Privacy Policy | swissCFO

Last updated: 15 April 2025

✓ Compliant with Swiss nDSG (revFADP)

        Summary: Invoice files you upload are processed entirely in your browser — they are never sent to our servers. We only store account information (email, credits) and anonymous usage counts when you register. We do not sell your data.
    

1. Controller

The data controller responsible for processing personal data on this platform is:

swissCFO
Switzerland
Email: contact@swisscfo.ch

2. Applicable Law

This Privacy Policy is governed by the Swiss Federal Act on Data Protection (nDSG / revFADP), in force since 1 September 2023. If you are located in the European Economic Area, the EU General Data Protection Regulation (GDPR) may also apply, and this policy is designed to be compatible with both frameworks.

3. Data We Collect

3.1 Invoice and financial document data

When you use the PAIN.001 Generator or other file-processing tools, your invoice PDFs are processed entirely within your browser using JavaScript. No invoice file or extracted payment data is transmitted to or stored on swissCFO servers.

3.2 Account data (registered users)

If you create an account, we collect:

Email address
Password (stored hashed — never in plain text)
Company name (optional)
Credit balance and transaction history
Tool usage counts

3.3 Anonymous usage data (non-registered users)

Free uses for anonymous users are tracked via browser localStorage on your device only. No personal identifiers are sent to our servers for anonymous usage.

3.4 Technical data

Like most websites, our hosting provider (Netlify) may log standard server access data including IP addresses, browser type, pages visited, and timestamps. This data is used for security and operational purposes and is governed by Netlify's privacy policy.

3.5 Payment data

Payment card details are handled exclusively by Stripe. swissCFO never receives or stores your full card number. We only receive a Stripe customer ID and confirmation of successful transactions.

4. How We Use Your Data

Purpose	Data used	Legal basis
Providing account-based tool access	Email, usage counts, credits	Contract performance
Processing credit purchases	Email, Stripe transaction ID	Contract performance
Sending transactional emails (receipts, account notices)	Email	Contract performance
Platform security and fraud prevention	IP address, usage patterns	Legitimate interest
Improving the service	Aggregated, anonymised usage metrics	Legitimate interest

We do not use your data for automated decision-making, profiling, or targeted advertising.

5. Data Sharing and Sub-Processors

We share data only with the following trusted third-party providers, strictly necessary to operate the service:

Provider	Purpose	Location
Xano	Backend database: accounts, credits, usage	USA (SCCs apply)
Stripe	Payment processing	USA / EU (SCCs apply)
Netlify	Website hosting and CDN	USA / EU (SCCs apply)

We do not sell, rent, or trade your personal data to any third party for their own commercial purposes.

6. Data Retention

Account data: Retained for as long as your account is active. Upon account deletion, data is removed within 30 days, except where required by Swiss accounting law (10-year retention obligation for financial records).
Server logs: Retained for up to 90 days by Netlify for security purposes.
Invoice data: Not retained — processed in-browser only.

7. Cookies and Local Storage

swissCFO uses no third-party tracking cookies and no advertising pixels. We use:

localStorage — to track free usage counts for anonymous users (stored on your device only)
Session storage / auth tokens — to keep you logged in during a session

No consent banner is required as we do not use non-essential cookies.

8. Your Rights

Under the Swiss nDSG (and GDPR where applicable), you have the following rights:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your account and associated data
Right to data portability: Receive your data in a machine-readable format
Right to object: Object to processing based on legitimate interest

To exercise any of these rights, email us at contact@swisscfo.ch. We will respond within 30 days.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

9. Data Security

We implement technical and organisational measures to protect your data, including:

HTTPS encryption for all data in transit
Hashed password storage (never plain text)
Access controls limiting who can access backend data
Client-side processing for sensitive invoice data (never transmitted)

No method of transmission over the Internet is 100% secure. In the event of a data breach affecting your rights, we will notify you and the FDPIC as required by the nDSG.

10. Children's Privacy

The Service is intended for business use by adults. We do not knowingly collect personal data from individuals under 18 years of age.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance.

12. Contact

For any privacy-related questions or to exercise your rights:
contact@swisscfo.ch