Back to home

Privacy Policy

Last updated: 13 July 2026

This document is provided in five languages; in case of discrepancies, the German version prevails.

1. Controller and contact

This platform is operated under the name COCKPIT by Avidia.ai, a subdivision of Netgen Switzerland AG. The controller responsible for the processing described in this policy is:

Netgen Switzerland AG
Seestrasse 356
CH-8038 Zürich
Switzerland
E-mail: hello@avidia.ai
Phone: +41 44 244 59 59

Netgen Switzerland AG has not appointed a data protection officer, as it is not legally required to do so. Instead, we have designated a contact point for all data protection matters, reachable at hello@avidia.ai.

Where the designation of a representative in the European Union pursuant to Art. 27 GDPR is required, Netgen Switzerland AG will designate such a representative and publish the representative's contact details in an updated version of this policy.

2. Scope and applicable law

This Privacy Policy applies to the COCKPIT platform available at cockpit.avidia.ai and on customer-specific tenant subdomains (*.cockpit.avidia.ai), including all functions offered there (project and mandate management, time tracking, invoicing and collaboration).

Processing is governed primarily by the revised Swiss Federal Act on Data Protection (FADP). Where and to the extent that the EU General Data Protection Regulation (GDPR) applies — in particular to data subjects located in the EU/EEA — we additionally comply with the GDPR; references to GDPR articles in this policy serve that purpose.

3. Our roles: controller and processor

COCKPIT is a multi-tenant business platform. Depending on the category of data, Netgen Switzerland AG acts in one of two distinct roles. This distinction determines who is responsible for the processing and to whom you should address requests:

3.1 Netgen Switzerland AG as controller

We act as the controller for personal data that we process for our own purposes in operating the platform, namely:

  • account and authentication data (registration, login, password reset),
  • billing and subscription data,
  • support and contract-related communication,
  • platform telemetry, server logs and audit trails.

3.2 Netgen Switzerland AG as processor

We act as a processor for the content that customer organizations ("tenants") store and manage within their tenant, in particular records about clients, mandates and projects, time records, invoices and documents ("tenant content"). For tenant content, the respective tenant organization is the controller; we process this data exclusively on the tenant's instructions.

A data processing agreement (DPA) in accordance with Art. 28 GDPR and Art. 9 FADP forms part of the subscription contract and is available on request at hello@avidia.ai.

If you are recorded in COCKPIT as a client, contact or employee of one of our customers, please address data protection requests concerning that data to the customer organization concerned (see section 9).

4. Categories of data, purposes and legal bases

As controller, we process the following categories of data for the following purposes. Where the GDPR applies, the legal basis under Art. 6(1) GDPR is indicated; under the FADP, processing is based on the corresponding statutory grounds and the principles of Art. 6 FADP.

  • Account and profile data (name, e-mail address, password hash, language and display preferences, profile picture): provision of the platform, authentication and account management — Art. 6(1)(b) GDPR (performance of a contract).
  • Billing and subscription data (plan, seat count, invoices, payment status; payment card details are processed by Stripe and never stored by us): invoicing and collection — Art. 6(1)(b) GDPR (contract) and Art. 6(1)(c) GDPR (legal obligation, in particular commercial bookkeeping and retention duties).
  • Support and communication data (support requests, correspondence): handling of enquiries and support cases — Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient customer service).
  • Telemetry, log and audit data (IP address, browser and device information, timestamps, actions performed): IT security, abuse prevention, error analysis and traceability of security-relevant actions — Art. 6(1)(f) GDPR (legitimate interest in the secure and reliable operation of the platform).
  • Optional data (e.g. optional integrations that you activate yourself, or optional product communications): only with your consent — Art. 6(1)(a) GDPR; consent can be withdrawn at any time with effect for the future.
  • Tenant content (clients, mandates/projects, time records, invoices, documents): processed exclusively as a processor on behalf and on the instructions of the tenant (see section 3.2); the legal basis is determined by the tenant as controller.

