Privacy Policy

1. Data Controller

The party responsible for data processing under the Swiss Federal Act on Data Protection (nDSG) is:

2. Data Collected

We collect and process the following personal data:

• Account data: Name, email address, password (stored as hash)
• Project data: Drone images, EXIF metadata including GPS coordinates, measurement results
• Usage data: IP address, browser type, access time
• Payment data: processed via Stripe and not stored directly by us

3. Purpose of Data Processing

We process your data for the following purposes (Art. 19 para. 2 lit. b DSG):

• Provision and operation of the Roofy roof measurement service
• Geodata queries: GPS coordinates from EXIF data are transmitted to geo.admin.ch and sonnendach.ch to retrieve terrain heights and roof inclinations
• AI-assisted image analysis: Drone images are transmitted to the Google Gemini API to detect roof objects and reference scale markers
• Payment processing via Stripe
• Account management and authentication

4. Recipients and Third-Party Services

The following third-party providers receive access to personal data in the course of service delivery (Art. 19 para. 2 lit. c DSG):

• Supabase Inc. -- Database and file storage (Location: Zurich/EU)
• Vercel Inc. -- Frontend hosting (USA, adequacy decision by the Federal Council)
• Stripe Inc. -- Payment processing (USA, adequacy decision by the Federal Council)
• Google LLC -- Gemini API for AI analysis (USA, adequacy decision by the Federal Council)
• Federal Office of Topography swisstopo -- Geodata (geo.admin.ch, Switzerland)
• Federal Office of Energy -- Solar data (sonnendach.ch, Switzerland)

5. Data Transfer Abroad

Data is transmitted to service providers in the USA (Vercel, Stripe, Google). The Federal Council has recognized the USA as a country with an adequate level of data protection (Art. 16 para. 1 DSG). Additionally, standard contractual clauses exist with the providers.

6. Data Retention

• Account data: until account deletion by the user
• Project data (images, measurements, GPS): until project or account deletion
• Payment data: 10 years as required by law (CO Art. 958f)
• Server logs: maximum 90 days

7. Your Rights

You have the following rights regarding your personal data:

• Right of access (Art. 25 DSG): You may request information about the data stored about you.
• Right to data portability (Art. 28 DSG): You may request your data in a common format.
• Right to rectification: You may request the correction of inaccurate data.
• Right to deletion: You may request the deletion of your data.
• Right to lodge a complaint: You may file a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

To exercise your rights, contact us at info@roofy.ch.

8. Cookies

Roofy uses only technically necessary session cookies for authentication (Better Auth). No tracking, analytics, or advertising cookies are used.

9. Account Deletion

You can delete your account at any time in the profile settings. This will permanently delete your account, all projects, and all uploaded images (cascade delete).

10. GPS Data in Drone Images

Drone images typically contain GPS coordinates in their EXIF metadata. These are stored and used for geodata queries (terrain height, roof inclination) transmitted to Swiss federal agencies. GPS data is deleted together with the project when you delete the project or your account.