Privacy Policy

Last updated: May 21, 2026 · Version: 2.0

1. Introduction

SANC AG (“we,” “our,” or “us”) operates the LumaBill platform (the “Service”), a Swiss invoicing, bookkeeping, and business management solution. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service, in accordance with the Swiss Federal Act on Data Protection (FADP / nDSG) in force since 1 September 2023.

2. Data Controller

SANC AG, Binzstrasse 16, 8712 Stäfa, Switzerland.

General contact: support@lumabill.ch. Data protection contact: datenschutz@lumabill.ch.

3. Scope of this Policy

LumaBill is designed for businesses domiciled in Switzerland. We do not actively target customers in the EU or EEA and have not appointed a representative under Article 27 of the EU GDPR. If you access the Service from outside Switzerland, this policy still describes how we handle your data, and we apply Swiss data-protection law (FADP / nDSG) as the primary legal framework. Where applicable, EU users retain rights under the GDPR; we will honour verified requests in line with the FADP timelines below.

4. Information We Collect

4.1 Information You Provide

  • Guest Users: If you use our Service without an account, your invoice data (client details, items, amounts) is processed locally in your browser. It is not transmitted to or stored on our servers.
  • Registered Users: When you create an account, we collect your email address and authentication credentials (managed via AWS Cognito). When you save invoices, client records, or profile settings, this data is transmitted over TLS and stored in our database.
  • Bookkeeping Data: If you use our bookkeeping features, we store your financial records including expenses, journal entries, chart of accounts, fiscal year data, vendor information, and bank account details.
  • Bank Statements: If you import bank statements (CAMT.053/CAMT.054 or CSV files), we process and store the transaction data contained therein, including transaction amounts, dates, references, and counterparty information.
  • Uploaded Files: If you upload files such as company logos, expense receipts, or other documents, these files are stored in our secure cloud storage (AWS S3).
  • Payment Information: Subscription payments are processed by Stripe. We do not store your credit card details. Stripe processes and stores your payment information in accordance with PCI-DSS standards. We receive only a payment confirmation, a truncated card reference, and billing metadata from Stripe.
  • Support & Feedback: If you contact us or submit feedback, we store your message together with your email and account identifier so we can respond and improve the Service.

4.2 Automatically Collected Information

  • Server access logs: request metadata, IP address, user agent, timestamps. Used for security, abuse prevention, and troubleshooting. Retained no longer than 90 days.
  • Audit log: an immutable record of changes to bookkeeping objects (who changed what and when). Required to support Swiss commercial-law record-keeping obligations.
  • Cookies and analytics: see Section 10. Optional analytics are only loaded after you grant consent in our cookie banner.

5. Legal Bases for Processing

Under Article 31 FADP (and, where applicable to EU users, Article 6 GDPR), we rely on the following legal bases:

| Purpose | Data | Legal basis |
|---|---|---|
| Provide the Service under our contract with you | Account, profile, invoices, clients, bookkeeping records | Contract performance — FADP Art. 31 ¶ 2 lit. a / GDPR Art. 6(1)(b) |
| Comply with Swiss commercial-law record-keeping (CO Art. 958f, GeBüV) | Journal entries, invoices, expenses, receipts, financial reports | Legal obligation — FADP Art. 31 ¶ 2 lit. c / GDPR Art. 6(1)(c) |
| Process subscription payments | Stripe customer ID, billing address, payment metadata | Contract performance |
| AI features (only when you subscribe to the AI module) | Receipt images, expense descriptions, transaction data | Consent — FADP Art. 6 ¶ 6 / GDPR Art. 6(1)(a); withdrawable any time |
| Marketing email | Email address, opt-in flag | Consent; withdrawable any time via unsubscribe link or account settings |
| Analytics (Google Analytics) | Cookie ID, IP address, page views, device info | Consent — only after you accept analytics in the cookie banner |
| Security, fraud prevention, troubleshooting | Server logs, audit log | Overriding legitimate interest — FADP Art. 31 / GDPR Art. 6(1)(f) |

6. AI-Powered Features and Data Processing

LumaBill offers optional AI-powered features as a paid add-on. AI features are entirely opt-in — they are never activated unless you explicitly subscribe to the AI module and initiate an AI action. The following applies only if you choose to use AI features:

  • Receipt Scanning: images of your receipts are sent to our AI processing infrastructure to extract vendor names, amounts, dates, and line items.
  • Expense Categorization: your expense descriptions and amounts are processed to suggest appropriate bookkeeping accounts.
  • Bank Transaction Matching: unmatched bank transactions and existing expense records are analysed to suggest matches.

