egtos (“egtos,” “the Platform,” “we,” “us,” or “our”) is committed to protecting the privacy of everyone who uses our marketplace, including companies (buyers), consulting firms, independent consultants, and the managers and employees who act on their behalf. This Privacy Policy explains what personal and business data we collect, how and why we process it, with whom we share it, how long we keep it, and the rights you have under applicable data-protection law — in particular the Swiss Federal Act on Data Protection (FADP / nFADP) and, where it applies, the EU General Data Protection Regulation (GDPR).
Please read this Policy together with our Terms of Service. By using the Platform, you acknowledge that we process your information as described here; where we rely on your consent for a specific processing activity, we say so and you may withdraw it at any time.
1. Who We Are — Data Controller & Contact
The data controller responsible for processing your personal data is:
egtos GmbH
Sevogelstrasse 102
4052 Basel
Switzerland
Email: contact@egtos.ch
For any privacy question, data-subject request, or complaint, contact us at contact@egtos.ch. If a Data Protection Officer (DPO) or a Swiss/EU representative is appointed, their details will be published here.
When you, as a company, consulting firm, or consultant, upload or share personal data of your own staff, clients, or contacts through the Platform, you act as the controller (or independent controller) of that data and egtos acts as your processor or a separate controller, as the case may be. Each party is responsible for having a lawful basis for the data it brings onto the Platform.
2. Scope & Legal Framework
This Policy applies to personal data processed through the egtos website, the egtos web application, and related services (collectively, the “Platform”).
egtos is established in Switzerland. We process personal data in accordance with the Swiss FADP. Where we offer the Platform to users in the European Economic Area, or otherwise fall within its territorial scope, we also comply with the GDPR. Where both apply, we apply the standard that gives you the stronger protection. References below to GDPR articles are provided for transparency; equivalent FADP provisions apply to Swiss-based processing.
What egtos is — and is not. egtos operates a two-sided hiring marketplace. Companies (buyers) pay a subscription, buy tokens, and hire consulting firms and independent consultants for project work. Engagements (contracts, deliverables, payment terms) are between the buyer and the seller; egtos is an intermediary that provides the marketplace, the token-based escrow, an objective scoring system (IndexScore®), and AI-assisted mediation (Marcus). egtos is not a party to the underlying service contract and is not a bank or licensed financial institution. egtos does, however, operate the escrow: it holds and releases tokens according to defined Platform rules (see Section 7). This intermediary role shapes both our processing purposes and our allocation of responsibility.
3. Personal Data We Collect
We collect the following categories of data, depending on your role and how you use the Platform.
3.1 Account & identity data
Name, email address, password / login credentials, role (company, consulting firm, consultant, manager, employee, admin), organization, job title, language and account settings, and authentication metadata (sessions, tokens).
3.2 Profile data
Professional skills, experience, availability, rates, portfolio, biography, profile photo/logo, and the public profile you publish on the Platform.
3.3 Verification & KYC data
Identity- and credential-verification information used to confirm who you are and that you are entitled to act for an organization — for example identity documents, business-registration details, professional credentials, and references. Some verification may be performed by third-party providers and/or against publicly available sources.
3.4 IndexScore® input data
Data used to compute your IndexScore® (an objective 200–800 score; see Section 5), including: work history on the Platform, deliverable quality assessments, peer reviews and ratings, and verified credentials. This is personal data processed to produce a score that other users can see and rely on.
3.5 Transaction, escrow & payment data
Subscription plan and billing cadence (monthly or annual), token purchases and balances, contract and milestone records, escrow lock/release events, redemption/cash-out requests, invoices, billing address, and the partial payment-instrument data returned to us by our payment processor. We do not store full payment-card numbers — card data is collected and processed directly by our payment processor (Stripe; see Sections 7 and 8). Certain escrow and transaction records are also written to a public blockchain (see Section 7).
3.6 Communications & deliverables processed by Marcus
Messages you exchange on the Platform, project scoping inputs, contracts, deliverables, milestone notes, and concern/dispute submissions. Our AI agent Marcus reads relevant items in this category to help you scope and run projects and to mediate concerns (see Section 6). This may include personal data about you and about third parties you reference.
3.7 Usage, device & technical data
IP address, browser and device type, operating system, approximate location derived from IP, pages viewed, features used, and event logs. We use cookieless analytics by default (see Section 12), so we do not build advertising profiles from this data.
3.8 Support & correspondence
The content of your support requests, feedback, and any correspondence with us.
We collect this data directly from you, automatically as you use the Platform, from your organization (e.g. when a manager invites an employee), and from third parties such as verification providers and other users who review you.
