
Privacy policy
Last updated: 03-06-2026
This Privacy Policy explains how Aphy AG (“Aphy”, “we”, “us”) collects and uses personal data in connection with our website, products and services (the “Services”).
1. Controller and Contact
Controller: Aphy AG, Chaltenbodenstrasse 16, 8834 Schindellegi, Switzerland
Email: simplify@aphy.com
If you have questions or requests regarding your personal data, contact us at the email above.
2. Scope
This Privacy Policy applies to:
- visitors to our website;
- users of the Aphy platform (customer admins and end users);
- business contacts (prospects, partners, suppliers);
- individuals whose data is processed through our Services on behalf of customers (see Section 4).
3. Personal Data We Collect
3.1 Data you provide
- Account data: name, work email, role, company, property name(s)
- Communications: emails, support tickets, meeting notes
- Billing details: invoice contact, payment-related business data (we do not intend to store payment card data)
3.2 Data collected automatically
- Device and usage data: IP address, browser type, pages viewed, timestamps, interaction logs
- Cookies and similar technologies (see Section 10)
3.3 Data from third parties
If integrated with third-party systems (e.g., PMS), we may receive technical identifiers and operational data necessary to provide the Services.
4. Data Processed on Behalf of Customers
When customers use Aphy to process operational workflows (e.g., reporting), they may upload or generate personal data relating to their guests, staff, or other individuals. In such cases:
- the customer is typically the controller; and
- Aphy acts as processor and processes data only under the customer’s instructions, as set out in our DPA.
Aphy does not carry out automated decision-making within the meaning of Article 22 GDPR that produces legal or similarly significant effects on individuals.
5. Purposes and Legal Bases
We process personal data for the following purposes:
- Provide and operate the Services (account administration, authentication, workflow execution, support)
  - Legal basis: performance of a contract; legitimate interests
- Improve and secure the Services (monitoring, troubleshooting, analytics, fraud prevention, security)
  - Legal basis: legitimate interests; legal obligations where applicable
- Sales, marketing and relationship management (B2B communications, demos, events)
  - Legal basis: legitimate interests; consent where required
- Compliance and legal (record keeping, enforcing terms, responding to lawful requests)
  - Legal basis: legal obligations; legitimate interests
Where Swiss law applies, we process personal data in accordance with the Swiss Federal Act on Data Protection (FADP) and related ordinances.
6. Sharing of Personal Data
We may share personal data with:
- Service providers (subprocessors) such as hosting, analytics, email delivery, customer support tooling, and security providers;
- Professional advisors (legal, accounting) and auditors;
- Authorities if required by law.
We do not sell personal data. We do not use personal data, including data accessed via Google APIs or Microsoft Graph, to serve advertising. We do not use Google user data or Microsoft user data to train generalized or non-individualized AI/ML models.
7. International Data Transfers
If we transfer personal data outside Switzerland/EU/EEA, we implement appropriate safeguards (such as Standard Contractual Clauses or other recognised mechanisms), and additional measures where required.
8. Retention
We retain personal data only as long as necessary for the purposes above, including:
- account data: for the duration of the active account and for up to 3 years following account closure, to comply with legal and contractual obligations, after which it is deleted or anonymised;
- support communications: typically up to 2 years;
- logs: typically 30 days, unless required for security investigations.
Customers can request deletion or return of customer data as described in our DPA and contract terms.
9. Security
We use reasonable technical and organisational measures to protect personal data, including access controls, encryption in transit (TLS 1.2 or higher), encryption at rest for credentials and tokens (AES-256, keys managed in Azure Key Vault), and continuous monitoring. No system is completely secure; users must also protect their credentials.
10. Use of Google APIs (Gmail Integration)
Aphy offers an optional integration with Gmail that allows hotel staff to connect their work mailbox to the Aphy platform. This integration uses Google’s official OAuth 2.0 flow; Aphy never receives a user’s Google password. Connecting Gmail is voluntary and can be revoked at any time.
What we access. When a user connects their Gmail account, Aphy requests the following Google API scopes:
- gmail.readonly - Read messages, threads, labels and metadata. Used to detect reservation requests, parse OTA booking confirmations, and surface relevant guest communication in the Aphy inbox.
- gmail.modify - Add or remove labels, mark messages as read, create or edit drafts. Used to organise processed messages, mark items handled, and prepare reply drafts for user review before sending.
- gmail.send - Send email on behalf of the connected mailbox. Used to deliver replies explicitly composed or approved by the user within Aphy. No message is sent without an explicit user action.
- openid, email, profile - Identify the connected Google account and associate the OAuth grant with the correct Aphy user.
How we store credentials. OAuth refresh tokens and access tokens are encrypted at rest using AES-256 with keys managed in Azure Key Vault, and are transmitted only over TLS 1.2 or higher. Tokens are scoped to the individual user account and are never exposed to other tenants or shared with third parties.
