Privacy Policy
Controller
The controller within the meaning of Art. 4 No. 7 GDPR and Art. 5 lit. j of the revised Swiss Federal Act on Data Protection (revFADP) is:
| Field | Detail |
|---|---|
| Company | DITTRICH & PARTNERS GmbH |
| Address | Brodlaube 18, 4310 Rheinfelden, Switzerland |
| UID | CHE-192.735.800 |
| Commercial Register | CH-400.4.036.235-8 |
| Email | legal@five-moves.org |
| Privacy Contact | Andreas Dittrich (Managing Director) |
| Website | fivemoves.org |
Note on Data Protection Officer: We are not legally required to appoint a Data Protection Officer under Art. 37 GDPR. For all privacy matters please use the email address above.
Scope
This Privacy Policy applies to:
- the website fivemoves.org and all subdomains
- the FIVE MOVES® Mobile App (Apple App Store, Google Play Store)
- the FIVE MOVES® Backend (backend-api.fivemoves.org)
- all associated online services of DITTRICH & PARTNERS GmbH (courses, CRM, bookings, Trainer Hub, AI training features)
External linked content and services are subject to their own privacy policies. The Cookie Policy is available separately at https://fivemoves.org/en/en/cookies.
Definitions
We use the definitions from Art. 4 GDPR and Art. 5 revFADP. The most important in short form:
| Term | Meaning |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person (e.g. name, email, IP address, app usage data). |
| Processing | Any operation performed on personal data: collecting, recording, storing, adapting, retrieving, using, disclosing, erasing. |
| Controller | The entity that determines the purposes and means of processing. That is us (see §1). |
| Processor | A service provider that processes data on our behalf and on our instructions (e.g. hosting, Stripe, Claude API). Governed by a Data Processing Agreement (DPA) under Art. 28 GDPR. |
| Consent | Freely given, specific, informed and unambiguous indication of the data subject's wishes, typically by clicking an Accept button. |
| Third country | Country outside the EU/EEA and outside Switzerland (e.g. USA, UK). |
| Pseudonymisation | Processing such that personal data can no longer be attributed to a specific person without additional information. |
| Standard Contractual Clauses (SCC) | EU Commission contractual template intended to ensure an adequate level of protection for data transfers to third countries. |
| EU-US Data Privacy Framework (DPF) | Adequacy decision of the EU Commission dated 10 July 2023 for certified US providers. The Swiss-US DPF applies for Swiss transfers. |
Legal Bases
We process personal data under the European General Data Protection Regulation (GDPR), the revised Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and, where applicable, the California Consumer Privacy Act (CCPA / CPRA).
Depending on the processing activity we rely on one of the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Account creation, login, contract performance (courses, bookings, invoices, trainer onboarding) | Art. 6(1)(b) GDPR (performance of a contract) |
| Retention of invoices, contracts, accounting records | Art. 6(1)(c) GDPR in conjunction with Art. 957 et seq. Swiss CO (statutory retention) |
| Newsletter (see §8) | Art. 6(1)(a) GDPR (consent via double opt-in) |
| AI training features (see §7) | Art. 6(1)(a) GDPR (consent), and Art. 9(2)(a) GDPR for sensitive content |
| Server logs, fraud prevention, IT security | Art. 6(1)(f) GDPR (legitimate interest in stable, secure operation) |
| Analytics cookies, marketing cookies | Art. 6(1)(a) GDPR (consent via cookie banner) |
| Handling support requests | Art. 6(1)(b) or Art. 6(1)(f) GDPR |
Data Categories
- Contact data: name, email, phone, address
- Account data: username, password (hashed, never in plaintext)
- Course data: progress, quiz and exam results, certifications, learning journals
- Payment data: processed directly by Stripe, SumUp, TWINT, Apple or Google. We do not store full credit-card data — only token references, receipt numbers and status.
- AI interaction data: texts you voluntarily enter into AI-powered features and the corresponding AI responses (see §7).
- Trainer profile data (for Trainer Partners only): bank details (IBAN, BIC), social-insurance data where required, profile picture.
- Free-text content: contact-form messages, feedback, learning-journal entries.
- Technical data: IP address (anonymised or truncated), browser, OS, device type, referrer
- Usage data: page views, app usage patterns, lesson progress, session duration, click paths
- Performance data: crash reports, diagnostics, performance metrics
- Location data: approximate country/city level based on IP. No GPS tracking.
