Privacy for website and AI services — clear, structured and complete.
This page transparently summarises which data are processed in connection with x25lab.com, the AI chatbot, the BPMN bot, optional analytics functions and technical security and operational processes, for what purposes this happens and which rights you have in this context.
The Privacy Policy jointly covers the website, AI services and technical side processes
You receive a compact classification of the scope, the regulatory framework and the practical protection and control mechanisms surrounding use, security and communication.
Overview
This Privacy Policy applies to the website x25lab.com and to the digital services and functions offered through it, in particular the AI chatbot, the BPMN bot, the legal bot, contact and callback functions, login, activation and password functions, optional usage analytics and related technical security and operational processes.
This statement is drafted so that it covers the data protection information duties under the revised Swiss Federal Act on Data Protection (FADP), the European Union General Data Protection Regulation (GDPR) and, where applicable in an individual case, additional national law in Germany and Austria. It does not replace separate contracts for commissioned data processing, technical TOM documentation, an internal deletion concept or separate information security or NIS/NIS2 documentation.
This statement combines data protection, technical security, AI use and the rights of data subjects in a single, comprehensible overall logic.
The complete regulatory areas in a structured overview
The controller responsible for processing personal data in connection with this website and the services operated through it is:
Management Consulting Mayr
Roman Mayr
Waldaustrasse 2
9500 Wil SG
Switzerland
info@x25lab.com | Tel. +41 71 554 72 93
This statement covers, in particular, the following activities where they are actually used by you:
– use of the website and access to individual pages
– use of the AI chatbot
– use of the BPMN bot, including entries relating to process descriptions and imported or exported BPMN/XML content
– use of the legal bot, where displayed or enabled
– contact by form, chat, email or callback function
– transmission of chat histories as part of a contact enquiry
– login, password reset, account activation and comparable account functions
– consent management for cookies and optional usage analytics
– security, abuse and error logging
Depending on how the services are used, we process, in particular, the following categories of personal data:
– content data: your entries, prompts, messages, BPMN/XML content, uploaded or pasted files, follow-up questions and information voluntarily provided by you
– response data: responses, interim results, status messages and error messages generated by the system
– communication data: first name, last name, email address, telephone number, contact content and, where applicable, chat histories in connection with contact enquiries
– account data: login data, activation and reset information, security and delivery status where such functions are used
– log and metadata: date, time, service used, bot type, origin, site URL, token/usage values, technical error messages and similar operational data
– device and access data: IP address, browser type, user agent, device information, language settings, access logs and error logs
– derived location data at a coarse level: country, region and city, where derived from IP-based geo-reference data
The data generally originate directly from you, from your browser or device, from server-side security and system logs and, where technically required, from IP-based geo-reference or infrastructure information. If you send us a contact enquiry from within a chat, the chat content you transmit may also be included in the enquiry.
We process personal data exclusively for the following purposes:
– providing, operating and improving the website and its functions
– handling enquiries and generating AI-supported responses
– providing the BPMN, legal and chatbot functions
– authentication, account security, activation and password management
– contact, follow-up questions and sending messages
– ensuring the stability, integrity, availability and confidentiality of the systems
– abuse detection, spam prevention, rate limiting, fraud prevention and preservation of evidence
– technical analysis, error diagnosis, troubleshooting, capacity planning and traceability
– privacy-friendly reach and usage analytics, where consent is required and has been given
– compliance with legal obligations and enforcement or defence of legal claims
Where the GDPR applies, processing takes place in particular on the basis of Art. 6(1)(b) GDPR where processing is necessary for pre-contractual measures or for providing requested functions, on Art. 6(1)(c) GDPR for compliance with legal obligations, on Art. 6(1)(f) GDPR based on our legitimate interest in a secure, traceable and economically viable operation of our website and AI services and, where required, on Art. 6(1)(a) GDPR on the basis of your consent, in particular for optional analytics, optional cookies or other activities requiring consent.
Under Swiss data protection law, processing takes place within the framework of legal permissibility, in particular for the proper provision of our offering, the safeguarding of legitimate business interests, system security and compliance with legal obligations. Where additional national data protection or telemedia/telecommunications law in Germany or Austria is applicable, the respective additional requirements are also taken into account.
