As of: 2026-05-27 (Version 1.0) Scope: treuhander.ai and all associated subdomains
1. Overview
Treuhander.ai is a software platform for Swiss SMEs operated by Jagoona GmbH for the capture, structuring and presentation of accounting data. We take the protection of your data seriously and operate the platform so that as much of your data as possible remains in Switzerland and as little as necessary is processed in neighbouring countries.
This Privacy Policy is based on: - Swiss Federal Act on Data Protection (revFADP, in force since 1.9.2023) - European General Data Protection Regulation (GDPR) when processing data of persons in the EU/EEA
2. Controller
Jagoona GmbH Am Baumgarten 5, 6314 Unterägeri, Switzerland UID: CHE-244.370.696 Managing Director with sole signatory authority: Michael Heilig E-mail for data protection enquiries: hello@treuhander.ai
A data protection officer within the meaning of Art. 10 revFADP is not mandatory for small enterprises. The Managing Director performs the tasks of the internal data protection contact. For all data protection questions please contact the above e-mail address.
3. Data We Process
3.1 Contact Data
Upon registration, contact or consultation request: name, e-mail, telephone, company, role.
3.2 Contractual and Billing Data
Invoice address, payment method, subscription status, payment history, UID/commercial register data.
3.3 Accounting and Financial Data
The core data of our service: uploaded documents (PDF, image), captured invoices (accounts receivable/payable), payment runs, payroll data, charts of accounts, VAT declarations, annual financial statements, bank statements (where imported).
3.4 Communication and Interaction Data
Content of your chat messages with our AI agents (FELIX, ARIA, LENA, ZENO, REMO), voice recordings during voice conversations, session logs, and — if a messenger channel is enabled — contents of messages and transmitted receipts via WhatsApp or Telegram (details in section 5.3).
3.5 Technical Data
IP address, browser type, device identifiers, language setting, access timestamps, error logs.
4. Purposes and Legal Bases of Processing
| Purpose | Legal basis |
|---|---|
| Contract performance (platform use, preparation of accounts) | Art. 6(1)(b) GDPR / Art. 31(1) revFADP |
| Invoicing and payment | Art. 6(1)(b) GDPR |
| Support and communication | Art. 6(1)(b) GDPR |
| Platform security, error analysis | Art. 6(1)(f) GDPR (legitimate interest) |
| Product improvement (aggregated, non-personal) | Art. 6(1)(f) GDPR |
| Statutory retention obligations (CO 958f, VAT Act) | Art. 6(1)(c) GDPR |
| Receipt transmission via WhatsApp or Telegram (only when channel is enabled) | Art. 6(1)(a) GDPR / Art. 6(6)(b) revFADP (consent) |
| Direct marketing by e-mail to existing customers | Art. 6(1)(f) GDPR (right to object at any time) |
5. Recipients and Third-Party Providers (Subprocessors)
We use only carefully selected service providers. Data processing agreements (DPA) in accordance with Art. 9 revFADP / Art. 28 GDPR are in place with all processors.
| Service provider | Purpose | Location | Legal basis for transfer |
|---|---|---|---|
| Infomaniak Network SA | UI hosting, e-mail system (catch-all, system mailbox, vault), all subdomains | Switzerland (Geneva/Winterthur) | No third country — revFADP directly |
| Supabase Inc. | Database, Edge Functions, authentication | Switzerland (Switzerland region, Pro Plan active) | No third country after migration; until then adequacy decision EU/CH + SCC |
| Bunny Fonts | Web fonts (deliberately chosen instead of Google Fonts, no US transfer) | Slovenia (EU) | Adequacy decision EU/CH |
| Mistral AI SAS | Text processing (document classification, bookkeeping logic, account coding) | France (EU) | Adequacy decision EU/CH, no third-country transfer |
| OpenAI Inc. | Voice/speech processing (voice agents via gpt-4o-mini-realtime-preview API) | USA | Swiss-US Data Privacy Framework + EU SCC 2021 + DPA, API data not used for training |
| Anthropic PBC | OCR fallback for difficult-to-read PDFs (exceptional path) | USA | Swiss-US Data Privacy Framework + EU SCC 2021 + DPA with zero-retention clause |
| Stripe Payments Europe | Payment processing for subscription fees | Ireland (EU registered office) with US parent | Swiss-US Data Privacy Framework + SCC |
| Meta Platforms Ireland Ltd. | WhatsApp Cloud API for receipt transmission and AI agent chat (only when WhatsApp channel is enabled) | Ireland (EU registered office) with US parent (Meta Platforms Inc.) | Consent Art. 6(6)(b) revFADP / Art. 6(1)(a) GDPR + SCC for US parent |
| Telegram FZ-LLC | Telegram Bot API for receipt transmission and AI agent chat (only when Telegram channel is enabled) | United Arab Emirates (Dubai), international servers | Consent Art. 6(6)(b) revFADP / Art. 6(1)(a) GDPR — third country without adequacy decision |
Important: We have deliberately designed the architecture so that text processing (Mistral) remains within the EU and only voice/speech processing (OpenAI) is transferred to the USA. This reduces the US transfer to the technically unavoidable minimum.
