Privacy policy for the use of the "Saley" application
1. introduction
The protection of your privacy and data is important to us. This Privacy Policy informs you about how FirstMedia Solutions GmbH (hereinafter "Saley", "we", "us") processes your personal data when you use our Software-as-a-Service platform "Saley" (hereinafter "App" or "Platform").
This declaration fulfills the information obligations according to the revised Swiss Data Protection Act (nDSG), in force since September 1, 2023, and - as far as applicable - Art. 13/14 EU-DSGVO.(kmu.admin.ch)
2. responsible person
FirstMedia Solutions GmbH
Lerchenfeldstrasse 3
CH-9014 St. Gallen
E-mail: info@saley.ch
Phone: +41 71 230 10 30
3. categories of processed data
| Data category | Examples | Source |
|---|---|---|
| Registration & contact details | Name, company name, e-mail address, telephone number | Directly from the user |
| Contract & billing data | Subscription type, billing address, Stripe token, payment status | Direct / Stripe |
| Usage data | Log files, timestamp, IP address, browser info, API calls | Automatic |
| Content data | Uploaded documents, images, comments, links | Directly from the user |
| Integration data (optional) | Data records from Bexio (e.g. contacts, offer IDs) | Bexio API |
4. purposes and legal bases
| Purpose | Legal basis (nDSG / GDPR) |
| Provision & operation of the app | Contract fulfillment (Art. 31 para. 2 lit. a nDSG / Art. 6 para. 1 b GDPR) |
| Payment processing via Stripe | Contract fulfillment |
| Security & abuse prevention | Overriding legitimate interest (Art. 31 para. 1 nDSG / Art. 6 para. 1 f GDPR) |
| Product improvement & error analysis | Legitimate interest |
| Marketing communication (newsletter) | Consent (Art. 31 para. 1 nDSG / Art. 6 para. 1 a GDPR) |
| Statutory retention obligations | Legal obligation |
5. transfer to third parties & processors
We only pass on data if this is necessary for the fulfillment of the contract, for legitimate interest or due to legal obligations.
| Receiver | Purpose | Location |
| Stripe Payments Europe Ltd. | Payment processing (tokenized credit card data) | Ireland / USA (SCC) |
| Hosting provider (AWS EU West / Hetzner) | Cloud hosting & database | EU / Switzerland |
| E-mail provider (SendGrid) | Transactional e-mails, 2-FA codes | USA (SCC) |
| Bexio AG (optional) | CRM/ERP integration | Switzerland |
| Consultants & Auditors | Tax & legal advice | Switzerland / EU |
There are contracts with all processors in accordance with Art. 9 nDSG and Art. 28 GDPR.
6. data transfers to third countries
Data may be transferred to countries without adequate data protection (e.g. USA). In such cases, we rely on EU standard contractual clauses (SCC) or other recognized guarantees to ensure an adequate level of data protection.
7. storage period
We only store personal data for as long as is necessary for the respective purpose.
8. safety
TLS encryption of all connections
Data at rest (RDS snapshots, S3 storage) AES-256 encrypted
2-factor authentication (optional)
Role-based authorization system
Regular pen tests & patch management
Notification of data breaches to the FDPIC within 72 hours if there is a high risk.(privacydesk.ch)
9. rights of data subjects
You have the right to:
Information about processed personal data (Art. 25 nDSG)
Correction of incorrect data
Erasure or anonymization ("right to be forgotten"), provided there is no obligation to retain data
Restriction of processing
Data portability (Art. 28 nDSG)
Objection to direct marketing
Complaint to the supervisory authority. Responsible is:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, CH-3003 Bern
www.edoeb.admin.ch(edoeb.admin.ch)
10. cookies & tracking
The app sets session cookies (authentication token) and analytics cookies (Matomo, self-hosted). No Google Analytics. You can deactivate cookies in your browser; the app will then remain partially functional, but it will not be possible to log in without a session cookie.
11 Automated decision making
There is no exclusively automated decision-making with legal effect within the meaning of Art. 21 nDSG / Art. 22 GDPR.
12. links & document sharing
The app generates a cryptographically randomized link for sent documents. The customer is responsible for ensuring that the link is only sent to authorized persons. The links can optionally be provided with password protection or an expiration date (default: 12 months). Access is logged (time stamp, IP, user agent).
13. changes to this privacy policy
We may amend this privacy policy at any time. In the event of significant changes, we will inform registered users by e-mail at least 30 days before they come into force.
End of the privacy policy
