Privacy Policy
Last updated: June 2026
This policy is written in accordance with the Swiss Federal Act on Data Protection (FADP / nDSG), effective 1 September 2023.
1. Who we are
Actualli is operated by Philip Humphrey, Canton of Schwyz, Switzerland.
Contact: contact@actualli.ai
We operate the platform at https://www.actualli.ai and https://app.actualli.ai.
2. What data we collect and why
2.1 Account data
When you create an account, we collect your email address and, optionally, your name. This is used to authenticate you, send you platform notifications, and provide support. Legal basis: performance of contract.
2.2 Documents you upload
Documents you upload to the platform are stored securely and processed by our AI pipeline to extract structured data (document type, expiry dates, key fields). We do not read or use your documents for any purpose other than providing the service to you. Legal basis: performance of contract.
2.3 Usage data
We collect logs of actions taken on the platform (document uploads, scans, exports) for security monitoring, audit trail purposes, and platform improvement. These logs are stored in our immutable audit trail. Legal basis: legitimate interest in platform security and compliance.
2.4 Technical data
When you visit our website or use the platform, we collect standard server logs including IP address, browser type, and pages visited. These are retained for 30 days and used only for security and technical diagnostics. Legal basis: legitimate interest.
2.5 Payment data
Payment processing is handled by Stripe. We do not store your card details. Stripe's privacy policy applies to payment data: https://stripe.com/privacy
2.6 Communication data
If you contact us by email, we retain your messages to respond to your enquiry and for record-keeping. Legal basis: legitimate interest.
3. Cookies and similar technologies
We use the following cookies:
| Cookie | Type | Purpose | Consent required |
|---|---|---|---|
| Session auth token | Essential | Keeps you logged in | No |
| NEXT_LOCALE | Essential | Remembers your language preference | No |
| actualli-theme | Essential | Remembers your light/dark mode preference | No |
We do not use advertising, tracking, or profiling cookies. We do not use Google Analytics or any third-party analytics at this time.
If we add analytics or marketing cookies in future, we will update this policy and request your consent before setting them.
4. How we store and protect your data
- All data is stored on Supabase infrastructure with AES-256 encryption at rest
- All connections use TLS encryption in transit
- OAuth tokens and connector credentials are encrypted via pgcrypto with keys stored in Supabase Vault
- Row-level security is enforced on all database tables — your data is never accessible to other organisations
- Legal holds are enforced at database level and cannot be bypassed
- We maintain an immutable audit trail of all data access and modifications
5. Who we share data with
We do not sell your data. We share data only with the following service providers, solely to operate the platform:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU/US |
| Vercel | Web application hosting | US |
| Resend | Transactional email delivery | US |
| Stripe | Payment processing | US |
| Anthropic | AI language model (fallback only) | US |
| Google (Gemini) | AI language model (fallback only) | US |
| HuggingFace | AI model hosting | US |
All US-based providers are either EU adequacy-approved or operate under standard contractual clauses. For transfers to the US, we rely on the Swiss-US Data Privacy Framework where applicable.
6. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | Until account deletion, then 30 days |
| Uploaded documents | Until you delete them, or until account deletion |
| Audit logs | 7 years (Swiss commercial law obligation) |
| Server logs | 30 days |
| Payment records | 10 years (Swiss accounting obligation) |
7. Your rights under the FADP
You have the following rights regarding your personal data:
- Right of access (Art. 25 FADP): Request a copy of the personal data we hold about you
- Right to rectification (Art. 32 FADP): Request correction of inaccurate data
- Right to deletion (Art. 32 FADP): Request deletion of your data, subject to legal retention obligations
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at contact@actualli.ai. We will respond within 30 days.
If you are unsatisfied with our response, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch
8. Fiduciary clients — data processing
If you use Actualli as a fiduciary (Treuhänder) and upload documents on behalf of your clients, you act as the data controller for your clients' personal data. Actualli acts as your data processor under FADP Art. 9.
A Data Processing Agreement (DPA) governing this relationship is available on request at contact@actualli.ai.
9. Children
Actualli is a professional B2B platform not intended for use by persons under 18. We do not knowingly collect data from minors.
10. Changes to this policy
We will notify registered users by email of any material changes to this policy. The current version is always available at https://www.actualli.ai/privacy-policy.
11. Contact
For any questions about this privacy policy or your personal data:
Email: contact@actualli.ai
Swiss Federal Data Protection and Information Commissioner (FDPIC):
Feldeggweg 1, 3003 Bern, Switzerland