Privacy policy

Valid from 03.01.2023

(1)          The data privacy and security of the activities and services of Cointract AG for the benefit of its customers are core elements in the area of digital assets and blockchain technology. Cointract AG respects the trust that customers wish to rely on during transactions with digital assets on the platforms used. For this reason, data privacy and data security are a high priority for Cointract AG. When they use the infrastructure and services of Cointract AG, the customers entrust Cointract AG with their personal data. Cointract AG would like to impress its customers with its platform. Therefore, Cointract AG also wishes to understand the user behaviour on its platform, in order to be able to continuously improve the latter. In addition to the services, such activities also require the processing of the customers’ personal data.

(2)          With this privacy policy, Cointract AG wishes to provide transparent and detailed information on what personal data are collected from the customers, how Cointract AG processes these data and to whom the data are transmitted. Cointract AG also wishes to provide orientation regarding what precautions are taken to protect the personal data, what rights the customers have in this context and whom the customers can contact with questions relating to data protection law.

(3)          With regard to the terms used in this privacy policy, such as “processing” or “data control”, we refer you to the definitions in the Swiss Federal Act on Data Protection (DSG; SR 225.1) and – if applicable – in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR).

(4)          For the sake of legibility, the generic masculine pronoun is used in this document. Feminine and other gender identities are expressly also intended and are included as a matter of course.

A) About Cointract AG

(5)          Cointract AG (CHE-334.091.887), whose registered place of business according to the commercial register is in Knutwil, (hereinafter “Cointract AG”) provides services and products relating to the purchase and sale of digital assets and associated IT services via the website www.cointract.ch and the mobile applications (hereinafter “Cointract App”) (hereinafter collectively “Platform”).

(6)          Cointract AG has its address at Sonnmatt 7, 6213 Knutwil, Canton of Lucerne, and is the provider of the Platform.

B) Scope - To whom does this privacy policy apply?

(7)          This privacy policy applies to all persons who use Cointract AG’s services, the website and the mobile app or interact with Cointract AG in another way (e.g. business partners, prospective customers, service providers, etc.).

(8) Cointract AG’s products and services are aimed solely at legally competent persons, i.e. persons of sound mind who are over the age of 18. Therefore, we do not, to our knowledge, collect any personal data from minors. Persons under the age of 18 are not supposed to use Cointract AG’s Platform and consequently are not supposed to transmit any personal data to Cointract AG.

C) Data controller 

Who is responsible for the data processing and whom can I contact? 

(9)          Cointract AG is aware that it is very important to protect personal data and to handle them with care. Cointract AG uses the personal data provided by the customers in accordance with the applicable data protection laws, this data privacy policy and the customers’ consent.

(10)        Questions related to the processing of the customers’ personal data and the exercise of the rights under data protection law can be addressed to the Cointract AG data privacy team: privacy@cointract.ch. It should be noted that Cointract AG requires further identification data (e.g. identity card, passport) for certain enquiries, in order to ensure that the personal data are only passed on to the person who is entitled to receive them.

D) Data categories and data sources

Which of my personal data are processed and what are the sources of these data?

 

(11)        Cointract AG processes the personal data that are created in the context of the business relationship and the use of the Platform. Data from credit agencies, debtor registers, providers of business analyses and publicly accessible sources (e.g. commercial registers, sanction lists, etc.) may also be processed.

 

(12)        When customers use the services provided by Cointract AG or interact with Cointract AG and its cooperation partners, in particular Nexo, the following personal data may be processed:

  • Contact details: When customers create a new user account or communicate with Cointract AG, the latter may, for example, process the customer’s name, address, telephone number, email address, date of birth, photo for the account (wallet), etc.
     

  • Verification data: When an account (wallet) is verified, whereby this is also dependent on the degree of verification, Cointract AG may, for example, process photos/screenshots of national identity documents, such as an identity card, passport or driver’s licence, and the identification data from these documents, information for the verification of the customer’s place of residence and citizenship(s), data on the status of politically exposed persons, video data from the video authentication process, biometric data for the verification, etc.
     

  • Financial data: In the context of transactions that have been executed, Cointract AG may, for example, process bank details (IBAN, BIC), payment service provider information, payment data, the transaction ID, etc.
     

