Privacy Policy
Key points
- No personal data is intentionally processed – the service is designed to handle only company and product names.
- No tracking, profiling, analytics, or advertising.
- Only strictly necessary cookies are used (no consent required).
- Data minimisation and storage limitation are applied throughout.
- If a search query contains personal data, it is detected and rejected – at the latest by Mistral AI (EU processor with Zero Data Retention) before any web search is performed.
1) Data Controller
Jakob Secklehner (private individual)
Maroltingergasse 57, 1160 Vienna, Austria
Email: switcheu@posteo.eu
2) Design principles
This service follows privacy by design and by default (Art. 25 GDPR). The search feature is built so that, in normal operation, no personal data is processed beyond technically necessary server logs. All data processing follows the principles of data minimisation and storage limitation.
3) Search feature – how personal data is avoided
When a user submits a search query, the system applies a multi-stage filter to ensure only company or product names are processed further:
- Client-side check: The browser detects and blocks obvious personal data (email addresses, phone numbers, personal names) before the query leaves the device.
- Server-side classification (Mistral AI, France): Every query that passes the client-side check is sent to Mistral AI for classification. Zero Data Retention applies – Mistral neither stores nor logs the input or output, and processes the query only as long as strictly necessary to generate output. If Mistral identifies the query as personal data, it is rejected immediately and no web search is performed.
- Web search (Brave Search API, USA): Only queries confirmed as company or product names reach Brave Search. Brave applies a Zero Data Retention policy to API requests.
The risk that a user enters personal data in the search field cannot be fully excluded. However, the layered checks described above strictly limit this risk. If personal data bypasses the client-side filter, Mistral AI may briefly process it as part of the classification step before rejecting the query – under Zero Data Retention, this processing lasts only as long as strictly necessary to generate the classification output, and neither input nor output is stored or logged.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in providing the search service and protecting users by filtering out personal data.
4) Server and infrastructure logs
Two types of logs are generated:
- Infrastructure access logs (Lovable, Supabase): Contain IP address, timestamp, requested URL, and user agent. These are managed by the hosting providers and used for security, abuse prevention, and debugging. The controller does not maintain separate access logs. Retention is governed by each provider's policies (typically up to 30 days).
- Edge function application logs (Supabase): Contain a hashed, pseudonymised representation of the search query (SHA-256 with salt, first 16 hex characters), event type, and processing duration. IP addresses are held hashed in memory only for rate limiting and are not persisted in application logs. The hash salt allows authorised personnel to reverse the pseudonymous query hashes for debugging purposes. Since the privacy filters described in section 3 ensure that only company/product names reach this stage, these logs do not normally contain personal data. Retention period is 1 day.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in operating the service securely and debugging errors.
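The pseudonymisation described for the edge function logs above, as an added Python example that is not the service's own code: it shows that "reversing" a salted, truncated hash means recomputing it for candidate names with the salt in hand. The salt value, the salt-then-query concatenation, the normalisation rule and the company names are constructed assumptions; the page states only SHA-256 with salt and the first 16 hex characters.

```python
import hashlib
import hmac
from typing import Iterable, List

# Constructed sample salt; the real salt is secret and not published on the page.
SALT = b"example-salt-not-the-real-one"


def normalise(query: str) -> str:
    """Assumed normalisation: trim, collapse inner whitespace, lowercase."""
    return " ".join(query.split()).lower()


def pseudonymise(query: str, salt: bytes = SALT) -> str:
    """SHA-256 over salt + normalised query, cut to the first 16 hex characters."""
    digest = hashlib.sha256(salt + normalise(query).encode("utf-8")).hexdigest()
    return digest[:16]  # 64 bits of the digest, as written to the log


def resolve(logged_hash: str, candidates: Iterable[str],
            salt: bytes = SALT) -> List[str]:
    """Return the candidates whose pseudonym equals the logged value.

    A hash cannot be inverted directly. The holder of the salt recomputes
    the pseudonym for each name they suspect and compares it to the log
    entry, so the salt is the secret that separates authorised lookups
    from everyone else and has to be protected like a key.
    """
    return [
        name for name in candidates
        if hmac.compare_digest(pseudonymise(name, salt), logged_hash)
    ]


if __name__ == "__main__":
    # Constructed log entry and candidate list.
    entry = pseudonymise("  Acme   Corp ")
    print("log entry:      ", entry)
    print("with the salt:  ", resolve(entry, ["Globex", "Acme Corp", "Initech"]))
    print("with wrong salt:", resolve(entry, ["Acme Corp"], salt=b"guess"))
```
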
5) Caching of search results
To reduce redundant API calls and improve response times, search results are cached in the Supabase database (Frankfurt, EU). Cache entries contain only company/product data – no user identifiers, IP addresses, or personal data.
- High-confidence company results (e.g., well-known companies with stable data): 14 days
- Standard results: 7 days; product-specific results: 4 days
- Low-confidence results: 1 day
- Web search snippets: up to 7 days
- Static company metadata (headquarters, country, founding year): up to 30 days
- News/ESG enrichment data: 1 day
Cache keys are normalised company/product names and are not linked to individual users.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in reducing redundant API calls and improving response times.
6) Cookies and local storage
Only strictly necessary storage is used. No analytics, tracking, or marketing cookies exist. Under Austrian ePrivacy law (§ 165 TKG 2021), consent is not required for strictly necessary storage.
- cookie-notice-dismissed – localStorage, 6 months – remembers that the cookie notice was dismissed.
7) Service providers
Due to the privacy-by-design process described above, service providers other than Mistral AI should not receive personal data in normal operation.
- Mistral AI SAS (France) – classifies search queries; processor under Art. 28 GDPR with Data Processing Agreement. Zero Data Retention applies: Mistral neither stores nor logs input or output, and processes queries only as long as strictly necessary to generate output. Mistral does not use query data for model training. If a query contains personal data, it may briefly reach Mistral before being rejected.
- Lovable Labs Inc. – frontend hosting and CDN. Processes standard access logs (IP address, timestamp, URL, user agent).
- Supabase, Inc. – backend and database infrastructure, hosted in Frankfurt (EU). Data Processing Agreement in place. Stores only cached company data, not personal query content.
- Brave Software, Inc. (USA) – web search API. Receives only queries classified as company/product names. Applies Zero Data Retention to API requests.
- Brandfetch SA (Switzerland) – company logo display. Receives only company domain names, no personal data.
8) External links
External sites are outside the control of this website's operator. Please review their respective privacy policies.
9) Your rights
You have the right to access, rectification, erasure, restriction, and data portability, and the right to object to processing based on Art. 6(1)(f) GDPR. You may also lodge a complaint with a supervisory authority.
Austrian Data Protection Authority (Österreichische Datenschutzbehörde): dsb.gv.at
10) Contact
For privacy requests or questions: switcheu@posteo.eu
Last updated: 16 April 2026