Skip to main content

Privacy Policy

Introduction

This privacy policy applies to CAOS Ltd., the websites it operates (including zitadel.ch, zitadel.cloud and zitadel.com) and the services and products it provides (including ZITADEL). This privacy policy describes how we process personal data for the provision of this websites and our products.

If any inconsistencies arise between this Privacy Policy and the otherwise applicable contractual terms, framework agreement, or general terms of service, the provisions of this Privacy Policy shall prevail. This privacy policy covers both existing personal data and personal data collected from you in the future.

The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is

CAOS AG
Data Protection Officer
Teufener Strasse 19
9000 St. Gallen
Switzerland
legal@zitadel.com

Our representative in the EU is

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu

General notes

Based on Article 13 of the Swiss Federal Constitution and the data protection provisions of the Swiss Confederation (Data Protection Act, DSG), every person has the right to protection of their privacy as well as protection against misuse of their personal data. The operators of these websites and services take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this data protection declaration.

In cooperation with our suppliers, we make every effort to protect the databases and any of our users data as well as possible against unauthorized access, loss, misuse or falsification. We point out that data transmission over the internet in general may result in security risks. A complete protection of the data against access by third parties is not possible.

This website uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://".

Personal data is any information that relates to an identified or identifiable person. A data subject is a person about whom personal data is processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, acquisition, deletion, storage, modification, destruction and use of personal data.

We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO :

  • Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis.
  • When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis.
  • To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
  • For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
  • If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.

We will retain personal data for the period of time necessary for the particular purpose for which it was collected.

Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.

Processing of personal data when using the website, contact forms and in connection with newsletters

Our websites can generally be visited without registration. Each time one of our website is requested, data such as content of the requested page, name of the requested file, IP address, date and time are automatically stored in log files on the server.

This data is processed to enable correct delivery and functioning of the website. In addition, we use the data to optimize the website and to ensure the security of our systems.

Personal data, in particular name, address or e-mail address are collected as far as possible on a voluntary basis, for example when you contact us via a contact form or by e-mail. Without your consent, the data will not be passed on to third parties, unless shown in this privacy policy.

If you send us inquiries via contact form, your data from the form, including any data you provided, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent, except insofar as this is shown in this privacy policy.

If you would like to receive newsletters offered on our websites, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information and do not pass it on to third parties, except as described in this privacy policy.

You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe link" in the newsletter.

Processing of personal data in connection with the use of our products

The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data.

In particular, the following personal data are part of the processing:

Type of personal dataExamplesAffected data subjects
Basic data
  • Surname and first name
  • Email addresses
  • User name
All users
Login data
  • Randomly generated ID
  • Password
  • Public keys / certificates ("FIDO2", "U2F", "x509", ...)
  • User names or identifiers of external login providers
  • Phone number(s)

All users

Password: Users who use authentication methods with password.

Public Keys: Users who use an authentication procedure with cryptographic keys.

External login provider identifiers: Users who use an external login provider.

Phone number: Users who use authentication methods with SMS

Profile data
  • Profile pictures
  • Gender
  • Language
  • Nickname
  • Display name
  • Phone number(s)
Users who voluntarily add profile data
Communication data
  • Emails
  • Chats
  • Call metadata
Customers and users who communicate with us directly (e.g. support)
Payment data
  • Billing address
  • Payment information
  • Customer number
  • Customer history
  • Credit rating information

Customers who use services that require payment

Credit rating information: Only customers who pay by invoice

Usage meta data
  • User agent
  • IP addresses
  • Operating system
  • Time and date
  • URL
  • Referrer URL
  • Accept Language
All users

Unless otherwise mentioned, the nature and purpose of the processing is as follows:

The data is uploaded by customers in our services or collected by us based on requests from users. The personal data is processed by us exclusively for the provision of the requested services or the use of the agreed services.

The fulfillment of the contract includes in particular, but is not limited to, the processing of personal data for the purpose of:

  • Authentication and authorization of users
  • Storage and processing of user actions in the audit trail
  • Processing of personal data and login information
  • Verification of communication means
  • Communication regarding service interruptions or service changes

Disclosure to third parties

We use third-party services to provide the website and our offers. An up-to-date list of all the providers we use and their areas of activity can be found on our "Trust Page".

