Privacy Policy

Effective date: 31 December 2025

This Privacy Policy explains how Razalith ("we", "us", "our") collects, uses, stores, and otherwise processes your personal data when you use the Service. It is provided in fulfillment of our duty to inform under Art. 19 of the revised Federal Act on Data Protection (FADP; SR 235.1, in force since 1 September 2023) and is governed by Swiss law, in particular the FADP and its implementing Ordinance (DPO; SR 235.11); unless stated otherwise, statutory terms have the same meaning as in those enactments.

The data controller is the operator identified in our Terms of Service — Section 21 (Legal Imprint).

For any privacy-related requests or inquiries, contact us at: hello@razalith.com

1. Data We Collect

We may collect and process the following categories of personal data:

Account information: Email address, display name, profile picture, and authentication identifiers received from our authentication provider (Clerk)
Subscription and billing data: Plan type, billing status, subscription dates, and payment transaction identifiers received from our payment provider (Stripe). We do not receive or store full payment card numbers, CVV codes, or bank account details
Preferences and settings: In-app notification preferences, alert configurations, display settings, and other user-selected options
Technical and usage data: IP address, browser type, operating system, device information, pages visited, timestamps, referral URLs, and interaction data. This data is collected for security, rate limiting, abuse prevention, and service reliability
Communication data: Content of emails or messages you send to us, and metadata related to those communications

Data we do not collect: We do not collect financial account numbers, cryptocurrency wallet addresses, trading history, portfolio holdings, or any sensitive personal data as defined in Art. 5(c) FADP (e.g. data on health, biometrics, racial or ethnic origin, political opinions, religious beliefs, genetic data) unless you voluntarily provide it in a communication to us.

If you use the optional AI analysis feature, we only send anonymized market data (such as asset symbol, price, volume, and technical indicators) to a third-party AI provider (OpenAI). We never send your name, email, account ID, IP address, or any other personal identifiers in AI requests.

Where certain account, billing, or security-related data is necessary to perform our contract with you or to meet our legal obligations, failure to provide it may mean we cannot provide all or part of the Service.

2. How and Why We Use Your Data

Under the FADP, processing of personal data is generally permitted unless it infringes personality rights (Art. 30(1) FADP). Where processing may affect your personality rights, we rely on the following justification grounds:

Contract performance (Art. 30(2)(a) FADP): Account creation and management, authentication, subscription billing, delivering email alerts you have configured, and providing the core functionality of the Service. This processing is directly connected to the conclusion and performance of our contract with you
Overriding private interest (Art. 30(2) FADP): Security monitoring, fraud and abuse prevention, rate limiting, service performance analysis, limited aggregate analytics, debugging, and improving the Service. We balance our interests against your personality rights and only process data where our interests are not overridden by your data protection interests
Consent (Art. 30(1) FADP): Where we rely on consent for specific processing activities (for example, optional marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal
Legal obligations (Art. 30(1) FADP): Compliance with applicable laws, regulations, and lawful requests from authorities, including tax, anti-fraud, and data retention obligations

We do not sell, rent, or trade your personal data. We do not use your personal data for advertising, profiling for marketing purposes, or targeted advertising.

3. Automated Decision-Making and Profiling

We do not engage in solely automated decision-making that produces legal effects or similarly significant effects concerning you, as defined in Art. 21 FADP.

Anomaly scores generated by the Service are statistical outputs based on aggregated market data. They are not based on your personal data and are not a form of profiling as defined in Art. 5(f) FADP. The scores are identical for all users viewing the same asset and do not take into account your individual characteristics, behavior, or personal situation.

4. Recipients and Processors

We share your personal data only with third-party service providers (processors) that act on our instructions and are contractually bound to process data solely for the purposes we specify. We require all processors to implement appropriate technical and organizational measures to protect your data (Art. 9 FADP).

Current categories of processors include:

Authentication: Clerk (user identity and login management)
Payment processing: Stripe (subscription billing and payment status)
Hosting and infrastructure: Vercel (application hosting), Upstash (Redis caching and rate limiting)
Database: Neon (PostgreSQL database hosting)
Email delivery: Resend (transactional email and alert delivery)
AI inference: OpenAI (optional AI-generated market analysis — receives only anonymized market data, never personal data)
Market data: CoinGecko (cryptocurrency market data — no personal data is shared)

We do not share your personal data with any other third parties for their own purposes, except where required by law or a binding order of a competent authority.

