Privacy Policy
Last updated: 1 July 2026
How Lifetime Software AG processes personal data in connection with Aren, our financial-management service for businesses, under both the EU GDPR and the revised Swiss FADP (revDSG).
In short
- Who we are: Lifetime Software AG (Switzerland) operates Aren, a bookkeeping and financial-management service for businesses.
- What we process: your account and login data; your workspace settings; and the financial accounts, transactions and documents you add. We connect to your bank only through a regulated open-banking provider (finAPI), and we use Google's Gemini AI to read uploaded documents.
- Who we share it with: a small set of processors (banking aggregation, AI extraction, email, hosting, error monitoring). We do not sell data, and we run no advertising or analytics tracking.
- Your rights: you can request access, correction, deletion, a copy of your data, and more. Contact us anytime at hi@aren.io.
1. Who we are and how to contact us
Lifetime Software AG ("we", "us", "our") operates the Aren service ("Aren", "the service"), available at https://app.aren.io. We are the controller (Verantwortlicher under revDSG; controller under GDPR Art. 4(7)) for the personal data described in this policy, except where we act as your processor (see Section 2).
Lifetime Software AG
Dorfstrasse 60
8835 Feusisberg, Canton Schwyz (SZ)
Switzerland
Contact for all data-protection matters and to exercise your rights: hi@aren.io
Our full company details (legal form, commercial-register and identification numbers, and authorized representative) are set out in our separate Legal Notice (Imprint).
Data protection officer: We have not appointed a data protection officer; our processing does not require one under GDPR Art. 37(1) or under Swiss law. For all data-protection questions, contact hi@aren.io.
2. Scope, frameworks and our role
Aren is a business-to-business service. Our customers are companies and other organizations ("workspaces"). Within a workspace, the people who use Aren are typically the workspace owner and invited team members (with roles owner, accountant or assistant). This policy covers the personal data of those users and the personal data contained in the financial records and documents that users add to their workspace.
Because we are established in Switzerland while also offering the service to business users in Germany and the wider EU, we apply both frameworks in parallel:
- GDPR (EU/EEA) applies where we offer the service to data subjects in the EU/EEA.
- revDSG (Switzerland) applies as the law of our seat and where the service is used by data subjects in Switzerland.
Two roles apply. For your own account, login, security and billing data, we are the controller. For the financial documents and records you upload (which may contain personal data about your employees or counterparties, for example employee names and net pay on payslips), you are the controller and we act only as your processor (Auftragsverarbeiter / Auftragsbearbeiter) under a data processing agreement.
3. What data we process, and where it comes from
We process only the categories of data described below. We do not buy or enrich profiles from data brokers.
Data you provide directly
- Account and identity: email address; first and last name (optional); a hashed password (PBKDF2-SHA256) if you set one; an optional profile photo; your timezone; your preferred language (English or German); and account timestamps (date joined, last login). Login is primarily passwordless via emailed magic links (a token valid for 12 hours); an optional password is supported.
- Workspace: workspace (company) name; logo; member roles (owner, accountant, assistant); and the workspace subdomain. Each workspace is strictly isolated in its own database schema.
- Financial accounts: bank accounts including IBAN, BIC, bank name and balances; account type/purpose classification; currency.
- Transactions: date, amount, currency, direction (in/out), counterparty name, counterparty IBAN, description/purpose text, payment reference, assigned category, and an AI-derived clean vendor name/domain.
- Documents: invoices, receipts, payslips and other financial documents you upload (PDF or image), and the structured data extracted from them (vendor, net/gross/VAT amounts, VAT-rate lines, dates, document numbers, line items). Payslips can contain employee names and net pay.
Data generated when you use Aren
- Banking-connection data (finAPI): a finAPI sub-user id; bank-connection metadata; and sync logs. Your online-banking credentials are entered directly into finAPI's hosted web form and are not stored by us. The finAPI password and OAuth access/refresh tokens we need to call finAPI are stored encrypted at rest (see Section 12).
- Diagnostics and operations: error and performance monitoring events (via Sentry), tagged only with a user id and a tenant identifier. We have disabled the sending of default personally identifiable information, so IP address and user-agent are not intentionally transmitted. We also keep AI-usage records (feature, model, token counts, cost, and the triggering user).
Data we receive from third parties
- From finAPI GmbH: account and IBAN data, balances and transactions retrieved from the banks you connect. The original source is your bank, transmitted via finAPI's regulated open-banking interface.
You can request information about the source and circumstances of any indirectly collected data at any time (see Section 11).
