Privacy policy

Version: 3.2

Stand: June 16, 2026

ZEROVIA GmbH,Via Casti 52, 7151 Schluein, Switzerland

E-Mail: info@zerovia.ch · privacy@zerovia.ch

This privacy policy describes how the ZEROVIA GmbH, Via Casti 52, 7151 Schluein, Switzerland („ZEROVIA», „we») process personal data when you use our website or our SaaS platform. It applies to:

  •  the websites zerovia.ch, zerovia.ai and zerovia.academy
  • the platformzerovia.app,
  • all ESG, Supplier, and Procurement modules,
  • Verification and validation processes,
  • Data sharing with third parties (opt-in),
  • API and integration interfaces,
  • publicly published ESG profiles and their embedding on customer websites.

We process personal data in accordance with theSwiss Data Protection Act (DSG) and - where applicable - theGeneral Data Protection Regulation (GDPR).

1. responsible body and EU representation (Art. 27 GDPR)

1.1 Responsible body in Switzerland

ZEROVIA GmbH Via Casti 52 CH-7151 Schluein E-Mail:privacy@zerovia.ch

1.2 EU representation pursuant to Art. 27 GDPR

ZEROVIA has appointed the following representative for data subjects and supervisory authorities in the EU:

EU Representative (Art. 27 GDPR) iuro Rechtsanwälte GmbH t/a Prighter
Schellinggasse 3
1010 Vienna,
Austria
E-Mail:
privacy@zerovia.ch
Portal for inquiries from affected persons:https://app.prighter.com/portal/zerovia

1.3 Processing activities of the EU representation

The EU representation takes over:

  • Receiving requests from data subjects,
  • Receipt of inquiries from European data protection authorities,
  • Structuring and secure transmission of requests to ZEROVIA,
  • Provision of a Data Subject Request (DSR) Tool.

Processed data include: identification and contact details, information about the data subject's request, and the content of the request.

1.4 Role clarification

  • Prighter as the person responsible: for advice or support in accordance with Art. 27 GDPR.
  • Prighter as a processor: when providing the DSR tool. Prighter usesHetzner Online GmbH as a hosting provider.

2. types of personal data

2.1 Master data

Name, Given Name, Business Contact Information, Role and Position, Company Affiliation.

2.2 Technical and Usage Data

IP address, log files, timestamps, browser and device information, opt-in logs, API token usage.

2.3 ESG-related data

  • Master data (VAT ID, DUNS, address, number of employees, industry, etc.),
  • Information from self-declared ESG profiles,
  • Answers to ESG questionnaires (ESG Quick Check with 15-20 questions, ESG Self-Assessment with 49-58 questions),
  • uploaded documents (policies, reports, proof, receipts, certificates),
  • Details for verifications,
  • Data for external partner validations,
  • Profile and Validity Status,
  • Maturity level and profile type (see §5).

Data Source Information: All ESG-related data in the ESG profile — from master data and stage-specific self-disclosures to uploaded supporting documents and certificates — is provided exclusively by the client. ZEROVIA provides the technical infrastructure, data capture logic, and standardized methodology. The resulting ESG score and ESG profile are the client’s own outcome. ZEROVIA does not issue ESG ratings and is not an ESG rating provider within the meaning of Regulation (EU) 2024/3005 (ESGRR).

2.4 Customer ESG Contact Person Data

For publicly published ESG profiles, the name, function, and business email address of an ESG contact person designated by the customer are also processed and published. The publication is based on legitimate business interests (B2B context, Art. 6 (1) (f) GDPR, Art. 31 Data Protection Act). The customer ensures that the data subject is informed about the publication.

2.5 Communication Data

Email correspondence, support requests, feedback within the platform.

2.6 AI-Related Processing Data

Inputs (prompts) and output texts of the generative AI models used by us (see §10), associated log data for marking AI-assisted content in accordance with Art. 50 (4) EU Regulation 2024/1689.

3. purposes of data processing

3.1 Provision of the platform

Creation and management of user accounts, role and rights management, module operation, error diagnosis and stability.

3.2 ESG profiling

Creation and management of ESG profiles on the platform. The customer uses the ZEROvia platform license and methodology to create an ESG profile based on their own master data and self-disclosures — through the following stages:

  • ESG Quick Check (Level 1),
  • ESG Self-Assessment (Level 2),
  • VS Basic (Level 3),
  • VS Comprehensive (Level 4).
  • Formal plausibility and document checks («Verified by ZEROVIA»), technical support for validations by external partners, display of profile status, report generation.

3.3 Public Profile Publication and Machine Indexing

With active publication of an ESG profile underzerovia.app/profiles/{slug} will the data marked as public:

  • made publicly available,
  • played out as structured data (Schema.org JSON-LD) for discoverability in search engines and AI answer engines (including ChatGPT, Perplexity, Google AI Overviews, Claude).

