Privacy policy · v1.5 · 2026-06-20
Data is collected only to sell, generate, and deliver the report.
1. Controller
SemioXis – Chezaud Semiotics, the sole proprietorship (raison individuelle) of Alexandre Chezaud, Montreux, canton of Vaud, Switzerland, is the data controller for this site and the SemioXis Evidence Report service. Privacy contact: the contact form (select “Privacy and data request”). No external Data Protection Officer is appointed; this form serves as the single point of contact under Swiss nLPD art. 25 and GDPR art. 13.
2. Data collected
SemioXis processes only the data needed to sell, produce, and deliver the report:
- buyer email address;
- submitted public URL of the analyzed brand;
- payment reference and order identifier (no card data is stored by SemioXis; Stripe handles payment data);
- support correspondence, including the email address and message content submitted through the contact form;
- operational scan evidence (public HTML fetched from the analyzed URL, computed score, internal session identifier);
- delivery status (sent / opened — only if Resend tracking is active, see §8).
3. Legal bases
- Contract performance (GDPR art. 6.1.b / nLPD art. 31.1.a) — for sale, generation, and delivery of the report.
- Legal obligation (GDPR art. 6.1.c / nLPD art. 31.1.c) — for accounting records and tax retention under Swiss CO art. 127.
- Legitimate interest (GDPR art. 6.1.f / nLPD art. 31.1.d) — for fraud prevention, security logs, and minimal anonymized learnings to improve the methodology.
4. Processors and sub-processors
SemioXis uses the following processors. Each is bound by a data processing agreement or equivalent contractual terms.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing, Stripe Tax | Ireland (EU) with US affiliates | EU adequacy; Swiss-US DPF for US transfers |
| Resend, Inc. | Transactional email | United States | EU Standard Contractual Clauses (SCC) with transfer impact assessment |
| Netlify, Inc. | Static website hosting, content delivery (CDN), and contact-form submission intake | United States | EU Standard Contractual Clauses (SCC) with transfer impact assessment |
| Infomaniak Network SA | Object storage, mail relay, and hosting of SemioXis self-hosted capture, queue, and orchestration components | Switzerland | Domestic (no transfer) |
| OpenRouter and AI providers | Methodology computation (subject to documented gating) | United States | Used in production only when documented gating is satisfied (DPA, ZDR, transfer mechanism, transfer impact assessment); see terms boundary. |
If a sub-processor is added or replaced, this list is updated. Material changes are communicated by email to active customers before they take effect.
5. International transfers
Where data is transferred outside Switzerland or the European Economic Area, SemioXis relies on:
- the Swiss-US Data Privacy Framework (DPF) for self-certified US processors;
- EU Standard Contractual Clauses (SCC) as a backup mechanism;
- a written transfer impact assessment for US-bound flows;
- data minimization at source — the methodology pipeline sends no private email, private phone, AVS number, or patient data outside Switzerland (contact-form submissions handled by Netlify are covered by the SCC mechanism above).
6. Retention
- Buyer email and order metadata: 10 years (Swiss CO art. 127 — accounting retention).
- Operational scan state (Redis): 14 days TTL after order, then automatic purge.
- Generated report PDF on Swiss object storage: 30 days post-delivery, then automatic purge of the buyer-facing copy.
- Support tickets: 12 months from last interaction.
- Email tracking events (if enabled): 30 days.
- Anonymized methodology learnings (no identifiers, no original images): retained for ongoing calibration; subject to deletion if a residual link to the buyer can be reconstructed.
7. Your rights
You may request access, rectification, deletion, restriction, and portability where applicable, and you may object to processing based on legitimate interest. Requests sent through the contact form (topic “Privacy and data request”) are answered within 30 days (Swiss nLPD art. 25.7).
If you believe your rights are not respected, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (PFPDT, edoeb.admin.ch) or, if you are in the EU/EEA, with your national supervisory authority.
California residents: under the CCPA / CPRA, you may request to know, delete, or correct personal information collected about you. SemioXis does not sell or share personal information for cross-context behavioral advertising. Send requests through the contact form.
8. Cookies and tracking
SemioXis uses strictly necessary cookies during Stripe Checkout to process payment. No analytics, advertising, or behavioral tracking cookies are placed on this site. Fonts and stylesheets are self-hosted. The site is delivered through Netlify's content delivery network (United States), which processes visitor IP addresses in server access logs for delivery and security purposes; these logs are not used for analytics, advertising, or behavioral profiling.
Transactional emails sent via Resend may include an open-tracking pixel for delivery diagnostics. The open-tracking pixel can be disabled on request through the contact form.
9. Security
SemioXis applies data minimization, secrets isolation, session isolation, restricted operator access, temporary purge of buyer deliverables, encrypted transport, and segregated storage tiers. Detailed controls are documented in the internal security registry.
10. Updates
This policy may be updated to reflect changes in processors, retention, or legal obligations. The version date appearing above is the binding version for orders placed under that version. Material changes are communicated to active customers by email.