4. Why we process your data, and on what legal basis
We process personal data only for the purposes below, each on a clearly identified legal basis. GDPR bases are given under Art. 6(1); the corresponding Swiss justifications under revDSG (Art. 6 and Art. 31) are noted alongside.
| Purpose | GDPR legal basis | revDSG basis |
|---|---|---|
| Creating and operating your account; providing the bookkeeping, transaction and document features; passwordless login and invitations | Art. 6(1)(b) — performance of the contract | Contract performance; processing in good faith and proportionate to the agreed service |
| Connecting bank accounts and syncing transactions via finAPI | Art. 6(1)(b) — performance of the contract, at your request | Contract performance |
| Extracting data from uploaded documents and categorizing/enriching transactions (including AI processing) | Art. 6(1)(b) — performance of the contract | Contract performance; core service functionality |
| Sending transactional emails (magic-link login, invitations, service notifications) | Art. 6(1)(b) — performance of the contract | Contract performance |
| Securing the service: error/performance monitoring, abuse prevention, encryption, tenant isolation | Art. 6(1)(f) — legitimate interests | Overriding legitimate interest in the security and integrity of the service |
| Address autocomplete in workspace settings | Art. 6(1)(f) — legitimate interests (convenience and data quality) | Legitimate interest in usability and accurate records |
| Complying with bookkeeping, tax and other statutory retention duties | Art. 6(1)(c) — legal obligation | Processing required by law |
Legitimate interests (GDPR Art. 6(1)(f) / overriding interest under revDSG): where we rely on legitimate interests, our interest is in keeping the service secure, reliable and free of abuse, and in providing useful conveniences such as address autocomplete. We have weighed these interests against your rights and reasonable expectations. The processing is limited to what is necessary, uses minimized or pseudonymized data where possible, and includes no advertising or behavioural tracking. For address autocomplete specifically, only the address text you type is sent to the autocomplete service; no account or transaction data is included. You may object at any time on grounds relating to your particular situation (see Section 11).
Special-category / particularly sensitive data: Aren is not designed to process special categories of personal data (GDPR Art. 9) or particularly sensitive personal data (revDSG Art. 5(c)), and we do not intentionally collect such data. However, financial documents you upload (for example payslips) may incidentally contain personal data about your employees, such as names and net pay. Such data is processed only as part of that document, on the basis above and subject to the safeguards in this policy. Because uploading financial documents to an AI service is a higher-risk activity, we have assessed it under GDPR Art. 35 (data protection impact assessment); see Section 6.
If you do not provide certain data: an email address is required to create an account and to log in via magic link; without it we cannot provide the service. Other fields (name, profile photo, password) are optional and only affect convenience. Financial-account, transaction and document data are provided at your discretion and as needed for the features you choose to use.
5. Bank-account connection via finAPI
To import your bank accounts and transactions, we use finAPI GmbH (Munich, Germany), a BaFin-regulated account-information and payment-initiation service provider operating under the EU PSD2 open-banking framework.
- When you connect a bank, you enter your online-banking credentials directly into finAPI's own hosted web form. We never see or store those credentials.
- We receive from finAPI your account and IBAN data, balances and transactions, plus connection metadata and sync logs.
- The technical secrets we need to call finAPI on your behalf (a finAPI password and OAuth access/refresh tokens) are stored encrypted at rest (see Section 12).
- finAPI is established in Germany (EU). The legal basis is performance of your contract (GDPR Art. 6(1)(b); contract performance under revDSG), since you ask us to connect your accounts.
6. AI document processing (Google Gemini)
To read uploaded documents and to categorize and enrich transactions, we use Google's Gemini generative-AI API (a Gemini Flash Lite model), operated by Google Ireland Limited / Google LLC.
- What is sent: the document image/PDF you upload, and transaction metadata, are sent to the Gemini API so that structured information (such as vendor, amounts, VAT lines, dates and categories) can be extracted.
- Paid API tier and no model training on your data: we use the paid Gemini API under a Google Cloud data processing agreement. Under that agreement and Google's applicable Service-Specific Terms, data submitted to the paid Gemini API is not used to train or improve Google's AI models; any operational logging is limited and short-lived (for security and abuse prevention only).
- Higher-risk processing and DPIA: because uploaded documents may contain personal data about your employees or counterparties, we treat this as higher-risk processing and have carried out a data protection impact assessment (GDPR Art. 35), applying minimization, access controls and the safeguards in Section 8.
- Legal basis: performance of your contract (GDPR Art. 6(1)(b); contract performance under revDSG), because document extraction and categorization are core features you ask us to perform.
- Transfers: Google may process this data outside the EU/Switzerland (including in the USA). See Section 8 for the safeguards we rely on.
7. Who we share data with
We do not sell personal data and do not share it for advertising or marketing. We disclose data only to the processors and recipients listed below, each engaged under a data processing agreement (GDPR Art. 28 / Art. 9 revDSG) that limits them to processing on our instructions with appropriate security. There is no payment processor, no product analytics, no advertising or marketing trackers, and no live accounting-software (e.g. DATEV) integration.