  • Log data: In the context of the activities on Cointract AG’s platform, Cointract AG may, for example, process the IP address, transaction data, deposit and withdrawal address, computer or mobile device information, frequency, time, operating system, browser type, device type, unique device ID, identification cookies, optional form data, crash reports, performance data, third-party cookies, etc.
     

  • Mobile app data: If the customers use Cointract AG’s mobile app, Cointract AG may, for example, process the IP address, transaction data, deposit and withdrawal address, mobile device information, frequency, time, operating system, browser type, device type, unique device ID, optional form data, crash reports, performance data, as well as – only with the customer’s consent – data from: the camera, microphone, memory and telephone (reading of the text-message confirmation).
     

  • Information on and evidence of the source of funds: If evidence of the source of funds is necessary, Cointract AG may, for example, process account statements or other supporting documents created by banks or financial institutions, contracts of sale or contracts in general or other data that are suitable for providing evidence of or determining the source of funds if the daily/monthly or general amount limits are exceeded by Cointract AG or another subscription model is used by Cointract AG. To determine the purpose of the use of the aforementioned services or of the trading volume, additional information on current, past or planned business or personal activities of private customers or other data relating to the determination of the intentions of the customers may, where appropriate, be processed at the request of Cointract AG or the customers.
     

  • Support requests: When the customers contact Cointract AG’s support team, Cointract AG may, for example, process the personal data that is made available to the support team in the context of the request.
     

  • Marketing data: If persons visit the website or social media pages of Cointract AG or use the mobile app, Cointract AG may, for example, process statistical and marketing data such as the number of visitors, frequency, clicks, time, locations, target groups, data from cookies and similar technologies (Pixel, ClearGIFs, etc.), consumer behaviour, interests and preferences, data on market research and target group surveys, etc.
     

  • Photo, video and audio data: If Cointract AG takes part in events or trade fairs or organises such events itself or conducts interviews with persons, Cointract AG may produce photographs and other records thereof and process photo, video and audio data at the same time.
     

  • Applicant data: Anyone who applies for a job offered by Cointract AG on the website or via LinkedIn authorises the latter to process data that are required for the hiring process, e.g. contact data, CV, qualifications, job references, information from state registers, credit information, national identity documents, such as an identity card, passport or driver’s licence, and the data from all of these documents, incl. data referenced there.

E) Purpose and legal bases for the processing of data

For which purposes and on what legal basis are my personal data processed by Cointract AG? 

 

(13)        All the data processing at Cointract AG is carried out in accordance with the provisions of data protection law, in particular DSG and GDPR. We always process your personal data on the basis of at least one of the legal bases listed below. If we ask you to provide additional personal data that are not listed above, you will be informed of the purpose and the legal basis for the collection and processing of these data at the time of collection.

E.1       To meet contractual obligations

 

(14)        It may be necessary to process personal data in order to meet contractual or pre-contractual obligations towards you. The following data processing operations are, for example, covered by such a contractual obligation:

  • general provision of our services, and thereby all the tasks that are required for the operation, performance and administration of Cointract AG and the Platform;

  • account management (e.g. continuous updating of the customer data);

  • execution of your orders (e.g. payment processing, chargebacks, proof of purchase and sale);

  • implementation of the “Affiliate Programme” and the “Tell-a-Friend Programme”;

  • customer service and support requests (e.g. making contact because of complications);

  • video authentication process if you register for an account on our website and are verified (verification of identity);

  • analysis and improvement of the quality and general user experience of our website (e.g. by means of performance tracking on our Platform);

  • data security and IT security on our website and the security of our network (e.g. protection against identity theft and against erroneous or suspicious access to our websites);

  • processing of applications and the transfer of data for debit cards;

  • application process for new employees.

E.2       To meet legal obligations

 

(15)        The processing of personal data can also be necessary in order to meet various statutory obligations. The following data processing operations are, for example, covered by such legal obligations:

  • contract management, bookkeeping and invoicing;

  • compliance and risk management;

  • know-your-customer measures such as an online or video authentication process (verification of identity) and verification of the origin of funds;

  • monitoring to prevent fraud, misuse (e.g. for illegal purposes), money laundering and the financing of terrorism;

  • disclosure in accordance with an administrative order in the context of corporate criminal proceedings or general criminal proceedings;

  • consultation of credit institutions to assess credit and default risks, etc.

