAuth or SSO identifiers returned by Microsoft Azure / Entra ID or workspace SSO when you use those sign-in methods; Google profile data used to provision or look up the account when you choose Google sign-in.
  • Session records: opaque session or API-token references, issuing IP address, user-agent / browser metadata, active status, and expiry timestamps.

4.2 Payment metadata

  • Plan, billing cycle, cycle start, plan expiry, subscription or payment status, workspace billing customer ID, and order/payment references.
  • Payment processor references such as Stripe customer, checkout, subscription, refund, dispute, or portal identifiers where they apply.
  • Billing name, billing address, VAT or tax identifiers, and invoice data where you provide them through Stripe, an order form, or an invoice workflow. We do not see or store full card numbers; PCI-scoped fields stay with the processor.

4.3 Investigation captures (customer content)

Recording what a website does is the purpose of the Service. When you submit a URL, we launch an isolated, instrumented browser and record what the page does and what you do inside it for the duration of the investigation. Capture is global: every URL the browser navigates to during the investigation, including popups, cross-site navigations, and tracker iframes, is recorded; the URL you submit only seeds the initial navigation. A capture comprises:

  • A display recording of the remote browser viewport (H.264 / MP4, no audio), showing everything rendered on screen during the investigation.
  • Network traffic: request and response URLs, methods, headers, status codes, remote IP addresses, tracker classification, and the bodies of textual requests and responses (JSON, XML, forms, plain text, WebSocket text frames, Server-Sent Events), subject to the caps below.
  • Cookies set by any origin the page contacts, and localStorage / sessionStorage changes, with their values.
  • Page intelligence: console output, JavaScript errors, technology detection, TLS certificate details, a whois record for the investigated domain, and IP geolocation and ASN data for the hosts the page contacted.
  • Your interactions inside the isolated browser: clicks, key presses, scrolls, focus changes, form submissions, and the committed value of non-password form inputs.
  • Sensitive browser APIs: permission prompts the page triggered and WebRTC connection metadata, including ICE candidate IP addresses; media payloads are not captured.
  • The automated analysis output: risk scores, classifications, and, where an AI-assisted summarisation feature is used, the generated summary and verdict text. Content submitted to an AI feature is processed by the AI summarisation subprocessor listed at /legal/subprocessors; a separate provider analyses only aggregated operational logs and never receives capture content. The retention and model-training position of each provider is recorded in the subprocessors register. See Section 16 on what the verdict is and is not.

The capture pipeline applies the following limits before anything is written to storage:

  • Password fields are masked. Keystrokes in password fields are recorded as * and the committed value is dropped entirely.
  • Character caps clip general string fields (default 5,000 characters), request bodies and WebSocket / Server-Sent Events messages (default 8,192), and persisted response bodies (default 32,768). The original length is preserved and the truncation is flagged.
  • Binary bodies are skipped. Images, fonts, audio, video, PDFs, WebAssembly, archives, and other binary payloads are not persisted.
  • Hard ceilings. Anonymous and Free investigations end automatically at 60 seconds or 3,000 events; paid Guard.ch investigations at 5 minutes or 10,000 events, unless a separate enterprise order or in-product configuration states otherwise. The first ceiling reached ends the recording, and you can end an investigation early from the dashboard.

Beyond these measures, content is stored as captured: collecting that evidence verbatim is what you use the Service for, and this description forms part of your Article 28 instruction to us. Do not start an investigation you are not prepared to record in full; your controllership duties under Section 6.2 apply to everything a capture contains.

4.4 Technical and security logs

  • Server access logs: timestamp, IP address, user-agent, requested path, HTTP status, bytes transferred, referrer.
  • Application logs identifying user ID, session ID, workspace ID, and the code path that produced the log line.
  • Rate-limit counters, abuse-detection signals, and Web Application Firewall events.

4.5 Support correspondence

  • Email threads, attachments, and the metadata our inbound mail pipeline records when you contact [email protected] or other support addresses.

