Privacy Policy
of Idea2Creat GmbH
As of: 09.03.2026
The contractual language is German. This translation is for information purposes only; in case of discrepancies, the German version shall prevail.
1. Data Controller
Idea2Creat GmbH
Karrenwaldstrasse 8, Switzerland
Email: Info@idea2create.ch
Phone: +41 79 894 55 56
Data Protection Officer/DPO: Daniel Schaufelbuehl
Supervisory Authority Switzerland: FDPIC (EDOB)
2. Scope
This Privacy Policy applies to: website/platform, login, pre-registration by email, listings, AI functions, Proof-of-Idea, search/matching, contact purchase and contact release, sharing of ideas, chat, support, payments, marketing communication, and all related services and tools.
3. Principles
We process personal data in a purpose-driven, proportionate manner with appropriate security measures. For EU/EEA, the transparency, legal basis, and accountability obligations of the GDPR additionally apply, including information obligations (e.g., Art. 13) and security measures (Art. 32).
4. Data Categories
We may process the following categories in particular:
- a) Account data: name/organization, email, phone, password hash, roles (idea creator/investor), verification status.
- b) Pre-registration data: email address and entered idea content before full registration.
- c) Profile/listing data: idea title, brief description, category, market/industry, price information, project status, optional documents/uploads.
- d) Communication data: chat messages, support tickets, emails, contact form entries.
- e) Usage/device data: IP address, timestamp, device/browser info, log files, click paths (depending on analytics configuration).
- f) Payment data: transaction IDs, status, billing data; payment instrument data is generally processed by the payment service provider.
- g) Verification/anti-fraud data: SMS verification, payment verification, automated security checks, risk analyses, KYC documents for ID checks if applicable.
- h) AI input/output: free-text inputs and generated structurings/business plan drafts.
- i) Social login data (if offered): When using social login services (e.g., Google, LinkedIn, Apple), we receive the data necessary for registration from the respective provider (e.g., name, email, profile picture). We do not gain access to your password at the third-party provider.
| Processing | Data (Examples) | Purpose | Legal Basis (EU/EEA) | Recipients / Processors | Retention Period (Guideline) |
|---|---|---|---|---|---|
| Pre-registration (Email + Idea) | Email, idea content | Securing the idea before registration | Art. 6(1)(b)/(f) | Hosting | Max. [30 days] without registration, then deletion |
| Registration & Account | Email, name, password hash | Create account, auth | Art. 6(1)(b) | Hosting/email provider | Account active + deletion policy |
| Verification / KYC-light / Anti-Fraud | Phone, payment verif., security checks, logs | Fake/fraud prevention | Art. 6(1)(f) | SMS provider, payment provider | After purpose + logs limited |
| Social Login | Name, email, profile ID | Registration / auth | Art. 6(1)(b) | Google/LinkedIn/Apple | Account active + deletion policy |
| Listing/Idea | Title, short text, category, price | Publication / matching | Art. 6(1)(b) | Hosting, moderation if applicable | Duration + archive policy |
| AI Elaboration | Texts, parameters, outputs | Structuring / business draft | Art. 6(1)(b) | AI service provider (sub-processor) | Output in project, inputs per policy |
| Proof-of-Idea | Hash, timestamp, version | Documentation / audit | Art. 6(1)(b) | Timestamp service (optional) | Long-term, while account/claims exist |
| Search/Matching | Tags, clicks, filters | Relevance / recommendation | Art. 6(1)(f) | Analytics (optional) | Short to medium |
| Contact purchase, release & chat | Name, email, idea details, chat, contact status | Contact facilitation, data sharing with counterparty | Art. 6(1)(b) | Payment, hosting; counterparty (after consent) | Chat retention to be defined; release logs permanent |
| Response time monitoring | Request timestamp, response status, non-response count | Platform quality, enforcement of response obligation (GTC §10) | Art. 6(1)(f) | Internal | While listing active + 12 months |
| Sharing ideas (share link, PDF export) | Released idea content, share metadata | User-initiated sharing | Art. 6(1)(b)/(a) | Hosting; recipients (per release) | Per link validity / revocation |
| Payment / billing | Billing data, transaction ID | Accounting, proof | Art. 6(1)(c)/(b) | Payment, accounting | Generally 10 years (CH) |
| Security/Logs | IP, events, errors | Security, debug, abuse | Art. 6(1)(f) | Hosting/security | Short, role-based |
| Support / contact form | Name, email, message, attachments | Processing support request | Art. 6(1)(b)/(f) | Ticketing system, hosting | 24 months after completion |
| Marketing (newsletter) | Email, opt-in | Product info | Art. 6(1)(a)/(f) | Email tool | Until unsubscribe |
| Anonymized / aggregated data | Statistics, trends (no personal reference) | Analyses, research, platform development | Art. 6(1)(f) / no personal reference | Internal, publication if applicable | Unlimited (anonymized) |
- j) Contact release data: Upon contact purchase and release, data released by the respective user is transmitted to the counterparty (e.g., name, email, idea details, phone number). Scope and timing are based on the explicit consent of the respective user.
