The provider of this website and services is Vemido, Thomas Sokolowski, Switzerland.

For inquiries, please use our contact form.

All content on this website (texts, graphics, trademarks, and design elements) is protected by copyright. Any use, reproduction, or distribution is not permitted without prior written consent.

The contractual use of the services offered here is governed by our General Terms and Conditions (GTC). The GTC are provided to interested parties before contract conclusion and before service provision, and are always an integral part of our contractual relationships.

Zurich, 15.03.2026

Last updated: March 15, 2026

1. Controller

The controller responsible for the processing of personal data in connection with the website and services of Vemido is:

Thomas Sokolowski
Niederlenzerstrasse 79
5600 Lenzburg, Switzerland
Email: support@vemido.com

2. Purpose of this Privacy Policy

This Privacy Policy provides information on the nature, scope, and purpose of the processing of personal data in connection with the website www.vemido.com and the use of the services offered by Vemido. It serves to fulfill the information obligations under the Swiss Federal Act on Data Protection (FADP).

3. Use of the Website

As a rule, the website may be visited for informational purposes without creating a user account.

Vemido does not use web analytics services and does not load external fonts via APIs. On the website, Vemido uses only those cookies or comparable technical means that are necessary for functionality and user-friendly presentation, in particular for storing the language selected by the user.

4. Google Maps

Google Maps may be used within a booking system created by one of our customers in order to provide map content. The map is loaded only when the user actively accesses it via a link (no iframe). Only in this context may personal data, in particular technical connection data, usage data, and, where applicable, the IP address, be transmitted to Google or recipients affiliated with Google. In its Privacy Policy, Google states that it collects, among other things, data regarding the interaction of apps, browsers, and devices with its services, as well as the IP address.

A disclosure abroad cannot be excluded in this context. To the extent that a disclosure is made to countries that do not provide an adequate level of data protection, such disclosure shall take place only on the basis of the safeguards required under applicable data protection law or another permissible legal basis. Under the FADP, information must be provided regarding recipients and cross-border disclosures.

5. Contacting Us

If you contact Vemido, in particular by email or via a contact form, Vemido processes the personal data that you provide yourself to the extent necessary to handle your inquiry, communicate with you, and initiate or perform a contract.

6. Registration, Trial Period, and Paid Services

If you register for a trial period, a user account, or a paid service offered by Vemido, Vemido processes the personal data required for registration, contract administration, service provision, administration, invoicing, communication, support, data security, and the assertion and enforcement of legal claims.

Depending on usage, this may include in particular master and contact data, contract data, billing data, user and access data, communication data, as well as the content, appointment, booking, and administrative data processed in the course of using Vemido.

7. Processing on Behalf of Customers

To the extent that Vemido processes personal data on behalf of a customer, such processing is carried out as processor activities within the meaning of applicable data protection law. In such case, the respective customer is, as a rule, responsible under data protection law for the lawfulness of the processing. For this purpose, a Data Processing Agreement (DPA) is concluded between Vemido and the customer, which forms an integral part of the contractual relationship. The Swiss FADP expressly regulates processing by processors.

8. Disclosure to Third Parties and Service Providers

Vemido discloses personal data to third parties only to the extent necessary for the provision of the website and services, the performance of the contract, compliance with legal obligations, or the protection of legitimate interests.

This may include, in particular, disclosure to technical service providers such as hosting, infrastructure, communication, or support providers. If such recipients are located abroad or if data is processed abroad, this shall take place in compliance with the applicable data protection requirements.

9. Retention and Deletion

Personal data is processed and retained only for as long as necessary for the respective purpose or for as long as statutory retention obligations, contractual obligations, or legitimate interests, in particular for the assertion, exercise, or defense of legal claims, so require.

Unless such reasons prevent it, personal data will be deleted or anonymized as soon as it is no longer required for the purposes pursued.

10. Rights of Data Subjects

Within the framework of applicable data protection law, data subjects have, in particular, the right to obtain information about the data processed concerning them and, depending on the statutory requirements, the right to rectification, deletion, or restriction of processing. The right of access is governed by the Swiss FADP.

Requests to exercise such rights may be sent to support@vemido.com.

11. Amendments

Vemido may amend this Privacy Policy if required due to legal, technical, or operational changes. The version published on the website from time to time shall be controlling.

General Terms and Conditions

for the use of Vemido

Version dated: March 10, 2026

1. Provider

The provider of Vemido is:

Thomas Sokolowski
Niederlenzerstrasse 79
5600 Lenzburg
Switzerland

Vemido is operated under the designation “Vemido” and is accessible via the website www.vemido.com.

2. Scope of Application

2.1 These General Terms and Conditions govern the conclusion, content, and performance of all contractual relationships between the Provider and its customers relating to the use of the Vemido software solution and any related services.

2.2 Vemido is intended exclusively for businesses, self-employed persons, associations, foundations, public-law entities, and other organizations. The conclusion of contracts with consumers for private purposes is excluded unless expressly agreed otherwise in writing.

2.3 Any conflicting, supplementary, or deviating terms and conditions of the Customer shall not apply unless the Provider has expressly agreed to their validity in writing.

2.4 In the event of any conflict, individual quotations, service descriptions, price lists, supplementary agreements, data processing agreements, service descriptions, or other contractual documents shall take precedence over these GTC.

