Privacy Policy

This Policy explains what personal data Bärtschi Software (“we”, “us”) collects, why we collect it, how long we keep it, who we share it with, and your rights over it. It covers the glyphmd application, the website at glyphmd.com, and the licensing service at licensing.tightblocks.com.

1. Who is responsible

The controller for the purposes of Swiss FADP and EU GDPR is:

We have not appointed a Data Protection Officer because we are not required to under the FADP or GDPR. You can reach the person responsible for privacy questions at the email above.

2. What we collect, and why

2.1 When you visit glyphmd.com

The website is a static Next.js site hosted by Vercel Inc. Vercel logs request metadata (IP address, request path, user-agent, timestamp) for operational and security purposes.

We use one third-party product-analytics service, Behavise, to understand how visitors navigate the site (page views, clicks, scrolling, and aggregate session journeys) so we can improve it. Behavise runs with content masking enabled, so on-page text is not captured verbatim; the site has no input fields, so no data you type is collected. We run no advertising scripts. We do not sell this data or use it for advertising.

Aside from Behavise, the only cookies set are functional Next.js cookies required for the site to render.

2.2 When you buy a license

Purchases are processed by Paddle.com Market Limited as merchant of record. Paddle collects the payment, billing address, country (for VAT), and your email at checkout. Paddle is an independent controller for that data; their privacy notice is at paddle.com/legal/privacy. From Paddle we receive: your email, the product purchased, the transaction ID, and the country code — enough to issue and deliver a license key, and to meet our bookkeeping obligations.

2.3 When you activate the application

Activation sends your license key and the email you used at purchase from the application to licensing.tightblocks.com, an HTTPS service we operate. We store: the license key, the email, the activation timestamp, an opaque per-device identifier (so we can enforce the three-device limit), and the country code returned by Paddle for the invoice. The application revalidates the license about once every 24 hours on the same connection; we record the last-validated timestamp but not the contents of your documents.

2.4 When the application checks for updates

Update checks fetch a small manifest from a Hetzner-hosted bucket at glyphmd-releases.nbg1.your-objectstorage.com. The request includes only the standard HTTP metadata (IP address, user-agent). Hetzner may keep short-lived access logs for security purposes. We do not enrich, retain, or analyse these logs.

2.5 When you use the AI features

The AI sidebar is opt-in and works in two ways:

• Local model (Ollama) — prompts and responses stay on your machine. No data leaves your device.
• Your own API key — if you provide a key for an external provider (e.g. Anthropic or OpenAI, including OpenAI-compatible endpoints you configure), the application sends your prompt directly to that provider over HTTPS. The data you send is processed by that provider under their own privacy notice. We do not see, intercept, or proxy these requests; we receive no copy of prompts or responses.

2.6 Telemetry, crash reporting, analytics

None. The application contains no telemetry SDK, no crash reporting that phones home, and no usage analytics. The product is local-first by design.

3. Legal bases

We process the data above on the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR; Art. 31 FADP): for license issuance, activation, and revalidation.
• Legitimate interest (Art. 6(1)(f) GDPR; Art. 31 FADP): for hosting, security logging, and abuse prevention. Our interest is keeping the service available and safe; we weigh this against your right to data minimisation.
• Legal obligation (Art. 6(1)(c) GDPR): for keeping accounting records (Swiss Code of Obligations Art. 958f, 10 years).

4. Who we share with

We use the following processors and partners. They process data on our behalf or, where indicated, as independent controllers:

• Paddle (Ireland / UK) — merchant of record, billing. Independent controller for purchase data.
• Vercel (USA / Germany) — website hosting and edge CDN.
• Behavise — product analytics for the glyphmd.com website only (not the application).
• Hetzner Online GmbH (Germany) — object storage for the installer downloads and the update manifest.
• Anthropic, PBC (USA) — only if you supply an Anthropic API key and use the AI sidebar with that provider. Anthropic acts as an independent controller for the content you send.
• OpenAI, L.L.C. (USA) — only if you supply an OpenAI API key (or point the app at an OpenAI-compatible endpoint of your choosing) and use the AI sidebar with it. The provider acts as an independent controller for the content you send.

We do not sell personal data and we do not share it for advertising.

5. International transfers

Some of the providers above are located outside Switzerland and the EEA (e.g. the USA). Where we transfer data internationally, we rely on the recipient’s adequacy decision or on the Standard Contractual Clauses adopted by the European Commission / the Swiss Federal Council, as applicable.

6. Retention

• License records: for as long as the license exists plus two years (to honour the refund window and resolve activation disputes).
• Purchase / invoice data: ten (10) years, as required by Swiss Code of Obligations Art. 958f.
• Server access logs (licensing service, Hetzner bucket): a maximum of 30 days, then deleted.
• Email correspondence: as long as needed to handle the request, then archived for up to three (3) years.

7. Your rights

Under the Swiss FADP and EU GDPR you have the right to:

• request access to the personal data we hold about you;
• request correction of inaccurate data;
• request deletion of data we no longer need to keep for the legal bases above;
• request a portable copy of data you provided to us;
• object to or restrict processing based on legitimate interest;
• withdraw a consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these, write to support@matt-b.ch. We aim to respond within thirty (30) days. You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), or with your local supervisory authority in the EU.

8. Children

glyphmd is not directed at children under sixteen (16). We do not knowingly collect data from anyone in that age group.

9. Changes to this Policy

We may update this Policy to reflect product, legal, or operational changes. The current version is always available at this URL with the effective date shown above. We will notify license holders by email of material changes that affect their rights before those changes take effect.

10. Contact

Email: support@matt-b.ch