 

E.3       To protect legitimate interests

 

(16)        If necessary, data can be processed beyond the fulfilment of a contract in order to protect the legitimate interests of Cointract AG or a third party. The following data processing operations are, for example, covered by such a legitimate interest:

  • prevention of fraud, misuse (e.g. for illegal purposes), money laundering and the financing of terrorism;

  • risk management and risk minimisation (e.g. through enquiries to credit agencies, debtor registers or providers of business analyses);

  • identification and verification of potentially erroneous or suspicious transactions and access to our websites;

  • supervision of accounts and the processing of general customer enquiries;

  • measures to protect our customers and partners and to secure the network and the information as well as measures to protect our employees and the properties of Cointract AG, e.g. video surveillance (with an erase cycle) and measures conducted by external data centres and service providers;

  • processing of enquiries from public authorities, lawyers or debt-collection agencies in the context of a prosecution and the enforcement of legal claims in the context of court proceedings;

  • market research and the further development of services and products;

  • processing of statistical data, performance data and general market research data about the website, the mobile app, external online providers or social media platforms;

  • processing of customer settings (e.g. language, region) by means of cookies on our website;

  • direct marketing and advertising (e.g. the implementation of marketing strategies, customer contact, the mailing of vouchers and the promotion of Cointract AG and its cooperation partners);

  • use of audio, video and photo data from the public sphere (e.g. public events, trade fairs, etc.) for marketing and other representational purposes on our social media channels or our website;

  • assessment of the performance of the Affiliate Programme and the Tell-a-Friend Programme;

  • assessment and optimisation of processes and models for needs analysis, business management, product development and direct customer contact;

  • process and quality management measures.

 

E.4       On the basis of consent

 

(17)        If you have given us your consent to the processing of your personal data, the processing will only take place for the purposes defined in the declaration of consent and to the extent agreed therein. Consent that has been granted can be revoked at any time without giving reasons and with effect for the future if you no longer agree to the processing. For example, we process data with your consent for the following purposes:

  • for the use of all the functions of the mobile app (e.g. telephone permission to read text-message confirmations, camera permission to scan bar codes, microphone permission for commands, etc.);

  • direct marketing and advertising (e.g. customer satisfaction surveys, newsletters and marketing communications, etc.);

  • analysis and tracking on our website for advertising purposes;

  • certain uses of audio, video and photo data (e.g. promotional films, interviews, etc.) for marketing and other representational purposes via various channels;

  • automated authentication process (verification of identity);

  • application management system, recruitment process and processing of your application (e.g. voluntary storage of the applicant data for 2 years, data transfer from your social media account when you use the tool “Apply with LinkedIn”).

(18)        Please note that revoking your consent does not affect the lawfulness of the processing before the consent was revoked.

F) Special categories of personal data  

Does Cointract AG process special categories of personal data?

(19)        Cointract AG does not process any special categories of customer personal data. These include data that reveal the customer’s racial and ethnic origin, political opinions, religious or philosophical convictions or membership of a trade union as well as genetic and biometric data.

 

F.1       Recipients of personal data 

 

Who receives my personal data?

(20)        The protection and confidentiality of your personal data are very important to Cointract AG. For this reason, we only transfer your personal data to the extent described below or in the context of an instruction that was issued at the time at which your data was collected. We will neither sell your personal data nor pass it on to third parties in any other way.

 

F.2       Data transfer to service providers

 

(21)        To a limited extent, we also transfer personal data to data processors who provide services for us and for you, e.g. trading, earning and custody services by Nexo, USA, and its group companies, IT services, customer support, improvement of our website, contract fulfilment, account management, bookkeeping, invoicing, examination of erroneous and suspicious transactions, application management and the mailing of newsletters. Data processors may only use or pass on these data in this respect if this is necessary for the provision of services for Cointract AG or to comply with statutory provisions. We subject such data processors to a contractual obligation to guarantee the confidentiality and security of your personal data that they process in our name.

