Guard.ch Logo

Privacy Policy

Last Updated: November 14, 2025

Effective Date: November 14, 2025

1. Introduction

Guard.ch is a privacy-focused virtual machine management platform ("we," "us," or "our"). For our full legal information, please see our Imprint. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our services in accordance with the Swiss Federal Act on Data Protection (FADP/revDSG).

Our Privacy Commitment: We are dedicated to protecting your privacy. We do not monitor the content of your virtual machines and completely delete all VM data after use. We only maintain standard operational logs necessary for service delivery and security.

2. Data Controller

Guard.ch is the data controller for your personal data. For our full legal information and registered address, please see our Imprint.

For privacy-related inquiries, please contact us at: support@guard.ch

3. Personal Data We Collect

We collect and process only the personal data necessary to provide our services:

3.1 Account and Authentication Data

  • Email address: For account creation, authentication, and service communications
  • First and last name: For personalization (optional)
  • OAuth credentials: When you authenticate via Google or Microsoft, we receive your email and basic profile information
  • Passkey/WebAuthn credentials: Public keys and metadata for passwordless authentication (if used)
  • Team/organization information: Name and logo for team accounts (optional)

3.2 Payment and Billing Data

  • Billing email address: For invoice delivery
  • Stripe customer ID: Generated by our payment processor Stripe
  • Payment transactions: Processed exclusively by Stripe; we do not store credit card numbers or payment details

Note: All payment processing is handled by Stripe, Inc. (USA). Stripe's privacy policy applies to payment data: https://stripe.com/privacy

3.3 Technical and Usage Data

  • Session data: Session IDs, creation timestamps, last access times, IP addresses, and browser user agent strings for authentication and security
  • VM metadata: Virtual machine IDs, creation times, image selection, server assignment, and usage duration (we do NOT access or monitor content within your VMs)
  • Access logs: Server access logs including IP addresses, timestamps, and requested URLs for security and service operation (retained by Axiom for 30 days)
  • Analytics data: Website usage statistics, page views, browser type, device information, and referral sources collected via Google Analytics
  • API keys: Bearer tokens for programmatic access (if created)

3.4 Communication Data

  • Support inquiries: Messages and attachments you send us for customer support
  • Newsletter preferences: Your opt-in/opt-out status for marketing communications

4. Cookies and Tracking Technologies

We use cookies for essential service functionality, analytics, and advertising:

4.1 Essential Cookies (Required)

  • Session cookies: To keep you logged in and maintain your authentication state
  • Authentication tokens: To validate your session across requests

These cookies are strictly necessary for the service to function. You cannot opt out of essential cookies and still use Guard.ch.

4.2 Analytics Cookies (Optional)

  • Google Analytics cookies: To understand how visitors use our website, track page views, session duration, and user behavior patterns
  • Purpose: Website improvement, performance optimization, and understanding user needs
  • Data collected: IP address (anonymized), browser type, device information, pages visited, time on site, referral source
  • Retention: Data is retained according to Google Analytics' retention policies
  • Opt-out: You can opt out of Google Analytics tracking by using browser extensions like Google Analytics Opt-out Browser Add-on or by enabling "Do Not Track" in your browser settings

4.3 Advertising and Marketing Cookies (Optional)

  • Playwire advertising cookies: Used to deliver relevant advertisements and measure ad performance
  • Purpose: Display advertisements, frequency capping, ad personalization, and advertising analytics
  • Data collected: IP address, browser type, device information, ad interaction data, browsing behavior
  • Third-party access: Playwire and its advertising partners may access this data
  • Opt-out: You can manage your advertising preferences through Playwire's privacy settings or use browser privacy tools to block third-party cookies

4.4 Cookie Consent and Management

Your Choices:

  • Essential cookies: Cannot be disabled (required for service operation)
  • Analytics and advertising cookies: You can manage these through your browser settings or cookie consent preferences

Managing Cookies: You can control cookies through:

  • Your browser settings (most browsers allow you to refuse cookies or delete existing ones)
  • Cookie consent banner when you first visit Guard.ch
  • Privacy-focused browser extensions (e.g., Privacy Badger, uBlock Origin)
  • Platform-specific opt-out tools (Google Analytics Opt-out, Playwire privacy settings)

Note: Disabling essential cookies will prevent you from logging in and using Guard.ch services.

