coreIntelligence

    Privacy Policy

    How coreIntelligence handles personal data

    Effective date: 29 June 2026

    1. General Information

    1.1 Company Information

    coreIntelligence (owned and operated by Léon Zehnder, hereinafter "coreIntelligence", "we", "our" or "us") is a Swiss technology company based in Zurich, specializing in AI-powered software solutions for independent wealth managers (EAMs), private banks, and family offices. Our core product is the coreIntelligence AI platform, which includes modular agents such as the Portfolio Assistant, Earnings Call Agent, KYC Agent, and other AI-powered workflow tools for regulated financial professionals.

    This Privacy Policy explains how we collect, use, disclose, transfer, and protect your personal data in accordance with the Swiss Federal Act on Data Protection (FADP/DSG), the Ordinance to the Federal Act on Data Protection (DPO/DSV), and, where applicable, the General Data Protection Regulation (EU) 2016/679 (GDPR).

    1.2 Scope

    This policy applies to:

    • Visitors of our websites and portals
    • Users of our platform and AI agents
    • Customers and prospective customers
    • Business partners and employees of subprocessors interacting with our systems

    By using our services or interacting with us, you confirm that you have read and understood this policy.

    2. Definitions

    • Personal data: Any information relating to an identified or identifiable natural person.
    • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
    • Controller: coreIntelligence, which determines the purposes and means of processing personal data.
    • Processor: A natural or legal person that processes personal data on our behalf.
    • Subprocessor: A third party engaged by coreIntelligence to process personal data on behalf of a customer.
    • Customer data: Personal data uploaded to or generated within our services by or on behalf of a customer, including portfolio data, client information, and financial records.

    3. Data Collection

    3.1 Types of Data Collected

    Depending on your interaction with us, we may collect:

    • Identification data: Name, email address, phone number, company details, login credentials.
    • Technical data: IP address, browser type, device identifiers, operating system, language settings, time zone, log files.
    • Usage data: Activity logs, interactions with our platform and agents, preferences, feedback, and support requests.
    • Contractual and business data: Contracts, service agreements, and communications relevant to our business relationship.
    • Support/correspondence data: Content of communications when you contact our support or sales team.
    • Customer data (as processor): When the coreIntelligence platform is used by a customer, any documents, client dossiers, portfolio data, KYC information, meeting notes, and other data processed within the platform is handled by coreIntelligence exclusively on behalf of the customer under a data processing agreement (DPA).

    3.2 How We Collect Data

    • Directly: When you register an account, subscribe to services, sign a contract, or contact us.
    • Automatically: Through cookies, analytics, log files, and telemetry when you use our services.
    • From third parties: Partner systems, business partners, or publicly available sources, as permitted by law.

    4. Legal Basis for Processing (GDPR Article 6 / FADP Art. 31)

    We process personal data on the following legal bases:

    • Contract performance: To provide our services, fulfill orders, and manage customer accounts.
    • Legitimate interests: To improve our products, secure our systems, prevent fraud, and conduct business analytics.
    • Legal obligations: To comply with tax, accounting, and regulatory requirements.
    • Consent: For marketing communications or optional cookies, where required.

    5. Use of Personal Data

    We use personal data to:

    • Provide, maintain, and improve the coreIntelligence platform and all associated AI agents.
    • Process transactions, manage billing, and provide customer support.
    • Ensure the security, integrity, and availability of our infrastructure.
    • Conduct product analytics and improve user experience (using aggregated or pseudonymized data only).
    • Fulfill legal and regulatory obligations.
    • Send administrative communications and, where legally permitted, marketing communications.

    6. Data Residency and Hosting - Switzerland Only

    coreIntelligence operates a Swiss-sovereign infrastructure. All production systems that store or process customer data are located in Switzerland.

    6.1 Infrastructure Stack

    • Platform hosting: Microsoft Azure Switzerland North (Zurich region) or the customer's own Azure tenant. No production workloads are deployed in non-Swiss regions.
    • AI/LLM processing: AI models (Azure OpenAI Service) are hosted and run exclusively within Microsoft Azure Switzerland North. No customer data is sent to AWS, US-based, or other non-Swiss model endpoints.
    • Customer-hosted deployments: When the platform is deployed on a customer's own Azure tenant, coreIntelligence does not have access to customer data unless explicitly granted for support purposes.

    6.2 No Cross-Border Transfers of Customer Data

    Customer data processed through the coreIntelligence platform does not leave Switzerland in the ordinary course of service delivery. Where coreIntelligence uses international business tools for internal operations (e.g., CRM, analytics), these tools do not receive customer data and are limited to contact and contractual metadata, with appropriate transfer safeguards (EU Standard Contractual Clauses and, where applicable, the Swiss-U.S. Data Privacy Framework).

    Separately, our public website relies on a small number of third-party services - contact-form delivery and privacy-friendly analytics (see Section 8.2) - that may process website-visitor data outside Switzerland under appropriate safeguards. These services never receive platform customer data.

    7. AI Processing - No Retention and No Training

    We treat customer data processed by AI models as strictly confidential inputs that are never used to train or improve any model - neither our own nor that of any third party.

