
Privacy Policy

Last updated: March 26, 2026

This privacy policy explains how Endolum GmbH ("we", "us") collects, uses, and protects your personal data when you use the Endolum platform at app.endolum.io and its associated services. This policy complies with the Swiss Federal Act on Data Protection (FADP/nDSG) and the EU General Data Protection Regulation (GDPR) where applicable.

1. Data Controller

Endolum GmbH
Oberdorfstrasse 8
8853 Lachen SZ, Switzerland
UID: CHE-297.991.738
Email: contact@endolum.io

2. What Data We Collect

Account information

  • Email address and name
  • Password (stored as a salted bcrypt hash, never in plain text)
  • Company name and job title (optional)
  • Phone number (optional)
  • Organization membership and role
  • Marketing consent preference

Billing information

  • Payment details are processed and stored by Stripe. We do not store credit card numbers or bank account details.
  • We store your Stripe customer ID, subscription status, and invoice history.

Product-specific data

Each Endolum product collects data specific to its functionality. Refer to the product-specific privacy policies for details:

  • Sentinel: Scan targets (IP addresses, domains), scan results, vulnerability data, AI generated reports.
  • Hacked: Canary document metadata, alert data including IP addresses and geolocation of document openers, webhook configurations.

Technical data

  • Authentication tokens and session data
  • Server access logs (IP address, user agent, request timestamps)

3. Purpose and Legal Basis

Purpose                                                         Legal basis
Providing the Platform and its services                         Contract performance
Account management and authentication                           Contract performance
Processing payments and managing subscriptions                  Contract performance
Sending transactional emails (alerts, invoices, verification)   Contract performance
Service improvement and security monitoring                     Legitimate interest
Marketing emails and product updates                            Consent (opt-in, withdrawable anytime)

5. Third-Party Services

  • Stripe: Payment processing. Stripe processes your payment information under their own privacy policy. We share your email, name, and organization ID with Stripe to create and manage your subscription.
  • Hetzner: Cloud infrastructure hosting (Germany/Finland). Our servers and databases are hosted on Hetzner infrastructure.
  • ip-api.com: IP geolocation used in the Hacked service for alert data.
  • Google reCAPTCHA: Used on the Sentinel public scan form to prevent abuse. Subject to Google's privacy policy.
  • SMTP provider: We use an email provider to deliver transactional and marketing emails.

5. Data Retention

  • Account data: Retained as long as your account exists. Upon deletion, personal data is anonymized and service data is permanently removed across all products.
  • Billing records: Retained for 10 years as required by Swiss accounting law (OR Art. 958f).
  • Server logs: Retained for 90 days.
  • Product-specific retention: See the individual product privacy policies for scan data, alert data, and document retention periods.

6. Marketing Emails

We only send marketing emails and product updates if you have given explicit consent during registration or later in your account settings. You can withdraw your consent at any time through the portal settings or by contacting us at contact@endolum.io.

7. Cookies and Local Storage

Item                    Type                   Purpose
endolum_access_token    localStorage           Authentication. Required for the portal to function.
endolum_refresh_token   localStorage           Token refresh. Required to maintain your session.
access_token            Cookie (product apps)  Session handoff to Sentinel and Hacked. Set during product access.

We do not use tracking cookies, analytics cookies, or advertising cookies.

8. International Data Transfers

Our primary infrastructure is hosted in Germany and Finland (Hetzner). Scanner infrastructure is hosted in the United States (Linode). When we use third-party services such as Stripe (US/Ireland) or ip-api.com, data may be processed outside Switzerland. We ensure that any such transfers comply with applicable data protection requirements, including adequate safeguards where required.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted via TLS.
  • Passwords are hashed using bcrypt with per-user salts.
  • Database backups are encrypted with AES-256.
  • Access to production systems is restricted and audited.
  • Authentication uses RS256 signed JSON Web Tokens.

10. Your Rights

Under the FADP and, where applicable, the GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data and account. You can do this directly through the portal settings.
  • Data portability: Request your data in a structured, machine-readable format.
  • Withdraw consent: Withdraw consent for marketing communications at any time.
  • Restriction: Request restriction of processing in certain circumstances.
  • Objection: Object to processing based on legitimate interest.

To exercise any of these rights, contact us at contact@endolum.io.

11. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland. If the GDPR applies to your situation, you may also lodge a complaint with a supervisory authority in the EU/EEA.

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. If we make significant changes, we will notify registered users by email.

13. Contact

For privacy-related questions or data protection requests:
Endolum GmbH
Oberdorfstrasse 8, 8853 Lachen SZ, Switzerland
Email: contact@endolum.io