Privacy Policy

With this privacy policy, we, Ontrex AG and Ontrex GmbH (both hereinafter "Ontrex"), would like to inform you about how we process and protect personal data in the context of our respective business relationship with you and inform you about your rights in connection with such data. Data and its protection are at the core of our business. Both Ontrex and our employees, contractors and service providers are committed to providing you with transparency and choice when it comes to personal data.
Certain products and services offered by Ontrex may have additional specific privacy notices that describe how we handle personal data for those products and services. If any other privacy notice conflicts with this Privacy Policy, the specific provisions shall prevail.
As we are an internationally oriented IT company, the EU General Data Protection Regulation (GDPR) may also be of importance to us in addition to the Swiss data protection provisions (FADP and implementing provisions). In this privacy policy, we have created a uniform standard taking into account the relevant legal basis.
Overview
Your business relationship with Ontrex can be complex and different rules apply depending on the specific relationship you have with us. This privacy policy is structured as follows:
1. Use of our website
1.1. Data recording and log files
1.2. Use of cookies
1.3. Newsletter
1.4. Contact form and e-mail contact
1.5. Applications
1.6. Web analysis through Google Analytics
1.7. Other types of information provision
2. Contractual relationships with business partners
2.1. Description and scope of data processing
2.2. Purposes of data processing
2.3. In particular: Use of Microsoft 365
3. Data protection
3.1. Protective measures
3.2. Transfer of data to third parties, processors and abroad
3.3. Storage / Duration
3.4. Measures in the event of breaches of personal data
4. Rights of the data subject
5. Amendment of this privacy policy
6. Contact us

1. Use of our website
1.1. Data recording and log files
When you visit our website, our system automatically collects data and information from the accessing computer/client. The following data is collected:

  • Information about the browser type and version used
  • The user's operating system
  • The IP address of the user
  • Date and time of access
  • Websites from which the user's system accesses our website
  • Pages viewed on the website and dwell time

The IP addresses are stored in the log files of our system. This does not apply to other data that allows the data to be assigned to a user. This data is not stored together with other personal data of the user.

Temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our IT systems. The data is not analysed for marketing purposes in this context. Our legitimate interest in data processing also lies in these purposes.
The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or anonymised so that it is no longer possible to identify the accessing client.

1.2. Use of cookies
Cookies help to make your visit to our website easier, more pleasant and more efficient.
A cookie is a file containing an identifier (a sequence of letters and numbers) that is sent from a web server to a web browser and stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Cookies can be either "persistent" cookies or "session" cookies: A persistent cookie is stored by a web browser and remains valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, expires at the end of the user session when the web browser is closed.
With most browsers, you can refuse to accept cookies and delete cookies. The methods for doing this vary from browser to browser and from version to version. As a rule, you can set your browser to notify you when you receive a cookie so that you can decide whether or not to accept it. You can also disable cookies. However, if you do not accept our cookies, you may not be able to use all the functions of your browser. In addition, you can prevent or stop the installation and storage of cookies through your browser settings by downloading and installing an opt-out browser add-on.
The user data collected via cookies is pseudonymised by technical precautions. It is therefore no longer possible to assign the data to the accessing user. The data is not stored together with other personal user data.
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognised even after a page change.
We need cookies for the following applications:

  • Transfer of language settings
  • Adoption of filter settings

The user data collected by technically necessary cookies is not used to create user profiles.
Cookies that are not technically necessary are used for the purpose of maintaining and improving the quality of our website and its content. These cookies tell us how the website is used and enable us to constantly optimise our offering. Our legitimate interest in the processing of personal data also lies in the aforementioned purposes.

1.3. Newsletter
You have the option of subscribing to one or more free newsletters on our website or by giving your consent in another way. We send our existing and potential customers information about our products and solutions at irregular intervals, as well as general information or recommendations for action, for example in the area of security. We use external providers for the dispatch and administration of newsletters.
The following data is collected when you register for the newsletter:

  • First name and surname
  • E-mail address
  • Company
  • Preferred language

No data is passed on to third parties in connection with the data processing for sending newsletters. The data is used exclusively for sending the newsletter. The data in connection with the newsletters is also stored exclusively on Ontrex's own servers in Switzerland.
The purpose of collecting your e-mail address is to deliver the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used. While you are using the newsletter, we may collect information for statistical purposes about which links you click on in the newsletter.
We process your personal data collected when you register for the newsletter on the basis of your consent.
The user's data will be stored for as long as the subscription to the newsletter is active.
The subscription to the newsletter can be cancelled by the user concerned at any time. For this purpose, there is a corresponding link in every newsletter. This also makes it possible to revoke the consent to the storage of personal data collected during the registration process.

