1. Introduction & scope
This privacy policy informs you about the nature, scope, and purposes of the personal data we collect, use, and process when you visit the Solvetia marketing site, register an account on the Solvetia platform, contact us, or otherwise interact with our services. It applies to all websites, sub-domains, and applications operated by Enerphy Suisse AG under the Solvetia brand. Where you upload personal data about your own customers as a tenant of the platform, we act as your data processor under a separate Data Processing Agreement (DPA) that supplements this policy.
2. Data controller
The controller responsible for the processing of personal data on this website and on the Solvetia platform within the meaning of the FADP and the GDPR is Enerphy Suisse AG, Bahnhofstrasse 10, 8001 Zürich, Switzerland. For any data-protection matter — including access, rectification, deletion, objection, or withdrawal of consent — please contact us in writing at the address above or by email at [email protected]. Where required by law, we will appoint a representative in the European Union and publish their details here.
3. Categories of personal data we process
We process only the categories of personal data that we genuinely need to operate the service. The non-exhaustive list below summarises the data we may process about you:
- Account data: name, work email, company, role, password (stored as a salted hash), preferred language.
- Billing data: legal company name, VAT number, billing address, payment method tokens (the full card number is handled by Stripe and never touches our servers).
- Usage data: pages visited, features used, calculator runs, leads generated, timestamps, and the IP address used.
- Customer data uploaded by you as a tenant: end-customer names, postal addresses, contact details, simulation inputs and outputs, offers, invoices.
- Communication data: emails and support tickets you send us, and our replies.
- Technical data: IP address, browser type and version, device type, operating system, referring URL, language preference, cookies.
4. Purposes of processing
We process personal data to: provide and operate the Solvetia platform under our contract with you; create and administer user accounts; bill for credits and subscriptions and recover unpaid invoices; provide customer support; communicate service updates and security notices; ensure the security, stability, and integrity of the service; prevent fraud, abuse, and unlawful use; analyse and improve the service in aggregate, anonymised form; and comply with our legal obligations under Swiss and EU law (in particular tax, accounting, and record-keeping obligations). We do not sell, rent, or otherwise transfer your personal data to third parties for their own marketing purposes.
5. Legal basis for processing
Where the GDPR applies, our legal bases for processing are: (a) Article 6(1)(b) GDPR — performance of a contract to which you are party, or pre-contractual measures at your request (e.g. account creation, billing, support); (b) Article 6(1)(c) GDPR — compliance with a legal obligation (e.g. retention of accounting records for ten years under Swiss law); (c) Article 6(1)(f) GDPR — our legitimate interests in operating, securing, and improving the service, subject to your interests and fundamental rights; and (d) Article 6(1)(a) GDPR — your consent, where required (e.g. analytics or marketing cookies, newsletters). Under the Swiss FADP, processing is justified by contractual necessity, legal obligation, overriding legitimate interest, or your consent.
6. Server log files
Each time you access our website, our infrastructure provider automatically collects technical access data in server log files. This data includes: the IP address of the requesting device, the date and time of access, the URL accessed, the HTTP status code returned, the size of the transferred data, the referring URL, and the user agent (browser, operating system). This data is processed solely to ensure the security, stability, and proper operation of the service, to detect and prevent abuse or attacks, and to diagnose technical errors. Log files are stored separately from any other personal data and are deleted automatically after 30 days, unless a security incident requires longer retention.
7. Cookies & similar technologies
We use cookies and similar technologies (local storage, session storage) to make our service work and to remember your preferences. Strictly necessary cookies — session, authentication, language, country, and CSRF protection — are set without your consent because the service cannot function without them; their legal basis is contractual necessity. Functional, analytics, and marketing cookies, where used, are loaded only after you give consent through the cookie banner, and their legal basis is your consent under Article 6(1)(a) GDPR or Article 6(3) FADP. You can withdraw your consent at any time from your account settings or your browser controls; withdrawal does not affect the lawfulness of processing before the withdrawal.
8. Contact form & email correspondence
When you contact us through the contact form, by email, or by phone, we process the data you provide (name, email address, phone number, the content of your message, and any attachments) solely to handle your enquiry. The legal basis is the performance of pre-contractual measures or our legitimate interest in responding to your enquiry. We retain contact correspondence for as long as necessary to handle the enquiry and any follow-up, and then in accordance with statutory retention obligations.
9. Newsletter & marketing communications
If you subscribe to our newsletter or other marketing communications, we process your email address, name, and language preference solely to send you the communications you requested. We use a double-opt-in procedure: after registration you receive a confirmation email and must click the confirmation link to activate the subscription. The legal basis is your consent (Article 6(1)(a) GDPR). You can withdraw your consent at any time by clicking the unsubscribe link in any newsletter or by contacting us; we will then delete your subscription data, subject to any statutory retention obligations.
