Privacy Policy
Version 1.1 – June 29, 2026
This Privacy Policy explains how Neuralshape GmbH processes personal data in connection with the BidAtlas website at https://bidatlas.ch (the "Website") and the BidAtlas service (the "Service").
Neuralshape GmbH, Dammstrasse 16, 6300 Zug, Switzerland (registered under company identification number CHE-143.359.504) is the controller for the processing described in this Policy ("Neuralshape", "we", "us"). Unless defined here or in our Terms & Conditions, terms used in this Policy have the meaning given to them in the Swiss Federal Act on Data Protection ("FADP") and, where it applies, the EU General Data Protection Regulation ("GDPR").
1. When this Policy applies (controller vs processor)
This Policy covers personal data for which Neuralshape decides the purposes and means — that is, personal data relating to Website visitors, prospects and business contacts, customer account users, and people who contact us or apply for a role.
It does not cover personal data that may be contained in content our business customers and their users submit to or generate through the Service ("Customer Data"). For Customer Data, Neuralshape acts as a processor on behalf of the customer, who is the controller. That processing is governed by the Data Processing Agreement (DPA) between Neuralshape and the customer, and by the customer's own privacy notice — not by this Policy. How we handle Customer Data (including that we do not use it to train AI models) is described in our Terms & Conditions and the DPA.
2. Personal data we collect
Depending on how you interact with us, we may process the following categories of personal data:
- Identification and contact data — e.g. name, business email, phone number, employer, and job role.
- Account data — login identifier, account settings and preferences for users of the Service.
- Communications — the content of messages, demo and contact requests, and support correspondence.
- Transaction and billing data — orders, the plan you subscribe to, and billing details. Card payments are handled directly by our payment processor; we do not store full card numbers.
- Usage and technical data — IP address, approximate location derived from it, device and browser information, and how you navigate the Website, collected via cookies and similar technologies and server logs.
- Marketing data — your subscription and contact preferences and your engagement with our communications.
- Applicant data — if you apply for a role with us, the information in your application and any related correspondence.
3. How we collect personal data
- Directly from you — when you complete a form, request a demo, create or use an account, correspond with us, subscribe to updates, or apply for a role.
- Automatically — when you use the Website, through cookies, similar technologies and server logs (see Section 10).
- From third parties — for example referrals, publicly available business sources, and business-contact information, where we contact organisations and their representatives about BidAtlas.
4. Why we process personal data and our legal bases
Where the GDPR applies, we rely on the following legal bases (Art. 6(1) GDPR); where the FADP applies, we process personal data in good faith, proportionately, and for the purposes set out below.
- Performance of a contract (Art. 6(1)(b)) — to provide and administer the Service, manage accounts, process orders and payments, and respond to your requests.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, analyse and improve the Website and Service, to develop new features, to carry out business-to-business marketing to relevant contacts, to prevent fraud and misuse, and to establish, exercise or defend legal claims. We balance these interests against your rights and interests.
- Consent (Art. 6(1)(a)) — to send marketing communications where consent is required, and to set non-essential cookies. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with accounting, tax, and other legal requirements.
5. Recipients and service providers
We share personal data with third parties that process it on our behalf ("service providers" / processors), bound by contract to use it only as instructed and to protect it. Our principal service providers are:
- Cloud hosting and infrastructure — Google Cloud and Amazon Web Services (Switzerland regions), which host the Website, the application and associated data.
- Payment processing — Stripe, which processes subscription payments. Stripe handles card details directly under its own terms and privacy notice.
- Customer relationship and marketing — HubSpot, which we use to manage business contacts and our communications with them.
- Website analytics — Google Analytics, which helps us understand how the Website is used.
- IT, communication and notification tools — Microsoft (Microsoft 365 and Microsoft Azure), used for our business email and collaboration software and to send Service notifications such as new-opportunity alerts.
Some of these tools are described in more detail below.
Google Analytics. Google Analytics is a web-analytics service provided by Google that helps us understand how visitors use the Website, by collecting information such as the pages viewed, time spent, and approximate location derived from your IP address. This information may be combined with other Google services. You can opt out by installing Google's browser add-on at https://tools.google.com/dlpage/gaoptout, or by declining analytics cookies in our cookie settings. Google's privacy notice is available at https://policies.google.com/privacy.
