1. Data controller
The data controller for processing your personal data within the meaning of the Swiss Data Protection Act (DSG) is:
2. What data is collected?
We collect the following categories of personal data:
- Registration data: Company name, name and first name of bosses/workers, email address, phone, role (boss / worker), password (hashed).
- Site and report data: Data about your sites (name, address, client, period, status), tracked working time, material, photos and notes, documents/plans, status history.
- Location data: Coordinates of sites (via OpenStreetMap geocoding) and — only with your consent — your current position on the device for distance calculation.
- Payment data (after trial): For future subscriptions, credit card / SEPA data is processed exclusively by Stripe Inc. and never stored on our servers. We only see subscription status and transaction IDs.
- Technical data: IP address, browser type, operating system, visited pages, timestamps, language preference — within the scope of server operation by Infomaniak.
3. Purpose of data processing
- Provision and operation of the SaaS platform baurapport.ch (site management, time tracking, reports, warehouse)
- Handling of subscriptions and payments (via Stripe, after the 30-day trial)
- Geocoding of site addresses to coordinates via OpenStreetMap/Nominatim
- Distance calculation between worker location and site (with consent, client-side)
- Communication by email (invitations, password reset, service messages)
- Security and abuse prevention (e.g. account blocking on Terms breaches)
- Compliance with statutory retention obligations
4. Legal basis
🇨🇭 Switzerland (DSG)
Data processing is based on Art. 6 DSG (consent through registration and acceptance of the Terms), Art. 31 DSG (contract performance) and the prevailing legitimate interest of the operator in the secure operation of the platform.
🇪🇺 EU (GDPR)
For users based in the EU/EEA, the GDPR applies. Processing is based on Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest).
5. Third parties & data transfers
🇨🇭 Infomaniak Network SA — Geneva, Switzerland
Web hosting, server operation, MySQL database, file storage and email delivery. All data is stored exclusively in Switzerland. Privacy Policy →
🇩🇪 OpenStreetMap / Nominatim — Germany / EU
Geocoding of site addresses to coordinates. Only the address is transmitted — no user data. Privacy Policy →
🇺🇸 Google Maps — USA
Only loaded when you actively click a "Google Maps" button (e.g. for navigation to a site). Transfer to the USA based on Standard Contractual Clauses. Privacy Policy →
🇺🇸 Google Analytics (GA4) — USA
Reach measurement & anonymised usage statistics (which pages are visited, where visitors come from). IP addresses are anonymised, no personal exploitation. Transfer to the USA based on Standard Contractual Clauses. Privacy Policy →
🇺🇸 Stripe Inc. (after trial) — San Francisco, USA
Payment processing for paid subscriptions. Credit card data is never stored on our servers. Transfer to the USA based on SCCs. Privacy Policy →
🇺🇸 Tailwind Labs (CDN) — USA
CSS framework is loaded via CDN. Only technical connection data (IP address) is transmitted. Privacy Policy →
6. Storage period
We only store your data as long as required for the stated purposes:
- Account data: as long as your account is active + 30 days after cancellation (recovery window)
- Reports, sites, warehouse data: as long as the account exists. After cancellation, data is deleted after 30 days unless a statutory retention obligation applies.
- Accounting-relevant data: 10 years according to the Swiss Code of Obligations
- Log files: max. 90 days
7. Your rights
You have the following rights at any time:
- Right of access: What data we have stored about you
- Rectification: Have incorrect data corrected
- Erasure: Have data deleted, unless a statutory retention obligation applies
- Data portability: Export your data in a structured format
- Withdrawal: Withdraw a granted consent
- Complaint: File a complaint with the FDPIC (edoeb.admin.ch)
Please send requests by email to info@baurapport.ch or via contact form.
8. Cookies & local storage
We only use technically necessary cookies and local storage:
- Session cookie: To keep you signed in (Laravel session)
- CSRF token: Protection against cross-site request forgery
- Preference cookie: e.g. card or table view for sites
- Service Worker / PWA cache: For offline functionality of the mobile app
- Google Analytics (GA4): For anonymised reach measurement. Cookies like _ga and _ga_* help us understand how our site is used. IP addresses are anonymised. You can disable tracking at any time via the Google Opt-out add-on.
We do not use advertising cookies or cross-site tracking for advertising.
9. Data security
We protect your data through technical and organisational measures: HTTPS encryption of all connections, hashed passwords (bcrypt), regular security updates, hosting in Switzerland (Infomaniak, ISO 27001 certified data centre), isolated databases per tenant (multi-tenant with strict access control).
10. Voice input (dictation feature)
In the app you can optionally dictate report text by voice instead of typing. The dictation feature uses the speech recognition built into your browser or operating system. As soon as you tap the microphone, the spoken audio is sent for transcription to the respective provider – to Google on Chrome/Android, and to Apple on Safari/iPhone. Baurapport itself neither records nor stores the audio; only the resulting text that you insert into the field is processed and stored. The feature is optional and only active while you deliberately start the microphone. The privacy policies of Google and Apple additionally apply.
11. Changes to this policy
We reserve the right to adapt this Privacy Policy at any time to reflect changed legal or technical conditions. In case of material changes we inform active users by email or in the app. The latest version is always available on this page.