    Specifically:

    • AI model inputs (prompts containing customer data) are processed in real time and not retained by model providers.
    • AI model outputs are delivered to the user and stored only within the customer's own environment.
    • No customer data is used for model fine-tuning, training, or improvement by any party.
    • All AI interactions are logged within the customer's environment for audit purposes.

    8. Data Sharing

    8.1 Principles

    We share personal data only to the extent necessary to provide our services, comply with legal requirements, or protect our legitimate interests. Every subprocessor is bound by a written agreement providing for confidentiality, security, and data protection obligations at least equivalent to those set out in this policy.

    8.2 Categories of Recipients

    • Cloud infrastructure providers: Microsoft Azure (Switzerland North) for platform hosting and AI model access.
    • AI model providers: AI models (Azure OpenAI Service) are hosted and run within Microsoft Azure Switzerland North. Customer data is processed in Switzerland and is not transmitted to OpenAI, Anthropic, AWS Bedrock, or any model-provider API outside Switzerland. No customer data is retained by model providers.
    • Customer's own systems: The platform connects to the customer's PMS, email, and document systems via read-only integrations. Data flows to and from these systems remain within the customer's environment.
    • Website contact-form processing: When you submit a contact, demo, or enquiry form on our website, the details you enter (e.g., name, email, company, and message) are transmitted to Web3Forms (web3forms.com), which delivers your message to us by email. Web3Forms acts as our form-handling provider and may process this data outside Switzerland under appropriate safeguards. This applies to website enquiries only and never to platform customer data.
    • Website analytics: We use Cloudflare Web Analytics for aggregate, privacy-friendly traffic measurement. It is cookieless, does not track you across sites, and does not build individual profiles; Cloudflare processes limited technical data (such as page URL, referrer, and a transient IP address) to produce aggregate statistics.

    9. Regulatory Alignment

    The infrastructure and operating model of coreIntelligence is designed to support our customers' own regulatory obligations, including:

    • FINMA / FinIA Art. 14 (Outsourcing): The platform is hosted and operated in a manner that allows FINMA-regulated EAMs to meet their outsourcing obligations, including auditability, data localization, and right of instruction.
    • Swiss FADP/DSG and GDPR: Our data processing practices, DPAs, and subprocessor agreements are aligned with both frameworks.
    • Banking secrecy: The platform is designed to maintain the confidentiality obligations applicable to Swiss financial intermediaries.

    10. Data Security

    coreIntelligence applies a defense-in-depth approach across infrastructure, application, and operational layers.

    10.1 Encryption

    • In transit: TLS 1.2+ with modern cipher suites for all client, API, and internal service traffic.
    • At rest: AES-256 at the storage layer for all databases, blob storage, and backups.

    10.2 Access Control

    • Role-based access control (RBAC) enforced across all platform components.
    • Multi-factor authentication (MFA) for all administrative access.
    • Principle of least privilege; production environment access is restricted to a small number of named personnel and is logged.
    • For customer-hosted deployments, coreIntelligence personnel do not have access to the customer environment unless explicitly granted.

    10.3 Audit Trail

    • All platform interactions (queries, generated outputs, tool calls, email drafts) are logged with timestamp, user identity, and action performed.
    • Audit logs are stored within the customer's environment and are accessible to the customer at all times.
    • Logs are retained according to the customer's own retention policies.

    11. Data Retention

    We retain personal data:

    • For as long as necessary to fulfill the purposes described in this policy.
    • Until consent is withdrawn, where processing is based solely on consent.

    Customer data is deleted or returned to the customer within a reasonable period after contract termination, unless retention is required by law. AI prompts and responses are not retained (see Section 7).

    For customer-hosted deployments, all data remains on the customer's infrastructure and is under the customer's sole control at all times, including after termination of the contract.

    12. Data Subject Rights

    Under the GDPR and FADP, you have the right to:

    • Access your personal data and obtain a copy thereof.
    • Rectification of inaccurate or incomplete data.
    • Erasure of data ("right to be forgotten"), where legally permissible.
    • Restriction of or objection to processing, including profiling.
    • Data portability: Receive your data in a structured, commonly used format.
    • Withdraw consent at any time, without affecting the lawfulness of prior processing.
    • Lodge a complaint with a supervisory authority, such as the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU data protection authority.

    Where coreIntelligence acts as a processor (for customer data within the platform), requests should generally be directed to the relevant customer (the controller); coreIntelligence will assist customers in responding to such requests.

    To exercise your rights or ask questions, contact: leon.zehnder@helvetiqa.ch.

    13. Cookies and Tracking Technologies

    Our website uses essential cookies only. These are limited to what is needed for basic site functionality and security. We do not use analytics, performance, advertising, or other tracking cookies, we do not build profiles of visitors, and no cookie-consent banner is required. Our website analytics tool (Cloudflare Web Analytics) is cookieless and sets no cookies; see Section 8.2.

    You can manage or disable cookies through your browser settings. As we use only essential cookies, disabling them may affect basic site functionality. For details, see our Cookie Policy.

    14. Changes to This Privacy Policy

    We may update this Privacy Policy to reflect changes in technology, legislation, or our practices. Material changes will be communicated by email (if you have an account) or by a prominent notice on our website. Please review this policy regularly for updates.

    15. Contact

    coreIntelligence
    Zurich, Switzerland
    Email: leon.zehnder@helvetiqa.ch

    © coreIntelligence 2026. All rights reserved.