Revizto Privacy/Data Protection Policy
1. Introduction
Revizto, SA, a Swiss company (“Revizto”) is committed to safeguarding the privacy of our visitors and customers. This Privacy Policy explains how Revizto (“Company”, “we”, “us”) processes personal data in connection with the Revizto Solution, related mobile/desktop applications, websites, support and professional services (together, the “Services”).
Unless otherwise stated, Revizto SA, Av. De Gratta-Paille 2, 1018 Lausanne, Switzerland is the controller under the Swiss Federal Act on Data Protection (“nFADP”) and the EU/UK General Data Protection Regulation (“GDPR”) where they apply. If our Customer is the controller and we act as processor under a data processing agreement, this will be clearly specified in the relevant contract documentation.
This Policy applies where we are acting as a data controller regarding the personal data of our visitors and Customers of the Services; in other words, where we determine the purposes and means of the processing of that personal data.
Where we are acting as a data processor regarding the personal data of our visitors and Customers of the Services; in other words, where we process data on behalf of our Customers per the purposes and means determined by the Customers as data controllers, the Revizto Customer Data Processing Agreement (https://revizto.com/en/customer-data-processing-agreement/) applies.
2. What Data do we Collect, and How
We apply the data minimisation principle and only process personal data that is necessary for the purposes set out in this Policy. Depending on how you interact with us, we may process the following categories of personal data:
- Identification and contact data: name, business email address, business phone number, job title, role, company name, postal address, preferred language and authentication identifiers.
- Account and profile data: username, password, access rights, user group, profile settings, communication preferences, support credentials and license identifiers.
- Usage and device data: IP address, device identifiers, operating system, browser type and version, time zone, log data, date and time of access, pages and features used, crash logs, performance metrics and similar technical information generated by use of the Services.
- Transaction and contractual data: subscription details, products and modules purchased, billing and invoicing data (excluding full payment card numbers processed by payment providers), contract dates, purchase history and support entitlements.
- Support and communication data: content of emails, tickets, chat messages, call notes, meeting records, survey responses and any other correspondence, including metadata generated by our ticketing or CRM tools.
- Marketing and event data: newsletter subscriptions, marketing preferences, registrations for webinars, demos or events, attendance information, campaign interactions, click statistics and cookie-based identifiers.
- Content and collaboration data: information, files, models or other content you or your organisation upload, create, share or annotate within the Services, which may include personal data about you or other individuals.
We collect data directly from you (for example when you register for an account, use the Services, contact support or subscribe to communications), from our Customers or your employer (e.g. user provisioning), from our resellers and business partners, from publicly available sources, and from cookies and similar tracking technologies.
Where we request personal data that is necessary to enter into or perform a contract or to comply with legal obligations, failure to provide such data may mean we cannot provide part or all of the Services, respond to your requests or fulfil our contractual obligations. Where data is requested on a voluntary basis or based on consent, this will be clearly indicated, and there will be no adverse consequences other than not being able to benefit from the relevant optional feature or communication.
3. Purpose and Legal Basis
We process personal data for the purposes and on the legal bases listed below.
- Provision and operation of the Services
  - Purposes: creating and managing user accounts, authenticating users, providing the contractually agreed Services, enabling collaboration, ensuring availability and performance, providing updates and new features to our Services.
  - Legal bases: performance of a contract or steps prior to entering into a contract; our legitimate interests in providing and improving the Services; in limited cases, consent (e.g. optional features).
- Customer service and support
  - Purposes: responding to enquiries, providing technical and Customer support, providing implementation services, incident management, training and onboarding, Customer success management.
  - Legal bases: performance of a contract; legitimate interests in providing effective support and maintaining Customer relationships.
- Security, abuse prevention and compliance
  - Purposes: securing accounts and infrastructure, monitoring and logging access, detecting and preventing fraud, misuse and cyber threats, managing backups and business continuity, and complying with legal obligations (e.g. retention, regulatory requests).
  - Legal bases: legitimate interests in protecting our Services, business and users; compliance with legal obligations.
- Service improvement, analytics and product development
  - Purposes: analysing usage and performance, improving user experience, developing new features, quality assurance, training of internal teams and generation of aggregated statistics.
  - Legal bases: legitimate interests in improving and developing our Services; where required by law for certain analytics or cookies, consent.
- Marketing and communication
  - Purposes: sending newsletters, product updates, invitations to events, surveys and other information that may be relevant to you; tailoring our communications based on your profile and interests; managing event registrations and follow-up.
  - Legal bases: legitimate interests in promoting our Services to business contacts; consent where required (e.g. certain electronic marketing, or where national laws require prior opt-in). You may opt out at any time.
