Privacy Policy

Last updated: February 9, 2026

1. Introduction & Data Controller

This Privacy Policy explains how Novaloop AG ("Novaloop", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use our website, the DuraEdgeAI application, and related services (collectively, the "Service").

Novaloop AG is the data controller responsible for your personal data under the Swiss Federal Act on Data Protection (FADP/revFADP) and the EU General Data Protection Regulation (GDPR).

Data Controller:

  • Novaloop AG
  • Geiselweidstrasse 46, CH-8400 Winterthur, Switzerland
  • Data Protection Officer: Federico Marmori
  • Email: dpo@duraedge.ai

2. Data We Collect

2.1 Personal Data

When you purchase a license, we collect:

  • Name (first and last name)
  • Email address
  • Billing address

2.2 Payment Data

Payment information (credit card number, expiry date, CVC) is collected and processed directly by Stripe, our payment processor. Novaloop AG never receives, stores, or has access to your full payment card details.

2.3 License Data

We store the following in our license management system (Keygen):

  • License key
  • Machine activation identifiers
  • Associated name and email
  • Stripe customer and subscription identifiers

2.4 Technical Data

We do not collect any analytics, telemetry, or tracking data from our website or application. We do not use analytics services, tracking pixels, or similar technologies.

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

Purpose Legal Basis (GDPR Art. 6)
Process your subscription and payment Performance of contract
Issue and manage your license key Performance of contract
Send transactional emails (welcome email, license key delivery) Performance of contract
Provide customer support Legitimate interest
Comply with legal obligations (e.g., tax, accounting) Legal obligation

We do not use your data for marketing, profiling, or automated decision-making.

4. Data Sharing & Third-Party Processors

We share your personal data only with the following third-party processors, strictly for the purposes described:

Processor Purpose Data Shared Location
Stripe, Inc. Payment processing Name, email, billing address, payment method United States
Keygen, Inc. License management & software distribution Name, email, Stripe IDs, license key United States
Azure Communication Services (Microsoft) Transactional email delivery Email address, name, license key European Union

We do not sell, rent, or trade your personal data to any third parties.

5. International Data Transfers

Some of our processors (Stripe, Keygen) are located in the United States. For transfers to the United States, we rely on:

  • EU-US Data Privacy Framework (DPF) and Swiss-US Data Privacy Framework, where the receiving processor is DPF-certified;
  • Standard Contractual Clauses (SCCs) approved by the European Commission and recognized under Swiss data protection law, as a supplementary or alternative safeguard;
  • Additional technical and organizational measures to ensure an adequate level of protection.

We have conducted a transfer impact assessment and concluded that these safeguards provide an adequate level of protection for your personal data.

6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

Data Category Retention Period
Account & license data Duration of subscription + 90 days after termination
Billing & payment records 10 years (Swiss accounting obligations under CO Art. 958f)
Transactional email logs 12 months
Support correspondence Duration of subscription + 12 months

After the retention period expires, data is securely deleted or anonymized.

7. Cookies & Tracking

Our website does not use first-party cookies, analytics cookies, or tracking technologies.

When you use the checkout page, Stripe may set functional cookies strictly necessary for payment processing (fraud detection, session management). These cookies are managed by Stripe and are subject to Stripe's Privacy Policy.

8. Your Rights

Under the Swiss FADP (Art. 25-29) and the EU GDPR (Art. 15-22), you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you;
  • Right to rectification — request correction of inaccurate or incomplete data;
  • Right to erasure — request deletion of your personal data, subject to legal retention obligations;
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format;
  • Right to object — object to processing based on legitimate interest;
  • Right to restriction — request that we restrict the processing of your data in certain circumstances;
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at dpo@duraedge.ai. We will respond within 30 days.

You also have the right to lodge a complaint with:

  • The Federal Data Protection and Information Commissioner (FDPIC) in Switzerland — www.edoeb.admin.ch
  • The relevant EU/EEA supervisory authority in your country of residence

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • All website and API communications are encrypted via TLS/HTTPS;
  • Payment processing is handled entirely by Stripe (PCI DSS Level 1 certified);
  • Access to personal data is restricted to authorized personnel on a need-to-know basis;
  • Our infrastructure is hosted on Azure with industry-standard security controls.

10. Product Data Processing

DuraEdgeAI processes all medical and audio data locally on your device.

No audio recordings, transcriptions, clinical notes, patient information, or any other medical data is ever transmitted to Novaloop AG's servers or any third party. This is a fundamental design principle of our architecture.

The Continuous Education feature generates search queries using locally-running AI models based on clinical topics discussed during a consultation. These queries are sent to external academic databases (PubMed, Scopus, OpenAlex) to retrieve relevant scientific literature. The queries contain no personally identifiable information (PII) and no protected health information (PHI) — they consist solely of medical topic keywords.

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child under 16 has provided us with personal data, please contact us at dpo@duraedge.ai and we will promptly delete such data.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page;
  • Notify you via email if the changes are significant.

We encourage you to review this page periodically.

13. Contact & DPO

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer:

  • Federico Marmori, Data Protection Officer
  • Novaloop AG
  • Geiselweidstrasse 46, CH-8400 Winterthur, Switzerland
  • Email: dpo@duraedge.ai

For general support inquiries: team@duraedge.ai