Privacy Policy

Privacy Policy — OnPrem AI (Emerging Evidence GmbH)

Last updated: 8 September 2025

This Privacy Policy explains how OnPrem AI, a brand of Emerging Evidence GmbH (“Emerging Evidence”, “we”, “us”, “our”), processes personal data in connection with our website, enterprise offerings, and on-premises AI solutions provided in Switzerland and across Europe.

Data Controller (unless stated otherwise):
Emerging Evidence GmbH
Zur Stahlgiesserei 8, 8200 Schaffhausen, Switzerland
Phone: +41 76 446 36 73
Email: info@onprem.ai

Where we operate strictly as a processor on behalf of a customer (e.g., remote support for an on-prem deployment), the customer is the controller and our obligations are defined by the applicable Data Processing Agreement (DPA).


1) Scope

This Policy applies to:

  • Visitors to our websites and communications channels.
  • Business contacts (prospective and existing customers, suppliers, partners).
  • Processing performed to deliver, maintain, and support our on-premises AI software and services.
  • Processing performed from Switzerland and the European Economic Area (EEA).

This Policy complements any product-specific agreements (e.g., DPA, support terms). In case of conflict, the agreement with the customer prevails for that relationship.


2) Definitions (short form)

  • Personal data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, etc.).
  • Controller: Entity that determines the purposes and means of processing.
  • Processor: Entity that processes personal data on behalf of a controller.
  • Customer Content: Data that customers ingest into or generate with our on-prem solutions (including model inputs/outputs, logs, and configuration). Unless agreed otherwise, Customer Content remains under the customer’s control inside their environment.

3) Roles & Responsibilities

  • Our role: We act as controller for our own business operations (e.g., sales, billing, supplier management, website). We act as processor for certain activities when a customer instructs us (e.g., remote troubleshooting, managed services).
  • Customer role: For Customer Content inside on-prem deployments, customers are typically controllers (or processors for their own clients). Customers are responsible for ensuring a valid legal basis and providing notices to their users.
  • DPA: We offer a DPA with standard controller-processor terms, including confidentiality, security measures, sub-processor controls, and audit support.

4) What We Collect

A. Data we collect as Controller

  • Identity & Contact: Name, job title, employer, email, phone, postal address.
  • Business Relationship Data: Contract documents, purchase orders, billing, tax information, correspondence, meeting notes.
  • Web & Technical Data: IP address, device/browser metadata, pages viewed, timestamps, basic telemetry required to operate the website and defend against abuse.
  • Support Interactions: Ticket content, diagnostics you voluntarily provide, and call recordings where the recording is announced and you consent to it.
  • Recruitment Data (if you apply): CV/resume, cover letter, references (collected from you or your referees).

B. Data we process as Processor (on-prem/managed support)

  • Customer Content: Model inputs/outputs, logs, configuration, and performance metrics within the customer’s controlled environment.
    • Default: No Customer Content leaves the customer’s environment.
    • Exceptions: Only if expressly enabled or instructed (e.g., secure remote support session, curated anonymized telemetry, or backups to a location the customer controls).

We do not intentionally process special categories of data (e.g., health, biometrics) as controller. If customers handle such data, they must ensure appropriate legal basis and safeguards; our DPA and security controls support high-sensitivity contexts.


5) Purposes & Legal Bases

We rely on the legal bases listed below (GDPR Art. 6) and, under the Swiss FADP, on the corresponding justifications (consent, overriding private or public interest, or a legal basis) where a justification is required.

  • Sales & pre-contractual: responding to enquiries, demos, proposals. Legal basis: contractual necessity; legitimate interests.
  • Contract fulfilment: provision of software, licensing, invoicing, account management. Legal basis: contractual necessity; legal obligation (tax/audit).
  • Security & abuse prevention: access control, fraud prevention, incident handling. Legal basis: legitimate interests; legal obligation where applicable.
  • Product improvement (controller data only): aggregate, de-identified analytics to improve reliability and UX. Legal basis: legitimate interests; consent where required (e.g., non-essential cookies).
  • Marketing to business contacts: newsletters and event invitations sent to corporate email addresses. Legal basis: legitimate interests; consent where required.
  • Recruitment: evaluating candidates and managing hiring. Legal basis: contractual necessity (pre-contractual steps); legitimate interests.
  • Compliance: tax, accounting, regulatory requests. Legal basis: legal obligation.

When acting as processor, we process Customer Content only on documented instructions from the customer (controller).


6) Data Minimization & Retention

We keep personal data only as long as necessary for the purposes stated, plus any statutory retention periods (e.g., under Swiss/EU commercial and tax law, typically up to 10 years for certain records). We apply the following general schedule:

  • Contract & Billing: Contract term + up to 10 years (statutory).
  • Support Tickets: Active engagement + up to 3 years (or per contract).
  • Marketing Contacts: Until you opt out or after sustained inactivity (periodically reviewed).
  • Recruitment: Up to 6 months after decision unless you consent to a longer talent-pool period.

We delete or irreversibly anonymize data when retention ends, unless legal claims require a longer hold.


7) Disclosures & Recipients

We do not sell personal data. We may disclose data to:

  • Service Providers / Sub-processors: e.g., secure hosting of our corporate systems, email, CRM, accounting, and security tooling. These providers are bound by confidentiality and data protection terms.
  • Professional Advisors: auditors, legal counsel.
  • Authorities: where required by law or to protect rights, safety, or integrity.

