Privacy Policy
1. Responsible Party
Responsible for data processing:
2. Collection and Storage of Personal Data
We collect and store the following personal data:
- Registration Data: Name, email address, password (encrypted)
- Usage Data: IP address, browser information, access times
- Business Data: Invoices, customer information, payment data (in the context of invoicing)
- Payment Data: Billing information for subscriptions (via payment service providers)
3. Purpose of Data Processing
We process your data for the following purposes:
- Providing and improving our services
- Processing payments and subscriptions
- Communicating with you regarding our services
- Fulfilling legal obligations
- Ensuring the security of our platform
4. Legal Basis for Processing
The processing of your data is based on Swiss data protection law (DSG) and GDPR (for EU citizens). The legal bases are:
- Contract fulfillment (Art. 6 para. 1 lit. b GDPR)
- Legitimate interests (Art. 6 para. 1 lit. f GDPR)
- Consent (Art. 6 para. 1 lit. a GDPR)
- Legal obligations (Art. 6 para. 1 lit. c GDPR)
5. Data Sharing and Sub-Processors
We only share your data in the following cases:
- Payment Service Providers: For processing subscription payments (Stripe Payments Europe Ltd., Ireland)
- Hosting Providers: For storing your data in secure data centers (Vercel Inc., Supabase Inc., AWS Frankfurt)
- Legal Obligations: When legally required
We do not sell or rent your data to third parties.
Sub-Processors
We use the following trusted third-party service providers to operate our platform. All are contractually bound to GDPR and Swiss DSG compliance:
Infrastructure & Hosting
- Vercel Inc. (USA) - Application hosting, GDPR-compliant
- Supabase Inc. (USA) - Database hosting, EU data residency (Frankfurt)
- Amazon Web Services (AWS) - Data storage (eu-central-1)
Payment Processing
- Stripe Payments Europe Ltd. (Ireland) - Subscription billing, PCI-DSS certified
We maintain Standard Contractual Clauses (SCCs) for data transfers outside Switzerland. This list may be updated; material changes will be communicated via email.
6. Cookies and Tracking
We use cookies and similar technologies. Details can be found on our Cookie Settings page. You can adjust your cookie settings at any time.
7. Your Rights
You have the following rights regarding your personal data:
- Right to Information: You can request information about your stored data
- Right to Rectification: You can request correction of incorrect data
- Right to Deletion: You can request deletion of your data (unless legal retention obligations exist)
- Right to Object: You can object to the processing of your data
- Data Portability: You can receive your data in a structured format
To exercise your rights, contact us at legal@paymatch.app.
8. Data Security
We implement comprehensive technical and organizational measures to protect your data from unauthorized access, loss, or alteration.
Technical Security Measures
- Encryption:
- TLS 1.2+ for all data in transit
- AES-256 encryption for sensitive data at rest
- Encrypted database backups
- Authentication & Access Control:
- Multi-factor authentication (MFA) available
- Role-based access control (RBAC)
- Secure password hashing (bcrypt)
- Session management with automatic timeout
- Infrastructure Security:
- Regular security patches and updates
- Automated vulnerability scanning
- DDoS protection
- Firewall and intrusion detection
- Monitoring & Response:
- 24/7 security monitoring
- Automated anomaly detection
- Incident response procedures
- Regular security audits
Organizational Security Measures
- Background checks for employees with data access
- Confidentiality agreements with all staff
- Regular security training and awareness programs
- Principle of least privilege for data access
- Documented incident response and breach notification procedures
- Regular security assessments and penetration testing
Data Backup and Recovery
We maintain automated daily backups of all data, stored in geographically distributed locations with encryption. Our disaster recovery plan ensures business continuity and data availability with a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 24 hours.
Compliance & Certifications: Our security measures are designed to meet or exceed requirements of GDPR, Swiss DSG (Federal Act on Data Protection), and industry best practices. We undergo regular third-party security assessments.
9. Storage Duration
We store your data according to the following retention periods:
Account and User Data
- Active accounts: Duration of contract + 10 years (Swiss commercial law requirement)
- Deleted accounts: 30 days for recovery, then permanently deleted (except legally required data)
- Usage logs: 12 months
Business and Financial Data
- Invoices and quotes: 10 years from creation (Swiss OR Art. 958f)
- Payment records: 10 years from transaction date (Swiss OR Art. 958f)
- Customer and product data: Duration of business relationship + 10 years
Communication and Support
- Support tickets and correspondence: 3 years
- Email communications: 2 years or as legally required
After the retention period expires, data will be securely and permanently deleted unless legal obligations require longer storage. You may request early deletion where legally permissible. Anonymized statistical data may be retained indefinitely for service improvement.
Note: Swiss commercial law (OR Art. 957-963) requires businesses to retain accounting records for 10 years. This includes invoices, payment records, and related business documents. We cannot delete this data earlier upon request due to legal obligations.
10. Changes to this Privacy Policy
We reserve the right to adjust this Privacy Policy. The current version can always be found on this page.