Privacy Policy

Main data controller

Numezis SA
Chemin de Mornex 5
Lausanne
Switzerland
CHE-123.456.789

Data Protection Officer (DPO)
An external DPO is appointed.
Contact: dpo@numezis.com

Single point of contact for privacy
privacy@numezis.com
(or contact@numezis.com with subject “GDPR / FADP request”)

This Policy applies to the following categories of data subjects:

• End users (admins, employees, accountants, etc.) accessing the Service through an organizational account;
• Legal representatives and business contacts of customer organizations;
• Prospects and individuals who have interacted with our sales or marketing teams;
• Visitors of numezis.com and its subdomains; and
• Individuals whose data is processed as part of business flows imported by our Customers (data “imported” or “uploaded”).

Depending on the context, Numezis may act as a data controller or a data processor:

• Data necessary to provide the Service (account, billing, authentication logs, configuration): Numezis acts as controller based on contract performance and legitimate interest (Terms / customer agreement).
• Business data imported/generated by the Customer in modules (invoices, accounting entries, employees, etc.): Numezis acts as processor under the Customer’s documented instructions (DPA / Data Processing Addendum).
• Direct marketing data (newsletters, webinars, etc.): Numezis acts as controller based on consent or legitimate interest (opt-in/opt-out).

When we act as processor, the Customer remains the controller and we act strictly under its written instructions (as described in the DPA).

Depending on features used, we may process the following categories of personal data:

• Identification & account data: first name, last name, business email address, role, unique identifier.
• Authentication & security data: password hash, JWT/refresh tokens, IP address, browser fingerprint, MFA logs.
• Billing & contract data: company name, VAT number, billing address, payment details (via Stripe).
• Usage & telemetry data: actions performed (clicks, page views), time spent, application errors, quotas.
• Imported business data: PDF/XML invoices, accounting entries, employee records, bank statements, etc.
• Support & communications data: ticket content, email/chat exchanges, call recordings (if authorized).
• Marketing & events data: communication preferences, open history, webinar participation.

We process personal data for the following purposes, based on the legal grounds provided by the GDPR and Swiss data protection law (as applicable):

• Account creation, management, and authentication: contract performance.
• Provision of the Service (calculations, document generation, AI): contract performance.
• Billing, payment management, and collection: contract performance + legal obligation.
• Fraud/abuse/security incident prevention and detection: legitimate interest (protecting the platform and other customers).
• Logging for audit and accounting/tax traceability: legal obligation + legitimate interest (Swiss GAAP compliance, FTA requirements, external audits).
• Technical support and incident resolution: contract performance + legitimate interest (service quality).
• Product improvement (aggregated and anonymized analysis): legitimate interest (building useful features).
• Transactional communications (invoices, security alerts): contract performance.
• Non-essential marketing communications: consent or legitimate interest (with opt-out where applicable).
• Compliance with legal obligations (retention, responses to authorities): legal obligation.

We retain personal data for periods proportionate to the purposes and legal obligations:

• Active account data: duration of the contractual relationship + 90 days after termination (restoration period).
• Authentication logs & IP: rolling 12 months.
• Issued invoices & accounting data: 10 years (Swiss tax retention period).
• Imported business data: per Customer instructions (DPA) + 30 days after termination.
• Support data: 3 years after closing the last ticket.
• Marketing data (prospects): 3 years after the last meaningful contact or withdrawal of consent.

We never sell your personal data.

Categories of recipients include:

• Technical processors (cloud hosting, monitoring, transactional messaging, level-3 support);
• Stripe (payments & billing);
• Google Cloud Platform (cloud hosting and security services);
• MongoDB Atlas (managed database hosting);
• Microsoft Azure (Azure OpenAI) (AI models, where configured);
• Amazon Web Services (AWS) (inbound email ingestion and raw email storage);
• Infomaniak (DNS management for numezis.com and associated email services);
• Law firms / accountants (in case of dispute or audit); and
• Competent authorities (upon judicial request or legal obligation).

All processors sign agreements compliant with GDPR Art. 28 / Swiss law. The current list of key subprocessors is also described in our DPA.

Most data is hosted in Switzerland (ISO 27001 certified data centers, FINMA/Swiss hosting practices).

Where transfers outside Switzerland/EEA are necessary, we use in particular:

• 2021 Standard Contractual Clauses (SCC) + Transfer Impact Assessment (TIA);
• Approved sector codes of conduct; and
• Binding Corporate Rules (BCR) where available.

We apply a defense-in-depth approach, including:

• Encryption at rest and in transit (TLS);
• Strict access management (least privilege, MFA);
• Logical separation of environments (prod / staging / dev);
• Network protections (WAF / DDoS mitigation / rate limiting) using cloud security services (e.g., Google Cloud Armor);
• Centralized secrets management (Google Secret Manager);
• Logging and monitoring for security and reliability;
• Regular vulnerability management and security reviews; and
• Encrypted backups with defined retention.

Depending on applicable law, you may exercise the following rights:

• Right of access;
• Right to rectification;
• Right to erasure (“right to be forgotten”);
• Right to restriction;
• Right to object;
• Right to data portability;
• Right to withdraw consent (where consent is the legal basis); and
• Right to define post-mortem directives (Swiss law).

How to exercise: privacy@numezis.com
Response time: 1 month (extendable by 2 months in complex cases).
Reasonable identity verification may be required.

We may update this Policy. Material changes will be notified by email or via an in-app banner at least 30 days before they take effect.

Swiss law + Regulation (EU) 2016/679 where applicable.

Competent jurisdiction: courts of the district of Lausanne (Lausanne).