GDPR
Stellos AG is committed to full compliance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP).
Last updated: May 2026
Our Commitment
Stellos AG processes personal data only for defined, lawful purposes. We collect the minimum data necessary, store it securely, and never sell it. Every person whose data we hold has the right to access, correct, or delete it at any time.
Scope of GDPR Applicability
Although Stellos AG is headquartered in Switzerland, a country recognised by the European Commission as providing an adequate level of data protection, the GDPR applies to our operations where we process personal data of individuals located in the EU or EEA. We apply GDPR standards across all our operations as a baseline.
Roles: Controller and Processor
Stellos operates in two distinct capacities depending on context:
- Data Controller, for data collected directly through our website (contact form enquiries, demo requests, and direct communications). We determine the purposes and means of processing.
- Data Processor, for personal data processed on behalf of our clients (property managers, operators) through the Stellos platform, such as licence plate records, access logs, and tenant data. In this role, we act on documented instructions from our clients, who are the data controllers.
All client relationships involving personal data processing are governed by a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.
Legal Bases We Rely On
- Article 6(1)(b), Contract: processing necessary to perform our services.
- Article 6(1)(c), Legal obligation: compliance with applicable Swiss and EU law.
- Article 6(1)(f), Legitimate interest: responding to enquiries, improving our platform, and maintaining security.
- Article 6(1)(a), Consent: marketing communications, where explicitly given and freely withdrawable at any time.
Data Subject Rights
Under GDPR, individuals have the following rights, which we honour without undue delay and within 30 days of a verified request:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your data where no overriding legal basis applies.
- Right to restriction (Art. 18): limit how we process your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest, including profiling.
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting prior lawful processing.
To exercise any of these rights, email contact@stellos.com with your request. We may ask you to verify your identity before acting on it.
International Data Transfers
Where personal data is transferred outside Switzerland or the EEA, we rely on one or more of the following safeguards:
- An adequacy decision by the European Commission for the destination country.
- Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR).
- Binding Corporate Rules or other approved transfer mechanisms.
Our primary infrastructure is hosted in EEA and Swiss data centres. We conduct transfer impact assessments where required.
Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. Specific retention periods:
- Contact form and enquiry data: up to 24 months from last contact.
- Platform operational data (processed as a data processor): as specified in client DPAs.
- Financial and billing records: 10 years as required by Swiss accounting law.
Data is securely deleted or anonymised at the end of its retention period.
Security Measures
We implement appropriate technical and organisational measures (TOMs) in accordance with Article 32 GDPR, including:
- Encryption of data in transit (TLS) and at rest.
- Access controls and least-privilege principles for internal systems.
- Regular security assessments and penetration testing.
- Infrastructure hosted in ISO 27001-certified data centres.
- Incident response procedures with breach notification protocols meeting the 72-hour requirement under Article 33 GDPR.
Data Processing Agreements
Clients who use the Stellos platform to process personal data of their tenants, employees, or end users are required to enter into a Data Processing Agreement (DPA) with Stellos AG. This DPA governs the nature, purpose, and duration of processing, and sets out the obligations of both parties under Article 28 GDPR.
To request a DPA, contact us at contact@stellos.com.
Supervisory Authority
If you are located in Switzerland and believe your data has been processed unlawfully, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch.
If you are located in the EU or EEA, you have the right to lodge a complaint with the supervisory authority in your country of residence or where the alleged infringement occurred.
Contact
For any GDPR-related enquiries or requests, or to obtain a copy of our DPA, please contact:
Stellos AG, Data Protection
Apfelbaumstrasse 45, 8050 Zürich, Switzerland
contact@stellos.com