Your Trust, Our Priority
When you're managing invoices, expenses, and financial records, you need more than just great accounting software. You need absolute confidence that your sensitive data is protected, compliant, and in good hands.

At Magic Heidi, we've built our platform on a foundation of transparency, security, and compliance. We're fully compliant with Swiss FADP and EU GDPR regulations, use bank-level encryption, and give you complete control over your data.
Last updated: March 2025
Why Data Protection Matters for Your Business
Every invoice you create, every expense you log, and every bank statement you import contains sensitive information—client details, financial transactions, business relationships, and proprietary data.
A data breach doesn't just mean financial loss. It means:
- Lost client trust that takes years to rebuild
- Legal liability under Swiss and EU data protection laws
- Regulatory fines that can reach millions of francs
- Reputational damage that affects your business for years
That's why we treat your data security as seriously as you do. Since the new Swiss Federal Act on Data Protection (FADP) took effect in September 2023, we've ensured every aspect of Magic Heidi meets or exceeds these strengthened requirements.
Our Commitment: Privacy by Design, Security by Default
We don't just add privacy features as an afterthought. We build them into the foundation of Magic Heidi.
Privacy by Design
Every feature integrates privacy protection from the start. Before we add new functionality, we ask "How does this protect user data?"
Privacy by Default
When you start using Magic Heidi, the highest security settings are automatically activated. Protection is the default, not an option.
Swiss and EU Compliance
We comply with Swiss FADP, EU GDPR, and industry best practices including regular security audits and assessments.
How We Protect Your Financial Data
Security isn't just a checklist item for us. Here's exactly how we safeguard your information:
Bank-Level Encryption
Your data is protected with military-grade 256-bit SSL encryption—the same standard used by financial institutions worldwide.
- Data encrypted during transmission (when you're using the app)
- Data encrypted at rest (when stored on our servers)
- Your data remains unreadable even in the unlikely event of a breach
- Like storing documents in a bank vault that only you can open
Secure Data Location
Your financial data is stored on secure servers in Switzerland and the EU—chosen for maximum protection.
- Swiss data sovereignty laws provide additional protection
- EU server locations ensure GDPR compliance for international clients
- Data never leaves protected jurisdictions without safeguards
- Your data stays under Swiss legal protection
Role-Based Access Controls
Not everyone on your team needs access to everything. Magic Heidi uses role-based permissions for complete control.
- Team members only see what they need to see
- Administrative functions are protected
- Access logs track who viewed or modified data
- You maintain complete control over permissions
Continuous Security Monitoring
Our security isn't a one-time setup. We provide comprehensive ongoing protection.
- 24/7 monitoring for suspicious activity
- Regular backups to protect against data loss
- Automated threat detection identifies risks before they become problems
- Disaster recovery protocols ensure business continuity
Your Rights: Complete Control Over Your Data
Under Swiss FADP and EU GDPR, you have powerful rights over your personal and business data. We don't just comply with these laws—we make exercising your rights simple and straightforward.
Right to Access
What it means: You can request a complete copy of all data we hold about you.
How to use it: Contact our privacy team, and we'll provide a comprehensive data export within 30 days. No questions asked.
Right to Rectification
What it means: If any of your data is incorrect or incomplete, you can request corrections.
How to use it: Simply update your information in the app, or contact us for assistance. Changes take effect immediately.
Right to Deletion ("Right to Be Forgotten")
What it means: You can request complete deletion of your account and all associated data.
How to use it: Submit a deletion request, and we'll permanently remove your data within 30 days. We'll confirm when the process is complete. Note that we may retain certain information if required by law (such as tax records for the legally mandated retention period).
Right to Data Portability
What it means: You can export your data in a standard, machine-readable format to take to another service.
How to use it: Use our built-in export features to download your invoices, expenses, and financial records in common formats (PDF, CSV, Excel). No lock-in, no hassle.
Right to Object
What it means: You can object to certain types of data processing, including marketing communications.
How to use it: Update your communication preferences in your account settings, or contact our privacy team.
How to Exercise These Rights
Email us at privacy@magicheidi.com with your request. We'll respond within 72 hours and fulfill most requests within 30 days. It's that simple.
Data Breach Protection & Notification
While we work hard to prevent security incidents, we're also prepared to respond quickly if one occurs.
72-Hour Notification
If a breach affects your information, we notify you within 72 hours of discovery (as required by FADP and GDPR).
Clear Communication
We explain what happened in non-technical language, what information was affected, and immediate steps we're taking.
Prevention Measures
Multi-layered security with intrusion detection, automated scanning, employee training, and regular penetration testing.
Incident Response
Established protocols and regular drills ensure we're prepared to contain and resolve issues quickly.
Third-Party Processors & Data Sharing
We believe in transparency about who has access to your data and why.
When We Share Data
We only share your data in these specific circumstances:
- Service providers we use (payment processors, hosting providers, email services)
- When legally required (valid court orders, regulatory requests)
- With your explicit consent (integrations you choose to activate)
We never sell your data to third parties. Ever.
Our Subprocessors
We carefully vet all third-party services that process your data. Our current subprocessors include:
- Cloud hosting providers (for secure data storage)
- Payment processors (for subscription billing)
- Email service providers (for transactional emails and support)
We maintain a complete, up-to-date list of subprocessors. If you need the detailed list for compliance purposes, contact us at privacy@magicheidi.com.
