# Privacy Policy
Dear Sir or Madam
DFX AG (hereinafter referred to as DFX) takes the protection of your personal data very seriously. Data protection has a high priority for DFX.
The confidential and responsible handling of personal data from our relationships with customers, business partners, employees, applicants and suppliers is the basis of our business success. Personal data is all information that relates to an identified or identifiable person.
Therefore, we adhere to the following principles when handling personal data:
- Confidentiality and transparency
- Compliance with our company guidelines and the privacy policy
- Compliance with all applicable laws and regulations
# 1. Information on the responsible body (imprint)
The responsible body on the basis of the Swiss Data Protection Act (DSG) is:
Address: DFX AG, Bahnhofstrasse 7, 6300 Zug, Switzerland
Commercial Register: CHE-429.856.521
Registration Court: Zug, Switzerland
Website: https://dfx.swiss
Electronic contact: https://app.dfx.swiss/support
# 2. General information on data protection
DFX treats your personal data confidentially and in accordance with the statutory data protection regulations, in particular the Swiss Federal Act on Data Protection (DSG) and this privacy policy.
The use of our website is generally possible without providing personal data. However, if a data subject wishes to use special services of our company via our website, processing of personal data may be necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we obtain the consent of the data subject in an appropriate form after providing appropriate information.
We would like to point out that, despite the security precautions we have taken, data transmission on the Internet (for example, when communicating by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.
As the (natural) person concerned, it is in your personal interest to protect the system(s) you use (PC, laptop, etc.) from unauthorized access by third parties, to provide them with adequate password protection and not to disclose the password to third parties. It is recommended to install a commercially available virus protection program and update it regularly.
# Categories of personal data
As part of our business relationships and the use of our services, we process various categories of personal data. These include, among others:
- Contact information: e.g., name, address, phone number, email address.
- Technical data: e.g., IP addresses, device information, browser type.
- Payment and financial data: e.g., bank details, credit card data, transaction history, tax returns.
- Communication data: e.g., contents of emails, contact forms, inquiries.
- Usage data: e.g., pages visited, login data, usage behavior on our website.
- Contract data: e.g., purchased products, services, contract terms.
- Sensitive data (if relevant): e.g., health data, biometric data for identification (only with explicit consent), official identification documents.
The collection of this data is carried out exclusively for the purposes stated in this privacy policy and in compliance with applicable data protection regulations.
# Legal bases for the processing of personal data (valid for all processing purposes)
The processing of your personal data is always based on a clear legal basis that ensures that your data is processed in accordance with legal requirements. The choice of legal basis depends on the respective purpose of processing. Below you will find an overview of the legal bases on which we rely:
- Contract fulfillment: To provide services or fulfill contractual obligations.
- Legal obligations: To comply with legal requirements (e.g., tax retention obligations).
- Legitimate interests: To optimize our business processes, ensure IT security, or efficiently process customer inquiries.
- Consent: The processing of personal data is based on consent if no other legal basis exists.
# Particularly sensitive personal data
The processing of particularly sensitive data, such as genetic and biometric data, is carried out exclusively on the basis of explicit consent from the data subject or within the framework of a legal obligation that makes processing necessary.
# Purpose of data processing
Only data that is absolutely necessary for the respective purposes is collected. In principle, no additional data is collected for the analysis of user behavior. In addition to the data mentioned, particularly sensitive personal data may be processed in certain cases.
The processing of your personal data is carried out in particular for the following purposes:
- Contract fulfillment and provision of our services: We use your data to fulfill contracts, provide services and manage our business relationship with you.
- Customer communication: This includes answering inquiries, support and transmitting important information about our services.
- Service communication: If you have consented, we use your data to provide you with relevant information about our services.
- IT security and fraud prevention: To protect our IT systems and detect and prevent unauthorized access, cyber attacks or other fraudulent activities.
- Compliance with legal and regulatory obligations: This includes, for example, compliance with tax or commercial law obligations as well as the requirements of the Data Protection Act.
