Privacy Policy Everon AG (Data Protection Declaration)

Based on Article 13 of the Swiss Federal Constitution and the federal data protection regulations (e.g. Federal Data Protection Act), every person is entitled to protection of their privacy as well as protection against misuse of their personal data. Everon AG takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this privacy policy. In cooperation with our hosting providers, we strive to protect your personal data as best as possible.

We would like to point out that data transmission on the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible. By using this website and the Everon services, you consent to the collection, processing and use of data as described below. This website can generally be visited without registration. Data such as pages accessed or names of files accessed, date and time are stored on the server for statistical purposes without this data being directly related to your person. Further information can be found below in this privacy policy.

I. Scope, Data Protection Officer, Data Protection Consultant

1. Material scope of application of this privacy policy

This Privacy Policy applies to the processing of your personal data in connection with the use of the Everon App, the Everon Services and the use of the website www.everon.swiss.

2. Personal scope of this privacy policy

This privacy policy applies to clients of Everon AG as well as to clients or other users of the Mobile Everon App, the Everon Services, our (contractual) partners as well as to every visitor of the website www.everon.swiss.

3. Applicable law

Swiss data protection law applies, i.e. the Federal Data Protection Act “FADP” and the associated Ordinance to the Federal Data Protection Act (“FADP“). In addition, if the data processing is in connection with services offered to EU residents, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), (“GDPR“) is applicable.

4. Data protection officer

The controller within the meaning of the GDPR and the company that processes your personal data and decides on the purposes and means of processing:

Everon AG
Gartenstrasse 17
8002 Zurich

5. Data protection coordinator

The Data Protection Coordinator of the Controller (Everon) can be reached via the following contact details:

Everon AG
Gartenstrasse 17
8002 Zurich
Email: info@everon.swiss
Phone number: +41 44 545 08 10

6. Definitions

“Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.

“Processing” / “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject“: natural or legal person about whom personal data are processed/processed.

“Third Party Provider” means, in particular, Hypothekarbank Lenzburg, Bahnhofstrasse 2, 5600 Lenzburg (“Hypothekarbank Lenzburg AG“), and Liberty Vorsorge AG, Milchstrasse 14, P.O. Box 733, 6431 Schwyz (“Liberty Vorsorge AG“), including their affiliates.

“GDPR”: GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation).

“DPA“: means the Swiss Federal Data Protection Act, as amended from time to time.

“Everon App” means Everon’s mobile application in which a Customer Account can be opened and through which Everon Services can be obtained/accessed.

“Everon Services” means the services in the Everon app. These include asset management, private markets, pillar 3a, vested benefits and the private account with card offered as a co-branding partner with Hypothekarbank Lenzburg AG. The private account with card can only be used in combination with another service.

“Client“: means natural persons who have entered into an asset management agreement with Everon.

“Personal data“: means any information relating to an identified or identifiable natural person (hereinafter data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“You” / “You“: means you, as a client of Everon, a user of Everon’s services and/or services of any kind and/or a visitor to the Website, as a natural person making use of the services and services as described herein.

“Controller“: means Everon AG, as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.

“DPO“: means the Ordinance to the Federal Data Protection Act as amended from time to time.

“website“: Means https://everon.swiss/

“We” / “us” / “Everon AG“: means Everon AG, as the responsible party.

II. Personal data in connection with the Everon App and the Everon Services

A. Opening a customer account with Everon AG

1. Survey when opening a customer account

When opening a customer account, the following personal data will be collected from you:

• Gender
• Title, salutation, first and last name
• E-mail address
• Date of birth
• Marital status
• Address, postal code, city, country
• Place of origin
• Nationality
• Tax domicile information
• Status US person / US reference (US tax liability)
• Mobile number

All such personal data will be forwarded for the purpose of opening an account and/or securities account to Hypothekarbank Lenzburg AG, Bahnhofstrasse 2, 5600 Lenzburg (“Hypothekarbank Lenzburg AG“), which will process the personal data and open a Session ID. Hypothekarbank Lenzburg AG uses the personal data in particular for identification purposes and may collect further personal data from you in this context (e.g. photo of you, copy of your identification document, video), see also section 4 below. This personal data will be forwarded to Everon AG for compliance with legal and regulatory requirements in connection with the Everon Services and stored by Everon AG.

