Privacy Policy
Idea2Creat GmbH is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, and protect your data in compliance with the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).
Last updated: February 18, 2026
The German version of this Privacy Policy is authoritative. Translations are for informational purposes only.
1. Data Controller
Idea2Creat GmbH
Karrenwaldstrasse 8, Switzerland
Email: Info@idea2create.ch
Phone: +41 79 894 55 56
Data Protection Officer/DPO: Daniel Schaufelbühl
Supervisory Authority Switzerland: FDPIC (EDÖB)
2. Scope
This Privacy Policy applies to: website/platform, login, listings, AI features, Proof-of-Idea, search/matching, contact purchase, chat, support, payments, marketing communications.
3. Principles
We process personal data on a purpose-bound, proportionate basis with appropriate security measures. For EU/EEA, the transparency, legal basis, and accountability obligations of the GDPR also apply, including information obligations (e.g., Art. 13) and security measures (Art. 32).
4. Data Categories
We may process the following categories in particular:
- a) Account data: Name/organization, email, phone, password hash, roles (Idea Creator/Investor), verification status.
- b) Profile/listing data: Idea title, short description, category, market/industry, pricing, project status, optional documents/uploads.
- c) Communication data: Chat messages, support tickets, emails.
- d) Usage/device data: IP address, timestamps, device/browser info, log files, click paths (depending on analytics configuration).
- e) Payment data: Transaction IDs, status, billing data; payment instrument data is generally processed by the payment service provider.
- f) Verification/anti-fraud data: SMS verification, payment verification, KYC documents for ID checks if applicable.
- g) AI input/output: Free-text inputs and generated structurings/business plan drafts.
5. Purposes and Legal Bases
For EU/EEA, we typically base processing on GDPR Art. 6(1)(b) (contract), (f) (legitimate interest), (a) (consent) – depending on the operation. For Switzerland, we follow the revised FADP.
| Processing | Data (Examples) | Purpose | Legal Basis (EU/EEA) | Recipients / Processors | Retention Period (Guideline) |
|---|---|---|---|---|---|
| Registration & Account | Email, name, password hash | Account creation, auth | Art. 6(1)(b) | Hosting/email provider | Account active + deletion policy |
| Verification / KYC-light | Phone, payment verification, logs | Fake/fraud prevention | Art. 6(1)(f) | SMS provider, payment provider | Per purpose + limited logs |
| Listing/Idea | Title, short text, category, price | Publication / matching | Art. 6(1)(b) | Hosting, moderation if applicable | Duration + archive policy |
| AI Development | Texts, parameters, outputs | Structuring / business draft | Art. 6(1)(b) | AI service provider (sub-processor) | Output in project, inputs per policy |
| Proof-of-Idea | Hash, timestamp, version | Documentation / audit | Art. 6(1)(b) | Timestamp service (optional) | Long-term, as long as account/claims |
| Search/Matching | Tags, clicks, filters | Relevance / recommendation | Art. 6(1)(f) | Analytics (optional) | Short to medium |
| Contact Purchase & Chat | Chat, contact status | Contact facilitation | Art. 6(1)(b) | Payment, hosting | Chat retention to be defined |
| Payment / Billing | Billing data, transaction ID | Accounting, proof | Art. 6(1)(c)/(b) | Payment, accounting | Generally 10 years (CH) |
| Security/Logs | IP, events, errors | Security, debugging, abuse | Art. 6(1)(f) | Hosting/security | Short, role-based |
| Marketing (Newsletter) | Email, opt-in | Product information | Art. 6(1)(a)/(f) | Email tool | Until unsubscription |
6. Automated Decisions, Profiling, AI Assessments
6.1 We may use AI/algorithms for structuring, matching, spam detection, and maturity indicators where applicable.
6.2 EU/EEA: If a decision is made "solely automatically" and has legal effect or similarly significant impact, GDPR Art. 22 applies.
6.3 Switzerland: For automated individual decisions with significant impact, information and review rights exist; affected persons must be informed and may request review by a natural person.
6.4 Material decisions (e.g., account suspension, hard rejection) have a human review path.
7. Recipients, Processors, International Data Transfers
7.1 We engage service providers (hosting/cloud, payment, email, SMS, support, AI providers if applicable). We enter into data processing agreements with processors (GDPR Art. 28).
7.2 Data may be processed outside Switzerland/EU (cloud/tools). For EU/EEA, Chapter V requirements for third-country transfers apply.
7.3 Switzerland: Data disclosure abroad is governed by the revised FADP and FDPIC requirements.
7.4 Safeguards: SCCs (EU) + supplementary measures (TOMs), TIA where applicable, encryption, least privilege.
8. Retention and Deletion
8.1 We store data only as long as necessary for the purposes or as required by statutory obligations.
8.2 Accounting/billing records: generally 10 years in Switzerland (CO Art. 958f).
8.3 Retention periods:
- Login/security logs: 30–180 days (depending on risk)
- Chat messages: 12–24 months after last contact (or until user deletes)
- Listings: active + 12 months archive
- Proof-of-Idea: as long as account active + 5 years thereafter, unless deletion grounds exist
- Support tickets: 24 months
9. Data Security (TOMs)
9.1 We implement appropriate technical and organizational measures, including pseudonymization/encryption and ensuring confidentiality, integrity, and availability.
9.2 Minimum measures: TLS, encryption at rest, RBAC, backup strategy, monitoring, incident response plan, access logging for admin actions.
10. Data Breaches
10.1 EU/EEA: Notification obligation to supervisory authority within 72 hours (GDPR Art. 33) and notification of affected persons where applicable (Art. 34).
10.2 Switzerland: Notification obligation to FDPIC exists in case of expected high risk (Art. 24 FADP).
10.3 We document security incidents and take countermeasures.
11. Cookies and Similar Technologies
11.1 Technically necessary cookies (session, security) are used to provide the platform.
11.2 For non-necessary cookies/tracking, we obtain consent where required.
11.3 Cookie categories:
- Necessary (no opt-in required)
- Preferences
- Statistics/Analytics
- Marketing
11.4 Users can change their consent at any time (cookie banner/settings link).
12. Data Subject Rights and Contact
EU/EEA rights include access, rectification, erasure (Art. 17), restriction, data portability, objection, and withdrawal of consent.
Switzerland: Access rights and enforcement options under the revised FADP.
Contact: Info@idea2create.ch
Complaints (Switzerland): FDPIC (EDÖB); (EU/EEA): competent national supervisory authority.
13. Marketing Communications
Newsletters/product updates are sent only (i) with consent or (ii) within the limits of permissible existing-customer advertising, depending on configuration/region.
14. Minors
Our platform is intended for adults; use by persons under 18 is prohibited.
15. Changes to This Privacy Policy
In case of material changes, we will notify users; each version of this policy is dated.