Privacy policy
Last updated · 18 May 2026
This privacy policy informs you how we process personal data. It has been drafted in accordance with the revised Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and additionally takes into account the requirements of the EU General Data Protection Regulation (GDPR) for data subjects in the European Economic Area.
1 · Controller
The controller of personal data within the meaning of Art. 5 lit. j revFADP and Art. 4 (7) GDPR is:
Tailored Intelligence GmbH
Reistelstrasse 294
5728 Gontenschwil, Switzerland
UID: CHE-348.980.291
Email: [email protected]
Phone: +41 79 270 25 59
1.1 Data-protection contact
Please direct data-protection enquiries to [email protected], attention Laurin Bassler. Given the nature and scope of our processing, the formal appointment of a Data Protection Officer under Art. 10 revFADP or Art. 37 GDPR is not currently required.
1.2 EU representative
As we operate exclusively from Switzerland and no representative obligation under Art. 27 GDPR applies to us, we have not appointed an EU representative. Should this change, the contact details will be added here.
2 · General principles
We process personal data only in good faith, lawfully and transparently. We collect only data that is necessary for the relevant processing purposes and delete it as soon as it is no longer required for those purposes and no retention obligations apply.
3 · Categories of data and purposes
3.1 Visiting the website
When you visit our website, technical data is processed in server log files, namely:
- anonymised IP address
- date and time of access
- resource accessed (URL, HTTP status, data volume)
- referring page (referrer)
- browser and device information (user agent)
This data is used solely to ensure operational reliability and resilience against outages, for error analysis, and to defend against and investigate attacks (legal basis: overriding legitimate interest, Art. 31 (1) revFADP and Art. 6 (1) lit. f GDPR). It is deleted after a maximum of 30 days.
3.2 Customer contractual relationship
When you book or trial Trophy, we process the data required to fulfil the contract:
- company name, address, billing data
- first and last name of contact person
- email address, phone number
- login data (email, hashed password)
- first names, possibly last names or initials of the staff you register
- review data (star rating, review text, timestamp, staff/NFC attribution) — retrieved via the official Google Business Profile API
- communication by email, WhatsApp, and phone
Legal basis is Art. 31 (2) lit. a revFADP and Art. 6 (1) lit. b GDPR (contract performance) and, for accounting and audit, Art. 6 (1) lit. c GDPR (legal obligation).
3.3 Google Business Profile sync and storage
As part of the Trophy service, we synchronise your venue’s reviews via the official Google Business Profile API into our systems. This covers star rating, public review text, timestamp, language, and the publicly displayed guest pseudonym. After the sync this data resides in our database to power dashboards, insights, AI replies, and statistics.
Access tokens for the Google API connection are stored encrypted and used solely for the authorised purposes. We only access the locations, reviews, profile names, and profile photos required for review management.
3.4 Guest data
Beyond the public Google reviews, Trophy does not collect personal data from your venue’s guests. We store no emails, phone numbers, IP addresses, or device information of the people writing reviews. The review itself is created on the Google platform and is additionally subject to Google’s privacy policy.
3.5 Demo bookings and enquiries
When you book a demo via our calendar (provider: Cal.com) or send us an email, the information submitted (name, email, preferred slot, request) is processed. Purpose: scheduling and preparation of the call. Retention: up to 24 months after last contact, then deletion unless you become a customer.
3.6 Newsletter
If you subscribe to our newsletter, we process your email address to send our monthly notes from Swiss hospitality. Legal basis: consent (Art. 6 (1) lit. a GDPR). You can unsubscribe at any time via the link at the end of each email or by emailing [email protected].
3.7 Service-quality analytics
Within the Trophy dashboard, we process staff data linked to reviews to produce statistics, insights, and ranking exports. This data is visible only to the owner and the individual concerned. Aggregated, anonymous data is used for product improvement.
4 · Google API Services — Limited Use
Trophy integrates the official Google Business Profile API to sync review and profile data of your venue into our dashboard and to write replies back to Google. We expressly confirm:
- The use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- We use Google user data solely to provide Trophy’s review-management functionality.
- Google user data is not transferred to third parties and is not sold.
- Google user data is not used for advertising or marketing purposes.
- Humans read Google user data only with your express consent (e.g. to resolve a support ticket), to comply with statutory obligations, or for security/compliance review — and only through authorised personnel.
