Privacy policy

This privacy policy informs you about the nature, scope and purpose of the processing of personal data on the kizi.ch platform. It applies to all our services and complies with the Swiss Federal Act on Data Protection (FADP, revised version effective since 1 September 2023) and the Ordinance on Data Protection (DPO).

Data controller:
Sophia Koster
Seestrasse 21
8703 Erlenbach
Switzerland
Email: support@kizi.ch

We process personal data in accordance with Swiss data protection law. We observe the following principles in particular (Art. 6 FADP):

• Lawfulness: personal data is processed lawfully.
• Good faith: processing is carried out in good faith and in a proportionate manner.
• Purpose limitation: data is processed only for the purpose recognisable at the time of collection.
• Transparency: the collection and purpose of processing are recognisable for the data subject.
• Accuracy: we ensure that personal data is accurate.
• Data security: we take appropriate technical and organisational measures to protect your data (Art. 8 FADP).

a) Upon registration

When you register as a parent or provider, we collect:

• First and last name
• Email address
• Password (stored as a cryptographic hash, never in plain text)
• Role (parent or provider)
• For providers additionally: facility name, address, care type, description

b) When using the platform

• Messages between parents and providers (stored on our servers)
• Search queries and favourites
• Profile data and settings

c) Automatically collected data

• IP address (not stored permanently)
• Browser type and version
• Operating system
• Referrer URL
• Page views and usage behaviour (via PostHog, see "Web analytics" section)

We process your data exclusively for the following purposes:

• Provision of the platform: registration, login, profile management
• Matching: connecting parents with suitable childcare services
• Communication: message exchange between users, email notifications
• Improvement: usage analysis to optimise the platform
• Security: protection against misuse and unauthorised access

The processing of your personal data is based on the following legal grounds pursuant to Art. 31 FADP:

• Consent (Art. 31(1) FADP): registration and profile creation are based on your consent.
• Contract performance: processing is necessary for the performance of the user agreement (T&Cs).
• Overriding interest (Art. 31(1) FADP): web analytics and security measures are based on our overriding private interest in improving and securing the platform.

We use PostHog to analyse the usage of our platform. PostHog is self-hosted on a server in Germany (Hetzner, Falkenstein). Your data is therefore not shared with any third parties.

What PostHog records:

• Page views and navigation
• Clicks and interactions (autocapture)
• Scroll depth
• Device information (browser, screen size)
• Approximate location (based on IP address, which is not permanently stored)

What PostHog does NOT record:

• No sharing with advertisers or third parties
• No linking with external profiles
• No permanent storage of IP addresses

PostHog uses cookies and localStorage to recognise returning visitors. Details can be found in our cookie policy.

Opt-out: You can prevent PostHog tracking by enabling the "Do Not Track" setting in your browser or by deleting/blocking PostHog cookies via your browser settings.

Legal basis: overriding private interest in improving and optimising our platform (Art. 31(1) FADP). Under Swiss data protection law, no prior consent is required for analytics cookies.

Our platform uses cookies and similar technologies (localStorage). Detailed information about the individual cookies, their purpose and storage duration can be found in our cookie policy.

Under the Swiss Data Protection Act (FADP), no prior consent is required for analytics cookies in Switzerland. We inform you transparently about the technologies used.

In principle, we do not share your personal data with third parties unless:

• you have given your express consent;
• a legal obligation exists;
• it is necessary for the performance of the user agreement.

Service providers used (data processors):

Service	Purpose	Location
Hetzner Online GmbH	Server hosting (application and database)	Germany
PostHog (self-hosted)	Web analytics	Germany (own server at Hetzner)
Resend Inc.	Transactional emails (registration, notifications)	USA
Google LLC (OAuth)	Login via Google account (optional)	USA

Certain service providers are based in the USA (Resend, Google). Data is transferred abroad only if an adequate level of data protection is ensured (Art. 16 FADP).

For the USA, we rely on the Swiss-U.S. Data Privacy Framework, recognised as adequate by the Federal Council (list of states pursuant to Art. 16(1) FADP, Annex 1 DPO). The companies concerned are certified under this framework.

All other data (PostHog, database) is processed exclusively on servers in Germany and does not leave European territory.

We take appropriate technical and organisational measures to protect your data in accordance with Art. 8 FADP:

• Encryption: all connections are TLS-encrypted (HTTPS).
• Passwords: passwords are cryptographically hashed and never stored in plain text.
• Access control: authentication via tokens with short validity periods.
• Database: PostgreSQL with access restrictions, regular backups.
• Servers: hosted at Hetzner in Germany, regular security updates.

We store your personal data only as long as necessary to fulfil the stated purposes or as required by statutory retention obligations.

• Account data: until the account is deleted by the user.
• Messages: until the account is deleted.
• Analytics data (PostHog): anonymised after 12 months.
• Server logs: maximum 30 days.

Upon expiry of the retention period, data is deleted or anonymised.

We do not make automated individual decisions within the meaning of Art. 21 FADP that would have legal effects or significant impairment for you.

Under the Swiss Data Protection Act, you have the following rights:

• Right of access (Art. 25 FADP): you may request free information on whether and what personal data we process about you.
• Right to rectification (Art. 32(1) FADP): you may request the correction of inaccurate personal data.
• Right to erasure (Art. 32(2)(c) FADP): you may request the deletion of your data, subject to statutory retention obligations.
• Right to data portability (Art. 28 FADP): you may request the release of your personal data in a commonly used electronic format.
• Right to object: you may object to the processing of your data at any time, provided no overriding interest prevents this.

To exercise your rights, please contact us at support@kizi.ch. We will respond to your request within 30 days.

If you believe that the processing of your personal data violates data protection law, you may contact the competent supervisory authority:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern
Switzerland
www.edoeb.admin.ch

We reserve the right to amend this privacy policy at any time to adapt it to changes in the law or changes to our services. The current version is available on this page.

Version: March 2026