Privacy policy | SimpleDMS

Effective date: 16.02.2026

1. Controller and contact

Marco Beierer
Oberlandstrasse 78, 3700 Spiez, Switzerland
Email: email@marcobeierer.ch

2. Scope

This policy applies to the SimpleDMS web application and SaaS service. The separate marketing website has its own privacy policy.

The service is intended for organizations (tenants) in Switzerland and the EU/EEA. Direct individual use is offered only to individuals in Switzerland.

3. Roles (tenants)

If you use SimpleDMS through an organization (a "tenant"):

For tenant use, the tenant is typically the controller for tenant user accounts and tenant data (including uploaded documents and related metadata).
Tenant data is processed on behalf of the tenant (processor role), following the tenant's instructions (e.g., access control, retention settings, retention configuration, support-access settings).

For direct individual use (outside a tenant relationship), the controller is the person listed in Section 1.

A Data Processing Agreement (DPA) is available on request.

4. Data processed

Account data: name, email address, tenant memberships/roles/permissions.
Authentication/session data: session identifier cookie.
Security and technical data: login events; security/operation logs; IP address and technical identifiers where required.
Customer content: uploaded documents/files and related metadata (e.g., titles, tags, notes, permissions).
OCR/text extraction data (if enabled): extracted text used for search and related functions.
Audit logs: user actions in the service.
Support communications: emails and information you provide when contacting support.
Billing data (if applicable): billing/contact details, invoices, subscription status and transaction data.

Uploaded documents may contain sensitive data, depending on what users upload. Such content is processed as part of providing the service and under tenant instructions (for tenant use).

Account data may be provided directly by the user or by tenant administrators (e.g., when creating or inviting user accounts). Security data and audit logs are generated by service use.

Personal data is not sold. Advertising profiles are not created. No marketing analytics or tracking is used.

5. Purposes and legal bases

Service provision (contract): accounts, authentication, storage, sharing, access control, requested features.
Security and abuse prevention (legitimate interests): protecting accounts, preventing unauthorized access, maintaining service integrity.
Support and troubleshooting (contract / legitimate interests): responding to requests and resolving incidents.
OCR/text extraction (contract): enabling search and related functions (if enabled).
Billing and accounting (contract / legal obligation): invoicing and statutory record-keeping (if applicable).
Legal compliance (legal obligation): complying with applicable laws and enforcing rights.

6. Providers and processing locations

Hosting and storage: Hetzner (Germany) (application hosting + file storage).
Email delivery: self-hosted infrastructure at Hetzner (Germany).
Text extraction/OCR: self-hosted infrastructure.

7. Recipients

This section explains who may receive or access personal data, and in which situations.

Within a tenant: tenant administrators and authorized tenant users can access tenant data according to the tenant's role and permission configuration.
Service providers: infrastructure providers needed to operate the service (see Section 6), in particular hosting and storage at Hetzner in Germany.
Support (limited): support access to tenant content is only possible if enabled by tenant administrators (see Section 10).
Legal disclosures: disclosure to authorities, courts, or other parties may occur where required by law or necessary to enforce rights.

8. International transfers

The controller is based in Switzerland. Processing is primarily in Switzerland and Germany. For EU/EEA data subjects, Switzerland is recognized by the EU as providing an adequate level of data protection. Personal data is not transferred to countries outside Switzerland and the EU/EEA unless a provider is introduced that requires it (for example, a payment provider). In that case, this policy is updated and legally required safeguards are used.

9. Cookies

An essential session cookie is used to keep you signed in. It typically expires after up to 14 days; temporary sessions may expire earlier.

10. Support access to customer content

Tenant administrators may enable a setting that allows support to access tenant content for troubleshooting. If not enabled, support does not access tenant content.

11. Retention and deletion

Customer content: until deleted by the tenant/end user or after cancellation, subject to tenant configuration and legal obligations.
Audit logs: 90 days by default; longer if configured by the tenant.
Support emails: as long as needed to handle the request and for documentation.
Billing records: retained for statutory periods (if applicable).
After cancellation/termination: service data is deleted after 30 days, subject to legal obligations and tenant configuration.
Backups: retained for up to 365 days; deleted data may remain in backups until overwritten.

12. Security

Appropriate technical and organizational measures are used to protect data, including encrypted transport (TLS), access controls, and security logging.

13. Your rights and complaints

Data subject rights include access, rectification, deletion, restriction, portability (where applicable), and objection to certain processing. Requests can be submitted to email@marcobeierer.ch. Identity verification may be required.

Requests are handled without undue delay and, in any event, within one month. This period may be extended by up to two additional months where necessary (e.g., complex or numerous requests); the reason for any extension will be provided. Requests are generally handled free of charge; a reasonable fee may apply, or a request may be refused, if it is manifestly unfounded or excessive.

Where processing is based on consent, consent can be withdrawn at any time with effect for the future.

If SimpleDMS is used through a tenant, requests relating to tenant content should be directed to that organization first.

A complaint can be lodged with a competent supervisory authority in the EU/EEA (in particular in the Member State of habitual residence, place of work, or place of the alleged infringement). For Switzerland, the competent authority is the FDPIC.

14. Provision requirement

Account data and authentication/session data are required to create and maintain an account and to sign in. If required data is not provided, the service cannot be provided.

15. Automated decision-making

No automated decision-making or profiling (within the meaning of GDPR Article 22) is carried out.

16. Changes

This policy may be updated. The effective date above shows the current version.