Privacy Policy
IPI Terminal - Human IP SARL · Last updated: June 22, 2026 · Version 1.0
NOTICE: This is a preliminary document prepared for legal review. It has not been approved by counsel and does not constitute legal advice.
1. Introduction and Controller Identity
Human IP SARL ("Human IP," "we," "us," or "our"), a Swiss limited liability company with registered office in Geneva, Switzerland, operates the IPI Terminal platform at ipiterminal.com.
Human IP SARL is the data controller for personal data collected through the Platform, within the meaning of:
- The Swiss Federal Act on Data Protection (nDSG / LPD), effective September 1, 2023
- The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, to the extent applicable to EU residents
- Applicable Canadian privacy legislation including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25
For privacy inquiries: [email protected]
2. Data We Collect
2.1 Account Data
- Name, email address, and password (hashed, never stored in plaintext)
- Company name and professional role (optional, provided at registration)
- Account plan and subscription status
2.2 Identity Verification Data (KYC/AML)
For users who purchase the Ownership Verification service or participate in NFP-related offerings, we collect identity verification data through our third-party provider Didit (didit.me), including:
- Government-issued identification documents
- Liveness verification data (facial recognition)
- Accredited investor status documentation (tax returns, bank statements, or advisor letters - encrypted, stored separately)
- Sanctions screening results
This data is classified as Level 2 (Owner Submitted Data) or Level 3 (Highest Sensitivity) under our internal data classification policy and is subject to enhanced security controls including AES-256-GCM field-level encryption.
2.3 Payment Data
Payment card information is processed directly by Stripe, Inc. We receive only transaction metadata (amount, currency, status, last four digits of card). We do not store full payment card numbers.
2.4 Platform Usage Data
- Patent searches, screener filters applied, reports generated and downloaded
- Feature interactions and navigation patterns
- Report purchase history and download logs
2.5 Technical Data
- IP address and approximate geolocation (country/region level)
- Browser type, operating system, and device identifiers
- Session data and authentication tokens
- Error logs and performance metrics
2.6 Analytics Data
We use PostHog for product analytics. PostHog collects anonymized usage events to help us understand how users interact with the Platform. PostHog data is processed in the EU. You may opt out of analytics tracking through our Cookie Settings.
2.7 Communications Data
- Emails you send to our support or contact channels
- Enterprise inquiry form submissions
- Litigation and expert consultation intake form responses
- Patent submission requests
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) | Legal Basis (nDSG) | Retention |
|---|---|---|---|
| Account creation and authentication | Contract performance | Contract performance | Account lifetime + 1 year |
| Delivering purchased reports and services | Contract performance | Contract performance | 5 years |
| KYC/AML identity verification | Legal obligation / Contract | Legal obligation | 5 years minimum (regulatory) |
| Payment processing | Contract performance | Contract performance | 7 years (accounting) |
| Platform analytics and improvement | Legitimate interest | Legitimate interest | 2 years |
| Security and fraud prevention | Legitimate interest / Legal obligation | Legitimate interest | 3 years |
| Marketing communications (with consent) | Consent | Consent | Until withdrawal |
| Legal compliance and regulatory reporting | Legal obligation | Legal obligation | As required by law |
4. Data Sharing and Third Parties
We share personal data only as necessary and with appropriate safeguards:
| Third Party | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Transaction data (no full card numbers) | United States |
| Didit (didit.me) | KYC/AML identity verification | Identity documents, liveness data | EU |
| PostHog, Inc. | Product analytics | Anonymized usage events | EU (eu.posthog.com) |
| Mixpanel, Inc. | Product analytics | Anonymized usage events | United States |
| Resend, Inc. | Transactional email delivery | Email address, email content | United States |
| AlphaVantage | Market data (no personal data shared) | None | United States |
| Abacus AI, Inc. | Hosting infrastructure | All Platform data (as data processor) | United States |
We do not sell personal data to third parties.
For transfers to the United States (Stripe, Mixpanel, Resend, Abacus AI), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards under applicable law.
