Privacy Policy

Urban Sympheny AG ("Sympheny"), based in Winterthur, is a technology company. Sympheny provides an energy systems optimization software as a service ("Service") to private and enterprise customers, and operates sympheny.com. Although our customers are the main actors involved in the upload and management of all content, including content containing Personal Data, this Privacy Policy describes in detail how your Personal Data is collected and used.

Our Privacy Policy fully applies and respects the highest protection standards set by the European Union General Data Protection Regulation ("GDPR") in force since May 25, 2018, which regulates the processing of personal data of natural persons. The geographical scope of application of the GDPR is very broad. The provisions of the GDPR apply within the territory of the EU and to all Controllers and Processors which process personal data of EU citizens (even if they live outside the EU). Accordingly, the GDPR also applies to companies not established in the territory of the EU. Sympheny, as a Swiss company, is therefore also subject to the provisions of the GDPR, as well as the Swiss Federal Act on Data Protection (nDSG), in force since 1 September 2023.

What is Personal Data?

According to art. 4 para. 1 GDPR, "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

As we also process Personal Data of citizens who do not belong to and/or do not operate in a territory of the European Union, the term Personal Data for the purposes of this Privacy Policy encompasses both the meaning of article 4 of the GDPR and that of Personally Identifiable Information (PII) as defined in US legislation. We make an explicit difference where required.

Data Controller and Data Processor

The GDPR differentiates between Data Controller and Data Processor. Controllers are those who determine the purposes and means of the processing of personal data. Processors are those that process Personal Data on behalf of the Controller.

For providing the Service to its customers, Sympheny acts as a Data Processor in terms of GDPR. Natural persons or legal entities can purchase a subscription ("Sympheny Plan"). In order to provide the Service, we need to collect and use certain Personal Data. We process Personal Data only on behalf of, and on instruction of, our customers, and in accordance with applicable law. For this reason, our customers who purchase a Sympheny Plan are primarily responsible for the processing of Personal Data of all users (e.g. employees of the customer and/or other natural persons invited by the customer to join the platform).

In exceptional circumstances, Sympheny acts as Data Controller. This occurs in connection with: (i) natural persons who materially purchase a Sympheny Plan and do not sign in the name of a legal entity; (ii) visitors of our website; (iii) interested natural persons who consent to provide their Personal Data; and (iv) our employees.

Sympheny Processes Personal Data

Sympheny lawfully processes Personal Data in accordance with the meaning given to this term by article 4 of the GDPR. Article 6 of the GDPR prescribes that processing is lawful only if and to the extent that at least one of the following applies:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Sympheny Collects Personal Data

General individual information: In order to register for our Services, to show interest in getting more insights about our product, and in general to be contacted for marketing purposes, current and prospective users of Sympheny may — upon prior explicit consent — provide Personal Data in the form of their email address, name and surname, company name, job title, or similar.

User data: Every user of Sympheny, independently of their particular Sympheny Plan, must register and log in to our platform in order to use Sympheny. To sign up and log in, the following Personal Data is mandatory: name and surname, email address, and password.

Billing: In order to subscribe for Sympheny and purchase a Sympheny Plan, potential customers may need to provide credit card information and a billing address. Sympheny does not collect or store any credit card information itself.

Browser data: We may collect standard website visitor information supplied by your browser (e.g., your operating system, the browser you are using, IP addresses, language settings). This information depends on the type of device, browser, and settings you are using.

Other usage statistics: Besides browser data, we may collect statistics, usage information, and may record user sessions on how registered users use our Services in order to maintain and improve them.

Marketing: We might use the information collected for our own marketing purposes. This includes, but is not limited to, marketing campaigns, marketing events, and newsletters. This information will be used solely for marketing purposes by Sympheny and will not be shared with any third parties.

Exclusion of special categories of Personal Data: Sympheny will never ask current or prospective customers to provide Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. In case we might come across any of this data, its use by Sympheny is strictly prohibited.

Personal Data of job applicants: If you apply for a vacancy at Sympheny, we will collect and process information that you voluntarily communicate to us about yourself for purposes related to potential employment. Additionally, we may collect publicly available information (e.g., your LinkedIn profile). Sympheny will store and manage this information with a trusted third-party providing a state-of-the-art solution for recruiting processes. You can request access, correction, or deletion of job applicant information at any time using the contact details below.

Personal Data of children (under the age of sixteen): We do not voluntarily collect information from anyone under the age of sixteen. If we learn that we may have received information from someone under the age of sixteen, we will take immediate action and all reasonable measures to remove the information.

Sympheny Uses Personal Data

Sympheny will use the collected information to provide the Service to the customer and continuously improve the product and its features. Sympheny does not resell any Personal Data to any third party.

Occasionally, we may publicly release aggregated statistics (e.g., by publishing reports on trends in the usage of our sites). Any usage information used to monitor and improve our Service is anonymised and aggregated.

If you are a registered user of a Sympheny site or Service and have supplied your email address, Sympheny may occasionally send you an email to communicate the release of new features, solicit your feedback, or keep you up to date with what's going on with Sympheny and our products.

If you send us a request (for example, via a support email or one of our feedback mechanisms), we reserve the right to use this information to help us clarify or respond to your request, or to help us support other users. Sympheny takes all measures reasonably necessary to protect against the unauthorised access, use, alteration, or destruction of Personal Data.

