In one paragraph
Every file you upload is AES-256-GCM encrypted at rest with a master key that lives only in our app server's process memory — never on disk, never in the database. The encrypted blob is physically deleted 30 days after upload, or immediately after extraction if you tick the box. We extract only the few numbers needed for tax math; we never store AHV / NAVS13 numbers, IBANs, account numbers, or addresses.
What we store
For free-tier (atlas / calculator) usage we store nothing about you personally. The calculator runs in-process; we keep no logs of your inputs.
For paid (signed-in) usage we store:
- Your email address (for sign-in via magic link)
- Your tax profile (canton, commune, age, civil status, gross salary, etc.) — encrypted at the field level
- Your saved plans (lever choices, target amounts)
- Uploaded documents in encrypted form (until deleted — see § 4)
- Structured numeric fields extracted from your documents — never AHV/NAVS13, IBAN, or address
- Subscription record (Stripe customer ID, payment status, tax year covered) — no card details
Plus standard server-side logs (HTTP request lines, response codes, timing) retained for 30 days for operational troubleshooting.
What we never store
- Your AHV/NAVS13 number (extracted but redacted before persist)
- Bank IBANs
- Postal addresses (canton/commune is enough for tax math)
- Card numbers (Stripe handles them — never touch our servers)
- Password (we use magic-link sign-in, no passwords)
- Cookies for cross-site tracking
Encryption & retention
At rest: every document blob is encrypted with AES-256-GCM using a 12-byte nonce per file. The master key is a 32-byte random value held only in the application server's process memory, derived from the STORAGE_KEY environment variable on container boot. The key is not written to disk, not in our database, not in our git history, not in backups.
Retention: encrypted blobs are physically deleted 30 days after upload via an hourly purge worker. If you tick “delete immediately after extraction,” the blob is purged within seconds of extraction completing.
Account deletion: deleting your account purges everything — profile, plans, uploaded docs, extracted fields, and Stripe records. No soft-delete.
Sub-processors
Third parties processing small slices of your data on our behalf:
- Stripe Payments Switzerland Sàrl — payment processing. They see your card or TWINT details; we do not.
- Resend (Spreely Inc) — transactional email (magic-link sign-in). They see your email and the link.
- Anthropic (PBC) — Claude AI for document OCR. We send the PDF binary; AHV numbers and IBANs are redacted before the call.
- Hetzner Online GmbH — hosting. Server in Germany holds the encrypted blobs and application memory.
- Plausible Analytics — cookieless, privacy-first page-view analytics. They see the page you visited, your referrer, and a coarse, non-identifying browser/country signal — never your IP address, which Plausible discards after deriving that country.
All sub-processors are bound by the Swiss/EU data-protection framework. We do not transfer data outside Switzerland/EU except to Stripe and Anthropic (US) under Standard Contractual Clauses.
IP-based location detection is not a sub-processor relationship — no data is sent to MaxMind or anyone else at request time. The quick calculator can suggest your canton from your IP address purely to save you a click; the lookup runs entirely on our own server against a database (MaxMind GeoLite2) we downloaded once and store locally. Nothing about your IP address or location is logged or retained, and you can dismiss the suggestion and pick your canton yourself at any time.
Cookies
We set exactly one cookie: next-auth.session-token (HTTP-only, secure, same-site Lax). Set only when signed in; cleared on sign-out. No advertising or tracking cookies. We do use analytics (Plausible, see Section 5) to see which pages get read — it doesn't use cookies or any other persistent identifier, so nothing about it appears here.
Your rights
Under the Swiss FADP and the EU GDPR (applied to all users regardless of residence), you have the right to:
- Access — see what we hold about you
- Correct — fix anything inaccurate
- Delete — close your account; we purge within 7 days
- Export — get a JSON dump of all your data
- Object — opt out of any non-essential processing (we don't do any)
Email privacy@optiqo.ch. We respond within 30 days, usually within 48 hours.
Changes
Material changes to this policy are notified to paid users by email at least 14 days before taking effect. Current version is always at this URL with a “Last updated” date.
Data Protection contact
For data-protection matters contact privacy@optiqo.ch. The data controller (Aionics OÜ, Estonia) handles these directly.