Privacy Policy

1. Responsible Party

Responsible for data processing:

Maxapp GmbH

Zurich, Switzerland

Email: legal@paymatch.app

2. Collection and Storage of Personal Data

We collect and store the following personal data:

  • Registration Data: Name, email address, password (encrypted)
  • Usage Data: IP address, browser information, access times
  • Business Data: Invoices, customer information, payment data (in the context of invoicing)
  • Payment Data: Billing information for subscriptions (via payment service providers)

3. Purpose of Data Processing

We process your data for the following purposes:

  • Providing and improving our services
  • Processing payments and subscriptions
  • Communicating with you regarding our services
  • Fulfilling legal obligations
  • Ensuring the security of our platform

4. Legal Basis for Processing

The processing of your data is based on Swiss data protection law (DSG) and GDPR (for EU citizens). The legal bases are:

  • Contract fulfillment (Art. 6 para. 1 lit. b GDPR)
  • Legitimate interests (Art. 6 para. 1 lit. f GDPR)
  • Consent (Art. 6 para. 1 lit. a GDPR)
  • Legal obligations (Art. 6 para. 1 lit. c GDPR)

5. Data Sharing and Sub-Processors

We only share your data in the following cases:

  • Payment Service Providers: For processing subscription payments (Stripe Payments Europe Ltd., Ireland)
  • Hosting Providers: For storing your data in secure data centers (Vercel Inc., Supabase Inc., AWS Frankfurt)
  • Bank Connectivity (Optional): SIX Group AG (Switzerland) via bLink platform for automated transaction fetching
  • Legal Obligations: When legally required

We do not sell or rent your data to third parties.

Sub-Processors

We use the following trusted third-party service providers to operate our platform. All are contractually bound to GDPR and Swiss DSG compliance:

Infrastructure & Hosting

  • Vercel Inc. (USA) - Application hosting, GDPR-compliant
  • Supabase Inc. (USA) - Database hosting, EU data residency (Zurich, Switzerland)
  • Amazon Web Services (AWS) - Data storage (eu-central-2, Zurich)

Payment Processing

  • Stripe Payments Europe Ltd. (Ireland) - Subscription billing, PCI-DSS certified

Bank Connectivity (Optional)

  • SIX Group AG (Switzerland) - bLink platform for secure bank account access

We maintain Standard Contractual Clauses (SCCs) for data transfers outside Switzerland. This list may be updated; material changes will be communicated via email.

5.1 Bank Account Information (Optional Feature)

PayMatch plans to offer bank account connection for automated payment reconciliation via bLink (operated by SIX Group AG, Switzerland) in the future. This feature is not currently available and is not expected to be implemented in the near future. Currently, PayMatch supports payment reconciliation via CAMT file uploads.

Data Accessed

  • Account holder name and address
  • Bank account number (IBAN) and bank details
  • Account balance information
  • Transaction history including:
  • Transaction amounts and currencies
  • Booking and value dates
  • Counterparty names (payer/payee)
  • Payment references and QR codes
  • Transaction descriptions

Legal Basis and Consent

We process your banking data based on your explicit consent (Art. 6 para. 1 lit. a GDPR, Art. 31 para. 1 DSG). Consent is obtained through Strong Customer Authentication (SCA) directly with your bank during the connection process.

How It Works

  1. You initiate the bank connection in your PayMatch account
  2. You are redirected to bLink (SIX Group) for authentication
  3. You authenticate with your bank using your online banking credentials
  4. Your bank grants PayMatch read-only access to your account data
  5. PayMatch fetches transactions via bLink's secure API
  6. We never see or store your banking login credentials

Data Security for Banking Information

  • OAuth 2.0 authentication (no credential storage)
  • TLS 1.3 encrypted communication
  • Access tokens encrypted with AES-256
  • Automatic token expiration and refresh
  • Client certificate authentication
  • Read-only access (no payment initiation)
  • Compliance with Swiss banking secrecy laws

Third-Party Service Provider

Banking transaction data is transmitted from your bank to PayMatch via the bLink platform (SIX Group AG, Zurich, Switzerland). SIX Group acts as a technical intermediary and is bound by Swiss banking secrecy and data protection laws. bLink is registered as an Account Information Service Provider under Swiss Open Banking standards.

We do not sell, rent, or share your banking data with any third parties except as required by law.

