Privacy Policy

Controller. For the processing activities described in this Policy, the main controller is Numezis SA, Lausanne, Switzerland.

General privacy contact. privacy@numezis.com
General business contact. hello@numezis.com
Data protection escalation. dpo@numezis.com or the contact point specified in an applicable procurement or compliance package.

Where a local representative, external data protection advisor, or affiliate is relevant to a specific processing activity or jurisdiction, Numezis may provide additional details in a contract, notice, or regional supplement.

This Privacy Policy applies where Numezis acts as a controller for personal data processed in connection with our public website, event and marketing programs, demos, prospecting, account creation, billing administration, procurement and due diligence exchanges, support communications, security operations, vendor management, and general business administration.

This Policy does not primarily govern customer data that Numezis processes inside the subscribed Service on behalf of a customer acting as controller. That processor-side activity is governed by the applicable customer agreement and the Numezis DPA, although certain explanations in this Policy may help distinguish the respective roles.

Numezis acts as a controller when it decides why and how personal data is processed for its own business purposes, for example to manage commercial relationships, invoices, account administration, compliance, website security, or product communications.

Numezis acts as a processor or similar service provider when it processes customer-submitted personal data within the Service on documented instructions from the relevant customer. In that context, the customer remains responsible for its own privacy notices, legal bases, retention choices, and regulatory assessments, and Numezis processes such data under the DPA and the applicable contract.

Depending on the relationship with Numezis, we may collect categories of personal data such as:

• Identity and business contact data, such as name, employer, role, business email, telephone number, postal address, and professional profile details.
• Account and administrative data, such as login identifiers, account ownership records, subscription details, support entitlements, billing contacts, and account preferences.
• Commercial and billing data, such as quotes, orders, invoices, payment status, tax information, procurement records, and customer success history.
• Technical and usage data, such as IP address, browser metadata, device information, log data, cookies or similar technologies, and security telemetry associated with visits to our website or use of controller-side services.
• Communications and support data, such as emails, meeting notes, call summaries, support tickets, security follow-up information, and other interactions with our teams.
• Compliance and due diligence data, such as information reasonably necessary to screen sanctions, fraud, anti-money-laundering, procurement, or regulatory risks where applicable.

Numezis processes personal data for purposes such as providing website functionality, responding to inquiries, managing subscriptions and contracts, administering billing, securing systems, preventing fraud, operating support, improving the Service, conducting business relationship management, and complying with legal or regulatory obligations.

Depending on the context, our legal bases may include: (i) performance of a contract or pre-contractual steps requested by the data subject; (ii) our legitimate interests in operating, securing, improving, and marketing our business in a proportionate manner; (iii) compliance with legal obligations; and (iv) consent, where consent is required or specifically requested, such as for certain marketing or cookie-related activities.

Where we rely on legitimate interests, we seek to balance those interests against the rights and expectations of the affected individuals and to apply safeguards appropriate to the context.

Numezis keeps personal data only for as long as necessary for the purposes described above, subject to applicable contractual, legal, accounting, tax, security, and evidentiary obligations. Typical retention principles include the following:

• Prospect and marketing records: for the duration of the active prospect relationship and, thereafter, for a limited period unless consent is withdrawn earlier or a suppression record must be retained.
• Customer account and billing records: for the duration of the subscription and thereafter for the period required by accounting, tax, contractual, and evidentiary obligations.
• Authentication, audit, and security logs: for a rolling period proportionate to security, fraud prevention, and compliance needs.
• Support records: for the period necessary to manage support history, quality, dispute prevention, and contractual follow-up.
• Processor-side customer data: as instructed by the customer and as described in the DPA and the applicable contract.

When retention is no longer necessary, Numezis deletes, anonymizes, or securely archives the data in accordance with its internal retention and information security practices.

Numezis may disclose personal data to affiliates, infrastructure providers, hosting providers, identity and authentication providers, email and communication providers, support and ticketing tools, analytics tools, CRM and marketing systems, payment or billing processors, professional advisers, auditors, insurers, and other service providers that need the data to support legitimate business operations.

We may also disclose personal data where necessary in connection with legal claims, compliance obligations, a court order, a regulatory request, fraud prevention, a corporate transaction, or the protection of rights, security, or property. Recipients are bound by contractual, legal, or professional confidentiality and data protection obligations where appropriate.

Numezis is based in Switzerland and may process or make accessible personal data in Switzerland, the European Economic Area, the United Kingdom, and other jurisdictions where Numezis, its affiliates, or its service providers operate. Where personal data is transferred across borders, Numezis implements a transfer mechanism recognized by Applicable Data Protection Law, such as an adequacy decision, the EU Standard Contractual Clauses, the Swiss addendum, the UK addendum, or another approved safeguard.

Depending on the transfer context, Numezis may supplement those safeguards with organizational, contractual, and technical measures designed to reduce transfer-related risk, taking into account the type of data, destination, access profile, and relevant threat model.

Numezis applies a defense-in-depth security program designed to protect confidentiality, integrity, availability, and resilience. Depending on the relevant environment and service component, safeguards may include access control based on least privilege, role segregation, strong authentication, encryption in transit, encryption at rest where appropriate, logging, monitoring, alerting, backup procedures, vulnerability management, patching, and incident response workflows.

No system can be guaranteed to be absolutely secure. Individuals should therefore also use appropriate security hygiene, including protecting business email accounts, enabling multi-factor authentication where available, and avoiding transmission of unnecessary sensitive information through unapproved channels.

Depending on applicable law and the context of processing, you may have the right to request access, rectification, deletion, restriction, objection, portability, withdrawal of consent, or another lawful remedy in relation to your personal data. These rights are not absolute and may be limited where Numezis has overriding legal obligations, legitimate grounds, or a need to preserve security and evidentiary records.

Requests may be sent to privacy@numezis.com. Numezis may request information necessary to verify identity and scope the request. Where Numezis acts only as processor for customer data, we may redirect the request to the relevant customer or cooperate with that customer in order to respond appropriately.

If you believe that your personal data has been processed unlawfully, you may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or with another competent supervisory authority in the jurisdiction where you are located, work, or believe the infringement occurred.

Numezis may update this Privacy Policy from time to time to reflect changes to legal requirements, regulatory guidance, business practices, service features, or security controls. The date of the latest revision appears at the top of the page.

If a change is material, Numezis may provide additional notice by website banner, email, in-product notice, or another reasonable channel. Continued interaction with Numezis after the effective date of an updated Policy means the updated version will apply to the relevant controller-side processing, subject to mandatory rights under applicable law.

This Privacy Policy should be read in conjunction with Applicable Data Protection Law, including, where relevant, the Swiss Federal Act on Data Protection and the GDPR. Nothing in this Policy is intended to restrict non-waivable rights granted to individuals under those laws.

Individuals may contact Numezis first so that we can attempt to resolve concerns directly. They may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner or another competent supervisory authority, as described above, where they believe their rights have been infringed.