For on-prem deployments, we design solutions so that Customer Content remains in the customer’s environment. Any remote access or export requires explicit authorization and is logged.

We maintain an internal register of sub-processors and can provide details on request under NDA where appropriate.


8) International Transfers

We primarily process data in Switzerland and the EU/EEA. Where transfers outside these jurisdictions occur, we ensure an adequate level of protection using:

  • Adequacy decisions (e.g., Switzerland ↔ EU/EEA), and/or
  • Standard Contractual Clauses (SCCs) with supplementary measures, and
  • Transfer impact assessments (as applicable).

9) Security Measures (overview)

We maintain technical and organizational measures proportionate to risk, including:

  • Network segregation; least-privilege RBAC and MFA for administrative access.
  • Encryption in transit (TLS) and at rest for supported components; options for customer-managed keys.
  • Secure SDLC practices: code review, dependency management, vulnerability scanning.
  • Hardening baselines, patch management, security logging and monitoring.
  • Incident response runbooks, business continuity, and tested backup/restore procedures.
  • Employee confidentiality agreements and role-based training.

We align our information security management with recognized frameworks (e.g., ISO/IEC 27001 principles). We do not claim certification unless explicitly stated in a signed agreement.


10) Cookies & Similar Technologies

Our websites use essential cookies for operation and security. We may use analytics cookies to understand usage and improve services. Where required, we obtain your consent via a banner and provide granular controls. You can withdraw consent at any time via the banner settings or your browser.

We do not use third-party advertising cookies.


11) Automated Decision-Making & AI Model Use

  • We do not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals without appropriate safeguards and human review.
  • Model Training: We do not use Customer Content from on-prem deployments to train shared models unless expressly agreed in writing. Customers may enable local fine-tuning fully under their control.
  • Evaluation/Telemetry: Any diagnostic data leaving the customer environment is off by default and only enabled by the customer. If enabled, we encourage anonymization/pseudonymization and minimal scope.

12) Your Rights (GDPR & FADP)

Subject to conditions and exemptions, you have rights to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase data (right to be forgotten).
  • Restrict processing.
  • Data portability (machine-readable copy for data you provided).
  • Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent at any time (without affecting prior lawful processing).

How to exercise your rights: Contact us at info@onprem.ai. We may need to verify your identity before acting on a request. We aim to respond within one month (GDPR Art. 12), extendable by a further two months where necessary because of the complexity or number of requests; we will tell you if an extension applies.

Complaints: You may lodge a complaint with your local EU supervisory authority (GDPR Art. 77). In Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC).


13) Children’s Data

Our services target enterprise and professional users. We do not knowingly collect data relating to children under 16.


14) Breach Notification

We assess personal data breaches and, where required, notify the competent authority without undue delay (within 72 hours of becoming aware of the breach where GDPR Art. 33 applies) and notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms. Where we act as processor, we notify the affected customer (controller) without undue delay as set out in the DPA.


15) EU/EEA & UK Representatives

If and where GDPR Art. 27 requires appointment of an EU/EEA representative (for processing related to offering goods/services to individuals in the EU where we lack an EU establishment), we will appoint one and provide details upon request. The same applies for a UK representative under UK GDPR, if applicable.


16) Sub-processors & Vendors (categories)

  • Corporate IT & Communications (email, office productivity, CRM, ticketing).
  • Accounting & Compliance (billing, tax, audit).
  • Security Tooling (vulnerability management, monitoring).
  • Hosting for our corporate systems (separate from customer on-prem environments).

On-prem solutions are designed so that production Customer Content is not routed through our corporate SaaS tools. Any exception requires explicit written authorization and documented controls.


17) Data Protection by Design & Default

We embed privacy principles into our architecture:

  • On-prem first: processing occurs inside the customer’s trust boundary by default.
  • Configurable data flows: customers can disable outbound telemetry and support channels completely.
  • Access transparency: admin actions and support sessions are logged; just-in-time access with expiry.
  • Data minimization: collect only what is necessary; default to pseudonymization where feasible.

18) How to Contact Us

Emerging Evidence GmbH (OnPrem AI)
Zur Stahlgiesserei 8
8200 Schaffhausen, Switzerland
Phone: +41 76 446 36 73
Email: info@onprem.ai

Please include “Privacy Request” in your subject line.


19) Changes to this Policy

We may update this Policy to reflect legal, technical, or business developments. The updated version will be indicated by the “Last updated” date. Material changes will be communicated via appropriate channels (e.g., website notice or email to customers).


20) Document Governance

We maintain Records of Processing Activities (RoPA), vendor risk assessments, and security measure inventories. Copies or summaries relevant to your engagement are available upon reasonable request and subject to confidentiality.


Annex: Summary of Typical Retention (Controller context)

  • Contracts, invoices, tax records: contract term + up to 10 years (statutory).
  • Support tickets & diagnostics: engagement + up to 3 years (unless longer is needed to establish or defend legal claims).
  • Sales/CRM records: active relationship + 3 years after last interaction, or until opt-out.
  • Recruitment data (unsuccessful candidates): up to 6 months after decision, unless you consent to a longer period.
  • Web server logs (security): 90 days (typical), adjustable based on risk.

Per-engagement DPAs may specify different retention aligned with your controls.


Note to Customers: For on-prem deployments, please ensure your internal privacy notices, legal bases, and retention schedules cover your processing as controller. Our DPA and technical documentation describe how to keep Customer Content confined to your environment and how to configure telemetry/support options.