HausTour

Data Processing Agreement

Effective: March 2026 · Version 1.0

Processor: Overclock GmbH, Baar, Canton of Zug, Switzerland
Contact: legal@haustour.ch

1. Purpose and Scope

1.1 This Data Processing Agreement (“DPA”) supplements and forms part of the HausTour Terms of Service or other written agreement between the customer (“Controller”, “you”) and Overclock GmbH (“Processor”, “HausTour”, “we”, “us”) governing the use of the HausTour platform, website, applications, APIs, chatbot integrations, and related services (collectively, the “Service”) (the “Agreement”).

1.2 This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Service.

1.3 This DPA applies to the extent that the Processor processes personal data on behalf of the Controller as described in Annex 1. It is intended to ensure compliance with the Swiss Federal Act on Data Protection (nDSG) and, to the extent applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR.

2. Roles of the Parties

2.1 With respect to Customer Content that contains personal data, the Controller determines the purposes and means of processing and the Processor processes such personal data on behalf of and under the instructions of the Controller.

2.2 For personal data processed by HausTour for its own operational purposes (such as account administration, billing, security, analytics, and communications), HausTour acts as an independent controller. The processing of such data is governed by the Privacy Policy and is outside the scope of this DPA.

3. Subject Matter and Duration

3.1 The subject matter of the processing is the provision of the Service as described in the Agreement.

3.2 The duration of the processing corresponds to the term of the Agreement plus any period during which the Processor retains personal data in accordance with Section 14 of this DPA.

4. Nature and Purpose of Processing

4.1 The Processor processes personal data contained in Customer Content for the following purposes:

  • (a) hosting, storing, and transmitting Customer Content;
  • (b) analysing uploaded content, including room detection, scene classification, and property feature extraction;
  • (c) enhancing images and media, including resolution upscaling, outpainting, and colour correction;
  • (d) generating text, descriptions, voiceovers, and other AI-generated outputs based on Customer Content;
  • (e) rendering video tours and assembling final outputs;
  • (f) providing technical support and troubleshooting related to Customer Content processing; and
  • (g) maintaining backups and ensuring continuity of the Service.

5. Types of Personal Data

5.1 The personal data processed under this DPA may include:

  • (a) names and contact details visible in uploaded materials;
  • (b) photographs and images, including images depicting identifiable individuals;
  • (c) image metadata, including geolocation data, timestamps, and device information embedded in uploaded files;
  • (d) voice recordings, voiceover text, and text inputs provided by or on behalf of the Controller;
  • (e) messaging content and metadata exchanged through supported messaging channels (WhatsApp, Telegram, SMS, and similar);
  • (f) property-related information that may include personal data of property owners, tenants, or prospects; and
  • (g) technical identifiers and access logs associated with Customer Content processing.

5.2 The specific personal data categories processed depend on the Customer Content submitted and the Service features used.

6. Categories of Data Subjects

6.1 Data subjects whose personal data may be processed under this DPA include:

  • (a) the Controller’s personnel, employees, agents, and representatives;
  • (b) property owners, landlords, and vendors whose properties are marketed using the Service;
  • (c) prospective buyers, tenants, and other individuals who may view or receive marketing materials generated through the Service;
  • (d) individuals depicted in photographs or images uploaded to the Service; and
  • (e) any other individuals whose personal data is contained in Customer Content submitted by the Controller.

7. Controller Instructions

7.1 The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by applicable law. The Agreement, this DPA, and the Controller’s use of the Service (including configuration, uploads, and requests) constitute the Controller’s documented instructions.

7.2 The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection law. The Processor is not obliged to assess the lawfulness of instructions but shall raise apparent concerns in good faith.

8. Confidentiality and Security

8.1 The Processor shall ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.2 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Such measures include, as appropriate:

  • (a) access controls, including role-based access, authentication, and the principle of least privilege;
  • (b) encryption of personal data in transit and at rest;
  • (c) logging and monitoring of access to systems that process personal data;
  • (d) regular security assessments, vulnerability testing, and patch management;
  • (e) backup and disaster recovery procedures; and
  • (f) incident response procedures for the detection, reporting, and remediation of personal data breaches.

8.3 A summary of the Processor’s security measures is set out in Annex 2.

9. Subprocessors

9.1 The Controller grants the Processor general written authorisation to engage subprocessors for the performance of the Service.

9.2 The Processor shall impose on each subprocessor data protection obligations equivalent to those set out in this DPA by way of a written contract. The Processor remains responsible to the Controller for the performance of each subprocessor’s obligations.

9.3 The Processor shall maintain an up-to-date list of subprocessors. The current list is published at /legal/subprocessors and updated in accordance with this Section.

