Skip to content

PRIVACY POLICY

Last updated 26 June 2026.

1. Privacy at a glance

Who we are and what this policy covers

This Privacy Policy describes how Spherene AG ("Spherene", "we", "us", or "our"), a company incorporated under Swiss law at Europa-Str. 9, CH-8152 Glattbrugg (ZH), Switzerland, collects, uses, stores, and discloses personal data in connection with:

  • our website and all associated domains (spherene.io, spherene.ai, spherene.co, spherene.net, spherene.org, spherene.one, spherene.ch, sphereneNXT.com);

  • the Spherene desktop software, plugins, and integrations (Rhino/Grasshopper, Autodesk Fusion, nTop, and others);

  • the SphereneNXT cloud-based SaaS platform, Customer Portal, and API, and desktop software;

  • Spherene Credits and subscription management; and

  • any related professional services, communications, and support channels.

This policy applies to all users, customers, resellers, and visitors regardless of where they are located. It is published publicly at spherene.io/legal/privacy-policy and forms part of the Master Subscription Agreement (MSA).

Our approach to privacy

We integrate data protection principles into the design of our products and processes (Privacy by Design) and ensure that only data necessary for each specific purpose is processed (Privacy by Default). We do not sell personal data. We do not use personal data for behavioural advertising directed at individuals.

Summary of key points

  • Controller: Spherene AG, Europa-Str. 9, CH-8152 Glattbrugg (ZH) — privacy@spherene.io

  • Legal framework:

     - Switzerland: nDSG (Federal Act on Data Protection / Bundesgesetz über den Datenschutz), effective September 1, 2023

     - EU/EEA/UK: GDPR and UK Data Protection Act 2018

     - Global: We apply the most protective standard across all jurisdictions where applicable

  • Payment processor: Paddle.com Market Limited acts as Merchant of Record for all web-based and international direct subscription payments. Spherene AG invoices enterprise customers directly from Switzerland or internationally via its resellers.
  • Data storage: Switzerland and the EU (Google Cloud Platform, Frankfurt region, and Hetzner, in Germany). No transfers to embargoed jurisdictions.

  • Your rights: Access, rectification, erasure, restriction, portability, objection — contact privacy@spherene.io

  • DPA: A Data Processing Agreement governing data processed on behalf of enterprise customers is available as Schedule B of the MSA at spherene.io/legal/master-subscription-agreement

2. Controller and Contact

The data controller responsible for personal data processed through the services described in this policy is:

Spherene AG, Europa-Str. 9, CH-8152 Glattbrugg (ZH), Switzerland
Email: privacy@spherene.io
Web: www.spherene.io/imprint

For questions, requests, or complaints relating to the processing of your personal data, contact us at privacy@spherene.io. You also have the right to lodge a complaint with a supervisory authority, including the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch, or the supervisory authority of your EU Member State of residence if GDPR applies to you.

3. Data We Collect and Why

3.1 Website visitors

When you visit our website, we automatically collect the following technical data via server log files and analytics tools:

  • IP address (anonymized before storage where technically possible)

  • Browser type, version, and language

  • Operating system

  • Referring URL and exit page

  • Date, time, and duration of visit

  • Pages viewed and interactions

Legal basis:

  • Switzerland (nDSG Article 31): Legitimate interest in operating, securing, and improving our website

  • EU/UK/EEA (GDPR Article 6(1)(f)): Legitimate interest in operating, securing, and improving our website

  • Canada/Australia/Other (equivalent): Legitimate business purpose or related operational interest

We store IP addresses in anonymized form where technically feasible to minimize personal data collection.

3.2 Account registration and Customer Portal

To create an account and access the SphereneNXT platform, Customer Portal or Partner Portal, you are required to provide:

  • Email address (mandatory)

  • Password (mandatory, stored as a hashed value — never in plain text)

  • First name and last name (mandatory)

  • Company name and industry (optional at registration)

  • Country and time zone (optional, inferred from login IP if not provided)

Additional data collected through portal use:

  • Login credentials and session data

  • Subscription and license status, tier, and renewal dates

  • Usage metrics: feature interactions, compute jobs submitted, credit consumption and other information used to improve the service

  • Support requests and correspondence

  • Billing and payment reference data (invoice numbers, payment status — not card or bank details, which are held by Paddle as Merchant of Record)

  • Device and browser identifiers, IP address, and session logs

Legal basis:

  • Switzerland (nDSG):

- Contract performance (Article 32): Delivering the SphereneNXT platform and managing your subscription

- Legitimate interest (Article 31): Service security, fraud prevention, and license compliance

  • EU/UK/EEA (GDPR):

- Contract performance (Article 6(1)(b)): Delivering the service

- Legitimate interest (Article 6(1)(f)): Security and compliance

  • Canada/Australia (equivalent):** Consent or related contractual necessity

3.3 Software and SaaS platform usage

When you use the Spherene desktop software, plugins, or cloud platform, we collect:

  • Usage Data: anonymized, aggregated technical and behavioural data including feature interactions, computation times, licence activations, and error logs. This data does not identify you personally and is used for product improvement, performance monitoring, and research.

  • Customer Data: design files, geometry, metadata, and content you upload or process through the platform. This data remains your property. We process it solely to deliver the service and in accordance with the MSA and this policy.

For Trial, Evaluation, Student, Free, and NFR licences: you acknowledge and agree that Spherene AG may access, analyse, and process designs, geometries, metadata, and usage patterns for product improvement, quality assurance, and algorithm development, in anonymised or aggregated form where reasonably possible.

Legal basis: Article 6(1)(b) GDPR for Customer Data (contract performance); Article 6(1)(f) GDPR for Usage Data (legitimate interest in product improvement).

3.4 Contact forms and correspondence

When you contact us via a contact form, email, telephone, or social media, we collect the information you provide (name, email address, message content, and any other data you include). This is used solely to respond to your enquiry and, if applicable, to maintain our customer relationship.

Legal basis:

  • Switzerland (nDSG):

- Pre-contractual steps or contract performance (Article 32): Responding to your inquiry about potential services

- Legitimate interest (Article 31): Maintaining customer relationships

  • EU/UK/EEA (GDPR):

- Pre-contractual steps (Article 6(1)(b)) or legitimate interest (Article 6(1)(f))

  • Canada/Australia/Other: Responding to inquiry in ordinary business course

Retention: enquiry data is retained until the matter is resolved and for a reasonable period thereafter, subject to any applicable statutory retention periods.

3.5 Service, Transactional, and Marketing Communications

We send three types of email communications to account holders, governed by different legal bases:

Transactional Emails (no marketing consent required)

  • Order confirmations, invoices, billing notices, payment receipts, password resets, account status changes, subscription renewals
  • Legal basis: Article 6(1)(b) GDPR — contract performance
  • These emails are sent to all active account holders regardless of marketing preferences

Service Communications (no marketing consent required)

  • Product updates, feature releases, security alerts, platform maintenance notices, support responses, account notifications, license compliance information
  • Legal basis: Article 6(1)(f) GDPR — legitimate interest in service security, product improvement, and account management
  • These emails are sent to all active users regardless of marketing preferences

Marketing & Promotional Emails (marketing consent required)

  • Feature announcements, webinars, newsletters, case studies, promotional offers, sales outreach, event invitations
  • These emails are sent only to users who have opted in via the "Receive marketing emails" toggle in the SphereneNXT Settings panel

Legal basis:

  • Switzerland (nDSG):

- Contract performance (Article 32): Processing payments and managing subscriptions

- Legal obligation (Article 36): VAT compliance, Swiss accounting law (Art. 958f CO — 10-year retention)

  • EU/UK/EEA (GDPR):

  - Contract performance (Article 6(1)(b)): Payment and billing

  - Legal obligation (Article 6(1)(c)): Accounting and tax law

  • Australia (ATO): Legal obligation — 5-year accounting records retention

  • Canada: Legal obligation — 6-year records retention

  • Brazil (LGPD): Legal obligation — 5-year records retention

You can manage your marketing email preferences at any time in your account Settings. Opting out of marketing emails does not affect your receipt of transactional or service communications, which are necessary for contract performance and account management.

