Privacy Policy
Based on the revised Swiss Federal Act on Data Protection (revFADP/nDSG), in force since 1 September 2023. Where users from the EEA use the application, we additionally observe the GDPR.
Where is your data processed?
Your primary data (user account, termination data, dashboard content) is currently processed on servers in the EU/UK region. We consistently aim to host within a data-protection-adequate area (EU, UK, Switzerland), but we cannot permanently guarantee the specific server region of individual third-party providers. We will update this notice if the configuration changes materially.
- Current configuration in the EU/UK region: Supabase (database + auth) on AWS London (UK, eu-west-2), Sentry (error diagnostics) on the EU instance in Frankfurt, PostHog (product analytics) on the EU instance in Frankfurt/Dublin. Providers may adjust regions; any migration will remain within a data-protection-adequate region.
- In the United States: Vercel hosts the website (US company with a global edge network; individual renders may be served from EU PoPs). Stripe Payments Europe Ltd. (Dublin, Ireland) processes payments — Stripe's US parent is subject to US law.
We do not hide the US components behind marketing language. For the US providers, standard contractual clauses (SCC), the EU-US / Swiss-US Data Privacy Framework (DPF), and specific technical measures apply (data minimisation, no credit card data stored by us, access control).
1. Controller
The party responsible for data processing on mietkuendigung.ch is:
Joel Waeber
Sonnenweg 4
3254 Messen, Switzerland
info@mietkuendigung.ch
Further information about the operator can be found in the Imprint (Impressum).
2. What data we process
2.1 Wizard inputs
When you use the termination wizard, we collect the data you enter:
- Name and address (tenant and landlord)
- Canton and housing situation
- Rental contract details (date, type, notice period)
- Termination situation (standard, early, flat-share, etc.)
This data is stored in our database at Supabase (AWS London, UK) so that we can provide you with the generated letter and — for Premium — the dashboard.
2.2 Email address
We use your email address for:
- Authentication (magic link or password)
- Deadline reminders via email (only with your explicit consent)
2.3 Payment data
Payment data (credit card, bank, or TWINT data) is processed and stored exclusively by our payment processor Stripe. We have no access to your payment data. From Stripe we only receive: email address, order number, and product variant (Basic/Premium).
2.4 Technical data
When you visit the site, technical data (IP address, browser type, access time) is automatically recorded. This data is used for technical operations, security, and error diagnostics (see section 3 — processors).
2.5 Cookies
We use no tracking cookies and no third-party cookies. Only strictly necessary cookies are set (authentication session). For product analytics we use PostHog in a cookie-less configuration.
Because no tracking cookies are set, no cookie banner is required (FMG Art. 45c).
3. Processors and service providers
We use carefully selected processors. Data processing agreements (DPAs) or standard contractual clauses (SCC) are in place with all US-based providers.
3.1 Supabase (database + authentication)
- Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
- Hosting region: AWS eu-west-2 — London, United Kingdom (UK)
- Purpose: Storage of user accounts, termination data, dashboard content; authentication services
- Legal basis: Contract performance (FADP Art. 31 para. 2 lit. a) and legitimate interest in data security
- Retention: 12 months after last login, then automatic deletion
Important: since Brexit, the United Kingdom is no longer an EU member state. However, it has its own data protection law (UK Data Protection Act 2018 + UK GDPR) and has been recognised by both the Swiss FDPIC and the European Commission as a country offering an adequate level of data protection. Your primary data is not transferred to the United States.
3.2 Stripe (payment processing)
- Provider: Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
- Role: Payment processor (sub-processor for payment data). The legal seller and your contractual counterparty remains the operator (Joel Waeber).
- Hosting region: EU (Dublin, Ireland) via Stripe Payments Europe Ltd. Parent company in San Francisco, USA.
- Purpose: Checkout, payment, refunds, fraud prevention
- What we receive from Stripe: Email address, order number, product variant (Basic/Premium), order timestamp. We never see credit card data.
The following apply: EU/CH standard contractual clauses (SCC) and — where certified — the EU-US and Swiss-US Data Privacy Framework (DPF). Stripe is PCI-DSS Level 1 certified.
Stripe privacy policy: stripe.com/privacy
3.3 Vercel (website hosting)
- Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA
- Hosting region: US-based company with a global edge network. Static assets are served from geographically nearby PoPs (including EU). Serverless functions may run in US or EU regions depending on configuration.
