Privacy policy

The controller of personal data within the meaning of the revFADP and the GDPR is:

• EMVEE VENTURES LTD
• 71-75 Shelton Street, Covent Garden
• London WC2H 9JQ, United Kingdom

Operations managed and operated from Switzerland. General contact · hello@helvetdata.ch Data protection · privacy@helvetdata.ch

No formal Data Protection Officer (DPO) has been designated at this stage. EMVEE VENTURES LTD assumes that role by delegation. Given the nature of processing (data from public registers, B2B, no special categories) and the absence of employees, the designation of a DPO is not mandatory under art. 10 revFADP.

HelvetData collects the following categories of data:

• Account data: email address, password (hashed with bcrypt, never stored in clear), full name (optional), preferred language.
• Usage data: saved views, filters, watchlists, API tokens, search history.
• Billing data: name, company name, billing address, VAT number where applicable. Card data is never stored by HelvetData and is handled exclusively by Stripe.
• Technical data: IP address, browser type, operating system, access logs (90-day rotation).
• Data from public registers: names of building-permit applicants (often natural persons), names of architects (legal or natural persons), names and addresses of company officers from the official commercial register, and business contact details (phone, email) of decision makers collected via public directories.
• Cookies: see dedicated section.

No category of so-called «special» personal data within the meaning of art. 5 let. c revFADP (health, religion, political opinions, genetic or biometric data) is processed by HelvetData. Only data published in a professional and commercial context are collected.

A significant part of the Data published by HelvetData comes from official Swiss public registers. HelvetData confirms their public nature, legal origin and the legal basis for processing.

Official public sources used:

• Cantonal building-permit publications (cantonal official gazettes, art. 33 et seq. of the cantonal building laws);
• Swiss Commercial Register (art. 928 CC and Commercial Register Ordinance);
• Public phone and address directories pursuant to art. 8 of EU Regulation 2018/1807 and the Swiss Telecommunications Act;
• Swiss official commercial publications, public tenders, the trademark register, cantonal debt-enforcement and bankruptcy registers.

Primary legal basis: art. 31 para. 2 let. e revFADP («processing necessary for the safeguarding of the overriding legitimate interests of the controller or a third party») combined, for data subjects residing in the EU, with art. 6 para. 1 let. f GDPR («legitimate interest of the controller or a third party»).

Balancing of interests (proportionality test):

• HelvetData provides a B2B commercial intelligence service that aggregates exclusively data lawfully published by Swiss authorities;
• The recipients are professionals (craftsmen, agencies, lawyers, fiduciaries, M&A advisors, family offices) whose legitimate interest in identifying commercial and legal opportunities is manifest;
• The reasonable expectation of the data subject, once published in a cantonal official gazette or the Commercial Register, is that the information may be consulted and used by professional actors;
• HelvetData applies systematic data minimization (name, canton, public reference only), an internal `is_personal_data=true` flag, a 24-hour opt-out registry, and provides simple access to data subject rights at privacy@helvetdata.ch.

Data subject rights: in accordance with art. 25 (right of access), art. 28 (right to data portability), art. 30 (right to object), art. 32 (right to rectification and erasure) revFADP, any data subject may exercise their rights by writing to privacy@helvetdata.ch. A response is provided within a maximum of thirty (30) days.

No automated individual decisions: within the meaning of art. 21 revFADP, HelvetData does not take any automated individual decisions producing legal effects or significantly affecting a person. The algorithmic scores (momentum, distress, expansion) are informational for the Customer, who remains free to make their commercial decision. A human is always in the loop.

Retention: building-permit publications are retained for three (3) years from publication; business contact details enriched via public sources are retained for twelve (12) months from the last enrichment, unless renewed. Deletion may be requested at any time via privacy@helvetdata.ch and is effective within 24 hours.

Your personal data are processed exclusively for the following purposes:

• Delivery and execution of the Service (account creation, authentication, module access);
• Billing and collection;
• Customer support and contractual communication;
• Service improvement via anonymized analytics (PostHog, Google Analytics 4);
• Security, fraud prevention and abuse detection;
• Compliance with Swiss and European legal obligations (audit, accounting, judicial requests).