Fields marked as «Internal» in the publication center do not appear in the visible profile or in JSON-LD. Technical differentiation by individual indexing systems is not possible; a revocation of indexing only takes effect through complete de-publication of the profile. The indexing of public profiles by third parties, including AI response engines and procurement platforms, does not establish ZEROIA as an issuer of ESG ratings within the meaning of the ESGRR.

3.4 Data Sharing with Third Parties (Opt-In)

Upon express customer consent: disclosure to banks, insurance companies, large corporations, customers and suppliers, external validation or auditing organizations, API-based releases, releases via partner codes or sharing links.

3.5 Embedding on Customer Websites

When embedding a published ESG profile on a customer website (snippet, server-side, or JavaScript embed), data is technically transferred from zerovia.app to the end visitor of the customer's site. ZEROVIA does not use its own marketing or tracking cookies. The customer is responsible for providing data privacy information to their end visitors (privacy policy, cookie banner) on their third-party site.

3.6 AI-powered functions (see §10)

Classification and tagging, data cleansing, semantic search, text assistance and recommendations, consistency check of ESG statements, AI-powered text drafts for ESG profiles.

3.7 Improvement and Further Development

Anonymous statistical analysis, UI/UX improvement, platform development.

3.8 Communication

Support, security-relevant messages, notifications about changes to terms and conditions or privacy policy.

4. legal basis for data processing

4.1 Fulfillment of a contract

(Art. 6 (1) (b) GDPR; Art. 31 Swiss FDPA) Registration and account management, use of modules, creation of ESG profiles, execution of verifications, technical processing of validations, use of supplier and procurement modules, provision of API functions.

4.2 Legitimate interest

(Art. 6 (1) (f) GDPR; Art. 31 Data Protection Act) Maintaining IT security, abuse detection, and fraud prevention, further development of our software, documentation and quality assurance, creation of anonymized evaluations,Publication of the customer-named ESG contact person in a B2B context (name, position, business email address).

4.3 Consent (opt-in)

(Art. 6 (1) (a) GDPR; Art. 6 Data Protection Act) Disclosure of ESG data to banks, insurance companies and large companies, disclosure to validation or auditing partners,active publication of an ESG profile (incl. the associated indexing by search engines and AI answer engines), API accesses, partner codes or sharing links, certain AI-powered features (if explained separately). Consent can be withdrawn at any time with future effect.

4.4 Statutory Obligation

(Art. 6 (1) (c) GDPR) Retention obligations according to Swiss Code of Obligations and tax law.

5. ESG profiles and their processing

ZEROVIA distinguishes two orthogonal axes:Ripeness (Depth of disclosure) andProfile Type (Level of scrutiny). The full methodology is underzerovia.ch/methodology available.

5.1 Profile types

  1.  Self-Declared ESG Profile – sole self-disclosure, no verification by ZEROVIA, full responsibility with the company.
  2. Verified by ZEROVIA – formal plausibility and document review, no audit, no certification, no assurance according to ISAE 3000 or ISAE 3410, no product according to Regulation (EU) 2024/3005, opt-in required.

  3. Validated by External Partner – content review by external specialists (e.g., TÜV SÜD, SQS); ZEROVIA is exclusively a technical platform provider; disclosure only after opt-in; any assurance services are entirely the responsibility of the external partner.

5.2 Stages of Ripeness

  1. ESG Quick Check (Level 1) — Status update, 15–20 questions.
  2. ESG Self-Assessment (Level 2) — structured self-disclosure, 48–62 questions with evidence classes E0–E4.
  3. VS Basic (Level 3) — EU Voluntary Standard Base Modules B1–B5(formerly VSME Basic).
  4. VS Comprehensive (Level 4) — EU Voluntary Standard incl. C1–C9(formerly VSME Comprehensive).

The ESG profile summarizes the customer's master data, stage-specific self-disclosures, and documents, certificates, and self-disclosed information uploaded by the customer for each stage. All content is provided exclusively by the customer.

5.3 Publication

Profiles are only displayed publicly when actively shared. Visibility can be configured per data field (Public / Internal). Published profiles will be indexed by search engines and AI response engines in accordance with §3.3.

5.4 Depublication and Profile Lifecycle

Upon depublication or deletion of a profile, the ZEROVIA profile page will be removed within 14 days and served with an HTTP status 410. ZEROVIA will use commercially reasonable efforts to have indexed profile versions removed from search engines and AI answer engines, but does not guarantee complete removal from their cache and training data.

