Skip to main content
--> Démo

Privacy Policy – Sandra

 

 


Effective Date: January 2025
Operator: BRSL Group, Rue de Carouge 24, 1205 Geneva, Switzerland
Contact: legal@sandra.ch
Data Protection Officer (DPO): Jérôme Amoudruz



1. Definitions

  • Sandra, we, our: The technology platform operated by BRSL Group.
  • Platform: Sandra, including all its digital features such as the WhatsApp chatbot.
  • Client: Any company or professional using Sandra to assist end-users via WhatsApp.
  • End-user: A person interacting with the Client through WhatsApp operated by Sandra.
  • User: Refers collectively to Clients and End-users.
  • Personal data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (storage, analysis, deletion, etc.).
  • Controller: The entity that determines the purposes and means of processing (usually the Client).
  • Processor: The entity processing data on behalf of a Controller (Sandra acts as a processor for Clients).
  • Applicable legislation: The General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP)

2. Scope


This Privacy Policy applies to:

  • End-users interacting with the Client via WhatsApp operated by Sandra;
  • Clients contracting the use of Sandra;
  • Visitors to any official digital interface of Sandra.

Sandra is exclusively accessible via the web. Data processing occurs within this context and access is limited to authorized parties.



3. Legal Bases for Processing

Sandra processes personal data on the following legal bases:


Purpose Legal Basis
Providing access to Sandra via WhatsApp GDPR Art. 6(1)(b) – Necessary for contract execution
nFADP Art. 31 – Processing necessary for service
Platform security and maintenance GDPR Art. 6(1)(f) – Legitimate interest
nFADP Art. 31(1) – Technical functionality
Legal and regulatory obligations GDPR Art. 6(1)(c) – Legal obligation
nFADP Art. 30 – Cooperation with authorities
Optional analysis & product improvement GDPR Art. 6(1)(a) – Consent
nFADP Art. 6 – Consent-based analytics


4. Categories of Data Collected

From End-users (via WhatsApp) From Clients (via service agreement)
Phone number Company name, email
Messages exchanged via WhatsApp Admin credentials
Message timestamps Billing information
Behavioral data (flows, interactions) Account preferences

 

Note: End-users do not have access to configuration interfaces. Scenarios are centralized by Sandra.


5. Processors and Data Recipients


Sandra works with the following processors:

Provider Usage Location Safeguards
Google LLC Infrastructure & Analytics (GCP, GA) EU / USA SCCs, IP anonymization
Meta Platforms Inc. WhatsApp Business API Infrastructure Worldwide SCCs, Meta terms
HubSpot Inc. CRM and marketing automation USA DPA and SCCs
OpenAI, L.L.C. LLM language model (optional) USA DPA, data minimization
Mistral AI European language model (optional) France / EU EU or local hosting
Supabase Inc. Database and authentication EU Encryption & EU hosting

Sandra does not sell or transfer personal data.


6. Data Location and International Transfers


Data is stored and processed in:

  • 🇨🇭 Switzerland
  • 🇪🇺 European Union (EU)

For international transfers (e.g. to the United States), Sandra applies:




7. Data Retention Periods

Personal data is retained only as long as necessary. By default:
Data Type Retention Period Justification
WhatsApp chat history Up to 48 months Legal traceability, support, audit
Technical logs and metadata Up to 48 months Incident tracking, security compliance
Client accounts and billing Contract duration + 2 years Swiss accounting obligations (CO, Art. 958f)
User support and contact 12 months Service quality, request follow-up

Sandra reviews these policies annually (GDPR Art. 5(1)(e), nFADP Art. 6). Upon verified request, data is deleted or anonymized within 30 days.


8. Your Rights


In accordance with the GDPR and the nFADP, you have the following rights:

  • Access your data
  • Correct inaccurate data
  • Request deletion
  • Object to or restrict processing
  • Withdraw your consent
  • Exercise data portability

📧 legal@sandra.ch
📍 BRSL Group – Rue de Carouge 24, 1205 Geneva, Switzerland


9. Data Security


Sandra applies the following measures:

  • TLS encryption in transit
  • Encryption at rest
  • Role-based access control (RBAC)
  • Secure multi-tenant architecture
  • Real-time monitoring and security patching

Business continuity and disaster recovery plans are not publicly disclosed.



10. Updates to This Policy

This policy may be updated. The effective date will reflect any change. In case of material changes, users will be notified by email or via WhatsApp.


11. Contact

Sandra
Operator: BRSL Group
📍 Rue de Carouge 24, 1205 Geneva, Switzerland
📧 legal@sandra.ch
👤 DPO: Jérôme Amoudruz



 

©2025 BRSL Group | sandra.ch
Rue de Carouge, 24 - 1205 Genève - Switzerland  |  CHE-110.310.224 -

Terms & ConditionsPrivacy Policies