Privacy Policy
Revision 5, as of 29 March 2026
1. Controller
oneLynk AG, Riedstrasse 1, 8953 Dietikon, Switzerland
Email: support@onelynk.ch
This entity is responsible for the processing of personal data described in this Privacy Notice unless stated otherwise in a specific case.
2. Scope
This Privacy Notice applies to our website, including landing pages, coming-soon pages, and similar campaign or information pages, as well as to the oneLynk app and platform and related interactions. It also applies to our communications with you where we refer to this Privacy Notice.
2.1 Roles in relation to data
For the website, the app itself, and our own communications, we are generally the data controller. Where business customers record and manage their own project- or stakeholder-related data in the app, the relevant customer will typically be responsible for that content; in such cases, we process that data in the context of technical provision, operation, and support for that customer.
3. What data we process
We process personal data arising in connection with the use of our website and app, contact requests, registration and use of user accounts, support cases, contractual relationships, and the technical provision and protection of our services. Which data is processed in a specific case depends in particular on your use, your settings, your requests, and the functions enabled.
3.1 Usage, device and log data
This includes technical access and log data such as IP address, date and time, accessed content, referrer, browser and device information, operating system, language settings, logins, system events, error messages, and comparable security- and operations-related metadata. This may also include technically required session, security, error, audit, and evidencing data, including logs relating to logins, security-relevant events, confirmation processes, and consent and preference events where such logging is required for operations, security, traceability, compliance, or abuse prevention. Such log data must be distinguished from optional analytics and tracking data.
3.2 Contact, registration and account data
This includes name, email address, organisation, role, communication content, registration details, authentication data, password hashes or tokens, account settings, and data you provide to us in forms, waiting lists, enquiries, or support requests.
3.3 Project, communication and content data in the app
When the app is used, project-related content, contact details of participants, status information, messages, documents, tasks, notes, approvals, comments, and comparable content may be processed to the extent such data is entered, uploaded, or generated in the app.
3.4 Contract, billing and transaction data
Where relevant, we also process data for contract administration and billing, such as billing addresses, contact persons, contract data, service data, payment status, and records connected with statutory or commercial retention obligations.
3.5 Consent, preference, analytics and marketing data
Where you make relevant choices or give consent, we also process information about your consent decisions, preferences, communication choices, newsletter subscriptions, campaign attributions, and identifiers and usage data arising from analytics, tracking, or marketing technologies. In the logged-in area of the app or platform, this may, where the optional analytics function has been activated, also include deeper interaction data such as visited areas, features used, click, navigation and event data, usage frequency, technical context information, and comparable product-related interaction data. Such data is not described as anonymised where it is in fact processed only in pseudonymised, account-related, or otherwise personal form.
4. Purposes and legal bases
We process personal data in particular to provide our website and app, manage user accounts, respond to enquiries, provide support, technically operate and secure our services, initiate and perform contracts, comply with legal obligations, prevent misuse, and further develop our offerings. Where marketing, tracking, or comparable optional functions are used, we process data for those purposes only to the extent permitted by law. Under Swiss law, we process personal data for these purposes within the framework of applicable data protection law; where the GDPR applies, we rely in particular on contractual necessity, legal obligations, legitimate interests, and, where required, your consent.
4.1 Operation of the services and contract administration
These purposes include in particular providing functions, authentication, role and permission management, communication with users, handling support and service requests, organising ongoing operations, and, where relevant, quotation, contract, and billing processes.
4.2 Security, quality and abuse prevention
We also process data to ensure the confidentiality, integrity, availability, and resilience of our systems, detect and handle security incidents, analyse errors, improve the stability of our services, and prevent abusive or unlawful use. This also includes technically and organisationally required logging of system, security, access, confirmation, and preference events where such logging is required for operations, traceability, incident investigation, compliance, or evidencing.
4.3 Analytics, product improvement and marketing
Where enabled and legally permissible, we also use data for reach measurement on the public website, usage analytics, error and performance evaluation, product improvement, and to measure the effectiveness of campaigns and other marketing activities. In the logged-in area, we may, where the optional analytics function has been activated, additionally evaluate interaction and usage data in order to improve features, understand usability, and support product decisions on a data-informed basis. Non-essential analytics, tracking, or interaction evaluation takes place, where legally required, only on the basis of your consent or your activated setting.
5. Hosting and data location (EU)
We generally operate our services so that core system and content data are primarily stored and processed in data centres located within the European Union. This is the baseline for both the website and the app.
5.1 Meaning of EU hosting
EU hosting means that primary data storage takes place in the EU. However, EU hosting does not in every case exclude authorised access from other countries or the use of individual technical services with an international element.
5.2 Remote access from third countries
For development, operations, maintenance, troubleshooting, or support, authorised persons or specialised service providers from countries outside Switzerland and/or outside the EU/EEA may need to access systems or data. Such remote access may qualify as an international disclosure or transfer for data protection purposes, in particular where it is performed by an external recipient. We limit such access to the minimum necessary and manage it on a role-based need-to-know basis.
6. International data transfers
A disclosure or transfer of personal data abroad may occur in particular where we use service providers located outside Switzerland or outside the EU/EEA, where support or development access takes place from such countries, or where individual technical functions, communications, or analytics services are provided across borders.
6.1 Safeguards for international transfers
We transfer personal data abroad only where the legal requirements are met. Depending on the recipient country and the relevant setup, we rely in particular on an applicable adequacy decision or recognition, on Standard Contractual Clauses, or on other legally recognised appropriate safeguards. Where legally required, we assess such transfers on a risk basis and implement supplementary technical and organisational measures, such as encryption, access restrictions, and logging.
