Privacy Policy
Last updated: 2026-07-12
Hy-Worth is operated by Hy-Lev SA, a Swiss company (société anonyme) based in the Canton of Vaud, Switzerland. This policy describes how we collect, use, and protect your data.
Privacy at a glance
The short version, in plain language. The full policy below is the binding text.
| Your question | Our answer | Legal basis (GDPR) |
|---|---|---|
| What data do you collect about me? | Your email address, and the financial data and documents you choose to enter. Nothing else — no tracking cookies, no advertising identifiers. | Contract |
| What do you use my data for? | Only to run the product for you — your net worth, plans, and reports. We don't build marketing profiles, and we don't sell, rent, or share your data. | Contract |
| Where is my data stored? | In Switzerland (Zurich), processed in the EU (Frankfurt), encrypted in transit and at rest. | — |
| Can you see the documents in my vault? | No. Documents you add to the vault are encrypted on your device before upload — our servers store only encrypted data we cannot read. | Contract |
| What happens to files I import (CSV, Excel, bank statements)? | They are read on your device; the file itself is not uploaded or stored — only the entries you review and approve are saved. | Contract |
| Which other companies handle my data? | Only the service providers listed in section 3 (hosting, payments, email, security), each bound to process data only on our instructions. Your card number goes to Stripe and does not reach our servers. | Contract |
| Do you track how I use the app? | We count page views anonymously (no cookies, no stored IP addresses, no individual tracking) and run standard security protections such as rate limiting. | Legitimate interest |
| How long do you keep my data? | For as long as your account exists. If you delete your account, your data is removed from production immediately and residual backups are purged within 30 days. | Contract / legal obligation |
| How do I see, download, or delete my data? | Self-serve in Settings: export everything as JSON, delete your account entirely, or edit anything in the app — no email required, no waiting. | Your legal rights (Art. 15–20 GDPR) |
1. What Data We Collect
Hy-Worth collects only the data you explicitly provide:
- Email address — used for authentication and account identification.
- Financial data — account balances, net worth entries, real estate records, planner scenarios, and any other data you enter into the application.
- Display preferences — your chosen currency, theme, and tracked currencies.
- Uploaded documents — files you choose to store in the document vault or attach to your entities (for example wills, deeds, agreements, or statements). They are used solely to display them back to you and are never analyzed for any other purpose.
We do not collect analytics, tracking cookies, or any data beyond what you provide. We do not sell, rent, or share your personal data with third parties for marketing purposes.
Legal bases. We process your account and financial data because it is necessary to provide the service you signed up for (performance of a contract, Art. 6(1)(b) GDPR). Security measures, abuse prevention, and cookieless aggregate analytics rest on our legitimate interest in running a safe, reliable service (Art. 6(1)(f)); billing records are additionally retained where financial-record laws require it (Art. 6(1)(c)). We do not rely on consent for any core processing, so there is no consent whose withdrawal would break the service.
2. How Data Is Stored
All data is stored in a PostgreSQL database hosted by Supabase in Switzerland (Zurich region) and processed in the EU (Frankfurt). Data is encrypted at rest and in transit (TLS). Authentication is handled by Supabase Auth with secure session management via HTTP-only cookies.
Documents you upload are stored in a private storage bucket within the same Supabase project, with access restricted to your authenticated account. Files are encrypted at rest and in transit. Database and storage backups are encrypted and retained for a limited window (see Data Retention).
3. Third-Party Services
- Supabase — database hosting, authentication, and API layer. Subject to Supabase's Privacy Policy. supabase.com/privacy
- Frankfurter API / European Central Bank — used to fetch historical foreign exchange rates. No user data is sent to these services; only currency pair and date range queries are made.
- Vercel Web Analytics — privacy-friendly, cookieless usage analytics. It measures aggregate traffic (page views, approximate country, device type) without cookies, without storing your IP address, and without any personal identifiers. It is not used to track individuals. vercel.com privacy policy
- Vercel — application hosting and content delivery (United States / global edge network). Vercel processes request metadata (such as IP addresses) as needed to serve the application.
- Stripe — payment processing for paid subscriptions. Stripe receives your email address and payment details; full card numbers never reach our servers. Subject to Stripe's privacy policy.
- Resend — transactional email delivery (for example signup confirmation). Receives your email address and the content of the emails we send you.
- Upstash — API rate-limiting infrastructure. Processes only pseudonymous user identifiers and request counters — never your financial data or documents.
- Cloudflare Turnstile — bot protection on sign-in and sign-up forms. Processes technical browser signals to distinguish humans from bots; no account or financial data is shared with it.
- Anthropic — AI assistance for optional, user-triggered features (currently: proposing column mappings when a CSV import isn't recognized). Only the data you explicitly submit for that feature (e.g. a file's column headers and a few sample rows) is sent; Anthropic does not use API data to train its models.
4. International Data Transfers
Your data is stored in Switzerland (Zurich) and processed in the EU (Frankfurt). Some of the providers above (Vercel, Stripe, Resend, Upstash, Cloudflare) process limited data in the United States or globally. Where personal data is transferred to the United States, we rely on providers certified under the Swiss–U.S. and EU–U.S. Data Privacy Framework or on standard contractual clauses, and we execute data-processing agreements with our processors.
5. Your Rights
You have the right to access, export, and delete your data at any time. All of these actions are available in the Settings page: /settings
- Access — view all your data directly within the application.
- Export — download a complete copy of your data in JSON format.
- Deletion — permanently delete your account and all associated data.
6. Data Retention
Your data is retained for as long as your account exists. When you delete your account, your data — including uploaded documents — is immediately removed from our production systems, and residual copies in encrypted backups are purged automatically within thirty (30) days. Anonymized aggregate data may be retained for analytics. Authentication records are removed with the account.
7. Data Breach Notification
If we become aware of a breach of your personal data that is likely to result in a risk to you, we will notify the competent supervisory authority (in Switzerland, the FDPIC; in the EU/UK, the relevant data-protection authority) within the legally required timeframe — 72 hours where the GDPR applies — and will inform affected users without undue delay if the breach is likely to result in a high risk to them, including what happened, which data was affected, and the measures taken.
8. Regional Privacy Frameworks
Hy-Worth operates across multiple jurisdictions and complies with the privacy frameworks that apply to its users:
- Canada — PIPEDA — Hy-Worth complies with the Personal Information Protection and Electronic Documents Act. Canadian users may request access, correction, or deletion of their personal data.
- Switzerland — revDSG — For Swiss users, Hy-Worth complies with the revised Federal Act on Data Protection (revDSG, in force September 2023). You may request data access, correction, or deletion at any time.
- European Union / United Kingdom — GDPR / UK GDPR — For users in the EU/EEA and the UK, Hy-Worth complies with the General Data Protection Regulation (GDPR) and UK GDPR, including the rights of access, rectification, erasure, restriction, data portability, and objection. You also have the right to lodge a complaint with your local supervisory authority. Contact us to exercise any of these rights.
- United States (California) — CCPA / CPRA — California residents have rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know, the right to delete, and the right to opt out of the sale of personal information. Hy-Worth does not sell personal data.
9. Contact
If you have any questions or concerns about this privacy policy or your data, please contact us at privacy@hy-worth.com.
Hy-Lev SA, Canton of Vaud, Switzerland