Skip to main content
SwitchEU
SwitchEU

Privacy Policy

Key points

  • The service is designed to handle only company and product names and to avoid the processing or personal data.
  • No tracking, profiling, or advertising. Aggregated website statistics are collected via self-hosted Umami Analytics (no cookies, no personal data).
  • Only strictly necessary cookies are used (no consent required).
  • Data minimisation and storage limitation are applied throughout.
  • If a search query contains personal data, it is rejected – at latest by Mistral AI (EU processor with Zero Data Retention) before any web search is performed.

1) Data Controller

Jakob Secklehner
Maroltingergasse 57, 1160 Vienna, Austria
Email: switcheu@posteo.eu

2) Design principles

This service follows privacy by design and by default (Art. 25 GDPR). The search feature is built so that, in normal operation, no personal data is processed beyond technically necessary server logs. All data processing follows the principles of data minimisation and storage limitation.

3) Search feature – how personal data is avoided

When a user submits a search query, the system applies a multi-stage filter to ensure only company or product names are processed further:

  1. Client-side check: The browser detects and blocks obvious personal data (email addresses, phone numbers, personal names) before the query leaves the device.
  2. Server-side classification (Mistral AI, France): Every query that passes the client-side check is sent to Mistral AI for classification. Zero Data Retention applies – Mistral neither stores nor logs the input or output, and processes the query only as long as strictly necessary to generate output. If Mistral identifies the query as personal data, it is rejected immediately and no web search is performed.
  3. Web search (Brave Search API, USA): Only queries confirmed as company or product names reach Brave Search. Brave's API data handling is governed by Brave Search API terms; the operator uses an API tier that does not retain query data beyond what is required to fulfil the request.

The risk that a user enters personal data in the search field cannot be fully excluded. However, the layered checks described above strictly limit this risk. If personal data bypasses the client-side filter, Mistral AI may briefly process it as part of the classification step before rejecting the query – under Zero Data Retention, this processing lasts only as long as strictly necessary to generate the classification output, and neither input nor output is stored or logged.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in providing the search service and protecting users by filtering out personal data.

4) Server and infrastructure logs

Two types of logs are generated:

  • Infrastructure access logs (self-hosted VPS in the EU): Contain IP address, timestamp, requested URL, and user agent. The server is a dedicated IONOS VPS located in Germany (IONOS SE, Montabaur), administered solely by the controller. Logs are used for security, abuse prevention, and debugging. Retention is limited to 30 days. No third-party CDN, analytics, or hosting intermediary is involved in serving the production site.
  • Edge function application logs (self-hosted Supabase, EU): Contain a hashed, pseudonymised representation of the search query (SHA-256 with salt, first 16 hex characters), event type, and processing duration. IP addresses are held hashed in memory only for rate limiting and are not persisted in application logs. The hash salt allows the data processor to reverse the pseudonymous query hashes for debugging purposes. Since the privacy filters described in section 3 ensure that only company/product names reach this stage, these logs do not normally contain personal data. Retention period is 1 day.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in operating the service securely and debugging errors.

5) Caching of search results

To reduce redundant API calls and improve response times, search results are cached in a self-hosted Supabase database running on the same IONOS VPS in Germany controlled by the operator. Cache entries contain only company/product data, no user identifiers, IP addresses, or personal data.

  • High-confidence company results (e.g., well-known companies with stable data): 14 days
  • Standard results: 7 days; product-specific results: 4 days
  • Low-confidence results: 1 day
  • Web search snippets: up to 7 days
  • Static company metadata (headquarters, country, founding year): up to 30 days
  • News/ESG enrichment data: 1 day

Cache keys are normalised company/product names and are not linked to individual users.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in reducing redundant API calls and improving response times.

6) Cookies and local storage

Only strictly necessary storage is used. No analytics, tracking, or marketing cookies exist (the website statistics tool described in section 6a does not set any cookies). Under Austrian ePrivacy law (§ 165 TKG 2021), consent is not required for strictly necessary storage.

  • cookie-notice-dismissedcookie-notice-dismissed – localStorage, 6 months – remembers that the cookie notice was dismissed.

6a) Website statistics (Umami Analytics)

For aggregated website statistics (page views, referrers, country-level visits) the operator uses Umami Analytics, an open-source analytics tool self-hosted on the same IONOS VPS in Germany. Umami sets no cookies, uses no cross-site identifiers, and collects no personal data: IP addresses are processed only transiently to derive a non-reversible daily hash and are never stored. No data is shared with third parties. Umami is GDPR-compliant by design and requires no consent under § 165 TKG 2021 / Art. 6(1)(f) GDPR (legitimate interest in understanding aggregate usage to improve the service).

7) Service providers

The website is hosted directly by the controller on a self-managed EU-based VPS. No frontend CDN, analytics provider, or backend-as-a-service vendor is involved in serving the production site or storing cached data. Due to the privacy-by-design process described above, the external service providers listed below should not receive personal data in normal operation.

  • IONOS SE (Germany) – provides the virtual server (IONOS VPS, data centre in Germany) on which the controller self-hosts the frontend, backend, and database. IONOS acts as a processor under Art. 28 GDPR for the physical infrastructure only; no application data is shared with IONOS beyond what is technically required. No third-party CDN or analytics vendor is involved. Standard server access logs (IP, timestamp, URL, user agent) are retained for 30 days.
  • Mistral AI SAS (France) – classifies search queries; processor under Art. 28 GDPR with Data Processing Agreement. Zero Data Retention applies: Mistral neither stores nor logs input or output, and processes queries only as long as strictly necessary to generate output. Mistral does not use query data for model training. If a query contains personal data, it may briefly reach Mistral before being rejected and discarded.
  • Brave Software, Inc. (USA) – web search API. Receives only queries classified as company/product names. Data handling is governed by Brave Search API terms.
  • Brandfetch SA (Switzerland) – company logo display. Receives only company domain names, no personal data.

8) External links

External sites are outside the control of this website's operator. Please review their respective privacy policies.

9) Your rights

You have the right to access, rectification, erasure, restriction, data portability, and to object to processing based on Art. 6(1)(f) GDPR. You may also lodge a complaint with a supervisory authority, for example the Austrian Data Protection Authority:

Austrian Data Protection Authority (Österreichische Datenschutzbehörde): dsb.gv.at

10) Contact

For privacy requests or questions: switcheu@posteo.eu

Last updated: 22 April 2026