Privacy Policy

1. Data controller

Responsible for data processing:

AI & Co GmbH
Lättichstrasse 6
6340 Baar
Switzerland

Email: info@vizera.ai
Website: www.vizera.ai

Vizera.ai is a brand and product of AI & Co GmbH.

Contact person for data protection enquiries:

Pascale Tschaler
c/o AI & Co GmbH
Lättichstrasse 6
6340 Baar, Switzerland
Email: privacy@vizera.ai

2. What data we process

2.1 When visiting our website

We automatically process the following data (server logs):

IP address (truncated/anonymized)
Date and time of access
Browser type, version, operating system
Referrer URL
Pages visited
Error logs (for stability and security)

2.2 When creating an account or using the platform

First name, last name
Company name (optional)
Email address and login data
Usage data (generated images, projects, settings)
Payment data (via our external payment provider Stripe)
Support requests and communication

2.3 Uploaded files (sketches, 3D models, photos)

Special rules apply here:

Files are used exclusively for providing our services.
No training use for AI models by Vizera. Your data is not used by Vizera for training AI models.
With our standard models (Google Imagen 4 via Vertex AI, Banana Nano, Banana Nano Pro), it is contractually guaranteed that no customer data is used for model training.
If you manually select alternative models (e.g. BFL Labs Flux models) that are not among our standard models, we cannot guarantee that the respective provider does not use the data for training purposes. That is why we deliberately select the most secure options as defaults.
No disclosure to third parties, except where strictly necessary for processing (e.g. AI models via API, see Section 5).

3. Purpose and legal bases of processing

Purpose	Legal basis GDPR	Legal basis nDSG
Operation and provision of the website	Legitimate interest (Art. 6(1)(f))	Proportionality and necessity
User account and contract performance	Contract (Art. 6(1)(b))	Proportionality
Payment processing	Contract	Proportionality
Support and communication	Contract / legitimate interest	Proportionality
Analytics and performance	Consent (cookie banner)	Consent
Marketing (newsletter, campaigns)	Consent	Consent
Security, abuse detection	Legitimate interest	Necessity for system security

4. AI processing: How we use your data

4.1 No training use of your designs

Your uploaded sketches, CAD plans, 3D models and generated images are not:

used to train publicly accessible AI models
passed on to external datasets
used for model improvements, unless you give explicit written consent

4.2 How your images are processed

Your content is temporarily transmitted to the following systems (depending on the selected function):

Google Imagen 4 (via Google Cloud / Vertex AI)
Banana Nano (Google)
Banana Nano Pro (Google)
Flux Kontext Pro (BFL Labs)
Flux Pro 2.0 (BFL Labs)

Note: This model list reflects the status as of February 2026. This list will be updated when changes are made to the models used.

These external model providers process the data to execute your request.

Transparency note: Our standard models (Google Imagen via Vertex AI, Banana Nano, Banana Nano Pro) are contractually protected — Google does not use paid API data for training. For alternative models (BFL Labs Flux models), we choose providers with the strongest possible privacy agreements; however, a contractual no-training guarantee does not currently exist there. That is why the most secure options are preset as defaults.

4.3 EU AI Act — Transparency and labelling

The EU AI Act (Regulation (EU) 2024/1689) requires providers of generative AI systems from 2 August 2026 to label AI-generated content in a machine-readable format as artificially produced (Article 50).

What Vizera does:

Vizera will implement technical metadata (C2PA standard or comparable) in all generated images by August 2026, labelling them as AI-generated.
Vizera provides a detection capability so that AI-generated outputs can be identified through metadata inspection.

What this means for you as a customer:

Swiss customers (CH projects only): The EU AI Act does not apply directly. No labelling obligation.
German and Austrian customers: The EU AI Act applies. But the editorial exception protects you: if you edit, curate and integrate AI-generated images into your professional work, the labelling obligation for the end product does not apply.
Creative and artistic works: For content that is obviously creative or artistic (such as architectural visualizations), only minimal, non-intrusive disclosure is required.

4.4 Copyright and AI-generated content

Swiss law (URG):
Under Swiss copyright law, only natural persons can be authors (Art. 6 URG). If you contribute sketches, provide creative direction and edit the result, the output is attributable to your creative contribution. Purely autonomous AI outputs without human control are not copyright-protected.

Our GTC assign you all usage rights to the generated content. You may use Vizera images in presentations, competitions and marketing.

5. Disclosure to third parties

We only disclose data when necessary for providing our services:

5.1 Hosting and infrastructure

Service	Provider	Location	Privacy
Google Cloud Platform	Google LLC / Google Ireland Ltd.	EU/Switzerland	Privacy Policy
Redis queue system	Redis Ltd.	EU	Privacy Policy

5.2 Payment providers

Service	Provider	Location	Privacy
Stripe Payments	Stripe Inc. / Stripe Payments Europe Ltd.	USA / Ireland	Privacy Policy
Payment processing (Merchant of Record)	Star&Cross Ltd. (Singapore)	Singapore	See below

Payment processing via Star&Cross Ltd.:

Payment processing for Vizera AI is handled by Star&Cross Ltd., located at 23 New Industrial Road, Singapore 536209. Star&Cross Ltd. acts as Merchant of Record for Stripe payment processing.

