Privacy and Data Protection Notice
Valid from 15.8.2025
1. Scope and Status
1.1 This Privacy and Data Protection Notice (“Notice”) governs all processing of information that directly or indirectly identifies, or could reasonably identify, a natural person (“Personal Data”) by ProyAI (“Company,” “we,” “us”).
1.2 This Notice applies to any interaction with our websites, applications, APIs, offline communication channels, and all commercial relationships operated, offered, or maintained by the Company (“Service”).
1.3 Where the EU General Data Protection Regulation (“GDPR”), the revised Swiss Federal Act on Data Protection (“revFADP”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), or any other mandatory law applies, we act as the “controller” (or equivalent legal term) where we determine the purposes and means of processing.
1.4 The binding language of this Notice is English. Any translations are for convenience only. In the event of discrepancies, the English version prevails.
2. Principles
We process Personal Data in compliance with the following principles:
2.1 Lawfulness, fairness, transparency: All processing is based on a valid legal ground and is conducted transparently.
2.2 Purpose limitation: Processing occurs solely for specified, explicit, and legitimate purposes.
2.3 Data minimisation: We collect only the data necessary for those purposes.
2.4 Accuracy: We take reasonable steps to keep data accurate and up to date.
2.5 Storage limitation: Personal Data is retained only as long as necessary for the stated purposes or legal requirements.
2.6 Integrity and confidentiality: We implement appropriate technical and organisational measures (“TOMs”) to protect data.
2.7 Accountability: We maintain records of processing activities, ensure processor compliance, and carry out Data Protection Impact Assessments where required.
3. Categories of Personal Data
3.1 Identification data: Name, username, postal address, telephone number, email, and government-issued identifiers (where AML/KYC obligations apply).
3.2 Electronic identifiers: IP addresses, device IDs, browser fingerprints, session tokens, logs, telemetry, and analytics metadata.
3.3 Account and billing data: Login credentials, two-factor authentication data, payment tokens, VAT numbers, transaction history, and invoices.
3.4 User-provided content: Text prompts, files, code, feedback, and support communications.
3.5 Generated output: Model responses, embeddings, and usage statistics, which may contain Personal Data.
3.6 Special category data: Processed only if explicitly provided by the user and solely for the intended purpose. Not required for Service use.
3.7 Recruitment/vendor onboarding data: CVs, references, and background check information.
3.8 Legal compliance records: AML/KYC verification results, sanctions screening, and audit logs.
4. Sources
4.1 Directly from data subjects through Service interactions or offline correspondence.
4.2 Automatically from devices accessing our Service.
4.3 From third parties such as payment processors, identity verification providers, marketing list suppliers, public registers, and sanctions lists.
4.4 Generated internally through analytics, algorithmic processing, and data aggregation.
5. Purposes and Legal Bases
We process Personal Data for the following purposes and on the following legal bases:
We process Personal Data for account registration and authentication on the basis of Art. 6(1)(b) GDPR and Art. 31 revFADP (performance of a contract), as this is necessary for fulfilling our Terms of Service.
We process Personal Data for service operation, including model inference and delivery of outputs, on the basis of contract performance.
We process Personal Data for payment processing and fraud prevention on the basis of contract performance and Art. 6(1)(f) GDPR (our legitimate interest in ensuring secure and efficient monetisation and maintaining platform integrity).
We process Personal Data for service maintenance, debugging, and detection of security incidents on the basis of our legitimate interest in ensuring network and information security, as recognised in Recital 49 GDPR.
We process Personal Data for usage analytics, product improvement, and model training on the basis of our legitimate interest in optimising and developing our products, or, where legally required, on the basis of your consent.
We process Personal Data for regulatory compliance, including tax, anti-money laundering (AML), and sanctions checks, on the basis of Art. 6(1)(c) GDPR (compliance with a legal obligation), which covers Swiss, EU, and other applicable laws.
We process Personal Data for business-to-business marketing communications on the basis of our legitimate interest in expanding our business, subject to a right to opt out at any time.
We process Personal Data for recruitment and vendor onboarding on the basis of contract performance, legal obligations, or our legitimate interests in effective talent and supplier management.