3.6 Payments and billing

Spherene AG uses two payment channels:

  • Web-based subscriptions (transactional): Paddle.com Market Limited ("Paddle") acts as Merchant of Record for all subscription purchases made through our website and web platform. When you purchase through these channels, Paddle collects and processes your name, email address, billing address, and payment details directly. Spherene AG does not receive or store your payment card or bank account details. Paddle processes your data under its own Privacy Policy at paddle.com/privacy. Spherene AG receives only transaction confirmations and invoice references.

  • Direct enterprise invoicing: For enterprise customers billed directly by Spherene AG, we process your company name, registered address, VAT/tax identification number, contact person name and email address, and bank or payment reference details solely for invoicing, accounting, and tax compliance purposes. This data is processed and stored in Switzerland using Abacus Research AG as our accounting and ERP system.

Legal basis: Article 6(1)(b) GDPR (contract performance); Article 6(1)(c) GDPR (legal obligation — VAT and accounting law).

Retention: financial records are retained for 10 years in accordance with Swiss accounting law (Art. 958f CO).

3.7 Reseller and partner data

If you are a Spherene authorised reseller or partner, we process your company 
and contact data in connection with the Reseller Agreement, deal registration, 
commission reporting, and support.

Legal basis:

  • Switzerland (nDSG Article 32): Contract performance (Reseller Agreement)

  • EU/UK (GDPR Article 6(1)(b)): Contract performance

  • All jurisdictions: This data is processed under the terms of the Reseller Agreement and this policy.

4. Cookies and Analytics

4.1 Cookies

Our website uses cookies — small text files stored on your device by your browser. We use:

  • Strictly necessary cookies: Required for the website and platform to function (session management, login, security). These cannot be disabled without breaking core functionality.

  • Analytics cookies: Used to understand how visitors interact with our website (Google Analytics 4). IP anonymization is enabled. You can opt out via our cookie consent banner or at tools.google.com/dlpage/gaoptout.

  • Preference cookies: Remember your settings and preferences (language, consent choices).

We use Usercentrics GmbH as our Consent Management Platform to collect, store, and manage your cookie consent in accordance with GDPR and Swiss nDSG. A consent record is stored for 30 days and refreshed at each visit.

You can manage your cookie preferences at any time via the cookie settings link in our website footer, or by configuring your browser to block cookies (note: blocking strictly necessary cookies may impair platform functionality).

Legal basis: Strictly necessary cookies — Article 6(1)(f) GDPR (legitimate interest). Analytics and preference cookies — Article 6(1)(a) GDPR (consent).

4.2 Analytics and tracking tools

  • Google Analytics 4 (GA4): Website usage analysis. Operated by Google Ireland Ltd. IP anonymization enabled. Data may be transferred to Google servers in the US under standard contractual clauses. Privacy policy: policies.google.com/privacy.

  • Google Search Console: Website search visibility monitoring. No personal data transmitted to Spherene.

  • Hotjar: User interaction analysis (heatmaps, session recordings). Operated by Hotjar Ltd. Opt-out: hotjar.com/policies/do-not-track/. Privacy policy: hotjar.com/legal/policies/privacy/

Legal basis: Article 6(1)(f) GDPR — legitimate interest in understanding and improving service usability. Where required, explicit consent is obtained via the cookie banner before activating any analytics tools.

5. Sub-Processors and Third-Party Service Providers

Spherene AG engages the following categories of third-party service providers who may process personal data on our behalf. Each is bound by contractual obligations to comply with GDPR, Swiss nDSG, and applicable data protection laws.

  • Hosting and infrastructure: Hostpoint AG (Rapperswil-Jona, Switzerland) — website hosting. Google Cloud Platform / Google Ireland Ltd. (Frankfurt, Germany) — SaaS platform, Customer Portal, and data storage.

  • CRM and marketing automation: HubSpot Inc. (USA) — CRM, website CMS, marketing automation, and customer communications. Data transferred under EU Standard Contractual Clauses.

  • Cloud productivity and communication: Microsoft Corporation (Azure, Outlook, SharePoint, Teams) — internal infrastructure, communication, and file management.

  • Finance and accounting: Abacus Research AG (Switzerland) — accounting, invoicing, payroll, and ERP. All data stored in Switzerland.

