Last updated: 2026-05-16

Switzerland Jurisdiction Annex

This document is a bolt-on annex to the main Gila Privacy Policy. It applies in addition to (not in place of) the main policy and gives Swiss-residing users the disclosures specific to the Federal Act on Data Protection (Bundesgesetz über den Datenschutz, BV / Loi fédérale sur la protection des données, LPD / Legge federale sulla protezione dei dati, LPD), in its revised form in force since 1 September 2023 ("revFADP" or "FADP 2023").

For under-age questions see ../child-safety-notice.md. For broader EU/EEA disclosures (which closely parallel the FADP) see ./eu-uk.md.


1. Application

This annex applies to processing of personal data of natural persons resident in Switzerland or the Principality of Liechtenstein where the controller's processing has effects in Switzerland (FADP Art 3(1)). Because Gila offers its service to Swiss residents through the App Store, Google Play, and the gila.coach website, the FADP applies in parallel with KVKK (the controller's domicile regime — see ./turkey.md).

The FADP closely tracks the GDPR in scope, definitions, and data-subject rights, but is a separate regime with its own supervisory authority (FDPIC), its own adequacy mechanism for cross-border transfers, and its own enforcement framework. Where this annex is silent, the disclosures in ./eu-uk.md provide an equivalent treatment that satisfies the FADP standard.


2. Controller and contact

| Field | Value |
|---|---|
| Controller | Sezen Soykut, natural-person sole-trader registered in Türkiye (şahıs şirketi), trading as "Gila" |
| Data Protection Officer (internal) | Sezen Soykut — dpo@gila.coach |
| Swiss representative (FADP Art 14) | The FADP requires a controller domiciled abroad to designate a representative in Switzerland where the controller processes personal data of persons in Switzerland on a large scale and regularly, where the processing involves high-risk data, or where the controller is required to do so by the FDPIC. We have assessed our processing volume and consider Switzerland-resident user numbers to be currently below the "large scale" threshold; we therefore have not appointed a Swiss representative. We re-assess annually and at each material change of Swiss-resident user count, and will appoint a Swiss representative as soon as the threshold is crossed. |
| General contact | hello@gila.coach |

3. Federal Data Protection and Information Commissioner (FDPIC)

The Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter / Préposé fédéral à la protection des données et à la transparence (FDPIC) is the Swiss federal supervisory authority for data protection. Swiss-residing data subjects may lodge a complaint with the FDPIC if they consider that the controller has failed to comply with the FADP.

| Field | Value |
|---|---|
| Authority | Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB / FDPIC) |
| Website | edoeb.admin.ch |
| Address | Feldeggweg 1, CH-3003 Bern, Switzerland |
| Languages of contact | Deutsch, français, italiano, English |

The right to lodge a complaint with the FDPIC is in addition to any private-law remedy available in the Swiss courts, including the right to civil action under the Swiss Civil Code Art 28 for protection of personality.


4. Lawful basis

The FADP does not require a positive "lawful basis" enumeration for processing general (non-sensitive) personal data — processing is permitted unless it (a) breaches a personality right of the data subject, (b) processes sensitive personal data without justification, or (c) is otherwise contrary to the data subject's reasonable expectations. The controller must observe the FADP's general principles (lawfulness, proportionality, purpose limitation, accuracy, data security, transparency).

For sensitive personal data — which under FADP Art 5(c) includes health data, religious/philosophical/political/trade union views, racial/ethnic data, social assistance data, administrative and criminal proceedings, biometric data identifying a person, and genetic data — processing requires:

  1. Justification (FADP Art 31): consent of the data subject; an overriding private or public interest; a statutory provision; or processing in connection with the establishment, exercise, or defence of legal claims.
  2. Explicit consent (Art 6(7)(a)): consent to processing of sensitive personal data must be express and based on adequate information.
  3. Heightened security: technical and organisational measures appropriate to the higher risk (FADP Art 8 + the Data Protection Ordinance).

Gila's processing of health data (body weight, GLP-1 medication, dose, side-effect severity, mood data, calorie tracking, HealthKit / Health Connect sync) falls within FADP "sensitive personal data". We rely on:

  • Express consent of the data subject, collected at the LegalConsentGate step of onboarding (FADP Art 6(7)(a)), as the primary justification for processing health data;
  • Performance of the contract with the data subject as the justification for the non-sensitive identity, contact, and account data (FADP Art 31(2)(a));
  • Overriding interest in fraud prevention and security for the bot-protection and error-tracking activities (FADP Art 31(1)(b)).

