Privacy & data protection
Data protection (Swiss nLPD, EU GDPR & Japan APPI)
Tsugukura is privacy-first by design: no advertising, no third-party analytics or tracking, no profiling, no automated decisions with legal effect, and we never sell your data. This notice explains what personal data we process and the rights you have under the Swiss Federal Act on Data Protection (nLPD/FADP), the EU General Data Protection Regulation (GDPR), and Japan's Act on the Protection of Personal Information (APPI / 個人情報保護法).
Who is responsible. The data controller is Tsugukura, operated from Switzerland. For any data-protection matter — access, correction, deletion or a complaint — use the contact form.
What we process, and why
Our record of processing activities — every purpose for which we use your data:
| Purpose | Data | Basis & retention |
|---|---|---|
| Account & sign-in | Email, display name, and either a password hash or your Google/GitHub account ID; email-verification status; login sessions. | Performance of our contract with you. Kept until you delete your account. |
| Your inventory | Items you add — names, brands, models, serial numbers, receipts/photos, specs, locations and notes. | Contract. Kept until you delete the item or your account. |
| Community sharing | Give-away / trade listings and the requests and messages you send. When you request an item, your name, email and message are shared with that item's owner so they can reply. | Contract and your own action. Kept until deleted. |
| Label reading (OCR) | Photos you submit to read a label are processed by our own OCR service on our server to extract text. | Contract. Processed transiently and never sent to any third party; not stored unless you save the photo to an item. |
| Transactional email | Your email address, to send sign-in / magic links, verification and notifications, via our Swiss email provider. | Contract. Sent as needed; not used for marketing. |
| Security & operation | One essential session cookie and minimal server logs needed to keep you signed in and protect the service. | Our legitimate interest / legal obligation. Logs are kept short-term. |
Cookies & local storage
We use a single strictly necessary cookie to keep you signed in — nothing for advertising or tracking. Your display preferences (theme, view) are stored locally in your own browser and are never sent to us.
Who can see it, and where it's kept
Recipients. Other members see only what you choose to share publicly, or your contact details when you send them a request. We rely on Infomaniak (Switzerland) as our hosting and email provider, acting as our processor. If you sign in with Google or GitHub, those providers process your authentication under their own privacy policies. We do not share your data with advertisers or data brokers.
Storage & transfers. Your data is hosted in Switzerland. We don't transfer it abroad ourselves; the only cross-border processing is what Google/GitHub (sign-in) or our email provider carry out on their own infrastructure when you use those features. For users in Japan, storing your data in Switzerland is a cross-border transfer under the APPI — you consent to it when you sign up, and Switzerland provides a comparable level of data protection.
Your rights
Under the nLPD, the GDPR and Japan's APPI you can, at any time:
- Access the data we hold about you and know how it's processed (APPI: disclosure / 開示).
- Correct anything inaccurate (APPI: correction / 訂正), or delete it / ask us to stop using it (APPI: suspension of use / 利用停止) — you can remove any item, or your whole account, yourself.
- Export your data — your full inventory downloads to CSV from the items page at any time (portability).
- Restrict or object to processing, and withdraw consent where processing is based on it.
- Complain to a supervisory authority — in Switzerland the FDPIC; in the EU your national data-protection authority; in Japan the Personal Information Protection Commission (PPC).
To exercise any of these, use the contact form. We answer within the time limits set by law.
Security & changes
Passwords are hashed, all traffic runs over HTTPS, and access to your items is owner-scoped. We'll post any change to this notice here. Last updated 28 June 2026.