Privacy Policy
1. INTRODUCTION AND APPLICABLE LEGAL FRAMEWORK
FOXCHANGE AG (hereinafter referred to as “we”, “our”, or “the Company”) is a legal entity incorporated in Switzerland and provides services related to virtual assets. We recognize the importance of protecting personal data and are fully committed to handling such data responsibly, transparently, and in compliance with the highest standards of data protection.
This Privacy Policy is intended to provide you with a clear explanation of how we collect, process, store, and protect personal data when you interact with us, whether as a client, prospective client, website visitor, or business partner. It outlines our practices regarding the personal data we collect directly or indirectly, including through third-party service providers, as part of the operation and delivery of our services.
We process personal data in accordance with the Swiss Federal Act on Data Protection (nFADP), which entered into force on 1 September 2023, and, where applicable, with the European Union’s General Data Protection Regulation (GDPR – Regulation (EU) 2016/679). These regulations establish the principles and legal bases that govern the processing of personal data, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.
This Privacy Policy applies in all cases where we act as a data controller and where we determine the purposes and means of the processing of personal data. It applies regardless of the form of communication – whether electronic, verbal, or written – and encompasses our interactions via our website, client onboarding platforms, and customer support channels. It also governs our relationships with third-party processors who process data on our behalf under binding contractual terms.
Should any inconsistency arise between this Privacy Policy and a specific contractual agreement with a client or partner, the provisions of the contract will prevail, provided that they comply with applicable data protection laws.
2. DATA CONTROLLER AND CONTACT INFORMATION
The entity responsible for the processing of personal data under this Privacy Policy is:
Foxchange AG
Rosenweg 3, 6340 Baar, Cant. Zug, Switzerland
Commercial Register Number, CHE-461.395.592
https://foxchange.ch
Contact Email: info@foxchange.ch
As the data controller, [Company Name] determines the purposes and means of the processing of personal data, ensuring that such processing is carried out in accordance with the applicable Swiss and European data protection laws. We are committed to processing your personal data with integrity, safeguarding your rights, and providing you with transparent and easily accessible information regarding how we handle your data.
If you have any questions, concerns, or requests related to the processing of your personal data or this Privacy Policy, you may contact our data protection contact point via the email address provided above. We will respond in a timely manner, and, where required, assist you in exercising your data subject rights under applicable law.
3.CATEGORIES OF PERSONAL DATA COLLECTED
In the course of providing our services and maintaining a business relationship with you, we collect and process various categories of personal data, either directly from you or through third parties acting on our behalf. The type and scope of personal data collected may vary depending on the nature of your interaction with us, the services requested, and the applicable regulatory requirements.
We collect personal data that you voluntarily provide to us during account registration, onboarding procedures, compliance checks, use of our or partners digital platforms, or through other communication channels. This includes, but is not limited to, your full name, date of birth, nationality, residential and address, contact details (such as email and telephone number), identification documents, photographs, tax identification numbers, and professional affiliations or occupation.
As part of enhanced verification procedures, and where required or permitted by law, we may process biometric data derived from government-issued identification documents, including data extracted from chips embedded in identity cards or passports. This data may include facial image templates or other unique identifiers necessary for authenticating your identity and ensuring the integrity of our client onboarding process. Biometric data is only processed with your explicit consent or as required for the fulfilment of a legal obligation.
We also collect information related to your financial and transactional profile, such as bank account details, virtual asset wallet addresses, transaction histories, declared source of funds, source of wealth, and risk classification. This information is essential to fulfilling our legal obligations under anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, and to assess your eligibility for using our services.
Technical data may be collected when you interact with our website or digital platforms, including IP address, device type, browser version, language preferences, session timestamps, and referral URLs. This data is used for system security, fraud prevention, and improving the overall user experience.
Additionally, we may obtain personal data from third-party sources such as identity verification providers, blockchain analytics companies, sanctions and watchlist databases, compliance platforms, credit reference agencies, and publicly accessible registers. This allows us to verify your identity, validate submitted information, screen for regulatory risks, and maintain our compliance with applicable laws.
We may also collect and store personal data for the purpose of delivering marketing communications, including your communication preferences, expressed interests, and engagement with our content. You may opt out of receiving such material at any time, as described further in this Privacy Policy.
In certain cases, we may process data about individuals associated with our clients, such as beneficial owners, authorized representatives, signatories, or other persons involved in the business relationship. If you provide us with personal data relating to third parties, it is your responsibility to ensure that such individuals are informed about this Privacy Policy and that you are authorized to share their information with us.
4. PURPOSE OF DATA PROCESSING AND LEGAL BASIS
We process your personal data for clearly defined and legitimate purposes that are directly related to the provision of our services and the operation of our business. The extent and nature of processing depend on your relationship with us — whether as a prospective client, active client, business partner, or website visitor — and is carried out in accordance with applicable legal obligations and data protection principles.