4.5 Cookie Lifespan

  • Session cookies: Deleted when you close your browser
  • Persistent cookies: Remain on your device for a set period (typically 30-365 days depending on the cookie type)
  • Third-party cookies: Managed by third parties according to their own retention policies

5. How We Use Your Personal Data

We process your personal data for the following purposes, based on the legal grounds indicated:

5.1 Service Provision (Contract Performance)

  • Creating, managing, and operating your virtual machines
  • Authenticating your access and maintaining your account
  • Processing your commands and configurations
  • Providing technical support

5.2 Billing and Payment (Contract Performance)

  • Processing payments through Stripe
  • Generating and sending invoices
  • Managing subscriptions and usage-based billing

5.3 Security and Fraud Prevention (Legitimate Interest)

  • Detecting and preventing unauthorized access
  • Monitoring for security threats and abuse
  • Enforcing our Terms of Service
  • Maintaining server security logs

5.4 Legal Compliance (Legal Obligation)

  • Complying with Swiss tax and accounting requirements
  • Responding to valid legal requests from authorities
  • Fulfilling data retention obligations

5.5 Service Improvement (Legitimate Interest)

  • Analyzing aggregate usage patterns to improve platform performance
  • Developing new features based on user needs
  • Troubleshooting technical issues

5.6 Communications (Consent / Legitimate Interest)

  • Sending essential service notifications (legitimate interest)
  • Sending newsletters and product updates (consent - opt-in only)

5.7 Advertising and Analytics (Consent / Legitimate Interest)

  • Displaying relevant advertisements via Playwire (consent - via cookie consent)
  • Analyzing website usage patterns via Google Analytics (legitimate interest)
  • Measuring advertising effectiveness and user engagement
  • Understanding user demographics and preferences to improve our service
  • Optimizing website performance and user experience

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

6.1 Service Providers (Subprocessors)

We engage the following third-party service providers to help us deliver our services:

Stripe, Inc. (USA)

  • Purpose: Payment processing
  • Data shared: Email, billing information, payment transaction data
  • Legal basis: Contract performance
  • Safeguards: EU-US Data Privacy Framework, standard contractual clauses
  • Privacy policy: https://stripe.com/privacy

Hetzner Online GmbH (Germany/Finland)

  • Purpose: Infrastructure hosting and data storage (Helsinki data center)
  • Data shared: All service data, including account information, VM metadata, and operational data
  • Location: Helsinki, Finland (EU)
  • Legal basis: Contract performance
  • Safeguards: GDPR compliance (EU-based provider)
  • Privacy policy: https://www.hetzner.com/legal/privacy-policy

OVH US LLC (USA)

  • Purpose: Infrastructure hosting for US customer VM sessions (Hillsboro, Oregon data center)
  • Data shared: VM session data for US-region customers only (no persistent data storage)
  • Location: Hillsboro, Oregon, USA
  • Legal basis: Contract performance
  • Safeguards: Standard contractual clauses, EU-US Data Privacy Framework
  • Privacy policy: https://us.ovhcloud.com/support/privacy-policy/
  • Important note: All customer data is stored exclusively in Hetzner Helsinki (Finland). OVH is used only for running VM sessions for US customers; no persistent data is stored on OVH infrastructure.

Cloudflare, Inc. (USA)

  • Purpose: DNS services, CDN, and DDoS protection
  • Data shared: IP addresses, DNS queries, HTTP request metadata
  • Legal basis: Legitimate interest (service security and performance)
  • Safeguards: EU-US Data Privacy Framework
  • Privacy policy: https://www.cloudflare.com/privacypolicy/

Google LLC (USA)

  • Purpose: OAuth authentication (optional) and website analytics (Google Analytics)
  • Data shared:
    • OAuth: Email and basic profile data (when you choose to use Google OAuth)
    • Analytics: Website usage data, anonymized IP addresses, browser/device information, page views
  • Legal basis: Consent (OAuth), Legitimate interest (Analytics)
  • Safeguards: EU-US Data Privacy Framework
  • Privacy policy: https://policies.google.com/privacy
  • Analytics opt-out: https://tools.google.com/dlpage/gaoptout

