Privacy & Data Protection Policy

Effective Date: 3 November 2025
Provider: Healio Technologies Ltd (en formation), Chemin de la Vulliette 29i,
1000 Lausanne 25, Switzerland
Contact: contact@healio.ch
Data Protection Contact (DPO): Raphael Breitschmid – raphael.breitschmid@healio.ch

1) Purpose of this Policy

This Privacy Policy explains how Healio Technologies Ltd (“Healio”, “we”, “our”) collects, uses, stores, and protects personal data when you access or use our services on healio.ch and related applications (“Service”). The Service is intended for professional/B2B use only.

2) Roles Under Data Protection Law

- Customer (Company) is generally the Data Controller, deciding what employee/user data is entered into the platform.

- Healio acts as a Data Processor, processing data only to provide the Service and according to Customer instructions.

- For certain limited data (billing, support requests, account management), Healio acts as the Data Controller.

Where Healio processes data on behalf of a Customer, a Data Processing Addendum (DPA) applies.

3) Data We Collect

We may process:

A. Customer & User Data (processed on behalf of Customers)

- Employee names, roles, schedules, work assignments
- Messages posted by managers to employees
- Account information created by the Customer
- Usage data necessary for platform functions

The Customer is responsible for ensuring lawful collection, employee notification, and consent where required.

B. Data we collect as Controller

- Account owner and administrator information (name, email, position)
- Billing details (handled via Stripe, not stored directly by Healio)
- Support inquiries and communication history
- Technical logs (IP, device, browser) for security and performance

4) How We Use Data

We process data only to:

✔ Provide and maintain the Service
✔ Enable scheduling, internal communication, and team coordination
✔ Manage authentication, roles, user access, and security
✔ Provide customer support
✔ Process payments (via Stripe)
✔ Monitor platform performance and reliability
✔ Meet legal or contractual obligations

We do not sell personal data.

5) Legal Basis for Processing

Depending on the data and jurisdiction, we rely on:

- Contract performance (providing the Service to our Customers)

- Legitimate business interest (support, security, analytics)

- Legal obligations (invoicing, compliance)

- Customer instructions (when acting as Processor)

6) Data Hosting & Security Measures

- All platform data is hosted in Switzerland / EEA via Infomaniak.

- We implement appropriate technical and organizational security measures, including:
  - Encrypted communications (TLS)
  - Role-based access controls
  - Regular backups
  - Operational monitoring
  - Restricted administrator access

Customers are responsible for safeguarding their account credentials and internal compliance.

7) Third-Party Services

Healio uses trusted third parties as sub-processors, including:

Infomaniak: Hosting & infrastructure / infomaniak.com
Stripe: Payment processing / stripe.com/privacy
Email providers: Support communication

These providers only use data to deliver their services and offer adequate security safeguards.

8) Data Retention & Deletion

- Customer data is stored as long as an active subscription exists.
- Upon termination: Customers may request a data export within 30 days. After 30 days, data may be deleted or anonymized, unless retention is legally required.

Support and billing records are retained according to Swiss legal obligations.

9) Employee Messaging & Responsibility

When managers communicate with employees via the platform:

- The Customer chooses recipients and content
- The Customer must ensure compliance with employment and data-protection laws
- Healio does not validate message content
- Misuse may lead to account restriction if Terms are violated

10) Cookies & Tracking

Healio may use essential cookies to:

- Keep users authenticated
- Ensure security
- Monitor platform stability

We do not run intrusive advertising tracking or sell analytics data.

11) International Data Transfers

11.1. Customer shall ensure that use of the Service complies with applicable laws (including data protection, employment, and e-communications laws).

11.2. Customer shall not upload or process special-category data unless permitted by law and appropriate safeguards are in place. Customer will not upload unlawful, harmful, infringing, or offensive content.

11.3. Provider may remove or disable access to content that it reasonably believes violates these Terms or applicable law.

12) Your Rights

Depending on your jurisdiction, you or your staff may have rights to:

- Access or request a copy of personal data
- Request correction of incorrect data
- Request deletion or restriction
- Object to processing in certain cases

As the Controller, your employer/organization must handle these requests first. Healio will assist as Processor when necessary.

Requests can be sent to: raphael.breitschmid@healio.ch

13) Breach Notification

If Healio detects a personal-data breach that poses a risk, we will notify impacted Customers without undue delay, so they can fulfill regulatory obligations.

14) Changes to this Policy

We may update this Privacy Policy to reflect legal or service changes. Material changes will be communicated via email or in-platform notice.

15) Contact

For privacy or data-protection questions:

DPO: raphael.breitschmid@healio.ch
General inquiries: contact@healio.ch
Address: Healio Technologies Ltd (en formation), Chemin de la Vulliette 29i, 1000 Lausanne 25, Switzerland

16) Governing Law & Jurisdiction

This Privacy Policy and any disputes relating to the processing of personal data are governed by Swiss law, in particular the Swiss Federal Act on Data Protection (FADP).

Any dispute, claim or litigation shall be subject to the exclusive jurisdiction of the courts of Lausanne, Switzerland, unless otherwise required by mandatory applicable law.