5. Data Residency
Personal data submitted through the Platform's patent submission, ownership verification, and KYC/AML flows (Level 2 and Level 3 data per our classification) is stored exclusively in EU data centers:
- Primary storage: eu-central-1 (Frankfurt, Germany)
- Backup: eu-west-3 (Paris, France)
No Level 2 or Level 3 data is replicated to data centers outside the EU/EEA, including for North American users. This applies regardless of the user's jurisdiction of residence.
General Platform data (account data, usage logs) may be processed on infrastructure operated by Abacus AI in the United States, subject to appropriate transfer safeguards.
6. Data Security
We implement technical and organizational measures to protect personal data, including:
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: AES-256-GCM for Level 2 and Level 3 data
- Envelope encryption: Per-record Data Encryption Keys (DEKs) wrapped by a master Key Encryption Key (KEK) stored in hardware-bound storage (YubiKey PIV), never in the database
- Access controls: Role-based access with audit logging for all sensitive data access
- Admin authentication: Hardware security key (FIDO2/WebAuthn) required for administrative access
- Breach detection: Automated anomaly detection with 72-hour FDPIC notification procedures
Despite these measures, no security system is impenetrable. In the event of a data breach affecting your rights and freedoms, we will notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) within 72 hours, and affected data subjects without undue delay, in accordance with nDSG requirements.
7. Your Rights
7.1 Rights Under GDPR (EU Residents)
- Right of access (Art. 15): Request a copy of personal data we hold about you
- Right to rectification (Art. 16): Correct inaccurate personal data
- Right to erasure (Art. 17): Request deletion of your data, subject to legal retention requirements
- Right to restriction (Art. 18): Restrict processing in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interest
- Rights related to automated decision-making (Art. 22): Not be subject to solely automated decisions with significant effects
7.2 Rights Under Swiss nDSG
- Right to information about processing of your personal data (Art. 25)
- Right of access to your personal data (Art. 25)
- Right to correction of inaccurate data (Art. 32)
- Right to erasure or restriction where processing is unlawful or data is no longer necessary (Art. 32)
7.3 Rights Under Canadian PIPEDA / Quebec Law 25
- Right to access personal information held about you
- Right to correct inaccurate information
- Right to withdraw consent for non-essential processing
- Right to data portability (Quebec Law 25)
7.4 Exercising Your Rights
To exercise any of the above rights, contact: [email protected]
We will respond within 30 days (GDPR) or as required by applicable law. Identity verification may be required before processing requests.
8. Data Retention
| Data Category | Retention Period | After Expiry |
|---|---|---|
| Account data | Account lifetime + 1 year after closure | Anonymized |
| Report purchase history | 7 years (accounting requirements) | Anonymized |
| KYC/AML verification documents | 5 years minimum from verification date | Secure deletion |
| KYC/AML accredited investor docs | 5 years from verification; max 10 years | Secure deletion, anonymized metadata retained |
| Payment records | 7 years (Swiss accounting law) | Secure deletion |
| Analytics/usage logs | 2 years | Automatic deletion |
| Security/access logs | 3 years | Automatic deletion |
| Level 3 (unpublished applications) | Until patent publication + 1-3 years | Reclassified or deleted |
9. Cookies
Please refer to our Cookie Policy for detailed information about cookies and tracking technologies used on the Platform.
10. Children's Privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will delete it promptly.
11. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and updating the "Last updated" date. For significant changes affecting your rights, we will provide additional notice (such as an email notification).
12. Contact and Supervisory Authorities
Data Controller:
Human IP SARL
Geneva, Switzerland
[email protected]
Swiss Supervisory Authority:
Federal Data Protection and Information Commissioner (FDPIC / PFPDT)
Feldeggweg 1, 3003 Bern, Switzerland
https://www.edoeb.admin.ch
EU Supervisory Authority: If you are located in the EU and have concerns about our data processing, you have the right to lodge a complaint with your local data protection supervisory authority.
Canadian Privacy Commissioner:
Office of the Privacy Commissioner of Canada
https://www.priv.gc.ca
