Privacy Policy

12 min read

Transparent Data Handling

Transparent handling of personal data is fundamental to our operations. This privacy policy explains what personal data we collect, its purpose, and who we share it with. We regularly update this policy to ensure maximum transparency.

Our data practices comply with the Swiss Federal Act on Data Protection (FADP), EU General Data Protection Regulation (GDPR), and other applicable regulations. We implement Privacy by Design and Privacy by Default principles in all our services, ensuring data protection is integrated into every aspect of our operations.

We maintain a public data processing register documenting all processing activities, which is available upon request. Our commitment to transparency includes:

  • Annual third-party audits of our data practices
  • Public disclosure of data breach incidents within 72 hours of discovery
  • Detailed data flow diagrams available in our knowledge base
  • Regular transparency reports published quarterly

Responsible Entity

Legal Entity: Guard.ch (operated by Zesiger.net Individual Enterprise)

Commercial Register Number: CHE-123.456.789

VAT Identification Number: EU123456789

Data Protection Officer: Dr. Markus Fischer (certified CIPP/E, CIPM)

Email: [email protected]

Website: https://guard.ch

Jurisdiction: Switzerland (Subject to Swiss Data Protection Act)

Our EU representative as required under GDPR Article 27:

Guard EU Rep GmbH
c/o DataRep, Marktplatz 1, 80331 München, Germany
Email: [email protected]

Data We Collect

1. General Personal Data

Any information relating to an identifiable natural person including:

  • Identity Data: Full name, username, government-issued ID numbers
  • Contact Data: Email address, phone number, physical address
  • Technical Data: IP addresses, device fingerprints, browser user agents
  • Usage Data: Pages visited, features used, session duration
  • Financial Data: Payment card metadata (last 4 digits, expiration date)
  • Biometric Data: Behavioral patterns (typing rhythm, mouse movements)

2. Voluntarily Provided Data

Information you actively submit through:

  • Account registration forms
  • Customer support tickets
  • User surveys and feedback forms
  • Beta program applications
  • Content submissions (attachments, comments)
  • Social media interactions

Note: We mark mandatory fields with an asterisk (*). Provision of optional data helps improve service quality but is never required for basic functionality.

3. Automatically Collected Data

Technical information gathered through:

  • Server log files
  • Application performance monitoring tools
  • Client-side analytics scripts
  • Security sensors and intrusion detection systems
  • Network flow analysis

Data Enrichment Processes

We may augment collected data with information from public sources (WHOIS databases, company registers) and trusted third-party providers for:

  • Fraud prevention
  • KYC (Know Your Customer) verification
  • Business intelligence analysis

Data Processing Overview

1. Automated Session Monitoring

  • Real-time analysis using machine learning models trained on 10M+ threat patterns
  • Behavioral analysis scoring system (0-100 risk rating)
  • Multi-layered detection covering:
    • Network layer anomalies
    • Application layer exploits
    • User behavior deviations
  • Human review protocol:
    • Dedicated security team on-call 24/7
    • Four-eye principle for critical decisions
    • Automated escalation matrix for severe threats

2. Data Retention

Data TypeRetention PeriodDestruction Method
Active session dataImmediate termination + 30m bufferCryptographic erasure
Access logs30 daysSecure shredding (DoD 5220.22-M)
Billing records10 yearsControlled incineration
Backup data90 daysMulti-pass overwrite

3. Infrastructure Security

  • Physical security measures:
    • Biometric access controls
    • 24/7 video surveillance
    • Manned security perimeters
  • Network security:
    • Next-gen firewalls with IPS/IDS
    • Zero Trust Architecture implementation
    • Quarterly penetration testing
  • Certifications:
    • ISO 27001:2022
    • SOC 2 Type II
    • PCI DSS 4.0

Third-Party Services

Cloudflare

CDN & security services. Processes IP addresses and browser metadata. Data transfer outside EU for threat intelligence purposes. Privacy Policy

Stripe

Payment processing. We never store payment details. PCI DSS Level 1 compliant. May transfer data to US under EU-US DPF framework. Privacy Policy

Google Workspace

Email and document collaboration. Data processing includes content scanning for security purposes. Privacy Policy

Sentry

Error tracking and performance monitoring. Collects stack traces and device information. Privacy Policy

Intercom

Customer support platform. Stores chat histories and user metadata. Privacy Policy

Subprocessor Management

We maintain strict vendor due diligence processes including:

  • Annual security assessments
  • Data Processing Agreement (DPA) requirements
  • Continuous monitoring via security scorecards
  • Right to audit clauses in all contracts

Technical Data Processing

Website Provision & Log Files

  • Automatically collected: IP address, HTTP headers, request method
  • Access log fields: timestamp, resource path, status code, bytes transferred
  • Storage architecture: Immutable logs in write-once-read-many (WORM) storage
  • Anonymization: IP truncation (/24 for IPv4, /56 for IPv6) after 7 days

Cookies

Detailed cookie usage:

NamePurposeExpiryCategory
sessionidAuthentication2 weeksEssential
_gaAnalytics2 yearsPerformance
cookie_consentPreferences1 yearFunctional

Manage cookies via our Cookie Preference Center or browser settings.

Tracking Technologies

Browser Fingerprinting

We collect passive device characteristics for security purposes:

  • Screen resolution
  • Installed fonts
  • WebGL renderer details
  • AudioContext fingerprint

Beacon Technologies

Used for performance monitoring:

  • Navigation Timing API
  • Resource Timing API
  • Paint Timing metrics

Your Rights

Under Swiss/EU Law

  • Access: Receive copy of personal data (Article 15 GDPR)
  • Rectification: Correct inaccurate data (Article 16)
  • Erasure: Request deletion under certain conditions (Article 17)
  • Restriction: Limit processing (Article 18)
  • Portability: Receive structured data (Article 20)
  • Object: Oppose processing (Article 21)

Exercise Your Rights

Requests must include:

  • Proof of identity (government-issued ID)
  • Specific data reference (account ID, email)
  • Notarized request for sensitive operations

Contact: [email protected] or postal mail with digital signature

Average response time: 15 working days (complex requests may take 60 days)

Policy Changes

VersionDateChanges
2.12025-03-15Added biometric data processing details
2.02025-01-20GDPR compliance updates
1.42024-11-01Third-party processor additions

Change Notification Protocol:

  • Major changes: 60-day advance notice via email and dashboard alerts
  • Minor changes: 14-day pre-notification period
  • Emergency changes: Immediate notification with 30-day rollback option

Last Updated: February 19, 2025