Privacy Policy

Version 21.05.2024

This privacy policy (as amended from time to time, the "Privacy Policy") describes our policies and procedures on the collection, use, and disclosure of your personal data obtained through your access to and use of the Health Score and/or Risk Engine API ("HS/RE-API"), operated by dacadoo ag, Othmarstrasse 8, CH-8008 Zurich, Switzerland ("dacadoo"). The use of the HS/RE-API is governed by the Terms. dacadoo prepared this Privacy Policy to demonstrate our commitment to privacy and security of your personal data in accordance with our obligations under the applicable laws, rules, and regulations.

By accessing the HS/RE-API or using our services, you, the API user ("API User"), agree to accept and be bound by the current version of this Privacy Policy. In case you do not agree to the current version of this Privacy Policy, you are not authorized to continue accessing the HS/RE-API or using our services.

The HS/RE-API may contain links to websites or materials that are not operated by dacadoo and are not subject to this Privacy Policy, for example Google Analytics. We recommend that you read their policies to protect your personal data.

We may revise this Privacy Policy from time to time. The most current version is always available on our HS/RE-API. The revised Privacy Policy shall become effective from the date of publication on the HS/RE-API. Should these changes be substantial and where required by applicable law, we will provide you with notice (by email or by publication on the HS/RE-API) and/or obtain your consent.

What data we collect and for what purpose:

dacadoo collects the following personal data for product and service-related purposes:

dacadoo receives, reviews, and stores technical data retrieved from the devices you are using to access the HS/RE-API.

How your data is collected

dacadoo collects your personal data as follows:

How we protect your data

We restrict access to your personal data to those dacadoo employees or other parties who need access to such data in order to provide the services. We maintain appropriate physical, electronic, and procedural safeguards to protect your personal data, including firewalls, individual passwords, and encryption, and take all other necessary and adequate administrative, organizational, technical, personal, and physical measures to safeguard the same against unauthorized or unlawful processing and use, accidental loss or destruction or damage, theft, disclosure, or modification and to ensure its integrity.

Please note, however, that dacadoo has no control over the network infrastructure outside of dacadoo, and data transported over an open network, such as the internet or email, may be accessed by third parties (including, for example, a person standing behind you, or the local authorities under certain conditions). We cannot guarantee, and are not responsible for, the confidentiality of any communication or information transmitted via such open networks. When disclosing any data via an open network, you should consider that despite all measures in place such as encryption during transport, it is potentially accessible to others, and consequently, may be collected and used by others without your consent. Your personal data may also be lost during transmission. dacadoo will not accept any liability for direct or indirect losses as regards the security of your personal data and information out of its control, including during its transfer via Internet. dacadoo uses encryption software that may be subject to export control regulations and territorial restrictions.

How your data is shared and data we might receive

To process your personal data, dacadoo might require the services of subcontractors, which need to access directly or indirectly your personal data, our "Sub-Processors", e.g., data hosting providers. We ensure that, when working with Processors, these entities commit to an adequate level of protection and commit not to use your personal data unlawfully. From our side, we will share only the personal data our Processors need to proceed, and nothing more. We are currently working with the following main Processors:

Sub-Processor Sub-Processing Activity Sub-Processor Location
Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg Cloud Infrastructure Provider EU-North-1, US-East-1, Asia Pacific-1 SoutheastAn API User can call HS/RE-API in a certain region and thus determine processing location or call a global endpoint that will typically route to closest HS/RE-API region in terms of network latency. AG, Isisbüelstrasse 2,8800 Thalwil, Switzerland SRE (Infrastructure Operations) Switzerland
Arobs Transilvania Software SA, Str. Donath Nr.11, BL.M4 SC. 2 ET.3 AP 28, Cluj-Napoca, Romania Quality Assurance, Software Development, SRE (Infrastructure Operations), Application Support EU
Atlassian Pty Ltd., L 6 341 George St, 2000 Sydney, Australia Monitoring and Alerting Solution Provider (OpsGenie) TicketingSystem Provider (JIRA) EU (Germany, Ireland)
Ciklum SA, Lavaterstrasse 66, 8002 Zurich, Switzerland Quality Assurance, Software Development, SRE (Infrastructure Operations), Application Support EU
dacadoo APAC Pty Ltd, 1 Margaret St, Sydney NSW 2000, Australia Service delivery/support Australia
dacadoo North Americas Inc., 20 Wellington Street East, Toronto, Ontario M5E 1C5, Canada Service delivery/support Canada
Datadog Inc., Neue Rothofstr 13-19, 60313 Frankfurt, Germany Centralized Logging, Monitoring and Alerting Solution Provider Germany
Gravitational, Inc. (Teleport), 440 N Barranca Ave. #8219, Covina, CA91723. USA Zero trust access EU
Huanga IT Solutions AG, Sägereistrasse 21, 8152 Opfikon, Switzerland SMTP Relay Switzerland
Synchronit GmbH, Blegistrasse 5, 6340 Baar, Switzerland Quality Assurance, Software Development, SRE (Infrastructure Operations), Application Support EU, Uruguay, Argentina
Zitadel, CAOS AG, Lerchenfeldstrasse 3, 9014 St.Gallen, Switzerland Authentication management EU

dacadoo will not sell, rent, or otherwise make available any personal data submitted by users to any third parties without the user’s consent, unless as permitted under this Privacy Policy or required by law. dacadoo may use personal data to contact users with respect to all matters related to the user’s activity on the HS/RE-API, including but not limited to sending informative e-mails and reminders.

Cookies and similar technologies

The web app to our HS/RE-API uses one strictly necessary cookie only, called access_token.

How long your data is stored

We store your personal data for as long as you have not opted-out. We reserve the right to keep data to the extent we reasonably believe it is necessary to satisfy any applicable law or regulation, and/or according to security and privacy industry practices.

Where your data is stored

Your personal data is stored through a secure cloud provider as described below. If, for any reason, dacadoo will need to transfer any of your personal data to any country without adequate level of data protection as decided by the European Commission, dacadoo will procure that appropriate contractual obligations apply in line with relevant data protection laws (such as EU standard contractual clauses).

Legal basis for data processing

dacadoo relies on the following legal basis for processing your personal data:

Your data protection rights

dacadoo would like to make sure you are fully aware of all of your data protection rights as follows:

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us via email at:

Disclosure of data

We reserve the right to disclose your data to the extent we reasonably believe it is necessary to (i) satisfy any applicable law, regulation, legal process or governmental request, (ii) enforce the Terms, including investigations of a potential violation thereof, (iii) detect, prevent or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or to (v) protect the rights, property or safety of dacadoo, its users and the public.

How to contact dacadoo or the appropriate authority

If you have any questions about dacadoo’s Privacy Policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us at:

dacadoo ag
Othmarstrasse 8
CH-8008 Zurich

For EU residents a contact in the EU has been established at:

Ganghoferstrasse 33
80339 Munich

For UK residents a contact in the UK has been established at:

MLL Meyerlustenberger Lachenal Froriep LLP
17 Godliman St
London EC4V 5BD
United Kingdom

You also have the right to contact the data protection supervisory authority in your country of residence.