5. Purposes and legal bases

Every processing activity below has at least one valid legal basis under Article 6(1) GDPR. For UK individuals, references to GDPR provisions in this Policy are to be read as references to the corresponding provisions of the UK GDPR and the Data Protection Act 2018.

| Purpose | Data categories | Legal basis |
| --- | --- | --- |
| Create and operate your account, authenticate sign-in, and manage passkeys. | Account data, authentication factors. | Performance of contract, Art. 6(1)(b) GDPR. |
| Bill the Service, issue invoices, collect VAT, meet bookkeeping duties. | Payment metadata, billing address. | Performance of contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c) (Swiss CO Art. 957 ff., Swiss VAT Act). |
| Run investigations, deliver the live stream, store and replay captures, generate the automated analysis. | Investigation captures (acting as processor on your behalf), workspace state. | Performance of contract, Art. 6(1)(b); processing on documented instructions, Art. 28 GDPR (the Service agreement is the instruction). |
| Secure the platform: abuse prevention, fraud detection, rate-limit enforcement, WAF. | Technical and security logs, IP addresses, and, where necessary, investigation metadata. | Legitimate interest, Art. 6(1)(f) GDPR: keeping the Service available and free of abuse. |
| Respond to support, legal, and regulatory requests. | Support correspondence, account data. | Performance of contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c). |
| Comply with court orders, lawful access requests, sanctions and export-control screening. | Account data, payment metadata, logs. | Legal obligation, Art. 6(1)(c) GDPR; legitimate interest, Art. 6(1)(f), where the obligation arises under non-EEA law. |
| Defend or pursue legal claims. | Whatever the claim concerns. | Legitimate interest, Art. 6(1)(f); legal claims exemption, Art. 9(2)(f) where special-category data is involved. |

We do not rely on consent (Art. 6(1)(a)) for any processing necessary to run the Service. Where consent is the basis (for example, optional product communications), you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Swiss FADP framing. The FADP does not require a legal basis for every private-sector processing operation. Instead, our processing complies with the principles of Articles 6 and 8 FADP (lawfulness, good faith, proportionality, purpose limitation, accuracy, and data security) and does not unlawfully breach the personality rights of data subjects (Arts. 30 and 31 FADP). Where we rely on legitimate interest under the GDPR, the corresponding overriding-interest justification under Art. 31 FADP applies.

6. Investigation content and third-party data subjects

Guard.ch exists to analyse URLs that you do not control: phishing kits, malware droppers, suspect ads, credential-harvesting pages, scams reported to your security team. When we open such a URL inside our isolated browser, the page may legitimately or illegitimately contain personal data about people who are not our customers (the suspected attacker, the operator of a fraudulent site, a victim quoted in the page, a named target of social engineering).

6.1 Roles

  • You (the customer) choose the target and are the controller for the decision to investigate a particular URL and for what the resulting recording contains. You determine the purpose (incident response, fraud investigation, abuse takedown, research) and the means by selecting Guard.ch as the tool.
  • Guard.ch is the processor for that capture content under Article 28 GDPR. We process it only to provide the Service, on your documented instructions and under the Data Processing Agreement, and we apply the security measures listed in our Security Statement.
  • Guard.ch is an independent controller for a narrow slice of investigation data where we process it for our own purposes: detecting and preventing abuse of the platform, securing our infrastructure, and complying with legal obligations (for example, a binding order from a Swiss authority). We do not use investigation content for any other own purpose.
  • Guard.ch is the controller for your account, billing, telemetry, security logs, and support correspondence. Those are described elsewhere in this Policy.

If you use the Service as a private individual for purely personal purposes, the GDPR's household exemption (Art. 2(2)(c)) may mean the GDPR does not apply to your own activity. Our obligations under this Policy are unaffected either way.

