Privacy Policy for the Website (Data Innovation Alliance)
Last Updated: October 2025
(This Privacy Policy is provided as a comprehensive example for a Swiss website and addresses both Swiss and EU data protection requirements.)
1. Introduction
Your privacy is important to us. This Privacy Policy describes how Data Innovation Alliance (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use our website. We are committed to processing personal data in accordance with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR). By using our website, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Data Controller and Contact Information
The data controller responsible for your personal data is Data Innovation Alliance, a Swiss organization. If you have any questions or requests regarding your personal data, you can contact us at:
Data Innovation Alliance
Bälliz 62, 3600 Thun, Switzerland
Email: contact@data-innovation.org (or use the contact form on our website)
3. Personal Data We Collect
We collect several types of personal data from you for various purposes. This includes information that you provide to us directly as well as data collected automatically when you interact with our site. The categories of data we process include:
Identification and Contact Data: When you register an account or sign up on our site, we collect personal information such as your name and email address. This information is used to identify you, create your user account, and communicate with you (for example, to send login links or respond to inquiries). If you contact us or subscribe to any newsletter or updates, we will also collect any information you choose to provide (such as your name, email, and the content of your communications).
Authentication Data: If our website offers login via OAuth or magic link authentication (through our authentication service Stack Auth), we may collect the credentials necessary to log you in. Typically, this includes your email address (for magic link login) and any OAuth identifiers or tokens from third-party login providers (e.g. if you choose to log in via Google or another platform). This data is used only to authenticate your access to the site and manage user sessions.
Payment Information: If you make purchases or payments on our site (for example, for services, membership fees, or event tickets), we will process payment-related information. Payment details, such as credit or debit card numbers and expiration dates, are not stored on our servers; instead, they are collected directly by our secure payment processor Stripe. Stripe may collect your payment card details, billing address, and other information necessary to process the transaction. We receive limited information about the payment, such as a confirmation that payment was made, the type of card, and the last four digits of the card number, as well as your name and contact info for receipt purposes.
Usage Data and Analytics: When you visit our website, we automatically collect certain data about your device and how you use the site. This usage data includes information like your IP address, browser type, device type, operating system, the pages or content you view, the dates/times of your visits, and the page you visited before navigating to our site. We use this data for analytics and improving our services – for example, to see which pages are most popular, to troubleshoot performance issues, and to understand how users interact with our site. This usage information is collected through server logs and analytics tools and is generally aggregated and not directly identifiable to you. If we use analytics cookies or similar tracking technologies, we will do so in accordance with your consent preferences (see the Cookies section below).
Email Communications: If we send transactional emails (such as verification codes, login magic links, or purchase receipts) or newsletters, we will use your email address to deliver those messages. Our email service provider (we use Resend for sending emails) may log information about the emails sent (for instance, whether you received or opened an email) for deliverability and analytics purposes.
We do not collect any sensitive personal data (such as government ID numbers, health information, or data about racial/ethnic origin, etc.) through the website. We also do not intentionally collect data from children under the age of 16; our website and services are intended for general audiences and not directed at minors.
4. Purpose and Legal Basis for Processing
We process the personal data collected from you for the following purposes, and rely on the corresponding legal bases:
Providing and Improving Our Services: We use your information to operate the website and provide you with the services or features you request. This includes using your registration data to maintain your account and preferences, authenticating you upon login, and enabling core site functionalities. It also includes processing payments you initiate (through Stripe) and providing customer support. The legal basis for these activities in the EU context is typically contractual necessity (Art. 6(1)(b) GDPR) – we need to process your data to deliver the service you expect. Under Swiss law, these uses are justified by the service you have requested and our legitimate interest in running a functional website.
Communication: We use contact information (like your email) to send you important notifications related to your use of the site. For example, we may send a magic link to your email to verify your login, confirm your account creation, send receipts for payments, or respond to inquiries you send us. These communications are either part of providing our services (contractual necessity) or based on our legitimate interest in ensuring effective user support and service delivery. If we ever send promotional emails or newsletters, we will only do so with your consent (opt-in), and you will have the ability to unsubscribe at any time.