The primary purposes for which we process personal data include verifying your identity and eligibility to use our services, conducting due diligence and risk assessments under applicable anti-money laundering (AML) and counter-terrorism financing (CTF) laws, ensuring compliance with financial regulations, executing transactions, and maintaining accurate records of our business relationships.
Your data is also processed to manage and administer your account, communicate with you about our services, respond to your inquiries, provide client support, and fulfill our contractual obligations. Where necessary, we may use personal data to investigate and prevent fraudulent activity, unauthorized access, or other unlawful conduct, and to comply with requests from regulators, supervisory authorities, or courts of law.
We also process personal data to improve the performance, usability, and security of our digital platforms, and to conduct internal reporting, audits, and risk management procedures. In the context of digital assets and blockchain technology, personal data may be used in combination with blockchain analytics tools to assess the risk profile of wallet addresses and to comply with know-your-transaction (KYT) standards.
Where you have provided your consent or where we have a legitimate interest, we may process your data for marketing and communication purposes. This includes sending newsletters, service updates, promotions, and information about our offerings that we believe may be of interest to you. You may withdraw your consent or object to such processing at any time by using the unsubscribe link or contacting us directly.
The legal basis for processing personal data includes:
• The necessity to enter into or perform a contract with you;
• Compliance with legal and regulatory obligations, particularly under AML/CTF legislation;
• Our legitimate interest in maintaining the security, efficiency, and legal integrity of our services;
Your explicit consent, where required — for example, in the case of biometric data or marketing communication.
In every case, we ensure that personal data is only processed for the specific purposes for which it was collected, or for purposes that are compatible with the original intent. We do not process your data in a manner that is excessive, discriminatory, or unrelated to the scope of our services and obligations.
5. USE OF THIRD-PARTY SERVICE PROVIDERS AND DATA DISCLOSURE
To fulfill our contractual and legal obligations and to deliver our services efficiently and securely, we rely on carefully selected third-party service providers who process personal data on our behalf. These providers act as data processors under binding contractual agreements that require them to handle personal data in strict compliance with applicable data protection laws, our instructions, and industry best practices. These providers may include KYC and KYT tools such as Ondato and Crystal, used to verify identity and monitor transactional risk.
We may share your personal data with external providers who support us in performing key compliance functions such as identity verification (KYC), sanctions and watchlist screening, anti-money laundering (AML) monitoring, and blockchain transaction analysis (KYT). These services are essential to ensuring the legitimacy of our client base and to maintaining the integrity of our operations within a regulated environment.
Our third-party providers may also support us in other areas of business, including cloud hosting, IT infrastructure, cybersecurity, customer support tools, payment processing, accounting, legal services, and communication platforms. In each case, access to your personal data is limited to what is strictly necessary for the provider to perform its role, and all processing is subject to confidentiality and data security obligations.
We may also disclose personal data to competent regulatory, supervisory, or tax authorities, courts, law enforcement agencies, or other public bodies, where such disclosure is required by applicable law or legal process, or where it is necessary to protect our legal rights or comply with an enforceable request.
If you engage with our services as part of a corporate or institutional relationship, we may share relevant personal data with your appointed representatives, signatories, legal proxies, or other authorized parties involved in the relationship.
In every case of data disclosure, we ensure that data is transferred and processed in a controlled and traceable manner, with safeguards in place to prevent misuse, unauthorized access, or further disclosure beyond what is required. We do not sell or rent your personal data to any third parties for commercial purposes.
It is important to note that if you do not agree to the processing and disclosure of your personal data for these essential compliance and operational purposes, we may not be able to establish or maintain a business relationship with you.
6. BLOCKCHAIN-SPECIFIC DATA CONSIDERATIONS
As part of our services, we facilitate transactions and interactions involving blockchain and distributed ledger technologies. It is important to understand that the use of such technologies introduces unique characteristics with respect to data handling, especially concerning transparency, permanence, and control.
When personal data is associated with a blockchain transaction — for example, when linking a virtual asset wallet address to a client identity or recording a transaction on-chain — certain information may become publicly accessible and, in most cases, permanently recorded. Due to the decentralized and immutable nature of blockchain networks, once data has been published to a public ledger, it cannot be modified, deleted, or redacted by any party, including us.
Although the data written to the blockchain is generally pseudonymized (i.e., not directly identifying individuals without additional information), in combination with other data — such as wallet ownership confirmed during onboarding — it may become possible to attribute certain on-chain activity to identifiable individuals. For this reason, we treat all wallet-related data and blockchain analytics with the same level of confidentiality and protection as other categories of personal data.
To manage these risks responsibly, we implement strict internal protocols to assess, monitor, and document wallet addresses and transaction flows. As part of our know-your-transaction (KYT) procedures, we utilize specialized third-party providers to evaluate wallet reputational scores and to detect connections to high-risk activities, including those involving mixers, darknet marketplaces, sanctioned addresses, or illicit finance.
