Privacy Policy

Magic Heidi is a Swiss company. We take your privacy seriously. Learn how we protect your data under Swiss law, GDPR, and CCPA.

Swiss Data Security

Quick Summary

Before diving into the details, here's what matters most about how we handle your data.

🚫

We don't sell your data

Ever. Period.
🔒

Your data stays yours

We don't monitor your invoices or client information
🇨🇭

Swiss privacy standards

FADP, GDPR, and CCPA compliant
🎛️

You control your data

Delete your account anytime
🛡️

Security built in

Encryption protects data in transit and at rest

Last updated: April 2026

Who We Are

Magic Heidi is operated by Nathan Ganser, sole proprietor, based in Switzerland.

Contact for privacy matters:

For complaints, you may also contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch.


Where This Policy Applies

This Privacy Policy covers:

  • The Magic Heidi mobile application (iOS and Android)
  • The Magic Heidi desktop application (Mac and Windows)
  • The Magic Heidi web application
  • Our website at https://magicheidi.ch

By accessing the app, you accept our Terms of Service and this Privacy Policy. You cannot use Magic Heidi without accepting both.

Information Collected Automatically

Usage data:

  • App features you use
  • Error logs and crash reports
  • Device type and operating system

We do not collect:

  • Location data
  • Contact lists
  • Photos (unless you upload receipts)
  • Browsing history

How We Use Your Data

We use your information for these specific purposes:

To Provide Our Services

  • Generate legally compliant invoices
  • Sync your data across devices
  • Process your payments and subscriptions
  • Send invoices and reminders to your clients

To Improve Magic Heidi

  • Fix bugs and technical issues
  • Understand which features need improvement
  • Test new functionality

To Communicate With You

  • Respond to support requests
  • Send important product updates
  • Share tips for using the app (only if you opt in)

AI Processing for Receipt Scans

If you upload a receipt, invoice, or expense attachment, we process that file to extract fields such as vendor, date, currency, VAT, amount, and category suggestions.

  • Receipt images, PDFs, screenshots, and forwarded email attachments may be sent to Anthropic for extraction
  • We use this processing only to provide the feature you requested
  • We do not use your uploaded receipt data to train Magic Heidi's own models
  • We do not permit AI processing to change your accounting records automatically without review
  • Original files remain part of your account records until you delete them or ask us to remove them, subject to legal retention requirements

Under Swiss law and GDPR, we process your data based on:

  • Contract: We need your data to provide the service you signed up for
  • Consent: For optional communications, you choose to opt in
  • Legitimate interest: For security, fraud prevention, and service improvement

All third-party providers that process personal data for us are bound by contractual data protection obligations.

Named Processors We Use

  • Firebase (Google): authentication, application data, and device sync
  • Google Cloud: storage for uploaded files such as receipts and supporting documents
  • Anthropic: AI extraction for receipt and expense scanning
  • RevenueCat: subscription management
  • Stripe: web payment processing, where applicable
  • Apple App Store / Google Play: mobile subscription billing and app distribution
  • Postmark: transactional email delivery
  • Mixpanel: product analytics
  • Vercel Analytics: website analytics
  • Sentry: error monitoring and incident investigation

International Data Transfers

Our primary application data is hosted in Switzerland. Some of our service providers may process limited data in other countries, including the United States and the European Union, depending on the service involved.

Examples include:

  • Switzerland: primary application hosting and stored customer records
  • United States: Anthropic, Mixpanel, RevenueCat, Stripe, Sentry, Postmark, and Vercel Analytics
  • European Union and other supported regions: certain Google infrastructure and delivery networks may process data closer to you

When personal data is transferred outside Switzerland or your country, we rely on safeguards such as standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms required for the relevant transfer.


Data Retention

We keep your data only as long as necessary:

Data Type | Retention Period
Account information | Until you delete your account
Invoice, expense, and business records | Until you delete your account, unless longer retention is legally required
Uploaded receipts and attachments | With your account records until deletion, subject to legal retention requirements
Imported bank statement files and matching data | With your account records until deletion, subject to legal retention requirements
Usage analytics | 24 months (anonymized)
Support conversations | 36 months
Payment records | 10 years (legal requirement)
Encrypted backups | Up to 90 days after deletion

When you delete your account, we remove or restrict personal data that we no longer need within 30 days. We may retain records that we are legally required to keep, such as accounting or payment records, and encrypted backups may persist for up to 90 days before permanent deletion.

Data Breach Notification

If a security breach affects your personal data, we will:

  1. Notify the Swiss FDPIC within 72 hours (where required)
  2. Contact you directly if there's high risk to your rights
  3. Explain what happened and what we're doing about it

Cookies and Tracking

On Our Website

We use a small set of essential and measurement technologies on our website:

  • Essential cookies: required for the site to function
  • Mixpanel: measures product and referral activity on the site
  • Vercel Analytics: provides aggregate website traffic and performance metrics
  • Sentry: captures technical errors and diagnostics when something breaks

You can block or clear non-essential website cookies in your browser settings.

In Our App

Our mobile and desktop apps do not use browser cookies, but they may send limited analytics and error telemetry through SDKs such as Mixpanel and Sentry. We also use secure authentication tokens instead of browser cookies for sign-in.


Children's Privacy

Magic Heidi is designed for business use. We don't knowingly collect data from anyone under 16. If you believe a child has provided us with personal information, please contact us immediately.

Your Rights by Jurisdiction

Depending on where you're located, you have specific rights under local data protection laws.

🔒 Privacy by Design
✅ FADP Compliant
✅ GDPR Compliant
✅ CCPA Compliant

🇨🇭
Swiss (FADP)

Right to information, access, portability, correction, deletion, and restriction

🇪🇺
European (GDPR)

All FADP rights plus complaint rights and withdrawal of consent

🇺🇸
California (CCPA)

Right to know, delete, opt-out (we don't sell data), non-discrimination

Swiss Data Protection Rights (FADP)

As a Swiss resident, you have rights under the Federal Act on Data Protection (FADP), effective September 2023:

  • Right to information about data processing
  • Right to access your personal data
  • Right to data portability
  • Right to correction of inaccurate data
  • Right to deletion ("right to be forgotten")
  • Right to restrict processing
  • Right to object to processing

The FADP requires us to implement Privacy by Design and Privacy by Default. We do this by collecting only necessary data and using privacy-protective default settings.


European Union Rights (GDPR)

If you're in the EU, UK, Liechtenstein, Norway, or Iceland, you have additional rights under GDPR:

  • All rights listed above
  • Right to lodge a complaint with your local supervisory authority
  • Right to withdraw consent at any time
  • Right not to be subject to automated decision-making

We don't make automated decisions that significantly affect you.


California Rights (CCPA/CPRA)

California residents have these rights:

  • Right to know: What personal information we collect and why
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: We don't sell personal information, so no opt-out is needed
  • Right to non-discrimination: We won't treat you differently for exercising your rights

We do not sell your personal information. We don't share it for monetary or other valuable consideration.


Changes to This Policy

We may update this Privacy Policy when laws change or we modify our services. When we make significant changes:

  1. We'll update the "Last updated" date
  2. We'll notify you through the app or email
  3. We'll ask for your consent if required

Continued use of Magic Heidi after changes means you accept the updated policy.


Questions?

We're happy to explain anything in this policy. Contact us:

Email: hello@magicheidi.ch

Mailing address: Nathan Ganser, Magic Heidi, Route de Vaux 1, 1126 Vaux, Switzerland

For unresolved privacy concerns, contact the Swiss Federal Data Protection and Information Commissioner:
