Privacy Policy

Last updated: 09 October 2025

1. Controller

The controller responsible for the processing of personal data on this site is [Legal entity name], [address]. You can reach us at hello@easyrisk.io.

2. Scope

This policy applies to personal data processed through the EasyRisk.io web application and marketing site. It is drafted to comply with the EU General Data Protection Regulation (GDPR) and the revised Swiss Federal Act on Data Protection (revDSG).

3. What we process

  • Account data: name, email, hashed password, workspace membership and role.
  • Product data you enter: risks, treatment actions, comments, audit trail entries.
  • Usage data: server logs (IP, timestamps, request paths) kept for security and abuse prevention.
  • Billing data (if you subscribe to a paid plan): handled by our payment processor; we do not store card numbers.

4. Legal basis

  • Performance of the contract with you (Art. 6 (1) (b) GDPR / Art. 31 (2) (a) revDSG).
  • Legitimate interests in operating and securing the service (Art. 6 (1) (f) GDPR).
  • Consent, where explicitly requested (e.g. marketing emails).

5. Hosting and processors

The application and its data are self-hosted on server infrastructure we operate in the EU / Switzerland, so that customer data remains inside the EU/EEA and Switzerland. Transactional emails (such as account confirmation and review reminders) are sent via our email provider, Resend. Each external processor is bound by a data processing agreement in line with Art. 28 GDPR.

6. International transfers

Where a sub-processor operates outside the EU/EEA or Switzerland, transfers are covered by EU Standard Contractual Clauses and, where applicable, the Swiss addendum, together with supplementary measures.

7. Retention

We retain account and workspace data for as long as your workspace is active, and delete or anonymize it within 90 days of workspace deletion, subject to legal retention obligations. Audit-log entries are append-only (they cannot be changed or deleted) and retained for the lifetime of the workspace.

8. Your rights

You have the right to access, rectify, erase, restrict, and port your personal data, to object to processing, and to withdraw consent at any time. Under GDPR you may lodge a complaint with your local supervisory authority; under the revDSG you may complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC).

9. Cookies and local storage

We do not use cookies. To keep you signed in and to remember interface preferences (such as light or dark mode), we store a small amount of data locally in your browser using local storage. This is strictly necessary for the service to work, stays on your device, and is never used for advertising or cross-site tracking.

10. Analytics

On our public marketing pages (never inside the application) we measure how the pages are used with Umami, an analytics tool we self-host on our own infrastructure. It is cookieless, stores nothing on the device, shares no data with any third party, and does not track you across other sites.

We record page views and, on those same public pages, where visitors click and how far they scroll, so we can tell which content is useful. Alongside each visit we store the browser, operating system, device type, screen size, language, and an approximate location (country and city) derived from the IP address. The IP address itself is never stored. Entries from the same visit share a session identifier, derived from the request rather than kept as such; it is scoped to this site and linked to no account.

11. Contact

Requests concerning this policy or your rights can be sent to hello@easyrisk.io.