6. disclosure of personal data to third parties (opt-in)

Disclosure is made exclusively with the customer's express consent. Possible recipients: Banks and financial institutions, insurance companies, large companies, customers and suppliers, external validation and auditing organizations, API or webhook-based recipients, platform integrations of business partners.

ZEROVIA does not check the legitimacy of recipients. A revocation is only effective for future accesses.

7. clarification of roles: controller / processor

7.1 ZEROVIA as the responsible partyduring platform operation, profile management, verifications, user data, security-relevant processing, logs and monitoring.

7.2 External validators as responsible partiesin audit decisions and ESG validation reports.

7.3 ZEROVIA as a processorwhen processing personal data on behalf of the customer, API integrations, technical verification processes. The following appliesZEROVIA Data Processing Agreement (DPA), available viaprivacy@zerovia.ch.

8. sub-processors

We use carefully selected service providers. A consolidated, up-to-date list is part of theData Processing Agreement (DPA, Appendix C to the Subscription Terms). As of 06/02/2026, the productive list includes:

8.1 Hosting and Infrastructure

Provider

Purpose

Location / Data location

Legal basis for transmission

Infomaniak Network SA

Hosting Production Environment zerovia.app and zerovia.ch

Switzerland (Geneva)

Within Switzerland, no third-country transfer

Uvensys GmbH

Hosting Development and Test Environment

Germany (Gießen)

within the EU

8.2 EU Representation and Data Subject Rights

Provider

Purpose

Location / Data location

Legal basis for transmission

iuro Rechtsanwälte GmbH (Prighter)

EU Representation GDPR Art. 27, Operation of DSR Tool

Austria

within the EU

Hetzner Online GmbH(Sub-processor of Prighter)

Hosting Prighter DSR-Tool

Germany

within the EU

8.3 AI Models

Provider

Purpose

Location / Data location

Legal basis for transmission

OpenAI Ireland Ltd.

Generative AI models (GPT series) for text drafting and consistency checks in ESG profiles

Ireland (EU data residency), processing partly USA

SCC + Transfer Impact Assessment + technical protective measures

Anthropic PBC

Generative AI Models (Claude Series) for Text Drafting and Consistency Checking

USA

SCC + Transfer Impact Assessment + technical protective measures

Mistral AI(planned fallback)

Generative AI models as a European fallback provider

France

within the EU

8.4 Website Operation zerovia.ch

Provider

Purpose

Location / Data location

Legal basis for transmission

Google LLC (Site Kit / Analytics)

Reach measurement zerovia.ch

EU/USA

only after cookie consent; SCC

TranslatePress (DevriX)

Multilingualism zerovia.ch

European Union

within the EU

SpeedyCache

Page Caching zerovia.ch

European Union

within the EU

CookieAdmin Pro

Cookie Consent Management

European Union

within the EU

Note: We primarily use providers based in the EU or Switzerland. For AI models with US data processing (OpenAI, Anthropic), an extension applies including SCCs, TIAs, and supplementary technical security measures (encryption in transit and at rest, no use of customer data for model training). Mistral AI is on the roadmap as a European fallback to reduce third-country dependency.

9. data transmission to other countries

Data can be transmitted:

  • in countries with an adequacy decision by the European Commission or recognized third countries according to Annex 1 of the Federal Data Protection Act,
  • in third countries based onStandard Contractual Clauses (SCC) of the EU Commission, supplemented by Transfer Impact Assessment (TIA) and technical safeguards,
  • with express consent,
  • due to legal obligations.

Submissions to validation partners are opt-in only. Submissions to AI model providers based in the US are exclusively based on SCC with the addition of supplementary measures (encryption, pseudonymization where possible).

10. AI-powered functions — Transparency pursuant to Art. 50 EU Reg 2024/1689

10.1 Functions Used

ZEROVIA uses generative AI models for:

  • AI-powered text drafts in ESG profiles (sustainability strategy, key measures, industry-specific information),
  • Consistency check of ESG statements (plausibility check, greenwashing indicator),
  • Classification and tagging of uploaded documents,
  • semantic search.

10.2 Labeling Requirement

AI-generated content on public profiles will be marked as such — visible on the profile and machine-readable in JSON-LD via the fieldcreativeWorkStatus. This labeling is already carried out before Art. 50 (4) EU-VO 2024/1689 comes into regulatory force (applicable from 02.08.2026).

10.3 AI Model Providers Used

Currently in productive useOpenAI Ireland Ltd. (GPT models) andAnthropic PBC (Claude Models). As a European fallback, the connection ofMistral AI (France) planned to further reduce dependence on third countries. Changes of providers will be updated in the sub-processor list (§8.3) and in the DPA; significant changes will be communicated to customers in advance according to the subscription terms §13.

10.4 Training Data

Customer data isnot used to train publicly accessible AI models. The use of anonymized aggregate data for internal model improvement is only permitted with explicit customer opt-in.

