Pointr – Privacy Policy
Last updated: 7 January 2025
1. Who We Are
Pointr AG ("Pointr", "we", "us") is the controller of your personal data under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection 2023 (FADP).
- Address: Pointr AG, Steinengraben 22, 4051 Basel, Switzerland
- Email (Data Protection Officer): privacy@pointr.org
2. Where Your Data Is Stored
Your data is processed only in Frankfurt am Main, Germany (EU) and the Zurich region, Switzerland. Germany is in the EEA; Switzerland enjoys an EU adequacy decision (Art. 45 GDPR). Back-ups are mirrored between the two sites; no routine transfers occur elsewhere.
3. What Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | name, email, phone, password hash | you |
| Listing Data | service description, pricing, profile photo | you |
| Usage Data | IP address, device IDs, interaction logs, crash reports | automatically |
| Payment Metadata (listers) | Stripe customer ID, payment status, fee amount | Stripe API |
| Optional Device Data | contacts, camera, photos, location | you (permission-based) |
We never receive or store full card numbers or CVCs. Payments are handled directly by Stripe Payments Europe Ltd.
You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account. Please ensure the accuracy of data you provide, as we are not liable for errors resulting from inaccurate user-provided data.
4. Legal Bases for Processing (Art. 6 GDPR / Art. 31 FADP)
- Contract: provide marketplace, manage accounts, collect listing fees via Stripe.
- Legitimate interests: security, fraud prevention, analytics, marketing of similar Pointr services (opt-out any time).
- Consent: optional access to contacts, camera, photos, location (withdraw in device settings).
5. Retention Periods
- Account & listing history: 10 years after last activity.
- Payment metadata: 10 years (book-keeping laws).
- Usage logs: 12 months, then aggregated or deleted.
- Device content: deleted immediately when removed or permission withdrawn.
- Back-ups: overwritten on a 30-day rolling cycle.
6. International Transfers
If vendors outside the EEA/Switzerland are engaged, we rely on EU Standard Contractual Clauses with the Swiss addendum plus industry-standard technical safeguards. Copies are available on request.
7. Who Receives Your Data
- Stripe Payments Europe Ltd. (payment processor) – Ireland
- Hosting & cloud providers – Germany / Switzerland
- Analytics & crash-report tools – EU
- Pointr affiliates – EU / CH
- Public authorities when legally required
We do not sell personal data.
We are not responsible for the privacy practices of third-party services (e.g., Stripe, hosting providers, analytics tools). These third parties have their own privacy policies and data handling practices; please review their privacy policies separately.
8. Your Rights
| Right | GDPR | FADP |
|---|---|---|
| Access | Art. 15 | Art. 25 |
| Rectification | Art. 16 | Art. 32 |
| Erasure | Art. 17 | Art. 32 |
| Restriction | Art. 18 | — |
| Portability | Art. 20 | Art. 28 |
| Object | Art. 21 | Art. 30 |
| Withdraw consent | Art. 7 (3) | Art. 6 (6) |
To exercise any right, email privacy@pointr.org. We reply within one month (GDPR) or 30 days (FADP).
9. Automated Decision-Making
No automated decisions with legal or similar effect are made.
10. Security
All data in transit is protected by industry-standard TLS encryption. Data at rest is encrypted using industry-standard encryption algorithms. We implement multi-factor authentication, role-based access controls, and conduct regular security assessments. No system is 100% secure.
While we implement industry-standard security measures, we cannot guarantee absolute security. You use the service at your own risk.
11. Data Breach Notification
In the event of a data breach affecting your personal data that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Articles 33 and 34. We will provide clear information about the nature of the breach, the categories of data affected, and the measures we are taking to address it.
12. Children
The service targets users 16+. If we learn we hold data of a younger child, we delete it promptly.
13. Changes
Material changes are announced by email 30 days before they take effect and published here.
14. Contact
- Email (DPO): privacy@pointr.org
- EU representative (Art. 27 GDPR): Pointr GmbH, c/o PrivacyRep, Hanauer Landstr. 204, 60314 Frankfurt am Main, Germany
You may also contact your local EU data-protection authority or the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
© 2025 Pointr AG. All rights reserved.