Where none of the above legal bases apply and processing is not otherwise permitted by law, we rely on your consent pursuant to Art. 6(1)(a) GDPR and Art. 6 revFADP. You may withdraw your consent at any time, and withdrawal is as easy as the provision of consent.
6. Automated Decision-Making
6.1 We use machine learning models to generate or rank content.
6.2 We do not make solely automated decisions that have legal or similarly significant effects without meaningful human review.
6.3 You may request human intervention, express your views, and contest such decisions.
7. Data Retention
7.1 Operational logs: up to 12 months.
7.2 Account data: duration of account existence plus 3 years for statutory limitation compliance.
7.3 Financial records: 10 years as required by the Swiss Code of Obligations.
7.4 Training and analytics datasets: stored only in pseudonymised or anonymised form; indefinite retention if irreversibly anonymised.
7.5 Upon expiry, data is securely deleted or anonymised, subject to backup overwrite cycles of no more than 35 days.
8. Recipients and International Transfers
8.1 Processors: Infrastructure, payment, communication, analytics, and support providers under written agreements incorporating EU Standard Contractual Clauses (SCC 2021/914) and Swiss/UK addenda as applicable.
8.2 Affiliates: Data shared under intra-group transfer agreements using SCCs.
8.3 Authorities: Disclosure where legally required or to enforce our rights.
8.4 Business transfers: Data may be disclosed in mergers or acquisitions, subject to confidentiality and this Notice.
8.5 Processing locations: Switzerland, EEA, UK, USA, and other countries with adequacy decisions under Art. 45 GDPR or safeguards under Art. 46 GDPR, with Transfer Impact Assessments where required.
9. Security Measures
9.1 Security governance aligned with ISO 27001.
9.2 Encryption in transit (TLS 1.3) and at rest (AES-256).
9.3 Role-based access controls with multi-factor authentication for administrators.
9.4 Ongoing vulnerability management, annual penetration testing, and bug bounty participation.
9.5 Vendor security assessments and binding DPAs.
9.6 Incident response procedures with 72-hour notification to authorities per Art. 33 GDPR.
10. Data Subject Rights
10.1 Rights under applicable law: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable.
10.2 To exercise rights, contact support@proy.ai or our postal address. We require identity verification and respond within one month (extendable by two months for complexity).
10.3 You may lodge complaints with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or a competent EU supervisory authority.
10.4 California residents have rights under the CCPA to access, delete, correct, and opt-out of “sale/share” of data without discrimination.
11. Children
We do not knowingly process Personal Data of individuals under 18. If such data is provided, contact privacy@proy.ai for prompt deletion.
12. Cookies and Similar Technologies
We use only strictly necessary cookies for essential functions. Analytics cookies are deployed under legitimate interest or consent where legally required. Browser settings can be used to refuse cookies. We currently do not use cookies.
13. External Links
External sites are outside our control, and we disclaim liability for their privacy practices. Accessing third-party domains is at your own risk.
14. Liability Allocation
14.1 We apply commercially reasonable safeguards to processing activities.
14.2 To the maximum extent permitted by law, we disclaim liability for any unauthorised access, loss, or alteration of Personal Data, regardless of cause.
14.3 Our total aggregate liability is limited to CHF 100 or the amount you paid to us in the preceding 12 months, whichever is greater.
14.4 We exclude liability for indirect or consequential damages, lost profits, or goodwill, except where liability cannot be excluded by law.
14.5 This clause does not limit liability for gross negligence causing death or personal injury, or other non-excludable statutory liabilities.
15. Indemnification
You agree to indemnify and hold harmless the Company and its affiliates against claims, damages, and expenses (including reasonable legal fees) resulting from your breach of this Notice, unlawful provision of Personal Data, or misrepresentation of your authority to share data.
16. Notice of Changes
We may amend this Notice at any time. Updated versions are posted at proy.ai/privacy with a revised “Effective Date.” Continued use of the Service constitutes acceptance.
17. Relationship to Other Documents
This Notice supplements our Terms of Service and any applicable Data Processing Agreement (“DPA”). In case of conflict, the document providing higher data protection prevails unless explicitly agreed otherwise in writing.
18. Contact
Data Protection Officer: support@proy.ai
Legal address: ProyAI, c/o Manuel Merki, Ormisstrasse 118, 8706 Meilen