Microsoft Corporation (USA)

  • Purpose: OAuth authentication (optional)
  • Data shared: Email and basic profile data (when you choose to use Microsoft OAuth)
  • Legal basis: Consent
  • Safeguards: EU-US Data Privacy Framework
  • Privacy policy: https://privacy.microsoft.com

Axiom, Inc. (USA)

  • Purpose: Log aggregation and monitoring
  • Data shared: Server access logs, application logs, error logs (including IP addresses, timestamps, request URLs)
  • Retention: 30 days
  • Legal basis: Legitimate interest (security monitoring and operational troubleshooting)
  • Safeguards: Standard contractual clauses
  • Privacy policy: https://axiom.co/legal/privacy

Playwire LLC (USA)

  • Purpose: Advertising services and ad delivery
  • Data shared: IP addresses, browser/device information, ad interaction data, browsing behavior on Guard.ch
  • Legal basis: Consent (via cookie consent)
  • Safeguards: Standard contractual clauses
  • Privacy policy: https://www.playwire.com/privacy-policy
  • Opt-out: You can manage advertising preferences through browser settings or Playwire's opt-out mechanisms

6.2 Legal Requirements

We may disclose your data if required by Swiss law or valid legal process, including:

  • Court orders or subpoenas
  • Law enforcement requests (after legal review)
  • Protection of our legal rights or safety of others

6.3 Business Transfers

If Guard.ch is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice and ensure the acquirer adheres to this Privacy Policy or obtain your consent for material changes.

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

7.1 Retention Periods

  • Account data: Retained while your account is active
  • Session data: API keys retained per configured expiration (default 90 days); browser sessions expire after 7 days of inactivity
  • VM data: Completely deleted immediately upon VM termination (we maintain a strict privacy-by-design approach)
  • Access logs: Retained for 30 days in Axiom for security monitoring and troubleshooting
  • Analytics data: Retained according to Google Analytics retention settings (typically 14-50 months, configurable)
  • Advertising data: Retained according to Playwire's retention policies
  • Billing records: Retained for 10 years to comply with Swiss tax and accounting law (Swiss Code of Obligations Art. 958f)
  • Support communications: Retained for 3 years

7.2 Account Deletion

When you delete your account:

  • All personal data is permanently deleted within 30 days, except where required by law
  • All active VMs are immediately terminated and their data is irreversibly deleted
  • Billing records are retained for legal compliance (10 years)

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

8.1 Technical Measures

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: Encrypted storage for sensitive data
  • VM isolation: Complete network and storage isolation between VMs using Kubernetes (K3S) and KVM/libvirt
  • Access controls: Role-based access with multi-factor authentication options
  • Secure authentication: WebAuthn/passkey support, OAuth 2.0

8.2 Organizational Measures

  • Regular security assessments and updates
  • Employee access restricted on need-to-know basis
  • Incident response procedures
  • Regular backups with encryption

8.3 VM Content Privacy

Important: We do not and cannot access the content of your virtual machines. VMs are completely isolated, and we have no technical capability to monitor what applications you run or what data you process within your VMs.

9. Your Rights Under Swiss Data Protection Law

Under the Swiss Federal Act on Data Protection (FADP), you have the following rights:

9.1 Right of Access

You may request:

  • Confirmation of whether we process your personal data
  • Access to your personal data
  • Information about processing purposes, categories, recipients, and retention periods
  • A copy of your data in a structured, commonly used format (data portability)

9.2 Right to Rectification

You may request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure

You may request deletion of your personal data when:

  • It is no longer necessary for the purposes collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing (where based on legitimate interest)
  • The data was unlawfully processed

Exceptions: We may retain data where required by Swiss law (e.g., tax records).

