Privacy Policy.

1. Data Controller.

Florian Rothenbühler
c/o F2BII E-Commerce#511
Hintergoldingerstrasse 30
8638 Goldingen
Switzerland

Email: [email protected]

2. General.

Based on the revised Swiss Federal Act on Data Protection (revDSG, in force since September 1, 2023) and Article 13 of the Swiss Federal Constitution, every person is entitled to the protection of their privacy and protection against misuse of their personal data.

We take the protection of your personal data seriously and treat your personal data confidentially and in accordance with the applicable data protection regulations and this privacy policy.

This privacy policy applies to the website florianrothenbuehler.com and all applications and services accessible through it.

3. Data Processing During Visits.

This website does not use cookies. No tracking cookies, no analytics cookies and no marketing cookies are used.

Fonts are hosted locally. No external services such as Google Fonts are called. When visiting this website, no data is transmitted to Google or other third-party providers.

Local storage (localStorage): For your personal settings (e.g. dark/light mode, cursor style, sound settings), your browser's localStorage is used. This data does not leave your browser and is not transmitted to servers.

4. Server Log Files.

When accessing this website, the hosting provider (Cloudflare, Inc.) automatically collects general information. This includes the type of web browser, the operating system used, the domain name of the internet provider and similar data.

This is exclusively information that does not allow conclusions to be drawn about your person. This information is technically necessary to correctly deliver the requested content.

5. User Account and Login.

Registration is required for the use of certain applications on this website. During registration, the following data is collected and processed:

• Email address — for identification and communication
• Password — stored encrypted (hashing), never in plain text
• Display name — optional, freely selectable

Authentication is handled via the service Supabase (Supabase, Inc., headquartered in the USA — physical data processing takes place in Frankfurt, Germany, region eu-central-1). Supabase stores your login data, session tokens and profile information in a secured PostgreSQL database with Row-Level Security (RLS). Each user has access only to their own data.

Legal basis: Contract fulfillment — registration is a prerequisite for using the applications.

6. Applications and Services.

Through your user account, you have access to the following applications. All data is stored per user and is not visible to other users.

Finance (Financial Management)

• Account balances, transactions and categorizations
• Fixed costs, invoices and wishlist
• Monthly income planning

This data is stored exclusively in your personal area at Supabase and serves your own financial management. No data is shared with third parties, with the following exception: When optionally importing bank statements as PDF, the PDF document is transmitted to Anthropic (operator of the Claude API, USA) for structure extraction. Only the extracted transaction structures are stored, not the PDF itself.

Time Tracker

• Work time entries (start, end, duration)
• Project names and optional hourly rates

This data is stored in your personal area at Supabase and serves your own time management.

Account (User Management)

• License information (active modules, expiration dates)
• Personal settings

Legal basis: Contract fulfillment — you actively use the applications and control the entered data yourself.

7. Web Analytics.

This website uses Cloudflare Web Analytics. This service does not collect personal data, does not set cookies and does not create individual user profiles. Only aggregated, anonymous data such as page views, time on page and country of origin is collected.

Additionally, a custom analytics service is used that collects the following data:

• Pages visited and time on page
• Scroll depth (how far a page was read)
• Device type (mobile/desktop/tablet, derived from screen width)
• Country of origin (derived from the Cloudflare network, no IP storage)
• Referral source (e.g. Google, Instagram, direct visit)
• Clicks on external links (target domain only, not the full URL)
• Pseudonymous visitor identifier (random string in your browser's localStorage — used to distinguish between new and returning visitors)

No cookies are set. IP addresses are not stored. The pseudonymous visitor identifier is stored exclusively in your browser's localStorage and is never linked to other data. You can remove it at any time by clearing your browser storage.

The collected data is stored in Cloudflare Workers KV (retention: 90 days) and is used exclusively to improve the website. No user profiles are created and no data is shared with third parties.

Legal basis: Legitimate interest (Art. 31 revDSG) — optimization of the website without encroachment on privacy.

Cloudflare Privacy Policy →

8. Newsletter.

When you subscribe to the newsletter, the following data is collected:

• Email address
• Selected categories (Craft, Software, Perspectives)

Your email address and category selection are stored in Cloudflare Workers KV. Delivery is handled via the email service Resend (Resend, Inc., USA).

Double opt-in: After signing up, you will receive a confirmation email. You will only be added to the mailing list after confirming the link.