4. Why We Process Your Data — Purposes & Legal Bases
We process personal data only where we have a lawful basis. The table below summarizes the main purposes and the legal basis under GDPR Art. 6 (and the equivalent FADP justification).
| # | Purpose | Examples | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| 1 | Provide and operate the Platform | Create/manage accounts, run the marketplace, form project teams, host profiles | Performance of a contract — Art. 6(1)(b) |
| 2 | Operate token escrow & payments | Lock/release tokens, process subscriptions and token purchases, handle redemptions, record transactions (incl. on-chain) | Performance of a contract — Art. 6(1)(b); legal obligation for tax/accounting — Art. 6(1)(c) |
| 3 | Compute & display IndexScore® | Score work history, deliverable quality, peer reviews, verified credentials; show the score to counterparties | Legitimate interests in a trustworthy marketplace — Art. 6(1)(f); contract performance — Art. 6(1)(b) |
| 4 | AI assistance & mediation (Marcus) | Scope/manage projects; read contracts, deliverables, messages to mediate concerns and propose resolutions | Performance of a contract — Art. 6(1)(b); legitimate interests in efficient dispute resolution — Art. 6(1)(f) |
| 5 | Verification, fraud prevention & security | KYC/credential checks, abuse detection, securing the Platform | Legitimate interests — Art. 6(1)(f); legal obligation — Art. 6(1)(c) |
| 6 | Legal & regulatory compliance | Tax, accounting, AML where applicable, responding to lawful authority requests | Legal obligation — Art. 6(1)(c) |
| 7 | Service improvement & analytics | Cookieless usage analytics, feature improvement | Legitimate interests — Art. 6(1)(f) |
| 8 | Communications | Service notices, security alerts, transactional emails | Performance of a contract / legitimate interests — Art. 6(1)(b)/(f) |
| 9 | Optional marketing & non-essential trackers | Marketing emails; any non-essential analytics/marketing tracker | Consent — Art. 6(1)(a) |
Where we rely on legitimate interests, we have carried out (or will carry out) a balancing assessment; you may object as described in Section 11. Where we rely on consent, you may withdraw it at any time without affecting prior processing.
5. Automated Decision-Making & Profiling — IndexScore® and Marcus
We are transparent about automated processing because two core features rely on it. This Section addresses GDPR Art. 22 (automated individual decision-making, including profiling) and the equivalent FADP provisions.
5.1 IndexScore® (profiling)
IndexScore® is an objective 200–800 score generated automatically from your work history, deliverable-quality assessments, peer reviews, and verified credentials. It is a form of profiling: it evaluates aspects of your professional performance and is displayed to potential counterparties, who may rely on it when deciding whether to engage you.
- The logic, at a high level: the score aggregates the inputs above into a single normalized value on the 200–800 scale. Higher-quality, well-reviewed, verified work tends to raise the score; weak or disputed outcomes tend to lower it.
- Significance and consequences: a higher IndexScore® can make you more visible and more attractive to buyers; a lower one may reduce engagement opportunities. The score is portable — it travels with your profile.
- Your rights: you can request meaningful information about the logic involved, access the data used, request rectification of inaccurate inputs, contest a score you believe is wrong, and request human review of any decision that is based solely on automated processing and produces legal or similarly significant effects on you. To exercise these rights, contact contact@egtos.ch.
5.2 Marcus (AI-assisted automated decisions)
Marcus is an AI agent that helps scope and create projects, manage them, and mediate concerns before a formal dispute. In mediation, Marcus reads the relevant contract, deliverables, and messages and proposes a resolution that both parties then vote on.
- Marcus’s proposals are non-binding. A resolution only takes effect if both parties vote to accept it. If the parties deadlock, the matter is escalated to a formal dispute reviewed by a human administrator.
- Because the outcome requires human (party) agreement and ultimately human admin review, Marcus is designed not to make a solely-automated, legally-significant decision about you without human involvement. You may request human intervention, express your point of view, and contest any proposal.
- Marcus output is informational, not legal advice, and should not be relied on as such.
If, in any feature, a solely automated decision would produce a legal or similarly significant effect on you, we will not carry it out except as permitted under GDPR Art. 22 / FADP, and you will have the right to obtain human intervention, to express your view, and to contest the decision.
6. AI Processing (Marcus) — What It Reads and Our Safeguards
To deliver scoping, project management, and mediation, Marcus processes:
- Contracts and project scope you create or share;
- Deliverables and milestone records;
- Messages exchanged between the parties to an engagement.
Why: to suggest a project scope, surface risks and status during a project, and, when a concern is raised, to understand the dispute and propose a fair resolution for the parties to vote on.
Safeguards:
- Marcus accesses only data within the relevant engagement (project, contract, or concern), scoped to the parties involved.
- Marcus’s proposals are non-binding and subject to dual party vote and, on deadlock, human admin review.
- We apply access controls so Marcus’s view of data tracks the same role/team scoping as the rest of the Platform.
7. Payments, Tokens & Blockchain
7.1 Payments (Stripe as processor)
Subscription and token payments are processed by Stripe, acting as our payment processor. Stripe collects and processes your payment-instrument data directly under its own security and compliance program; egtos does not receive or store full card numbers. Stripe processes this data on our behalf as a sub-processor and in some respects as an independent controller for fraud-prevention and regulatory purposes. See Stripe’s privacy notice for details.
