Privacy Policy
Last updated: April 22, 2026
This privacy policy informs you about the personal data that Swiss Knowledge Hub GmbH ("we", "the provider") collects when you use the marketing website (swissknowledgehub.ch) and the Swiss Knowledge Hub platform ("SKH", "the platform"), the purposes and legal basis on which we process it, and the rights you have as a data subject.
We process your data in accordance with the Swiss Federal Act on Data Protection (FADP) and — where applicable — the EU General Data Protection Regulation (GDPR).
1. Data controller
Swiss Knowledge Hub GmbH
Könizstrasse 161, 3097 Liebefeld
CHE-219.860.750
Email: hurni@swissknowledgehub.ch
2. Data we process
2.1 When you visit the website
- Technical connection data (IP address, browser type, operating system)
- Page views, time on page, referrer
- Cookies subject to your consent (see the "Cookies" section)
2.2 When you use the platform
- Registration data (name, email, password hash, organization)
- Uploaded documents and the vector embeddings derived from them
- Chat queries and AI responses
- Usage and billing data (token consumption, storage usage)
- Audit log of access events and queries
2.3 Sensitive fields
Fields that contain personal data (e.g. name, email address) are additionally stored with field-level encryption (prisma-field-encryption with @47ng/cloak).
3. Purposes and legal bases
- Providing the platform and performing the contract (Art. 31(2)(a) FADP, Art. 6(1)(b) GDPR)
- Billing and invoicing (legal obligations, Art. 31(2)(c) FADP, Art. 6(1)(c) GDPR)
- Operating the service, abuse detection, and error analysis (legitimate interest, Art. 31(1) FADP, Art. 6(1)(f) GDPR)
- Communication with prospective customers (consent or pre-contractual measures, Art. 31(1) FADP, Art. 6(1)(a)/(b) GDPR)
4. Subprocessors
We use selected subprocessors to deliver the platform. We make a current list — including location, purpose, and the legal basis for international data transfers — available on request and as a binding annex to our DPA (Data Processing Agreement).
4.1 Infrastructure and operations
- Microsoft Azure (Switzerland North, CH) — hosting of the platform, database, pgvector vector store, Service Bus
- Hostinger (DE) — hosting of this marketing website
- Azure Video Indexer (Switzerland North, CH) — transcription of audio and video files
4.2 LLM providers (depending on the chosen configuration)
Customers choose, per organization, which language model is used. The default runs in Switzerland and is provided by us as a subprocessor under our DPA.
- Azure OpenAI (Switzerland North, CH): default; processing inside Switzerland under our DPA.
BYOK (Bring Your Own Key). If a customer organization optionally enables its own key for an external LLM provider, the corresponding requests are sent directly to that provider's infrastructure. In this setup, the external provider is not a subprocessor of ours but an independent data processor of the customer organization. Concluding the required agreements (DPA, EU Standard Contractual Clauses, any additional safeguards required under the FADP/GDPR) with the chosen provider is the sole responsibility of the customer organization. We merely provide the technical interface and record the activation in an auditable manner. If the customer organization fails to meet these obligations, the use is at its own risk.
- OpenAI, Inc. (USA): BYOK, contractual partner of the customer organization
- Anthropic PBC (USA): BYOK, contractual partner of the customer organization
- Google LLC (Gemini API) (USA/EU): BYOK, contractual partner of the customer organization
- Mistral AI SAS (France): BYOK, contractual partner of the customer organization
- DeepSeek, Azure DeepSeek, AI Foundry, custom endpoints: depending on the configuration chosen by the customer; contractual partner of the customer organization
No training use by default. In the standard Swiss setup, all inference runs through enterprise API tiers that contractually exclude the use of submitted content for training. Under BYOK, training use, retention, and location depend solely on the terms the customer organization has agreed with the chosen provider.
4.3 Other service providers
- Stripe Payments Europe Ltd. (IE) — billing and payment processing
- Datadog, Inc. (USA/EU) — observability and error monitoring (anonymized, without document content)
5. International data transfers
In the default configuration, your documents and AI requests do not leave Switzerland; the data transfer takes place within the Azure Switzerland North region and is covered by our DPA.
For BYOK configurations with providers outside Switzerland or the EU, the platform sends requests directly to the infrastructure chosen by the customer. The legal basis for this cross-border transfer — in particular concluding the EU Standard Contractual Clauses (Module 2), a Transfer Impact Assessment, and any supplementary safeguards — is established exclusively between the customer organization and the chosen provider. We are not a party to those agreements. Activating a BYOK configuration is the decision of an authorized signatory of the customer organization, is logged in an auditable manner, and is at the customer's own risk where the required agreements and safeguards have not been put in place.
6. Retention periods
- Account and billing data: until the end of the statutory retention period (10 years for financial documents under the Swiss Code of Obligations)
- Content and vector data: until deletion by the customer or 30 days after the end of the contract (deletion by default)
- Server and audit logs: 90 days, then automatic deletion or anonymization
- Contact inquiries: 24 months after the last contact
7. Cookies and tracking
This website sets strictly necessary cookies (session, language, theme) without consent. Analytics and marketing cookies are activated only after your explicit consent via our consent banner. Consent can be withdrawn at any time in the cookie settings.
8. Automated decisions
The platform generates AI responses as an aid; we do not make automated individual decisions with legal effect or similarly significant impact within the meaning of Art. 21 FADP or Art. 22 GDPR. Output from SKH should always be validated by a human.
9. Your rights
As a data subject, you have the right to:
- Access the data we process about you
- Rectification of inaccurate data
- Deletion, unless statutory retention obligations apply
- Restriction of processing
- Data portability (GDPR)
- Withdraw any consent given
- Object to processing based on legitimate interests
- Lodge a complaint with the competent supervisory authority (Switzerland: FDPIC, edoeb.admin.ch)
To exercise your rights, please contact hurni@swissknowledgehub.ch.
10. Security
We use TLS 1.3 in transit, encryption at rest, and field-level encryption for personal data. Access events are logged in an auditable manner. Employees are bound by confidentiality.
11. Changes to this policy
We update this privacy policy when legal or technical conditions change. The current version is always available on this page.