This policy is based primarily on the revised Swiss Federal Act on Data Protection (FADP / revDSG). Where we offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA or the UK, the EU General Data Protection Regulation (GDPR) and/or UK GDPR may also apply, and we comply with them accordingly.
1. Controller
The controller responsible for the processing of personal data described here is:
Alex Wrona, trading as Gulf Cloud AdvisoryDörflistrasse 112
8050 Zurich, Switzerland
Email: alex@gulfcloudadvisory.com
We have not appointed a data protection officer, as there is currently no legal obligation for us to do so.
2. General information and legal bases
We process personal data only to the extent necessary to operate our website, respond to enquiries, perform contracts, deliver digital products and newsletters, process payments, communicate with you and provide our advisory services.
Personal data means any information relating to an identified or identifiable natural person, such as name, email address, telephone number, IP address, communication content or technical usage data.
Under the FADP, processing by a private person is lawful provided it complies with the principles of the Act (lawfulness, good faith, proportionality, purpose limitation, accuracy and security) and does not unlawfully breach the data subject’s personality. Where the GDPR applies, we rely, depending on the purpose, on the following legal bases: consent (Art. 6(1)(a)); performance of a contract or pre-contractual steps (Art. 6(1)(b)); compliance with a legal obligation (Art. 6(1)(c)); and our legitimate interests (Art. 6(1)(f)). You can withdraw any consent at any time with effect for the future.
3. Website hosting and server log data
When you visit our website, technical data necessary for operation, security and delivery is processed automatically, in particular IP address, time of access, pages accessed, browser and device information, referrer URL and technical request and log data.
Our website is hosted on Amazon Web Services (AWS Lightsail) in the Stockholm (eu-north-1) region within the EU. The provider is:
Amazon Web Services EMEA SARL38 Avenue John F. Kennedy, L-1855 Luxembourg
Processing is based on our legitimate interest in the secure, stable and efficient operation of our website (Art. 6(1)(f) GDPR, where applicable). Server log data is retained only as long as necessary for security, error analysis and abuse prevention, and is generally deleted after no later than 30 days unless a longer retention is required in an individual case.
4. Contact and email communication
If you contact us by email or via a contact form, we process the contact, enquiry and communication data you provide, in order to handle your enquiry, communicate with you, prepare proposals, perform contracts and document business transactions. Our email is operated via Google (Gmail / Google Workspace). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; data may also be processed by Google LLC in the USA (see Section 11). Where the GDPR applies, the legal basis is Art. 6(1)(b) for contract-related communication and otherwise our legitimate interest in handling enquiries (Art. 6(1)(f)).
5. Advisory engagements
When you engage us, we process the contact, contract, project, communication, access and billing data required to prepare, perform, document and invoice the engagement. This may include data from your systems and cloud environments where required for the agreed service. Where the GDPR applies, the legal basis is Art. 6(1)(b); statutory retention obligations are based on Art. 6(1)(c). Where we process personal data on your behalf, we conclude a data-processing agreement (Art. 9 FADP / Art. 28 GDPR).
6. Digital products
If we provide a digital product (e.g. a report, template or downloadable material), we process the data required to handle the order, deliver the product and communicate with you, together with any invoice and accounting data required for a paid product. We do not currently use an external online payment provider; payments for any paid newsletter or subscription are handled via Substack (see Section 8). Where the GDPR applies, the legal basis is Art. 6(1)(b) and, for statutory obligations, Art. 6(1)(c).
7. Diagnostic online assessment
We offer an interactive “AWS Co-Sell Readiness” assessment on our website. If you choose to use it and tick the consent box, we collect and store the details you enter – your name, business email address, company, role, website and phone number – together with your answers and the business-profile information you provide (such as sales cycle and team size), in order to calculate your result, generate your personalised report and contact you about it and our services. We also store partial entries where you begin but do not complete the assessment. This data is held in our website database (hosted as described in Section 3), is encrypted at rest, and your IP address is stored only in shortened or hashed form. Nothing is stored until you have given your consent at the start of the assessment, and we record the consent wording and the time it was given. Where the GDPR applies, the legal bases are your consent (Art. 6(1)(a)) and our legitimate interest in following up with interested businesses (Art. 6(1)(f)); you can withdraw your consent at any time with effect for the future. We retain this data only as long as necessary for these purposes (see Section 13).