AI Infrastructure: AI processing is performed via Amazon Web Services (AWS) Bedrock using an EU cross-region inference profile. For capacity and availability reasons, a single inference may be routed by Bedrock between EU regions (including Zurich, eu-central-2, and Frankfurt, eu-central-1). The underlying foundation model is Anthropic Claude Sonnet 4.6, served by AWS under the AWS Customer Agreement and AWS Data Processing Addendum.

AWS contractually commits that content submitted to Bedrock is not used to train the underlying foundation models and is not stored by Bedrock after the request completes. Inputs and outputs remain within the EU.

Human Review: AI suggestions are always presented as proposals. You retain full control and must confirm or reject every AI suggestion before it is applied. We do not make automated decisions producing legal effects on you within the meaning of FADP Art. 21.

7. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service, including invoicing, bookkeeping, and reporting features
  • Process your financial data for bookkeeping purposes as instructed by you
  • Provide AI-powered features where you have opted in
  • Process subscription payments and manage your account
  • Send you transactional notifications (e.g., invoice delivery confirmations, subscription updates)
  • Comply with legal obligations, including financial record retention requirements
  • Detect, prevent, and respond to security incidents and abuse

8. Recipients and Sub-Processors

We do not sell your personal data. We use the following sub-processors to deliver the Service, each under a written data-processing agreement:

| Sub-processor | Legal entity & location | Service / data | Safeguard |
|---|---|---|---|
| AWS — infrastructure | Amazon Web Services EMEA SARL, Luxembourg. Processing in Zurich (eu-central-2). Transactional email via Amazon SES in Frankfurt (eu-central-1). | Lambda, RDS PostgreSQL, S3, Cognito, SES, CloudFront. Processes all account data, bookkeeping data, uploaded files, and outgoing email. | AWS Service Terms & Data Processing Addendum; EU Standard Contractual Clauses where applicable. |
| AWS Bedrock — AI | Amazon Web Services EMEA SARL, Luxembourg. EU cross-region inference profile (Zurich / Frankfurt / Ireland). | Foundation-model inference (Anthropic Claude Sonnet 4.6). Only when the AI module is active: receipt images, expense text, transaction data. | AWS DPA. AWS contractually warrants no training use and no retention after request completion. |
| Stripe — payments | Stripe Payments Europe Ltd., Ireland; may transfer to Stripe Inc. (US). | Subscription billing and payment processing. Email address, billing address, payment metadata. | Stripe Data Processing Agreement; EU Standard Contractual Clauses with Swiss FDPIC addendum for US transfers. |
| Google Analytics | Google Ireland Ltd., Ireland; may transfer to Google LLC (US). | Anonymised web usage analytics. Only loaded after consent. Cookie ID, IP, page views, device info. | Google Ads Data Processing Terms; EU Standard Contractual Clauses with Swiss FDPIC addendum. |

We notify users of new or changed sub-processors at least 30 days in advance via email and an update to this policy.

We may also disclose your information if required by law, in response to a valid legal process, or to protect our rights and the safety of our users.

9. International Data Transfers

Our primary infrastructure and databases are located in Switzerland (AWS Zurich region, eu-central-2). Switzerland recognises the EU and EEA as providing an adequate level of data protection (Annex 1 to the Data Protection Ordinance / FDPIC adequacy list); transfers within the EU and EEA therefore require no additional safeguards.

Where personal data is transferred to the United States — in particular by Stripe for payment processing and Google for analytics — we rely on the EU Standard Contractual Clauses combined with the Swiss FDPIC addendum recognised by the Swiss Federal Data Protection and Information Commissioner.

10. Cookies and Tracking

Essential cookies (always active):

  • Authentication / session cookies — managed by AWS Cognito; required to keep you signed in.
  • Language preference — remembers your selected locale.
  • Consent record — stores your cookie choices.

