Privacy Notice

Last modified 15 May 2024

This privacy notice informs you how we collect, use, share, retain and dispose personal data received either:

• through the derivativepartners.com family of websites (“website”), our branded social media pages (such as our LinkedIn, Facebook, Instagram, and Twitter/X pages) (“social media”), and our other websites or apps; or
• whenever you communicate with us via any mean of communication such as phone, email, fax, etc. (“Communication Channels”), obtain services or products from us, interact with us in relation to a business relationship or a contract or otherwise deal with us.

In addition to this Privacy Notice, we may inform you about the processing of your data separately, for example in specific consent forms, terms and conditions, additional privacy notices, forms, and other notices.
Our website and social media are hereinafter jointly referred to as “online platform”.

We may occasionally update this Privacy Notice. We encourage you to periodically review this Privacy Notice to be informed of how we process your information.

1. WHO WE ARE

We are the Avaloq Group Ltd. (“we”, or “us”), a Swiss company registered at Allmendstrasse 140, 8041 Zurich, Switzerland, and a subsidiary of NEC Corporation (“NEC”). We are the data controller responsible for the processing of personal data through our online platform.

2. HOW WE OBTAIN PERSONAL DATA

We may collect and receive personal data when communicating with you through Communication Channels, carrying out services for you, delivering our products to you, through our online platform, or otherwise interacting with you. Personal data means any information relating to an identified or identifiable natural person.

We further collect personal data that you choose to voluntarily provide to us or that we request from you.

3. WHAT TYPES OF PERSONAL DATA WE MAY OBTAIN

Contact data - We may collect basic data about you that we need (in addition to contract data, see below), for the performance of our contractual and other business relationships, for marketing and promotional purposes, or for any other reason reflected in this privacy notice such as:

• Name, address, e-mail address, telephone number and other contact details, gender, date of birth, nationality, data about related persons and websites.
• Details of your relationship with us (customer, supplier, visitor, partner, service recipient, etc.), details of your status, allocations, classifications and mailing lists, details of our interactions with you (if applicable, a history thereof with corresponding entries), reports (for example from the media).
• Declarations of consent and opt-out information are also part of the contact data, as well as information about third parties, for example contact persons, recipients of services, advertising recipients or representatives.
• In relation to contact persons and representatives of our customers, suppliers and partners, contact data includes, for example, name and address, information about the role or function in the company, qualifications, powers of attorney, signature authorization, and (where applicable) information about superiors, co-workers and subordinates and information about interactions with these persons.
• We may collect information about certain actions, such as your response to electronic communications, for example if and when you have opened an e-mail, registered to an event or download a content piece on our website).
• We may collect information about what your needs are, which products or services might be of interest to you. We obtain this information from feedback you give us during events, surveys and/or the analysis of existing data, such as behavioral data, so that we can get to know you better, tailor our advice and offers more precisely to you and generally improve our offers.

Contact data is not collected comprehensively for all contacts. The data collected in an individual case depends mostly on the purpose of the processing activity.

We process your contact data if you are a customer or other business contact or work for one (for example as a contact person of the business partner), or because we wish to address you for our own purposes or for the purposes of a contractual partner (for example as part of marketing and advertising, with invitations to events, with newsletters, etc.).

Website usage data - We may collect and receive the following personal data from you:

• Name and contact details (such as name, address, email, username, phone numbers);
• Personal data included in your traffic data (e.g., IP address, preferences, behavioural data on our website);
• Personal data included in your comments;

We may collect other types of personal data if required under applicable law or if necessary, for the purposes listed below.

4. WHAT ARE THE PURPOSES AND LEGAL BASES FOR PROCESSING

We may collect and process your personal data for the purposes and on the legal bases identified in the following:

Communication purposes

We process your data for purposes related to communication with you, based on our legitimate interest in particular in relation to contractually agreed services, responding to inquiries and the exercise of your rights (Section 11) and to enable us to contact you in case of any other types of queries. We keep your data to document our communication with you, for training purposes, for quality assurance and for follow-up inquiries.

Initiation and performance of contractual relationship

We process data for the implementation of pre-contractual measures (such as preforming internal pre-contractual compliance checks, creating contracts, etc.) as well as the conclusion, administration, billing/payment, and performance of contractual relationships. Where we do not ask for consent for processing, the processing of your personal data relies on the requirement of the processing for initiating or performing a contract with you (or the entity you represent) or on our or a third-party legitimate interest in the particular processing, in particular in pursuing the purposes set out in this Section 4 and in implementing related measures. Our legitimate interests also include compliance with legal regulations, insofar as this is not already recognized as a legal basis by applicable data protection law.