  • Payment processing (Merchant of Record): Paddle.com Market Limited (UK/Ireland) — Merchant of Record for web-based subscription payments. Paddle is solely responsible for payment data collected through its checkout. Spherene AG does not collect or store payment card details. Paddle Privacy Policy: paddle.com/privacy.

  • Consent management: Usercentrics GmbH (Germany) — cookie consent management platform.

We do not use Stripe or PayPal for any customer-facing payment processing. Spherene AG invoices enterprise customers directly in Switzerland; no third-party payment processor handles enterprise billing data.

We do not permit our sub-processors to use personal data for their own purposes. We will update this list when sub-processors change and notify affected customers where required by law.

6. International Data Transfers

Spherene AG is based in Switzerland. Your data is primarily stored in Switzerland and the EU (Google Cloud Platform, Frankfurt region). Transfers may also occur to the following jurisdictions in connection with the sub-processors listed in Section 5:

  • United States (HubSpot, Google Analytics, Microsoft) — transfers governed by EU Standard Contractual Clauses (SCCs) and where applicable the UK International Data Transfer Addendum.

  • United Kingdom (Paddle) — the UK has been granted adequacy status by Switzerland; transfers to Paddle are additionally governed by SCCs.

For any transfer to a country without an adequate level of statutory data protection, we implement appropriate safeguards as required by Swiss nDSG (Federal Act on Data Protection, effective September 1, 2023) and GDPR — including Standard Contractual Clauses (available at eur-lex.europa.eu/eli/dec_impl/2021/914/oj, adapted as required for Swiss nDSG Article 26 compliance).

We never transfer personal data to embargoed jurisdictions or to entities subject to applicable sanctions lists (UN, EU, SECO, OFAC). See Section 10 for export control details.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by applicable law. Key retention periods:

  • Account and subscription data: Retained for the duration of the subscription and for 3 years after account closure, unless a longer period is required by law or legitimate interest (e.g. dispute resolution).

  • Customer Data (uploaded files and geometry): Retained for the duration of the subscription. On cancellation or expiry, Customer Data is deleted or anonymised within 90 days unless the customer requests earlier deletion or export.

  • Financial and invoicing records: Retained for 10 years in accordance with Swiss accounting law (Art. 958f CO).

  • Usage Data (anonymised): Retained indefinitely in aggregated, anonymised form for product development and research.

  • Contact and support enquiries: Retained for 3 years after the matter is resolved.

  • Marketing communications: Retained until you unsubscribe or withdraw consent.

  • Server logs and security data: Retained for up to 12 months.

  • Sanctions screening records: Retained for 7 years in accordance with export control compliance obligations.

8. Your Rights

Under Swiss law (nDSG Articles 19–28), EU law (GDPR Articles 13–21), and equivalent laws in other jurisdictions, you have the following rights in relation to your personal data:

For Swiss residents: Your rights are governed by nDSG Articles 19–28 and enforced by the Swiss Federal Data Protection and Information Commissioner (FDPIC). You can contact FDPIC at privacy@spherene.io or www.edoeb.admin.ch.

  • Right of access: You may request a copy of the personal data we hold about you.

  • Right to rectification: You may request correction of inaccurate or incomplete data.

  • Right to erasure: You may request deletion of your personal data where there is no legitimate reason for us to continue processing it.

  • Right to restriction: You may request that we restrict processing of your data in certain circumstances.

  • Right to data portability: You may request your data in a structured, machine-readable format for transfer to another provider, where technically feasible.

  • Right to object: You may object to processing based on legitimate interests, including direct marketing.

  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

  • Right to Object to Profiling and Automated Decision-Making (nDSG Article 21)

- Object to profiling: You may object to the processing of your personal data for profiling purposes (e.g., automated analysis of your usage patterns, feature usage, computational behavior for security, fraud detection, or targeted feature recommendations). We will cease such processing unless we have a compelling legitimate interest that overrides your rights.
- Object to automated decisions: If we make an automated decision (without human involvement) that produces legal effects for you or significantly affects you (e.g., account suspension, access restrictions, tier downgrade), you have the right to request human review, express your viewpoint, and obtain an explanation of the decision.