Legal basis: Your consent. You can unsubscribe from the newsletter at any time via the unsubscribe link in every email. Upon unsubscribing, your data will be deleted.

Resend Privacy Policy →

9. Contact.

When you contact us via email, WhatsApp or Telegram, your data is stored for the purpose of processing the inquiry. This data will not be shared without your consent and will be deleted after completion of the inquiry, unless legal retention obligations apply.

10. Data Processors.

We use the following service providers to operate this website and the applications:

• Cloudflare, Inc. (headquartered in the USA, global edge network) — Hosting, CDN, Web Analytics, Workers, KV storage, R2 backups. Privacy Policy →
• Supabase, Inc. (headquartered in the USA, data processing in Frankfurt DE, eu-central-1) — Authentication, database for user data and application data. Privacy Policy →
• Resend, Inc. (USA) — Email delivery for newsletters and confirmation emails. Privacy Policy →
• Anthropic, PBC (USA) — AI-powered extraction for bank statement imports (Finance app) and optional AI interactions with the RAG system. Only actively triggered requests are transmitted. Privacy Policy →
• OpenAI, L.L.C. (USA) — Computation of text embeddings for the RAG system (search across personal documents). Will soon be replaced by Cloudflare Workers AI to keep all data processing within the EU. Privacy Policy →

All listed service providers process data exclusively on our behalf and according to our instructions (Art. 9 revDSG or Art. 28 GDPR).

11. International Data Transfers.

The above-mentioned data processors are headquartered in the USA. Data transfers are based on the EU-U.S. Data Privacy Framework or the adequacy decision of the Federal Council pursuant to Art. 16 revDSG.

In detail:

• Supabase — physical data storage takes place in Frankfurt (DE), meaning the majority of user data does not leave the EU. For administrative access by Supabase itself, the EU-U.S. Data Privacy Framework applies.
• Cloudflare — global edge network. Cache and request routing happen location-dependently; persistent storage areas (R2 backups, Workers KV) may be located in US regions, secured by Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework.
• Resend, Anthropic, OpenAI — data transfers to the USA, secured by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses.

12. Retention Periods.

We store personal data only as long as necessary for the respective purpose:

• User account: Until deletion of the account by the user
• App data (Finance, Time Tracker): Until deletion by the user or account closure
• Newsletter data: Until unsubscription
• Contact inquiries: After completion of the inquiry, up to 1 year maximum
• Analytics data: Aggregated, without personal reference, indefinitely
• Backups: Automatic daily and weekly backups are deleted after 90 days (7 daily + 4 weekly rotation)
• Cloudflare Worker logs: Maximum 30 days (system default for IT security)
• Supabase query logs: Maximum 7 days (system default)

Statutory retention obligations (e.g. accounting: 10 years pursuant to OR Art. 958f) remain reserved.

13. Data Sharing.

Personal data is generally not shared with third parties unless it is necessary to fulfill our services (see Data Processors), you have given express consent, or there is a legal obligation.

14. Hosting.

This website is hosted by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Cloudflare participates in the EU-U.S. Data Privacy Framework.

Cloudflare Privacy Policy →

15. Downloads.

This website offers software files for download. No personal data is collected during downloads beyond what is recorded in server log files.

16. Your Rights.

Under the revDSG, you have the following rights:

• Right of access (Art. 25 revDSG): You may request information about your stored data at any time. In the account section, you will find a data export function that provides you with a complete copy of your data as a JSON file.
• Rectification (Art. 32 revDSG): You may request the correction of inaccurate data. Most data can be edited directly within the applications.
• Deletion: You may request the deletion of your data, provided no statutory retention obligations (e.g. accounting) prevent this. In the account section, you will find an account deletion function that removes all your data from our systems.
• Data portability (Art. 28 revDSG): You may request the delivery of your data in a commonly used format. The above-mentioned data export provides machine-readable JSON.
• Objection: You may object to the processing of your data at any time. Newsletter: unsubscribe link in every email. Analytics: the website does not set cookies and does not create user profiles.

To exercise your rights, a data subject rights form with jurisdiction selection is available. Requests are answered within 30 days (45 days for CCPA/Canada). Direct contact: [email protected]

Supervisory authority:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern, Switzerland
edoeb.admin.ch →

17. Additional Rights by Residence.

The rights described in Section 16 apply regardless of residence. If you reside in one of the following regions, additional region-specific rights and complaint channels apply. Please direct requests to [email protected]; please state your jurisdiction so the applicable deadline can be observed.