Everon AG processes your personal data to provide you with the Everon Services and the Everon App, to fulfill, perform, manage and implement the Everon Services and the Everon App, and to enable you to use the Everon Services and the Everon App based on a contractual basis with you, as well as based on legal or regulatory requirements, your consent and/or legitimate interest, as further set forth in this Privacy Policy. The personal data (address, zip code, city, country) is compared with the information provided by Swiss Post and processed and used for confirmation in the course of two-factor authentication by Hypothekarbank Lenzburg AG and, if necessary, with the help of other systems or applications. The personal data (surname, first name, address, zip code, city, country) will also be used by Hypothekarbank Lenzburg AG to send you a confirmation letter by post for authentication/identification.

2. Login

When opening your customer account for the first time, you will be asked once to determine a password. For this purpose, you will receive an SMS on the cell phone number you provided. You will then be asked to choose a password.

To log in to your customer account, you will need your username (cell phone number) and password.

3. Collection and processing of personal data for the purpose of Everon Services

Should you decide to make use of a service offered by Everon AG (Everon Services) in the Everon App, further personal data will be collected from you, in particular:

• Information on your willingness to take risks, your knowledge of finance/the stock market, your income and asset situation, and any activities and experience you may have had
• PEP status
• Use of assets
• Activity / High Risk Industry
• Composition and origin of income and assets (expenses, total assets, annual income).
• Other issues related to onboarding, KYC, due diligence, strategy and (investor/risk) profile, as well as the individual’s income, assets and status
• Information on the Beneficial Owner
• Tax domicile
• Status regarding US reference
• Swiss Social Security no. (AHV)
• Pension fund details

This information is required by Everon AG to comply with legal and regulatory requirements, to perform onboarding and to propose a suitable investment strategy to you.

4. Disclosure of your data for the purpose of identification

Depending on the service you have selected, your data pursuant to Sections II.1. and II.3. will be transmitted to Hypothekarbank Lenzburg AG or Liberty Vorsorge AG.

In the course of the identification process, you will be identified by Hypothekarbank Lenzburg AG by means of a digital procedure using your identity card or passport (a copy will be made) and a picture (photo(s) of your face). The following personal data is thus collected from you:

• Copy of your identification document (passport, ID)
• Details of your identification document (type, number, date of issue, photo)
• Photo and video recording (s) of you (“selfie”)

Hypothekarbank Lenzburg AG, for its part, sends Everon AG all personal data, in particular a copy of your identification document. This personal data will be stored. The legal basis for the processing of your personal data is the fulfillment of the contract between you and Everon AG as well as due to legal and regulatory requirements.

5. Contract signing

Your contracts with Everon AG are signed either in writing or by means of a TAN procedure or a method similar to the TAN procedure (e.g. by means of an advanced electronic signature).

The contracts you enter into with Hypothekarbank Lenzburg AG or Liberty Vorsorge AG are signed using other procedures. For this purpose, personal data may be passed on to partner companies of these third-party providers. For more detailed information, please refer to the data protection declarations of the corresponding companies:

• Hypothekarbank Lenzburg AG, available at https://www.hbl.ch/de/ueber-uns/rechtliches/rechtliches/ (no english version available at this time)
• Liberty Vorsorge AG, available at https://www.liberty.ch/en/legal-notice/
  You will receive the contracts in your in-app messaging inbox after signing.

B. Everon App Services and Everon Services.

1. Processing of your data in connection with the services

Depending on the service, your personal data will be processed accordingly.

a) Asset management:
With the Everon app, you can open a securities custody account and an associated settlement account at Hypothekarbank Lenzburg AG.

This personal data is transmitted to Hypothekarbank Lenzburg AG, including all personal data required by Hypothekarbank Lenzburg AG in its role as custodian bank and for the performance of its activities. Everon AG stores all personal data and information that Hypothekarbank Lenzburg AG transmits to Everon AG (e.g. IBAN number of your asset management account, mandate number/customer number, account information, date of deposits or withdrawals, number of securities, etc.), to the extent necessary for the performance of the contract with you, the provision of Everon Services, the Everon App and/or required by law/regulation.

b) Private Markets:
With the Everon app, you can open a securities custody account and an associated settlement account for Private Markets instruments at Hypothekarbank Lenzburg AG.

