Privacy policy

Version: 3.0
As of: November 20, 2025
Zerovia GmbH, Via Casti 52, 7151 Schluein, Switzerland
E-mail: info@zerovia.ch


This privacy policy describes how ZEROVIA GmbH, Via Casti 52, 7151 Schluein, Switzerland ("ZEROVIA", "we") processes personal data when you use our website or our SaaS platform. It applies to:

  • The website zerovia.ch
  • The platform zerovia.app
  • All ESG, supplier and procurement modules
  • Verification and validation processes
  • Data sharing with third parties (opt-in)
  • API and integration interfaces

We process personal data in accordance with the Swiss Data Protection Act (DSG) and - where applicable - the General Data Protection Regulation (GDPR).

1. Responsible body and EU representation (Art. 27 GDPR)

1.1 Responsible body in Switzerland

ZEROVIA GmbH
Via Casti 52
CH-7151 Schluein
E-mail: privacy@zerovia.ch

1.2 EU representation pursuant to Art. 27 GDPR

ZEROVIA has appointed the following representative for data subjects and supervisory authorities in the EU:

EU Representative (Art. 27 GDPR)
iuro Rechtsanwälte GmbH t/a Prighter
Schellinggasse 3
1010 Vienna, Austria
E-mail: privacy@zerovia.ch

Portal for inquiries from affected persons: https://app.prighter.com/portal/zerovia

1.3 Processing activities of the EU representation

The EU representation handles:

  • Receiving inquiries from affected persons
  • Receiving inquiries from European data protection supervisory authorities
  • Structuring and secure transmission of requests to ZEROVIA
  • Provision of a data subject request tool (DSR tool)

Processed data includes, among other things:

  • Identification and contact data
  • Details of the data subject's request
  • Contents of the request

1.4 Role clarification

  • Prighter as the responsible party (controller):
    for advice or support in accordance with Art. 27 GDPR.
  • Prighter as a processor:
    when the DSR tool is provided.
    Prighter uses Hetzner Online GmbH as a hosting provider.

2. Types of personal data

We process the following categories of data in particular, depending on use:

2.1 Master data

  • Surname, first name
  • Business contact details
  • Role and position
  • Company affiliation

2.2 Technical and usage data

  • IP address
  • Log files, time stamp
  • Browser and device information
  • Opt-in protocols
  • API token usage

2.3 ESG-related data

  • Information from self-declared ESG profiles
  • Answers to ESG questionnaires
  • Uploaded documents (policies, reports, proofs)
  • Information for verifications
  • Data for validations of external partners
  • Profile and validity status

2.4 Communication data

  • E-mail correspondence
  • Support requests
  • Feedback within the platform

3. Purposes of data processing

We process personal data for the following purposes:

3.1 Provision of the platform

  • Creation and management of user accounts
  • Role and rights management
  • Operation of the modules
  • Fault diagnosis and stability

3.2 ESG profiling

  • Creation and management of ESG profiles
  • Self-declared entries
  • Formal verifications ("Verified by ZEROVIA")
  • Technical support for validations by external partners
  • Display of the profile status

3.3 Data sharing with third parties (opt-in)

With the express consent of the customer:

  • Disclosure to banks
  • Forwarding to insurance companies
  • Transfer to large companies
  • Passing on to customers and suppliers
  • Transfer to external validation or testing organizations
  • API-based releases
  • Sharing via partner codes or sharing links

3.4 Improvement and further development

  • Anonymous statistical evaluations
  • Improvement of UI/UX
  • Further development of the platform

3.5 Communication

  • Support
  • Security-related messages
  • Notifications of changes to terms and conditions or data protection

4. Legal basis for data processing

ZEROVIA processes personal data on the following legal bases:

4.1 Fulfillment of a contract

(e.g. Art. 6 para. 1 lit. b GDPR; Art. 31 FADP)

We process data in order to provide our services or fulfill contracts. This includes:

  • Registration and account management
  • Use of the modules
  • Creation of ESG profiles
  • Implementation of verifications
  • Technical processing of validations
  • Use of supplier and procurement modules
  • Provision of API functions

The platform cannot be operated without this data.

4.2 Legitimate interest

(e.g. Art. 6 para. 1 lit. f GDPR; Art. 31 FADP)

We process data to protect our legitimate interests, in particular for:

  • Maintaining IT security
  • Abuse detection and fraud prevention
  • Further development of our software
  • Documentation and quality assurance
  • Creation of anonymized evaluations

This processing will only take place within a framework that you can reasonably expect.