Analytics and Site Improvement: We analyze usage data (which may involve cookies or similar trackers) to understand how our site is used and to improve user experience. This analysis helps us troubleshoot problems, optimize content, and develop new features. We typically rely on legitimate interests (Art. 6(1)(f) GDPR) as a legal basis for this processing, as the data is processed in a privacy-friendly, aggregated manner that does not outweigh your rights. However, for any non-essential analytics cookies, we will obtain your consent in compliance with applicable laws (see Cookies below). You have the right to object to analytics processing – and you can do so by refusing or disabling analytics cookies as described in the Cookies section.
Security and Abuse Prevention: We may process personal data (such as IP addresses or log-in attempts) to protect the security of our website, our users, and our infrastructure. This includes detecting and preventing fraudulent activity, network intrusions, or other malicious actions. Such processing is based on our legitimate interest in maintaining a secure service and is also often necessary to comply with legal obligations related to security. For instance, services like Cloudflare help us prevent DDoS attacks and ensure reliable delivery of our website content to you.
Legal Compliance: In certain cases, we may need to process or retain personal data to comply with our legal obligations. For example, financial transaction records might be kept for accounting/tax purposes or to comply with regulations, and we might disclose information if required by law or a government authority (such as for lawful requests or court orders). The legal basis for any such processing is compliance with a legal obligation (Art. 6(1)(c) GDPR or the corresponding basis under Swiss law) or, in some cases, protection of vital interests or public interest if applicable.
We do not use your personal data for any automated decision-making that produces legal or similarly significant effects on you, nor do we engage in any form of profiling that would invasively analyze or predict aspects of your personality, behavior, or interests. Any profiling we do is limited to basic analytics as described, and it does not have a legal or significant impact on you.
5. Cookies and Tracking Technologies
Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies to ensure our site works properly, to remember your preferences, and to analyze website traffic. For example, cookies may keep you logged in during your session, remember your language preferences, or collect anonymized analytics data.
Essential Cookies: These cookies are necessary for the website to function. They enable core features such as user login, account management, and security (for instance, we might set a cookie to maintain your session after you log in). Because they are essential for delivering the service you requested, these cookies are used without requiring prior consent. You can disable them by changing your browser settings, but note that doing so may cause some parts of the site to not work correctly.
Analytics Cookies: We may use analytics or performance cookies to collect information about how visitors use our site (e.g., which pages are visited most, whether users encounter errors). This helps us improve the website over time. Our analytics cookies do not collect information that directly identifies you; they provide aggregated statistics. We will ask for your consent before setting analytics cookies, in compliance with Swiss and EU regulations. For example, when you first visit our site, you might see a cookie consent banner allowing you to accept or decline these non-essential cookies. If you opt out or decline, we will honor your choice and not load the analytics tools.
No Third-Party Advertising Cookies: We do not use third-party advertising or social media cookies on our site. This means we are not tracking you for advertising purposes across other sites, and we are not integrating outside ad networks that collect your data via cookies. (If this changes in the future, we will update this policy and obtain necessary consents.)
Cookie Consent Management: You have control over cookies. When you first visit our site, you will be given the option to accept or reject non-essential cookies. If at any time you change your mind, you can adjust your preferences by using our cookie management tool (for example, via a “Cookie Settings” link or by clearing cookies in your browser). Additionally, most web browsers allow you to refuse cookies through settings. Please note that rejecting or disabling certain cookies may impact your experience (for instance, parts of the site that rely on cookies might not remember your preferences).
For more detailed information about the cookies we use, you can refer to our Cookie Policy (if available on our site). That policy (if provided) lists each cookie, its purpose, and its duration. If you have any questions about our use of cookies, feel free to contact us.
6. Disclosure of Data to Third Parties
We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. However, we do share certain data with trusted third-party service providers who help us operate our website and deliver our services. These providers process data only on our instructions and for the purposes described in this Privacy Policy. Our key service providers include:
Hosting and Infrastructure – Vercel: Our website is hosted on Vercel (a cloud hosting platform). When you visit our site, your requests (page visits, content downloads) are processed through Vercel’s servers. This means information like your IP address and other technical data may be transmitted to Vercel. Vercel stores website content and databases in order to serve the site to you. We rely on Vercel to securely store data and deliver our site with high performance. Vercel is a third-party processor acting on our behalf, and it is committed to protecting personal data in line with applicable laws.
