Privacy policy for the use of the "Saley" application


1. introduction

The protection of your privacy and data is important to us. This Privacy Policy informs you about how FirstMedia Solutions GmbH (hereinafter "Saley", "we", "us") processes your personal data when you use our Software-as-a-Service platform "Saley" (hereinafter "App" or "Platform").

This declaration fulfills the information obligations according to the revised Swiss Data Protection Act (nDSG), in force since September 1, 2023, and - as far as applicable - Art. 13/14 EU-DSGVO.(kmu.admin.ch)


2. responsible person

FirstMedia Solutions GmbH
Lerchenfeldstrasse 3
CH-9014 St. Gallen
E-mail: info@saley.ch
Phone: +41 71 230 10 30


3. categories of processed data

Data categoryExamplesSource
Registration & contact detailsName, company name, e-mail address, telephone numberDirectly from the user
Contract & billing dataSubscription type, billing address, Stripe token, payment statusDirect / Stripe
Usage dataLog files, timestamp, IP address, browser info, API callsAutomatic
Content dataUploaded documents, images, comments, linksDirectly from the user
Integration data (optional)Data records from Bexio (e.g. contacts, offer IDs)Bexio API

4. purposes and legal bases

PurposeLegal basis (nDSG / GDPR)
Provision & operation of the appContract fulfillment (Art. 31 para. 2 lit. a nDSG / Art. 6 para. 1 b GDPR)
Payment processing via StripeContract fulfillment
Security & abuse preventionOverriding legitimate interest (Art. 31 para. 1 nDSG / Art. 6 para. 1 f GDPR)
Product improvement & error analysisLegitimate interest
Marketing communication (newsletter)Consent (Art. 31 para. 1 nDSG / Art. 6 para. 1 a GDPR)
Statutory retention obligationsLegal obligation

5. transfer to third parties & processors

We only pass on data if this is necessary for the fulfillment of the contract, for legitimate interest or due to legal obligations.

ReceiverPurposeLocation
Stripe Payments Europe Ltd.Payment processing (tokenized credit card data)Ireland / USA (SCC)
Hosting provider (AWS EU West / Hetzner)Cloud hosting & databaseEU / Switzerland
E-mail provider (SendGrid)Transactional e-mails, 2-FA codesUSA (SCC)
Bexio AG (optional)CRM/ERP integrationSwitzerland
Consultants & AuditorsTax & legal adviceSwitzerland / EU

There are contracts with all processors in accordance with Art. 9 nDSG and Art. 28 GDPR.


6. data transfers to third countries

Data may be transferred to countries without adequate data protection (e.g. USA). In such cases, we rely on EU standard contractual clauses (SCC) or other recognized guarantees to ensure an adequate level of data protection.


7. storage period

We only store personal data for as long as is necessary for the respective purpose.


8. safety

  • TLS encryption of all connections

  • Data at rest (RDS snapshots, S3 storage) AES-256 encrypted

  • 2-factor authentication (optional)

  • Role-based authorization system

  • Regular pen tests & patch management

  • Notification of data breaches to the FDPIC within 72 hours if there is a high risk.(privacydesk.ch)


9. rights of data subjects

You have the right to:

  • Information about processed personal data (Art. 25 nDSG)

  • Correction of incorrect data

  • Erasure or anonymization ("right to be forgotten"), provided there is no obligation to retain data

  • Restriction of processing

  • Data portability (Art. 28 nDSG)

  • Objection to direct marketing

  • Complaint to the supervisory authority. Responsible is:

    Federal Data Protection and Information Commissioner (FDPIC)
    Feldeggweg 1, CH-3003 Bern
    www.edoeb.admin.ch(edoeb.admin.ch)


10. cookies & tracking

The app sets session cookies (authentication token) and analytics cookies (Matomo, self-hosted). No Google Analytics. You can deactivate cookies in your browser; the app will then remain partially functional, but it will not be possible to log in without a session cookie.


11 Automated decision making

There is no exclusively automated decision-making with legal effect within the meaning of Art. 21 nDSG / Art. 22 GDPR.


12. links & document sharing

The app generates a cryptographically randomized link for sent documents. The customer is responsible for ensuring that the link is only sent to authorized persons. The links can optionally be provided with password protection or an expiration date (default: 12 months). Access is logged (time stamp, IP, user agent).


13. changes to this privacy policy

We may amend this privacy policy at any time. In the event of significant changes, we will inform registered users by e-mail at least 30 days before they come into force.


End of the privacy policy