Optional cookies (only after consent):

  • Google Analytics (_ga, _ga_*) — usage measurement. Lifetime up to 2 years.

You can grant, refuse, or withdraw analytics consent at any time via the cookie banner or by clearing the cookies for our domain in your browser. Withdrawing consent does not affect processing that took place before the withdrawal.

11. Data Retention

  • Active accounts: all data is retained for as long as your account is active.
  • Accounting records: in accordance with Swiss commercial law (Code of Obligations Art. 958f) and the Ordinance on the Keeping and Preservation of Account Books (GeBüV), financial records including journal entries, invoices, expenses, receipts, and financial reports are retained for 10 years from the end of the fiscal year to which they relate. This obligation applies regardless of account status.
  • Cancelled subscriptions: when you cancel your subscription, your account enters a read-only archived state. All data remains accessible for viewing and export.
  • Account deletion requests: non-accounting personal data (profile details, preferences, email settings, client lists if not referenced by retained bookkeeping records) is deleted promptly. Accounting records subject to the 10-year retention obligation are retained until the retention period expires; thereafter they are deleted or fully anonymised.
  • Server access logs: up to 90 days.
  • Audit log: for the life of the account and the bookkeeping-retention period (10 years).
  • Marketing consent records: retained until withdrawal, plus up to 3 years for evidentiary purposes.
  • AI usage log (metadata only): up to 24 months.
  • Support and feedback messages: up to 24 months after resolution.
  • Database backups: encrypted backups may persist for up to 30 days after deletion from the live system.

12. Data Security

We implement appropriate technical and organisational measures in line with Article 8 FADP, including:

  • Encryption in transit (TLS) and at rest (RDS storage encryption, S3 server-side encryption).
  • Strict per-account and per-profile access scoping in our backend.
  • Immutable audit logging of bookkeeping changes.
  • Database credentials stored in AWS SSM Parameter Store; no secrets in source code.
  • Automated database backups with a retention window suitable for restoration.
  • Regular review of access controls, dependencies, and infrastructure configuration.

No method of electronic transmission or storage is 100% secure; we cannot guarantee absolute security.

13. Data Breach Notification

In accordance with Article 24 FADP, if a personal data breach is likely to result in a high risk to your rights, we will notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as possible after we become aware of it. Where required by law, we will also notify affected users directly without undue delay, describing the nature of the breach, likely consequences, and the measures taken.

14. Records of Processing Activities

We maintain an internal register of processing activities in accordance with Article 12 FADP and make it available to the FDPIC on request.

15. Your Rights

Under the Swiss Federal Act on Data Protection you have the following rights:

  • Right of access (Art. 25 FADP) — obtain confirmation of whether we process your personal data and receive a copy.
  • Right to rectification (Art. 32 ¶ 1 FADP) — have inaccurate personal data corrected.
  • Right to data portability (Art. 28 FADP) — receive a copy of the data you provided to us in a common electronic format, or have us transmit it to another controller where technically feasible.
  • Right to erasure or restriction (Art. 32 ¶ 2 FADP) — subject to the legal retention obligations described in Section 11 (notably CO Art. 958f).
  • Right to object — to processing based on overriding legitimate interest.
  • Right to withdraw consent — for any processing that relies on consent (AI features, marketing email, analytics), at any time, without affecting prior processing.

We respond to verified requests within 30 days in accordance with Article 25 FADP. To exercise your rights, contact datenschutz@lumabill.ch.

You may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.

16. Data Protection Contact

Data protection contact: datenschutz@lumabill.ch.

We have not formally appointed a Data Protection Officer under Article 10 FADP. Our processing volumes and risk profile do not require one. Our authorised representative (see Impressum) is Christian Sandrini.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes are announced by email and in-app notification at least 30 days before they take effect. Minor clarifications are reflected in the “Last updated” date.

Version history

  • v2.0 (21 May 2026): added sub-processor table, legal-basis table, breach notification, records of processing, granular FADP rights, cookie disclosure; corrected the AI-region disclosure to reflect the EU cross-region inference profile; clarified what is retained after account deletion.
  • v1.0 (5 March 2026): initial publication.

18. Contact

For general questions: support@lumabill.ch.

For data-protection matters or to exercise your rights: datenschutz@lumabill.ch.