Privacy Policy
The French version of this policy (Politique de confidentialité) is the legally binding version. This English translation is provided for convenience. In case of discrepancy, the French version prevails.
This policy explains how Ovarli collects, uses, shares and protects your personal data when you use the service. It is written to be readable and precise, in line with article 19(4) of the Swiss Federal Act on Data Protection (FADP) and article 12 of the EU General Data Protection Regulation (GDPR).
1. Identity of the controller
The controller of your personal data under FADP and GDPR is:
- Ovarli, operated by Vinny Jordan Mboyo, sole proprietorship, Switzerland.
- Contact: hello@ovarli.app
- Data Protection Officer (DPO): not designated, direct contact via the email above.
Ovarli is not required to designate a representative in the European Union under article 27 GDPR given the size of the structure and the non-systematic nature of the large-scale processing. This analysis will be reviewed as the service grows.
2. Who this policy applies to
This policy applies to anyone who visits ovarli.app, creates an Ovarli account, or interacts with the service in another way. It does not cover third-party sites Ovarli may link to, which have their own policies.
3. Data we collect
3.1 Data you provide directly
- Sign-up data: email address and password (stored hashed with bcrypt, never in cleartext). If you log in via Google, your Google ID and public Google name.
- Financial data: anything you enter into the application: revenues, expenses, subscriptions, vehicles, debts, receivables, goals, investments, cryptocurrencies, savings plans. This data is stored on Ovarli's infrastructure and is only visible to you (apart from explicit administrator access, see section 5).
- Profile data: language preference (FR/EN/DE/IT), theme (light/dark), primary currency, TOTP settings if you enable two-factor authentication.
- Communications: if you write to us (support, suggestion, complaint), we keep the exchange.
3.2 Data collected automatically
- Technical data: IP address, browser user-agent, login timestamps, HTTP response code. This data is recorded by our reverse proxy for security and diagnostic purposes, kept for a maximum of 30 days in internal logs.
- Authentication data: a session token (JWT) signed by Ovarli, stored in the browser (localStorage) to keep you signed in. Its maximum server-side lifetime is 30 days, but an additional protection layer signs you out after 15 minutes of inactivity in the application. The token contains your internal ID, your role and the expiry date. The maximum lifetime will be reduced (7 days with sliding refresh) in a future version.
- 2FA security data: if you enable two-factor authentication, a base32 TOTP secret is kept to verify your 6-digit codes. Temporary 2FA challenges are automatically destroyed after 5 minutes.
- Application errors: in production, errors thrown by the server or the browser are reported to a third-party error-tracking service (Sentry) after stripping identifying data (see section 5). In development no data is reported.
- Cookies and local storage: see our Cookie Policy. No third-party audience or marketing tracker is installed today.
3.3 Special categories of data
Ovarli does not knowingly collect or process sensitive data within the meaning of FADP article 5(c) or GDPR article 9 (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, etc.). The financial data you enter is protected with a high level of care due to its functional sensitivity, without qualifying for that special legal category.
4. Why we collect this data (purposes and legal bases)
In accordance with FADP article 31 and GDPR article 6, every processing operation rests on a clear legal basis:
- Performance of the contract (article 6(1)(b) GDPR): create and manage your account, deliver Ovarli's features, send account-related notifications (validation, security alert, plan expiry).
- Legitimate interest (article 6(1)(f) GDPR): ensure service security, prevent and detect fraud or abuse, measure technical infrastructure performance, improve the service. This interest is balanced against your fundamental rights and you may object at any time (see section 9).
- Consent (article 6(1)(a) GDPR): to enable audience analytics or marketing tools when offered, and to use Anthropic's AI to generate personalized recommendations (this feature is strictly opt-in and subject to prior anonymization of financial data).
- Legal obligation (article 6(1)(c) GDPR): keep certain accounting and tax records when Stripe billing is activated, in line with Swiss law (in particular article 958f of the Code of Obligations).
5. Who we share your data with
Ovarli never sells your personal data. We share only with the following categories of recipients, strictly to the extent necessary:
5.1 Technical processors
Each processor is bound to Ovarli by a contract compliant with article 28 GDPR, guaranteeing an appropriate security level and the absence of processing for purposes other than those specified by Ovarli.
- Anthropic, Inc. (United States): generation of AI recommendations for users on Pro and Premium plans, only with your explicit consent. Prompts sent to Anthropic are anonymized (see section 11).
- Functional Software, Inc. (Sentry) (United States or European Union depending on plan): tracking of application errors in production. Identifying data (session token, password, 2FA code, user identifier) is stripped before transmission by an Ovarli-side filter.
- Stripe Payments Europe Ltd. (Ireland): processing of payments and subscription management once billing is enabled. Stripe is an independent controller for payment data (card number). Ovarli never stores your full banking data.
- Google LLC (United States): OAuth authentication if you choose "Continue with Google". Google receives confirmation that you signed in to Ovarli, but receives no data entered into Ovarli.
