Privacy Policy

Last updated: 25 June 2025

LookupSwiss AG (“we”, “us”, “LookupSwiss”) operates the website lookupswiss.com and the LookupSwiss validation API (the “Service”). This policy explains what personal data we collect, why, how we use it, and your rights under the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).

1. Data we collect

We collect only what we need to run the Service:

  • Account data: email address and a hashed password (handled by Supabase Auth, AES-256 at rest).
  • Billing data: Stripe customer ID, subscription status, plan, last 4 digits of card. Full card details never touch our servers — Stripe is PCI DSS Level 1 certified.
  • Usage data: API request counts per day, endpoint, and outcome. We do not store the phone numbers or email addresses you submit for validation.
  • Operational logs: IP address, user-agent, timestamp — kept 30 days for abuse detection, then automatically deleted.

2. Why we collect it

Lawful bases under GDPR Art. 6:

  • Contract (Art. 6(1)(b)): to run your account, process validations, and bill you.
  • Legitimate interest (Art. 6(1)(f)): to detect abuse, prevent fraud, secure the platform.
  • Legal obligation (Art. 6(1)(c)): to keep accounting records for the period required by Swiss law.

3. Data we do NOT store

Validation lookups are stateless. The phone numbers and email addresses you submit through POST /api/validate/* are processed in-memory and never written to a database, never logged to disk, and never shared with anyone. The only records we keep are anonymous counters: “user X made N calls to endpoint Y on day Z.”

4. Sub-processors

  • Supabase Inc. — authentication (data hosted in EU, GDPR DPA in place)
  • Stripe Payments Europe Ltd. — payment processing (PCI DSS Level 1)
  • MongoDB Atlas (EU-Central) — primary data storage, EU jurisdiction

5. International transfers

Personal data may be transferred to and processed in countries outside Switzerland and the EEA only via mechanisms approved under FADP and GDPR: Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework.

6. Retention

Account and billing data: kept for the lifetime of your subscription and 12 months after closure (for chargeback and accounting). Operational logs: 30 days. Usage counters: 13 months.

7. Your rights

You have the right to access, rectify, port, restrict, or erase your personal data. See our GDPR page for the exact procedure and our response SLA.

8. Cookies

We use only essential cookies (Supabase auth session token). No analytics cookies, no advertising cookies, no third-party trackers.

9. Contact

Data controller: LookupSwiss AG, Bahnhofstrasse 1, 8001 Zürich, Switzerland.
For privacy questions: privacy@lookupswiss.ch

10. Changes

We will post any material changes on this page and email account holders at least 14 days before they take effect. Governing law: Switzerland.