Processors and Services Used
With each of the following providers — where personal data is processed — we have concluded a Data Processing Agreement (DPA) under Art. 28 GDPR. For US providers we rely primarily on the provider's DPF certification and subsidiarily on the EU Standard Contractual Clauses 2021/914.
| Service | Purpose | Location | DPA | Transfer basis |
|---|---|---|---|---|
| CYON GmbH | Web hosting fivemoves.org | Switzerland | Yes | Switzerland — adequate level |
| Render.com (Render Services Inc.) | App and backend infrastructure | EU (Frankfurt) | Yes | EU — GDPR direct |
| Cloudflare Inc. | CDN, video hosting, DDoS protection | USA / global | Yes | EU-US DPF + SCC |
| FIVE MOVES platform (self-hosted) | Online academy, CRM, accounting | CH / EU | Self-operated | — |
Currently no external analytics cookies are active. A Google Analytics 4 integration is technically prepared but not yet productively deployed. As soon as it goes live we will update this Policy and obtain your consent via the cookie banner.
| Service | Purpose | Location | DPA | Transfer basis |
|---|---|---|---|---|
| Google Workspace (Google Ireland Ltd.) | Internal communication, admin, email | EU / USA | Yes | EU-US DPF + SCC |
| Zoom Video Communications Inc. | Live sessions, workshops, support | EU region | Yes | EU-US DPF + SCC |
| Stripe Payments Europe Ltd. | Online payments, subscription management | Ireland / USA | Yes | EU-US DPF + SCC |
| SumUp Payments Ltd. | On-site payments (card terminal) | Ireland (EU) | Yes | EU — GDPR direct |
| TWINT AG | Mobile payments Switzerland | Switzerland | Yes | Switzerland — adequate level |
| Apple Inc. | In-app purchases iOS | USA | Apple standard agreement | EU-US DPF + SCC |
| Google Ireland Ltd. | In-app purchases Android | Ireland / USA | Yes | EU-US DPF + SCC |
Currently no external marketing tracking is active. Meta Pixel, LinkedIn Insight Tag or comparable advertising pixels are not embedded. Should we activate such services in the future, we will update this Policy accordingly, load them only after your explicit consent via the cookie banner and conclude a Data Processing Agreement (DPA) with the respective provider.
| Service | Purpose | Location | DPA | Transfer basis |
|---|---|---|---|---|
| Anthropic PBC (Claude API) | AI-assisted training features, see §7 | USA | Yes — Anthropic DPA | EU-US DPF + SCC + consent |
Due diligence: We select processors with care, examine their technical and organisational measures and monitor contractual compliance under Art. 28(1) GDPR.
Claude API (Anthropic) — AI Features in Detail
For the AI features of our platform we use the Claude API provided by Anthropic PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA. Anthropic acts as our processor within the meaning of Art. 28 GDPR.
By using the API the Anthropic Data Processing Addendum (DPA) automatically becomes part of our agreement with Anthropic, incorporated by Sec. C of the Anthropic Commercial Terms of Service. The DPA is available at:
Anthropic is certified under the EU-US Data Privacy Framework. Additionally the EU Standard Contractual Clauses 2021/914 (Module 2: Controller-Processor) apply. You can check the current certification status — including possible UK Extension or Swiss-US DPF coverage — in the official DPF register: dataprivacyframework.gov/list.
Anthropic in turn uses sub-processors, particularly Amazon Web Services (AWS) and Google Cloud Platform (GCP), for model hosting and inference. The current list is available at trust.anthropic.com/subprocessors.
User-facing features (you actively use them in the app or platform):
- Opening Dialogue — Desire Feeling («Sevi» persona): support in identifying your desire feeling according to the FIVE MOVES® method. This AI feature appears in a persona designed in the style and methodology of Sévérine Bächtold-Sidler (nickname «Sevi»). The feature is an AI companion, not Sévérine herself. Personal contact with Sévérine is only available via regular trainer booking.
- WI course Desire Feeling check («Sevi» persona): in the «Female Intimacy» course the AI checks your input for whether it describes a desire feeling consistent with the method. This feature also appears in the Sevi persona — AI, not Sévérine in person.
- Learning-journal feedback: review and constructive feedback on your learning-journal entries during trainer education. Outputs are labelled as AI-generated in the UI.
- Simulation feedback (Guides in training only): feedback on training simulations. Outputs are labelled as AI-generated in the UI.
- Exam V2 (trainer certification simulation only): AI takes the role of the Mover (exam-client with randomised persona) and rates the Guide candidate's performance under a multiple-choice scheme. Final certification decisions are always made by a human trainer — the AI is strictly a preparatory tool within the meaning of Art. 6(3) EU AI Act.
Internal back-office features (run without your direct interaction, but data-protection-relevant because personal data is processed):
- Contact personalisation (tone-of-voice assistance for Andreas Dittrich): for personal messages from Andreas to you, your name and context notes are briefly transmitted to Claude to generate tone suggestions. Andreas remains the author of every message: he reviews, edits and sends the text manually. There is no automated mailing based on AI output. Therefore this is not a generative-AI feature addressed to end users within the meaning of Art. 50(2) EU AI Act.
- Accounting categorisation: for supplier invoices to our company (no end-customer data) the AI suggests the correct account assignment according to Swiss accounting standards. As a rule no personal data of end customers is transmitted here.
We label our AI features in line with Art. 50 EU AI Act in several ways:
- Art. 50(1) (interaction transparency): Wherever you interact with an AI (Funke box, Sevi dialogue, learning-journal input, Exam V2), a visible notice appears immediately before or at the start of the interaction stating that you are talking to an AI system.
- Art. 50(2) (output labelling): AI-generated texts (feedback, ratings, Sevi answers) are marked as «AI-generated» in the UI.
- Human contact: You always have the right to speak to a human instead of an AI. Write to legal@five-moves.org or book a real trainer via the regular booking flow.
- Risk classification: Our AI features have been assessed against Annex III EU AI Act and are not high-risk systems. Exam V2 falls under Art. 6(3) EU AI Act (preparatory tool for a human decision) and is therefore likewise not a high-risk system.
- Model provider (GPAI): We use Claude by Anthropic. Anthropic publishes transparency reports for its General-Purpose AI models pursuant to Art. 53 EU AI Act at anthropic.com/transparency.
Transmitted to Anthropic:
- Texts you enter in the respective AI feature (prompt content)
- System prompts and method context of the FIVE MOVES® platform
- Technical metadata: model ID, token count, timestamps
Not transmitted — unless you put them into free text yourself: your email, your real name, your user ID. The app pseudonymises these fields prior to transmission.
Anthropic stores API inputs and outputs under its Usage Policy for a maximum of 30 days for abuse detection (Trust & Safety). After that the data is deleted. Content that Anthropic identifies as unlawful or as a violation of the Usage Policy may be retained longer (up to 2 years).
In our own systems we retain AI interactions for up to 90 days for quality assurance and pedagogical purposes (learning progress). Exam results from Exam V2 are kept for the duration of the trainer certification. Deletion on request at any time via legal@five-moves.org.
- You can disable all AI features at any time by simply not using them.
- You can request deletion of your AI interaction history in our systems at any time by email.
- You can request a machine-readable copy of your AI data (right to data portability, Art. 20 GDPR).
Newsletter
We send our newsletter exclusively to people who have actively signed up using double opt-in. After entering your email address you will receive a confirmation message with an activation link; we only add you to the distribution list once you click that link.
Legal basis: Art. 6(1)(a) GDPR (consent).
Content: information about FIVE MOVES®, new courses, events, method, trainer news.
Logging: time of registration, IP address, time of confirmation — as evidence under Art. 7(1) GDPR.
Withdrawal: possible at any time via the unsubscribe link in every newsletter or by email to legal@five-moves.org. Withdrawal applies prospectively and does not affect the lawfulness of past processing.
International Data Transfers
Your data is stored primarily in Switzerland and the European Union. For transfers to third countries (in particular USA) we ensure an adequate level of protection via:
- EU-US Data Privacy Framework (DPF) — for certified US providers such as Stripe, Google, Cloudflare, Anthropic, Apple, Zoom (status verifiable at dataprivacyframework.gov/list)
- Swiss-US Data Privacy Framework — for transfers from Switzerland, recognised by Swiss Federal Council decision of 14 August 2024 (where the respective provider is extended-certified; verifiable in the DPF register)
- EU Standard Contractual Clauses 2021/914 (Module 2 or 3) as subsidiary basis
- Binding Corporate Rules (BCR) where used by the provider
- Supplementary technical and organisational measures including transport encryption (TLS 1.2+), encryption at rest and pseudonymisation
A copy of the underlying contractual instruments is available on request at legal@five-moves.org.