HubSpot. HubSpot is a customer-relationship and marketing platform that we use to manage our business contacts and communications and to understand how our Website and campaigns are used. HubSpot may set cookies and, where you submit a form, associate certain usage data with your contact record. HubSpot is provided by a US-based company with operations in the EU, and your personal data may be processed in the United States, subject to the safeguards described in Section 6. HubSpot's privacy notice is available at https://legal.hubspot.com/privacy-policy.
We do not sell personal data. We may also disclose personal data where we believe in good faith that it is necessary to comply with a legal obligation or a valid request from a public authority, to enforce our terms, or to protect our rights, safety, or property, or those of others.
6. International data transfers
Service and Customer Data. Personal data processed within the Service is hosted and processed in Switzerland, across Google Cloud (region europe-west6) and AWS (region eu-central-2), with AI inference performed on AWS Bedrock in eu-central-2. It is not transferred outside Switzerland or the EU/EEA in connection with the Service or AI inference.
Website and marketing data. Some of the service providers we use for the Website and marketing (for example HubSpot and Google) may process personal data in the United States or other countries outside Switzerland and the EU/EEA. Where this happens, we rely on appropriate safeguards, including transfers to recipients certified under the EU-US Data Privacy Framework and its Swiss-US extension, and/or the EU Standard Contractual Clauses together with the Swiss addendum, as well as transfers to countries recognised as providing adequate protection.
7. Data retention
We keep personal data only for as long as necessary for the purposes for which it was collected, and to meet legal, accounting and reporting requirements. For example, account and contract data is retained for the duration of the relationship and a reasonable period afterwards; billing records are retained for the period required by Swiss law (generally ten years); marketing data is retained until you object or withdraw consent; and applicant data is retained for a limited period after the application process. When personal data is no longer needed, we delete or anonymise it.
8. Data security
We implement appropriate technical and organisational measures to protect personal data against loss, misuse, and unauthorised access, alteration or disclosure. These include encryption in transit and at rest, access controls on a least-privilege basis, tenant isolation, logging, and Swiss data hosting. Further detail on the security measures applicable to the Service is set out in our Terms & Conditions and the DPA. Our staff and service providers are bound by confidentiality and may access personal data only as needed to perform their tasks. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. Automated decision-making
We do not make decisions that produce legal effects concerning you, or similarly significantly affect you, based solely on automated processing of the personal data covered by this Policy. The Service itself is a decision-support tool operated under human direction and does not make autonomous decisions.
10. Cookies and similar technologies
We use cookies and similar technologies to operate the Website, remember your preferences, and understand and improve how the Website is used. Strictly necessary cookies are required for the Website to function. Non-essential cookies (for example analytics and marketing cookies) are set only with your consent, which you can give or withdraw through our cookie settings. You can also control cookies through your browser; disabling some cookies may affect how the Website works.
11. Your data protection rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you and obtain a copy;
- rectify inaccurate or incomplete data;
- erase your data where it is no longer needed or was processed unlawfully;
- restrict processing in certain circumstances;
- object to processing based on our legitimate interests, and to direct marketing at any time;
- data portability — receive data you provided in a structured, commonly used, machine-readable format; and
- withdraw consent at any time, without affecting processing carried out before withdrawal.
To exercise any of these rights, contact us using the details in Section 15. We may need to verify your identity first. You also have the right to lodge a complaint with a data protection authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU/EEA, your local supervisory authority.
12. Links to third-party sites
The Website may link to websites or services we do not operate. We are not responsible for the content or privacy practices of those third parties, and we encourage you to review their privacy notices.
13. Children
The Website and Service are intended for businesses and professional users and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.
14. Changes to this Policy
We may update this Policy from time to time. The "last updated" date above shows when it was last revised, and changes take effect when posted on this page. Where changes are material, we will take reasonable steps to notify you.
15. Contact us
If you have questions about this Policy or wish to exercise your rights, contact us at:
Neuralshape GmbH
Dammstrasse 16, 6300 Zug, Switzerland
Email: legal@bidatlas.ch