5.1 Specifics Regarding US Transfer
Transfers to OpenAI (USA), Anthropic (USA, fallback) and Stripe (USA) are made on the basis of the following safeguards: - Swiss-US Data Privacy Framework: All providers are certified under the DPF (as at the date of issue). The Swiss Federal Council has recognised the USA as adequate for DPF-certified providers. - Standard Contractual Clauses (SCC) 2021 with CH Annex of the FDPIC as a second layer. - No-training clause with OpenAI (API standard): API data is not used for training under OpenAI standard terms. - Zero-retention clause with Anthropic (Enterprise API): OCR fallback data is not used for training and not retained longer than operationally necessary.
5.2 Subprocessor Changes
We publish current subprocessor lists at treuhander.ai/legal/subprocessors and notify existing customers by e-mail at least 30 days before adding a new subprocessor.
5.3 Messenger Transmission (optional, opt-in)
You can optionally transmit receipts via WhatsApp or Telegram to your client channel. Both channels are not enabled by default and must be activated per client separately. By activating, you consent to data transmission to the respective provider (Art. 6(6)(b) revFADP / Art. 6(1)(a) GDPR).
What happens on activation:
- WhatsApp: The receipt image or PDF is received via Meta's WhatsApp Cloud API. Meta stores transmission metadata according to WhatsApp Business Terms. We download the file immediately into our Swiss infrastructure; further processing matches a normal portal upload. Plain text messages to our AI agents are also received via WhatsApp.
- Telegram: The receipt image or PDF is received via the Telegram Bot API. Telegram stores the file on its international servers (headquartered in Dubai, UAE). We download the file immediately into our Swiss infrastructure. Plain text messages to our AI agents are also received via Telegram.
Privacy recommendation: Do not transmit via messenger any receipts containing particularly sensitive personal data of third parties (payslips, medical bills, social welfare documents etc.). For such receipts, please use the dedicated e-mail channel (<slug>@treuhander.ai) or direct upload in the portal.
You can deactivate the messenger channel at any time in the client settings. Receipts already transmitted via the channel remain in our system and are subject to ordinary retention and deletion rules according to section 8.
6. AI Processing — Transparency
We use artificial intelligence to suggest, classify and structure accounting data. The following is important for us to explain:
6.1 Which AI Tools We Use
- Mistral AI (France): Text analysis of documents, booking suggestions, VAT categorisation, contract analysis.
- OpenAI (USA): Voice assistants (REMO, FELIX, ARIA, LENA, ZENO) — real-time speech processing via gpt-4o-mini-realtime-preview API, Whisper transcription, voice responses.
- Anthropic Claude (USA): OCR fallback for difficult-to-read PDFs (rare exceptional path).
Important distinction — what is sent to OpenAI: Exclusively your spoken or typed command to the voice assistant (e.g. "Show open accounts payable") and the minimal context (cash balance, open items) the assistant needs to respond. Complete documents, invoice PDFs, document scans or complete accounting records are not transferred to OpenAI as a matter of principle — text processing of your documents runs at Mistral (EU). The only technical exception: difficult-to-read PDF scans that Mistral's OCR cannot process are sent to Anthropic as a fallback (rare exceptional path, always with zero-retention clause).
6.2 How We Use AI — and How We Do Not
- AI suggestions (e.g. bookings, account coding) are proposals that must be reviewed and approved by the user or their fiduciary. There is no automated individual decision-making with legal effect (Art. 21 revFADP / Art. 22 GDPR).
