Privacy policy

Gridwork AG

Effective date: 19 September 2025

This Privacy Policy explains how Gridwork AG ("Gridwork", "we", "us") collects, uses, and protects personal data when you visit our website or use our digital services.

We comply with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Who We Are

Controller:

Gridwork AG

Ernastrasse 22

8004 Zürich, Switzerland

Email: legal@gridwork.ch

  • For website visitors (gridwork.ch, demo requests, newsletters) and Clients (agencies, banks, institutions), Gridwork acts as the data controller.
  • For End-Users (property sellers or buyers using an agency/bank portal powered by Gridwork), Gridwork acts solely as a data processor. The respective agency or bank remains the controller.

2. What Data We Collect

Depending on how you interact with us, we may collect:

  • Website Visitors
    • Contact details: name, email (e.g., demo requests, newsletter sign-ups)
    • Technical data: IP address, browser type, device info
    • Usage data: basic analytics (via Plausible)
  • Clients (agencies, banks, institutions)
    • Contact details of client representatives (name, email, phone number, role)
    • Contract and billing data
    • Login/account information (via Keycloak)
  • End-Users (sellers/buyers using Client portals)
    • Property information, contact details, uploaded documents, and financial preferences
    • Communication data (messages, requests, offers)
    • This data is processed only on behalf of the Client, who remains the controller.

3. Why We Use Your Data

We process data for the following purposes and legal bases:

  • To provide and manage access to the Gridwork platform
    • Legal basis: Contractual necessity
    • Retention: Duration of contract + 2 years
  • To process demo requests, newsletters, or inquiries
    • Legal basis: Consent / Legitimate interest
    • Retention: 24 months / Until withdrawal
  • To maintain secure authentication (Keycloak IAM)
    • Legal basis: Contractual necessity / Legitimate interest
    • Retention: Duration of access + 13 months
  • To send automated emails (e.g., confirmations, updates)
    • Legal basis: Contractual necessity
    • Retention: 24 months / Until withdrawal
  • To improve services, monitor performance (e.g., Plausible analytics)
    • Legal basis: Legitimate interest
    • Retention: 24 months / Until withdrawal
  • To comply with legal and regulatory obligations
    • Legal basis: Legal obligation
    • Retention: 10 years

4. How We Share Your Data

We never sell personal data. We may share it with:

  • Our infrastructure providers:
    • AWS Switzerland – hosting, servers located in Switzerland.
    • Keycloak – identity and access management for secure authentication.
  • Email services:
    • Mailjet – transactional/automated emails (e.g., confirmations, system notifications).
    • Mandrill (part of Mailchimp, US/EU) – additional email delivery service, protected by Standard Contractual Clauses (SCCs).
  • Frontend hosting:
    • Vercel – used to run our frontend and deliver serverless infrastructure. While requests may pass through their systems, Vercel does not permanently store personal data on our behalf.
  • Analytics:
    • Plausible (EU-based) – privacy-friendly web analytics, without cookies or personal tracking.
  • Clients: If you are an End-User, your data is processed solely on behalf of the Client (agency/bank) with whom you interact.
  • Authorities: Where required by law.

All third-party processors are bound by Data Processing Agreements (DPAs) ensuring FADP/GDPR compliance and limiting data use to our instructions only.

5. Cookies and Tracking

  • Essential cookies for website functionality (no consent required)
  • Analytics cookies (Plausible) - you can opt out via browser settings
  • No advertising or invasive tracking cookies

6. Data Retention

We retain data only as long as necessary:

  • Demo requests, inquiries: 24 months after last contact
  • Newsletter subscriptions: until consent is withdrawn
  • Client contract data: 10 years (Swiss commercial law)
  • Technical data/logs: 13 months
  • End-User data: according to instructions of the Client (agency/bank)

Data no longer required is securely deleted or anonymised.

7. Your Rights

Under FADP and GDPR, you have the right to:

  • Access your data
  • Correct inaccurate data
  • Request deletion (“right to be forgotten”)
  • Restrict or object to processing
  • Receive a copy in a structured format (portability)
  • Withdraw consent at any time
  • Lodge a complaint with the FDPIC (Switzerland) or your local EU authority
  • Not be subject to automated decision-making with legal effects

To exercise your rights, contact us at legal@gridwork.ch. We may require proof of identity.

8. Data Security

We use industry-standard measures to protect your data, including:

  • Hosting on AWS Switzerland
  • Secure frontend delivery via Vercel (no permanent storage of personal data)
  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls
  • Regular audits and monitoring

In case of a data breach with high risk to your rights, we will notify Clients and/or affected individuals without undue delay.

9. International Transfers

Data is primarily stored in Switzerland.

If transfer outside Switzerland/EU/EEA is necessary (e.g., Mailjet in the EU/US), safeguards such as Standard Contractual Clauses (SCCs) are applied.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website. Significant changes will be communicated directly to Clients.

11. Contact

For questions about this Privacy Policy, please contact:

Gridwork AG
Ernastrasse 22
8004 Zürich, Switzerland

Email: legal@gridwork.ch