- Contract and business administration
  - Purposes: negotiating and performing contracts, invoicing and accounting, managing resellers and partners, corporate governance, and corporate transactions (e.g. mergers or acquisitions).
  - Legal bases: performance of a contract; compliance with legal obligations; legitimate interests in managing our business.
If we intend to process personal data for a purpose that is not compatible with the original purposes, we will provide you with appropriate additional information and, where required, seek your consent.
4. Sharing of Personal Data
We do not sell personal data. We may share personal data with the following categories of recipients, to the extent necessary for the purposes described above and subject to appropriate safeguards:
- Group companies: other entities in our corporate group that support the provision and administration of the Services (e.g. hosting, support, finance, sales), in accordance with intra-group agreements reflecting applicable data protection requirements.
- Service providers (processors): carefully selected third parties providing hosting, infrastructure, Customer support tools, email and SMS delivery, analytics, security monitoring, payment processing, marketing tools, event platforms and other IT or professional services. These providers process personal data only on our documented instructions and are bound by confidentiality and security obligations protecting your data.
- Resellers, distributors and partners: where you purchase or access the Services through a partner, we may share necessary data (such as contact details, license status and usage information) with that partner for sales, billing, support and account management purposes.
- Professional advisers and insurers: auditors, lawyers, accountants, and insurance providers where necessary for governance, legal, compliance or risk management reasons.
- Public authorities and legal proceedings: regulators, law enforcement, courts or other public bodies where we are legally required or permitted to do so, or where disclosure is necessary to assert, exercise or defend legal claims or to protect the rights, property or safety of us, our users or others.
- Corporate transactions: potential or actual buyers, investors and their advisers in connection with any merger, acquisition, restructuring or similar corporate transaction, subject to appropriate confidentiality protections and only to the extent permitted by law.
Where you publish or share content within the Services (for example in collaborative projects, forums or shared workspaces), certain information such as your name, profile and activity may be visible to other authorised users according to the configuration chosen by your organisation or by you.
5. Cookies and Similar Technologies
Our websites and Services use cookies and similar technologies (such as pixels, tags and local storage) to enable core functionality, secure access, analyse usage and, where allowed, support marketing activities. Cookies are small text files stored on your device that allow us or third parties to recognise your browser and collect certain information.
We generally use the following categories of cookies:
- Strictly necessary cookies to enable you to navigate and use secure areas of our sites and Services, manage sessions and store technical preferences; these cannot usually be disabled without affecting the Service.
- Functional cookies to remember your choices (e.g. language, region, display settings) and provide enhanced features.
- Analytics cookies to collect information on how our websites and Services are used, such as pages visited, duration of sessions and interaction with features; for example, we may use tools such as Google Analytics or comparable solutions.
- Marketing or advertising cookies, if implemented, to measure the effectiveness of campaigns and, where applicable, display relevant ads on our sites or third-party sites.
Where required by law (e.g. in the EEA, UK and certain other jurisdictions), we obtain your consent before setting non-essential cookies. You can manage your cookie preferences through our cookie banner or settings tool, and via your browser settings, although blocking certain cookies may impact your ability to use the Services.
6. International Transfers of your Personal Data
As a Swiss-headquartered provider operating globally, we may transfer personal data to countries outside Switzerland, the European Economic Area (“EEA”) and the United Kingdom, including to jurisdictions that may not provide the same level of data protection as your home country. This may include transfers to our group entities, service providers or partners located, for example, in the United States or other regions where our infrastructure is hosted or support is provided.
Where such transfers concern data subject to Swiss or EU/UK data protection law and the destination country has not been recognised as providing an adequate level of protection, we implement appropriate safeguards, typically standard contractual clauses approved by the European Commission or the Swiss Federal Council, possibly supplemented by additional measures following a transfer impact assessment.
In certain limited situations, international transfers may also take place based on your explicit consent, the performance of a contract in your interest, the establishment, exercise or defence of legal claims, or other applicable derogations under data protection law.
The hosting facilities for our website and servers are situated in the USA (Virginia), Canada (Montreal), Ireland (Dublin), UK (London), Singapore (Singapore), Australia (Sydney), Brazil (São Paulo), Japan (Tokyo), United Arab Emirates (Dubai) (the “standard servers”). Transfers to these standard servers are protected by appropriate safeguards.
Customers’ project info/data and models of the projects remain on each server for which the user has obtained an assigned licence.
Limited user data, i.e. email, first name and last name, is replicated to the standard servers in the regions above for the purpose of allowing collaboration when using the Services: when any user from one location shares a project with another user in another location, both servers recognize the users.
We have a separate cloud environment (Alibaba Cloud) for China (Shanghai) and the Kingdom of Saudi Arabia (Riyadh). There is no user data replication to or from these separate servers.
