Privacy Policy

18 min read

1. Introduction and Scope

Welcome to Browser.lol (the "Service"), operated by Zesiger.net Individual Enterprise ("we," "us," or "our"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard your information when you visit our website https://browser.lol, use our services, or interact with us in any other way. It also describes your data protection rights and how you can exercise them.

This Policy applies to all personal data processed by us, whether collected online or offline. We adhere to the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws. We are dedicated to implementing Privacy by Design and Privacy by Default principles in all our services, ensuring that data protection is an integral part of our operations from the outset.

We encourage you to read this Policy carefully to understand our practices regarding your personal data. We maintain a public data processing register documenting all processing activities, which is available upon request. Our commitment to transparency includes annual third-party audits of our data practices, public disclosure of data breach incidents, detailed data flow diagrams available in our knowledge base, and regular transparency reports published quarterly.

2. Responsible Entity and Contact Information

The entity responsible for the processing of your personal data (the "Controller") is:

Legal Entity: Browser.lol (operated by Zesiger.net Individual Enterprise)

Address: c/o Janis Zesiger, Mügeri 340, 5046 Schmiedrued, Switzerland

Commercial Register Number: CHE-488.503.816

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact our DPO:

Email: [email protected]

Postal Mail: Data Protection Officer, c/o Janis Zesiger, Mügeri 340, 5046 Schmiedrued, Switzerland

Website: https://browser.lol

Jurisdiction for data protection matters: Switzerland (primarily governed by the Swiss Federal Act on Data Protection).

3. Data We Collect and How We Use It

We collect and process your personal data only for specified, explicit, and legitimate purposes, and always based on a valid legal ground as per Article 6 GDPR (e.g., your consent, for the performance of a contract, compliance with a legal obligation, or our legitimate interests, provided these are not overridden by your interests or fundamental rights and freedoms). We practice data minimization, meaning we only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

Below we detail the categories of personal data we collect and their primary purposes:

3.1. Personal Data You Provide to Us

This includes information you actively and voluntarily submit when you:

  • Account Registration:
    • Data: Full name, username, email address, password (stored securely using hashing algorithms like bcrypt), company name (if applicable), country, default language for Virtual Machines (VMs), default keyboard layout for VMs, mail alias for our integrated mail service, team affiliation details.
    • Purpose: To create and manage your user account, provide access to our services, identify you as a user, and for security purposes.
    • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
  • Contact and Communication:
    • Data: Email address, content of your communications with us (e.g., through support tickets, feedback forms, emails).
    • Purpose: To respond to your inquiries, provide customer support, send service-related communications (e.g., updates, security alerts, administrative messages), and gather feedback.
    • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) to provide effective support and communication; Performance of a contract (Art. 6(1)(b) GDPR) if related to service provision.
  • Financial and Transactional Data:
    • Data: Billing address, payment card metadata (last 4 digits, expiration date, card type – we do not store full card numbers, which are processed by our payment provider), transaction history.
    • Purpose: To process payments for our services, manage subscriptions, prevent fraudulent transactions, and comply with financial and accounting obligations.
    • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR).
  • Surveys, Promotions, and Content Submissions:
    • Data: Information you provide in surveys, feedback forms, beta program applications, content submissions (e.g., comments, attachments), or when participating in promotions.
    • Purpose: To improve our services, conduct market research, manage promotions, and publish user-generated content (with your consent where applicable).
    • Legal Basis: Consent (Art. 6(1)(a) GDPR) for specific submissions or promotions; Legitimate interests (Art. 6(1)(f) GDPR) for service improvement.

Note: We clearly indicate mandatory fields with an asterisk (*). Providing optional data helps us improve service quality but is never required for basic functionality. You are not obliged to provide personal data, but failure to do so may prevent us from providing certain services.

