
Privacy Policy

Mast Finance Sàrl — Effective date: 24 February 2026 — Version 1.0

Mast Finance Sàrl ("Mast Finance", "we", "us") is committed to protecting personal data. This Privacy Policy explains how we collect, use, and protect personal data in connection with the Mast Finance Service, and describes the rights of individuals under applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (revFADP / nDSG).

1. Who We Are and Our Roles

Mast Finance Sàrl is a Swiss limited liability company registered under CHE-136.079.732, with registered address at Rue Centrale 15, 1003 Lausanne, Switzerland.

Depending on the context:

  • Data controller: Mast Finance acts as data controller for personal data it processes for its own business purposes, including account management, billing, security, and service improvement.
  • Data processor: Mast Finance acts as data processor when processing Customer Data on behalf of customers in the context of providing the Service. Such processing is governed by our Data Processing Agreement (DPA).

2. Personal Data We Process

We may process the following categories of personal data, depending on how you use the Service:

  • Account and contact data: names, job titles, email addresses, company name, billing contact details.
  • Authentication and access data: user IDs, login timestamps, session data, device identifiers. Note: IP addresses are processed by authentication infrastructure but are not stored by our analytics platform (see Section 4).
  • Service Data (collected by Mast Finance as controller for its own business purposes): account metadata, user identifiers, login events and frequency, session duration and activity, feature usage and adoption data, clickstream data, API call volumes, error rates, subscription and billing data, device identifiers, and any other technical or behavioural data generated through interaction with the Service. Service Data does not include the substantive financial, accounting, or business content uploaded by customers ("Customer Data"), which is processed separately as described in the Data Processing Agreement.
  • Billing and subscription data: invoices, payment status, subscription plan details.
  • Customer Data: financial, accounting, expense, and treasury data uploaded or generated through the Service, which may include data relating to employees, contractors, customers, or suppliers.
  • AI and automated feature data: inputs, prompts, configurations, and outputs submitted to or generated by AI-based or automated features.

Personal data is collected directly from customers and authorized users, or generated automatically through use of the Service.


3. Purposes and Legal Bases

We process personal data for the following purposes:

  • Providing and operating the Service: legal basis — performance of a contract (Art. 6(1)(b) GDPR).
  • Billing and account management: legal basis — performance of a contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).
  • Security, fraud prevention, and misuse detection: legal basis — legitimate interests (Art. 6(1)(f) GDPR), balanced against individuals' rights.
  • Compliance with legal obligations: legal basis — legal obligation (Art. 6(1)(c) GDPR), including accounting, tax, and regulatory requirements.
  • Error tracking and service reliability monitoring: legal basis — legitimate interests (Art. 6(1)(f) GDPR). We use error tracking to identify and resolve technical issues. No personal data is collected by default; error reports contain only technical stack traces and metadata. Error-tracking data is processed in the EU (Frankfurt) by Sentry, a subprocessor listed on our Subprocessors page.
  • Business intelligence, product development, and commercial analytics (acting as controller): Mast Finance uses Service Data to analyse its customer base, measure feature adoption, monitor usage trends, inform product development and commercial decisions, and detect security threats. Legal basis — legitimate interests (Art. 6(1)(f) GDPR).
  • Cookie-based analytics: legal basis — consent (Art. 6(1)(a) GDPR), collected via cookie banner. See our Cookie Policy for full details.
  • AI-Powered Features (Mast AI): The Service includes an embedded AI assistant that helps you navigate the application, understand financial concepts, and analyse your data. When you use Mast AI, the content of your query and relevant financial context from your account (such as revenue and expense totals, cash position, and customer/supplier names) are sent to our AI infrastructure for processing. Responses are returned in real time and stored as part of your conversation history. Our AI infrastructure runs on AWS Bedrock in the AWS Switzerland (Zurich) region (eu-central-2), operated by Amazon Web Services (a subprocessor listed on our Subprocessors page). Your prompts and completions are processed exclusively within Switzerland, are not retained by the underlying model providers (Anthropic, Cohere), and are not used to train or improve their AI models. Legal basis — performance of a contract (Art. 6(1)(b) GDPR).

4. Hosting and Infrastructure

The Service is hosted on Amazon Web Services (AWS). Primary Customer Data is stored exclusively in the AWS Switzerland (Zurich) region (eu-central-2).

