Privacy Policy
Last updated: June 2026
This policy describes what data the FormParse platform processes, why, on what legal basis, and for how long. It is written to match how the product actually behaves and applies to visitors and account holders in Switzerland and the European Economic Area (EEA).
Who is responsible
The service is operated by Schertenleib Solutions, Tunaustrasse 20, 5734 Reinach AG, Switzerland. For privacy requests, contact formparse@schertenleib-solutions.ch.
Controller and processor roles
We are the controller for account, authentication, billing, and operational data described below — we decide why and how it is processed.
We act as your processor for the personal data contained inside the documents you upload and the extraction results derived from them. For that content, your organization is the controller and we process it only on your documented instructions under a data processing agreement. See the Data Processing Agreement.
You decide which documents to submit and whether extraction outputs are fit for your purposes. We process document content only as your processor; you remain responsible for verifying AI-generated results before relying on them.
What we process
Account data. Your email address and authentication state, managed through Supabase Auth. Organizations, memberships, and roles are stored to scope your workspace.
Documents and results. Files you upload, computed page counts, extraction results (including field values and confidence scores), batches, and exports. These are stored in private storage buckets and database rows scoped to your organization by row-level security.
Billing data. Subscription state and metered page usage. Payment details are handled by Stripe; we never store card numbers.
Operational data. Audit logs for deletions and API-key lifecycle events, and rate-limit counters keyed by API key or user. Application logs are designed not to contain document content or extracted values.
Product analytics. When configured, the portal sends page views and funnel events (such as signup, upload, extraction, and export) to PostHog in the EU. Events use anonymous or pseudonymous identifiers and safe metadata only — never document text, file names, or extracted values. PostHog runs without analytics cookies (in-memory persistence).
Legal bases for processing
Under the EU/EEA General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): creating and operating your account, processing your documents to provide extractions and exports, and handling subscriptions.
- Legitimate interests (Art. 6(1)(f) GDPR): securing the platform, preventing abuse, enforcing rate limits and quotas, keeping audit logs, and improving the product through privacy-preserving analytics. You can object to processing based on legitimate interests (see “Your rights”).
- Legal obligation (Art. 6(1)(c) GDPR): retaining billing and tax records for the periods required by law.
- Consent (Art. 6(1)(a) GDPR): where we ask for it explicitly, for example optional communications. You can withdraw consent at any time without affecting prior processing.
Where we act as your processor for document content, the legal basis for that processing is determined by you as the controller.
How long we keep it
Documents, extraction results, batches, and exports are stamped with an expiry based on your organization's retention setting (0, 7, 30, or 90 days). A scheduled daily job permanently deletes expired data — storage objects and database rows — and writes an audit log entry for each deletion. Account and billing records are kept for as long as your account exists or as required by law.
Processors and sub-processors
We use the following service providers to run the platform. The current list of sub-processors is maintained in the Data Processing Agreement.
- Supabase — authentication, database, and file storage (EU region).
- Vercel — application hosting, with server execution pinned to the EU where possible.
- Stripe — subscription billing and payment processing.
- Trigger.dev (EU region) — asynchronous extraction and cleanup jobs.
- Upstash (EU region) — API rate limiting.
- PostHog (EU region) — portal product analytics.
- Resend — transactional email delivery.
- Vercel AI Gateway — routes extraction requests to configured models under no-training and zero/limited-retention terms.
- Google (Gemini API) — default vision model for document extraction; API data not used to train Google's models (see Google Cloud/API terms and DPA).
- Mistral AI — optional OCR fallback when configured; EU-hosted processing under Mistral API terms and DPA.
International data transfers
We aim to keep processing within Switzerland and the EEA. Some providers (for example Stripe and certain AI model providers) may process data outside the EEA, including in the United States. Where that happens, transfers are protected by an adequacy decision, the EU Standard Contractual Clauses, the Swiss addendum, or another lawful transfer mechanism, together with appropriate technical and organizational safeguards. You can request more detail at formparse@schertenleib-solutions.ch.
Automated decision-making
Extraction is AI-assisted: models read your documents and return structured fields with confidence scores for your review. The platform does not make decisions that produce legal or similarly significant effects about individuals without human involvement, within the meaning of Art. 22 GDPR. Because you choose to use an AI-based service, you remain responsible for verifying outputs before relying on them in your own processes.
Your rights
Subject to applicable law, you have the right to access your personal data and to request its rectification, erasure, or restriction; the right to data portability; the right to object to processing based on legitimate interests; and the right to withdraw consent where processing relies on it. You can exercise these rights at formparse@schertenleib-solutions.ch. Deleting your organization removes its tenant data; retention windows handle document data automatically. In Settings you can also use Export my data to download a JSON bundle of your organization settings, schemas, document and extraction metadata, results, and short-lived signed URLs for stored exports (not raw document bytes), and Delete account to permanently remove your organization, stored files, Stripe subscription, and auth user when you are the sole owner and confirm with a typed phrase.
If you believe we process your data unlawfully, you may lodge a complaint with a supervisory authority. In Switzerland this is the Federal Data Protection and Information Commissioner (FDPIC); in the EEA you may contact the supervisory authority of your country of residence, place of work, or the place of the alleged infringement.
EU representative
Where required by Art. 27 GDPR, we will appoint a representative in the European Union and publish their contact details here. Until then, all data protection requests can be addressed to formparse@schertenleib-solutions.ch.
Cookies
The platform uses essential authentication cookies only. See the Cookie Policy.