Privacy Policy
Magic Heidi is a Swiss company. We take your privacy seriously. Learn how we protect your data under Swiss law, GDPR, and CCPA.

Quick Summary
Before diving into the details, here's what matters most about how we handle your data.
We don't sell your data
Ever. Period.
Your data stays yours
We don't monitor your invoices or client information
Swiss privacy standards
FADP, GDPR, and CCPA compliant
You control your data
Delete your account anytime
Security built in
Encryption protects data in transit and at rest
Who We Are
Magic Heidi is operated by Nathan Ganser, sole proprietor, based in Switzerland.
Contact for privacy matters:
- Email: hello@magicheidi.ch
- Website: https://magicheidi.ch
For complaints, you may also contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch.
Where This Policy Applies
This Privacy Policy covers:
- The Magic Heidi mobile application (iOS and Android)
- The Magic Heidi desktop application (Mac and Windows)
- The Magic Heidi web application
- Our website at https://magicheidi.ch
By accessing the app, you accept our Terms of Service and this Privacy Policy. You cannot use Magic Heidi without accepting both.
Data We Collect
As an invoicing application, Magic Heidi needs certain information to function. Here's exactly what we collect and why.
Business Information
Your company name, address, IBAN, payment details, and VAT registration number.
Invoice Data
Products and services you bill, prices, payment terms, and invoice history.
Client Information
Client names, addresses, contact details, and payment history.
Account Information
Email address, encrypted password, and subscription status.
Information Collected Automatically
Usage data:
- App features you use
- Error logs and crash reports
- Device type and operating system
We do not collect:
- Location data
- Contact lists
- Photos (unless you upload receipts)
- Browsing history
How We Use Your Data
We use your information for these specific purposes:
To Provide Our Services
- Generate legally compliant invoices
- Sync your data across devices
- Process your payments and subscriptions
- Send invoices and reminders to your clients
To Improve Magic Heidi
- Fix bugs and technical issues
- Understand which features need improvement
- Test new functionality
To Communicate With You
- Respond to support requests
- Send important product updates
- Share tips for using the app (only if you opt in)
Legal Basis for Processing
Under Swiss law and GDPR, we process your data based on:
- Contract: We need your data to provide the service you signed up for
- Consent: For optional communications, you choose to opt in
- Legitimate interest: For security, fraud prevention, and service improvement
Third-Party Services
We partner with trusted providers to deliver Magic Heidi. Each meets strict security and compliance standards.
Firebase (Google)
Authentication, data hosting, device sync. ISO 27001 certified, SOC compliant.
Google Cloud
File storage for receipts and audio. ISO 27001 certified.
RevenueCat
Subscription and payment management. GDPR compliant.
Postmark
Transactional email delivery. ISO 27001, SOC 2 Type II compliant.
Mixpanel
Anonymous usage analytics. GDPR compliant with data anonymization.
All third-party providers have signed Data Processing Agreements (DPAs) with us and must comply with applicable data protection laws.
International Data Transfers
Some of our third-party providers process data outside Switzerland. We protect your data through:
- Swiss-U.S. Data Privacy Framework: Our U.S. providers are certified under this framework
- Standard Contractual Clauses: Where required, we use EU-approved contractual protections
- Adequacy decisions: We prioritize providers in countries with recognized data protection standards
Data Retention
We keep your data only as long as necessary:
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Invoice and business data | Until you delete your account |
| Usage analytics | 24 months (anonymized) |
| Support conversations | 36 months |
| Payment records | 10 years (legal requirement) |
When you delete your account, we permanently erase your personal and business data within 30 days. Some anonymized usage statistics may remain for product improvement.
Your Rights
You Control Your Data
Here's what you can do with your data at any time.
Access & Export
Request a copy of all data we hold about you and download your invoices, client list, and business data in standard formats.
- Request full data export
- Download invoices as PDF
- Export client lists
- Get business data in standard formats
Correct & Update
Update inaccurate information directly in the app or by contacting us.
- Edit directly in the app
- Contact support for help
- Update business details anytime
- Correct client information
Delete & Restrict
Use the account deletion feature in the app, or email us. We'll permanently delete your data within 30 days.
- Delete account in-app
- Request via email
- Restrict processing
- Permanent deletion within 30 days
Object & Complain
Opt out of analytics or marketing communications at any time. Contact authorities if unsatisfied.
- Opt out of analytics
- Unsubscribe from marketing
- Lodge complaint with FDPIC
- Contact local DPA
Security Measures
We protect your data through multiple layers of security.
Data Breach Notification
If a security breach affects your personal data, we will:
- Notify the Swiss FDPIC within 72 hours (where required)
- Contact you directly if there's high risk to your rights
- Explain what happened and what we're doing about it
Cookies and Tracking
On Our Website
We use minimal cookies:
- Essential cookies: Required for the website to function
- Analytics cookies: Help us understand how visitors use our site (anonymized)
You can disable non-essential cookies in your browser settings.
In Our App
We don't use cookies in the mobile or desktop apps. We use secure authentication tokens instead.
Children's Privacy
Magic Heidi is designed for business use. We don't knowingly collect data from anyone under 16. If you believe a child has provided us with personal information, please contact us immediately.
Your Rights by Jurisdiction
Depending on where you're located, you have specific rights under local data protection laws.
Right to information, access, portability, correction, deletion, and restriction
All FADP rights plus complaint rights and withdrawal of consent
Right to know, delete, opt-out (we don't sell data), non-discrimination
Swiss Data Protection Rights (FADP)
As a Swiss resident, you have rights under the Federal Act on Data Protection (FADP), effective September 2023:
- Right to information about data processing
- Right to access your personal data
- Right to data portability
- Right to correction of inaccurate data
- Right to deletion ("right to be forgotten")
- Right to restrict processing
- Right to object to processing
The FADP requires us to implement Privacy by Design and Privacy by Default. We do this by collecting only necessary data and using privacy-protective default settings.
European Union Rights (GDPR)
If you're in the EU, UK, Liechtenstein, Norway, or Iceland, you have additional rights under GDPR:
- All rights listed above
- Right to lodge a complaint with your local supervisory authority
- Right to withdraw consent at any time
- Right not to be subject to automated decision-making
We don't make automated decisions that significantly affect you.
California Rights (CCPA/CPRA)
California residents have these rights:
- Right to know: What personal information we collect and why
- Right to delete: Request deletion of your personal information
- Right to opt-out: We don't sell personal information, so no opt-out is needed
- Right to non-discrimination: We won't treat you differently for exercising your rights
We do not sell your personal information. We don't share it for monetary or other valuable consideration.
Changes to This Policy
We may update this Privacy Policy when laws change or we modify our services. When we make significant changes:
- We'll update the "Last updated" date
- We'll notify you through the app or email
- We'll ask for your consent if required
Continued use of Magic Heidi after changes means you accept the updated policy.
Questions?
We're happy to explain anything in this policy. Contact us:
Email: hello@magicheidi.ch
Mailing address: Nathan Ganser, Magic Heidi, Route de Vaux 1, 1126 Vaux, Switzerland
For unresolved privacy concerns, contact the Swiss Federal Data Protection and Information Commissioner:
- Website: https://www.edoeb.admin.ch
- Email: info@edoeb.admin.ch