9.4 The Processor shall inform the Controller of any intended addition or replacement of subprocessors, giving the Controller a reasonable opportunity to object. If the Controller raises a reasonable objection on data protection grounds within fourteen (14) days of notification, the parties shall discuss the objection in good faith. If the parties are unable to reach a resolution, the Controller may terminate the affected part of the Service without penalty.

9A. AI Subprocessor Provisions

9A.1 The Service relies on third-party AI providers as subprocessors for core processing functions including content analysis, text generation, image enhancement, and voiceover synthesis. The current AI subprocessors are listed at /legal/subprocessors.

9A.2 Data minimisation. The Processor shall send to AI subprocessors only the minimum Customer Personal Data reasonably necessary to perform the requested processing function.

9A.3 No model training. Customer Personal Data shall not be used by the Processor or any AI subprocessor to train, fine-tune, or improve general-purpose or foundation AI models, unless the Controller provides explicit, documented, prior consent. This restriction does not prevent AI subprocessors from performing abuse detection, security monitoring, or legally required processing that does not involve model training on Customer Personal Data.

9A.4 Prompt and output handling. Prompts, uploaded media, and generated outputs sent to AI subprocessors are processed transiently for service delivery. The Processor shall, where provider terms and configurations permit, enable zero-retention or minimum-retention settings for AI subprocessor API calls. The Processor shall document the retention practices of each AI subprocessor in the subprocessor list.

9A.5 Geographic routing. Where AI subprocessor configurations permit selection of processing regions, the Processor shall use EU or Swiss-compatible regions for Customer Personal Data originating from Switzerland or the EEA, unless technical constraints require otherwise.

9A.6 Sensitive data restriction. The Controller shall not submit special categories of personal data (as defined in Article 9 GDPR or equivalent Swiss law) to the Service for AI processing unless separately agreed in writing and technically supported.

10. International Transfers

10.1 The Processor shall not transfer personal data to a country outside Switzerland or the EEA unless the transfer is covered by an adequacy decision, appropriate safeguards (including the European Commission’s Standard Contractual Clauses as adopted or recognised under the applicable framework), or a derogation under applicable data protection law.

10.2 Where the Processor engages subprocessors in third countries, the Processor shall ensure that appropriate transfer mechanisms are in place before the transfer occurs.

10.3 The Processor shall implement supplementary technical and organisational measures where necessary to ensure an essentially equivalent level of protection for transferred personal data, taking into account guidance issued by relevant supervisory authorities.

10.4 The specific transfer mechanism relied upon for each subprocessor is documented in the subprocessor list at /legal/subprocessors. As of the effective date: (a) Google LLC participates in the EU-U.S. and Swiss-U.S. Data Privacy Framework and is additionally covered by Standard Contractual Clauses; (b) Anthropic PBC is covered by Standard Contractual Clauses with Swiss-required adaptations; (c) Stripe Inc. participates in the Data Privacy Framework and is additionally covered by Standard Contractual Clauses; (d) EU-based subprocessors (such as Hetzner Online GmbH) do not require additional transfer safeguards.

10.5 The Processor shall conduct and maintain transfer impact assessments for material transfers to non-adequate jurisdictions and implement supplementary technical and organisational measures where necessary, in accordance with applicable supervisory authority guidance.

11. Assistance to the Controller

11.1 Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as reasonably possible, in fulfilling the Controller’s obligations to respond to data subject requests (“DSARs”).

11.2 The Processor shall assist the Controller in ensuring compliance with its obligations regarding the security of processing, notification of personal data breaches to supervisory authorities and data subjects, and data protection impact assessments (“DPIAs”), taking into account the nature of the processing and the information available to the Processor.

11.3 The Processor may charge a reasonable fee for assistance beyond that which is required by applicable data protection law, provided that the fee is agreed in advance.

12. Data Subject Requests

12.1 If the Processor receives a request from a data subject regarding personal data processed on behalf of the Controller, the Processor shall promptly redirect the data subject to the Controller and notify the Controller of the request, unless the Processor is legally required to respond directly.

12.2 The Processor shall not respond to a data subject request on behalf of the Controller without the Controller’s prior instruction, unless required by applicable law.

13. Personal Data Breaches

13.1 The Processor shall notify the Controller without undue delay and, where feasible, within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

13.2 The notification shall, to the extent reasonably available, include:

  • (a) a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected;
  • (b) the name and contact details of the Processor’s contact point for further information;
  • (c) a description of the likely consequences of the breach; and
  • (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

13.3 Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay.

13.4 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

14. Deletion and Return

14.1 Upon termination or expiry of the Agreement, and upon the Controller’s written request, the Processor shall delete or return all personal data processed on behalf of the Controller, including all copies, unless applicable law requires storage of the personal data.

