Privacy Policy

The General Data Protection Regulation (“GDPR”), which came into force on 25 May 2018, and the Swiss Federal Act on Data Protection aim to guarantee that the personal data of physical persons is processed in compliance with the rights, fundamental freedoms and dignity of persons, with particular reference to confidentiality and personal identity. Board International SA and its subsidiaries (“Board” or the “Data Controller”), pay particular attention to the way in which personal information is used and shared and it is therefore important to inform you of the adopted privacy policy.

Processing of personal data means the collection, recording, organisation, conservation, processing, alteration, selection, retrieval, comparison, use, disclosure, erasure, distribution, interconnection and any other processing which is useful for the performance of the specific service requested (the “Service”).

1. Personal data we collect

1.1 Board collects the personal information provided by users:

  1. When sending the contact forms on the website www.board.com (the “Website”) (for example, relating to the “Careers”, “Free Demo”, “Training and Support” or “Events” sections);
  2. for the provision of Board services;
  3. for product support;
  4. to attend meeting(s) and provide connected services; or
  5. to administer online courses, tests, and to issue certifications.

1.2 In particular, the personal data processed by Board includes, inter alia, the following data:

  • name, surname, and job title or contact information including the e-mail address and telephone number;
  • personal information such as address, postcode, country;
  • other information relating to surveys or offers sent to users.

This information falls under the definition of personal data, i.e. any information concerning an identified or identifiable physical person (the “Data Subject”); identifiable refers to physical persons who can be identified, directly or indirectly, with particular reference to data such as the name, identification number, data concerning their location, an online ID or one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural or social identity (the “Personal Data”).

1.3 The Website uses cookies, as described in more detail in the Cookies Policy.

2. Purposes of the processing

2.1 The Personal Data provided by you at the time of registering with the Service, or otherwise acquired during the activities performed by us, may be processed, for purposes linked to the provisions of the Service and, for example, to respond to requests sent by you to Board (for example, to send information materials, to be contacts or for a demo or sales offer, etc.). You may object to the sending of e-mails at any time.

2.2 The Personal Data provided by you may be processed also to provide online security for Board website and Services, and to comply with the applicable laws, regulations, court orders, government, and law enforcement requests, to investigate security and privacy incidents, and to manage any customer disputes. Your personal data will be processed through artificial intelligence systems to generate automated responses to your inquiries submitted via the chatbot. Such processing is limited to what is strictly necessary to provide real-time assistance and is carried out in accordance with the terms set out in Section 5 of this Privacy Policy.

2.3 Your Personal Data will be used to periodically send promotional e-mails (using the e-mail address provided by you), when you accept this Privacy Policy when submitting the form. These e-mails may concern new products, events, special offers or other information Board thinks may interest you. The above communications may be sent to you also by third parties within the Board Group to whom Board may provide the Personal Data provided by you.

2.4 Your Personal Data may also be used for profiling, through the use of cookies and following acceptance in this sense by you. The acceptance of the use of cookies is given at the start when clicking on “Accept cookies” and closing the banner, as better explained in the Cookies Policy.

3. Methods of processing

3.1 Your Personal Data is collected by the parties set forth at clause 6 of this Privacy Policy, and the related processing is carried out using manual or computerised automated instruments with logics strictly linked to the purposes described above and, in any case, to guarantee the security and confidentiality of the Personal Data.

4. Legal basis of the processing of Personal Data

4.1 Pursuant to the GDPR, Board processes Personal Data on several different legal basis, as follows:

  • To perform and manage the contract with you: when entering into an agreement with Board, Board processes Personal Data to provide the Services, and to manage the contractual relationship.
  • To comply with legal obligations: Board processes your Personal Data to comply with relevant laws or regulatory requirements, and to respond to lawful requests, court orders, and legal processes.
  • Based on our legitimate interests: Board processes Personal Data to send communication or newsletter related to the relevant products, and/or services.
  • Based on your consent: in certain situations, Board processes Personal Data based on your consent. You have a right to withdraw your consent at any time.

4.2 The provision of Personal Data by you when sending the contact forms is absolutely optional and does not represent a legal requirement.

4.3 With regard to the effects of the non-acceptance or disabling of the cookies, please refer to the terms of the Cookies Policy.

