VediramPrivacy Policy
Last updated: April 11, 2026
1. Controller and contact information
The controller responsible for the processing of your personal data is:
Vediram GmbH (Sàrl)
Chemin des Bégonias 18
1018 Lausanne
Switzerland
Email: contact@vediram.com
For inquiries related to data protection, including requests to exercise your rights, please contact us at privacy@vediram.com.
2. Scope of this policy
This Privacy Policy explains how Vediram GmbH ("Vediram," "we," "us") collects, uses, stores, and discloses personal data in connection with:
- our website at vediram.com (the "Website"); and
- our enterprise software products and services, including desktop applications, cloud platforms, and related tools (collectively, the "Service").
This policy applies to personal data of natural persons only. Under the revised Swiss Federal Act on Data Protection (nFADP), effective 1 September 2023, data relating exclusively to legal entities is not considered personal data and falls outside the scope of this policy.
Where we process personal data on behalf of our enterprise customers as a data processor (e.g., personal data of our customers' employees contained within the Service), the relevant customer's privacy policy governs that processing. Our obligations as processor are set out in the Data Processing Agreement concluded with each customer.
3. Personal data we collect
3.1 Website contact form
When you use the contact form on our Website, we collect:
- Email address — to respond to your inquiry.
- Name (if provided) — to address you personally.
- Message content — which may contain additional personal data you choose to share.
We use this data solely to respond to your inquiry. We do not send marketing emails, newsletters, or other unsolicited communications based on contact form submissions.
3.2 Website analytics
We use Pirsch Analytics, a cookie-free web analytics service provided by Emvi Software GmbH (Germany), to understand how visitors use our Website. Pirsch generates a non-reversible hash from your IP address, browser user agent, the date, and a per-site salt. This hash serves as a temporary visitor identifier that cannot be traced back to you and expires within 24 hours. Your IP address is never stored. No cookies are placed on your device. Pirsch processes this data on servers located in Germany.
We collect: page views, referrer URLs, browser type, operating system, device type, screen resolution, country (derived from IP before hashing), and session duration. None of this data identifies you personally.
3.3 Service-related data (enterprise customers)
When enterprise customers use the Service, we may process the following categories of personal data as part of delivering the Service:
- User account data: Name, business email address, job title, and organizational role of authorized users.
- Authentication data: Single sign-on (SSO) tokens and session identifiers required to access the Service.
- Usage and telemetry data ("Service Data"): System performance metrics, feature usage patterns, error logs, device and browser information, and session data — collected to operate, maintain, secure, and improve the Service. Service Data does not include Customer Data (as defined in our Terms of Use).
We do not process special categories of personal data (sensitive data) such as health data, biometric data, racial or ethnic origin, political opinions, or religious beliefs.
4. Purposes and legal bases
Under Swiss law (nFADP)
Swiss data protection law follows a permission-based model: the processing of personal data is generally permitted, provided it does not unlawfully violate the personality of the data subject. We process personal data in compliance with the principles of lawfulness, good faith, proportionality, purpose limitation, accuracy, and data security (nFADP Art. 6–8).
Where a justification is needed (Art. 31 nFADP), we rely on:
- Consent — where you have voluntarily provided your data (e.g., through our contact form).
- Overriding legitimate interest — for operating and improving our Service and Website, ensuring security, and fulfilling contractual obligations.
- Contractual necessity — for processing required to perform our contractual obligations to enterprise customers.
Under EU law (GDPR)
For individuals located in the European Economic Area (EEA), we process personal data on the following legal bases pursuant to GDPR Art. 6(1):
| Processing activity | Legal basis |
|---|---|
| Responding to contact form inquiries | Art. 6(1)(b) — necessary for taking steps at the request of the data subject prior to entering into a contract |
| Providing and operating the Service under a customer agreement | Art. 6(1)(b) — necessary for performance of a contract |
| Website analytics (visitor statistics) | Art. 6(1)(f) — legitimate interest in understanding website usage to improve content and user experience |
| Collecting telemetry and Service Data for product improvement and security | Art. 6(1)(f) — legitimate interest in maintaining, securing, and improving the Service |
| Complying with legal obligations (e.g., tax, accounting) | Art. 6(1)(c) — necessary for compliance with a legal obligation |
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests do not override the rights and freedoms of the data subjects, considering the B2B nature of the relationship, the limited sensitivity of the data processed, and the reasonable expectations of business professionals.
5. Data recipients and disclosures
We may disclose personal data to the following categories of recipients:
- Emvi Software GmbH (Pirsch Analytics), Rheda-Wiedenbrück, Germany — website analytics processor. Data is processed within the EU (Germany). A Data Processing Agreement is in place. Pirsch does not use cookies and does not transfer data outside the EU.
