Privacy Policy

Last updated: 26 June 2026

This privacy policy describes how DeepMed Zurich AG processes personal data when you use this website and our services.

1. Controller and contact

The controller responsible for the processing of personal data described in this privacy policy is: DeepMed Zurich AG Toblerstrasse 80 8044 Zurich, Switzerland Email: contact@deepmed.ch Website: www.deepmed.ch If you have questions about data protection or wish to exercise your rights, you can reach us at the contact details above.

2. Scope of this privacy policy

This privacy policy describes how we process personal data when you visit our website, communicate with us, use our products or services, or otherwise have a business relationship with us. Our offerings are primarily aimed at business customers, in particular organisations, practices, clinics, assessment bodies, and other companies or institutions. In addition, individual products — in particular our chat solution — may also be used directly by private individuals. Where we process personal data on behalf of a business customer, in particular content entered into our platform by the business customer or its users, that processing is also governed by the respective data processing agreement with the business customer. In such cases, this privacy policy primarily describes our own data processing activities, such as for the website, contract conclusion, account management, support, billing, and system security.

3. Our role in data protection

Depending on how our services are used, we may have different roles under data protection law. Where we process personal data for our own purposes, we act as controller. This applies in particular to data relating to our website, communications, contract initiation and conclusion, billing, account management, support, system security, administration, and compliance with legal obligations. Where a business customer uses our platform and enters its own content, patient data, assessment content, reports, chat histories, uploaded files, or other data into the platform, we generally process that data on behalf of the business customer. In such cases, the business customer remains responsible for the lawfulness of processing, informing data subjects, defining processing purposes, and handling data subject requests. Details are set out in the respective data processing agreement. Where a private individual uses our chat solution directly, we generally process the data required for that use as controller.

4. Types of personal data

Depending on your relationship with us, we process in particular the following categories of personal data: • Master data, such as name, address, email address, phone number, company, role, language, and other contact details. • Contract and billing data, such as information about the contractual relationship, selected products, terms, invoice data, payment status, and correspondence relating to contract performance. • Account data, such as username, email address, password hash, roles, permissions, organisational unit, login status, and technical settings. • Communication data, such as emails, support requests, feedback, meeting notes, and other communication content. • Technical and security data, such as IP address, timestamps, log files, device and browser information, authentication events, access logs, and error reports. • Usage data, such as information about which features are used, when access occurred, and which technical processes are required to provide, secure, and improve our services. • Content data, where you or a business customer enter, upload, or generate such data in our products. This may include chat content, prompts, uploaded files, transcripts, report drafts, final reports, medical information, assessment content, and other documentation content. Depending on the product and use, content data may also include specially protected personal data, in particular health data. For business customers, such content data is generally processed on behalf of the respective business customer.

5. Purposes of processing

We process personal data in particular for the following purposes: • Providing our website and products. • Initiating, concluding, performing, and terminating contracts. • Setting up and managing user accounts. • Authentication, rights management, and access control. • Providing SaaS functions, including storing, displaying, editing, and processing content on the instructions of the user or business customer. • Operating AI functions where these form part of the respective product. • Support, error analysis, maintenance, and improving technical stability. • Billing, accounting, and compliance with statutory retention obligations. • Ensuring information security, detecting misuse, logging, and traceability of security-relevant events. • Communication with customers, users, prospects, suppliers, and other business partners. • Enforcing and defending legal claims. • Compliance with legal obligations and official orders.

6. Legal bases

We process personal data in accordance with Swiss data protection law. Where the EU General Data Protection Regulation applies, we rely in particular on the following legal bases: • Contract performance or pre-contractual measures where processing is necessary to conclude or perform a contract. • Compliance with legal obligations, in particular in accounting, retention, security, and cooperation with authorities. • Legitimate interests, in particular in the secure, stable, and efficient operation of our website and products, managing business relationships, improving technical infrastructure, preventing misuse, and asserting or defending legal claims. • Consent where we obtain consent in individual cases. For specially protected personal data, in particular health data, processing takes place either on behalf of a business customer, on the basis of consent, for contract performance, to comply with legal obligations, or on another basis permitted under applicable law.