1.4. Contact form and e-mail contact
There is a contact form on our website for events, service enquiries and general contact. If a user makes use of this option, the data entered in the input mask will be transmitted to us and stored. These data are:

  • First name and surname
  • E-mail address
  • Telephone (voluntary)
  • Company (voluntary)
  • Street / No. (optional)
  • Postcode / City (optional)
  • Background and question of your contact (voluntary)

The following data is also stored at the time the message is sent:

  • IP address
  • Date and time of the sending process
  • Page on which the form was filled out

Alternatively, you can contact us via the e-mail addresses provided. In this case, the personal data transmitted by you by e-mail will be stored.
You are responsible for the message and/or content you send us. We recommend that you do not transmit any confidential data. Personal data is only collected if you provide it to us voluntarily.
The processing of the personal data from the input mask or from the e-mail you send us serves us solely to process the contact. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems. This is also our legitimate interest in processing the data.
If the contact is aimed at the conclusion of a contract, data processing is also necessary for the purpose of implementing pre-contractual measures and for the fulfilment and execution of the contract.
In order to ensure compliance with our contractual and legal obligations, we require access to all user communication. Consequently, the personal data from the contact form or the personal data sent by e-mail are generally only deleted after ten years.

1.5. Applications
If you submit a letter of application by post or e-mail, we will process the personal data you provide in order to review your application and, if necessary, to contact you in this connection.
The legal basis for the processing of your personal data lies in pre-contractual measures and the fulfilment of a contract as well as in our legitimate interest. If we base data processing on our legitimate interest, you can object to this data processing at any time.
If no employment or other contract is concluded following the pre-contractual measures, the physical and electronic documents sent to us will be destroyed, unless we have your consent to retain this data for any subsequent contact.

1.6. Web analysis through Google Analytics
Information from the third-party provider Google:
Address: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland
User conditions: www.google.com/analytics/terms/de.html
Data protection: www.google.com/intl/de/analytics/learn/privacy.html
Privacy policy: www.google.de/intl/de/policies/privacy
We use Google Analytics on our website. Google Ireland (based in Ireland) is the provider of the "Google Analytics" service and acts as our processor. Google Ireland relies on Google LLC (based in the USA) as its processor (both "Google"). Google uses cookies to track the behaviour of visitors to our website (duration, frequency of pages accessed, geographical origin of access, etc.) and compiles reports for us on the use of our website on this basis. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google can use this data for its own purposes to draw conclusions about the identity of visitors, create personal profiles and link this data to the Google accounts of these persons. If you agree to the use of Google Analytics, you explicitly consent to such processing, which also includes the transfer of personal data (in particular usage data for the website and app, device information and individual IDs) to the USA and other countries.
The processing of the data enables us to analyse the surfing behaviour of our users. By analysing the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness. Our legitimate interest in processing the data also lies in these purposes. By anonymising the IP address, the interest of users in the protection of their personal data is adequately taken into account.
The data is deleted as soon as it is no longer required for our recording purposes. As a user, you have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

1.7. Other types of information provision
If you share personal data with us on other channels (e.g. Kiteworks), you as the user directly determine which data is made available to Ontrex.
We process your personal data provided and collected via other channels based on your consent.