Data Processing Agreements
For enterprise customers requiring formal Data Processing Agreements (DPAs), we provide comprehensive agreements that outline:
- Processing purposes and scope
- Security measures
- Subprocessor information
- Data breach protocols
- Audit rights
Contact our sales team to request a DPA.
Data Retention & Deletion
We keep your data only as long as necessary and legally required.
Active Accounts
While your account is active, we retain:
- Financial records you create (invoices, expenses, transactions)
- Account information (name, email, company details)
- Usage data (for improving the service and providing support)
Closed Accounts
When you close your account:
- Most data is deleted within 30 days
- We may retain certain information for legal compliance (Swiss tax law requires retaining business records for 10 years)
- You can request confirmation of deletion
Backups
Deleted data may persist in our encrypted backups for up to 90 days before permanent deletion. This protects against accidental deletion and system failures.
Cookies & Tracking
We use cookies to make Magic Heidi work properly and improve your experience. Here's exactly what we track:
Essential Cookies
Required for basic functionality:
- Session management (keeping you logged in)
- Security features (preventing fraud)
- Service delivery (ensuring features work correctly)
These cookies are necessary and cannot be disabled.
Analytics Cookies
Help us understand how people use Magic Heidi:
- Page views and feature usage
- Error tracking and performance monitoring
- Aggregate usage statistics
You can opt out of analytics cookies in your account settings.
What We Don't Do
- No tracking across other websites
- No selling of browsing data
- No advertising cookies
- No profiling for marketing purposes
Compliance for Swiss SMEs
If you're a Swiss small or medium enterprise, Magic Heidi is designed with your specific needs in mind.
- We understand the exemptions for companies with fewer than 250 employees (99% of Swiss businesses) while maintaining comprehensive records.
- Automatic compliance with Swiss tax record retention requirements, with secure archiving and easy retrieval for audits.
- Built-in Swiss VAT rates applied automatically, proper documentation for tax authorities, and easy export for reporting.
- Helps you meet all Swiss business record requirements with secure, long-term archiving of financial documents.
International Data Transfers
For customers outside Switzerland and the EU, we ensure your data remains protected during international transfers.
Transfer Safeguards
When data must cross borders, we use:
- Standard Contractual Clauses (approved by Swiss and EU authorities)
- Encryption in transit (protecting data while moving)
- Limited transfers (only when necessary for service delivery)
Adequacy Decisions
Switzerland and the EU have mutual adequacy decisions, meaning data can flow freely between these regions while maintaining high protection standards.
Key Legal Documents
Here are all the detailed legal documents that govern Magic Heidi, including our imprint:
Privacy Policy
Our comprehensive privacy policy explains what data we collect and why, how we use, store, and protect it, your rights and how to exercise them, and our legal bases for processing.
Terms of Service
The rules and conditions for using Magic Heidi, including account creation and usage, user responsibilities, service limitations and warranties, and termination conditions.
Cookie Policy
Detailed information about cookies and tracking, types of cookies we use, purpose of each cookie category, and how to manage cookie preferences.
Data Processing Agreement (DPA)
For enterprise customers requiring formal agreements covering processing purposes and limitations, security commitments, subprocessor information, and audit provisions.
Security Whitepaper
Technical details about our security infrastructure including encryption methods and key management, network security architecture, access control systems, and incident response procedures.
Continuous Improvement & Best Practices
Beyond compliance, we're committed to continuous improvement of our security practices.
Regular Security Audits
Third-party security audits and assessments to verify our practices and identify improvements.
Employee Training
Ongoing security awareness training for all team members to maintain the highest standards.
Vulnerability Testing
Regular penetration testing and vulnerability scanning to identify and fix issues proactively.
Incident Response
Planned protocols and regular drills ensure we're prepared for any security scenario.
Secure Development
Security-focused development practices integrated into every stage of our product lifecycle.
Zero-Trust Architecture
Zero-trust network architecture and multi-factor authentication options for enhanced protection.
Transparency & Contact
We believe transparency builds trust. That's why we're committed to open communication about how we handle data.
Regular Updates
We review and update our policies regularly to:
- Reflect changes in laws and regulations
- Incorporate new security best practices
- Add new features or integrations
- Improve clarity based on user feedback
When we make material changes, we'll notify you via email at least 30 days in advance.
Privacy Officer
Have questions about data protection? Our dedicated privacy team is here to help.
Email: privacy@magicheidi.com
Response time: Within 72 hours
Languages: English, German, French, Italian
Data Protection Inquiries
For formal data protection requests (access, deletion, portability), please include:
- Your full name and account email
- Specific request type
- Any relevant details or timeframes
- Preferred format for data export (if applicable)
We'll confirm receipt within 72 hours and fulfill most requests within 30 days.
Security Concerns
If you discover a security vulnerability or have concerns about data protection:
Email: security@magicheidi.com
Priority: Critical issues addressed within 24 hours
We appreciate responsible disclosure and will work with you to address legitimate security concerns.
Ready to Experience Secure, Compliant Accounting?
See why thousands of Swiss SMEs and freelancers trust Magic Heidi with their financial data.