9.4 Right to Object

You may object to:

  • Processing based on legitimate interest (including profiling)
  • Direct marketing communications (opt-out)

9.5 Right to Restrict Processing

You may request restriction when:

  • You contest the accuracy of data (during verification)
  • Processing is unlawful but you prefer restriction to deletion
  • We no longer need the data but you need it for legal claims

9.6 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

9.7 Exercising Your Rights

To exercise these rights, please contact us at: support@guard.ch

We will respond within 30 days. We may request identity verification to protect your data.

10. International Data Transfers

10.1 Primary Data Storage Location

All customer data is primarily stored in the European Union at Hetzner's Helsinki data center in Finland, which benefits from GDPR protections.

10.2 Data Transfers to Third Countries

Some of your personal data may be transferred to the United States and other countries for specific purposes:

Transfers to the United States:

  • Stripe, Inc.: Payment processing (EU-US Data Privacy Framework certified)
  • Cloudflare, Inc.: DNS and DDoS protection (EU-US Data Privacy Framework certified)
  • Google LLC: OAuth authentication and analytics (EU-US Data Privacy Framework certified)
  • Microsoft Corporation: OAuth authentication (EU-US Data Privacy Framework certified)
  • Axiom, Inc.: Log management (standard contractual clauses)
  • Playwire LLC: Advertising services (standard contractual clauses)
  • OVH US LLC: VM session hosting for US customers only (standard contractual clauses, EU-US Data Privacy Framework)

Important Notes:

  • No persistent data is stored in the United States. OVH US is used only for running VM sessions for US-region customers; all customer account data and metadata remain in Finland.
  • VM content is never transferred to third parties and is completely deleted after use.

10.3 Transfer Safeguards

For transfers to countries without an adequate level of data protection recognized by Switzerland and the EU, we ensure appropriate safeguards through:

  • EU-US Data Privacy Framework: For US companies certified under the framework (Stripe, Cloudflare, Google, Microsoft, OVH)
  • Standard Contractual Clauses (SCCs): Approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the European Commission
  • Contractual commitments: Data processing agreements with all service providers imposing strict security and confidentiality obligations
  • Technical measures: Encryption in transit and at rest for all data transfers

10.4 Your Rights Regarding International Transfers

You have the right to:

  • Request information about the safeguards we use for international data transfers
  • Object to transfers in certain circumstances
  • Request a copy of the standard contractual clauses we use

To exercise these rights, contact us at: support@guard.ch

11. Children's Privacy

Guard.ch is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete such information.

12. Data Breach Notification

In the event of a data breach that poses a high risk to your rights and freedoms, we will:

  • Notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) without undue delay
  • Notify affected individuals promptly (within 72 hours when feasible)
  • Provide information about the nature of the breach and measures taken

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

14. Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date
  • Sending email notification to your account email (for significant changes)
  • Displaying a prominent notice on our platform

Your continued use after changes become effective constitutes acceptance. If you do not agree, please discontinue use and contact us to delete your account.

16. Contact and Complaints

16.1 Contact Information

For questions, requests, or complaints regarding this Privacy Policy or our data processing practices:

Email: support@guard.ch

Postal Address: See our Imprint for full contact details.

16.2 Right to Lodge a Complaint

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Swiss supervisory authority:

Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1 3003 Bern Switzerland Website: https://www.edoeb.admin.ch Email: info@edoeb.admin.ch

17. Privacy by Design and Default

Guard.ch is built with privacy as a core principle:

  • Minimal data collection: We collect only what is necessary
  • VM content privacy: Zero access to your VM content by design
  • Complete deletion: All VM data is irreversibly deleted after use
  • No tracking: No analytics or marketing cookies
  • Secure defaults: Strong security settings enabled by default

18. Record of Processing Activities

We maintain an internal record of processing activities as required by Art. 12 FADP, documenting:

  • Processing purposes and legal bases
  • Categories of data subjects and personal data
  • Recipients and international transfers
  • Retention periods and security measures

This record is available to the FDPIC upon request.

Governing Law: This Privacy Policy is governed by Swiss law. The exclusive place of jurisdiction for any disputes is Schmiedrued, Switzerland.

Language: This Privacy Policy is provided in English. In case of conflicts with translations, the English version prevails.

By using Guard.ch, you acknowledge that you have read and understood this Privacy Policy.