Our data protection declaration
* This is a courtesy translation of the original German document. In the event of any discrepancy between this English translation and the German original, the German version shall prevail.
1. What this is about
1.1 Scope
This Privacy Policy describes how we process your personal data when you visit our website kaizuno.com or use the KAIZUNO® Platform. It supplements our Terms of Use, available at kaizuno.com.
1.2 Transparency
We want you to be able to understand what we do with your data and why.
1.3 Applicable version
The current version of this Privacy Policy, as published on kaizuno.com, shall apply at all times.
2. Who we are
The KAIZUNO® Platform is operated by:
Anrok GmbH
Via Larisch 2, 7031 Laax, Switzerland
UID: CHE-290.490.033
Email: data(at)kaizuno.com
Where this Privacy Policy refers to “we”, this means Anrok GmbH. For data protection enquiries, please contact: data(at)kaizuno.com.
3. Our principles
We take care to process data only within the scope of the purposes described. We do not share personal data with third parties unless it is necessary for the operation of the Platform or required by law. And we do not sell your personal data.
Aggregated data that does not allow conclusions about individual persons or organisations is used to improve our own products and services.
4. What data we process
4.1 When visiting our website
When you visit kaizuno.com, our web server automatically collects technical data: your IP address, time of access, pages visited, browser and operating system information, and the referring page. We need this data for the secure operation and optimisation of the website. It is generally deleted after 12 months, unless security or legal reasons require longer retention.
4.2 Upon registration
When you create a user account, we collect: first and last name, email address, password (stored in encrypted form), account settings, your organisation and role affiliation, and usage data (features accessed, timestamps of activities). We need this data to provide you with access to the Platform, manage your account and assign the correct permissions.
Your account data is stored during active use. After your last activity, we retain it for as long as necessary for the purposes described — in particular for long-term development comparisons at both individual and organisational level. After that, it is deleted unless statutory retention obligations apply. Organisation administrators can remove invited users at any time.
4.3 When using the Platform
When you use the Platform, we process the data you enter and the data generated during use — in particular responses to assessment questions, information about the organisational context (such as industry, size and type of organisation), interim saves and the AI-powered results generated from this data.
Important: The Platform is not intended for the processing of business figures, customer lists, bank data or confidential strategic information. Should you enter such data, you do so at your own risk (see Terms of Use, Section 5.4).
Your usage data is stored during active use and beyond for as long as necessary for the purposes described. After that, it is deleted unless statutory retention obligations apply.
4.4 When inviting team members
Organisation administrators can invite team members by entering their name and email address. The invited person then receives an email with access information. This data is stored for as long as the person is part of the organisation and deleted within a reasonable period thereafter.
4.5 When contacting us
When you contact us via the contact form, by email or by telephone, we process the data you provide (name, email address, message content) to handle your enquiry. This data is deleted after the matter is concluded, unless further retention obligations apply.
4.6 When purchasing our services
When placing an order, we process your billing address, order details and invoice information. Credit card and bank data is processed exclusively by our payment service provider Stripe and is not stored on our own servers. Invoice data (addresses, amounts, invoice numbers) is stored and managed by us in accordance with statutory retention periods (generally 10 years under Swiss law, Code of Obligations Art. 958f).
4.7 Newsletter
If you subscribe to our newsletter, we collect your email address, subscription date and confirmation status. You can unsubscribe at any time via the link in each newsletter email or by emailing data(at)kaizuno.com.
4.8 Chatbot
When you interact with a chatbot on our website, we process your message text and technical data (IP address, browser, timestamp). This data is deleted within a reasonable period after the conversation ends, unless security or legal reasons require longer retention.
4.9 After account deletion
When you delete your account, we retain your data for a reasonable grace period — to protect against accidental deletion and to allow you to reactivate at a later time. After this grace period, the data is permanently deleted, unless statutory retention obligations or legitimate interests require otherwise — in particular the preservation of evidence in cases of suspected misuse or unlawful conduct (GDPR Art. 17(3)(e)).
4.10 Legal bases
For customers in the European Union: We process your data on the following legal bases under GDPR Art. 6(1): performance of a contract (lit. b) — for providing the Platform, account management and payment processing; legitimate interest (lit. f) — for the secure operation of the website, improvement of our services, website security and chatbot customer support; consent (lit. a) — for sending the newsletter.
For customers in Switzerland: The nDSG (Swiss Data Protection Act) does not have a catalogue of legal bases like the GDPR. Data processing is permissible provided it does not unlawfully infringe personality rights (nDSG Art. 30) and a justification exists (nDSG Art. 31).
5. Artificial intelligence and your data
The KAIZUNO® Platform uses artificial intelligence as a core component of our service. Here we explain transparently how this works.
5.1 What we use AI for
The AI supports various functions of the Platform — including the creation of assessment questions, the analysis of responses, the generation of reports and recommendations, and the processing of external information sources. The AI-powered scope of features may change and expand as the Platform evolves.
5.2 What data enters AI processing
The data you enter into the Platform and the data generated during use enter AI processing — in particular assessment responses, organisational context and general information you provide. Depending on the feature used, the Platform may also retrieve and process information from external sources. Payment data, trade secrets or bank data are not processed.
5.3 Where processing takes place
Data is stored on servers in Switzerland. AI processing takes place on servers within the European Union. Transfer to servers outside the EU/EEA and Switzerland only occurs if necessary for service provision and appropriate safeguards are in place (see Section 6).
5.4 Transparency
AI-generated content is labelled as such. As described in our Terms of Use (Section “AI inspires — it does not decide”), AI-powered results may contain inaccuracies, errors or biases. They serve as impulses and do not replace independent review, professional expert advice, or regulatory inspections or certifications.
5.5 Responsibility for inputs
The Platform may employ technical safeguards to detect inappropriate inputs. Responsibility for the nature and content of the data entered lies with you and your organisation.
5.6 Classification under the EU AI Act
As things currently stand, the KAIZUNO® Platform is classified as a limited-risk system under Regulation (EU) 2024/1689 (EU AI Act). The system supports users in assessment and analysis processes, does not make automated decisions with significant impact on people’s rights or wellbeing, and requires human oversight of results. This classification may be adjusted as the Platform evolves or regulatory requirements change.
6. Third-party providers and data transfers
We work with the following service providers to operate the Platform:
6.1 Amazon AWS (infrastructure and storage)
Our Platform is hosted on Amazon AWS. Data is stored in Switzerland. AI processing takes place in the EU. If a transfer to the USA is required, it is carried out on the basis of Standard Contractual Clauses (GDPR Art. 46(2)(c)) and the EU-US Data Privacy Framework.
Privacy policy:
https://aws.amazon.com/privacy/
6.2 Stripe (payment processing)
Payments are processed by Stripe. The primary storage location is the EU, with redundant backup in the USA. The legal basis is the EU-US Data Privacy Framework, supplemented by Standard Contractual Clauses. Credit card and bank data is processed exclusively by Stripe and is not stored on our own servers. Invoice data (addresses, amounts, invoice numbers) is stored and managed by us.
Privacy policy:
https://stripe.com/privacy
6.3 Wordfence (website security)
To protect our website, we use Wordfence (DDoS protection, malware scanning). IP addresses and browser information are processed in this context. The storage location is the USA. The legal basis is Standard Contractual Clauses and legitimate interest.
Privacy policy:
https://www.wordfence.com/privacy-policy/
6.4 Security standards of our partners
We only work with service providers that implement appropriate security measures (encryption, access control, audits). All partners are bound by appropriate contractual arrangements — depending on the provider, such as data processing agreements, Standard Contractual Clauses or comparable data protection agreements.
