Privacy Policy - AlphaLum

AlphaLum SA, located at EPFL Innovation Park, Building J, 1015 Lausanne, Switzerland is committed to protecting your privacy and ensuring the secure and transparent processing of personal data in accordance with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR). AlphaLum SA acts as the data controller for the processing of personal data described in this Privacy Policy.

This Privacy Policy provides information about how we process personal data and is intended to fulfil our duty to inform under applicable data protection laws, including the Swiss Federal Act on Data Protection (FADP).

1. Scope of Application

This Privacy Policy explains how AlphaLum SA collects and processes personal data in connection with its business activities. It applies to personal data relating to:

visitors to our website
customers, prospective customers, and their contact persons
suppliers, service providers, and business partners
applicants in recruitment processes; and
other individuals who contact us or otherwise interact with us.

This Privacy Policy applies to personal data that we collect through our website, by email, by telephone, through meetings and correspondence, in the context of contractual relationships, and through other business interactions.

It does not apply where a separate privacy notice is provided for a specific processing activity, product, service, or relationship.

2. What Personal Data We Collect

We may collect and process different categories of personal data depending on the nature of our relationship with you and the services we provide. This may include in particular:

Identification and contact data, such as your name, company name, job title, postal address, email address, telephone number, and other contact details
Account and access data, such as usernames, user IDs, authentication data, account settings, and other access-related information, where you use our digital services, platforms, or portals
Contract and transaction data, such as information relating to enquiries, quotations, orders, contracts, invoices, payments, billing details, transaction references, and the provision of our services
Communication data, such as correspondence by email, telephone, contact forms, meetings, and other interactions with us
Technical and usage data, such as IP address, device type, browser information, operating system, access times, log files, cookie identifiers or similar online identifiers, and information about the use of our website or digital services
Marketing and preference data, such as your communication preferences, newsletter subscriptions, interests, and responses to marketing activities
Application data, where you apply for a position with us, such as your CV, cover letter, qualifications, employment history, references, interview notes, and other information submitted as part of the recruitment process; and
Other personal data that you voluntarily provide to us or that we lawfully receive from third parties, public sources, or business partners in connection with our business activities.

We generally collect personal data directly from you. However, we may also receive personal data from third parties, such as your employer, business partners, service providers, public registers, publicly available sources, or other persons involved in a contractual or business relationship with us.

Where relevant, payment-related information may be processed by us or by external payment service providers acting on our behalf or, where applicable, as separate controllers.

If you provide us with documents or other information that include sensitive personal data, we will process such data only where permitted by applicable law and where relevant for the respective purpose.

We only collect personal data that is necessary for the purposes described in this Privacy Policy or that we are otherwise permitted or required to collect under applicable law.

3. Purpose of Data Processing

We process personal data for the following purposes:

to provide, operate, manage, maintain, and improve our services, products, website, and digital services
to communicate with you, respond to enquiries, provide customer support, and manage our business relationships
to create and administer user accounts and provide access to our platforms, portals, or other digital services, where applicable
to prepare, conclude, perform, and manage contracts, including processing orders, transactions, invoices, and payments
to ensure the security, confidentiality, availability, and proper functioning of our systems, website, and services, including fraud prevention, abuse detection, and IT security
to analyze the use of our website and services, improve user experience, and develop or enhance our products and services
to conduct marketing and business development activities, including sending information about our services where permitted by applicable law and, where required, on the basis of your consent. You may opt out of receiving marketing communications from us at any time by using the unsubscribe link included in our emails or by contacting us using the contact details provided in this Privacy Policy.
to carry out recruiting and hiring processes
to comply with legal, regulatory, and contractual obligations
to establish, exercise, or defend legal claims and to protect our rights and legitimate business interests.

4. Automated Decision-Making and Profiling

We do not use personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of applicable data protection law.

If we introduce such processing in the future, we will update this Privacy Policy and provide any additional information required by applicable law.

