Privacy Policy
Last updated: 12.04.2026
1. Introduction
IntimX is a premium adult platform operated from Switzerland by Artenic_ GmbH. Protecting your personal data is at the heart of our commitments. This privacy policy transparently describes what data we collect, why and how we process it, how long we retain it, and what your rights are.
This policy complies with the Swiss Federal Act on Data Protection (nFADP, in force since 1 September 2023) and, where applicable, with the European General Data Protection Regulation (GDPR). In case of conflict, the nFADP prevails as the applicable law.
By using IntimX, you acknowledge that you have read and understood this policy. If you do not agree with the practices described, please do not use our services.
2. Data controller
The data controller for your personal data is:
Artenic_ GmbH
1950 Sion, Suisse
E-mail : support@intimx.ch
Site : intimx.ch
3. Data collected
3.1 Data provided directly
When you create an account, complete your profile or use our services, you provide us with the following data:
- Account data: email address, password (stored as an Argon2id hash, never in plain text), preferred language, acceptance of terms
- Profile data: display name, biography, profile picture, physical attributes (for providers), preferences, voluntary public contact details
- Identity verification (KYC): first name, last name, date of birth, phone number, address, identity documents — all this data is encrypted (AES-256-GCM) in a separate database (vault)
- Financial data: IBAN (encrypted AES-256-GCM), account holder, transaction history via Stripe
- Content: posts, stories, media (photos/videos), comments, reviews
- Communications: private messages, booking messages, reports, support requests
- Establishment data: business name, VAT number, business address, contact details — encrypted in the vault
3.2 Data collected automatically
When you use the platform, certain data is collected automatically:
- Technical data: IP address (SHA-256 hashed in sessions, in plain text in security logs), browser User-Agent
- Session data: session identifier, login and last activity dates, status (active/revoked)
- Approximate geolocation: country and city derived from the IP address via a local database (GeoIP), without calling an external service
- Cookies: strictly necessary technical cookies for operation (see section 9)
- Device information: browser type, operating system, mobile/desktop indicator — used for device trust
3.3 Sensitive data
Given the nature of the platform, some data you choose to publish may reveal sensitive information (sexual orientation, preferences). This data is only processed on the basis of your explicit consent, demonstrated by voluntary publication on your profile. You can delete it at any time.
3.4 Data we do NOT collect
We never collect: social security numbers (AVS/SSN), medical data, political or religious opinions, biometric data for identification purposes, browsing data outside the platform. We do not use any advertising cookies, tracking pixels, or third-party analytics tools (no Google Analytics, Facebook Pixel, etc.).
4. Processing purposes
- Service provision — Creation and management of your account, display of your profile, connecting users, messaging, bookings, subscriptions.
- Security and verification — KYC verification, fraud detection, account lockout after failed attempts, device trust (OTP), compromised password check (HIBP, k-anonymity), security event logging.
- Payments — Processing of subscriptions, tips and payments via Stripe. IntimX never stores your credit card data — it is processed directly by Stripe.
- Communications — Transactional emails (verification, reset, booking notifications), in-app notifications, support responses.
- Service improvement — Internal aggregated metrics (performance, latency, error rates) without personally identifiable data. No marketing profiling.
- Legal obligations — Retention of accounting data (10 years, CO Art. 958f), KYC data retention (3 years, legitimate interest in fraud prevention), CSAM reporting to authorities (Art. 197 Swiss Criminal Code).
5. Legal bases
Each data processing operation relies on a legal basis in compliance with the nFADP and the GDPR:
| Processing | Legal basis | Reference |
|---|---|---|
| Account, profile, messaging, bookings | Performance of contract | nFADP Art. 31 / GDPR Art. 6(1)(b) |
| KYC verification | Legal obligation | nFADP Art. 31(1)(c) + (d) |
| Messaging, notifications | Performance of contract | GDPR Art. 6(1)(b) |
| Payments (Stripe) | Performance of contract | GDPR Art. 6(1)(b) |
| Security (logs, lockout, device trust, HIBP) | Legitimate interest | nFADP Art. 31 / GDPR Art. 6(1)(f) |
| Sensitive data (orientation, preferences) | Explicit consent | nFADP Art. 5 / GDPR Art. 9(2)(a) |
| KYC audit (3 years) | Legitimate interest | nFADP Art. 31(1)(c) |
| Accounting data (10 years) | Legal obligation | CO Art. 958f |
7. Sub-processors and partners
We use a limited number of sub-processors to ensure the operation of the platform:
| Service | Provider | Country | Data transmitted |
|---|---|---|---|
| Server hosting | Infomaniak Network SA | Switzerland | All data (servers hosted in Switzerland) |
| Transactional emails | Resend Inc. | Switzerland | Recipient email address, email content (SMTP Infomaniak Mail) |
| Payments | Stripe Inc. | United States / Ireland | Amounts, user identifier, card data (directly to Stripe) |
| Mapping | Mapbox Inc. | United States | GPS coordinates for map display (no personal data) |
| Password verification | HIBP (Troy Hunt) | Australia | First 5 characters of the SHA-1 password hash (k-anonymity, no password transmitted) |
8. Data retention
We retain your data only for as long as necessary for the described purposes, or to fulfil a legal obligation:
| Data | Retention period |
|---|---|
| Account and profile | Duration of account + 30-day grace period after deletion request |
| KYC documents and data | 3 years after account closure (legitimate interest in fraud prevention) |
| Messages and content | Duration of account + 30-day grace period |
| Accounting data and transactions | 10 years (CO Art. 958f obligation) |
| Security logs (access logs) | 90 days |
| Authentication sessions | 7 days (standard) or 30 days (persistent login) |
| Stories | 24 hours (automatic deletion) |
| System metrics | 7 days (raw), 90 days (hourly), 1 year (daily) — no personal data |
10. Security
Technical measures
- Encryption in transit: HTTPS/TLS 1.3 across the entire platform
- Zero-trust vault architecture: all identity data (first name, last name, date of birth, phone number, address, IBAN) is encrypted with AES-256-GCM at the application level in a separate database. The database only sees ciphertext.
