Skip to main content
← LokBox

Privacy Policy

Last updated: 13 June 2026

Pilot baseline; pending legal review.

1. Introduction and Data Controller

This Privacy Policy explains how LokBox processes personal data in accordance with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR). LokBox is an offering of bubloo, Kubilé (sole proprietorship), owner Ernesta Kubilé. Data controller: bubloo, Kubilé, Lischenweg 7, 4915 St. Urban, Switzerland (UID: CHE-190.821.402). Email: info@lokbox.ch / privacy@lokbox.ch.

2. Data Categories

We process personal data generated during your use of our platform: (1) Account Data: email address, name (optional), bcrypt password hash, verification status. (2) Client Data (Dossiers): client data entered by fiduciaries (name, legal name, UID, address, canton, contacts, emails, phone numbers, and specific instructions). (3) Task Data & Prompts: workspace instructions, agent execution steps (clicks, navigation paths, errors), temporary screenshots and DOM snippets, and generated results. (4) Uploaded Documents: files provided by the user for task execution (e.g., PDF invoices, receipts). (5) Payment Data: transaction records via Stripe (amount, currency, status, billing address); credit card details are processed directly by Stripe and are never stored on LokBox infrastructure. (6) Usage & Log Data: IP addresses, session tokens, access times, server logs.

3. Purposes of Processing

Processing is carried out for contract performance (delivering the AI agent browser), billing, customer support, platform security, and compliance with legal retention obligations (e.g., Swiss Code of Obligations Art. 958f).

5. Subprocessors and Locations

We engage the following partners to deliver our infrastructure: Hetzner Online GmbH (Germany, EU) — frontend hosting and agent backend runtime infrastructure; all servers are located in Falkenstein, Germany. Supabase, Inc. (EU data center Frankfurt, Germany) — Postgres database, authentication, and secure object storage (recordings bucket). Amazon Web Services EMEA SARL (Luxemburg/EU) — Bedrock inference platform; executes Anthropic Claude Sonnet 4.6 model inference exclusively in EU data centers (eu-central-1, Frankfurt) using a fail-loud EU data residency guard; no data leaves the EU; no data retention by Anthropic. Google Cloud Vertex AI (Netherlands/EU) — resolver and answer synthesis (Gemini models) within the EU. Stripe Payments Europe, Ltd. (Ireland/EU) — payment processing. Resend, Inc. (EU region) — transactional email delivery. Sentry (Functional Software, Inc., EU region) — server-side application error monitoring (ingest.de.sentry.io).

6. International Transfers

Data storage and LLM inference are located exclusively in the European Union (Germany, Ireland, Netherlands). Google Workspace and Notion integrations transfer data to their respective platforms (including the US) to perform your initiated actions; Standard Contractual Clauses (SCCs) are used. We do not claim Swiss data residency; data lives in Germany/EU.

7. Data Security and Isolation

Workspace Isolation: each workspace is strictly isolated; dossiers and task histories are partitioned at the database level. Credential Protection: OAuth tokens and API keys are stored encrypted using AES-256-GCM; credentials/2FA codes entered via the live view are encrypted in transit and never stored permanently. Model Training: we never use your data to train third-party AI models. PII Redaction: a system for automatic redaction of personal data (PII redaction) is currently rolling out (in testing phase) and is not yet active by default.

8. Retention

Usage Data & Recordings: retained for 30 days by default. Billing Records: kept for 10 years (Swiss CO Art. 958f). Account Data: permanently deleted within 30 days of account deletion.

9. Your Rights and Complaint Body

You have the right to access, rectify, erase, restrict, and object to the processing of your data. Contact privacy@lokbox.ch. You may lodge a complaint with a supervisory authority: in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC), Bern; in the EU, the competent supervisory authority of your residence.

10. Cookies

We use only strictly necessary session cookies (lokbox_session and lokbox_csrf) for authentication and CSRF security. No marketing or tracking cookies are used.

info@lokbox.ch · +41 78 845 84 66
Lischenweg 7, 4915 St. Urban (Canton of Lucerne), Switzerland