10.5 No automated individual decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you.

No automated decision-making within the meaning of Art. 22 GDPR has legal effect. AI drafts and consistency checks are assistance functions that the customer reviews and approves.

11. storage period

We store personal data:

  • as long as a user account exists,
  • as long as statutory retention periods exist (10 years according to Swiss OR Art. 958f for business ledgers and records),
  • as long as there is a legitimate interest,
  • until a lawful deletion is requested.

ESG profiles are stored according to their validity period and then flagged. After depublication: Profile page removal within 14 days, HTTP 410 response, further instructions according to §5.4.

12. IT security and technical and organizational measures (TOM)

We protect data through modern organizational and technical measures, including:

  • SSL/TLS Encryption,
  • role-based access controls and optional 2FA,
  • Firewalls, Intrusion Detection/Prevention Systems,
  • System Monitoring,
  • regular backups,
  • internal audits and external security tests.

Our security architecture is based onISO/IEC 27001 and the recommendations of theFDPIC.

13. rights of data subjects

Depending on the applicable law, you have the following rights:

  • Information (Art. 15 GDPR / Art. 25 Data Protection Act),
  • Rectification (Art. 16 GDPR / Art. 32 German Data Protection Act),
  • Erasure (Art. 17 GDPR / Art. 32 DPPA),
  • Restriction (Art. 18 GDPR),
  • Data portability (Art. 20 GDPR / Art. 28 Data Protection Act),
  • Objection (Art. 21 GDPR),
  • Revocation of consents (Art. 7 (3) GDPR).

Inquiries to:privacy@zerovia.ch

EU citizens:https://app.prighter.com/portal/zerovia

Right to complain Individuals residing in Switzerland can contact the Federal Data Protection and Information Commissioner (FDPIC). Individuals residing in the EU can contact their respective national data protection supervisory authority.

14. Cookies and Tracking

The website zerovia.ch uses:

  • Technically necessary cookies (Session, Language Setting, Cookie Consent) — Legal Basis: Legitimate Interest.
  • Functional Cookies (e.g., Performance, Caching) — Legal basis: legitimate interest or consent.
  • Analysis Cookies (Google Site Kit / Analytics) — exclusively with explicit consent via the cookie banner.
  • Advertising cookies — currently not in use; if used in the future, only with explicit consent.

The ZEROVIA platform zerovia.app uses only technically necessary cookies for authentication and session management.

Cookie settings can be changed at any time via the „Cookie Settings» link in the website footer.

15. Data Processing Agreement (DPA)

If ZEROVIA processes personal data for business customers on behalf of business customers, theZEROVIA DPA, which regulates: Purpose and scope of processing, responsibilities, technical and organizational measures, sub-processors (including AI model providers), international transfers. Requirement regardingprivacy@zerovia.ch.

16. Embedding on customer websites

When a customer embeds a published ESG profile on their own website:

  • Snippet and Server-Side Embed ZEROVIA provides static HTML code with inline JSON-LD. There is no live connection from the customer's website to ZEROVIA. ZEROVIA does not process data from end visitors.
  • JavaScript Embed: The end-user of the customer website loads a resource from embed.zerovia.app. Technically necessary data (IP address, user agent, timestamp) is processed for delivery. ZEROVIA does not use tracking cookies.

The customer is responsible for data protection regarding their website visitors and must inform them about the embedding in their own privacy policy.

17. Changes to this Privacy Policy

This privacy policy may be updated, particularly in the event of product changes, altered legal requirements, new modules, or revised validation processes. Customers will be adequately informed in advance of any significant changes. The current version is available athttps://zerovia.ch/datenschutzerklaerung/ available.

Version History:

  • v3.2 (06.16.2026) — Platform and Methodology License Clarification (§2.3 Data Origin Notice); Renaming «ESG Rating» to «ESG Self-Assessment (Level 2)» in §2.3, §3.2, §5.2; ESGRR Scope Definition (§2.3, §3.3); Clarification of Profile Type «Verified by ZEROVIA» without ISAE Assurance Character (§5.1b); ESG Profile Structure as a Customer-Provided Document (§5.2).
  • v3.1 (06.02.2026) — KI-VO Art. 50, ESG contact person publication, AI indexing, embed data protection, specific subprocessor table (Infomaniak, Uvensys, OpenAI, Anthropic, Mistral-planned), maturity levels, DPA referenced as appendix C of the AB.
  • v3.0 (20.11.2025) — Introduction of Prighter EU Representation, three profile types, DPA reference.

18. Contact

ZEROVIA GmbH
Via Casti 52
CH-7151 Schluein
privacy@zerovia.ch ·info@zerovia.ch