4.3 Consent (opt-in)

In certain cases, we only process data with your express consent. This concerns:

  • Disclosure of ESG data to banks, insurance companies and large corporations
  • Forwarding to validation or testing partners
  • Publication of an ESG profile
  • API access, partner codes or sharing links
  • Certain AI-supported functions (if explained separately)

Consent can be revoked at any time with effect for the future.

5. ESG profiles and their processing

ZEROVIA supports three profile types:

5.1 Self-declared ESG profiles

  • Pure self-disclosure
  • No testing by ZEROVIA
  • Full responsibility lies with the company

5.2 Verified by ZEROVIA

  • Formal document review
  • Plausibility checks
  • No audit, no certification
  • Opt-in required

5.3 Validated by External Partner

  • Content review by external specialists
  • ZEROVIA = exclusively technical platform provider
  • Forwarding only after opt-in
  • Validation assessments come from external partners

5.4 Publication

Profiles are only displayed publicly if this is actively enabled.

6. Disclosure of personal data to third parties (opt-in)

Personal data is only passed on with the express consent of the customer.

Possible recipients:

  • Banks and financial institutions
  • Insurances
  • Large companies
  • Customers and suppliers
  • External validation and testing organizations
  • API- or webhook-based receivers
  • Platform integrations from business partners

ZEROVIA does not check the legitimacy of the recipients.
Revocation only applies to future access.

7. Clarification of roles: controller / processor

7.1 ZEROVIA as the responsible party

for:

  • Operation of the platform
  • Profile management
  • Verifications
  • User data
  • Security-relevant processing
  • Logs and monitoring

7.2 External validators as responsible parties

for:

  • Test decisions
  • ESG validation reports

7.3 ZEROVIA as a processor

for:

  • Processing of personal data on behalf of the customer
  • API integrations
  • Technical verification processes

The ZEROVIA Data Processing Agreement (DPA).

8. Sub-processors

We use carefully selected service providers, e.g.:

  • Hosting provider (CH/EU)
  • E-mail and communication services
  • Security and monitoring provider
  • Validation service provider (opt-in)
  • AI tools for structuring tasks

A list can be requested from the DPA.

9. Data transmission to other countries

Data can be transmitted:

  • to countries with an adequacy decision
  • on the basis of standard contractual clauses (SCC)
  • on the basis of express consent
  • due to legal obligations

Transmissions to validation partners are only made by opt-in.

10. AI-supported functions

ZEROVIA uses AI-supported functions for, among other things:

  • Classification and tagging
  • Data cleansing
  • Semantic search
  • Text aids and recommendations

No automated decision has any legal effect.
Data is not used to train external AI models.

11. Storage period

We store personal data:

  • as long as a user account exists
  • as long as statutory retention obligations exist
  • as long as there is a legitimate interest
  • until a permissible deletion is requested

ESG profiles are saved according to their validity period and then marked.

12. IT security and technical and organizational measures (TOM)

We protect data through modern organizational and technical measures, e.g.:

  • SSL/TLS encryption
  • Role-based access controls and optional 2FA
  • Firewalls, IDS/IPS
  • System monitoring
  • Regular backups
  • Internal audits and external security tests

Our security architecture is based on ISO/IEC 27001 and the recommendations of the FDPIC.

13. Rights of data subjects

Depending on the applicable law, you have the following rights:

  • Information
  • Correction
  • Deletion
  • Restriction
  • Data portability
  • Objection
  • Revocation of consent

Inquiries to: privacy@zerovia.ch

EU citizens: https://app.prighter.com/portal/zerovia

14. Data Processing Agreement (DPA)

If ZEROVIA processes personal data on behalf of business customers, the ZEROVIA DPA applies, which regulates:

  • Purpose and scope of processing
  • Responsibilities
  • Technical and organizational measures
  • Sub-Processors
  • International transmissions

15. Changes to this privacy policy

This privacy policy may be adapted, in particular in the event of:

  • Product changes
  • Changed legal requirements
  • New modules
  • Revised validation processes

The current version is available at https://zerovia.ch/datenschutzerklaerung/

16. Contact

ZEROVIA GmbH
Via Casti 52
7151 Schluein
privacy@zerovia.ch