Legal
Privacy policy
Effective
Troisroues is an invitation-only members’ events platform. We process personal data so that members can sign in, RSVP to events, receive event-related notifications, and manage their profile. This policy explains what we collect, why, who we share it with, where it lives, and how to exercise your rights under the revised Swiss Federal Act on Data Protection (revFADP).
1 · Who is responsible
Troisroues is a private project run by two natural persons, jointly the controller in the sense of Art. 5 lit. j revFADP:
Tim Fischer and Luca Macchi
Switzerland
support@troisroues.org
There is no company behind the project. You can reach either of us at the address above for any question about this policy or to exercise your rights.
2 · What personal data we process
We process the following categories of personal data:
- Identity and contact data — email address, display name, phone number, country, account creation date. Email, display name, and phone number are encrypted at rest using HashiCorp Vault Transit; the email also exists as a keyed HMAC blind index used for login lookup, never as plaintext on disk.
- Authentication data — your password is never stored; we keep only a salted PBKDF2 hash. Refresh tokens are stored as SHA-256 hashes; the plaintext lives only on your device.
- Membership data — your role (Member, Trusted, Diamond, Admin), the user who invited you, the invitations you have issued, and the timestamps of acceptance, revocation, or expiry.
- Event participation data — RSVPs to events, plus-one count, dietary preference, arrival selection, and a free-text note (encrypted at rest), plus approval / rejection state and timestamps.
- Device data — Apple Push Notification tokens (encrypted at rest, blind-indexed), so we can send you notifications about RSVPs and events. The token is opaque to us and is removed when you sign out or delete the app.
- Audit log — for every administrative action and security-relevant event we record the acting user’s identifier, the action, the affected entity, a small JSON metadata blob, and the timestamp. No IP address and no email are stored in this table.
- Server logs — sign-in and token-refresh attempts produce structured server logs that include the client IP and a hashed email reference, kept for security monitoring. Logs are short-lived and rotate on the host.
We do not process special categories of personal data (Art. 5 lit. c revFADP), with one exception: dietary preferences may reveal information about health or religion. We treat these as sensitive and store them only in encrypted form, accessible to event organisers for the specific event you have RSVP’d to.
3 · Why we process it
The legal bases under Art. 31 revFADP are:
- Performance of the membership relationship — sign-in, RSVP, event invitations, member-to-member invitations, push notifications about your events.
- Legitimate interest — security monitoring, abuse prevention, audit logging, and operating the service.
- Legal obligation — responding to lawful requests from competent Swiss authorities.
- Your consent, where applicable — for example when you opt in to push notifications via the iOS system prompt. You can withdraw consent at any time.
We do not use your data for advertising. We do not sell or rent personal data. We do not perform automated decision-making with legal or similarly significant effects on you (Art. 21 revFADP).
4 · Who we share data with
We share personal data only with the processors listed below and only to the extent strictly necessary to provide the service. Each processor is bound by a written data-processing agreement.
- Resend, Inc. (United States) — sends transactional email (invitations, account-related messages). Receives recipient email and message content.
- Apple Inc. (United States) — delivers push notifications via the Apple Push Notification service. Receives an opaque device token and the notification payload. We do not include personal content beyond an event identifier in the payload.
- Cloudflare, Inc. (United States, with global edge presence) — provides TLS termination, DDoS protection, and DNS for troisroues.org. May briefly process IP addresses and request headers.
- Hosting infrastructure — the application and database run on a single dedicated server located in Switzerland. The server is administered by us; the data centre operator does not access application data.
Event organisers (Admins) within Troisroues see, for events they manage, the names, RSVPs, dietary preferences, and arrival selections of attendees — strictly to run the event.
5 · Transfers abroad
Where we transfer personal data outside Switzerland, we do so only to states that the Swiss Federal Council recognises as providing adequate data protection, or under appropriate safeguards within the meaning of Art. 16 para. 2 revFADP.
- Switzerland — primary hosting location; no transfer abroad takes place for the data we hold.
- United States — Resend, Apple, and Cloudflare process personal data in the United States. The US is recognised by the Federal Council as providing adequate protection for transfers under the Swiss-US Data Privacy Framework where the recipient is certified; otherwise we rely on the EU Standard Contractual Clauses adapted for Switzerland by the FDPIC.
You can request a copy of the safeguards in place by writing to support@troisroues.org.
6 · How long we keep it
We keep personal data only as long as necessary for the purposes listed above:
- Account data — for the lifetime of your account. When you delete your account from inside the iOS app, we erase your row entirely along with your RSVPs, push tokens, and any unused invitations you issued. The link between you and the user who invited you is severed. Consumed invitations remain in the platform with the issuer reference anonymised. We retain audit-log entries (with actor identity stripped and metadata cleared) only for security and incident-response purposes, with no link back to you.
- Audit log — currently retained for the lifetime of the service for security and incident-response purposes. The table holds only pseudonymous identifiers (no email, no name); when an account is deleted, the associated entries are anonymised by severing the link to the actor. We are working on an automated time-bounded retention policy and will update this section when it ships.
- Refresh tokens — until they expire, rotate, or are revoked by sign-out.
- Backups — encrypted snapshots are retained for up to 30 days for disaster recovery and then destroyed.
7 · How we protect it
We apply technical and organisational measures appropriate to the risk (Art. 8 revFADP, Art. 1–6 revFADP-Ordinance):
- HTTPS-only transport with HSTS, CSP with per-request nonces, and a tight allowlist of origins.
- Column-level encryption at rest for email, phone, name, and other identifying fields, using HashiCorp Vault Transit with keys that never leave the Vault server.
- Blind-index HMACs for searchable fields so that the database cannot resolve a plaintext email even from a full-table scan.
- ASP.NET Identity for password hashing, ECDSA-signed access tokens with a 16-minute lifetime, refresh-token rotation, lockout after five failed sign-ins, and rate-limiting on authentication endpoints.
- iOS app stores the refresh token in the Keychain, gated by Face ID / Touch ID where the device supports it.
- Audit logging of authentication and admin actions, with log shipping to a tamper-evident store.
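The blind-index lookup described in section 2 and the blind-index and refresh-token measures listed above, as an added illustration that is not Troisroues' own code: the HMAC key, the in-memory user rows and the column names are constructed placeholders, and it is written in Python rather than the ASP.NET stack the service runs on.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder key for the demo; a real deployment keeps the HMAC key in the
# secrets manager, separate from the encryption key and never in the indexed database.
BLIND_INDEX_KEY = bytes.fromhex("0f" * 32)

def normalize_email(email: str) -> str:
    """Canonicalise so that 'Alice@Example.org ' and 'alice@example.org' index alike."""
    return email.strip().lower()

def email_blind_index(email: str, key: bytes = BLIND_INDEX_KEY) -> str:
    """Keyed HMAC-SHA256 over the normalised email: deterministic, so it is searchable,
    but without the key someone holding the table cannot confirm a guessed address."""
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()

def refresh_token_hash(token: str) -> str:
    """Plain SHA-256 suffices for a 256-bit random token: there is nothing to dictionary-guess."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_refresh_token(row: dict) -> str:
    """Generate a token, store only its hash server-side, hand the plaintext to the device."""
    token = secrets.token_urlsafe(32)
    row["refresh_hash"] = refresh_token_hash(token)
    return token

# Constructed stand-in for the users table. 'email_ct' represents the Vault Transit
# ciphertext (opaque here); login never touches it, only the blind-index column.
USERS = [
    {"id": 1, "email_bidx": email_blind_index("alice@example.org"),
     "email_ct": "vault:v1:<ciphertext>", "refresh_hash": None},
    {"id": 2, "email_bidx": email_blind_index("bob@example.org"),
     "email_ct": "vault:v1:<ciphertext>", "refresh_hash": None},
]

def find_user_by_email(table: list, email: str) -> Optional[dict]:
    """Login lookup: recompute the blind index and match it; no plaintext email is needed."""
    wanted = email_blind_index(email)
    return next((r for r in table if hmac.compare_digest(r["email_bidx"], wanted)), None)

def verify_refresh_token(row: dict, presented: str) -> bool:
    """Compare the hash of the presented token against the stored hash in constant time."""
    stored = row.get("refresh_hash")
    return stored is not None and hmac.compare_digest(stored, refresh_token_hash(presented))
```

A database dump therefore yields only HMAC digests and ciphertext; the lookup key lives with the application, not in the table it indexes.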
8 · Your rights
As a data subject under the revFADP you have the right to:
- Access the personal data we hold about you (Art. 25).
- Rectify inaccurate data (Art. 32 para. 1).
- Erase data we no longer need or that you consented to and now withdraw (Art. 32 para. 2). You can erase your account directly from the iOS app under Card → ⋯ → Delete data.
- Object to processing carried out under our legitimate interest, where your interest in the protection of your data overrides ours (Art. 30 para. 2 lit. b).
- Receive a structured, machine-readable export of the data you have provided to us (Art. 28 — data portability). Write to support@troisroues.org and we will deliver it within 30 days.
- Lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC, Feldeggweg 1, 3003 Bern, edoeb.admin.ch).
We respond to verified requests within 30 days. We may ask for a proof of identity proportionate to the request, to prevent disclosure to third parties.
10 · Children
Troisroues is not directed at, and not intended for use by, persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has accessed the service, contact us and we will erase the account.
11 · Changes to this policy
We may update this policy as the service evolves. The effective date at the top reflects the latest version. Material changes will be communicated via email to the address on your account at least 14 days before they take effect.
Questions? Write to support@troisroues.org. See also our terms of use.