European Union (GDPR)

In addition to the above rights, you have the right to restriction of processing (Art. 18), the right to object (Art. 21) and the right to lodge a complaint with the supervisory authority of your member state (Art. 77). Since the data controller is based in Switzerland, you may contact the supervisory authority of your country of residence.

United Kingdom (UK GDPR + Data Protection Act 2018)

Data subjects resident in the United Kingdom have the same rights as under the GDPR. Complaints can be addressed to the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. ico.org.uk →

California (CCPA/CPRA)

California residents have the right to know what personal data is collected (Right to Know), to deletion (Right to Delete), to correction (Right to Correct), to data portability and to opt out of the sale or sharing of personal data (Right to Opt-Out of Sale/Sharing). We do not sell personal data and do not share any with third parties for cross-context behavioral advertising. Additionally, you may limit the use of sensitive data (Right to Limit). Opt-out signals via Global Privacy Control (GPC) will be honored once the applications are publicly available. Requests are answered within 45 days (extendable by 45 days with justification). Complaints: California Privacy Protection Agency, cppa.ca.gov →

Brazil (LGPD)

Under the Lei Geral de Proteção de Dados (Lei 13.709/2018), you are entitled to confirmation of processing, access, rectification, anonymization/blocking/deletion of unnecessary data, portability and information about shared data (Art. 18 LGPD). Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD). gov.br/anpd → — a Portuguese summary of the key passages is available upon request.

Canada (PIPEDA) and Quebec (Law 25)

You are entitled to access, rectification and complaint under PIPEDA; in Quebec additionally to data portability and information about automated decision-making processes (Law 25). Complaints: Office of the Privacy Commissioner of Canada, priv.gc.ca → or Commission d'accès à l'information du Québec (CAI), cai.gouv.qc.ca →.

Japan (APPI)

Under the Act on the Protection of Personal Information, you have the right to disclosure, rectification, deletion and cessation of use of your data. For sharing with third parties, we obtain your consent where required. Supervisory authority: Personal Information Protection Commission (PPC), ppc.go.jp →

India (DPDP Act 2023)

You are entitled to access, rectification, deletion, appointment of a trusted person ("Data Principal" rights under Sections 11-13 DPDP Act) and complaint to the Data Protection Board of India. The contact for complaints is initially the email address stated above. meity.gov.in →

Other Jurisdictions

Residents of other states with comparable data protection laws (e.g. South Korea PIPA, South Africa POPIA, Australia Privacy Act, US states with consumer protection laws such as Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA) may also exercise their rights via email. We review every request based on the applicable legal basis and respond within the statutory period (typically 30-45 days).

18. Use of AI Systems.

In individual applications, we use AI systems to provide certain functions. In detail:

• Finance — PDF Import: When optionally importing bank statements, an AI system (Claude, Anthropic, PBC, USA) extracts transaction structures from the PDF. The call is made only upon active initiation by the user. Purpose: automation of transaction recording. Legal basis: contract fulfillment.
• RAG System (personal memory, before public launch): Content search across personal documents. Embedding computation currently via OpenAI (USA), migration to Cloudflare Workers AI (EU-processing) in preparation. Responses are generated with Claude (Anthropic) and are explicitly marked as AI-generated.
• Newsletter assistance: Occasional editorial support by Claude (Anthropic). No automatically generated newsletters — every message is manually approved.

Transparency: For all publicly accessible AI interactions (chat, generated texts or images), we clearly indicate pursuant to Art. 50 EU AI Act that you are interacting with an AI system or that content was AI-generated.

No automated individual decisions: No automated decisions within the meaning of Art. 22 GDPR are made that have legal effects on you.

No training with your data: Your inputs are not used for training the AI models employed. Processing is exclusively for the specifically requested function.

Result quality: AI systems may produce incorrect or incomplete results. Please verify important decisions independently.

19. Use by Minors.

These services are not intended for persons under 13 years of age. For users in the EU, a minimum age of 16 years applies pursuant to Art. 8 GDPR.

We do not knowingly collect personal data from children under 13. Should we become aware that an account was created by a person below the stated age limits, we will immediately delete the account and all associated data.

Parents and guardians who become aware of such a registration can contact us at any time at [email protected].

20. Changes.

We reserve the right to modify this privacy policy at any time. The current version is published on this website.