3.2. Data We Collect Automatically

As you navigate through and interact with our Service, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns:

  • Technical and Device Data:
    • Data: IP addresses (which may be truncated or anonymized), device type, operating system, browser type and version (User-Agent), browser language, device identifiers, screen resolution, session ID. Our logs may also include server ID and VM ID if applicable to the logged event.
    • Purpose: To ensure the functionality, security, and stability of our website and services; to optimize user experience; for troubleshooting, analytics, and abuse detection; and for security purposes like fraud prevention and identifying malicious activity.
    • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) to operate and secure our services; Performance of a contract (Art. 6(1)(b) GDPR) for essential functionality.
  • Usage Data:
    • Data: Pages visited, features used, session duration, clickstream data, referring/exit pages, date/time stamps of access (including last logon), interaction with service elements. For Virtual Machines: last activity timestamp (lastseen), last renewal timestamp. For user sessions: creation, update, expiration timestamps, and active status.
    • Purpose: To understand how users interact with our services, improve service design and functionality, personalize content recommendations, create aggregated statistics for business intelligence, and identify areas for improvement.
    • Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) for service improvement and analytics; Consent (Art. 6(1)(a) GDPR) for certain non-essential tracking or personalization.
  • Behavioral Biometric Data:
    • Data: Patterns such as typing rhythm and mouse movements.
    • Purpose: To enhance security by analyzing behavior to detect unauthorized access or fraudulent activities (e.g., bot detection, identity verification for sensitive operations). This processing is performed transparently and typically involves risk scoring.
    • Legal Basis: Explicit consent (Art. 9(2)(a) GDPR if considered special category data, or Art. 6(1)(a) GDPR otherwise) or where strictly necessary for security purposes under legitimate interests (Art. 6(1)(f) GDPR), with robust safeguards. We will clearly inform you when such data is collected.

This data is collected through server log files, application performance monitoring tools, client-side analytics scripts (see also Section 8 on Cookies and Tracking Technologies), security sensors, intrusion detection systems, and network flow analysis.

3.3. Virtual Machine Data

When you use our Virtual Machine (VM) services, we collect data related to the VM instance:

  • Data: Associated user ID (if logged in), session ID, browser image used, the server on which the VM runs, VM status (e.g., running, deleted), creation timestamp, last update timestamp, last activity (lastseen) and renewal timestamps, browser language, and keyboard layout settings within the VM.
  • Purpose: To provide and manage your VM sessions, monitor resource usage, ensure service stability, and for billing purposes.
  • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).

It is important to note that we do not monitor, record, or log any activities or data generated by you *within* the Virtual Machine environment itself. The content of your VM sessions, including websites visited, data entered, or applications used, remains private and is not accessed or stored by us. However, to ensure the security of our platform and to prevent abuse, automated systems may analyze VM activity patterns, or in specific cases of suspected abuse, a manual review may be conducted. This is solely for security and abuse detection purposes, and any such data is not persistently stored.

3.4. Integrated Mail Service Data

If you use our integrated mail service, we process data related to your email messages:

  • Data: Sender and receiver email addresses, email title (subject), content (both plain text and HTML formats), and your user ID. We may also generate an AI-powered summary of the email, identify potential calls to action within the email, and store the details of such calls to action.
  • Purpose: To receive, store, and display your emails as part of the mail service; to provide AI-powered features for email management.
  • Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
  • Retention: Email messages are automatically deleted after 30 days. Each user can store a maximum of 50 messages; if this limit is exceeded, the oldest messages are deleted.

3.5. Data Enrichment and Data from Third Parties

We may augment the data we collect with information lawfully obtained from public sources (e.g., WHOIS databases, company registers, public social media profiles) or from trusted third-party providers. This is done for purposes such as:

  • Fraud Prevention & Security: Verifying information to protect against fraudulent activities.
  • KYC (Know Your Customer) Verification: Fulfilling legal obligations related to customer identification.
  • Business Intelligence Analysis: Understanding market trends and improving our services.
  • Contact Information Updates: Ensuring our records are accurate and up-to-date.

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) for security and service improvement; Legal obligation (Art. 6(1)(c) GDPR) for KYC. We ensure that such third-party data is obtained and processed lawfully.

4. Legal Basis for Processing Personal Data

We process your personal data based on one or more of the following legal grounds as set out in Article 6(1) of the GDPR (and equivalent provisions under Swiss FADP where applicable):

