Privacy Policy
This policy explains what personal data Exosys Sàrl collects when you visit enforcegate.com, register for the EnforceGate vX open beta, or submit an enterprise pricing inquiry. It covers how that data is used, who it is shared with, and the rights you have over it. It is designed to comply with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the US CAN-SPAM Act, and other applicable international data protection laws.
We collect the minimum data necessary and will never sell it to third parties.
1 Data Controller
Exosys Sàrl
Route du Champ de la Grange 18, 1966 Ayent, Switzerland
UID CHE-272.220.665 · legal@enforcegate.com
Exosys Sàrl is the data controller for the personal data described in this policy. The primary applicable law is the Swiss Federal Act on Data Protection (FADP), in force since 1 September 2023 (SR 235.1; also known as DSG / LPD). The following additional frameworks apply depending on your location:
- EU/EEA residents: EU General Data Protection Regulation (GDPR) 2016/679.
- UK residents: UK GDPR as retained in UK law by the Data Protection Act 2018.
- California residents: California Consumer Privacy Act 1798.100 et seq., as amended by the CPRA (CCPA/CPRA).
- Other US residents: Applicable state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and similar), and the CAN-SPAM Act for email communications.
- Other jurisdictions: We apply GDPR-equivalent standards as a baseline for all users globally.
2 Data We Collect
2.1 Visitor analytics
Every page request to enforcegate.com generates an analytics record containing:
- IP address — used to derive geolocation data (country, currency) and to detect VPN, proxy, Tor exit-node, or crawler traffic via the IPStack API (see Section 5). Raw IP addresses are stored server-side in an internal database accessible only to site administrators.
- A pseudonymous visitor hash — a one-way keyed hash of the IP address used to count unique visitors without re-identifying you across sessions. The hash cannot be reversed to recover your IP address.
- Page path and referrer URL — to understand which pages are visited and where traffic originates.
- HTTP User-Agent string — to distinguish real browsers from automated crawlers.
- Timestamp — date and time of the request (UTC).
- Geolocation data — country name, country code, and ISO 4217 currency code derived from your IP address via the IPStack geolocation service.
- Connection-type flags — whether your IP is associated with a VPN, proxy, Tor exit node, data-centre hosting range, or known web crawler, as reported by IPStack.
This analytics data is used solely for internal site performance monitoring and fraud/abuse prevention. It is not used for advertising, profiling, or any automated decision-making that produces legal or similarly significant effects on you.
2.2 Beta registration
When you submit the open beta registration form we collect your email address. No other personal data is collected via this form.
2.3 Enterprise pricing inquiry
When you submit the enterprise contact form we collect:
- Full name
- Work email address
- Company name
- Deployment scale (optional, selected from a fixed list)
- Message (optional, free text up to 2,000 characters)
A confirmation email containing a one-time token is sent to the email address you provide. The inquiry is only forwarded to our sales team after you click the confirmation link, confirming that you own the address and consent to being contacted. Tokens expire after 48 hours; expired or unconfirmed inquiries are retained in our database for a limited period solely to prevent abuse (e.g., repeated submission spam), then deleted.
3 Purpose and Legal Basis
3.1 Visitor analytics
Purpose: Site performance monitoring, abuse and bot detection, and currency localisation (displaying pricing in the currency most appropriate for your region).
Legal basis (FADP): Legitimate interest (FADP Art. 6), provided such processing is proportionate and does not override your fundamental rights. We limit collection to what is strictly necessary and do not use analytics data for advertising or behavioural tracking.
Legal basis (GDPR / UK GDPR): Legitimate interests (Art. 6(1)(f)). We have assessed that our interest in understanding site traffic and preventing abuse is not overridden by your interests or rights, given the pseudonymous nature of the data and its strictly internal use.
United States: Processing is based on our legitimate operational interest in site monitoring and security.
3.2 Beta registration
Purpose: To send your beta invitation and programme communications.
Legal basis: Your voluntary submission of the form (FADP Art. 6; GDPR Art. 6(1)(a) — consent). You may withdraw at any time via the unsubscribe link in any email we send.
3.3 Enterprise pricing inquiry
Purpose: To respond to your pricing and sales enquiry.
Legal basis: Your explicit confirmation via the double opt-in link (FADP Art. 6; GDPR Art. 6(1)(a) — consent; and Art. 6(1)(b) — steps taken at your request prior to entering a contract).
4 Data Retention
- Visitor analytics records — retained indefinitely in aggregated form for trend analysis; raw records (including IP addresses) are retained for up to 12 months and then deleted or anonymised.
- IP geolocation cache — IP-to-country mappings cached in our database to minimise API calls. Entries are retained until manually purged or the database is reset.
- Beta registrations — retained for the duration of the beta programme and for up to 12 months after it closes, or until you unsubscribe.
- Enterprise inquiries — confirmed inquiries are retained for up to 24 months from the date of confirmation, or until you request deletion. Unconfirmed/expired inquiries are deleted within 30 days of token expiry.
5 Third-Party Processors
We use the following sub-processors. Each is bound by a data processing agreement and may only process data on our instructions.
- IPStack (Rapid API / apilayer) — IP geolocation and connection-type detection. Your IP address is transmitted to the IPStack API (located in the United States) to resolve country, currency, and security attributes. IPStack does not receive any other personal data, and the result is cached so each IP address is looked up at most once. For details see ipstack.com/privacy.