Hypothekarbank Lenzburg AG is provided with all personal data that it requires in its role as custodian bank and to carry out its activities. Everon AG stores all relevant information that Hypothekarbank Lenzburg AG transmits to Everon AG (e.g. IBAN number of your asset management account, mandate number/customer number, account information, date of deposits or withdrawals, number of securities, etc.), to the extent necessary for the performance of the contract with you, the provision of Everon Services, the Everon App and/or required as a result of legal/regulatory basis.

The partner companies for Private Markets are only provided with the total volume of all clients investing in a specific product. Personal data is not disclosed to these partner companies. Everon AG also does not receive any personal data from these partner companies.

c) Tied pension plan (pillar 3a) and vested benefits:
You can use the Everon App to open a retirement savings deposit or account, as well as a vested benefits deposit or account with Liberty Vorsorge AG. In the process, all relevant information and personal data collected during the opening of a client account (section II.A.1) and the onboarding process (section II.A.3) will be processed and disclosed to the third-party provider Liberty Vorsorge AG.

d) Bank account:

In combination with another service, you can open a private account including a prepaid card with Hypothekarbank Lenzburg AG. Your personal data pursuant to Section II. A. will be disclosed to Hypothekarbank Lenzburg AG in the process. For the private account with card offered as a co-branding partner with Hypothekarbank Lenzburg AG, it may be necessary to disclose personal data to partner companies from the third-party provider in order to fulfill the service.

2. Use of the Everon App In-App Messaging

With the Everon App it is possible to contact Everon AG via in-app messaging. The in-app messaging enables direct communication (chat function).

Data that you enter, attach or otherwise transmit to Everon AG in text form, document attachment or otherwise in the context of the use of In-App Messaging will be stored and processed by Everon AG for the purpose of fulfilling the Everon Services. Personal data will not be transmitted to other third party companies for this purpose. The chat function of the In-App Messaging is HTTPS encrypted.

3. Transactions

You can use the Everon app to place transactions (e.g. transfers). In the process, personal data in connection with the transaction (e.g. name, account number/IBAN/BIC, etc.) is passed on to Hypothekarbank Lenzburg AG (and any other partner companies or third parties). For the confirmation of transactions, additional personal data may be collected by third-party providers or partner companies (e.g. via the “Finsign” app) and processed.

In the Everon App, the transactions can be viewed or are displayed to you. Everon AG processes your transaction data only for the purpose of displaying the transactions to you in the Everon App.

C. General information on the use of the Everon App and the Everon Services

1. Purpose of processing and legal basis

Personal data may be processed if the data subject gives consent (Art. 6 para. 1 lit. a GDPR and Art. 13 para. 1 DPA), the processing is necessary for the performance of a contract with you or for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b GDPR and Art. 13 para. 2 lit. a DPA), the processing is justified or required by an overriding private or public interest (Art. 6 para. 1 lit. f GDPR as well as 13 para. 1 DPA) or by law or to fulfill a legal obligation (Art. 6 para. 1 lit. c GDPR as well as 13 para. 1 DPA). An overriding interest is considered in particular if personal data is processed in direct connection with the conclusion or performance of a contract (Art. 6 para. 1 lit. b GDPR as well as 13 para. 2 lit. a DPA).

Everon AG processes your personal data in order to fulfill a contract, including the performance of pre-contractual measures with you, in particular in order to conclude a contract with you and to provide its services to you in the best possible way, to be able to offer you the Everon App as well as the Everon Services, and in order to comply with supervisory, statutory or regulatory obligations (e.g. obligations under the Federal Act on Combating Money Laundering and Terrorist Financing of October 10, 1997).

2. Receipt of personal data from third parties

The third-party providers Hypothekarbank Lenzburg AG and Liberty Vorsorge AG provide Everon AG with all personal data and documents that Everon AG needs to provide its services (Everon App, Everon Services) (IBAN, account number, asset balance, account statements, transactions, customer number, etc.).