The consent surface, content, and revocation mechanics described in ./eu-uk.md § 2 and ./turkey.md § 4 are the operational implementation of FADP Art 6(7) and apply uniformly to Swiss users.


5. Cross-border transfers

FADP Art 16 governs disclosure of personal data abroad. Disclosure is permitted to a country whose legislation guarantees adequate protection, as assessed by the Federal Council (Bundesrat). For other destinations, the controller must implement one of the safeguards listed in Art 16(2): an international treaty, standard contractual clauses recognised or issued by the FDPIC, specific guarantees drawn up by the controller and the FDPIC, binding corporate rules, or explicit consent of the data subject.

5.1 Switzerland's position on the United States

The Federal Council recognised the Swiss-US Data Privacy Framework as providing adequate protection on 15 August 2024, effective on a rolling basis as US recipients certify to the Swiss-US DPF. Where a US recipient is Swiss-US-DPF certified, disclosures to that recipient are deemed to enjoy adequate protection.

For Gila, the Swiss-US DPF certification status of each US-domiciled processor is the controlling factor:

| Importer | Swiss-US DPF status | If certified | If not certified |
|---|---|---|---|
| Supabase Inc. | [VARIABLE — verify at dataprivacyframework.gov/list] | DPF adequate | SCC + supplementary measures |
| Google LLC (Firebase, Gemini, GA4) | Certified as of effective date — verify before publish | DPF adequate | SCC fallback |
| Cloudflare Inc. | Certified — verify | DPF adequate | SCC fallback |
| Vercel Inc. | Verify | DPF adequate if certified | SCC + supplementary measures |
| Perplexity AI Inc. | Verify | DPF adequate if certified | SCC + supplementary measures + minimised payload |
| Resend Inc. | Verify | DPF adequate if certified | SCC + supplementary measures |
| Beehiiv Inc. | Verify | DPF adequate if certified | SCC + supplementary measures + explicit-consent backup |
| PostHog Inc. | Verify | DPF adequate if certified | SCC + supplementary measures + EU region migration path |
| Functional Software Inc. (Sentry) | Verify | DPF adequate if certified | SCC + supplementary measures + EU region migration path |
| RevenueCat Inc. | Verify (when paywall enabled) | DPF adequate if certified | SCC + supplementary measures |
| FatSecret Inc. | Verify | DPF adequate if certified | SCC + supplementary measures + no user identifier in queries |

5.2 Standard contractual clauses for non-DPF-certified recipients

For US recipients that are not Swiss-US-DPF certified, we rely on Standard Contractual Clauses — either the European Commission Implementing Decision (EU) 2021/914 SCCs with a Swiss addendum (FDPIC has issued guidance accepting the EU SCCs with stipulated modifications for use under Swiss law), or equivalent contractual measures negotiated bilaterally with the recipient.

In addition, we apply the supplementary technical and organisational safeguards described in our Transfer Impact Assessment (tia-supabase-us.md), which mirror the EDPB Recommendations 01/2020 methodology and are acceptable to the FDPIC as supporting measures alongside SCCs. Those safeguards are: TLS 1.3 in transit, AES-256 encryption at rest, row-level security scoped to auth.uid(), contractual "no training" flag on Google Gemini, no user identifier in FatSecret and Perplexity queries, data-minimisation in every AI prompt, sole-operator access governed by documented red-lines, and 30-day backup roll-off.

5.3 Explicit consent as backup basis

For any narrow flow where neither Swiss-US DPF nor SCC is operational with respect to a particular processor, we may rely on the data subject's explicit consent to the cross-border disclosure (FADP Art 17(1)(a)). This is the same Madde-9-style basis applied for Turkish users in ./turkey.md § 6; for Swiss users it is a backup rather than the primary basis.