Providing our online platform and delivering the services you have requested

We may process your personal data to perform our contract with you for the use of our online platform and to fulfil our obligations under the applicable terms and conditions; if we have not entered into a contract with you, we base the processing of your personal data on our legitimate interest to operate and administer our online platform and to provide you with content you access and request.

Handling contact and user support requests

If you fill out a contact form or request user support, or if you contact us by other means including via a phone call, we may process your personal data to perform our contract with you and to the extent, it is necessary for our legitimate interest in fulfilling your requests and communicating with you.

Developing and improving our online platform

We may process your personal data to analyse trends and to track your usage of and interactions with our online platform to the extent it is necessary for our legitimate interest in developing and improving our online platform and providing our users with more relevant content and service offerings, or where we seek your valid consent.

Displaying personalized content and ads

We may process your personal data to conduct marketing research, advertise to you, provide personalized information about us on and off our online platform and to provide other personalized content based upon your activities and interests to the extent you have provided your prior consent.

Managing business contacts

If Avaloq obtains your contact data during a business event sponsored by Avaloq or others, or a business meeting (e.g., when business cards are exchanged) or in the context of a project, we use that contact data (particularly name, address, e-mail address) to also manage our business contacts, and to do this we transfer your contact data into our CRM (Customer Relationship Management) system. Such processing is carried out based on a legitimate interest of Avaloq. Avaloq has a legitimate economic interest in cultivating business contacts beyond the initial contact and using them to build a customer relationship and to stay in touch with its business contacts. This also includes the marketing of our products and services, the interest in better understanding our markets and in managing and further developing our company, including its operations, safely and efficiently.

Complying with legal obligations

We may process your personal data when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of personal data to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our online platform, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, respond to lawful requests, or for auditing purposes.

5. HOW WE MAY STORE AND SHARE PERSONAL DATA

We may store the personal data we collect and receive, and share it on a need-to-know basis with the following parties:

1. Other affiliates of the Avaloq group based in the EU, Switzerland and United Kingdom (see here list of Avaloq group companies and locations), or their agents;
2. Third-party providers that perform services for us (refer to Annex 1 “List of Subprocessors”);
3. Our partners, only applicable if you request specific information on certain services where a respective partner is involved;
4. Competent public authorities or other third parties (if required by law or reasonably necessary to protect the rights, property and safety of ourselves or others).

We may also transfer your personal data in the event that we sell or transfer all or a portion of our business or assets on a need-to-know basis. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use personal data you have provided to us in a manner that is consistent with applicable law and this privacy notice.

We do not sell, rent, or trade your personal data.

6. HOW WE MAY TRANSFER DATA OUTSIDE THE EEA

We may transfer the personal data we collected to third parties in countries outside of Switzerland and the European Economic Area (EEA). The laws in those countries may not offer an adequate level of data protection. Personal data may be transferred to the United States among others.

When we transfer your personal data outside of Switzerland or the EEA, we will protect your personal data as described in this privacy notice and in accordance with applicable laws, such as by entering into the European Commission’s Standard Contractual Clauses for the transfer of personal data to a processor located outside of Switzerland or the EEA.

7. LINKS

Our online platform may contain links to other sites. We are not responsible for the content or privacy practices of such other sites. Pay attention when you leave our website and read the privacy notices of any other site that collects personal data. Your data protection and privacy rights under these third-party platforms will be governed by their respective privacy practices.

8. HOW WE MAY USE COOKIES AND SIMILAR TECHNOLOGIES

We collect certain personal data by using cookies and similar technologies when you visit the website.

Cookies are bits of text that are placed on your computer’s hard drive, browser, or mobile device when you visit the website. Cookies hold information that may be accessible by the party that places the cookie, which is either the website itself (first-party cookie) or a third party (see section 8.2 THIRD-PARTY COOKIES).

We use both session-based and persistent cookies on our website. Session-based cookies exist only during a single session and disappear from your device when you close your browser or turn off the device. Persistent cookies remain on your device after you close your browser or turn your device off.

To change your cookie settings and preferences for our website, click the “Cookie Settings” link below. You can also control the use of cookies on your device but choosing to disable cookies on your device may limit your ability to use some features on our website.

COOKIE SETTINGS

8.1 WHAT IS THE PURPOSE OF SETTING THE COOKIES AND SIMILAR TECHNOLOGIES

We categorize our website cookies and similar technologies as follows:

1. Strictly Necessary Cookies (Category 1)

   These cookies are absolutely necessary for you to browse the website and use its features, such as accessing secure areas of the website.