For the provision of generative AI functions, we use technical service providers, in particular OpenAI via API-based business services. In addition, technical infrastructure, hosting, database, email, security, monitoring or geo-reference services may be integrated. If you submit a contact enquiry, your contact details and, depending on the function, any transmitted chat histories may be processed for sending the message to us or for responding to your enquiry.
We use external service providers only insofar as this is necessary for operation, security, communication or the provision of functions. Where these service providers process personal data on our behalf, we base this on appropriate contractual arrangements.
The chatbot, the BPMN bot and comparable AI functions generate responses automatically or semi-automatically based on your inputs. Such responses may be incomplete, shortened or factually incorrect and do not replace individual professional, legal, tax or medical advice. Where possible, please do not enter into the chat any specially protected personal data, professional secrets, access credentials, full payment data, health data or confidential business secrets that are not necessary. If you nevertheless transmit such data, you do so on your own responsibility and only where a lawful basis exists.
Through the AI functions provided on this website, we do not make solely automated individual decisions with legal effect or similarly significant impact within the meaning of Art. 22 GDPR. The responses provided serve information, support and pre-structuring purposes and must be reviewed by humans.
Personal data may, where necessary, be disclosed to the following categories of recipients:
– hosting, infrastructure and database service providers
– AI and API service providers
– email and communication service providers
– security, monitoring, logging and geo-reference services
– external advisers, commissioned processors or assistants, insofar as they are bound to confidentiality
– authorities, courts or other bodies where a legal obligation exists or a lawful order is in place
Processing may take place in whole or in part in Switzerland, in the European Economic Area or in third countries. Disclosure to third countries takes place only where this is technically or organisationally necessary for the use of the services employed or where we are legally obliged to do so. Where no statutory adequacy decision exists, we rely on appropriate safeguards such as standard contractual clauses or other recognised data protection mechanisms, together with supplementary technical and organisational protective measures.
We use technically necessary cookies and comparable local storage technologies insofar as they are required for operation, security, language settings, consent management, form functions or comparable basic functions. Optional analytics or reach functions are activated only where consent is required under applicable law and you have given it. You may change or withdraw your consent at any time with effect for the future. Additional information can be found in the separate Cookie Policy, where such a policy is linked.
We do not store personal data longer than necessary for the stated purposes. The specific duration depends in particular on the nature of the activity, security and evidentiary requirements, abuse and error analysis, communication history, statutory retention obligations and any limitation periods.
Short-term technical temporary storage may exist only for a short session or error-analysis phase. Security, system and usage logs as well as chat and response content may be retained for the period objectively required for operation, abuse prevention, error diagnosis, traceability and the preservation of evidence. Where fixed deletion or clean-up routines are productively implemented in individual systems, those specific periods prevail. Where immediate deletion is not possible due to legal obligations, ongoing incidents, security events or legal claims, processing is restricted accordingly.
We take appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, misuse, manipulation, unlawful disclosure or unlawful processing. This includes, in particular, role-based access, transport encryption, logging, authentication and approval mechanisms, segmentation, error and abuse monitoring, patch and update processes, backups and organisational responsibilities for incident handling and recovery.
This Privacy Policy does not constitute a blanket statement that x25lab.com or Management Consulting Mayr falls within the scope of NIS, NIS2 or comparable sector-specific cyber security regimes in every case. Whether such obligations exist depends in particular on the sector, role, establishment, customer structure, company size, criticality of the services provided and the law applicable in the particular case. Irrespective of this, we align our security organisation with a risk-based approach. Where statutory notification or response duties apply in relation to data protection or cyber security incidents, these are fulfilled within the framework of the legal requirements.
Within the framework of applicable law, you have, in particular, the right of access, rectification, deletion, restriction of processing, objection to certain processing activities and, where applicable, the right to obtain or port your data. Any consent granted may be withdrawn at any time with effect for the future. If you believe that processing breaches applicable data protection law, you may also contact the competent data protection supervisory authority.
For matters relating to Switzerland, this may in particular be the Federal Data Protection and Information Commissioner (FDPIC). Where the GDPR applies, you may also contact a competent supervisory authority in the European Union, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement. For Germany and Austria, the competent data protection supervisory authorities under the applicable law are responsible.
As a rule, you are not obliged to provide personal data. Without certain technical or substantive information, however, individual functions – such as chat, contact, login, activation or password reset – cannot be provided, or cannot be provided in full.
We reserve the right to amend this Privacy Policy at any time with effect for the future. The version published on this website is decisive.