
Privacy and Data Protection Notice

 

1. Who we are

The controller for the processing described in this Privacy Notice is: Proy.AI c/o CorePiece GmbH, Am Stadtrand 56, 8600 Dubendorf, Switzerland.

Email: privacy@proy.ai
Website: https://proy.ai
Privacy contact: Manuel Merki

 

2. What this Privacy Notice is about

We process personal data when you visit our website, communicate with us, use or inquire about our services, request a demo, subscribe to marketing communications, apply for a job, or when data is processed in connection with the use of our software and integrations.

This Privacy Notice describes our role as controller for our own processing activities. Where we process personal data on behalf of our customers within our software and services, this is additionally governed by the relevant customer agreements and data processing agreements.

 

3. What personal data we process

We may process master and contact data, contract and relationship data, usage and product data, technical data, communication data, marketing and CRM data, and applicant data.

Special categories of personal data are not required and are not intended for our standard services. If such data is exceptionally processed, this will only take place based on a separate agreement and with additional safeguards.

 

4. Where the data comes from

We usually receive personal data directly from you, from your employer or team, from our customers, from integrations activated by you or our customers, from the use of our website and services, or from publicly available sources where permitted by law.

 

5. Why we process your data

We may process your personal data to prepare, conclude, perform, and administer contracts; provide, operate, maintain, troubleshoot, and improve our website, software, and services; handle inquiries, demos, sales conversations, support requests, and customer communications; carry out security, abuse prevention, stability, and performance measures; analyze service usage for product improvement, quality assurance, and usability; conduct marketing and communications where legally permitted; process job applications; and comply with legal obligations or protect legal rights.

Where we use data for our own purposes, this is limited to security, abuse prevention, troubleshooting, performance, compliance, and service improvement in aggregated, de-identified, pseudonymized, or otherwise minimized form.

We do not use customer content or personal data to train general-purpose AI models, whether our own or those of third-party providers. We do not reuse identifiable customer content, personal data, or confidential project information across customers.

 

6. Legal basis for processing

Where the GDPR applies, we process personal data where necessary for a contract, pre-contractual steps, legal obligations, consent, or legitimate interests.

Where the Swiss FADP applies, processing is carried out in good faith, proportionately, and for a recognizable purpose.

 

7. With whom we share data

We may disclose personal data to hosting, infrastructure, and database providers; CRM, marketing, and analytics providers; communication, support, and productivity providers; AI providers and integration services where needed; advisors, auditors, legal counsel, insurers, and authorities; and group companies where applicable.

A current overview of key subprocessors and service providers is available in our Subprocessor Register or can be provided on request.

 

8. Providers we use

Vercel for frontend hosting and stateless functions.

Railway for backend hosting and database infrastructure.

GitHub for code repository and CI/CD.

HubSpot for CRM, marketing, and sales processes.

PostHog for product analytics.

OpenAI, Anthropic, Azure OpenAI, Google Gemini, and others for AI inference depending on configuration.

MCPs and integrations only where activated by the customer or enabled by us.

 

9. International data transfers

We primarily process or transfer personal data in Switzerland and the EEA or EU. Depending on provider, configuration, and customer setup, processing or disclosure may also take place in other countries.

Where required, we rely on appropriate safeguards such as standard contractual clauses or another legally permitted basis.

Recipient countries or regions may include Switzerland, Germany, the Netherlands, other EEA countries, and where applicable the United States.

 

10. AI-specific information

If you or our customers use AI features, inputs, files, project information, and comparable content may be transmitted to the relevant AI provider where necessary to provide the requested functionality.

For production personal data, we aim for European or Swiss processing where technically and contractually available.

Where possible, we configure AI providers so that customer content is excluded from training of general-purpose models.

 

11. Website, cookies, and analytics

Our website uses technically necessary cookies and similar technologies where required for operation, security, and delivery.

Where we use analytics or marketing tools, we provide information in this Privacy Notice, in our consent banner, or in a separate notice interface. For non-essential technologies, we obtain consent where required by law.

For product analytics, we typically use PostHog. Where possible, we use pseudonymized identifiers and avoid directly identifying free-text content.

 

12. How long we keep data

We keep personal data for as long as necessary for the relevant purpose, legal retention obligations, legal enforcement, or legitimate documentation and security interests. After that, we delete or anonymize the data.

 

13. How we protect data

We implement appropriate technical and organizational measures to ensure confidentiality, integrity, availability, and traceability of processing. These include role-based access controls, need-to-know and least-privilege principles, authentication, encryption, logging, patch and vulnerability management, backups, and incident handling procedures.

Access by employees or authorized contractors to customer-related data is limited, logged, subject to confidentiality obligations, and only permitted where necessary.

 

14. Your rights

Subject to applicable law, you may have rights of access, correction, deletion, restriction, objection, withdrawal of consent, data portability, and complaint to a competent supervisory authority.

In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner.

 

15. Changes to this Privacy Notice

We may update this Privacy Notice at any time. The version published on our website at the relevant time applies.

Version / last updated: April 10, 2026