Last updated: 2026-05-18
1. Context — the 2023 revised FADP
The revised Swiss Federal Act on Data Protection (FADP, also "nLPD") entered into force on 1 September 2023. It replaces the 1992 FADP and strengthens the rights of data subjects as well as the obligations of controllers and processors. ark.plan has been designed from the outset to comply with this legal framework, even before opening its market to European customers subject to GDPR.
2. Why ark.plan is "FADP-first"
- 100% Swiss hosting of application data at Infomaniak Network SA in Geneva.
- Per-Instance isolation: each customer receives a dedicated Docker container and an isolated PostgreSQL database. No customer data is shared between Instances.
- Encryption at rest for credentials and OAuth tokens using AES-256-GCM.
- Application data is stored exclusively in Switzerland; only the payment flow transits through Stripe Payments Europe Ltd. in Ireland (EU). Optional AI features, which can be disabled at any time, involve a transfer of the relevant text to US subprocessors (Anthropic, OpenAI, Google) covered by Standard Contractual Clauses.
- Cookieless analytics (self-hosted Umami), no third-party commercial tracker.
3. FADP obligations and our response
| FADP article | Obligation | ark.plan response |
|---|---|---|
| Art. 5 | Definitions (data, processing, profiling) | Terminology used consistently across all our legal pages |
| Art. 6 | Principles: lawfulness, good faith, proportionality, purpose, accuracy, limited retention | Purposes and retention periods detailed in the Privacy Policy |
| Art. 8 | Data security | Documented technical and organisational measures (DPA Annex A) |
| Art. 9 | Processing by a processor | DPA annexed to the Terms, accepted upon subscription; public list of subprocessors |
| Art. 12 | Record of processing activities | Internal record, not published, provided to the FDPIC upon request |
| Art. 16-17 | Cross-border disclosure | Application data in Switzerland; Stripe (EU) for payments; US AI subprocessors (Anthropic, OpenAI, Google) only if AI features are enabled, covered by SCCs |
| Art. 19-21 | Duty to inform, automated decisions | Covered by the Privacy Policy; no automated decisions with legal effect |
| Art. 22 | Data protection impact assessment (DPIA) | Carried out for CRM processing, available on reasoned request |
| Art. 24 | Notification of data security breaches | Documented procedure, notification to the FDPIC within 72 hours |
| Art. 25 | Right of access | Response within 30 days to requests submitted via our contact form |
| Art. 28 | Right to data portability | CSV export available (other formats on the roadmap) |
| Art. 30 | Processing infringing personality rights, right to object | Handled by the privacy contact point |
| Art. 32 | Right to rectification and erasure | Response within 30 days, subject to accounting obligations |
| Art. 49 | Complaint to the FDPIC | Contact details provided in the Privacy Policy |
4. Cross-references
- Privacy Policy — substantive information notices
- Data Processing Agreement (DPA) — processing on behalf
- Terms of Service — contractual framework
5. Data protection contact
our contact form — +41 78 448 60 02
In case of discrepancy between language versions, the French version prevails.