- k) Sharing data: When users share ideas via share link, PDF export, or forwarding, the released content becomes accessible to recipients. Metadata (e.g., timestamp, recipient access) may be logged.
- l) Support/contact form data: For support requests, we collect name, email, subject, message content, and any uploaded attachments and metadata (timestamp, ticket ID).
- m) Anonymized/aggregated data: Idea2Creat may use anonymized or aggregated data (that does not allow conclusions about individual users) for internal analyses, statistics, research, and development.
5. Purposes and Legal Bases
For EU/EEA, we typically base processing on GDPR Art. 6(1)(b) (contract), (f) (legitimate interest), (a) (consent) - depending on the process. For Switzerland, we follow the revised DPA.
6. Data Sharing in Contact Purchase and Contact Release
6.1 Upon contact purchase and subsequent release, personal data is exchanged between idea creator and investor. This occurs exclusively after explicit consent (opt-in) of the respective user.
6.2 The following data of the idea creator may be transmitted to the investor: name or organization, email address, released idea details (e.g., title, description, category, project status, relevant documents) and if applicable, additional released contact data (e.g., phone number, website).
6.3 The following data of the investor may be transmitted to the idea creator: name or organization, email address, and if applicable, additional released information (e.g., industry, investment focus).
6.4 The respective user can review which data will be transmitted before release and exclude individual fields. Consent is logged.
6.5 After data sharing, Idea2Creat has no influence on the use of data by the counterparty. The receiving party is responsible as an independent controller for further processing.
6.6 Response time monitoring: Idea2Creat records and monitors the response times of idea creators to contact requests (request timestamp, response status, number of non-responses). The purpose is to ensure platform quality and enforce the response obligation under GTC §10. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) in a functioning platform and fair user experience for paying investors.
6.7 Legal basis for data sharing: GDPR Art. 6(1)(b) (contract performance) and Art. 6(1)(a) (consent).
7. Pre-Registration of Ideas by Email
7.1 Users can record an idea before completing full registration by entering an email address and idea content.
7.2 Purpose: Securing the idea and assignment to the later user account.
7.3 Legal basis: GDPR Art. 6(1)(b) (pre-contractual measures) and Art. 6(1)(f) (legitimate interest in user retention).
7.4 If registration is not completed within [e.g., 30 days], the pre-registered data (email and idea content) will be deleted.
7.5 The email address may be used to remind the user to complete registration (maximum [e.g., 3] reminders during the deletion period).
8. AI Data Processing and Training Data
8.1 User AI inputs (e.g., free texts, parameters) are processed exclusively for providing the requested AI function.
8.2 AI inputs are generally not used for training public AI models unless explicitly stated otherwise and separate consent has been obtained.
8.3 AI service providers are engaged as processors (sub-processors) and are subject to corresponding contractual obligations.
9. Automated Decisions, Profiling, AI Assessments
9.1 We may use AI/algorithms for structuring, matching, spam detection, fraud prevention, and possibly maturity indicators.
9.2 EU/EEA: If a decision is made exclusively by automated means and has legal effect or a similarly significant impact, GDPR Art. 22 applies.
9.3 Switzerland: For automated individual decisions with significant impact, information and review rights exist; affected persons must be informed and can request review by a natural person.
9.4 Significant decisions (e.g., account suspension, hard rejection) have a human review path.
10. Recipients, Processors, International Data Transfers
10.1 We use service providers (hosting/cloud, payment, email, SMS, support, AI provider if applicable). We conclude processing agreements with processors (GDPR Art. 28).
10.2 Data may be processed outside Switzerland/EU (cloud/tools). For EU/EEA, Chapter V requirements for third-country transfers apply.
10.3 Switzerland: Data disclosure abroad is governed by the revised DPA and FDPIC requirements.
10.4 Safeguards: SCCs (EU) + supplementary measures (TOMs), TIA if applicable, encryption, least-privilege.
11. Sub-Processors
11.1 A current list of our key sub-processors (processors) with details of function and location is available on request or on the platform under "Privacy > Sub-Processors".
11.2 We provide notice of significant changes to the sub-processor list. If a right of objection exists, it is explained in the notification.
