1. Controller
The controller within the meaning of the Swiss Federal Act on Data Protection (FADP, SR 235.1) is:
ExposIQ
Andriu Isenring
8152 Glattbrugg, Switzerland (Canton of Zurich)
Email: info@exposiq.ch
Phone: +41 44 508 34 67
Website: exposiq.ch
If you have any questions regarding data protection or wish to exercise your data subject rights, you may contact us at any time at the address stated above.
2. Scope
This privacy policy applies to the use of the website exposiq.ch and the SaaS platform app.exposiq.ch (hereinafter collectively referred to as the “Platform”). It informs you about which personal data we collect, for what purpose and on what legal basis we process such data, and what rights you are entitled to.
ExposIQ is a cloud-based vulnerability management platform hosted in Switzerland. The Platform enables customers to scan their own IT infrastructure (IP addresses, domains) for security vulnerabilities. All data is stored and processed exclusively in Switzerland.
3. Data Collected
We collect and process various categories of personal data, depending on how you use our Platform.
3.1 Contact and Registration Data
When registering for a user account on our Platform and when contacting us via our contact form or by email, we collect the following data:
- First and last name
- Email address
- Company name and company address (if provided)
- Phone number (if provided)
- Content of your message (for contact enquiries)
- Password (stored in encrypted form)
3.2 Usage Data and Log Files
When you access our website and Platform, technical data is automatically collected and stored in server log files:
- IP address (truncated in log files or anonymised in web analytics)
- Date and time of access
- Page or URL accessed
- Referrer URL (previously visited page)
- Browser and operating system used
- Volume of data transferred
- HTTP status code
This data is required to ensure the technical operation of the service, to detect attacks, and to perform error analysis. Server log files are automatically deleted after 90 days.
3.3 Scan Data (Platform Usage Data)
When you use the ExposIQ Platform to scan your IT infrastructure, the following technical data is collected and stored in the context of the service agreement:
- Targets you have registered: IP addresses, hostnames, and domains
- Scan results: open ports, detected software versions, operating system information
- Detected vulnerabilities with associated CVE identifiers, severity ratings, and descriptions
- Scan configuration: schedules, scan types, scan parameters
- Historical scan data and trend reports
This scan data relates to the infrastructure you have entered and may indirectly contain personal data (e.g., IP addresses). It is processed exclusively for the purpose of providing the contractually agreed service and made available to you via the Platform. ExposIQ does not use scan data for its own purposes beyond service delivery.
3.4 Payment Data
Payment processing is handled by an external payment service provider. ExposIQ does not store complete credit card or bank account details. In the context of invoicing, we store:
- Billing address (name, company, address)
- Selected subscription and invoice amount
- Payment method (type only, e.g., “credit card”)
- Transaction references from the payment service provider
The processing of your payment data by the payment service provider is subject to its own privacy policy.
3.5 Newsletter
If you subscribe to our newsletter, we store your email address for the purpose of sending you the newsletter. The newsletter is sent via the WordPress Newsletter Plugin, which operates on our own infrastructure in Switzerland. No data is shared with external newsletter services.
You may unsubscribe from the newsletter at any time via the unsubscribe link in each message or by sending an email to info@exposiq.ch. After unsubscription, your email address will be deleted without delay.
4. Purpose of Data Processing and Legal Bases
We process your personal data on the following legal bases of the Swiss Federal Act on Data Protection (FADP):
a) Performance of a contract (Art. 6 para. 6 and Art. 31 para. 1 FADP)
- Provision and operation of the ExposIQ Platform (user account, scan execution, presentation of results)
- Processing and storage of scan data to deliver the contractually agreed service
- Payment processing and invoicing
- Customer support and responding to enquiries
b) Consent (Art. 6 para. 6 FADP)
- Sending the newsletter (your consent may be withdrawn at any time)
- Use of non-essential cookies (web analytics with Matomo)
c) Overriding legitimate interests (Art. 31 para. 1 FADP)
- Ensuring IT security and technical operations (server log files)
- Improvement of our website and Platform
- Detection and prevention of misuse
d) Legal obligations (Art. 31 para. 1 FADP)
- Compliance with tax and commercial law retention obligations
- Fulfilment of official disclosure requirements
5. Disclosure of Data to Third Parties
We only disclose your personal data to third parties where this is necessary for the performance of a contract, you have given your consent, or a legal obligation exists.
The following categories of recipients may be involved:
- Hosting provider: Our Platform and website are operated by a Swiss hosting provider. The provider processes data exclusively in Switzerland and under a data processing agreement.
- Payment service provider: For the processing of payments, we use an external payment service provider. Only the data necessary for payment processing is transmitted to this provider.
