Privacy Policy
Last updated: 9 July 2026
This Privacy Policy explains how BioQuant IQ GmbH (“BioQuant IQ”, “we”, “us”) processes personal data in connection with the BioQuant IQ website and our products, Arena and Echo. We are committed to processing personal data lawfully, fairly and transparently under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
1. Who we are
The data controller is BioQuant IQ GmbH, Baselmattweg 135, 4123 Allschwil, Switzerland. For any privacy question or to exercise your rights, contact letustalk@bioquantiq.ch.
2. What we collect
- Contact requests — when you use our contact form we collect your name, work email, company (optional), and the description of the problem you choose to share.
- Newsletter — if you subscribe to The System × People Interaction, we process your email address to send you the letter. You can unsubscribe at any time.
- Product data (Arena & Echo) — our products are provided to organisations and individuals under separate product agreements. Personal data processed inside a product is governed by that product’s documentation and the applicable customer / DPA terms; both read behaviour at the team or individual-baseline level, never to make solely automated employment decisions.
- Technical & usage data — with your consent, privacy-friendly analytics about how you use the site (see our Cookie Policy).
3. Why we process it, and our legal bases
- To respond to contact requests — legitimate interest / steps prior to a contract.
- To provide and improve our products (Arena and Echo) to our customers — performance of a contract with the customer organisation.
- To run analytics and improve the site — consent (which you can withdraw at any time).
Model training. We do not use customer data or personal responses to train general-purpose or third-party AI models. We confirm this on request.
4. What our products measure — with a human always in the loop
Arena — team level. Arena measures decisions and decision-behaviour at the team / session level — how a group frames, prices and commits to a decision — not personality, identity, protected characteristics, or an individual employee score. Progress is read against the team’s own baseline, to improve how the group decides.
Echo — individual development level. Echo measures an individual’s development against their own baseline, competency by competency, from their real work — not personality, identity or protected characteristics. By default Echo is a development tool. Where a client organisation chooses to enable it, Echo’s outputs may also inform people decisions such as hiring, promotion or readiness — always as one input to a decision made by a competent person, never a decision made by the system.
Role-based access. Our products are deployed by an organisation. Access to a sprint’s outputs is role-based — typically the sponsoring leaders and authorised administrators, as configured by the customer.
Human oversight — no solely automated decisions. Consistent with Article 22 GDPR and the EU AI Act’s requirements for AI used in employment contexts, no decision producing legal or similarly significant effects — hiring, promotion, readiness, termination or selection — is ever based solely on automated processing. A qualified person with the authority to reach a different outcome always makes the final call, and the individual can ask for the logic to be explained, put their point of view, and contest a result and have it reconsidered by a person.
Purpose, visibility & safeguards. The client organisation sets the purpose of any Echo deployment and, where the law requires, informs affected individuals and their representatives. Score visibility is configurable and role-based — for example the individual, their manager, HR or a coach — as set by the client. We apply bias and validation checks, keep activity logs, and make a Data Protection Impact Assessment (DPIA) and, where relevant, a fundamental-rights impact assessment available to customers. See our Trust Center for defaults on visibility, retention and permitted use.
5. Retention
We keep personal data only as long as necessary for the purposes above or as required by law, then delete or anonymise it. Default retention periods are set out in our customer agreements. As a guide, contact-enquiry data is kept for up to 24 months and product data for the term of the customer agreement, unless a longer period is required by law.
6. Your rights (GDPR / FADP)
Subject to applicable law, you have the right to access, rectify, erase, restrict or object to processing, and to data portability. Where we rely on consent, you may withdraw it at any time. You also have the right to lodge a complaint with a supervisory authority (in Switzerland, the FDPIC; in the EU, your local authority). To exercise any right, email letustalk@bioquantiq.ch.
7. International transfers
Where personal data is transferred outside Switzerland or the EEA, we rely on recognised safeguards such as adequacy decisions or Standard Contractual Clauses. Arena is hosted within Switzerland and the EEA; a current list of sub-processors is available on request.
8. Security
We apply appropriate technical and organisational measures to protect personal data — including encryption in transit, role-based access controls, sandboxed client environments, least-privilege processing and vendor due-diligence. A summary of our security and hosting posture is available on request.
9. Changes
We may update this policy; material changes will be reflected by the “last updated” date above.