Privacy Policy
Version 1.0 – Effective date: April 18, 2026
Applicable law: Swiss nFADP/nDSG (in force since 1 September 2023); EU GDPR where applicable.
These terms are currently under legal review.
1. Identity of the Data Controller
Ahmed Badiah
Individual operator – MiriSmartGuard
Switzerland
Contact: privacy@mirismartguard.com
2. Scope
This Privacy Policy applies to all personal data processed through mirismartguard.com, including data submitted by registered users ("Owners") and anonymous visitors ("Visitors").
3. Data We Collect and How
3.1 – Registered Users (Owners)
| Data | Format stored | Purpose |
|---|---|---|
| Full name | Plain text | Profile display |
| Email address | Plain text | Authentication, notifications |
| Phone number | AES-256-CBC encrypted (random IV) | WhatsApp/Telegram contact buttons |
| Phone hash | HMAC-SHA256 | Deduplication, fraud prevention |
| Telegram username | Plain text | Public Telegram button |
| Telegram Chat ID | Plain integer | Notification delivery |
| Profile photo URL | URL reference | Profile display |
| Status and bio | Plain text | Profile display |
| Account plan | Plain text | Feature access control |
| Notification preferences | Boolean flags | Notification delivery |
3.2 – Visitors (non-registered)
| Data | Format stored | Purpose |
|---|---|---|
| Name (if voluntarily submitted) | Plain text | Scan notification to Owner |
| Phone number (if submitted) | AES-256-CBC encrypted (random IV) | Scan notification to Owner |
| Phone hash | HMAC-SHA256 | Deduplication, blocking |
| IP address | HMAC-SHA256 hash only – never plain text | Fraud prevention, rate limiting |
3.3 – Scan Logs (every QR code scan)
| Data | Format | Retention |
|---|---|---|
| Timestamp | Plain datetime | 12 months |
| IP address | Hash only | 12 months |
| Country code (ISO 3166-1) | 2-letter code | 12 months |
| Device type | Category (mobile/tablet/desktop/bot) | 12 months |
| User-agent string | Truncated to 500 characters | 12 months |
| Whether scan was blocked | Boolean | 12 months |
4. What We Do NOT Collect
- We do not collect or store IP addresses in plain text – ever.
- We do not display the Owner's phone number on the public profile page.
- We do not transmit the Owner's phone number to the Visitor's browser.
- We do not sell, rent, or trade personal data to any third party.
- We do not use data for advertising or profiling.
- We do not use third-party analytics tools (no Google Analytics, no Meta Pixel).
5. Legal Basis for Processing
| Processing activity | Legal basis |
|---|---|
| Account management and profile display | Contract performance (Art. 6(1)(b) GDPR / Art. 31 nDSG) |
| Scan logging and notification delivery | Contract performance |
| Rate limiting and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR / Art. 31 nDSG) |
| Visitor contact form submission | Consent (freely given, specific, informed) |
| Payment processing | Contract performance + legal obligation |
| Report handling and abuse prevention | Legitimate interests |
6. Data Security Measures
- AES-256-CBC with a random IV per encryption operation for all phone numbers
- HMAC-SHA256 for IP address and phone hashing – computationally irreversible
- Row-Level Security (RLS) enforced at the database level
- Service role access restricted to server-side API routes only
- Signed session cookies (httpOnly, Secure) – cannot be read by JavaScript
- All data in transit encrypted via HTTPS/TLS
7. Data Sharing and Sub-processors
We do not sell data. Data may be shared with the following sub-processors solely to operate the Service:
| Sub-processor | Region | Purpose | Safeguard |
|---|---|---|---|
| Supabase | EU (Germany) | Database, authentication | SCCs |
| Vercel | EU (Frankfurt) | Hosting, edge runtime | SCCs |
| Stripe | US/EU | Payment processing | SCCs + DPA |
| PayPal | US/EU | Payment processing | SCCs + DPA |
| Coinbase Commerce | US | Crypto payments | SCCs |
| Resend | US | Transactional email | SCCs |
| Telegram | Dubai/US | Push notifications | User's own account |
8. Data Retention
| Category | Retention period |
|---|---|
| Owner account data | Until account deletion + 30-day grace period |
| Scan logs | 12 months from scan date |
| IP rate-limiting records | 30 days after block expires |
| Payment records | 10 years (Swiss accounting law – Art. 958f CO) |
| Abuse reports | Until resolved + 6 months |
| Visitor data (contact form) | 12 months, or until deletion request |
| Transfer tokens | 48 hours (auto-expired) |
9. Your Rights
Under nDSG (Art. 25–27) and GDPR (Art. 15–22), you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of all personal data held about you |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your data ("right to be forgotten") |
| Restriction | Request temporary suspension of processing |
| Portability | Receive your data in a machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdrawal of consent | Withdraw any previously given consent at any time |
To exercise any of these rights: privacy@mirismartguard.com
Requests will be responded to within 30 days as required by Art. 25 nDSG.
10. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you may lodge a complaint with:
Federal Data Protection and Information Commissioner (FDPIC / PFPDT)
Feldeggweg 1, CH-3003 Bern
www.edoeb.admin.ch
EU residents may also contact their local Data Protection Authority.
11. Automated Decision-Making
The Service uses automated rate-limiting logic to detect and block abusive scanning behavior based solely on hashed IP activity patterns. This does not involve profiling of personal characteristics. Blocked users may contact the Operator to dispute a block.
12. Children's Data
The Service is not directed at persons under 16 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has submitted personal data, it will be deleted immediately.
13. Cookies
The Service uses a single signed session cookie (httpOnly, Secure, SameSite=Strict) strictly necessary for visitor identification. No advertising, tracking, or analytics cookies are used.
14. Changes to This Policy
This Privacy Policy may be updated periodically. The "Effective date" at the top reflects the most recent revision. Registered users will be notified of material changes via email. Continued use of the Service constitutes acceptance.
15. Contact
Ahmed Badiah
Individual operator – MiriSmartGuard, Switzerland