In this privacy policy, we, Swissprivate AG, explain how we collect and process personal data. This is not a comprehensive description; other privacy policies [or general terms and conditions, terms of participation, and similar documents] may regulate specific matters. Personal data refers to all information relating to an identified or identifiable person.

If you provide us with personal data of other individuals (e.g., family members, data from colleagues), please ensure that these individuals are aware of this privacy policy and only share their personal data with us if you are permitted to do so and if the data is accurate.

This privacy policy is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the Swiss Data Protection Act (DPA), and the revised Swiss Data Protection Act (revDPA). However, whether and to what extent these laws are applicable depends on the specific case.

1. Responsible party / Data protection officer / Representative

The Swissprivate AG, Färberstrasse 6, 8008 Zurich is responsible for the data processing we carry out here. If you have data protection concerns, you can send them to the following contact address: Mail: Swissprivate AG, Färberstrasse 6, 8008 Zurich Email: contact@swissprivate.ch.

You can also reach our data protection officer according to Art. 37 GDPR at the same address. He is also our representative in the EEA according to Art. 27 GDPR.

2. Collection and processing of personal data

We primarily process the personal data that we receive from our customers and other business partners in the context of our business relationship or that we collect from users while operating our websites, apps, and other applications.

To the extent permitted, we also obtain certain data from publicly available sources (e.g., debt collection registers, land registers, commercial registers, press, internet) or receive such data from other companies within Swissprivate AG, authorities, and other third parties (such as credit agencies). Alongside the data you provide to us directly, the categories of personal data we obtain from third parties about you include in particular information from public registers, information we learn in connection with administrative and legal proceedings, information in relation to your professional functions and activities (so that we can conduct business with your employer with your assistance), information about you in correspondence and meetings with third parties, credit checks (to the extent we conduct business with you personally), information about you provided to us by individuals in your environment (family, advisors, legal representatives, etc.) so that we can enter into or manage contracts with you or involving you (e.g., references, your address for deliveries, authorizations, information on compliance with legal requirements such as anti-money laundering and export restrictions, information from banks, insurance companies, sales and other business partners regarding the utilization or provision of services by you (e.g., payments made, purchases made)), information from media and the internet concerning you (as far as is relevant in the specific case, e.g., in the context of an application, press review, marketing/sales, etc.), your addresses and, if applicable, interests and other sociodemographic data (for marketing), data related to the use of the website (e.g., IP address, MAC address of your smartphone or computer, information about your device and settings, cookies, date and time of visit, retrieved pages and content, functions used, referring website, location data).

3. Purposes of data processing and legal bases

We use the personal data we collect primarily to conclude and fulfill our contracts with our customers and business partners, particularly in the context of consulting on financial matters with our customers and purchasing products and services from our suppliers and subcontractors, and to comply with our legal obligations in Switzerland and abroad. If you are acting for such a customer or business partner, you may naturally also be affected in this capacity with your personal data.

Furthermore, we process your personal data and that of other individuals, as permitted and deemed appropriate, for the following purposes, in which we (and occasionally also third parties) have a legitimate interest corresponding to the purpose:

- Offering and further developing our offerings, services, and websites, apps, and other platforms where we have a presence;

- Communication with third parties and handling their inquiries (e.g., applications, media inquiries);

- Examining and optimizing procedures for needs analysis for direct customer outreach as well as collecting personal data from publicly available sources for customer acquisition;

- Advertising and marketing (including event execution), provided you have not objected to the use of your data (if we send advertising to you as an existing customer, you may object at any time, and we will put you on a stop list against further advertising);

- Market and opinion research, media monitoring;

- Assertion of legal claims and defense in connection with legal disputes and administrative procedures;

- Prevention and investigation of criminal offenses and other misconduct (e.g., conducting internal investigations, data analyses for fraud prevention);

- Ensuring our operations, particularly IT, our websites, apps, and other platforms;

- Video surveillance to uphold house rules and other measures for IT, building, and asset security and to protect our employees and other individuals as well as our owned or entrusted assets (e.g., access controls, visitor lists, network and mail scanners, call recordings);

- Buying and selling business areas, companies or parts of companies and other corporate transactions, thereby transferring personal data as well as measures for business management and as far as required for compliance with legal and regulatory obligations as well as internal regulations of Swissprivate AG.

To the extent that you have given us consent to process your personal data for specific purposes (for example, when you register to receive newsletters or when conducting a background check), we process your personal data on the basis of this consent, as far as we do not have another legal basis and we need one. Consent given may be revoked at any time, but this will not affect any data processing that has already occurred.

4. Cookies / Tracking and other technologies in connection with the use of our website

We typically use "cookies" and similar technologies on our websites and apps, which allow your browser or device to be identified. A cookie is a small file that is sent to your computer or automatically stored on your computer or mobile device by the web browser in use when you visit our website or install the app. When you revisit this website or use our app, we can recognize you again, even if we do not know who you are. Besides cookies that are only used during a session and deleted after your website visit ("session cookies"), cookies can also be used to store user settings and other information for a certain period (e.g., two years) ("permanent cookies"). However, you can set your browser to refuse cookies, store only for a session, or otherwise delete them prematurely. Most browsers are set by default to accept cookies. We use permanent cookies so that you can store user settings (e.g., language, auto-login), so that we can better understand how you use our offerings and content and to show you tailored offers and advertising (which may also occur on other companies' websites; however, these companies will not learn from us who you are if we do not know that ourselves, as they only see that the same user has visited their website as well who was also on a specific point on our site). If you block cookies, certain functionalities may no longer work.

