Privacy Policy

Last updated: May 2026

Note: This is a translation. In case of discrepancies between language versions, the German original version is authoritative.

1. Data Controller

The party responsible for data processing under the Swiss Federal Act on Data Protection (revFADP) is:

FNPlan GmbH

Auhof 5, 8853 Lachen SZ, Switzerland

CHE-370.591.803 VAT

Managing Director: Fabian Nünlist

Contact: info@roofy.ch

2. Data Collected

We collect and process the following personal data:

  • Account data: Name, email address, password (stored as hash)
  • Project data: Original drone images (JPEG, temporary until ODM processing, then deleted), EXIF metadata including GPS coordinates, ODM results (orthomosaic, DSM/DTM elevation models, 3D point cloud), measurement results, polygons, generated PDF reports and DXF exports.
  • Usage data: IP address, browser type, access time
  • Payment data: processed via Stripe and not stored directly by us

3. Purpose of Data Processing

We process your data for the following purposes (Art. 19 para. 2 lit. b DSG):

  • Provision and operation of the Roofy roof measurement service
  • Image processing: Uploaded original drone images (JPEG) are temporarily stored in Supabase Storage (Region Zurich, Switzerland) and transmitted to our ODM servers at Hetzner (Falkenstein, Germany) for photogrammetric processing with the open-source software NodeODM/OpenDroneMap. From the original drone images we derive an orthomosaic (composite top-down image of the roof), a digital elevation model (DSM/DTM) and a 3D point cloud. After completion of the ODM processing (typically ~20–30 min, also on failure), the original drone images are automatically deleted from Supabase Storage. The ODM results (orthomosaic, DSM/DTM, point cloud) remain on the Hetzner servers until the project or account is deleted; they form the basis for the subsequent measurement in the measurement tool.
  • Solar-potential supplementary information: When a measurement session is opened, the GPS coordinates from the EXIF metadata of the original drone images are automatically transmitted to sonnendach.ch (Swiss Federal Office of Energy, SFOE) to retrieve and display informative solar-potential data about the roof (orientation, power yield, roof surfaces). This data is purely informative and does not flow into the measurement. The roof slope is computed internally by Roofy from the digital elevation model (DSM); no external API call is made for this.
  • Transactional emails: Password reset, team invitations, and notifications about completed measurements are sent via Resend
  • Payment processing via Stripe
  • Account management and authentication

Legal bases for EU users (GDPR): To the extent the GDPR applies to you as a user residing in the EU, the legal bases of our processing are: Art. 6 para. 1 lit. b GDPR (performance of contract) for account and project data; Art. 6 para. 1 lit. f GDPR (legitimate interest in IT security) for server logs; Art. 6 para. 1 lit. c GDPR (legal obligation) for the ten-year retention of payment data pursuant to Art. 958f CO.

4. Recipients and Third-Party Services

The following third-party providers receive access to personal data in the course of service delivery (Art. 19 para. 2 lit. c DSG):

  • Supabase Inc. — Database, account data, temporary drone-image storage (before ODM processing), generated PDF reports and DXF exports (data location: Region Zurich, Switzerland, AWS eu-central-2). Note: Parent company is in the USA — abstract US CLOUD Act risk, mitigated by encryption at rest and a data processing agreement (DPA).
  • Hetzner Online GmbH (Falkenstein, Germany/EU) — ODM servers for the photogrammetric pipeline. Receives the original drone images from Supabase Storage for processing and subsequently stores the ODM results (orthomosaic, DSM/DTM elevation models, point cloud) until the project or account is deleted.
  • Vercel Inc. — Frontend hosting (USA, certified under the Swiss-U.S. Data Privacy Framework)
  • Stripe Payments Europe, Ltd. / Stripe, Inc. — Payment processing (Ireland/USA, certified under the Swiss-U.S. Data Privacy Framework)
  • Resend, Inc. — Transactional email delivery (USA, certified under the Swiss-U.S. Data Privacy Framework)
  • Swiss Federal Office of Energy (SFOE) — sonnendach.ch (Switzerland). Receives GPS coordinates when a measurement session is opened, to retrieve informative solar-potential data about the roof.

5. Data Transfer Abroad

Drone images and measurement data are processed on servers in Germany (Hetzner Online GmbH) — they do not leave the EU. Account and usage data are transmitted to service providers in the USA (Vercel, Stripe, Resend). These three providers are self-certified under the Swiss-U.S. Data Privacy Framework (in force since 15.09.2024); the Federal Council therefore recognises an adequate level of data protection for them (Art. 16 para. 1 revFADP in conjunction with Annex 1 DPO). In addition, data processing agreements with standard contractual clauses (SCC, EU module) are in place with the providers.

