Privacy Policy & Data Protection Statement
intwit.ch
Version 1.1, last updated: 7 July 2026, replaces the version of 3 June 2026
1. Controller and contact
1.1 INTWIT Sàrl, Rue du Rhône 80, c/o ExpertFid & Audit SA, 1204 Genève, Switzerland, UID CHE-236.175.750 ("INTWIT", "we", "us") is the controller responsible for the processing of personal data in connection with the website and portal intwit.ch (the "Platform").
1.2 For general enquiries, please use our Contact Us form. For all data protection enquiries and data subject requests, please use our Data Protection Request form, available at https://intwit.ch/en/contact/privacy.
1.3 We have not appointed a data protection officer within the meaning of Art. 37 GDPR or a data protection advisor within the meaning of Art. 10 nFADP, as we are not legally required to do so. All data protection matters are handled via the contact point designated in clause 1.2.
2. Scope and applicable law
2.1 This statement explains how we process personal data in accordance with the Swiss Federal Act on Data Protection of 25 September 2020 (nFADP) and its implementing ordinance.
2.2 Territorial scope. INTWIT Sàrl is a Swiss company, and the Platform is a purely Swiss service. The Platform is operated from Switzerland, hosted in Switzerland, and directed exclusively at the Swiss market. All subscription fees are charged in Swiss francs (CHF). All properties and services offered on the Platform are located in Switzerland, and all landlords, agencies, enterprises, and service providers admitted to the Platform must be established or resident in Switzerland. We do not advertise, envisage, or actively offer our services to individuals in the European Economic Area (EEA), and we do not monitor the behaviour of individuals in the EEA: we use no tracking cookies, no profiling, no behavioural advertising, and no cross-site or cross-device tracking. The fact that the Platform is technically accessible from abroad, or that a person located outside Switzerland may, on their own initiative, register as a property or services seeker, does not constitute an offer directed at persons in the EEA. We do not verify or record the country of residence of seekers. Accordingly, we consider that the EU General Data Protection Regulation (GDPR) does not apply to our processing pursuant to its Art. 3, and we have not designated a representative in the European Union pursuant to Art. 27 GDPR.
2.3 Should individual processing operations nonetheless exceptionally fall within the scope of the GDPR, we comply with its requirements, and the legal bases cited in this statement are provided for that purpose. Under Swiss law, private controllers do not require a legal basis for processing provided the processing principles of the nFADP are respected.
2.4 This statement applies to the Platform, our subscription services (including the intwit Scout feature), and our communications with you. It supplements, and is consistent with, our Terms of Service; in the event of any conflict regarding the processing of personal data, this statement in English version prevails.
3. Categories of personal data we process
3.1 Account and profile data: name, email address, mobile phone number, password hash, and optional profile data (e.g. company, role, preferred language).
3.2 Identity and business verification data: we verify Users in a manner appropriate to their category, as described in Art. 4.3 of the Terms of Service. For individuals, we verify the email address by means of a verification code sent from our own intwit.ch mail servers, and the mobile phone number by means of a one-time code (OTP) sent by SMS, both during registration. SMS delivery is carried out by our SMS provider (Twilio, see clause 10.1), acting as our processor. For agencies and business Users, we process an extract from the commercial register and tax documentation (e.g. tax or VAT registration). Where the circumstances of an individual case give rise to doubt, or where required to investigate suspected abuse or violations of our policies, we may additionally request an identity document and, in the case of landlords, proof of ownership, or, in the case of individual service providers, proof of professional qualification or authorisation. All verification is assessed by INTWIT itself; no external verification provider is involved. Verification documents are used solely to establish the verification outcome and are retained only as set out in section 13.
3.3 Listing and content data: data you submit for property listings or service offerings (descriptions, photos, address or approximate location, prices, availability, property characteristics such as number of rooms and area).
3.4 Address and map data: when you enter or verify addresses or display locations, our systems interact with external geodata services (currently geo.admin.ch, operated by the Swiss Confederation) to validate and visualise addresses and coordinates. Address data and technical information (IP address, date and time, browser information) may be processed by these services to deliver map tiles and geocoding results.
3.5 Communication data: content of messages and enquiries sent via the Platform's messaging system or by our contact forms (for example between tenants, landlords, agencies, service providers, and INTWIT), and our correspondence with you (support, billing, contractual communications).