14.2 Personal data contained in routine backups shall be deleted in accordance with the Processor’s backup rotation schedule. Until deletion, such data remains subject to this DPA.

14.3 Where the Controller does not request return or deletion within thirty (30) days of termination, the Processor may delete the personal data in accordance with its retention policies.

14.4 Upon written request following deletion, the Processor shall provide the Controller with written confirmation that Personal Data has been deleted, subject to any legally required retention.

14.5 Publicly shared links and cached assets derived from Customer Personal Data shall be deactivated upon account termination or upon the Controller’s earlier request.

15. Information and Audit

15.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and applicable data protection law.

15.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:

  • (a) the Controller shall first review existing documentation, certifications, audit reports, and summaries provided by the Processor;
  • (b) on-site inspections shall be conducted only where the Controller demonstrates a reasonable need that cannot be satisfied by documentation review alone;
  • (c) the Controller shall provide reasonable advance notice (at least thirty (30) business days) and conduct audits during normal business hours;
  • (d) audits shall not unreasonably disrupt the Processor’s operations or compromise the security or confidentiality of other customers’ data;
  • (e) audits shall be limited to once per twelve-month period unless a personal data breach or regulatory requirement necessitates an additional audit; and
  • (f) the Controller shall bear its own costs of the audit, and the Processor may charge a reasonable fee for time and resources beyond routine cooperation.

16. Controller Obligations

16.1 The Controller is responsible for ensuring that it has a valid legal basis for the processing of personal data, including any necessary notices, consents, or authorisations required under applicable data protection law.

16.2 The Controller shall not instruct the Processor to process personal data in a manner that would violate applicable data protection law.

16.3 The Controller acknowledges that the Service uses AI and automated processing systems and is responsible for reviewing, verifying, and approving all outputs before use or publication, in accordance with the Terms of Service.

16.4 The Controller shall promptly inform the Processor of any changes that may affect the Processor’s obligations under this DPA.

17. Liability

17.1 The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

17.2 Nothing in this DPA limits or excludes liability to the extent that such limitation or exclusion is prohibited by applicable law.

18. Governing Law

18.1 This DPA is governed by the law governing the Agreement, unless mandatory data protection law requires otherwise.

18.2 In the absence of a governing law clause in the Agreement, this DPA shall be governed by Swiss law, excluding its conflict-of-law rules and the United Nations Convention on Contracts for the International Sale of Goods.

Annex 1 — Details of Processing

Subject Matter

Processing of personal data contained in Customer Content submitted to the HausTour Service for the purpose of generating property-marketing outputs.

Duration

The term of the Agreement plus any post-termination retention period as described in Section 14.

Nature and Purpose

Hosting, storage, analysis, enhancement, AI-based generation, rendering, assembly, and delivery of property-marketing content, as well as technical support and backup operations.

Types of Personal Data

  • Names and contact details visible in uploaded materials
  • Photographs and images depicting identifiable individuals
  • Image metadata (geolocation, timestamps, device information)
  • Voice recordings and voiceover text
  • Messaging content and metadata
  • Property-related information containing personal data
  • Technical identifiers and access logs

Categories of Data Subjects

  • Controller’s personnel, employees, agents, and representatives
  • Property owners, landlords, and vendors
  • Prospective buyers and tenants
  • Individuals depicted in uploaded photographs or images
  • Any other individuals whose personal data is contained in Customer Content

Controller Instructions

As documented in the Agreement, this DPA, and the Controller’s use of the Service (including configuration, uploads, and requests submitted through the platform, APIs, or messaging channels).

Annex 2 — Security Measures Summary

The Processor implements the following categories of technical and organisational security measures. Specific implementation details may evolve over time as the Processor improves its security posture.

  • Access control: role-based access, principle of least privilege, multi-factor authentication for administrative access, and regular access reviews.
  • Encryption: encryption of personal data in transit (TLS 1.2 or higher) and at rest using industry-standard encryption algorithms.
  • Network security: firewalls, network segmentation, intrusion detection, and DDoS mitigation measures.
  • Logging and monitoring: centralised logging of access events, security monitoring, and alerting for anomalous activity.
  • Vulnerability management: regular vulnerability scanning, patch management, and dependency updates.
  • Backup and recovery: regular backups, tested recovery procedures, and geographically distributed storage where appropriate.
  • Incident response: documented incident response plan, designated contacts, and post-incident review processes.
  • Personnel: confidentiality obligations, security awareness training, and background checks where legally permitted and appropriate.
  • Subprocessor management: due diligence, contractual data protection obligations, and periodic review of subprocessor compliance.
  • Physical security: data centre security measures provided by the Processor’s infrastructure providers, including access restrictions, surveillance, and environmental controls.