This policy describes how Endolum GmbH processes personal data on the marketing website at endolum.io and the legal basis for that processing. It complies with the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR). Each Endolum product (Sentinel, Hacked, Academy) ships with its own privacy policy that covers the data processed inside that product.
Endolum GmbH, Oberdorfstrasse 8, 8853 Lachen SZ, Switzerland. Commercial register UID CHE-297.991.738. Contact: contact@endolum.io.
The contact and partner application forms collect the name, email address, subject, and message you submit, plus optional fields where the form asks for them (company name, expected client volume). The data is used to reply to your message and is retained for as long as the conversation is active, plus a reasonable archival period for follow up.
The web server records the request URL, the IP address, the user agent, and a timestamp for every request, in line with normal operational logging. Logs are kept for up to 30 days and are used to diagnose errors, monitor for abuse, and protect the site against automated attacks. Logs are not enriched with profile data and are not joined to any other data set.
The cookies set on this site fall into three categories: strictly necessary cookies that the site sets to function or to defend against abuse, analytics cookies that load after you grant analytics consent through the consent banner, and advertising cookies that load after you grant advertising consent. The advertising and analytics consents are independent and can be granted, withdrawn, or changed at any time.
| Cookie | Type | Purpose |
|---|---|---|
| First party session and CSRF cookies | Strictly necessary | Set when you submit a form (contact, partner application). Maintain the form session and prevent cross site request forgery. Cleared at the end of the session. |
Google reCAPTCHA cookies (_GRECAPTCHA and similar) |
Strictly necessary | Set by Google reCAPTCHA on form pages to distinguish humans from bots and stop abuse. Loaded under legitimate interest in network security. See section 3 for the third party detail. |
Consent record (endolum_consent_v1 in localStorage) |
Strictly necessary | Stores your cookie preference so the banner does not reappear on every page. Created only after you make a choice. |
Google Analytics 4 cookies (_ga, _ga_*) |
Analytics, consent required | Set only after you grant analytics consent through the banner. Aggregate page views and feature usage to inform the product. Lifetime up to two years. See section 3. |
Google Ads cookies (_gcl_*, NID on google.com domains) |
Advertising, consent required | Set only after you grant advertising consent through the banner. Used to measure which ads led to enquiries or signups (conversion tracking) and to build remarketing audiences. Lifetime up to 13 months for the conversion linker, up to 6 months for advertising cookies. See section 3. |
The marketing site loads the third party assets listed below.
| Service | Provider | Reason |
|---|---|---|
| Google Analytics 4 | Google Ireland Limited | Aggregated traffic and feature usage measurement, used to improve the products. Loaded only after you grant analytics consent. The IP address is anonymised before processing. Data is stored in the EU under Google's standard data processing terms. Retention is set to fourteen months. Google Privacy Policy. |
| Google Ads | Google Ireland Limited | Used to measure the performance of advertising campaigns and to build remarketing audiences. Loaded only after you grant advertising consent. When you reach the site through a Google ad, a click identifier is stored and forwarded with subsequent enquiries or signups so we can attribute conversions. Data may be transferred to Google LLC in the United States. Google Privacy Policy. |
| Google reCAPTCHA | Google Ireland Limited | Used on the contact and application forms to defend against automated abuse. Treated as strictly necessary because it is a security control. Google receives the IP address, user agent, and a behaviour signal that helps decide whether to challenge the request. Google Privacy Policy. |
| Google Fonts | Google Ireland Limited | Loads the Inter Tight and JetBrains Mono webfonts from Google's CDN. The request reveals your IP address and user agent to Google. Google does not set cookies through this delivery path. |
| Cal.com booking | Cal.com | Used when you click through to book a partner call. The booking page is hosted by Cal.com. We do not embed the booking widget inline on this site. |
You can withdraw or change your analytics and advertising consents at any time through the Cookie preferences link in the footer.
| Purpose | Legal basis |
|---|---|
| Replying to messages submitted through the contact form | Pre contractual measures and legitimate interest |
| Responding to partner program applications | Pre contractual measures |
| Operational logging, security, and abuse prevention (including reCAPTCHA) | Legitimate interest |
| Aggregate analytics through Google Analytics 4 | Consent (granted through the cookie banner, can be withdrawn at any time) |
| Advertising performance measurement and remarketing through Google Ads | Consent (granted through the cookie banner, can be withdrawn at any time) |
| Compliance with statutory retention obligations | Legal obligation |
The marketing site is hosted on infrastructure in Germany within the EU/EEA. The legal relationship with the customer is governed by Swiss law and Swiss jurisdiction applies. Google Analytics, Google Ads, and Google reCAPTCHA are operated by Google Ireland Limited, with Google LLC in the United States as a sub processor. Transfers to the United States rely on Google's certification under the EU-US Data Privacy Framework and on standard contractual clauses for residual transfers. Where any other third party provider processes data outside Switzerland or the EEA, we rely on an adequacy decision, standard contractual clauses, or your explicit consent for the specific transfer.
The Endolum products use additional sub processors that may receive data outside the EU/EEA, including Anthropic in the United States for AI assisted report generation inside Sentinel. The product specific privacy notices linked in section 9 describe these transfers in detail, and the complete list is published at endolum.io/sub-processors.
Under the revFADP and, where it applies, the GDPR, you have the right to:
To exercise any of these rights, contact contact@endolum.io. We respond within 30 days.
If you believe your data protection rights have been violated, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland. If the GDPR applies to your situation, you may also lodge a complaint with a supervisory authority in the EU or EEA.
Each Endolum product publishes its own privacy notice that covers the data processed inside the product:
The full list of sub processors used across all Endolum products and the marketing site is maintained at endolum.io/sub-processors.
We may update this policy from time to time. The version date is shown at the top of the page. Material changes are reflected in the date and the changed sections.
For privacy related questions or requests, write to contact@endolum.io or to Endolum GmbH, Oberdorfstrasse 8, 8853 Lachen SZ, Switzerland.