3.6 intwit Scout usage data: when you use the intwit Scout AI-supported search feature as a subscribed member, we record only your login session and the fact and timestamp of each initiated search, in order to administer and optimise your daily quota of five (5) searches per 24-hour period (see section 6). We do not store the content of your queries or the search results on our systems.
3.7 Technical and log data: IP address, date and time of access, pages and functions used, referrer URL, browser and device type, error logs, and similar technical information.
3.8 Subscription, payment, and billing data: subscription plan, start and end dates, renewal status, payment status, billing details, and transaction records. Subscription fee transactions are processed by INTWIT's licensed payment service provider, which processes your payment card or account data directly as an independent controller in accordance with its own terms and privacy policy; we do not receive or store full payment card data.
3.9 Localisation and translation data: to provide our content in multiple languages and localise the user interface, we may transfer content that can include personal data (for example listing text containing names or addresses) to our translation and localisation provider (currently Supertext AG, Switzerland), acting as our processor.
4. Sources of personal data
4.1 We collect personal data primarily from you directly. In addition, we may receive personal data about you from: (a) other Users, for example where a landlord, agency, or service provider includes information about you in a listing, message, or application; and (b) publicly accessible sources, where you have made data public in connection with your business activity (e.g. the commercial register).
4.2 If you submit personal data relating to third parties (for example in listings, messages, or applications), you warrant that you are entitled to do so and that you have informed the persons concerned of this statement. We process such data solely to operate the Platform as described here.
5. Purposes and legal bases of processing
5.1 Provision of the Platform and our services: creating and managing accounts; carrying out the verification described in clause 3.2; displaying and managing listings and profiles; enabling communication between Users; operating subscriptions, payments, and billing. Legal basis, where the GDPR exceptionally applies: performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR); for verification of representatives of legal entities, our legitimate interest in the integrity of the Platform (Art. 6(1)(f) GDPR).
5.2 intwit Scout: providing subscribed members with the AI-supported search feature described in section 6; enforcing the daily usage quota and preventing abuse. Legal basis: performance of the subscription contract (Art. 6(1)(b) GDPR) and our legitimate interest in preventing abuse (Art. 6(1)(f) GDPR).
5.3 Address verification and maps: validating, normalising, and displaying addresses and locations using geo.admin.ch APIs. Legal basis: performance of a contract and our legitimate interest in data quality (Art. 6(1)(b) and (f) GDPR).
5.4 Operation, security, and improvement of the Platform: ensuring technical functioning and security; protecting forms and logins against automated abuse (captcha.eu); troubleshooting and performance monitoring; analysing aggregate usage trends with cookieless analytics (Plausible). Legal basis: our legitimate interest in operating a secure, stable, and user-friendly service (Art. 6(1)(f) GDPR).
5.5 Communication: responding to enquiries and support requests; informing you about your account, subscription, technical changes, and updates to our terms or policies. Legal basis: performance of a contract or pre-contractual measures; legitimate interests.
5.6 Legal obligations and defence of claims: compliance with statutory retention obligations (in particular Art. 958f of the Swiss Code of Obligations and Swiss tax and VAT legislation); responding to lawful requests from authorities; establishing, exercising, or defending legal claims. Legal basis: legal obligation (Art. 6(1)(c) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).
5.7 Marketing communications (where offered): sending you information about our services by email where you have subscribed or where otherwise permitted by law. We do not use open-tracking, click-tracking, or any other measurement technology in our emails. Our emails may contain plain links that direct you to the relevant page on our website, for example to complete a step or find requested information; these links do not track you individually. You can unsubscribe at any time, free of charge, via the unsubscribe link in each email or via your account settings; an objection to direct marketing is always honoured without any balancing of interests.
5.8 Where processing is based on our legitimate interests, you may contact us for information about the balancing test carried out.
5.9 Provision of data: the provision of account, verification, and payment data is necessary for the conclusion and performance of the contract; without it, we cannot provide the subscribed services. All other data is provided voluntarily.
6. intwit Scout (AI-supported search)
6.1 Certain subscriptions include intwit Scout, an AI-supported search feature allowing subscribed members, while logged in, to run up to five (5) searches per 24-hour period for rental and sale properties and related services offered on external websites, in accordance with Art. 9 of the Terms of Service.