Analytics and error tracking:

  • Product analytics (PostHog) is processed in the EU (Frankfurt) by PostHog Cloud EU, a subprocessor. Analytics covers usage events, feature adoption, and — where enabled — anonymised session recordings with masked input fields. IP addresses are not collected. This is Service Data only; no Customer Data (financial or accounting records) is ever transmitted.
  • Error tracking (Sentry) is processed in the EU (Frankfurt) by Sentry Cloud EU, a subprocessor. No personal data is collected by default; error reports contain only technical stack traces and metadata. Email addresses that appear in error messages are automatically redacted before transmission.

Both subprocessors are listed with full legal entity names and SCC basis on our Subprocessors page.

Transactional email delivery uses AWS SES in the EU (Frankfurt, eu-central-1), as SES is not yet available in eu-central-2. Static frontend assets are served via AWS CloudFront from global edge locations; no Customer Data passes through CloudFront. All AWS services are covered by a single AWS Data Processing Addendum (DPA).


5. Subprocessors

We engage a limited number of subprocessors to provide components of the Service. A current and up-to-date list of subprocessors is publicly available at mastfinance.io/subprocessors. Customers may object to new subprocessors on legitimate data protection grounds as set out in our Data Processing Agreement.

Note: Product analytics (PostHog) and error tracking (Sentry) are both EU-based subprocessors processing data in Frankfurt. Customer Data — your financial and accounting records — is never transmitted to these services. They receive only Service Data (telemetry, usage events, error metadata), as described in Section 2.


6. International Data Transfers

We store and process Customer Data primarily in Switzerland (AWS Zurich). Some Service Data flows outside Switzerland in the following limited and documented circumstances:

  1. Transactional emails are routed through AWS SES in Frankfurt (EU), which is covered by the AWS DPA.
  2. Static frontend assets are delivered via AWS CloudFront global edge locations, which process visitor IP addresses only — no Customer Data is involved.
  3. Billing contact data is processed by Stripe, a US-based payment processor certified under the EU-US Data Privacy Framework.
  4. Product analytics (usage events, session recordings with masked inputs) is processed by PostHog Cloud EU in Frankfurt. No Customer Data is transmitted.
  5. Error tracking (stack traces and technical metadata) is processed by Sentry Cloud EU in Frankfurt. No Customer Data is transmitted.

Where personal data is transferred outside Switzerland or the EEA, we ensure appropriate safeguards are in place, including:

  • adequacy decisions by the European Commission or the Swiss Federal Council;
  • Standard Contractual Clauses (SCCs) approved under the GDPR or the Swiss equivalent;
  • other recognised transfer mechanisms as required.

7. Cookies and Analytics

We use essential cookies to operate the Service and, with your consent, analytics cookies to understand usage and improve performance. Analytics data is processed in the EU (Frankfurt) by PostHog Cloud EU. Please see our Cookie Policy for full details.


8. Retention

We retain personal data only for as long as necessary. Typical retention periods:

  • Account and billing data: duration of subscription plus up to 10 years (10-year record-keeping obligation under Swiss accounting law, Art. 958f CO).
  • Usage and technical logs: up to 12 months.
  • Analytics event data: 90 days.
  • Session recordings: 30 days.
  • Customer Data: duration of subscription; exportable for 30 days after termination, then deleted.

9. Your Rights

Under the GDPR and Swiss nDSG, you have the following rights:

  • Right of access — to obtain a copy of your personal data.
  • Right to rectification — to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — subject to legal retention obligations.
  • Right to restriction of processing.
  • Right to data portability — to receive your data in a structured, machine-readable format.
  • Right to object — to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, without affecting prior processing.

To exercise your rights, please contact us at contact@mastfinance.io. We will respond within the timeframe required by applicable law (generally within 30 days).


10. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

  • Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
  • EU/EEA: the data protection authority in your country of residence or place of work.

11. Contact and Data Protection

For privacy-related questions or to exercise your rights:

Mast Finance Sàrl
Attn: Data Protection
Rue Centrale 15, 1003 Lausanne, Switzerland
contact@mastfinance.io

Data protection contact: Sabine Pebrier — contact@mastfinance.io

EU Representative (Art. 27 GDPR): Given the nature and current scale of our processing activities, and that we do not process special categories of personal data on a large scale, Mast Finance relies on the exemption under Article 27(2) GDPR. We will appoint an EU-based representative if and when required by the scale of our operations. In the meantime, data protection enquiries from EU/EEA residents may be directed to Sabine Pebrier at contact@mastfinance.io.


12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The current version is always available at /privacy.


Mast Finance Sàrl — Rue Centrale 15, 1003 Lausanne, Switzerland — contact@mastfinance.io


© 2025–2026 Mast Finance Sàrl. All rights reserved.