Database – Neon: We use Neon as our database solution to store and manage information (such as your account details, and other data generated by the website). Personal data you provide (like your name, email, account info) is stored in this database. Neon acts as a data processor, hosting the database environment. We ensure that access to the database is secured and limited to authorized personnel. Neon’s infrastructure may be located in the European Union; thus, your data may be stored on servers within the EU (which is an approved jurisdiction for Swiss data transfers). We have agreements in place to ensure Neon protects the data according to required standards.
User Authentication – Stack Auth: For handling user login and authentication, we utilize Stack Auth, an authentication service (which provides features like OAuth login and magic link emails). When you log in or register, Stack Auth will process your email address and authentication credentials. For example, if you choose to log in via a magic link, Stack Auth sends an email on our behalf to verify your identity. Or, if you log in with a third-party account (OAuth), Stack Auth handles the connection with that provider (like Google) and returns your basic profile info (e.g., name, email) to our site. Stack Auth operates under strict security protocols and uses your data only for authentication purposes. It may store some of your account data to manage logins (such as an encrypted version of your password or tokens). We treat Stack Auth as a processor and have ensured it adheres to data protection requirements.
Email Delivery – Resend: We use Resend (an email service provider) to send out emails such as verification links, passwordless login links, confirmations, and other transactional messages. When we send you an email, your email address and the content of the message are transmitted to Resend’s systems for delivery. Resend may temporarily log information about the email (like when it was sent, and whether it bounced or was opened) for performance monitoring. Resend is a specialized third-party that processes email data on our behalf, and they implement security measures to protect this data. They are not allowed to use your email address for their own purposes.
Payment Processing – Stripe: If you enter payment details on our site (for instance, to purchase a service or pay a membership fee), those details are processed directly by Stripe, our third-party payment processor. Stripe will collect your payment card information and perform the transaction. In the process, Stripe will also receive identifying information such as your name, email, and billing info to associate with the payment. Stripe is PCI-DSS compliant, meaning it adheres to stringent security standards for processing payment data. We do not see or store your full credit card number or security code on our servers; Stripe handles that entirely. We share only the necessary data with Stripe and only for the purpose of completing the transaction. Stripe may also be required to retain transaction data to comply with financial regulations. (For more details, you can refer to Stripe’s own privacy policy on how they handle personal data.)
Content Delivery and Security – Cloudflare: Our website uses Cloudflare for DNS management and as a content delivery network (CDN) to improve security and performance. Whenever you access our site, your requests pass through Cloudflare’s global network. As a result, Cloudflare will process data such as your IP address, geographic location (based on IP), and possibly device information, in order to route you to the nearest server, detect malicious traffic, and speed up content delivery. Cloudflare also may set a security cookie (_cfduid or similar) on your browser to distinguish legitimate users from bots. Cloudflare is a US-based company, but it is certified under international data protection frameworks and commits to keeping data secure. Cloudflare acts as our data processor for these network and security functions.
All these third-party service providers are bound by contracts to only process your personal data for the purposes we specify and to implement adequate privacy and security measures. They do not have the right to use your data for their own independent marketing or other purposes. We carefully select our vendors and aim to use reputable providers with strong data protection commitments.
Aside from the processors listed above, we will not share your personal data with third parties unless one of the following applies: (a) you have given us explicit consent to do so; (b) it is necessary to fulfill our contract with you (e.g., collaborating with a partner service you have signed up for); (c) it is required by law or a lawful government request; or (d) we need to enforce our terms, protect our rights, property, or safety (or those of our users) – for instance, disclosing information to prevent fraud or attack. In any such case, we will only share the minimum information necessary.
7. International Data Transfers
We are based in Switzerland, and to the extent possible we store and process data within Switzerland or the European Union. However, some of our service providers operate in other countries (for example, the United States). This means that your personal data may be transferred to or accessed from jurisdictions outside of Switzerland. In particular, data processed by providers like Vercel, Resend, Cloudflare, or Stripe might be transferred to or stored on servers in the United States or other countries that may not be deemed to have equivalent data protection laws to Switzerland or the EU.
When we transfer personal data internationally, we take steps to ensure that adequate safeguards are in place to protect your information. These safeguards may include:
Relying on countries or entities that have been officially recognized by Switzerland (or the EU) as providing an adequate level of data protection. (For example, the European Union is recognized by Switzerland as adequate for data transfers, and as of 2024, certain certified companies in the U.S. may be recognized under the Swiss-U.S. Data Privacy Framework as having adequate protection.)