5. Use of Chatbot and AI Technologies

5.1 Our website may provide a chatbot feature that allows you to interact with us in real time. When you use this feature, certain personal data may be processed, such as your name, business email address, IP address, and any information you choose to include in your messages, as well as limited technical data (e.g., cookies and similar tracking technologies used by the chatbot functionality). The chatbot is operated by a third-party service provider acting as our data processor and processing data on our behalf in accordance with applicable data protection laws.

5.2 Chat interactions are transmitted securely via encrypted connections to the provider’s cloud infrastructure. Where artificial intelligence functionalities are used, relevant portions of your messages may be transmitted to contracted AI model providers (such as OpenAI, Azure AI, Anthropic, or Google) acting as subprocessors. These providers process such data solely for the purpose of generating a response and operate under a “zero data retention” configuration for prompts and responses. The zero data retention configuration applies exclusively to AI model providers and does not prevent the chatbot service provider from storing chatbot data, including conversation content, in accordance with the configured retention settings.

5.3 Personal data may be processed in jurisdictions outside the European Economic Area, including the United States. Such processing may involve the use of infrastructure, hosting, and support service providers acting as subprocessors of our chatbot provider. In such cases, transfers are carried out in compliance with applicable data protection laws using appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs). Where applicable, certain subprocessors also maintain certification under the EU-U.S. Data Privacy Framework, providing an additional safeguard for international data transfers.

5.4 Chatbot data, including chat transcripts (i.e., the content of conversations), visitor metadata, and interaction logs, may be stored by the chatbot service provider acting as data processor for the retention period configured by Board, which may correspond to the duration of the contractual relationship, unless a shorter retention period is applied, and in accordance with applicable contractual arrangements and data protection laws.

Board does not use chatbot conversation content for purposes other than providing the requested assistance, unless otherwise specified. Appropriate technical and organizational measures, including encryption in transit and at rest, access controls, and logging and monitoring of authorized access, are implemented to ensure the security of Personal Data.

Chatbot responses are generated automatically using AI technologies, with governance measures in place and the possibility of escalation to human representatives where appropriate. By using the chatbot, you acknowledge that you are interacting with an AI-based system and that your data will be processed as described in this Privacy Policy.

Following termination of the contractual relationship, such data may be deleted from production and backup systems within a maximum period of 180 days, in accordance with applicable contractual arrangements.

5.5 This processing does not involve automated decision-making that produces legal effects or similarly significant impacts on you.

6. Categories of persons to whom the Personal Data may be disclosed

6.1 The Personal Data collected for the purpose of the provision of the Service under clause 2 may be disclosed to companies performing activities which are strictly linked and instrumental to the provision of the Service. Such Personal Data may be transferred to associated companies and/or companies within the Board Group or third parties even located outside the European Union, where there are in place the appropriate safeguards (guarantee of an appropriate level of protection) set forth by the European Commission.

6.2 The Personal Data collected for the purposes listed at clause 2 may be transferred to third parties within the Board Group and/or other third parties (located inside or outside the European Union), also for sale or attempted sale, i.e. all purposes of a lawful commercial and/or statistical nature. The list of the third parties to whom your Personal Data have been disclosed may be requested from Board using the e-mail address set forth at clause 8.4.

7. Controller, Processors and Representatives

7.1 Data Controller or Controller refers to the physical or legal person, public authority, service or other body which, individually or with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of processing are determined by law by the European Union and the Member States, the Controller or the specific criteria applicable to his or her appointment may be established by the law of the European Union and the Member States;

7.2. The Controllers are Board International SA with registered office in Via Maestri Comacini 4, Chiasso, Ticino 6830, Switzerland, and the other companies in the Board Group which work autonomously and independently in the processing of Personal Data.

7.3 The Controllers appoint external Processors to achieve the purposes specified at clause 2. It is possible to request a complete list of external Processors by sending an e-mail to the e-mail address set forth at clause 7.4 of this policy.

7.4 The Controllers have appointed their own employees and collaborators to process the data.

7.5 Data Subjects may exercise their rights towards each Controller.

8. Rights of the data Subjects

8.1 You have the right, at any time, to obtain confirmation from the Controller as to whether or not Personal Data concerning you is being processed, to know its origin, purposes and methods of processing; you also have the right to request the updating, correction, integration, erasure, transformation into an anonymous form, the suspension of any data processed in violation of the relevant legislation, including those which are no longer necessary to pursue the purposes for which they were collected and/or subsequently processed.

8.2 You have the right to object, wholly or partially, to the processing of your Personal Data for legitimate reasons, even where this is still relevant for the purpose for which they were collected, and to the processing of your Personal Data for the purpose of commercial information or the sending or advertising materials or direct sales or for the execution of market research or commercial communication.

8.3 You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, and to transmit those data to another controller.

8.4 To exercise your rights please write to the specific e-mail address: [email protected] .

8.5 Please note that you also have the right to lodge a complaint with the competent supervisory authority.

8.6 If you no longer wish to receive communication via e-mail from Board and wish to unsubscribe from the newsletter, you may do so by clicking on the “unsubscribe” link at the bottom of each e-mail sent by Board.

9. Period for which the Personal Data is processed

9.1 Your Personal Data will be conserved in hard copy and/or electronic/computerized/optical format for the time strictly necessary to meet the purposes indicated at clause 2, in compliance with the applicable laws and/or the contractual relationship. Board has defined the specific duration of the storage of the Personal Data for each type of Personal Data collected. At the end of such periods, Board will definitively erase your Personal Data.

10. Amendments

10.1 This Privacy Policy may be subject to amendments. If substantial amendments are made to the use of your Personal Data, Board will notify you by publishing a notice on the Website and/or by sending you an e-mail.

11. EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

11.1 Participation and Data Transfers

Board Americas Inc. participates in the EU-U.S. Data Privacy Framework (DPF), including the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce. Board has self-certified its adherence to the DPF Principles with respect to personal data received in the United States from the European Union, the United Kingdom, Switzerland, and Gibraltar.

In accordance with its DPF participation, Board Americas Inc. commits to comply with the DPF Principles, including Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. In the event of any conflict between the terms of this section and other provisions of this Privacy Policy, the DPF Principles shall prevail for personal data processed under the DPF.

The types of Personal Data that may be disclosed and processed, together with the purposes and manner of such processing, as well as the parties with whom such personal data may be shared under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), are governed by clauses 1 and 6 of this privacy policy.

11.2 Onward Transfers

Board Americas Inc. may transfer personal data received under the DPF to third-party service providers or other third parties acting as agents on its behalf. In such cases, Board Americas Inc. remains responsible and liable under the DPF Principles if the third party processes personal data in a manner inconsistent with the DPF, unless Board proves that it is not responsible for the event giving rise to the damage. Board Americas Inc. requires third parties to provide at least the same level of protection required by the DPF Principles.

11.3 Individual Rights

Individuals whose personal data is transferred to the United States under the DPF have the right to request access to their personal data and, where inaccurate, to have it corrected, amended, or deleted, subject to the limitations set forth in the DPF Principles. Requests may be submitted using the contact details provided in this Privacy Policy and will be handled in accordance with applicable law.

If Personal Data covered by this Privacy Policy is to be used for a new purpose this is materially different from that for which the personal data was originally collected or subsequently authorized, or is to be disclosed to a third party in a manner not specified in this Privacy Polic, we will provide you with an opportunity to choose whether to have your Personal Data so used or disclosed. Request to opt out of such uses or disclosures of Personal Data should be sent to us by writing at the e-mail address [email protected] .

Certain Personal Data, such as information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, is considered sensitive information. We will not use sensitive Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individuals unless we have received the data subject affirmative and explicit consent.

11.4 Dispute Resolution and Enforcement

In compliance with the DPF, Board Americas Inc. commits to resolve complaints about its collection or use of personal data transferred under the DPF. Individuals may submit complaints free of charge by contacting Board Americas Inc. using the contact details set out in this Privacy Policy. Board Americas Inc. will respond to such complaints within 45 days.

If a complaint cannot be resolved through Board Americas Inc.’s internal complaint process, individuals may refer the matter to JAMS, an independent alternative dispute resolution provider based in the United States, at no cost to the individual.

JAMS can be contacted at:

JAMS

Two Embarcadero Center, Suite 1500

San Francisco, CA 94111

United States

Website: https://www.jamsadr.com/DPF-Dispute-Resolution.

As a last resort, individuals may invoke binding arbitration under the Data Privacy Framework Arbitration Panel, as described in Annex I of the DPF Principles, with respect to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

Board Americas Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to its compliance with the DPF. Board Americas Inc. may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

11.5 Additional Information

Further information about the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) is available on the official website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov.

12. Contacts

For any information or request which relates to this Privacy Policy, please contact us (Board International, Via Maestri Comacini 4, Chiasso, Ticino 6830, Switzerland) at the e-mail address [email protected].