6.2 Transfers to the United States
For transfers from Switzerland to the United States, an adequate level of protection may exist where the relevant US recipient is certified under the Swiss-U.S. Data Privacy Framework. Where the GDPR applies, the same applies to transfers from the EU/EEA to recipients certified under the EU-U.S. Data Privacy Framework. If such certification is not in place or not relevant, we may rely, where legally permissible, in particular on Standard Contractual Clauses or other appropriate safeguards.
7. Use of service providers
We use external service providers to provide and further develop our services. Where they process personal data on our behalf, we select them carefully and integrate them with appropriate data protection and organisational controls. We do not currently publish a separate public subprocessors list; instead, the relevant categories are described transparently in this Privacy Notice.
7.1 Categories of service providers
The categories used may include in particular: cloud hosting and infrastructure, databases, authentication and access services, backup and recovery services, monitoring and logging, IT security and incident handling services, communication and support services, email and notification services, analytics and product improvement services, consent and tag management, and, where enabled and lawful, marketing and conversion measurement.
7.2 International element of service providers
Some service providers may be located outside Switzerland or outside the EU/EEA, or may access data from such locations. In those cases, the rules described in this Privacy Notice on hosting, remote access, and international transfers apply accordingly.
8. Analytics and tracking tools
We may use different analytics and tracking mechanisms on the public website and in the logged-in area of the app or platform. These differ in purpose, depth of evaluation, and legal basis. Non-essential analytics and tracking mechanisms are used, where legally required, only after your consent or after activation of the relevant setting.
8.1 Public website
On the public website, this typically concerns reach measurement, campaign attribution, performance evaluation, technical functional analysis, and comparable website-related analytics or marketing functions. Depending on the configuration, this may involve cookies, local storage technologies, tags, pixels, server-side measurement, or comparable technologies.
8.2 Logged-in area / app / platform
In the logged-in area, deeper product- and usage-related tracking may take place where the optional analytics function has been activated. This may in particular include interaction and event data regarding the use of specific areas, features, click paths, navigation steps, usage frequency, technical context information, and comparable application-related activities. Such evaluations are used in particular for product improvement, error analysis, usability evaluation, and further development of the platform.
8.3 Distinction from technically required logging
Optional analytics and tracking functions must be distinguished from technically required logging. Irrespective of any optional analytics consent, we may process technically necessary logs and records where this is required for authentication, security, operations, stability, abuse prevention, auditability, incident investigation, compliance, or the documentation of consent and preference events.
9. Cookies and consent management
We may use cookies, local storage technologies, SDKs, and comparable mechanisms on our website and in our app. We distinguish between technically necessary technologies and optional technologies. The consent and preference logic may differ depending on whether you use the public website or the logged-in area of the app or platform.
9.1 Public website
For the public website, a cookie or tracking banner or a comparable preference mechanism may be provided. Through this mechanism, you may, where legally required, consent to optional analytics, convenience, or marketing technologies, reject them, or adjust your selection.
9.2 Logged-in area / app / platform
In the logged-in area, a separate optional toggle or a comparable preference mechanism for analytics and tracking functions may additionally be provided, in particular on first login and/or in settings. Confirmation or acknowledgement of terms of use, the privacy notice, customer-specific house rules, and later changes to consents or preferences may be logged technically. Acceptance of legal documents or project-related rules must not be equated with optional consent to analytics or tracking functions.
9.3 Technically necessary technologies, minimum logging and withdrawal
We use technically necessary technologies and the associated minimum logging where they are required to carry out the transmission of a communication, provide functions expressly requested, or ensure operations, security, stability, traceability, and compliance. Optional analytics, convenience, or marketing technologies are used, where legally required, only after your prior consent or activated setting. You may, where provided, change or withdraw your choice at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
10. Retention period
We retain personal data only for as long as necessary for the purposes described, as long as we have a legitimate operational interest in retaining it, or as long as we are legally required to do so. We then delete or anonymise the data unless statutory retention or evidentiary obligations require otherwise. For app content for which our customer is responsible, the retention period may additionally depend on that customer's instructions, settings, or contractual usage framework. We may also retain records of consents, refusals, withdrawals, confirmation processes, and changes to tracking or preference settings for as long as required for traceability, compliance, evidencing, or handling related enquiries.
11. Data security
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, misuse, alteration, or unlawful disclosure. These measures include, in particular, encryption of data in transit, role-based access controls, need-to-know principles, logging, monitoring, backup and recovery processes, patch and vulnerability management, and procedures for security incidents. However, absolute security cannot be guaranteed for electronic communications or data storage.
12. Rights of data subjects
Under applicable law, you may in particular have the right to obtain information about the processing of your personal data, to rectify inaccurate data, to request deletion or destruction within the scope provided by law, to restrict processing, to receive your data or have it transferred, to object to certain processing activities, and to withdraw consent with effect for the future. These rights apply within the framework and subject to the conditions of the applicable law. To process your request, we may require appropriate proof of identity.
12.1 Right to lodge a complaint
If you believe that the processing of your personal data violates applicable data protection law, you may contact us. You also have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner. Where the GDPR applies, you may also lodge a complaint with a competent data protection supervisory authority in the EU/EEA.
13. Changes to this Privacy Notice
We may amend this Privacy Notice at any time with effect for the future, in particular if our services, our data processing, the technologies used, or the legal framework change. The current published version shall apply.
14. Prevailing language
This Privacy Notice may be provided in multiple languages. In the event of inconsistencies, interpretation issues, or deviations between language versions, the German version shall prevail.