Implementing Standard Contractual Clauses (SCCs) or equivalent contractual protections with our service providers, obligating them to protect your data according to Swiss/EU privacy standards.
Ensuring that our U.S.-based providers participate in frameworks like the EU-U.S. and Swiss-U.S. Data Privacy Framework or otherwise have robust privacy and security programs.
By using our website or submitting your information to us, you acknowledge that your data may be transferred to third parties in other countries as described. If you have questions about international data transfers or want more information about the safeguards we have in place, please contact us.
8. Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or to comply with legal or contractual obligations. In practical terms:
Account information (like your name, email, profile data) is kept as long as you have an active account with us. If you delete your account or it becomes inactive, we will delete or anonymize that information after a reasonable period, unless we need to keep it for legal reasons.
Transaction data and payment records are retained for the duration needed to process the payment and thereafter as required for accounting and tax purposes or by financial regulations. For instance, Swiss law or other applicable laws may require that we keep certain financial records for a number of years.
Communications (emails, support inquiries) may be retained as long as necessary to address your request and for our reference, and then archived or deleted according to our retention schedules.
Analytics data is typically aggregated and retained for internal analysis. Where possible, we anonymize or pseudonymize usage data over time. Raw web server logs containing IP addresses are usually kept for a short duration (e.g., a few weeks) unless required for security investigations.
Cookies and similar tracking data expire as per their defined lifespans (see Cookies section or our cookie policy). For example, if an analytics cookie has a 6-month lifespan, data associated with that cookie is kept at most 6 months unless renewed by a new visit and consent.
When we have no ongoing legitimate business need to process your personal data, we will either delete it or anonymize it (so it can no longer be associated with you). If deletion or anonymization is not immediately feasible (for example, because the data is stored in backup archives), we will securely store the data and isolate it from further processing until deletion is possible.
9. Data Security
We take the security of your personal data seriously. We have implemented appropriate technical and organizational measures to protect your information from unauthorized access, loss, alteration, or disclosure. These measures include, for example:
Encryption: Our website is secured via SSL/TLS encryption. This means that when you enter personal information on the site (such as logging in or making a payment), that data is encrypted in transit between your browser and our servers. You can verify this by looking for the padlock icon in your browser’s address bar and the "https://" prefix in the URL.
Access Controls: Personal data stored in our database (Neon) or processed through our platform is accessible only to authorized personnel who require access to perform their duties. We restrict administrative access to systems that store sensitive data, and we regularly review user permissions.
Password Protection: If you have an account on our site, we store your account password in hashed form (i.e., not in plain text), using industry-standard hashing algorithms. This ensures that even if our database were compromised, your actual password remains protected. For passwordless authentication (magic links), one-time tokens are used which expire after a short period.
Network Security: We utilize firewalls, monitoring, and Cloudflare’s security features to guard against attacks and unauthorized traffic. Cloudflare helps filter out malicious requests (like DDoS attacks) before they reach our site. We also keep our software (such as the Payload CMS, Next.js framework, and server runtime) up to date with security patches to mitigate vulnerabilities.
Secure Development Practices: Our developers follow best practices for secure coding. We regularly test our website for common security issues (such as SQL injection, XSS, etc.) and fix any identified vulnerabilities.
Third-Party Audits/Compliance: Our key third-party providers (like Stripe, Cloudflare, Vercel) have their own security certifications and compliance regimes. For example, Stripe is PCI compliant for handling payment data, and Cloudflare has certifications such as ISO 27001. We rely on their security attestations for the parts of the system under their control.
Despite our efforts, no system can be 100% secure. The internet itself is not completely secure, and we cannot guarantee absolute security of data transmitted through our site. However, we strive to use commercially acceptable means to protect your personal information. If we ever experience a data breach that affects your personal data, we will follow all applicable breach notification laws, which may include notifying you and relevant authorities of the incident.
10. Your Rights as a Data Subject
You have rights regarding your personal data that we respect and uphold. These rights include:
Right to Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it. We will provide you with a summary of your data upon request (subject to verifying your identity).