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| finAPI GmbH | PSD2/BaFin-regulated open-banking aggregation; receives account/IBAN data, balances and transactions | Munich, Germany (EU) | Within EU/EEA — no third-country transfer |
| Google (Google Ireland Ltd / Google LLC) | Gemini AI API for document extraction and transaction categorization; receives document images/PDFs and transaction metadata | Ireland (EU) / USA | EU–US Data Privacy Framework (Google LLC is DPF-certified) and/or EU Standard Contractual Clauses; Swiss–US DPF for Swiss data |
| Google (Maps / Places API) | Address autocomplete in workspace settings; receives only the address search query you type | Google Ireland Ltd for EEA traffic (EU); onward processing may reach the USA | EU–US Data Privacy Framework and/or EU Standard Contractual Clauses; Swiss–US DPF for Swiss data |
| Postmark (AC PM LLC / ActiveCampaign) | Transactional email delivery (magic-link login, invitations, notifications); receives recipient email address and message content | USA | EU–US Data Privacy Framework and EU Standard Contractual Clauses; Swiss–US DPF for Swiss data |
| logo.dev | Fetches company logos by company name/domain; receives vendor/company names and domains, and at signup the workspace owner's company name and work-email domain | USA | EU Standard Contractual Clauses (Decision 2021/914) with supplementary technical measures; only company names and domains are sent, never account credentials or financial data |
| Sentry (Functional Software, Inc.) | Error and performance monitoring; receives diagnostic events tagged with a user id and tenant identifier (PII minimized) | USA | EU Standard Contractual Clauses (Decision 2021/914) plus supplementary technical measures (PII minimization, default PII sending disabled) |
| Neon, Inc. | Managed PostgreSQL database hosting | AWS region eu-central-1, Frankfurt, Germany (EU); US-controlled provider | Data stored in the EU; EU Standard Contractual Clauses and supplementary technical measures (encryption, access controls) for the US-controlled operator |
| Hetzner Online GmbH | S3-compatible object storage for uploaded documents, logos and exports; application and Redis servers | Germany (EU) | Within EU/EEA — no third-country transfer |
We may also disclose personal data to courts, supervisory or law-enforcement authorities where we are legally required to do so.
8. International data transfers
Several processors are located in, or controlled from, countries outside Switzerland and the EU/EEA — principally the United States. Where personal data is transferred to such a country, we ensure an adequate level of protection as follows.
Under GDPR (EU/EEA data)
- USA: for recipients certified under the EU–US Data Privacy Framework (DPF), transfers rely on the European Commission's adequacy decision (Art. 45). Google LLC and Postmark (AC PM LLC) are DPF-certified. Where a recipient is not certified, or as a parallel safeguard, we rely on the EU Standard Contractual Clauses (Decision 2021/914) together with supplementary technical and organizational measures (such as encryption in transit and at rest and access controls) informed by a transfer impact assessment. For Sentry, we rely on Standard Contractual Clauses plus supplementary measures (PII minimization), not on a DPF certification.
- EU-based processors and EU-stored data (finAPI, Hetzner, and Neon's Frankfurt storage): these are intra-EU and do not require a transfer mechanism. Neon, Inc. is a US-controlled operator; we therefore apply Standard Contractual Clauses and supplementary measures to address potential access requests under US law, even though the data resides in Frankfurt.
Under revDSG (Swiss data)
- EU/Germany (finAPI, Hetzner, Neon's Frankfurt storage): the EU/EEA is recognized as providing adequate protection under Annex 1 of the Swiss Data Protection Ordinance (DSV); no further safeguard is required.
- USA: for recipients certified under the Swiss–US Data Privacy Framework (recognized by the FDPIC, effective 15 September 2024), transfers rely on that framework's adequacy. Otherwise we rely on Standard Contractual Clauses with supplementary measures to ensure protection equivalent to Swiss law.
You may request further information about the safeguards that apply, and a copy of the relevant clauses, by contacting us at hi@aren.io.
9. Cookies
Aren uses only strictly necessary cookies. We use no analytics, advertising or tracking cookies, and no third-party tracking.
- sessionid — keeps you logged in during your session (Django session cookie). Set as HttpOnly and Secure in production.
- csrftoken — protects forms against cross-site request forgery. Set as Secure in production; it is intentionally readable by the client (not HttpOnly), because our security model requires the front end to read the token to attach it to requests.
These cookies are required to operate the service and cannot be switched off without breaking core functionality. The legal basis is performance of the contract and our legitimate interest in a secure, functioning service (GDPR Art. 6(1)(b)/(f); equivalent justifications under revDSG).
10. How long we keep data
We keep personal data only as long as needed for the purposes above or as required by law, then delete or anonymize it.
