Privacy Policy

Last updated: October 2023

Data protection is a matter of trust, and your trust is important to us. We, AskMeWhy AG, Industriestrasse 47, 8152 Zurich, Switzerland (hereinafter “AskMeWhy”, “we”, “us”, or the like), respect your privacy and personal data. We always treat your personal data confidential and process it in compliance with applicable law, in particular the Federal Government (Data Protection Act, FADP), as well as in accordance with these data protection provisions.

We protect, in cooperation with our service providers and partners, all data processing processes as best as possible and according to the current state of the art against unauthorized access, loss, misuse and unauthorized changes.

This Privacy Policy (hereinafter “Policy”) describes how we process and store your personal data when:

• we provide services to you,
• when you use our App,
• when you visit our website guests.one, or platform admin.guests.one, or Teams app,
• or use services as a customer through our website or platform.

If you are already using Guests, this Policy also applies to data about you that we have collected and stored in the past, which may link and process with data we collect to receive in the future.

This Policy will form part of the contract between you and us if it is listed in the relevant contract as part of the contract or if reference is made to it in the Terms of use, the provisions of the latter documents shall take precedence over the contents of this Policy.

In addition to this Policy, further data protection-related regulations such as those in any contract between you and us, in terms of use and in further data protection declarations may apply.

Data Controller

Data controller in the sense of the applicable data protection law:

AskMeWhy AG
Simon Feldkamp
Industriestrasse 47
CH – 8152 Glattbrugg

Phone: +41 44 390 14 10
Email: hello@askmewhy.com
Website: askmewhy.com

General

Personal data (hereinafter “Data”) means all data and information relating to an identified or identifiable natural person.

Categories of data processed: We process different categories of data from you, such as:

• Contact and identification data such as surname, first name, email address, company name, address, telephone number and customer number;
• Microsoft 365 or Entra Tenant ID;
• Financial data such as bank details, payment information, payment history, and average revenue;
• Contract data such as contract type, contract content, type of products and services, applicable terms and conditions, contract start date, contract term, remuneration claims, billing data, and offer restrictions;
• Interaction and usage data such as correspondence, chat content, customer preferences, type and extent of use of products and services, customer service information such as complaints, delivery information, customer segment, and target group information, information about the end devices used (end device type, device ID, manufacturer, operating system, language, device settings, etc.), information from the assertion of rights and feedback,
• Information regarding use of the website and platform such as internet pages visited, IP address, cookie information, browser settings, frequency of visits, time and duration of visits, search terms, clicks on content, Internet page of origin, information in forms and rating and comment submitted.

Purpose of data processing: Any Personal Information we collect from you may be used for any of the following purposes:

• to provide and maintain our services to you;
• to notify you of changes in relation to our services;
• to monitor the use of our services;
• to detect, prevent and correct technical problems;
• to provide you with news, special offers, and general information about other products, services, and events offered by us to the extent they are similar to those you have already purchased from or requested from us and you have not opted out of such communication;
• for marketing purposes and relationship management;
• to fulfill your orders;
• for billing and accounting;
• for the enforcement of our rights;
• for other purposes set forth in this policy
• To comply with legal or regulatory requirements
• In the event of a dispute to enforce or defend actual or alleged legal claims and for investigations or similar proceedings;
• for other lawful purposes, if this processing results from the circumstances or was indicated at the time of collection;
• If you apply for a job with us, we process your Personal Information for the purpose of reviewing your application, for carrying out the application process and, if necessary, for the preparation and conclusion of an employment contract.

When we provide services to you or you use our services, we rely on you, and you are required to provide us with certain data in connection with the conclusion of the contract and the provision or use of the services. If you do not provide us with the required data or only provide in part, this may mean that no contract can be concluded between you and us or that the provision of services is not possible or only possible to a limited extent.

Processing on our website

SSL/TLS encryption on our website
On our website guests.one, we use SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as your inquiries that you send to us. You can recognize an encrypted connection by the fact that the address line of the browser changes from “https//” to “https://”, and, depending on the browser, by the lock symbol in your browser line. If SSL or TLS encryption is activated, the information you send to us via the contact form cannot be read by third parties.

We would like to point out that data transmission on the Internet (e.g. when communicating by email) can have security gaps. Complete protection of data against access by third parties without the use of email encryption, such as PGP or S/MIME, is not possible and is at your own risk.

Processing on our App

Security of data processing
To ensure the protection of your data, we use appropriate technical and organizational measures. In doing so, we always observe the current state of the art. Our employees are regularly sensitized and trained. The infrastructure of our platform is operated on servers in Microsoft’s Swiss data centers that have ISO 27001 certification and have implemented high-security standards.

