Legal

Privacy Policy.

Effective date26 May 2026
Last updated26 May 2026
Version2.0

This Privacy Policy explains how Acuvera Consulting GmbH ("Acuvera", "we", "us", "our") processes personal data of visitors to www.acuvera.ch, prospective and existing clients, event participants, and other individuals who interact with us. It is issued in compliance with the Swiss Federal Act on Data Protection ("FADP"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), the Protection of Personal Information Act 4 of 2013 ("POPIA") in South Africa, and the Data Protection Act 2017 of Mauritius ("Mauritius DPA"). Where we engage with individuals in the European Economic Area, the EU General Data Protection Regulation ("EU GDPR") also applies.

1. Controller and contact

The data controller (or "responsible party" under POPIA) is Acuvera Consulting GmbH, company number CHE-326.713.221, registered office Altendorfstrasse, 8852 Altendorf, Canton of Schwyz, Switzerland. For all privacy matters, including the exercise of data subject rights, please contact us at info@acuvera.ch. Where required by law, we will appoint a local representative or information officer; current details can be obtained on request.

2. Scope and applicable laws

Acuvera operates in Switzerland, the United Kingdom, South Africa, and Mauritius, and serves clients in these and other jurisdictions. We comply with the FADP, the UK GDPR, POPIA, and the Mauritius DPA, and with the EU GDPR where it applies. Where the laws of more than one jurisdiction apply to a given processing activity, we apply the standard that offers the higher level of protection to the data subject.

3. Categories of personal data we collect

Depending on how you interact with us, we may process the following categories of personal data:

  • Contact and business information: name, employer, role, postal address, email address, telephone number, and professional credentials.
  • Enquiry and correspondence content: the messages, attachments, and meeting notes you share with us.
  • Technical and usage data: IP address (truncated where feasible), device and browser information, referrer, language, pages viewed, and timestamps.
  • Analytics data: pseudonymous identifiers and aggregated interaction metrics collected via Google Analytics 4.
  • Session diagnostics: anonymised mouse movement, clicks, scrolls, and heatmaps collected via Microsoft Clarity, with form inputs and other sensitive fields masked by default.
  • Contractual and billing data where you engage our services: engagement letters, invoicing details, and records of services delivered.

We do not knowingly collect special category or sensitive personal data and ask that you do not submit such information through our website forms.

4. Sources of data

We obtain personal data directly from you when you contact us, register for an event, or engage our services; automatically when you use our website; and occasionally from third parties such as referrers, public registers, or professional networks where you have made your details available.

5. Purposes and legal bases

We process personal data for the following purposes, relying on the legal bases set out below:

  • Responding to enquiries and providing information you request: performance of pre-contractual steps and our legitimate interest in operating our practice (UK GDPR / EU GDPR Art. 6(1)(b) and (f); FADP Art. 31; POPIA s.11(1)(b) and (f); Mauritius DPA s.28(b) and (f)).
  • Delivering services under engagement: performance of a contract.
  • Operating, securing, and improving our website: legitimate interests and, for non-essential cookies, your consent.
  • Analytics and session diagnostics: your consent, which you may withdraw at any time.
  • Record-keeping and compliance with legal, tax, regulatory, and professional obligations: legal obligation.
  • Establishing, exercising, or defending legal claims: legitimate interests.

6. Cookies and similar technologies

Our use of cookies, local storage, and analytics tags is described in our Cookie Policy. Non-essential cookies are loaded only after you provide consent through our cookie banner, and you can change your choices at any time.

7. Disclosure to third parties

We do not sell or rent personal data. We share personal data only with carefully selected processors and recipients, including hosting and infrastructure providers, customer relationship management tools, email and productivity providers, analytics platforms, payment and accounting providers, and our professional advisors. Each processor is bound by a written agreement that requires confidentiality, appropriate security, and lawful processing. We may also disclose personal data where required by law, court order, or competent authority.

8. International data transfers

Because we operate in Switzerland, the United Kingdom, South Africa, and Mauritius, and use international service providers, personal data may be transferred between these jurisdictions and, where relevant, to the European Economic Area and the United States. We rely on adequacy decisions where available (including the Swiss and UK assessments for the EEA, and the EU–US and UK–US Data Privacy Framework for participating US providers) and otherwise on Standard Contractual Clauses with the Swiss and UK addenda, the conditions in POPIA s.72, and the transfer safeguards in section 36 of the Mauritius DPA. Copies of the safeguards in place for a specific transfer are available on request.

9. Retention

We retain personal data only for as long as necessary for the purposes set out in this policy and to meet our legal, tax, accounting, and regulatory obligations. Indicative retention periods are: enquiry correspondence, up to 24 months after last contact; contractual and engagement records, 10 years from the end of the engagement (Switzerland and the United Kingdom); accounting and tax records, 5 to 10 years depending on jurisdiction; server and security logs, up to 12 months; and consent records for the duration required to evidence lawful processing. When the applicable retention period ends, data is securely deleted or anonymised.

10. Security

We maintain technical and organisational measures appropriate to the risk, including TLS encryption in transit, encryption at rest where supported, role-based access controls, the principle of least privilege, multi-factor authentication for administrative access, vendor due diligence, regular review of access rights, and a documented incident response procedure. In the event of a personal data breach likely to result in a risk to data subjects, we will notify the competent supervisory authority and affected individuals within the timeframes required by applicable law.

11. Your rights

Subject to the conditions of the law that applies to you, you have the following rights:

  • Access to your personal data and information about how it is processed.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") where the legal conditions are met.
  • Restriction of processing in defined circumstances.
  • Objection to processing based on legitimate interests or for direct marketing.
  • Data portability for data you have provided to us under contract or consent.
  • Withdrawal of consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects.
  • Right to lodge a complaint with a supervisory authority.

To exercise any of these rights, please write to info@acuvera.ch. We may need to verify your identity before responding and will reply within the timeframes set by applicable law.

12. Supervisory authorities

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch.
  • United Kingdom: Information Commissioner's Office (ICO), www.ico.org.uk.
  • South Africa: Information Regulator (South Africa), www.inforegulator.org.za.
  • Mauritius: Data Protection Office, dataprotection.govmu.org.
  • European Economic Area: the data protection authority of your country of residence.

13. Children

Our website and services are directed at professionals and organisations, not children. We do not knowingly collect personal data from children under the age of 16, or under 13 where POPIA applies. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

14. Automated decision-making

We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects on individuals.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. The current version is always available on this page with the date of last update. Material changes will be highlighted prominently on our website.

16. Contact and complaints

If you have questions or concerns about this Privacy Policy or our handling of your personal data, please contact us at info@acuvera.ch. If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority of the jurisdiction that applies to you, as listed above.