CRMPosition Privacy Policy

1. Introduction

CRMPosition ("we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, process, and safeguard your information when you visit our website [https://crmposition.ch/], use our services, or interact with us.

We provide strategic Artificial Intelligence (AI) consulting services tailored for Customer Relationship Management (CRM) applications, primarily targeting small and medium-sized enterprises (PYMEs/KMU/SMEs) and specialized divisions within larger corporations globally.

We adhere to applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the Swiss Federal Act on Data Protection (nLPD/revDSG), and other relevant global privacy standards.

2. Scope of this Policy

This policy applies to personal data collected through:

• Our website and online platforms.
• Our provision of consulting services to clients.
• Our marketing and business development activities.
• Our interactions with prospective clients, partners, and suppliers.
• Personal data processed on behalf of our clients in the course of providing our services (where we act as a Data Processor).

3. Information We Collect

We may collect different types of personal data depending on your interaction with us:

• Website Visitors: IP address, browser type, operating system, referring URLs, pages visited, time spent on pages, location data (if enabled), cookie data (see Section 13), and any information you voluntarily provide through contact forms or chatbots (e.g., name, email address, company, inquiry details).
• Clients and Prospective Clients: Contact details (name, job title, company name, email address, phone number, business address), communication records, billing and payment information (processed securely via third-party payment processors), information provided during consultations and project delivery.
• Data Processed on Behalf of Clients (as Data Processor): In the course of providing our AI and CRM consulting services, we may access or process personal data contained within our clients' CRM systems or datasets. This data belongs to our clients (who are the Data Controllers), and we process it strictly according to their instructions and the terms of our Data Processing Agreement (DPA). The types of data processed depend entirely on the client's CRM and the scope of the project, but could potentially include customer names, contact details, purchase history, communication logs, etc. We do not control this data.

4. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide and Manage Services: Delivering consulting services, managing client projects, providing support, processing payments, and fulfilling contractual obligations.
• To Communicate: Responding to inquiries, sending service-related information, providing updates, and managing client relationships.
• For Marketing and Business Development: Sending relevant marketing communications (with your consent where required), informing you about services or events we believe may interest you, and understanding market trends. You can opt-out at any time.
• To Improve Our Website and Services: Analyzing website usage (using aggregated or anonymized data where possible), improving user experience, and enhancing our service offerings.
• For Security and Compliance: Protecting against fraud and security threats, complying with legal obligations, enforcing our terms, and defending our legal rights.
• AI Development (Internal): We may use anonymized or aggregated data derived from projects to improve our internal methodologies or AI tools. We will never use identifiable client personal data for general AI model training without explicit, specific consent and appropriate contractual safeguards.

5. Legal Basis for Processing (GDPR/UK GDPR)

We process personal data based on the following legal grounds:

• Consent: Where you have given explicit consent for specific processing activities (e.g., marketing emails, non-essential cookies).
• Contractual Necessity: To perform our contractual obligations to you (e.g., providing consulting services as per our agreement).
• Legal Obligation: To comply with applicable laws and regulations (e.g., financial record-keeping, responding to legal requests).
• Legitimate Interests: For purposes such as improving our services, website security, internal operational efficiency (including the use of AI tools as described in Section 11), and business development, provided these interests are not overridden by your data protection rights.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

• With Service Providers (Subprocessors): We may engage third-party companies or individuals to perform services on our behalf or assist our internal operations. This includes payment processors, cloud hosting providers, IT support, secure communication tools, and providers of AI tools used internally for enhancing service delivery efficiency and quality (such as OpenAI for ChatGPT and Google for Gemini/Notebook). These subprocessors are contractually obligated (or bound by their terms of service regarding business use) to protect data input into their systems and process it only according to our instructions or for the purpose of providing their service to us. We take care to minimize the input of identifiable personal data into such tools and prioritize using them with anonymized or generalized information where possible. A list of key subprocessors can be provided upon request.
• With Clients (Regarding Data Processed on Their Behalf): We process client data based on their instructions as outlined in the DPA.
• For Legal Reasons: If required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of CRMPosition, our clients, or others.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction, subject to standard confidentiality agreements.
• With Your Consent: We may share data with other third parties if we have your explicit consent to do so.

7. International Data Transfers

As a global consultancy, we may transfer personal data across borders. We operate from Switzerland and target clients globally. When transferring personal data outside its originating jurisdiction (e.g., transferring EU data outside the EU/EEA, including to service providers like OpenAI or Google based in the US), we ensure appropriate safeguards are in place:

• Adequacy Decisions: Transferring data to countries deemed to provide an adequate level of data protection by relevant authorities (e.g., EU Commission adequacy decisions for Switzerland and the UK; the EU-US Data Privacy Framework for certified US companies).
• Standard Contractual Clauses (SCCs): Using approved contractual clauses (e.g., EU SCCs, UK International Data Transfer Agreement) for transfers to countries without an adequacy decision or where the recipient is not certified under a relevant framework.
• Other Legal Mechanisms: Relying on other permitted transfer mechanisms under applicable law.