7. Your rights
You have comprehensive rights with regard to your personal data. Below is an overview — organised by the Swiss Data Protection Act (nDSG) and, where applicable, the European General Data Protection Regulation (GDPR).
7.1 Access
You can find out at any time what personal data we process about you and receive a copy in an understandable format.
nDSG Art. 25 / GDPR Art. 15
7.2 Rectification
You have the right to have incorrect or incomplete data corrected.
nDSG Art. 6(5) (principle of data accuracy) / GDPR Art. 16
7.3 Erasure
You may request the deletion of your data, provided no statutory retention obligations apply. This does not apply to data required for the performance of a contract, data we are legally required to retain (such as invoices) or data necessary for the assertion of legal claims.
nDSG Art. 6(4) (proportionality) / GDPR Art. 17
7.4 Restriction of processing
You may request that we restrict the processing of your data — for example, if you contest the accuracy of the data.
GDPR Art. 18
7.5 Data portability
You have the right to receive your data in a structured, commonly used and machine-readable format. This includes your account settings, assessment data and assessment reports.
nDSG Art. 28 / GDPR Art. 20
7.6 Objection to automated decisions
You have the right to object to a decision based solely on automated processing that significantly affects your rights. The KAIZUNO® Platform does not make such automated decisions — the assessment reports are analytical results intended for human evaluation.
nDSG Art. 21 / GDPR Art. 22
7.7 Objection to processing
Where we process your data on the basis of a legitimate interest (such as for website security or the improvement of our services), you may object to this processing if your particular situation so justifies.
GDPR Art. 21
7.8 Withdrawal of consent
Where we process your data on the basis of consent (such as for the newsletter), you may withdraw your consent at any time. The withdrawal takes effect from the moment it reaches us — the lawfulness of previous processing remains unaffected.
GDPR Art. 7(3)
7.9 Complaint to a supervisory authority
If you believe that the processing of your data violates applicable law, you may lodge a complaint with a data protection supervisory authority.
For Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
https://www.edoeb.admin.ch
For the European Union:
The competent supervisory authority in your Member State.
7.10 How to exercise your rights
Contact us at data(at)kaizuno.com or in writing to:
Anrok GmbH
Via Larisch 2, 7031 Laax, Switzerland
Please provide your name and email address and describe your concern. A copy of an identity document may be required to verify your identity. We generally process your request within 30 days (nDSG Art. 25(6)). For particularly complex requests, the deadline may be extended — in that case, we will inform you of the reason and the expected duration. Access requests are free of charge.
8. Data security
We implement appropriate technical and organisational measures to protect your data. These include encrypted transmission (SSL/TLS) and storage of your data, access restrictions to authorised persons, confidentiality commitments from all persons involved in processing, regular review of our security standards within our capacities, and procedures for detecting and handling security incidents.
No data transmission over the internet is completely secure. Despite our measures, we cannot guarantee absolute security. Should a data protection breach occur that poses a high risk to your rights, we will inform you and the competent supervisory authority in accordance with statutory requirements (nDSG Art. 24 / GDPR Art. 33, 34).
9. Cookies
Our website and Platform only use cookies that serve two purposes — the security of your data and a smooth user experience (such as remembering your language setting or returning you to your last working step). We do not use tracking, advertising or marketing cookies.
Specifically, on kaizuno.com we use a session cookie for the language setting and on my.kaizuno.com an additional functional cookie that stores which information pop-ups have already been displayed. In addition, Wordfence and Stripe may set their own technical cookies.
No consent is required for technically necessary and functional cookies (Art. 5(3) ePrivacy Directive). You can manage or delete cookies at any time in your browser settings.
10. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in law, technological developments or operational requirements. In the event of material changes, we will notify you on the Platform or by email. The current version is always available at kaizuno.com.
11. Contact
If you have questions about this Privacy Policy, you can reach us at:
Anrok GmbH
Via Larisch 2
7031 Laax, Switzerland
Email: data(at)kaizuno.com