Currently available on request — contact us for a personalized quote.

Demo Request a quote Quote
§99 Legal REF. ARKSTOCK-LEGAL-CONFIDENTIALITE

Privacy Policy

Last updated : 18 May 2026.

Last updated: May 18, 2026

The purpose of this policy is to inform data subjects about the processing of personal data carried out by ark.swiss sàrl, in accordance with Article 19 of the Swiss Federal Act on Data Protection (FADP, revised and in force since 1 September 2023) and Article 13 of the General Data Protection Regulation (GDPR).

1. Data controller

ark.swiss sàrl
Chemin de la Duchesne 13, 1806 St-Légier, canton de Vaud, Suisse
General email: info@arkstock.ch
Data protection email: privacy@ark.swiss

2. Data subjects and data collected

  • Visitors to arkstock.ch: technical server logs (truncated IP, user agent, page visited, date and duration).
  • Prospects (signup form): first name, last name, email, optional phone number, organisation name, desired subdomain, chosen product and plan.
  • Customers: login credentials, preferences, billing history, support correspondence.
  • Customer accounting and fiduciary data (third-party data): bookkeeping entries, supporting documents, contact and client data, processed on behalf of the Customer, which is the data controller; ark.swiss sàrl acts as data processor.

3. Purposes of processing

  • Performance of the subscription contract and provision of the Service.
  • Billing and collection.
  • Technical support and transactional communication.
  • Security, fraud prevention and Service integrity.
  • Service improvement on the basis of aggregated statistics.
  • Compliance with legal obligations (accounting, tax, AMLA where applicable for fiduciary clients).

4. Legal basis

  • Performance of the contract (Art. 6 §1 lit. b GDPR; Art. 31 §2 lit. a FADP) — account, billing, support data.
  • Legal obligation (Art. 6 §1 lit. c GDPR; Art. 958f CO) — accounting retention of invoices for 10 years.
  • Legitimate interest (Art. 6 §1 lit. f GDPR; Art. 31 §1 FADP) — Service security, abuse prevention, aggregated product improvement.
  • Consent (Art. 6 §1 lit. a GDPR; Art. 31 §1 FADP) — for optional AI features and non-strictly contractual communications.

5. Recipients and subprocessors

SubprocessorLocationPurpose
Infomaniak Network SAGeneva, SwitzerlandApplication and database hosting, transactional SMTP
Stripe Payments Europe Ltd.Dublin, Ireland (EU)Card payment processing
Cloudflare, Inc.San Francisco, USACDN, DNS, network protection (SCCs + adequacy)
OpenAI Ireland Ltd.Dublin, Ireland (EU)AI models for accounting categorisation (optional activation)
Anthropic Ireland Ltd.Dublin, Ireland (EU)AI models for assistance and drafting (optional activation)
Google Cloud EMEA Ltd.Dublin, Ireland (EU)Complementary AI models (optional activation)
Umami (self-hosted by ark.swiss sàrl)SwitzerlandCookieless analytics

ark.swiss sàrl does not use any third-party commercial behavioural analytics service (no Google Analytics, no Meta Pixel, no LinkedIn Insight, no Hotjar, no Intercom). AI providers are used solely under contractual commitments forbidding training of their models on Customer data.

6. International transfers

Application data (accounts, bookkeeping entries, fiduciary documents) is hosted exclusively in Switzerland at Infomaniak Network SA. Data strictly necessary for payment processing transits through Stripe Payments Europe Ltd. (Ireland, European Union) under applicable adequacy decisions. AI provider requests transit through European entities where technically possible. Transfers to the United States (Cloudflare) are governed by the EU-U.S. Data Privacy Framework and, subsidiarily, by the European Commission's standard contractual clauses.

7. Retention periods

  • Account data: duration of the subscription + 30 days after termination.
  • Customer Content: duration of the subscription + 30 days (export window).
  • Invoices and accounting records: 10 years (Art. 958f CO). This statutory obligation prevails over the right to erasure.
  • Technical logs: 12 months maximum.
  • Prospect data: 24 months maximum after last contact.

8. Security

Technical and organisational measures include: encryption in transit (TLS 1.2 minimum), encryption at rest for credentials and tokens in AES-256-GCM, database isolation per container, daily encrypted backups, access logging, mandatory multi-factor authentication on administrator accounts, quarterly access review, regular security testing.

9. Data subject rights

In accordance with Art. 25 et seq. FADP and Art. 15 to 22 GDPR, you have the following rights:

  • Right of access (Art. 25 FADP / Art. 15 GDPR).
  • Right to rectification (Art. 32 FADP / Art. 16 GDPR).
  • Right to erasure (Art. 32 FADP / Art. 17 GDPR), subject to the 10-year statutory retention for invoices.
  • Right to portability (Art. 28 FADP / Art. 20 GDPR) — JSON or CSV export, with any document PDFs attached.
  • Right to object (Art. 30 FADP / Art. 21 GDPR).
  • Right to withdraw consent at any time (Art. 30 FADP / Art. 7 §3 GDPR).

To exercise these rights, write to privacy@ark.swiss. A response is provided within a maximum of 30 days. Identity verification may be requested in case of reasonable doubt.

10. Automated decisions and profiling

ark.swiss sàrl does not make any automated individual decisions producing legal effects within the meaning of Art. 21 FADP and Art. 22 GDPR. Accounting categorisation suggestions produced by AI models are always subject to human validation by the Customer or its accountant; no entry is recorded without validation.

11. Cookies

Cookies and trackers are described in the Cookie Policy.

12. Data breaches

In the event of a data security breach presenting a risk to data subjects, ark.swiss sàrl notifies the Federal Data Protection and Information Commissioner (FDPIC) within 72 hours of becoming aware (Art. 24 FADP, Art. 33 GDPR) and informs affected data subjects if the risk is high (Art. 34 GDPR).

13. Supervisory authority

You have the right to lodge a complaint with a supervisory authority:

  • Switzerland — Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.
  • European Union — supervisory authority of your country of residence (e.g. CNIL in France).

14. Data protection contact

ark.swiss sàrl is not legally required to appoint a Data Protection Officer (DPO). Requests are handled by a dedicated contact point: privacy@ark.swiss.

For B2B customers (fiduciaries, firms, companies subject to GDPR/FADP), a formal Data Processing Agreement (DPA), compliant with Art. 28 GDPR and Art. 9 FADP, is available and automatically accepted upon subscription. A PDF version signed by both parties can be provided upon request at privacy@ark.swiss.

15. Changes

This policy may be amended. Any material amendment is notified by email and an archived version remains available on request.

16. Conversational AI agent (ark.agent)

arkstock includes a conversational agent based on artificial intelligence, named ark.agent, which assists users in their daily tasks (inventory management, equipment rentals, project follow-up, container management) via natural-language commands.

Models used. By default, ark.agent uses models hosted in Switzerland by Infomaniak (data sovereignty). Optionally, and after explicit authorisation from the instance administrator, Claude (Anthropic), GPT (OpenAI) or Gemini (Google) may be enabled. In that case, messages transit through the selected provider's servers under its terms.

Audit log. Every action performed by the agent (search, creation, modification of inventory data) is recorded in an audit log internal to the instance, retained for 90 days by default (configurable by the administrator). Arguments and results are stored as SHA-256 hashes for confidentiality and integrity.

Long-term memory. ark.agent maintains editable memories to personalise its responses (user preferences, frequent shortcuts, business vocabulary). You can view, modify or delete them at any time from Settings → My agent data.

Exercisable rights. In accordance with Art. 25 et seq. FADP and Art. 15 to 22 GDPR, you may at any time: export all your agent data (conversations, memories, audit log) as JSON and a PDF summary; delete a specific conversation; edit or delete a memory; purge all your agent data (right to be forgotten, irreversible with a 7-day recovery window). These actions are available from Settings → My agent data, or by email to privacy@ark.swiss for formal requests (response within 30 days).

In case of discrepancy between language versions, the French version prevails.