3. Conclusion of Contract

3.1 The contract is concluded through acceptance of a quotation, an online order, registration, activation of a customer account, or use of Vemido’s services.

3.2 Upon conclusion of the contract, the Customer acknowledges these GTC as a binding part of the contract.

3.3 The Provider is entitled to reject registrations, orders, or contract conclusions without stating reasons.

4. Subject Matter of the Contract

4.1 Vemido is a digital software solution for the management, organization, and execution of booking, appointment, resource, and related administrative processes.

4.2 The specific scope of services is determined by the package booked in each case, the current service description, the quotation, and any supplementary agreements.

4.3 The Provider owes the provision of the contractually agreed functions in accordance with the current technical and operational standard. Any particular economic success, specific increase in revenue, specific cost saving, or suitability for a special purpose assumed by the Customer shall only be owed if expressly warranted in writing.

4.4 The standard scope of services does not include, in particular, individual legal advice, tax advice, business consulting, industry-specific compliance reviews, custom developments, migrations, interface customizations, data cleansing, content reviews, or customer-specific special solutions, unless expressly agreed.

4.5 The Provider is entitled to further develop Vemido technically and functionally, to modify, expand, restrict, or replace functions with equivalent functions, provided that the essential contractual benefit is not unreasonably impaired as a result.

4.6 Vemido may be used free of charge for a period of 30 days. The trial period begins when the account is activated and ends automatically after 30 days unless a paid continuation is agreed. If no continuation is agreed, all data of the trial account will be irreversibly deleted after the trial period ends. It is the user’s responsibility to arrange a continuation in due time before the trial period ends or to secure the data by other means. Vemido shall not be liable for data losses resulting from the user failing to arrange a timely continuation or failing to perform their own data backup. The free trial period may only be used once per user, per company, and per account. Separately designated paid service packages, in particular our SMS messaging, are not part of the free trial period and will be charged separately if used, including during the trial period.

5. Right of Use

5.1 For the duration of the contract, the Provider grants the Customer a non-exclusive, non-transferable, non-sublicensable, and revocable right to use Vemido within the contractually agreed scope.

5.2 All rights in and to Vemido, in particular copyrights, trademark rights, distinctive signs, database rights, rights in software, source code, user interfaces, layouts, designs, configurations, documentation, concepts, modules, and further developments, shall remain exclusively with the Provider or the respective rights holders.

5.3 In particular, the Customer is prohibited from:

reproducing Vemido in whole or in part, renting, leasing, reselling, or making it available to third parties, whether for consideration or free of charge;
modifying, reverse engineering, decompiling, or reconstructing the source code of Vemido, except to the extent mandatorily permitted by law;
disclosing access credentials to unauthorized third parties;
using or having Vemido analyzed for the purpose of building or operating competing systems.

6. Customer Obligations

6.1 The Customer is solely responsible for the use of Vemido, for all content entered, uploaded, stored, processed, transmitted, or published, and for the conduct of its employees, agents, administrators, and end users.

6.2 The Customer undertakes to use Vemido exclusively in a lawful, proper, and contractually compliant manner.

6.3 In particular, the Customer shall ensure that no content is processed, stored, or published via Vemido that:

violates applicable law;
infringes the rights of third parties, in particular copyright, trademark, design, name, personality, or data protection rights;
is misleading, deceptive, insulting, discriminatory, immoral, extremist, or criminal in nature;
contains malware, malicious scripts, viruses, trojans, or other elements that endanger security.

6.4 The Customer is solely responsible for complying with all legal, regulatory, contractual, and professional requirements necessary for its activities. This applies in particular to regulations relating to data protection, unfair competition law, employment law, tax law, consumer protection law, health law, professional regulations, and industry-specific special regulations.

6.5 The Customer is obliged to keep all access credentials, passwords, authentication features, administrative access credentials, and other security features confidential, to protect them against access by unauthorized third parties, and to make them available only to authorized persons.

6.6 The Customer is solely responsible for the security of its user accounts, access credentials, and authentication features within its own organizational and sphere of responsibility. The Customer shall implement appropriate technical and organizational protective measures, in particular:

the use of sufficiently secure, individual, and confidential passwords;
the secure storage and management of access credentials;
the restriction of access rights to actually authorized persons;
the immediate modification, withdrawal, or blocking of authorizations upon departure, change of function, or loss of authorization;
the protection of the end devices, browsers, email accounts, and internal systems used against unauthorized access;
the immediate change of compromised or suspected compromised access credentials;
the use of additional security mechanisms where such are provided by the Provider or are reasonable for the Customer under the circumstances.

6.7 The Customer shall ensure that access credentials are not stored, documented, transmitted, or disclosed jointly, unencrypted, carelessly, or otherwise in a manner susceptible to misuse.

6.8 All actions performed using the Customer’s valid access credentials, user accounts, or authentication features shall be attributed to the Customer unless the Customer proves that such use was caused exclusively by circumstances lying exclusively within the Provider’s sphere of responsibility.

6.9 The Customer shall notify the Provider without undue delay of any suspicion of loss, theft, disclosure, misuse, or other compromise of access credentials and shall take all reasonable measures to mitigate damage.

6.10 In the event of suspected misuse, a security risk, or unauthorized access, the Provider is entitled to temporarily block user accounts or access, reset passwords, deactivate authentication means, or take other appropriate security measures.

