Privacy Policy

Santiago Sierra Aguirre, Sole proprietorship, operates Sierra Invoices and uses Sierra Services as a trading name or brand. You can contact us about privacy matters at santiago@sierraservices.ch or by post at 8136 Gattikon - Zurich.

This notice applies to account holders, team members, business contacts, invoice recipients, and visitors who interact with public invoice links or payment pages.

For account, support, security, and service-management data, we generally act as the controller of personal data.

When business customers use Sierra Invoices to store their own client, invoice, payment, and expense information, we generally process that data on their behalf. In those situations, the business customer is usually the primary controller for its client and invoice-recipient data, and we act as a processor or service provider except where we must use data for security, fraud prevention, legal compliance, or our own service operations.

• Account and authentication data, such as email addresses, encrypted credentials, session information, and security-related login details.
• Business profile data, such as company or owner name, postal address, phone number, VAT number, IBAN, BIC, logo, and payment settings.
• Client and invoice data, such as company names, contact names, email addresses, billing addresses, invoice numbers, line items, notes, due dates, tax information, and invoice events.
• Expense and document data, such as expense descriptions, amounts, categories, dates, notes, and uploaded receipt files.
• Payment and settlement data, such as Stripe account identifiers, checkout session identifiers, payment status, amount, currency, and payment references.
• Support and onboarding data, such as emails, spreadsheets, notes, or setup details you share when asking for help or booking optional onboarding.
• Technical and device data generated when the service or public invoice pages are used, including log, browser, network, and session information made available by your device, hosting infrastructure, or integrated providers.

• To create and manage accounts, authenticate users, and secure the service.
• To let users create, send, display, duplicate, remind, download, and track invoices.
• To host business records, client records, expense records, and uploaded files.
• To send transactional emails such as welcome emails, invoice emails, and reminders.
• To enable online invoice payment and reconcile payment events.
• To answer support requests and provide optional onboarding assistance.
• To provide support, maintain uptime, troubleshoot incidents, and prevent abuse.
• To comply with bookkeeping, tax, anti-fraud, legal, regulatory, and audit obligations.

Where Swiss data-protection law, the GDPR, or similar laws require a legal basis, we rely on the basis that fits the specific processing activity.

• Contract performance for account setup, authentication, invoice and expense features, public invoice pages, payment workflows, and support requested by users.
• Legal obligations for tax, bookkeeping, accounting retention, sanctions, fraud-prevention, dispute, and regulatory requirements.
• Legitimate interests for service security, abuse prevention, troubleshooting, product reliability, basic business administration, and defending legal claims, balanced against the rights and expectations of affected individuals.
• Consent where the service asks for consent, such as optional legal acknowledgements or future non-essential tracking if it is introduced.

If processing relies on consent, you may withdraw that consent for future processing by contacting us at santiago@sierraservices.ch, without affecting processing that was lawful before withdrawal.

We share personal data only when needed to operate the service, comply with law, or protect our rights.

• Hosting, database, authentication, and file storage providers help us run the application and store data securely.
• Email delivery providers help us send welcome emails, invoices, and reminders.
• Support communications may include the messages and files you share with us when requesting onboarding or account help.
• Payment providers such as Stripe or Stripe Connect process online invoice payments and payment-account onboarding.
• Professional advisers, authorities, and courts may receive data where required for legal compliance, fraud prevention, enforcement, or dispute handling.

We do not describe selling your personal data in this service model. If the way the platform uses data changes materially, this policy will be updated before that new use is relied on.

If a business user shares a public invoice link, the invoice details needed to review or pay that invoice may be visible to anyone with that link. Public links should therefore be shared carefully and only with intended recipients.

Online card payments are handled through third-party payment infrastructure. We do not receive or store full card numbers in the application database.

We use session technologies, cookies, and local storage for essential features such as authentication, session persistence, theme preferences, PWA behavior, security, and similar service functionality.

This build does not describe advertising trackers or a separate marketing analytics stack. If non-essential tracking, advertising cookies, or profiling technologies are added later, we will update this Privacy Policy and obtain consent where required.

Our service providers may process data in Switzerland, the European Economic Area, the United Kingdom, the United States, and other countries where they operate.

Where required, we rely on adequacy decisions, contractual safeguards, or comparable transfer mechanisms for cross-border processing.

We retain personal data for as long as needed to provide the service, protect the platform, resolve disputes, enforce agreements, and comply with legal obligations.

• Account and workspace records are usually kept while the account is active and for a reasonable period afterward for security, dispute, and business-continuity reasons.
• Invoice, payment, receipt, expense, bookkeeping, and audit-related records may need to be retained for the legal retention period that applies to the relevant business records.
• Transactional emails, support messages, logs, and security records are retained for the period needed to operate, secure, and evidence the service, then deleted or anonymized when no longer needed.

Invoice, expense, payment, bookkeeping, and audit-related records may need to be kept even after account access ends. Because of those obligations, we do not promise immediate deletion of all records on request where retention is legally required.

Depending on the laws that apply to you, you may have rights to access, correct, export, restrict, object to, or request deletion of your personal data, and to complain to a data protection authority.

To exercise those rights, contact us at santiago@sierraservices.ch. If you are an invoice recipient and your data was uploaded by one of our business customers, we may need to direct your request to that customer where they act as the primary controller.

You may also have the right to complain to a competent data-protection authority. In Switzerland, that authority is the Federal Data Protection and Information Commissioner (FDPIC). If you are in the EEA or UK, you may contact your local supervisory authority.

We do not use the current service to make decisions based solely on automated processing that produce legal or similarly significant effects for individuals. If that changes, this policy will be updated before that processing is relied on.

We use technical and organizational measures designed to protect personal data. No method of storage, transmission, or security control is completely foolproof, so we cannot guarantee absolute security.

We may update this Privacy Policy from time to time. When we do, we will post the updated version at https://invoices.sierraservices.ch/privacy and change the last-updated date at the top of this page.