Privacy Policy
Last Updated: November 6, 2025
Effective Date: November 6, 2025
1. Introduction
Smitteck GmbH ("we," "us," or "our") operates the PayEquity Platform (the "Service") accessible at payequity-555754031013.us-west1.run.app and related domains. We are committed to protecting your personal data and respecting your privacy rights.
Data Controller:
Smitteck GmbH
Switzerland
Canton of Zurich
This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the Swiss Federal Act on Data Protection (FADP) and applicable data protection regulations.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password (encrypted)
- Company Information: Company name, size, industry, locations
- Assessment Data: Compliance assessment responses (optional storage)
- RFP Submissions: Requirements, budget, timeline information
- Communication: Messages sent through contact forms or support channels
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent on the platform
- Device Information: Browser type, operating system, IP address (anonymized)
- Cookies: Session cookies, authentication tokens (see Section 7)
- Log Data: Access times, error logs, API calls
2.3 Information We Do NOT Collect
- Employee salary data (unless voluntarily uploaded to Tool B, which processes locally)
- Social security numbers or national identification numbers
- Financial information (payment processing handled by Stripe)
- Biometric data
3. How We Use Your Information
We use collected information for the following purposes:
- Service Provision: To provide, maintain, and improve the PayEquity Platform
- Assessment Reports: To generate and email compliance assessment reports
- RFP Processing: To connect you with relevant pay equity vendors
- Communication: To send service updates, security alerts, and support messages
- Analytics: To understand usage patterns and improve user experience
- Legal Compliance: To comply with legal obligations and enforce our terms
- Security: To detect, prevent, and address fraud or security issues
Legal Basis (Swiss FADP): We process your data based on:
- Contract performance (providing the Service)
- Legitimate interests (service improvement, security)
- Your consent (where explicitly provided)
- Legal obligations (compliance with laws)
4. Data Sharing and Disclosure
4.1 Service Providers
We share data with trusted third-party service providers:
- Google Cloud Platform: Hosting and infrastructure (US-based servers)
- Resend: Email delivery service
- Stripe: Payment processing (for paid features)
- Database Provider: Data storage (Supabase/PostgreSQL)
All service providers are contractually bound to protect your data and use it only for specified purposes.
4.2 Vendors (RFP System)
When you submit an RFP, we share your contact information and requirements with selected vendors. This is necessary to fulfill your request. Vendors are independent data controllers responsible for their own data practices.
4.3 Legal Requirements
We may disclose information if required by law, legal process, or government request, or to protect the rights, property, or safety of Smitteck GmbH, users, or others.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
We do NOT sell your personal data to third parties.
5. Data Storage and Security
5.1 Data Location
Your data is primarily stored on servers located in the United States (Google Cloud Platform, us-west1 region). By using our Service, you consent to the transfer of your data to the US.
5.2 Security Measures
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Password hashing (bcrypt)
- Regular security audits and updates
- Access controls and authentication
- Secure API key management
5.3 Tool B Desktop Application
The PayEquity Analyzer Pro (Tool B) processes all salary data locally on your device. No employee salary data is transmitted to our servers or any third party. The tool operates entirely offline for maximum data privacy.
5.4 Data Retention
- Account Data: Retained while your account is active
- Assessment Results: Retained for 24 months or until deletion
- RFP Submissions: Retained for 12 months after submission
- Log Data: Retained for 90 days
- Email Communications: Retained as required for service provision
After retention periods expire, data is securely deleted or anonymized.
6. Your Privacy Rights
Under Swiss data protection law, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restriction: Limit processing of your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time (where applicable)
To exercise these rights, please contact us at the address provided in Section 11.
Account Deletion
You can delete your account at any time through your account settings or by contacting us. Upon deletion, we will remove or anonymize your personal data within 30 days, except where retention is required by law.
7. Cookies and Tracking
7.1 Cookies We Use
- Essential Cookies: Required for authentication and security (session management)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Understand usage patterns (anonymized)
7.2 Cookie Control
You can control cookies through your browser settings. Note that disabling essential cookies may affect functionality. Analytics cookies can be disabled without impacting core features.
7.3 Third-Party Tracking
We do not use third-party advertising or tracking networks. Analytics are performed using privacy-focused tools with anonymized data.
8. Children's Privacy
Our Service is intended for business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such data, please contact us immediately.
9. International Users
Our Service is accessible globally. If you access the Service from outside Switzerland or the United States, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.
For users in the European Economic Area (EEA), UK, or regions with GDPR-equivalent regulations, we provide the same rights and protections as outlined in this policy.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date
- Sending an email notification (for significant changes)
Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Smitteck GmbH
Data Protection Officer
Switzerland
Canton of Zurich
Email: privacy@smitteck.com
12. Supervisory Authority
If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC):
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH-3003 Bern
Switzerland
Website: www.edoeb.admin.ch
13. Specific Service Features
13.1 Compliance Assessment Tool
Assessment results are not stored on our servers by default. If you choose to save results (requires account), we store your responses and generated reports for your reference. You can delete saved assessments at any time.
13.2 Email Reports
When you request an email report, we temporarily process your assessment data to generate the report. The report is sent via Resend (our email service provider), and the email address you provide is used solely for delivery.
13.3 RFP System
RFP submissions are shared with the vendors you select. Each vendor is an independent data controller responsible for their own privacy practices. We recommend reviewing each vendor's privacy policy before submitting an RFP.
Acknowledgment: By using the PayEquity Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.