5 · Processors and recipients
We engage carefully selected processors who support us in providing our services. All processors are bound by a data processing agreement (Art. 9 revFADP / Art. 28 GDPR):
- Hosting and infrastructure: Hostinger International Ltd., 61 Lordou Vironos Street, 6023 Larnaca, Cyprus — data centres in the EU
- Review API: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — Google Business Profile API
- Business email (Google Workspace): Google Ireland Limited, Dublin, Ireland — incoming and outgoing email correspondence
- Demo calendar: Cal.com, Inc., 350 Bay Street, Suite 100, San Francisco, CA 94133, USA — appointment booking
- Phone and WhatsApp: Swisscom AG (mobile lines, Switzerland) and WhatsApp Ireland Limited (messenger)
- Accounting and invoicing: bexio AG, Alter Postplatz 2, 6300 Zug, Switzerland
Payments are made exclusively via QR-invoice or bank transfer. No processing through card-payment providers takes place.
A current and complete list of processors is available on request.
6 · International data transfers
Within the framework of the processors listed above, personal data is transferred to the following countries:
- EU/EEA: Ireland, Cyprus — adequate level of data protection per Annex 1 of the Swiss DPO and Art. 45 GDPR
- United States: Cal.com is certified under the Swiss-U.S. Data Privacy Framework and the EU-U.S. DPF. Additionally, EU Standard Contractual Clauses (SCC) apply.
Where a recipient country does not provide an adequate level of data protection, we ensure protection via Standard Contractual Clauses, supplementary technical measures, and consent where required.
7 · Retention
We retain personal data only as long as is necessary for the relevant purposes and no statutory retention obligation applies:
- Server log files: maximum 30 days
- Customer and contractual data: for the duration of the contract plus 10 years after the end of the contract (commercial and tax retention obligation, Art. 958f Swiss CO)
- Newsletter subscription: until unsubscription
- Booking enquiries (no contract concluded): maximum 24 months from last contact
- Applications and unsolicited contacts: maximum 12 months from receipt
Upon contract termination, we export your review and staff data on request and delete it from our operational systems no later than 30 days afterwards. Backups are overwritten after a maximum of 90 days.
8 · Cookies and comparable technologies
This website currently uses only strictly necessary cookies and comparable storage mechanisms (local storage) to save your selected language (DE/EN) and to display the demo calendar correctly. We do not use any tracking, marketing, or profiling cookies.
Should we later introduce reach measurement (e.g. Plausible, Posthog, Google Analytics), you will be informed here and asked for your consent to the extent required.
9 · Third-party content and fonts
Web fonts (Plus Jakarta Sans, Fraunces) are loaded locally from our own hosting — no connection is made to Google Fonts or comparable services. The Cal.com calendar is embedded via iframe; in doing so, only data required for the booking process is transferred to Cal.com.
10 · Your rights
You have the following rights vis-à-vis us:
- Right of access (Art. 25 revFADP, Art. 15 GDPR) — you can request that we tell you whether and what data we process about you.
- Right to rectification (Art. 32 revFADP, Art. 16 GDPR) — you can request the correction of inaccurate data.
- Right to erasure (Art. 32 revFADP, Art. 17 GDPR) — you can request the deletion of your data, provided no statutory retention obligation prevents it.
- Right to restriction (Art. 18 GDPR) — you can request restriction of processing.
- Right to data portability (Art. 28 revFADP, Art. 20 GDPR) — you have the right to receive the data you provided in a common electronic format.
- Right to object (Art. 21 GDPR) — for processing based on legitimate interests.
- Withdrawal of consent — you can withdraw consent given at any time with effect for the future.
Please address requests in writing (by post or email) to Tailored Intelligence GmbH. To safeguard your rights and prevent abusive requests, we may ask you for suitable proof of identity.
11 · Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. Competent authorities are:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch
- EU/EEA: the data-protection supervisory authority competent for your place of residence or habitual abode
12 · Data security
We take appropriate technical and organisational measures (Art. 8 revFADP, Art. 32 GDPR) to protect your data against loss, manipulation, and unauthorised access:
- Transport encryption (TLS 1.3) across the entire website
- Encrypted database backups
- Role-based access controls
- Two-factor authentication for administrative accounts
- Regular security updates and penetration testing
- Hosting in ISO-27001-certified data centres in Germany
13 · Automated decisions and profiling
We do not make decisions based solely on automated processing within the meaning of Art. 21 revFADP or Art. 22 GDPR that significantly affect you legally. The insights and rankings shown in the Trophy dashboard are intended solely as decision-support for the owner; decisions about bonuses, shift plans, etc. are always made by a human.
14 · Credit checks
We do not carry out credit checks.
15 · Up-to-dateness and changes
We may amend this privacy policy at any time to reflect changes in the legal situation or in our processing activities. The version published on this website at any given time applies. In the case of material changes, we will inform you actively (e.g. by email to contract customers).