The Client is aware and expressly agrees that Everon AG, in order to fulfill the Contract, the Services, the Everon App and/or in connection with the Everon Services, may receive and process personal data of the Client as well as data from third party providers (such as from Hypothekarbank Lenzburg AG, Liberty Vorsorge AG) which are subject to bank client confidentiality pursuant to Art. 47 of the Swiss Federal Law on Banks and Savings Banks, the duty of confidentiality pursuant to Art. 86 of the Swiss Federal Law on Occupational Retirement, Survivors’ and Disability Pension Plans (“BVG”) and, if applicable, other confidentiality provisions.

3. Storage of your personal data

Your personal data according to section II. A. and II.B. are stored by Everon AG on servers in Switzerland, which are operated by external service providers. However, Everon AG as the responsible party is still responsible for the personal data and has taken appropriate security measures. The storage of the data complies with the requirements of Circular 2018/3 of the Swiss Financial Market Supervisory Authority.

Everon AG stores a copy of the Personal Data as well as data related to the Everon Services (e.g. KYC data, onboarding data; position data; risk evaluation, report data, transaction data, etc.) in a Portfolio Management System in Switzerland. The portfolio management system is operated by an external service provider. Everon AG has taken appropriate measures to ensure data security.

4. Duration of storage and deletion of personal data

Your personal data will be stored as long as necessary to fulfill the purposes as stated above. Personal data may also be stored if this is required by legal, regulatory and supervisory provisions or obligations to which Everon AG is subject.

Your personal data will be deleted or blocked as soon as the purpose of processing/storage no longer applies. In this regard, reference is made in particular to the ten-year retention period required by law, to which Everon AG is subject. Furthermore, your personal data will be retained if Everon AG has a legitimate interest in this regard, for example to enforce its rights.

If you have merely opened a customer account in accordance with Section II.A.1. in the Everon App without having concluded a contract with Everon AG, your personal data will be deleted in accordance with Section II. A1. upon closure of the customer account.

5. US-CLOUD Act and disclosure of personal data

Based on the Clarifying Lawful Overseas Use of Data Act of the United States (“US-CLOUD Act“), Everon AG as well as its third party providers or affiliates may be required to disclose personal data to US authorities or US authorities may gain access to your personal data.

In order to fulfill the contractual obligation, fulfillment of the Everon Services and the Everon App, Everon AG may outsource individual services and services to third parties in Switzerland and abroad and make personal data accessible to third parties in Switzerland and abroad or otherwise disclose it. In this regard, please refer to the following information on the processing of personal data in Section III.

III. Personal data in connection with using the website (www.everon.swiss)

A. General information on data processing when using the website

1. Scope

As a matter of principle, we only process your personal data insofar as this is necessary to provide a functional website with our content and services. The processing of your personal data is regularly only carried out after obtaining your prior consent and/or in the context of the fulfillment of a contract with you. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations

2. Legal basis

Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 para. 1 lit. a GDPR or Art. 13 para. 1 DPA serves as the legal basis.

When processing personal data that is necessary for the fulfillment of a contract with the data subject, Art. 6 para. 1 lit. b GDPR or Art. 13 para. 2 lit. a DPA serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Art. 6 Para. 1 lit. c GDPR or Art. 13 Para. 1 DPA serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR or Art. 13 (1) DPA serves as the legal basis for the processing.

3. Storage and deletion of personal data (website)

Your personal data in connection with your visit to the website will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for in regulations, laws or other provisions to which the controller is subject, is necessary to protect our legitimate interests or to fulfill a contract including pre-contractual measures.

B. Website and log files

1. Description and scope of data processing

Each time you visit our website, our system automatically collects data and information from the computer system of the calling computer. The log files do not contain IP addresses or other data that allow an assignment to a user.

The data is also stored in the log files of our system. Not affected by this are the IP addresses of the user or other data that allow the data to be assigned to a user. A storage of this data together with other personal data of the user does not take place.

2. Legal basis for data processing

The legal basis for the temporary storage of the data is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the IP address must remain stored for the duration of the session.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

5. Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Consequently, there is no possibility to object.

