Privacy Policy
Version: 1.0 Last updated: March 12, 2026 Operator: bivy
Note: This English version is provided for convenience. In the event of any discrepancy between the German and English versions, the German version (Datenschutzerklärung) shall prevail.
1. Data Controller
The controller within the meaning of the Swiss Federal Act on Data Protection (FADP, SR 235.1) and the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is:
bivy Switzerland
UID: in formation Email: datenschutz@bivy.ch
1.1 Data Protection Officer (if appointed)
Email: datenschutz@bivy.ch
1.2 EU Representative (Art. 27 GDPR)
Where bivy processes personal data of individuals in the European Economic Area (EEA) and does not maintain an establishment there, the following representative is designated pursuant to Art. 27 GDPR:
To be designated upon completion of company formation.
Note: The exemption from the obligation to designate an EU representative (Art. 27(2) GDPR) requires cumulatively that (1) processing is only occasional, (2) there is no large-scale processing of special categories of data, and (3) the processing is unlikely to result in a risk to the rights and freedoms of natural persons. Since bivy is a SaaS platform that systematically serves users in the EEA, the designation of an EU representative is likely required.
2. Scope of This Policy
This privacy policy applies to the use of the website bivy.ch and the SaaS platform bivy offered thereon (the "Platform"). bivy is a digital construction project cockpit for private builders in Switzerland and the EU.
This policy explains what personal data we collect, for what purposes, on what legal basis, and for how long we process it. It also describes your rights and how you can exercise them.
In this policy, we use the terms "processing" (GDPR) and "Bearbeitung" (Swiss FADP) interchangeably to refer to any operation performed on personal data.
This Privacy Policy fulfils the information obligations under Art. 19 of the Swiss Federal Act on Data Protection (FADP, SR 235.1) and Art. 13 and 14 of the General Data Protection Regulation (GDPR).
3. Legal Basis for Processing
We process personal data on the following legal bases:
| Legal Basis | FADP (Switzerland) | GDPR (EU) | Description |
|---|---|---|---|
| Contract | Art. 31(2)(a) FADP | Art. 6(1)(b) GDPR | Performance of a contract or pre-contractual measures |
| Consent | Art. 6(6) and (7) FADP | Art. 6(1)(a) GDPR | Explicit consent of the data subject |
| Legitimate interest | Art. 31(1) FADP (justification ground) | Art. 6(1)(f) GDPR | Overriding legitimate interest of the controller |
| Legal obligation | Art. 31(2)(b) FADP | Art. 6(1)(c) GDPR | Compliance with a legal obligation |
Where Swiss law does not require an explicit legal basis, we process personal data pursuant to Art. 31 FADP under an appropriate justification ground.
4. Categories of Personal Data Collected
We process the following categories of personal data:
4.1 Account Data
- Email address
- First and last name
- Password (stored exclusively as a cryptographic hash; we never have access to your plaintext password)
4.2 Project Data
- Project descriptions and details
- Tasks, decisions, and notes
- Uploaded documents and photos
- Construction log entries
4.3 Email Data
- Forwarded construction-related emails (sender, subject, content, attachments)
- Tasks and deadlines extracted from those emails
4.4 AI Interaction Data
- Inputs (prompts) you submit to our AI-powered features
- Responses generated by the AI system
4.5 Payment Data
- Billing address and name
- Payment transactions (processed by Stripe; bivy never sees or stores full credit card numbers)
4.6 Technical Data
- Browser type and version (user agent)
- Operating system
- Access timestamps
- Referrer URL
- Language preferences
4.7 Cookie and Session Data
- Authentication session (Supabase)
- Cookie consent preferences
- Language preferences (locale)
Note: IP addresses are not persistently logged by bivy. Temporary processing at the infrastructure level (e.g., CDN, load balancer) occurs without permanent storage.
4a. Third-Party Personal Data (Contractors, Tradespeople, Architects)
4a.1 Indirect Collection of Personal Data
Users of the platform may, in the course of project management, upload or forward personal data of third parties to the platform. These third parties include, in particular, contractors, tradespeople, architects, construction managers, suppliers, and other persons involved in the construction project.
4a.2 Categories of Data Affected
The following categories of data of third parties may be processed:
- Name and email address
- Company or business name
- Phone number (where contained in communications or documents)
- Content of forwarded emails and correspondence
- Project-related documents and attachments
- Tasks, deadlines, and summaries extracted from communications by AI
4a.3 Legal Basis
bivy processes this data as a Processor on behalf of the User (Controller) pursuant to Art. 28 GDPR and Art. 9 FADP.
The legal basis for processing by the Controller (User) is:
- GDPR: Art. 6(1)(f) (legitimate interest) — the Controller's legitimate interest in the efficient management of their construction project
- FADP: Art. 31(1) (justification ground) — overriding legitimate interest in project management
4a.4 User's Information Obligation
The obligation to inform affected third parties lies with the User as Controller (Art. 14 GDPR / Art. 19(2) FADP). The User is required to inform their contacts (contractors, tradespeople, etc.) that their data is being processed via bivy, including AI-powered processing (see Section 6).
bivy provides the User with a template clause for construction contracts for this purpose, available in the Data Processing Agreement (DPA) at bivy.ch/avv.
4a.5 Purpose Limitation
Third-party data is processed exclusively for construction project management and AI-assisted task extraction. No disclosure to other users or third parties takes place (except for the sub-processors listed in Section 8).
4a.6 Retention and Deletion
Third-party data is linked to the project lifecycle. It is deleted:
- when the User deletes the relevant project;
- when the User deletes their account;
- upon request of the affected third party (provided no statutory retention obligation applies).
4a.7 Rights of Affected Third Parties
Third parties whose data is processed via bivy may also exercise their rights (access, rectification, erasure, objection) directly with bivy. Please direct requests to:
Email: datenschutz@bivy.ch
In such cases, bivy will inform the relevant User (Controller) and cooperate with them to process the request.
5. Purposes of Processing
The following table provides an overview of the purposes for which we process personal data, the data categories involved, the applicable legal basis, and the retention period:
| Purpose | Data Categories | Legal Basis (GDPR) | Legal Basis (FADP) | Retention Period |
|---|---|---|---|---|
| Registration and account management | Account data | Art. 6(1)(b) (contract) | Performance of contract | Until account deletion, plus statutory retention periods |
| Provision of the SaaS service | Account data, project data | Art. 6(1)(b) (contract) | Performance of contract | Until account deletion, plus statutory retention periods |
| AI-powered features (Section 6) | AI interaction data, project data | Art. 6(1)(b) (contract) | Performance of contract | Real-time processing; no persistent storage of prompts at AWS Bedrock |
| Email extraction | Email data | Art. 6(1)(b) (contract) | Performance of contract | As long as the associated project exists |
| Payment processing | Payment data | Art. 6(1)(b) (contract) | Performance of contract | 10 years (Swiss commercial retention obligation, Art. 958f CO) |
| Technical operation and security | Technical data | Art. 6(1)(f) (legitimate interest) | Legitimate interest (operational security) | 14 days (server logs) |
| Customer communication | Account data | Art. 6(1)(b) (contract) / (f) (legitimate interest) | Performance of contract / legitimate interest | Duration of the customer relationship |
| Cookie management | Cookie and session data | Art. 6(1)(a) (consent) for non-essential cookies; (f) (legitimate interest) for essential cookies | Consent / legitimate interest | Session duration or up to 1 year |
| Legal obligations | Varies | Art. 6(1)(c) (legal obligation) | Legal obligation | As required by applicable retention laws |
5.1 Requirement to Provide Personal Data
Requirement to provide personal data: The provision of your account data (email address, name) is a contractual requirement for using the Platform. Without this data, we cannot provide our services. The provision of additional data (e.g., project data, documents) is voluntary but may limit the use of certain features.
6. AI-Powered Features — Transparency Disclosure
bivy uses artificial intelligence (AI) to help you manage your construction projects. This section provides transparent information about how AI is used on our Platform (Art. 21 FADP; Art. 13(2)(f) GDPR; Art. 50 EU AI Act).