12. Retention and Deletion
12.1 We store data only for as long as necessary for the respective purposes or as required by legal obligations.
12.2 Accounting/billing records: in Switzerland generally 10 years (OR 958f).
12.3 Retention periods:
- Login/security logs: 30-180 days (depending on risk)
- Chat messages: 12-24 months after last contact (or until user deletes)
- Listings: active + 12 months archive
- Proof-of-Idea: while account active + [e.g., 5 years] thereafter
- Support tickets: 24 months
12.4 After account deletion, personal data is deleted or anonymized unless statutory retention obligations exist.
13. Data Security (TOMs)
13.1 We implement appropriate technical and organizational measures, including pseudonymization/encryption and ensuring confidentiality, integrity, and availability.
13.2 Minimum measures: TLS, encryption at rest, RBAC, backup strategy, monitoring, incident response plan, access logging for admin actions.
14. Data Breaches
14.1 EU/EEA: Notification to supervisory authority within 72 hours (GDPR Art. 33) and notification of affected persons if applicable (Art. 34).
14.2 Switzerland: Notification to the FDPIC is required where a high risk is likely (Art. 24 DPA).
14.3 We document security incidents and take countermeasures.
15. Cookies and Similar Technologies
15.1 Technically necessary cookies (session, security) are used to provide the platform.
15.2 For non-essential cookies/tracking, we obtain consent where required.
15.3 Cookie categories:
- Necessary (no opt-in): session management, security, load balancing, cookie consent storage
- Preferences: language, display settings
- Statistics/Analytics: anonymized usage analysis
- Marketing: personalized advertising (if used)
15.4 Users can change consents at any time (cookie banner/settings link).
15.5 Information on managing cookies can also be found in the browser settings of the respective device.
16. Data Subject Rights and Contact
EU/EEA rights include, among others:
- Right of access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure / "right to be forgotten" (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (at any time, without retroactive effect)
- Right not to be subject to solely automated decisions (Art. 22 GDPR)
Switzerland: Access rights and enforcement options under the revised DPA. We may require identity verification to process data subject requests.
Contact: [datenschutz@...]
Complaint (Switzerland): FDPIC; (EU/EEA): competent national supervisory authority.
17. Marketing Communication
Newsletter/product updates are sent only with (i) consent or (ii) within the scope of permissible existing customer advertising - depending on design/region. Each newsletter contains an unsubscribe link. After unsubscription, data is no longer used for newsletter delivery; the record of the unsubscription is retained for evidentiary purposes.
18. Minors
Our platform is aimed at adults; use by persons under 18 is prohibited. We do not knowingly collect data from minors. Should we become aware that data of a minor has been collected, it will be deleted immediately.
19. Social Login / Single Sign-On
19.1 We may offer the option to register or sign in via third-party accounts (e.g., Google, LinkedIn, Apple).
19.2 When using a social login service, the third-party provider transmits certain profile data to us. The scope depends on the settings and privacy policies of the respective third-party provider.
19.3 We use this data exclusively for account creation and authentication.
19.4 Users can revoke the connection at any time in their profile settings or at the third-party provider.
20. Supplementary Information for Users from the United Kingdom
20.1 For users in the United Kingdom (UK), the provisions of the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 apply.
20.2 The rights and protective measures described in this Privacy Policy apply equally to UK users.
20.3 The competent supervisory authority in the UK is the Information Commissioner's Office (ICO).
20.4 Data transfers between Switzerland/EU and the UK are based on the UK adequacy decision or appropriate safeguards.
21. Data Protection Impact Assessment (DPIA)
21.1 Where processing activities may pose a high risk to the rights and freedoms of natural persons (e.g., extensive profiling, AI-based assessments), we conduct a Data Protection Impact Assessment pursuant to GDPR Art. 35.
21.2 Results and measures are documented and submitted to the supervisory authority if needed.
22. Anonymized and Aggregated Data Use
22.1 Idea2Creat may use anonymized or aggregated data (that does not allow conclusions about individual users) for internal analyses, statistics, research, and platform development.
22.2 Such data may also be published in summarized form (e.g., market trends, platform statistics) without allowing conclusions about individual users.
23. Company Transfer
23.1 In the event of a company transfer (e.g., sale, merger, reorganization), personal data may be transferred to the successor insofar as this is necessary for the continuation of the platform.
23.2 Users will be informed about such a transfer. The rights of users under this Privacy Policy remain unaffected.
24. Links to Third-Party Websites
24.1 Our platform may contain links to third-party websites. We have no influence on their content and privacy practices.
24.2 The privacy policies of the respective third-party websites apply to data processing by those websites.
25. Changes to this Privacy Policy
25.1 We may update this Privacy Policy at any time, particularly for legal changes, new processing activities, or technical adjustments.
25.2 For significant changes, we inform users via email and/or in-app notification.
25.3 Versioning is done by date; previous versions are available on request.