7.2 Tokens
Tokens are the Platform’s unit of work. Tokens are purchased with money, used to fund engagements, and may be redeemed (cashed out) subject to fees. Tokens have no independent cash value except through redemption on the Platform, and any tax arising from your use or redemption of tokens is your responsibility. We process token-balance, purchase, distribution, and redemption data to operate these features and to meet accounting/tax obligations.
7.3 Escrow and on-chain records (important — affects your erasure/rectification rights)
When a contract starts, the funding tokens are locked in escrow; they are released on milestone approval, returned, or otherwise dispositioned according to Platform rules and any dispute outcome. egtos operates this escrow (it is not a bank).
Some escrow and transaction records are recorded on a public blockchain (Polygon). Blockchain records are public and immutable by design — once written, an on-chain record cannot be edited or deleted.
Consequence for your rights (a real and deliberate limitation): for personal data that has been written on-chain, we cannot guarantee erasure or rectification of the on-chain entry itself, because the blockchain is outside our unilateral control. We minimize what is written on-chain, and we honor your erasure/rectification rights for off-chain copies and associated records we control. Where on-chain data identifies you, we will explain what is recorded and what mitigations (e.g. minimization, pseudonymization, off-chain redaction, key-based access controls) apply.
9. International Data Transfers
We aim to keep personal data hosted in Switzerland and/or the EU (Section 13). Where a transfer outside Switzerland/EEA occurs — for example because a sub-processor such as Stripe or an AI provider operates internationally, or because data is written to a globally distributed blockchain — we put in place appropriate safeguards, such as the EU Standard Contractual Clauses (with the Swiss addendum/FADP recognition where required), adequacy decisions, or equivalent legal mechanisms. You may request information about the safeguards applied to a specific transfer at contact@egtos.ch.
10. Data Retention
We keep personal data only as long as necessary for the purposes set out in this Policy:
- Active accounts: for as long as your account is active.
- After account closure: for a defined period (currently up to 3 years, subject to legal review) to meet tax, accounting, and legal obligations.
- Transaction, escrow, and billing records: for the period required by Swiss tax/accounting law (typically up to 10 years).
- Communications, deliverables, and dispute records: retained as long as needed for an active engagement and for the period in which a related dispute could arise.
- On-chain records: immutable and effectively permanent by design (see Section 7.3).
- Cookieless analytics: retained in aggregate; not tied to an advertising profile.
When data is no longer needed and no legal obligation requires its retention, we delete or anonymize it — except for on-chain entries we cannot technically remove.
11. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data (“right to be forgotten”), subject to the on-chain limitation below;
- Restrict processing in certain cases;
- Object to processing based on legitimate interests, and to direct marketing at any time;
- Data portability — receive your data in a structured, commonly used, machine-readable format;
- Withdraw consent at any time where processing is based on consent;
- Not be subject to a solely automated decision with legal or similarly significant effect, and to obtain human intervention, express your view, and contest such decisions (Sections 5–6).
On-chain limitation. Because certain escrow/transaction records are written to a public, immutable blockchain, your rights to erasure and rectification cannot be fully honored for on-chain data. We will apply these rights to all off-chain data we control and explain any residual on-chain entry (see Section 7.3).
How to exercise your rights. Email contact@egtos.ch. We will respond within the legally required period (under GDPR, generally one month). We may need to verify your identity first.
Complaints. You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) — Feldeggweg 1, 3003 Bern, Switzerland — and/or, if the GDPR applies to you, with your local EU/EEA supervisory authority (DPA). We’d appreciate the chance to address your concern first.
13. Security & Data Residency
We apply appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/SSL) and protection of data at rest;
- Role- and team-scoped access controls — access to projects, deliverables, and analytics is limited to the relevant parties;
- Secure auth — tokens stored in httpOnly cookies to reduce XSS exposure;
- Payment security — card data handled by a PCI-DSS-compliant processor (Stripe); egtos does not store full card numbers;
- Monitoring, logging, and security review of the Platform.
Data residency. Application data is hosted in Switzerland and/or the EU. Some processing by sub-processors (Stripe, any AI provider) and the public blockchain may occur outside this region; in those cases we rely on the safeguards in Section 9.
No method of transmission or storage is completely secure; we cannot guarantee absolute security, but we work to protect your data and to notify you and the authorities of a breach where the law requires.
14. Children
The Platform is intended for business use by adults. It is not directed at children, and we do not knowingly collect personal data from anyone under the age required by applicable law. If you believe a child has provided us data, contact contact@egtos.ch and we will delete it.
15. Changes to This Policy
We may update this Policy as our product and the law evolve. The current version is always available on the Platform, with the Effective Date updated. Material changes will be communicated as required by law. Because this re-issue substantively changes the described product (escrow, marketplace hiring, IndexScore®, Marcus, blockchain), it supersedes the prior version dated August 9, 2025 and requires a new Effective Date set by egtos GmbH. Your continued use of the Platform after an update constitutes acceptance of the revised Policy, except where your separate consent is required.
16. Contact
egtos GmbH
Sevogelstrasse 102, 4052 Basel, Switzerland
Email: contact@egtos.ch
For privacy questions, data-subject requests, or to reach our DPO/representative (if appointed), email contact@egtos.ch.