Privacy
Policy.

Svea Ark Stiftung, registered in Vaduz, Liechtenstein, is the data controller for the TariffOS marketing site and a data processor for customer-submitted trade data and wallet-linked settlement metadata under our Data Processing Addendum (DPA). Contact: privacy@sveaark.li.

• Account data: name, business email, company, role, billing details.
• Usage data: API request metadata, dashboard interactions, performance telemetry.
• Customer trade data: HS codes, invoices, supplier records you submit for analysis.
• Settlement metadata: wallet addresses, transaction hashes, Travel-Rule originator/beneficiary data.
• Site visitor data: IP, user-agent, page views, anonymized analytics.

• Operate, secure and improve the TariffOS platform, APIs and dual-rail settlement.
• Provide tariff lookups, classification, landed-cost and scenario simulation you request.
• Meet our obligations under the Liechtenstein TVTG, FATF Travel Rule and EU AML/CFT framework.
• Detect abuse, enforce rate limits, sanctions-screen counterparties.
• Send transactional emails and — with consent — product updates.

We process personal data under GDPR / Liechtenstein DSG bases: contract necessity (delivering the service), legal obligation (TVTG record-keeping, AML/CFT, tax), legitimate interest (security, fraud prevention, product analytics), and consent (marketing).

We share data only with vetted subprocessors strictly required to operate the service: cloud hosting (EEA primary), email delivery, custody partners for digital-asset settlement, sanctions/KYB screening, analytics. The current subprocessor list is available on request and any additions are notified to enterprise customers in advance.

Primary processing takes place in the EEA (Liechtenstein, Germany, Switzerland — the latter under the EU adequacy decision). Any onward transfer relies on Standard Contractual Clauses; US transfers honour the EU-US Data Privacy Framework where applicable.

We retain account and customer trade data for the duration of the contract plus the statutory retention period under Liechtenstein law (10 years for AML/CFT and tax records). Wallet and Travel-Rule data is retained for 5 years from the date of the transaction.

You may request access, correction, deletion, restriction or portability of your personal data, and you may object to certain processing. You have the right to lodge a complaint with the Liechtenstein Data Protection Authority (Datenschutzstelle, Vaduz) or your home EEA supervisory authority.

All data is encrypted in transit (TLS 1.3) and at rest. Access is governed by least-privilege RBAC. Digital-asset signing uses HSM- and MPC-backed keys. Client digital assets are held in segregated wallets per the TVTG.

Privacy requests: privacy@sveaark.li · Svea Ark Stiftung · Vaduz · Liechtenstein.