6.2 Customer obligations

As controller for capture content, you are responsible for having a valid legal basis to investigate the target and to incidentally process personal data of third parties whose information appears in the capture. Common bases include legitimate interest (Art. 6(1)(f)) for fraud and security investigations, legal obligation (Art. 6(1)(c)) for regulated entities, and Art. 9(2)(f) or 10 GDPR exemptions when special categories or criminal-offence data are involved. Where applicable law requires a Data Protection Impact Assessment (Art. 35 GDPR), you must complete one before instructing us to capture at scale.

6.3 Our safeguards

  • Captures live on Hetzner-hosted infrastructure in Helsinki, Finland (EEA) with at-rest encryption.
  • Edge nodes (Singapore, Salt Lake City, Beauharnois) hold capture data only inside the investigation container's writable filesystem, for the duration of the investigation and the brief upload window that follows. The container is destroyed when the investigation ends and the writable layer (including the MP4, event log, and metadata sidecar) is discarded with it; nothing persists on an edge node between investigations. The only durable copy of a capture lives in Helsinki, where storage is encrypted at the block level.
  • Access to capture content is limited to the account that produced it and to authorised platform engineers acting on documented support tickets, unless you enable link sharing for a replay (Section 6.5).
  • We do not mine, profile, monetise, or use capture content to train models. Captures exist to be replayed by you and then deleted.
  • Built-in minimisation (password masking, character caps, binary-body skip, hard ceilings) and its limits are documented in Section 4.3 so you can decide what is appropriate to submit.

6.4 Data subject requests touching captures

If a third-party data subject contacts Guard.ch about content inside a capture, we will forward the request to the controlling customer without identifying any other customer or investigation, and assist that customer in responding within the GDPR statutory deadline. We will not respond on substance ourselves because we are the processor of that content, not the controller, except where we process the same data as an independent controller under Section 6.1 (in which case Section 10 applies to that processing).

6.5 Replay link sharing

Replays are private to your account by default. You can switch an individual replay to link sharing from the dashboard, which makes it viewable by anyone who has the link, without signing in, until you switch it back to private or the replay's retention window expires. Enabling link sharing is your instruction to us to disclose that capture to anyone presenting the link. As controller, you decide who receives the link and you are responsible for what the shared replay discloses, including personal data of third parties, credentials, cookies, and form data recorded during the investigation.

7. Retention

We keep personal data only for as long as we have a lawful purpose to keep it. The headline windows are below; the operative rule is "delete when no longer necessary and no legal hold applies".

| Category | Retention window | Reason |
| --- | --- | --- |
| Investigation captures (Free). | 1 day from capture, then automatic deletion. | Free plan retention. |
| Investigation captures (paid plans). | 1 month from capture, then automatic deletion. | Paid plan retention. |
| Account data. | Lifetime of the account plus 30 days grace after deletion, then erasure. | Performance of contract; re-activation grace. |
| Invoices, VAT records, accounting evidence. | 10 years from the end of the fiscal year. | Swiss Code of Obligations Art. 958f; Swiss VAT Act. |
| Authentication logs (success and failure). | 180 days. | Security monitoring and incident response. |
| Application and access logs. | 30 to 90 days, depending on log class. | Troubleshooting, abuse handling. |
| Support correspondence. | 3 years from the last message. | Support quality, follow-up questions, and the defence of legal claims. |
| Backups containing any of the above. | Rotated within 35 days. Restore-from-backup will re-delete on the next purge run. | Operational resilience. |

Where a specific window is not listed, we determine retention by these criteria: whether the data is still needed for the purpose it was collected for, whether a statutory retention or limitation period applies, and whether the data is subject to a legal hold or an ongoing dispute.

8. Recipients and subprocessors

We disclose personal data only to recipients that have a contractual basis to receive it and a documented need. The full, versioned list of subprocessors (storage, edge compute, network and bot protection, identity, payments, email, AI analysis) is published at /legal/subprocessors, including each provider's role, location, and the safeguards in place.

