Privacy Policy
1. Controller
The controller responsible for data processing is: codebar Solutions AG. Hauptstrasse 91, 4455 Zunzgen. Contact: info@codebar.ch.
2. Purpose
We use your data to provide the Sprintbox service, to authenticate you, to run AI text and image generation (via Anthropic, OpenAI, or PublicAI for text; OpenAI or Google Gemini for images, depending on your organization settings), and to send transactional emails (e.g. password reset, magic-link login).
3. Legal basis
Under the Swiss Federal Act on Data Protection (FADP), we process your data on the following grounds: performance of a contract (providing the service), your consent (optional profile data such as LinkedIn and skills), and our legitimate interest (session cookies, security).
4. Data we collect
When you register (via magic link), we store your name and email address. We store temporary tokens sent to your email for magic-link login. If you set a password (e.g. via password reset), it is stored in hashed form. When you use the app, we store organization membership, invitation data, sprint data, and phase outputs. If you provide a professional profile, we store LinkedIn URL, headline, skills, and a persona summary used for AI prompts. Uploaded file attachments (PDFs, images) and their AI-extracted content are stored. For AI image generation, we send prompts to the configured provider. Session data is stored for authentication.
5. Recipients and third parties
When you use "Generate with AI", your sprint context and phase prompts are sent to Anthropic (Claude), OpenAI (GPT), or PublicAI (Apertus) for text generation, depending on your organization configuration. For image generation, we use OpenAI (DALL-E) or Google Gemini. Each provider processes this data according to their privacy policy. Transactional emails may be sent via our mail provider. We do not share your data with third parties for marketing.
6. Transfers abroad
Anthropic, OpenAI, and Google are based in the United States. Switzerland has not recognized the US as providing adequate data protection. We ensure protection through contractual safeguards (e.g. standard contractual clauses, data processing agreements) with these US providers. PublicAI (Apertus) is Swiss-based and may process data in Switzerland or the EU. Our mail provider may also process data outside Switzerland depending on configuration. You can request details on safeguards for specific transfers.
7. Cookies and sessions
We use session cookies for authentication. These are necessary for the service to function. We do not use tracking or advertising cookies.
8. Retention
We retain your data as long as your account exists. You can delete your account and associated data from the profile settings.
9. Security
We protect your data with appropriate technical and organisational measures: passwords are hashed (bcrypt), connections use HTTPS, session management follows secure practices, and API keys stored for AI providers are encrypted. Access to personal data is restricted to authorised personnel.
10. Automated decisions
We do not use automated individual decisions within the meaning of Art. 21 FADP (e.g. profiling, credit scoring, or algorithmic decisions that significantly affect you). AI-generated content supports your work but does not constitute such a decision.
11. Your rights
Under the Swiss Federal Act on Data Protection (FADP), you have the right to information (Art. 25), rectification (Art. 32), erasure (Art. 33), restriction of processing, data portability (Art. 28), and to object to processing (Art. 30). You may also lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). Contact us at the email above to exercise your rights.
12. Supervisory authority
You have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) if you believe that the processing of your personal data violates Swiss data protection law. FDPIC: Feldeggweg 1, 3003 Bern, Switzerland. Website: https://www.edoeb.admin.ch.
13. Changes
We may update this privacy policy. Changes will be posted on this page.