C. Privacy policy for cookies

This website uses cookies. Cookies are small text files that make it possible to store specific information related to you on your terminal device while you are using the website. Cookies make it possible, in particular, to determine the frequency of use and number of users of the pages, to analyze behavior patterns of page use, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when you visit the site again. If you do not wish this to happen, you should set your Internet browser so that it refuses to accept cookies. The storage of cookies can be achieved by means of their deactivation in the browser settings. Please note that you may then not be able to use all functions and services of Everon AG.

D. Personal data to third parties / disclosure of personal data abroad

1. Data transmission security (without SSL)

Please note that personal data as well as confidential information transmitted via an open network such as the Internet or an e-mail service without SSL encryption can be viewed by anyone. You can recognize an unencrypted connection by the fact that the address line of the browser shows “http://” and no lock symbol is displayed in your browser line. Information transmitted over the Internet and content received online may be transmitted over third-party networks. We cannot guarantee the security, privacy and/or confidentiality of any communications or materials transmitted over such open or third-party networks. If you disclose personal data or confidential information via an open network or third-party networks, you should be aware of the fact that your data may be lost or third parties may potentially access and collect, use or misuse such data or information for purposes of any kind without your consent. It cannot be ruled out that, even if the sender and the recipient reside in the same country, the transfer of data (of personal data and/or further (confidential) information) via such networks may frequently and without controls also take place via third countries, i.e. also via countries that do not offer the same level of data protection as Switzerland. We assume no responsibility for the security of your data during transmission via the Internet and disclaim any liability for direct or indirect losses. We ask you to use other means of communication should you consider this necessary or reasonable for security reasons. Despite extensive technical and organizational security precautions, it is possible that personal data or confidential information may be lost or intercepted and/or manipulated by unauthorized persons. As far as possible, we take appropriate technical and organizational security measures to prevent this within our system. However, your computer is outside the security perimeter under our control. It is your responsibility (as the user) to inform yourself about the necessary security precautions and to take appropriate measures in this regard. As the website operator, we are in no way liable for any damages that you may incur as a result of data loss or manipulation.

2. Use of Google Maps

This website may use Google Maps for embedding maps. This service of the American Google LLC , 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (“Google“) uses, among other things, cookies and as a result, data is transferred to Google in the USA, whereby we assume that in this context no personal tracking takes place solely through the use of our website.

Google Maps: The location information is usually transmitted to a Google server in the USA and stored there. We have no influence on this data transmission. Google Maps is used in the interest of making it easy to find the places we indicate on the website. We have a legitimate interest in this.

Further information can be found in Google’s privacy policy. https://policies.google.com/privacy?hl=en

3. Use of the Google Analytics web analytics service

On our website, we use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“), to continuously improve our website.

Google Analytics uses cookies, i.e. small files that are stored in the Internet browser you are using and enable the analysis of the use of the website. The information generated by the cookies about your use of this website is usually sent to a Google server in Europe (or in a member state of the Agreement on the European Economic Area) to anonymize the IP address, so that a personal reference is excluded. Only after the IP address has been anonymized is the shortened IP address transmitted to a Google server in the USA and stored there. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

On our website, Google Analytics is used with an extension for the anonymized collection of IP addresses (so-called IP masking). On our behalf, Google will use the collected information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity to us. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

You can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available here. An opt-out cookie will be set, which prevents the future collection of your data when visiting this website. You can find more information about data protection at Google Analytics here.

We would like to point out that not all functions of the website may be available when using the opt-out cookie. By using our website, you consent to the processing of data collected by Google in the manner and for the purposes set out above.

4. Social media plugins

So-called social media plugins (“plugins“), in particular the “Like ” button of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA and the LinkedIn button of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA, as well as functions of the Instagram service (a Facebook product) may be integrated on certain web pages of our website (“social media platforms“).

Plugins from other social media platforms may be used on our website.

When you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the servers of the respective social media platform. The content of the plugin is transmitted directly to your browser and integrated into the page. Through this integration, the social media platform operator receives the information that your browser has accessed the corresponding page of our website, even if you do not have a profile on the respective social media platform or are not currently logged in. This information (including your IP address) is transmitted by your browser directly to a server of the platform operator, which may be located in the USA, and stored there.