2. Contractual relationships with business partners
2.1. Description and scope of data processing
We primarily process personal data that we receive directly as part of our contractual relationships with our business partners. We may also receive or collect data from publicly accessible sources (e.g. public registers, media, internet).
The categories of personal data we collect may include the following:

  • General data (e.g. names, addresses, functions, organisational affiliation, etc.)
  • Contact details (e-mail address, telephone number, etc.)
  • Content data (e.g. text and image files, videos, etc.)
  • Usage data (e.g. access data)
  • Meta/communication data (e.g. IP addresses)
  • Information from public registers (debt collection register, commercial register)
  • Information in connection with their professional functions and activities
  • Information about you in correspondence and meetings with third parties
  • Credit information (insofar as we conduct business with you personally)
  • Information from banks, insurance companies, sales and other contractual partners of ours for the utilisation or provision of services by you (e.g. payments/purchases made)
  • Information about you from the media and the Internet (insofar as this is relevant in the specific case), as well as references for applications.

Ontrex and our products and services also process personal data for the purposes of network and information security. Network and information security means the ability of a network or information system to withstand events, attacks or unlawful or malicious behaviour that may compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data or the security of related services provided by or accessible through these networks and systems. It also includes assisting organisations in ensuring that personal data is processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorised access to or use of personal data and the equipment used for processing.
Ontrex is a provider of cyber security technologies and services that can be used to respond to security incidents. It is in our legitimate interests, as well as those of our customers, to collect and process personal data to the extent strictly necessary and proportionate to ensure the security of our own networks and our business partners' information systems. This includes the development of threat intelligence aimed at maintaining and continuously improving the ability of networks and systems to defend against unlawful or malicious acts and other harmful events ("cyber threats"). The personal data we process for these purposes includes, but is not limited to, network traffic data related to cyber threats such as

  • Sender e-mail addresses (e.g. from sources of spam);
  • Recipient email addresses (e.g. of victims of targeted email cyberattacks);
  • Reply-to email addresses (e.g. configured by cybercriminals who send malicious emails);
  • File names and execution paths (e.g. of malicious or otherwise harmful executable files attached to emails);
  • URLs and associated page titles (e.g. of websites distributing or hosting malicious or otherwise harmful content); and/or
  • IP addresses (e.g. of web servers and connected devices involved in the generation, distribution, transmission, hosting, caching or other storage of cyber threats such as malicious or otherwise harmful content).

Depending on the context in which this data is collected, it may contain personal data about you or other data subjects. However, in such cases, we will only process the data concerned to the extent strictly necessary and proportionate to the purposes of detecting, blocking, reporting (by removing any personal elements) and mitigating the cyber threats that are relevant to you and any organisations that rely on our products and services.
When processing personal data in this context, we will not attempt to identify a data subject unless this is absolutely necessary for the elimination of the cyber threats in question or is required by law.

2.2. Purposes of data processing
We process the personal data collected to ensure the conclusion and fulfilment of the contract, for invoicing and for communication purposes. The processing of personal data is also necessary for the fulfilment of legal obligations.
We also process personal data, where permitted and necessary, for the following purposes, in particular but not limited to those in which we (and third parties) have a legitimate interest corresponding to the purpose:

  • Recording, processing and handling of tenders, orders, cancellations, complaints, fault rectification, etc.
  • Prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analyses to combat fraud)
  • Measures for IT, building and facility security and protection of our employees and other persons and assets entrusted to us (e.g. access controls, visitor lists, network and mail scanners)
  • Any transactions under company law and the associated transfer of personal data as well as measures for business management and to the extent necessary to comply with legal and regulatory obligations
  • Offering and further developing our products and services
  • Assertion of legal claims and defence
  • Advertising and marketing (including the organisation of training courses and events), provided you have not objected to the use of your data
  • Market and opinion research, media monitoring
  • If you have given us your consent to process your personal data for specific purposes (e.g. to carry out a background check), we will process your personal data within the scope of and based on this consent, unless we have another legal basis and require one. Consent that has been granted can be revoked at any time in the future.