- Cloudflare, Inc., San Francisco, USA — we use Cloudflare Turnstile on our contact form to verify that submissions are made by humans. When you submit the contact form, Cloudflare processes your IP address and browser metadata to generate a challenge response. Cloudflare is certified under the EU-US Data Privacy Framework. A Data Processing Agreement is in place.
- Microsoft Corporation (Azure) — we use Microsoft Azure (Switzerland North and Switzerland West regions) to host the Service. Microsoft acts as a sub-processor under our Data Processing Agreement and Microsoft's Data Protection Addendum.
- Professional advisors: Auditors, legal counsel, and accountants, to the extent necessary for legal, tax, or accounting purposes.
- Authorities: Law enforcement or regulatory authorities where we are required to do so by applicable law or valid legal process.
- Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to this Privacy Policy.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
A current list of our sub-processors is available upon request at privacy@vediram.com.
6. International data transfers
Transfers from Switzerland
The Swiss Federal Council recognizes all EU/EEA member states as providing adequate data protection. Transfers of personal data from Switzerland to the EU/EEA (including to Pirsch Analytics in Germany) therefore do not require additional safeguards.
For transfers to the United States, the Swiss Federal Council recognized the adequacy of the Swiss-US Data Privacy Framework (Swiss-US DPF) effective 15 September 2024, applicable to US companies certified under the framework. Our primary infrastructure provider, Microsoft Corporation, is certified under the Swiss-US DPF. Cloudflare, Inc. is also certified under the Swiss-US Data Privacy Framework.
For transfers to countries not recognized as adequate, we implement appropriate safeguards, including the EU Standard Contractual Clauses (2021 version) as recognized by the FDPIC, supplemented by additional technical and organizational measures where necessary.
Transfers from the EU/EEA
Switzerland benefits from an EU adequacy decision under GDPR Art. 45, reconfirmed by the European Commission on 15 January 2024. Personal data may therefore flow freely from the EU/EEA to Switzerland without additional transfer mechanisms.
7. Data retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.
| Data category | Retention period |
|---|---|
| Contact form inquiries | 12 months after the last interaction, then deleted |
| Website analytics data | Anonymized at collection (IP hashed and discarded); aggregated statistics retained indefinitely |
| Customer account data | Duration of the customer agreement, plus 10 years for records required under Swiss commercial law (Art. 958f OR) |
| Service Data / telemetry | 24 months in identifiable form; thereafter retained only in anonymized, aggregated form |
| Invoicing and payment data | 10 years from the end of the relevant fiscal year (Art. 958f OR; Swiss VAT Act Art. 70(2)) |
8. Cookies and tracking technologies
This Website does not use cookies or similar tracking technologies. Our analytics service (Pirsch Analytics) operates entirely without cookies — no data is stored on or read from your device. No cookie consent banner is required.
If we introduce cookies or tracking technologies in the future, we will update this policy and implement appropriate consent mechanisms in compliance with applicable law.
9. Data security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with nFADP Art. 8 and GDPR Art. 32. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls based on the principle of least privilege.
- Regular security assessments and vulnerability testing.
- Hosting on Microsoft Azure infrastructure certified to ISO/IEC 27001, ISO 27017, ISO 27018, SOC 1/2/3, and CSA STAR.
- Incident response procedures with defined notification timelines.
10. Your rights
Under the Swiss nFADP
You have the following rights regarding your personal data:
- Right of access (Art. 25 nFADP): You may request confirmation of whether we process your personal data and obtain a copy. We will respond within 30 days.
- Right to data portability (Art. 28 nFADP): You may request to receive your data in a commonly used electronic format or have it transferred to another controller.
- Right to rectification and erasure: You may request the correction of inaccurate data or the deletion of data that is no longer necessary for the stated purposes.
- Right to object to automated individual decisions (Art. 21 nFADP): If we make decisions based exclusively on automated processing that have legal or significant effects on you, you may request human review.
Under the GDPR (for individuals in the EEA)
In addition to the rights above, you have the following rights under the GDPR:
- Right to rectification (Art. 16 GDPR)
- Right to erasure ("right to be forgotten") (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interest (Art. 21 GDPR)
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR)
To exercise any of these rights, please contact us at privacy@vediram.com. We will respond within 30 days (nFADP) or one month (GDPR), which may be extended by two additional months for complex requests.
We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
11. Right to lodge a complaint
If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with a supervisory authority.
Swiss supervisory authority:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH-3003 Berne, Switzerland
Website: https://www.edoeb.admin.ch
EU supervisory authorities:
If you are located in the EEA, you may lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement (GDPR Art. 77). A list of EU supervisory authorities is available at https://edpb.europa.eu.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. Material changes will be communicated through a prominent notice on our Website. The "Last updated" date at the top of this policy indicates when it was most recently revised.
13. Applicable law
This Privacy Policy is governed by the Swiss Federal Act on Data Protection (nFADP, SR 235.1) and, to the extent applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679). In the event of conflict between the two regimes, we apply the standard that provides the higher level of protection for the data subject.