We ensure that any data transferred internationally receives a level of protection consistent with this policy and applicable laws.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption of data where appropriate.
• Access controls and authentication mechanisms.
• Regular security assessments and updates.
• Secure data storage solutions.
• Confidentiality agreements with employees and contractors.
• Data Processing Agreements or review of robust provider terms for subprocessors.
• Training and awareness regarding secure handling of data, especially when using third-party tools.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for satisfying any legal, accounting, or reporting requirements, or as necessary to resolve disputes.

• Client Data (Our Records): Retained for the duration of the client relationship plus a period afterward as required by law (e.g., financial records) or for legitimate business purposes.
• Data Processed for Clients (Processor Role): Retained according to the client's instructions as specified in the DPA, typically deleted or returned upon termination of the service agreement.
• Website/Marketing Data: Retained for as long as relevant for the purpose (e.g., until you unsubscribe from marketing lists).
• Data Input into Internal AI Tools: Transient data input for specific tasks is generally not retained long-term within the tools beyond what is necessary for session management or as per the tool provider's standard terms for business users (which typically preclude use for model training).

10. Your Data Protection Rights

Depending on your location and applicable law (particularly GDPR, UK GDPR, PDPA, nLPD), you may have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ('Right to be Forgotten'): Request deletion of your data under certain conditions.
• Right to Restrict Processing: Request limitation of how we process your data under certain conditions.
• Right to Data Portability: Request transfer of your data to another organization in a structured, commonly used format (where processing is based on consent or contract).
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making: Rights concerning decisions made solely by automated means, including profiling (see Section 11).
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Right to Lodge a Complaint: Lodge a complaint with your local data protection authority.

To exercise these rights, please contact us using the details in Section 16. We will respond to your request in accordance with applicable law.

11. AI and Automated Decision-Making

As an AI consultancy, we are mindful of the implications of AI.

• Our Use of AI: To provide our services efficiently, maintain high quality, and offer competitive pricing, we utilize certain AI-powered tools internally. This includes tools like ChatGPT (provided by OpenAI) and Gemini/Notebook (provided by Google AI) for tasks such as research assistance, drafting documents (like reports or proposals), analyzing trends, generating code snippets (for illustrative purposes), and enhancing internal productivity. We use these tools responsibly, primarily with non-sensitive or anonymized information where possible. Any input of potentially sensitive or client-related information is done cautiously and in adherence to the security and confidentiality terms provided by these tool providers for their business or enterprise offerings. When providing services, we advise clients on strategic AI implementation.
• Client Data and AI: When processing client data for AI-related projects (e.g., feasibility studies, data readiness assessments), we do so strictly as a Data Processor under the client's instruction and DPA. We advise clients on responsible AI principles, including fairness, transparency, accountability, and bias mitigation.
• Automated Decision-Making: We generally do not use automated decision-making processes that produce legal effects or similarly significantly affect individuals based on data we control. If our clients implement such systems based on our advice, they remain the Data Controller responsible for compliance, including providing transparency and respecting individuals' rights regarding automated decisions.

12. Client Data Processing (Our Role as Data Processor)

When we process personal data solely on behalf of our clients as part of our consulting services, CRMPosition acts as a Data Processor. The client acts as the Data Controller. Our processing activities are governed by a formal Data Processing Agreement (DPA) with the client, which outlines:

• The subject matter, duration, nature, and purpose of the processing.
• The types of personal data and categories of data subjects involved.
• Our obligations regarding confidentiality, security, subprocessing (including notification and consent procedures if applicable), data subject rights assistance, audits, and data deletion/return.
• That we will only process data based on the documented instructions of the client (Data Controller).

Individuals whose data is processed within a client's CRM system should direct any data protection inquiries or rights requests to the respective client (the Data Controller).

13. Cookies and Tracking Technologies

Our website may use cookies and similar technologies (e.g., web beacons, pixels) to enhance user experience, analyze traffic, and personalize content. We distinguish between essential cookies (necessary for website function) and non-essential cookies (e.g., for analytics, marketing). We request your consent for non-essential cookies where required by law. You can manage your cookie preferences through your browser settings or our website's cookie consent tool.

14. Children's Privacy

Our services and website are not directed at individuals under the age of 16 (or the relevant age of digital consent in specific jurisdictions). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will take steps to delete it.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will post the updated policy on our website and indicate the "Last Updated" date. We encourage you to review this policy periodically. For significant changes, we may provide more prominent notice (e.g., email notification).

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at: