Privacy Policy

Last updated: February 16, 2026

1. Data Controller

The controller responsible for data processing on this website is:

Marcel Tobien
Weihermattweg 6
6353 Weggis
Canton Lucerne, Switzerland
Email: info@epos-ai.ch

2. Scope

This Privacy Policy explains the nature, scope, and purpose of the processing of personal data ("data") in connection with the provision of the EPOS-AI platform.

Legal bases: This Privacy Policy is based on:

Swiss Federal Act on Data Protection (FADP)
EU General Data Protection Regulation (GDPR) for EU customers
UK GDPR and Data Protection Act 2018 for UK customers

3. Data We Collect

3.1 Account Data

Upon registration we collect:

Email address (for login and communication)
Name (optional, for billing)
Password (stored encrypted)

3.2 Payment Data

Payments are processed by Stripe. We do NOT store credit card data on our servers.

The following data is stored for billing purposes:

Stripe Customer ID
Subscription ID
Billing address (if provided)

3.3 Usage Data

During use of the Service we process:

Your texts and projects (stored on servers in Switzerland)
Usage statistics (number of API calls, models used)
Technical logs (IP address, browser, timestamps)

3.4 Cookies and Tracking

We use the following cookies:

Cookie	Purpose	Duration
session_token	Authentication (strictly necessary)	1 hour
preferences	Storing UI settings	1 year

We do NOT use Google Analytics or any other third-party tracking tools.

4. Legal Bases for Processing

Data Type	Legal Basis (GDPR)
Account data, payment data	Art. 6(1)(b) GDPR (contract performance)
Usage data, logs	Art. 6(1)(f) GDPR (legitimate interests)
Marketing emails	Art. 6(1)(a) GDPR (consent)

5. Disclosure to Third Parties

5.1 Anthropic (Claude API)

IMPORTANT: Your texts are transmitted to Anthropic to provide AI features.

Purpose: Generating AI responses
Recipient: Anthropic PBC, USA
Privacy: anthropic.com/privacy

Guarantees:

Anthropic does NOT use your data for AI training (contractually guaranteed)
Data transmission is encrypted (TLS 1.3)
EU Standard Contractual Clauses in place

5.2 Stripe (Payment Processing)

Purpose: Processing payments
Recipient: Stripe Payments Europe Ltd., Ireland / Stripe Inc., USA
Privacy: stripe.com/privacy

5.3 Resend (Transactional Emails)

Purpose: Sending transactional emails (registration, password reset, subscription confirmations)
Recipient: Resend, Inc., USA
Data transmitted: Name, email address
Legal basis: Art. 6(1)(b) GDPR (contract performance)

5.4 No Other Recipients

We do NOT share your data with:

Advertising networks or data brokers
Social media platforms
Analytics services (e.g. Google Analytics)

6. Storage Location and Security

6.1 Server Location

Your data is stored on servers in Switzerland.

Hosting: FireStorm ISP GmbH, Kirchenrainstrasse 27, 8632 Tann (ZH), Switzerland — CHE-114.927.665 (Swiss company, servers in Switzerland, Swiss data protection law)

6.2 Security Measures

Encryption in transit: TLS 1.3 for all data transfers
Encryption at rest: Database encryption (AES-256)
Access control: Passwords hashed with bcrypt
Backups: Daily encrypted backups
Firewall: Access restricted to necessary ports

6.3 No Absolute Security

Despite all security measures, 100% security cannot be guaranteed. We strongly recommend keeping your own backups of your writing.

7. Retention Periods

Data Type	Retention Period
Account data	Until account deletion
Projects and texts	Until manual deletion
Payment data	10 years (statutory retention obligation)
Logs (IP addresses)	30 days
After account deletion	30 days (backup retention), then complete deletion

8. Your Rights

You have the following rights regarding your data:

8.1 Right of Access (Art. 15 GDPR)

You may request information about the data we hold about you.

8.2 Rectification (Art. 16 GDPR)

You may request correction of inaccurate data.

8.3 Erasure (Art. 17 GDPR)

You may request deletion of your data ("right to be forgotten").

8.4 Restriction (Art. 18 GDPR)

You may request restriction of processing.

8.5 Data Portability (Art. 20 GDPR)

You may download your data in a structured format (JSON/CSV).

8.6 Objection (Art. 21 GDPR)

You may object to processing on grounds relating to your particular situation.

8.7 Withdrawal of Consent

Where processing is based on consent, you may withdraw it at any time with effect for the future. This does not affect the lawfulness of processing carried out before withdrawal.

8.8 Complaint to a Supervisory Authority

Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
www.edoeb.admin.ch/en

UK:
Information Commissioner's Office (ICO)
ico.org.uk

EU:
The supervisory authority of your EU member state

9. Data Processing by Anthropic

IMPORTANT: When you use EPOS-AI, your text inputs are transmitted to Anthropic (USA) to generate AI responses.

9.1 What is transmitted?

Your text inputs and prompts
Conversation history within a project
Technical metadata (model, settings)

9.2 What is NOT transmitted?

Your name or email address
Payment information
Account data

9.3 Anthropic's Privacy Commitments

No use of your data for AI training (Commercial Terms)
Deletion after processing (unless otherwise configured)
SOC 2 Type 2 certified
GDPR-compliant Standard Contractual Clauses

10. No Training on Your Data

We confirm:

Your texts are NOT used to train any AI models
Your texts are NOT sold or shared with third parties
Your texts are NOT made public

11. Children

Our Service is not directed at persons under 18 years of age. We do not knowingly collect data from minors.

12. Changes to This Policy

We reserve the right to update this Privacy Policy to reflect changes in law or in our Service. Changes will be announced by email. The current version is always available on this page.

13. Contact and Data Requests

For questions about privacy or to exercise your rights, please contact:

Marcel Tobien
Email: info@epos-ai.ch
Subject line: "Privacy"

We respond within 30 days.

← Back to home | Terms | Privacy | Legal Notice