Privacy Policy
Last updated: June 3, 2026
1. Introduction
Heftli (operated by Spofibo GmbH, Switzerland) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at heftli.com, and covers our use of cookies and similar technologies.
This policy is governed by Swiss law (nFADP — Federal Act on Data Protection, in force September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).
2. Information We Collect
2.1 Information You Provide
- Account information (full name, email address, password hash)
- Organisation information (business name, company address, country)
- Company branding (logo image stored as base64)
- Banking and payment details for invoice generation: IBAN, QR-IBAN, bank name, account holder name
- Tax and registration numbers (UID/VAT number)
- Customer data you enter: names, addresses, email addresses of your clients
- Invoice and time tracking data: line items, amounts, VAT rates, project descriptions, time entries
- Payment information for your subscription (processed by Stripe; we do not store full card numbers)
2.2 Automatically Collected Information
- Log data (IP address, browser type, access times) — captured by Cloudflare infrastructure
- Device information (operating system, screen resolution)
- Usage data and analytics (pages visited, session duration, features used) — collected only with your explicit consent via Google Analytics
- Referral source (UTM parameters, referring URL)
- Audit/activity log data: a record of significant actions within your account (e.g. invoice created, team member added, project archived) including the actor, timestamp, and affected entity — retained for security and accountability
- Email addresses of team members you invite before they have accepted and created an account
2.3 Data Controller and Data Processor Roles
The distinction between who controls data and who processes it on their behalf matters for your legal obligations.
- Your account data (name, email, subscription, settings): Heftli is the data controller. We determine the purpose and means of processing this data.
- Your customers' personal data (names, addresses, emails entered on invoices): you are the data controller. Heftli acts solely as a data processor on your instructions, storing and transmitting this data only to provide the invoicing service. We do not use your customers' data for any other purpose.
This processor relationship is governed by the Data Processing Agreement incorporated into our Terms of Service. As data controller for your customers' data, you are responsible for ensuring you have a lawful basis to process it and that you comply with applicable data protection law.
3. How We Use Your Information
- To provide and maintain our service (legal basis: contract performance)
- To process your subscription payments (contract performance)
- To generate and deliver invoices on your behalf (contract performance)
- To send you service-related notifications (contract performance / legitimate interest)
- To improve our service and develop new features (legitimate interest)
- To analyse how visitors use the public website (consent)
- To maintain an audit trail of account activity for security and accountability (legitimate interest)
- To detect and prevent fraud or abuse (legitimate interest)
- To comply with legal obligations, including Swiss accounting requirements (legal obligation)
4. Data Sharing and Disclosure
We do not sell your personal information. We share your information only with the following third-party processors, each bound by appropriate data processing agreements:
- Supabase – authentication, database hosting, and file storage (see Supabase's privacy policy)
- Stripe – subscription billing and payment processing (see Stripe's privacy policy)
- Cloudflare (Workers / CDN / DDoS protection) – application hosting, global content delivery, and security (see Cloudflare's privacy policy)
- Cloudflare Email Workers – transactional email sending (invoice delivery, account notifications, team invitations). Email content including recipient addresses passes through Cloudflare's email infrastructure (see Cloudflare's privacy policy)
- Google (Analytics via GTM) – aggregated website usage analytics on public marketing pages, activated only with your explicit consent (see Google's privacy policy)
- Legal requirements – when required by law, court order, or regulatory authority
- Business transfers – in connection with a merger, acquisition, or sale of assets (users will be notified in advance)
5. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- TLS encryption for all data in transit
- Encryption for data at rest (Supabase managed encryption)
- Row-level security policies ensuring each organisation can only access its own data
- Regular security reviews
- Strict access controls, role-based permissions, and authentication
- Regular automated backups
6. Your Rights
Under Swiss nFADP and, where applicable, GDPR, you have the right to:
- Access – obtain a copy of the personal data we hold about you
- Rectification – correct inaccurate data
- Erasure – request deletion of your data (subject to legal retention obligations)
- Restriction – request that we limit processing of your data
- Portability – receive your data in a structured, machine-readable format
- Objection – object to processing based on legitimate interest
- Withdraw consent – at any time for consent-based processing (without affecting lawfulness of prior processing)
To exercise these rights, contact us at privacy@heftli.com. We will respond within 30 days.
7. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account and profile data | Deleted within 30 days of account closure | No further legal basis after termination |
| Billing and subscription records | 10 years from invoice date | Swiss OR Art. 958 accounting requirement |
| Activity / audit logs | 12 months rolling | Security and accountability |
| Analytics data (Google Analytics) | 26 months (GA default); deleted immediately on consent withdrawal | Service improvement (consent-based) |
| Server / observability logs | 30 days | Cloudflare default; security monitoring |
| Pending team invitations | 7 days (auto-expires) or on decline/withdrawal | No further purpose after expiry |
You may request deletion of your account and all associated data at any time by contacting privacy@heftli.com. Deletion will be completed within 30 days, subject to legal retention obligations above.
8. Data Breach Notification
In the event of a personal data breach that poses a high risk to your rights and freedoms, we will:
- Notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) within 72 hours of becoming aware of the breach, as required by nFADP Art. 24
- Notify affected users without undue delay, describing the nature of the breach, what data was affected, and the steps we are taking
- Maintain an internal record of all security incidents
To report a suspected security vulnerability, contact us at privacy@heftli.com.
9. Cookies and Tracking Technologies
Cookies are small text files stored on your device when you visit our website. We use cookies to make the service work correctly, remember your preferences, and — with your consent — to understand how visitors use the site.
9.1 Essential Cookies
These cookies are strictly necessary for the service to operate. They cannot be disabled because the site would not function without them. No consent is required for these cookies.
- Authentication cookies – keep you logged in (Supabase session tokens)
- Security cookies – protect against CSRF and session hijacking
- Cookie consent preference – remembers your cookie choices (cc_cookie, 6 months)
9.2 Analytics Cookies (Consent Required)
We use Google Analytics (loaded via Google Tag Manager) to understand how visitors interact with the public marketing pages. These cookies are only activated after you give consent via the cookie banner. Analytics data is aggregated and anonymised — it is never sold or used for advertising.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique visitors | 2 years |
| _ga_* | Google Analytics | Maintains session state | 2 years |
| _gid | Google Analytics | Distinguishes users (short-term) | 24 hours |
We implement Google Consent Mode v2: GTM is loaded on all public pages but all analytics and advertising tags remain in a denied state until you explicitly consent. If you decline, no analytics data is collected.
9.3 Managing Your Cookie Preferences
You can change your cookie preferences at any time:
- Via our cookie banner – click "Manage preferences" in the banner on your first visit, or use the "Cookie Settings" button in the footer at any time.
- Via your browser – most browsers allow you to block or delete cookies. Note that disabling essential cookies will prevent you from logging in.
- Via Google's opt-out – install the Google Analytics opt-out browser add-on.
10. International Data Transfers
Your data may be transferred to and processed in countries outside Switzerland and the EEA, including the United States (Supabase, Stripe, Google, Cloudflare). We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) and EU adequacy decisions where applicable. Switzerland has been recognised by the EU as providing adequate data protection.
11. Children's Privacy
Our service is not intended for users under 16 years of age. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our website at least 30 days before changes take effect. The "last updated" date at the top of this page reflects the most recent revision.
13. Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us at:
Email: privacy@heftli.com
Company: Spofibo GmbH, Switzerland
You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.