Processing is based on the following legal grounds:

• Performance of the contract (art. 31 para. 1 revFADP and art. 6.1.b GDPR) for the delivery of the Service;
• Legal obligation (art. 31 para. 1 revFADP and art. 6.1.c GDPR) for billing, accounting and anti-fraud;
• Legitimate interest (art. 31 para. 2 revFADP and art. 6.1.f GDPR) for security, abuse prevention and Service improvement;
• Consent (art. 6 para. 1 revFADP and art. 6.1.a GDPR) for non-essential analytics cookies.

Your data may be transferred to the following subprocessors, all bound by a compliant Data Processing Agreement (DPA):

• Hetzner Online GmbH (Germany): hosting, data centers in Falkenstein (DE) and Helsinki (FI), both in the European Union.
• Stripe Payments Europe Ltd (Ireland): payment processing. Stripe transfers some data to the United States under the Standard Contractual Clauses and the EU-US Data Privacy Framework adequacy decision.
• Resend Inc. (United States): transactional email delivery, signed DPA, Standard Contractual Clauses.
• Sentry GmbH (Germany): technical error tracking, anonymized data.
• PostHog Inc. (United States): product analytics, IP anonymization enabled, signed DPA.

No data is sold or shared for commercial purposes with third parties.

Some subprocessors (Stripe, Resend, PostHog) are located in the United States. These transfers are framed by the Standard Contractual Clauses adopted by the European Commission and the Swiss Federal Data Protection and Information Commissioner (FDPIC), and by the EU-US Data Privacy Framework adequacy decision dated 10 July 2023.

Main hosting data remain in the European Union (Hetzner).

The following retention periods apply:

• Active account data: for the entire duration of the Subscription.
• Account data after termination: deletion within thirty (30) days, unless a legal retention obligation applies.
• Accounting and billing data: ten (10) years (art. 958f Swiss Code of Obligations).
• Technical access logs: ninety (90) day rotation.
• Data scraped from public sources: retained as long as the official source publishes them.

In accordance with the revFADP (art. 25 et seq.) and the GDPR (arts. 15-22), you have the following rights:

• Right of access;
• Right of rectification of inaccurate data;
• Right to erasure (right to be forgotten);
• Right to restriction of processing;
• Right to data portability;
• Right to object to processing, in particular to profiling and direct marketing;
• Right to withdraw consent at any time (analytics cookies);
• Right to lodge a complaint with the FDPIC (Switzerland) or the competent supervisory authority in your EU country.

To exercise these rights, contact us at privacy@helvetdata.ch. We will respond within a maximum of thirty (30) days.

HelvetData aggregates data from official public sources (commercial register, cantonal official publications, trademark register, etc.). Some of this data may concern natural persons, in particular individual building permits, commercial register filings or individual trademark deposits.

For such data, HelvetData applies the following principles:

• Explicit tagging via the internal flag is_personal_data=true;
• Minimization: only strictly necessary information is retained (name, canton, public reference);
• Opt-out registry: any natural person may request deletion of their data via privacy@helvetdata.ch. Deletion is effective within twenty-four (24) hours and is recorded in a permanent registry that prevents any later re-indexing;
• Audit log of every public-source intelligence enrichment (Local.ch, Hunter.io, ProxyCurl).

HelvetData implements appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS 1.3) and at rest (AES-256);
• Authentication with short-lived JWT (15 minutes) and rotation of refresh tokens hashed in SHA-256;
• Infrastructure hosted by Hetzner, certified ISO 27001 and ISO 9001;
• Annual security audit by an independent third party;
• Daily encrypted backups with thirty (30) day retention;
• Production data access restricted to strictly necessary personnel, with access logging.

HelvetData uses two categories of cookies:

• Essential cookies (required): JWT session (15 minutes lifetime), refresh token (30 day lifetime), language preference. These cookies are indispensable to the operation of the Service and do not require consent.
• Analytics cookies (opt-in): PostHog and Google Analytics 4, configured with IP anonymization. These cookies are only set after explicit consent via the cookie banner.

You may change your preferences at any time by clearing cookies from the helvetdata.ch domain in your browser.

HelvetData reserves the right to amend this privacy policy to reflect legal, regulatory or technical developments. Any material amendment will be notified to users by email at least thirty (30) days before it takes effect.

For any question, access request, rectification, deletion or complaint regarding your personal data:

• Email: privacy@helvetdata.ch
• Postal: EMVEE VENTURES LTD · HelvetData, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom

You may also lodge a complaint directly with the Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern, www.edoeb.admin.ch.