5. Legal Basis for Processing

Under Swiss data protection law, we process personal data where permitted by applicable law and in accordance with the principles of lawful, good-faith, proportionate, and transparent processing. Depending on the circumstances, this may include processing that is necessary for the performance of a contract, compliance with legal obligations, the protection of our legitimate interests, or based on your consent where required. Swiss law also requires transparency when personal data is collected.

To the extent the GDPR applies, we process personal data on one or more of the following legal bases:

Consent (Art. 6(1)(a) GDPR)
Performance of a contract or steps prior to entering into a contract (Art. 6(1)(b) GDPR)
Compliance with a legal obligation (Art. 6(1)(c) GDPR)
Legitimate interests pursued by us or a third party (Art. 6(1)(f) GDPR), provided such interests are not overridden by your interests or fundamental rights and freedoms.

Our legitimate interests may include, in particular, operating and improving our business and services, customer relationship management, IT and information security, fraud prevention, internal administration, legal compliance, the establishment, exercise or defense of legal claims, and direct marketing to business contacts where permitted by applicable law.

6. Data Sharing and Transfers

Within AlphaLum SA, personal data may be accessed by authorized employees or representatives where this is necessary for the purposes described in this Privacy Policy and in accordance with applicable confidentiality and data protection obligations.

We may disclose personal data to third parties where this is necessary for the purposes described in this Privacy Policy, in particular to the following categories of recipients:

service providers that support our business operations, such as providers of IT services, cloud hosting, website hosting, communication tools, customer relationship management systems, marketing services, payment services, recruitment services, and professional advisory services
business partners and suppliers, where this is necessary in connection with our services, contracts, or general business operations
authorities, courts, regulators, or other public bodies, where we are legally required or permitted to do so, or where disclosure is necessary to establish, exercise, or defend legal claims
affiliated companies, to the extent such entities exist and the disclosure is necessary for internal administration or the provision of our services.

Where third parties process personal data on our behalf, we require them to process such data only in accordance with our instructions and applicable law, and to implement appropriate technical and organizational security measures.

Personal data may be processed in Switzerland, the European Economic Area (EEA), the United States, or other countries where our service providers operate. If personal data is transferred to a country that does not provide an adequate level of data protection under applicable law, we will ensure appropriate safeguards, for example by entering into standard contractual clauses or relying on other legally recognized transfer mechanisms.

You may contact us using the details set out in this Privacy Policy if you would like further information about such recipients or the applicable safeguards for international data transfers.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, for the duration of the relevant business relationship, and for any additional period required or permitted by applicable law.

The retention period depends on the category of personal data and the purpose of the processing. In particular:

contract, transaction, and business records are retained for as long as necessary to perform the relevant contract and thereafter for the period required to comply with legal, tax, accounting, and record-keeping obligations or to establish, exercise, or defend legal claims
communication data is retained for as long as necessary to handle the relevant enquiry, request, or business relationship and for an appropriate period thereafter for documentation and follow-up purposes
account and access data is retained for as long as an account remains active and thereafter for a limited period where necessary for security, compliance, or dispute-resolution purposes
technical and usage data is retained for as long as necessary to operate, maintain, and secure our website and digital services and to analyze and improve their performance
marketing and preference data is retained until you withdraw your consent, object to the relevant processing, or the data is no longer needed for the relevant purpose
application data is retained for the duration of the recruitment process and, if no employment relationship is established, for a 12 months period thereafter, unless longer retention is required or permitted by law or you consent to a longer retention period.

At the end of the applicable retention period, personal data will be deleted, anonymized, or retained in a restricted manner where continued retention is necessary to comply with legal obligations or for the establishment, exercise, or defense of legal claims. Swiss transparency rules require the controller to provide the storage period or, if that is not possible, the criteria used to determine it.

