Privacy Policy

1. Data Controller

The data controller responsible for your personal information is:

2. Data We Collect

We collect only what is necessary to deliver our service:

• Account information: name, email address, and (optionally) a profile photo when you register via Google OAuth or email/password.
• Health tracking data: mood ratings, energy levels, sleep duration, and free-text reflections you enter during check-ins.
• Contact information: messages sent through the contact form or the in-portal messaging feature.
• Technical data: IP address, browser type, and access logs — collected automatically by our hosting infrastructure (Vercel) for security and performance purposes.

3. Purpose of Processing

• Providing and personalising the client portal and health tracking features.
• Enabling practitioners to review your progress and provide clinical guidance.
• Communicating with you about your program and appointments.
• Improving our service through anonymised, aggregated analytics.
• Complying with legal obligations under Swiss and EU law.

The legal basis for processing health data is your explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR; Art. 31 nFADP). You may withdraw consent at any time — see Section 6.

4. Data Retention

We retain your data for as long as your account is active and for a maximum of 5 years after account closure, unless a longer retention period is required by applicable law (e.g., Swiss medical record obligations). Check-in data and health records may be subject to a 10-year retention minimum under Swiss health legislation.

5. Third-Party Processors

• Vercel Inc. (USA) — hosting and edge delivery. Standard Contractual Clauses apply.
• Neon Inc. (USA) — database hosting (PostgreSQL). Standard Contractual Clauses apply.
• Google LLC— OAuth authentication if you choose “Sign in with Google”. Governed by Google's Privacy Policy.

We do not sell your data. We do not share your health data with any third party unless required by law or with your explicit consent.

6. Your Rights

Under Swiss nFADP and EU GDPR you have the right to:

• Access a copy of all personal data we hold about you.
• Rectification of inaccurate or incomplete data.
• Erasure(“right to be forgotten”) — deletion of your account and all associated data, subject to legal retention obligations.
• Portability — receive your check-in and profile data in a structured, machine-readable format (JSON or CSV).
• Restriction of processing while a dispute is under review.
• Withdraw consent at any time without affecting prior processing.
• Lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, for EU residents, your local supervisory authority.

To exercise any of these rights, contact us at privacy@surf-your-life.ch. We will respond within 30 days.

7. Cookies

We use a single session cookie to keep you logged in. No tracking or advertising cookies are set. We do not use Google Analytics or similar tracking tools.

8. Legal Compliance

This policy complies with the Swiss Federal Act on Data Protection (nFADP / revDSG), in force since 1 September 2023, and with the EU General Data Protection Regulation (GDPR) where applicable to EU residents. As a health portal processing special-category data, we apply the highest level of data protection obligations.

9. Changes to This Policy

We may update this policy as our services evolve or legal requirements change. Material changes will be communicated by email to registered users at least 14 days before they take effect. The current version is always available at this URL.