Swiss Data Protection
1. Applicable law
lynox AI is operated by Brandfusion Burlet, a Swiss sole proprietorship based in Rapperswil-Jona, Canton of St. Gallen, Switzerland. As a Swiss data controller, lynox AI is subject to the revised Federal Act on Data Protection (nDSG / nFADP), which entered into force on September 1, 2023, along with the Data Protection Ordinance (DSV/DPO) and the Ordinance on Data Protection Certifications (VDSZ/ODPC).
This page explains how lynox complies with Swiss data protection law. It supplements our Privacy Policy and Data Processing Agreement.
2. Data processing principles (Art. 6 nDSG)
All processing of personal data by lynox AI adheres to the following principles enshrined in Art. 6 nDSG:
- Lawfulness — Personal data is processed lawfully, based on consent, contract performance, legitimate interests, or legal obligation.
- Good faith — Processing is conducted in good faith and in a manner consistent with the reasonable expectations of data subjects.
- Proportionality — Only personal data that is necessary for the stated purpose is collected and processed. We do not collect data speculatively or in excess of what is required.
- Purpose limitation — Personal data is collected for specified, explicit purposes and is not further processed in a manner incompatible with those purposes.
- Accuracy — We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
- Storage limitation — Personal data is retained only for as long as necessary for the purposes for which it was collected. See our Privacy Policy for specific retention periods.
3. Information duty (Art. 19 nDSG)
In compliance with the duty to inform under Art. 19 nDSG, we disclose the following:
| Information | Details |
|---|---|
| Identity of the controller | Brandfusion Burlet (lynox AI), Rapperswil-Jona, Switzerland |
| Contact | [email protected] |
| Purpose of processing | Website operation, managed hosting provision, AI-assisted business services, billing, marketing (with consent) |
| Recipients | Sub-processors as listed in our DPA: Anthropic, AWS, Stripe, Hetzner, Cloudflare, Plausible |
| Cross-border transfers | See Section 4 below |
4. Cross-border data transfers (Art. 16-17 nDSG)
Under Art. 16 nDSG, personal data may be disclosed abroad if the Federal Council has determined that the legislation of the destination state or the international body ensures adequate protection. Under Art. 17 nDSG, where no adequacy decision exists, appropriate safeguards must be provided.
Countries with adequate protection
The EU/EEA is recognized by the Swiss Federal Council as providing adequate data protection (Annex 1 DSV). Transfers to Hetzner (Germany) and Plausible (Estonia) are covered by this adequacy decision.
Transfers to the United States
Certain sub-processors are based in the United States (Anthropic, Stripe, Cloudflare). For these transfers, we rely on:
- Standard Contractual Clauses (SCCs) — EU Commission-approved SCCs (Decision 2021/914), recognized as appropriate safeguards under Art. 16(2)(d) nDSG, are incorporated into all relevant sub-processor agreements.
- Swiss-US Data Privacy Framework — Where the sub-processor is certified under the Swiss-US Data Privacy Framework (recognized by the Federal Council), transfers may additionally rely on this framework.
- Supplementary measures — Encryption in transit (TLS 1.3) and at rest (AES-256-GCM) is applied to all data subject to cross-border transfers.
Bedrock EU: no cross-border transfer
Customers who select the Managed EU tier benefit from AI inference processed exclusively within the EU (AWS Bedrock, Frankfurt, eu-central-1). In this configuration, conversation data does not leave the EU for AI processing, eliminating cross-border transfer concerns for the most sensitive data category.
5. Data subject rights (Art. 25-29 nDSG)
Under the nDSG, data subjects have the following rights, which we fully uphold:
- Right of access (Art. 25 nDSG) — You may request information about whether and what personal data we process about you, the purpose of processing, the retention period, the origin of the data, and any recipients.
- Right to data portability (Art. 28 nDSG) — You may request that your personal data be provided to you or to a third party in a commonly used electronic format.
- Right to rectification — You may request correction of inaccurate personal data.
- Right to deletion — You may request deletion of your personal data, subject to any legal retention obligations.
- Right to object — You may object to processing based on legitimate interests.
To exercise any of these rights, contact [email protected]. We will respond within 30 days as required by Art. 25(6) nDSG.
6. Professional secrecy (Art. 321 StGB)
Certain professions in Switzerland are subject to professional secrecy obligations under Art. 321 of the Swiss Criminal Code (StGB) — including lawyers (Anwälte), doctors (Ärzte), auditors (Revisoren), and fiduciaries (Treuhänder). For these professionals, the choice of AI infrastructure has particular legal significance:
- Self-hosted with Bedrock EU — The safest configuration for professions with secrecy obligations. Data remains on your own infrastructure, AI inference stays within the EU (Frankfurt), and no third party accesses conversation content. This configuration minimizes the risk of a secrecy violation.
- Managed Hosting with Bedrock EU — Dedicated infrastructure on Hetzner (Germany), AI processing within the EU. lynox AI has no access to conversation content (zero admin visibility). This is an appropriate option, subject to assessment of the specific professional secrecy requirements.
- Anthropic direct API (US jurisdiction) — Conversation data is transmitted to Anthropic's US infrastructure for inference. While covered by the DPA and SCCs, this involves US jurisdiction. We recommend that professionals subject to Art. 321 StGB consult with legal counsel before using this configuration.
lynox does not provide legal advice. Professionals subject to secrecy obligations should independently assess which configuration meets their regulatory requirements.
7. Supervisory authority
The competent supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC / EDÖB):
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
Feldeggweg 1
3003 Bern
Switzerland
www.edoeb.admin.ch
Data subjects have the right to lodge a complaint with the FDPIC if they believe their data protection rights have been violated.
8. Technical and organizational measures
In accordance with Art. 8 nDSG and Art. 1-4 DSV, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Details of these measures are described in the security annex of our Data Processing Agreement.
9. Contact
For all questions regarding data protection under Swiss law:
[email protected]
Brandfusion Burlet (lynox AI)
Rapperswil-Jona, Switzerland