Recipient categories:

  • Infrastructure providers hosting our storage and edge-streaming layers (see Section 9).
  • Network, DNS, and bot-protection providers (TLS termination, WAF, rate limiting, challenge widgets).
  • Federated identity providers, only when you choose to sign in with them.
  • Payment processors handling card data, SEPA, and invoicing.
  • Transactional email providers for account verification, password reset, billing notices.
  • AI analysis providers, with AI features scoped to the content you submit to them and operational-log analysis excluding capture content.
  • Tax authorities, courts, and regulators when compelled by binding law in our jurisdiction.
  • Professional advisors (lawyers, auditors) under confidentiality obligations.

We do not sell personal data and we do not share it for cross-context behavioural advertising. If the business were ever transferred (merger, acquisition, asset sale), personal data could be disclosed to the acquirer under confidentiality; we would notify you and this Policy would continue to apply until amended under Section 18.

9. International transfers

We are established in Switzerland and store all durable customer content, including investigation captures, account records, and the production database, at Hetzner Online GmbH's datacenter in Helsinki, Finland (EU/EEA). Capture artefacts have no durable copy anywhere else.

To keep latency acceptable, we run capture and streaming nodes outside the EEA. These nodes host the investigation container, render the page, and write three capture artefacts (MP4 recording, event log, metadata sidecar) to the container's writable filesystem (/recording/) for the duration of the investigation, with a flush every 30 seconds. At the end of the investigation the artefacts are uploaded to the Helsinki primary store over TLS and the container is destroyed; its writable layer is removed with it, so no capture survives on an edge node between investigations. Edge nodes hold no long-term storage.

In addition, some supporting categories of personal data are processed by subprocessors in the United States: payment records for customers billed outside the EEA, the UK, and Switzerland (Stripe, Inc.), transactional email (Google Workspace, contracted via Google Ireland Limited; mail data may be processed by Google LLC in the US), network and bot protection (Cloudflare), federated sign-in where you choose it (Google, Microsoft), and AI analysis features (OpenRouter for content you submit to AI features, Google Web Risk for hostname reputation lookups, and OpenAI for aggregated operational logs only). The roles, locations, and safeguards for each are listed at /legal/subprocessors.

| Location | Role | Persistent storage | Transfer mechanism |
| --- | --- | --- | --- |
| Helsinki, Finland. | Primary storage, application backend, database, object storage. | Yes (encrypted at rest). | EEA. Adequate under Swiss law; no additional mechanism required for EEA or UK data. |
| Singapore (SG). | Edge capture, rendering, and streaming for APAC investigations. | Ephemeral. Capture artefacts written to the investigation container's writable layer for the duration of the investigation, discarded with the container at the end. No long-term storage. | Singapore holds no Swiss or EU adequacy decision. EU Standard Contractual Clauses (processor-to-processor module) and the Swiss FDPIC-recognised equivalent, plus encryption in transit (TLS 1.3, DTLS-SRTP) for both the analyst stream and the artefact upload to Helsinki. |
| Salt Lake City, Utah, USA. | Edge capture, rendering, and streaming for North America. | Ephemeral. Capture artefacts written to the investigation container's writable layer for the duration of the investigation, discarded with the container at the end. No long-term storage. | The USA holds no general Swiss or EU adequacy decision, and this provider is not certified under the EU-US Data Privacy Framework. EU Standard Contractual Clauses (processor-to-processor module) and the Swiss FDPIC-recognised equivalent, plus a transfer impact assessment on file and encryption in transit. |
| Beauharnois, Quebec, Canada. | Edge capture, rendering, and streaming for North America. | Ephemeral. Capture artefacts written to the investigation container's writable layer for the duration of the investigation, discarded with the container at the end. No long-term storage. | Canada's commercial sector (PIPEDA) is recognised as adequate by both the European Commission (Decision 2002/2/EC) and Switzerland. Standard Contractual Clauses and the Swiss equivalent are additionally in place as a belt-and-braces safeguard. |

For transfers to US-based subprocessors, where an individual vendor is certified under the EU-US Data Privacy Framework and its Swiss extension (as identified per vendor at /legal/subprocessors), that certification is the primary transfer mechanism and the EU Standard Contractual Clauses operate as a fallback; for all other US transfers the EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent apply. Guard.ch itself is a Swiss entity and is not, and cannot be, certified under the Data Privacy Framework; we do not claim otherwise.

