Privacy Policy

Last updated: December 06, 2025

Summary (Not Legally Binding)

Please read the full terms below—they are legally binding.

We collect only the data needed to run Iterthink, bill you, secure the platform, and improve features; optional inputs can be revoked anytime.
All managed AI processing, hosting, and storage stay with Infomaniak in Switzerland unless you deliberately route data to another provider via your own API key.
Third-party processors act strictly under our documented instructions, apply GDPR/FADP safeguards, and receive only the minimum data required for their service.
Cookies, analytics, and embedded elements are limited to functional, security, and opt-in usage insights; you can disable non-essential tracking.
Prompts and AI actions are logged for auditability and retained only as long as necessary; you can exercise GDPR/FADP rights at any time via privacy@iterthink.com.

1. Scope

This privacy policy explains how abstract ag, Engelgasse 45, 4053 Basel, Switzerland (\"abstract\", \"Iterthink\", \"we\"), processes personal data from website visitors and customers (\"you\"). It covers data submitted via the Iterthink website or application, regardless of whether it is provided by you or by a third party, and regardless of the transmission channel.

2. Contact

You can reach us at:

abstract ag Engelgasse 45 4053 Basel, Switzerland

Email (general): info@iterthink.com
Email (privacy inquiries): privacy@iterthink.com

3. General Information

abstract operates Iterthink, a software-as-a-service platform for document management, version control, and AI-assisted writing. We comply with the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). Personal data collected during registration or use of Iterthink is processed solely to deliver our services, unless you consent to additional uses or applicable law allows further processing. Employees are bound by confidentiality obligations, and we apply technical and organizational safeguards (e.g., IT security measures, staff training) to protect personal data.

4. Personal Data Collected and Purposes

We may collect:

Master data (name, address, email, etc.)
Data about services obtained and related transactions
Payment information
Online preferences
Feedback and communication history
Surfing and usage data (browser info, access timestamps, referrers, IP address, usage of site elements)

We use this data to deliver our services, communicate with you, perform billing, conduct market research, personalize the product, improve security, and protect against misuse (e.g., assessing creditworthiness). Required input fields are marked during registration; optional fields can be withdrawn at any time (see section 12). Surfing and usage data is primarily analyzed in aggregated form unless required to investigate specific incidents.

5. Retention Period

We store personal data only as long as needed for the stated purpose or as mandated by law.
Account master data remains until you delete your account (subject to statutory retention).
Order-related data without an account is deleted after the applicable service or warranty period, unless legal obligations require longer retention.
Data needed to refuse future business due to misuse, payment default, or similar legitimate reasons may be kept for five years (ten years for repeat cases).

6. Processing by Third Parties and International Transfers

Iterthink relies on external service providers only where required to operate the platform and deliver specific features. These providers may receive personal data solely to the extent necessary for their service, must apply appropriate security measures, and may process data exclusively according to our documented instructions and in compliance with applicable data-protection law.

All processing by external providers takes place exclusively in Switzerland or in jurisdictions offering adequate data-protection safeguards. Information about applicable guarantees is available upon request.

Iterthink currently relies on the following service providers:

Infomaniak Network SA (Switzerland)
Hosting and infrastructure for the Iterthink platform
AI services for embedding generation, semantic comparison, and LLM-based text generation when such features are used
Google LLC (USA)
Email delivery, transactional messaging, and related communication tooling
Softr Platforms Inc. (Germany)
Marketing website hosting, landing pages, and associated analytics
Stripe Payments Europe, Limited (Ireland)
Payment processing for subscriptions and other transactions

If you choose to connect your own API key for external LLM providers (e.g., OpenAI, Anthropic, Mistral), the processing of your content is performed under your direct contractual relationship with that provider and is not considered processing on behalf of Iterthink. Otherwise, all hosting and managed AI processing for Iterthink remains exclusively with Infomaniak.

7. Analytical Services

We use third-party analytics tools to measure and evaluate website usage and may embed third-party content. Analytical data is transmitted anonymously to servers abroad (including the USA). Comment analytics is opt-in only and uses anonymized, aggregated patterns and metadata—document content is never analyzed. See Terms of Service, section 9 for more detail.

8. Third-Party Elements

Embedded third-party content may automatically connect to the provider’s servers, transmitting information such as your IP address. Each provider explains its own processing purposes, scope, and user rights.

9. Cookies and Pixel Tags

We use session and persistent cookies, as well as tracking pixels:

Session cookies maintain state during a visit and are deleted after you close the browser.
Persistent cookies store preferences (e.g., language, auto-login) and remain until your browser deletes them.
Pixel tags log interactions (e.g., opening emails, visiting pages) and may transmit browser/device data.

You can delete cookies or disable them in your browser, though some features may stop working.

10. Use of Third-Party LLM Services

When you use AI-powered features (summaries, content generation, AI assistance), your data—including document content and prompts—is processed by Infomaniak by default. Infomaniak is solely responsible for running Iterthink’s managed AI workloads under our documented instructions. If you decide to connect a different LLM provider via your own API key, the text you submit will be transmitted directly to that provider instead. You control whether any provider other than Infomaniak receives your content. See the Terms of Service, sections 7.1 and 7.2, for further details.

