Privacy Policy

Last updated: February 8, 2026

This Privacy Policy explains how Firstech AG (“we”, “us”) collects, uses, and shares personal data when your organization uses the Incido platform (“Service”). This Policy applies to business users only.

Firstech AG · Hirschengraben 33, 6003 Luzern, Switzerland · [email protected]

Data We Collect

  • Account Data - Administrator name, email, organization details
  • Usage Data - IP address, browser, pages visited, system logs
  • Payment Data - Processed by Stripe; we do not store card details
  • Cookies - Essential cookies for authentication; Google Analytics collects anonymized usage data (IP addresses are pseudonymized). You may opt out of analytics cookies by adjusting your browser settings or using Google’s opt-out tools.

How We Use Your Data

We process data based on the necessity to provide and maintain the Service and for legal compliance (Swiss FADP Art. 6 and GDPR Art. 6(1)(f)). This includes operating the Service, processing payments, sending system notifications, responding to support requests, monitoring security, and complying with legal obligations.

Data Sharing

We do not sell your data. We share data with:

  • Stripe - payments
  • AWS - hosting and email delivery
  • Google - anonymized analytics
  • Law enforcement - when legally required

All third parties are bound by confidentiality and security obligations.

Data Storage

Data is processed and stored in Sweden (EEA). Transfers outside the EEA follow appropriate safeguards under GDPR and Swiss FADP.

Data Retention

  • Account data is retained while your account is active and up to 12 months after deletion for legal compliance.
  • Logs, usage, and analytics data are retained up to 12 months for security, troubleshooting, and legal compliance, after which they are permanently deleted.
  • Invoice and billing records retain only the minimum identifiers necessary for legal and tax compliance (company name, billing address, VAT number, and transaction references).

Your Rights (GDPR / Swiss FADP)

You may request access, correction, deletion, restriction, or portability of your data, or object to its processing. Contact [email protected] - we respond within 30 days. Requests must come from authorized account administrators.

Security

We use TLS encryption, encryption at rest, role-based access control, and regular security monitoring. No system is 100% secure.

DPA

Our Data Processing Agreement (DPA) governs the processing of personal data on behalf of your organization and is incorporated into the Terms of Service. The DPA is accessible here.

Changes

We may update this Policy. Material changes are posted here with an updated date.

Contact Us

  • By email: [email protected]
  • By mail: Firstech AG, Hirschengraben 33, 6003 Luzern, Switzerland