Privacy Policy
Last updated: March 10, 2026
UTXO AG ("UTXO AG", "we", "us", "our") takes the protection of your personal data seriously. This Privacy Policy explains how we collect, use, store, and share personal data in connection with our website (https://utxoag.com) and our AI agent services ("AI Coworkers" or "Agentic Service").
We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Swiss Federal Act on Data Protection ("FADP" / "nDSG"), and other applicable data protection laws.
1. Controller and Contact
The controller responsible for the processing of personal data is:
UTXO AG
Dammstrasse 16, 6300 Zug, Switzerland
Commercial register: CH-400.3.450.669-8
Data protection contact: business@utxo.ag
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at the address above.
2. Purposes of Processing, Legal Bases, and Data Categories
The following table provides an overview of the purposes for which we process personal data, the categories of data involved, and the applicable legal basis.
| Purpose of Processing | Categories of Personal Data | Legal Basis |
|---|---|---|
| Service provision and AI agent operation | Task content, instructions, agent input/output data, interaction metadata, connected system data (email content, attachments, CRM data) | Art. 6(1)(b) GDPR — performance of a contract |
| Account and subscription management | Name, email address, company name, subscription details, login credentials | Art. 6(1)(b) GDPR — performance of a contract |
| Billing and payment processing (via Stripe) | Name, company name, billing address, payment information (card brand, truncated card number, expiry date), transaction ID, invoice data | Art. 6(1)(b) GDPR — performance of a contract |
| Support and issue resolution | Name, email address, request content, communication history, relevant technical logs | Art. 6(1)(b) and Art. 6(1)(f) GDPR — performance of a contract / legitimate interest |
| Marketing communication | Email address, preferences, consent logs | Art. 6(1)(a) GDPR — consent |
| Platform analytics and optimisation | Device data, anonymised/pseudonymised IP address, usage patterns, page views, cookies | Art. 6(1)(a) GDPR — consent (cookie-based); Art. 6(1)(f) GDPR — legitimate interest (aggregated analytics) |
| Legal compliance | Usage records, identity data, financial and tax information | Art. 6(1)(c) GDPR — legal obligation |
2.1 Service Provision and AI Agent Operation
When you use an AI Coworker, the agent processes data from your connected systems (e.g. email content, attachments, CRM records, database entries) to perform assigned tasks. This data is processed solely for the purpose of delivering the subscribed service. Where UTXO AG acts as a data processor on behalf of the Customer, the processing is governed by the Data Processing Agreement.
2.2 Account and Subscription Management
We process your contact and company information to create and manage your subscription, communicate service-related information, and administer your account.
2.3 Billing and Payment Processing
Payment transactions are processed by Stripe, Inc., a licensed payment service provider. We receive only limited payment information (e.g. truncated card number, transaction confirmation) necessary for invoicing and accounting. We do not store full payment card details.
2.4 Support and Issue Resolution
When you contact our support team at support@utxoag.com, we collect the information necessary to address your request, including your contact details, a description of the issue, and relevant account or technical data.
2.5 Marketing Communication
With your explicit consent, we may send you marketing communications related to our services, product updates, or events. You may withdraw consent at any time by using the unsubscribe link in any marketing email or by contacting us at business@utxo.ag. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
2.6 Platform Analytics and Optimisation
We use analytics tools to understand how our website and services are used and to improve the user experience. Where analytics rely on cookies or similar technologies, we obtain your consent in accordance with applicable law. Analytics data is pseudonymised or anonymised wherever possible.
2.7 Legal Compliance
We process certain data to comply with applicable legal obligations, including commercial and tax record-keeping requirements under Swiss law (Art. 957 et seq. OR, Swiss tax legislation).
3. AI-Specific Data Processing Disclosure
3.1 AI Coworkers process Customer data — including email content, attachments, and data from connected systems — using third-party AI infrastructure provided by:
- OpenAI (OpenAI, LLC), USA
- Anthropic (Anthropic, PBC), USA
3.2 This processing may involve the transfer of data to servers located outside Switzerland and the European Economic Area (EEA), specifically to the United States. Appropriate safeguards are in place (see Section 6).
