Optiqo

Privacy & data handling

In plain English: we hold as little of your data as we can, encrypt the rest, and delete it on a schedule. The specifics are below.

In one paragraph

Every file you upload is AES-256-GCM encrypted at rest with a master key that lives only in our app server's process memory — never on disk, never in the database. The encrypted blob is physically deleted 30 days after upload, or immediately after extraction if you tick the box. We extract only the few numbers needed for tax math; we never store AHV / NAVS13 numbers, IBANs, account numbers, or addresses.

What we store

For free-tier (atlas / calculator) usage we store nothing about you personally. The calculator runs in-process; we keep no logs of your inputs.

For paid (signed-in) usage we store:

  • Your email address (for sign-in via magic link)
  • Your tax profile (canton, commune, age, civil status, gross salary, etc.) — encrypted at the field level
  • Your saved plans (lever choices, target amounts)
  • Uploaded documents in encrypted form (until deleted — see § 4)
  • Structured numeric fields extracted from your documents — never AHV/NAVS13, IBAN, or address
  • Subscription record (Stripe customer ID, payment status, tax year covered) — no card details

Plus standard server-side logs (HTTP request lines, response codes, timing) retained for 30 days for operational troubleshooting.

What we never store

  • Your AHV/NAVS13 number (extracted but redacted before persisting)
  • Bank IBANs
  • Postal addresses (canton/commune is enough for tax math)
  • Card numbers (Stripe handles them; they never touch our servers)
  • Passwords (we use magic-link sign-in, no passwords)
  • Cookies for cross-site tracking

Encryption & retention

At rest: every document blob is encrypted with AES-256-GCM using a 12-byte nonce per file. The master key is a 32-byte random value held only in the application server's process memory, derived from the STORAGE_KEY environment variable on container boot. The key is not written to disk, not in our database, not in our git history, not in backups.

Retention: encrypted blobs are physically deleted 30 days after upload via an hourly purge worker. If you tick “delete immediately after extraction,” the blob is purged within seconds of extraction completing.

Account deletion: deleting your account purges everything — profile, plans, uploaded docs, extracted fields, and Stripe records. No soft-delete.
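
The at-rest scheme and 30-day retention check described above, as an added sketch that is not Optiqo's own code. Assumptions: STORAGE_KEY is 32 random bytes in base64, blobs are laid out as nonce || ciphertext || tag, and a hypothetical document ID is bound as associated data.

```javascript
// Added illustration, not Optiqo's code. Key encoding, blob layout and the
// docId-as-AAD binding are assumptions; function names are hypothetical.
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 12-byte nonce per file, as the policy states
const TAG_LEN = 16;   // GCM authentication tag
const RETENTION_MS = 30 * 24 * 60 * 60 * 1000; // 30 days after upload

// Assumption: STORAGE_KEY holds 32 random bytes, base64-encoded.
function loadMasterKey(env = process.env) {
  const key = Buffer.from(env.STORAGE_KEY || '', 'base64');
  if (key.length !== 32) throw new Error('STORAGE_KEY must decode to 32 bytes');
  return key;
}

// Returns nonce || ciphertext || tag. Random 96-bit nonces under one key are
// safe only up to about 2^32 encryptions (NIST SP 800-38D).
function sealBlob(key, docId, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per file, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(docId, 'utf8')); // ties the blob to its record
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]);
}

// Throws if the key, the docId, or any byte of the blob is wrong.
function openBlob(key, docId, blob) {
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error('blob too short');
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const ct = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce,
    { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(docId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// The test an hourly purge worker would apply to each stored blob.
function isDueForPurge(uploadedAtMs, nowMs = Date.now()) {
  return nowMs - uploadedAtMs >= RETENTION_MS;
}

// Constructed sample input: a throwaway key and a fake document.
const demoKey = loadMasterKey({ STORAGE_KEY: crypto.randomBytes(32).toString('base64') });
const demoBlob = sealBlob(demoKey, 'doc-123', Buffer.from('constructed sample bytes'));
console.log(openBlob(demoKey, 'doc-123', demoBlob).toString());
```

Because the key exists only in process memory, losing STORAGE_KEY makes every stored blob unrecoverable; decryption fails closed rather than returning altered data.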

Sub-processors

Third parties processing small slices of your data on our behalf:

  • Stripe Payments Switzerland Sàrl — payment processing. They see your card or TWINT details; we do not.
  • Resend (Spreely Inc) — transactional email (magic-link sign-in). They see your email and the link.
  • Anthropic (PBC) — Claude AI for document OCR. We send the PDF binary; AHV numbers and IBANs are redacted before the call.
  • Hetzner Online GmbH — hosting. Server in Germany holds the encrypted blobs and application memory.

All sub-processors are bound by the Swiss/EU data-protection framework. We do not transfer data outside Switzerland/EU except to Stripe and Anthropic (US) under Standard Contractual Clauses.

Cookies

We set exactly one cookie: next-auth.session-token (HTTP-only, secure, same-site Lax). Set only when signed in; cleared on sign-out. No advertising, tracking, or analytics cookies.

Your rights

Under the Swiss FADP and the EU GDPR (applied to all users regardless of residence), you have the right to:

  • Access — see what we hold about you
  • Correct — fix anything inaccurate
  • Delete — close your account; we purge within 7 days
  • Export — get a JSON dump of all your data
  • Object — opt out of any non-essential processing (we don't do any)

Email privacy@optiqo.ch. We respond within 30 days, usually within 48 hours.

Changes

Material changes to this policy are notified to paid users by email at least 14 days before taking effect. Current version is always at this URL with a “Last updated” date.

Data Protection contact

For data-protection matters contact privacy@optiqo.ch. The operator (Optiqo Sàrl) handles these directly.