Privacy Policy
Last updated: 16 June 2026
1. Controller and contact
Cynatic GmbH
Hauptstrasse 90, 4853 Murgenthal, Switzerland
Company identification number: CHE-180.622.640
Email: info@modulio.ai
Data protection contact: info@modulio.ai
Supervisory authority (Switzerland): Federal Data Protection and Information Commissioner (FDPIC)
2. Scope
This policy explains how Modular Business Hub (“Modulio”, “the platform”) handles personal data. It covers the public website, the sign-up and onboarding flow, the authenticated tenant application and its modules (CRM, Accounting, Marketing, Email, Documents, Calendar, Invoicing) and the related support, billing and email functions. It applies to visitors, the people who administer a tenant account and the individuals whose data a customer stores in the platform.
3. Our role: controller and processor
Modulio is a multi-tenant platform, so our role depends on the data in question.
- Account and platform data. For registration details, billing data, usage and security logs and the operation of the platform itself, we act as the controller.
- Tenant business data. For the business data a customer enters or uploads, including CRM contacts and module records, the customer is normally the controller and we act as a processor on their behalf. We process that data only on the customer's instructions and under a data processing agreement (Art. 28 GDPR). If you are an individual whose data a customer holds in Modulio, please contact that customer to exercise your rights; they decide how your data is used.
4. Principles
We process personal data for defined purposes, in proportion to those purposes and with appropriate security measures. For the EU/EEA the transparency, lawfulness and accountability duties of the GDPR apply, including the information duties under Art. 13 and 14 and the security duties under Art. 32. For Switzerland we follow the revised Federal Act on Data Protection (revFADP).
5. Categories of personal data
Depending on how you use the platform, we may process the following categories.
- a) Account data: name, organisation, email, password hash, role and account status.
- b) Tenant business data: CRM contacts, records and other content the customer enters into the modules they enable.
- c) Uploaded files: documents and files the customer uploads into the platform.
- d) Communication data: support requests and emails exchanged with us.
- e) Usage and technical data: IP address, timestamps, device and browser information, logs.
- f) Billing data: transaction IDs, status and invoice data; card and payment instrument details are handled by our payment provider, not by us.
- g) Integration data: OAuth tokens and metrics from a third-party account a tenant connects (for example Google Analytics in the Marketing module). Tokens are stored encrypted.
- h) AI inputs and outputs: free-text inputs and generated content when optional AI features are used.
6. Purposes, legal bases and processing overview
For the EU/EEA we generally rely on Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) (legitimate interest), Art. 6(1)(a) (consent) or Art. 6(1)(c) (legal obligation), depending on the activity. For Switzerland we rely on the revFADP. The table below summarises our main processing activities.
| Activity | Data | Purpose | Legal basis | Recipients / processors | Retention |
|---|---|---|---|---|---|
| Registration and account | Name, email, organisation, password hash, role | Create and secure the account, authentication | Art. 6(1)(b) GDPR (contract); revFADP | Supabase (database, auth), Vercel (hosting) | Account lifetime, then deleted per the deletion schedule |
| Tenant business data | CRM contacts, records and module data the customer enters | Provide the contracted service to the customer | Art. 6(1)(b) GDPR; processed on the customer's instructions | Supabase (database) | Account lifetime, then deleted or returned to the customer |
| File uploads | Documents and files uploaded into modules | Store and serve files the customer uploads | Art. 6(1)(b) GDPR; processed on the customer's instructions | Supabase Storage | Account lifetime, then deleted |
| Billing and subscriptions | Transaction IDs, status, invoice data | Process subscription payments, bookkeeping | Art. 6(1)(b) and (c) GDPR; Art. 957 ff. CO (CH) | Stripe (payments) | 10 years (statutory bookkeeping under Art. 958f CO) |
| Transactional email | Email address, message content | Send service emails (sign-up, password reset, alerts) | Art. 6(1)(b) GDPR (contract) | Resend | Short delivery and log window, then deleted |
| Analytics integration (Marketing module) | OAuth tokens, metrics retrieved from the connected account | Show the tenant their own Google Analytics data in-app | Art. 6(1)(a) GDPR (consent, via the OAuth connection) | Google (Google Analytics, via OAuth) | Until the tenant disconnects the integration |
| AI features | Free-text inputs and generated outputs | Power optional AI features (idea analysis, text or logo generation) | Art. 6(1)(b) or (f) GDPR, depending on the feature | OpenAI | Output stored with the account; inputs per provider policy |
| Operational telemetry | IP, device and browser data, error events, logs | Security, debugging, service reliability | Art. 6(1)(f) GDPR (legitimate interest) | Sentry (errors), Axiom (logs) | Up to 12 months |
7. Cookies and similar technologies
We use strictly necessary cookies to run the platform, in particular for session and authentication. These do not require consent. We set non-essential cookies, such as analytics, only where you have given consent, and you can change your choice at any time. We do not run third-party advertising or tracking cookies on the platform.