8. Your Rights

Subject to applicable law and the conditions and limitations set out therein, you have the following rights in relation to your personal data:

to request information about whether we process your personal data and, if so, to obtain access to such data and related information
to request the correction of inaccurate or incomplete personal data
to request the deletion of your personal data, where applicable
to request the restriction of processing, where applicable
to object to the processing of your personal data, where applicable
to withdraw your consent at any time with effect for the future, where processing is based on your consent
to receive certain personal data in a structured, commonly used, and machine-readable format or to request its transfer to another controller, where applicable; and
to lodge a complaint with the competent data protection authority, in particular with the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), if you believe that the processing of your personal data violates applicable data protection law. Under Swiss law, data subjects can request information, correction, deletion, or restriction, and Swiss guidance notes that access is generally provided free of charge and usually within 30 days.

To exercise your rights, please contact us at info@alphalum.com.

We may request appropriate proof of identity before processing your request, and we may limit or decline a request where this is permitted by applicable law. We will respond to your request in accordance with applicable legal requirements. Swiss guidance explains that requests may be made electronically, provided the controller verifies identity appropriately.

9. Security Measures

We take appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, loss, misuse, or destruction.

These measures may include, in particular, access controls, role-based access restrictions, authentication measures, encryption where appropriate, secure transmission of data, backup and recovery procedures, system monitoring, and measures designed to ensure the confidentiality, integrity, availability, and resilience of our systems and services.

We also take reasonable steps to ensure that persons who have access to personal data are subject to appropriate confidentiality obligations and that service providers processing personal data on our behalf implement appropriate security measures.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority and, where required, affected individuals in accordance with applicable data protection law.

10. Cookies and Tracking

Our website may use cookies and similar technologies, such as pixels, tags, plug-ins, scripts, or local storage, to ensure the proper functioning of the website, enhance user experience, analyze website usage, and, where applicable, support our communication and marketing activities.

These technologies may collect or generate information such as IP address, browser type, device information, operating system, access times, referring URLs, online identifiers, and information about how you interact with our website or digital services.

We may use the following categories of cookies and similar technologies:

strictly necessary technologies, which are required for the operation, security, and functionality of the website
performance and analytics technologies, which help us understand how the website is used and improve its performance and content
functional or marketing technologies, where applicable, which help us remember preferences, measure the effectiveness of communications, or provide relevant information about our services.

Where required by applicable law, we will request your consent before using non-essential cookies or similar technologies. You can also manage or disable cookies through your browser settings and, where available, through our cookie preference tools.

Further information about how we use cookies and similar technologies may be obtained by contacting us using the contact details provided in this Privacy Policy.

Our website may also integrate services or content provided by third parties, such as analytics providers, hosting providers, embedded media, maps, or other external tools. These providers may process technical information such as IP addresses, device identifiers, browser information, or interaction data when you access or interact with such services.

These third parties may act as independent controllers of the data they process in accordance with their own privacy policies. We encourage you to review the privacy policies of such providers for further information about how they process personal data.

11. Children’s Data

Our website, services, and business activities are not directed to children, and we do not knowingly collect personal data from children under the age of 16.

If we become aware that personal data of a child has been collected without appropriate consent where required by law, we will take reasonable steps to delete such data.

If you believe that a child has provided personal data to us, please contact us using the contact details provided in this Privacy Policy.

12. Links to Third-Party Websites

Our website may contain links to third-party websites or services that are not operated or controlled by AlphaLum SA.

This Privacy Policy does not apply to such third-party websites or services. We are not responsible for their privacy practices or the content of those websites.

We encourage you to review the privacy policies of any third-party websites you visit.

13. Changes to This Policy

We may amend this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or our services.

The current version of this Privacy Policy will always be made available on our website and will indicate the date of the last update.

Where required by applicable law or where changes are material, we will take appropriate steps to inform affected individuals in an appropriate manner.

14. Contact

If you have any questions about this Privacy Policy or about how we process personal data, you may contact us at:

AlphaLum SA
EPFL Innovation Park, Building J
1015 Lausanne
Switzerland
Email: info@alphalum.com

Where applicable, requests relating to your rights under data protection law may also be submitted using the contact details above.