Privacy Policy

How we collect, use and protect your personal data. No third-party trackers, no data sales, no AI training. Just what we need to run the Service, kept in Switzerland.

Last updated · 28 April 2026 · Version 1.0 · Controller: Ampersand Labs GmbH · Jurisdiction: Switzerland (FADP) · Data location: CH only.

1. Who we are

Ampersand Labs GmbH (“we”) is the controller of personal data processed in connection with the Hosting by Ampersand website and Service. We are registered in the Commercial Register of the Canton of Zürich and based at Flüelastrasse 10, 8048 Zürich, Switzerland.

2. Data we collect

We collect the minimum necessary to operate the Service:

  • Account data: name, company, email address, billing address, VAT ID where applicable.
  • Authentication data: hashed passwords, 2FA seeds, login timestamps, IP of last login.
  • Billing data: invoices, payment method tokens (we never store full card numbers — they are tokenised by our payment processor).
  • Service usage data: server access logs, error logs, support tickets, performance metrics.
  • Website data: aggregated, IP-anonymised analytics from this marketing website (visit count, page, referrer). No third-party trackers.

We do not use Google Analytics, Facebook Pixel, advertising cookies, or any cross-site tracking.

3. Why we use it

  • To provide, secure, monitor and improve the Service.
  • To bill you, send invoices, and answer your support requests.
  • To meet our legal obligations (e.g. accounting retention).
  • To detect, investigate and prevent abuse, fraud or attacks against our infrastructure.

We do not sell your personal data. We do not use it to train AI models. We do not share it for marketing.

Processing is based on the Swiss Federal Act on Data Protection (FADP) and, where the GDPR applies, on:

  • performance of the contract (Art. 6(1)(b) GDPR) — to deliver the Service;
  • legal obligation (Art. 6(1)(c) GDPR) — for accounting, tax and security records;
  • legitimate interests (Art. 6(1)(f) GDPR) — for fraud prevention and infrastructure security.

5. Sharing & sub-processors

We share data only with carefully vetted Swiss-based sub-processors, exclusively as needed to deliver the Service. The current list:

  • Exoscale (Akenes SA, Lausanne, CH) — Swiss cloud infrastructure, hosting your sites and backups.
  • Stripe Payments Europe — payment processing only (card tokenisation; we never see your full card number).
  • Postmark (ActiveCampaign LLC) — transactional email delivery only, with EU/Swiss data residency configured.

An up-to-date list is maintained in our DPA & FADP statement. We notify customers of new sub-processors at least 30 days before they are engaged.

6. Where data lives

All customer data — websites, databases, media, backups, account profile, billing data — is stored exclusively in Switzerland, in datacenters located in Geneva and Zürich. We do not transfer customer data to the United States, the United Kingdom, or any other jurisdiction outside Switzerland and the EEA.

7. Retention

  • Account & service data: for the duration of the contract plus 30 days after termination.
  • Billing & tax data: 10 years (Swiss commercial law obligation).
  • Server access & security logs: up to 90 days, then anonymised.
  • Backups: rolling 30-day window (Single), 60 days (Atelier), 90 days (Atlas).

8. Your rights

You have the right to access, rectify, restrict, port, and delete your personal data, and to object to processing. You may also lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland or your local supervisory authority in the EU.

To exercise any of these rights, email privacy@ampersand.ch from the address linked to your account. We respond within 30 days.

9. Contact

Privacy questions or requests:

  • Email: privacy@ampersand.ch
  • Post: Ampersand Labs GmbH — Privacy, Flüelastrasse 10, 8048 Zürich, Switzerland

This policy may evolve. Material changes are announced via email at least 30 days in advance.