HybridLLM

Privacy Policy

Last updated: February 15, 2026

This Privacy Policy explains how Adopt-AI SA ("Company", "we", "us", "our"), a Swiss corporation registered under CHE-147.175.593, with its registered office at Rue du Pré-de-la-Bichette 1, 1202 Genève, Switzerland, collects, uses, stores, and protects personal data in connection with the HybridLLM platform and website ("Service").

This Privacy Policy applies to all users of the Service, visitors to our website at hybridllm.ai, and individuals who interact with us through other channels (contact forms, email, phone).

We process personal data in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG) of September 25, 2020, in force since September 1, 2023, the Ordinance on Data Protection (ODP), and, where applicable, the European Union General Data Protection Regulation (GDPR).

2. Data Controller

The data controller responsible for the processing of your personal data is:

Adopt-AI SA

Rue du Pré-de-la-Bichette 1

1202 Genève, Switzerland

CHE-147.175.593 | CHE-147.175.593 TVA

Email: [email protected]

3. Personal Data We Collect

3.1. Data You Provide to Us

  • Account Data: Name, email address, company name, job title, phone number, and password when you create an account.
  • Payment Data: Billing address, company VAT number, and payment-related information. Credit card details and sensitive payment credentials are processed directly by our payment service provider Payrexx AG and are never stored on our systems (see Section 8).
  • Contact Data: Name, email address, company name, phone number, and message content when you use our contact form or communicate with us.
  • Customer Data: Documents, files, and other content you upload to the Service for processing.

3.2. Data Collected Automatically

  • Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Usage Data: Pages visited, features used, session duration, clickstream data, timestamps, and referring URLs.
  • Log Data: Server logs containing IP addresses, timestamps, request details, and error information, collected for security and operational purposes.

3.3. Cookies and Similar Technologies

We use cookies and similar technologies on our website:

  • Strictly Necessary Cookies: Required for the website and Service to function (authentication, security, session management, cookie consent). These cannot be disabled. Duration: session or up to 12 months.
  • Analytics Cookies: Used to understand how visitors interact with our website by collecting anonymized information. Placed only with your prior consent. Duration: up to 26 months.
  • Preference Cookies: Remember your settings and preferences such as language selection. Duration: up to 12 months.

You can manage your cookie preferences at any time through the cookie consent banner displayed on your first visit, or through your browser settings. Blocking strictly necessary cookies may affect the functionality of the website.

4. Purposes and Legal Basis of Processing

We process personal data for the following purposes:

Providing the Service and managing your Account — We process your Account Data and Customer Data to deliver the Service, manage your subscription, and provide customer support. Under the FADP, this processing is justified by the performance of the contract. Under the GDPR, the legal basis is Art. 6(1)(b). Processing payments — We process Account Data and Payment Data to handle subscription payments, issue invoices, and manage billing. Payment credentials are processed by Payrexx AG. Under the FADP, this is justified by the performance of the contract. Under the GDPR, the legal basis is Art. 6(1)(b). Website operation and security — We process Technical Data and Log Data to ensure the security, stability, and proper functioning of the website and Service. Under the FADP, this is justified by our legitimate interest in maintaining security. Under the GDPR, the legal basis is Art. 6(1)(f). Analytics and improvement — With your consent, we process Usage Data and Technical Data to understand how the website is used and to improve our Service. Under the FADP, consent is required for non-essential analytics. Under the GDPR, the legal basis is Art. 6(1)(a). Marketing communications — With your explicit consent, we may send you information about our products and services. You can withdraw your consent at any time. Under the FADP and the GDPR, the legal basis is consent (Art. 6(1)(a) GDPR). Legal compliance — We process personal data as required to comply with applicable laws, regulations, and legal proceedings. Under the FADP, this is justified by legal obligation. Under the GDPR, the legal basis is Art. 6(1)(c).

5. Customer Data and AI Processing

5.1. Customer Data uploaded to the Service (documents, files, knowledge base content) is processed exclusively for the purpose of providing the Service — specifically, to enable AI-powered queries, document retrieval, and knowledge base interactions.

5.2. We do not use Customer Data to train, fine-tune, or improve any machine learning model, whether our own or third-party. This is a core commitment of our Service.

5.3. Queries and documents are processed by open-source AI language models hosted exclusively on Swiss infrastructure. No Customer Data leaves Switzerland during processing. For Enterprise Deployments, processing occurs within the Customer's designated Swiss infrastructure.

5.4. The Service generates audit logs of user queries and document access for compliance and governance purposes. These logs are accessible to the Customer's administrators and are part of the Customer Data.

6. Data Sharing and Disclosure

6.1. We do not sell, rent, or trade your personal data to third parties.

6.2. We may share personal data with the following categories of recipients, strictly for the purposes described:

Payrexx AG (Burgstrasse 20, 3600 Thun, Switzerland) — Payment processing. Payrexx is a regulated Swiss payment service provider supervised under FINMA regulations. Swiss hosting providers (e.g., Hidora SA, Switzerland) — Infrastructure and hosting for the HybridLLM platform. Email service providers (Switzerland / EEA) — Transactional email delivery (order confirmations, support communications).

