Privacy Policy

The data controller responsible for processing your personal data is:

If you have questions about how we handle your data or wish to exercise your rights, please contact us at contact@switchy.build.

We collect and process the following categories of personal data:

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Switchy service, manage your account, process payments, and deliver AI model responses.
• Legitimate interests (Art. 6(1)(f) GDPR): Service improvement, fraud prevention, platform security, analytics, and marketing our services to existing customers. Our legitimate interest is balanced against your privacy rights.
• Consent (Art. 6(1)(a) GDPR): Where we rely on consent (e.g., for optional cookies or marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation (Art. 6(1)(c) GDPR): To comply with tax, accounting, and regulatory obligations under applicable law.

We use your personal data for the following purposes:

• Providing and operating the Switchy platform, including AI chat, memory storage, and API access
• Processing your prompts through third-party AI model providers via OpenRouter
• Storing and retrieving conversation memories to enable cross-model, cross-session context
• Managing your account, authentication, and subscription billing
• Providing usage analytics, dashboards, and billing reports
• Communicating with you about your account, service updates, and support requests
• Detecting and preventing fraud, abuse, and security incidents
• Improving and developing new features based on aggregated, anonymised usage patterns
• Complying with legal obligations, including tax and accounting requirements

We share your data with the following categories of recipients, each bound by data processing agreements (DPAs) compliant with GDPR Art. 28:

When you connect a third-party MCP integration (e.g. GitHub or Notion via the one-click connectors, or any custom HTTPS MCP), Switchy acts as an intermediary that forwards your queries to that third party and returns their responses to your chat. The third-party processor terms in those services govern that data flow:

You can disconnect any integration from Settings → MCP integrations; the credential is purged from Google Secret Manager when you do.

For transfers to processors outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable. We do not sell your personal data to any third party.

Our primary infrastructure is hosted on Google Cloud Platform in the EU (region: europe-west1, Belgium). However, some sub-processors (OpenRouter, Stripe) are based in the United States. For such transfers, we ensure appropriate safeguards are in place:

• EU Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914
• EU-US Data Privacy Framework certification where applicable
• Supplementary technical measures including encryption in transit and at rest

We retain your data for the following periods:

• Account data: For the duration of your account, plus 30 days after deletion request.
• Chat and conversation data: For the duration of your account. Deleted when you delete a conversation or your account.
• Memory data: Until you delete individual memories or your account. Deletion is immediate and permanent.
• Usage and analytics data: Aggregated and anonymised after 12 months. Raw logs retained for up to 90 days.
• Billing records: Retained for up to 10 years as required by applicable commercial and tax law.
• Technical logs: Automatically purged after 90 days.

We use the following types of cookies:

• Strictly necessary cookies: Required for authentication, session management, and security. These do not require consent under GDPR.
• Functional cookies: Store your preferences such as theme selection and language settings.
• Analytics cookies: Help us understand how you use the platform. Only set with your consent.

We do not use third-party advertising cookies or cross-site tracking.

Analytics specifics. We load Google Analytics in storage: ‘none’ mode, which means GA does not write cookies and instead generates a per-page-view client identifier that is discarded when the tab closes. We can see aggregate page views and referrers; we cannot link visits back to a specific browser. Because no cookies are written for analytics, no consent banner is required under GDPR for this flow. Browser-level Do Not Track or any standard ad-blocker disables it cleanly.

You can manage all cookie preferences at any time through your browser settings.

As a data subject under the GDPR, you have the following rights:

• Right of access (Art. 15): Request a copy of your personal data and information about how it is processed.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
• Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON export available in Settings).
• Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
• Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.
• Right to lodge a complaint: File a complaint with a supervisory authority. The competent authority is the relevant data protection supervisory authority in your jurisdiction.

To exercise any of these rights, contact us at contact@switchy.build. We will respond within 30 days as required by GDPR.

If you are a California resident, you have additional rights under the CCPA:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: Request deletion of your personal information, subject to certain exceptions.
• Right to opt-out of sale: We do not sell personal information. No opt-out is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

In the preceding 12 months, we have collected the following categories of personal information: identifiers, commercial information (billing), internet activity information, and inferences drawn from the above. We have not sold any personal information.

We implement appropriate technical and organisational measures to protect your data, in accordance with GDPR Art. 32:

• Encryption in transit (TLS 1.3) and at rest (AES-256) for all data
• Secure authentication with bcrypt password hashing, OAuth 2.0, and JWT tokens
• API keys stored using irreversible cryptographic hashing
• Infrastructure hosted on Google Cloud Platform with ISO 27001 certification
• Role-based access control and principle of least privilege for internal access
• Regular security reviews and dependency audits
• Automated vulnerability scanning and patch management

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22. AI model responses are generated based on your prompts and are not used to make decisions about your access to services or pricing.

Switchy is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@switchy.build and we will promptly delete it.

We may update this privacy policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or by posting a prominent notice on our website at least 30 days before the changes take effect. The “Last updated” date at the top indicates the most recent revision.

For any privacy-related questions, data subject requests, or complaints:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.