Where the UK GDPR applies to a transfer, we rely on the UK adequacy regulations for Switzerland and the EEA and on contractual safeguards equivalent to those described above for onward transfers. A copy of the SCCs and the relevant transfer impact assessments is available on written request to [email protected].

10. Your rights

You have the rights below in respect of the personal data we process about you as controller, under the Swiss FADP, the GDPR, or the UK GDPR as applicable to you. Where we process data as a processor on behalf of one of our customers, exercise those rights with that customer; we will assist them within the statutory deadlines.

  • Right of access (Art. 15 GDPR; Art. 25 FADP). Obtain confirmation of whether we process your data, a copy of it, and information about purposes, recipients, retention, and sources.
  • Right to rectification (Art. 16 GDPR; Art. 32(1) FADP). Correct inaccurate data and complete incomplete data.
  • Right to erasure (Art. 17 GDPR; Art. 32(2)(c) FADP). Have your data deleted when one of the conditions applies, subject to overriding legal retention duties listed in Section 7.
  • Right to restriction (Art. 18 GDPR). Pause processing while a dispute is resolved.
  • Right to data portability (Art. 20 GDPR; Art. 28 FADP). Receive your account data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21 GDPR). Object to processing based on legitimate interests on grounds related to your particular situation. Under the FADP you may object to processing as such; we will stop unless a justification under Art. 31 FADP applies.
  • Right not to be subject to automated decisions (Art. 22 GDPR; Art. 21 FADP). See Section 16: we do not run automated decisions with legal effect against you.
  • Right to withdraw consent (Art. 7(3) GDPR). Where consent is the basis, withdraw it at any time.
  • Right to lodge a complaint. Contact the Swiss Federal Data Protection and Information Commissioner (FDPIC, Feldeggweg 1, 3003 Bern, https://www.edoeb.admin.ch); if you are in the EEA, your local supervisory authority (the list is maintained by the European Data Protection Board at edpb.europa.eu); if you are in the UK, the Information Commissioner's Office (ico.org.uk); or the authority competent at your place of residence.

To exercise any right, write to [email protected]. Exercising your rights is free of charge except in the narrow cases where the law allows a fee for manifestly unfounded or excessive requests. We will respond without undue delay and at the latest within one month of receipt (Art. 12(3) GDPR; 30 days under Art. 25(7) FADP), extendable where the law permits for complex requests. We may ask you to confirm your identity to prevent unlawful disclosure.

11. US state privacy rights

This Section applies to residents of US states with consumer privacy laws, including California (CCPA as amended by the CPRA), Colorado, Connecticut, Utah, Virginia, Texas, Oregon, and other states, only to the extent those laws apply to Guard.ch and to the personal data at issue. It supplements the rights listed in Section 10 and does not reduce any rights you have under the GDPR, Swiss FADP, or another applicable law.

The categories of personal data we collect are described in Section 4. They include account and authentication data, payment metadata, investigation captures, technical and security logs, support correspondence, and analytical outputs produced by the Service. Sources include you, your workspace or employer, the isolated browser investigation you instruct us to run, payment and identity providers you choose to use, security providers, and public or third-party lookup sources used for URL analysis.

We use those categories for the purposes described in Section 5: providing the Service, authenticating users, billing, security and abuse prevention, support, legal compliance, and defending or pursuing legal claims. We disclose personal data to the recipient categories in Section 8 and to the subprocessors listed at /legal/subprocessors.