7. Retaining and Deleting Personal Data
Personal data is kept only for as long as necessary to fulfil the purposes for which it was collected, and to the extent required or permitted by applicable law. Retention periods are determined based on criteria such as:
- the duration of your or your organisation’s subscription or business relationship with us;
- statutory retention obligations (e.g. commercial and tax law);
- the existence of actual or potential legal claims; and
- technical and operational requirements (e.g. backup and archiving).
By way of example and subject to specific contractual terms or legal requirements:
- account and contract data may generally be retained for the term of the contract and for a subsequent period (e.g. 10 years) in line with Swiss and other applicable record-keeping obligations;
- technical logs and usage data are usually retained for shorter periods necessary for security, troubleshooting and analytics, after which they are deleted or irreversibly anonymised;
- marketing-related data is normally retained until you withdraw your consent or object, or for a limited period after your last interaction with us.
Where data is deleted from active systems, it may remain in backups for a limited additional period for business continuity and disaster recovery purposes.
Note that the above information pertains strictly to personal data; any Customer project data is deleted no later than 90 days after termination of the license agreement with the Customer.
8. Data Security
We implement a combination of technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or destruction. These measures may include, as appropriate: access controls and authentication, role-based authorisations, network and application security, encryption in transit and at rest, logging and monitoring, regular backups, secure development practices, staff confidentiality obligations and training, vendor due-diligence and incident response processes. For more detailed information about Revizto’s security engagements, please read https://security.revizto.com/.
Access to personal data is limited to personnel, contractors and service providers who have a legitimate need to know the information for the purposes described in this Policy and who are bound by confidentiality and data protection obligations. Despite these measures, no system can be completely secure; if a data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with applicable law and our contractual obligations.
9. Your Rights
Depending on your place of residence and applicable law (including the nFADP, GDPR and comparable laws), you may have some or all of the following rights in relation to your personal data:
- Right of access: to obtain confirmation as to whether we process personal data about you and, if so, to receive information and a copy of such data, subject to legal restrictions and the rights of others.
- Right to rectification: to have inaccurate or incomplete personal data corrected or completed.
- Right to erasure: to request deletion of your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected or where you withdraw consent on which the processing is based.
- Right to restriction: to request restriction of processing in certain cases, such as where you contest the accuracy of the data or have objected to processing pending verification.
- Right to object: to object, on grounds relating to your particular situation, to processing based on our legitimate interests, and to object at any time to processing for direct marketing purposes (including profiling to the extent related to such marketing).
- Right to data portability: where processing is based on consent or on a contract and carried out by automated means, to receive the personal data you provided to us in a structured, commonly used and machine-readable format and to ask us to transmit it to another controller where technically feasible.
- Right to withdraw consent: where processing is based on consent, to withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise your rights, please contact us using the details provided above, indicating which right you wish to exercise and, where necessary, providing information that allows us to verify your identity. We may request additional information where needed to confirm your identity or clarify your request and will respond within the time limits set by applicable law.
If you believe that our processing of your personal data infringes applicable data protection law, you also have the right to lodge a complaint with the competent supervisory authority, in particular in your country of habitual residence, your place of work or the place of the alleged infringement.
10. Marketing Communications and Preferences
If you have an account with us or otherwise interact with our Services, we may send you service-related communications (for example security or transactional notifications) which are necessary for the performance of the contract and cannot typically be opted out of while you use the Services.
For marketing communications (such as newsletters, product information and event invitations), you can manage your preferences or unsubscribe at any time by using the unsubscribe link in the email, adjusting your account settings (if available) or contacting us via the details above. If you opt out of marketing, we may still process limited contact information to record your preference and continue to send non-marketing communications.
11. Links to Third-Party Sites and Services
Our websites and Services may contain links to or integrations with third-party websites, platforms, plugins or services that are not operated by us. If you interact with such third-party content (for example social media buttons, embedded services or external payment providers), the relevant third parties may collect data about you and process it according to their own privacy policies. We are not responsible for the privacy practices of third parties and encourage you to review their privacy policies before providing them with personal data.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in law, our Services or our data processing practices. The most current version will always be available on our website, showing the “Last updated” date at the top; in case of material changes, we will take reasonable steps to inform you in advance, for example by prominent notice on our website or via email, where appropriate. Your continued use of the Services after the effective date of an updated Policy will be deemed acceptance of the changes, to the extent permitted by law.
13. Questions and Requests
For any questions or requests regarding this Policy or your personal data, you can contact our Data Protection Officer at privacy@revizto.com or Revizto SA, Attention: Data Protection Officer, Av. De Gratta-Paille 2, 1018 Lausanne, Switzerland.