Privacy at Aivie

This page describes how Aivie processes personal data on behalf of customers.
It is intended as a reference so that companies can easily link to this information in their own privacy policy.

In short: Customers remain controllers. Aivie is a processor and processes data exclusively according to instructions and for the agreed purpose.

Introduction

Aivie is a Marketing Automation Tool. Companies use Aivie to manage contacts,
segment target groups, and automatically deliver communication via channels such as email, SMS, or push.

Aivie is provided as a hosted solution. In doing so, Aivie processes personal data on behalf of customers. Customers remain responsible for content, purpose, lawfulness, retention obligations, and transparency toward their contacts.

Example Use Cases

Aivie is typically used to automate marketing and customer communication in a measurable and efficient way.
Examples:

  • Newsletters and campaigns: Segmented email campaigns with measurable opens and clicks
  • Lead generation: Landing pages and forms that capture leads and transfer them to lists or segments
  • Lead nurturing: Automated sequences based on interests, behavior, or funnel stage
  • Transactional communication: Confirmations, follow-ups, event information
  • Reactivation: Automated campaigns triggered by inactivity or abandoned journeys
  • Consent and preferences: Management of consents and communication preferences

What Data Is Processed with Aivie

Aivie is designed so that customers control data processing themselves. What data is collected
depends on the configuration, forms, and features used.

Typical Data Categories

  • Identification data: e.g., name, email address
  • Analytical data: e.g., responses to campaigns, opens, clicks, conversions
  • Technical data: e.g., IP address, device and browser information, log data for secure operation
  • Customer-defined profile data: e.g., company, role, interests, consent status

Data subjects are typically contacts, leads, or customers of Aivie customers.

Roles and Responsibilities

As a rule:

  • Controllers: Aivie customers who use Aivie in their organization
  • Processor: Aivie by Idea 2 Collective GmbH

Aivie processes personal data exclusively on documented instructions from the controller.
Processing for its own purposes is excluded.

Contact

Idea 2 Collective GmbH
Wengistrasse 6
CH-8004 Zurich
legal@aivie.ch

Data ownership and data sovereignty

Customers remain owners of their data at all times. Aivie processes personal data exclusively on behalf of and does not transfer any usage rights to third parties. Data can be exported, transferred, or completely deleted after contract termination.

Privacy and Data Security

Aivie protects client data with great care. Operations are organized so that only persons
who absolutely need access for operations and support receive it. Access is granted according to the need-to-know principle.

Confidentiality and Access

  • Persons with access are bound to confidentiality
  • Shared user accounts are avoided
  • Rights are granted on a role-based and minimal basis

Supporting Customers

Aivie supports customers in fulfilling data subject rights and obligations.
This includes, among other things, access, rectification, deletion, restriction, and data portability,
to the extent required within the scope of data processing.

Handling of data breaches

In the event of a personal data breach, Aivie will inform the responsible parties immediately upon becoming aware.
The notification will include at least the type of breach, potential consequences, and countermeasures already taken or planned.

Infrastructure and Security Architecture

The platform is designed to ensure security, scalability, and traceability at the infrastructure and application level. Below is an overview of the central security mechanisms.

Cloud Infrastructure

  • Hosting on a cloud platform with locations depending on the setup (e.g., Switzerland)
  • Global, highly available network architecture with redundant components
  • Separation of application, file system, database, cache, and email infrastructure
  • Isolated projects possible for special customer requirements

Encryption

  • Encryption of all data in transit using TLS
  • Encryption of all data at rest at the infrastructure and storage level
  • Support for Customer Managed Encryption Keys for increased requirements
  • Separated key management with clearly defined access rights

Access Control and Identity Management

  • Role-based access control based on the need-to-know principle
  • Granular rights assignment at project and system level
  • Avoidance of shared user accounts
  • Regular review and adjustment of permissions

Audit Logging and Monitoring

  • Logging of relevant system and data access
  • Monitoring of infrastructure and application metrics
  • Traceability of changes to configuration and permissions
  • Technical basis for forensic analysis if required

Network Security

  • Segmented network architecture
  • Firewall and traffic control mechanisms
  • Intrusion detection and threat detection at the cloud level
  • Zero-Trust principle for access control

Backups and Recovery

  • Regular backups of the database, files, and relevant system components
  • Defined recovery processes
  • Physically and logically separated backup storage locations (same jurisdiction)

Secure Software Development

  • Use of proven development standards
  • Regular updates and security patches
  • Controlled deployments with defined release processes
  • Separation of development, test, and production environments

Physical Security of Data Centers

  • Multi-layered access controls
  • 24/7 monitoring
  • Biometric access systems
  • Site redundancy to ensure high availability

Data Isolation for Regulated Industries

For customers with increased regulatory requirements, for example in the financial or government sector,
data can be operated in separate projects. This allows for clear logical and organizational separation of tenants and the implementation of individual access concepts.

Organizational Security Measures

  • Documented security concept
  • Defined roles and responsibilities
  • Processes for Business Continuity and Disaster Recovery
  • Regular training and awareness for employees
  • Controlled change management

Data storage: Switzerland, Germany, or a location of your choice

We understand that the location of your data is not just a technical, but a legal decision. That’s why Aivie adapts to your compliance strategy.

