OraPilot

Privacy Policy

Last updated: March 20, 2026

This Privacy Policy describes how Magma Company GmbH ("OraPilot", "Provider", "we", "us", or "our") collects, uses, stores, and protects personal data in connection with the operation of the OraPilot platform ("Service") and our website at orapilot.com.


1. Data Controller

Magma Company GmbH is the data controller for personal data collected through our website, user accounts, and Service operations as described in this Privacy Policy.

Contact: contact@orapilot.com


2. Categories of Personal Data Collected

2.1. Account and Service Data (Controller Capacity)

In connection with the provision of the Service and management of Authorized User accounts, we collect and process the following categories of personal data:

  • Full name
  • Business email address
  • Company name and business address
  • Hashed authentication credentials
  • Internet Protocol (IP) address
  • Browser type, version, and device information
  • Usage data, activity logs, and session information
  • Service interaction data and feature utilization records

2.2. Website Visitor Data (Controller Capacity)

When individuals visit orapilot.com, we may collect:

  • Internet Protocol (IP) address
  • Browser type, version, and operating system
  • Pages visited, time spent, and navigation patterns
  • Referring URL and exit pages

2.3. Customer Data (Processor Capacity)

When our customers ("Controllers") use the Service, we process personal data on their behalf in our capacity as a data processor. Such Customer Data may include:

  • Email content and metadata (headers, timestamps, routing information)
  • Contact data of data subjects (names, email addresses, telephone numbers, job titles)
  • Product and material specifications
  • Commercial pricing data
  • Company and business entity names
  • Business correspondence and transactional documentation

The processing of Customer Data is governed exclusively by the Data Processing Agreement ("DPA") executed between us and the respective Controller. For inquiries regarding Customer Data, data subjects should contact the relevant Controller directly.


3. Purposes of Processing

We process personal data for the following purposes:

  • Service Delivery: To operate, maintain, provide, and deliver the Service in accordance with our contractual obligations.
  • Account Administration: To create, manage, authenticate, and secure Authorized User accounts.
  • Service Communications: To transmit service-related notifications, security alerts, system updates, and support correspondence.
  • Security and Fraud Prevention: To detect, investigate, prevent, and address security incidents, unauthorized access, fraud, and other harmful activities.
  • Service Improvement: To analyze usage patterns and generate Aggregated Data and Derived Insights for the purpose of improving, enhancing, and developing the Service, in accordance with our Terms of Service.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.

We do not engage in automated individual decision-making or profiling that produces legal effects or similarly significant effects on data subjects.


4. Legal Basis for Processing

Under the General Data Protection Regulation ("GDPR") and the Swiss Federal Act on Data Protection ("FADP"), we process personal data on the following legal bases:

  • Performance of Contract (Art. 6(1)(b) GDPR): Processing that is necessary for the performance of our contractual obligations under the Terms of Service and applicable Order Forms.
  • Legitimate Interest (Art. 6(1)(f) GDPR): Processing for the purposes of network and information security, fraud prevention, service improvement through aggregated analytics, and the development of Derived Insights, where such interests are not overridden by the fundamental rights and freedoms of data subjects.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing that is necessary for compliance with a legal obligation to which we are subject.
  • Consent (Art. 6(1)(a) GDPR): Where applicable, such as for the receipt of marketing communications. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

5. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We may share personal data solely in the following circumstances:

  • Sub-processors: With third-party service providers that assist in the operation and delivery of the Service, subject to appropriate data processing agreements. A current and complete list of sub-processors is maintained at orapilot.com/legal/sub-processors.
  • Legal Requirements: When disclosure is required by applicable law, regulation, legal process, or enforceable governmental request.
  • Protection of Rights: When disclosure is reasonably necessary to protect the rights, property, or safety of Provider, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of Provider's assets, subject to the successor entity being bound by privacy obligations no less protective than those set forth herein.

6. International Data Transfers

Certain sub-processors engaged by Provider are located outside the European Union, European Economic Area, and Switzerland (primarily in the United States of America). Where personal data is transferred to jurisdictions that have not received an adequacy decision from the European Commission or the Swiss Federal Council, we implement appropriate safeguards in accordance with applicable data protection law, including:

  • EU Standard Contractual Clauses (SCCs) adopted pursuant to Article 46(2)(c) GDPR
  • The EU-U.S. Data Privacy Framework, where the recipient has been certified thereunder
  • Any other transfer mechanism recognized as providing adequate protection under applicable law

7. Data Retention

  • Account and Service Data: Retained for the duration of the Authorized User's active account, plus a period of up to twelve (12) months following account closure for legitimate legal and operational purposes.
  • Customer Data: Retained in accordance with the applicable Data Processing Agreement. Upon termination of the DPA, Customer Data shall be returned or deleted in accordance with the terms thereof.
  • Website Visitor Data: Retained for a period not exceeding twelve (12) months from the date of collection.
  • Aggregated Data and Derived Insights: Retained indefinitely in anonymized and aggregated form in accordance with Section 4.3 of our Terms of Service.

8. Data Subject Rights

Under the GDPR and FADP, data subjects have the following rights with respect to their personal data:

  • Right of Access: To obtain confirmation as to whether personal data is being processed and to access such data.
  • Right to Rectification: To obtain correction of inaccurate or incomplete personal data.
  • Right to Erasure: To obtain deletion of personal data where applicable grounds exist under Article 17 GDPR.
  • Right to Restriction: To obtain restriction of processing in certain circumstances.
  • Right to Data Portability: To receive personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: To object to processing based on legitimate interest grounds.
  • Right to Withdraw Consent: To withdraw consent at any time, where processing is based on consent.
  • Right to Lodge a Complaint: To lodge a complaint with a competent supervisory authority.

To exercise any of the foregoing rights, data subjects may contact us at contact@orapilot.com. We shall respond to all valid requests within thirty (30) days, subject to any applicable extensions permitted by law.

For requests concerning Customer Data processed in our capacity as data processor, data subjects should direct their requests to the relevant Controller.


9. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including:

  • Encryption of data in transit using TLS/SSL protocols
  • Role-based access controls and multi-factor authentication
  • Regular security assessments and vulnerability monitoring
  • Secure cloud infrastructure hosted by industry-leading providers (DigitalOcean, Amazon Web Services)
  • Documented incident response procedures

10. Cookies and Tracking Technologies

Our website and Service use cookies and similar tracking technologies. For a comprehensive description of the cookies we use, their purposes, and your choices regarding cookies, please refer to our Cookie Policy available at orapilot.com/legal/cookie-policy.

We use strictly necessary cookies that are essential for the operation of the Service, as well as analytics and marketing cookies that are only activated with your prior explicit consent. You may withdraw your consent or modify your cookie preferences at any time through the cookie consent mechanism provided on our website.


11. Children's Privacy

The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect or process personal data from children. If we become aware that personal data of a child has been collected without appropriate consent, we shall take reasonable steps to delete such data promptly.


12. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy from time to time. We shall notify users of material changes via email or through the Service at least thirty (30) days prior to the effective date of such changes. Continued use of the Service following such notice constitutes acceptance of the revised Privacy Policy.


13. Supervisory Authorities

Data subjects who believe their data protection rights have been violated may lodge a complaint with the competent supervisory authority in their jurisdiction. For data subjects in the European Union, this is the data protection authority of the EU Member State in which the data subject resides or works. A full list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

For Swiss data subjects: Federal Data Protection and Information Commissioner (FDPIC), website: https://www.edoeb.admin.ch


Contact

Magma Company GmbH

Email: contact@orapilot.com

Website: https://orapilot.com