  • Consent (Art. 6(1)(a) GDPR): Where you have given us explicit consent to process your personal data for one or more specific purposes (e.g., subscribing to a newsletter, using non-essential cookies, processing certain biometric data). You have the right to withdraw your consent at any time.
  • Performance of a Contract (Art. 6(1)(b) GDPR): Where processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract (e.g., creating your account, providing our services, processing payments).
  • Legal Obligation (Art. 6(1)(c) GDPR): Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., financial record-keeping, KYC requirements, responding to lawful requests from authorities).
  • Vital Interests (Art. 6(1)(d) GDPR): Where processing is necessary to protect your vital interests or those of another natural person (rarely applicable in our context).
  • Public Task (Art. 6(1)(e) GDPR): Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (not typically applicable to our services).
  • Legitimate Interests (Art. 6(1)(f) GDPR): Where processing is necessary for the purposes of legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data. Our legitimate interests include:
    • Providing, maintaining, and improving our services.
    • Ensuring the security and integrity of our systems and services.
    • Preventing fraud and unauthorized access.
    • Communicating with you regarding our services and important updates.
    • Conducting analytics and business intelligence.
    • Marketing our services to existing customers (within legal limits and with opt-out options).
    • Enforcing our terms and conditions and protecting our legal rights.
    When relying on legitimate interests, we conduct a balancing test to ensure your rights are protected.

If we process special categories of personal data (e.g., biometric data for identification, Article 9 GDPR), we will do so only if a specific exemption applies, such as your explicit consent or if processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.

5. Data Processing Activities Overview

5.1. Automated Session Monitoring and Decision-Making

  • Real-time analysis using machine learning models trained on extensive threat pattern datasets (e.g., 10M+ patterns) to identify and mitigate security risks.
  • Behavioral analysis scoring system (e.g., 0-100 risk rating) to assess the likelihood of malicious activity.
  • Multi-layered detection covering network layer anomalies (e.g., unusual traffic patterns), application layer exploits (e.g., SQL injection attempts), and user behavior deviations (e.g., anomalous login attempts).

This automated session monitoring may involve automated decision-making, including profiling, which could produce legal effects concerning you or similarly significantly affect you (as per Article 22 GDPR). For instance, an automated system might temporarily block access if highly suspicious activity is detected. In such cases, we implement suitable measures to safeguard your rights, freedoms, and legitimate interests, including at least the right to obtain human intervention on our part, to express your point of view, and to contest the decision. Our human review protocol is a key safeguard in these situations. We will inform you when such automated decision-making is employed and provide you with information about the logic involved, as well as the significance and the envisaged consequences of such processing.

5.2. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as long as necessary for the establishment, exercise, or defense of legal claims. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, whether we can achieve those purposes through other means, and applicable legal requirements.

Data Type / PurposeIllustrative Retention PeriodJustification / Destruction Method
Account Information (active users)Duration of account + grace period (e.g., 90 days) post-deletion requestService provision; Secure deletion/anonymization
Active session data (e.g., for security monitoring)Immediate termination + short buffer (e.g., 30 minutes - 24 hours)Security analysis; Cryptographic erasure or secure overwrite
Access logs / System Logs (including IP addresses, request details, user ID, session ID, server ID, VM ID where applicable)30-90 days (may be longer if required for security incident investigation or by third-party logging services like Axiom)Security, troubleshooting, system monitoring; Secure shredding, anonymization after period, or managed by third-party vendor policy.
Billing and Transactional RecordsUp to 10 years (or as legally required)Legal/tax obligations; Secure destruction (e.g., controlled incineration or certified shredding)
Customer Support CommunicationsDuration of account + period for follow-up/dispute resolution (e.g., 2 years)Service quality, dispute resolution; Secure deletion
Integrated Mail Service Messages30 days (or oldest messages deleted if user exceeds 50 message limit)Service provision; Secure deletion.
Backup data (for disaster recovery)90 days (rolling backups)Business continuity; Multi-pass overwrite when retired
Data collected via consent (e.g., marketing)Until consent is withdrawnRespecting user choice; Secure deletion

Specific retention periods may vary. Upon expiry of the applicable retention period, personal data will be securely destroyed, deleted, or anonymized in accordance with applicable laws and our internal policies.

5.3. Data Security and Infrastructure Security

We have implemented comprehensive technical and organizational security measures (TOMs) to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are regularly reviewed and updated to reflect technological advancements and evolving threat landscapes. Our data is primarily stored in a PostgreSQL database. Our security measures include:

  • Physical Security Measures:
    • Secure data center locations with restricted access.
    • Biometric access controls and multi-factor authentication for physical access.
    • 24/7 video surveillance and environmental controls (e.g., fire suppression, climate control).
    • Manned security perimeters and intrusion detection systems.
  • Network Security:
    • Next-generation firewalls with Intrusion Prevention/Detection Systems (IPS/IDS).
    • Implementation of a Zero Trust Architecture model.
    • Distributed Denial of Service (DDoS) mitigation mechanisms.
    • Regular vulnerability scanning, penetration testing (e.g., quarterly), and robust patch management processes.
    • Network segmentation and segregation of environments (development, testing, production).
  • Data Security:
    • Encryption of data at rest (e.g., using AES-256 or stronger algorithms) and in transit (e.g., using TLS 1.3 with strong cipher suites).
    • Strict access controls and identity management (e.g., role-based access control, principle of least privilege, multi-factor authentication for system access).
    • Regular employee training on data protection, information security, and privacy best practices.
    • Detailed logging of relevant system access and changes (audit logs) for monitoring and forensics.
    • Data loss prevention (DLP) mechanisms.
    • Anonymization and pseudonymization techniques where appropriate.
    • Secure software development lifecycle (SSDLC) practices.
    • Comprehensive data backup and recovery procedures, regularly tested.
    • A documented Incident Response Plan to ensure timely and effective reaction to security incidents and data breaches.
  • Certifications and Compliance:
    • ISO 27001:2022 (Information Security Management System)
    • SOC 2 Type II (Security, Availability, Processing Integrity, Confidentiality, Privacy)
    • PCI DSS 4.0 (Payment Card Industry Data Security Standard) for relevant payment processing environments.
    • Regular internal and external audits to verify compliance.

Despite our efforts, no security measures are perfect or impenetrable. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities without undue delay, in accordance with applicable law (see Section 10).

6. Third-Party Services and Data Sharing

We may share your personal data with third-party service providers (subprocessors or "processors") who perform services on our behalf. These providers are contractually bound to protect your data and may only use it for the purposes for which we disclose it to them. We conduct due diligence on all subprocessors to ensure they meet our security and privacy standards. We do not sell your personal data.

Categories of third parties we may share data with include:

  • Cloud hosting and infrastructure providers.
  • Payment processing providers.
  • Analytics and performance monitoring services.
  • Customer support platform providers.
  • Communication service providers (e.g., for email delivery).
  • Security service providers.
  • Log aggregation and analysis services.
  • Advertising platforms.
  • Professional advisors (lawyers, auditors, consultants).

Specific third-party services we use include:

Cloudflare

Function: Content Delivery Network (CDN) & security services (e.g., WAF, DDoS protection).
Data Processed: IP addresses, browser metadata, security logs.
Purpose: Website performance optimization, security enhancement, threat intelligence. Data may be transferred outside Switzerland/EU for these purposes under appropriate safeguards.
Privacy Policy

Stripe

Function: Payment processing.
Data Processed: Payment card metadata (last 4 digits, expiry), transaction details, billing information. We do not store full payment card details.
Purpose: Secure processing of payments. Stripe is PCI DSS Level 1 compliant. Data may be transferred to the US under the EU-U.S. Data Privacy Framework (DPF) or other valid transfer mechanisms.
Privacy Policy

Google Workspace (Google Cloud)

Function: Email, document collaboration, and internal communication tools.
Data Processed: Email content, documents, user metadata related to workspace usage.
Purpose: Internal operations and communication. Google processes data in accordance with their terms, which include security commitments. Data processing may include content scanning for security and service improvement purposes. Transfers are subject to Google's data processing terms and transfer mechanisms.
Security Information | Privacy Policy

Google Analytics

Function: Website usage analytics and performance monitoring.
Data Processed: IP addresses (can be configured for anonymization), cookie identifiers, device and browser information, pages visited, session duration, user interaction with website elements.
Purpose: To understand how users interact with our services, improve service design and functionality, create aggregated statistics for business intelligence, and identify areas for improvement.
Privacy Policy | Opt-out: Google Analytics Opt-out Browser Add-on

Hetzner

Function: Cloud hosting and infrastructure provider for Virtual Machines (VMs).
Data Processed: IP addresses, server usage data, account information related to server hosting. Specific data stored within VMs is managed by us, but Hetzner provides the underlying infrastructure.
Purpose: Provisioning and hosting of virtual machine infrastructure. Data may be processed in Germany/EU.
Privacy Policy

OVHcloud

Function: Cloud hosting and infrastructure provider for Virtual Machines (VMs).
Data Processed: IP addresses, server usage data, account information related to server hosting. Specific data stored within VMs is managed by us, but OVHcloud provides the underlying infrastructure.
Purpose: Provisioning and hosting of virtual machine infrastructure. Data may be processed in various locations, primarily EU; transfers subject to their data protection terms.
Privacy Policy

