Privacy Notice — Swiss Federal Act on Data Protection (nDSG/DSG)
Sarama CRM Platform
Controller: Angad Manik Beratung fur Strategie und Projekte, Rebgasse 53, 4058 Basel, Switzerland
Data Protection Contact: Angad Bank (formerly Manik), impact@angad.swiss
Platform: sarama.angad.swiss
Effective Date: 28 March 2026
1. Introduction
This Privacy Notice explains how Angad Manik Beratung fur Strategie und Projekte ("we", "us", "Controller") processes your personal data in connection with the Sarama CRM platform ("Platform") in compliance with the Swiss Federal Act on Data Protection (DSG, SR 235.1, revised version in force since 1 September 2023, "nDSG") and the Data Protection Ordinance (DSV, SR 235.11).
We act in two capacities:
- Controller for account, user, and billing data;
- Processor for personal data uploaded by our customers (contacts, form submissions, email content), where the customer acts as Controller.
2. Controller Contact
Angad Manik Beratung fur Strategie und Projekte
Angad Bank (formerly Manik)
Rebgasse 53, 4058 Basel, Switzerland
Email: impact@angad.swiss
3. Personal Data We Process
3.1 Account and Authentication Data
- Email address (OTP login, no passwords)
- User ID
- Organisation affiliation and roles
3.2 Billing Data (via Stripe)
- Payment information
- Transaction history
- Credit balance (credit system)
3.3 Customer-Uploaded Data (we as Processor)
- Contact data (name, email, phone, address, occupation, company, social media links, date of birth, custom fields)
- Company records
- Deal and sales data
- Email content (via integration)
- Form submissions (all field data, UTM parameters, referrer, URL)
- Calendar entries
- Workflow configurations
3.4 Tracking Data
- IP address (for email opens and clicks)
- User agent (for email tracking and form submissions)
- Click URLs
- Form submission metadata (IP, user agent, referrer)
3.5 AI and Chat Data
- Conversation messages
- AI provider API keys (encrypted)
3.6 Integration Credentials
- OAuth tokens (Gmail, Outlook, Calendar) — encrypted
- IMAP/SMTP credentials — encrypted
3.7 Audit Data
- Log entries (user ID, action, resource, timestamp)
4. Data We Do NOT Process
- Passwords (OTP-based authentication)
- Tracking cookies of our own; the only cookies set are those of Google Analytics and Cloudflare Turnstile, as disclosed in Section 6
- Third-party analytics (no Google Analytics, Meta Pixel, or similar)
- Device fingerprints
- Precise geolocation
- Biometric data
- Sensitive personal data within the meaning of Art. 5 let. c nDSG
5. Purpose and Legal Basis
| Purpose | Legal Basis (nDSG) |
|---|---|
| Contract performance (account management, platform access) | Art. 31(2)(a) nDSG — contract performance |
| Billing and payment | Art. 31(2)(a) nDSG — contract performance |
| Security (audit logs, fraud prevention) | Overriding interest (Art. 31(1) nDSG) |
| Processing on behalf of customer | Contract with the customer (Art. 9 nDSG) |
| Legal obligations (bookkeeping) | Art. 31(2)(b) nDSG — legal obligation |
| Email tracking (on behalf of customer) | Overriding interest of the customer / consent of recipients |
Note on the nDSG: Unlike the GDPR, the nDSG does not require consent as a general prerequisite for processing. Processing is generally permissible as long as the processing principles (Art. 6 nDSG) are observed and no personality rights are violated. Consent is only required for sensitive personal data or high-risk profiling.
6. Recipients and Processors
| Recipient | Service | Location | Data | Safeguards |
|---|---|---|---|---|
| Supabase (AWS) | Database, Auth, Storage | Zurich, Switzerland | All platform data | Data stays in Switzerland |
| Stripe | Payment processing | USA | Billing data | Adequacy decision (Art. 16(1) nDSG), Standard Contractual Clauses |
| Anthropic | AI models (Claude) | USA | Chat messages (via customer API keys) | Standard Contractual Clauses, customer-initiated |
| OpenAI | AI models (GPT) | USA | Chat messages (via customer API keys) | Standard Contractual Clauses, customer-initiated |
| Google | AI models (Gemini) | USA/EU | Chat messages (via customer API keys) | Standard Contractual Clauses, customer-initiated |
| Gmail / Outlook API | Email sync | USA | Email content (via customer OAuth) | Customer-initiated |
| Google (Analytics) | Website usage analytics | USA/EU | Page views, session duration, device info, IP (anonymised), cookies (_ga, _gid) | Standard Contractual Clauses; only active with user consent |
| Cloudflare (Turnstile) | CAPTCHA / bot protection | USA/EU | IP address, browser attributes, cookies | Standard Contractual Clauses |
| Microsoft (Entra ID) | OAuth authentication (optional) | USA/EU | Email, name, account ID | Standard Contractual Clauses |
| Google (OAuth) | OAuth authentication (optional) | USA/EU | Email, name, account ID | Standard Contractual Clauses |
7. Disclosure Abroad (Art. 16–17 nDSG)
7.1 Our primary infrastructure operates in Zurich, Switzerland (Supabase). No cross-border disclosure takes place in this regard.
