Privacy Policy

Effective date: 13 May 2026

1. Controller

The controller responsible for data processing within the meaning of the Swiss Federal Act on Data Protection (nFADP/DSG) is:

Privacy contact: [email protected]

2. Scope and Legal Framework

This Privacy Policy explains how we collect, process, store, and protect personal data when you use flat-finder.ch ("the Service"), including account registration, product features, email notifications, and support communications.

We process personal data in accordance with the Swiss Federal Act on Data Protection (nFADP/DSG, in force since 1 September 2023) and its implementing ordinances. Where the EU General Data Protection Regulation (GDPR) applies — for example, if you are located in the EU/EEA — we comply with its requirements as well.

3. Categories of Personal Data

We process the following categories of personal data:

  • Account data — email address, given name, and family name, held by our identity provider (AWS Cognito). Our application database stores only your Cognito user ID (a pseudonymous UUID) and internal identifiers; your name and email are not stored in our application database.
  • Product and search data — search names, search criteria and scoring preferences, recipient configurations, scheduling preferences, execution logs, and result metadata.
  • Technical and log data — IP addresses, browser type, operating system, access timestamps, referrer URLs, and server-generated log entries. These are collected automatically when you access the Service.
  • Communication data — content and metadata of messages you send us via email, the contact form, or other communication channels.
  • Analytics data — pages visited, referrer URL, session duration, device type, browser, operating system, and approximate geographic location (city and country level only). IP addresses are anonymised by Google before any further processing and are not stored by us or Google. A pseudonymous client identifier ("GA client ID") is stored as a first-party browser cookie (_ga, _ga_*) for up to 14 months (Google's default retention period).

4. Purposes and Legal Bases

We process personal data for the following purposes. Where the GDPR applies, the corresponding legal basis is indicated.

  • Contract performance (Art. 6(1)(b) GDPR) — providing and operating the Service, including account management, search execution, AI-based scoring, and email delivery of results.
  • Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(2)(d) nFADP) — ensuring the security and integrity of the Service, fraud prevention, abuse detection, system monitoring, debugging, and general service improvement; and aggregate usage analytics via Google Analytics 4 (with mandatory IP anonymisation) to understand how the Service is used and to improve it. Our legitimate interest in aggregate usage measurement is balanced against your privacy interests through: (a) mandatory IP anonymisation enforced by Google at collection time, (b) no advertising or cross-site tracking features enabled, (c) data limited to aggregate usage patterns, and (d) your right to object at any time (see Section 13).
  • Legal obligations (Art. 6(1)(c) GDPR) — complying with applicable legal requirements, including record-keeping obligations.
  • Consent (Art. 6(1)(a) GDPR) — where we process data based on your explicit consent (e.g., future marketing communications). You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Under the nFADP, processing is generally permitted unless it violates the personality rights of the data subject (Art. 30 ff. nFADP). Where applicable, our processing is justified by the performance of a contract, our overriding legitimate interests, or your consent (Art. 31 nFADP).

5. Automated Processing and AI Scoring

The Service uses AI services to summarise, categorise, and score property listings against your personal search criteria. These outputs are generated algorithmically and are provided for informational purposes only. They may be incomplete, inaccurate, or outdated.

We do not make decisions with legal or similarly significant effects based solely on automated processing (Art. 21 nFADP). AI Outputs do not constitute legal, financial, or housing advice.

To address abuse and ensure platform safety, we attach a pseudonymous "safety identifier" to AI processing requests. This identifier allows us to attribute usage to an account without revealing your name or email address to the AI processing provider. See also OpenAI's Terms of Use, which note that AI output may not always be accurate.

6. Data Recipients and Sub-Processors

We use the following categories of third-party service providers to operate the Service. We may change specific providers over time while maintaining equivalent safeguards.

Category | Purpose | Jurisdiction
Identity & authentication | User accounts, sign-in, verification | CH / EU
Email delivery | Transactional and notification emails | EU / US
AI processing | Listing scoring, summarisation, analysis | US
Cloud infrastructure | Hosting, compute, storage, backups | CH / EU
DNS & domain services | Domain resolution, SSL certificates | US
Container registry | Application image distribution | US
Background processing | Self-hosted queue and cache (Redis/BullMQ) | CH (self-hosted)
Web analytics | Aggregate usage measurement and service improvement (Google Analytics 4, IP anonymised) | EU / US (Google Ireland Ltd. + Google LLC; EU-U.S. DPF participant)
Messaging & support | Support emails, messaging channels | US

7. International Transfers and Safeguards

Our primary infrastructure is hosted in Switzerland (AWS eu-central-2). Some sub-processors may process data in the EU/EEA or in countries outside Switzerland and the EU (notably the United States).

Where personal data is transferred to a country that does not provide an adequate level of data protection as recognised by the Swiss Federal Council (Art. 16 nFADP) or the European Commission, we implement appropriate safeguards, including:

  • EU/Swiss Standard Contractual Clauses (SCCs);
  • Participation of the data importer in a recognised transfer framework (e.g., the EU-U.S. Data Privacy Framework);
  • Other lawful transfer mechanisms as provided by Art. 17 nFADP or Chapter V GDPR.

Details and updates regarding our sub-processor list and transfer safeguards are available upon request at [email protected].

For Google Analytics specifically, personal data is transferred to Google LLC (US) and Google Ireland Ltd. (EU). Google LLC participates in the EU-U.S. Data Privacy Framework (DPF), which the European Commission has recognised as providing an adequate level of data protection under GDPR Art. 45. The Swiss Federal Council has acknowledged the DPF as an appropriate safeguard under nFADP Art. 16. In addition, Google Ireland Ltd. processes data within the EU/EEA, further limiting the volume of data transferred outside Europe.