  • No sale or sharing. We do not sell personal information and we do not share personal information for cross-context behavioural advertising, as "sell" and "share" are defined in the CCPA/CPRA, and we have not done so in the preceding 12 months. We do not use personal information for targeted advertising as defined in other state laws, and we do not use analytics cookies, advertising cookies, or ad pixels on Guard.ch. We have no actual knowledge of selling or sharing the personal information of consumers under 16 years of age. Because we do not sell or share personal information, there is nothing to opt out of, and opt-out preference signals such as Global Privacy Control do not change any processing.
  • Sensitive personal data. Investigation captures may incidentally include credentials, account identifiers, precise geolocation, financial information, government identifiers, health information, communications content, or other sensitive data if such information is visible on or submitted to a page you instruct us to capture. We process that content only to provide, secure, support, and delete the Service as described in this Policy, and not to infer characteristics about US consumers.
  • US privacy requests. Where applicable, you may request to know or access, confirm, delete, and correct personal information, obtain it in a portable format, receive information about disclosures, and limit the use of sensitive personal information where state law grants that right. The opt-out rights for sale, sharing, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects are noted for completeness; we do not engage in those activities as described above.
  • Appeals and authorised agents. Where state law grants an appeal right, you may appeal a denied request by replying to our decision email; we will respond within the statutory appeal deadline and, if we deny the appeal, tell you how to contact your state attorney general or privacy regulator. Authorised agents may submit requests where state law permits, but we may require proof of authority and may ask the data subject to verify identity directly.
  • No discrimination. We will not deny service, charge a different price, or provide a different level of service because you exercised a privacy right, except where the requested deletion or restriction makes it impossible to provide the Service or where a lawful exception applies.

Submit US state privacy requests to [email protected]. We will verify requests to protect against unauthorised disclosure or deletion, and will respond within the deadline required by the applicable state law.

12. Other jurisdictions

The Service is offered worldwide. If you are located in a jurisdiction whose data protection law grants you rights beyond those described in this Policy (for example Brazil's LGPD, Canada's PIPEDA, or Australia's Privacy Act), we will honour the rights that mandatorily apply to our processing of your personal data. Nothing in this Policy limits any protection that the mandatory law of your place of habitual residence grants you and that cannot be waived by agreement.

To exercise a right under any such law, write to [email protected] and tell us which jurisdiction's law you are invoking. We will assess applicability in good faith and respond within the deadline that law requires, or within one month if it sets none.

13. Children

Guard.ch is a professional security tool. It is not directed at children and we do not knowingly process personal data of users under 16, which is also the minimum age set by our Terms of Service (or the minimum age at which you can validly consent to those Terms in your jurisdiction, if higher). If you believe a person under 16 has registered an account, contact [email protected] and we will close the account and delete the data unless the law requires us to retain specific elements.

14. Security

We implement technical and organisational measures appropriate to the risk, in line with Article 32 GDPR and Article 8 FADP. Encryption in transit (TLS 1.3, DTLS-SRTP for WebRTC) and at rest, hardened isolated browser containers, least-privilege production access with an append-only audit log for sensitive operations, and regular vulnerability management are part of the baseline.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. The current security overview, including the platform architecture, how we isolate investigation traffic, and an honest statement of which certifications we do and do not hold, is published at /legal/security.

15. Cookies

Guard.ch uses only strictly-necessary cookies (and equivalent local-storage entries) required to keep you signed in and to keep your dashboard session safe from cross-site request forgery. We do not use analytics cookies, advertising cookies, or third-party trackers. The complete inventory, the legal basis, and how to clear or refuse storage are documented in the Cookie Policy. Cookies captured inside the isolated browser during an investigation belong to the sites visited there and are covered by Sections 4.3 and 6 of this Policy, not by the Cookie Policy.