10.1 Use of Infomaniak AI Services (Embedding, Semantic Processing & LLM Functions)

Iterthink offers optional AI-assisted features such as semantic comparison, paragraph matching, vector embedding generation, rewriting, paraphrasing, summarization, translation, classification, and chatbot-style text generation. When you actively trigger one of these features and select Infomaniak AI as the provider, the relevant text segments you submit (such as selected passages or document excerpts) are transmitted to the AI services of Infomaniak Network SA, Rue Eugène-Marziano 25, 1227 Geneva, Switzerland.

Infomaniak processes this content strictly on our documented instructions and solely for the purpose of delivering the activated AI functionality, including generating embeddings, performing semantic similarity calculations, or producing LLM-based text outputs. Processing is carried out exclusively in Switzerland and is governed by Infomaniak’s Data Processing Agreement under the FADP and GDPR, which imposes security, access-control, and deletion/retention obligations. Infomaniak does not use customer content for model training or for its own purposes.

Only the text you explicitly submit to an AI feature is transmitted. Entire documents are not sent unless you intentionally select such an option. If you choose not to use AI-assisted features, no content is transmitted to Infomaniak or any other AI provider.

Any data transmitted for embedding, semantic-processing, or LLM generation is handled solely as required to perform the requested service and remains subject to Infomaniak’s contractual obligations under its DPA. No profiling, behavioural analysis, or model training is performed, and no additional use of your content occurs.

See Infomaniak's Data Processing Agreement (DPA) for further details.

10.2 Use of Third-Party Large Language Model (LLM) Providers (User-Provided API Keys)

Iterthink allows users to connect their own API keys for third-party Large Language Model (LLM) providers in order to use optional AI-assisted features such as rewriting, summarization, translation, classification, or chatbot-style text generation. When you add an API key and actively trigger an AI feature, the relevant text segments you submit are transmitted directly to the selected provider through your key.

If you do not add an API key or do not use AI-assisted features, no content is transmitted to these LLM providers.

When using your own API key, you establish a direct contractual relationship with the respective provider. The processing of your content is governed by that provider’s terms and privacy policy. Iterthink does not control, limit, or modify how the provider handles data submitted through your key and is not the controller for this external processing.

Iterthink does not store or transmit any data to third-party LLM providers unless you explicitly initiate an AI action with a provider you have configured. Only the text you actively submit is sent; entire documents are never transmitted unless you intentionally select such an option. Iterthink does not use your submitted text for model training, profiling, or any purpose other than delivering the requested functionality within the platform.

11. Storage of Prompts and AI Inputs

Prompt storage is a core Iterthink feature that delivers traceability, collaboration history, and auditability. Every AI action you trigger is logged together with the submitted prompt so teammates can review what was asked, reproduce outputs, and meet compliance requirements. These prompts:

Remain exclusively on Iterthink infrastructure in Switzerland unless you explicitly route an action through a third-party provider (including one connected via your own API key).
Are visible inside your workspaces to provide contextual history and cannot be disabled without removing the associated AI functionality.
Are retained only as long as necessary to provide auditability, fulfill contractual obligations, or satisfy mandatory legal retention periods; deleting your account or specific workspaces removes the prompts unless law requires otherwise.
Are captured only when an AI prompt produces output that becomes part of a document or other shared workspace artifact; informal chats, discussions, or exploratory prompts that do not change content are not stored.

For additional contractual details, see Terms of Service section 7.3.

12. Legal Bases

We rely on:

Article 13(2)(a) FADP / Article 6(1)(b) GDPR (contract performance)
Article 13(1) FADP / Article 6(1)(a) GDPR (consent or legal obligation)
Article 13(1) FADP / Article 6(1)(f) GDPR (legitimate interests, e.g., preventing misuse)

13. Your Rights

You may request:

Confirmation of whether we process your data and access to such data
Correction of inaccurate data
Restriction of processing
Deletion of data (including communication to third parties) unless legal grounds require retention
Withdrawal of consent
Data portability in a common, machine-readable format

You may object to processing based on legitimate interests if your specific situation differs from other data subjects (e.g., public figures, higher risk of harm). Use the website features or contact details above to exercise your rights. If we refuse a request, we will explain why (e.g., ongoing services, legal obligations, or overriding interests). You can appeal to a competent supervisory authority if dissatisfied.

14. Changes and Severability

If any provision is invalid or unenforceable, the remaining provisions remain in effect. We may update this policy due to product evolution or legal changes and will notify you of material updates.

15. Governing Law and Jurisdiction

This policy and related agreements are governed by Swiss law unless mandatory foreign law applies. The place of jurisdiction is Basel-Stadt (BS), Switzerland.

abstract ag · Engelgasse 45 · 4053 Basel · Switzerland
Product: Iterthink
Privacy Policy · Last updated: December 06, 2025