Privacy Policy
Last updated: 2026-04-07
Document version: 2.0
Applies to: thesynergygroup.ch and all services operated by The Synergy Group AG
The Synergy Group AG (“TSG”, “we”, “us”, “our”) respects your privacy and complies with the revised Swiss Federal Act on Data Protection (revFADP / nDSG) and the EU General Data Protection Regulation (GDPR) where applicable. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have.
If you have any question about this policy or wish to exercise your data protection rights, please contact us at andre@thesynergygroup.ch.
1. Who We Are (Data Controller)
The Synergy Group AG
c/o HAFIDA Treuhand AG
Dorfstrasse 59
8126 Zumikon, Switzerland
Commercial Register: CHE-497.254.492
Internal Data Protection Contact: andre@thesynergygroup.ch
We are a Swiss limited company (Aktiengesellschaft) registered with the Commercial Register of the Canton of Zürich.
2. What Personal Data We Collect
Depending on how you interact with us, we may collect:
- Contact data — name, email address, company name, phone number (optional), country
- Communication content — the content of messages you send via our contact form, consultation booking, or email
- Booking data — preferred date and time, topic of interest
- Audit data — the URL of the website you ask us to audit
- Technical data — IP address, browser type, pages visited, referrer, timestamps (collected automatically via server logs)
- Customer data (for paying customers) — billing information, subscription history, usage telemetry
We do not collect special categories of data (health, religion, political opinions, biometric data) through this website.
3. Why We Process Your Data (Purposes and Legal Basis)
| Purpose | Legal basis |
|---|---|
| Responding to your enquiry or consultation request | Pre-contractual measures (nDSG Art. 31(2)(a) / GDPR Art. 6(1)(b)) |
| Delivering a free website audit you requested | Contract performance (nDSG Art. 31(2)(a) / GDPR Art. 6(1)(b)) |
| Sending you our newsletter (if you opt in) | Consent (nDSG Art. 6(7) / GDPR Art. 6(1)(a)) |
| Operating our paid SaaS products (CoachPilot, JobTrackerPro, etc.) | Contract performance (nDSG Art. 31(2)(a) / GDPR Art. 6(1)(b)) |
| Securing our website and detecting abuse | Legitimate interest in security (nDSG Art. 31(2)(c) / GDPR Art. 6(1)(f)) |
| Complying with Swiss accounting and tax law | Legal obligation (Swiss Code of Obligations Art. 958f) |
| Improving our services | Legitimate interest balanced against your right to privacy |
4. Who We Share Your Data With
Your personal data is processed primarily by André Jankowitz, the sole administrator. We share data with the following categories of third parties only when necessary:
- Hosting: Exoscale (Switzerland), Hostinger (EU), Vercel (US — for Quiz Realm only)
- Payments: Stripe (EU)
- Authentication: Clerk (US — CoachPilot and JobTrackerPro only)
- AI providers: Anthropic, OpenAI, ElevenLabs, Deepgram (US) — only when an AI feature is invoked, and only for the duration of that request
- Calendars/email: Google (US — Calendar API and Gmail API where used)
- Professional advisors: Our accountants and lawyers, where required
We never sell your personal data. We never use your content to train AI models — this is verified at the organisation level with each AI provider.
A complete and current list of subprocessors is available in our [International Transfers Register](/trust-centre/) on request.
5. International Data Transfers
Our primary infrastructure is hosted in Switzerland (Exoscale, Zürich data centre ch-dk-2). Where transfers to non-adequate countries are necessary (primarily United States AI providers), we rely on:
- Standard Contractual Clauses (SCCs) — incorporated into each provider’s data processing agreement
- Supplementary technical measures — including no-training opt-outs at the organisation level, request-scoped processing, encryption in transit (TLS 1.3), and minimum-necessary disclosure
- EU-US Data Privacy Framework certification where the provider is certified
Switzerland is recognised by the European Commission as providing an adequate level of data protection, so transfers from EU to Switzerland do not require additional safeguards.
6. How Long We Keep Your Data
| Data | Retention |
|---|---|
| Server logs (IP addresses) | 90 days |
| Contact form submissions and consultation bookings | Until business purpose fulfilled, plus 36 months |
| Free website audits | 24 months |
| Customer accounts and content (paid services) | Duration of subscription, plus 30 days for export, then deletion within 90 days |
| Financial records (invoices, payment records) | 10 years (Swiss Code of Obligations Art. 958f) |
| Email correspondence | 24 months unless contract requires longer |
| Backups | 30 days rolling |
7. Your Rights
Under nDSG and GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your personal data, subject to our legal retention obligations
- Restriction — ask us to pause processing while a dispute is resolved
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time, where processing is based on consent
- Lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC, https://www.edoeb.admin.ch/) or your local EU supervisory authority
To exercise any of these rights, please email andre@thesynergygroup.ch. We will respond within 30 days. We may need to verify your identity before disclosing or modifying any data — see our [Subject Rights Procedure](/trust-centre/) for the full workflow.
8. How We Protect Your Data
Our technical and organisational measures include:
- Swiss-sovereign infrastructure — 100% of production data hosted on Exoscale Zürich
- Encryption — TLS 1.3 in transit, encryption at rest, HashiCorp Vault for secrets
- Access control — multi-factor authentication on administrator accounts, application passwords scoped per service, role-based access control
- Monitoring — Prometheus metrics, Wordfence WAF, automated alerting
- Constitutional AI governance — every autonomous agent action validated against 10 immutable rules before execution
- Deployment guardrails — pre-deploy security checks, visual QA gates, immutable audit log
- Backups — automated daily backups with 30-day rolling retention
- Incident response — documented procedure with notification to FDPIC and affected subjects within the regulatory timeframes
For full details, see our [Security & Compliance documentation](/trust-centre/).
9. Cookies
We use a minimal set of cookies. Strictly necessary cookies are used to keep the site secure and functioning (including the language preference cookie `tsg_lang`). Analytics cookies are loaded only with your consent via the cookie banner. You can withdraw consent at any time through the cookie banner footer link.
10. Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at andre@thesynergygroup.ch and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The current version is always available at https://thesynergygroup.ch/privacy-policy/. The “Last updated” date at the top reflects the most recent change. For material changes, we will notify customers by email.
12. Supervisory Authority
You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner:
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB / FDPIC)
Feldeggweg 1
3003 Bern
Switzerland
https://www.edoeb.admin.ch/
EU residents may also lodge a complaint with their local supervisory authority.
—
*This Privacy Policy is maintained by AZ-DP-COMPLIANCE-001 and synced to thesynergygroup.ch on update.*