Privacy Policy
Solmyr Labs
Last updated: 28.03.2026
This policy explains what personal data we collect, why, and how we handle it. We aim to be clear and concise — no legalese walls.
1. Data Controller
The entity responsible for processing your personal data is:
enginess GmbH
Switzerland
Contact: [email protected]
2. What Data We Collect
2.1 Account Data
When you register, we collect:
- Email address — for authentication and transactional notifications.
- Password — stored as a secure, one-way hash (bcrypt). We never store your plaintext password.
2.2 Profile Data
Optionally provided by you:
- Display name, username, title, bio, professional specialties.
2.3 Business Context Data
Information you enter during onboarding and use of the Service:
- Business vision, goals, focus areas, location, budget, team size, experience level, and constraints.
- This data is used by the AI to provide relevant assistance.
2.4 Usage Data
Generated during normal use:
- Chat messages (conversations with the AI).
- Tasks, plans, decisions, files, announcements, and other content you create.
- Activity logs and AI usage records (token counts, estimated costs).
2.5 Billing Data
If you purchase credits:
- We store a Stripe customer ID linking your account to Stripe's systems.
- Credit balance and transaction history (amounts, dates, descriptions).
- We do not store payment card details — these are handled exclusively by Stripe.
2.6 Technical Data
Automatically collected:
- Session tokens (for keeping you logged in).
- Email verification tokens.
- IP address and browser/device info may be logged by our infrastructure provider for security purposes.
2.7 API Keys
If you use "Bring Your Own API Key" mode:
- Your API key is stored encrypted at rest.
- It is only decrypted in memory when making requests to the AI provider.
3. How We Use Your Data
| Purpose | Legal Basis (Swiss DSG) |
|---|---|
| Provide and operate the Service | Contract fulfilment |
| Send transactional emails (verification, notifications) | Contract fulfilment |
| AI processing of your business data | Contract fulfilment |
| Credit billing and payment processing | Contract fulfilment |
| Detect and prevent fraud/abuse | Legitimate interest |
| Improve the Service | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not use your data for advertising or sell it to third parties.
4. Third-Party Service Providers
We share data with the following processors, strictly for delivering the Service:
| Provider | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing | USA (EU-compliant) | stripe.com/privacy |
| Resend | Transactional email delivery | USA | resend.com/privacy |
| Anthropic | AI model inference (Anthropic provider) | USA | anthropic.com/privacy |
| OpenAI | AI model inference (OpenAI provider) | USA | openai.com/privacy |
| Cloudflare | DNS, CDN, and DDoS protection | USA (EU nodes) | cloudflare.com/privacypolicy |
| Supabase | Server / database infrastructure | USA | supabase.com/privacy |
Note on AI providers: Your conversation data and business context are sent to the AI provider you select (Anthropic or OpenAI) to generate responses. If you use "Bring Your Own API Key" mode, the requests go through the same provider but are billed to your own account under that provider's terms.
5. Cookies and Session Storage
We use technically necessary cookies only:
- Session cookie: Keeps you logged in. It is set on login and deleted on logout or expiry.
- No analytics cookies, tracking pixels, or advertising cookies are used.
Because we only use technically necessary cookies, no cookie consent banner is required under Swiss DSG / nDSG.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Until account deletion, then 90 days |
| Business content (tasks, files, messages, etc.) | Until account deletion, then 90 days |
| Billing records (credit transactions) | 10 years (Swiss accounting law requirement) |
| Email logs | 30 days |
| Security/access logs | 90 days |
After account deletion, data is permanently removed within the stated periods.
7. Your Rights (Swiss DSG / nDSG Art. 25–27)
As a data subject you have the right to:
- Access — request a copy of your personal data.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your data (subject to legal retention requirements).
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
8. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Passwords hashed with bcrypt.
- API keys encrypted at rest.
- HTTPS/TLS for all data in transit.
- Access to production systems restricted to the operator.
- Session tokens are rotated and expire automatically.
9. International Data Transfers
Some of our service providers (Stripe, Resend, Anthropic, OpenAI, Cloudflare, Supabase) are based in the USA. These transfers are covered by standard contractual clauses or the US-Swiss Data Privacy Framework where applicable. By using the Service, you acknowledge these transfers.
10. Children's Privacy
The Service is not directed at persons under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to This Policy
If we make material changes to this Privacy Policy, we will notify you by email or in-app notice at least 14 days in advance. The "last updated" date at the top of this page will always reflect the current version.
12. Contact
For privacy-related questions or data subject requests: [email protected]