Privacy Policy

Last updated: March 2026

      DitherLab processes all images entirely in your browser. No image data is ever
      uploaded to any server. The only personal data we handle is your email address
      for Pro access and payment processing.
    

1. Data Controller

DitherLab is operated by RDI, St Prex, Switzerland.
Contact for data protection matters: privacy@ditherlab.pro

This policy is governed primarily by the Swiss Federal Act on Data Protection (nDSG, in force since 1 September 2023). Where DitherLab processes personal data of individuals located in the EU/EEA, the EU General Data Protection Regulation (GDPR) also applies to those individuals. Switzerland is recognised as a country with an adequate level of data protection by the European Commission.

2. Data We Collect

Email address — provided at checkout and used to identify your Pro entitlement and authenticate your account.
Payment information — collected and stored by Stripe on our behalf. We never store card numbers or banking details.
Stripe customer ID & checkout session ID — stored to link your purchase to your Pro entitlement.

We do not use analytics cookies or tracking pixels. We do not build user profiles or sell data to third parties. All image processing happens locally on your device.

3. Legal Basis for Processing

Under the nDSG, processing is lawful when it is proportionate, necessary for a legitimate purpose, and not unduly intrusive. Under GDPR (for EU/EEA individuals), the applicable legal bases are:

Contract performance (Art. 6(1)(b) GDPR) — to process your payment, grant Pro access, and verify your entitlement when you sign in.
Legitimate interest (Art. 6(1)(f) GDPR / nDSG Art. 31) — to detect and prevent fraudulent chargebacks and abuse of the licence system.
Legal obligation (Art. 6(1)(c) GDPR / CO) — to retain transaction records as required by Swiss accounting and tax law (Art. 958f CO; typically 10 years).

4. Third-Party Processors

Stripe (stripe.com/privacy) — payment processing. Stripe operates as a data processor and handles card data under PCI-DSS. Stripe may also act as an independent controller for fraud-prevention purposes.
Supabase (supabase.com/privacy) — authentication and database. Stores your email and Pro entitlement record. Data resides on servers within the EU (AWS eu-west region by default) and benefits from the EU–Switzerland adequacy framework.
Vercel (vercel.com/legal/privacy-policy) — website hosting and serverless functions. May process request metadata (IP address, user-agent) for routing, security, and operational purposes.

5. Data Retention

Your email and Pro entitlement record are retained for as long as your licence is active. Transaction and accounting records are kept for a minimum of 10 years from the date of purchase in accordance with Art. 958f of the Swiss Code of Obligations (CO). You may request deletion of your account data at any time — see Section 7 below. Note that deletion of transaction records cannot be fulfilled during the mandatory retention period.

6. International Data Transfers

Stripe may transfer personal data outside Switzerland and the EEA. Stripe participates in the EU–US Data Privacy Framework and uses Standard Contractual Clauses where applicable, providing an adequate level of data protection pursuant to nDSG Art. 16 and GDPR Art. 46. Supabase hosts EU-region project data within the EU by default.

7. Your Rights

Under the nDSG, you have the right to request information about, rectification or deletion of, and restriction of processing of your personal data. Under the GDPR (if applicable), you additionally have the right to data portability and the right to object to processing based on legitimate interest.

To exercise any of these rights, contact privacy@ditherlab.pro. We will respond within 30 days. We may verify your identity before acting on a request.

If you are in Switzerland and believe your data rights have been infringed, you may lodge a complaint with the Federal Data Protection and Information Commissioner (edoeb.admin.ch). If you are in the EU/EEA, you may contact your local supervisory authority.

8. Security

Access to your entitlement record is protected by Supabase Row Level Security (RLS) — only you can read your own row after authenticating. All data is transmitted over HTTPS/TLS. We do not store passwords; authentication uses OAuth (Google, GitHub) or one-time email links issued by Supabase.

9. Changes to This Policy

We may update this policy periodically. Material changes will be communicated on the DitherLab website. Continued use of the service after the effective date constitutes acceptance of the revised policy.

Questions? privacy@ditherlab.pro · Terms of Service · RDI · St Prex, Switzerland