HausTour

Privacy Policy

Effective: March 2026 · Version 1.0

Controller: Overclock GmbH, Baar, Canton of Zug, Switzerland
Contact: legal@haustour.ch

1. Introduction

1.1 This Privacy Policy (“Policy”) explains how Overclock GmbH (“HausTour”, “we”, “us”, “our”) collects, uses, discloses, stores, and otherwise processes personal data in connection with the HausTour platform, website, applications, APIs, chatbot integrations, and related services (collectively, the “Service”).

1.2 Overclock GmbH is the controller of personal data processed for its own purposes as described in this Policy, including account administration, billing, security, analytics, and communications. Where we process personal data contained in Customer Content on behalf of and under the instructions of a customer, we act as a processor. The respective roles and obligations are further described in Section 5 and, where applicable, in the Data Processing Agreement.

1.3 This Policy applies to all individuals who visit, access, or use the Service, including account holders, team members, website visitors, and individuals who interact with us through messaging channels.

1.4 We process personal data in accordance with the Swiss Federal Act on Data Protection (nDSG) and, to the extent applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR. Where specific provisions of the GDPR or UK GDPR apply, we comply with the additional requirements they impose, including with respect to legal bases, data subject rights, and international transfers.

2. Categories of Personal Data

We may collect and process the following categories of personal data:

2.1 Account Data

Name, email address, password (hashed), profile information, account preferences, language settings, and authentication credentials, including data from third-party authentication providers where you choose to sign in via a social or federated login.

2.2 Billing and Transaction Data

Payment method details (processed by our third-party payment processor), billing address, invoice records, credit purchase and usage history, transaction identifiers, and VAT or tax identification numbers where applicable.

2.3 Technical and Usage Data

IP address, browser type and version, operating system, device type, screen resolution, referring URL, pages visited, features used, session duration, click and scroll behaviour, timestamps, error logs, and performance metrics.

2.4 Content and Job Data

Photos, images, property descriptions, text inputs, prompts, branding assets, voiceover preferences, configuration parameters, and any other materials you upload or submit to the Service (“Customer Content”). Customer Content may include personal data of third parties (for example, images of persons or contact information visible in uploaded materials). Where we process such data on your behalf, we act as a processor.

2.5 Messaging Channel Data

Phone number, messaging platform identifier (such as WhatsApp or Telegram user ID), message content, media attachments, delivery receipts, and metadata associated with messages exchanged through supported messaging channels.

2.6 Cookies and Similar Technologies

Information collected through cookies, local storage, and similar technologies as further described in Section 8.

3. Sources of Personal Data

We collect personal data from the following sources:

  • (a) directly from you, when you create an account, use the Service, submit content, configure settings, make a purchase, or communicate with us;
  • (b) automatically, through your use of the Service, including through cookies, server logs, and similar technologies;
  • (c) from third-party authentication providers, when you choose to sign in using a social or federated login;
  • (d) from third-party payment processors, to the extent necessary to confirm payment status and manage billing;
  • (e) from messaging channel providers, when you interact with the Service through WhatsApp, Telegram, SMS, or other supported channels; and
  • (f) from publicly available sources or third-party services, where necessary for fraud prevention, security, or compliance.

4. Purposes and Legal Bases

We process personal data for the purposes and on the legal bases set out below. Under Swiss law (nDSG), processing of personal data is generally permitted unless it violates the personality rights of the data subject; a specific legal basis in the GDPR sense is not required. Where the GDPR applies, we rely on the legal bases indicated.

4.1 Provide and Operate the Service

We process account data, content and job data, technical data, and messaging channel data to provide, operate, and deliver the Service, including to process uploads, generate outputs, deliver results, and fulfil your requests.

GDPR legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

4.2 Manage Accounts

We process account data to create, maintain, authenticate, and administer your account, manage preferences, and provide account-related communications.