No international data transfers: No personal data is transferred to countries outside of Switzerland. We do not use US-based cloud services (no Google Analytics, no US cloud infrastructure). All data processing takes place exclusively in Switzerland.
6. Cookies
Our website and Platform use cookies. Cookies are small text files that are stored on your device.
6.1 Strictly Necessary Cookies
These cookies are essential for the operation of the website and Platform. They enable basic functions such as navigation, logging into your user account, and accessing protected areas. Without these cookies, the Platform cannot function properly. Strictly necessary cookies are set without your consent.
These include in particular:
- Session cookies for authentication
- CSRF protection cookies
- Cookie preference cookie (stores your cookie preferences)
6.2 Analytics Cookies (Matomo)
We use Matomo (formerly Piwik) to analyse website usage. Matomo is operated on our own infrastructure in Switzerland (self-hosted). No data is transmitted to third parties or abroad.
Matomo sets cookies to recognise returning visitors and to statistically evaluate the use of our website. The following data is collected:
- Anonymised IP address (the last two bytes are masked)
- Pages visited and time spent
- Referring page (referrer)
- Browser, operating system, and screen resolution used
- Approximate location (based on anonymised IP)
Analytics cookies are only set with your express consent. You may withdraw your consent at any time via the cookie banner. In addition, Matomo respects the “Do Not Track” setting of your browser.
7. Data Security
We implement appropriate technical and organisational measures (TOMs) to protect your personal data against unauthorised access, loss, destruction, or misuse. In particular:
- Encryption in transit: All data transmissions between your browser and our servers are encrypted via TLS/SSL (HTTPS).
- Encryption at rest: Sensitive data is stored in encrypted form on our servers.
- Access control: Access to personal data is restricted to authorised personnel. Strict access permissions based on the principle of least privilege apply.
- Password protection: Passwords are stored exclusively in hashed form and are not accessible in plain text.
- Regular backups: Regular data backups are performed to prevent data loss.
- Hosting in Switzerland: All servers are located in Switzerland and are subject to Swiss data protection law.
Despite all security measures, no data transmission over the Internet can be guaranteed to be absolutely secure. However, we undertake to comply with the statutory notification and reporting obligations pursuant to Art. 24 FADP in the event of a data protection breach.
8. Retention Period
We store your personal data only for as long as is necessary for the fulfilment of the respective purpose or as required by statutory retention obligations.
- Account data: For the duration of the contractual relationship and thereafter in accordance with statutory retention periods.
- Scan data: For the duration of your active subscription. After cancellation, scan data is deleted within 90 days, unless a statutory retention obligation applies.
- Billing data: 10 years in accordance with commercial and tax law retention obligations (Art. 958f CO).
- Server log files: 90 days.
- Contact enquiries: 12 months after the enquiry has been concluded, provided no ongoing contractual relationship exists.
- Newsletter data: Until unsubscription, followed by immediate deletion.
- Web analytics data (Matomo): 12 months.
After the expiry of the respective retention period, data is securely deleted or anonymised.
9. Your Rights
Under the Swiss Federal Act on Data Protection (FADP), you are entitled to the following rights:
- Right of access (Art. 25 FADP): You have the right to request information as to whether and what personal data we process about you. We will provide you with a copy of the relevant data free of charge.
- Right to rectification (Art. 32 para. 1 FADP): You have the right to request the rectification of inaccurate personal data.
- Right to erasure: You may request the deletion of your personal data, provided no statutory retention obligations or overriding interests apply.
- Right to data portability (Art. 28 FADP): You have the right to request the personal data you have provided to us in a commonly used electronic format or to have it transferred to another controller.
- Right to object: You may object to the processing of your personal data at any time, insofar as the processing is based on overriding interests.
- Withdrawal of consent: Where processing is based on your consent, you may withdraw it at any time with effect for the future (e.g., newsletter unsubscription, cookie settings).
To exercise your rights, please contact us by email at info@exposiq.ch or by post. We will process your request within 30 days. We may require proof of your identity for verification purposes.
10. Right to Lodge a Complaint with the FDPIC
If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC):
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern
Switzerland
Phone: +41 58 462 43 95
Website: www.edoeb.admin.ch
We recommend that you contact us first before filing a complaint, so that we can address your concern directly.
11. Changes to This Privacy Policy
We reserve the right to amend this privacy policy at any time, in particular to adapt it to changes in the legal situation, new features of the Platform, or changes in data processing activities. The current version is always available on this page.
In the event of material changes that affect your rights, we will inform you through appropriate channels (e.g., by email or by means of a notice on the Platform).
12. Applicable Law and Jurisdiction
This privacy policy and the associated data processing are governed by Swiss law, in particular the Federal Act on Data Protection (FADP). The place of jurisdiction is Zurich, Switzerland.
Last updated: March 2026