Privacy notice
Last updated: 19 April 2026
This privacy notice explains how Helvadata (“we”, “us”) processes personal data when you visit helvadata.ch or use the Helvadata application. We are committed to treating personal data with care and transparency, and to giving you control over your data at all times. This notice is written in plain language. If anything is unclear, email us at the address at the bottom and we will explain.
Who is the data controller
Helvadata is currently operated in the personal name of Marco Oppecini (Zurich, Switzerland). A Swiss legal entity will succeed this controllership in 2026 and users will be notified in advance. For data-protection matters, the contact point below applies.
What personal data we process, why, and on what legal basis
| Data | Purpose | Legal basis (Swiss revDSG / GDPR) |
|---|---|---|
| Email address (waitlist) | To contact you when early access opens | Consent (nLPD Art. 6(7)(a) / GDPR Art. 6(1)(a)) |
| Email + password (signup) | To create and authenticate your Helvadata account | Contract performance (nLPD Art. 31(2)(a) / GDPR Art. 6(1)(b)) |
| Full name + organisation details | To personalise the product and generate RoPA documents for you | Contract performance |
| Interview answers + generated RoPA | To produce your Record of Processing Activities | Contract performance |
| Server logs (IP, user-agent, timestamps) | Security, abuse prevention, debugging | Legitimate interest (nLPD Art. 31(2)(c) / GDPR Art. 6(1)(f)) |
Who processes your data on our behalf (sub-processors)
We rely on the following carefully selected service providers. Each has signed a data processing agreement with us that requires them to meet Swiss and EU data-protection standards.
- Supabase (database + authentication) — hosted in Frankfurt, Germany (EU). Supabase is a US company; transfers to the US are covered by Standard Contractual Clauses.
- Vercel (web hosting and serverless functions) — deployment region Frankfurt (EU). Vercel is a US company; transfers to the US are covered by Standard Contractual Clauses.
- Anthropic (AI processing for RoPA generation) — US-based. When you run the RoPA interview, your answers are sent to Anthropic for AI-assisted generation. Covered by Standard Contractual Clauses and Anthropic's zero-retention endpoint policy.
- Infomaniak (domain registration, email infrastructure) — Swiss-based, fully in Switzerland.
International transfers
Operationally, your data is stored in the European Union (Frankfurt). In specific workflows — AI-assisted document generation and some platform management actions — data is transferred to Anthropic and to Vercel's control plane in the United States. These transfers are governed by the current Swiss and EU Standard Contractual Clauses. We will migrate the data plane to fully Swiss hosting (Infomaniak or Exoscale) during Q3 2026.
How long we keep your data
- Waitlist email addresses: kept until early access opens and you either sign up or unsubscribe. Maximum 18 months after collection.
- Account data (email, password hash, profile): for as long as your account is active, and for 30 days after account deletion to allow recovery.
- RoPA and organisation records: kept while your account is active. Exportable at any time. Deleted within 30 days of account deletion.
- Server logs: rotated after 90 days.
Cookies and tracking
We use only strictly necessary cookies — specifically the session cookies required for authentication (`sb-access-token`, `sb-refresh-token`). We do not use advertising, tracking, or analytics cookies. We do not embed social-media widgets. If we add privacy-respecting analytics (such as Fathom) in the future, this notice will be updated and you will be informed.
Automated decision-making
Helvadata uses an AI model (Anthropic Claude Sonnet 4.6) to draft your Record of Processing Activities from your interview answers. The output is a draft; you review, edit, and approve it. No automated decision is made about you or your business without your explicit action.
Your rights
Under Swiss nLPD and the EU GDPR you have the following rights concerning your personal data:
- Access — ask us what personal data we hold about you and receive a copy
- Rectification — correct any inaccurate or incomplete data
- Erasure — request deletion of your data (subject to our legal obligations)
- Restriction of processing — ask us to limit how we use your data
- Objection — object to our use of your data under legitimate interest
- Portability — receive your data in a machine-readable format
- Withdraw consent — for any processing based on consent, at any time
- Complaint — lodge a complaint with the Swiss Federal Data Protection Commissioner (FDPIC) or your local supervisory authority
Contact
For any privacy-related request or question, or to exercise any of the rights above, write to the address below. We respond within 30 days.