F.3       Data transfer to public bodies and institutions

 

(22)        Your personal data can be transferred to public bodies or institutions (i) if we have an obligation to do this in accordance with the law or in the context of legal proceedings, (ii) if we believe that the transfer is necessary in order to avoid damages or financial losses, (iii) if they are connected to an examination of suspected or actual fraudulent or illegal activities.

 

F.4       Data transfer to third parties

(23)        Joint or shared responsibility: if Cointract AG acts as the data controller in conjunction with other persons, we make personal data available to these third parties where appropriate. In the event of a joint or shared responsibility, we also only transfer your personal data on the basis of an adequate agreement with the other data controllers.

(24)        Other third parties: with your consent, Cointract AG can pass your personal data on to other third parties even before the conclusion of the contract in order to disclose it or for the purpose of the fulfilment of the contract or at the request of the customer.

F.5       International data transfer 

Are my data transferred to a third country or to international organisations?

(25)        It is possible that your personal data may be viewed, transferred to and/or stored by employees or service providers outside the country in which you are currently located and that the data protection laws of such countries may have a lower standard than those in Switzerland and the European Union. Nevertheless, Cointract AG will protect personal data in accordance with this privacy policy in all circumstances.

(26)        If personal data are processed in a third country (outside Switzerland) or if this happens in connection with the use of third-party services or the disclosure and/or transfer of personal data to third parties, this is only done to the extent that it is necessary to meet our (pre-)contractual obligations or on the basis of a declaration of consent or a legal obligation, or to protect legitimate interests. Subject to statutory or contractual approvals, we only process personal data in a third country if the statutory conditions are met. This means, for example, that the processing and the transmission take place on the basis of special safeguards, e.g. in compliance with a code of conduct or a certification mechanism in conjunction with the binding obligation of the recipient in the third country to comply with the corresponding data privacy safeguards and to meet officially recognised special contractual obligations (“standard contractual clauses”).

(27)        If you require further information with regard to the international data transfer or if you desire a copy of the specific security measures for the export of your personal data, you are welcome to contact privacy@cointract.ch.

F.6       Social media platforms

Are my data processed on social media platforms and who is responsible in such cases?

(28)      General: Cointract AG has a presence on various social media platforms in order to communicate with active customers, potential customers and interested social media users about the products, services and other news of Cointract AG. When you use such social media platforms, the general terms and conditions and the data privacy policies of the platform operators also apply. We would like to advise you that user data may also be processed outside Switzerland in the process. Due to different legal frameworks, this entails certain risks for the users of these platforms (e.g. the enforcement of the rights of the data subjects may be made more difficult).

(29)        As part of the technical process of various social media platforms (e.g. Google, Facebook, Twitter, etc.), these platforms can record your behaviour in the background, for example if you click on contents or visit web pages and are still logged in to your social media account at the same time. Such information is collected by social media platforms and assigned to your social media accounts, irrespective of whether you click on contents of these platforms or not. By logging out of your account, you can prevent these companies from linking the collected information to your accounts. The activities of such social media platforms cannot be controlled by Cointract AG and we can therefore accept no liability for damages that you incur as a result of the use of your data by social media platforms.

(30)        Data controller: Cointract AG can only process personal data of social media users if users communicate directly with Cointract AG via such platforms (e.g. number of visitors, posted articles, likes, direct messages, customer enquiries, comments, etc.). In such cases, Cointract AG is also responsible for the processing of the personal data collected in the process. In addition to such data processing by us, the operators of social media platforms in particular also process the users’ personal data. We have no influence on this data processing and are therefore not responsible for it – such data processing is exclusively the responsibility of the social media platforms.

(31)        For a detailed explanation of the data processing and the opt-out options provided by social media platforms, we refer you to the operators’ privacy policies. Requests for information and other rights of data subjects in connection with social media platforms must be asserted to the respective operator. Only the operators have access to the personal data of their users and can thus take the necessary measures and provide information.

