← Back to home Legal

Privacy Policy

Last updated: 12 May 2026 · Compliant with the FADP (Switzerland) and the GDPR (EU) · English translation, for information only — the French version is binding.

This privacy policy describes how HeyPapaya collects, uses, shares and protects the personal data of visitors to heypapaya.ch and of its clients. We process your data in line with the revised Swiss Federal Act on Data Protection (FADP), in force since 1 September 2023, and with the General Data Protection Regulation (GDPR) of the European Union where it applies.

Data controller
Data we collect
Purposes & legal bases
Recipients
Transfers outside Switzerland / EU
Cookies & similar technologies
Retention periods
Security
Your rights
Minors
Changes
Contact

1. Data controller

The data controller within the meaning of the FADP and the GDPR is:

HeyPapaya — Simple partnership
Partners: Gaetan Rieben and Lucas Jones
Avenue de France 54, 1004 Lausanne
Canton of Vaud, Switzerland
Email: gaetan.rieben@heypapaya.ch

HeyPapaya has not appointed a Data Protection Officer (DPO), as it is not required to do so by law. For any question about your data, write to gaetan.rieben@heypapaya.ch.

2. Data we collect

2.1 Data you provide us directly

Contact form & emails: first name, last name, email address, company, role, content of the message.
Free AI audit booking: name, company, email address, phone number (optional), description of your need.
Contractual relationship: billing details, data required to perform the engagement (contacts, technical access, business content provided).

2.2 Data collected automatically

Technical navigation data: IP address (truncated / anonymised where possible), browser type, operating system, pages viewed, date and time of visit, referring site.
Usage data: navigation path on the site, session duration, aggregated interactions.

2.3 Data we do not collect

We do not collect sensitive personal data within the meaning of art. 5 lit. c FADP (health data, religious or political opinions, ethnic origin, sex life, etc.) through the site. If a service required this, a specific contractual framework would be put in place.

3. Purposes & legal bases of processing

We process your data for the following purposes:

Responding to your requests (contact, quote, audit) — performance of pre-contractual measures at your request; legitimate interest (art. 6(1)(b) and (f) GDPR).
Performing our services (audit, design, deployment, operation of AI agents, training) — performance of the contract (art. 6(1)(b) GDPR).
Invoicing & accounting — compliance with legal obligations (Swiss CO, art. 6(1)(c) GDPR).
Improving the site & measuring audience on the basis of aggregated and anonymised statistics — legitimate interest (art. 6(1)(f) GDPR).
Marketing communications (newsletters, educational content) — only with your prior consent, which you may withdraw at any time.
Site security and fraud prevention — legitimate interest.

4. Recipients of the data

Your data is processed by HeyPapaya's founders and staff bound by a confidentiality obligation. It may be shared with the following categories of third parties, acting as processors within the meaning of art. 9 FADP / art. 28 GDPR:

Hosting and infrastructure: Infomaniak Network SA (Geneva, Switzerland) — hosting of the site, databases and technical logs. Data processed in Switzerland.
CRM & prospect tracking: Airtable, Inc. (United States) — recording of inbound requests, prospect management and relationship history.
Audience measurement: no audience-measurement tool is currently used. The site does not drop any analytics or advertising cookie.
AI providers: where we design or operate AI agents for your accounts, third-party model providers (e.g. OpenAI, Anthropic, ElevenLabs) may process content on your behalf, strictly within their own contractual and data protection commitments. Details are set out in the service contract.

We never sell or rent your personal data to third parties.

5. Transfers outside Switzerland / European Union

Some of our processors are established outside Switzerland and the European Union (notably in the United States). Where that is the case, we ensure appropriate safeguards frame the transfer:

adequacy decisions recognised by the Swiss Federal Council and the European Commission;
standard contractual clauses (SCCs) recognised by Switzerland and the EU;
additional technical measures (encryption, pseudonymisation, access control) where necessary.

You can write to gaetan.rieben@heypapaya.ch to request a copy of these safeguards.

6. Cookies & similar technologies

The heypapaya.ch site uses no analytics, advertising or tracking cookie. The only cookies that may be dropped are strictly necessary for the technical operation and security of the site (session, technical preferences). These cookies do not require prior consent under art. 45c TCA and the GDPR.

You can configure your browser at any time to refuse or delete cookies. Refusing strictly necessary cookies may affect the availability of certain site features.

7. Retention periods

Contact requests not converted into a contract: 24 months from the last exchange.
Contractual & accounting data: 10 years in accordance with art. 958f CO.
Navigation data & technical logs: 12 months at most.
Marketing consents: until consent is withdrawn, then archived for evidence for 3 years.

At the end of these periods, the data is irreversibly deleted or anonymised.

8. Security

HeyPapaya puts in place technical and organisational measures appropriate to the risk to protect your data against loss, misuse, unauthorised access, disclosure, alteration or destruction. These measures include in particular: default hosting in Switzerland or the EU, encryption in transit (TLS) and at rest where possible, access control, logging, backups, ongoing staff training.

9. Your rights

Under the FADP and the GDPR, you have the following rights over your personal data at any time:

Right of access — know what data we process about you and obtain a copy.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”) — subject to contrary legal obligations (e.g. accounting).
Right to restriction of processing.
Right to object to processing based on legitimate interest.
Right to portability — receive your data in a structured, machine-readable format.
Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
Right to lodge a complaint with a supervisory authority: the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or the competent authority of your EU member state of residence (e.g. the CNIL in France).

To exercise your rights, write to gaetan.rieben@heypapaya.ch. We will respond within a maximum of 30 days. Proof of identity may be requested in the event of reasonable doubt.

10. Minors

HeyPapaya's site and services are aimed at a professional audience and are not intended for minors. We do not knowingly collect data concerning minors.

11. Changes to the policy

This policy may be updated to reflect changes in our practices, the tools used or applicable regulation. The version in force is the one published on this page. Material changes will be flagged through any appropriate means.

12. Contact

For any question about this policy or your personal data: gaetan.rieben@heypapaya.ch.

English version, for information only. In case of any discrepancy with the French original, the French version shall prevail. Page reviewed on 13 May 2026.