Skip to content
Back to Legal

Privacy Policy

Edition : May 2026·Reference : PRIV-EN-2026-05

This policy describes how HIDORA SA collects and processes personal data through its hidora.io website and the related services (contact forms, meeting bookings, support services). It complements our General Terms and Conditions.

It is drafted to meet the requirements of the Swiss Federal Act on Data Protection (FADP, revised version effective 1 September 2023) and the EU General Data Protection Regulation (GDPR) where applicable (visitors or clients established in the EU/EEA).

Data Controller

HIDORA SA Avenue des Morgines 12 1213 Petit-Lancy, Geneva, Switzerland Swiss UID: CHE-286.910.173 — VAT: CHE-286.910.173 TVA

For any question regarding the processing of your personal data: legal@hidora.io.

Data Protection Officer

HIDORA SA has not formally appointed a DPO under Article 37 GDPR, as the threshold is not met. The single point of contact for data protection requests is legal@hidora.io. Requests are handled within 30 business days.

Data We Collect

Data you provide directly

  • Contact form: first name, last name, email address, phone (optional), company name, free-text message.
  • Meeting booking (HubSpot Meetings): identity, email, selected time slot, any contextual information you provide.
  • Services / customer accounts: credentials, billing information, technical configuration data.

Data collected automatically

  • Browsing data (when you accept analytics cookies): pages visited, time spent, traffic source, device type, browser, session identifiers.
  • Server logs: IP address, timestamp, requested URL, HTTP status, user-agent. Retained for 90 days for security, incident investigation and fraud prevention.
Purpose Legal basis (GDPR / FADP)
Reply to your contact request or schedule a meeting Pre-contractual measures at your request (Art. 6.1.b GDPR / Art. 31.2.a FADP)
Deliver the subscribed Services, manage your account and billing Performance of the contract (Art. 6.1.b GDPR)
Measure site traffic and improve content (analytics) Consent (Art. 6.1.a GDPR / Art. 31.1 FADP)
Marketing and email nurturing after a voluntary contact Legitimate interest (Art. 6.1.f GDPR) with opt-out in every email
Site security, abuse prevention, legal traceability Legitimate interest / legal obligation
Compliance with legal obligations (accounting, tax, KYC) Legal obligation (Art. 6.1.c GDPR)

No processing relies on automated decision-making within the meaning of Article 22 GDPR.

Recipients and Processors

Your data may be shared with the following categories of recipients, strictly for the purposes listed above:

  • Authorised HIDORA SA personnel (sales, support, administration), bound by a duty of confidentiality.
  • Technical processors, governed by data processing agreements (DPAs):
    • HubSpot, Inc. (United States / Ireland) — CRM, contact management, forms, meeting booking, marketing automation.
    • Google LLC (United States) — Google Analytics 4 and Google Tag Manager (audience measurement, only with consent).
    • LinkedIn Ireland Unlimited Company (Ireland, transfers to the United States) — Insight pixel for advertising audience measurement (only with consent).
    • Cloudflare, Inc. (United States / Switzerland) — DDoS protection and DNS resolution for external site assets.
  • Legal authorities when required by a legal obligation or judicial decision.

No personal data is sold to any third party.

International Transfers

Our website and core services are hosted in Switzerland. Some of the processors listed above are established or operate from the United States or other jurisdictions outside Switzerland / the EEA. These transfers rely on:

  • the European Commission's Standard Contractual Clauses (Decision 2021/914) with the Swiss addendum published by the FDPIC, and/or
  • the recipient's adherence to the EU-US Data Privacy Framework when applicable, and/or
  • supplementary measures (encryption in transit, data minimisation, restrictive contractual terms).

You may request a copy of the safeguards applicable to a specific transfer by writing to legal@hidora.io.

Retention Periods

Category Retention
Unconverted contact requests 24 months after the last exchange
Customer data (account, contracts, billing) Term of the contract + 10 years (Swiss CO Art. 958f)
Technical and security logs 90 days
Analytics and marketing cookies See Cookies Policy
Accounting and tax data 10 years (Swiss DBG / OTVA)
Litigation records As long as necessary + applicable statute of limitations

At the end of these periods, data is deleted or anonymised.

Your Rights

Under the FADP and the GDPR, you have the following rights:

  • Right of access (Art. 25 FADP / Art. 15 GDPR) — confirm whether data concerning you is processed and obtain a copy.
  • Right to rectification (Art. 32 FADP / Art. 16 GDPR) — correct inaccurate data.
  • Right to erasure / "right to be forgotten" (Art. 32 §2 FADP / Art. 17 GDPR) — except where retention is required by law.
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 28 FADP / Art. 20 GDPR) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 30 FADP / Art. 21 GDPR) — in particular to direct marketing, at any time and without justification.
  • Right to withdraw consent (Art. 7 GDPR), effective for the future, at any time.

To exercise any of these rights, write to legal@hidora.io describing the request. We may ask for a reasonable proof of identity. We respond within 30 days.

Right to Lodge a Complaint

If you believe the processing of your data does not comply with the law, you may file a complaint with:

  • Switzerland — Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch.
  • European Union — the supervisory authority of your place of residence (in France: CNIL cnil.fr; full list: edpb.europa.eu).

We invite you to contact us first: most requests are resolved without involving the authority.

Cookies and Trackers

The use of cookies and trackers is detailed in our dedicated Cookies Policy, which lists every cookie set, its purpose, duration and provider. No analytics or marketing cookie is set before your explicit consent.

Security

HIDORA SA implements technical and organisational measures appropriate to the risk level and consistent with our business (sovereign cloud): TLS 1.2+ encryption in transit, encryption at rest for sensitive data, network segmentation, logging, MFA-protected access controls, internal training, regular penetration tests, and an incident response plan.

In the event of a data breach likely to result in a high risk, HIDORA SA notifies the competent authority (FDPIC in Switzerland, relevant EU authorities where applicable) within 72 hours and informs the affected individuals as soon as reasonably possible, in accordance with Article 24 FADP and Articles 33-34 GDPR.

Minors

HIDORA's Services are aimed at a professional audience. The website is not directed at minors and we do not knowingly collect data concerning persons under the age of 16.

Changes

This policy may evolve, notably to reflect legal, technical or business changes. The edition date appears at the top of the document. Substantial changes will be notified through the usual channels (site banner, customer email).

For any question: legal@hidora.io