Caprion Labs Caprion Labs
Caprion Labs
DE Contact
Legal

Privacy Policy

Your data and your privacy matter to us. The following sections provide transparent information about how we process your personal data.

1. Privacy Overview

Caprion Labs AG, headquartered in Baar (hereinafter also "Caprion Labs", "we", "us"), collects and processes personal data in the course of its business activities. This includes, in particular, personal data relating to our clients, affiliated persons, counterparties, public authorities, correspondents, visitors to our website, event participants, applicants and other entities or, in each case, their contact persons and employees (hereinafter also "you"). In this Privacy Policy we inform you about these data processing activities. We may additionally inform you separately about the processing of your data, e.g. through consent declarations, contractual terms or specific forms.

If you provide us with data about other persons (e.g. employees, representatives, counterparties or other affiliated persons), we assume that you are authorised to do so, that this data is correct and that – to the extent legally required – you have ensured that those persons have been informed of such disclosure (e.g. by making this Privacy Policy known to them in advance).

Applicable data protection law: We orient ourselves on the revised Swiss Federal Act on Data Protection (revFADP) and – where applicable to us – on the European General Data Protection Regulation (GDPR). Which framework applies in a given case depends on the specific processing activity and the data subject concerned. We collect personal data only where necessary, and process it in a purpose-limited and transparent manner.

2. Data Controller

The controller responsible for the data processing activities described herein within the meaning of Art. 5 lit. j revFADP and Art. 4 No. 7 GDPR is:

Caprion Labs AG
Ruessenstrasse 12
6340 Baar, Zug
Switzerland
Email: info@caprionlabs.ch

Contact person for data protection matters:
Stephan Wernli
Partner | Digital Engineering & Platform Solutions
Email: stephan.wernli@caprionlabs.ch

If you wish to contact us regarding the processing of your personal data or the exercise of your rights (e.g. access, correction, deletion, withdrawal of consent), you can do so directly using the contact details above or via our general contact information (see Legal Notice).

3. Data Protection Advisor and EU Representative

We have not formally appointed a data protection advisor within the meaning of Art. 10 revFADP. For all questions concerning data protection and the exercise of your rights as a data subject, please contact the contact person named in Section 2.

Our services are primarily directed at clients based in Switzerland. Any processing of personal data within the scope of Art. 3(2) GDPR takes place only occasionally, does not involve large-scale processing of special categories of personal data and does not present a high risk to the rights and freedoms of data subjects. We therefore rely on the exemption provided in Art. 27(2) GDPR; no representative in the European Union has been appointed.

4. Sources of Personal Data

We primarily process personal data which we receive from our clients, partners, applicants and other data subjects in the context of our business relationship, or which we collect when operating our website.

From you

Much of the data we process is provided by you yourself (e.g. in the context of a project or otherwise in connection with our services, the use of our website or communication with us). You are not obliged to disclose your data, except in individual cases (e.g. legal obligations). However, if you wish to use our services or otherwise enter into contracts with us, you must provide us with certain data. Use of our website is also not possible without some data processing (e.g. log file collection).

From third parties

We may also obtain data from publicly accessible sources (e.g. debt collection registers, land registers, the commercial register, media or the internet, including social media) or receive it from (i) authorities in Switzerland and abroad, (ii) your employer or principal, where such party has a business relationship with us, and (iii) other third parties (e.g. clients, counterparties, legal expenses insurers, credit reference agencies, associations or contractual partners). This particularly includes data we process in the context of a project or contract performance, as well as data from correspondence with third parties.