6.1 AI Features in Use
| Feature | Description | Data Processed |
|---|---|---|
| Inspiration & Decision | You describe a construction topic and the AI provides inspiration, options, and decision-making guidance. | Your input (text description of the construction topic) |
| Email Extraction | You forward construction-related emails and the AI extracts tasks, deadlines, and action items. | Forwarded email content |
| Construction Log | You log daily construction activities and the AI helps structure and summarise entries. | Your construction log entries |
6.2 AI Provider and Data Processing
- Provider: Amazon Web Services (AWS) Bedrock with the Anthropic Claude language model
- Processing location: Exclusively within the European Union (EU Geographic Cross-Region Inference: eu-north-1 Stockholm / eu-west-1 Ireland)
- Data storage: Your inputs are processed in real time and are not persistently stored by AWS Bedrock. AWS Bedrock does not retain your prompts or the generated responses.
- No model training: Your data is not used for training or improving AI models.
6.3 No Automated Individual Decision-Making
bivy's AI features serve exclusively as assistive tools and decision support. bivy does not make automated individual decisions. Accordingly, neither the information obligation under Art. 21 FADP nor the restrictions under Art. 22 GDPR apply.
AI-generated content consists of suggestions only. You retain full control and decision-making authority over the use of generated results at all times.
Regardless of whether an automated individual decision exists in the legal sense, you have the right at any time to request human review of AI-generated content. Contact us at datenschutz@bivy.ch.
6.4 Transparency Labels for AI-Generated Content
AI-generated content is labelled as such on the Platform. Results may contain inaccuracies and do not constitute professional advice (in particular, not legal, construction, or financial advice).
7. Cookies and Tracking Technologies
7.1 Cookies Used
bivy uses only technically necessary cookies and cookies that require your consent:
| Cookie | Purpose | Type | Duration | Legal Basis |
|---|---|---|---|---|
| Supabase Auth Session | Authentication and session management | Essential (first-party) | Up to 1 year (deleted on logout) | Legitimate interest / contract |
| Cookie Consent | Storage of your cookie preferences | Essential (first-party) | 1 year | Legitimate interest |
| Locale Preference | Storage of your language setting | Essential (first-party) | 1 year | Legitimate interest |
| Stripe (Fraud Detection) | Payment security and fraud prevention by Stripe | Strictly necessary (payment security) | Per Stripe's policy | Legitimate interest (fraud prevention) |
7.2 No Tracking or Analytics Cookies
bivy currently uses no tracking or analytics cookies. In particular, we do not use Google Analytics or comparable services that transfer data to third countries. Should an analytics service be introduced in the future, we will use only GDPR-compliant solutions (e.g., Plausible Analytics) that operate without cookies and do not process personal data outside the EU.
7.3 Cookie Consent
Before setting any non-essential cookies, we obtain your explicit consent. You may withdraw your consent at any time by adjusting the cookie settings on our website or by deleting cookies in your browser.
8. Data Recipients and Sub-Processors
We share personal data with third parties only where necessary for the provision of our service, where you have consented, or where we are legally required to do so. All our sub-processors are subject to data processing agreements (DPAs) in accordance with Art. 28 GDPR and Art. 9 FADP.
| Sub-Processor | Purpose | Data Processing Location | Safeguards |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Hosting (Lambda, CloudFront, S3), AI processing (Bedrock) | EU — Frankfurt (eu-central-1), Stockholm (eu-north-1), Ireland (eu-west-1) | DPA; AWS GDPR Data Processing Addendum; no data transfers outside the EU |
| Supabase Inc. | Database (PostgreSQL), authentication, file storage | EU — Frankfurt (eu-central-1) | DPA; Supabase DPA; data remains in EU region |
| Stripe Payments Europe Ltd. | Payment processing, fraud detection | EU (Ireland) | DPA; PCI DSS Level 1 certification; Stripe EU Data Processing Agreement |
| Amazon Web Services (SES) | Email receiving and processing | EU — Frankfurt (eu-central-1) | DPA; part of the AWS Data Processing Addendum |
Note on Stripe's dual role: For payment processing, Stripe acts as a processor on our behalf. For its own fraud prevention purposes (in particular via the __stripe_mid and __stripe_sid cookies), Stripe acts as an independent controller. For details, see Stripe's privacy policy: https://stripe.com/privacy.
8.1 Data Processing Agreement (DPA)
For Users who, as Controllers, process personal data of third parties (e.g. contractors, tradespeople) via bivy, the Data Processing Agreement (DPA) applies, available at bivy.ch/avv. The DPA sets out the rights and obligations of the parties in detail, including bivy's obligations as Processor and the User's responsibilities as Controller.