Processing when preparing Guests
When using the Guests for the first time, the following data is required and stored:

• Tenant ID
• Display name of the Global Admin consenting to our terms
• Consent date

Processing when using Guests
When using Guests as a customer (with a valid subscription), we only temporarily collect the users’ object ID (Microsoft Entra ID User ID) in our application telemetry (in Microsoft Azure Application Insights) for support reasons. This data gets auto deleted after 90 days. Based on the users’ object ID, we, as AskMeWhy, can NOT identify the users. We can NOT link the Object ID to any other data like names, emails, phone numbers, etc. Optionally, we allow customers to configure the user experience and available features across our Apps. In this case, customers can choose to protect the ability to make configuration changes to specific users and/or groups. Capturing these restrictions will require AskMeWhy to also store the respective user object IDs as well as Entra group IDs in the customer’s application settings. In case of a customer no longer using our services, the customer can delete all application settings, including any optionally provided user object IDs and/or Entra group IDs. All telemetry and application configuration data collected is stored in Switzerland.

For further details regarding data processing in Guests, permissions, app registrations, and the interaction between Guests and the customer’s Microsoft Tenant using Microsoft Graph, please refer to our system documentation at docs.guests.one/overview/systemoverview or docs.guests.one/admincenter/settings/permissions.

Processing support requests
For processing your support requests and managing your customer data, we use the CRM of HubSpot (2nd Floor 30 North Wall Quay, Dublin 1, Ireland – HubSpot Privacy Policy). In the context of processing data via HubSpot, we cannot exclude that data is transferred to the USA, although the EU has been agreed as the storage location of the data. Data protection is secured via the so-called standard contractual clauses of the EU Commission, which ensures that the processing of data is subject to a level of protection that corresponds to that of the EU-GDPR.

Website analysis with Google Analytics and Microsoft Clarity
We use Google Analytics and Microsoft Clarity for web analysis to provide our users with the best possible service. For this purpose, we evaluate the use of the respective pages and functions and derive improvements to the functionality of our services to make them easier and more valuable and to improve usability.

Google Analytics and Microsoft Clarity use cookies. For this purpose, the usage information obtained by the cookie is transmitted to Google and Microsoft. The data is further processed by us to analyze the behavior of users and to evaluate the use of individual components of the website. The aim is to constantly optimize the website and its user-friendliness.

What information we do not collect?
We do not collect Personal Information regarding your data stored, for instance in your SharePoint Online, Microsoft Teams, OneDrive, OneDrive for Business, etc. Additionally, the architecture of our Apps is constructed in a way that your data never gets transferred via any of our AskMeWhy servers or services.

We also do not collect any personal user data (except for the user’s object ID for support reasons only and optionally user object IDs and group IDs for tenant configuration reasons) for licensed customers when interacting with the Add-Ins or apps. This way we make sure that no GDPR relevant data of your general users is ever stored on any of our servers or services.

Third-party services on our website

General information about cookies
We use cookies on our website guests.one and our platform admin.guests.one. Information about our use of cookies can be found in our Cookie Policy.

Activation of your account & marketing:
We send the emails for activating your account and our newsletter via HubSpot. If you have shown interest in our products via one of our campaigns, we will send you information and marketing material as part of pre-contractual measures. For this purpose, we use the CRM system of the provider HubSpot. You can unsubscribe from receiving these messages at any time via the unsubscribe link.

Social media links
Our website can contain links to our company profiles on LinkedIn and YouTube. When you click on the links, you will leave our website and be redirected to the servers of the relevant social media providers:

• The privacy policy of LinkedIn (LinkedIn Ireland Unlimited, Wilton Plaza, Gardner House 4,5,6 2 Dublin, Ireland) can be found here: LinkedIn Privacy Policy
• The privacy policy of YouTube (Google Ireland Limited, Gorden House, Barrow Street, Dublin 4, Ireland) can be found here: YouTube Privacy Policy

Further data processing

For our own marketing purposes, we may combine and use publicly available data about you with the data we already hold about you. Data about you may also be obtained for the same purposes from third-party providers (e.g. address brokers), who may lawfully pass this data on to us. In addition, we may use and exploit further data for non-personal data analysis for the same purpose. Any further use of data, if required by law, will only take place with your additional consent.

Data subject rights
As a data subject, you have the rights listed below in accordance with the data protection law applicable to you. To exercise one or more of these rights, please contact us under help@askmewhy.com.

Right to information
You have the right to request confirmation from us as to whether data relating to you is being processed. If this is the case, you have a right of access to this data and to the information as described in Art. 15 EU-GDPR.

Right to rectification
As a data subject, you may have us correct your data processed by us at any time or, where possible, adjust it independently.