(32)        Our social media pages and channels and the links to the respective privacy policies:

Meta (Facebook, Instagram) - https://www.facebook.com/privacy/policy/

LinkedIn - https://de.linkedin.com/legal/privacy-policy

TikTok - https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE

Google (YouTube) - https://policies.google.com/privacy?hl=de

Facebook Insights: Cointract AG operates a Facebook business page (“page”) and uses the associated analysis tool “Facebook Insights”. This tool gives Cointract AG anonymous statistical analyses of its own business page (e.g. number of visitors, frequency, target groups etc.). In this context, Cointract AG and Meta Platforms Inc. (“Meta”) are jointly responsible for processing the data. There is a corresponding agreement between Cointract AG and Meta, which can be accessed via this link. However, Cointract AG does not store these data. The data are exclusively stored by Meta and processed via Insights. Meta acts as the central point of contact for all questions and concerns relating to Meta Insights and can be contacted via this link.

 

Application via the LinkedIn button: If you take advantage of the option of applying for a job with the social media sign-in button “Apply with LinkedIn” provided by the social network LinkedIn (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA), you are allowing Cointract AG limited access to your LinkedIn profile. After you click on the button “Apply with LinkedIn”, you will be redirected to LinkedIn to enter your LinkedIn access data. Then you can select the data that you want to share with Cointract AG. Only the data that you have selected are transferred to Cointract AG. Cointract AG does not receive any information about your log-in or access data at LinkedIn. You can also find further information in the LinkedIn privacy policy.

 

YouTube: Cointract AG operates a YouTube account and uses the associated analysis tool. This tool gives Cointract AG anonymous statistical analyses of its own business page (e.g. number of visitors, frequency, target groups etc.). In this context, Cointract AG and Google LLC (“Google”) are jointly responsible for processing the data. There is a corresponding agreement between Cointract AG and Google, which can be accessed via this link. However, Cointract AG does not store these data. The data are exclusively stored by Google and processed via Analytics. Google acts as the central point of contact for all questions and concerns relating to Google Analytics and can be contacted via this link. YouTube videos from the Cointract account are embedded on the Cointract website and in the app.

 

Instagram: Cointract AG operates an Instagram business page and uses the associated analysis tool “Insights”. This tool gives Cointract AG anonymous statistical analyses of its own business page (e.g. number of visitors, frequency, target groups, etc.). In this context, Cointract AG and Meta Platforms Inc. (“Meta”) are jointly responsible for processing the data. There is a corresponding agreement between Cointract AG and Meta, which can be accessed via this link. However, Cointract AG does not store these data. The data are exclusively stored by Meta and processed via Insights. Meta acts as the central point of contact for all questions and concerns relating to Meta Insights and can be contacted via this link.

 

TikTok: Cointract AG operates a TikTok business account and uses the associated analysis tool “TikTok Analytics”. This tool gives Cointract AG anonymous statistical analyses of its own business page (e.g. number of visitors, frequency, target groups, etc.). In this context, Cointract AG and TikTok Pte. Ltd. (“TikTok”) are jointly responsible for processing the data. There is a corresponding agreement between Cointract AG and TikTok, which can be accessed via this link. However, Cointract AG does not store these data. The data are exclusively stored by TikTok and processed via TikTok Analytics. TikTok acts as the central point of contact for all questions and concerns relating to TikTok Analytics and can be contacted via this link.

 

F.7       Newsletter

On what legal basis are electronic messages sent to me and how can I unsubscribe?

(33)        In our email newsletter, we inform you about Cointract AG’s products and services, as well as providing market news and educational content. If you would like to receive our newsletter, you must subscribe with your email address. We only send newsletters and other electronic communications with your express consent, which you provide when you subscribe directly to the newsletter (double opt-in) or when you register for a Cointract AG account, or alternatively if there is another legal basis for this. With the double opt-in, we check whether you are also the owner of the provided email address or whether the owner of this email address agrees to receive electronic communications. This procedure serves as proof for cases in which a third party misuses an email address by registering to receive the newsletter without the knowledge of the actual beneficiary.

 

(34)        You can unsubscribe from our newsletter at any time, e.g. by revoking your consent. You can unsubscribe when you are logged in to your account, and there is also a link to unsubscribe at the end of each newsletter. However, please note that we continue to process your personal data in the event of a simple cancellation of your subscription until you revoke your consent to the storage of the data, so that we can provide evidence of the previously granted consent to receive newsletters. Such processing is limited to the purpose of a possible defence against claims, and you have the right to demand that your personal data be erased.

G) Retention and erasure periods

For how long are my personal data processed (stored) and when will they be erased?

