Privacy Policy
Effective date: 17 December 2025
Last updated: 17 December 2025
1. About this Privacy Policy
This Privacy Policy explains how GrundMind collects, uses, stores, shares, and protects personal data in connection with:
- our websites, including grundmind.com and adoption.grundmind.com;
- contact forms and consultation requests;
- newsletters and marketing communications;
- AI adoption assessments and surveys;
- diagnostic and pilot programmes;
- workshops, interviews, and advisory services;
- reports, dashboards, and progress reviews;
- client administration, billing, and support;
- events, webinars, and other professional activities.
This Privacy Policy applies to website visitors, prospective clients, clients, survey participants, client employees, contractors, partners, suppliers, and other people who interact with GrundMind.
2. Who is responsible for your personal data?
The data controller is:
GrundMind, a brand of Grund Institute
Registered address: Avenue de la Moesette, 1110 Morges, Switzerland
UID or registration number: [CHE-XXX.XXX.XXX]
Email: info@grundmind.com
Website: adoption.grundmind.com
In this Privacy Policy, “GrundMind”, “we”, “us”, and “our” refer to this entity.
For some corporate assessments and advisory engagements, the client organisation may determine why employee or participant data is processed. In those cases, the client may act as the data controller and GrundMind may act as a data processor on its behalf. The relevant client agreement or participant privacy notice will explain the applicable roles.
3. Applicable data-protection law
We process personal data in accordance with applicable data-protection laws, including the Swiss Federal Act on Data Protection and its implementing ordinance.
Where our activities fall within its territorial scope, we may also process personal data in accordance with the European Union General Data Protection Regulation.
The Swiss FADP protects natural persons whose personal data is processed and imposes duties on private controllers and processors. The GDPR may apply, for example, where services are offered to individuals in the European Economic Area or their behaviour is monitored there.
4. What personal data do we collect?
The personal data we collect depends on how you interact with us.
4.1 Contact and professional information
We may collect:
- first and last name;
- business email address;
- telephone number;
- job title;
- employer or organisation;
- department, team, or business unit;
- professional role and responsibilities;
- country and preferred language;
- correspondence and meeting details.
4.2 Website and technical information
When you use our website, we or our service providers may collect:
- IP address;
- browser type and version;
- device type;
- operating system;
- language settings;
- pages visited;
- date and time of access;
- referring website;
- approximate location derived from IP address;
- cookie and similar technology identifiers;
- interaction and performance data;
- security logs.
4.3 Assessment and survey information
When you participate in a GrundMind assessment, we may collect:
- survey responses;
- ratings and written comments;
- perceptions of AI tools and initiatives;
- views on workflows, business value, trust, governance, skills, roles, and support;
- department, role category, seniority, location, or team;
- assessment completion status;
- timestamps and technical metadata;
- optional demographic or professional information expressly requested in the survey.
We aim to collect only information needed to understand organisational AI adoption. Participants should not include medical information, political views, religious beliefs, trade-union membership, information about sex life or sexual orientation, disciplinary records, or other highly sensitive information unless specifically requested and supported by an appropriate legal and contractual basis.
4.4 Client engagement information
During pilots, diagnostics, workshops, and advisory engagements, we may collect:
- project goals and priorities;
- organisational structures;
- AI initiatives and use cases;
- workflow descriptions;
- governance policies;
- adoption metrics;
- milestone and implementation information;
- meeting notes and action items;
- feedback from leaders and employees;
- business performance indicators;
- estimated or measured return on investment;
- documents supplied by the client.
4.5 Contractual and billing information
We may collect:
- company billing details;
- postal address;
- contract information;
- purchase order details;
- invoice records;
- payment status;
- tax and VAT information;
- bank transaction references.
We do not normally collect or store full payment-card details directly. Payments may be handled by an external payment provider.
4.6 Marketing and event information
We may collect:
- newsletter subscriptions;
- communication preferences;
- event registrations;
- webinar attendance;
- downloaded resources;
- responses to campaigns;
- professional interests;
- records of consent or objections.
