Privacy Notice

Version baseline-2026-05-06 - Effective 2026-05-06

Status: baseline notice for product use. Customer-specific contracts, signed DPA documents, and private handover evidence are separate from this notice.

Controller and processor roles

Hefti Web Solutions operates the platform. For account, security, billing, support, legal notice, and platform operation data, Hefti Web Solutions usually acts as controller.

For customer project content, application configuration, public application runtime data, knowledge sources, chatbot sessions, feedback, and derived retrieval evidence, Hefti Web Solutions usually acts as processor for the customer organization that configures and publishes the application.

Personal data we process

Depending on how the platform is used, we may process account details, organization membership and invitation data, authentication and security events, audit records, project and application settings, public application identity and privacy-contact settings, knowledge-source content, chatbot messages, feedback, usage and accounting records, provider metadata, mail delivery records, support records, and privacy request case records.

Public chatbot visitors should not submit sensitive personal data unless the customer has explicitly approved that application scope. The baseline public chatbot is for website navigation and answers over customer-approved public sources. It is not intended for medical diagnosis, therapy, triage, emergency support, patient intake, legal or financial advice, HR eligibility, or automated decisions with legal or similarly significant effect.

Purposes and legal bases

We process personal data to provide and secure the platform, administer organizations, projects, and applications, deliver public application runtime features, support operators, maintain audit and accounting evidence, send transactional email where configured, respond to privacy and security requests, and meet legal obligations.

The applicable legal basis depends on the role and context. It may include contract performance, steps before a contract, legitimate interests in operating and securing the platform, legal obligations, consent for optional preferences or non-essential storage, and the customer's instructions for processor activities.

Providers and locations

The production baseline for platform-operator-controlled infrastructure uses Infomaniak services in Switzerland, including hosting, object storage, backups, and the approved Infomaniak AI Services provider family. AI processing may receive prompts, selected conversation context, retrieval snippets, embedding inputs, provider metadata, and generated outputs for the configured application purpose.

Transactional email is organization-scoped. Brevo is the first managed mail provider for the baseline. If the organization owns the Brevo account or API key, that provider belongs to the organization's provider chain. If Hefti Web Solutions controls the sending account, Brevo must be treated as a Hefti subprocessor/provider exception.

No additional production provider is approved by default. Provider exceptions must be documented before production use.

Retention

Retention depends on the data category and configured application policy. Chatbot transcript retention defaults to ephemeral history: cleanup after 1 hour of inactivity and a 24-hour hard cap unless an approved application policy changes it. Chatbot feedback snapshots, debug artifacts, audit records, privacy request cases, usage accounting records, knowledge-source artifacts, vectors, and embeddings follow their documented domain retention rules.

Archived or deleted organizations, projects, applications, sources, sessions, and objects are removed or redacted according to the implemented lifecycle rules. Some records may remain longer where security, legal, accounting, or retention-hold requirements apply.

Your rights and requests

Depending on the applicable law and role, data subjects may request access, correction, deletion, restriction, objection, portability, or human review of automated individual decisions where such rights apply.

For platform-account and operator data, contact `privacy@heftiweb.ch`. For customer-controlled public application or chatbot data, requests may need to be routed to the customer organization that controls the application. Hefti Web Solutions assists that organization according to the applicable contract and implemented platform controls.

Security issues can be reported to `security@heftiweb.ch`. Legal and DPA requests can be sent to `legal@heftiweb.ch`.