prken. Privacy Policy

Effective date: 04.05.2026

Last updated: 04.05.2026

Publisher: prken.

Data protection contact: privacy@prken.ch

Applicable law: nDSG (CH) · GDPR (EU/EEA, where applicable)

1. Controller and Contact

Controller pursuant to Art. 5 lit. i nDSG and Art. 4 No. 7 GDPR:

Data protection contact: privacy@prken.ch

2. Scope

This Privacy Policy applies to all personal data processed by prken. in connection with:

  • App: mobile application «prken.» for iOS and Android;
  • Website: website and related web services;
  • Support: email, in-app chat, and other communication channels;
  • Other services: all services explicitly referencing this policy.

This policy applies to natural persons (users, prospects). It does not apply to prken. employee data.

3. Definitions

  • Personal data: any information relating to an identified or identifiable natural person (Art. 5 lit. a nDSG; Art. 4 No. 1 GDPR).
  • Processing: any operation performed on personal data (Art. 5 lit. d nDSG).
  • Sensitive data: health, intimate sphere, origin, political/religious views, biometrics (Art. 5 lit. c nDSG; Art. 9 GDPR).
  • Processor: entity processing personal data on behalf of the controller (Art. 5 lit. k nDSG; Art. 4 No. 8 GDPR).
  • Profiling: automated evaluation of personal aspects (Art. 5 lit. f nDSG; Art. 4 No. 4 GDPR).
  • Anonymisation: irreversible removal of personal reference.

4. Categories of Personal Data

4.1 Account and Identity Data

  • First and last name (if provided);
  • Email address;
  • Account ID, password hash, authentication tokens;
  • Language and country settings.

4.2 Precise Location and Mobility Data

Elevated protection level — only collected with explicit system permission.

  • GPS coordinates (only upon explicit user authorisation);
  • Parking session locations and timestamps;
  • Device movement signals (technically required).

4.3 Usage and Device Data

  • IP address, device identifiers (where permitted);
  • OS, app version, crash reports;
  • Interaction data (screens, clicks, taps).

4.4 Transaction and Payment Data

  • Subscription level and status;
  • Payment method metadata (tokenised — full card details are not stored by prken.).

4.5 Communication Data

  • Support request content (email, chat);
  • Support ticket metadata.

4.6 AI/ML Outputs

  • Probabilistic predictions (e.g. parking availability);
  • Aggregated / pseudonymised mobility patterns.

No sensitive data: prken. does not intentionally request or process special categories of personal data as defined under Art. 9 GDPR.

5. Sources of Data

  • Directly from you: registration, profile information, support;
  • Automatically via services: app infrastructure and security services;
  • Payment provider: transaction confirmations.

7. Location Data

  • Opt-in: GPS data only with system permission and in-app consent.
  • Granular controls: users choose «Always», «While using» or «Never».
  • Minimisation: only frequency and precision technically required.
  • Revocation: via device settings at any time.
  • No sale: location data not shared for advertising purposes.

8. Cookies and Similar Technologies

prken. uses limited cookies and similar technologies that are technically necessary to provide secure authentication, maintain sessions, and ensure the reliable operation of the services.

At the current stage of the service, prken. does not use:

  • advertising cookies
  • third-party marketing trackers
  • cross-site tracking technologies
  • behavioural profiling cookies
  • personalised advertising technologies

8.1 Technically Necessary Cookies

The app and related web services may store small pieces of information on the user's device for purposes including:

  • user authentication and login state
  • session continuity
  • security protection and fraud prevention
  • protection against unauthorised access
  • maintaining user preferences required for operation
  • ensuring reliable and secure delivery of the service

These technologies are necessary for the operation of the service and therefore generally do not require separate consent under applicable law.

8.2 Authentication Providers

Where authentication services such as Auth0 are used, authentication-related cookies or browser storage mechanisms may be set by the authentication provider as part of the login and session management process.

Such technologies are used exclusively for authentication, security, and session integrity purposes.