5. Purposes of Processing

When you use our services, our website or otherwise interact with us or are involved in a project we are handling for a client, we collect and process various categories of your personal data. We may collect and otherwise process this data, in particular, for the following purposes:

  • Communication: We process personal data so that we can communicate with you and with third parties by email, telephone, mail or otherwise (e.g. to respond to enquiries, in the context of consulting and the initiation and performance of contracts). For this purpose, we process in particular the content of communications, your contact details, communications metadata and any audio or video recordings of (video) calls. Where audio or video recording takes place (e.g. in a video conference), we will inform you separately and you are free to indicate that you do not wish to be recorded, or to end the communication. If we need to verify your identity, we will collect additional data. We may also send our clients, contractual partners and interested persons information about services or company news. You can decline such communications at any time.
  • Initiation and conclusion of contracts: With a view to concluding a contract with you or with your principal or employer, we may collect and process in particular names, contact details, powers of attorney, consent declarations, information about third parties, contract content and any further data which you provide to us or which we collect. We also process this data when you or your principal enters into a contract with us. This also includes the clarification of any conflicts of interest at Caprion Labs.
  • Administration and performance of contracts: We collect and process personal data to comply with our contractual obligations vis-à-vis our clients and other contractual partners (e.g. suppliers, project partners) and in particular to render and enforce contractual services. For this purpose, we process the data we have received during the initiation, conclusion and performance of the contract. This data may include meeting and consultation minutes, notes, correspondence, contract documents, project-related information, documents, performance records, invoices and financial and payment information.
  • Operation of our website: In order to operate our website securely and reliably, we collect the following technical data in server-side log files in particular: the (typically truncated or promptly anonymised) IP address, date and time of access, the resource accessed, the referrer (previously visited page), browser type and version, and information about the operating system and settings of your end device. This data is not analysed for marketing or profiling purposes. We also use locally hosted technologies for consent management.
  • Improvement of our offerings: In order to continuously improve our website and our offerings (e.g. services), we process direct or indirect feedback from you as well as other feedback regarding our services.
  • Registration: In order to use certain services or offerings, you may need to register. For this purpose, we process the data provided during registration.
  • Security and access controls: We collect and process personal data to ensure adequate security of our IT and infrastructure. This includes, for example, the monitoring and control of electronic access to our IT systems as well as system and error checks.
  • Legal compliance: We collect and process personal data to comply with applicable laws (e.g. tax obligations) and our corporate governance. For this purpose, we collect in particular master and transactional data as well as financial data.
  • Risk management and corporate governance: We collect and process personal data in the context of risk management and corporate governance, in particular for our operational organisation (e.g. resource planning) and corporate development.
  • Job applications: If you apply for a position with us, we collect and process the corresponding data for the purpose of reviewing the application, conducting the recruitment process and, where applications are successful, for preparing and concluding an employment contract. In addition to your contact details, we process in particular the data contained in your application materials and, where applicable, data from professional networks. Processing during an existing employment relationship is governed by separate policies.
  • Other purposes: Other purposes include, for example, training and education, administrative purposes (e.g. accounting) as well as the organisation, conduct and follow-up of business events. The protection of further legitimate interests is also among these purposes, which cannot be exhaustively listed.

6. To Whom Do We Disclose Your Data?

In connection with the purposes set out in Section 5, we transfer your personal data in particular to the categories of recipients listed below. Where required, we obtain your consent or rely on other permitted legal bases.

  • Service providers: We work with service providers in Switzerland and abroad which process personal data on our behalf, in joint responsibility with us, or under their own responsibility. These service providers in particular include IT and cloud providers as well as further business partners (e.g. banks, insurers, other consultancies). A specific list of our key IT service providers, including their location and the legal basis for any cross-border transfer, can be found in Section 7. We generally enter into a data processing agreement (DPA) with our processors, which contractually governs the handling of personal data and the level of protection.
  • Clients and other contractual partners: This refers in the first place to clients and contractual partners of ours, where transfer of your data results from the project or contract (e.g. because you work for a contractual partner or that party provides services for you). This category of recipients also includes parties with whom we cooperate, such as project partners in Switzerland and abroad. The recipients generally process the data under their own responsibility, in some cases jointly with us.
  • Authorities and courts: We may pass on personal data to public bodies, courts and other authorities in Switzerland and abroad where this is necessary for the performance of our contractual obligations, in particular for project execution, where we are entitled or legally obliged to do so or where this appears necessary to safeguard our interests or those of our clients or third parties. These recipients process the data under their own responsibility.
  • Counterparties and persons involved: Where this is necessary or appears appropriate for the performance of our contractual obligations – in particular in a project context – we also pass on your personal data to persons involved (e.g. affiliated companies, project participants, subject-matter experts, witnesses).
  • Other persons: This refers to other cases where the involvement of third parties results from the purposes set out in Section 5. This concerns, for example, recipients of deliveries or payments designated by you, third parties in the context of representation relationships (e.g. your lawyer or your bank) or persons involved in administrative proceedings. We may also forward your personal data to competent supervisory authorities. If we cooperate with media outlets and provide them with material, this may also affect you. In the context of corporate development, we may sell or acquire businesses, parts of operations or companies, or enter into partnerships, which may also entail the disclosure of data (also concerning you, e.g. as a client or supplier or representative thereof) to the persons involved in such transactions. Data exchanges may also occur in the context of communication with our competitors, industry organisations, associations, market observers and other bodies.