This website uses external payment service providers through whose platforms users and we can make payment transactions. For example via

As an alternative, we offer customers the option to pay by invoice instead of using external payment providers. However, this may require a positive credit check in advance.

The data processed by the payment service providers includes personal data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, totals and recipient-related information. The information is necessary to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. We as the operator do not receive any information about (bank) account or credit card, but only information to confirm (accept) or reject the payment. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check the identity and creditworthiness of the payment service provider. In this regard, we refer to the terms and conditions and data protection information of the payment service providers.

For payment transactions, the terms and conditions and the data protection notices of the respective payment service providers apply, which can be accessed within the respective website or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information and other rights concerned.

We disclose personal information to law enforcement agencies, investigative authorities or in legal proceedings to the extent we are required to do so by law or when necessary to protect our rights or the rights of users.

We also share data with third parties in aggregate form and/or in a form that does not allow the recipient to identify the data subject from that data third parties, for example for analytics.

Cookies

Our websites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.

In particular, we use the following cookies to provide our services:

ZITADEL

__useragent
__csrf

Customer Portal

__state
__pkce.code
__callback-url

Cookies are only used for technical purposes to enable the functionality and efficient use of our website and our offers, such as:

  • Session management
  • Single Sign On
  • Rate Limiting
  • DDoS Mitigation

If you do not want us to use cookies during your visit, you can disable their use in your browser settings. In this case, certain parts of our website (e.g. language selection) may not function or may not function fully.

Rights of data subjects

Right to information

Any person affected by the processing has the right to obtain information from the responsible data processor at any time about the personal data stored about him or her.

Right to rectification

Every person affected by the processing has the right to demand the correction of inaccurate personal data concerning him or her. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

Right to erasure (right to be forgotten)

Any person affected by the processing has the right, in certain cases, to request from the responsible data processor to delete the personal data concerning him or her.

Right to restrict processing

Every person affected by the processing has the right in certain cases to request from the responsible data processor to restrict the processing.

Right to data portability

Every person affected by the processing has the right to receive the personal data concerning him or her in a structured, common and machine-readable format. He or she also has the right to have this data transferred to another data processor if the legal requirements are met.

Right to object

Every person affected by the processing has the right to object to the processing of personal data concerning him or her, insofar as we base the processing of his or her personal data on a balancing of interests. This is the case if the processing is not necessary, for example, to fulfill a contract or a legal obligation.

To exercise such an objection, the data subject must explain his or her reasons why we should not process his or her personal data as we have done. We will then review the situation and either stop or adjust the data processing or show the data subject our reasons for continuing the processing.

Insofar as our processing is based on consent, the data subject has the right to revoke this consent at any time with effect for the future.

Assertion of rights by the data subjects

If you wish to exercise your rights, you may do so by contacting the above-mentioned contact person.

A data subject also has the right to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch). The competent data protection authorities of EU countries can be viewed at this link: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

Note on data transfer abroad

Our websites and services make use of tools from companies based in countries outside of Switzerland or the EU/EEA, namely those based in the USA. When these tools are active, your personal data may be transferred to the servers of the respective companies abroad. We would like to point out that some of these countries, namely the USA, are not a safe third country in the sense of Swiss and EU data protection law. In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above.

We actively try to minimize the use of tools from companies located in countries without equivalent data protection, however, due to the lack of alternatives, this is currently not always feasible without major inconvenience. If you have any concerns, please contact us directly and we will try to find a mutual solution for your needs.

Changes

We may amend this privacy policy at any time without prior notice. Always the current version published on our website applies to users and customers of our website and services. Insofar as the data protection declaration is part of an agreement with you, we will inform you of the change by e-mail or other suitable means in the event of an update.

Questions about data processing by us

If you have any questions about our data processing, please email us or contact the person in our organization listed at the beginning of this privacy statement directly.

Entry into force

This privacy policy is valid from July 15, 2022.

Last revised: December 2, 2022