This privacy policy was updated last on December 17, 2025.

1. Who we are and how to contact us

This Privacy Policy explains how Hafnova SA processes personal data when you use our website, our SaaS console, and our mobile applications (collectively, the “Services”).

Data Controller: Controller:

Hafnova SA, Chemin du Bois de Vaux 3, 1007 Lausanne, Switzerland.

Contact (DPO): Data Protection Officer:

Email: info@hafnova.com.

2. Scope: B2B, B2C and children

B2B. In a business context, an organization may create and manage accounts for administrators and enroll devices for its users. In this case, the organization is typically the data controller for the processing of end-user data within its tenant, while Hafnova acts as a processor for the organization for the core service.

B2C. Individuals may also create an account directly to use the Services. In that case, Hafnova SA acts as the data controller for the processing described in this Privacy Policy.

Children. The Services may be installed by parents on a child’s device. In that scenario, the account is created and managed in the parent’s name and the parent is the user of the Services. As a conservative rule, the Services are otherwise intended for users aged 13 and over (or older if required by local law).

3. Categories of personal data we process

Depending on how you interact with us, we may process the following categories of personal data:

  • Account data: first name, last name, email address, password (stored as a salted hash), and account identifiers.
  • Billing and contractual data: company name (where applicable), billing address, VAT number, payment method (e.g., Stripe, PayPal, bank transfer), invoices and invoicing history.
  • Customer support data: messages, problem descriptions, troubleshooting information and (where relevant) support-related logs accessed by our support team.
  • Service and security logs: technical logs used to operate and secure the Services. These may include timestamps, network/protocol metadata, requested domain names, actions taken (e.g., blocked/allowed), target IP address, internal source IP as reported by the device/app, device ID (technical identifier) and device name (user-defined).
  • Website usage data: limited technical data about visits to hafnova.com (see Cookie Policy). We use WP Statistics with IP anonymization and without cookies for basic audience measurement, and we use strictly necessary cookies for the website’s operation and security.
  • Prospect and business contact data: contact and relationship data stored in our CRM (Pipedrive) for sales and business communications.

4. Device name: free-text field and minimization

The device name is a free-text field chosen by the user. Because it is user-defined, it may contain personal data if the user enters such information.

We encourage users not to include personal data (such as name, email address or phone number) in the device name. We do not keep a history of device name changes.

For service operation and security, devices also have a device ID, which is a technical identifier.

5. Purposes and legal bases

We process personal data for the following purposes and legal bases (where applicable):

  • Provide the Services (account creation, authentication, service delivery, device enrollment): performance of a contract.
  • Billing, invoicing, accounting and tax compliance: legal obligation and performance of a contract.
  • Security operations (threat blocking, incident investigation, misuse prevention): legitimate interests and, where applicable, performance of a contract.
  • Customer support and service improvement: performance of a contract and legitimate interests.
  • Sales communications with business contacts and prospects (no mass-email campaigns): legitimate interests and, where required, consent or opt-out mechanisms.
  • Website operation and security cookies: necessary for the website to function. Optional technologies (if any) rely on your preferences/consent as described in the Cookie Policy.

6. Sharing and processors

We share personal data only on a need-to-know basis and with appropriate contractual and security safeguards. Depending on your use, we may share data with:

  • Infrastructure providers: OVH (France) and Init7 (Switzerland) for hosting and connectivity.
  • Payment and invoicing providers: Stripe (card data stored by Stripe; invoices generated by Stripe) and PayPal; and bank/payment partners for transfers.
  • CRM provider: Pipedrive (hosted in Europe) to manage prospects and customer relationships.
  • Scheduling provider: Calendly (hosted in Europe) when you book a demo via an external link.
  • Development subcontractor: a subcontractor in India working only on front-end development (mobile app) without access to production data.

7. International transfers

We do not transfer or make accessible personal data outside Switzerland and the European Economic Area (EEA) for the Services described in this Privacy Policy, based on our current provider setup (hosting and key business tools configured for Europe).

8. Data retention

We keep personal data only for as long as necessary for the purposes described above, and in accordance with legal obligations. Our current retention periods are:

Data category

Retention period

Invoices and accounting records (ERP)

10 years

Account data (after account closure)

1 year

Support tickets

5 years

Technical and security logs (including access logs)

1 year

Log deletion: users cannot delete logs directly, but deleting a device (and/or a user account) triggers deletion of the associated logs in the Services, except where retention is required for legal/accounting reasons.

If you delete your account, billing data may be removed from our console, while invoices and accounting records remain retained in our internal accounting systems for statutory retention periods.

9. Security measures

  • Passwords are stored as salted hashes (not in clear text).
  • Access to production systems and logs is restricted and monitored.
  • Support access to logs is limited to debugging needs and is logged/audited.
  • Customer administrators in B2B tenants can manage access to logs for devices under their responsibility.
  • Multi-factor authentication (MFA) for the SaaS console is on our product roadmap.

10. Your rights

Depending on your location and relationship with Hafnova, you may have rights such as access, rectification, deletion, objection/restriction, and (in the EU) data portability. To exercise your rights, contact us at info@hafnova.com.

Supervisory authority (Switzerland): Federal Data Protection and Information Commissioner (FDPIC). In the EU/EEA, you may also lodge a complaint with your local supervisory authority.

11. Automated decisions

Our Services may automatically block or allow network requests based on security signals and threat intelligence. This automated processing is necessary to provide the security features of the Services.

12. Updates

We may update this Privacy Policy to reflect changes in our Services or legal requirements. The version date at the beginning of this document indicates when it was last updated.

Sovereign Cybersecurity
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.