6.3. All third-party service providers are contractually bound to protect personal data and are selected based on their compliance with the FADP and, where applicable, the GDPR.

6.4. Legal Disclosures. We may disclose personal data if required by Swiss law, regulation, or valid legal process (e.g., court order). We will notify the affected individual unless prohibited by law.

6.5. Business Transfers. In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred to the acquiring entity, subject to the same data protection obligations described in this Privacy Policy.

7. International Data Transfers

7.1. Customer Data processed through the HybridLLM Service is stored and processed exclusively in Switzerland.

7.2. Certain personal data (e.g., for website analytics or email communications) may be transferred to countries within the European Economic Area (EEA). Switzerland is recognized by the EU as providing an adequate level of data protection.

7.3. We do not transfer personal data to countries outside Switzerland and the EEA unless: (a) the destination country provides an adequate level of data protection as recognized by the Swiss Federal Council or the European Commission; (b) appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs); or (c) you have given your explicit consent.

8. Payment Processing and Payrexx

8.1. Online payments for subscriptions are processed by Payrexx AG (Burgstrasse 20, 3600 Thun, Switzerland), a regulated Swiss payment service provider supervised under FINMA regulations and member of the self-regulatory organization VQF.

8.2. When you make a payment, you interact with a Payrexx-hosted payment interface. The following data is shared with Payrexx for payment processing: your name, email address, billing address, payment amount, currency, and transaction reference.

8.3. Credit card numbers, CVV codes, and other sensitive payment credentials are processed directly by Payrexx and are never transmitted to or stored on Adopt-AI SA's systems. Payrexx processes this data in accordance with PCI-DSS (Payment Card Industry Data Security Standard) requirements.

8.4. Payrexx's processing of your personal data is governed by Payrexx's own privacy policy, available at payrexx.com/en/data-protection, and Payrexx's terms of use, available at payrexx.com/en/gtc.

8.5. We receive from Payrexx a payment confirmation, transaction ID, and a masked payment method identifier (e.g., last four digits of the card) for invoicing and accounting purposes. We retain this information for the duration required by Swiss commercial and tax law (currently ten years under Art. 958f CO).

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Account Data — Duration of the Account plus thirty (30) days after Account deletion or subscription termination. Customer Data — Duration of the subscription plus thirty (30) days (Retention Period for data export), then permanently deleted within ninety (90) calendar days. Payment and Invoicing Data — Ten (10) years from the end of the relevant fiscal year, as required by Swiss commercial law (Art. 958f CO). Log Data (security) — Twelve (12) months, for security monitoring and incident response. Contact Form Submissions — Twenty-four (24) months, for follow-up and business relationship management. Analytics Data — Twenty-six (26) months, anonymized, for website improvement. Marketing Consent Records — Duration of consent plus three (3) years, as proof of consent.

After the applicable retention period, personal data is permanently deleted or anonymized so that it can no longer be attributed to an identifiable individual.

10. Your Rights

Under the FADP and, where applicable, the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 25 FADP / Art. 15 GDPR) — You may request information about whether and how we process your personal data, and obtain a copy of such data. Right to Rectification (Art. 6(5) FADP / Art. 16 GDPR) — You may request correction of inaccurate or incomplete personal data. Right to Erasure (Art. 17 GDPR) — Under the GDPR, you may request deletion of your personal data in certain circumstances. Under the FADP, you may request deletion where processing is unlawful. Right to Restriction of Processing (Art. 18 GDPR) — Under the GDPR, you may request restriction of processing in certain circumstances. Right to Data Portability (Art. 28 FADP / Art. 20 GDPR) — You may request your personal data in a structured, commonly used, machine-readable format. Right to Object (Art. 21 GDPR) — Under the GDPR, you may object to processing based on legitimate interest or for direct marketing purposes. Right to Withdraw Consent — Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to the withdrawal. Right to Lodge a Complaint — You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, for EU residents, with a competent supervisory authority in the EEA.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within thirty (30) calendar days. We may request verification of your identity before processing your request.

11. Data Security

11.1. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls
  • Regular security assessments and vulnerability testing
  • Multi-factor authentication for administrative access
  • Security by design and by default principles
  • Documented incident response procedures

11.2. In the event of a personal data breach that is likely to result in a high risk to your rights, we will notify the FDPIC without delay and, where required, inform affected data subjects as soon as possible, in accordance with Art. 24 FADP and, where applicable, Art. 33-34 GDPR.

12. Data Processing Agreement

Where a Customer acts as a data controller and Adopt-AI SA processes personal data on behalf of the Customer in the course of providing the Service, a Data Processing Agreement (DPA) is available upon request. Please contact [email protected] to request a DPA. For Enterprise Customers, the DPA is included as part of the Enterprise Agreement.

13. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such data promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated by email and/or through a prominent notice on our website at least thirty (30) days before taking effect. The "Last updated" date at the top of this page indicates when the Privacy Policy was last revised.

15. Contact

For any questions, requests, or complaints regarding this Privacy Policy or our data processing practices:

Adopt-AI SA — Data Protection

Rue du Pré-de-la-Bichette 1

1202 Genève, Switzerland

Email: [email protected]

Swiss Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1, 3003 Bern, Switzerland

edoeb.admin.ch