6.11 Unless a separate backup or restore service has been expressly agreed in writing, the Customer is obliged to independently back up all data essential to its business operations outside Vemido at appropriate intervals and under its own responsibility. In particular, the Customer must ensure that data exports are performed, backups are verified, and, where necessary, data can be restored or otherwise used independently of the Provider.

6.12 The Customer is obliged to notify the Provider without undue delay of any recognizable defects, malfunctions, security incidents, or cases of misuse and to cooperate to a reasonable extent in error analysis and remediation.

6.13 The Customer acknowledges that the protection of its user accounts, access credentials, and authentication features forms an essential part of its own operational security organization.

6.14 The Provider assumes no responsibility for how the Customer internally manages, stores, documents, discloses, or organizationally safeguards access credentials, unless this is expressly the subject of a separate written security or administration agreement.

6.15 The Customer bears the risk of damage, data loss, incorrect bookings, unauthorized modifications, deletions, disclosures, or other disadvantages resulting from insufficient protection, disclosure, revelation, theft, or misuse of its access credentials within its sphere of influence, organization, or responsibility.

6.16 The Customer is obliged to design its internal processes in such a way that unauthorized access, privilege escalation, password sharing, shared user accounts, and misuse of administrative rights are prevented as far as possible.

7. Prices and Payment Terms

7.1 The prices agreed at the time of conclusion of the contract shall apply.

7.2 Unless stated otherwise, all prices are quoted in Swiss francs (CHF) and exclude any applicable statutory charges, in particular value added tax.

7.3 Recurring fees are payable in advance. One-time services, additional services, expenses for support, training, setup, data migration, custom developments, or third-party integrations shall be invoiced separately unless otherwise agreed in writing.

7.4 Invoices are payable without deduction within the payment period stated on the invoice.

7.5 In the event of default in payment, the Customer owes statutory default interest as well as reminder fees, collection costs, debt enforcement costs, and other reasonable enforcement costs.

7.6 Set-off against counterclaims is permitted only if such counterclaims are undisputed or have been finally adjudicated.

8. Default in Payment, Blocking, and Refusal of Performance

8.1 If the Customer is in whole or partial default with due payments, the Provider is entitled, at its sole discretion and without any obligation to compensate the Customer, to:

refuse services in whole or in part;
temporarily or permanently block access to Vemido;
restrict functions;
deactivate accounts;
declare outstanding claims immediately due and payable, to the extent permitted by law.

8.2 The blocking or discontinuation of services does not release the Customer from its existing payment obligations.

8.3 The Provider is also entitled to block, restrict, or discontinue services in whole or in part with immediate effect if:

there is a violation of these GTC;
there is suspicion of unlawful or abusive use;
the use poses a risk to the stability, integrity, or security of Vemido, third parties, or the Provider’s IT infrastructure;
official, judicial, or other legal reasons require such action.

8.4 The Provider is not obliged to conclusively clarify all factual or legal issues before implementing a suspension, provided that, from an objective perspective, there is a factual reason for a precautionary measure.

9. Prohibited Content and Unlawful Use

9.1 The Customer may not use Vemido to publish, distribute, store, or process unlawful content.

9.2 The Provider is entitled to block, deactivate, or restrict the availability of content if there are concrete indications of a legal violation, a breach of these GTC, or a risk to third parties.

9.3 The Provider is not obliged to generally or proactively review or continuously monitor the legality of content posted or processed by the Customer.

9.4 The Customer shall be fully liable to the Provider for all disadvantages, damages, costs, and claims incurred by the Provider as a result of unlawful or contractually non-compliant content or use by the Customer.

10. Availability, Maintenance, and Technical Requirements

10.1 The Provider will endeavor to operate Vemido with as few disruptions as possible.

10.2 Unless a separate service level agreement has been expressly concluded, the Provider does not owe any specific minimum availability, uninterrupted accessibility, continuous operational readiness, or completely error-free functioning of Vemido.

10.3 The Provider is entitled to temporarily take Vemido out of operation in whole or in part, or to restrict its functionality, for maintenance, security updates, patches, upgrades, migrations, releases, bug fixes, performance optimizations, load balancing, backups, tests, or other technical work.

10.4 Disruptions, interruptions, delays, data loss, performance reductions, or functional impairments may in particular be caused by:

failures of servers, data centers, hosting providers, or telecommunications networks;
power outages or hardware defects;
software errors;
cyberattacks, malware, or security incidents;
overloads;
interference by third parties;
lack of or insufficient compatibility of end devices, browsers, operating systems, or third-party systems;
force majeure.

10.5 The Provider gives no warranty as to the compatibility of Vemido with all browsers, end devices, operating systems, APIs, plug-ins, email services, payment services, SMS services, third-party modules, or other third-party systems, unless expressly agreed in writing.

11. Data Backup and Backups

11.1 To the extent that technical options for data backup, backups, exports, or restoration exist within Vemido, they serve exclusively as a supporting function and, absent an express written supplementary agreement, do not establish any obligation of the Provider to perform complete, gapless, continuously available, or always successful data backup or data restoration.

11.2 The Customer is solely responsible for data backup in accordance with its business, legal, and operational requirements. The Customer shall regularly secure data essential to its business operations in an appropriate form, use export options, periodically verify the readability and completeness of its backups, and implement appropriate organizational emergency measures.

11.3 The Provider gives no warranty that backups, backup states, or export files will be available at all times, complete, current, error-free, or suitable for every purpose of the Customer.

