Privacy Policy

Last updated: April 2026

1. Data Controller

Martin Bohnenblust
Sulzerallee 80, 8404 Winterthur
Switzerland
Email: hello@sapling.ch

2. What data we collect

When you use SAPLING, we collect and process the following personal data:

  • Account data: email address and password (hashed)
  • Profile data: display name
  • Usage data: orders, budgets, suppliers, and team information you create
  • Technical data: IP address, browser type, and access timestamps (server logs)

3. Purpose of processing

We process your data for the following purposes:

  • Providing and operating the SAPLING service
  • User authentication and account management
  • Enabling team collaboration features
  • Technical operation and security of the platform

4. Legal basis

We process your data based on:

  • Performance of contract (Art. 6(1)(b) GDPR / Art. 31 nDSG): to provide the service you signed up for
  • Legitimate interest (Art. 6(1)(f) GDPR / Art. 31 nDSG): for security, fraud prevention, and service improvement

5. Cookies

SAPLING uses only essential cookies required for the service to function:

  • sessionid — Keeps you logged in during your session
  • csrftoken — Protects against cross-site request forgery attacks
  • django_language — Stores your language preference (English/German)

We do not use analytics, tracking, or advertising cookies. No data is shared with third-party advertisers.

6. Data sharing and international transfers

Your data is hosted on servers operated by:

Railway Corp.
San Francisco, CA, USA

This means your data is transferred to the United States. Railway provides industry-standard security measures. We plan to migrate to EU-based hosting (Hetzner, Germany) in the future.

We do not sell, rent, or otherwise share your personal data with third parties, except as required by law.

7. Data retention

We retain your data for as long as your account is active. If you delete your account, your personal data will be removed within 30 days. Anonymised, aggregated data may be retained for statistical purposes.

Team data (orders, budgets, suppliers) belongs to the team and is retained as long as the team exists, regardless of individual account deletion.

8. Your rights

Under the Swiss Data Protection Act (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: request a copy of your personal data
  • Right to rectification: correct inaccurate data
  • Right to deletion: request deletion of your data
  • Right to data portability: receive your data in a structured format
  • Right to object: object to processing based on legitimate interest

To exercise any of these rights, contact us at hello@sapling.ch.

9. Data security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS)
  • Hashed passwords (never stored in plain text)
  • Secure session management
  • Content Security Policy headers

10. Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance.

11. Contact

For questions about this privacy policy or your personal data, contact:

Martin Bohnenblust
hello@sapling.ch

← Back to homepage