(35)        We store your personal data, where necessary, for the duration of the entire business relationship (from the initiation to the fulfilment to the termination of a contract) and in principle for one year after the end of the business relationship. Furthermore, we only store your data for a longer period, within the framework of the statutory retention and documentation obligations, for defence against legal claims or with your express consent.

(36)        The retention periods for data arise from the statutory retention periods or limitation periods. In accordance with the Swiss Code of Obligations (OR) and the Swiss Accounting Ordinance (GeBüV), these are ten years and even longer in some cases, e.g. in the area of the Swiss VAT Act or if data are required as evidence for legal disputes, or as long as other legitimate interests in the storage of the data exist.

(37)        Unless expressly indicated otherwise in this privacy policy, the personal data processed by us are erased as soon as they are no longer required for the purpose of their processing and the deletion is not contrary to any statutory retention periods.

H) Rights of data subjects

What rights and options under data protection law do I have regarding my data?

 

H.1      Right of access


(38)        You have the option of demanding a confirmation of whether we are processing personal data pertaining to you. If we are processing personal data pertaining to you, you have the right to receive, within a reasonable period, information from us about the personal data stored about you and the right to a copy of the processed data. Please use this [link] to make such a request for information when you are logged in to your account.

 

H.2      Right to rectification

 

(39)        You have the right to demand the rectification of incorrect personal data pertaining to you. With respect to the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 

H.3      Right to erasure

 

(40)        You have the right to demand that Cointract AG erase personal data pertaining to you where one of the following grounds applies and no further processing of these data is necessary:

  • the personal data are no longer necessary for the purposes for which they were collected;

  • you have withdrawn the consent on which the processing is based and there is no other legal basis for the processing or overriding legitimate interest in the processing;

  • the personal data has been unlawfully processed; or 

  • the erasure of the personal data is necessary in order to meet a legal obligation to which the data controller is subject.

The corresponding ground for the erasure must be cited in the applications for the erasure of personal data.

 

H.4      Right to restriction of processing

 

(41)        You have the right to demand that we restrict processing where one of the following conditions is met:

  • you contest the accuracy of the personal data (the restriction takes place for a period that allows Cointract AG to check the accuracy of the data);

  • the processing of your data was unlawful and you oppose the erasure of the data and request the restriction of their processing instead;

  • Cointract AG no longer needs the personal data for the purposes of the processing, but you still require them for the establishment, exercise or defence of legal claims; or

  • you have objected to the processing of your personal data and it has not yet been established whether Cointract AG’s legitimate grounds override yours.

 

H.5      Right to data portability


(42)        You have the right to receive the personal data concerning you, which you have made available to us, in a structured, commonly used and machine-readable format. You can also demand that we pass these data on directly to the data controller named by you, insofar as this is technically possible and does not impair the rights and freedoms of third parties. The right to data portability can only be exercised if the basis of the processing is either your consent or a (pre-)contractual necessity and the processing is automated. The right to data portability does not apply to processing that is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller.

 

H.6      Right to object

 

(43)        You have the right to object to the processing of your personal data at any time if this is done on the basis of our legitimate interests. If you have objected to the processing, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims. The objection has no effect on the lawfulness of the processing of your personal data on the basis of legitimate interests that took place before your objection.

 

H.7      Contact


(44)        To exercise one of the aforementioned rights, you can send an email to privacy@cointract.ch or a letter to Cointract AG, Sonnmatt 7, 6213 Knutwil (LU). Please note that we need further identification data from you (e.g. identity card, passport, etc.) for such requests, in order to ensure that your personal data is only passed on to you.

 

H.8      Objection to advertising

How can I object to the processing of my personal data for advertising purposes?

(45)        You can also object to any use of your personal data for advertising purposes. If you would like to categorically object to the processing of your data for advertising purposes, contact us by sending an email to privacy@cointract.ch. The objection has no effect on the lawfulness of the processing of your personal data on the basis of legitimate interests that took place before your objection.

 

(46)        You also have the option of generally objecting to the tracking and setting of cookies for advertising purposes with our cookie banner. 

 

(47)        However, please note that such an objection is only effective with respect to Cointract AG and you may continue to receive advertising about Cointract AG from other providers on other websites over which we have no influence, even after such an objection.