7. Use of our platform by business customers

Our products are predominantly used by business customers. In this case, the business customer provides its authorised users with access to the platform and determines which data is entered, processed, stored, or deleted. The business customer decides in particular on the purpose of processing, permitted users, roles and permissions, content to be processed, informing data subjects, and compliance with any professional confidentiality obligations. We generally process content entered by the business customer or its users only to provide the agreed services, operate the platform technically, provide support, implement security measures, and comply with legal or contractual obligations. Further details on processing on behalf of the business customer are set out in the data processing agreement.

8. Use of our chat solution by private individuals

Where we offer our chat solution directly to private individuals, we process the personal data required for that use as controller. This includes in particular data for registration, authentication, account management, providing the chat function, storing and displaying chat histories, processing entered content, support, billing, system security, and compliance with legal obligations. The user decides what content to enter into the chat solution. Specially protected personal data should only be entered where necessary for the respective purpose and where the data subject is authorised to do so.

9. AI functions and medical responsibility

Our products may include AI functions. These may in particular help structure text, generate drafts, suggest report sections, analyse documents, or support administrative workflows. Our platform supports the administrative creation, structuring, editing, and management of reports and documentation. It is not intended to make diagnoses, treatment decisions, assess medical emergencies, perform triage, or replace the professional judgement of a physician or other qualified specialist. AI-generated content constitutes drafts or suggestions. It must be reviewed, corrected, and approved by the responsible user before further use. Professional responsibility remains with the respective customer, user, or responsible physician. We do not use customer data, patient data, medical content, prompts, uploaded files, transcripts, chat histories, or generated report content to train general AI models, for advertising, for profiling, or for our own medical analyses. We may evaluate technical usage, security, and performance data in aggregated or anonymised form where necessary for security, stability, troubleshooting, and technical development of our products.

10. Cookies, Google Analytics and similar technologies

On our public website, we use cookies and similar technologies to provide the website technically and to analyse use of our website. We use Google Analytics, a web analytics service provided by Google. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics helps us understand how visitors use our website, which pages are accessed, how users arrive at our website, and how we can improve our information offering. Google Analytics may in particular process technical and usage information, such as IP address, device and browser information, approximate location, pages accessed, time and duration of the visit, referrer URL, interactions with the website, and randomly generated identifiers stored in cookies or similar technologies. We do not use Google Analytics to identify you directly, and we do not use Google Analytics to evaluate platform content, patient data, medical content, prompts, chat histories, uploaded files, or generated reports. Google Analytics is used only for the public website, not to analyse in detail the use of our protected platform areas. Where Google Analytics sets cookies or similar technologies, this is done only with your consent where such consent is required under applicable law. You can withdraw or adjust consent given at any time via the cookie settings on our website. Information generated by Google Analytics may be transmitted to Google entities and Google service providers and processed there, in particular in Ireland, other states of the European Economic Area, Switzerland, and the USA. For transmissions to states without an adequate level of data protection, Google relies, according to its own statements, on appropriate safeguards, in particular standard contractual clauses or other applicable transmission mechanisms. Further information on the processing of data by Google can be found in Google's privacy notices and terms.

11. Recipients of personal data

We disclose personal data only where necessary to provide our services, where required by law, where consent has been given, or where another legal basis exists. Recipients may in particular include: • Hosting, cloud, and infrastructure providers. • Providers of AI, speech recognition, language, or other technical services where required for the respective product function. • Email, communication, support, and maintenance providers. • Providers of analytics and cookie management services, in particular Google Analytics, where used on our public website. • Payment, accounting, and administration providers. • Advisers, in particular lawyers, trustees, auditors, and IT security experts. • Authorities, courts, or other public bodies where we are legally obliged or entitled to do so. • Business customers where a user uses the platform within an organisation and the business customer has access to data within its organisation under its roles and permissions concept. Service providers are carefully selected and, where required, contractually bound to confidentiality, data security, and processing in accordance with our instructions.