GDPR legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

4.3 Process Payments

We process billing and transaction data to process credit purchases, manage invoicing, handle refunds or credit adjustments, and comply with tax and accounting obligations.

GDPR legal basis: Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) for tax and accounting records.

4.4 Security and Fraud Prevention

We process technical data, account data, and usage data to protect the Service, detect and prevent fraud, abuse, security incidents, and unauthorised access, and to enforce our Terms of Service.

GDPR legal basis: Legitimate interests (Art. 6(1)(f) GDPR), namely the security and integrity of our Service and the protection of our users.

4.5 Improve the Service

We process technical and usage data in aggregated or pseudonymised form to analyse usage patterns, diagnose errors, measure performance, and improve features, workflows, and user experience.

GDPR legal basis: Legitimate interests (Art. 6(1)(f) GDPR), namely the improvement and development of the Service.

4.6 Communications

We process account data and contact information to send service-related communications, including transactional emails, security alerts, account notifications, and support responses.

GDPR legal basis: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR) for non-contractual service communications.

4.7 Legal Compliance

We process personal data as necessary to comply with applicable legal obligations, respond to lawful requests from public authorities, and establish, exercise, or defend legal claims.

GDPR legal basis: Legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR) for the establishment, exercise, or defence of legal claims.

4.8 Marketing

With your prior consent where required by applicable law, we may process account data and contact information to send promotional communications about the Service, including product updates, feature announcements, and offers. You may opt out of marketing communications at any time by using the unsubscribe link in any such communication or by contacting us at legal@haustour.ch.

GDPR legal basis: Consent (Art. 6(1)(a) GDPR) where required; legitimate interests (Art. 6(1)(f) GDPR) for non-intrusive marketing communications to existing customers where permitted.

5. Controller and Processor Processing

5.1 When we process personal data for the purposes described in Sections 4.1 through 4.8 (such as managing your account, processing payments, securing the Service, and sending communications), we act as the controller. We determine the purposes and means of such processing.

5.2 When you submit Customer Content that contains personal data of third parties (for example, images of persons or contact information visible in uploaded property photos), we process that data on your behalf and under your instructions as a processor. In this capacity, we process the data solely to provide the Service as described in our Terms of Service and, where applicable, the Data Processing Agreement.

5.3 As a customer who uploads content containing third-party personal data, you are responsible for ensuring that you have the necessary legal basis, notices, and consents required under applicable data protection law for the collection and processing of such data.

5.4 When you use messaging channel integrations (WhatsApp, Telegram, SMS) to submit job materials, we process message content and attached media as a processor on your behalf for service delivery. We separately act as controller for security logging, anti-abuse monitoring, service analytics, billing linkage, and support administration arising from messaging channel interactions.

6. AI and Automated Processing

6.1 The Service uses artificial intelligence and automated processing systems to analyse uploaded content, generate property descriptions, enhance images, produce voiceovers, and assemble video outputs.

6.2 These automated processes operate on the content you submit and generate outputs based on patterns and probabilities. The Service does not make decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR solely on the basis of automated processing.

6.3 AI-generated outputs may be inaccurate, incomplete, or unsuitable for your intended purpose. You are responsible for reviewing and verifying all outputs before use or publication, as further described in our Terms of Service.

6.4 We may use fully anonymised and aggregated service analytics to improve service performance and quality. Identifiable or pseudonymised Customer Content is not used to train or improve AI models without your explicit, documented consent.

7. Messaging Channels

7.1 The Service may be accessed through third-party messaging channels, including WhatsApp, Telegram, SMS, and similar services. When you interact with the Service through a messaging channel, we collect and process messaging channel data as described in Section 2.5.

7.2 Your use of a messaging channel is also subject to the terms and privacy practices of the relevant third-party provider. We encourage you to review the privacy policies of any messaging channel you use.

7.3 We process messaging channel data to receive, understand, and respond to your requests, to deliver outputs, and to provide customer support. Message content and metadata may be stored on our systems and on the systems of the messaging channel provider.