16. Automated analysis, verdicts, and automated decision-making

The Service produces automated analysis of investigated websites: risk scores, classifications, AI-generated summaries, and a verdict. That output is an analytical opinion about the investigated website, produced by automated tooling at a point in time from the signals the capture happened to contain. It is not legal, financial, or other professional advice, not a determination about any person, and not a guarantee that a site is safe or unsafe. You remain responsible for how you act on it.

We do not subject you, as the user of the dashboard, to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR or Article 21 FADP. Verdicts and risk scores are made about pages, not about the customer who submitted them and not about identifiable third parties; they support your triage and produce no legal or similarly significant effect on any data subject.

Our security tooling may automatically rate-limit, challenge, or block traffic that matches abuse patterns. These measures protect the platform, are short-lived, and do not produce legal effects; if you believe you were blocked in error, contact [email protected] and a human will review the decision.

17. Breach notification

We operate a written incident response process. If we become aware of a personal data breach within the meaning of Article 4(12) GDPR, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it where Article 33 GDPR applies, and as soon as possible where a breach is likely to result in a high risk for the data subjects under Article 24 FADP, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR), unless the data was encrypted with a strong key we have not lost, the high risk has been mitigated by subsequent measures, or individual notification would involve disproportionate effort (in which case we will issue a public communication).

For incidents touching investigation captures where we act as processor, we will notify the affected controlling customer without undue delay and in any event within 48 hours after becoming aware of the breach. We provide the information reasonably available to us so the controlling customer can meet its own notification duties under Articles 33 and 34 GDPR (supervisory authority and data subjects).

18. Changes to this policy

We update this Policy when our processing changes, when the law changes, or when we identify a clearer way to describe what we already do. The current version, effective date, and the summary of changes for each version are below. Material changes will be announced to registered customers by email or by a visible notice in the dashboard with reasonable advance notice before they take effect; non-material clarifications take effect on publication. Continued use of the Service after the effective date of a change constitutes acceptance only to the extent the applicable law allows; where consent is required, we will ask for it.

Version | Effective date | Summary of changes
1.2 | 2026-06-10 | Added the shared browser.lol account disclosure, UK GDPR coverage and UK representative status, Swiss FADP framing of legal bases, the independent-controller role for abuse and security processing, corrected international transfer descriptions (US subprocessors, per-vendor DPF status, Swiss adequacy positions), an other-jurisdictions section, the verdict disclaimer, retention criteria, and consolidated the privacy contact on [email protected]. Condensed the capture description in Section 4.3, simplified the controller details (full disclosure in the Imprint), and added the replay link-sharing disclosure (Section 6.5).
1.1 | 2026-06-05 | Clarified EU representative status, plan-specific capture limits, capture caps, account and payment data fields, US state privacy rights, and processor breach notification timing.
1.0 | 2026-05-26 | Initial publication of the Guard.ch Privacy Policy.

19. Governing law and dispute resolution

This Privacy Policy is governed by the substantive laws of Switzerland, without regard to conflict-of-laws rules. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

The courts at the seat of the operator (Schmiedrued, canton of Aargau, Switzerland) have jurisdiction over disputes arising from or in connection with this Policy. This choice of law and venue does not deprive you of the protection of mandatory data protection or consumer protection provisions of the law of your place of habitual residence, and it does not affect mandatory forum rules that allow you to bring or defend a claim at your place of residence.

This clause also does not affect your right to lodge a complaint with the Swiss FDPIC, with your local EEA supervisory authority, with the UK ICO, or to pursue a judicial remedy under Article 79 GDPR or the equivalent provision of the law applicable to you. Should any provision of this Policy be held invalid or unenforceable, the remaining provisions remain in effect, and the invalid provision is to be read as the enforceable provision that comes closest to its intent.

Guard.ch

Operated by Zesiger.net, a Swiss company based in Schmiedrued. All data stored within the EU.

© 2026 Zesiger.net · UID CHE-488.503.816