- Transactional email provider — used to deliver beta confirmation emails, enterprise inquiry confirmation emails, and sales notifications. The provider receives only the recipient email address and the template content required for delivery, and may not use it for any independent purpose.
- Hosting infrastructure — our hosting provider processes server logs (IP address, timestamp, request path) for security and operational purposes under a standard data processing agreement.
International transfers:
- Switzerland (FADP): Transfers to countries lacking recognition by the Swiss Federal Council are governed by standard data protection clauses acceptable to the FDPIC (FADP Art. 16–17).
- EU/EEA (GDPR): Transfers to third countries are governed by Standard Contractual Clauses (Art. 46(2)(c)) or another applicable Chapter V mechanism.
- UK: Transfers are governed by the UK IDTA or the UK Addendum to the EU SCCs, as applicable.
6 Your Rights
Depending on your location, you have some or all of the following rights. We honour all of them regardless of jurisdiction:
- Access — request confirmation of whether we process data about you and, if so, a copy of it (FADP Art. 25; GDPR Art. 15; CCPA).
- Rectification / Correction — request correction of inaccurate or incomplete data (FADP Art. 32 para. 1; GDPR Art. 16; CCPA/CPRA).
- Erasure / Deletion — request deletion or anonymisation of your data (FADP Art. 32 para. 2; GDPR Art. 17; CCPA).
- Restriction of processing — request that we limit how we use your data in specific circumstances (GDPR Art. 18; UK GDPR).
- Data portability — receive your data in a structured, machine-readable format (FADP Art. 28; GDPR Art. 20).
- Objection — object to processing based on legitimate interest (GDPR Art. 21; UK GDPR).
- Withdrawal of consent — withdraw your agreement at any time; prior processing remains lawful.
- Non-discrimination — we will not penalise you for exercising any data protection right (CCPA/CPRA).
To exercise any right, contact us at legal@enforcegate.com. We will respond within 30 days (FADP / GDPR) or 45 days for California residents (CCPA), with one possible extension. We will not charge a fee for reasonable requests.
Beta registrants may also unsubscribe at any time via the link in any programme email.
7 California and US State Residents
This section applies to residents of California and US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, and others).
Categories of personal information collected:
- Identifiers — IP address, email address, name (enterprise form only).
- Internet or network activity — page path, referrer URL, User-Agent string, timestamp.
- Geolocation — country and currency code derived from IP address (not precise geolocation).
- Professional/employment information — company name and deployment scale (enterprise form only).
Business purpose: Site analytics, abuse prevention, currency localisation, beta programme administration, and enterprise sales enquiry response.
Sale or sharing: We do not sell or share personal information, including for cross-context behavioural advertising.
Sensitive personal information: We do not collect sensitive personal information as defined under CCPA/CPRA.
Shine the Light (Cal. Civ. Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes.
To submit a request, contact legal@enforcegate.com.
8 Cookies and Tracking
This website does not use advertising trackers, analytics cookies, or third-party tracking scripts.
localStorage is used solely to persist your UI preferences (theme and font size) between visits. This data never leaves your device and is not transmitted to our servers.
One functional cookie is set by JavaScript when the page loads:
_eg_v — a session-quality cookie (max-age 24 hours) set to confirm that your browser executes JavaScript. It contains no personal data and is used exclusively to distinguish real browser visits from automated bots and scanners, preventing them from being counted in our analytics. It is not used for advertising, profiling, or cross-site tracking.
No cookies are set by the beta registration or enterprise contact forms. The visitor analytics described in Section 2.1 are collected server-side from request metadata.
9 Email Communications and CAN-SPAM
All emails we send (beta confirmations, enterprise inquiry confirmations, sales notifications) are directly related to an action you initiated. In compliance with the US CAN-SPAM Act:
- Every email includes our physical mailing address: Route du Champ de la Grange 18, 1966 Ayent, Switzerland.
- Every beta programme email includes a clear mechanism to opt out of future communications.
- We will honour opt-out requests within 10 business days.
- We will not use deceptive subject lines or sender identities.
10 Children's Privacy
This website and EnforceGate vX are directed exclusively at IT and network professionals. We do not knowingly collect personal data from individuals under 16 (or under 13 in the United States, as required by COPPA). If you believe we have inadvertently collected such data, please contact legal@enforcegate.com.
11 Security and Data Breach Notification
We apply technical and organisational measures — including encrypted storage, access controls, and regular security reviews — appropriate to the risk involved.
In the event of a personal data breach:
- Switzerland: We will notify the FDPIC without undue delay if the breach is likely to result in a high risk to affected individuals (FADP Art. 24).
- EU/EEA: We will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay where the risk is high (GDPR Art. 34).
- UK: We will notify the ICO within 72 hours and affected individuals as required under UK GDPR.
- United States: We will comply with applicable state data breach notification laws.
12 Supervisory Authorities
If you believe your data protection rights have been violated, you may lodge a complaint with the supervisory authority in your jurisdiction:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC / PFPDT)
- EU/EEA: The national data protection authority of your country of residence — see edpb.europa.eu.
- UK: Information Commissioner's Office (ICO)
- United States: The FTC at ftc.gov, or the attorney general of your state.
We encourage you to contact us first at legal@enforcegate.com so we have the opportunity to address your concern directly.
13 Changes to This Policy
If we make material changes, we will update the effective date at the top of this page and, where required by applicable law, notify affected individuals by email before the changes take effect. For changes requiring fresh consent we will seek it explicitly before continuing to process your data.