6. Your rights under the FADP

If you are resident in Switzerland, you have the following rights under the revFADP. To exercise any of them, use the self-service form at gila.coach/dsar or email dpo@gila.coach. We respond within 30 days at the latest (FADP Art 25(7)), free of charge for the first request in a 12-month period and where the response is straightforward.

| Right (Article) | Plain-English description |
|---|---|
| Art 19-21 — Information at collection | Be informed about the controller, the purpose of processing, the recipients (including in third countries), and the categories of data processed. This annex and the main Privacy Policy fulfil that right. |
| Art 25 — Right of access | Obtain a copy of your personal data and information about the processing. We deliver the export bundle as a signed URL valid for 24 hours, in JSON format. |
| Art 32 — Right of rectification | Have inaccurate data corrected. Most fields can be self-edited in the app Settings; for the remainder, contact dpo@gila.coach. |
| Art 32(2) — Right to deletion | Have data deleted where the conditions in Art 32(2) are satisfied. The in-app and web Delete-Account flow is the operational implementation. |
| Art 28 — Right to data portability | Receive in a standard, machine-readable format the data you provided to us and have it transferred to another controller. Our Art 25 export bundle (JSON) satisfies the portability right. |
| Art 30(2) — Right to object | Object to specific processing where you have a legitimate interest in doing so. For direct marketing, the objection is honoured immediately and the address is added to a permanent suppression list. |
| Art 21 — Information about automated individual decisions | Be informed where a decision that has legal effect or significant effect is made about you exclusively by automated means. See § 7 below for our position on automated decisions. |
| Art 16 — Right to lodge a complaint | Lodge a complaint with the FDPIC. See § 3 above. |

6.1 Identity verification

To prevent fraudulent requests we may ask you to verify your identity. Our default method is a verification email to the address on the account, combined with a Cloudflare Turnstile challenge on the intake form.


7. Automated decisions and AI

Gila's AI features (Google Gemini food vision, AI coaching, narrative reports, habit suggestions; Perplexity grounded research) produce AI suggestions that you can accept, edit, or ignore. No decision is made about you exclusively by automated means in a way that produces legal effects or significantly affects you within the meaning of FADP Art 21.

We nevertheless apply the FADP Art 21 safeguards as a matter of good practice: we inform you upfront that you are interacting with AI; we name the underlying provider (Google Gemini, with secondary use of Perplexity); we collect explicit consent for AI features as a separate granular category at the LegalConsentGate; you can withdraw AI-features consent at any time; you can request human review by emailing dpo@gila.coach.

For the equivalent treatment under GDPR Art 22 see ./eu-uk.md § 6. For the equivalent treatment under KVKK Madde 11(g) see ./turkey.md § 7.


8. Children

Swiss civil law sets Urteilsfähigkeit (capacity of judgment) on a case-by-case basis depending on the maturity of the minor, with full civil capacity at 18 (Swiss Civil Code Art 14, 17, 19). For information-society services, the practice has been to treat consent given by a sufficiently mature minor as valid, with parental authorisation expected for younger or sensitive cases.

Gila's 16+ age gate is set above the typical Urteilsfähigkeit threshold for an information-society service and is therefore sufficient for the Swiss context. The procedure for under-age discovery — suspend within one business day, delete within seven days, notify the email on file — is described in ../child-safety-notice.md § 3.


9. Security

FADP Art 8 and the Data Protection Ordinance require the controller to ensure data security through technical and organisational measures appropriate to the risk. Our measures are summarised in ./eu-uk.md § 10 and detailed in our internal RoPA. For health (sensitive) data, the measures include row-level security in PostgreSQL scoped to auth.uid(), contractual "no training" flag on Google Gemini, data minimisation at the AI-prompt boundary, encryption in transit (TLS 1.3) and at rest (AES-256), and sole-operator access governed by documented purposes.

Where a data breach is likely to result in a high risk to the personality or fundamental rights of a data subject, we notify the FDPIC "as soon as possible" per FADP Art 24, and the affected data subjects where the FDPIC requires. The internal target is alignment with the GDPR 72-hour notification standard.


10. Retention

Retention periods are identical to those in ./eu-uk.md § 10 and ./turkey.md § 11. Personal data is retained only for as long as necessary for the purposes for which it was collected. Account data is retained while the account is active; deletion requests are fulfilled within 30 days; backups roll off within 30 days.


11. Changes

We will revise this annex when applicable Swiss law changes (e.g., a new FDPIC adequacy assessment, a change in the Swiss-US DPF status, a revFADP amendment) or when our processing materially changes. Material changes are notified by email to all account-holders at least 30 days before they take effect, accompanied by an in-app banner and a website-banner notice. The version number, effective date, and changelog are recorded in the YAML frontmatter at the top of this document.


12. Contact

| Channel | Address |
|---|---|
| Data Protection Officer | dpo@gila.coach |
| General support | support@gila.coach |
| Self-service rights request | https://gila.coach/[locale]/dsar |
| Swiss representative (FADP Art 14) | Not appointed at present — see § 2. |
| FDPIC complaint | edoeb.admin.ch |