Privacy Policy
Who We Are
EICG is a trading name of FPGAhouse.com AG, incorporated under Swiss law (Obere Bahnhofstrasse 48, 9500 Wil, Switzerland). FPGAhouse.com AG is the data controller for all personal data described in this policy. Data protection enquiries: privacy@eicg.eu.
Data We Collect
Applicants
Name, job title, email, telephone, company name and domain; questionnaire answers; publicly available cyber risk data; assessment output (score, risk class, report); consent timestamp.
Bank / insurer partners
Institution name, contact details, portal credentials (hashed), login logs, commissioned assessment records.
Website visitors
SHA-256 hash of IP address (raw IP never stored), referral code, and visit timestamp, used solely for referral attribution.
Legal Basis for Processing
- Consent (Art. 6(1)(a)): intake data collection, cyber risk data collection, AI-assisted analysis.
- Legitimate interest (Art. 6(1)(f)): delivery of report to Commissioning Institution, referral tracking, audit logging.
- Contract (Art. 6(1)(b)): bank partner account management.
- Legal obligation (Art. 6(1)(c)): compliance and audit records.
Legitimate interest assessments are available on request at privacy@eicg.eu.
How We Use Your Data
Applicant data is used exclusively to conduct and deliver the commissioned IT risk assessment. We do not use it for marketing, advertising, or sale to third parties. Partner data is used to manage accounts and fulfil assessment requests. Visitor data is used only for referral attribution.
Automated Profiling and Decision-Making
EICG uses AI-assisted tools to generate a preliminary score (0–100) and risk class (A–E) across six domains. Every report is reviewed and approved by a qualified expert IT team before release, and no report is issued on the basis of automated processing alone. EICG does not make lending or insurance decisions; those rest with the Commissioning Institution.
Under Art. 22 GDPR you may request human review, submit corrections, or contest findings at any time via privacy@eicg.eu.
Data Recipients
The completed assessment report is delivered exclusively to the Commissioning Institution. Sub-processors (cloud hosting, transactional email, error monitoring, AI analysis API) are contractually bound and prohibited from using data for their own purposes. A Data Processing Agreement (Art. 28 GDPR) is in place with all Commissioning Institutions. We do not sell or share personal data with any other party except where required by law.
International Data Transfers
Switzerland is recognised by the European Commission as providing adequate data protection (Art. 45 GDPR). Any sub-processor outside Switzerland or the EEA is covered by Standard Contractual Clauses. Primary data storage takes place within the EU or Switzerland.
Data Retention
- Assessment data and consent records: 7 years
- Bank partner account data: duration of partnership + 3 years
- Referral click data (hashed IP): 13 months
- Email logs: 3 years
- Portal account data: deleted with assessment data or on request
Data is permanently deleted at expiry. Legal holds temporarily restrict further processing.
Your Rights
Under GDPR and the Swiss nDSG you have the right to access, rectify, erase, restrict, or port your data, to object to processing, to withdraw consent, and to request human review of profiling. Submit requests using the form below or email privacy@eicg.eu. We respond within 30 days.
Cookies and Tracking
We use only strictly necessary session cookies for authenticated users (bank portal, admin, applicant portal). We do not use advertising cookies, cross-site tracking, or third-party analytics. Referral attribution uses a one-way IP hash only (see Section 8). A cookie consent banner is shown on first visit to public pages.
Data Security
We apply appropriate technical and organisational measures per GDPR Art. 32: hashed passwords, TLS 1.2+ in transit, restricted database access, rate limiting, PII-excluded error monitoring, and full audit logging. In the event of a breach likely to affect your rights, we notify the supervisory authority within 72 hours and affected individuals without undue delay.
Changes to This Policy
Material changes will be communicated by email at least 30 days in advance. The version date at the top of this page reflects the current version. Previous versions are available on request.
Contact and Complaints
Email: privacy@eicg.eu
Post: FPGAhouse.com AG, Attn: Data Protection, Obere Bahnhofstrasse 48, 9500 Wil, Switzerland
Swiss supervisory authority (FDPIC): Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch
EU supervisory authorities: edpb.europa.eu
This policy applies from 7 May 2026.