Privacy Policy

Effective date: March 8, 2026

Company: Spacesika GmbH — Registered Office: Switzerland

1. Scope

This Privacy Policy explains how we collect, process, and protect personal data when you use our AI Operating System for Brands ("Platform").

The Platform is a business-to-business (B2B) system. We primarily process data on behalf of our customers (brands), who act as data controllers for their end-customer data.

2. Roles & Responsibilities

  • You (Customer / Brand): Data Controller for your business and customer data.
  • We (Platform Provider): Data Processor for customer data, Data Controller for account and platform usage data.

We process personal data strictly in accordance with:

  • Swiss Federal Act on Data Protection (FADP)
  • EU General Data Protection Regulation (GDPR), where applicable

3. Data We Process

3.1 Account Data

  • Name
  • Email address
  • Authentication data

3.2 Billing Data

  • Processed via third-party provider (Stripe)
  • We do not store full payment details

3.3 Customer Data (Processed on Your Behalf)

  • Order data
  • Customer communication (e.g., support emails)
  • Shipping and logistics data
  • CRM and marketing data

3.4 Platform Usage & Analytics

  • System interactions
  • Event data
  • Performance metrics
  • Behavioral usage patterns

3.5 AI Processing Data

  • Inputs (commands, files, content)
  • Outputs generated by the system
  • Decision history and execution logs

3.6 Decision Memory & Behavioral Learning

Our system stores structured operational data, including approved and rejected decisions, execution outcomes, and preference patterns at the brand level.

This data is:

  • Strictly scoped to your organization
  • Not used to profile individuals
  • Not shared across customers

4. Purpose of Processing

We process data to:

  • Provide and operate the Platform
  • Execute automated workflows and agent-based operations
  • Improve system performance and reliability
  • Maintain security and prevent abuse
  • Provide analytics and operational insights

We do not sell personal data.

5. AI & Automated Decision-Making

Our system performs automated operational decisions within your configured parameters.

  • Decisions are business-level (B2B) and do not produce legal effects on individuals.
  • High-risk actions require user approval or simulation.
  • Decision logic is based on defined rules, historical outcomes, and risk evaluation models.

6. Data Storage & Hosting

  • Hosting: EU-based infrastructure (Vercel, Supabase)
  • Data is stored within European data centers
  • Logical separation per customer (tenant isolation)

We implement:

  • Encryption at rest
  • Encryption in transit (TLS)
  • Access control mechanisms (RBAC)

7. Third-Party Services & Integrations

We integrate with external services via secure OAuth connections, including:

  • E-commerce platforms (e.g., Shopify)
  • Content and storage services (e.g., Google Drive)
  • Marketing platforms (e.g., Meta, TikTok)
  • Communication systems (e.g., Gmail, Microsoft)
  • Logistics providers (e.g., AfterShip)
  • Payment processing (Stripe)

Data is accessed only as necessary to provide functionality.

8. Analytics & Tracking

We use analytics tools (e.g., PostHog, Google Analytics) to understand system usage. Future implementations may include marketing tracking pixels.

Where required by law, we implement:

  • Cookie consent mechanisms
  • Opt-in tracking controls

9. Data Sharing

We do not share personal data except:

  • With service providers necessary to operate the platform
  • When required by law
  • Under contractual agreements ensuring data protection

No cross-customer data sharing occurs.

10. International Data Transfers

Where data is transferred outside Switzerland or the EU:

  • Appropriate safeguards are applied (e.g., Standard Contractual Clauses)
  • Transfers are limited to necessary service operations

11. Data Retention

We retain data:

  • As long as required to provide services
  • As required for legal obligations
  • Based on customer account status

Customers may request deletion at any time.

12. Your Rights

Subject to applicable law, you have the right to:

  • Access your data
  • Correct inaccurate data
  • Request deletion
  • Restrict processing
  • Request data portability

Requests can be submitted via: privacy@spacesika.ch

13. Security

We implement industry-standard safeguards, including:

  • Encryption (at rest and in transit)
  • Access controls
  • Audit logging
  • Continuous system monitoring

14. Cookies

We use cookies to:

  • Maintain sessions
  • Enable core functionality
  • Analyze usage

A cookie consent mechanism is provided where legally required.

15. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be reflected with an updated effective date.

16. Contact

For privacy-related inquiries:

Spacesika GmbH

Switzerland

privacy@spacesika.ch

17. Governing Law

This Privacy Policy is governed by the laws of Switzerland, with consideration of applicable EU data protection laws.