# Data protection through technical design and privacy-friendly default settings
DFX is committed to ensuring the protection of personal data through technical and organizational measures from the outset ("Privacy by Design") and through privacy-friendly default settings ("Privacy by Default").
This means:
- Data minimization: Only the data that is absolutely necessary for the respective purpose is collected.
- Technical security: We implement protective measures such as encryption, pseudonymization and regular security checks to protect data from unauthorized access.
- Transparency and control: Users have the option to independently manage their privacy settings and only release the data they want.
- Privacy-oriented product development: Our systems and processes are developed taking data protection into account and are regularly reviewed.
These measures ensure proactive protection of your data in accordance with the requirements of the Swiss Data Protection Act (DSG) and other applicable data protection laws.
# What rights do you have regarding your data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
You have the right to request information about the processing of your particularly sensitive data (such as genetic or biometric data) at any time. You can also request deletion or restriction of processing, provided that no legal basis requires further processing.
# Register of processing activities
DFX AG maintains a register of all processing activities involving personal data in accordance with the requirements of the Swiss Data Protection Act (DSG). This register serves to:
- Ensure transparency: It contains detailed information about the purposes of processing, the data categories concerned, the recipients of the data and the storage period.
- Fulfill accountability obligations: It enables proof that DFX processes personal data in accordance with legal requirements.
- Promote efficiency and security: It supports us in identifying and managing risks associated with data processing.
The register is regularly updated and documents all relevant processing operations, including processing carried out by third parties on behalf of DFX.
For this and other questions on the subject of data protection, you can contact our Support at any time.
# 3. Profiling and automated decision-making
DFX uses profiling procedures to provide financial services, in particular for:
- Credit checks
- Risk analyses
- Provision of transaction-related service information
DFX does not carry out purely automated decision-making processes that are legally binding or have significant effects on data subjects. Should automated decision-making or profiling procedures be used in the future, DFX will ensure that these procedures comply with the legal requirements of the Swiss Data Protection Act (DSG) and that data subjects are adequately informed about the process.
# Right to object
Data subjects have the right to object to profiling and to request information about the underlying logic and the effects of profiling on them.
# 4. Hosting
# Hosting with All-Inkl
We host our website with All-Inkl. The provider is ALL-INKL.COM - Neue Medien Münnich, owner René Münnich, Hauptstrasse 68, 02742 Friedersdorf (hereinafter: All-Inkl).
All-Inkl has implemented appropriate technical and organizational measures to ensure the protection of personal data. Details on their handling of personal data can be found in the privacy policy of All-Inkl.
# 5. General notes and mandatory information
# Storage period
Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, deletion will take place after these reasons no longer apply.
# Specific retention periods for personal data
DFX stores personal data only as long as it is necessary for the respective processing purposes or as required by legal regulations. After the respective periods have expired, the data will be deleted or anonymized. Below you will find the specific retention periods for the various categories of personal data:
- Contract data: 10 years after termination of the contract.
- Communication data (e.g., emails, contact forms): 2 years after completion of communication.
- Financial and payment data: 10 years after completion of the transaction.
- Usage data (e.g., IP addresses, log data): 6 months.
- Sensitive data (e.g., health or biometric data, if collected): Only as long as necessary to fulfill the stated purpose.
- Application documents: 12 months after completion of the application process.
- Social media data (e.g., for user profiles): The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions - in particular retention periods - remain unaffected.
We have no influence on the storage period of your data that is stored by the operators of social media networks for their own purposes. For details, please contact the operators of the social media networks directly (e.g., in their privacy policies and statements, see below).
# Deletion and anonymization of personal data
After the respective retention periods have expired, the data will either be deleted or anonymized so that no conclusions can be drawn about individual persons. Further storage may be necessary for legally prescribed periods.
# General notes on the legal bases for data processing on this website
The website only stores and processes the minimum data necessary to operate the website. No additional data is stored or collected.