8.2 Other Potential Recipients
In addition, data may be disclosed in the following circumstances:
- To authorities or courts where we are legally obligated to do so
- To legal and tax advisors for the purpose of legal enforcement or compliance
- To an acquiring entity in the event of a merger, acquisition, or asset transfer (with prior notice to you)
9. International Data Transfers
9.1 Principle: All Data Remains in the EU
All personal data is processed and stored exclusively within the European Union or the European Economic Area. Our entire technical infrastructure is located in EU data centres (Frankfurt, Stockholm, Ireland).
9.2 Switzerland as an Adequate Third Country
The European Commission has recognised Switzerland as a country with an adequate level of data protection (adequacy decision pursuant to Art. 45 GDPR). Data transfers between the EU and Switzerland are therefore permitted without additional safeguards.
9.3 No Transfers to Inadequate Third Countries
We do not transfer personal data to countries outside the EU/EEA that do not have an adequacy decision. Should this change in the future, we will inform you and ensure the legally required safeguards are in place (e.g., Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, Binding Corporate Rules, or your explicit consent).
10. Data Retention
We retain personal data only for as long as necessary for the respective processing purpose or as required by statutory retention obligations.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Until you delete your account; thereafter up to 30 days for complete deletion | Contractual purpose |
| Project data | Until you delete your account or manually delete the data | Contractual purpose |
| Email data | As long as the associated project exists; at the latest upon account deletion | Contractual purpose |
| AI interaction data | No persistent storage at AWS Bedrock; results stored as part of project data | Contractual purpose |
| Payment data | 10 years after the relevant financial year | Art. 958f Swiss Code of Obligations (commercial retention obligation) |
| Technical data (server logs) | Maximum 14 days | Legitimate interest (operational security) |
| Cookie consent data | 1 year (re-consent cycle: you are re-prompted after expiry; the localStorage entry persists until manually cleared or the cycle expires) | Accountability obligation |
Upon expiry of the applicable retention period, personal data is deleted or effectively anonymised. Statutory retention obligations (in particular commercial and tax law requirements) take precedence.
11. Your Rights as a Data Subject
Under the Swiss FADP and the EU GDPR, you have the following rights. We will respond to your requests within 30 days (Art. 25(7) FADP) or one month (Art. 12(3) GDPR) as a general rule. For particularly complex requests, this period may be extended; we will inform you in advance if this is the case.
11.1 Right of Access (Art. 25 FADP / Art. 15 GDPR)
You have the right to request information about whether and which personal data we process about you. We will provide you with a copy of the personal data being processed.
11.2 Right to Rectification (Art. 32(1) FADP / Art. 16 GDPR)
You have the right to request the correction of inaccurate personal data concerning you, as well as the completion of incomplete data.
11.3 Right to Erasure (Art. 32(2)(c) FADP / Art. 17 GDPR)
You have the right to request the deletion of your personal data, provided no statutory retention obligation exists and no overriding interest in continued processing applies.
11.4 Right to Restriction of Processing (Art. 18 GDPR)
Under the GDPR, you have the right to request the restriction of processing of your personal data, for example if you contest the accuracy of the data or if the processing is unlawful.
11.5 Right to Data Portability (Art. 28 FADP / Art. 20 GDPR)
You have the right to receive your personal data that you have provided to us in a commonly used, machine-readable format and to transmit that data to another controller.
11.6 Right to Object (Art. 21 GDPR)
Where we process data on the basis of a legitimate interest (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time. We will then cease processing the data unless there are compelling legitimate grounds.
11.7 Right to Withdraw Consent (Art. 7(3) GDPR / Art. 6(7) FADP)
Where processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of the processing carried out prior to withdrawal remains unaffected.
11.8 Right to Surrender or Destruction (Art. 32(2) FADP)
Under Swiss law, you may request the surrender or destruction of your personal data.
11.9 How to Exercise Your Rights
Please address your requests to:
Email: datenschutz@bivy.ch Post: bivy, Switzerland
We must verify your identity before processing your request. Please have a copy of a valid identity document available.
Exercising your rights is generally free of charge. In the case of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to process the request (Art. 25(6) and (7) FADP; Art. 12(5) GDPR).