All of these categories of recipients may in turn engage third parties, so that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks etc.).

We allow certain third parties to collect personal data from you on our website and at our events, in their own responsibility (e.g. media photographers, providers of tools we have integrated on our website, etc.). To the extent we are not decisively involved in such collections, those third parties are solely responsible for them.

7. International Data Transfers

We process and store personal data primarily in Switzerland and – where necessary – within the European Economic Area (EEA). Where a recipient is located in a third country without an adequate level of statutory data protection, we contractually require it to maintain an adequate level of data protection. For this purpose we typically use the Standard Contractual Clauses (SCCs) of the European Commission, including the supplements required for Switzerland, or rely on certified safeguards such as the Swiss-US Data Privacy Framework.

Below we list our key IT service providers, their location and the legal basis for any cross-border transfer:

Recipient Location / Processing Region Role Legal Basis for Transfer
Infomaniak Network SA Switzerland Website hosting (processor) Processing within Switzerland; no transfer to a third country.
Odoo S.A. Belgium (EU) ERP and business applications (processor) Processing within the EU; transfer based on the mutual adequacy decision between Switzerland and the EU and a data processing agreement (DPA).
Microsoft Corporation / Microsoft Ireland Operations Ltd. Primarily Switzerland (Microsoft 365 tenant "Switzerland"); residual access (support, telemetry, sub-processors) also in the USA and EU/EFTA Microsoft 365: Exchange Online, Microsoft Teams, SharePoint Online, OneDrive for Business (processor) Microsoft Products and Services Data Protection Addendum (DPA) including EU Standard Contractual Clauses and Swiss supplements; Microsoft Corporation is additionally certified under the Swiss-US Data Privacy Framework.

The service providers listed above may in turn engage sub-processors which may operate in further countries. We require our service providers to engage sub-processors only under equivalent contractual safeguards.

In individual cases, we may disclose personal data to a third country without an adequate level of data protection without entering into a separate contract, where we can rely on a statutory exemption (e.g. legal proceedings abroad, performance of a contract in your interest, your express consent, or to safeguard overriding public interests).

8. Cookies, Tracking and Social Media

Website and cookies: We respect your digital privacy. We do not use any tracking or analytics cookies on our website (such as Google Analytics). We also embed web fonts locally so that no data is transmitted to Google Fonts. To manage your privacy settings (cookie banner) we use the locally hosted "Vanilla CookieConsent" tool.

Our website sets exclusively the following strictly necessary cookie:

Name Provider Purpose Duration
cc_cookie Caprion Labs AG (first-party, locally hosted) Stores the cookie preferences you have set so that the banner is not displayed again on every visit. up to 6 months

Social media presences: We operate our own online presences on social networks, in particular a company page on LinkedIn. In doing so we receive data from you (e.g. when you communicate with us) and in aggregated form from the platform itself (e.g. page and post statistics via "Page Insights"). The platform operators may further analyse your use and process such data under their own responsibility for their own purposes (e.g. marketing, market research).

Joint controllership with LinkedIn: For the processing of personal data in the context of the "Page Insights" statistics relating to our LinkedIn company page, we are jointly responsible with LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2, Ireland) within the meaning of Art. 26 GDPR. The allocation of responsibilities is governed by the Page Insights Joint Controller Addendum made available by LinkedIn; under that addendum, LinkedIn assumes primary responsibility for fulfilling data subject rights. You can exercise your rights both vis-à-vis us and directly vis-à-vis LinkedIn. Further information on data processing by LinkedIn can be found in the LinkedIn Privacy Policy and, specifically regarding Page Insights, in the corresponding information on Page Insights.