2.3. In particular: Use of Microsoft 365
Information from the third-party provider Microsoft:
Address: Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA
Data protection: www.microsoft.com/en-us/privacy
Data protection report: www.microsoft.com/en-us/privacy/privacystatement
We use Microsoft 365 and the various applications it contains for our day-to-day work. The office suite contains numerous services that are used in everyday office life, such as Word, PowerPoint, Excel, Outlook and Teams. Microsoft 365 also offers additional online services. These include several cloud services, such as OneDrive, SharePoint and Exchange Online, where data is stored on Microsoft servers instead of in your own company.
A direct exchange of personal data between you and our Microsoft 365 applications will primarily take place via email for communication and via "Microsoft Teams" for online meetings. In most cases, you will not be directly involved with the other functionalities of Microsoft 365. In exceptional cases, however, we may provide you with access to Microsoft 365 functions with your consent if this is necessary or useful for the provision of our services.
If we should exceptionally grant you direct access to Microsoft 365, even if only for a limited period of time, the following data will be processed by you:

  • IP address used to access the Microsoft 365 applications
  • Your user name (access data to the Microsoft 365 applications), data as part of the so-called multi-factor authentication that you have stored yourself in your Microsoft account (e.g. optionally the (private) mobile phone number)
  • Identification features: Information about your person that identifies you as a user, sender or recipient of data within the Microsoft 365 applications. This includes in particular the following master data: Surname, first name, business contact details such as telephone number, e-mail address, if provided by you. Other data (such as a profile picture you have stored) can also be viewed in your profile at any time. This information is visible to you at all times in your profile, but also in Outlook in particular, and can be customised by you
  • Data required for authentication and licence use. In the Microsoft 365 applications, all user activities, such as time of access, date, type of access, information on the data/files/documents accessed and all activities in connection with use, such as creating, changing, deleting a document, setting up a team (and channels in teams), making notes in the notebook, starting a chat, replying in the chat are processed

We use Microsoft 365 to process all data that you provide to us by telephone or e-mail when you contact us or in the course of our business relationship.
The following Microsoft 365 applications currently store data at rest in Switzerland: Exchange Online, SharePoint, OneDrive, Teams, Azure. However, data at rest in Switzerland can be transferred to other countries while these applications are in use. Microsoft 365 applications other than those mentioned above can also store data at rest outside of Switzerland. According to Microsoft, the data in this case is primarily stored on servers in the EU. Microsoft is a participant in the Data Privacy Framework Programme.
The legal basis for the processing of personal data for data processing in Microsoft 365 is primarily the processing for pre-contractual actions and the execution of a contract, i.e. the provision of our services. You can object to this data processing at any time; in this case, however, we may no longer be able to process your enquiry.
We use the Microsoft Teams application to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: "Online Meetings"). Microsoft Teams is part of Microsoft 365.
Various types of data are processed when using Microsoft Teams. The scope of the data also depends on the data you provide before or when participating in an online meeting.
The following personal data may be subject to processing:

  • User details: e.g. display name, e-mail address if applicable, profile picture (optional), preferred language
  • Meeting metadata: e.g. date, time, meeting ID, telephone numbers, location, text, audio and video data
  • Authentication data
  • Log files, log data
  • Contents of the online meeting (if you appear in person with contributions)
  • You have the option of using the chat function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the Microsoft Teams application
  • When dialling in with the telephone: information on the incoming and outgoing call number, country name, start and end time. Additional connection data such as the IP address of the device may also be saved

If we want to record online meetings, we will inform you transparently before the online meeting and - if necessary - ask for your consent. If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not usually be the case.

The legal basis for this data processing is pre-contractual measures and the fulfilment of a contract, provided that the meetings or telephone communication take place as part of the customer relationship. Outside the customer relationship, the legal basis is our legitimate interest, namely in responding in the best possible way to your request for contact by telephone or in the form of a meeting. If our legal basis is our legitimate interest, you can object to this data processing at any time.
Microsoft reserves the right to process the personal data processed with Microsoft Teams for its own business purposes, provided that Microsoft has access to this data at all. This poses a data protection risk for users of Microsoft Teams. However, Microsoft is a participant in the Data Privacy Framework Programme and must therefore comply with important data protection requirements.

