Privacy Policy

Last updated on March 07, 2024

This privacy policy applies to CAOS Ltd., the websites it operates (including, and and the services and products it provides (including ZITADEL). This privacy policy describes how we process personal data for the provision of these websites and our products.

If any inconsistencies arise between this Privacy Policy and the otherwise applicable contractual terms, framework agreement, or general terms of service, the provisions of this Privacy Policy shall prevail. This privacy policy covers both existing personal data and personal data collected from you in the future.

The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is

Data Protection Officer
Lerchenfeldstrasse 3 9014 St. Gallen

Our representative in the EU is

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg

General notes

Based on Article 13 of the Swiss Federal Constitution and the data protection provisions of the Swiss Confederation (Data Protection Act, DSG), every person has the right to protection of their privacy as well as protection against misuse of their personal data. The operators of these websites and services take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this data protection declaration.

In cooperation with our suppliers, we make every effort to protect the databases and any of our users' data as well as possible against unauthorized access, loss, misuse or falsification. We point out that data transmission over the internet in general may result in security risks. Complete protection of the data against access by third parties is not possible.

This website uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://".

Personal data is any information that relates to an identified or identifiable person. A data subject is a person about whom personal data is processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, acquisition, deletion, storage, modification, destruction and use of personal data.

We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) GDPR:

  • Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) GDPR serves as the legal basis.
  • When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b GDPR serves as the legal basis.
  • To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
  • For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
  • If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.

We will retain personal data for the period of time necessary for the particular purpose for which it was collected.

Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.

Processing of personal data when using the website, contact forms and in connection with newsletters

Our websites can generally be visited without registration. Each time one of our websites is requested, data such as content of the requested page, name of the requested file, IP address, date and time are automatically stored in log files on the server.

This data is processed to enable correct delivery and functioning of the website. In addition, we use the data to optimize the website and to ensure the security of our systems.

Personal data, in particular name, address or e-mail address are collected as far as possible on a voluntary basis, for example when you contact us via a contact form or by e-mail. Without your consent, the data will not be passed on to third parties, unless shown in this privacy policy.

If you send us inquiries via contact form, your data from the form, including any data you provided, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent, except insofar as this is shown in this privacy policy.

If you would like to receive newsletters offered on our websites, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information and do not pass it on to third parties, except as described in this privacy policy.

You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe link" in the newsletter.

Processing of personal data in connection with the use of our products

The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data.

In particular, the following personal data are part of the processing:

Type of personal data: Basic data
Examples:
  • Family and given name
  • Email addresses
  • User name
Affected data subjects: All users

Type of personal data: Login data
Examples:
  • Randomly generated ID
  • Password
  • Public keys / certificates ("FIDO2", "U2F", "x509", ...)
  • User names or identifiers of external login providers
  • Phone number(s)
Affected data subjects: All users
  • Password: Users who use authentication methods with password.
  • Public Keys: Users who use an authentication procedure with cryptographic keys.
  • External login provider identifiers: Users who use an external login provider.
  • Phone number: Users who use authentication methods with SMS.

Type of personal data: Profile data
Examples:
  • Profile pictures
  • Gender
  • Language
  • Nickname
  • Display name
  • Phone number(s)
Affected data subjects: Users who voluntarily add profile data

Type of personal data: Communication data
Examples:
  • Emails
  • Chats
  • Call metadata
Affected data subjects: Customers and users who communicate with us directly (e.g. support)

Type of personal data: Payment data
Examples:
  • Billing address
  • Payment information
  • Customer number
  • Customer history
  • Credit rating information
Affected data subjects: Customers who use services that require payment
  • Credit rating information: Only customers who pay by invoice

Type of personal data: Usage meta data
Examples:
  • User agent
  • IP addresses
  • Operating system
  • Time and date
  • URL
  • Referrer URL
  • Accept Language
Affected data subjects: All users

Unless otherwise mentioned, the nature and purpose of the processing is as follows:

The data is uploaded by customers in our services or collected by us based on requests from users. The personal data is processed by us exclusively for the provision of the requested services or the use of the agreed services.

The fulfillment of the contract includes in particular, but is not limited to, the processing of personal data for the purpose of:

  • Authentication and authorization of users
  • Storage and processing of user actions in the audit trail
  • Processing of personal data and login information
  • Verification of communication means
  • Communication regarding service interruptions or service changes

Disclosure to third parties

Third party sub-processors

We use third-party services to provide the website and our offers. An up-to-date list of all the providers we use and their areas of activity can be found on our list of involved and approved sub-processors.