# Note on data transfer abroad
We use the hosting service All-Inkl, a company from Germany. When these tools are accessed, your personal data is transferred to this third country and could be processed there.
# SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
# Rights of data subjects
As a user whose personal data is processed under this privacy policy, you have the following rights:
- Right to information about whether and which personal data is processed by DFX, as well as further information about the processing (e.g., purpose, categories, recipients and storage period).
- Right to correction or rectification of inaccurate or incomplete personal data.
- Right to deletion of personal data, provided that the legal requirements are met.
- Right to restriction of the processing of personal data, provided that the legal requirements are met.
- Right to object to the processing of your personal data.
- Right to data portability: You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.
The above rights may be denied or restricted if the interests, rights and freedoms of third parties prevail or if the processing is necessary for the establishment, exercise or defense of legal claims.
# Objection to advertising emails
We hereby object to the use of contact data published as part of the imprint obligation for sending unsolicited advertising and information material. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.
# 6. Data protection violations
DFX takes data protection violations very seriously and has implemented processes to handle such incidents efficiently and in accordance with legal requirements. A data protection violation occurs when personal data is unintentionally or unlawfully disclosed, altered, deleted or made accessible without authorization.
# Measures in case of data protection violations
In the event of a data protection violation, DFX follows a structured procedure to minimize the impact on data subjects and restore data security as quickly as possible. This includes in particular the following measures:
- Identification and analysis: As soon as a data protection violation becomes known, it is immediately analyzed and assessed by our data protection team.
- Containment and remediation: Appropriate measures are taken to contain the incident and restore data security.
- Documentation: All data protection violations are documented in an internal register. This includes the type of violation, the data categories affected, the number of data subjects affected and the measures taken.
# Notification obligations
In the event of a data protection violation that poses a risk to the rights and freedoms of data subjects, DFX is legally obliged to inform certain parties. These notifications are intended to ensure that both the competent authorities and the data subjects are informed in a timely manner about the violation and the measures taken. The notifications are made in compliance with legal requirements and include the following steps:
- Notification of the supervisory authority within 72 hours of becoming aware of the violation.
- Notification of the data subjects without delay and in clear, understandable language.
# Protective measures
To prevent data protection violations, we use technical and organizational measures, including encryption of sensitive data, regular security checks and training of our employees in the field of data protection.
# Contact in case of data protection violations:
If you notice a possible data protection violation, please contact our Support.
# 7. Data collection on this website
# Cookies
DFX uses cookies exclusively to maintain the operation of IT systems and their functionality. No cookies are used for tracking user behavior or similar purposes.
# Inquiry by email, telephone or fax
If you contact us by email, telephone or fax, your inquiry including all personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.
# 8. Analysis tools and advertising
DFX does not use website analysis tools such as Google Analytics, Adobe Analytics or others.
# 9. Newsletter and social media
# Newsletter data
If you would like to receive the newsletter offered on the website, we require a valid email address from you that is intended for direct access to the website, as well as information that allows us to verify that you are the owner of the email address provided and that you agree to receive the newsletter (so-called confirmation email in the "double opt-in procedure"). No further data is collected. We use this data exclusively for sending the requested information and do not pass it on to third parties.
# Our social media presence
# Data processing by social media networks
We maintain publicly accessible profiles on social media networks. The individual social media networks we use are listed below.
Social media networks such as Facebook, Instagram, etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g., like buttons or advertising banners). Visiting our social media presence triggers numerous data protection-relevant processing operations.
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you within and outside the respective social media presence. If you have an account with the respective social media network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.
Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.
# Social media networks in detail
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. According to Facebook, the data collected is also transferred to the USA and other third countries.
We have concluded an agreement with Facebook on joint processing (Controller Addendum). This agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: Information on Page Insights.
You can customize your advertising settings yourself in your user account. To do this, click on the following link and log in: Personalization of your user account on Facebook.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: Contractual addendum for the transfer of European data and Standard Contractual Clauses.
Details can be found in the Facebook Privacy Policy.
# X
We have a profile on X (formerly: Twitter). The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.