If you are logged in to the respective social media platform, the visit to our website can be directly assigned to your profile on the social media platform. If you interact with the plugins, for example by clicking the “Like” button or posting a comment, this information is also transmitted directly to a server of the platform operator and stored there. If you want to prevent this, please log out of your social media accounts before visiting our website.

We have no influence on the data that Facebook, LinkedIn, Instagram and any other social media platform operators collect on the basis of their plugins. The purpose and scope of the data collection and the further processing and use of the data by Facebook and LinkedIn, as well as your rights in this regard and setting options for protecting your privacy, can be found in the privacy notices of the respective providers:

Additional information on data protection at Facebook can be found at: https://www.facebook.com/about/privacy

Additional information about the plugin from LinkedIn can be found at: https://www.linkedin.com/help/linkedin/answer/50986/social-plugin-data?lang=en

Additional information about the Instagram plugin can be found at: https://help.instagram.com/help/instagram/519522125107875/?locale=en_US

In order to increase the protection of your data when visiting our website, the plugins are not integrated into the page without restriction, but only using an HTML link (so-called “Shariff solution” from c’t). This integration ensures that when you call up a page of our website that contains such plugins, no connection is yet established with the servers of the provider of the respective social network. If you click on one of the buttons, a new window of your browser opens and calls up the page of the respective service provider, on which you can (if necessary after entering your login data) e.g. press the Like or Share button. The purpose and scope of the data collection and the further processing and use of the data by the providers on their pages, as well as your rights in this regard and setting options for protecting your privacy, can be found in the privacy notices of the respective providers.

Besides, you can completely prevent the loading of the plugins with add-ons for your browser.

5. Use of Mailchimp

We use Mailchimp to send our newsletter, a newsletter tool provided by Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA (“Rocket Science Group“).

The data entered in the input mask when registering for the newsletter (your e-mail address, time and date of entry) is stored on the servers of the Rocket Science Group in the USA. Rocket Science Group uses this information to send and evaluate the newsletter on our behalf. Furthermore, according to its own information, Rocket Science Group may use this data to optimize or improve its own services, e.g. to technically optimize the dispatch and display of the newsletters or to determine from which countries the recipients come. However, Rocket Science Group does not use the data to write to you directly and does not pass it on to third parties.

For more information on how Rocket Science Group handles personal data, please see their Rocket Science Group Privacy Policy: https://mailchimp.com/legal/privacy/ https://mailchimp.com/legal/privacy/

6. Use of fusedeck

The Everon Website integrates the tracking solution fusedeck of Capture Media AG (hereinafter “Capture Media”). Capture Media is a Swiss company based in Zurich, which measures the use of the Everon website in the context of engagements and events on behalf of Everon. The tracking is anonymous, so that no reference to specific or identifiable persons can be made.

Further information on data protection as well as on the rights of data subjects in connection with fusedeck including the “opt-out” option (possibility to object) can be found in the following privacy policy and objection policy:

https://privacy.fusedeck.net/en/gLNPELME1P

E. Newsletter

On our website there is the possibility to subscribe to a free newsletter. When registering for the newsletter, the data from the input mask is transmitted to us:

• Name
• Date of birth
• E-mail address

For the processing of personal data, your consent is obtained during the registration process and reference is made to this privacy policy. The legal basis for the processing of personal data is Art. 6 para. 1 lit. a GDPR or Art. 13 para. 1 DPA.

The consent is based on the so-called double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can register with a foreign e-mail address. The collection of your e-mail address is used to send the newsletter. The collection of further personal data in the course of registration serves to prevent misuse of the services or the e-mail address. In connection with the processing of personal data for sending newsletters, no personal data will be disclosed to third parties. The data is used exclusively for sending the newsletter.

The personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Accordingly, your e-mail address will be stored as long as the subscription to the newsletter is active. The other personal data collected during the registration process is usually deleted after a period of seven days.

You can cancel the subscription to the newsletter at any time. For this purpose, you will find a corresponding link in each newsletter. This also allows you to revoke your consent to the storage of personal data collected during the registration process.

1. E-mail contact

You can contact us via the contact function on our website. In doing so, the following personal data will be transmitted to us and stored:

• E-mail address

Via the contact function, no data is passed on by us to third parties. The data is used exclusively for processing the conversation. The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if you have given your consent. The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR (such as as a result of the creation of a customer account; sending a confirmation e-mail as a result of verification of your identification and prevention of misuse of your contact details) .

