Privacy Policy

1.Controller

Swiss Lab of Intelligence (“SwissLI AG”, “we”, “us”) is the controller of personal data processed in connection with its website and business activities.

For data protection inquiries, including data subject requests: info@aodit.ai

2.Scope of this Policy

This Privacy Policy describes how SwissLI AG processes personal data in relation to:

• The website www.aodit.ai

• Client onboarding, contracting, and communication

• Optional support or analysis services

The aodit platform itself is designed to operate without requiring SwissLI AG to access client AI system data.

3.Core Principle — Data Sovereignty

aodit is designed as an on-premise evaluation system. This means:

• AI agent inputs, outputs, and logs remain within the Client's infrastructure

• SwissLI AG does not receive, store, or process client AI system data by default

• No client AI data is transferred to SwissLI AG systems unless explicitly provided by the Client

SwissLI AG acts as an independent evaluation provider, not as a processor of client AI workloads.

3A.No Data Processor Role

SwissLI AG does not act as a data processor for client AI system data in the ordinary course of its services. Unless explicitly agreed:

• SwissLI AG does not process personal data on behalf of the Client

• SwissLI AG does not host or operate Client systems

• SwissLI AG does not access production environments

Where limited processing may occur (e.g. optional analysis), this is governed by a separate agreement (e.g. Data Processing Agreement).

4.Access to Client Data

aodit is designed to operate without requiring direct access to live production systems. SwissLI AG:

• Does not access AI agent outputs or transcripts by default

• Does not store or replicate client AI data

• Does not use client data for training or development

If access is required:

• It is explicitly approved by the Client

• Limited in scope and duration

• Technically controlled

• Logged where applicable

5.Development vs Client Environments

SwissLI AG develops evaluation methodologies using controlled environments, which may include cloud-based language models. However:

• No client data is used in development or testing

• Client-specific evaluations are executed within client-controlled infrastructure

• External systems and models have no visibility into client environments

6.Categories of Personal Data Processed

6.1 Website and Communication

• Name

• Email address

• Company information

• Technical data (e.g. IP address, browser type)

6.2 Client Relationship Management

• Contact details of client representatives

• Contracts, billing information, and communication records

6.3 Documents Provided by Clients (Optional)

Clients may voluntarily provide documents (e.g. reports or outputs) for analysis. Such documents:

• Are not required for AODIT operation

• Are handled within SwissLI AG's secured environment

• Remain under client control

SwissLI AG does not process end-user data generated within client AI systems.

7.Legal Basis for Processing

SwissLI AG processes personal data based on:

• Contract performance

• Legitimate interest (business communication and operations)

• Consent (where applicable)

• Legal obligations

In accordance with:

• Swiss Federal Act on Data Protection (nDSG)

• EU General Data Protection Regulation (GDPR), where applicable

SwissLI AG applies principles of data minimisation and processes only personal data necessary for the stated purposes.

8.Use of Google Workspace

SwissLI AG uses Google Workspace (including Gmail, Google Drive, and Google Sheets) for business communication and document management. This includes:

• Email communication

• Storage of business documents

• Analysis of documents voluntarily shared by clients

Data processed within Google Workspace is subject to Google's security and data protection measures. SwissLI AG does not transfer client AI system data to Google systems.

8A.No Use for Training or Cross-Client Reuse

SwissLI AG does not use client-provided data for:

• Training machine learning models

• Fine-tuning models

• Improving third-party models

• Benchmarking one client against another using identifiable client data

SwissLI AG may use generalized, anonymized, and non-client-identifiable learnings to refine its methodologies, taxonomies, and scenario design, provided that no client confidential information, personal data, or client-identifiable materials are disclosed or reused across clients.

9.Data Sharing

SwissLI AG does not sell personal data. Limited sharing may occur with:

• Infrastructure providers (e.g. Google Workspace)

• Professional advisors (legal, financial)

• Regulatory authorities where required by law

SwissLI AG maintains a limited set of infrastructure providers necessary for business operations. A list of key subprocessors may be provided upon request. Client AI system data is not shared externally.

10.International Data Transfers

SwissLI AG operates primarily in Switzerland. Where third-party providers are used, data may be processed outside Switzerland. Such transfers are safeguarded through:

• Adequacy decisions

• Standard contractual clauses

Client AI system data remains within client-controlled infrastructure.

11.Cookies and Analytics

The website uses cookies to ensure functionality and improve user experience.

11.1 Essential Cookies

Used for:

• Website operation

• Security

11.2 Analytics Cookies (Google Analytics)

SwissLI AG uses Google Analytics to understand website usage. Google Analytics may collect:

• Anonymized IP address

• Device and browser information

• Pages visited and interaction data

This data does not directly identify individuals.

11.3 Cookie Consent

Analytics cookies are activated only after user consent via a cookie banner. Users can:

• Accept or reject cookies

• Withdraw consent at any time

11.4 Additional Information

Further information on Google's data processing: https://policies.google.com/privacy

12.Data Retention

SwissLI AG retains personal data as follows:

• Client relationship data (contracts, communication, billing): up to 10 years

• Contact data provided voluntarily: retained as long as necessary

• Website analytics data: up to 12 months

SwissLI AG does not retain AI system data.

13.Security Measures

SwissLI AG implements appropriate technical and organisational measures, including:

• Encryption of communications (e.g. TLS)

• Restricted access controls based on least-privilege principles

• Strong authentication controls, including multi-factor authentication (MFA)

• Controlled access to internal systems and documents

• Use of secure infrastructure providers (e.g. Google Workspace)

• Logging of administrative access where applicable

SwissLI AG maintains internal documentation covering its security, development, and operational practices. Such documentation may be made available to clients upon reasonable request as part of vendor due diligence processes.

13A.Incident Handling

SwissLI AG maintains procedures for handling security incidents affecting systems or data under its control. Where legally required, SwissLI AG will notify affected parties or authorities of relevant incidents and cooperate in appropriate remediation steps.

14.Your Rights

Under applicable law, you have the right to:

• Access your personal data

• Request correction or deletion

• Object to processing

• Withdraw consent

You may lodge a complaint with:
Swiss Federal Data Protection and Information Commissioner (FDPIC)
www.edoeb.admin.ch

15.Changes to this Policy

This Privacy Policy may be updated from time to time. The latest version is available at: www.aodit.ai/privacy