Privacy Policy
Last updated: 2026-04-11
The purpose of this policy is to inform data subjects about the processing of personal data carried out by ark.swiss Sàrl, in accordance with Article 19 of the Swiss Federal Act on Data Protection (FADP, revised and in force since 1 September 2023) and Article 13 of the General Data Protection Regulation (GDPR).
1. Data controller
ark.swiss Sàrl
Chemin de la Duchesne 13, 1806 St-Légier, Canton of Vaud, Switzerland
Phone: +41 78 448 60 02
General email: [email protected]
Data protection email: [email protected]
2. Data subjects and data collected
- Visitors to arkplan.ch: technical server logs (truncated IP, user agent, page visited, date and duration).
- Prospects (signup form): first name, last name, email, optional phone number, organisation name, desired subdomain, selected plan.
- Customers: login credentials, preferences, billing history, support correspondence.
- Customer CRM contacts (third-party data): name, email, phone, notes, interaction history. Such data is processed on behalf of the Customer, which is the data controller; ark.swiss Sàrl acts as data processor (see the Data Processing Agreement, DPA).
3. Purposes of processing
- Performance of the subscription contract and provision of the Service.
- Billing and collection.
- Technical support and transactional communication.
- Security, fraud prevention and Service integrity.
- Service improvement on the basis of aggregated statistics.
- Compliance with legal obligations (accounting, tax).
4. Legal basis
- Performance of the contract (Art. 6 §1 lit. b GDPR; Art. 31 §2 lit. a FADP) — account, billing, support data.
- Legal obligation (Art. 6 §1 lit. c GDPR; Art. 958f CO) — accounting retention of invoices for 10 years.
- Legitimate interest (Art. 6 §1 lit. f GDPR; Art. 31 §1 FADP) — Service security, abuse prevention, aggregated product improvement.
- Consent (Art. 6 §1 lit. a GDPR; Art. 31 §1 FADP) — where applicable for non-strictly contractual communications.
5. Recipients and subprocessors
| Subprocessor | Location | Purpose |
|---|---|---|
| Infomaniak Network SA | Geneva, Switzerland | Application and database hosting, transactional SMTP |
| Stripe Payments Europe Ltd. | Dublin, Ireland (EU) | Card payment processing |
| Umami (self-hosted by ark.swiss Sàrl) | Switzerland | Cookieless analytics |
ark.swiss Sàrl does not use any third-party commercial behavioural analytics service (no Google Analytics, no Meta Pixel, no LinkedIn Insight, no Hotjar, no Intercom).
6. International transfers
Application data (accounts, content, CRM contacts) is hosted exclusively in Switzerland at Infomaniak Network SA. Data strictly necessary for payment processing transits through Stripe Payments Europe Ltd. (Ireland, European Union) under the EU single market and applicable adequacy decisions. In version 1 of the Service, no transfer is made outside the EEA/Switzerland.
7. Retention periods
- Account data: duration of the subscription + 30 days after termination.
- Customer Content: duration of the subscription + 30 days (export window).
- Invoices and accounting records: 10 years (Art. 958f CO). This statutory obligation prevails over the right to erasure.
- Technical logs: 12 months maximum.
- Prospect data: 24 months maximum after last contact.
8. Security
Technical and organisational measures include: encryption in transit (TLS 1.2 minimum), encryption at rest of credentials and OAuth tokens with AES-256-GCM, database isolation per container, daily encrypted backups, access logging, mandatory multi-factor authentication on administrator accounts, quarterly access review.
9. Data subject rights
In accordance with Art. 25 et seq. FADP and Art. 15 to 22 GDPR, you have the following rights:
- Right of access (Art. 25 FADP / Art. 15 GDPR).
- Right to rectification (Art. 32 FADP / Art. 16 GDPR).
- Right to erasure (Art. 32 FADP / Art. 17 GDPR), subject to the 10-year statutory retention for invoices.
- Right to portability (Art. 28 FADP / Art. 20 GDPR) — JSON/CSV export available.
- Right to object (Art. 30 FADP / Art. 21 GDPR).
- Right to withdraw consent at any time (Art. 30 FADP / Art. 7 §3 GDPR).
To exercise these rights, write to [email protected]. A response is provided within a maximum of 30 days. Identity verification may be requested in case of reasonable doubt.
10. Automated decisions and profiling
ark.swiss Sàrl does not make any automated individual decisions producing legal effects within the meaning of Art. 21 FADP and Art. 22 GDPR. No high-risk profiling is carried out.
11. Cookies
Cookies and trackers are described in the Cookie Policy.
12. Data breaches
In the event of a data security breach presenting a risk to data subjects, ark.swiss Sàrl notifies the competent authority within 72 hours of becoming aware (Art. 24 FADP, Art. 33 GDPR) and informs affected data subjects if the risk is high (Art. 34 GDPR).
13. Supervisory authority
You have the right to lodge a complaint with a supervisory authority:
- Switzerland — Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.
- European Union — supervisory authority of your country of residence (e.g. CNIL in France).
14. Data protection contact
ark.swiss Sàrl is not legally required to appoint a Data Protection Officer (DPO). Requests are handled by a dedicated contact point: [email protected].
15. Changes
This policy may be amended. Any material amendment is notified by email and an archived version remains available on request.
In case of discrepancy between language versions, the French version prevails.