9. Newsletter and Direct Marketing

We do not operate a classic newsletter with a public sign-up form. In individual cases we send our clients, contractual partners and persons who have actively contacted us information about our services, events or company news ("communications"). Such communications are sent either based on your express consent or based on our legitimate interest in maintaining existing business relationships (see Section 10).

Should we introduce a newsletter with a sign-up form in the future, we will use the double opt-in procedure: you will receive a verification email to confirm your sign-up, and your address will only be added to the distribution list once confirmed.

Unsubscribe at any time: You may object to the use of your address for such communications at any time and without giving reasons. An informal message to info@caprionlabs.ch is sufficient, or – where included in the relevant message – a click on the unsubscribe link. You will not incur any costs beyond the basic transmission costs.

10. Legal Bases for Processing

To the extent the European General Data Protection Regulation (GDPR) is applicable to us in a given case, we base the processing of your personal data in particular on the following grounds:

  • processing is necessary for the initiation, conclusion and performance of contracts (Art. 6(1)(b) GDPR);
  • processing is necessary for the purposes of our legitimate interests or those of third parties (Art. 6(1)(f) GDPR), in particular for communication, the secure operation of our website, corporate management, IT security and the further development of our services;
  • processing is required by law (Art. 6(1)(c) GDPR);
  • you have separately consented to the processing (Art. 6(1)(a) GDPR).

11. Retention Period

We process and store your data, in principle, for as long as our processing purposes (see Section 5), statutory retention requirements and our legitimate interests (in particular for documentation and evidentiary purposes) so require, or where storage is technically conditioned (e.g. IT backups). Unless legal or contractual obligations require otherwise, we delete or anonymise your data after expiry of the relevant retention period as part of our routine procedures.

By way of example, we typically retain contract and business records for 10 years after the end of the financial year or after termination of the contract (statutory retention obligation under Art. 958f of the Swiss Code of Obligations), and application materials from unsuccessful applications typically for around 6 months after the end of the recruitment process, unless you have agreed to a longer retention period.

12. Data Security

We take appropriate technical and organisational security measures (e.g. TLS/SSL encryption on our website, access restrictions, backups) to protect your personal data against unauthorised access, loss, misuse or alteration.

13. Profiling and Automated Individual Decisions

We do not use any procedures that result in a solely automated individual decision within the meaning of Art. 21 revFADP or Art. 22 GDPR – that is, automated decisions which produce legal effects concerning you or which similarly significantly affect you. High-risk profiling within the meaning of Art. 5 lit. g revFADP also does not take place.

Should we adopt such procedures in the future, we will inform you separately in advance and grant you the rights available under the applicable law (e.g. the right to human review of the decision, the right to be heard and the right to express your point of view).

14. Your Rights

In connection with our data processing, you have certain rights under the applicable law. In particular, you may request information about the processing, have inaccurate data corrected, request the deletion of data, object to processing (in particular for direct marketing purposes), request the release or transfer of certain personal data, or withdraw any consent given.

If you wish to exercise your rights vis-à-vis us, please contact the address set out in Section 2. As a rule, a request via an email address known to us or via other existing communication channels is sufficient. Where reasonable doubts exist as to your identity (e.g. for requests from addresses not known to us or where there are indications of potential misuse), we may, applying the principle of proportionality, request additional information or evidence necessary for identification. We only request a copy of your ID where reliable identification is not otherwise possible.

Please note that conditions, exceptions or restrictions may apply to these rights (e.g. to protect third parties, business secrets or to comply with statutory retention obligations).

If you disagree with our handling of data protection, you also have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, 3003 Bern. Where the GDPR applies, you may also turn to the competent data protection supervisory authority in the EEA.

15. Changes to this Privacy Policy

This Privacy Policy is not part of any contract with you. We may amend this Privacy Policy at any time and without prior notice. The version published on this website is always the current version.

Last updated: 10 May 2026