Privacy Policy

Last updated: 24 March 2026

1. Controller

Kassia GmbH, Bahnhofstrasse 1, 8001 Zürich, Switzerland ("Kassia", "we", "us"). For data protection inquiries, contact: privacy@kassia.ch

2. Legal Basis

We process personal data in accordance with the Swiss Federal Act on Data Protection (FADP/DSG, SR 235.1) and, where applicable, the EU General Data Protection Regulation (GDPR). Processing is based on:

  • Performance of our contract with you (Art. 31(2)(a) FADP)
  • Our legitimate interests (Art. 31(1) FADP)
  • Your consent, where specifically obtained (Art. 6(6) FADP)
  • Legal obligations (Art. 31(1) FADP)

3. Data We Collect

3.1 Account Data

Name, email address, company name, address, phone number, VAT number (UID), IBAN — provided during registration and settings configuration.

3.2 Business Data

Contacts, invoices, expenses, journal entries, payroll data, and documents you create within the platform. This data is processed solely to provide our services and is never used for advertising or profiling.

3.3 Usage Data

IP address, browser type, device information, pages visited, and interaction patterns — collected for security, performance monitoring, and product improvement.

3.4 AI-Processed Data

Receipt images and transaction descriptions submitted for AI categorization. These are processed in real time and not stored beyond the processing session. AI models do not learn from your individual business data.

4. Data Storage & Location

All business data is stored on servers located in Switzerland. We use Swiss-hosted infrastructure to ensure compliance with FADP requirements. Data is encrypted at rest (AES-256) and in transit (TLS 1.3).

5. Data Sharing

We share personal data only with:

  • Your fiduciary/accountant — if you grant them access to your organization
  • Payment processors — for bank connectivity (SIX bLink, ISO 20022)
  • AI service providers — for receipt OCR processing (Anthropic), under strict data processing agreements
  • Legal obligations — if required by Swiss law or court order

We never sell personal data or use it for third-party advertising.

6. Retention

Accounting records are retained for 10 years as required by Swiss commercial law (Art. 958f OR) and GeBüV. Account data is retained for the duration of your subscription plus 30 days. You may request earlier deletion of non-legally-required data at any time.

7. Your Rights

Under the FADP, you have the right to:

  • Access your personal data (Art. 25 FADP)
  • Rectify inaccurate data (Art. 32(1) FADP)
  • Request deletion of data (Art. 32(2)(c) FADP)
  • Data portability — export all your data in standard formats
  • Object to processing based on legitimate interests
  • Lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC)

To exercise your rights, contact privacy@kassia.ch. We will respond within 30 days.

8. Data Breach Notification

In the event of a data breach that poses a high risk to your rights, we will notify the FDPIC and affected users as soon as possible, in accordance with Art. 24 FADP.

9. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required as we rely solely on technically necessary cookies.

10. Changes

We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect.