Privacy Policy
Last updated on 20 March, 2025
This privacy policy describes how ZITADEL Inc. and its wholly owned subsidiaries and affiliates (collectively, "ZITADEL", "CAOS", "we" or "us") collect, use, disclose and otherwise process your personal data in connection with the management of our business and our relationships with customers, visitors and event attendees.
This privacy policy explains your rights and choices related to the personal data we collect when:
- You interact with our websites, including zitadel.com, zitadel.cloud and zitadel.ch as well as any other websites that we operate and that link to this privacy policy (our "Sites");
- You visit, interact with, or use any of our offices, events, sales, marketing or other activities; and
- You use our platform, including ZITADEL and our software, mobile application, and other products and services (the "Services").
This privacy policy does not cover:
- Organizational Use. When you use our Services on behalf of an organization (your employer), your use is administered and provisioned by your organization under its policies regarding the use and protection of personal data. If you have questions about how your data is being accessed or used by your organization, please refer to your organization's privacy policy and direct your inquiries to your organization's system administrator.
- Third Parties. Our Sites include links to websites and/or applications operated and maintained by third parties (e.g. GitHub, LinkedIn, etc.). This privacy policy does not apply to any products, services, websites, or content that are offered by third parties and/or have their own privacy policy.
If any inconsistencies arise between this privacy policy and the otherwise applicable contractual terms, framework agreement, or general terms of service, the provisions of this privacy policy shall prevail (where applicable). This privacy policy covers both existing personal data and personal data which may be collected from you in the future.
ZITADEL determines the purposes for and means of the processing (i.e., we are the data controller) of your personal data as described in this privacy policy, unless expressly specified otherwise. The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is:
Zitadel Inc.
Data Protection Officer
Four Embarcadero Center, Suite 1400
San Francisco, CA 94111-4164
United States of America
legal@zitadel.com
CAOS AG (Affiliate of Zitadel, Inc.)
Data Protection Officer
Lerchenfeldstrasse 3
9014 St. Gallen
Switzerland
legal@zitadel.com
Our representative in the EU is
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu
General notes
Based on Article 13 of the Swiss Federal Constitution and the data protection provisions of the Swiss Confederation (Data Protection Act, DSG), every person has the right to protection of their privacy as well as protection against misuse of their personal data. The operators of these websites and services take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this data protection declaration.
In cooperation with our suppliers, we make every effort to protect the databases and our users' data as well as possible against unauthorized access, loss, misuse or falsification. We point out that data transmission over the internet in general may involve security risks. Complete protection of the data against access by third parties is not possible.
This website uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://".
Processing of personal data, legal basis, storage period
Personal data is any information that relates to an identified or identifiable person. A data subject is a person about whom personal data is processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, acquisition, deletion, modification, destruction and use of personal data.
We process personal data in accordance with Swiss data protection law. In addition, to the extent and insofar as the EU General Data Protection Regulation (GDPR) is applicable, we process personal data in accordance with the following legal bases within the meaning of Art. 6 (1) GDPR:
- Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) lit. a GDPR serves as the legal basis.
- When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 (1) lit. b GDPR serves as the legal basis.
- To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 (1) lit. c GDPR serves as the legal basis.
- For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 (1) lit. d GDPR serves as the legal basis.
- If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms, rights and interests of the data subject do not override our interests and the interests of third parties, Art. 6 (1) lit. f GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.
We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
Processing of personal data when using the website, contact forms and in connection with newsletters
Our websites can generally be visited without registration. Each time one of our websites is requested, data such as the content of the requested page, the name of the requested file, the IP address, and the date and time are automatically stored in log files on the server.
This data is processed to enable correct delivery and functioning of the website. In addition, we use the data to optimize the website and to ensure the security of our systems.
Personal data, in particular name, address or e-mail address, is collected as far as possible on a voluntary basis, for example when you contact us via a contact form or by e-mail. Without your consent, the data will not be passed on to third parties, unless otherwise stated in this privacy policy.
If you send us inquiries via contact form, your data from the form, including any data you provided, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent, except insofar as this is shown in this privacy policy.
If you would like to receive newsletters offered on our Sites, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information and do not pass it on to third parties, except as described in this privacy policy.