Our infrastructure is designed so that your data remains within your jurisdiction:

For customers from Switzerland:

  • Location: Zurich.
  • Advantage: Your data is guaranteed to remain on Swiss soil. Ideal for compliance with the nFADP and for industries with strict regulations (finance, health, government).

For customers from Germany & the EU:

  • Location: Frankfurt.
  • Advantage: Your data is stored exclusively on servers in Germany. This guarantees full conformity with the GDPR and ensures that no storage takes place in third countries.

Note: For the technical delivery of emails, we use the specialized infrastructure of AWS. Since emails, as a global medium, inherently cross national borders (e.g., as soon as the recipient uses an international provider like Gmail or Outlook), we prioritize maximum deliverability here. This ensures that your messages arrive reliably and do not end up in spam. And this is achieved with full data protection compliance (FADP, GDPR).

Sub-processors

Aivie uses sub-processors to operate the platform securely and to provide certain sub-processes. All sub-processors are contractually bound.

Aivie informs customers at least 2 weeks before intended changes to sub-processors,
so that objections can be raised.

Current Sub-processors

Sub-processorsActivityProcessing Location
Google (Google Ireland Limited)Hosting of the Marketing Automation SolutionZurich, Frankfurt, or another location of your choice.
Amazon Web Services (AWS EMEA)Email SendingFrankfurt

Note:
If transmission to a third country is required as part of the infrastructure used, this is done exclusively in compliance with legal requirements and with appropriate safeguards such as standard contractual clauses.

Protection against US Cloud Act & Third-Party Access

Regardless of where the data is located: Since we build on global cloud infrastructure, many customers ask about access by US authorities (US Cloud Act).

Our security architecture technically prevents this risk. We do not rely solely on contracts, but on encryption and data ownership:

1. Encryption by Default

All data is encrypted both during transmission (in transit) and on the hard drives (at rest). The infrastructure provider only sees encrypted data blocks, but never readable personal or marketing data.

2. Your Data, Your Key (CMEK, HYOK)

To effectively eliminate the risk of the US Cloud Act, we support Customer Managed Encryption Keys (CMEK) and Hold Your Own Key (HYOK).

  • The principle: The key for decrypting the data is not held by the cloud provider, but is managed separately.
  • Security: Even in the theoretical event of a government order for data disclosure to the provider, the data handed over would be worthless junk without your key.

In other words: You hold the key to your data.

Note: This functionality is available as an optional add-on.

3. Separation of Infrastructure and Application

We use the cloud infrastructure purely as a “digital data center”. Logical management and access to the databases are handled exclusively by the Aivie application and our team from Switzerland.

Data Processing Agreement (DPA)

Aivie provides a Data Processing Agreement upon request to formally regulate rights and obligations in the contractual relationship.

What the DPA Regulates

  • Subject matter, duration, nature, and purpose of processing
  • Processing only according to documented instructions
  • Confidentiality and access restrictions
  • Technical and organizational measures and their development
  • Use and change of sub-processors with advance notice
  • Support with data subject rights and obligations of the controller
  • Control and audit rights of the controller
  • Deletion or return of data after contract termination

Request DPA: legal@aivie.ch

Certifications and Compliance

Our infrastructure provider Google Cloud has extensive security and compliance certifications, including ISO 27001 as well as SOC 1, SOC 2, and SOC 3 audit reports. Aivie itself does not operate its own data centers and is not independently certified according to ISO 27001. However, Aivie meets the relevant requirements, even without its own certification.

Aivie uses these audited infrastructure controls as a technical basis for the secure operation of the platform. The certifications particularly concern physical data center security, network protection, encryption, access management, and auditability.

Examples of relevant certificates and standards

  • FADP and GDPR
  • ISO 27001, ISO 27017, and ISO 27018
  • ISAE 3000 Type 2 Report (FINMA)
  • SOC 1, SOC 2, and SOC 3
  • C5 and CSA STAR

Further details on Google Cloud Platform certifications and audit reports can be found here:
Google Cloud Compliance Overview

Compliance with FADP and GDPR

Aivie is designed so that customers can meet requirements from the Swiss FADP and the EU GDPR.
From the EU perspective, Switzerland has a recognized adequate level of data protection.

What Customers Typically Implement Themselves

  • Legal basis and information obligations toward their contacts
  • Cookie consents on their own website, if tracking technologies are used
  • Retention periods and internal processes for access, deletion, or objection

Text Module for Your Own Privacy Policy

So that visitors can quickly understand how Aivie works as a processor, the following notice can be included in your own privacy policy.
Please link to this page.

Example Data Protection Text Module

We use Aivie as a Marketing Automation Tool to deliver newsletters, campaigns, and automated communication flows.
Aivie processes personal data on our behalf and exclusively according to our instructions.
Details on data protection, data security, sub-processors, and the data processing agreement are described here:
https://aivie.ch/datenschutz-aivie

Status

As of: March 3, 2026