Privacy Policy

Last updated: 28 June 2026

This Privacy Policy explains how we collect, use, and protect your personal data when you use the LookupSwiss validation API and website. It is written to comply with the Swiss Federal Act on Data Protection (FADP / nDSG) and the EU General Data Protection Regulation (GDPR).

1. Data controller

The data controller is Ivan Laginestra, located in Aargau, Switzerland. For any data-related request, contact: laginestraivan3@gmail.com.

2. What personal data we collect

We collect only what we need to operate the service:

  • Account data: your email address (for authentication and billing).
  • Phone numbers and email addresses you submit to the API for validation (processed in real time — see retention below).
  • Usage data: API request counts per day, endpoint called, success/failure, timestamps, IP address, user-agent.
  • Payment data: handled exclusively by Stripe (we only store your Stripe customer ID, your plan, and subscription status — never full card details).

3. Purpose of processing

We process this data to (a) create and manage your account, (b) deliver the validation API, (c) bill you and handle subscription management via Stripe, (d) send transactional and contact emails via Resend, (e) detect abuse and protect the platform from fraud.

4. Legal basis

Under Art. 6 GDPR (and equivalent FADP provisions):

  • Performance of a contract (Art. 6(1)(b)): account management, API delivery, billing.
  • Legitimate interest (Art. 6(1)(f)): abuse detection, fraud prevention, platform security.
  • Legal obligation (Art. 6(1)(c)): retention of accounting records as required by Swiss law.

5. Sub-processors

We rely on the following sub-processors to operate the service. All have signed Data Processing Agreements and, where applicable, EU Standard Contractual Clauses (SCCs):

  • MongoDB Atlas — primary database, hosted in Frankfurt (EU).
  • Supabase — authentication, hosted in EU West.
  • Stripe Payments — payment processing, USA (SCCs in place, PCI DSS Level 1).
  • Resend — transactional email delivery, USA (SCCs in place).
  • ZeroBounce — email validation (EU endpoint, data stays in the EU).
  • Twilio — planned future use for real-time phone carrier lookup (USA, SCCs).

6. Data retention

Phone numbers and email addresses submitted to the validation API are processed in memory and NOT stored long-term. API usage logs (counts, timestamps, IPs) are retained for a maximum of 90 days, then automatically deleted. Account data is kept for the lifetime of your account and deleted on request (subject to Swiss accounting retention rules for invoices).

7. International transfers

Data is hosted in the EU wherever possible. Transfers to the USA (Stripe, Resend, Twilio) are protected by Standard Contractual Clauses (SCCs).

8. Your rights

You have the right to (a) access your personal data, (b) request correction of inaccurate data, (c) request deletion (the right to be forgotten), (d) request data portability in a machine-readable format, (e) object to processing or restrict it, (f) lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU supervisory authority.

9. Cookies

We use only essential cookies (authentication session) and one consent cookie. No advertising cookies, no third-party trackers.

10. Contact for data requests

For any access, deletion, or portability request, write to: laginestraivan3@gmail.com. We respond within 30 days as required by Art. 12(3) GDPR.

11. Changes

We will post any material changes here and notify account holders by email at least 14 days before they take effect.