Privacy Policy
Last updated: 16 June 2026
This Privacy Policy explains how Swiss Digital Flow ("we", "us", "our") collects, uses and protects personal data when you use our document automation platform (the "Service"). We comply with the Swiss Federal Act on Data Protection (nLPD / revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Data Controller
Swiss Digital Flow, Zürich, Switzerland is the data controller for personal data processed through the Service. Contact: privacy@swissdigitalflow.com.
2. Data We Collect
- Account data: name, email, company name, password hash, language preference.
- Authentication data: when you sign in with Google, we receive your name, email and Google account identifier.
- Subscription & billing data: plan, status, invoices and a Stripe customer identifier. Card details are handled by Stripe and never reach our servers.
- Uploaded documents: the files you upload, their extracted text, fields and classifications.
- Usage data: log records of actions in the Service (uploads, reviews, exports), IP address, browser metadata, error reports.
3. Purposes & Legal Bases
- Operating the Service (contract performance, Art. 6(1)(b) GDPR; Art. 31(1) nLPD).
- Processing payments and managing subscriptions via Stripe (contract performance).
- Securing the Service, fraud prevention, audit logs (legitimate interest).
- Sending transactional emails (contract performance) and product updates (consent, opt-out at any time).
- Complying with legal obligations such as Swiss accounting record-keeping.
4. Sub-Processors
We rely on the following sub-processors:
- Supabase – authentication, database and storage hosting (EU region).
- Cloudflare – application delivery and edge compute.
- Stripe – payment processing and subscription management.
- Google – optional Google Sign-In.
- Resend – transactional email delivery.
- Lovable AI Gateway – AI providers used for OCR, classification and extraction.
Transfers outside Switzerland and the EU are protected by Standard Contractual Clauses and the Swiss addendum where required.
5. Document Confidentiality
Uploaded documents are isolated per organisation through Row-Level Security and stored encrypted at rest. We do not use your document content to train AI models. Document data is only sent to AI providers for the limited purpose of processing your request.
6. Retention
Documents and extracted fields are kept until you delete them or close your account. Audit logs are retained for up to 24 months. Billing records are kept for 10 years to comply with Swiss accounting law.
7. Your Rights
You have the right to access, rectify, delete, restrict and port your personal data, and to object to processing. Under GDPR you also have the right to lodge a complaint with a supervisory authority. To exercise these rights, contact privacy@swissdigitalflow.com. You may also contact the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch).
8. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising or third-party tracking cookies.
9. Security
We use TLS in transit, encryption at rest, role-based access, audit logging, optional two-factor authentication and regular security reviews.
10. Changes
We will notify you of material changes to this policy by email or in-app notice at least 30 days before they take effect.