4.7 Information from third parties
We may receive personal data from:
- your employer or client organisation;
- colleagues or project sponsors;
- professional networking platforms;
- event partners;
- public company websites;
- business directories;
- analytics and marketing providers;
- referral partners;
- other service providers.
Where personal data is obtained indirectly, we will provide appropriate information where required by law.
5. Why do we process personal data?
We may process personal data for the following purposes.
5.1 Providing our services
We process data to:
- administer surveys and assessments;
- analyse organisational AI adoption;
- calculate scores and diagnostic outputs;
- identify adoption bottlenecks;
- prepare reports and roadmaps;
- conduct interviews and workshops;
- provide advisory and implementation support;
- track milestones and progress;
- assess adoption and business impact;
- provide dashboards and client support.
5.2 Managing client relationships
We process data to:
- respond to enquiries;
- arrange introductory calls;
- prepare proposals;
- manage contracts and projects;
- communicate with client contacts;
- schedule meetings;
- maintain project records;
- manage billing and payments;
- provide support.
5.3 Improving GrundMind
We may process data to:
- improve questionnaires and scoring;
- validate and refine our methodology;
- test new features;
- improve reports and recommendations;
- understand service performance;
- develop aggregated benchmarks;
- conduct internal research;
- maintain quality and consistency.
Where possible, we use aggregated or anonymised data for these purposes.
5.4 Website operation and security
We process technical data to:
- operate and maintain our websites;
- remember user preferences;
- diagnose technical problems;
- prevent fraud and misuse;
- secure accounts and systems;
- analyse website performance;
- understand how visitors use our website.
5.5 Marketing and business development
Where permitted, we process data to:
- send relevant updates, articles, invitations, and offers;
- follow up after enquiries or events;
- understand professional interests;
- measure campaign effectiveness;
- maintain business relationships.
You can unsubscribe from marketing emails at any time.
5.6 Legal and compliance purposes
We may process personal data to:
- comply with legal and regulatory obligations;
- maintain accounting and tax records;
- establish, exercise, or defend legal claims;
- respond to lawful authority requests;
- investigate suspected misuse;
- enforce contracts and policies;
- manage data-protection requests and incidents.
6. Legal bases under the GDPR
Where the GDPR applies, our legal bases may include:
- performance of a contract, where processing is necessary to provide requested services;
- legitimate interests, such as operating our business, improving services, ensuring security, and communicating with professional contacts;
- consent, where required for specific cookies, newsletters, recordings, or optional processing;
- legal obligations, such as accounting, tax, and compliance requirements;
- establishment, exercise, or defence of legal claims;
- another lawful basis permitted by applicable law.
Where we rely on legitimate interests, we consider whether our interests are proportionate and whether your rights and interests override them.
You may withdraw consent at any time, although withdrawal does not affect processing carried out before the withdrawal.
7. Organisational surveys and employee participation
When a client invites employees or other participants to complete a GrundMind survey:
- participation should be communicated transparently;
- the purpose of the assessment should be explained;
- participants should be told whether responses are anonymous, confidential, pseudonymous, or identifiable;
- GrundMind will aim to minimise collection of identifiable information;
- reports will generally present aggregated organisational findings;
- small group results may be suppressed or combined where necessary to reduce re-identification risk;
- individual responses will not normally be disclosed to managers or employers unless this was clearly communicated in advance and is legally permitted;
- client organisations must not use results for unlawful monitoring, discrimination, disciplinary decisions, or unrelated employee evaluation.
Depending on the engagement, the client may be responsible for informing employees, consulting employee representatives, or obtaining internal approvals.
8. Automated analysis and profiling
GrundMind may use automated methods to:
- calculate assessment scores;
- group responses;
- identify patterns;
- compare results across dimensions;
- estimate adoption risks or value leakage;
- generate preliminary recommendations;
- support benchmarking.
These outputs support organisational decision-making. They should not ordinarily be used to make solely automated decisions producing legal or similarly significant effects for an individual.
Material recommendations and client deliverables may be subject to human review.
If a service includes individual-level profiling or significant automated decision-making, we will provide additional information where required.