6. Data Retention

  • Account data: until active account deletion by the user or until automatic deletion 120 days after subscription end (details in Section 10).
  • Project data: Original drone images are automatically deleted from Supabase Storage ~20–30 min after upload (after completion of ODM processing, also on failure). ODM results (orthomosaic, DSM/DTM, point cloud), measurement data, PDF reports and DXF exports are retained until the project or account is deleted.
  • Payment data: 10 years pursuant to the statutory retention obligation (Art. 958f CO).
  • Server logs: retained briefly by the respective infrastructure providers (Vercel edge logs typically ~24h, Supabase Postgres logs ~7 days, Hetzner container logs until container restart or log rotation). No central log aggregation with extended retention.

7. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 25 DSG): You may request information about the data stored about you.
  • Right to data portability (Art. 28 DSG): You may request your data in a common format.
  • Right to rectification: You may request the correction of inaccurate data.
  • Right to deletion: You may request the deletion of your data.
  • Right to lodge a complaint: You may file a complaint with the Federal Data Protection and Information Commissioner (FDPIC). EU users may also lodge a complaint with the competent supervisory authority of their EU member state of residence.

Additional rights for EU users: Right to restriction of processing (Art. 18 GDPR), right to object to processing based on legitimate interest (Art. 21 GDPR), right to data portability (Art. 20 GDPR) — Roofy provides a ZIP export at any time via the Settings page.

To exercise your rights, contact us at info@roofy.ch.

8. Cookies

Roofy uses only technically necessary cookies. No tracking, analytics, or advertising cookies are used. Specifically: (1) Better-Auth session cookie (better-auth.session_token) for authentication, lifetime up to 7 days (Better-Auth default, no custom override). (2) Language cookie (NEXT_LOCALE) for display language selection — session cookie without max-age (discarded by the browser on close, next-intl default). (3) Organisation cookie (activeOrganizationId) for the org context for multi-org users, tied to the Better-Auth session (up to 7 days). When you click Pay, you are redirected to Stripe, which sets its own cookies on the stripe.com domain — these are outside Roofy's scope.

9. Account Deletion

You can delete your account at any time in the profile settings. This will permanently delete your account, all projects, and all uploaded images (cascade delete).

10. Automatic Data Deletion After Subscription End

After cancelling your Roofy subscription, all project and measurement data initially remains in read-only access for 90 days — you can still view it during this period and export it as a ZIP archive at any time, but cannot start new measurements. A 30-day warning phase then begins, during which we remind you by email on day 60, day 90, and day 113. 120 days after cancellation, all organisation data (projects, measurements, polygons, PDF reports, and DXF exports) is irrevocably deleted — both in the database and in Supabase storage and on our NodeODM servers (Hetzner). Exceptions: Stripe invoices are retained for 10 years pursuant to Swiss Code of Obligations (Art. 958f CO). Internal audit-log entries about deletion (timestamp, reason, counts) are retained for 10 years — analogous to the statutory retention obligation for business records pursuant to Art. 958f CO. The retention serves the accountability requirement under revFADP. You can manually export your data at any time before the 120 days expire via the Settings page (right to data release under Art. 28 revFADP, respectively data portability under Art. 20 GDPR). Legal bases: Art. 6 para. 4 revFADP (data minimisation), GDPR Art. 5 para. 1 lit. e (storage limitation), GDPR Art. 17 (right to erasure), and GDPR Art. 20 (data portability).

11. GPS Data and Drone Imagery of Third Parties

Original drone images typically contain GPS coordinates in their EXIF metadata. When a measurement session is opened, these are automatically transmitted to sonnendach.ch (Swiss Federal Office of Energy, SFOE) to retrieve solar-potential supplementary information about the roof. The GPS coordinates of the original drone images are deleted together with the JPEG originals from Supabase Storage as soon as ODM processing is complete (typically ~20–30 min after upload). GPS references in the ODM results — in the georeferenced orthomosaic, in the DSM/DTM and in the point cloud — remain until the project or account is deleted. Drone imagery may also depict persons, vehicles, license plates, or private property of third parties (neighbours, gardens). For such imagery, the User as drone pilot is the controller within the meaning of Art. 5 lit. j revFADP; Roofy is processor within the meaning of Art. 5 lit. k revFADP and processes the imagery solely on the User's instructions for delivering the measurement service. Before flying the drone, the User is required to assess third-party personality and data-protection rights (in particular Art. 28 of the Swiss Civil Code (SCC) and the processing principles of Art. 6 revFADP). Detailed obligations are governed by clause 4 of our GTC.

12. Changes

We reserve the right to amend this privacy policy at any time. The current version is available on this page.