10. Applicant data
If you apply for a position with Enerphy Suisse AG, we process the data you provide in your application (CV, cover letter, references, certificates, contact details, salary expectations, and any further information you supply) solely to assess your suitability for the role. The legal basis is the initiation of an employment relationship at your request. If you are not hired, we delete your application data within six months of the conclusion of the recruitment process, unless you have expressly consented to longer retention in our talent pool.
11. Social media & external platforms
Our marketing site may contain links to our profiles on LinkedIn, X (Twitter), GitHub, or other social networks. These links are simple HTML links and do not transmit personal data to the respective network unless you click them. Clicking a link transfers you to the third-party platform, at which point that platform's privacy policy and terms apply. We have no influence over the data processing of these third parties. If you visit our profiles on these platforms, the platform operators are joint controllers with us only for the limited data processed in connection with our page, in line with the platform's standard joint-controllership terms.
12. Recipients & sub-processors
To deliver the service we rely on a limited number of carefully selected sub-processors and service providers, including infrastructure and hosting providers, managed-database providers, payment-service providers, transactional-email providers, SMS providers, content-delivery and security providers, and monitoring providers. All sub-processors are based in Switzerland, the European Economic Area, or in countries offering an adequate level of protection, or are subject to appropriate safeguards (in particular Standard Contractual Clauses including the Swiss addendum). Each sub-processor is bound by a written data-processing agreement that imposes obligations equivalent to those set out in this policy. A current list of sub-processors and the safeguards in place is available on request by contacting us at the address below.
13. International transfers
Where personal data is transferred outside Switzerland or the European Economic Area (in particular to sub-processors with infrastructure in the United States), we ensure that the transfer is protected by appropriate safeguards under the FADP and the GDPR: (a) an adequacy decision of the European Commission or the Swiss Federal Council, where one exists for the destination country; (b) the EU Standard Contractual Clauses (SCCs) including the Swiss addendum; or (c) other lawful transfer mechanisms. We complement these legal safeguards with technical measures such as end-to-end encryption in transit (TLS 1.2+) and at rest (AES-256). A copy of the safeguards in place for a specific transfer is available on request.
14. Retention periods
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. Specifically: account data is retained while your account is active and for thirty days after closure; accounting and billing records are retained for ten years in accordance with Article 958f of the Swiss Code of Obligations; usage logs are retained for twelve months; technical server logs are retained for thirty days; customer data uploaded by tenants is retained according to the tenant's retention settings or deleted within thirty days of contract termination; applicant data is deleted within six months unless a talent-pool consent applies; newsletter subscription data is retained until you unsubscribe.
15. Security measures
We protect your personal data by appropriate technical and organisational measures aligned with the state of the art and the risk of the processing. These include TLS 1.2+ encryption for all data in transit, AES-256 encryption for data at rest, hashed and salted password storage, role-based access control with the principle of least privilege, mandatory two-factor authentication for staff access, structured audit logging, segregation of duties between development and production environments, regular vulnerability scans and penetration tests, and a documented incident-response procedure. We strongly encourage you to use a strong, unique password and to enable two-factor authentication on your own account. No system is one hundred percent secure, and the transmission of data over the internet always carries residual risk.
16. Your rights
Subject to the conditions and limits of applicable law, you have the following rights regarding your personal data — you may exercise any of them at any time by writing to [email protected], and we will reply within one month of receipt:
- Right of access — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data and information about the processing.
- Right to rectification — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure — to have your data deleted, subject to statutory retention obligations.
- Right to restriction — to have processing restricted in specific circumstances defined by law.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object — to object to processing based on our legitimate interests, on grounds relating to your particular situation, and to object at any time to processing for direct-marketing purposes.
- Right to withdraw consent — at any time and without reason, with effect for the future, where processing is based on your consent.
- Right not to be subject to automated decisions — including profiling, that produce legal or similarly significant effects, except where permitted by law and subject to appropriate safeguards.
17. Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent supervisory authority. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, https://www.edoeb.admin.ch. In the European Union, you may lodge a complaint with the supervisory authority of your country of residence, your place of work, or the place of the alleged infringement. We would, however, appreciate the opportunity to address your concerns directly before you contact a supervisory authority.
18. Children's data
Solvetia is a business-to-business platform addressed exclusively to professional users acting in the course of their business. The service is not intended for individuals under the age of sixteen, and we do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact us and we will delete the data promptly.
19. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our service, legal requirements, or industry practice. The current version is identified by the last-updated date shown at the top of this page. Material changes will be communicated by email to registered users, or via an in-product banner, at least thirty days before they take effect. Your continued use of the service after the effective date of an updated policy constitutes acceptance of the changes, to the extent permitted by applicable law.