11.4 Data restoration shall, where technically possible, be performed exclusively on the basis of the backup states available at the relevant time. There is no entitlement to restoration of any particular data set, version, or point in time.

11.5 To the extent permitted by law, the Provider shall not be liable for damage resulting from the Customer’s failure to back up, export, verify, archive, or otherwise keep its data available independently of Vemido, or from doing so insufficiently. This also applies to damage resulting from the Customer’s insufficient protection of its access credentials, thereby enabling unauthorized third parties to gain direct or indirect access to data, functions, bookings, or systems.

12. Liability

12.1 The Provider shall be liable only for direct damage demonstrably caused to the Customer by intentional misconduct or gross negligence on the part of the Provider. To the extent permitted by law, the Provider’s liability for slight negligence is excluded.

12.2 To the extent permitted by law, any liability of the Provider is excluded for:

indirect and consequential damage;
loss of profit;
loss of revenue, loss of earnings, loss of income, and loss of business;
business interruptions, production outages, missed deadlines, and loss of productivity;
data loss, data corruption, data inconsistencies, and restoration costs;
reputational damage;
claims by third parties against the Customer;
damage resulting from system failures, unavailability, malfunctions, miscalculations, incorrect processing of bookings, delayed or omitted notifications, transmission errors, interface errors, input errors, or configuration errors;
damage resulting from failures or disruptions of hosting, cloud, data center, network, domain, browser, payment, SMS, email, API, or other third-party services;
damage resulting from incorrect, incomplete, delayed, or unlawful data or content of the Customer;
damage resulting from insufficient data backup by the Customer;
damage resulting from force majeure;
damage resulting from loss, theft, disclosure, transmission, insufficient safeguarding, or misuse of the Customer’s access credentials, user accounts, or authentication features, insofar as the cause lies wholly or partly within the Customer’s sphere of influence, organization, or responsibility.

12.3 In particular, the Provider shall not be liable for damage, financial losses, or lost income arising from the temporary or permanent unavailability of Vemido, from bookings not being processed, being processed late, or being processed incorrectly, from data being lost or corrupted in whole or in part, from data not being restorable in time, or from third parties gaining access to Vemido or to data processed therein as a result of insufficient protection of the Customer’s access credentials.

12.4 To the extent permitted by law, the Provider shall in particular not be liable for damage, data loss, incorrect bookings, unauthorized data alterations, unauthorized bookings, financial losses, or other disadvantages arising from third parties gaining access to Vemido or to data processed therein as a result of insufficient protection of the Customer’s access credentials.

12.5 The Customer acknowledges that Vemido is an internet-based software system whose operation depends on technical infrastructure and third-party services. Temporary unavailability, disruptions, delays, data loss, or data corruption cannot be ruled out with absolute certainty even where the standard of care customary in the industry is applied.

12.6 To the extent permitted by law, the Provider’s total liability per event of damage and per contract year is limited to the amount of remuneration actually paid by the Customer during the twelve months preceding the event giving rise to the damage.

12.7 Any further contractual or non-contractual liability of the Provider is excluded.

12.8 Mandatory statutory liability provisions remain reserved.

13. Warranty

13.1 The Provider warrants that Vemido will be provided substantially in accordance with the agreed service description.

13.2 Insignificant deviations, purely visual defects, temporary disruptions, maintenance interruptions, or impairments that do not materially frustrate contractual use shall not give rise to warranty claims.

13.3 In the event of material defects, the Provider shall have the right, at its discretion and within a reasonable period, to remedy the defect, provide a workaround, provide a replacement, or adjust the affected function.

13.4 Any further claims of the Customer, in particular for price reduction, rescission, self-remedy, or damages, are excluded to the extent permitted by law.

14. Data, Data Protection, and Data Processing

14.1 To the extent that the Provider processes personal data on behalf of the Customer within the framework of Vemido, the Provider shall act as a processor within the meaning of the applicable data protection law.

14.2 The Customer remains responsible for the lawfulness of the data processing initiated by it. This applies in particular to the permissibility of the processing purposes, compliance with information obligations, obtaining any necessary consents, safeguarding data subject rights, and the permissibility of any disclosures.

14.3 The Provider shall implement appropriate technical and organizational measures to protect the processed data. Absolute data security is not owed.

14.4 The Provider is entitled to involve third parties and subprocessors in Switzerland and abroad in the performance of services to the extent legally permissible.

14.5 Upon conclusion of the contract, the parties shall enter into a data processing agreement (hereinafter referred to as the “DPA”). The DPA shall be made available to the Customer in its respectively applicable version during the electronic ordering, registration, or onboarding process. Before concluding the contract, the Customer shall have the opportunity to review the DPA in a storable format.

14.6 The DPA shall be deemed validly concluded when the Customer expressly agrees to it during the electronic ordering, registration, or onboarding process, in particular by clicking an appropriately designated checkbox or by completing the ordering process after having been expressly informed of the applicability of the DPA.

14.7 The relevant version of the DPA shall be the version displayed to the Customer at the time of its consent or otherwise made available in a storable format. For documentation and evidentiary purposes, the Provider is entitled to store the date, time, user account, contract or order ID, version status of the DPA, and the time of consent.

14.8 After conclusion of the contract, the Provider shall transmit to the Customer an electronic confirmation in text form, in particular by email, enclosing or linking to the version of the DPA applicable at the time of conclusion of the contract.