- Your data is not used to train AI models. This is in accordance with the standard API terms (OpenAI, Mistral) and is contractually excluded with Anthropic (zero-retention).
- Conversation texts and voice recordings are deleted by the AI provider after processing (OpenAI: API standard no training; Mistral: maximum 30 days; Anthropic: zero-retention for OCR fallback).
6.3 AI Labelling
We label AI-generated suggestions in the interface. At the start of a voice conversation we explicitly inform you that you are speaking with an AI assistant (Art. 50 EU AI Act).
6.4 Your Rights Regarding AI Use
You may object to the automated pre-sorting of your documents by AI. In this case we disable the AI suggestions for your account — you then enter all bookings manually. Please contact hello@treuhander.ai for this.
6.5 Confidentiality
The Provider contractually commits to strict confidentiality regarding all information accessible in the context of the mandate relationship, analogous to Art. 162 CO (business secret). This confidentiality outlasts the contractual relationship and applies to all employees and subprocessors of the Provider. In case of breach, the Client has concrete contractual claims detailed in the T&C (§3.5).
7. Data Security
- Encrypted transmission: HTTPS/TLS 1.3 for all connections.
- Encrypted storage: AES-256 for sensitive fields (passwords hashed with bcrypt, API tokens via Supabase Vault).
- Access control: Each mandate sees exclusively its own data (row-level security at database level).
- Backup: Daily backups on Swiss infrastructure.
- Data breach notification: In the event of a breach posing a risk to data subjects we notify the FDPIC within 72 hours; affected clients are also notified without delay.
8. Retention Periods
| Data category | Period |
|---|---|
| Accounting data (CO 958f obligation) | 10 years after end of financial year |
| Contact data of prospects | 2 years from last contact, then deleted |
| Chat and voice logs | 12 months after end of session, unless forming part of accounting data |
| Invoice and billing data | 10 years (CO + VAT Act) |
| Platform logs / error logs | 90 days |
| Data after contract termination | 30-day grace period for data export, then deleted subject to statutory retention obligations |
9. Your Rights
Under revFADP (Art. 25–32) and GDPR (Art. 15–22) you have the following rights:
- Access: You may at any time request information about the data processed about you.
- Rectification: Inaccurate data will be corrected on your request.
- Erasure: You may request the deletion of your data provided no statutory retention obligation applies.
- Restriction: You may request the restriction of processing of your data.
- Data portability: You will receive your data in a structured, machine-readable format (CSV, JSON).
- Objection: You may object to processing for direct marketing purposes at any time.
- Complaint: You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch) or an EU data protection supervisory authority.
Contact for all these rights: hello@treuhander.ai
10. Cookies and Tracking
We use only technically necessary cookies (session cookies for login, language settings, CSRF protection). We do not use Google Analytics, Facebook Pixel or any marketing trackers. A cookie consent banner is therefore not required.
11. Children
Our service is directed exclusively at businesses and their authorised representatives. We do not knowingly collect data from children under 16 years of age.
12. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy when required by law or changes in our practices. The current version is always available at treuhander.ai/datenschutz-en. We will communicate material changes by e-mail with at least 30 days' notice.
Change log: - 2026-04-23 – Initial version v0.1 (Draft) - 2026-04-24 – v0.2: Operational change to Jagoona GmbH as controller; Supabase Swiss region updated; voice/document data flow to Anthropic clarified - 2026-05-26 – EN translation - 2026-05-27 – v1.0: Finalisation before launch. Supabase migration to Switzerland complete, confidentiality §6.5 added, subprocessor list consolidated. - 2026-05-27 – v1.1: Messenger transmission (WhatsApp, Telegram) documented as optional opt-in channels. Subprocessor list extended by Meta Platforms Ireland Ltd. and Telegram FZ-LLC. New section 5.3.
13. Additional Information for Data Subjects in the EU/EEA (GDPR)
If you are located in the EU/EEA, the following GDPR-specific information applies in addition:
- Legal bases: see table in Section 4.
- US data transfer: see Section 5.1.
- EU representative (Art. 27 GDPR): to be designated.
- Competent supervisory authority: You may contact the data protection authority in your country of residence.