Right to Rectification: If any of your personal information is inaccurate or incomplete, you have the right to ask us to correct or update it. For example, if you change your email address or discover an error in our records, you can request correction.
Right to Erasure: You can request that we delete your personal data under certain circumstances – for instance, if the data is no longer needed for the purposes it was collected, or if you withdraw your consent and no other legal basis for processing applies. We will honor valid requests for deletion (“right to be forgotten”) and will also instruct our processors to delete data they hold on our behalf, provided there is no legal requirement for us to retain the data.
Right to Restrict Processing: You have the right to ask us to limit the processing of your data in certain situations. For example, if you contest the accuracy of your data, you can request that we restrict processing until we verify the accuracy; or if you object to our legitimate interest processing, you can request restriction pending review.
Right to Object: You may object to our processing of your personal data when we process it based on legitimate interests or for direct marketing. For example, you can opt out of analytics tracking by adjusting your cookie settings (which is a way of objecting to that form of processing). If we were to send marketing emails, you can object (unsubscribe) at any time. If you object to processing that is based on our legitimate interests, we will evaluate your request and will stop or adjust the processing unless we have a compelling legitimate ground to continue.
Right to Data Portability (EU users): To the extent required by GDPR, you have the right to request a copy of certain data in a machine-readable format. For example, if you provided us with personal data and the processing is based on your consent or a contract, you can ask for that data in a structured, commonly used format so you can transfer it to another service provider. (Note: This right may not apply to all data, only to data you provided and that is processed by automated means.)
Right to Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time. For instance, if you consented to optional cookies or subscribed to a newsletter, you can later withdraw your consent (disable the cookies, unsubscribe from the newsletter, etc.). Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.
To exercise any of your rights, please contact us at the contact information provided above (see Data Controller and Contact Information). We may need to verify your identity before fulfilling certain requests, to ensure we do not disclose or delete data to the wrong person. We will respond to your request within the timeframes required by law (generally within 30 days for Swiss law and GDPR, with the possibility of extension if necessary). There is no fee for making a request, though in rare cases if a request is manifestly unfounded or excessive, we might charge a reasonable fee or refuse the request as permitted by law.
Finally, if you believe we have not handled your personal data properly or have concerns about your data rights, you have the right to lodge a complaint with a supervisory authority. In Switzerland, you can contact the Federal Data Protection and Information Commissioner (FDPIC). If you are in the EU, you can contact the data protection authority in your country of residence. We would, however, appreciate the chance to address your concerns directly before you do this, so we encourage you to reach out to us first.
11. Links to Other Websites
Our website may contain links to external sites or services that are not operated by us (for example, project partners, event pages, or social media links). If you click a third-party link, you will be directed to that third party’s site. This Privacy Policy does not apply to external websites, and we have no control over the content, privacy practices, or cookies of those sites. We strongly advise you to review the privacy policy of every site you visit when you leave our website. We are not responsible for the policies or practices of third parties.
12. Organizational Affiliation
(Note: This section is added since the website is said to belong to the Data Innovation Alliance.)
Our website is part of the Data Innovation Alliance, which is a Swiss organization. If you are interacting as a member or participant of the Alliance’s programs, please be aware that your data may also be subject to internal policies of the Alliance. However, the Data Innovation Alliance does not share your personal data with unrelated third parties. Any data you provide through this website is used for the Alliance’s purposes as described and handled in accordance with this Privacy Policy. In cases where we collaborate with partner institutions or co-organizers for events and you register through our site, we will inform you and seek consent if your information needs to be shared with those partners.
13. Updates to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we update the policy, we will change the "Last Updated" date at the top of this page. If the changes are significant, we may also provide a more prominent notice (such as a notification on our website or an email to registered users). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
Your continued use of our website after any modifications to this Privacy Policy will signify your acceptance of the changes. If you do not agree with any updates or modifications, you should stop using the site and, if applicable, deactivate your account.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Data Protection Contact – Data Innovation Alliance
Email: contact@data-innovation.org
Address: Bälliz 62, 3600 Thun, Switzerland
(Contact person: You may address your inquiry to our data protection officer or the Alliance’s Secretariat.)
We will be happy to assist you and answer any questions you might have about how we handle your personal information.
Applicable law and jurisdiction
Swiss law shall apply to any legal disputes arising in connection with the event. The exclusive place of jurisdiction is Thun.