External payment providers

This website uses external payment service providers through whose platforms users and we can make payment transactions. For example via

As an alternative, we offer customers the option to pay by invoice instead of using external payment providers. However, this may require a positive credit check in advance.

The data processed by the payment service providers includes personal data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, totals and recipient-related information. The information is necessary to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. We as the operator do not receive any information about (bank) account or credit card, but only information to confirm (accept) or reject the payment. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check the identity and creditworthiness of the payment service provider. In this regard, we refer to the terms and conditions and data protection information of the payment service providers.

For payment transactions, the terms and conditions and the data protection notices of the respective payment service providers apply, which can be accessed within the respective website or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information and other rights concerned.

Law enforcement

We disclose personal information to law enforcement agencies, investigative authorities or in legal proceedings to the extent we are required to do so by law or when necessary to protect our rights or the rights of users.


Our websites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.

In particular, we use the following cookies to provide our services:

When you use our services, we may collect information about your visit, including via cookies, beacons, invisible tags, and similar technologies (collectively "cookies") in your browser and on emails sent to you. This information may include Personal Information, such as your IP address, web browser, device type, and the web pages that you visit just before or just after you use the services, as well as information about your interactions with the services, such as the date and time of your visit, and where you have clicked.

Necessary cookies

Some cookies are strictly necessary to make our services available to you. We cannot provide you with our services without this type of cookie.

Necessary cookies provide basic functionality such as:

  • Session Management
  • Single Sign-On
  • Rate Limiting
  • DDoS Mitigation
  • Remembering Preferences

Analytical cookies

We also use cookies for website analytics purposes in order to operate, maintain, and improve the services for you. We use Google Analytics 4 to collect and process certain analytics data on our behalf. Google Analytics helps us understand how you engage with the services and may also collect information about your use of other websites, apps, and online resources. We don't use Google Analytics on customer instances of ZITADEL, only on our public websites and customer portal.

You can learn about Google’s practices by going to and opt out by managing your cookie consent through our services or a third-party tool of your choice.

If you do not want us to use cookies during your visit, you can disable their use in your browser settings. In this case, certain parts of our website (e.g. language selection) may not function or may not function fully. Where required by applicable law, we obtain your consent to use cookies.

Rights of data subjects

Right to information

Any person affected by the processing has the right to obtain information from the responsible data processor at any time about the personal data stored about him or her.

Right to rectification

Every person affected by the processing has the right to demand the correction of inaccurate personal data concerning him or her. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

Right to erasure (right to be forgotten)

Any person affected by the processing has the right, in certain cases, to request from the responsible data processor to delete the personal data concerning him or her.

Right to restrict processing

Every person affected by the processing has the right in certain cases to request from the responsible data processor to restrict the processing.

Right to data portability

Every person affected by the processing has the right to receive the personal data concerning him or her in a structured, common and machine-readable format. He or she also has the right to have this data transferred to another data processor if the legal requirements are met.

Right to object

Every person affected by the processing has the right to object to the processing of personal data concerning him or her, insofar as we base the processing of his or her personal data on a balancing of interests. This is the case if the processing is not necessary, for example, to fulfill a contract or a legal obligation.

To exercise such an objection, the data subject must explain his or her reasons why we should not process his or her personal data as we have done. We will then review the situation and either stop or adjust the data processing or show the data subject our reasons for continuing the processing.

Insofar as our processing is based on consent, the data subject has the right to revoke this consent at any time with effect for the future.

Assertion of rights by the data subjects

If you wish to exercise your rights, you may do so by contacting the above-mentioned contact person.

A data subject also has the right to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner ( The competent data protection authorities of EU countries can be viewed at this link:

Note on data transfer abroad

Our websites and services make use of tools from companies based in countries outside of Switzerland or the EU/EEA, namely those based in the USA. When these tools are active, your personal data may be transferred to the servers of the respective companies abroad. We would like to point out that some of these countries, namely the USA, are not a safe third country in the sense of Swiss and EU data protection law. In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above.

We actively try to minimize the use of tools from companies located in countries without equivalent data protection; however, due to the lack of alternatives, this is currently not always feasible without major inconvenience. If you have any concerns, please contact us directly and we will try to find a mutual solution for your needs.


We may amend this privacy policy at any time without prior notice. The current version published on our website always applies to users and customers of our website and services. Insofar as the data protection declaration is part of an agreement with you, we will inform you of the change by e-mail or other suitable means in the event of an update.

Questions about data processing by us

If you have any questions about our data processing, please email us or contact the person in our organization listed at the beginning of this privacy statement directly.