Data Privacy

We aim to provide you with the best possible user experience when you visit www.xovis.com. The protection of your personal data is our top priority. We process data only in accordance with the applicable legal requirements (GDPR/DSG).

1. Controller

2. Scope

This privacy policy applies to the website www.xovis.com including all subpages.

3. What data do we process?

• Contact details / communication content (e.g. contact form / email)
• Usage / device data (e.g. pages accessed, date/time, shortened/anonymised IP address, referrer)
• Cookie / tracking data (only if you actively use the relevant features or give consent)
• If applicable, account / login data

4. Processing activities

Below you will find the relevant processing activities and their corresponding legal bases.

4.1. Contact

Purpose: Processing your enquiry or fulfilling contractual or pre-contractual measures.

Legal basis: Art. 6(1)(a) or (b) GDPR.

4.2. Social media plugins

Purpose: Sharing and playing content, in particular embedded videos from the provider YouTube (Google Ireland Ltd.).

Legal basis: Art. 6(1)(a) GDPR.

4.3. Web analytics

4.3.1. Google Analytics (GA4)

Purpose: We use Google Analytics (GA4), a service provided by Google Ireland Ltd., to analyse user behaviour and continuously improve our website.

Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.

Retention period: 14 months.

Third-country transfer: Google Ireland / if applicable Google LLC (USA) based on the EU-U.S. Data Privacy Framework (DPF).

4.3.2. Matomo (self-hosted)

Purpose: We use Matomo exclusively on our own servers (“self-hosted”); the purpose is to analyse user behaviour and improve our website.

Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.

Retention period: 12 months.

4.3.3. Microsoft Azure Application Insights

Purpose: We use Microsoft Azure Application Insights exclusively within the Xovis HUB to analyse performance and detect technical errors. This applies exclusively to registered HUB users and not to visitors of other Xovis AG websites.

Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.

Retention period: 90 days.

Third-country transfer: Microsoft Ireland / if applicable Microsoft Corporation (USA) based on the EU-U.S. Data Privacy Framework (DPF).

4.4. Newsletter

Purpose: Reach measurement.

Legal basis: Art. 6(1)(a) GDPR.

Retention period: Until withdrawal of consent.

Disclosure to third parties: CleverReach GmbH & Co. KG as a processor pursuant to Art. 28 GDPR.

4.5. Authentication & IT security

Purpose: We use Auth0 (Okta) for authentication and authorisation of user access.

Legal basis: Art. 6(1)(f) GDPR.

4.6. Server log files

Purpose: Processing, among other things, IP addresses (generally shortened/anonymised), date/time of access, requested resources and referrer for security, stability and error analysis purposes.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: 14 days.

5. Transfer to third countries

Some recipients are located outside the EU/EEA, in particular in the USA. Transfers are carried out on the basis of EU Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework (DPF).

6. Data subject rights

You have the following rights: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent given (Art. 7(3) GDPR). Contact: dataprivacy@xovis.com.

Right to lodge a complaint with a data protection supervisory authority: For Switzerland: FDPIC. For the EU: the respective competent national supervisory authority.

7. Automated decision-making & profiling

No automated decision-making within the meaning of Art. 22 GDPR takes place.

Last updated: January 2026