1) Identity of the Controller
The data controller (Verantwortlicher) for RechNex is Ruta Group Kacper Ruta. RechNex is operated by ruta-tech.ch and technically implemented by glasbox.ch, both under Ruta Group.
For privacy inquiries, data subject requests, and security concerns, please use the official contact details below.
- Legal entity (Controller): Ruta Group Kacper Ruta
- Address: Werkstrasse 11, 6102 Malters, Switzerland
- UID: CHE-471.967.194
- Product: RechNex
- Privacy contact: info@rechnex.ch
- Service operator: ruta-tech.ch (operated by Ruta Group)
- Technical implementation/agency: glasbox.ch (owned by Ruta Group)
2) Scope and Principles
We process only data that is necessary to provide secure Swiss B2B document and billing services. Our core principle is strict data minimization and purpose limitation.
Data is processed only for contract performance, platform security, legal compliance, and abuse prevention. We do not use personal data for advertising profiling.
3a) Purpose of Processing
We process personal data exclusively for the purposes described in this policy: providing and improving RechNex, ensuring platform security, fulfilling legal obligations, and communicating with users about their accounts and services.
No data is processed for purposes beyond what is necessary to deliver a secure, compliant Swiss B2B document and billing platform.
3b) Legal Basis for Processing
Under the Swiss nDSG, processing is lawful when it serves contract performance (Art. 31 para. 2 let. a nDSG), compliance with legal obligations, or the protection of legitimate interests. We rely on these bases for all operational processing.
For EU data subjects under the GDPR, processing is based on: contract performance (Art. 6(1)(b) GDPR), legitimate interest (Art. 6(1)(f) GDPR), or explicit consent where required. Consent can be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.
3) Data We Collect and Why
To provide RechNex reliably and securely, we process account, organization, client, document, technical, and billing metadata. Payment card data is never stored by RechNex.
All document and client records are isolated by tenant context to prevent cross-organization access.
- User account data: email, first name, last name, locale, timezone, verification state; passwords are stored only as bcrypt hashes.
- Organization profile data: company/legal name, address, UID, VAT/MWST status, contact details, branding files, and IBAN/QR-IBAN for QR invoices.
- Client data (tenant scoped): name, address, contact person, email, phone.
- Document data: invoices and reminders with immutable snapshots; PDF files stored server-side with controlled access.
- Security/technical data: session token hashes (SHA-256), password/email reset token hashes (SHA-256), session IP and user-agent logs.
- Trial usage protection: only a SHA-256(IP+UA+salt) fingerprint is stored; no raw IP is persisted for trial fingerprinting.
- Audit logs: actor type, actor ID, action metadata, IP address, and timestamp.
- Billing metadata: Stripe customer/subscription identifiers only; card data is processed exclusively by Stripe (PCI-DSS).
- Email delivery data: transactional messages only (no newsletters, no marketing campaigns).
4) Hosting and Sub-processors
We use carefully selected processors with contractual safeguards and data protection obligations. Access is restricted to what is required for service delivery.
If personal data is transferred outside Switzerland, we rely on recognized adequacy decisions and/or Standard Contractual Clauses (SCCs).
- Infomaniak (Geneva, Switzerland): hosting, SMTP, and infrastructure services under Swiss jurisdiction.
- Stripe (US/EU): payment processing and subscription lifecycle management.
- RechNex stores only billing metadata required for subscription operations; card details remain with Stripe.
- Google LLC (USA): Google Analytics (GA4) for anonymized website usage analytics. Transfers to the US are based on the EU–US Data Privacy Framework and/or Standard Contractual Clauses (SCCs), as applicable.
6) Data Security and Anti-Leak Measures
We implement layered technical and organizational controls to protect confidentiality, integrity, and availability. Security controls are continuously reviewed against business risk.
Access to protected resources is authenticated and authorized per tenant context, with strict role boundaries and abuse protection controls.
- Cryptographic hashing (SHA-256) for security tokens and reset artifacts.
- Strict multi-tenant isolation at database and access-control layers.
- Authenticated, access-controlled document endpoints for protected PDF delivery.
- Role-based access control (RBAC) with least-privilege principles.
- Rate limiting and anti-brute-force protections on sensitive flows.
- Security-relevant event logging for traceability and forensic analysis.
7) Data Retention
We retain personal data only as long as necessary for contractual service delivery, legal obligations, accounting requirements, and security auditing.
Retention periods depend on data category, legal basis, and compliance requirements. Data is deleted or anonymized when no longer required.
8) Data Subject Rights and Supervisory Authority
You may request information about your data, correction, deletion, restriction of processing, objection, and data portability where legally applicable.
Under Swiss law, you may contact the Federal Data Protection and Information Commissioner (FDPIC). For EU data subjects, GDPR rights remain applicable as required.
- Requests can be sent to: info@rechnex.ch
- Swiss supervisory authority: FDPIC (Federal Data Protection and Information Commissioner).
9) Children's Privacy
RechNex is a business-to-business (B2B) SaaS platform designed exclusively for commercial use by businesses, sole proprietors, and professional organizations. The service is not intended for, nor directed at, individuals under the age of 18.
We do not knowingly collect personal data from minors. If we become aware that data from a person under 18 has been collected, we will take immediate steps to delete it.
10) Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform capabilities. Material changes will be communicated via the application or email to affected users.
The effective date at the top of this page indicates when the policy was last revised. Continued use of RechNex after a policy update constitutes acceptance of the revised terms.