You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe link" in the newsletter.
Processing of personal data when applying for a job with us
Our Sites can generally be visited without registration. If you apply for a job with us, we may collect and process your personal data according to the Privacy policy for the ZITADEL employer branding and recruitment. You may request and delete your data using the links on our data & privacy page.
Processing of personal data in connection with the use of our Services
The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data.
In particular, the following personal data are part of the processing:
| Type of personal data | Examples | Affected data subjects |
|---|---|---|
| Basic data | | All users as uploaded by Customer. |
| Login data | | All users as uploaded and feature use by Customer. |
| Profile data | | All users as uploaded by Customer. |
| Communication data | | Customers and users who communicate with us directly (e.g. support, chat). |
| Payment data | | Customers who use services that require payment. Credit rating information: only customers who pay by invoice. |
| Analytics data | | Customers who use our services. |
| Usage meta data | | All users. |
Unless otherwise mentioned, the nature and purpose of the processing is as follows:
The data is uploaded by customers in our Services or collected by us based on requests from users. The personal data is processed by us exclusively for the provision of the requested Services or the use of the agreed Services.
The fulfillment of the contract includes in particular, but is not limited to, the processing of personal data for the purpose of:
- Authentication and authorization of users
- Storage and processing of user actions in the audit trail
- Processing of personal data and login information
- Verification of communication means
- Communication regarding service interruptions or service changes
Disclosure to third parties
Third party sub-processors
We use third-party services to provide the website and our offers. An up-to-date list of all the providers we use and their areas of activity can be found on our Trust Center.
External payment providers
This Site uses external payment service providers, such as Stripe, through whose platforms users and we can make payment transactions.
As an alternative, we offer customers the option to pay by invoice instead of using external payment providers. However, this may require a positive credit check in advance.
The data processed by the payment service providers includes personal data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, totals and recipient-related information. The information is necessary to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. We as the operator do not receive any information about (bank) account or credit card, but only information to confirm (accept) or reject the payment. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. The purpose of this transmission is to check the identity and creditworthiness of the payment service provider. In this regard, we refer to the terms and conditions and data protection information of the payment service providers.
For payment transactions, the terms and conditions and the data protection notices of the respective payment service providers apply, which can be accessed within the respective website or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information and other rights concerned.
Law enforcement
We disclose personal data to law enforcement agencies, investigative authorities or in legal proceedings to the extent we are required to do so by law or when necessary to protect our rights or the rights of users.
Cookies
Our Sites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our Services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.
When you use our Services, we may collect information about your visit, including via cookies, beacons, invisible tags, and similar technologies (collectively “cookies”) in your browser and on emails sent to you. This information may include personal data, such as your IP address, web browser, device type, and the web pages that you visit just before or just after you use the Services, as well as information about your interactions with the Services, such as the date and time of your visit, and where you have clicked.
Necessary cookies
Some cookies are strictly necessary to make our Services available to you. We cannot provide you with our Services without this type of cookies.
Necessary cookies provide basic functionality such as:
- Session Management
- Single Sign-On
- Rate Limiting
- DDoS Mitigation
- Remembering Preferences
Analytical cookies
We also use cookies for website analytics purposes in order to operate, maintain, and improve the Services for you. We use Google Analytics 4 and PostHog to collect and process certain analytics data on our behalf. Google Analytics and PostHog help us understand how you engage with the Services and may also collect information about your use of other websites, apps, and online resources.
You can learn about the analytics providers' practices by going to
- https://www.google.com/policies/privacy/partners/
- https://posthog.com/privacy
- https://legal.hubspot.com/privacy-policy
- https://www.commonroom.io/privacy-policy/
and opt out by managing your cookie consent through our Services or a third-party tool of your choice.
If you do not want us to use cookies during your visit, you can disable their use in your browser settings. In this case, certain parts of our Sites (e.g. language selection) may not function or may not function fully. Where required by applicable law, we obtain your consent to use cookies.
How we protect personal data
Personal data is maintained on our servers or those of our service providers, and is accessible by authorized employees, representatives, and agents as necessary for the purposes described in this privacy policy.