8.3 Browser Controls

Users can control or delete cookies through their browser or device settings. However, disabling technically necessary cookies or storage mechanisms may limit or prevent the proper functioning of the services, including login and authentication features.

8.4 Future Changes

If prken. introduces analytics, advertising, personalisation, or non-essential cookies in the future, this Privacy Policy will be updated accordingly and, where required by applicable law, consent will be obtained before such technologies are used.

9. Disclosure of Personal Data

Personal data is shared only when required and on a lawful basis. Personal data is not sold to third parties for advertising purposes.

9.1 Processors (Art. 9 nDSG; Art. 28 GDPR)

All processors operate under written DPAs:

  • Cloud / Hosting: Hostfactory
  • Identity & Access Management: Auth0
  • Analytics: None
  • Crash reporting: Sentry
  • CRM / Support: None
  • Payment processing (PCI-DSS): None
  • Email / Push: None

Where prken. jointly determines purposes and means of processing with a partner (Art. 26 GDPR; Art. 21 nDSG), a joint-controller arrangement governs respective responsibilities. Details available on request.

Map and geospatial services may be provided through third-party mapping infrastructure providers.

9.2 Legally required disclosures

Personal data is disclosed upon a court order or a lawful request from an authority; the data subject is informed in advance where permitted.

9.3 Corporate transactions

Data may be transferred in a merger, acquisition, or asset sale under confidentiality protections; changes of controller are notified.

10. International Data Transfers

prken. may process or transfer personal data in Switzerland, the European Economic Area (EEA), and other jurisdictions in which its service providers or subprocessors operate.

Where personal data is transferred outside Switzerland or the EEA to jurisdictions that do not provide an adequate level of data protection under applicable law, prken. implements appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs);
  • Swiss-recognised transfer mechanisms;
  • contractual and organisational safeguards;
  • transfer impact assessments where appropriate.

Service providers used by prken. may include infrastructure, authentication, error monitoring, and security providers operating internationally.

prken. takes reasonable steps to ensure that transferred personal data remains protected in accordance with applicable data protection laws.

11. Retention Schedule

Personal data is retained only for as long as necessary to fulfill the purposes described in this Privacy Policy, including providing the services, maintaining security, complying with legal obligations, resolving disputes, and enforcing agreements. Data is deleted, anonymised, or restricted once it is no longer required.

Retention periods may vary depending on:

  • the nature and sensitivity of the data;
  • the purpose for which it was collected;
  • operational and security requirements;
  • applicable legal, tax, accounting, or regulatory obligations;
  • the need to establish, exercise, or defend legal claims.

In general:

  • Account and profile data is retained while an account remains active and for a reasonable period thereafter to support account recovery, fraud prevention, legal compliance, and operational continuity.
  • Location and mobility-related data is retained only for the period technically and operationally necessary to provide core app functionality, improve service quality, maintain system integrity, and generate aggregated or anonymised insights.
  • Support and communication data may be retained for continuity of support, quality assurance, dispute handling, and compliance purposes.
  • Security, fraud-prevention, and access logs are retained for a limited period appropriate for detecting abuse, investigating incidents, and maintaining platform security.
  • Transaction and billing records may be retained where required by applicable commercial, tax, or accounting laws.
  • Consent records and privacy preference history may be retained as necessary to demonstrate compliance with applicable data protection laws.

Where possible, prken. anonymises or aggregates data so it can no longer be associated with an identifiable individual.

Users may request deletion of their personal data at any time, subject to applicable legal retention obligations and legitimate operational requirements.

12. Data Security

prken. implements appropriate technical and organisational measures (Art. 8 nDSG; Art. 32 GDPR):

12.1 Technical

  • Encryption: TLS 1.2+ in transit; industry-standard encryption at rest;
  • Access controls: least-privilege, RBAC, MFA;
  • Pseudonymisation: where technically feasible;
  • Vulnerability management: pentests, dependency scans;
  • Standards alignment: Security measures are reviewed and improved over time in accordance with the size, complexity, and risk profile of the services.

