aidX

Privacy Policy

Last updated: July 2026

Controller

aidX AG, Bachtelstrasse 57, 8330 Pfäffikon ZH, Switzerland. Email: privacy@aidx.ch

What We Collect

  • Account data: email address, professional role (at registration)
  • Usage data: session logs, feature usage (anonymized)
  • Content data: chat inputs, uploaded documents and audio. Text and uploaded content are encrypted client-side before transmission, so our servers cannot access their plaintext. Live meeting audio (e.g. from a connected Zoom meeting) is relayed only transiently in memory for transcription and is never stored as raw audio — only the resulting transcript is stored, encrypted.
  • Technical data: IP address, browser type, device identifiers

How We Use Your Data

  • To provide and improve the Service
  • To manage subscriptions and billing (via Stripe)
  • To send transactional emails (account, billing notifications)
  • To ensure security and prevent abuse

Zero-Knowledge Encryption Policy

Before any clinical content is transmitted, a pseudonymisation process runs automatically in your browser: names, locations, dates and other personal identifiers are detected and replaced with neutral placeholders — so that patient data never reaches our servers or the AI in identifiable form. All clinical content is then encrypted client-side with keys derived from your device. Our servers cannot access the plaintext content of your sessions.

Billing — Stripe

Payments are processed by Stripe, Inc. (stripe.com), a PCI DSS Level 1 certified payment service provider. When you subscribe, Stripe collects and processes your payment information under their own Privacy Policy (stripe.com/privacy). We receive only subscription status from Stripe — no full payment details are stored on our servers. aidX AG acts as the contracting party for your subscription.

AI Inference

AI processing runs on our own infrastructure in Switzerland and on a small number of vetted sub-processors bound by data-processing agreements: clinical transcription is performed in Switzerland (Infomaniak), and clinical text analysis on Google Cloud Vertex AI within the European Union. Because clinical content is pseudonymised in your browser before it leaves your device (see Zero-Knowledge Encryption Policy), directly identifying patient data is not transmitted to these providers. Your content is not used to train third-party AI models.

Infrastructure & Hosting

Core infrastructure, databases and stored transcripts are hosted by Infomaniak Network SA in Switzerland. Some clinical text analysis is processed transiently on Google Cloud Vertex AI within the European Union (EU data region); no clinical data is stored outside Switzerland.

Zoom Integration

If you connect a Zoom account, we access only what is needed to record and transcribe meetings you host. During a live session we receive the meeting audio via Zoom Real-Time Media Streams (RTMS), after the host has started the session and Zoom has shown its data-sharing notice to participants; this audio is relayed only in memory, converted to text, and never stored as raw audio — only the encrypted transcript is retained. Meeting metadata (such as the meeting identifier and join URL) is used solely to set up and join the session. Your Zoom OAuth tokens are stored encrypted, are never exposed to your browser, and are revoked and deleted immediately when you disconnect Zoom. We only ever act on meetings created, started or hosted by your own account. Zoom's own processing of your data is governed by Zoom's privacy policy.

Essential Sub-processors

We rely on a small number of vetted sub-processors, each bound by a data-processing agreement, and only where they actually receive personal data:

  • Infomaniak Network SA (Switzerland) — hosting, storage and clinical transcription
  • Google Cloud / Vertex AI (EU region) — analysis of pseudonymised clinical text
  • Zoom Video Communications, Inc. — meeting data for the optional Zoom integration
  • Stripe, Inc. — payment processing

Data Retention

  • Account data: retained for the duration of the subscription plus 12 months after cancellation
  • Content data: retained per your subscription tier's history limit. Users may delete content manually at any time.
  • Billing records: retained as required by Swiss law (10 years)

Your Rights (GDPR / nDSG)

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and data
  • Data portability
  • Object to processing
  • Lodge a complaint with a supervisory authority

To exercise your rights: privacy@aidx.ch

Cookies

We use only technically necessary cookies for session management. No tracking or advertising cookies.

Security

We implement ISO 27001-aligned security practices including client-side encryption, encryption in transit and at rest, access controls, and regular security reviews.

Changes

We will notify you of material changes via email or in-app notice.

Contact

aidX AG · Bachtelstrasse 57 · 8330 Pfäffikon ZH privacy@aidx.ch