8. Retention Periods

  • Account data — retained while your account is active. Deleted within 30 days after account deletion.
  • Searches and execution data — retained for up to 12 months after the last activity on the search.
  • Technical and system logs — retained for up to 90 days for security and operational purposes.
  • Encrypted backups (when enabled) — rolling retention of up to 30 days.
  • Communication data — retained for as long as necessary to resolve the enquiry and for a reasonable period thereafter for follow-up and legal purposes.

After expiry of the applicable retention period, personal data is deleted or anonymised unless a longer retention is required by law.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction (Art. 8 nFADP). These measures include, but are not limited to:

  • Transport encryption (TLS) for all data in transit, using certificates issued by a trusted certificate authority;
  • Encryption at rest for backups stored in cloud storage;
  • Least-privilege access controls (AWS IAM) for all infrastructure components;
  • Secure secret management for credentials and API keys;
  • Regular security reviews and updates of dependencies.

As the Service is in beta, formal audit logging is under development and not yet fully implemented.

10. Cookies and Tracking

We use the following categories of cookies on this website:

  • Strictly necessary (essential) cookies — required for the technical operation of the Service, such as session management and authentication. These cookies do not require your consent under the nFADP and are set automatically when you use the Service.
  • Analytics cookies — Google Analytics 4 — We use Google Analytics 4 ("GA4") to collect aggregate, anonymised data about how visitors use this website (e.g. pages visited, referrer, session duration, device type, browser, and approximate country/city). This helps us understand usage patterns and improve the Service.

    Legal basis: Legitimate interest (nFADP Art. 31(2)(d) / GDPR Art. 6(1)(f)). We have a legitimate interest in understanding how our Service is used in aggregate. This interest is balanced by the following safeguards:
    • Mandatory IP anonymisation — GA4 anonymises your IP address at the point of collection, before any data is stored by Google. We do not receive or store your full IP address.
    • No advertising or cross-site tracking — We have not enabled any Google Advertising or remarketing features. Your data is not used to build advertising profiles or to track you across other websites.
    • Aggregate data only — We access only aggregate statistics (e.g. page views, session counts) and do not analyse individual user journeys.

    Cookies set: _ga (2 years), _ga_TEYLLH5KJV (14 months — Google's default retention period). These are first-party cookies stored in your browser.

    Data retention: Google retains analytics data for 14 months by default.

    Your opt-out options:
    • Install the Google Analytics opt-out browser add-on — prevents your data from being sent to Google Analytics on any website.
    • Use your browser's built-in cookie controls to block or delete cookies (note: this may affect other parts of the Service).
    • Right to object (EU/EEA users): If the GDPR applies to you, you may object to processing based on legitimate interest at any time under GDPR Art. 21. Contact us at [email protected] or use the opt-out add-on above.

We do not use advertising cookies, social media tracking pixels, or any third-party cookies beyond Google Analytics as described above.

11. Registration and Account Verification

We use AWS Cognito as our identity and authentication provider. During registration, a verification code is sent to the email address you provide. Until verification is complete, your account remains in a pending state. Our application database stores only the Cognito user ID (a pseudonymous UUID); your name and email address remain exclusively within Cognito.

12. Email Communications

We send only service-related and transactional emails connected to your account or search activity (e.g., verification codes, search result notifications). We do not send unsolicited marketing emails.

Email delivery is handled by a third-party provider. After submission to that provider, delivery depends on recipient mail servers and their filtering policies. We cannot guarantee delivery; messages may be delayed, filtered, blocked, or bounced.

If you contact us via email (e.g., Gmail) or messaging services (e.g., WhatsApp), those providers will process your message data according to their own privacy policies. We recommend not sending highly sensitive personal information through these channels. For support enquiries, you may always write to [email protected].

13. Your Rights

Under the nFADP and, where applicable, the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 25 nFADP / Art. 15 GDPR) — you may request confirmation of whether we process your personal data, and if so, access to that data and related information.
  • Right to rectification (Art. 32 nFADP / Art. 16 GDPR) — you may request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 32 nFADP / Art. 17 GDPR) — you may request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability (Art. 28 nFADP / Art. 20 GDPR) — you may request that we provide your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR) — where processing is based on legitimate interest, you may object to such processing.
  • Right to restriction of processing (Art. 18 GDPR) — you may request that we restrict the processing of your data under certain circumstances.
  • Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time.
  • Right to lodge a complaint — you have the right to lodge a complaint with the competent supervisory authority. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC) (www.edoeb.admin.ch). If the GDPR applies, you may also lodge a complaint with the supervisory authority in your country of residence.

14. How to Exercise Your Rights

To exercise any of the above rights, please contact us at [email protected]. We may ask you to provide information to verify your identity before processing your request. We aim to respond to data subject requests within 30 days. In complex cases, this period may be extended by a further 60 days, in which case we will inform you of the extension and the reasons for the delay.

15. Children's Privacy

The Service is not directed at children. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact us at [email protected] and we will take steps to delete such data.

16. Changes to This Policy

We may update this Privacy Policy from time to time. The current version is always available on this page with its effective date indicated at the top. If we make material changes that affect how we process your personal data, we will take reasonable steps to notify you (e.g., via email or an in-service notice) before the changes take effect. We encourage you to review this page periodically.