Right to erasure
You may at any time submit a request to us for deletion in relation to your data processed by us. Unless a legal or other obligation requires us to continue to retain the data, we will be happy to comply with your request. In the event of non-erasure, we will restrict processing. You can delete your customer configuration stored on AskMeWhy’s servers in the Guests admin center at any time. We will be happy to support you in this process.

Right to data portability
You have the right to receive your data, which is processed on the basis of your consent or a contract, in a structured, common, and machine-readable format and, if necessary, to transfer it to another controller.

Right to object
You have the right to object to the processing of data relating to you at any time on grounds relating to your situation. We will no longer process the data in the event of the objection, unless we can demonstrate compelling legitimate ground for further processing which overrides the interest, rights, and freedoms of you as the data subject, or if the processing serves the assertion, exercise, or defense of legal claims.

Revocation of consent
You can revoke consent once given at any time. To do you, contact us under help@askmewhy.com or sue our contact form, or, if your revocation relates to the sending of the newsletter, the opt-out link in the newsletter.

Right of complaint to the supervisory authority
You have the right to lodge a complaint with the supervisory authority responsible for you if you believe that the processing of your data violates applicable data protection law. The competent supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner.

With whom do we share the Personal Information we collect?

Since we operate globally, it may be necessary to transfer, store, and process Personal Information in any country in which we or our affiliates, subsidiaries, or service providers (especially Microsoft) maintain facilities.

The data protection and other laws of these countries may not be as comprehensive as those in the European Union and Switzerland. In these instances, we will take steps to ensure that a similar level of protection is given to Personal Information.

Your Personal Information will not be sold, exchanged, transferred, or given to any company outside AskMeWhy or our trusted third-party service providers for any reason whatsoever, without your consent, other than for the express purpose of delivering the product(s) or service requested, and as otherwise explicitly set forth herein. Also, we may release your Personal Information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others’ rights, property, or safety.

How long do we retain Personal Information?

We normally retain Personal Information during the periods of time indicated below, subject however to

• (i) applicable legal or regulatory requirements to retain Personal Information for a longer period of time (e.g., for legal, regulatory, tax or accounting reasons), or
• (ii) where we have an overriding interest (e.g., an interest for evidentiary reasons to establish, exercise and/or defend actual or potential legal claims, investigations or similar proceedings, including legal process that we may enforce to preserve relevant information, or where we have an interest in non-personal analysis).

Information collected by using our apps

Category	In-System Retention	Total Retention
Audit Logs	30 days	30 days
Application Telemetry	90 days	90 days
Application Settings	Until deleted by the customer	Until deleted by the customer

Information collected via other means than engaging with our apps

Category	In-System Retention	Total Retention
Physical Correspondence	1 year	1 year or 10 years, depending on applicable regulations
Electronic Correspondence	5 years	5 years
Accounting Records	11 years	11 years
Contracts	Data is kept as long as it is marked as active	Data is kept for an additional 5 years from the date of de-registration.

We may rectify, replenish, or remove incomplete or inaccurate information, at any time and at our own discretion.

How do we safeguard and transfer your information?

We are committed to use our reasonable efforts, in accordance with market best practices, to ensure the security, confidentiality, and integrity of the Personal Information you choose to provide us. Access to the Personal Information is based on the ‘least to know’ concept together with role-based access control systems, ensuring only authorized access to the Personal Information.

To protect the privacy of any Personal Information you may have provided, we are using data hosts (redundant setup Microsoft Azure PaaS services, storing and processing data globally, inside and outside of the EU) who implement market best practice security measures including encryption for data-at-rest and data-in-transit.

Although we take steps to safeguard such information, we cannot be responsible for the acts of those who gain unauthorized access, and we make no warranty, express, implied, or otherwise, that we will prevent such access.

Contacting us

If there are any questions regarding this Privacy Policy or the Personal Information that we collect about you, or if you feel that your privacy was treated not in accordance with this Privacy Policy, you may contact us here.

If you have a technical or general support question, please visit our services page here. Any other requests regarding the handling of Personal Information please contact us at our email hello@askmewhy.com or write to: AskMeWhy AG, Industriestrasse 47, CH-8152 Glattbrugg.

If you wish to contact us for anything other than your personal information, please visit our contact page under guests.one/en/contact-us.

Updates or amendments to the Privacy Policy is current as of the last updated date set forth below. We may revise this Privacy Policy from time to time, in our sole discretion, and the most current version will always be posted on the website.

We encourage you to review this Privacy Policy regularly for any changes. If the scope of personal data collection is expanded beyond what is already defined in this policy, AskMeWhy will inform all customers of this upcoming change with reasonable lead time.

Changes

We make regular changes to our data protection provisions as part of our continuous improvement process, in particular in order to remain compliant with legal regulations in the future. We will inform our customers about such changes via email, if we can reasonably assume that such changes affect the customer and/or the services used.