12.2 Organisational

  • Privacy by Design & Default (Art. 7 nDSG; Art. 25 GDPR);
  • Security risks are considered during the design and development of features and infrastructure.
  • Personnel with access to personal data are expected to follow appropriate confidentiality and security practices.
  • Incident response: where required by applicable law (Art. 24 nDSG; Art. 33 GDPR).
  • Notification to affected data subjects: where high risk to rights; prken. determines risk level and notification method at its reasonable discretion (Art. 24(3) nDSG; Art. 34 GDPR).

13. Rights of Data Subjects

Requests are answered within 30 days (extendable, Art. 12 GDPR). Email: privacy@prken.ch

| Right | Content | Limitations |
|---|---|---|
| Access (Art. 25 nDSG; Art. 15 GDPR) | Confirmation; copy; purposes, categories, recipients, origin. | Identity verification; third-party rights |
| Rectification (Art. 32 nDSG; Art. 16 GDPR) | Correction or completion of inaccurate/incomplete data. | Technically and legally feasible |
| Erasure (Art. 32 nDSG; Art. 17 GDPR) | On lapse of purpose, withdrawal, or unlawfulness. | Legal retention obligations; legal claims |
| Restriction (Art. 18 GDPR) | While accuracy contested or objection pending. | EU/EEA users |
| Objection (Art. 21 GDPR; Art. 30 nDSG) | Against legitimate interest; absolute for direct marketing. | Immediate for direct marketing |
| Portability (Art. 28 nDSG; Art. 20 GDPR) | Structured, machine-readable copy (JSON or CSV). | Automated processing only |
| Withdraw consent | At any time, prospectively. | Possible functional limitation |
| Complaint | CH: FDPIC · EEA: local DPA · UK: ICO | |

Supervisory authorities: CH: FDPIC, www.edoeb.admin.ch · EU/EEA: national DPA · UK: ICO, www.ico.org.uk

14. Automated Decision-Making and Profiling

AI predictions (e.g. parking availability) do not, unless stated otherwise, produce legal or similarly significant effects (Art. 21 nDSG; Art. 22 GDPR). Any change will trigger a policy update, a DPIA, and a right to object.

15. Children

The services are not directed at persons under 18 years of age. Any such data identified will be deleted.

16. Changes

Material changes may be communicated through the app, website, or other appropriate channels before becoming effective where reasonably required by applicable law. Where a new processing purpose requires consent under applicable law, prken. will obtain it separately.

17. Governing Law

Primary: Swiss law (nDSG, DPO). EU/EEA users: GDPR applies additionally (Art. 3 GDPR).

18. Records of Processing Activities

prken. maintains an internal RoPA (Art. 12 nDSG; Art. 30 GDPR), made available to the supervisory authority on request.

19. Accountability

prken. fulfils Art. 5(2) GDPR / Art. 8 nDSG through:

  • Governance: data protection responsibility at management level;
  • Documentation: RoPA, balancing tests, consent records, DPIAs;
  • Privacy by Design: integrated from project inception;
  • Annual review: documents reviewed periodically;
  • Vendor assessment: standards verified before onboarding; DPA before processing;
  • Training: personnel are expected to follow appropriate privacy and security practices;
  • Incident response: 72h notification duty, notification procedure.

Annex A — Processor List

This list may change over time as operational providers evolve.

| Provider | Purpose | Data Categories | Region | Transfer Safeguard |
|---|---|---|---|---|
| Hostfactory | Hosting infrastructure | Account data, app data, logs | Switzerland | Switzerland adequacy |
| Auth0 | Authentication and identity management | Email, authentication identifiers, login metadata | EU / International | SCCs and contractual safeguards |
| Sentry | Error monitoring and diagnostics | Technical error data, device/app metadata, IP address | EU / International | SCCs and contractual safeguards |
| Stadia Maps | Map tiles and geospatial infrastructure | Delivery of map and geospatial services | US / International | |