Privacy policy

Privacy Notice of heyteo AG

Steigstrasse 18, 8463 Benken (ZH), Switzerland

Version 2.0 · Valid from 21 May 2026

1 What does this privacy notice cover?

The protection of your personal data is very important to us. With this privacy notice, we inform you which personal data we process, for what purpose we process it, how long we retain personal data, what rights you have in relation to your personal data and whom you can contact with any concerns. This privacy notice is aligned both with Swiss data protection legislation (revFADP) and the European General Data Protection Regulation (GDPR).

2 Who is responsible and how can you contact us?

The following company (“we” or “us”) is responsible for the processing of your personal data under this privacy notice:

heyteo AG

Steigstrasse 18, 8463 Benken (ZH), Switzerland

If you have any questions about the processing of your personal data, you can reach us at:

Chris Einsele · chris.einsele@heyteo.com · +41 52 533 63 63

3 Who is this privacy notice intended for?

“Personal data” means all information relating to an identified or identifiable natural person. This privacy notice applies to all persons (“you” or “your”) whose personal data we process. In addition to this privacy notice, other documents and policies of ours (e.g. terms of use, general project terms, DPA, cookie policy) may contain information on the processing of personal data.

4 What personal data do we process?

4.1 In the course of providing services

In connection with the offering and provision of our services (software agents / AI chat services, including product-specific variants such as Teo HR Coach), we collect and process the following data in our systems in particular:

  • Names of our customers and partners

  • Contact details of our customers/partners: address, email address, mobile number, website, correspondence

  • Contact details of the contact persons of our customers/partners: name, address, email address, mobile number, correspondence

  • Contact details of third parties with whom we have initiated or concluded contracts: name, address, email address, landline/mobile number, website, correspondence

  • Billing and payment information

4.2 When you use our services

In connection with the use of our services (software agents / chats), we collect and process the following data in our systems:

  • information entered by the user and responses provided by the system

  • information about user behaviour in the chat (e.g. activating links, chat latency)

  • technical data about our own systems (e.g. computing power used and latency times)

  • technical data about the systems used by the user (e.g. IP address, device and connection data)

5 For what purpose do we process your personal data?

5.1 In the course of providing services

We process personal data in connection with the initiation, conclusion and performance of contracts. The purpose covers everything that is appropriate and necessary to initiate, conclude, perform, terminate and enforce contracts — in particular:

  • Provision of contractual services (e.g. conversational engagement, up-/cross-selling, customer-driven innovation)

  • Decisions on contractual terms

  • Termination of contracts

  • Invoicing, reminders, accounting

  • Enforcement of legal claims arising from contracts

  • Archiving of contracts

We also process personal data for communication, marketing and information purposes (customer service, responding to enquiries, newsletters, advertising emails, printed materials, invitations to events) as well as for compliance with legal obligations and enforcement of our rights (clarification, enforcement and defence of claims, handling complaints, disclosure to authorities where required by law or for a substantive reason). Administration includes analysis and improvement of processes, accounting, IT and archiving.

5.2 When you use our services

We process personal data to continuously improve our services (product development, improving usability such as query refinement and dialog evaluation, improving acceptance such as intent recognition optimisation, benchmarking, further development of our technology) as well as to protect our IT systems (defence against and investigation of malware and cyberattacks, access control, backups, testing and analysis of our networks and IT systems).

6 On what legal bases do we rely for processing?

Where the GDPR applies to the personal data, we set out the legal basis below.

6.1 In the course of providing services

  • We process the personal data of our customers and partners on the basis of Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).

  • With regard to personal data that does not relate to our customers/partners, we rely on Art. 6(1)(f) GDPR (legitimate interest), namely to offer, provide and invoice services to our customers/partners.

  • Where consent is required for marketing purposes, we rely on Art. 6(1)(a) GDPR.