I) Automated decisions

Does Cointract AG use my personal data for automated decision-making including profiling?

(48)        Cointract AG does not use personal data for automated decision-making processes including profiling (e.g. decisions that have a legal effect vis-à-vis data subjects or significantly damage them in another way and that are based exclusively on the automated processing of personal data, including the creation of profiles).

J) Processing for other purposes

Are my personal data processed for other purposes than those for which they were collected?

(49)        We process personal data only for the purposes for which it was collected. In exceptional cases, however, we can process your personal data for a purpose other than the specific purpose for which it was collected. In such a case, we will inform you, before the intended processing, of the new purpose, the duration of the storage, the exercise of the rights of data subjects, the possibility of revoking your consent, the existence of the right to submit a complaint to the data protection authority, whether the provision of the data is necessary on legal or contractual grounds, what the consequences would be if the data were not provided, and whether automated decision-making or profiling is used at the same time.

K) Supervisory authority

To which supervisory authority can I submit a complaint?

(50)        You have the right to submit a complaint to the competent supervisory authority if you think that your rights under data protection law have been infringed. In Switzerland, this is the Federal Data Protection and Information Commissioner (EDÖB) (cf. https://www.edoeb.admin.ch/edoeb/de/home.html).

L) Declaration of consent

How do I give my consent and how can I revoke my consent?

(51)        By ticking the appropriate box during the registration process or, in the event of an update, after logging into your Cointract AG account, you expressly confirm that you have read the privacy policy and that you agree to the processing of your personal data as described there.

(52)        By ticking the respective separate box for news and updates by email (newsletter), you expressly declare that you would like to receive electronic messages as described in this privacy policy.

(53)        You have the right to revoke your consent at any time by writing to Cointract AG, Sonnmatt 7, 6213 Knutwil (LU), or by sending an e-mail to privacy@cointract.ch. Please note that if you revoke your consent, we can no longer offer you all our products and services. Revoking your consent has no effect on the lawfulness of the processing of your personal data on the basis of your consent that took place before your objection. 

M) Data security

How are my personal data protected?

(54)        The security of data is of fundamental importance to us and we undertake to protect the data that we have collected. We have comprehensive administrative, technical and physical measures in place to protect your personal data from unintended, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. These measures comply with international security standards and are regularly checked for their efficacy and suitability for achieving the desired security goals.

(55)        We have implemented the following technical and organisational measures, for example:

  • SSL encryption of our websites, from which we send personal data;

  • two-factor authentication (2FA) for our Platform; 

  • guarantee of the confidentiality, integrity, availability and resilience of our systems and services;

  • use of encrypted systems;

  • pseudonymisation and anonymisation of personal data;

  • entry, access and transfer control for our offices and systems;

  • measures to quickly restore the availability of personal data in the event of a physical or technical incident;

  • measures in the area of privacy by design and default on our Platform, e.g. prevention of the enumeration of users;

  • introduction of procedures for the regular reviewing, evaluation and analysis of the efficacy of the technical and organisational measures aimed at guaranteeing the security of the data processing, e.g. the bug bounty program;

  • internal IT security policies and IT security training courses; 

  • incident response management.

(56)        Please ensure that you use two-factor authentication (2FA) for your Cointract AG account and always treat your access data as confidential, and that you protect your computer from unauthorised access.

N) Updates to this privacy policy

How do I find out about changes to this privacy policy?

(57)        We undertake to keep the principles of data privacy up-to-date. For this reason, we regularly review and update our privacy policy. This ensures that it is presented correctly and clearly on our website, contains appropriate information about your rights and our processing activities (including with respect to technical changes or business performance), is implemented in accordance with the applicable law and thus meets the requirements of data privacy. We update this privacy policy from time to time as required, in order to adapt it to the current circumstances. If we make key changes to this privacy policy, we will inform you after you log in to your Cointract AG account and provide you with the updated version of the privacy policy at the same time. If it is required by the applicable law, Cointract AG will obtain your consent to significant changes.

 

How can you contact us?

(58)        If you have further questions about this privacy policy or the processing of your personal data, please contact our data privacy team: privacy@cointract.ch.

In case of discrepancy the German version of the privacy policy applies.
