Effective: 01.09.2025

This Privacy Policy supersedes all prior Phoenix privacy statements.

Introduction

Phoenix Technologies AG ("Phoenix", "we", "our") is committed to protecting the privacy of its customers, users, and website visitors. This Privacy Policy explains how we collect, use, and protect personal data in connection with our Services. It must be read together with our Terms of Service ("ToS") and Data Processing Agreement ("DPA"), which govern the legal framework and data protection commitments. To avoid duplication or conflict, this Privacy Policy cross‑references those documents.

1. Scope

This Privacy Policy applies to personal data processed by Phoenix when providing our Services (IaaS, PaaS, SaaS, including AI model services), when you interact with our websites, and when we communicate with you. It does not cover third‑party services or integrations (see ToS Section 1.6).

2. Information We Collect

The categories of personal data processed depend on your use of the Services and may include identifiers (e.g., name, business email), account and usage data, support interactions, prompts/inputs, and model outputs where these relate to an identifiable person. Full details are described in DPA Section 2 and Annex A.

3. How We Use Personal Data

We use personal data only as necessary to provide, secure, and support the Services, as further described in ToS Section 6 and DPA Section 1. We do not use Customer Content, including personal data, to train or fine‑tune models unless expressly agreed in a Sub‑Annex to the DPA (see DPA Section 3.2).

4. Legal Bases for Processing

We process personal data on the basis of: (a) contractual necessity (providing the Services under the ToS); (b) compliance with legal obligations (e.g., tax, accounting, security reporting); and (c) legitimate interests such as improving security and providing support, balanced against your rights. Where consent is required, we will obtain it explicitly.

5. Sharing of Data

Phoenix does not sell or rent personal data. We may share personal data only: (a) with authorised sub‑processors bound by contractual safeguards (see DPA Section 6 and Annex C); (b) with professional advisors or auditors bound by confidentiality; or (c) where required by law. Phoenix remains responsible for sub‑processors as set out in the DPA.

6. International Data Transfers

All processing of personal data occurs in Switzerland by default. Phoenix does not transfer customer personal data outside Switzerland, unless expressly agreed in writing and subject to equivalent safeguards (see DPA Section 10).

7. Data Retention

Phoenix adheres to documented retention and disposal schedules consistent with legal, regulatory, and business requirements (see DPA Section 7). We do not unilaterally erase customer data. Upon request or termination, personal data may be returned or securely erased, subject to applicable law.

8. Security

Phoenix maintains an ISO 27001‑aligned Information Security Management System and employs technical and organisational measures, including encryption, access controls, logging, and confidential computing options (see ToS Section 10 and DPA Section 5). These measures protect data in transit, at rest, and in use.

9. Your Rights

Under applicable laws (nFADP, GDPR), you have rights to access, correct, erase, or restrict processing of your personal data, and to data portability. Requests should be directed to your employer or service provider (the Customer), who controls the data. Phoenix supports Customers in responding to these requests (see DPA Section 8).

10. Cookies and Website Data

Our websites use cookies and similar technologies for functionality, analytics, and security. You can control cookies through your browser settings. For more details, see our cookie notice (if applicable).

11. Children’s Data

The Services are intended for business and professional users. We do not knowingly collect personal data from individuals under 18 years of age (see ToS Section 2.1).

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the portal or by email, consistent with ToS Section 14. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

If you have questions about this Privacy Policy, please contact: legal@phoenix-technologies.ch. Customers may also contact their designated Data Protection Officer as listed in DPA Annex D.