- Necessary (session, authentication, security): no opt-in required.
- Analytics: only if and where enabled, on the basis of consent.
8. Sub-processors and third parties
We use the service providers below to operate the platform. We enter into data processing agreements with our processors (Art. 28 GDPR).
- Supabase - Postgres database, authentication and file storage; hosts account data, per-tenant business data and uploaded files. Hosted in the European Union (AWS, Frankfurt region, eu-central-1).
- Vercel - application hosting and delivery.
- Stripe - subscription billing and payment processing.
- Resend - transactional email delivery.
- Google - only when a tenant connects their Google Analytics account through OAuth in the Marketing module.
- OpenAI - powers optional AI features when those features are used.
- Sentry - error monitoring.
- Axiom - log management.
9. International data transfers
Some of our providers may process data outside Switzerland and the EU/EEA. Where data is transferred to a country without an adequacy decision, we put appropriate safeguards in place, in particular the EU Standard Contractual Clauses with the supplementary measures the revFADP requires for Switzerland, along with technical measures such as encryption and least-privilege access. For Switzerland, disclosure abroad follows the revFADP and FDPIC guidance. For the EU/EEA, Chapter V of the GDPR applies.
10. Data retention
We keep personal data only as long as it is needed for the purposes above or as long as a legal duty requires. Specific periods are listed in the table in section 6. As general guidance:
- Account and tenant business data: for the lifetime of the account, then deleted or returned to the customer.
- Billing and accounting records: 10 years, as required for statutory bookkeeping under Art. 958f of the Swiss Code of Obligations.
- Security and access logs: up to 12 months.
- Support requests: up to 24 months after the request is resolved.
11. Data security
We apply appropriate technical and organisational measures to protect personal data. These include encryption in transit (TLS) and at rest, strict per-tenant isolation enforced at the database layer through Postgres row-level security, role-based access controls and least-privilege access for administrative actions, backups, monitoring and an incident-response process. No system is completely secure, but we work to keep these measures aligned with the risk.
12. Data breaches
We document security incidents and take corrective action. For the EU/EEA we notify the competent supervisory authority within 72 hours where required (Art. 33 GDPR) and inform affected individuals where the breach is likely to result in a high risk (Art. 34 GDPR). For Switzerland we notify the FDPIC where a breach is likely to lead to a high risk (Art. 24 revFADP).
13. Your rights
Subject to the conditions of the applicable law, you have the following rights in relation to data for which we are the controller.
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure of your data.
- Restriction of processing.
- Data portability.
- Objection to processing based on legitimate interest.
- Withdrawal of consent at any time, without affecting prior processing.
In Switzerland, the revFADP gives you a right of access and the means to enforce your rights. Where we act as a processor for a customer's tenant business data, please address your request to that customer, who is the controller of that data.
14. How to exercise your rights
To exercise any of these rights, or for any privacy question, contact us at info@modulio.ai. You also have the right to lodge a complaint with a supervisory authority: in Switzerland the Federal Data Protection and Information Commissioner (FDPIC), and in the EU/EEA your competent national authority.
15. Minors
Modulio is a business tool intended for use by adults. It is not directed at children and is not intended for use by anyone under 18.
16. Changes to this policy
We may update this policy from time to time. We will publish the current version here with a revised date and, where the changes are material, we will notify account holders by email or in-app.