Star&Cross Ltd. is an independent company and is neither a subsidiary nor an affiliate of AI & Co GmbH. There is no corporate connection. The beneficial owner of both companies is Pascale Tschaler. Star&Cross Ltd. is not a Swiss company and is subject to Singapore law.

GDPR role: Star&Cross Ltd., as Merchant of Record, is an independent controller within the meaning of Art. 4 No. 7 GDPR for payment processing. Star&Cross Ltd. independently determines the means and purposes of payment processing (invoicing, fraud prevention, compliance with payment regulations). AI & Co GmbH remains the controller for all other data processing within the Vizera AI platform.

Data scope: Star&Cross Ltd. has access to data necessary for payment processing (name, email, billing address, transaction data). Credit card data is processed exclusively by Stripe and is not accessible to Star&Cross Ltd.
Legal basis for data transfer: Legitimate interest (Art. 6(1)(f) GDPR) — payment processing is necessary for contract performance and is transferred to Star&Cross Ltd. as an independent controller.
Data transfer agreement: A Controller-to-Controller agreement (data transfer agreement) exists between AI & Co GmbH and Star&Cross Ltd.
International data transfer: Singapore has neither an adequacy decision from the EU Commission nor recognition by the Swiss Federal Council. The transfer is secured by:
- Standard Contractual Clauses (SCCs, Module 1: Controller to Controller)
- Controller-to-Controller agreement with data protection obligations
- Transfer Impact Assessment (TIA) for Singapore
- Additional technical measures: encryption of all data (TLS 1.2+, AES-256), role-based access restrictions, audit logging

5.3 AI API services

Model	Provider	Privacy
Google Imagen 4	Google LLC (via Vertex AI)	Privacy Policy
Banana Nano / Banana Nano Pro	Google LLC (via Vertex AI)	Privacy Policy
Flux Krea / Flux Kontext Pro / Flux Pro 2.0	BFL Labs (Black Forest Labs)	Privacy Policy

5.4 Analytics and performance (with consent only)

Service	Provider	Privacy
Google Analytics 4	Google LLC / Google Ireland Ltd.	Privacy Policy

5.5 Communication

Service	Provider	Privacy
MailerLite (newsletter & email)	UAB MailerLite (Lithuania, EU)	Privacy Policy

5.6 No disclosure for advertising purposes

There is no disclosure or sale of data to third parties for advertising purposes.

6. Storage duration

Data type	Retention
User account and contract data	10 years (legally required, CO Art. 958f)
Projects and image generations	Until deletion by user
Server logs	7–30 days
Support communication	12 months
Newsletter data	Until revocation
Cookie settings	12 months

See also our separate retention policy for details.

7. Your rights (EU and Switzerland)

7.1 Rights under GDPR (EU/EEA)

Access (Art. 15 GDPR)
Rectification (Art. 16 GDPR)
Erasure (Art. 17 GDPR)
Restriction of processing (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Objection (Art. 21 GDPR)
Withdrawal of consent (Art. 7(3) GDPR)

7.2 Rights under nDSG (Switzerland)

Access (Art. 25 nDSG)
Release or transfer of your data (Art. 28 nDSG)
Erasure
Withdrawal of consent

Please direct enquiries to: privacy@vizera.ai

We respond to enquiries within 30 days.

8. Data security

We implement the following technical and organizational measures:

End-to-end encryption (HTTPS/TLS 1.2+)
Encryption of data at rest (AES-256)
Access restrictions and roles
Data isolation between projects and organizations
Audit logs and monitoring
Hosting on Google Cloud Platform with global security standards (ISO 27001, SOC 2)
Regular security reviews

See also our separate data security policy (TOMs) for details.

9. Use of cookies and analytics tools

We only use cookies that are technically necessary, as well as (with consent):

Google Analytics 4
Platform performance tracking
Conversion tracking for advertisements

All optional cookies can be disabled via the cookie banner. Details can be found in our Cookie Policy.

10. Data deletion and withdrawal of consent

You can at any time:

Delete your account
Delete your projects
Withdraw consent
Unsubscribe from newsletters
Request deletion of all personal data

Contact: privacy@vizera.ai

11. International data transfers

Where data is processed outside Switzerland/EU, we ensure:

Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR
Adequacy decisions, where available (e.g. Swiss-US Data Privacy Framework)
Additional safeguards pursuant to Schrems II case law
Data minimization: only technically necessary data is transmitted

Current third-country transfers:

Country	Service	Legal basis
USA	Stripe, Google (AI APIs, Analytics)	Swiss-US Data Privacy Framework / SCCs
Singapore	Star&Cross Ltd. (payment processing, Merchant of Record)	SCCs Module 1 (Controller-to-Controller) + C2C agreement + TIA

12. Supervisory authority

Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern
www.edoeb.admin.ch

EU (for complaints from EU citizens):
You may contact the data protection supervisory authority in your country of residence.

13. Changes

We update this Privacy Policy as needed, particularly in the event of legal changes or new processing activities. The current version is always available at www.vizera.ai/en/privacy-policy.

14. Contact

AI & Co GmbH
Email: privacy@vizera.ai

As of: February 2026. This Privacy Policy was prepared on the basis of the Swiss nDSG (in force since 1.9.2023), the EU GDPR and the EU AI Act (Regulation (EU) 2024/1689).