14.9 In the event of conflicts between these GTC and the DPA, the DPA shall take precedence for data protection issues relating to commissioned data processing. In all other respects, these GTC shall remain unaffected.

15. Indemnification

15.1 The Customer shall indemnify and hold harmless the Provider, its auxiliaries, and engaged third parties from and against all claims, demands, proceedings, damages, losses, fines, costs, and expenses arising out of or in connection with:

any unlawful or contractually non-compliant use of Vemido by the Customer;
the Customer’s content or data;
infringements of third-party rights;
violations of data protection, unfair competition, professional, or other regulatory obligations.

15.2 The indemnification also includes reasonable attorneys’ fees, consulting costs, court costs, investigation costs, settlement costs, and enforcement costs.

16. Support

16.1 Support services shall be provided only to the extent agreed.

16.2 Unless expressly agreed otherwise in writing, there are no guaranteed response, intervention, remediation, or restoration times.

16.3 The Provider is entitled to refuse support requests or invoice them separately if they:

fall outside the agreed scope of services;
are based on operator errors or configuration errors on the Customer’s side;
cannot be reproduced;
concern third-party software, third-party systems, or the Customer’s own infrastructure.

17. Term and Termination

17.1 Unless agreed otherwise, the contract is concluded for an indefinite period.

17.2 Recurring subscriptions or usage agreements may be terminated by either party with 30 days’ notice to the end of a current billing period, unless otherwise contractually agreed.

17.3 The right to terminate without notice for good cause remains reserved.

17.4 Good cause for the Provider exists in particular if:

the Customer is in default with payments;
the Customer violates these GTC;
unlawful content or uses exist;
system security is endangered;
official or judicial requirements make continuation unreasonable.

17.5 Upon termination of the contract, the Customer’s right of use shall automatically end.

17.6 After the end of the contract, the Provider is entitled to block access and delete data upon expiry of any statutory or contractual retention periods.

17.7 It is the Customer’s responsibility to ensure, in good time before termination of the contract, that its data is exported or otherwise secured.

18. Changes to Services, Prices, and GTC

18.1 The Provider is entitled to amend services, functions, prices, and these GTC with effect for the future, provided there is an objective reason for doing so. Objective reasons include in particular:

technical developments;
security requirements;
changes in legal or regulatory requirements;
changes involving third-party providers;
operational or economic necessities.

18.2 Changes shall be communicated to the Customer in an appropriate manner.

18.3 If the Customer does not object to a material change in text form within 30 days of notification, the change shall be deemed approved.

18.4 If the Customer objects in due time, the Provider is entitled to terminate the contract ordinarily or extraordinarily as of the effective date of the change.

19. Confidentiality

19.1 Both parties undertake to treat as confidential all commercial, technical, organizational, and operational information of the other party that is not generally known.

19.2 The confidentiality obligation shall not apply to information that:

is generally known or becomes generally accessible without breach of contract;
was lawfully obtained from third parties;
must be disclosed due to a legal obligation or an official order.

20. Force Majeure

20.1 Neither party shall be liable for non-performance or delayed performance of its obligations to the extent caused by events beyond its reasonable control.

20.2 Cases of force majeure include in particular natural events, war, civil unrest, terrorism, pandemics, official orders, strikes, power outages, cyberattacks, failures of telecommunications or hosting infrastructures, and other unforeseeable and unavoidable events.

20.3 For the duration of an event of force majeure, the affected performance obligations shall be suspended.

21. Final Provisions

21.1 Should individual provisions of these GTC be or become wholly or partially invalid, void, or unenforceable, the validity of the remaining provisions shall remain unaffected. The invalid provision shall be replaced by a legally permissible provision that comes as close as possible to the economic purpose of the invalid provision.

21.2 Side agreements, amendments, and supplements must be made at least in text form in order to be valid, unless mandatory law requires a stricter form.

21.3 The Provider is entitled to assign rights and obligations arising from the contractual relationship, in whole or in part, to third parties.

21.4 The Customer may assign rights and obligations arising from the contractual relationship to third parties only with the Provider’s prior written consent.

21.5 Swiss substantive law shall apply exclusively, to the exclusion of conflict of laws rules.

21.6 The exclusive place of jurisdiction shall be Lenzburg, Switzerland, unless a mandatory statutory place of jurisdiction takes precedence.

Version dated: March 10, 2026

1. Purpose, Subject Matter, and Formation of the Agreement

1.1 This Data Processing Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the Vemido software solution.

1.2 This Agreement supplements the General Terms and Conditions (GTC), quotations, service descriptions, service specifications, and any other master agreements existing between the parties concerning the use of Vemido.

1.3 Unless otherwise provided in this Agreement, the provisions of the GTC and the master agreement shall apply in addition.

1.4 This Agreement shall apply to the extent that the Processor processes personal data on behalf of the Controller and acts as a processor under applicable data protection law.

1.5 Electronic Formation: This DPA may be entered into as part of Vemido’s electronic ordering, registration, or onboarding process. It shall be deemed validly agreed if the Controller had the opportunity, before or in direct connection with the conclusion of the contract, to review the text of this DPA in a storable form and agrees to it electronically, in particular by clicking a correspondingly designated checkbox or by completing the ordering process after being expressly notified that this DPA applies.

