Privacy Policy

This Privacy Policy explains how Zation AG processes personal data across our public services — including zation.io, docs.zation.io, and the Zation FinOps Platform.

It covers data we process as a controller — meaning data we collect for our own purposes, such as visiting our website or contacting us. Customer content processed on behalf of our customers in the Platform is covered by the DPA and the Security & Trust statement.

Controller

Zation AG Suurstoffi 18b CH-6343 Rotkreuz Switzerland

Contact for privacy matters: info@zation.io

What we process and why

When you visit our websites (zation.io, docs.zation.io)

We process IP address, user-agent, requested URL, and timestamp in our server logs. Purpose: operate and secure the site, troubleshoot, detect abuse. Legal basis: legitimate interest (Art. 31 para. 2 lit. c revDSG).

When you contact us by email

We process your email address, name, and the content of your message. Purpose: reply to your enquiry and follow up if needed. Legal basis: pre-contractual or contractual (Art. 31 para. 2 lit. a revDSG).

We process identity data from your Microsoft Entra ID account (email, name, tenant). Purpose: authenticate and authorize you. Legal basis: contract with your organization.

When you use the Platform

We record your actions in the Platform — including security-relevant actions such as scheduling or approving optimisations — per user in the audit trail (see Security & Trust). Purpose: security, accountability, compliance, and incident investigation. Legal basis: legitimate interest and legal obligation.

What we do not do

No third-party analytics. We do not use Google Analytics, Matomo, Plausible, HubSpot tracking, or similar tools on any of our public properties.
No advertising cookies. We do not run advertising on our sites.
No data sale. We never sell personal data.

Cookies

Our sites use only strictly necessary cookies required for operation — for example, to keep you signed in on the Platform or on the protected sections of our docs. We do not use marketing or analytics cookies.

A separate, more detailed Cookie Statement will be published as part of this Privacy Policy when relevant. Until then, the section above describes our full cookie use.

Data retention

Server logs are retained for a limited period (typically 90 days) and then deleted automatically. They are part of our audit trail and may be retained longer where required to investigate a security incident.
Email correspondence is retained as long as needed to handle your request and to comply with legal retention obligations under Swiss law (typically up to 10 years for business records).
Platform-related personal data follows the retention rules in the DPA.

Recipients of personal data

Personal data we process is generally not shared with third parties, except:

with our sub-processors that operate parts of our infrastructure (see Sub-Processors)
where required by Swiss law, court order, or competent authority
with professional advisors (legal, tax, audit) under confidentiality

Data location

All personal data we process as a controller is stored and processed within Switzerland or the EEA, primarily on Microsoft Azure (Switzerland North). Limited operational metadata from identity services may be processed in the EEA under appropriate safeguards.

We do not transfer personal data to countries outside Switzerland or the EEA, except under the conditions described in our Sub-Processors statement (e.g. standard contractual clauses where applicable).

Your rights

Under the Swiss Federal Act on Data Protection (revDSG) and, where applicable, the EU GDPR, you have the right to:

request access to the personal data we hold about you
ask for correction of inaccurate data
request deletion of your data, subject to legal retention obligations
request restriction of processing
object to processing based on our legitimate interest
receive your data in a portable format, where technically feasible
withdraw consent, where processing is based on consent

To exercise any of these rights, contact info@zation.io. We respond within 30 days. We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.

Security

How we technically and organizationally protect personal data is described in our Security & Trust statement. In short: encryption in transit and at rest, strict access controls, audit logging, and Swiss data residency.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version is always available at this URL. Material changes will be communicated on our website and, where appropriate, by email.

Last updated: June 27, 2026

Controller​

What we process and why​

When you visit our websites (zation.io, docs.zation.io)​

When you contact us by email​

When you sign in to the Platform​

When you use the Platform​

What we do not do​

Cookies​

Data retention​

Recipients of personal data​

Data location​

Your rights​

Security​

Changes to this Privacy Policy​