9. Use of artificial intelligence tools
We may use AI-enabled tools to assist with:
- categorisation;
- summarisation;
- analysis;
- drafting;
- translation;
- research;
- report preparation;
- project administration.
We select tools based on the nature and sensitivity of the data involved and apply appropriate safeguards.
We will not knowingly use identifiable client survey responses or confidential client information to train publicly available third-party AI models unless the client has expressly authorised this.
Where possible, we minimise, pseudonymise, aggregate, or remove identifying information before using AI-enabled processing.
10. Who do we share personal data with?
We may share personal data with the following categories of recipients where necessary:
- cloud-hosting providers;
- survey and form providers;
- data-analysis and reporting providers;
- email and communication services;
- customer relationship management providers;
- videoconferencing providers;
- project-management and collaboration tools;
- website hosting and analytics providers;
- payment and accounting providers;
- professional advisers;
- insurers;
- contractors and consultants supporting GrundMind;
- competent public authorities where legally required;
- a purchaser or successor in connection with a merger, acquisition, restructuring, or sale.
Service providers may process data only for agreed purposes and under appropriate contractual and security requirements.
Swiss guidance confirms that outsourcing data processing does not remove the controller's responsibility for lawful processing and appropriate safeguards.
11. Sharing data with the client organisation
Where you complete an assessment through your employer or another organisation, we may provide that organisation with:
- aggregated assessment findings;
- dimension-level scores;
- team-level patterns where group size is sufficient;
- anonymised or pseudonymised comments;
- identified organisational bottlenecks;
- recommendations and roadmaps;
- progress and adoption metrics.
Unless expressly agreed and communicated, we do not provide the client with identifiable individual responses.
The client remains responsible for how it uses the reports and recommendations it receives.
12. International data transfers
Some service providers may store or process data outside Switzerland or the European Economic Area.
Where personal data is transferred to a country recognised as providing adequate data protection, we may rely on that adequacy decision.
Where adequate protection is not recognised, we may use safeguards such as:
- recognised standard contractual clauses;
- contractual protections adapted for Swiss law;
- transfer impact assessments;
- supplementary technical and organisational measures;
- another lawful transfer mechanism.
Swiss law generally permits transfers abroad where the recipient country provides adequate protection or where appropriate safeguards or another legal exception applies. The FDPIC recognises adapted EU Standard Contractual Clauses as one possible safeguard for certain transfers.
You may contact us for more information about the safeguards used for relevant transfers.
13. Data retention
We retain personal data only for as long as reasonably necessary for the purpose for which it was collected, including legal, accounting, contractual, research, security, and dispute-management requirements.
Indicative retention periods may include:
- contact enquiries: up to [2 years] after the last meaningful interaction;
- prospective client records: up to [3 years];
- client contracts and billing records: generally 10 years, subject to Swiss legal requirements;
- project correspondence and deliverables: generally [5–10 years] after the engagement;
- raw survey responses: generally [12–24 months] after delivery of the final report, unless a longer period is agreed;
- pseudonymised longitudinal assessment data: for the duration of the client engagement and agreed progress monitoring;
- anonymised statistical data: may be retained indefinitely because it no longer identifies an individual;
- marketing records: until you unsubscribe or object, followed by limited suppression records;
- website security logs: generally [3–12 months];
- unsuccessful job applications, where applicable: generally [6 months], unless the applicant consents to longer retention.
These periods should be adjusted to match GrundMind's actual systems and agreements.
We may retain information longer where required by law, necessary for legal claims, or subject to a preservation obligation.
14. Data security
We use reasonable technical and organisational measures designed to protect personal data against:
- unauthorised access;
- accidental loss;
- misuse;
- alteration;
- disclosure;
- destruction.
Measures may include:
- access controls;
- role-based permissions;
- encryption in transit and, where appropriate, at rest;
- multifactor authentication;
- secure cloud infrastructure;
- backup and recovery procedures;
- logging and monitoring;
- contractual confidentiality obligations;
- supplier due diligence;
- staff awareness and training;
- data minimisation;
- pseudonymisation and aggregation.
No method of electronic transmission or storage is completely secure. We therefore cannot guarantee absolute security.