5. International Data Transfers

Some of our processors are located outside Switzerland, including in the United States and the European Economic Area (EEA). Where personal data is transferred to a country that does not provide an adequate level of data protection as determined by the Swiss Federal Council (Art. 16 FADP), we implement appropriate safeguards in accordance with Art. 16(2) FADP, including:

Standard Contractual Clauses (SCCs) approved or recognized under Swiss law
Reliance on the adequacy decisions of the Swiss Federal Council where applicable (the current list is maintained by the FDPIC)
Other recognized safeguards under Art. 16(2) FADP where appropriate

You may request further information about the specific safeguards applied to international transfers by contacting us at the email address provided at the top of this Policy.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods include:

Account data: Retained for the duration of your active account. Upon account deletion, we delete or irreversibly anonymize your personal data within thirty (30) days, except where legal retention obligations apply
Billing and transaction records: Retained for the period required by applicable Swiss commercial and tax law (currently ten (10) years under Art. 958f of the Swiss Code of Obligations)
Technical and security logs: Retained for up to ninety (90) days for security, debugging, and abuse prevention purposes, then deleted or anonymized
Communication records: Retained for as long as necessary to resolve the matter, plus any applicable legal retention period

7. Cookies and Similar Technologies

We use only strictly necessary (essential) cookies and similar technologies required for authentication, session management, security, and basic functionality. These cookies do not require consent under Swiss law as they are technically necessary for the operation of the Service.

We use limited, privacy-friendly analytics to understand aggregate usage patterns. We do not use advertising cookies, tracking pixels, or any technologies for profiling, behavioral advertising, or cross-site tracking.

If we introduce non-essential cookies or materially similar tracking technologies in the future, we will update this Policy and obtain your consent where required by applicable law before deploying them.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Art. 8 FADP and Art. 1–6 DPO. These measures include, but are not limited to:

Encryption of data in transit (TLS/HTTPS)
Encryption of data at rest where supported by our infrastructure providers
Access controls and authentication for administrative systems
Rate limiting and abuse detection mechanisms
Regular review of security practices and processor agreements

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. If you become aware of any security incident affecting your account, please notify us immediately at hello@razalith.com.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your personality or fundamental rights, we will notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as possible in accordance with Art. 24 FADP. Where required by Art. 24(4) FADP or upon instruction of the FDPIC, we will also inform you of the breach without undue delay.

10. Age Restriction

The Service is not intended for, and should not be used by, individuals under 18 years of age. We do not knowingly collect or process personal data from minors. If you are a parent or guardian and believe that we have collected personal data from a person under 18, contact us immediately at hello@razalith.com and we will take steps to delete such data promptly.

11. Your Rights Under the FADP

Under the revised FADP, you have the following rights in relation to your personal data:

Right of access (Art. 25 FADP): You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data along with information about the processing
Right to rectification: You have the right to request correction of inaccurate personal data and completion of incomplete personal data
Right to erasure: You have the right to request deletion of your personal data where there is no overriding legal basis or legal retention obligation for continued processing
Right to data portability (Art. 28 FADP): You have the right to receive your personal data in a commonly used, structured, and machine-readable format, or to have it transmitted to another controller where technically feasible
Right to object: Where processing is based on our legitimate interests, you have the right to object to such processing on grounds relating to your particular situation
Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please email us at hello@razalith.com. We will respond within thirty (30) days (or any shorter period required by law). We may need to verify your identity before acting on certain requests. If your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act, in accordance with Art. 26 FADP.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), or to seek judicial remedies before the competent Swiss courts.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be notified through the Service or by email. The "Effective date" at the top of this Policy indicates when the latest revision took effect.

Where continued use of the Service constitutes acceptance of an updated policy, this applies only to the extent permitted by applicable law. Where a material change requires your consent under the FADP or other applicable law, we will obtain that consent separately before the change takes effect.