7.4 We do not control the encryption standards, data retention practices, or privacy measures of third-party messaging channel providers.

8. Cookies and Similar Technologies

8.1 We use cookies, local storage, and similar technologies to operate the Service, maintain your session, remember your preferences, and collect usage data.

8.2 The types of cookies we use include:

  • (a) Strictly necessary cookies: required for the operation of the Service, including authentication, session management, and security. These cookies cannot be disabled.
  • (b) Functional cookies: used to remember your preferences, language settings, and configuration choices.
  • (c) Analytics cookies: used to collect information about how visitors use the Service, including pages visited, session duration, and interaction patterns. We use this data to improve the Service. Where required by applicable law, we obtain your consent before placing analytics cookies.

8.3 You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

8.4 We do not use advertising or tracking cookies to serve targeted advertisements.

9. Recipients and Categories of Recipients

We may share personal data with the following categories of recipients, each of which receives data only to the extent necessary for the specified purpose:

  • (a) Hosting and infrastructure providers: cloud hosting, content delivery, storage, and compute services used to operate the Service.
  • (b) AI and processing providers: third-party AI services (such as large language model providers, image processing services, and text-to-speech providers) used to generate, enhance, and assemble outputs. Customer Content may be transmitted to these providers for processing.
  • (c) Payment processors: third-party payment service providers used to process credit purchases and manage billing.
  • (d) Messaging channel providers: third-party providers of WhatsApp, Telegram, SMS, and similar messaging services through which you access the Service.
  • (e) Analytics providers: services used to analyse usage patterns and improve the Service.
  • (f) Legal and regulatory recipients: courts, regulators, law enforcement authorities, and professional advisers where required by law, regulation, legal process, or governmental request.
  • (g) Security and fraud prevention providers: services used for abuse detection, fraud prevention, and security monitoring.
  • (h) Corporate transaction parties: potential acquirers, merger partners, or their advisers in connection with any merger, acquisition, corporate reorganisation, or sale of assets, subject to appropriate confidentiality obligations.

We require all third-party recipients to process personal data in accordance with applicable data protection law and appropriate contractual safeguards.

The identities of our principal subprocessors and their roles are published at haustour.ch/legal/subprocessors.

10. International Data Transfers

10.1 Overclock GmbH is based in Switzerland. Personal data collected through the Service may be transferred to, stored in, and processed in Switzerland, countries within the European Economic Area (EEA), and countries outside the EEA, including the United States.

10.2 The European Commission has recognised Switzerland as providing an adequate level of data protection. For transfers from Switzerland and the EEA to countries that have not received an adequacy decision, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) as adopted or recognised under the applicable framework.

10.3 Certain third-party providers, including AI processing and cloud infrastructure providers, may process personal data in the United States or other jurisdictions. Where applicable, we rely on adequacy decisions, SCCs, or other lawful transfer mechanisms recognised under the nDSG and the GDPR.

The principal recipients of international transfers and their safeguards are:

  • Google LLC (Gemini API, Google Cloud): United States and EU. Google is a certified participant in the EU-U.S. and Swiss-U.S. Data Privacy Framework. Standard Contractual Clauses also apply.
  • Anthropic PBC (Claude API): United States. Covered by Standard Contractual Clauses with Swiss-required adaptations.
  • Stripe Inc. (payments): United States and EU. Certified under the Data Privacy Framework; Standard Contractual Clauses also apply.
  • Vercel Inc. (hosting): Global edge network. Covered by Standard Contractual Clauses and Data Privacy Framework certification.
  • Hetzner Online GmbH (infrastructure): Germany. No additional transfer safeguards required (EU/EEA).

A complete list of subprocessors is maintained at haustour.ch/legal/subprocessors.