We maintain a range of physical, electronic, and procedural safeguards designed to help protect personal data. While we attempt to protect your personal data in our possession, we cannot guarantee at all times the security of the data as no method of transmission over the internet or security system is perfect.
If you choose to remain logged in, you should be aware that anyone with access to your device will be able to access your account and we therefore strongly recommend that you take appropriate steps to protect against unauthorized access to, and use, of your account. Please also notify us as soon as possible if you suspect any unauthorized use of your account or password.
Rights of data subjects
Depending on your location and subject to applicable law, you may have the following rights regarding the personal data we process:
Right to information
You have the right to know what personal data we hold and process about you and to access such personal data.
Right to rectification
You have the right to request the correction of inaccurate personal data concerning you.
Right to erasure (right to be forgotten)
You have the right to request the deletion or erasure of the personal data concerning you.
Right to restrict processing
You have the right to request to restrict the processing of your personal data in certain cases.
Right to data portability
You have the right to receive the personal data concerning you in a structured, common and machine-readable format, and to have this data transferred to another data processor if the legal requirements are met.
Right to object
Depending on the circumstances, you have the right to object to the processing of personal data concerning you, insofar as we base the processing of your personal data on a balancing of interests. This is the case if the processing is not necessary, for example, to fulfill a contract or a legal obligation.
To exercise such an objection, please indicate your reasons why we should not process your personal data as we have done. We will then review the situation and either stop or adjust the data processing or explain our reasons for continuing the processing.
Right to revoke consent under data protection law
Insofar as our processing is based on consent, you have the right to revoke your consent at any time with effect for the future. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
Assertion of rights by the data subjects
If you wish to exercise your rights, you may do so by contacting the above-mentioned contact person.
You can opt out of receiving marketing emails from us by following the unsubscribe link in the emails or by emailing us. If you choose to no longer receive marketing information, we may still communicate with you regarding such things as your security updates, product functionality, responses to service requests, or other transactional, non-marketing purposes.
If you have a concern about how we collect and use personal data, please contact us using the contact details provided at the beginning of this privacy policy. You also have the right to contact your local data protection authority if you prefer, such as:
- Data protection authorities in the European Economic Area (EEA): https://edpb.europa.eu/about-edpb/board/members_en;
- Swiss data protection authorities: https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html;
- UK data protection authority: https://ico.org.uk/global/contact-us/.
Additional Information for U.S. Residents
Categories of personal data we collect and our purposes for collection and use
You can find a list of the categories of personal data that we collect in the section above titled “Processing of personal data, legal basis, storage period”. In the last 12 months, we collected the following categories of personal data depending on the Services used:
- Identifiers and account information, such as the username and email address;
- Commercial information, such as information about transactions undertaken with us;
- Internet or other electronic network activity information, such as information about activity on our Site and Services;
- Geolocation information based on the IP address;
- Audiovisual information in pictures, audio, or video content that you may choose to submit to us;
- Professional or employment-related information or demographic information, but only if you explicitly provide it to us, such as by filling out a survey or by applying for a job with us;
- Inferences we make based on other collected data, for purposes such as recommending content and analytics.
For details regarding the sources from which we obtain personal data, please see the “Processing of personal data, legal basis, storage period” section above.
We collect and use personal data for the business or commercial purposes described in the “Processing of personal data, legal basis, storage period” section above.
Categories of personal data disclosed and categories of recipients
We disclose the following categories of personal data for business or commercial purposes to the categories of recipients listed below:
- We disclose identifiers to businesses, service providers, and third parties, such as analytics providers and social media networks.
- We disclose Internet or other network activity to businesses, service providers, and third parties, such as analytics providers and social media networks.
- We disclose geolocation information to businesses, service providers, and third parties such as advertising networks, analytics providers, and social media networks.
- We disclose payment information to businesses and service providers who process payments.
- We disclose commercial information to businesses, service providers, and third parties, such as analytics providers and social media networks.
- We disclose audiovisual information to businesses and service providers who help administer customer service and fraud or loss prevention services.
- We disclose inferences to businesses and service providers who help administer marketing and personalization.
