LegalPrivacy Policy

Last Updated: October 27, 2025

1. Introduction

CLEANPACT GmbH ("CLEANPACT", "we", "us", or "our") is committed to protecting your privacy and complying with the highest standards under the Swiss Federal Act on Data Protection (FADP/nDSG), the EU General Data Protection Regulation (GDPR), and applicable financial sector regulations (e.g., FINMA). This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you visit https://cleanpact.io ("Website") or use our services.

2. Data Controller and Contact Information

CLEANPACT GmbH
Registered in Zug, Switzerland
Commercial Registry: CHE-250.598.316
Registered Office: c/o Confidaris AG, Hertizentrum 15, 6300 Zug
Legal Form: Gesellschaft mit beschränkter Haftung (Limited Liability Company)

Data Protection Contact/Officer: privacy@cleanpact.io
Supervisory Authority (Switzerland): Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch/

3. What Data We Collect

We may collect and process the following categories of personal data:

• Identity data: full name, date of birth, nationality, company/organization
• Contact data: email, address, telephone
• Account registration/login data: username, password
• Technical data: device information, IP address, browser type, operating system, log files
• Usage data: how you use our Website, which pages you visit, time spent, buttons clicked
• Transactional and financial data: investments, payment methods, transaction history
• Communications data: support requests, feedback, email correspondence
• Marketing and communications preferences
• Sensitive personal data (where applicable, with explicit consent): as defined by the FADP (e.g., health, biometrics, beliefs, criminal data — usually not processed unless strictly necessary)
• Cookie and tracking data: (see our separate Cookie Policy)

Sources: We may collect data directly from you, through automated technologies (e.g., cookies), or from third-party/partner institutions when you use our services.

4. Purposes and Legal Bases for Processing

We will only use your personal data for these purposes, unless we reasonably consider another purpose compatible with the original.

5. Recipients of Personal Data and International Transfers

We may share your personal data:

• With trusted partner financial institutions, only as required for providing services (e.g., KYC, AML, transaction administration)
• With authorized service providers who support the technical or operational provision of our Website
• With our legal, tax, or professional advisors
• With regulatory authorities (FINMA, FDPIC, EU DPAs, courts) to comply with obligations
• With cloud/IT providers, only under signed DPA and subject to appropriate safeguards
• With subsidiaries/affiliates (as disclosed)

International Transfers:

• Personal data may be transferred to or processed in countries outside Switzerland and the EU/EEA (e.g., cloud services, analytics). In such cases, we ensure adequacy (EU/Swiss adequacy decisions) or rely on Standard Contractual Clauses (SCCs) with “Swiss Add-On” or Data Privacy Framework (DPF) if applicable. You may request a copy of these safeguards.

6. Data Retention

We retain your personal data only as long as necessary for the purposes for which it was collected, or as required by law and industry regulations:

• User accounts and contact data: as long as you maintain an active account, plus up to 24 months after inactivity or closure
• Transaction/contractual/AML-KYC data: minimum 10 years per Swiss Code of Obligations (Art. 958f), AMLA (Art. 34), and FINMA Ordinance
• Cookie/analytics/marketing data: see our Cookie Policy (typ. 6-26 months)
• Communications/support data: up to 24 months post-resolution or as required for audit/compliance

Your data will be securely deleted or anonymized once retention periods expire, unless legal or legitimate business interests require longer retention (e.g., evidence in case of disputes).

7. Data Security

We implement technical and organizational security measures to protect your data:

• Data is encrypted (at rest and in transit) where appropriate
• Access is restricted to authorized employees, partners, and processors only on a need-to-know basis
• User passwords are hashed/salted; back-end access is audited and monitored
• Business, accounting, and AML records are stored and backed up in compliance with Swiss regulatory and FINMA requirements
• Regular security risk assessments and penetration testing
• Breach response plans in place for prompt notification and mitigation

8. Automated Processing, Profiling, and Children’s Privacy

• Automated processing or profiling: If CLEANPACT uses profiling or automated decision-making (e.g., automatic onboarding eligibility), you will be specifically informed, with explanation of the underlying logic and consequences. You can request human intervention or contest automated decisions (FADP/GDPR Art. 22).
• Children’s privacy: Our services are not directed at children under 16. We do not knowingly process data of children without verified parental/guardian consent, if applicable. If we learn we have inadvertently collected such data, we will erase it promptly.

9. Your Data Protection Rights

Under applicable data protection law (FADP, GDPR), you have the following rights:

1. Access: Obtain information about your personal data and a copy.
2. Rectification: Request corrections to incomplete/inaccurate data.
3. Erasure: Request deletion of your data where legally permitted.
4. Restriction: Limit how your data is processed in certain circumstances.
5. Portability: Request your data in a commonly used format and transmit it to another controller where applicable.
6. Objection: Object to processing based on legitimate interests or for direct marketing purposes.
7. Withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
8. Complaint: Lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) or your country’s supervisory authority (for EU/EEA users).

To exercise your rights, contact us at privacy@cleanpact.io or the address above. Requests will be addressed as required by law, generally within 30 days.

10. Data Breach Notification

CLEANPACT maintains procedures to detect, respond to, and notify the relevant authorities and affected individuals of personal data breaches as required under FADP, GDPR, and FINMA regulatory standards.

• Data subjects will be promptly informed if a breach is likely to result in high risk to their rights and freedoms.

11. Cookies and Tracking Technologies

CLEANPACT uses cookies and similar technologies for Website functionality, analytics, security, and marketing. Details—including purposes, types, use of third-party trackers, and your choices/controls—are set out in our separate [Cookie Policy].

12. Changes to This Privacy Policy

We may update this Privacy Policy at any time to reflect changes in law or our data processing activities. Material changes will be highlighted on our Website, and where appropriate, notified to you directly. The "Last Updated" date at the top will indicate the date of the latest revision. We recommend you review this Policy periodically.

13. Supervisory Contacts and Complaints

If you have any concern or wish to lodge a complaint about our handling of your data, you may contact:

Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch/
E-mail: info@edoeb.admin.ch

For EU/EEA users, your competent Data Protection Authority.

14. How to Contact Us

If you have any questions about this Privacy Policy, your rights, or our data protection practices, please contact:

CLEANPACT GmbH
c/o Confidaris AG
Hertizentrum 15
6300 Zug
Switzerland
Email: privacy@cleanpact.io
Website: https://cleanpact.io

By using this Website or our services, you acknowledge that you have read, understood, and accepted this Privacy Policy.