Data Security — Technical and Organisational Measures
We implement technical and organisational measures under Art. 32 GDPR and Art. 8 revFADP to protect your data against unauthorised access, loss, alteration or destruction:
- SSL/TLS encryption (TLS 1.2 minimum) for all data connections
- At-rest encryption for sensitive data in the database
- Password hashing with bcrypt, never plaintext storage
- Role-based access control (need-to-know principle)
- Multi-factor authentication for admin access
- HMAC-signed tokens for critical workflows (magic links, invoice approval)
- Input validation and protection against SQL injection (prepared statements)
- CSRF tokens on all forms
- Daily backups, 30-day retention
- Redundant hosting infrastructure
- Monitoring and alerting for anomalies
- All employees committed to data confidentiality
- Documented incident-response procedure (notification to supervisory authority within 72 h for reportable incidents, Art. 33 GDPR)
- Regular security audits and vulnerability scans
- DPAs with all processors (see §6)
Retention Periods
| Data category | Retention period | Basis |
|---|---|---|
| Contract and invoice data | 10 years after end of contract | Art. 957 et seq. Swiss CO (statutory) |
| Account data | While account active, then 6 months | Contract performance + grace period |
| Course progress, certifications | Up to 5 years after course completion | Legitimate interest (re-certification) |
| Usage and analytics data | Up to 24 months | Legitimate interest |
| AI interaction data with us | Up to 90 days (earlier on request) | Consent |
| AI interaction data at Anthropic | Up to 30 days (Trust & Safety) | Anthropic DPA / Usage Policy |
| Newsletter data | Until withdrawal of consent | Consent |
| Marketing-cookie data | Until withdrawal, max 13 months | Consent via cookie banner |
| Technical server logs | 30 days | IT security |
| Google Analytics | 26 months | Consent |
| Support communication | 12 months after closure | Legitimate interest |
Your Rights
Under GDPR Art. 15-22 and Swiss revFADP Art. 25-29 you have the following rights vis-à-vis us:
- Access (Art. 15 GDPR / Art. 25 revFADP): which data we hold about you, for what purpose, to whom we disclose it.
- Rectification (Art. 16 GDPR): correction of inaccurate data.
- Erasure (Art. 17 GDPR, «right to be forgotten»): insofar as no retention obligation applies.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR): your data in machine-readable, structured format (JSON).
- Objection (Art. 21 GDPR): to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3) GDPR): at any time, prospectively.
- Protection against solely automated individual decisions (Art. 22 GDPR): see §13.
- Complaint to a supervisory authority (Art. 77 GDPR): see §17.
Automated Decisions and Profiling (Art. 22 GDPR)
We do not take solely automated decisions producing legal effects concerning you or similarly significantly affecting you within the meaning of Art. 22 GDPR.
In concrete terms:
- AI feedback (Claude API, see §7) is a training-support tool. The AI provides feedback and prompts but does not take binding decisions about you.
- Exam V2: the final certification decision is always taken by a human trainer. The AI only proposes multiple-choice ratings according to a fixed scheme. Trainers review and sign off.
- Profiling in the sense of automated assessment of personal aspects (personality, behaviour prediction, credit-worthiness etc.) does not take place.
- Marketing cookies could technically trigger profiling features of third-party providers. Currently no such marketing cookies are active (as of §19).
This section addresses Art. 22 GDPR. The transparency obligations under EU AI Act Art. 50 (notice of AI interaction, labelling of AI-generated content) are governed separately and documented in §7 (Transparency under the EU AI Act). The EU AI Act and the GDPR complement each other — a decision may need to be simultaneously GDPR-compliant and AI-Act-compliant.
Disclosure to Third Parties
We do not sell personal data. Disclosure takes place exclusively:
- to our processors under Art. 28 GDPR (see §6) within the agreed purposes and under our instructions
- under a legal obligation (e.g. tax authorities, law enforcement) — and only to the extent legally required
- in the course of contract performance (e.g. payment service providers, shipping logistics for physical products)
- upon your explicit consent in individual cases
Cookies and Tracking
We use strictly necessary cookies (legal basis Art. 6(1)(f) GDPR / §25(2)(2) German TTDSG) as well as — with your consent via the cookie banner — analytics and marketing cookies (Art. 6(1)(a) GDPR in conjunction with §25(1) TTDSG).
Detailed list of all cookies used (name, provider, purpose, retention, third-country transfer) and option to change your cookie settings at any time:
Children's Privacy
The FIVE MOVES® website and app are not directed at children under 16. We do not knowingly collect personal data from children under 16. Should we become aware of such data we will delete it promptly.
Parents or legal guardians who become aware that their child has provided us with data may contact legal@five-moves.org.
Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy you have the right to lodge a complaint with a supervisory authority:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — edoeb.admin.ch
- EU: the competent national data-protection authority of your place of residence or work. List: edpb.europa.eu/about-edpb/about-edpb/members
- UK: Information Commissioner's Office (ICO) — ico.org.uk
Changes to this Privacy Policy
We may amend this Privacy Policy to reflect changes in law, new services or new functionality. The current version is dated (see hero and §19).
For material changes we notify registered users by email or via a prominent in-app notice. Continued use after the effective date is deemed acknowledgement; we obtain renewed consent where legally required.
Contact
4310 Rheinfelden, Switzerland