1.6 Controlling Version and Versioning: The controlling version shall be the version of the DPA that was made available to the Controller at the time of its consent. For documentation and evidentiary purposes, the Processor shall be entitled to store the date, time, user account, contract or order ID, DPA version status, and the time at which consent was given.

1.7 Confirmation in Text Form: Promptly after execution of this DPA, the Processor shall provide the Controller with an electronic confirmation in text form, in particular by email, attaching or linking to the version of the DPA that was controlling at the time the contract was concluded.

2. Roles of the Parties

2.1 The Controller shall determine the purposes of, and the essential means for, the processing of the personal data that are collected, stored, organized, administered, transmitted, or otherwise processed via Vemido.

2.2 The Processor shall process personal data exclusively on behalf of, and in accordance with, the documented instructions of the Controller, unless a legal obligation requires different processing.

2.3 To the extent that the Processor processes personal data for its own purposes, in particular to comply with its own legal obligations, for billing, abuse prevention, IT security, documentation, or the enforcement of its own claims, such processing shall take place outside the scope of this DPA and under the Processor’s own responsibility under data protection law.

3. Subject Matter, Nature, and Purpose of the Processing

3.1 The subject matter of the processing is the provision of the services associated with Vemido, in particular provisioning, hosting, technical operation, administration, support, maintenance, troubleshooting, data backup, restoration, logging, and other processing activities related to the master agreement.

3.2 The nature and purpose of the processing, the categories of data subjects, and the categories of personal data processed are set out in Annex 1 to this Agreement.

3.3 The Controller bears sole responsibility for ensuring that the processing of personal data initiated by it is lawful and that only such personal data are processed via Vemido as may lawfully be processed in the specific individual case.

4. Controller’s Right to Issue Instructions

4.1 The Processor shall process personal data exclusively on the basis of documented instructions from the Controller, except to the extent that legal obligations require processing without, or contrary to, such instructions.

4.2 The following in particular shall be deemed documented instructions:

this DPA;
the master agreement, including the GTC and service description;
configurations, entries, permissions, and system settings made by the Controller itself within Vemido in the course of use; and
written individual instructions from the Controller.

4.3 Oral instructions shall be confirmed without undue delay in text form.

4.4 If, in the Processor’s assessment, an instruction is problematic under data protection law, unlawful, or poses a technical security risk, the Processor shall notify the Controller accordingly. The Processor shall be entitled to suspend or refuse execution of an instruction that is manifestly unlawful until the matter has been clarified.

5. Obligations of the Processor

5.1 The Processor undertakes to process personal data only within the scope of this Agreement and the master agreement.

5.2 The Processor shall not use personal data made available or accessible to it in connection with the engagement for its own purposes that are incompatible with the engagement.

5.3 The Processor shall ensure that only those persons are granted access to personal data who:

actually require access in order to provide the contractual services;
have been bound to confidentiality; and
have been instructed regarding their obligations under data protection and information security law.

5.4 The Processor shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against loss, destruction, accidental alteration, or unauthorized disclosure. The principles of these measures are set out in Annex 2.

5.5 The Processor shall support the Controller to an appropriate extent with:

the fulfillment of rights of access, rectification, erasure, delivery, or other data subject rights;
the documentation of processing activities;
data protection assessments in connection with the use of Vemido;
the assessment of personal data breaches; and
any data protection impact assessments, to the extent that such support is required in light of the specific services used and is reasonable for the Processor.

5.6 The Processor shall not be obligated to perform legal assessments, balancing of interests, or independent substantive reviews of the permissibility of the processing on behalf of the Controller.

6. Obligations of the Controller

6.1 The Controller represents that it processes, or causes to be processed, personal data only in compliance with applicable data protection law.

6.2 The Controller shall be responsible in particular for:

the lawfulness of the processing;
determining the purposes of the processing;
fulfilling information obligations toward data subjects;
obtaining any necessary consents;
the permissibility of processing sensitive personal data;
the permissibility of any disclosures of data abroad; and
maintaining content, master data, and user permissions within its area of responsibility.

6.3 The Controller shall configure and use Vemido in such a way that the data protection requirements applicable to its use case are complied with.

6.4 The Controller shall remain responsible for the security of its user accounts, access credentials, role and permission concepts, internal approval processes, and data backup within its own organizational sphere, unless additional services by the Processor have expressly been agreed in writing.

6.5 As a general rule, the Controller shall itself respond to requests for access and other data subject requests. The Processor shall support the Controller in this regard to an appropriate extent.

7. Confidentiality and Secrecy

7.1 The Processor shall treat all personal data processed on behalf of the Controller as confidential.

7.2 The Processor shall ensure that its employees, auxiliary persons, and engaged third parties who may come into contact with personal data are bound to confidentiality or are subject to an adequate statutory duty of secrecy.

7.3 The duty of confidentiality shall continue to apply after termination of this Agreement.

8. Technical and Organizational Measures

8.1 The Processor shall implement appropriate technical and organizational measures, taking into account in particular:

the state of the art;
the nature, scope, circumstances, and purposes of the processing;
the need for protection of the personal data processed; and
the likelihood and severity of an impairment of the personality or other protected interests of the data subjects concerned.

8.2 The essential measures are described in Annex 2.

8.3 The Processor shall be entitled to further develop and modify the technical and organizational measures, provided that the overall level of protection is not reduced inappropriately.

