Privacy Policy
Last updated: 29 May 2026.
This Privacy Policy describes how SolAbility (“we”, “us”) processes personal data of visitors and authenticated users of gsci.solability.com and gsm.solability.com (the “Services”). Personal data is processed in accordance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
1. Controller
The data controller is SolAbility. Postal address and company details are set out in our Impressum. Contact for privacy enquiries: [email protected].
2. What we collect, and why
We are a business-to-business research product. We do not run advertising trackers and we do not sell personal data. The data we process falls into a small number of categories:
Account data. Name, business email address, organization, role within the organization, hashed password, optional Google sign-in identifier. Processed to provide the Services (contract performance, GDPR Art. 6(1)(b)).
Authentication and session data. Encrypted session token (HTTP-only cookie scoped to .solability.com), last-login timestamp, IP address at sign-in. Processed for security and to keep you signed in (legitimate interest, GDPR Art. 6(1)(f)).
Billing data. Organization name, billing address, VAT number, invoice line items, payment status. Processed for contract performance and statutory bookkeeping obligations (GDPR Art. 6(1)(b) and (c)).
Usage and audit data. Application logs of which endpoints your account called, when, and from which IP; saved configurations (watchlists, custom-index weights, risk-portfolio positions); admin actions on your organization. Processed for security, abuse prevention, capacity planning and to provide product features (legitimate interest, GDPR Art. 6(1)(f); contract performance, Art. 6(1)(b)).
Bot-protection data. Cloudflare Turnstile is used on the sign-in and password-reset forms. Cloudflare collects limited technical data to score whether a request is human; see Cloudflare’s privacy policy. Processed on the legal basis of legitimate interest in preventing credential-stuffing attacks (GDPR Art. 6(1)(f)).
Server logs. Standard web-server access logs are kept short-term for security and operations (typical retention 30 days). We do not deploy analytics pixels or third-party trackers on the Services.
3. Cookies and similar technologies
We use only the minimum cookies needed to operate the Services. The principal cookie is a single, encrypted session token scoped to .solability.com so that signing in on one portal carries over to the other (single sign-on). No advertising or cross-site tracking cookies are set.
4. Recipients and processors
We share personal data only with the following processors, each bound by a data-processing agreement:
Hosting. Hetzner Online GmbH (Germany, EU). All application data and databases are stored on hosts in the European Union.
Edge protection and content delivery. Cloudflare, Inc. (USA) terminates TLS at the network edge and provides bot-protection (Turnstile). Cloudflare acts under the EU Standard Contractual Clauses and equivalent transfer safeguards.
Transactional email. Stablehost (USA) relays account emails (invitation, password reset, billing) via authenticated SMTP. Only the recipient address and message content are transmitted.
We do not transfer personal data to third parties for their own marketing purposes.
5. International transfers
Where a processor is established outside the European Economic Area or Switzerland (Cloudflare, Stablehost), we rely on the European Commission’s Standard Contractual Clauses and on supplementary technical and organizational measures (TLS in transit, minimal in-transit personal data, no payment-card data).
6. Retention
Account data is kept while the subscription is active and for a reasonable period thereafter to allow for re-activation, normally not exceeding 24 months from the end of the subscription. Billing records are kept for the period required by Swiss and EU bookkeeping law (typically 10 years). Server access logs are kept for a short operational period (typically 30 days). Audit logs of admin actions are kept for the life of the organization.
7. Your rights
Subject to the conditions set by applicable law, you have the right to access, rectify, erase, restrict, port and object to the processing of your personal data, and to withdraw any consent you have given. You also have the right to lodge a complaint with a supervisory authority — in particular the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the EU supervisory authority of your habitual residence.
To exercise any of these rights, write to [email protected]. We may need to verify your identity before complying.
8. Security
Passwords are stored hashed with bcrypt. Sessions are JWT-encoded and transmitted only over HTTPS. Production databases are not exposed to the public internet. Outbound mail uses authenticated SMTP over STARTTLS. Access to production systems is restricted to named individuals.
9. Changes to this policy
We may update this policy from time to time. The current version is always available at this URL with the date of last update at the top. Material changes will be notified to the email address on file for each Customer organization.
