A short list of what we know about you, and why.

HICONIUM AG processes only the data you give us, only for purposes you understand, and only for as long as we need to. Written for adults; published in plain language.

ControllerHICONIUM AG
PlaceZürich · CH
Effective2026-05-06
Reading≈ 11 min
What we collect

Only what you give us, in five categories.

A platform built on discretion has no business holding more data than the work requires. The five lists below are what we touch.

During the pre-launch phase, HICONIUM AG collects only the information you give us. We do not buy data; we do not enrich your profile from third-party brokers; we do not run programmatic advertising. The information below is the entire list of categories we touch.

Categories of personal data:

  1. Identity — your name, the legal name of your business, an authorised contact, the country and (where applicable) commercial-register number.
  2. Correspondence — the contents of any message you write to us at hello@, press@, privacy@, security@, or legal@hiconium.com.
  3. Application — for the Founding Garage cohort, the details you provide about your collection, marques, and notable vehicles.
  4. Subscription — for the Founders List, the email address you submit to be notified at launch.
  5. Operational metadata — server logs, the IP address used to reach the site, and the user agent of your browser, retained for 30 days for fraud and abuse prevention.
Purposes

What we use it for, and what we don’t.

Five purposes; everything else is off-limits without separate consent.

We use what you give us only for the purposes below:

  1. To evaluate your Founding Garage application and respond to it.
  2. To write to you when Hiconium opens, if you have asked us to.
  3. To respond to direct correspondence and keep a record of the exchange so we can pick up where we left off.
  4. To produce and distribute editorial work to which you have explicitly subscribed.
  5. To meet our legal obligations under Swiss and EU law (revFADP, GDPR), which sometimes require us to retain information beyond your consent.

We do not sell, lease, or rent personal data. We do not run profile-based advertising. We do not feed personal data into third-party AI models for training, fine-tuning, or evaluation.

Legal basis

Consent, contract, legitimate interest, law.

Different categories sit on different legal bases. Founding Garage applications run on the contract we are negotiating with you (Art. 6(1)(b) GDPR; Art. 31 revFADP). The Founders List runs on consent (Art. 6(1)(a) GDPR; Art. 5(6) revFADP). Operational logs and security records run on legitimate interest (Art. 6(1)(f) GDPR; Art. 31(1)(c) revFADP). Where we are required to retain information by Swiss commercial law, we do so on legal obligation (Art. 6(1)(c) GDPR; Art. 31(1)(c) revFADP).

Your rights

Access, rectification, erasure, portability.

You have the following rights at any time, free of charge:

  1. Access — ask us what we hold about you and receive a copy.
  2. Rectification — correct anything that has become inaccurate.
  3. Erasure — ask us to remove your data, subject only to legal retention obligations.
  4. Restriction — ask us to pause processing while we resolve a dispute.
  5. Objection — refuse processing where we are relying on legitimate interest.
  6. Portability — receive your data in a structured, machine-readable format.
  7. Withdraw consent — stop any processing that depends on your consent, with immediate effect for future processing.
  8. Lodge a complaint — with the Swiss Federal Data Protection Commissioner (FDPIC) or, in the EU, your local supervisory authority.

Write to privacy@hiconium.com or to HICONIUM AG, Privacy, Badenerstrasse 567, 8048 Zürich, Switzerland. We will acknowledge within five business days and resolve within thirty.

Processors & transfers

A short list of partners — disclosed.

Hiconium is operated from Switzerland. Some of the technical infrastructure that keeps the platform running — hosting, content delivery, transactional email — is provided by partners with operations in the European Economic Area and, in limited cases, in the United States. Where that is the case, transfers happen under the European Commission's Standard Contractual Clauses, the Swiss-U.S. Data Privacy Framework, or the equivalent Swiss-issued addendum.

A list of our material data processors is published below and updated when it changes. If a processor is added that you would like to know about earlier than the next refresh, write to privacy@hiconium.com.

Hosting · edge deliveryVercel Inc.

United States · EEA

DNS · DDoS · edgeCloudflare Inc.

United States · Global

Application databaseInstantDB

United States

Transactional emailResend

United States

Editorial-assist toolingAnthropic

United States

Payments (post-launch)Stripe Inc.

EEA · CH · US

Cookies

Strictly necessary, nothing else.

During the pre-launch phase, Hiconium uses only first-party, strictly-necessary cookies — a session cookie for forms, a CSRF cookie for security, and a preference cookie that records whether you accepted this notice. We do not use third-party analytics cookies; we do not use advertising cookies; we do not load Facebook, TikTok, or Google Tag Manager.

When the platform is generally available, we will publish a cookie register that names every cookie, what it does, how long it lives, and whether you can refuse it. The register will be linked from this page and the footer.

Retention

How long we keep things.

How long we keep things:

  1. Founding Garage applications — for as long as the cohort is open, plus 24 months after the platform launches, after which they are deleted unless you become a Member.
  2. Founders List subscriptions — until you unsubscribe (a single click in any email we send, or a note to privacy@hiconium.com).
  3. Direct correspondence — for as long as the matter is open, plus 7 years where Swiss commercial-record law requires it.
  4. Server logs and operational metadata — 30 days, then deleted except where investigation is ongoing.
  5. Anonymised, aggregated data — indefinitely, for product and editorial improvement; this data does not identify you.
Security

Encryption, access, disclosure.

Member-side encryption for sensitive documents; authenticated APIs for everything else; an open door for vulnerability disclosure.

We treat security as part of the design, not an addition. Sensitive member content — title documents, identity papers, contracts, ownership and provenance records — will be encrypted on the member’s device with a passphrase only the member holds (Section 4.2 of the Terms of Service). Hiconium cannot read those documents in their decrypted form. Operational data sits behind authenticated APIs, transport-layer encryption, and access logs.

If you discover a vulnerability, write to security@hiconium.com. We acknowledge within one business day and resolve material issues as quickly as the nature of the issue allows. Responsible disclosure is welcome and credited unless you ask otherwise.

Contact

Where to write.

Three addresses, each routed to a small inbox we read:

  1. privacy@hiconium.com — anything to do with your data, your rights, or this notice.
  2. security@hiconium.com — vulnerabilities and incident reports.
  3. legal@hiconium.com — formal legal correspondence, court orders, regulator enquiries.

A complete cookie register and a longer Privacy Notice will replace this page at public launch.

Until then, treat this page as our considered word, written carefully and intended to be honoured. If something here is unclear or incomplete, write to privacy@hiconium.com and we will fix it.