Privacy Policy

We collect the following categories of personal data:

2.1 Account Information

• Name: Your full name provided during registration
• Email address: Used for account creation, authentication, and communication

2.2 Payment Information

For paid subscriptions, payment data (credit card information) is collected and processed directly by our payment processor, Stripe. We do not store your complete payment card details on our servers. We only receive confirmation of successful payments and basic transaction information from Stripe.

2.3 Service Data

When using Custal, Organizations and their End Clients may input data into the platform, including:

• Names and email addresses of End Clients (entered by Organizations)
• Messages exchanged through the secure messaging feature
• Documents uploaded to the platform
• Project information and tracking data

2.4 Technical Data

We collect basic technical information necessary for the operation of the Service, such as IP addresses and access logs, for security and troubleshooting purposes.

We process your personal data for the following purposes:

3.1 Providing the Service

• Creating and managing your account
• Authenticating your access to the platform
• Enabling the features of the Service (messaging, document sharing, project tracking)
• Processing payments for paid subscriptions

3.2 Communication

• Responding to your support requests
• Sending service-related notifications (e.g., billing, security alerts)
• Informing you of important changes to our Service or Terms

3.3 Service Improvement

We may use anonymized and aggregated data to analyze usage patterns and improve our products and services. This data cannot be used to identify you personally.

3.4 Legal Compliance

We may process data to comply with legal obligations, respond to legal requests, or protect our rights and the rights of our users.

We process your personal data based on the following legal grounds:

• Contract performance: Processing necessary to provide the Service you have subscribed to
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving our Service and ensuring security
• Legal obligation: Processing required to comply with applicable laws
• Consent: Where required by law, we will obtain your consent before processing

We share your data with the following categories of third parties:

5.1 Payment Processor

Stripe: We use Stripe to process payments. When you make a payment, your payment information is transmitted directly to Stripe. Stripe's privacy policy governs their handling of your data. Stripe is certified under the Swiss-US Data Privacy Framework.

5.2 Hosting Provider

Vercel: Our Service is hosted on Vercel's infrastructure in Europe. Vercel processes data on our behalf as a data processor.

5.3 Legal Requirements

We may disclose your data if required by law, court order, or governmental authority, or to protect our rights, property, or safety.

We do not sell your personal data to third parties. We do not share your data for marketing purposes with third parties.

We do not use cookies for tracking or analytics purposes.

We do not use third-party analytics tools (such as Google Analytics) to track your activity on our website or Service.

The only cookies that may be used are essential technical cookies required for the proper functioning of the Service (such as session cookies for authentication).

7.1 Storage Location

Your data is stored on servers located in the European Union. We do not transfer your data outside of Switzerland or the European Economic Area (EEA).

7.2 Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. This includes encryption in transit and at rest, access controls, and regular security reviews.

8.1 Active Accounts

We retain your personal data for as long as your account is active and as necessary to provide you with the Service.

8.2 After Account Termination

Upon termination of your account, we will delete or anonymize your personal data within 90 days, unless:

• We are required to retain data for legal, tax, or regulatory purposes
• The data is necessary to resolve disputes or enforce our agreements

8.3 Legal Retention

Certain data may be retained for up to 10 years where required by Swiss law (e.g., accounting records as per Art. 958f of the Swiss Code of Obligations).

Under the Swiss FADP and GDPR (where applicable), you have the following rights regarding your personal data:

• Right of access: You may request a copy of the personal data we hold about you
• Right to rectification: You may request correction of inaccurate or incomplete data
• Right to erasure: You may request deletion of your personal data, subject to legal retention requirements
• Right to restriction: You may request that we restrict processing of your data in certain circumstances
• Right to data portability: Where technically feasible, you may request your data in a structured, commonly used format
• Right to object: You may object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise these rights, please contact us at nicolas@nsixdigital.com. We will respond to your request within 30 days.

When an Organization uses Custal to manage their client portal, they act as the data controller for the personal data of their End Clients. In this case, Nsix Digital GmbH acts as a data processor.

Organizations are responsible for:

• Obtaining appropriate consent or legal basis for processing their End Clients' data
• Providing privacy notices to their End Clients
• Responding to data subject requests from their End Clients

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (Federal Data Protection and Information Commissioner - FDPIC) without undue delay and, where feasible, within 72 hours.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.

Our Service is primarily designed for business use (B2B). We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern
Switzerland
Website: www.edoeb.admin.ch

For any questions about this Privacy Policy or our data practices, please contact us:

Nsix Digital GmbH
Panoramastrasse 26
8903 Birmensdorf
Switzerland

Email: nicolas@nsixdigital.com