Privacy rights
Right to Opt-Out of Cookies and Sale/Sharing: Although we do not sell personal data for monetary value, our use of cookies and automated technologies may be considered a “sale” / “sharing” in certain states, such as California. Visitors to our US website can opt out of such third parties by clicking the “Manage cookie preferences” link at the bottom of our Site. The categories of personal data disclosed that may be considered a “sale” / “sharing” include identifiers, device information, Internet or other network activity, geolocation data, and commercial data.
The categories of third parties to whom personal data was disclosed that may be considered “sale”/ “sharing” include data analytics providers and social media networks.
We do not have actual knowledge that we sell or share the personal data of individuals under 16 years of age.
If you are a resident of the State of Nevada, Chapter 603A of the Nevada Revised Statutes permits a Nevada resident to opt out of future sales of certain covered information that a website operator has collected or will collect about the resident. Although we do not currently sell covered information, please contact us to submit such a request.
Right to Limit the Use of Sensitive Personal Information: We only collect sensitive personal information, as defined by applicable privacy laws, for the purposes allowed by law or with your consent. We do not use or disclose sensitive personal information except to provide you the Services or as otherwise permitted by law. We do not collect or process sensitive personal information for the purpose of inferring characteristics.
Right to Access, Correct, and Delete Personal Data: Depending on your state of residence in the U.S., you may have:
(i) the right to request access to and receive details about the personal data we maintain and how we have processed it, including the categories of personal data, the categories of sources from which personal data is collected, the business or commercial purpose for collecting, selling, or sharing personal data, the categories of third parties to whom personal data is disclosed, and the specific pieces of personal data collected;
(ii) the right to delete personal data collected, subject to certain exceptions;
(iii) the right to correct inaccurate personal data.
When you make a request, we will verify your identity by asking you to sign into your account or if necessary by requesting additional information from you. You may also make a request using an authorized agent. If you submit a rights request through an authorized agent, we may ask such agent to provide proof that you gave a signed permission to submit the request to exercise privacy rights on your behalf. We may also require you to verify your own identity directly with us or confirm to us that you otherwise provided such agent permission to submit the request. Once you have submitted your request, we will respond within the time frame permitted by the applicable law.
If you have any questions or concerns, you may reach us by contacting us using one of the contact details listed at the beginning of this privacy policy.
Depending on your state of residence, you may be able to appeal our decision on your request regarding your personal data. To do so, please contact us using one of the contact details listed at the beginning of this privacy policy. We respond to all appeal requests as soon as we reasonably can, and no later than legally required.
We do not discriminate against customers who exercise any of their rights described in our privacy policy.
California Shine the Light: Customers who are residents of California may request information concerning the categories of personal data (if any) we disclose to third parties or affiliates for their direct marketing purposes. If you would like more information, please submit a written request to us by using one of the contact details listed at the beginning of this privacy policy.
Do Not Track signals: Most modern web browsers give you the option to send a 'Do Not Track' signal to the sites you visit, indicating that you do not wish to be tracked. However, there is currently no accepted standard for how a site should respond to this signal, and we do not take any action in response to this signal.
Note on international data transfers
Our Sites and Services make use of tools from companies based in countries outside of Switzerland or the EU/EEA, namely those based in the USA. When these tools are active, your personal data may be transferred to the servers of the respective companies abroad. If you are using the Site or Services from outside the United States, your personal data may be processed in a foreign country, where privacy laws may be less stringent than the laws in your country. In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above. By submitting your personal data to us you agree to the transfer, storage, and processing of your personal data in a country other than your country of residence including, but not necessarily limited to, the United States.
We actively try to minimize the use of tools from companies located in countries without equivalent data protection, however, due to the lack of alternatives, this is currently not always feasible without major inconvenience. If you have any concerns, please contact us directly and we will try to find a mutual solution for your needs.
Children's Privacy
Our Site is not intended for or directed to children under the age of 14. We do not knowingly collect personal data directly from children under the age of 14 without parental consent. If we become aware that a child under the age of 14 has provided us with personal data, we will delete the information from our records.
Changes to this Privacy Policy
We may revise this privacy policy from time to time and will post the date it was last updated at the top of this privacy policy. We will provide additional notice to you if we make any changes that materially affect your privacy rights.
Contact us
If you have any questions about our data processing, please email us or contact us by using the contact details listed at the beginning of this privacy notice.