Swiss data-protection rules require controllers to implement suitable technical and organisational safeguards and apply data protection by design and by default.
15. Data breaches
If a personal-data breach occurs, we will assess its nature, scope, potential consequences, and required response.
Where required by law, we will notify the competent authority and affected individuals.
Under the Swiss FADP, the FDPIC must be notified as soon as possible where a breach is likely to result in a high risk to the personality or fundamental rights of affected individuals.
16. Cookies and similar technologies
Our website may use cookies, local storage, pixels, scripts, and similar technologies.
These may include:
Essential technologies
Required for:
- website operation;
- security;
- session management;
- form submission;
- accessibility;
- user preferences.
Analytics technologies
Used to understand:
- website traffic;
- page performance;
- visitor interactions;
- navigation patterns;
- technical errors.
Marketing technologies
Used, where enabled, to:
- measure campaigns;
- understand conversions;
- personalise communications;
- support advertising.
Where required, non-essential cookies will be activated only after consent.
You can manage preferences through our cookie banner or browser settings. Disabling some technologies may affect website functionality.
The FDPIC has published guidance specifically addressing cookies and similar tracking technologies, including transparency and data-protection requirements.
A separate Cookie Notice may provide details of the individual technologies used.
17. Marketing communications
We may send business-related marketing communications where:
- you have requested them;
- you have consented;
- there is an existing professional relationship;
- another applicable legal basis permits the communication.
You can unsubscribe at any time using the link in the message or by contacting us.
We may retain a minimal suppression record to ensure we respect your opt-out request.
18. Third-party links and websites
Our website may link to third-party websites or services.
GrundMind is not responsible for the privacy practices, security, accuracy, or content of external websites. You should review their privacy notices before providing personal information.
19. Children
GrundMind's services are designed for organisations and working professionals.
They are not directed at children, and we do not knowingly collect personal data from children through our website.
Where an organisation wishes to include participants under the age required for valid consent, this must be expressly agreed in advance and supported by appropriate legal safeguards.
20. Your rights
Depending on applicable law, you may have rights to:
- request confirmation of whether we process your personal data;
- access your personal data;
- request correction of inaccurate data;
- request deletion of data;
- request restriction of processing;
- object to certain processing;
- withdraw consent;
- request data portability where applicable;
- obtain information about international transfers;
- object to direct marketing;
- request review of certain automated decisions;
- lodge a complaint with a supervisory authority.
Under Article 25 of the Swiss FADP, an individual may request information about whether personal data concerning them is being processed and receive information including the purposes, categories of data, recipients, and applicable retention period.
Some rights are subject to conditions and exceptions. For example, we may need to retain information for legal obligations, contractual claims, security, or overriding interests.
21. How to exercise your rights
To submit a privacy request, contact:
Email: info@grundmind.com
Postal address: Avenue de la Moesette, 1110 Morges, Switzerland
Please describe your request clearly.
We may ask for information needed to verify your identity and protect your data from unauthorised disclosure.
Where GrundMind acts only as a processor for a client organisation, we may direct your request to that organisation or assist it in responding.
We will respond within the period required by applicable law.
22. Complaints
You may contact us first so that we can try to resolve your concern.
You may also contact the Swiss Federal Data Protection and Information Commissioner:
Federal Data Protection and Information Commissioner, Switzerland
Where the GDPR applies, you may also lodge a complaint with the competent supervisory authority in the country where you live, work, or believe an infringement occurred.
The FDPIC is Switzerland's independent federal data-protection supervisory authority.
23. Changes to this Privacy Policy
We may update this Privacy Policy to reflect:
- changes to our services;
- new technologies;
- changes in data use;
- changes to providers;
- legal or regulatory developments.
The revised version will be published with an updated date.
Where changes materially affect active participants or clients, we may provide additional notice.
24. Contact us
For questions about this Privacy Policy or our processing of personal data, contact:
GrundMind
Avenue de la Moesette Avenue de la Moesette
1110 Morges
Switzerland
Email: info@grundmind.com
Website: adoption.grundmind.com