6.2 When you use our services

  • We process technical personal data on the basis of Art. 6(1)(f) GDPR (legitimate interest) in order to understand and resolve technical problems, improve, support and maintain systems, and carry out security-related analyses.

  • We process information entered by the user and responses provided by the system on the basis of Art. 6(1)(f) GDPR (legitimate interest) in order to improve our services.

7 To whom do we disclose personal data?

If we make use of third-party services, we may disclose your personal data to such third parties. These “data processors” are obliged to process the personal data in accordance with our instructions and to take suitable measures to ensure data security. Through contractual arrangements (in particular the DPA), we ensure that data protection is guaranteed throughout the entire processing.

In particular, personal data may be disclosed to third parties for the following services:

  • IT services

  • Payment services

  • Consultancy services such as fiduciary and tax advice

As part of providing our services (software agents / chats), personal data is also disclosed to the following sub-processors: OpenAI Ireland Ltd., Google Ireland Ltd., WhatsApp Ireland Ltd., Twilio Inc. (USA) and XIAG AG (Switzerland). An up-to-date list of sub-processors forms part of our data processing agreement (AVV).

Detailed information on the applicable data protection provisions can be found here: Google Ireland Ltd. · Google Cloud GDPR

8 Do we disclose personal data abroad?

Your personal data is usually stored and processed by us in Switzerland and in the European Union. However, we may also process your personal data outside this area or have it processed outside this area (in particular by Twilio Inc. in the USA). If the relevant recipient country does not have an adequate statutory level of data protection, we ensure the protection of your personal data through suitable measures (e.g. EU standard contractual clauses, Swiss/EU-US Data Privacy Framework). Google is certified under the Swiss/EU-US Data Privacy Framework and therefore offers an adequate level of data protection in accordance with the GDPR and Art. 16(1) FADP.

9 Do we process particularly sensitive personal data?

We do not intend to process particularly sensitive personal data. We only process particularly sensitive personal data if you voluntarily provide it to us via our services without us requesting it. We do not carry out profiling using particularly sensitive personal data and do not use it for automated individual decisions.

10 How long do we store your personal data?

10.1 In the course of providing services

We store personal data that we process as part of our services for ten (10) years from the end of the service for the respective customer/partner, unless contractual or statutory requirements provide for a longer retention period. This period corresponds to clause 7 of our DPA. Your personal data will be deleted or anonymised after the expiry of the aforementioned periods.

10.2 When you use our services

Technical data is usually retained for only a few days, but may be retained for up to 2 years. Certain technical data is deleted after the end of the session or use of the service.

Information entered by the user and responses provided by the system are generally deleted or anonymised after 48 months.

11 What rights do you have?

If we process your personal data, you generally have the following rights:

  • Objection: If we process your personal data on the basis of a legitimate interest, you may object to the processing.

  • Right of access: You may request confirmation from us as to whether we process your personal data.

  • Rectification: You have the right to have inaccurate personal data corrected and incomplete personal data completed.

  • Restriction of processing: You may request that processing be restricted under the statutory conditions (e.g. where accuracy is disputed, processing is unlawful or an objection has been lodged).

  • Erasure or anonymisation: You may request that your personal data be deleted or anonymised if the statutory conditions are met.

  • Data disclosure or transfer: You may request disclosure of the personal data you have provided in a commonly used electronic format.

  • Withdrawal of consent: You may withdraw any consent you have given at any time with effect for the future. Other legal bases remain reserved.

  • Right to be informed: In the event of rectification, erasure or restriction, we are obliged to inform all recipients of this, unless this proves impossible or involves disproportionate effort.

  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, place of work or place of the alleged infringement.

The above rights may be restricted or excluded in individual cases if the statutory requirements are not met, legal obligations conflict with them or protected interests need to be safeguarded.

12 Changes to this privacy notice and language

We may amend this privacy notice from time to time. The published version applies in each case. In the event of any discrepancy between the German version and a version in another language, the German-language version shall prevail.