9. Engagement of Sub-Processors

9.1 The Controller hereby grants the Processor general prior authorization to engage additional processors to the extent required for the provision of the services.

9.2 The sub-processors engaged at the time of contract formation are listed in Annex 3.

9.3 The Processor shall inform the Controller in an appropriate manner of any intended changes concerning sub-processors, in particular their replacement or the engagement of additional sub-processors.

9.4 If the Controller, for factually justified reasons relating to data protection, objects in writing to a new sub-processor within 30 days from notification, and if no reasonable alternative can be offered, both parties shall be entitled to terminate the affected service or the master agreement upon reasonable notice.

9.5 The Processor shall contractually bind sub-processors to data protection and security standards that correspond in substance to the protections of this Agreement.

9.6 The Processor shall remain responsible vis-à-vis the Controller for the proper performance of the services assumed by sub-processors, to the extent permitted by law and subject to any differing liability provisions in the master agreement.

10. Disclosure of Personal Data Abroad

10.1 As a general rule, the Processor shall process personal data in Switzerland or in countries with an adequate level of data protection.

10.2 To the extent that processing or accessibility abroad occurs or is possible, the Processor shall ensure that the applicable requirements under data protection law are complied with.

10.3 If disclosure takes place to a country without an adequate level of data protection, such disclosure may occur only on the basis of appropriate safeguards or another legally permissible justification.

10.4 The Controller acknowledges that the use of certain technical services, support services, communication services, or infrastructure services may involve processing with a foreign nexus, provided that this is disclosed in the master agreement, the annexes, or the documentation.

11. Assistance with Data Subject Rights

11.1 If the Processor receives inquiries from data subjects concerning processing carried out by the Controller, the Processor shall forward such inquiries to the Controller without undue delay and without conducting its own substantive review, provided that an allocation is possible.

11.2 The Processor shall not independently respond to such inquiries unless:

the Controller has expressly instructed it to do so; or
the Processor is legally obligated to do so.

11.3 The Processor shall support the Controller to an appropriate extent with the information and functionalities available to it so that the Controller can fulfill its legal obligations.

12. Personal Data Breaches

12.1 The Processor shall inform the Controller as quickly as possible of any data security breaches that affect or may affect the Controller’s personal data.

12.2 To the extent possible and reasonable at the relevant time, the Processor’s notice shall include, in particular, information regarding:

the nature of the breach;
the categories of data and categories of data subjects concerned;
the likely scope;
the probable consequences; and
the countermeasures already taken or proposed.

12.3 The Processor shall support the Controller to an appropriate extent in the assessment, containment, documentation, and handling of a data security breach.

12.4 The legal assessment of whether notification to a data protection supervisory authority or communication to data subjects is required shall, as a general rule, be the responsibility of the Controller.

13. Demonstration of Compliance and Review

13.1 Upon reasonable request, the Processor shall make available to the Controller the information necessary to demonstrate compliance with this Agreement.

13.2 Such demonstration may in particular be provided by means of:

current descriptions of the technical and organizational measures;
certifications, audit reports, or self-disclosures, if available;
contractual information regarding sub-processors; and
documented security and data protection processes.

13.3 On-site audits shall be permissible only if:

there is a legitimate reason;
less intrusive means of demonstrating compliance are insufficient;
trade and business secrets, as well as the security of other customers, are preserved;
they are announced with reasonable advance notice; and
they do not unreasonably impair the Processor’s business operations.

13.4 The Processor may require that audits be carried out by a qualified, independent auditor who is bound to confidentiality.

13.5 The Controller shall bear the costs of an audit initiated by it, unless there is a demonstrable serious breach by the Processor of this Agreement.

14. Return, Provision, and Deletion of Data

14.1 Upon termination of the master agreement or upon the Controller’s written instruction, the Processor shall, at the Controller’s option, with respect to the personal data processed on behalf of the Controller:

return them;
enable their export by the Controller; or
delete them, provided that no statutory retention obligation or legitimate technical requirement prevents such deletion.

14.2 Statutory retention obligations, evidentiary and documentation obligations, and technically unavoidable residual copies in backup or recovery systems remain reserved. Such residual copies shall not be further processed in production and shall be removed within the framework of the usual overwrite and deletion cycles.

14.3 The Controller shall be obligated, prior to the end of the contract, to independently and in a timely manner make use of available export and backup options to the extent that, under the master agreement, this falls within its area of responsibility.

15. Compensation

15.1 Unless expressly agreed otherwise, compliance with this DPA shall be covered by the compensation under the master agreement to the extent that it does not exceed the usual and reasonable effort.

15.2 Additional effort arising from extraordinary instructions, extensive cooperation obligations, special audits, individualized security attestations, migration-related export services, extensive data subject requests, or administrative proceedings may, after prior notice to the Controller, be invoiced separately by the Processor on a time-and-materials basis.

16. Liability

16.1 The liability of the parties shall be governed by the provisions of the master agreement and the GTC, unless this DPA expressly provides otherwise.

16.2 This DPA does not create any strict liability of the Processor beyond that provided for in the master agreement.

16.3 To the extent permitted by law, the limitations of liability, exclusions of liability, and cooperation obligations of the Controller set out in the GTC shall remain unaffected.

17. Term, Entry into Force, and Activation

17.1 This DPA shall enter into force upon the Controller’s electronic or otherwise documented acceptance, but in any event no later than before the first productive processing of the Controller’s personal data by Vemido.

