Privacy Policy
As of: May 2026
1. Data Controller
Theia Solutions AG
For data protection inquiries, please contact info@theiasolutions.ch. We have not formally appointed a Data Protection Officer, as this is not mandatory under the Swiss DPA or EU GDPR for a company of our size.
2. Data Collection and Processing
When you visit our website, the following data is collected automatically in server logs:
- IP address (for abuse prevention only, deleted after 30 days)
- Date and time of access
- Pages visited
- Browser and operating system used (user agent)
- Referring website (HTTP referrer)
Legal basis: legitimate interest in operating the website and preventing abuse (Art. 6 (1) (f) GDPR / Art. 31 (1) Swiss DPA).
3. Cookies and Consent
On your first visit, a cookie banner lets you grant or decline consent separately for necessary, map, analytics and marketing cookies. Your choice is stored in your browser (localStorage under the key "cookie-consent-v5") and can be reset at any time.
Necessary Cookies
Strictly technical: the CSRF anti-forgery cookie for the contact form, the localStorage entry for your cookie choice, and the language preference. No tracking.
Analytics Cookies
With your consent (the «Analytics» category in the cookie banner) we use Google Analytics 4, a web-analytics service provided by Google Ireland Limited. We use it to evaluate how our website is used (pages viewed, time on page, referral source, approximate city-/region-level location, device/browser). Google processes your IP address in truncated form; data may be transferred to Google servers, including in the USA. The legal basis is your consent (Art. 6(1)(a) GDPR; Art. 6 revFADP); transfers rely on the EU Standard Contractual Clauses. You can withdraw your consent at any time, with future effect, via the cookie settings. Without consent, Google Analytics is not loaded.
With your consent (the «Analytics» category in the cookie banner) we use PostHog, a privacy-friendly product-analytics service provided by PostHog Inc., hosted in the EU (eu.i.posthog.com, EU/Frankfurt region). PostHog is loaded only after you grant «Analytics» consent in the cookie banner; before consent — and after you revoke it — PostHog is not loaded and sets no cookies. Event data is sent first-party via our own server (a reverse proxy at theiasolutions.ch/ingest), not directly to PostHog domains. What is processed: page views, clicks and interactions (autocapture), approximate device and browser information, and a randomly generated visitor ID stored in a first-party cookie. There is no cross-site tracking and no advertising use. The legal basis is your consent (Art. 6(1)(a) GDPR; Art. 6 revFADP), which you can withdraw at any time, with future effect, via the cookie banner. PostHog Inc. is US-based; international transfers rely, where applicable, on the EU Standard Contractual Clauses and/or the Data Privacy Framework, and event traffic is proxied through our own EU/CH infrastructure.
Marketing Cookies (Reddit, LinkedIn, Meta)
With your consent (the «Marketing» category in the cookie banner) we use the Reddit Pixel, a service of Reddit, Inc. (USA), to measure and optimize our Reddit advertising campaigns (e.g. page views and conversions after an ad click). This may transfer pseudonymous usage and device data and your IP address to Reddit, Inc. in the USA. The legal basis is your consent (Art. 6(1)(a) GDPR; Art. 6 revFADP); transfers rely on the EU Standard Contractual Clauses. You can withdraw your consent at any time, with future effect, via the cookie settings. Without consent, the Reddit Pixel is not loaded.
With your consent (the «Marketing» category in the cookie banner) we use the LinkedIn Insight Tag, a service of LinkedIn Ireland Unlimited Company (for users in the EEA/Switzerland; parent company LinkedIn Corporation, USA), to measure and optimize our LinkedIn advertising campaigns (e.g. page views and conversions after an ad click) and to analyze reach. This may process pseudonymous usage and device data and your IP address and transmit them to LinkedIn. The legal basis is your consent (Art. 6(1)(a) GDPR; Art. 6 revFADP); any transfer to the USA relies on the EU Standard Contractual Clauses and/or the Data Privacy Framework. You can withdraw your consent at any time, with future effect, via the cookie settings. Without consent, the LinkedIn Insight Tag is not loaded.
With your consent (the «Marketing» category in the cookie banner) we use the Meta Pixel (Facebook Pixel), a service of Meta Platforms Ireland Limited (parent company Meta Platforms, Inc., USA), to measure and optimize our advertising campaigns on Facebook and Instagram (e.g. page views and conversions after an ad click). This may process pseudonymous usage and device data, your IP address and — where present — Meta cookies (_fbp/_fbc) and transmit them to Meta. The legal basis is your consent (Art. 6(1)(a) GDPR; Art. 6 revFADP); any transfer to the USA relies on the EU Standard Contractual Clauses and/or the Data Privacy Framework. You can withdraw your consent at any time, with future effect, via the cookie settings. Without consent, the Meta Pixel is not loaded.