3. Data protection
3.1. Protective measures
Securing personal data is an important aspect of privacy protection. We take reasonable and appropriate administrative, technical, organisational and physical security and risk management measures in accordance with market standards and applicable laws to ensure that your personal data is adequately protected against accidental or unlawful destruction, tampering, damage, loss or alteration, unauthorised or unlawful access, disclosure or misuse and against all other unlawful forms of processing of your personal data in our possession.
These measures include:

  • Physical security measures: We lock doors and filing cabinets, control access to our facilities, implement a clean desk policy and utilise secure destruction of media containing personal data.
  • Technological security precautions: We use network and information security technologies and monitor our systems and data centres to ensure that they comply with our security guidelines. For example, the connection to our servers is established via secure connections and we regularly create backup copies of the data, encrypt these backup copies and store them in data centres in Switzerland. Our technical security precautions are continuously adapted and improved in line with technological developments.
  • Organisational security measures: We conduct regular training and awareness programmes on security and data protection to ensure that our employees and contractors understand the importance of protecting your personal data and that they acquire and maintain the necessary knowledge. They are obliged to maintain confidentiality and to comply with data protection regulations.

It is not possible to guarantee the absolute security of personal data. For example, data that you transmit to us via an open network such as the Internet or an e-mail service is openly accessible. We cannot guarantee the confidentiality of messages or content shared via these networks. If you pass on personal data via an open network, you should be aware that third parties can access this data and collect and use it for their own purposes.

3.2. Transfer of data to third parties, processors and abroad
As part of our business activities, we may disclose your personal data to third parties (such as software manufacturers, authorities, distributors, suppliers, auxiliary persons and other business partners, as well as to service providers who process data on our behalf) for the purposes set out and where appropriate. We may also be required to disclose your personal data in order to fulfil legal or regulatory requirements. The recipients may be based in Switzerland, the EU or any other country in the world.
If we transfer data to a country without adequate legal data protection, we ensure an adequate level of protection as provided for by law (in particular on the basis of the so-called standard contractual clauses of the European Commission) or rely on the legal exceptions of consent, contract processing, the establishment, exercise or enforcement of legal claims, overriding public interests or because it is necessary to protect the integrity of the data subjects.
Special case USA: We work exclusively with third-party providers from the USA who are participants in the Data Privacy Framework.

3.3. Storage / Duration
The data we collect may be stored on our own servers and on third-party servers in Switzerland using risk-appropriate technical and organisational security measures.
The personal data collected by us will only be stored for as long as is necessary for the processing of the contractual relationship (from the initiation to the termination of a contract) or for the purposes otherwise pursued with the processing and/or for as long as there is a legal obligation to retain and document data or an overriding private or public interest. As soon as the personal data collected by us is no longer required for the above-mentioned purposes, it will be deleted or anonymised.

3.4. Measures in the event of breaches of personal data
We take all reasonable measures to prevent personal data breaches. Should a breach nevertheless occur, we have set up a procedure to enable us to act quickly within the scope of our responsibilities. These measures are in line with the role we have in relation to the products, services or processes affected by the breach. In all cases, we will work with the affected parties to minimise the impact, provide all notifications and disclosures required or otherwise warranted by applicable law, and take steps to prevent future breaches.

4. Rights of the data subject
You have the possibility to exercise the following rights under the conditions and within the limits of the law:
Right to information: You have the right to request access to your personal data stored by us at any time free of charge if we process it. This gives you the opportunity to check what personal data we process about you and that we use it in accordance with the applicable data protection regulations.
Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we will inform the recipients of the data concerned of the adjustments made, unless this is impossible or involves disproportionate effort.
Right to erasure: You have the right to have your personal data erased under certain circumstances. In individual cases, the right to erasure may be excluded.
Right to restriction of processing: Under certain conditions, you have the right to request that the processing of your personal data be restricted.
Right to judicial enforcement and complaint to a supervisory authority: You have the right to enforce your claims in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner.
Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past are not rendered unlawful by your revocation.
In order to establish your identity and the legitimacy of your request, we may ask you to provide us with the information necessary for this purpose.

5. Amendment of this privacy policy
We reserve the right to amend this privacy policy at any time without prior notice. We will notify you of any changes by publishing the updated privacy policy on our website. Any changes we make will apply from the date on which we publish them on our website.

6. Contact us
If you have any questions about data protection at Ontrex, you can contact us as follows:

Ontrex AG
Compliance
Haldenstrasse 23
8306 Brüttisellen
Switzerland
compliance@ontrex.ch

Ontrex GmbH
Compliance
Konrad-Zuse-Platz 8
81829 Munich
Germany
compliance@ontrex.ch

31 March 2025