10.4 You may request a copy of the applicable transfer safeguards by contacting us at legal@haustour.ch.

11. Retention Periods

11.1 We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.

11.2 Our general retention practices are as follows:

  • Account data: retained for the duration of your account plus 90 days after closure, then deleted or anonymised.
  • Raw uploads (photos, media): retained for 90 days after job completion, then automatically deleted unless stored in your library.
  • Generated outputs (videos, descriptions): retained until you delete them or 12 months after your last login, whichever is earlier.
  • Intermediate AI processing files: deleted within 7 days of job completion.
  • Messaging channel content (WhatsApp, Telegram, SMS): retained for 12 months for service delivery and support, then deleted.
  • Billing and transaction records: retained for 10 years as required by Swiss commercial law (Art. 958f CO).
  • Technical and usage logs: retained for up to 12 months.
  • Backups: overwritten on a rolling 30-day cycle.
  • Dormant accounts: accounts with no login for 24 months may be deleted or anonymised after notice.

11.3 When personal data is no longer required, we delete or anonymise it in accordance with our data management procedures. Some data may persist in backups for a limited period before final deletion.

12. Data Security

12.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, destruction, and loss. These measures include, where appropriate, encryption in transit and at rest, access controls, authentication mechanisms, logging, monitoring, and regular security reviews.

12.2 No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect personal data, we cannot guarantee absolute security.

12.3 You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account.

13. Your Rights

13.1 Under applicable data protection law, including the Swiss nDSG and, where applicable, the GDPR, you may have the following rights with respect to your personal data:

  • (a) Right of access: you may request confirmation of whether we process personal data concerning you and, if so, request a copy of such data.
  • (b) Right to rectification: you may request correction of inaccurate personal data and completion of incomplete personal data.
  • (c) Right to erasure: you may request deletion of personal data where there is no compelling reason for continued processing, subject to applicable legal retention obligations.
  • (d) Right to restriction: you may request restriction of processing in certain circumstances, such as where you contest the accuracy of the data or where the processing is unlawful.
  • (e) Right to data portability: where processing is based on consent or contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used, and machine-readable format.
  • (f) Right to object: you may object to processing based on legitimate interests or to processing for direct marketing purposes at any time.
  • (g) Right to withdraw consent: where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

13.2 To exercise any of these rights, please contact us at legal@haustour.ch. We will respond to your request within the timeframe required by applicable law. We may ask you to verify your identity before processing your request.

13.3 If we process personal data on behalf of a customer (as a processor), we will refer your request to the relevant customer (controller) unless we are legally required to respond directly.

13.4 We do not engage in solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

13.5 We will respond to verified data subject requests within one month of receipt, with possible extension by two further months for complex requests, as permitted by applicable law.

13.6 Where we act as processor for your Customer Content, data subject requests relating to that content should be directed to the relevant controller (the customer who uploaded the content). We will assist the controller in responding as described in our Data Processing Agreement.

14. Complaints

14.1 If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.

14.2 For individuals in Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland (www.edoeb.admin.ch).

14.3 For individuals in the EEA or the United Kingdom, the competent authority is the data protection supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

14.4 We encourage you to contact us at legal@haustour.ch before filing a complaint so that we may attempt to resolve your concern directly.

15. Children

15.1 The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete such data promptly.

15.2 If you believe that we may have collected personal data from a child under 16, please contact us at legal@haustour.ch.

16. Changes to This Policy

16.1 We may update this Policy from time to time to reflect changes in our processing activities, legal requirements, or business practices. The updated version will be posted with a new effective date.

16.2 If changes materially affect the processing of your personal data, we will use reasonable efforts to provide notice through the Service or by email before the changes take effect.

16.3 Your continued use of the Service means the updated notice will apply from its effective date. Where required by applicable law, we will seek your consent or provide specific notice before material changes take effect.

17. Contact

If you have any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us at:

Overclock GmbH
Baar, Canton of Zug, Switzerland
Email: legal@haustour.ch