Your Rights and Control

  • Disconnect at any time: You can disconnect your bank account immediately through your account settings
  • Withdraw consent: Disconnecting revokes our access to future transactions (historical data retained per legal requirements)
  • View connected accounts: See which accounts are connected and last sync time
  • Data portability: Export your transaction data in machine-readable format
  • Consent validity: Bank connections expire after 90 days and require re-authentication

Important: Bank account connection is entirely optional. You can continue using PayMatch with manual CAMT file uploads without connecting your bank account. This feature requires separate explicit consent during the connection process.

6. Cookies and Tracking

We use cookies and similar technologies. Details can be found on our Cookie Settings page. You can adjust your cookie settings at any time. Cookie Settings page.

7. Your Rights

You have the following rights regarding your personal data:

  • Right to Information: You can request information about your stored data
  • Right to Rectification: You can request correction of incorrect data
  • Right to Deletion: You can request deletion of your data (unless legal retention obligations exist)
  • Right to Object: You can object to the processing of your data
  • Data Portability: You can receive your data in a structured format

To exercise your rights, contact us at legal@paymatch.app.

8. Data Security

We implement comprehensive technical and organizational measures to protect your data from unauthorized access, loss, or alteration.

Technical Security Measures

  • Encryption:
    • TLS 1.2+ for all data in transit
    • AES-256 encryption for sensitive data at rest
    • Encrypted database backups
  • Authentication & Access Control:
    • Multi-factor authentication (MFA) available
    • Role-based access control (RBAC)
    • Secure password hashing (bcrypt)
    • Session management with automatic timeout
  • Infrastructure Security:
    • Regular security patches and updates
    • Automated vulnerability scanning
    • DDoS protection
    • Firewall and intrusion detection
  • Monitoring & Response:
    • 24/7 security monitoring
    • Automated anomaly detection
    • Incident response procedures
    • Regular security audits

Additional Security for Bank Connections

  • OAuth 2.0 authentication (no credential storage)
  • Client certificate authentication for API access
  • Access tokens encrypted and automatically rotated
  • Read-only access to bank accounts (no payment initiation)
  • Compliance with Swiss banking secrecy laws
  • PSD2/Strong Customer Authentication (SCA) compliant

Organizational Security Measures

  • Background checks for employees with data access
  • Confidentiality agreements with all staff
  • Regular security training and awareness programs
  • Principle of least privilege for data access
  • Documented incident response and breach notification procedures
  • Regular security assessments and penetration testing

Data Backup and Recovery

We maintain automated daily backups of all data, stored in geographically distributed locations with encryption. Our disaster recovery plan ensures business continuity and data availability with a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 24 hours.

Compliance & Certifications: Our security measures are designed to meet or exceed requirements of GDPR, Swiss DSG (Federal Act on Data Protection), and industry best practices. We undergo regular third-party security assessments.

9. Storage Duration

We store your data according to the following retention periods:

Account and User Data

  • Active accounts: Duration of contract + 10 years (Swiss commercial law requirement)
  • Deleted accounts: 30 days for recovery, then permanently deleted (except legally required data)
  • Usage logs: 12 months

Business and Financial Data

  • Invoices and quotes: 10 years from creation (Swiss OR Art. 958f)
  • Payment records: 10 years from transaction date (Swiss OR Art. 958f)
  • Banking transaction data: 10 years from transaction date (Swiss commercial record-keeping)
  • Customer and product data: Duration of business relationship + 10 years

Communication and Support

  • Support tickets and correspondence: 3 years
  • Email communications: 2 years or as legally required

Bank Connection Data

  • Access tokens: Until revoked or expired (max 90 days), stored encrypted
  • Connection metadata: Duration of connection + 2 years
  • Retrieved transactions: 10 years (same as payment records)

After the retention period expires, data will be securely and permanently deleted unless legal obligations require longer storage. You may request early deletion where legally permissible. Anonymized statistical data may be retained indefinitely for service improvement.

Note: Swiss commercial law (OR Art. 957-963) requires businesses to retain accounting records for 10 years. This includes invoices, payment records, and related business documents. We cannot delete this data earlier upon request due to legal obligations.

10. Changes to this Privacy Policy

We reserve the right to adjust this Privacy Policy. The current version can always be found on this page.

Last updated: December 10, 2025

TermsPrivacyLegalDPASecurityCookies

We use cookies

We use cookies to enhance your browsing experience and analyze our services. Learn more