Privacy by design.

We are validant.ai, a Swiss-based digital trust company. This notice tells you, in clear terms, what personal data we process about you, why, on what legal basis, with whom we share it, and the rights you have. The detail follows; this section gives you the picture in thirty seconds.

• We collect only the data we need to run validant.ai, the platform at platform.validant.ai, and our advisory and audit engagements. Data minimisation is part of our design, not an afterthought.
• We do not sell your personal data. We do not use your data to train third-party AI models without an explicit, informed legal basis and we will not do so silently.
• We rely on privacy-by-design (GDPR Art. 25), pseudonymisation where useful, encryption in transit and at rest, role-based access, and documented data processing agreements with every processor.
• You can exercise your rights (access, rectification, erasure, portability, objection, restriction, withdrawal of consent) at any time by writing to privacy [at] validant [dot] ai. We answer within 30 days, usually much faster.

The rest of this notice satisfies our information duties under GDPR Articles 13 and 14, the revised Swiss Federal Act on Data Protection (revFADP, in force since 1 Sept 2023), the ePrivacy Directive as transposed in EU/EEA member states, and the transparency duties of the EU AI Act (Regulation 2024/1689) where they apply to our platform.

The controller responsible for the processing of your personal data through this website, our platform at platform.validant.ai, and our commercial engagements is:

Glinz & Company GmbH (operating the validant.ai brand)
Zollikerstrasse 98
8702 Zollikon, Switzerland
UID: CHE-193.569.920
Email: privacy [at] validant [dot] ai
General contact: hello [at] validant [dot] ai

EU representative

Where the GDPR applies to our processing of data subjects located in the EU/EEA and an appointment under GDPR Art. 27 is required, we will appoint an EU representative and publish their contact details here. Until then, please reach our Swiss office at the address above.

Data protection contact

For all data protection matters you can reach us at privacy [at] validant [dot] ai. Where appointing a formal Data Protection Officer becomes mandatory under GDPR Art. 37 or Art. 10 revFADP, we will appoint one and publish their contact details here.

We deliberately work with categories. We avoid collecting categories of data we do not need. The following table sets out the personal data we actually process and why.

We do not process special categories of personal data (GDPR Art. 9 / revFADP Art. 5(c)) such as health, biometric or political data, unless you intentionally provide them in the context of a specific engagement and we have a documented legal basis. Where we do, we apply heightened controls (separate access, additional logging, minimum-necessary retention).

We process personal data only for the purposes set out below, and only on the legal bases shown. We do not silently extend a purpose.

Running this website and the platform (Art. 6(1)(b) and 6(1)(f) GDPR)

Necessary to deliver the service you requested and our legitimate interest in operating a secure, performant platform. Strictly necessary cookies and security telemetry fall here.

Replying to enquiries and pre-contract steps (Art. 6(1)(b) GDPR)

When you contact us, request a demo or sign an engagement letter we process the information needed to act on your request.

Delivering paid engagements (Art. 6(1)(b) GDPR; Art. 28 GDPR where we are processor)

Where you upload data into the platform or share it for an audit, we act as your processor under a written data processing agreement. We process the data on your documented instructions, do not use it for our own purposes, and apply the technical and organisational measures listed in our DPA.

Legal and regulatory compliance (Art. 6(1)(c) GDPR)

Bookkeeping, tax, sanctions screening, anti-money laundering where applicable, and responding to mandatory legal requests.

Security and fraud prevention (Art. 6(1)(f) GDPR)

Our legitimate interest in protecting users, the platform and our infrastructure.

Marketing communications (Art. 6(1)(a) and 6(1)(f) GDPR)

We send service updates and editorial content only with your consent or where you are an existing customer and have not objected (soft opt-in where permitted). Every email contains a one-click unsubscribe.

Improving our services (Art. 6(1)(a) and 6(1)(f) GDPR)

Aggregated, pseudonymised product and content analytics via Google Analytics 4: only with your cookie consent (Art. 6(1)(a)); the Google tag is not loaded until you opt in. Separately, we use Cloudflare Web Analytics, which is cookieless, stores nothing on your device and builds no profile of you; it runs for all visitors on the basis of our legitimate interest in basic traffic measurement (Art. 6(1)(f)). We also keep a pseudonymous record of your cookie-consent decision to demonstrate compliance (Art. 7(1)). See the cookie policy.

validant.ai builds and operates systems for digital trust, fairness audits and signed agent mandates. Because of what we do, we hold ourselves to a higher transparency bar than the law minimally requires.

No automated decisions with legal effect

We do not make decisions that produce legal effects concerning you, or similarly significantly affect you, solely on the basis of automated processing (GDPR Art. 22). Our audit findings and platform outputs are advisory; a human is always in the loop for decisions about a person.

EU AI Act transparency (Art. 50 Regulation 2024/1689)

Where any feature of our platform involves an AI system that interacts with a natural person, we make this clear before the interaction begins. Where outputs are synthetic (generated text, images, audio), they are labelled as such in machine-readable form.

