Last updated: 1 June 2026
We take your privacy seriously. This Privacy Policy explains what personal data NotMyJob collects, why we collect it, with whom we share it, and the rights you have over it. It is written to comply with the Swiss Federal Act on Data Protection (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Controller
The data controller is Perdrisat (sole proprietorship, UID CHE-317.870.264), Rue De-Candolle 36, 1205 Genève, Switzerland. You can reach us at [email protected].
2. What we collect and why
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account data | First name, last name, email, hashed password, preferred language, two-factor secret | Provide the service, authenticate you | Contract (GDPR art. 6(1)(b)) |
| Billing data | Stripe customer ID, subscription status, last 4 digits of card (held by Stripe) | Process your subscription | Contract |
| Business data you enter | Client/supplier details, invoices, offers, expenses, receipts, bank statements, accounting entries | Core service function | Contract |
| Optional AI expense extraction data | Receipt or invoice files you ask us to extract, extracted field suggestions, and your expense category names | Fill expense fields from a receipt when you enable AI extraction | Contract (feature requested by you) |
| Usage and technical data | IP address, browser, timestamps, security logs, error reports | Security, debugging, fraud prevention | Legitimate interest (GDPR art. 6(1)(f)) |
| Communications | Emails you send to support, verification and password-reset emails | Respond to you, secure your account | Contract, legitimate interest |
We do not buy personal data from third parties. We do not use your accounting data to train machine-learning models.
AI expense extraction is optional. If you enable it for a receipt, we send the uploaded receipt or invoice and the minimum context needed for extraction, such as your expense category names, to OpenAI. We configure this feature to use OpenAI's European API region for customer content, disable OpenAI API call logging in our OpenAI project, and send extraction requests with storage disabled where supported. OpenAI's API data controls state that API inputs and outputs are not used to train OpenAI models unless the API account holder explicitly opts in; we do not opt in. OpenAI's own safety, abuse-monitoring, data-residency, and legal-retention controls still apply, as described in OpenAI's API data controls.
3. Where your data lives
Servers are hosted in Switzerland by Infomaniak Network SA (data centres: Geneva, Switzerland). Backups are encrypted and stored in the same region.
4. Third-party processors
We use a small set of processors strictly needed to run the service:
| Processor | Purpose | Country |
|---|---|---|
| Infomaniak Network SA | Application and database hosting | Switzerland |
| Stripe Payments Europe, Ltd. | Subscription billing and card processing | Ireland (EU) / USA |
| Infomaniak Network SA | Transactional email delivery (verification, password reset) | Switzerland |
| Amazon Web Services (SES) | Transactional email delivery fallback | EU / USA |
| BunnyWay d.o.o. (bunny.net) | CDN | Slovenia / global CDN edge network |
| Cloudflare, Inc. | CDN and DDoS protection during CDN migration | USA (with SCCs) |
| OpenAI | Optional AI extraction of receipt or invoice data when you enable the feature | Europe (EEA + Switzerland) for supported customer content / USA (with SCCs) |
| European Central Bank (public rates) | Daily exchange-rate fetching — no personal data sent | EU |
Each processor is bound by a data-processing agreement and is permitted to process your data only on our instructions.
5. How long we keep your data
- Active accounts: as long as the account is open.
- Deleted accounts: removed from live systems within 30 days of deletion, and from backups within 90 days.
- Billing and tax records: retained for 10 years as required by Swiss accounting law (CO art. 958f), but only the fields we are legally required to keep.
- Security logs: up to 12 months.
6. Cookies and tracking
We use session cookies to keep you logged in and carry CSRF tokens. They are strictly necessary.
We do not use Google Analytics, Meta Pixel, or any advertising trackers.
7. Your rights
Under the nDSG and, where applicable, the GDPR, you can:
- ask for a copy of the personal data we hold about you;
- ask us to correct inaccurate data;
- ask us to delete your data (subject to legal retention obligations);
- export your data in a structured machine-readable format (available in-app at any time);
- object to processing based on legitimate interest;
- withdraw consent where processing is based on consent, without affecting prior processing.
To exercise any of these rights, email [email protected]. We respond within 30 days.
If you are in the EU/EEA, you also have the right to lodge a complaint with your national data protection authority. In Switzerland, the supervisory authority is the FDPIC.
8. Security
We use TLS in transit, hashed passwords (bcrypt), encrypted backups, and optional two-factor authentication. No system is perfectly secure; please report any security issue you discover to [email protected].
9. Children
NotMyJob is a professional tool and is not intended for people under 18.
10. Changes to this policy
We may update this Policy. Material changes will be announced in-app or by email at least 30 days in advance.
11. Contact
Questions or requests: [email protected].