The processing of personal data from the contact function serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data (including for the prevention of misuse of the contact function, security of our information technology systems).

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from contact function and those that may have been sent subsequently by e-mail, this is the case when the respective conversation with you has ended. The conversation is terminated when the circumstances indicate that the matter in question has been conclusively clarified.

You have the option to revoke your consent to the processing of personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued.

IV. General information

A. Disclosure of personal data to third parties

1. General information

In addition to the disclosure of personal data to third parties as set forth in this Privacy Policy, your personal data may be disclosed to third party companies if they provide services to Everon AG. Services provided by third parties include, for example, services provided by lawyers and fiduciaries (especially in the areas of compliance and accounting) and IT services (especially in the areas of data analysis and hosting). Everon AG ensures that the third party guarantees data security.

The transfer to third parties is necessary to offer the services in the best possible way for you and is based on Art. 13 para. 1 DPA and Art. 6 para. 1 lit. b and f. GDPR.

Other cases are also conceivable in which your data may be handed over or disclosed to third parties in order to protect the legitimate interests of Everon AG or due to legal requirements. In any case, it is ensured that these third parties provide adequate data protection.

2. Disclosure of personal data abroad

Should your personal data be transferred abroad by Everon AG, Everon AG will ensure that adequate data protection is guaranteed. If necessary, it may be necessary to transfer personal data to third countries, outside Switzerland and the EU/EEA, which do not ensure an equivalent level of data protection. If the recipient of your personal data is located in a country that does not ensure adequate data protection, your personal data will only be disclosed with additional protective measures in accordance with Art. 6 DPA or Art. 44 et seq. GDPR will be disclosed.

Furthermore, it is possible that the third-party providers disclose your personal data to Everon AG in a third country in order to fulfill their obligations, e.g. as a result of transaction processing with foreign correspondent banks. This is beyond the control of Everon AG. You are requested to inform yourself accordingly about the disclosure of personal data directly with the third party providers.

Everon AG may disclose personal data domestically and internationally as follows:

• To our employees, directors, agents, consultants, personnel, auditors and other representatives as necessary for the purpose;
• To affiliated companies, third-party providers (such as Hypothekarbank Lenzburg AG, Liberty Vorsorge AG), partner companies;
• If we decide to sell, reorganize or otherwise transfer any part of Everon AG;
• To our developers, software developers, database providers, banking systems, third-party service providers, host and storage providers, payment providers and support service providers, and technical supporters;
• In the presence of your consent to the disclosure of your personal data;
• When we are required to do so by applicable law, regulation (e.g., disclosure, reporting requirements), court order or legal process, or when we believe we are required to do so;
• To enforce agreements and contracts;
• To provide you with our Services and/or the Everon Services and/or the Everon App and/or to fulfill our contractual obligations and pre-contractual measures towards you;
• To protect our rights, intellectual property, services, the Everon Services, the Everon App, and our property (including, but not limited to, defending legal claims, allegations, infringements);
• To protect us from fraudulent, illegal or criminal activity;
• To meet KYC, compliance, auditing and archiving standards;

B. Protection and security of your personal data

Your personal data will be protected by Everon AG by appropriate technical measures, such as data security systems and data protection mechanisms, and by appropriate organizational measures, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons represented by the processing. Please note that we cannot guarantee the security of your personal data or information that you transmit to us via the Internet.

C. Personal data requiring special protection

Personal data requiring special protection are, in particular, personal data about

• religious, ideological, political or trade union views or activities;
• health, privacy, or race;
• Social assistance measures;
• administrative or criminal prosecutions and sanctions.

Personal data requiring special protection will only be processed by Everon AG if you have expressly given Everon AG your consent to do so.

D. Your rights

If personal data is processed by you, you are a data subject within the meaning of the GDPR and you have the following rights against us as the controller:

1. Right to information

You may request confirmation from us, as the controller, as to whether personal data concerning you is being processed by us.