To exercise these rights, contact privacy@spherene.io with subject line "nDSG Article 21 - Objection to Profiling" or "nDSG Article 21 - Automated Decision Review." Provide sufficient detail to identify your account and specify which processing you object to. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority: the Swiss FDPIC (www.edoeb.admin.ch) or the supervisory authority of your EU Member State of habitual residence.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration, or disclosure. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest

  • Access controls and role-based permissions

  • Customer-managed encryption keys (CMEK) for sensitive design data

  • Regular security assessments and penetration testing

  • Staff training and confidentiality obligations

  • Incident response procedures

Data is stored on Google Cloud Platform infrastructure in the EU (Frankfurt region) or at Hetzner in Germany, which is compliant with GDPR, Schrems II supplementary measures, and Swiss nDSG requirements.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify the competent supervisory authority and affected individuals without undue delay, as required by applicable law:

  • For Swiss data subjects (nDSG Article 24): We will notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) and affected individuals as soon as feasible when a breach causes high risk to rights and freedoms, typically within 24 hours for serious breaches.

  • For EU/UK data subjects (GDPR/UK DPA): We will notify the competent supervisory authority within 72 hours of becoming aware of the breach and notify affected individuals without undue delay where high risk exists.

  • For other jurisdictions: We will notify affected individuals and regulators in accordance with local privacy law timelines.

10. Export Control and Sanctions Compliance

Spherene AG does not collect or store personal data from individuals or entities located in, domiciled in, or incorporated under the laws of any jurisdiction subject to comprehensive trade embargoes or sanctions, including those administered by the UN, EU, SECO, or OFAC. A full list of excluded jurisdictions is maintained in the Reseller Agreement Schedule B and the MSA.

We implement automated registration screening against OFAC SDN, EU Consolidated, UK Consolidated, and SECO sanctions lists. Accounts matching sanctions lists are suspended pending review. Screening records are retained for 7 years.

11. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected such data, we will delete it promptly. Parents or guardians who believe their child has provided us with personal data should contact privacy@spherene.io

12. Social Media and Third-Party Integrations

We operate profiles on Socila Media such LinkedIn, YouTube, Instagram, and Discord. When you interact with us on these platforms, the respective platform's own privacy policy applies. We have no control over the data practices of these platforms.

Our website and platform may include links to or integrations with third-party services (including CAD platform integrations with Rhino/Grasshopper, Autodesk Fusion, and nTop). We are not responsible for the privacy practices of those third parties. Please review their privacy policies before using their services.

13. Data Processing Agreement (DPA)

Where Spherene AG processes personal data on behalf of an enterprise customer as a data processor (for example, where the customer's employees' personal data is contained in files uploaded to the platform), the processing is governed by the Data Processing Agreement set out as Schedule B of the Master Subscription Agreement, available at spherene.io/legal/master-subscription-agreement.

nDSG & GDPR Compliance: Our DPA complies with nDSG Article 15 (processor obligations) and GDPR Article 28 (processor requirements). The DPA ensures:

  • Processing occurs only on documented instructions from the controller

  • Processor staff maintain confidentiality (nDSG Article 12)

  • Appropriate security measures are implemented (nDSG Article 13)

  • Sub-processors are authorized and bound by equivalent obligations

  • Data subject rights are respected and facilitated

  • Assistance with breach notification and security incident response

  • Data deletion or return upon contract termination

All sub-processors listed in Section 5 are bound by equivalent Data Processing Agreements.

Enterprise customers requiring a signed DPA separate from the MSA should contact legal@spherene.io.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The current version is always available at spherene.io/legal/privacy-policy, where prior versions are also archived. The effective date at the top of this document indicates when the current version took effect.

Where changes are material — meaning they significantly affect your rights or how we use your data — we will notify existing account holders by email at least 30 days before the changes take effect, and display a prominent notice on our website and in the Customer Portal.

This version (v2.0) replaces all prior versions including the version dated December 2025 and any earlier versions. Continued use of the services after the effective date of an updated policy constitutes acceptance of the updated terms.

15. Contact

For any questions, requests, or concerns relating to this Privacy Policy or the processing of your personal data:

Spherene AG, Europa-Str. 9, CH-8152 Glattbrugg (ZH), Switzerland
Email: privacy@spherene.io
Website: www.spherene.io