Privacy Policy
Mast Finance Sàrl — Effective date: 24 February 2026 — Version 1.0
Mast Finance Sàrl ("Mast Finance", "we", "us") is committed to protecting personal data. This Privacy Policy explains how we collect, use, and protect personal data in connection with the Mast Finance Service, and describes the rights of individuals under applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (revFADP / nDSG).
1. Who We Are and Our Roles
Mast Finance Sàrl is a Swiss limited liability company registered under CHE-136.079.732, with registered address at Rue Centrale 15, 1003 Lausanne, Switzerland.
Depending on the context:
- Data controller: Mast Finance acts as data controller for personal data it processes for its own business purposes, including account management, billing, security, and service improvement.
- Data processor: Mast Finance acts as data processor when processing Customer Data on behalf of customers in the context of providing the Service. Such processing is governed by our Data Processing Agreement (DPA).
2. Personal Data We Process
We may process the following categories of personal data, depending on how you use the Service:
- Account and contact data: names, job titles, email addresses, company name, billing contact details.
- Authentication and access data: user IDs, login timestamps, session data, device identifiers. Note: IP addresses are processed by authentication infrastructure but are not stored by our analytics platform (see Section 4).
- Service Data (collected by Mast Finance as controller for its own business purposes): account metadata, user identifiers, login events and frequency, session duration and activity, feature usage and adoption data, clickstream data, API call volumes, error rates, subscription and billing data, device identifiers, and any other technical or behavioural data generated through interaction with the Service. Service Data does not include the substantive financial, accounting, or business content uploaded by customers ("Customer Data"), which is processed separately as described in the Data Processing Agreement.
- Billing and subscription data: invoices, payment status, subscription plan details.
- Customer Data: financial, accounting, expense, and treasury data uploaded or generated through the Service, which may include data relating to employees, contractors, customers, or suppliers.
- AI and automated feature data: inputs, prompts, configurations, and outputs submitted to or generated by AI-based or automated features.
Personal data is collected directly from customers and authorized users, or generated automatically through use of the Service.
3. Purposes and Legal Bases
We process personal data for the following purposes:
- Providing and operating the Service: legal basis — performance of a contract (Art. 6(1)(b) GDPR).
- Billing and account management: legal basis — performance of a contract and legitimate interests.
- Security, fraud prevention, and misuse detection: legal basis — legitimate interests (Art. 6(1)(f) GDPR), balanced against individuals' rights.
- Compliance with legal obligations: legal basis — legal obligation (Art. 6(1)(c) GDPR), including accounting, tax, and regulatory requirements.
- Error tracking and service reliability monitoring: legal basis — legitimate interests (Art. 6(1)(f) GDPR). We use error tracking to identify and resolve technical issues. No personal data is collected by default; error reports contain only technical stack traces and metadata. Error-tracking data is processed in the EU (Frankfurt) by Sentry GmbH, a subprocessor listed in our DPA.
- Business intelligence, product development, and commercial analytics (acting as controller): Mast Finance uses Service Data to analyse its customer base, measure feature adoption, monitor usage trends, inform product development and commercial decisions, and detect security threats. Legal basis — legitimate interests (Art. 6(1)(f) GDPR).
- Cookie-based analytics: legal basis — consent (Art. 6(1)(a) GDPR), collected via cookie banner. See our Cookie Policy for full details.
4. Hosting and Infrastructure
The Service is hosted on Amazon Web Services (AWS). Primary Customer Data is stored exclusively in the AWS Switzerland (Zurich) region (eu-central-2).
Analytics and error tracking:
- Product analytics (PostHog) is self-hosted on our own EC2 infrastructure within the same AWS Switzerland (Zurich) region. No analytics data leaves Swiss infrastructure or is accessible to any third party. IP addresses are anonymised and not stored.
- Error tracking (Sentry) is processed in the EU (Frankfurt) by Sentry GmbH, a subprocessor. No personal data is collected by default; error reports contain only technical stack traces and metadata. Sentry GmbH is listed as a subprocessor in our DPA.
Transactional email delivery uses AWS SES in the EU (Frankfurt, eu-central-1), as SES is not yet available in eu-central-2. Static frontend assets are served via AWS CloudFront from global edge locations; no Customer Data passes through CloudFront. All AWS services are covered by a single AWS Data Processing Addendum (DPA).
5. Subprocessors
We engage a limited number of subprocessors to provide components of the Service. A current list of subprocessors is publicly available at mastfinance.io/subprocessors. Customers may object to new subprocessors on legitimate data protection grounds as set out in our Data Processing Agreement.
Note: Our analytics platform (PostHog) is self-hosted on our own infrastructure and is not a subprocessor. Error tracking (Sentry) is provided by Sentry GmbH as a subprocessor, processing data in the EU (Frankfurt).
6. International Data Transfers
We store and process Customer Data primarily in Switzerland (AWS Zurich). Some data flows outside Switzerland in the following limited and documented circumstances:
- Transactional emails are routed through AWS SES in Frankfurt (EU), which is covered by the AWS DPA.
- Static frontend assets are delivered via AWS CloudFront global edge locations, which process visitor IP addresses only — no Customer Data is involved.
- Billing contact data is processed by Stripe, a US-based payment processor certified under the EU-US Data Privacy Framework.
Where transfers outside the EEA occur, we ensure appropriate safeguards are in place, including:
- adequacy decisions by the European Commission or the Swiss Federal Council;
- Standard Contractual Clauses (SCCs) approved under the GDPR or the Swiss equivalent;
- other recognised transfer mechanisms as required.
7. Cookies and Analytics
We use essential cookies to operate the Service and, with your consent, analytics cookies to understand usage and improve performance. Our analytics platform is self-hosted in Switzerland and does not share data with any third party. Please see our Cookie Policy for full details.
8. Retention
We retain personal data only for as long as necessary. Typical retention periods:
- Account and billing data: duration of subscription plus up to 10 years (Swiss accounting law).
- Usage and technical logs: up to 12 months.
- Analytics event data: 90 days.
- Session recordings: 30 days.
- Customer Data: duration of subscription; exportable for 30 days after termination, then deleted.
9. Your Rights
Under the GDPR and Swiss nDSG, you have the following rights:
- Right of access — to obtain a copy of your personal data.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — subject to legal retention obligations.
- Right to restriction of processing.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, without affecting prior processing.
To exercise your rights, please contact us at contact@mastfinance.io. We will respond within the timeframe required by applicable law (generally within 30 days).
10. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
- EU/EEA: the data protection authority in your country of residence or place of work.
11. Contact and Data Protection
For privacy-related questions or to exercise your rights:
Mast Finance Sàrl — Attn: Data Protection
Rue Centrale 15, 1003 Lausanne, Switzerland
contact@mastfinance.io
Data protection contact: Sabine Pebrier — contact@mastfinance.io
EU Representative (Art. 27 GDPR): Given the nature and current scale of our processing activities, and that we do not process special categories of personal data on a large scale, Mast Finance relies on the exemption under Article 27(2) GDPR. We will appoint an EU-based representative if and when required by the scale of our operations. In the meantime, data protection enquiries from EU/EEA residents may be directed to Sabine Pebrier at contact@mastfinance.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The current version is always available at /privacy.