17.1a Until this DPA has been validly concluded, the Processor shall neither be obligated nor authorized to process the Controller’s personal data in production within the framework of processing on behalf of the Controller. The Processor shall be entitled to withhold activation of the relevant functions until this DPA has been validly concluded or to restrict the customer account to non-productive use without the processing of personal data.

17.2 This DPA shall remain in effect for as long as the Processor processes the Controller’s personal data on behalf of the Controller.

17.3 Upon termination of the master agreement, this DPA shall also terminate automatically, subject to those provisions that by their nature continue beyond termination, in particular regarding confidentiality, liability, evidence, statutory retention, and deletion and residual copies in backup systems.

18. Relationship to the GTC and the Master Agreement

18.1 This DPA supplements the master agreement and the GTC.

18.2 In the event of inconsistencies between this DPA and the GTC or other contractual documents, this DPA shall prevail for issues of data protection relating to processing on behalf of the Controller.

18.3 In all other respects, the GTC and the master agreement shall remain unchanged and in full force and effect.

19. Language, Amendments, and Final Provisions

19.1 Amendments and supplements to this DPA must be made at least in text form.

19.2 Should individual provisions of this DPA be or become wholly or partially invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The invalid provision shall be replaced by a legally permissible provision that comes as close as possible to the economic purpose of the invalid provision.

19.3 Swiss substantive law shall apply unless mandatory data protection law requires otherwise.

19.4 To the extent permissible and unless the master agreement provides otherwise, the place of jurisdiction shall be Lenzburg, Switzerland.

19.5 Language Versions: This DPA may be provided in multiple language versions. As a general rule, the controlling language version shall be the one displayed to, and accepted by, the Controller in the electronic ordering, registration, or onboarding process. If the parties subsequently expressly agree that another language version or a bilingual contract version shall be binding, such individual agreement shall prevail.

Annex 1

Description of the Processing on Behalf of the Controller

1. Subject Matter of the Processing: Provision and operation of the Vemido software solution as a booking, scheduling, resource, and administration platform.

2. Purpose of the Processing: Enabling the capture, organization, administration, confirmation, communication, documentation, and evaluation of bookings, appointments, resources, customer data, user access, and related business processes of the Controller.

3. Nature of the Processing: Collection, capture, structuring, organization, storage, retention, adaptation, modification, retrieval, consultation, use, disclosure by transmission, making available, alignment, restriction, deletion, and destruction.

4. Categories of Data Subjects (depending on use):

customers and prospective customers of the Controller;
employees, administrators, and authorized representatives of the Controller;
end customers, clients, patients, guests, members, or persons making bookings;
contact persons of business partners; and
other persons whose data are entered by the Controller or caused by the Controller to be processed in the course of using Vemido.

5. Categories of Personal Data (depending on use):

master and contact data;
appointment, booking, and usage data;
communication data;
billing and transaction data;
user and authorization data;
log, device, and metadata; and
free-text and note data voluntarily entered by the Controller.

6. Sensitive Personal Data: Only to the extent that the Controller processes such data within the scope of its use and such processing is lawful, in particular in health-related, therapeutic, or comparable use cases.

7. Duration of the Processing: For the duration of the master agreement and thereafter only to the extent required by statutory obligations, evidentiary purposes, backup copies, or technically unavoidable residual copies.

Annex 2

Technical and Organizational Measures (TOMs)

The Processor shall implement appropriate technical and organizational measures, in particular in the following areas:

1. Physical Access and Logical Access Control

restriction of physical and logical access to systems and services;
role-based and permission-based access concepts;
individual user identifiers, password protection, and, where applicable, additional authentication mechanisms; and
regular review and adjustment of permissions.

2. Confidentiality

access to personal data only for authorized persons on a need-to-know basis;
confidentiality obligations for employees and auxiliary persons;
secure transmission of data over networks, where technically provided for;
protection against unauthorized disclosure in the support and administration process.

3. Integrity

measures to prevent unauthorized alteration of data;
logging and traceability of security-relevant processes, where appropriate; and
defined procedures for deployments, changes, error remediation, and restorations.

4. Availability and Resilience

appropriate measures to ensure system availability and recoverability;
data backups and technical safeguards within the scope of the agreed services; and
processes for disruption management, incident handling, and resumption of operations.

5. Segregation

logical separation of data sets and tenants where provided for by the system design;
separate roles, permissions, and responsibilities; and
controlled use of test, development, and production environments.

6. Organizational Resilience

defined security and authorization processes;
training and awareness measures for relevant persons; and
defined procedures for security incidents and escalations.

7. Selection and Management of Sub-Processors

careful selection of suitable service providers;
contractual commitments regarding data protection and data security; and
periodic review of suitability to an appropriate extent.

8. Privacy-Friendly Default Settings

support for data-minimizing use where technically possible;
provision of role and permission concepts, where agreed; and
limitation of access to what is necessary in each case.

Annex 3

Sub-Processors

Sub-processors engaged at the time this DPA is concluded, to the extent used in the Controller’s specific setup:

IONOS SE, Hinterm Hauptbahnhof 3–5, 76137 Karlsruhe, Germany – Hosting / server operations / infrastructure
Twilio Ireland Limited, 70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland – Sending of SMS notifications, where this service was enabled by the Controller in the setup