Sympheny Uses Third-Party Sub-Processors

Sympheny engages the following trusted third-party sub-processors, which provide parts of the Service on behalf of Sympheny in regard to the processing of Personal Data:

• Microsoft Azure — Location: Switzerland / EU — Service: Cloud hosting and infrastructure for the Sympheny platform
• Amazon Web Services (AWS) — Location: Stockholm, SE — Service: Data processing and hosting
• Salesforce — Location: Frankfurt, DE — Service: Customer information hosting
• Google LLC — Location: EU/US — Service: Website analytics (Google Analytics 4)
• Microsoft Corporation — Location: EU/US — Service: Session recording and heatmap analytics (Microsoft Clarity)
• Plausible Insights OÜ — Location: EU/EEA — Service: Privacy-preserving, cookieless website analytics
• Liid Oy (Leadfeeder) — Location: Helsinki, FI — Service: Company-level website visitor identification
• SalesViewer GmbH — Location: Bochum, DE — Service: Company-level website visitor identification
• Albacross Nordic AB — Location: Stockholm, SE — Service: Company-level website visitor identification

A full list of sub-processors is available at sympheny.com/sub-processors.

Sympheny Doesn't Disclose Personal Data

Sympheny provides the highest attainable standards of legal protection to Personal Data. We therefore apply a general policy of non-disclosure, and all our employees and third parties are bound by non-disclosure agreements.

In particular circumstances, disclosure of Personal Data is necessary, but encompasses only our employees, contractors, and affiliated organisations, and is limited to those cases where one of these parties needs to know that information in order to process it on behalf of Sympheny or to provide services available at Sympheny's sites.

Our employees, contractors, and affiliated organisations may also be located outside the home country of the user. By using Sympheny's site, users consent to the transfer of such information to them.

Other than the case described above, Sympheny may need to disclose Personal Data in response to a subpoena, court order, or other governmental request, or when Sympheny believes in good faith that disclosure is reasonably necessary to protect the property or rights of Sympheny, third parties, or the public at large.

Sympheny Uses Cookies and Analytics

We use cookies and similar technologies on sympheny.com. These fall into three categories:

Essential cookies are required for the site to work — things like remembering your cookie preferences. These are always active and do not require consent.

Analytics cookies help us understand how people find and use the site. We use Google Analytics 4 to track pages visited, session length, and traffic sources, and Microsoft Clarity for session recordings and heatmaps that show where people click and scroll. Both tools process data in pseudonymous form. We also use Plausible Analytics, a privacy-preserving, cookieless analytics tool that measures aggregated traffic without tracking individuals across sites or storing personal data. We use this information only to improve sympheny.com — not for advertising. For EU visitors, Google Analytics 4 and Microsoft Clarity are only activated after you give consent via the cookie banner.

Company-level identification (legitimate interests — Art. 6(1)(f) GDPR): We use Leadfeeder (Liid Oy, Helsinki, Finland), SalesViewer® (SalesViewer GmbH, Bochum, Germany), and Albacross (Albacross Nordic AB, Stockholm, Sweden) to identify which companies are exploring the site, for B2B sales and marketing purposes. No individual visitors are identified. We have conducted a Legitimate Interest Assessment for each service and concluded that our interest in understanding corporate demand for the platform is not overridden by visitors' rights, given that only company-level data is derived via reverse IP lookup and no individuals are profiled. Company-level data is retained for up to 90 days. SalesViewer® data is encrypted using a non-retrievable one-way function (hashing) and immediately pseudonymised. You can opt out of Leadfeeder tracking at any time by emailing support@sympheny.com. You can opt out of SalesViewer® tracking at any time by visiting salesviewer.com/opt-out. You can opt out of Albacross tracking at any time by visiting app.albacross.com/opt-out.

You can manage your cookie preferences at any time using the banner at the bottom of the page. You can also turn cookies off in your browser — most browsers have a Help section that explains how.

Sympheny Might Change

If Sympheny, or substantially all of its assets, are acquired, user information would be one of the assets transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of Sympheny may continue to use your Personal Data as set forth in this Privacy Policy.

Sympheny Updates its Privacy Policy

We may update this Privacy Policy from time to time. You can always find the latest version on our site. We undertake to inform our customers regarding updates to this Privacy Policy in our newsletters.

Your Rights

Under the GDPR (and the Swiss nDSG where applicable), you have the following rights regarding your Personal Data:

• Right of access (Art. 15 GDPR): You may request a copy of the Personal Data we hold about you and information on how it is used.
• Right to rectification (Art. 16 GDPR): You may ask us to correct inaccurate or incomplete Personal Data.
• Right to erasure (Art. 17 GDPR): You may request that we delete your Personal Data where there is no compelling reason for us to continue holding it.
• Right to restriction of processing (Art. 18 GDPR): You may ask us to restrict how we use your data in certain circumstances.
• Right to data portability (Art. 20 GDPR): Where processing is based on your consent or a contract, you may request a copy of your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR): Where we process your data on the basis of legitimate interests, you have the right to object at any time. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights, or processing is necessary for the establishment or defence of legal claims.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at support@sympheny.com. We will respond within one month. You also have the right to lodge a complaint with a supervisory authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); for EU residents, your national data protection authority.

Contact

For questions about this Privacy Policy or any privacy-related matter, contact us at support@sympheny.com. For general product support, use support@sympheny.com.