By using our websites, apps, and consenting to receive newsletters and other marketing emails, you agree to the use of these techniques. If you do not want this, you must appropriately adjust your browser or email program settings, or uninstall the app if this cannot be adjusted via settings.

We also use services like Google Analytics on our websites. This is a third-party service that may be located in any country in the world (in the case of Google Analytics, it is Google Ireland (based in Ireland), Google Ireland relies on Google LLC (based in the USA) as a processor (both "Google"), www.google.com), with which we can measure and evaluate the use of the website (non-personal). For this, permanent cookies are also used, which are set by the service provider. We have configured the service to ensure that the IP addresses of visitors are anonymized by Google in Europe before being transferred to the USA, thus preventing them from being traced back. We have disabled the "data sharing" and "signals" settings. While we can assume that the information we share with Google does not constitute personal data for Google, it is possible that Google can draw conclusions about the identity of the visitors from this data, create personal profiles, and link this data to the Google accounts of these individuals. To the extent that you have registered with the service provider, the provider knows you as well. The processing of your personal data by the service provider then occurs under the responsibility of the service provider according to their data protection provisions. The provider only informs us how our respective website is used (no information about you personally).

Furthermore, we use so-called plug-ins from social networks such as Facebook, Twitter, YouTube, Pinterest, or Instagram on our websites. This is typically visible to you (usually via corresponding symbols). We have configured these elements so that they are deactivated by default. If you activate them (by clicking), the operators of the respective social networks can register that you are on our website and where, and can use this information for their purposes. The processing of your personal data then occurs under the responsibility of that operator according to their data protection provisions. We do not receive any information about you from them.

5. Data disclosure and data transfer abroad

In the course of our business activities and the purposes according to point 3, to the extent permitted and deemed appropriate, we also share data with third parties, whether they process this data for us or want to use it for their own purposes. This particularly concerns the following entities:

- Service providers (within Swissprivate AG and externally, such as banks, insurance companies), including processors (such as IT providers);

- Dealers, suppliers, subcontractors, and other business partners;

- Customers;

- Domestic and foreign authorities, offices, or courts;

- Media;

- The public, including visitors to websites and social media;

- Competitors, industry organizations, associations, organizations, and other bodies;

- Buyers or potential buyers of business areas, companies, or other parts of Swissprivate AG;

- Other parties in possible or actual legal proceedings;

- Other companies of Swissprivate AG;

collectively referred to as recipients.

These recipients may be based domestically but can be located anywhere in the world. You should particularly anticipate the transfer of your data to any countries where Swissprivate AG is represented through group companies, branches, or other offices, as well as other countries in Europe and the USA where the service providers we use are located (such as Microsoft and Hubspot).

If a recipient is located in a country without adequate legal data protection, we contractually obligate the recipient to comply with applicable data protection standards (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?lang=en), unless they are already subject to a legally recognized framework to ensure data protection and we cannot rely on an exception provision. An exception may apply specifically in cases of legal proceedings abroad, but also in cases of overriding public interest or where a contract execution requires such disclosure, if you consent or if it concerns data made publicly available by you for which you did not raise objections against processing.

6. Duration of storage of personal data

We process and store your personal data as long as required to fulfill our contractual and legal obligations or otherwise the purposes pursued with the processing, i.e., for example, throughout the entire business relationship (from initiation to conclusion of a contract) as well as beyond that in accordance with statutory retention and documentation obligations. It is possible for personal data to be retained for the period during which claims against our company can be asserted and insofar as we are legally required to do so or have legitimate business interests (e.g., for evidentiary and documentation purposes). Once your personal data is no longer necessary for the aforementioned purposes, they will generally be deleted or anonymized as far as possible. For operational data (e.g., system logs), generally shorter retention periods of twelve months or less apply.

7. Data security

We take appropriate technical and organizational security measures to protect your personal data against unauthorized access and misuse, such as issuing instructions, training, IT and network security solutions, access restrictions, encryption of data carriers and transmissions, pseudonymization, and controls.

8. Obligation to provide personal data

In the context of our business relationship, you must provide the personal data necessary for the initiation and execution of a business relationship and for fulfilling the associated contractual obligations (there is generally no statutory obligation for you to provide us with data). Without this data, we will typically not be able to conclude or execute a contract with you (or the entity or person you represent). Additionally, the website cannot be used if certain information needed to ensure data traffic (such as IP address) is not disclosed.

9. Rights of the data subject

You have, under the applicable data protection laws and to the extent provided (such as in the case of the GDPR), the right to access, rectification, erasure, the right to restriction of processing, and to object to our data processing, particularly to that for the purposes of direct marketing, profiling operated for direct advertising, and further legitimate interests in processing as well as the right to obtain certain personal data for transfer to another entity (so-called data portability). Please note that we reserve the right to assert the statutory limitations, for example, if we are required to retain or process certain data, have a legitimate interest (to the extent we may rely on that), or require them for the assertion of claims. If there are costs incurred by you, we will inform you in advance. We have already informed you in point 3 about the possibility of revoking your consent. Note that exercising these rights may conflict with contractual agreements and can have consequences such as early termination of the contract or cost implications. We will inform you in advance in that case where this is not already regulated contractually.

Exercising such rights typically requires that you clearly prove your identity (e.g., via a copy of an identification document if your identity is otherwise not clear or cannot be verified). To assert your rights, you may contact us at the address indicated in point 1.

Every data subject also has the right to enforce their claims in court or file a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

10. Changes

We can adjust this privacy policy at any time without prior notice. The version published on our website at the time applies. If the privacy policy is part of an agreement with you, we will inform you about the change via email or in another suitable manner in case of an update.