This draft was prepared by the marketing/engineering team and is currently undergoing review by external counsel. It targets GDPR (EU) + Swiss FADP (nDSG, in force since 1 September 2023). Last updated: 2026-05-18.
Privacy Policy
1. Controller
The controller responsible for the processing of personal data on this website is:
nextX AG
Hauptstrasse 20
6418 Rothenthurm SZ
Switzerland
Commercial register: CHE-272.988.499
Email: info@nextx.ch
For all matters relating to data protection you may contact us at: info@nextx.ch (subject line: "Data protection").
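A data protection officer (DPO) is not required: the processing is limited to a corporate website and does not trigger Art. 37 GDPR (confirmed by counsel review). An EU representative is not required either: the exemption in Art. 27(2) GDPR applies because the processing is occasional and involves no high-risk data.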
2. Scope
This Privacy Policy describes how nextX AG ("we", "us", "our") processes personal data when you visit https://nextx.ch ("the Website") or contact us through it. It does not cover separately contracted products or services, which are governed by their own terms and data-processing agreements.
3. Categories of personal data we process
We process only the categories of personal data that are necessary to operate the Website and to respond to your requests.
3.1 Server log data (technical)
When you visit the Website, our hosting provider (see §6) automatically processes:
- IP address (truncated where technically feasible)
- Date and time of the request
- Browser type, version, and operating system
- Referring URL and requested URL
- HTTP status code and bytes transferred
Purpose: delivery of the Website, security, fraud and abuse prevention.
Legal basis (GDPR): Art. 6(1)(f) — legitimate interest in operating a secure website.
Legal basis (FADP): Art. 31 para. 2 lit. c — processing necessary for the conclusion or performance of a contract / operation of the service.
Retention: Server logs: 90 days. Backups: 30 days rolling.
3.2 Contact-form and email submissions
When you write to us via the contact form or by email, we process:
- Name
- Email address
- Company / organisation (if provided)
- The content of your message and any attachments
Purpose: to respond to your enquiry.
Legal basis (GDPR): Art. 6(1)(b) (pre-contractual measures) and/or Art. 6(1)(f) (legitimate interest in responding to enquiries).
Retention: Form submissions: 6 months. Beyond that, only what statutory retention obligations under Swiss law require (typically 10 years for accounting-relevant correspondence).
3.3 Cookies and similar technologies
We aim to operate the Website with the minimum necessary number of cookies. At launch we use:
- Strictly necessary cookies only (session, security, CSRF-protection).
We do not use marketing or advertising cookies at launch.
The strictly necessary cookies in use are the Netlify session cookie and the CSRF token. No tracking or marketing cookies are set.
3.4 Analytics
No analytics in use at launch (privacy-by-default). Should a privacy-respecting, cookieless analytics provider be introduced in the future (e.g. Plausible Analytics or Fathom, EU-hosted; Google Analytics is excluded), this section will be updated to describe scope, retention, and the recipient.
4. Who has access to your data
- Authorised employees and contractors of nextX AG, on a strict need-to-know basis
- Our hosting provider (see §6) as a processor
- Service providers strictly necessary to operate the Website (e.g. email delivery, see §6)
- Public authorities where we are required to disclose under applicable law
We do not sell personal data and we do not engage in advertising-based profiling.
5. International transfers
Where we engage processors outside Switzerland and the EU/EEA, we ensure an adequate level of data protection via:
- An adequacy decision (Switzerland: FDPIC list; EU: European Commission), or
- Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) and the corresponding Swiss FDPIC clauses, with supplementary measures as needed.
Current cross-border transfers: Netlify, Inc. (United States) — Hosting + Form handling, certified under the EU-US Data Privacy Framework, complemented by Standard Contractual Clauses and Swiss FDPIC clauses. See the processor table in §6.
6. Processors and sub-processors
Current production processors used to operate the Website:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Netlify, Inc. | Hosting, CDN, edge-functions, form handling | United States | EU-US Data Privacy Framework certified · SCCs + Swiss FDPIC clauses · DPA on file |
| Email-Provider (to be confirmed by counsel) | Transactional email | [counsel-review: to be confirmed within 14 days] | [counsel-review: to be confirmed within 14 days] |
Updates to this list will be reflected in this Privacy Policy.
7. Your rights
Subject to the limits set out in applicable law, you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your personal data erased ("right to be forgotten")
- Restrict or object to specific processing activities
- Receive your data in a portable format (GDPR Art. 20)
- Withdraw consent (where processing is based on consent) without affecting the lawfulness of prior processing
- Lodge a complaint with a supervisory authority:
  - Switzerland: Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, 3003 Bern — https://www.edoeb.admin.ch
  - EU/EEA: your local data-protection authority
To exercise any of these rights, please write to info@nextx.ch. We will respond within 30 days (extendable in justified cases).
8. Security
We implement state-of-the-art technical and organisational measures appropriate to the risk, including TLS in transit, access controls, principle of least privilege, and periodic security review. See also our Security & Responsible Disclosure Policy.
9. Children
The Website is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
10. Automated decision-making
We do not make decisions about you based solely on automated processing that produce legal effects or similarly significantly affect you (GDPR Art. 22 / FADP Art. 21).
11. Changes to this Policy
We may update this Privacy Policy from time to time. The current version is always available at https://nextx.ch/privacy. Material changes will be highlighted on this page for at least 30 days.
12. Contact
Questions about this Privacy Policy or our processing of your personal data:
nextX AG
Hauptstrasse 20
6418 Rothenthurm SZ
Switzerland
Email: info@nextx.ch
Version: 2026-05-18 — DRAFT for counsel review.