- Purpose: Delivery of the web application and hosting of the serverless functions (Next.js)
- Legal basis: Legitimate interest in operations and performance (FADP Art. 31 para. 2 lit. c)
Vercel is a US-based company. For transfers the following apply: EU/CH standard contractual clauses (SCC) and — where certified — the EU-US and Swiss-US Data Privacy Framework (DPF). Vercel does not process application data — that data is stored exclusively at Supabase (London, UK). Vercel sees only request metadata (IP, user-agent, URL).
DPA: vercel.com/legal/dpa
3.5 PostHog (product analytics)
- Provider: PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA
- Hosting region: EU region (eu.i.posthog.com) — data centres in Frankfurt / Dublin. No transfer to the United States takes place.
- Purpose: Measuring conversion flows, detecting UX friction points, improving navigation
- Legal basis: Legitimate interest in product improvement (FADP Art. 31 para. 2 lit. c)
- Retention: According to PostHog's default settings; we work with aggregated funnel data without direct personal reference
Our configuration minimises personal data as far as possible:
- Cookie-free: no persistent device identifier (persistence: 'memory')
- IP address is not stored (ip: false)
- No autocapture — only explicitly defined events are transmitted (e.g. calculator_completed, paywall_viewed)
- No real names, no email addresses in event data — only metadata such as canton, product tier, or termination situation
- The browser setting 'Do Not Track' is respected (respect_dnt: true)
- Session Replay (recording of screen interactions) is disabled. Should we enable this feature in the future, this privacy policy will be updated beforehand.
Right to object: enable 'Do Not Track' (DNT) in your browser — our integration detects the setting and suppresses event capture.
DPA: posthog.com/dpa
4. Cross-border data transfers
Personal data is transferred to service providers in the following countries (FADP Art. 16–17). For transparency, here is where each component lives:
| Service | Data location | Legal safeguard |
|---|---|---|
| Supabase | London, UK (AWS eu-west-2) | Adequacy decisions by FDPIC and European Commission |
| PostHog | Frankfurt / Dublin, EU instance | EU hosting, DPA, SCC (US parent) |
| Vercel | Global edge network (US company) | SCC, DPF certification, DPA |
| Stripe | Dublin, Ireland (EU) / San Francisco, USA (parent company) | EU hosting, SCC, DPF certification, PCI-DSS Level 1 |
Data protection is additionally ensured through:
- EU/CH standard contractual clauses (SCC) with all US providers
- EU-US and Swiss-US Data Privacy Framework (DPF) for certified providers
- Data processing agreements (DPAs) with all processors
- Data minimisation at the application level (cookie-less, no IP storage at PostHog, no autocapture, no names in events)
- Technical and organisational measures by the providers (encryption, access control, audits)
Residual risk: Vercel (US company) and the US parent companies of the EU-hosted services Stripe and PostHog are subject to US law (e.g. the CLOUD Act). Theoretical access by US authorities to data stored in the EU cannot be fully ruled out in every case. This residual risk is mitigated by the contractual and technical measures described above.
5. Purposes of data processing
We process your data exclusively for the following purposes:
- Delivery of the service: Calculating deadlines, generating termination letters, providing the dashboard
- Authentication: Login and access control (Premium users only)
- Deadline reminders: Email notifications about important dates (only with explicit consent)
- Technical operations: Security, bug fixing, availability
We do not use your data for marketing, advertising, or profiling.
6. Retention period
We store your data only for as long as necessary to deliver the service (FADP Art. 6, principle of data minimisation):
- Wizard data and dashboard: 12 months after your last login. Automatic deletion thereafter.
- Email address: Until the account is deleted or upon request.
- Technical logs and error data: Maximum 30 days.
7. Your rights (FADP Art. 25–29)
You have the following rights regarding your personal data:
- Right of access (Art. 25): You may at any time request information about the data we have stored about you.
- Rectification (Art. 6 para. 5): You may request the correction of inaccurate data.
- Erasure (Art. 6 para. 4): You may request the deletion of your data, provided there is no statutory retention obligation.
- Data portability (Art. 28): You may request a copy of your data in a common electronic format.
Please send requests to: info@mietkuendigung.ch
We usually respond within 30 days.
8. Data security
We take appropriate technical and organisational measures to protect your data (FADP Art. 8):
- Encrypted transmission (HTTPS/TLS)
- Access control at database level (Supabase Row Level Security)
- Separate keys for public and administrative access
- Regular security reviews and updates
9. Changes to this privacy policy
We reserve the right to amend this privacy policy at any time. The current version is always available on this page. In case of material changes, we notify registered users by email.
10. Contact and complaints
For questions about data protection or to exercise your rights, please contact us at: info@mietkuendigung.ch
You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC):
EDÖB / FDPIC
Feldeggweg 1
3003 Bern
www.edoeb.admin.ch
As of: April 2026