We would like to point out that, as the operator of these pages, we have no influence on the processing of the transmitted data by X and are not informed about its exact content or use.
You can adjust your X privacy settings yourself in your user account. To do this, click on the following link and log in: Personalization of your user account on X.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: Controller-to-Controller Transfers.
Details can be found in the Privacy Policy of X.
We have a profile on Instagram. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
We would like to point out that, as the operator of these pages, we have no influence on the processing of the transmitted data by Instagram and are not informed about its exact content or use.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: Meta contractual addendum for the transfer of European data and Standard Contractual Clauses.
Details on how they handle your personal data can be found in the Instagram Privacy Policy.
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.
We would like to point out that, as the operator of these pages, we have no influence on the processing of the transmitted data by LinkedIn and are not informed about its exact content or use.
If you want to deactivate LinkedIn advertising cookies, please use the following link: Unsubscribe from ads.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: LinkedIn Data Processing Agreement and Standard Contractual Clauses (EU).
Details on how they handle your personal data can be found in the LinkedIn Privacy Policy.
# 10. Data protection for applications and in the application process
The controller collects and processes the personal data of applicants for the purpose of carrying out the application process. This processing may also take place electronically, in particular if applicants also send relevant application documents by email (e.g., in PDF format or other file types).
If you apply for a job advertised by us, these data protection provisions apply in addition to our other data protection provisions, which have been communicated to you separately or are available on our website.
The application is made exclusively via LinkedIn. If you apply for a vacancy via LinkedIn, please note that LinkedIn may store your personal data and may collect further data in relation to the progress of your application. Any use of your data by LinkedIn will be in accordance with LinkedIn's privacy policy. LinkedIn undertakes to maintain the same high standards of data protection and data security as we do.
If the controller concludes an employment contract with an applicant, the data transmitted will be stored at DFX for the purpose of processing the employment relationship in compliance with statutory provisions and ensuring access for unauthorized persons.
If no employment contract is concluded, the application documents will be automatically deleted 12 months after notification of the rejection decision without further notification, provided that no other legitimate interests of the data processing center prevent deletion. Legitimate interests may be, for example, obligations to provide evidence in proceedings under the Equal Treatment Act (GlG).
# 11. Applicable law and jurisdiction
The DFX website with its registered office in Switzerland is governed exclusively by Swiss (data protection) law, unless other mandatory law is applicable to the natural person concerned.
The court at the registered office of DFX (Switzerland) shall have exclusive jurisdiction for any disputes between you as a visitor and user of the DFX website arising from the operation of or visit to the websites, unless another mandatory place of jurisdiction is applicable to the natural person concerned.
# 12. Changes to the privacy policy
DFX regularly reviews this privacy policy to ensure that it is always up to date and reserves the right to amend it as necessary. It is recommended that you check this page regularly for possible changes, as no individual notification of changes will be made.
In the event of discrepancies with the English version, the German version of this privacy policy shall prevail.
# 13. Legal information and disclaimer
DFX accepts no liability for the accuracy and completeness of the content of the information.
Liability claims relating to material or immaterial damage caused by the use or non-use of the information provided or by the use of incorrect or incomplete information are fundamentally excluded.
All offers published by DFX in digital or electronic form are subject to change. DFX expressly reserves the right to change, supplement or delete parts of the pages or the entire offer without prior notice or to cease publication temporarily or permanently.
# 14. Liability for links
References and links to third-party websites are outside the responsibility of DFX. Any responsibility for websites of third parties, i.e., outside the companies belonging to DFX, is rejected. Access to and use of such websites is at the user's own risk.
# 15. Copyrights and intellectual property
The copyright and all other rights to the content, images, photos or other files on the DFX website belong exclusively to DFX and its affiliated companies, their suppliers or the specifically named rights holders.
# 16. Consent to the privacy policy
The customer accepts the content of the privacy policy in its current version in full. In the event of contradictions, the privacy policy takes precedence over the General Terms and Conditions of DFX.