3.3 AI Coworkers operate as limited-risk AI systems under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). Persons interacting with an AI Coworker are hereby informed that they are communicating with an AI system, not a human being.
3.4 AI-generated outputs are probabilistic in nature and require human verification. No automated decisions with legal effect (within the meaning of Art. 22 GDPR) are made by the AI Coworkers.
4. Cookies and Tracking Technologies
We use cookies and similar technologies on our website to enhance your experience, analyse traffic, and support platform functionality. You can manage or disable cookies through your browser settings; however, disabling certain cookies may affect website functionality.
Where legally required, we obtain your consent before placing non-essential cookies.
5. Sharing of Data with Third Parties
We share personal data with third parties only where legally permitted, contractually required, or where you have given your consent. We do not sell or rent personal data.
5.1 Sub-Processors and Service Providers
We use the following third-party service providers who process personal data on our behalf:
| Service Provider | Purpose | Location |
|---|---|---|
| OpenAI (OpenAI, LLC) | AI model inference | USA |
| Anthropic (Anthropic, PBC) | AI model inference | USA |
| Railway (Railway Corp.) | Application hosting | USA |
| DigitalOcean (DigitalOcean, LLC) | Application hosting | USA/EU |
| Stripe (Stripe, Inc.) | Payment processing | USA/EU |
| Google (Google LLC) | Website analytics (Google Analytics) | USA/EU |
These providers process data strictly on our behalf under binding contractual obligations in accordance with Art. 28 GDPR.
5.2 Legal Obligations
We may disclose personal data to public authorities, courts, or legal advisors where required by law, for example in the context of tax audits, regulatory investigations, or legal proceedings.
6. International Data Transfers
Where personal data is transferred to countries outside Switzerland and the EEA that do not provide an adequate level of data protection, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Adequacy decisions by the European Commission or the Swiss Federal Council;
- The Swiss-US Data Privacy Framework, where applicable.
We require all sub-processors to maintain equivalent safeguards for international data transfers.
7. Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, including compliance with legal retention obligations:
| Data Category | Retention Period |
|---|---|
| Account and subscription data | Duration of the subscription + 30 days after termination |
| Transaction and billing data | 6 to 10 years (in accordance with Swiss commercial and tax law, Art. 957 et seq. OR) |
| Support and communication data | 3 years from the date of the last interaction |
| Marketing consent data | 3 years from the last interaction or withdrawal of consent |
| Log and usage data | 12 months |
After the applicable retention period, personal data is deleted or anonymised, unless longer retention is required by law.
8. Your Rights
As a data subject, you have the following rights under the GDPR and the Swiss FADP:
- Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, access to that data and related information.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate personal data or the completion of incomplete data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data where one of the grounds specified in Art. 17 GDPR applies, provided no legal retention obligation or overriding legitimate interest prevents deletion.
- Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing under the conditions set out in Art. 18 GDPR.
- Right to data portability (Art. 20 GDPR): Where processing is based on consent or a contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on Art. 6(1)(f) GDPR on grounds relating to your particular situation.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw consent at any time with future effect. The lawfulness of processing carried out prior to withdrawal remains unaffected.
To exercise any of these rights, please contact us at business@utxo.ag. We may require identity verification before processing your request.
9. Supervisory Authorities
The primary supervisory authority for data protection matters concerning UTXO AG is:
EDÖB — Federal Data Protection and Information Commissioner
Feldeggweg 1, 3003 Bern, Switzerland
EU-based data subjects may also contact their local data protection supervisory authority in accordance with Art. 77 GDPR.
10. Automated Decision-Making
We do not use personal data for automated decision-making, including profiling, that produces legal effects or similarly significantly affects individuals within the meaning of Art. 22 GDPR. AI Coworkers generate outputs for human review and verification — they do not make autonomous decisions with legal or similarly significant effects.
11. Minors
Our services are intended exclusively for business use and are not directed at individuals under the age of 18 (or the applicable age of majority). We do not knowingly collect personal data from minors. If we become aware that personal data has been collected from a minor, we will take reasonable steps to delete such data promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technical developments. Material changes will be communicated via email to affected subscribers or by a prominent notice on our website. We encourage you to review this Privacy Policy periodically.