Maps (Google Maps)
On the "About" page we can show our location in a Google Maps embed. The map is only loaded after you accept the maps cookie in the banner. Until then you see a placeholder with the static address. Once you consent, Google LLC (USA) processes your IP address and browser information according to the Google privacy policy.
4. Contact Form
When you submit the contact form, the data you provide (name, email, optionally phone and company, message) is stored to process your inquiry. Processing is based on your express consent (checkbox on submit) and on our legitimate interest in communicating with prospects.
Retention: contact form entries are retained for up to 24 months after the last contact and then deleted automatically, unless statutory retention periods apply (e.g. Swiss CO / VAT Act for invoices).
This data is not shared with unauthorized third parties. It is processed by: the website host (see section 5), our transactional email provider for notifying our team, and Theia staff handling your request.
4.1 Maturity Check / Assessment
When you complete our maturity check (/assessment) we store your answers, the computed category scores and — if you opt to receive the report by email — the contact details provided in the lead form (name, email, optionally company, role, phone, employee band). Processing is based on your express consent (checkbox before submit).
Retention: assessment records are kept for up to 24 months after the last contact, identical to contact form entries, and then deleted automatically. Anonymized score distributions may continue to be used for benchmark analytics.
4.2 Email Communication via Microsoft Dynamics 365
We may use Microsoft Dynamics 365 Customer Insights - Journeys (formerly Dynamics 365 Marketing) for CRM, customer communication, consent management and sending service or marketing emails, and may synchronize data from forms or assessments to that system. This may include contact details (name, email address, company, role, phone), communication preferences, inquiry or assessment context, and technical delivery and sending data.
Service or assessment emails are sent to handle your inquiry or, at your request, to deliver a report. Marketing emails are sent only on the basis of your consent or another permitted legal basis. Every marketing email includes an unsubscribe option. If open or click tracking is used, we provide transparent information and use this data to measure and improve our communication.
5. Processors and Hosting
We use the following service providers as data processors. Data processing agreements (DPAs) are in place with each.
| Service | Purpose | Region |
|---|---|---|
| Microsoft Azure App Service | Website hosting and server runtime | EU / CH |
| Neon (Postgres) | Database for website content and contact form | EU (eu-central-1) |
| Microsoft Entra ID | Authentication for internal admin UI (/manage) — no visitor data processing | EU / CH |
| Transactional email service | Sending contact notifications and requested assessment reports | EU |
| Microsoft Dynamics 365 Customer Insights - Journeys | CRM, email sending, campaign and journey orchestration, consent and unsubscribe management | according to Microsoft tenant configuration |
| Google Maps (Google LLC) | Map embed on /about (consent-gated) | USA |
| PostHog (PostHog Inc.) | Product analytics | EU (Frankfurt) |
| LinkedIn Insight Tag (LinkedIn Ireland) | Marketing: LinkedIn ad conversion measurement (consent-gated) | EU / USA |
| Meta Pixel (Meta Platforms Ireland) | Marketing: Facebook/Instagram ad conversion measurement (consent-gated) | EU / USA |
Data transfers to the US (Google, Reddit, LinkedIn, Meta) are based on the EU Standard Contractual Clauses (SCCs) and/or the Data Privacy Framework. The marketing services (Reddit, LinkedIn, Meta) are loaded only after your «Marketing» consent; visitors are informed and asked for consent via the cookie banner first.
6. Fonts (Webfonts)
The "Montserrat" typeface is served from our own servers (self-hosted via @fontsource). There is no connection to Google Fonts servers, so your IP address is not transmitted to Google when you visit our website.
7. Your Rights
Under the Swiss Data Protection Act (revised DPA, effective 1 September 2023) and the EU GDPR you have the following rights:
- Right to access your stored data (Art. 25 Swiss DPA / Art. 15 GDPR)
- Right to rectification of inaccurate data (Art. 32 Swiss DPA / Art. 16 GDPR)
- Right to erasure (Art. 32 Swiss DPA / Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 28 Swiss DPA / Art. 20 GDPR)
- Right to object to processing (Art. 30 Swiss DPA / Art. 21 GDPR)
- Right to withdraw consent — effective prospectively, not retroactively
Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority.
- Switzerland: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
- EU/EEA: the national data protection authority of your country of residence
8. Data Security
We implement technical and organizational measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorized access: TLS/SSL encryption for all data transfers, CSRF protection on forms, rate limiting to mitigate brute-force and spam attacks, role-based access in the admin UI, and regular security updates of all components.
9. Changes
We reserve the right to update this privacy policy to meet current legal requirements or to reflect changes in our services. The current version is always available on this page.
10. Contact
For questions about data protection, please contact us at: info@theiasolutions.ch