Privacy Policy

Last updated: 12 April 2026

1. Introduction

AIESEC Alumni Switzerland (“we”, “us”, or “our”) operates the AIESEC Alumni Switzerland community platform (the “Platform”), available at aiesecalumni.ch. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Platform, in compliance with:

  • The EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.
  • The Swiss Federal Act on Data Protection (nFADP / revDSG), in force since 1 September 2023.

By creating an account or using the Platform you acknowledge that you have read and understood this policy. Your continued use constitutes acceptance of any updated version we publish.

2. Data Controller

The data controller responsible for your personal data is:

AIESEC Alumni Switzerland
Eigerstrasse 55, 3007 Bern, Switzerland
Email: alumni.switzerland@aiesec.ch

For all privacy-related requests — access, deletion, correction, or complaints — please contact us at the address above.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Consent (GDPR Art. 6(1)(a) / nFADP) — You explicitly consent to the processing of your personal data when you create an account. You may withdraw your consent at any time (see Section 9).
  • Contract performance (GDPR Art. 6(1)(b)) — Processing that is necessary to provide you with membership services, including access to the member directory, events, and resources.
  • Legitimate interests (GDPR Art. 6(1)(f)) — We may process limited technical data (e.g., server logs) to ensure platform security and prevent fraud.

4. Data We Collect

We collect the following categories of personal data:

Account data (via LinkedIn OAuth)

  • Full name
  • Email address
  • LinkedIn profile ID (used as your account identifier)
  • Profile photo URL (as provided by LinkedIn)

Profile data (provided by you)

  • Professional role, company, and industry
  • AIESEC chapter, exchange country, and exchange year
  • Biography and career interests
  • City / location (optional)
  • Languages spoken
  • Contact preferences and mentoring interests

Activity data

  • Event registrations (which events you sign up for)
  • Authored content: blog posts, spotlights, uploaded resources
  • Consent record: whether and when you gave consent to data processing

Technical data

  • Authentication session tokens (stored as cookies)
  • IP address and basic request metadata collected in server/hosting logs (Netlify)

We do not collect special categories of personal data (e.g., health, political opinions, biometric data) and we ask you not to submit such data through the Platform.

5. Purposes of Processing

  • Community operations — running the members directory, member profiles, and private community channels.
  • Event management — registering you for events and sending event-related communications.
  • Content publishing — publishing blog posts, spotlights, and resources you choose to contribute.
  • Communications — sending transactional emails (account confirmation, event updates) and the member newsletter.
  • Platform security — authenticating users, preventing unauthorised access, and maintaining platform integrity.
  • Legal compliance — meeting our obligations under Swiss and EU data protection law.

6. Third-Party Processors

We share data with the following sub-processors who act on our behalf. All processors are contractually bound to handle your data only as we instruct and in accordance with applicable data protection law.

  • Supabase (database, authentication, file storage) — data is hosted in the Zurich, Switzerland region (eu-central-2). Supabase Inc., 970 Toa Payoh North, Singapore. Sub-processors and DPA listed at supabase.com/privacy.
  • LinkedIn (Microsoft) — used for OAuth sign-in. LinkedIn processes your authentication data subject to LinkedIn's own Privacy Policy. We receive only the profile fields listed in Section 4.
  • Netlify (hosting and CDN) — serves the Platform and retains standard server access logs. Netlify, Inc., 44 Montgomery Street, Suite 300, San Francisco, CA 94104, USA. Data transfers to the USA are covered by Netlify's Standard Contractual Clauses.
  • Brevo (transactional email delivery) — used to send account confirmation, approval, and notification emails. Brevo SAS, 7 rue de Madrid, 75008 Paris, France. Brevo is an EU-based processor and processes data within the EU in accordance with GDPR.

We do not sell your personal data to any third party.

7. Cookies and Sessions

The Platform uses a single authentication session cookie set by our auth provider (Supabase) to keep you logged in. This cookie is:

  • Essential — required for the Platform to function; it cannot be opted out of while using the member area.
  • HttpOnly and Secure — it cannot be accessed by client-side scripts and is only transmitted over HTTPS.
  • Automatically cleared when you sign out or your session expires.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Data Retention

We retain your personal data for as long as your account is active. Specifically:

  • Active members — data is retained while your membership is current and your account exists on the Platform.
  • Lapsed or rejected memberships — your data is retained for 12 months after membership lapses or is rejected, to comply with legal obligations and resolve any disputes. After this period your data is deleted.
  • Account deletion — upon a verified deletion request, your personal data is permanently deleted from our systems and from our sub-processors’ systems, subject to any legal retention obligations.
  • Consent records — we retain a record of your consent (date/time stamp) even after account deletion, as required to demonstrate compliance with GDPR Art. 7(1).

9. Your Rights

Under GDPR (Articles 15–22) and the Swiss nFADP, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure / “right to be forgotten” (Art. 17) — request deletion of your data where there is no longer a legal basis for processing.
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — withdraw your consent to data processing at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw consent, contact us or delete your account.
  • Right to lodge a complaint — you have the right to lodge a complaint with:
    • The Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch
    • The relevant EU Data Protection Authority in the EU member state of your habitual residence or place of work, if applicable.

To exercise any of these rights, email us at alumni.switzerland@aiesec.ch. We will respond within 30 days (GDPR) or within the timeframe required under the Swiss nFADP.

10. International Data Transfers

Most of your personal data is processed within Switzerland and the EU — our database is hosted in Zurich and our email provider (Brevo) is EU-based. The following sub-processors operate outside these regions:

  • Netlify (USA) — transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
  • LinkedIn / Microsoft — authentication data is processed subject to LinkedIn's global Privacy Policy and applicable transfer mechanisms including SCCs.

The Swiss Federal Council has determined that the EU/EEA provides an adequate level of data protection equivalent to that of Switzerland, and vice versa. Where transfers occur outside these regions, we rely on SCCs or equivalent safeguards as recognised by the Swiss FDPIC.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • HTTPS encryption for all data in transit.
  • Row-level security (RLS) policies on the database to enforce access controls.
  • Secure, HttpOnly session cookies.
  • Service-role credentials stored as server-side environment variables, never exposed to the browser.

No method of electronic transmission or storage is 100% secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or via a notice on the Platform.

We encourage you to review this policy periodically. Continued use of the Platform after a change is posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

AIESEC Alumni Switzerland
Eigerstrasse 55, 3007 Bern, Switzerland
alumni.switzerland@aiesec.ch