Privacy Policy

1. Data Controller

ATHEMI is operated by athemi GmbH, Hauptstrasse 29, 4444 Rümlingen, Switzerland. For questions about data protection, contact:

2. Data We Collect

2.1 Account Data

• Name, email address, password (encrypted]
• Phone number, mobile number (optional]
• Address (optional]
• Profile picture (optional]
• Two-factor authentication secret (encrypted, if enabled]

2.2 Company Data

• Company name, email, phone, website
• Address, VAT number
• Company logo (optional]
• Email domain and domain verification records
• ERP connection credentials (encrypted]
• Subscription and billing information (processed by Stripe]
• Webhook configuration URLs and event subscriptions

2.3 Project Data

• Project names, descriptions, documents
• Quotes, invoices, and their status
• Chat messages within projects
• Digital signatures (name, email, IP address, timestamp, document hash]
• Activity timeline and status changes
• Chat messages are stored on our servers and may be accessed for legal compliance, dispute resolution, or when required by law. Messages are not end-to-end encrypted.

2.4 Technical Data

• IP address (for security and signatures]
• Session data
• Cloudflare Turnstile tokens (bot protection]
• PWA install device-type bucket (one of: iOS, Android, desktop Chrome, desktop Edge, other), recorded when you open ATHEMI as an installed app — the full User-Agent string is not stored

3. Legal Basis for Processing

• Contract performance (Art. 6(1](b] GDPR]: Processing account and project data to provide our services
• Legitimate interest (Art. 6(1](f] GDPR]: Security measures, fraud prevention, service improvement
• Legal obligation (Art. 6(1](c] GDPR]: Retention of business records, invoices, and contracts as required by Swiss commercial and tax law
• Consent (Art. 6(1](a] GDPR]: Optional features such as profile sharing with contacts, email notifications

4. How We Use Your Data

• Providing the ATHEMI platform and its features
• Facilitating project collaboration between businesses and individuals
• Sending transactional emails (invitations, notifications]
• Securing your account (2FA, rate limiting, bot protection]
• Processing subscription payments (via Stripe]
• Verifying company domains (via DNS records or email verification]
• Synchronizing contacts with connected ERP systems (only with your explicit action]

5. Data Sharing

We share data only in the following cases:

• Project counterparts: Your name and company appear in shared projects
• ERP systems: Contacts and documents synced only when you initiate sync
• Service providers: Resend (email delivery], Cloudflare (security], Stripe (payment processing]. These process data on our behalf under DPAs.
• Profile sharing: Only if you opt-in, contacts on ATHEMI can see updates to your name, phone, and address
• Integrations: Event data is sent to third-party services you connect (Trello, Slack, Zapier, custom webhooks]. You control which events are shared and with which services. When you connect Trello, project names and event details are sent to Trello's API to create or move cards.
• Domain verification: DNS TXT records are publicly queryable by design; email verification sends to the domain admin address only

We do not sell your data to third parties.

6. Data Retention

• Active accounts: Data retained while account is active
• Deleted accounts: Account is deactivated (soft-deleted]. Business records (signed contracts, invoices, project history] are retained for the legal retention period (10 years under Swiss law] and for the legitimate interest of counterparts
• Company deletion: When a company is deleted, accounts with company-domain emails are deactivated. Accounts with personal emails retain access. Business records are preserved.
• Personal data on deletion: Profile picture removed, optional personal data cleared after retention period
• Payment data: Processed and stored by Stripe under their privacy policy. We do not store credit card numbers.

7. Your Rights

Under GDPR and Swiss data protection law, you have the right to:

• Access: Request a copy of your personal data
• Export: Download your data in JSON or HTML format (available in Profile and Company settings]
• Rectification: Correct inaccurate data through your profile
• Deletion: Request account deletion (subject to legal retention obligations]
• Restriction: Request limitation of processing
• Objection: Object to processing based on legitimate interest
• Withdraw consent: For optional features (notifications, profile sharing] at any time

To exercise these rights, contact or use the self-service options in your profile.

8. Cookies

ATHEMI uses only essential cookies:

• Session cookie: Required for authentication (deleted when you close the browser or after 2 hours of inactivity]
• Cloudflare Turnstile: Security cookie for bot protection on login and registration

We do not use analytics, advertising, or tracking cookies.

9. Security

We protect your data through: encryption at rest and in transit (HTTPS], password hashing (bcrypt], optional two-factor authentication, rate limiting, session security, Cloudflare bot protection, and regular security reviews.

10. International Transfers

Data is hosted in Switzerland (Infomaniak]. Email delivery is processed by Resend (USA] under Standard Contractual Clauses. Bot protection is provided by Cloudflare under their DPA. Payment processing is handled by Stripe under their DPA and Standard Contractual Clauses.

11. Changes to This Policy

We may update this policy from time to time. We will notify registered users of significant changes via email.

12. Contact

athemi GmbH
Hauptstrasse 29
4444 Rümlingen
Switzerland