Zap-Hosting

Function: Cloud hosting and infrastructure provider, often for game servers and VMs.
Data Processed: IP addresses, server usage data, account information related to server hosting. Specific data stored within VMs/servers is managed by us, but Zap-Hosting provides the underlying infrastructure.
Purpose: Provisioning and hosting of virtual machine/server infrastructure. Data may be processed in Germany/EU.
Privacy Policy

Playwire

Function: Advertising services platform.
Data Processed: IP addresses, cookie data, browser and device information, browsing history on our site, ad interaction data (e.g., clicks, views).
Purpose: To display advertisements on our service, which may be targeted based on user interests and behavior. Data transfers may occur globally under appropriate safeguards.
Privacy Policy

Axiom

Function: Log aggregation and analysis services.
Data Processed: Log data which may include timestamp, log title, log message content, log level (e.g., ERROR, INFO), code location originating the log, IP address, user ID, user-agent string, session ID, server ID, VM ID, and application name (e.g., "api" or "api-dev").
Purpose: System monitoring, troubleshooting, security analysis, and improving service reliability. Data may be transferred outside Switzerland/EU for these purposes under appropriate safeguards (e.g., Standard Contractual Clauses or DPF certification).
Privacy Policy

We may also disclose your personal data if required by law, regulation, legal process (e.g., a subpoena or court order), or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction, subject to standard confidentiality agreements and notification where required by law.

6.1. International Data Transfers

Some of the third-party service providers we use, or our own operations, may involve transferring your personal data to countries outside of Switzerland and the European Economic Area (EEA). These countries may not have data protection laws equivalent to those in Switzerland or the EEA.

When we transfer your data to such countries, we ensure that appropriate safeguards are in place to protect your personal data to a standard equivalent to that in Switzerland/EEA. These safeguards may include:

  • Relying on an adequacy decision from the European Commission (or the Swiss Federal Data Protection and Information Commissioner - FDPIC) confirming that the third country provides an adequate level of data protection (e.g., for transfers to countries recognized as adequate).
  • Implementing Standard Contractual Clauses (SCCs) approved by the European Commission (and adapted for Swiss law where necessary) between us and the data importer. These SCCs impose data protection obligations on the data importer.
  • For transfers to the United States, relying on the EU-U.S. Data Privacy Framework (DPF), the Swiss-U.S. DPF, and/or the UK Extension to the EU-U.S. DPF, for transfers to U.S. companies certified under these frameworks.
  • Implementing Binding Corporate Rules (BCRs) for intra-group transfers, where applicable.
  • In specific situations, relying on derogations as per Article 49 GDPR (e.g., your explicit consent for a specific transfer, or if the transfer is necessary for the performance of a contract with you), after informing you of the potential risks.

We also conduct Transfer Impact Assessments (TIAs) where required to evaluate the level of protection in the recipient country and implement supplementary measures if necessary. Details regarding specific transfers and the safeguards implemented for each third-party provider can typically be found in their respective privacy policies or Data Processing Agreements (DPAs), or you can request this information from us. We are committed to working only with service providers who can demonstrate an adequate level of data protection.

6.2. Subprocessor Management

We maintain strict vendor due diligence and management processes for all subprocessors, including:

  • Thorough initial security and privacy assessments before engagement.
  • Requirement for Data Processing Agreements (DPAs) that comply with GDPR and FADP, outlining their obligations.
  • Regular (e.g., annual) security and compliance reviews and assessments.
  • Continuous monitoring where feasible (e.g., via security scorecards or alerts).
  • Clearly defined roles and responsibilities regarding data protection.
  • Contractual clauses ensuring subprocessors notify us of any data breaches without undue delay.
  • Right to audit clauses in our contracts with subprocessors.
  • A process for approving new subprocessors, with notification to our clients where applicable and as required by law.

A list of our current subprocessors can be made available upon request, subject to confidentiality obligations.

7. Technical Aspects of Data Processing

7.1. Website Provision & System Log Files

When you access our website or use our services, our systems (and third-party logging services like Axiom) automatically collect and store information in log files. This information is transmitted by your browser or our backend applications. This typically includes:

  • Log timestamp.
  • Log title or category.
  • The actual log message or event description.
  • Log level (e.g., ERROR, WARN, INFO, DEBUG).
  • The location in our code that generated the log entry.
  • Identifiers such as: IP address of the requesting computer, User ID (if authenticated), User-Agent string, Session ID, Server ID (if applicable), VM ID (if applicable).
  • Application name (e.g., "api" for our backend).
  • HTTP request details (method, URL, protocol version, status code, data transferred) might also be part of specific access logs.
  • Referrer URL (the previously visited page).

Purpose and Legal Basis: This data is processed for the purpose of enabling the use of the website and services (connection establishment), ensuring system security and stability, technical administration of the network infrastructure, troubleshooting, monitoring for malicious activity, and for optimizing our services. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in providing a functional, secure, and reliable service. This data is generally not merged with other data sources beyond the scope of logging and analysis. We reserve the right to check this data retrospectively if we become aware of specific indications of illegal use.

Storage Architecture: Log files may be stored locally for a short period (e.g., `SYSTEM.Log` in our PostgreSQL database) or sent to third-party services like Axiom for longer retention and analysis. IP addresses in logs are typically handled according to the policies outlined (e.g., truncation where feasible or as per third-party agreements).

7.2. Cookies and Similar Tracking Technologies

Our website and services use cookies and similar tracking technologies (e.g., web beacons, pixels, local storage) to enhance user experience, analyze usage, manage sessions, and for security purposes. Cookies are small text files stored on your device.

Types of Cookies We Use:

  • Essential/Strictly Necessary Cookies: Required for the basic functionality of the website and services, such as user authentication, session management, and security. These cannot be disabled through our preference center. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or performance of a contract (Art. 6(1)(b) GDPR).
  • Functional/Preference Cookies: Allow us to remember choices you make (e.g., language preferences, display settings) to provide a more personalized experience. Legal basis: Consent (Art. 6(1)(a) GDPR).
  • Performance/Analytics Cookies: Collect information about how you use our website (e.g., pages visited, time spent, error messages) to help us improve performance and design. Data is often aggregated and anonymized. Legal basis: Consent (Art. 6(1)(a) GDPR).
  • Marketing/Targeting Cookies: Used to deliver advertisements more relevant to you and your interests, or to measure the effectiveness of advertising campaigns. They may be set by us or by third-party advertising partners. Legal basis: Consent (Art. 6(1)(a) GDPR).
Cookie Name (Example)ProviderPurposeExpiryCategory
sessionid, csrftokenBrowser.lol (First-party)User authentication, session management, security (CSRF protection)Session / 2 weeksEssential
_ga, _gid, _gatGoogle Analytics (Third-party)Website usage analytics, distinguishing users, throttling request rate2 years / 24 hours / 1 minutePerformance
cookie_consent_statusBrowser.lol (First-party)Stores user's cookie consent preferences1 yearFunctional
langBrowser.lol (First-party)Stores user language preference1 yearFunctional

Managing Cookies: You can manage your cookie preferences at any time through our Cookie Preference Center (if available) or by adjusting your browser settings. Most browsers allow you to refuse cookies or to alert you when cookies are being sent. However, if you disable essential cookies, some parts of our website or services may not function properly. For more information on how to manage cookies in popular browsers, please consult their help documentation.

Do Not Track (DNT) Signals: Some web browsers may transmit "Do Not Track" signals. We currently do not take action in response to DNT signals because there is no universally accepted standard for how to respond. We will continue to monitor developments in this area.

8. Your Data Protection Rights

Under the Swiss FADP and the GDPR (for individuals in the EU/EEA), you have certain rights regarding your personal data. We are committed to upholding these rights. Subject to applicable law, these rights include:

Your Rights Under Swiss FADP and GDPR

  • Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and specific information (e.g., purposes of processing, categories of data, recipients, retention periods).
  • Right to Rectification (Art. 16 GDPR): You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. You also have the right to have incomplete personal data completed.
  • Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR): You have the right to obtain the erasure of personal data concerning you without undue delay under certain conditions (e.g., data is no longer necessary, you withdraw consent and there is no other legal ground, you object to processing and there are no overriding legitimate grounds).
  • Right to Restriction of Processing (Art. 18 GDPR): You have the right to obtain restriction of processing under certain circumstances (e.g., accuracy of data is contested, processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims).
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from us, where processing is based on consent or on a contract and is carried out by automated means.
  • Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests (Art. 6(1)(f) GDPR) or processing for direct marketing purposes (including profiling related to direct marketing). If you object to processing for direct marketing, the personal data shall no longer be processed for such purposes.
  • Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • Rights Related to Automated Individual Decision-Making, Including Profiling (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, subject to certain exceptions. We ensure human intervention or the right to contest such decisions.
  • Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
    • For Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern, Switzerland. https://www.edoeb.admin.ch
    • A list of EU/EEA supervisory authorities can be found here.

