LEGAL

Privacy.

This policy describes which personal data we process on hrit.ch and in the course of our services, for what purpose, for how long and who has access. It is governed by the Swiss Federal Act on Data Protection (revDSG / revised FADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

The German version of this document is authoritative.

1 · CONTROLLER

Who is responsible

The controller responsible for the processing of personal data on hrit.ch and in the course of our services is:

HRIT.ch GmbH

Ruhsitzweg 12, 9000 St. Gallen
Mail: hallo [at] hrit [dot] ch

For information requests, corrections, deletions or other data protection matters, you can reach us at any time at the email address given. Given our size, we have not appointed an internal data protection officer. The point of contact for data protection matters is the management.

2 · PRINCIPLE

What we do, and what we don't

We process as little personal data as possible, only for clearly defined purposes, and delete it when the purpose ceases to apply. We do not sell personal data. We do not build personal advertising or profiling data about visits to our website. We do not make automated individual decisions with legal or similarly significant effect within the meaning of Art. 21 DSG or Art. 22 GDPR.

3 · DATA

Which data we process

When visiting the website

When a page is accessed, technically necessary data is processed: IP address (truncated), date and time, the URL accessed, referrer, user agent.

Purpose: secure operation (logs, troubleshooting, abuse prevention).
Legal basis: legitimate interest (Art. 31 DSG / Art. 6(1)(f) GDPR).
Retention: server logs for a maximum of 30 days, then deletion.

When submitting the contact form

We process the details from the form (name, company, email, enquiry text) as well as the IP address at the time of submission. If you activate the «send a confirmation email to me» option, you receive a copy of your enquiry at the email address provided.

Purpose: responding to your enquiry and any follow-up correspondence.
Legal basis: pre-contractual measure (Art. 6(1)(b) GDPR) or legitimate interest (Art. 31 DSG / Art. 6(1)(f) GDPR).
Retention: enquiries are stored for as long as necessary for the response and any follow-up correspondence, a maximum of 24 months from the last contact. After that they are deleted or anonymised.

For speculative applications by email

If you send us an application, we process the information submitted (CV, cover letter, references, contact details) exclusively to assess the application.

Purpose: assessment of the application, pre-contractual measure.
Legal basis: pre-contractual measure (Art. 6(1)(b) GDPR) or legitimate interest.
Retention: if no employment results, application documents are deleted no later than 6 months after the end of the application process. Longer retention in a talent pool only takes place with your explicit consent.

Within client mandates

When we provide consulting, build, interim or maintenance services for clients and in doing so process personal data of our clients' employees or third parties, we act as a processor within the meaning of Art. 9 DSG or Art. 28 GDPR. Processing takes place exclusively on the documented instructions of the client within the framework of a separate data processing agreement (DPA).

4 · PROCESSORS

Who has technical access

We use the following service providers for processing. The necessary data processing agreements (DPAs) and the necessary guarantees for appropriate data processing are in place with all of them.

  • Website hosting
    The website runs on a cloud platform with edge delivery. Hosting region: Europe. Log data is processed with IP addresses truncated. Providers are kept in the record of processing activities and named on request.
  • Email delivery (Resend)
    Emails from the contact form (notification to us, optional confirmation to you) are sent via Resend. Resend stores the email metadata for delivery. Provider: Resend, Inc., based in the USA with an EU subsidiary. The data transfer to the USA is based on the EU-US Data Privacy Framework or Swiss-US Data Privacy Framework as well as supplementary standard contractual clauses.
  • Statistics (optional, anonymising)
    Where used, we employ a DSG-compliant, anonymising tracker (e.g. Plausible with EU hosting) that uses no cookies and builds no personal profiles. If this tracker is not active, no statistics data is collected.
  • AI tools in service delivery
    We use AI tools for code generation, research and analysis. Providers are Anthropic (based in the USA, with an EU data-residency option) and comparable services. We configure no-train options where available and avoid transferring personal or confidential client data to these services unless contractually secured.

5 · TRANSFERS ABROAD

Data transfer abroad

Insofar as we transfer personal data to service providers abroad, this is done to countries with an adequate level of protection according to the list of the Swiss Federal Data Protection and Information Commissioner (FDPIC / EDÖB).

For transfers to the USA we rely on:

  • The Swiss-US Data Privacy Framework (for Swiss cases)
  • The EU-US Data Privacy Framework (for EU GDPR cases)
  • Supplementary standard contractual clauses (SCC) of the EU Commission
  • Technical and organisational measures for encryption and data minimisation

6 · COOKIES

Cookies and similar technologies

We use exclusively technically necessary cookies or none at all. Specifically, the following cookies may occur:

  • Session cookie (name: variable, lifetime: session, purpose: technical page function)
  • Cookie preference (if a cookie banner is active, lifetime: 12 months, purpose: storing your cookie settings)

We use no tracking cookies, no profiling, no advertising retargeting. Should non-essential cookies be used in the future, we obtain your consent beforehand via a cookie banner. You can withdraw your consent at any time.

7 · YOUR RIGHTS

What rights you have

Under the Swiss DSG (Art. 25 et seq.) and the GDPR (Art. 15 et seq.), where applicable, you have the right to:

  • Information about the data processed about you (Art. 25 DSG / Art. 15 GDPR)
  • Correction of inaccurate or incomplete data (Art. 32 DSG / Art. 16 GDPR)
  • Deletion of data no longer needed (Art. 32 DSG / Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data release or portability in a common format (Art. 28 DSG / Art. 20 GDPR)
  • Objection to processing based on legitimate interests (Art. 30 DSG / Art. 21 GDPR)
  • Withdrawal of consent with effect for the future
  • Complaint to the competent supervisory authority

Send requests informally by email to hallo [at] hrit [dot] ch. For identity verification we may ask follow-up questions. We generally respond within 30 days.

Supervisory authority Switzerland: Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.

8 · SECURITY

Technical and organisational measures

We take appropriate technical and organisational measures to protect the personal data we process:

  • Transport encryption (TLS) for all pages and form submissions
  • Encryption of data at rest at hosting and email service providers
  • Access control on a need-to-know basis, individual accounts, multi-factor authentication
  • Regular vulnerability checks of the components used and updates
  • Contractual obligation of service providers to equivalent security and data protection standards
  • Awareness and training of employees on data protection and information security
  • Data backup with encrypted backups and defined recovery times

9 · DATA BREACHES

Procedure for data protection breaches

In the event of a data protection breach with a high risk to the persons concerned, we report the incident within the statutory deadline (Art. 24 DSG: «as quickly as possible»; Art. 33 GDPR: 72 hours) to the EDÖB or the competent EU supervisory authority and notify the persons concerned where provided for by law.

For incidents within the processing we carry out on behalf of clients, we notify the client without delay in accordance with the provisions of the respective data processing agreement.

10 · STATUS

Effective date and version

Version 2026-06-08. This policy applies from the time of publication on hrit.ch. In the event of material changes, we update the policy and communicate this on the homepage. The version in force at any given time can be found on this page.