5. Subprocessors and data location

We use the following subprocessors to operate the platform. Data is stored in Switzerland and/or the EU. Where personal data is transferred to countries outside Switzerland or the EEA that do not provide an adequate level of data protection, the transfer is safeguarded by adequacy decisions or the EU Standard Contractual Clauses (SCCs), supplemented where necessary for Swiss law.

SubprocessorPurposeData location
Supabase Inc.Database and authenticationAWS eu-central-2, Zürich, Switzerland
Hetzner Online GmbHApplication hostingGermany / Finland (EU)
Stripe Payments Europe Ltd.Payment processing and subscription billingEU (Ireland); transfers per Stripe's safeguards (SCCs)
Resend Inc.Transactional e-mail (only when configured)USA / EU; transfers safeguarded by SCCs
Bexio AGAccounting synchronisation — only when the tenant connects its own Bexio account; the tenant is the controller of that data flowSwitzerland

Beyond the above, we disclose personal data only where we are legally obliged to do so (e.g. to authorities on the basis of a binding order) or where you have consented.

6. Cookies

COCKPIT uses essential cookies only, i.e. cookies that are strictly necessary for the operation of the platform:

  • session and authentication cookies (login session),
  • the language preference cookie (NEXT_LOCALE),
  • the theme preference (light/dark mode),
  • a technical cookie safeguarding tenant switching (tenant-switch guard).

We do not use advertising or tracking cookies and no third-party analytics services. Because only technically necessary cookies are used, no cookie consent banner is required; we list the cookies here for the sake of transparency.

7. Retention

  • Account and contract data: for the duration of the contractual relationship and thereafter for as long as statutory retention obligations require — in particular the ten-year retention period for business records under the Swiss Code of Obligations, where applicable.
  • Tenant content: until the tenant deletes it or the contract ends; after termination of the contract, an export window applies (see the Terms of Service), after which tenant content is deleted and backups are purged in a rolling cycle.
  • Logs and audit trails: as a rule approximately 12 months, unless a longer retention is required in individual cases to investigate security incidents or to comply with legal obligations.

8. Security

We take appropriate technical and organizational measures within the meaning of Art. 32 GDPR and Art. 8 FADP to protect personal data, in particular:

  • encryption in transit (TLS) and encryption at rest,
  • strict tenant isolation through row-level security in the database,
  • per-tenant encrypted storage of secrets and integration credentials (vault),
  • audit logging of security-relevant actions,
  • role-based access control,
  • hosting exclusively in Swiss and EU data centers,
  • regular backups.

9. Your rights

Subject to the statutory conditions, you have the following rights with respect to your personal data:

  • access to the data we hold about you,
  • rectification of inaccurate data,
  • erasure ("right to be forgotten"),
  • restriction of processing,
  • data portability (release in a structured, common, machine-readable format),
  • objection to processing based on legitimate interests,
  • withdrawal of consent at any time, with effect for the future.

To exercise these rights, contact us at hello@avidia.ai. We may request proof of identity to protect your data.

Requests concerning tenant content: where your data is contained in a tenant's content (e.g. you are a client or employee of one of our customers), the tenant organization is the controller. Please address your request to that organization; we support the tenant in fulfilling data subject requests within the scope of our role as processor.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch. If you are located in the EU/EEA, you may additionally complain to the supervisory authority of your habitual residence, place of work or the place of the alleged infringement.

10. Automated decision-making and profiling

We do not carry out automated individual decision-making within the meaning of Art. 22 GDPR or Art. 21 FADP, and we do not perform profiling.

11. Changes to this policy

We may amend this Privacy Policy from time to time, in particular when the platform or the legal framework changes. The version published on this page applies; material changes will be announced in an appropriate manner (e.g. by e-mail or an in-app notice). This version is effective as of 13 July 2026.