What we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Email, password hash, OAuth method | Authentication and account security | Contract performance |
| Onboarding (canton, language, civil status, children, free-text context) | Generate an accurate guide for your canton | Contract performance |
| Uploaded documents and extraction results | AI extraction and guide generation | Contract + explicit consent (sensitive data) |
| Stripe payment ID and status | Process your payment | Contract performance |
| Service usage and security logs | Operate the service, detect abuse | Legitimate interest |
We do not collect your IP address for analytics, use advertising trackers or third-party marketing pixels, or build behavioural profiles. Your password is stored only as a one-way cryptographic hash; we never see or store the plaintext. Card numbers, CVVs, and bank details go directly to Stripe and never reach our servers.
Your tax documents — special handling
Your tax documents are the most sensitive data we process. They may contain income, financial, government-identifier (AHV number), health-adjacent (disability, medical expenses), family, and property data.
Documents are stored in Supabase Storage in an encrypted bucket that only your authenticated account can read. Row Level Security (RLS) policies enforce per-user isolation inside the database itself, so isolation does not depend on application code alone. Data is encrypted with AES-256 at rest and TLS 1.3 in transit. Other users cannot access your files, ever.
How the AI actually reads your documents, what Anthropic receives, the no-training commitment, and Anthropic's own retention policy are all described in the AI Disclaimer.
Sub-processors and international transfers
We share your data only with the four service providers strictly necessary to operate PaperTax. We do not sell your data and we do not share it for advertising. Every provider has signed a Data Processing Agreement with Standard Contractual Clauses (SCCs) where required for transfers outside Switzerland.
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Anthropic, Inc. | Claude Agent (AI processing) | USA | SCCs — Art. 16(2)(d) nFADP |
| Vercel, Inc. | Application hosting, CDN, compute | Frankfurt (EU) | SCCs — Art. 16(2)(d) nFADP |
| Supabase, Inc. | Database, auth, file storage | Zürich (Switzerland) | No transfer required |
| Stripe, Inc. | Payment processing | USA | SCCs + Stripe's own DPA (EU–US DPF certified) |
If we add or replace a sub-processor we will update this policy and notify you by email at least 30 days before the change takes effect. We disclose user data only when legally required by a binding request from competent Swiss authorities under Swiss law, and we challenge requests we have doubts about before complying.
How long we keep your data
We keep data for the minimum time needed to operate the service. Our retention model is deliberately short.
| Data type | Retention |
|---|---|
| Active return (documents, extractions, guide) | Until you mark the return done or delete it |
| Completed return | Deleted automatically 24 hours after you mark it done |
| Account data | Deleted immediately when you delete your account |
| Payment reference (Stripe ID, amount, date) | Up to 5 years — Swiss limitation period (Art. 127 OR) |
| Security logs | 90 days |
How we protect your data
- Encrypted — AES-256 at rest, TLS 1.3 in transit
- Isolated — Row Level Security at the database level, not just the application
- Short-lived sessions — login sessions refresh and expire automatically
- No card data on our servers — payment details go directly to Stripe
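The per-user isolation described above ("Row Level Security at the database level, not just the application") is an added illustration here, not PaperTax's own schema: the table, bucket and policy names are assumptions, but the mechanism (Postgres RLS keyed on Supabase's `auth.uid()`, applied to both the table and the storage bucket) is how such isolation is enforced.

```sql
-- Added example (not PaperTax's actual schema): per-user isolation with
-- Postgres Row Level Security on Supabase. Every policy compares the row's
-- owner to the caller's JWT subject via auth.uid(), so the database itself
-- refuses cross-user reads even if application code has a bug.
-- Table, column and bucket names below are assumptions.

create table if not exists documents (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null default auth.uid()
               references auth.users (id) on delete cascade,
  storage_path text not null,
  created_at   timestamptz not null default now()
);

-- Turn RLS on; FORCE applies it to the table owner as well.
alter table documents enable row level security;
alter table documents force row level security;

-- One policy per operation, scoped to signed-in users. No UPDATE policy is
-- defined, so updates are rejected by default (deny unless a policy allows).
create policy "documents: owner can read"
  on documents for select
  to authenticated
  using (owner_id = auth.uid());

create policy "documents: owner can insert own rows"
  on documents for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "documents: owner can delete"
  on documents for delete
  to authenticated
  using (owner_id = auth.uid());

-- Uploaded files live in storage.objects. Scope the private bucket the same
-- way: the first path segment of the object name must be the caller's user id,
-- e.g. '<uid>/2024/return.pdf'.
create policy "tax-docs: owner only"
  on storage.objects for all
  to authenticated
  using (
    bucket_id = 'tax-docs'
    and (storage.foldername(name))[1] = auth.uid()::text
  )
  with check (
    bucket_id = 'tax-docs'
    and (storage.foldername(name))[1] = auth.uid()::text
  );
```

Two checks a practitioner would run: from a normal user session, `select count(*) from documents;` must return only that user's rows, and an attempt to read another user's storage path must return nothing rather than an error. Note that Supabase's service-role key bypasses RLS entirely, so it must only ever be used server-side and never shipped to the browser.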
If a data breach is likely to result in a high risk to your personality or fundamental rights, we will notify the FDPIC via their DataBreach online form as soon as possible and notify you directly when necessary for your protection.
Your rights
Under Swiss nFADP and EU GDPR you have the rights below. Email us at contact@papertax.ch to exercise any of them. We acknowledge within 5 business days and provide a substantive response within 30 days.
- Access — know what we hold and receive a copy
- Rectification — correct inaccurate data
- Erasure — delete your data via account settings → Delete Account. Documents, guide data, and your account are wiped immediately. The only exceptions are payment reference data (up to 5 years under Art. 127 OR) and server security logs (up to 90 days under legitimate interest for fraud detection), both listed under "How long we keep your data" (§04).
- Restriction — pause processing during a dispute
- Portability — receive your data in JSON
- Object — stop processing based on legitimate interest
- Withdraw consent — for sensitive data processing, by deleting your documents and account
Swiss supervisory authority: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern. EU/EEA residents can contact their local data protection authority (list at edpb.europa.eu).
Changes to this policy
For material changes we will notify you by email at least 30 days before the change takes effect. Continued use after the effective date constitutes acceptance. In case of discrepancy between this English version and any translation, the English version prevails.