6.2 How it works: when you input search criteria (for example canton, municipality, number of rooms, minimum area), our system transmits this query to an open-source artificial intelligence language model (currently a model from the Mistral AI open-source model family) that is installed, hosted, and operated exclusively in Switzerland by our infrastructure provider Infomaniak Network SA, Switzerland, acting as our processor under a data processing agreement. The model processes the query on our behalf and under our instructions and returns a limited set of results from external sources. Your queries are not used to train the model or for any purpose of the provider's own.
6.3 Usage recording: to administer the daily quota, we record your login session and the fact and timestamp of each initiated search and associate them with your account. We do not store the content of your queries or the results on our systems; results are displayed transiently in your browser and expire when you close the browser window.
6.4 External sources: results link directly to external websites operated by third parties. These websites are outside our control and are governed by their own terms and privacy policies. Any registration on, communication with, or transaction through such external websites takes place solely between you and the respective operator, and we accept no responsibility for the processing of personal data by those operators.
6.5 No automated individual decision-making: intwit Scout is an assistive tool suggesting potentially relevant external websites. Neither it nor any other function of the Platform takes decisions producing legal effects or similarly significant effects for you within the meaning of Art. 22 GDPR. We do not carry out high-risk profiling within the meaning of the nFADP or any profiling within the meaning of Art. 4(4) GDPR.
7. Analytics (Plausible)
7.1 We use Plausible Analytics, a privacy-friendly, EU-hosted, cookieless analytics service, to understand aggregate usage trends. Plausible uses no cookies or persistent identifiers and does not collect information capable of identifying individual visitors; it measures only aggregated data points (page views, referrers, approximate region). IP addresses are processed transiently for this purpose and are not stored. No cross-site or cross-device tracking takes place. Legal basis, where the GDPR exceptionally applies: legitimate interest (Art. 6(1)(f) GDPR); no consent is required as no information is stored on or read from your device.
8. Bot protection (captcha.eu)
8.1 To protect forms and login areas from automated abuse and spam, we use captcha.eu, an EU-based CAPTCHA solution operating without cookies, cross-site tracking, or user profiles. When you interact with protected forms, technical data (IP address, browser information) is processed to distinguish legitimate users from automated requests. Legal basis: legitimate interest in the security of our systems (Art. 6(1)(f) GDPR).
9. Cookies and similar technologies
9.1 The Platform uses only strictly necessary cookies, namely:
|
Cookie |
Purpose |
Duration |
|
session cookie |
Keeping you logged in |
Session |
|
language cookie |
Remembering language preference |
[e.g. 12 months] |
|
CSRF token |
Protection against cross-site request forgery |
Session |
9.2 These cookies are essential for the operation of the Platform, are exempt from consent requirements, and cannot be disabled via our interface. We use no analytics, advertising, or cross-site tracking cookies. You may block or delete cookies in your browser; blocking strictly necessary cookies may impair the functioning of the Platform.
10. Recipients
10.1 We do not sell personal data and do not share it with third parties for their own marketing purposes. We disclose personal data only to the following categories of recipients: hosting and infrastructure providers (in Switzerland); the analytics provider (Plausible, EU); the bot-protection provider (captcha.eu, EU); the geodata provider (geo.admin.ch, Swiss Confederation); the AI infrastructure provider (Infomaniak Network SA, Switzerland); the translation and localisation provider (Supertext, Switzerland); INTWIT's licensed payment service provider for subscription fee transactions (acting as an independent controller); the SMS delivery provider used for sending one-time verification codes (Twilio, data processed in the Ireland region, EU); professional advisers (lawyers, accountants) bound by confidentiality; and public authorities where disclosure is required by law.
10.2 Providers acting as processors are bound by data processing agreements meeting the requirements of Art. 9 nFADP and Art. 28 GDPR and process personal data only on our documented instructions.
11. International transfers
11.1 Personal data is processed in Switzerland or in the EU/EEA. In particular, SMS verification codes are processed by our SMS provider in its Ireland (EU) region. Transfers between Switzerland and the EU/EEA are covered by the mutual adequacy recognitions (Annex 1 of the Swiss Data Protection Ordinance; the European Commission's adequacy decision for Switzerland).