- Password hashing: Argon2id (64 MiB memory, 3 iterations) — OWASP recommended standard
- Tokens and secrets: never stored in plain text, always SHA-256 hashed
- Data isolation: Row Level Security (RLS) on all tables with strict separation between users
- Injection protection: strict Content Security Policy (CSP) with nonce, no inline scripts
Organisational measures
- Principle of least privilege: data access limited to what is strictly necessary, immutable audit trail for all administrative actions
- Audit logs: every administrative action (moderation, KYC, status change) is recorded immutably with timestamp and actor identity
- Continuous monitoring: real-time security metrics (failed attempts, lockouts, GeoIP anomalies)
- Incident procedure: defined protocol for detection, assessment and notification of data breaches
Hosting
All infrastructure is hosted in Switzerland by Infomaniak Network SA (servers located in Switzerland). Data only leaves Swiss territory for the sub-processors listed in section 7.
11. Your rights
In accordance with the nFADP and the GDPR, you have the following rights over your personal data:
- Right of access — You can request a copy of all your personal data. An export function is available in your account settings (password re-authentication required).
- Right to rectification — You can modify your profile data at any time. For KYC data, please contact support.
- Right to erasure — You can delete your account from your settings. A 30-day grace period allows you to cancel the request. After this period, your data is irreversibly deleted, with the exception of data subject to a legal retention obligation (accounting data 10 years) and KYC data retained 3 years for fraud prevention (legitimate interest).
- Right to data portability — Data export is available in JSON format from your account settings, covering 10 data categories.
- Right to object — You can configure your privacy settings (profile visibility, online status, read receipts, country blocking) and block individual users.
- Withdrawal of consent — You can withdraw your consent at any time by deleting the relevant data from your profile or by deleting your account.
How to exercise your rights
For any request relating to your rights, send an email to support@intimx.ch specifying your identity and the right you wish to exercise. We will respond within 30 days. If the request is complex, this period may be extended by 60 days with notification.
Supervisory authority
If you believe that the processing of your data violates your rights, you can file a complaint with the Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch.
12. International transfers
Your data is hosted in Switzerland. Some sub-processors (Stripe, Mapbox, MaxMind, HIBP) are based in the United States or Australia. These transfers are governed by standard contractual clauses (SCCs) and additional security measures in compliance with nFADP requirements.
The password verification service (HIBP) only receives the first 5 characters of a SHA-1 hash (k-anonymity) — no password or identifying data is transmitted. GeoIP resolution is performed locally using an embedded database, without any external calls.
13. Protection of minors
IntimX is a service exclusively reserved for adults (18 years or older). An age verification gate is presented on every first access. Providers and creators must undergo identity verification (KYC) including age verification.
IntimX applies zero tolerance towards any child sexual abuse material (CSAM). Any suspected content is immediately removed and reported to the competent authorities in accordance with Art. 197 of the Swiss Criminal Code. The account in question is suspended without notice.
14. Automated decisions and profiling
IntimX uses automated processing in the following areas: fraud detection (account lockout after failed attempts), compromised password verification (HIBP), moderation of reported content, and recommendations based on search parameters.
No decision producing legal or significant effects is made in a fully automated manner without human intervention. You have the right to contest any automated decision by contacting support.
15. Data breach notification
In the event of a data breach likely to pose a high risk to your rights, we will notify the FDPIC within 72 hours of becoming aware of the incident, in accordance with Art. 24 nFADP. If the breach poses a high risk to you, you will also be informed directly as soon as possible.
Each incident is documented in an internal register including the nature of the breach, the data affected, the measures taken and the persons affected.
16. Policy changes
We reserve the right to modify this policy. In the event of a substantial change, we will notify you at least 30 days before it takes effect by email or in-app notification. The date of last update is indicated at the top of this document. Minor changes (rewording, typographical corrections) are not subject to notification.
17. Contact
For any questions regarding the protection of your data or this policy:
Artenic_ GmbH — Data protection
E-mail : support@intimx.ch
Site : intimx.ch
Response time: 30 days