Privacy Policy
Last updated: March 6, 2026
DIZZUS GmbH ("we", "us", "Company"), with registered office in Zug, Switzerland, operates ConvertFly.io ("Service"). This Privacy Policy explains how we collect, use, and protect your personal data in compliance with the Swiss Federal Act on Data Protection (nFADP/nLPD) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Controller
The data controller is:
DIZZUS GmbH
Zug, Switzerland
Email: privacy@convertfly.io
2. Data We Collect
2.1 Account Data
When you create an account, we collect your email address, name (if provided), and authentication identifiers via Clerk (our authentication provider). If you sign in with Google or GitHub, we receive your profile information from those providers.
2.2 Payment Data
Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We receive your Stripe customer ID, subscription status, and transaction history.
2.3 File Data
Files you upload are processed automatically for conversion. We do not access, read, or analyze the content of your files. Uploaded files and conversion outputs are stored in Amazon S3 (eu-central-1 region) and are automatically deleted:
- Import files: deleted immediately after conversion completes;
- Output files: deleted 24 hours after creation.
2.4 Usage Data
We collect technical data including IP address, browser type, operating system, pages visited, and conversion metadata (file formats, file sizes, timestamps). This data is used for analytics, debugging, and improving the Service.
2.5 API Data
If you use the ConvertFly API, we log API key identifiers, request timestamps, endpoints called, and response codes for rate limiting and abuse prevention.
3. Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| Providing the Service (conversions) | Performance of contract (Art. 6(1)(b) GDPR / Art. 31(1) nFADP) |
| Payment processing | Performance of contract |
| Account management | Performance of contract |
| Analytics & service improvement | Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1) nFADP) |
| Security & fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
4. Third-Party Processors
We share personal data with the following processors, all of which have signed Data Processing Agreements:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication | USA (SCCs in place) |
| Stripe | Payment processing | USA (SCCs in place) |
| Amazon Web Services (S3) | File storage (eu-central-1) | EU (Frankfurt) |
| Vercel | Application hosting | USA (SCCs in place) |
| Railway | Database hosting | USA (SCCs in place) |
| Cloudflare | CDN & tunnel (worker) | Global (SCCs in place) |
| Sentry | Error monitoring | USA (SCCs in place) |
| Vercel Analytics | Web analytics | USA (SCCs in place) |
5. International Data Transfers
Some of our processors are located outside Switzerland and the EEA. Where data is transferred to countries without an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and recognized by the Swiss FDPIC as adequate safeguards under Art. 16(2) nFADP.
6. Data Retention
- Files: Import files deleted immediately after conversion; output files deleted after 24 hours.
- Account data: Retained as long as your account is active, then deleted within 30 days of account deletion.
- Payment records: Retained for 10 years as required by Swiss commercial law (OR Art. 958f).
- Usage logs: Retained for 90 days, then anonymized or deleted.
- API logs: Retained for 30 days.
7. Your Rights
Under the nFADP and GDPR, you have the right to:
- Access: Request a copy of your personal data;
- Rectification: Correct inaccurate data;
- Erasure: Request deletion of your data ("right to be forgotten");
- Portability: Receive your data in a machine-readable format;
- Restriction: Restrict processing in certain circumstances;
- Objection: Object to processing based on legitimate interest;
- Withdrawal of consent: Where processing is based on consent, withdraw at any time.
To exercise any of these rights, email privacy@convertfly.io. We will respond within 30 days.
8. Cookies & Tracking
ConvertFly uses essential cookies for authentication (Clerk session tokens) and functional purposes only. We use Vercel Analytics for aggregated, privacy-friendly web analytics that does not use cookies for tracking.
We do not use advertising cookies or sell your data to third parties.
9. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Security
We implement appropriate technical and organizational measures to protect your data, including TLS encryption in transit, encryption at rest for stored files (S3 SSE), HMAC-SHA256 signed worker communications, and regular security reviews.
11. Data Breach Notification
In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify the Swiss FDPIC and affected individuals without undue delay, in accordance with Art. 24 nFADP and Art. 33-34 GDPR.
12. Supervisory Authority
The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC). If you are located in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.
13. Changes
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top reflects the most recent revision.
14. Contact
DIZZUS GmbH
Zug, Switzerland
Email: privacy@convertfly.io
Website: www.convertfly.io