12. Automated Individual Decision-Making and Profiling
12.1 Automated Individual Decision-Making (Art. 21 FADP / Art. 22 GDPR)
bivy does not make automated individual decisions that produce legal effects concerning you or similarly significantly affect you. Accordingly, neither the information obligation under Art. 21 FADP nor the restrictions under Art. 22 GDPR apply. Our AI features serve exclusively as decision support tools (see Section 6).
Should we introduce automated individual decision-making in the future, we will inform you in advance and grant you the right to express your point of view and to have the decision reviewed by a natural person.
12.2 Profiling
bivy does not carry out profiling within the meaning of Art. 5(f) FADP or Art. 4(4) GDPR that leads to an automated assessment of personal aspects of natural persons. We do not analyse your usage behaviour to make predictions about personal preferences, behaviour, reliability, or other personal aspects.
13. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, or destruction (Art. 8 FADP; Art. 32 GDPR). These include, in particular:
13.1 Technical Measures
- Encryption in transit: All data transmissions are conducted exclusively via TLS 1.2 or higher (HTTPS).
- Encryption at rest: All stored data is encrypted server-side (AWS KMS / Supabase encryption).
- Access control: Access to production systems is strictly limited to authorised personnel and requires multi-factor authentication.
- Row-Level Security (RLS): Database access controls ensure that users can only access their own data (multi-tenant isolation).
- Passwords: Passwords are stored exclusively as cryptographic hashes (bcrypt). We never have access to plaintext passwords.
- Regular security audits: Dependencies are automatically scanned for known vulnerabilities.
13.2 Organisational Measures
- Principle of least privilege for all system access
- Privacy by Design and Privacy by Default
- Regular data protection and information security awareness training for staff
- Documented procedures for handling data breaches
14. Data Breach Notification
In the event of a personal data breach, different notification thresholds apply under Swiss and EU law:
14.1 Notification to Supervisory Authorities
- Switzerland (Art. 24(1) FADP): We notify the FDPIC as soon as possible where a breach is likely to result in a high risk to the personality or fundamental rights of data subjects.
- EU (Art. 33 GDPR): We notify the competent supervisory authority within 72 hours of becoming aware of a breach where it is likely to result in a risk to the rights and freedoms of natural persons (a lower threshold than under Swiss law).
14.2 Notification to Data Subjects
- Switzerland (Art. 24(3) FADP): We notify you where necessary for your protection or where the FDPIC so requires. A high risk to your personality or fundamental rights must exist.
- EU (Art. 34 GDPR): We notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
15. Children's Data
bivy is intended for adult private builders. The Platform is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16.
If we become aware that we have collected personal data from a person under 16, we will delete it without delay. If you have reason to believe that a child under 16 has submitted personal data to us, please contact us at datenschutz@bivy.ch.
16. Changes to This Privacy Policy
We reserve the right to amend this privacy policy at any time to reflect changes in legal requirements or our services. The current version is always available on our website at [bivy.ch/privacy].
For material changes that significantly affect your rights or the processing of your data, we will inform you before the changes take effect by appropriate means (e.g., by email or through a notice on the Platform).
The version published at the time you access the website or use the Platform shall apply.
17. Supervisory Authorities
17.1 Switzerland
You have the right to lodge a complaint with the Swiss data protection supervisory authority:
Federal Data Protection and Information Commissioner (FDPIC) Feldeggweg 1 CH-3003 Bern Switzerland
Phone: +41 (0)58 462 43 95 Website: www.edoeb.admin.ch
17.2 European Union
Data subjects in the EU also have the right to lodge a complaint with the data protection supervisory authority of their country of residence or habitual abode (Art. 77 GDPR). An overview of the competent authorities is available on the website of the European Data Protection Board (EDPB): https://edpb.europa.eu/about-edpb/about-edpb/members_en.
18. Contact for Data Protection Inquiries
For all questions regarding data protection, the exercise of your rights, or any concerns about the processing of your personal data, you may reach us at:
Data Protection Office bivy Switzerland
Email: datenschutz@bivy.ch General inquiries: hello@bivy.ch Website: bivy.ch
This privacy policy has been prepared in good faith and takes into account the requirements of the Swiss Federal Act on Data Protection (FADP, SR 235.1) and the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). It does not constitute individual legal advice. We recommend having this privacy policy reviewed by a law firm specialising in data protection law before publication.