Limited Use of Google user data. Aphy’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Google user data is used only to provide and improve the user-facing features of the Aphy platform that the user has connected Gmail for.
- Google user data is not used to serve advertisements of any kind.
- Google user data is not sold, rented, or transferred to third parties for unrelated purposes.
- Google user data is not used to train generalized or non-individualized machine-learning or AI models. Where Aphy uses AI to assist with email classification or reply drafting, that processing is performed per user on that user’s own data solely to deliver the feature requested, and is not retained for model training.
- Access to Google user data by Aphy personnel is limited to the minimum needed to operate the service, troubleshoot at the user’s request, or comply with law, and is logged.
Retention and deletion. When a user disconnects their Gmail account from Aphy integration settings, Aphy: (1) revokes the OAuth refresh token with Google immediately; (2) deletes the stored OAuth credentials; (3) deletes cached Gmail message metadata within 30 days. Users can also revoke access at any time from their Google Account at https://myaccount.google.com/permissions.
Contact. Questions about Aphy’s use of Google user data can be sent to simplify@aphy.com.
11. Use of Microsoft Graph (Outlook / Microsoft 365 Integration)
Aphy offers an optional integration with Outlook and Microsoft 365 mailboxes that allows hotel staff to connect their work or personal Microsoft mailbox to the Aphy platform. This integration uses Microsoft’s official OAuth 2.0 flow via Microsoft Entra ID; Aphy never receives a user’s Microsoft password. Connecting Outlook is voluntary and can be revoked at any time.
What we access. When a user connects their Microsoft account, Aphy requests the following Microsoft Graph permissions in delegated (per-user) mode:
- Mail.ReadWrite - Read, organise, update, and delete messages; create and edit drafts; add or remove mail categories. Used to detect reservation requests, surface guest emails in the Aphy inbox, mark items as handled, and prepare reply drafts the user reviews before sending.
- Mail.Send - Send email on behalf of the connected mailbox. Used to deliver replies explicitly composed or approved by the user within Aphy. No message is sent without an explicit user action.
- offline_access - Issue a refresh token so the connection survives across sessions. Required to keep the integration working without requiring re-authentication every hour.
- openid, email, profile - Identify the connected Microsoft account and associate the OAuth grant with the correct Aphy user.
Aphy supports both Microsoft Entra ID work/school accounts (Microsoft 365, Azure AD) and personal Microsoft accounts (Outlook.com / Hotmail / Live).
How we store credentials. OAuth refresh tokens and access tokens are encrypted at rest using AES-256 with keys managed in Azure Key Vault, and are transmitted only over TLS 1.2 or higher. Tokens are scoped to the individual user account and are never exposed to other tenants or shared with third parties.
Limited use of Microsoft user data. Aphy uses data accessed via Microsoft Graph only to provide the user-facing features of the Aphy platform that the user has connected their Microsoft mailbox for. Specifically:
- Microsoft user data is not used to serve advertisements.
- Microsoft user data is not sold, rented, or transferred to third parties for unrelated purposes.
- Microsoft user data is not used to train generalized or non-individualized machine-learning or AI models. Where Aphy uses AI to assist with email classification or reply drafting, that processing is performed per user on that user’s own data solely to deliver the feature requested, and is not retained for model training.
- Access by Aphy personnel is limited to the minimum needed to operate the service, troubleshoot at the user’s request, or comply with law, and is logged.
Aphy’s use of Microsoft Graph data complies with the Microsoft APIs Terms of Use and applicable Microsoft Online Services Terms.
Retention and deletion. When a user disconnects their Microsoft account from Aphy integration settings, Aphy: (1) revokes the OAuth refresh token with Microsoft immediately; (2) deletes the stored OAuth credentials; (3) deletes cached Outlook message metadata within 30 days. Users can also revoke access at any time from https://myaccount.microsoft.com/apps.
Contact. Questions about Aphy’s use of Microsoft user data can be sent to simplify@aphy.com.
12. Cookies
We use cookies and similar technologies for:
- essential website functionality;
- analytics and performance; and
- marketing.
You can manage your cookie preferences through our cookie consent tool, accessible via the banner on our website, or through your browser settings.
13. Your Rights
Depending on your location, you may have rights to:
- access, correct, delete, or restrict processing;
- object to processing;
- portability; and
- withdraw consent (where processing is based on consent).
To exercise rights, contact simplify@aphy.com. We will respond within one month of receipt. We may need to verify your identity before processing your request.
If we process data on behalf of a customer, we may refer your request to that customer.
You may also have the right to lodge a complaint with your local supervisory authority.
14. Children
Our Services are not directed to children. We do not knowingly collect personal data from children.
15. Changes
We may update this Privacy Policy from time to time. We will post the updated version and update the “Last updated” date. Material changes may be notified through the Services.