7.2 For data transfers to the USA (Stripe, AI providers), we rely on:
- The Federal Council's adequacy decision, where available;
- Standard data protection clauses pursuant to Art. 16(2)(d) nDSG;
- Supplementary technical measures (encryption).
7.3 The current list of countries with adequate data protection is published by the FDPIC. The USA does not currently have a general adequacy decision; we therefore use Standard Contractual Clauses.
7.4 AI data transfers are customer-initiated: the customer provides their own API keys and decides which models to use.
8. Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data | Duration of contract + 30-day export period |
| Billing data | 10 years (Art. 958f CO) |
| Customer-uploaded CRM data | Duration of contract + 30-day export period |
| Email tracking events | Duration of contract |
| AI chat messages | Duration of contract |
| Audit logs | 2 years |
| OAuth/API tokens | Until revocation or contract end |
After contract termination and expiry of the 30-day export period, all customer data is irrevocably deleted unless a statutory retention obligation applies.
9. Your Rights Under the nDSG
As a data subject, you have the following rights:
| Right | Basis | Description |
|---|---|---|
| Right of access | Art. 25–27 nDSG | You may request information on whether and which personal data we process about you. |
| Right to data portability | Art. 28–29 nDSG | You may request the release of your data in a commonly used electronic format. |
| Right to rectification | Art. 32(1) nDSG | You may request the correction of inaccurate data. |
| Right to erasure | Art. 32(2)(c) nDSG | You may request the deletion of your data, provided no legal obligation requires retention. |
| Right to object | Art. 30(2)(b) nDSG | You may object to processing. |
For contacts of our customers: If you are stored as a contact in a customer's CRM database, please contact that customer (the Controller). We support our customers as Processor in fulfilling your rights.
Response time: We respond to your request within 30 days.
10. Data Security (Art. 8 nDSG, Art. 1–5 DSV)
We implement the following technical and organisational measures to protect your personal data:
Technical Measures:
- AES-256-GCM encryption for API keys and sensitive credentials
- Supabase Vault for OAuth token encryption
- TLS 1.2+ for all data in transit
- Row-Level Security (RLS) on all database tables — data isolation between organisations
- HMAC-SHA256 token validation for unsubscribe links
- Content Security Policy (CSP)
- DOMPurify for HTML sanitisation (XSS prevention)
- Rate limiting on public endpoints
- No CORS wildcard (no Access-Control-Allow-Origin: *); allowed origins are validated dynamically per request
Organisational Measures:
- OTP-based authentication (no passwords)
- Role-based access control
- Audit logging of all data operations
- Recommended API key rotation every 90 days
- Processing agreements with all sub-processors
- Regular security reviews
11. Data Security Breach (Art. 24 nDSG)
In the event of a data security breach likely to result in a high risk to affected persons:
- We report the breach to the FDPIC as soon as possible (Art. 24(1) nDSG);
- We inform the affected persons if necessary for their protection (Art. 24(4) nDSG);
- We notify affected customers (as Controllers) without delay;
- We recommend immediate rotation of all stored API keys.
12. Automated Individual Decisions (Art. 21 nDSG)
The Platform does not make automated individual decisions within the meaning of Art. 21 nDSG. AI-generated content serves as suggestions and is always subject to human oversight.
13. Minors
The Platform is not intended for persons under 16 years of age. We do not knowingly process personal data of minors.
14. Cookies and Tracking Technologies
The Platform does not set proprietary cookies. No third-party analytics or advertising tools are used beyond those disclosed in Section 6.
Email tracking features (open and click tracking) are provided on behalf of our customers. The customer, as Controller, is responsible for informing their recipients and obtaining any required consent.
15. Supervisory Authority
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern, Switzerland
https://www.edoeb.admin.ch
You have the right to request an investigation by the FDPIC (Art. 49 nDSG) or to bring a claim before the competent court (Art. 32 nDSG).
16. Changes
We may update this Privacy Notice at any time. Material changes will be communicated via email at least 30 days before taking effect. The current version is always available at sarama.angad.swiss/site/swiss-privacy.
17. Contact
For data protection enquiries:
Angad Manik Beratung fur Strategie und Projekte
Angad Bank (formerly Manik)
Rebgasse 53, 4058 Basel, Switzerland
Email: impact@angad.swiss
Last updated: 28 March 2026