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer using the contact details provided in Section 2. To protect your privacy and security, we may require you to verify your identity before responding to such requests. Requests should include:

  • Sufficient information to allow us to reasonably verify you are the person about whom we collected personal data or an authorized representative. This may include proof of identity (e.g., a copy of a government-issued ID, which will be used solely for verification and then deleted).
  • A clear description of your request and the specific personal data it relates to (e.g., account ID, email address associated with the account).
  • For sensitive operations or if there are doubts about identity, we may request a notarized request or other forms of secure identity verification.

You can submit requests via email to [email protected] or by postal mail (a digital signature may expedite processing for mail requests).

We will respond to your request without undue delay and typically within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If we do not take action on your request, we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Exercising your rights is generally free of charge. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded, excessive, or repetitive, in accordance with applicable data protection laws.

9. Children's Privacy

Our Service is not directed to individuals under the age of 16 (or a higher age threshold as required by applicable local law for processing personal data based on consent). We do not knowingly collect personal data from children under 16. If you are a parent or guardian and you believe that your child has provided us with personal data without your consent, please contact us using the details in Section 2. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers promptly.

10. Data Breach Notification

We have implemented procedures to detect, investigate, and respond to data breaches. In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to your rights and freedoms, we will also communicate the personal data breach to you without undue delay, unless:
  • We have implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
  • We have taken subsequent measures which ensure that the high risk to your rights and freedoms is no longer likely to materialize.
  • It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby you are informed in an equally effective manner.
Our notification to you will describe in clear and plain language the nature of the data breach, the name and contact details of our DPO, the likely consequences of the breach, and the measures taken or proposed to be taken by us to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

11. Links to Other Websites

Our Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

12. Policy Changes and Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post any changes on this page and update the "Last Updated" date at the top or bottom of this Policy. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

VersionEffective DateSummary of Key Changes
3.12025-05-15Updated data collection details in Section 3 (Account Registration, Technical Data, Usage Data, new VM Data, new Mail Data). Updated Section 5.2 (Data Retention) for mail and logs. Added PostgreSQL mention in 5.3. Added Axiom to Section 6 (Third-Party Services). Revised Section 7.1 (System Log Files) to align with backend logging. Updated third-party services list in Section 6.
2.12025-03-15Added biometric data processing details (original German version)
2.02025-01-20GDPR compliance updates and German language additions (original version)
3.02024-10-24Comprehensive update: Full translation to English, significant expansion of all sections, added new sections (Children's Privacy, Breach Notification, Links to Other Sites), more details on legal bases, data processing activities, security measures, international transfers, and user rights. Company details updated.
1.42024-11-01Third-party processor additions (original version)
1.02022-08-16Initial version of the Privacy Policy.

Change Notification Protocol:

  • Material Changes: For significant changes that materially affect your rights or the way we handle your personal data, we will provide prominent notice (e.g., 30-60 day advance notice via email to registered users and/or a clear notification on our website or service dashboard) before the changes take effect. We may also seek your consent for certain changes if required by law.
  • Minor Changes: For less significant changes, updating the "Last Updated" date and posting the revised policy may be sufficient. We encourage you to periodically review this Policy.
  • Emergency Changes: In rare cases, urgent changes may be necessary for security or legal reasons. We will notify you as soon as practicable. Certain changes might offer a rollback option for a limited period if feasible.

Your continued use of our Service after the effective date of the revised Policy constitutes your acknowledgment of the changes (unless consent is specifically required and not obtained).

Last Updated: 13.05.2025

13. Governing Law and Dispute Resolution

This Privacy Policy and any disputes arising out of or related to it shall be governed by and construed in accordance with the laws of Switzerland, without regard to its conflict of law provisions. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

Any disputes arising from or in connection with this Privacy Policy that cannot be resolved amicably shall be subject to the exclusive jurisdiction of the competent courts in Schmiedrued, Switzerland. This does not affect your right to lodge a complaint with a data protection supervisory authority as described in Section 8.