12. Data location and processing abroad

Productive storage and regular processing of customer data takes place, according to the current product- and customer-specific system configuration, in Switzerland or at a contractually defined data location. Individual products or product components may be operated on different cloud infrastructures. The specific data location and any subprocessors are determined for business customers in the respective contract, the data processing agreement, or separate documentation. Where AI services are used, regular use takes place, according to the current system configuration, via Microsoft Azure services in Switzerland and the EU (Sweden). Productive customer data is not transferred to third countries under the current system configuration. It cannot be ruled out that individual administrative or legally required processes may have a foreign connection, for example in communication with service providers, support cases, billing, legally required disclosures, or use of individual services outside productive platform operation. In such cases, we ensure that legal requirements are met, in particular through adequacy decisions, standard contractual clauses, contractual obligations, technical safeguards, or other appropriate guarantees. For business customers, details on data location, subprocessors, and any foreign connections are generally set out in the data processing agreement or separate documentation. The above information on productive storage and regular processing of customer data concerns our platform and the content processed there. For use of our public website, individual services with a foreign connection may be used, in particular Google Analytics. Such services do not process platform content, patient data, medical content, prompts, chat histories, uploaded files, or generated reports.

13. Retention and deletion

We store personal data only for as long as necessary for the respective purpose, as contractually agreed, or as required by law. Contract, billing, and accounting data are generally stored for the duration of the contractual relationship and thereafter within statutory retention periods, typically up to ten years. Account data are generally stored for as long as the respective user account exists or as required for contract performance, security, traceability, or compliance with legal obligations. Content data on the platform are stored according to the settings, contractual terms, or instructions applicable to the respective product. Unless otherwise agreed, the standard retention period for productive platform content is one year. After the respective retention period expires, data are deleted, anonymised, or marked for deletion. Where data are marked for deletion, complete deletion takes place within a reasonable period according to the technical processes. Backups are used solely to restore system availability after security incidents or technical disruptions and are overwritten or deleted in accordance with the intended backup and deletion processes. Where statutory retention obligations, evidence preservation interests, or legal claims preclude immediate deletion, we restrict further processing to the extent necessary for this purpose.

14. Data security

We implement appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, unauthorised disclosure, alteration, or destruction. These include in particular: • Encrypted transmission via HTTPS/TLS. • Encrypted storage in the database. • Additional encryption of patient data with customer-specific keys. • Role and permission concepts. • Individual user accounts. • Multi-factor authentication for internal access. • Restricting access to authorised personnel. • Logging of access to patient data. • Separation of development, test, demo, and production environments. • Use of synthetic data in development and test environments. • Regular security reviews, audits, and technical controls. • Training and binding of employees with access to personal data. The specific technical and organisational measures may vary depending on the product, customer, and protection requirements. For business customers, further details are generally set out in the TOM and data processing agreement.

15. Confidentiality

Our employees and engaged third parties are bound to confidentiality where they may have access to personal data or confidential information. Access to specially protected personal data, in particular health data, is granted only to persons who need such access for their duties and have been appropriately instructed.

16. Rights of data subjects

Under applicable data protection law, you have in particular the right to request information about the processing of your personal data, to have inaccurate personal data corrected, to request deletion of personal data, to request restriction of processing, to object to processing, to withdraw consent given, and, where applicable, to request disclosure or transfer of certain data. To exercise your rights, contact us using the details in section 1. We may require appropriate proof of your identity to prevent misuse. Where we process personal data on behalf of a business customer, the respective business customer is generally responsible for handling such requests. In such cases, we may forward your request to the business customer or ask you to contact the business customer directly. We support the business customer in accordance with the data processing agreement. If you believe that the processing of your personal data violates data protection law, you may contact the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner.

17. Communication by email

When you communicate with us by email, we process the information you provide to handle your enquiry and maintain the business relationship. Email communication may involve security risks. Please send us highly confidential or specially protected information by email only where necessary or where appropriate safeguards are in place.

18. Changes to this privacy policy

We may amend this privacy policy at any time, in particular when our products, data processing activities, or legal requirements change. The version published on our website applies. For material changes, we may additionally inform registered users or business customers in an appropriate manner.