Mappy AI logo Mappy AI
EN
English Deutsch
Back to home

Privacy Policy

Effective date: 3 April 2026 — Pursuant to the Swiss Federal Act on Data Protection (revFADP / nDSG)

Mappy AI is committed to protecting your personal data. This Privacy Policy explains what data we collect, on what legal basis, for what purposes, and what rights you have under the revised Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz, DSG; in force since 1 September 2023). Where we also serve users located in the European Economic Area, we additionally comply with the General Data Protection Regulation (GDPR).

1. Data Controller

The controller responsible for processing your personal data is:

Mappy AI
Zurich, Switzerland

Email: dmitrii@mappy-ai.com

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, and password hash when you register an account.
  • User-generated content: files, links, text, and mind maps you upload or create within the service.
  • Usage and technical data: pages visited, features used, session duration, browser type, device type, and IP address (anonymised where possible).
  • Payment data: billing address and transaction references. Full payment card data is processed exclusively by our payment processor and is not stored by Mappy AI.
  • Communications: messages you send to our support team.

3. Purposes and Legal Bases

We process your data for the following purposes and on the following legal bases under Swiss law:

  • Provision of the service (contractual necessity): to create and manage your account, process your content, generate AI-powered mind maps, and handle billing.
  • Service improvement (legitimate interest): to analyse usage patterns, diagnose technical issues, and develop new features, provided our interest does not override your fundamental rights.
  • Legal compliance: to retain records required by Swiss commercial and tax law (e.g. Art. 958f OR) and to respond to lawful requests from authorities.
  • Security (legitimate interest): to detect, prevent, and investigate fraud, abuse, or unauthorised access.
  • Marketing communications (consent): to send product updates or newsletters, only where you have given explicit consent, which you may withdraw at any time.

4. Third-Party Service Providers and International Data Transfers

We share your data only with trusted service providers acting as data processors under our instruction. These include, without limitation:

  • Cloud hosting and infrastructure providers for storing and serving the application.
  • AI model providers (e.g. OpenAI) to generate mind maps and AI responses from the content you submit. Content you submit may be sent to servers located outside Switzerland.
  • Payment processors for handling subscription billing.
  • Analytics (self-hosted): Mappy AI operates its own analytics instance at metrics.mappy-ai.com, which does not transfer your data to third parties.

Some of our service providers are based in countries that do not provide a level of data protection equivalent to Swiss law (e.g. the United States). In such cases, data transfers are governed by appropriate safeguards, such as the Standard Contractual Clauses recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC), or other mechanisms permitted under the nDSG.

5. Data Retention

We retain your personal data for as long as your account is active. After account deletion, we delete or anonymise your personal data within 90 days, unless we are required to retain it longer under applicable law (e.g. Swiss accounting records must be kept for 10 years pursuant to Art. 958f OR). Anonymised, aggregated data may be retained indefinitely for analytical purposes.

6. Your Rights Under Swiss Law

Under the Swiss Federal Act on Data Protection (nDSG), you have the following rights with respect to your personal data:

  • Right of access (Art. 25 nDSG): to request a copy of the data we hold about you.
  • Right to rectification: to request correction of inaccurate or incomplete data.
  • Right to deletion (Art. 32 nDSG): to request erasure of your data where there is no longer a legitimate basis for processing.
  • Right to data portability: to receive your data in a structured, machine-readable format.
  • Right to object: to object to processing based on legitimate interest where your particular situation warrants it.
  • Right to restriction: to request that we limit processing in certain circumstances.

To exercise any of these rights, contact us at dmitrii@mappy-ai.com. We will respond within 30 days. If you believe your rights have not been respected, you may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.

7. Cookies and Analytics

We use a self-hosted, privacy-friendly analytics solution to understand how users interact with Mappy AI. This solution does not use persistent tracking cookies, does not fingerprint individual users, and does not share data with third parties. No cookie consent banner is required for this analytics approach, as no personal data in the sense of the nDSG is processed.

We do not use third-party advertising or behavioural tracking cookies. If this changes, we will update this policy and, where required, obtain your consent.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These measures include encrypted data transmission (TLS), access controls, and regular security reviews. No system is entirely without risk; we cannot guarantee absolute security. In the event of a data breach likely to result in a high risk to your rights, we will notify you without undue delay as required by law.

9. Children's Privacy

Mappy AI is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. If we become aware that we have collected data from a child under 16 without such consent, we will delete that data promptly.

10. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. Material changes will be communicated via email or a prominent notice on our website at least 14 days before they take effect. The date at the top of this page indicates when this policy was last revised. Continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us at:

dmitrii@mappy-ai.com