8. Paid newsletter / subscription content (Substack)
We offer a newsletter and subscription content via the third-party platform Substack. The provider is Substack Inc., 548 Market Street, San Francisco, CA 94104, USA. If you subscribe, Substack processes your email address, subscription and (for paid plans) payment-related data on its own platform and under its own privacy policy. When you sign up, we process your email address and subscription status to send you the content you requested. Where the GDPR applies, the legal basis is your consent and/or the performance of the subscription contract (Art. 6(1)(a)/(b)). You can unsubscribe at any time via the link in each email or by contacting us. Data is transferred to the USA (see Section 11).
9. AI-assisted tools
We may use AI-assisted tools and APIs (for example from OpenAI, Anthropic or Google) to support internal work and service delivery, such as structuring, drafting, summarising or analysis. We transmit only data necessary for the respective purpose and avoid sending unnecessary personal data. We do not deliberately transmit sensitive personal data to such tools unless expressly required, lawful and separately agreed. Where the GDPR applies, the legal basis is Art. 6(1)(b) or our legitimate interest in efficient service delivery (Art. 6(1)(f)).
10. Recipients and processors
Personal data may be disclosed, where necessary, to service providers who support us with hosting, email, security, payment processing, newsletter delivery, AI tools, accounting or contract performance. Such disclosure occurs only where a legal basis exists, a data-processing agreement is in place, a legal obligation applies, or you have consented.
11. Cross-border transfers
Some providers may process personal data outside Switzerland and the EU/EEA, in particular in the United States. We transfer personal data abroad only where the conditions of the FADP and, where applicable, the GDPR are met – for example where the destination country offers adequate protection (per the Swiss Federal Council’s / EU Commission’s adequacy decisions), or on the basis of appropriate safeguards such as the Standard Contractual Clauses (with the Swiss addendum where required) or another valid transfer mechanism. You may request information about the safeguards in place.
12. Cookies and reach measurement
We aim to operate our website with as little data as possible and, where feasible, without non-essential cookies. Technically necessary cookies or similar technologies are used to provide the website, ensure security and enable core functions. Under Swiss law, the use of cookies is permitted where you are informed and can refuse them (Art. 45c lit. b of the Swiss Telecommunications Act).
Our diagnostic scorecard also uses your browser’s local storage (a technology similar to cookies) for a strictly functional purpose: it stores a small, random identifier on your device to link the steps of a single scorecard submission and avoid duplicate entries. It contains no personal data and is not used for tracking or advertising.
We do not currently use any analytics, tracking or marketing tools, and we do not set non-essential cookies. Should this change, we will update this policy and, where the GDPR/ePrivacy rules apply (e.g. for visitors in the EU/UK), obtain your prior consent before setting any non-essential cookies or using such tools.
13. Retention
We retain personal data only as long as necessary for the relevant purposes or as required by statutory retention obligations (for example, Swiss accounting and tax law generally requires business and accounting records to be kept for ten years). Enquiry and communication data is deleted once no longer needed and no retention obligation applies.
Scorecard submissions (including partial entries) are kept only as long as needed to respond and follow up, and are deleted in line with the retention period configured for that tool.
14. Your rights
Subject to the applicable legal conditions, you have the right to information (access), rectification, erasure, restriction of processing, objection, and data portability, and the right to withdraw consent with effect for the future. Under the FADP you have, in particular, the right of access (Art. 25) and the right to data portability (Art. 28). Where the GDPR applies, the corresponding rights under Articles 15–21 GDPR apply. To exercise your rights, contact us at alex@gulfcloudadvisory.com.
15. Right to lodge a complaint
If you believe that the processing of your personal data infringes data protection law, you may contact the competent supervisory authority. In Switzerland this is:
Federal Data Protection and Information Commissioner (FDPIC / EDÖB)Feldeggweg 1, 3003 Bern, Switzerland
www.edoeb.admin.ch
If you are located in the EU/EEA or the UK, you may also lodge a complaint with your local data protection authority.
16. Obligation to provide data
Providing personal data is generally voluntary. However, some data is necessary for specific processes – without it we may be unable to answer an enquiry, deliver a product, process a payment, issue an invoice or perform a service.
17. Changes to this policy
We may update this Privacy Policy when our website, services, providers or legal requirements change. The current version published on our website applies.