- Account and workspace data: kept for the life of your account. After account closure, data not subject to a statutory retention duty is deleted without undue delay.
- Financial records (accounts, transactions, documents): these use a soft-delete mechanism and are retained to meet statutory bookkeeping and tax duties. Under Swiss law the period is generally 10 years (Art. 958f of the Swiss Code of Obligations); comparable German/EU obligations also apply (for example up to 8 years for certain records under § 257 HGB / § 147 AO, as applicable). After the applicable period expires, the records are deleted or anonymized.
- Short-lived tokens: magic links expire after 12 hours; email-change tokens after 15 minutes; invitations after 7 days; asynchronous task results after about 1 hour.
- Diagnostics (error monitoring): retained only for a limited period in line with our monitoring configuration, then automatically deleted.
- AI-usage records: retained only as long as needed for cost accounting and security, then deleted or anonymized.
You can export your transaction data at any time. You can also delete your account yourself — in the Aren web app under Settings → Personal → Delete account, or from the Aren Scan iOS app (Account → Delete Account). Deletion anonymizes and deactivates your account and removes your workspace memberships; financial records subject to statutory bookkeeping and tax duties are deleted or anonymized once the applicable retention periods above expire. You can also request deletion by email at hi@aren.io.
11. Your rights
Subject to the conditions and exceptions in the applicable law (including statutory retention duties), you have the following rights regarding your personal data.
Under the GDPR (Art. 15–22)
- Access (Art. 15) — confirmation of whether we process your data and a copy of it.
- Rectification (Art. 16) — correction of inaccurate or incomplete data.
- Erasure (Art. 17) — deletion where the data is no longer needed and no legal duty requires us to keep it.
- Restriction (Art. 18) — limiting our processing in certain cases.
- Data portability (Art. 20) — receiving your data in a structured, machine-readable format.
- Objection (Art. 21) — objecting to processing based on legitimate interests on grounds relating to your particular situation.
- Withdrawal of consent (Art. 7(3)) — where processing is based on consent, withdrawing it at any time without affecting prior processing.
Under the revDSG
- Right to information (Art. 25) — including the data processed, the purpose, recipients, source, retention period and any automated profiling.
- Rectification (Art. 32) — correction of inaccurate data.
- Erasure or restriction — deletion or blocking of data, subject to legal exceptions.
- Objection — objecting to specific processing and to disclosure to third parties.
- Data release / portability (Art. 28) — receiving data you have provided in a common electronic format.
To exercise any of these rights, contact us at hi@aren.io. We will respond within 30 days (GDPR Art. 12(3); revDSG Art. 25). We may need to verify your identity first.
Automated decision-making: we do not use automated decision-making that produces legal or similarly significant effects on you. The AI processing described in Section 6 extracts and categorizes data to assist your bookkeeping; it does not make binding decisions about you.
Complaints to a supervisory authority
- EU/EEA: you may lodge a complaint with a data protection supervisory authority, in particular the authority of your habitual residence or place of work. In Germany this is the data protection authority of your federal state — for example, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
- Switzerland: you may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC / EDÖB), https://www.edoeb.admin.ch. Unlike the GDPR, Swiss law does not provide a direct complaint-and-decision procedure; the FDPIC opens an investigation on its own initiative where there are sufficient indications of a violation.
12. How we protect your data
We apply technical and organizational measures appropriate to the risk (GDPR Art. 32; Art. 8 revDSG and Art. 1–3 DSV), including:
- Encryption in transit: TLS for all connections, with HTTP Strict Transport Security (HSTS, one-year max-age).
- Encryption at rest: bank-connection credentials and tokens are encrypted (Fernet — AES-128 in CBC mode with HMAC-SHA256 authentication).
- Tenant isolation: each workspace lives in its own database schema, keeping data strictly separated between customers.
- Secure cookies: the session cookie is HttpOnly and Secure in production; the CSRF cookie is Secure (and intentionally client-readable for CSRF protection).
- Minimized diagnostics: error monitoring is configured not to send IP address or user-agent, and to tag events only with a user id and tenant identifier.
No system can be guaranteed completely secure. Please keep your login secure and notify us promptly at hi@aren.io if you suspect unauthorized access. In the event of a personal data breach likely to result in a risk to affected individuals, we will notify the competent authority and, where required, the affected individuals, in line with GDPR Art. 33/34 and Art. 24 revDSG.
13. Children and business use
Aren is a business-to-business service intended for use by companies and their staff in a professional capacity. It is not directed at children and is not intended for the processing of consumer or children's personal data. We do not knowingly create accounts for individuals under the age of 16.
14. Changes to this policy
We may update this Privacy Policy to reflect changes in our service, our processors, or legal requirements. The effective date shown at the top indicates the current version. For material changes we will give reasonable notice, for example by email or within the service. The current version is always available within Aren and on our website.