Last updated: 2026-05-18
The purpose of this policy is to inform data subjects about the processing of personal data carried out by ark.swiss Sàrl, in accordance with Article 19 of the Swiss Federal Act on Data Protection (FADP, revised and in force since 1 September 2023) and Article 13 of the General Data Protection Regulation (GDPR).
1. Data controller
ark.swiss Sàrl
Chemin de la Duchesne 13, 1806 St-Légier, canton of Vaud, Switzerland
Phone: +41 78 448 60 02
General email: our contact form
Data protection email: our contact form
2. Data subjects and data collected
- Visitors to arkplan.ch: technical server logs (truncated IP, user agent, page visited, date and duration).
- Prospects (signup form): first name, last name, email, optional phone number, organisation name, desired subdomain, selected plan.
- Customers: login credentials, preferences, billing history, support correspondence.
- Customer CRM contacts (third-party data): name, email, phone, notes, interaction history. Such data is processed on behalf of the Customer, which is the data controller; ark.swiss Sàrl acts as data processor (see the Data Processing Agreement, DPA).
3. Purposes of processing
- Performance of the subscription contract and provision of the Service.
- Billing and collection.
- Technical support and transactional communication.
- Security, fraud prevention and Service integrity.
- Service improvement on the basis of aggregated statistics.
- Compliance with legal obligations (accounting, tax).
4. Legal basis
- Performance of the contract (Art. 6 §1 lit. b GDPR; Art. 31 §2 lit. a FADP) — account, billing, support data.
- Legal obligation (Art. 6 §1 lit. c GDPR; Art. 958f CO) — accounting retention of invoices for 10 years.
- Legitimate interest (Art. 6 §1 lit. f GDPR; Art. 31 §1 FADP) — Service security, abuse prevention, aggregated product improvement.
- Consent (Art. 6 §1 lit. a GDPR; Art. 31 §1 FADP) — where applicable for non-strictly contractual communications.
5. Recipients and subprocessors
| Subprocessor | Location | Purpose |
|---|---|---|
| Infomaniak Network SA | Geneva, Switzerland | Application and database hosting, transactional SMTP |
| Stripe Payments Europe Ltd. | Dublin, Ireland (EU) | Card payment processing |
| Umami (self-hosted by ark.swiss Sàrl) | Switzerland | Cookieless analytics |
| Anthropic PBC, OpenAI Ireland Ltd., Google Ireland Ltd. | Ireland (EU) and United States | Optional AI features, only if enabled by the Customer (summaries, email drafts, suggestions) |
ark.swiss Sàrl does not use any third-party commercial behavioural analytics service (no Google Analytics, no Meta Pixel, no LinkedIn Insight, no Hotjar, no Intercom).
6. International transfers
Main application data (accounts, content, CRM contacts, invoices, documents) is hosted exclusively in Switzerland at Infomaniak Network SA. Data strictly necessary for payment processing transits through Stripe Payments Europe Ltd. (Ireland, European Union) under the EU single market and applicable adequacy decisions.
Optional AI features. If the Customer enables the AI features (prospect summaries, email drafts, suggestions), the relevant text is transmitted to our technical subprocessors (Anthropic PBC, OpenAI Ireland Ltd., Google Ireland Ltd.) for processing. This processing may involve a transfer to the United States. AI features are not enabled by default and can be disabled at any time in the settings.
7. Retention periods
- Account data: duration of the subscription + 30 days after termination.
- Customer Content: duration of the subscription + 30 days (export window).
- Invoices and accounting records: 10 years (Art. 958f CO). This statutory obligation prevails over the right to erasure.
- Technical logs: 12 months maximum.
- Prospect data: 24 months maximum after last contact.
8. Security
Technical and organisational measures include: encryption in transit (TLS 1.2 minimum), encryption at rest of third-party service credentials (Google OAuth, Odoo, IMAP, GitHub) with AES-256-GCM, database isolation per container, daily automated backups retained for 30 days, administrative access logging, continuously tracked security updates, and regular review of user permissions.
9. Data subject rights
In accordance with Art. 25 et seq. FADP and Art. 15 to 22 GDPR, you have the following rights:
- Right of access (Art. 25 FADP / Art. 15 GDPR).
- Right to rectification (Art. 32 FADP / Art. 16 GDPR).
- Right to erasure (Art. 32 FADP / Art. 17 GDPR), subject to the 10-year statutory retention for invoices.
- Right to portability (Art. 28 FADP / Art. 20 GDPR) — CSV export available (other formats on the roadmap).
- Right to object (Art. 30 FADP / Art. 21 GDPR).
- Right to withdraw consent at any time (Art. 30 FADP / Art. 7 §3 GDPR).
To exercise these rights, contact us through our contact form. A response is provided within a maximum of 30 days. Identity verification may be requested in case of reasonable doubt.
10. Automated decisions and profiling
ark.swiss Sàrl does not make any automated individual decisions producing legal effects within the meaning of Art. 21 FADP and Art. 22 GDPR. No high-risk profiling is carried out.
11. Cookies
Cookies and trackers are described in the Cookie Policy.
12. Data breaches
In the event of a data security breach presenting a risk to data subjects, ark.swiss Sàrl notifies the competent authority within 72 hours of becoming aware (Art. 24 FADP, Art. 33 GDPR) and informs affected data subjects if the risk is high (Art. 34 GDPR).
13. Supervisory authority
You have the right to lodge a complaint with a supervisory authority:
- Switzerland — Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.
- European Union — supervisory authority of your country of residence (e.g. CNIL in France).
14. Data protection contact
ark.swiss Sàrl is not legally required to appoint a Data Protection Officer (DPO). Requests are handled by a dedicated contact point: our contact form.
15. Changes
This policy may be amended. Any material amendment is notified by email and an archived version remains available on request.
16. Conversational AI agent (ark.agent)
ark.plan includes a conversational agent based on artificial intelligence, named ark.agent, which assists users in their daily tasks (appointment management, CRM follow-up, time tracking, invoicing) via natural-language commands.
Models used. By default, ark.agent uses models hosted in Switzerland by Infomaniak (data sovereignty). Optionally, and after explicit authorisation from the instance administrator, Claude (Anthropic), GPT (OpenAI) or Gemini (Google) may be enabled. In that case, messages transit through the selected provider's servers under its terms.
Audit log. Every action performed by the agent (search, creation, modification of data) is recorded in an audit log internal to the instance, retained for 90 days by default (configurable by the administrator). Arguments and results are stored as SHA-256 hashes for confidentiality and integrity.
Long-term memory. ark.agent maintains editable memories to personalise its responses (user preferences, frequent shortcuts, business vocabulary). You can view, modify or delete them at any time from Settings → My agent data.
Exercisable rights. In accordance with Art. 25 et seq. FADP and Art. 15 to 22 GDPR, you may at any time: export all your agent data (conversations, memories, audit log) as JSON and a PDF summary; delete a specific conversation; edit or delete a memory; purge all your agent data (right to be forgotten, irreversible with a 7-day recovery window). These actions are available from Settings → My agent data, or by email to our contact form for formal requests (response within 30 days).
In case of discrepancy between language versions, the French version prevails.