Privacy Notice

Effective date: March 1, 2026. This notice explains how Dialogue collects and processes personal data when you use dialogue.cx or contact us about the service.

Controller Identity

Dialogue, Räbacher 7, 8143 Stallikon, Switzerland, is the data controller for website, lead capture, onboarding, billing, and account-level service operations described in this notice.

Controller Contact

Privacy and data protection requests: hi@nicolasmenard.design

Controller and Processor Roles

Dialogue acts as a controller for its own commercial operations (site analytics with consent, lead management, billing, and support). Dialogue may also act as a processor for customer research operations when processing participant or study data on the customer’s documented instructions.

Data Categories We Collect

Depending on your interaction with us, we may collect contact details, intake and study-setup data, participant operational metadata, report recipient emails, billing and transaction references, technical security logs, and privacy request records.

Purposes and Legal Bases

• Service delivery and onboarding: processing necessary to perform a contract or take steps before contract.
• Billing, accounting, and tax compliance: processing necessary to comply with legal obligations.
• Security, fraud prevention, and abuse controls: legitimate interests in keeping the service safe and reliable.
• Optional analytics and non-essential cookies/local storage: consent.

Recipients and Subprocessor Categories

We share data only where needed to operate the service, including infrastructure/storage providers, payment processors, analytics providers (consent-based), email delivery providers, and support tooling. Current core providers include Supabase, Stripe, PostHog, and Resend. Optional AI-assisted intake copy refinement may use OpenAI only when triggered by the user.

International Transfers and Safeguards

Where data is transferred outside Switzerland or the EEA/UK, we rely on recognized safeguards, including adequacy decisions and/or Standard Contractual Clauses, as applicable to the recipient and transfer context.

Retention Periods

• Lead and onboarding records: up to 24 months after last meaningful contact, unless a longer period is required by law.
• Study operational records and intake payloads: for the study lifecycle and typically up to 12 months after completion, unless contractually changed.
• Billing and tax-relevant records: retained for the legally required period (typically up to 10 years in Switzerland).
• Security and access logs: generally 90 days, with incident-related records retained longer where justified.
• Privacy request records: up to 3 years to demonstrate request handling compliance.

We may retain data longer where required by law or needed to establish, exercise, or defend legal claims.

Your Rights and How to Exercise Them

You may request access, rectification, erasure, restriction, portability, objection, and consent withdrawal (where consent is the legal basis). Submit requests to hi@nicolasmenard.design or via POST /api/privacy-request. We may request identity verification before completing the request. We aim to acknowledge requests within 72 hours and resolve them within one month, subject to lawful extension.

Complaint Rights

If you believe your data has been handled unlawfully, you can lodge a complaint with your local EU/EEA data protection authority (where applicable) and/or with the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Data Minimization and Security

We collect only data needed to provide and secure the service. Access is restricted based on operational need, and we use technical and organizational measures appropriate to the sensitivity and risk profile of the data.

Children and Minors

Dialogue is not directed to children. Do not submit personal data of minors unless you have a lawful basis and required permissions under applicable law.

EU Representative (Article 27) Review Status

We are actively reviewing GDPR Article 27 representative requirements as our EU processing footprint evolves. If an EU representative appointment becomes mandatory, representative details will be published in this notice.

Changes to This Notice

We may update this notice when our processing activities, legal requirements, or service architecture change. The effective date at the top of this page reflects the latest published version.

Related documents: Cookie Policy, Terms, EU Consumer Rights.