1. Data controller
Rey Morales
Sole proprietorship
Trade name: Alloy & Ledger (not a registered trademark).
Chemin du Chano 28, 1802 Corseaux, Canton of Vaud, Switzerland
No UID/CHE number — turnover below the Swiss VAT registration threshold (CHF 100,000).
Email: contact@alloyandledger.com
For the Swiss Federal Act on Data Protection (FADP / nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR), the controller is the natural person named above operating Alloy & Ledger as a sole proprietorship from the Canton of Vaud, Switzerland.
2. Scope
This Privacy Policy describes how we process personal data when you visit public pages (/, /features, /about, /pricing, /faq, /app), register, log in, use /dashboard/* studio modules, install the PWA Companion from /app, or interact with our APIs and support channels.
It does not govern third-party sites such as Stripe Checkout or social profiles linked from marketing pages.
3. Personal data vs. studio operational data
Account and billing personal data includes your name, email, password hash, country, company name, tax identifiers you provide, Stripe customer/subscription markers, and access approval status.
Studio operational data includes jewelry images, BOM lines, material weights, user_recipes, supplier and client records, OCR invoice extractions, and sales ledger entries. This is your confidential business data. It contains personal data only where you enter identifiable client or supplier details.
Technical and usage data includes IP addresses (hashed where noted), session tokens, browser type, locale (en/fr), optional city/country via ipapi.co when enabled, and visit timestamps on public pages.
4. What we collect — mapped to modules
- Authentication and Studio Profile (/login, /dashboard/studio): email, password hash, display name, company name, country, operating currency (CHF/EUR/USD), tax/fiscal fields, brand logo, overheads.
- Subscription billing: Stripe customer ID, subscription status, payment method metadata (brand, last four digits — never full card numbers).
- The Bench, Workshop, Vault: project names, BOM, weights, fineness, images, serial numbers, inventory transactions, weighted average costs.
- The Lab (/dashboard/lab): alloy recipes (user_recipes), purity and yield calculations.
- Clients and Suppliers: contact names, emails, phones, addresses you enter.
- The Ledger, Accounting, Vaud Tax Example (CH only): sales records, VAT/tax percentages, returns, product_cogs_at_sale snapshots, fiscal profile fields.
- Market Channels (/dashboard/market-channels): channel definitions, publish prices, FX and adjustment rules.
- Document Intake OCR (/dashboard/ocr): photographs and PDFs of supplier/client invoices and inventory sheets; extracted fields pending your review.
- Support: problem reports from the dashboard sidebar; password reset and transactional emails via Resend.
- Privacy-first analytics (public site only): hashed visitor identifiers; optional geo via ipapi.co when ANALYTICS_GEO_ENABLED=true (default off).
5. Purposes and legal bases
We process account personal data to perform the SaaS contract (Art. 31 nFADP / Art. 6(1)(b) GDPR). Billing via Stripe is contract performance. Fraud and abuse prevention (anti-scraping, rate limits) relies on legitimate interest (Art. 31(1) nFADP / Art. 6(1)(f) GDPR). Aggregated, non-content analytics on public pages uses legitimate interest. Legal compliance uses legal obligation where applicable.
We do not use your BOM, recipes, OCR invoices, or client lists to train public AI models or for behavioral advertising.
6. Confidentiality of studio operational data
Inventory inputs, bills of materials, alloy recipes, supplier invoices, client records, and sales history are the customer's confidential property.
We do not sell, rent, broker, or commercialize studio operational data to data brokers, metal traders, competitors, or unrelated third parties for their independent commercial purposes.
Multi-tenant isolation is enforced via Supabase Row Level Security (auth.uid() = user_id). Provider access to production data is limited to need-to-know support, security, or legal compliance.
We may publish non-identifiable, aggregated service metrics that cannot reasonably be linked to your studio.
8. International data transfers
Some processors host or process data in the United States or other third countries without an adequacy decision under Swiss or EU law.
For such transfers we implement Standard Contractual Clauses (SCCs) and supplementary measures consistent with guidance from the FDPIC and, for EU data subjects, the European Commission SCC modules.
You may request copies of applicable SCCs at contact@alloyandledger.com.
9. Security measures
No system is perfectly secure. Report suspected incidents to contact@alloyandledger.com.
- TLS encryption in transit (Strict-Transport-Security).
- Content Security Policy and hardened HTTP headers via middleware.
- Supabase RLS tenant isolation on studio tables.
- Password hashing via Supabase Auth; service-role keys restricted to server-side routes.
- CI secret scanning and dependency audit pipelines.
- Session re-validation on tab focus; 401 redirects on API auth failure.
10. Retention
- Account data: duration of account plus statutory limitation periods.
- Studio operational data: until you delete or request erasure, subject to backup cycles (typically up to 30 days).
- Billing records: 10 years (Swiss commercial record-keeping).
- OCR uploads: until you delete associated records or close your account.
- Security logs: as needed for incident investigation.
11. Your rights
Under the Swiss FADP (nDSG) you may request access, information, correction, deletion (subject to legal exceptions), and portability where feasible. You may lodge a complaint with the FDPIC.
Where GDPR applies, you additionally have rights of restriction, objection to legitimate-interest processing, and withdrawal of consent where processing is consent-based.
Exercise rights at contact@alloyandledger.com.
12. Children
The Service is not directed at persons under 18. The Apprentice tier is intended for learning and practice; it is not intended for minors acting without parental authority.
13. Automated decision-making
The Platform performs deterministic calculations (production cost, VAT estimates, alloy math) based on your inputs. We do not make legally significant decisions about you solely by automated means without human review. OCR classification assists document routing; you confirm extractions before commit.
14. Cookies and local storage
We do not use third-party advertising cookies on authenticated studio routes.
- Supabase authentication cookies (essential).
- atelier.pwa.companion cookie for PWA Companion mode (essential).
- Locale preference for next-intl routing (functional).
15. Changes to this policy
We may update this Privacy Policy. Material changes will be notified via the Platform or email. The effective date at the top will be revised accordingly.
7. Processors and sub-processors
We use carefully selected processors to host and deliver the Service. The table below is the authoritative sub-processor list for this Privacy Policy.
| Processor | Role | Location | Data involved |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | United States / EU (project region) | Account and studio operational data |
| Vercel Inc. | Application hosting, edge middleware | United States / global edge | Request metadata, application logs |
| Stripe, Inc. | Payment processing (Studio tier) | United States / global | Billing personal data, subscription status |
| Resend, Inc. | Transactional email | United States | Email address, message content |
| Metals.dev | Precious metal spot prices | Third-country vendor | API requests (no studio BOM content) |
| ipapi.co | Optional Geo-IP lookup on public pages | Third-country vendor | IP address when analytics geo is enabled |
| Cloudflare, Inc. | DNS | United States | DNS query metadata |
We will notify account holders of material changes to this list via the Platform or email.
16. Contact and supervisory authority
For data protection requests (access, correction, deletion, portability, or complaint), contact the controller at the email below. We respond within 30 days, extendable once where permitted by law.
Data protection contact: contact@alloyandledger.com
Swiss supervisory authority: Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, 3003 Bern, Switzerland — edoeb.admin.ch.