Last updated: April 14, 2026
The purpose of this policy is to inform data subjects about the processing of personal data carried out by ark.swiss sàrl, in accordance with Article 19 of the Swiss Federal Act on Data Protection (FADP, revised and in force since 1 September 2023) and Article 13 of the General Data Protection Regulation (GDPR).
1. Data controller
ark.swiss sàrl
Chemin de la Duchesne 13, 1806 St-Légier, Canton of Vaud, Switzerland
General email: info@arkstock.ch
Data protection email: privacy@ark.swiss
2. Data subjects and data collected
- Visitors to arkstock.ch: technical server logs (truncated IP, user agent, page visited, date and duration).
- Prospects (signup form): first name, last name, email, optional phone number, organisation name, desired subdomain, chosen product and plan.
- Customers: login credentials, preferences, billing history, support correspondence.
- Customer accounting and fiduciary data (third-party data): bookkeeping entries, supporting documents, contact and client data, processed on behalf of the Customer, which is the data controller; ark.swiss sàrl acts as data processor.
3. Purposes of processing
- Performance of the subscription contract and provision of the Service (Compta, Fiduciaire, Budget).
- Billing and collection.
- Technical support and transactional communication.
- Security, fraud prevention and Service integrity.
- Service improvement on the basis of aggregated statistics.
- Compliance with legal obligations (accounting, tax, AMLA where applicable for fiduciary clients).
4. Legal basis
- Performance of the contract (Art. 6 §1 lit. b GDPR; Art. 31 §2 lit. a FADP) — account, billing, support data.
- Legal obligation (Art. 6 §1 lit. c GDPR; Art. 958f CO) — accounting retention of invoices for 10 years.
- Legitimate interest (Art. 6 §1 lit. f GDPR; Art. 31 §1 FADP) — Service security, abuse prevention, aggregated product improvement.
- Consent (Art. 6 §1 lit. a GDPR; Art. 31 §1 FADP) — for optional AI features and non-strictly contractual communications.
5. Recipients and subprocessors
| Subprocessor | Location | Purpose |
|---|---|---|
| Infomaniak Network SA | Geneva, Switzerland | Application and database hosting, transactional SMTP |
| Stripe Payments Europe Ltd. | Dublin, Ireland (EU) | Card payment processing |
| Cloudflare, Inc. | San Francisco, USA | CDN, DNS, network protection (SCCs + adequacy) |
| OpenAI Ireland Ltd. | Dublin, Ireland (EU) | AI models for accounting categorisation (optional activation) |
| Anthropic Ireland Ltd. | Dublin, Ireland (EU) | AI models for assistance and drafting (optional activation) |
| Google Cloud EMEA Ltd. | Dublin, Ireland (EU) | Complementary AI models (optional activation) |
| Umami (self-hosted by ark.swiss sàrl) | Switzerland | Cookieless analytics |
ark.swiss sàrl does not use any third-party commercial behavioural analytics service (no Google Analytics, no Meta Pixel, no LinkedIn Insight, no Hotjar, no Intercom). AI providers are used solely under contractual commitments forbidding training of their models on Customer data.
6. International transfers
Application data (accounts, bookkeeping entries, fiduciary documents) is hosted exclusively in Switzerland at Infomaniak Network SA. Data strictly necessary for payment processing transits through Stripe Payments Europe Ltd. (Ireland, European Union) under applicable adequacy decisions. AI provider requests transit through European entities where technically possible. Transfers to the United States (Cloudflare) are governed by the EU-U.S. Data Privacy Framework and, subsidiarily, by the European Commission's standard contractual clauses.
7. Retention periods
- Account data: duration of the subscription + 30 days after termination.
- Customer Content: duration of the subscription + 30 days (export window).
- Invoices and accounting records: 10 years (Art. 958f CO). This statutory obligation prevails over the right to erasure.
- Technical logs: 12 months maximum.
- Prospect data: 24 months maximum after last contact.
8. Security
Technical and organisational measures include: encryption in transit (TLS 1.2 minimum), AES-256-GCM encryption at rest for credentials and tokens, database isolation per container, daily encrypted backups, access logging, mandatory multi-factor authentication on administrator accounts, quarterly access reviews, and regular security testing.
9. Data subject rights
In accordance with Art. 25 et seq. FADP and Art. 15 to 22 GDPR, you have the following rights:
- Right of access (Art. 25 FADP / Art. 15 GDPR).
- Right to rectification (Art. 32 FADP / Art. 16 GDPR).
- Right to erasure (Art. 32 FADP / Art. 17 GDPR), subject to the 10-year statutory retention for invoices.
- Right to portability (Art. 28 FADP / Art. 20 GDPR) — JSON/CSV export and native Crésus export for ark.stock Compta.
- Right to object (Art. 30 FADP / Art. 21 GDPR).
- Right to withdraw consent at any time (Art. 30 FADP / Art. 7 §3 GDPR).
To exercise these rights, write to privacy@ark.swiss. A response is provided within a maximum of 30 days. Identity verification may be requested in case of reasonable doubt.
10. Automated decisions and profiling
ark.swiss sàrl does not make any automated individual decisions producing legal effects within the meaning of Art. 21 FADP and Art. 22 GDPR. Accounting categorisation suggestions produced by AI models are always subject to human validation by the Customer or its accountant; no entry is recorded without validation.
11. Cookies
Cookies and trackers are described in the Cookie Policy.
12. Data breaches
In the event of a data security breach presenting a risk to data subjects, ark.swiss sàrl notifies the Federal Data Protection and Information Commissioner (FDPIC) within 72 hours of becoming aware (Art. 24 FADP, Art. 33 GDPR) and informs affected data subjects if the risk is high (Art. 34 GDPR).
13. Supervisory authority
You have the right to lodge a complaint with a supervisory authority:
- Switzerland — Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.
- European Union — supervisory authority of your country of residence (e.g. CNIL in France).
14. Data protection contact
ark.swiss sàrl is not legally required to appoint a Data Protection Officer (DPO). Requests are handled by a dedicated contact point: privacy@ark.swiss.
For B2B customers (fiduciaries, firms, companies subject to GDPR/FADP), a formal Data Processing Agreement (DPA), compliant with Art. 28 GDPR and Art. 9 FADP, is available and automatically accepted upon subscription. A PDF version signed by both parties can be provided upon request at privacy@ark.swiss.
15. Changes
This policy may be amended. Any material amendment is notified by email and an archived version remains available on request.
In case of discrepancy between language versions, the French version prevails.