Use of your data to train models

We do not use customer content, uploaded audit data or platform logs to train general-purpose foundation models, and we do not knowingly feed your data into third-party model providers' training pipelines. Where we improve our own narrowly scoped models, we only do so on data you have explicitly licensed for that purpose. Our current AI subprocessors and the contractual basis on which we use them are listed in our subprocessor register; please consult it for the authoritative position at any given time.

Subprocessors offering AI services

Where we use third-party AI services (for example, language models for summarisation), we select providers and tiers whose terms restrict the use of customer data for training, and we list the provider in our subprocessor register. The terms applicable to a given provider, and any limitations of those terms, govern in case of conflict with this summary.

We share personal data only with parties who have a clear role and a written contract that mirrors the protections we owe you.

Processors (Art. 28 GDPR / Art. 9 revFADP)

We use a small set of vetted service providers. Each is bound by a data processing agreement covering security, confidentiality, sub-processors and breach reporting. The current list of subprocessors is published at validant.ai/subprocessors and is updated when it changes. You can subscribe to material-change notices by writing to privacy [at] validant [dot] ai.

Independent controllers

A small number of recipients act as independent controllers (for example: payment institutions, professional advisers, certification bodies, courts where compelled). They process your data under their own privacy notices.

No sale, no broker sharing

We do not sell personal data, we do not share it with ad networks, and we do not load third-party advertising trackers on this site.

We are a Swiss-based company. We aim to host the platform on infrastructure located in Switzerland or the EU/EEA wherever practical; the current hosting region for each service is listed in our subprocessor register. When personal data does leave Switzerland or the EU/EEA, we rely on one of the following adequacy or safeguard mechanisms:

• Adequacy decisions: transfers to countries the Swiss Federal Council and the European Commission have recognised as providing adequate protection.
• Standard Contractual Clauses (EU SCCs as updated in 2021, plus the Swiss revFADP-compliant addendum) where adequacy does not apply.
• Transfer impact assessments documenting the receiving country's law and supplementary measures (encryption, key control, pseudonymisation).
• EU-US Data Privacy Framework certified recipients where applicable, with the Swiss-US framework where applicable to Swiss residents.

You can request a copy of the relevant transfer safeguard for your data at privacy [at] validant [dot] ai.

We retain personal data only as long as we need it for the purpose for which we collected it, plus any legally required archival period. After that, data is deleted or rendered irretrievably anonymous.

Under the GDPR, the revFADP and other applicable laws you have the following rights. We honour them free of charge unless your request is manifestly unfounded or excessive.

• Right of access: obtain confirmation that we process your data and a copy of it (Art. 15 GDPR / Art. 25 revFADP).
• Right to rectification: correct inaccurate data (Art. 16 GDPR).
• Right to erasure: "right to be forgotten" subject to overriding legal duties (Art. 17 GDPR).
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability: receive your data in a structured, machine-readable format (Art. 20 GDPR). This is core to our self-sovereign-identity philosophy.
• Right to object to processing based on legitimate interests, including direct marketing (Art. 21 GDPR).
• Right not to be subject to automated decision-making with legal or similarly significant effect (Art. 22 GDPR).
• Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3) GDPR).
• Right to lodge a complaint with a supervisory authority. In Switzerland: the Federal Data Protection and Information Commissioner (edoeb.admin.ch). In the EU: your local supervisory authority.

To exercise any right, write to privacy [at] validant [dot] ai. We will identify you in a proportionate way, respond within 30 days, and document the action taken.

Privacy and security are co-designed at validant.ai. We aim to apply technical and organisational measures appropriate to the risk (GDPR Art. 32 / revFADP Art. 8). As our platform is built out, we are implementing the following controls and will publish updated security documentation as each is in production:

• Encryption in transit (modern TLS) and at rest for stored data
• Least-privilege, role-based access for staff, with multi-factor authentication on administrative accounts
• Logical separation between customer tenants on the platform
• Logging and monitoring of access to personal data, and a breach-response process aligned to the 72-hour notification timeline under GDPR Art. 33 and revFADP Art. 24
• Dependency review and vulnerability scanning as part of our development workflow
• Data Protection Impact Assessments before launching processing activities likely to result in a high risk to data subjects (Art. 35 GDPR)
• Written agreements with subprocessors that include the protections required by GDPR Art. 28

If you need our current security documentation for a procurement or audit review, write to privacy [at] validant [dot] ai and we will share the version that reflects our state today.

Our services are designed for organisations and professional users. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has provided personal data to us, write to privacy [at] validant [dot] ai and we will delete it promptly.

We update this notice when our processing changes or when the law moves underneath us. The "Last updated" date at the top reflects the most recent revision. For material changes we notify active customers by email and post a banner on the site at least 30 days before the change takes effect.