- Hosting: our servers are located in Switzerland, operated by Ovarli on a private cloud infrastructure (virtual machines rented from a Swiss host). Backups are encrypted and kept locally.
5.2 Authorities
Ovarli may disclose personal data to a competent Swiss administrative or judicial authority, on lawful request and after reviewing the request's compliance with Swiss law. Where the law allows, we will inform the affected user.
5.3 Successors
In case of merger, acquisition, or asset transfer, your data could be transferred to the successor. We will inform you in advance and give you the opportunity to close your account before any takeover.
6. International data transfers
When your data is transferred outside Switzerland or the European Economic Area, Ovarli ensures the transfer relies on an appropriate basis:
- Adequacy decision by the Swiss Federal Council or the European Commission where one exists for the destination country.
- Otherwise, Standard Contractual Clauses (SCCs) as published by the European Commission, complemented by Transfer Impact Assessments (TIAs) for recipients in the United States.
Recipients concerned to date: Anthropic (US), Sentry (US or EU depending on plan), Stripe (Ireland, thus EU), Google (US).
7. How long we keep your data
- Active account data: kept as long as your account is active. You can export your data or request account deletion at any time from your profile.
- Deleted accounts (soft-delete): your name and email address are anonymized immediately upon deletion. Associated technical data (budgets, subscriptions, consent log) is kept for 30 days to allow for accidental-deletion recovery, then permanently purged.
- AI consent audit log: 7 years from each opt-in / opt-out transition, in line with the consent-traceability requirements of FADP / GDPR. Anonymized after deletion of the associated account.
- JWT session token: 30 days from issuance.
- Temporary 2FA challenges: 5 minutes maximum.
- Technical logs (reverse proxy, access): 30 days.
- Error and performance logs (Sentry): 90 days, in line with our processor's retention. Anonymized (PII redacted on send).
- Encrypted backups: rolling 14 days.
- Accounting and tax data (when billing is active): 10 years from end of fiscal year, in line with article 958f of the Swiss Code of Obligations.
- Support communications: 3 years after last interaction.
8. How we protect your data
- Passwords stored hashed (bcrypt, cost 10).
- HTTPS-only connection, Let's Encrypt certificates auto-renewed.
- Two-factor authentication (TOTP RFC 6238) available on every account.
- Auto sign-out after 15 minutes of inactivity in the application.
- Account lockout after failed sign-in attempts, protection against email enumeration.
- Rate limits on sensitive endpoints, strict server-side input validation.
- Encrypted backups, restoration tested regularly.
- Strictly limited admin access, logged and tied to a named account.
- Regular dependency updates and automated vulnerability audit on every change.
No system is fully immune from incidents. In case of a breach likely to result in a risk to your rights and freedoms, Ovarli notifies the competent supervisory authority (FDPIC in Switzerland) within 72 hours and informs you directly when the breach is likely to result in high risk, in line with FADP article 24 and GDPR articles 33-34.
9. Your rights
In accordance with FADP articles 25-28 and GDPR articles 15-22, you have the following rights:
- Right of access: obtain a copy of your personal data.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure: request deletion of your account and your data, subject to legal retention obligations.
- Right to restriction: request suspension of processing in certain cases.
- Right to object: object to processing based on legitimate interest.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to withdraw consent at any time, with no effect on past processing.
To exercise these rights, write to hello@ovarli.app. We respond within a maximum of 30 days. Account deletion and export are also available directly from your profile.
If you believe the processing of your data does not comply with the law, you have the right to lodge a complaint with:
- In Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, edoeb.admin.ch.
- In the European Union: the supervisory authority of your Member State of habitual residence, place of work or place where the alleged infringement occurred.
10. Cookies and similar technologies
Our Cookie Policy details the cookies, local storage and similar technologies used by Ovarli, as well as how you can exercise your choice.
11. Profiling and automated decisions
Ovarli does not make any solely automated decisions producing legal effects concerning you or significantly affecting you within the meaning of GDPR article 22. AI-generated recommendations (Anthropic) are informational suggestions, never automated decisions. You remain free to follow them or not.
Before anything is sent to Anthropic, the financial data used as context is anonymized: account identifiers, emails and potentially identifying labels are removed, and amounts are rounded to generic ranges to limit re-identification.
12. Minors
The service is reserved for adults (18 years and older). Ovarli does not knowingly collect personal data on minors. If you believe a minor has created an account, contact hello@ovarli.app and we will promptly close the account.
13. Amendments
We may update this policy to reflect technical, legal or organizational changes. Material amendments will be notified by email and/or by an in-service banner at least 30 days before they take effect. The version number and the date of last update are shown at the top of this page.
14. Contact
For any question about your personal data or this policy, write to hello@ovarli.app. We commit to respond within a reasonable timeframe, and at most within 30 days for rights-exercise requests.
Drafted by the Ovarli team based on the FADP (Swiss Federal Act on Data Protection of 25 September 2020), the GDPR (EU Regulation 2016/679) and publicly available practices of recognized Swiss SaaS publishers. A professional legal review is recommended before any broader public launch. To report inaccuracies, write to hello@ovarli.app.