2. Performance Cookies (Category 2)

   These cookies gather website statistical data to analyse how our users use the website, such as which pages are visited, how long pages were visited, and the paths taken by visitors to our website as they move from page to page.

8.2 THIRD-PARTY COOKIES

We may use third-party technology to track and analyse usage information to provide enhanced interactions and more relevant communications and to track the performance of our advertisements and digital channels.

Third-party Performance Cookies (Category 2):

We may use Google Analytics to the extent you have provided your prior consent:

• Google Analytics is a web analytics service which uses cookies to help analyse website usage. The information generated by the cookie about your use of our website (such as your IP address, geolocation, the URL visited, the date and time the page was viewed) will be transmitted and stored by Google on servers in the United States or any other country in which Google maintains facilities. For European Union based users Google will not log or store IP addresses, however Google will retrieve certain metadata from your IP address (e.g., continent, country, etc.) and discard the IP address immediately. Google will use this information to monitor your use of our website and to compile reports on website activity for us. We have entered into a data protection agreement with Google that also includes Controller to Processor EU Standard Contractual Clauses safeguarding the cross-border transfer of personal data.

9. HOW WE PROTECT PERSONAL DATA

We maintain appropriate organizational, physical, and technical security measures designed to protect your personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use. In order to protect your data, we have – among others – implemented physical access control measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used. We implemented technical and organisational measures designed to prevent data processing systems from being used by unauthorized persons and measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use and after storage. When feasible we pseudonymize personal data, which means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures. To secure transfer control we took different measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment, e. g. use of VPN, logging of accesses and retrievals and provision of encrypted connections. Additionally, we ensure that personal data is protected against accidental destruction or loss (e. g. fire protection, data backups, secure storage of data media, virus protection, raid systems, disk mirroring, etc.) and that our systems are capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident. However, due to the inherent open nature of the Internet, we cannot guarantee that communications between you and us or the personal information stored are absolutely secure. We will notify you of any data breach that is likely to have unfavourable consequences for your privacy in accordance with applicable law.

10. HOW LONG WE RETAIN PERSONAL DATA

We retain personal data for as long as necessary to fulfil the purposes for which we collect or receive the personal data, except if required otherwise by applicable law, rules, and regulations. Typically, we will retain most of the personal data for the duration of your use of the online platform, your use of our services, or until you have removed your account unless a longer applicable statutory retention period applies. Records retention details are established in Avaloq’s internal policies.

After expiry of the applicable retention periods, all personal data will be destroyed, anonymized, or deleted using secure technology. This technology depends on the application and storage media used. Expired records are identified based on their creation or last modification date, the current date, and the retention period. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data.

11. WHAT ARE YOUR RIGHTS

You have the following rights in relation to your personal data:

• The right to obtain, at reasonable intervals and free of charge, information on whether your personal data are being processed and to receive the personal data that is being processed in an intelligible form;
• The right to have your personal data rectified, blocked, or deleted if your personal data are incorrect, incomplete, inaccurate, irrelevant, outdated or processed unlawfully;
• The right to withdraw your consent at any time
• The right to transfer your personal data to another controller, to the extent possible;
• The right to object on legitimate grounds to the processing of your personal data.
• The right to data portability;
• The right to file a complaint and
• The right to damages or indemnification.

To exercise these rights, please contact us using our contact details set out below. We may request you to provide a copy of your ID card or otherwise evidence of your identity. We will respond to your request within the applicable statutory term.

12. HOW TO CONTACT US

If you have any comments or inquiries about the information in this privacy notice, if you would like us to update your personal data, or if you want to exercise your rights, please contact our Data Protection Officer by email at dataprotection@avaloq.com.

13. CHILDREN

Avaloq understands the importance of protecting children’s privacy, especially in an online environment. Our website is not intentionally designed for or directed at children 16 years of age or younger. It is Avaloq’s practice never knowingly to collect or maintain information about anyone under the age of 16.

Annex 1: List of Subprocessors

Service Provider	Legal Basis	Processing	Country
Google Ireland Ltd.	Consent	Tools provided by Google are used to support our marketing activities. For example, Google Analytics used to gather behavioural analytics on how users use our website to help improve and guide product development. Whenever possible we enter contracts with Google entities based in EU/EEA.	Ireland
Google LLC	Consent	Tools provided by Google are used to support our marketing activities. For example, Google Analytics used to gather behavioural analytics on how users use our website to help improve and guide product development. Whenever possible we enter contracts with Google entities based in EU/EEA.	United States
Microsoft Ireland Operations Limited	Legitimate interest	Microsoft products are used among other for the following purposes: Communication channels (Outlook, Teams, etc.); Internal document storage (SharePoint).	European Union