Thoa

Privacy Policy

Last updated: 17.12.2025

1. Who We Are

THOA is a cloud-based data science and workflow platform operated by:

GWC GmbH

Zug, Switzerland

Email: hello@thoa.io

GWC GmbH (“GWC”, “we”, “us”) provides THOA to organizations and individual researchers for managing datasets, computational environments, and scientific workflows.

This Privacy Policy explains how we process personal data when you access or use THOA, our website, or related services.

2. Scope of This Privacy Policy

This Privacy Policy applies to:

Visitors to our website

Users who create THOA accounts

Customers and individual researchers using the THOA Services

This Policy does not govern how our customers process personal data within datasets they upload to THOA. In those cases, customers act as data controllers, and GWC acts as a data processor, as described below.

3. Roles Under Data Protection Law

3.1 GWC as Data Controller

GWC acts as data controller for personal data related to:

Account registration and administration

Authentication and access management

Billing and payments

Customer support and communications

Platform security and abuse prevention

Website analytics and cookies

3.2 GWC as Data Processor

GWC acts as data processor for:

Data, datasets, code, and content uploaded by users into THOA

Research, scientific, genomic, omics

In these cases, the customer or individual researcher is the data controller and determines the purposes and legal basis for processing.

4. Categories of Personal Data We Process

4.1 Account and Contact Data

Name

Email address

Organization name

Authentication credentials

API keys (hashed)

4.2 Usage and Technical Data

IP address

Log files

Access timestamps

Resource usage metrics

Browser and device information

4.3 Customer Content (Processed as Processor)

Datasets uploaded by users

Job inputs and outputs

Metadata associated with datasets and workflows

5. Special Categories of Data

THOA may be used to process special categories of personal data, including genetic or health-related data, strictly on the instructions of our customers.

GWC:

Does not determine the purposes of such processing

Does not use such data for its own purposes

Implements appropriate technical and organizational safeguards

Customers are responsible for ensuring a valid legal basis under applicable law, including ethics approvals or data subject consent where required.

6. Legal Bases for Processing

6.1 Platform and Account Data (Controller)

We process personal data based on:

Performance of a contract (Art. 6(1)(b) GDPR)

Legitimate interests (Art. 6(1)(f) GDPR), such as security and service improvement

Legal obligations (Art. 6(1)(c) GDPR)

6.2 Customer Content (Processor)

Processing is governed by the Data Processing Agreement and based on the legal grounds determined by the customer as controller.

7. Data Retention

Account and billing data: retained for the duration of the account and as required by law

Logs and security data: retained for a limited period

Customer content: retained according to customer instructions and deleted upon termination, subject to backup retention cycles

8. Subprocessors

We use trusted subprocessors for infrastructure, hosting, and support services. A current list of subprocessors is available upon request.

All subprocessors are bound by contractual data protection obligations.

9. International Data Transfers

We primarily process data in Switzerland and the European Economic Area (EEA).

Where data is transferred outside Switzerland or the EEA, we rely on:

Adequacy decisions where applicable

Standard Contractual Clauses (SCCs)

Appropriate technical and organizational safeguards

10. Security Measures

We implement appropriate security measures, including:

Access controls

Encryption in transit

Segmentation of environments

Logging and monitoring

No system is completely secure; however, we continuously improve our security practices.

11. Data Subject Rights

You have the right to:

Access your personal data

Rectify inaccurate data

Request erasure or restriction

Request data portability (where applicable)

Object to certain processing

Requests can be made at hello@thoa.io.

12. Cookies

We use essential cookies necessary for the operation of THOA. Optional analytics cookies are used only with consent, where required. Details are provided in our Cookie Policy.

13. Supervisory Authority

If you are located in Switzerland, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

If you are located in the EU, you may lodge a complaint with your local supervisory authority.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the platform or email.