11.2 Should personal data exceptionally be transferred to a country without an adequate level of data protection, we implement appropriate safeguards, in particular the European Commission's Standard Contractual Clauses supplemented by the amendments recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers governed by Swiss law, together with additional technical and organisational measures where necessary. You may request a copy of the relevant safeguards via the contact in clause 1.2.
12. Data security
12.1 We implement appropriate technical and organisational measures in accordance with Art. 8 nFADP and Art. 32 GDPR to protect personal data against unauthorised access, alteration, disclosure, loss, and destruction. These include encryption of data in transit (TLS), password hashing, access controls based on the need-to-know principle, logging of security-relevant events, regular backups, and contractual security obligations imposed on our processors. Our Platform is hosted in a data centre in Switzerland.
12.2 In the event of a data security breach likely to result in a high risk to you, we will notify the FDPIC and, where required, the affected individuals in accordance with Art. 24 nFADP and, where applicable, Arts. 33 and 34 GDPR.
13. Retention periods
13.1 We retain personal data only as long as necessary for the purposes described in this statement or as required by law, namely: account, subscription, and contract-related data for the duration of the contractual relationship and up to ten (10) years thereafter, in line with Art. 958f of the Swiss Code of Obligations and Swiss tax and VAT retention obligations; verification documents (commercial register extracts, tax documentation, identity documents, ownership documents) for the duration of the contractual relationship plus twelve (12) months, with the verification outcome retained together with the account data; mobile phone numbers and email verification records for the duration of the account; technical logs and security-related data of registered Users for the duration of the contractual relationship plus twelve (12) months, and technical logs of non-registered visitors for a maximum of twelve (12) months, unless a longer period is required to document security incidents or legal claims; intwit Scout usage records (login sessions and the fact and timestamp of initiated searches) for the duration of the contractual relationship plus twelve (12) months, to administer usage quotas, prevent abuse, and document usage in the event of disputes; payment and billing data for the periods required by financial and tax regulations (generally ten (10) years); and marketing data until you unsubscribe or object, after which we retain only the minimal information needed to honour your opt-out permanently.
13.2 Deletion upon account cancellation: when you cancel your registration, you may request deletion of your personal data. Such requests are honoured without undue delay. Data we are legally required to retain (in particular accounting records, invoices, and transaction-related documents subject to the ten-year retention obligation) is not deleted immediately but is blocked: its processing is restricted exclusively to fulfilment of the statutory retention purpose, and it is definitively deleted upon expiry of the applicable statutory retention period. This corresponds to Art. 17.5 of our Terms of Service.
14. Minors
14.1 Our services are intended for adults. We do not knowingly collect personal data from, or offer our services to, individuals under 18 years of age. If we become aware that we have collected personal data of a person under 18, we will delete it without undue delay. If you believe a minor has provided us with personal data, please contact us via clause 1.2.
15. Your rights
15.1 Subject to applicable law, you have the right to: access your personal data and obtain a copy; rectification of inaccurate or incomplete data; erasure of your data (subject to clause 13.2); restriction of processing; objection to processing based on legitimate interests, and an unconditional right to object to direct marketing; withdrawal of consent at any time with effect for the future, without affecting the lawfulness of prior processing; and data portability, where the GDPR exceptionally applies and processing is based on consent or contract and carried out by automated means.
15.2 These rights may be subject to statutory conditions and exceptions, for example where we are legally required to retain data or where overriding interests justify continued processing. We may request proof of identity before acting on a request. We respond within thirty (30) days under the nFADP, or one month where the GDPR applies, extendable where legally permitted, in which case we will inform you.
15.3 To exercise your rights, please use the Data Protection Request form: https://intwit.ch/en/contact/privacy. Exercising your rights is free of charge, subject to the exceptions provided by law.
15.4 You have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland, www.edoeb.admin.ch.
16. Changes to this statement
16.1 We may update this statement from time to time, for example where our processing activities or legal requirements change. The current version, with its version number and date, is always available at https://intwit.ch/en/privacy. We will inform you of significant changes by email or via the Platform before they take effect.
16.2 This statement may be made available in multiple languages. In case of discrepancies between language versions, the English version prevails.
INTWIT Sàrl · Rue du Rhône 80, c/o ExpertFid & Audit SA, 1204 Genève, Switzerland · UID CHE-236.175.750 · intwit.ch