LEGAL
Privacy Policy
Last updated: May 2026
1. Who we are
PrivaGuard ("we", "us", "our") is a Swiss SaaS service that helps websites achieve compliance with the Swiss Federal Act on Data Protection (nDSG / nLPD). We are based in Geneva, Switzerland. As the operator of privaguard.ch, we are responsible for the processing of your personal data as described in this Privacy Policy.
2. What data we collect
We collect only the data necessary to provide our services:
- Account data: name and email address when you register
- Usage data: pages visited, features used, scan history – to improve our service
- Technical data: IP address, browser type, device information – for security and diagnostics
- Payment data: billing information processed via our payment provider (we do not store card details)
- Website scan data: URLs and cookie scan results you submit β to generate compliance reports
3. Cookies and tracking
We use strictly necessary cookies to operate our service: NEXT_LOCALE (language management), __stripe_mid and __stripe_sid (Stripe fraud prevention for payments). We also use analytics cookies to understand usage patterns – you will be asked for consent before these are set via our consent banner (CMP). Your consent choices are stored in the _pg_consent cookie.
In accordance with Art. 19 nDSG, we disclose all third-party services that may process your data: Infomaniak SA (application hosting, Plan-les-Ouates, Geneva, Switzerland), Supabase Inc. (database and authentication, Zurich data centre, Switzerland), Stripe (payment processing, certified under the Swiss–U.S. Data Privacy Framework; otherwise Standard Contractual Clauses (SCCs), United States), Plausible (analytics, self-hosted in Switzerland at plausible.privaguard.ch), Bunny.net (CDN for CMP script delivery, EU – PoP in Zurich, CH), Sentry (error tracking, European Union), and Resend (transactional emails, Ireland).
4. Third parties and data transfers
We share your data only where necessary to provide our services. Certain third-party providers listed in Section 3 may process data outside Switzerland; such transfers are limited to what is necessary and covered by appropriate safeguards under the nDSG/nLPD:
- Primary infrastructure: our application is hosted by Infomaniak in Geneva, Switzerland. Our database and authentication service are provided by Supabase in their Zurich data centre, Switzerland. For certain ancillary services (Stripe – see Section 3), data may be processed in the United States, covered by the Swiss-US Data Privacy Framework where applicable or otherwise by Standard Contractual Clauses (SCCs) or equivalent safeguards under the nDSG. Other providers process data within the EU: Bunny.net (CDN, EU with a point-of-presence in Zurich, Switzerland), Sentry (error tracking, EU) and Resend (transactional emails, Ireland).
- Payment processing: Stripe Inc. processes payment data. Stripe is certified under the Swiss-US Data Privacy Framework; where this does not apply, transfers are covered by Standard Contractual Clauses (SCCs).
- We do not sell your personal data to any third party, ever.
5. Data retention
We retain your personal data for as long as your account is active, plus 3 years for legal and audit purposes. Scan results are retained for 12 months unless you delete them earlier. You may request deletion at any time.
6. Your rights (Art. 24-25 nDSG)
Under the nDSG, you have the following rights:
- Right of access (Art. 25 nDSG): you may request a copy of all personal data we hold about you
- Right to rectification: you may request correction of inaccurate data
- Right to erasure: you may request deletion of your data
- Right to data portability: you may request your data in a machine-readable format
- Right to object: you may object to processing based on legitimate interests
To exercise your rights, contact us at contact@privaguard.ch. We will respond within 30 days. You also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC / EDÖB).
7. Security
We implement appropriate technical and organisational measures to protect your data (Art. 8 nDSG). All data is encrypted in transit (TLS) and at rest (AES-256). Access to personal data is restricted to authorised personnel only.
8. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users at least 14 days before taking effect. Continued use of the service after that date constitutes acceptance.
9. Contact
For privacy-related requests or questions, please contact our data protection contact:
PrivaGuard
Genève, Switzerland
contact@privaguard.ch