yeos - Privacy Policy
Controller
The controller within the meaning of the Swiss Federal Act on Data Protection (FADP) is:
Cellconsult GmbHMeierhofrain 11
8820 Waedenswil
Switzerland
For privacy inquiries:
info@yeos.ai
Scope
This privacy policy describes how personal data is collected, processed, and managed in connection with the use of our services. It explains the purposes for which personal data is processed, the legal basis for such processing, and how we ensure the protection and confidentiality of your data. This policy applies to all interactions involving personal data and is intended to ensure transparency and compliance with applicable data protection law. Examples include:
- Use of the yeos SaaS platform
- Access to the website
- Customer accounts
- Billing and subscription management
- System monitoring and quality assurance
Customer data uploaded to the SaaS product remains under the responsibility of the respective customer as controller.
Roles under data protection law
With regard to customer data, the following applies:
- The customer acts as controller.
- The provider acts as processor within the meaning of the Swiss Federal Act on Data Protection (FADP).
The provider processes customer data exclusively:
- for the purpose of providing the cloud service
- in accordance with the contract
- based on the documented instructions of the customer
Legal basis for processing
Personal data is processed on the following legal grounds:
- Performance of a contract
- Compliance with legal obligations
- Legitimate interests of the provider, in particular:
- system security
- fraud prevention
- service stability
- quality assurance
Hosting and data location
Primary hosting and storage of customer data take place in data centers physically located in Switzerland.
The provider:
- does not combine data from different customers
- does not enrich customer data with external sources
- does not access public internet sources in connection with customer data unless this has been explicitly agreed
Categories of personal data processed
Account and registration data
- Name
- Email address
- Company name
- Login credentials
Customer data (uploaded documents)
- Documents uploaded by the customer
- Content of those documents
The provider does not control or verify the factual accuracy of uploaded documents.
Technical data and log data
- IP address
- Access timestamps
- System logs
- Device and browser information
This data is processed for operational security and system stability. Log data is retained for a limited period required for security monitoring and system integrity, generally no longer than 90 days, unless longer retention is required to investigate incidents.
Billing data
Payment processing is handled by Stripe.
Stripe may process the following data:
- Name
- Billing address
- Email address
- Payment information
Stripe acts as an independent controller and processes data in accordance with its own privacy policy available at https://stripe.com/privacy.
Purpose of processing
Personal data is processed for:
- providing the SaaS platform
- document retrieval and structured information extraction
- user authentication
- system security and fraud prevention
- billing and subscription management
- system monitoring and quality assurance
- compliance with legal obligations
Important guarantee
No use of customer data for model training
The provider will not:
- use customer data to train machine learning models
- fine-tune AI systems using customer data
- derive general knowledge applicable to other customers
- combine customer data from different customers
Customer data is used exclusively for the respective customer's processing session.
Sub-processors and third-party providers
The provider engages carefully selected third-party providers to support the cloud service.
Hosting provider
Infrastructure provider based in Switzerland. Hosting is provided by Infomaniak Network SA, Switzerland.
Payment processing
Stripe, Inc. (and affiliated companies).
The provider remains responsible for the selection and supervision of its sub-processors.
International data transfers
Certain service providers, including the payment processor Stripe, may process personal data outside Switzerland, including in the United States.
These countries may not offer a level of data protection equivalent to Swiss law. Where personal data is transferred to countries without an adequate level of protection, appropriate safeguards are implemented, such as standard contractual clauses or equivalent contractual protections.
Technical and organizational measures
The provider takes appropriate technical and organizational measures to protect personal data against:
- unauthorized access
- alteration
- loss
- disclosure
Security measures are aligned with Swiss data protection law and recognized industry standards. Further details may be provided on justified request.
Data retention
Customer data:
- remains accessible during the contractual term
- may be exported within 30 days after contract termination
After the export period expires, customer data is irreversibly deleted from production systems and backups unless mandatory Swiss legal retention obligations require longer storage.
Technical log data is retained only as long as required for operational and security purposes.
Automated decision-making
The SaaS product does not constitute an automated decision-making system within the meaning of applicable data protection law.
Outputs generated by the system are provided for information purposes only. The customer remains solely responsible for reviewing and verifying all outputs before relying on them.
Rights of data subjects
Under Swiss law, data subjects have the right to:
- access
- rectification
- erasure
- restriction of processing
- data portability, where applicable
Requests concerning uploaded customer data must be addressed to the respective customer as controller. Requests concerning account data may be directed to the provider.
Data subjects also have the right to lodge a complaint with the competent Swiss data protection authority, the FDPIC.
Website data
Technical website logging
When individuals access the website, certain technical information, including their IP address and the time of access, is recorded. This logging serves website security and the maintenance of system integrity. Collecting this data helps protect against unauthorized access and supports the reliable operation of website services.
Corporate restructuring and transfer
The provider may transfer all or part of the yeos business operations, including related assets, intellectual property, customer contracts, and data processing activities, to a newly established or existing affiliated company, including but not limited to a future yeos AG.
In the event of such a transfer:
- the acquiring entity assumes the role of controller and/or processor, as applicable,
- all contractual and data protection obligations remain unchanged,
- the purposes of processing remain materially unchanged,
- customers will be informed appropriately about the transfer.
Such a transfer constitutes a legitimate corporate restructuring and does not require renewed consent from data subjects provided that the level of protection and the purposes of processing remain unchanged.
Changes to this privacy policy
The provider may update this privacy policy from time to time. The current version is always available on the website.
Waedenswil, 2025-02-17