If such processing exists, you can request information from us about the following:

1. the purposes for which the personal data are processed;
2. the categories of personal data which are processed;
3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
4. the planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage duration;
5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
6. the existence of a right of appeal to a supervisory authority;
7. any available information on the origin of the data, if the personal data are not collected from the data subject;
8. the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

This right of access may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

2. Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller, insofar as the processed personal data concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

Your right to rectification may be limited to the extent that it is likely to make impossible or seriously impair the achievement of the research or statistical purposes and the limitation is necessary for the fulfillment of the research or statistical purposes.

3. Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of personal data concerning you:

1. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
3. the controller no longer needs the personal data for the purposes of processing, but you need them for the assertion, exercise or defense of legal claims, or
4. if you have objected to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the controller’s legitimate grounds override your grounds.

Where the processing of personal data concerning you has been restricted, such data may be processed, with the exception of their storage, only with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

Your right to restrict processing may be limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

4. Right to deletion

4.1 Obligation to delete

You may request the controller to delete the personal data concerning you without undue delay, and the controller is obliged to delete such data without undue delay, if one of the following reasons applies:

1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
2. You revoke your consent on which the processing was based pursuant to Art. 6 (1) a or Art. 9 (2) a GDPR and there is no other legal basis for the processing.
3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
4. The personal data concerning you has been processed unlawfully.
5. The deletion of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
6. The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) GDPR

4.2 Information to third parties

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to or copies or replications of such personal data.

4.3 Exceptions

The right to erasure does not exist insofar as the processing is necessary to

1. to exercise the right to freedom of expression and information;
2. for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
5. for the assertion, exercise or defense of legal claims.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the data controller.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. Furthermore, you have the right to transfer this data to another controller without hindrance by the controller to whom the personal data was provided, provided that

1. the processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (2) a GDPR or on a contract pursuant to Art. 6 (1) b GDPR and
2. the processing is carried out with the help of automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR.

Your right to object may be limited to the extent that it is likely to render impossible or seriously impair the realization of the research or statistical purposes and the limitation is necessary for the fulfillment of the research or statistical purposes.

8. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

9. Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

1. is necessary for the conclusion or fulfillment of a contract between you and the responsible party,
2. is permitted on the basis of legal provisions of the Union or the Member States to which the controller is subject and these legal provisions contain appropriate measures to protect your rights and freedoms as well as your legitimate interests, or
3. is done with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

With regard to the cases referred to in a) and c), the controller shall take reasonable measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person from the controller, to express his point of view and to contest the decision.

10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority (https://www.edoeb.admin.ch/edoeb/en/home.html).

11. Third party content

Our website may contain links to other websites or third-party content, services or products whose privacy policies and practices may differ from our Privacy Policy. Please note that our Privacy Policy applies only to our website, its content, and our services.

We have no control over these third party websites or the content, products or services contained therein or provided by them. If you submit personal data or information to any of these third party websites or use their content, services or products, your personal data or information will be subject to their privacy policies and practices.

We are in no way liable or responsible for these third party websites, including but not limited to their content, services, policies, failures, promotions, products or actions and/or any damages, losses, failures, abuse or problems caused by, related to or arising from these third party websites. We encourage you to review all policies, privacy policies, agreements, rules, terms, conditions, disclaimers, and regulations of any website you visit and/or content, services, products, etc. you use.

12. General disclaimer

All information in our offer has been carefully checked. We make every effort to ensure that the information we offer is up-to-date, correct and complete. Nevertheless, the occurrence of errors can not be completely excluded, so we can not guarantee the completeness, accuracy and timeliness of information, including journalistic-editorial nature. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. The use of or access to this website is at the visitor’s own risk. Everon AG, its principals or partners are not responsible for any damages, such as direct, indirect, incidental, consequential or punitive damages, allegedly caused by the use of this website and consequently assume no liability for such damages. Everon AG also assumes no responsibility or liability for the content and availability of third-party websites that can be accessed via external links from this website. The operators of the linked sites are solely responsible for their content. Everon AG thus expressly distances itself from all third-party content that may be relevant under criminal or liability law or that may offend common decency.

13. Up-to-dateness and modification of this privacy policy

This privacy policy may be amended at any time. The current version published on the Everon app and our website www.everon.swiss applies.

Status: September 7, 2021