You should be aware that our ability to honor data subject rights — such as the right to erasure or rectification — is technically limited with respect to data stored on public blockchains. However, we ensure that any personal data not strictly necessary for blockchain execution is processed off-chain, within controlled environments where your rights remain fully enforceable.
By engaging with our services, you acknowledge and accept the inherent limitations of blockchain technology regarding data reversibility and consent withdrawal in the context of on-chain actions. We are committed to minimizing the exposure of personal data on-chain and to maintaining transparency about how your data is used in blockchain interactions.
7. COOKIES, WEB TRACKING, AND ANALYTICS
When you access or interact with our website and digital platforms, we may use cookies and similar technologies to ensure the proper functioning of our services, to enhance user experience, and to gather insights into how visitors use our website. This section explains how we use these technologies and how you can manage your preferences.
Cookies are small text files that are stored on your device when you visit a website. Some cookies are essential for the operation of the site and the delivery of its core functions — for example, maintaining secure login sessions or enabling navigation. These are referred to as “necessary cookies” and are activated by default.
Other cookies, such as those used for performance analytics, functionality enhancements, or marketing purposes, are optional and require your consent. These may be deployed by us or by third-party providers, including web analytics services such as Google Analytics, to help us understand how users engage with our content, which pages are visited most frequently, or how long users stay on particular sections of the site.
In addition to cookies, we may use tracking technologies such as pixels, tags, or scripts to gather technical and usage data. This includes your IP address, browser type, device identifier, referral source, location (approximate), time and date of visit, and browsing behavior. These tools help us identify trends, improve performance, detect security risks, and optimize our digital content delivery.
You have control over how cookies are used on your device. When you visit our website for the first time, you will be presented with a cookie banner that allows you to accept or decline non-essential cookies. You can also adjust your cookie preferences at any time through your browser settings or via a dedicated cookie management tool available on our site.
Please note that disabling certain types of cookies may affect the functionality or availability of some parts of our website. However, we respect your preferences and ensure that all cookie-related data processing is carried out in accordance with applicable data protection laws and transparency obligations.
Where we use third-party services that involve the transfer of cookie-related data outside Switzerland or the European Union, we ensure that adequate safeguards are in place to protect your data in accordance with applicable legal requirements.
8. SOCIAL MEDIA, COMMUNICATION, AND NEWSLETTER USE
We maintain a presence on various social media platforms in order to share updates about our services, engage with the public, and provide relevant industry insights. If you interact with us via platforms such as LinkedIn, Twitter (X), Facebook, or others, your personal data may be collected both by us and by the respective platform operator. While we process data within our own accounts for the purposes outlined in this Privacy Policy, please note that the use of social media platforms is governed by their own privacy policies, and we have no control over how those operators collect or process your data.
When you engage with our content — such as by liking, commenting, sharing, or messaging us — we may receive basic analytics and aggregate insights regarding visitor demographics and content engagement. These reports do not usually identify individual users but may inform our communication strategy and improve the relevance of the information we provide.
In the course of our business relationship or through website interactions, you may choose to subscribe to our newsletter or other marketing communications. In doing so, we collect and process personal data such as your name, email address, and language preference to deliver content that aligns with your interests. Our newsletters may contain information about service updates, product launches, company news, regulatory changes, and other topics we consider relevant to our clients and audience.
To assess and improve the effectiveness of our newsletters, we may use analytics tools that measure email open rates, link clicks, and engagement patterns. These insights allow us to tailor content and frequency to your preferences. If you no longer wish to receive marketing communications from us, you may withdraw your consent at any time by using the “unsubscribe” link included in each communication or by contacting us directly.
Please note that withdrawing consent to receive newsletters will not affect the lawfulness of communications sent prior to withdrawal, nor will it impact transactional or regulatory communications necessary to maintain your account or fulfil our legal obligations.
We do not share your subscription data with third parties for independent marketing purposes. Where third-party providers support the distribution or analytics of our communications, they operate under contractual obligations to ensure compliance with data protection and confidentiality requirements.
9. DATA RETENTION AND SECURITY
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal, regulatory, and contractual requirements. The retention period may vary depending on the nature of the data, the legal context under which it was obtained, and any ongoing business relationship.
In accordance with applicable Swiss and international financial regulations — including anti-money laundering (AML) laws — we are obligated to retain certain client data, transaction records, and related documentation for a minimum period of ten (10) years following the termination of the business relationship or the execution of a transaction. This includes, but is not limited to, identification documents, account and wallet details, correspondence, proof of transactions and compliance assessments.
Where retention is not legally required, we will delete or anonymize personal data once it is no longer needed for the purposes for which it was collected or processed. We may also retain data for a longer period if necessary to protect our legal interests, enforce contractual claims, or comply with official investigations or audits.
We take the security of your personal data seriously and implement appropriate technical and organizational measures to safeguard it against unauthorized access, misuse, loss, alteration, or disclosure. These measures include, but are not limited to, secure storage systems, access controls, encryption technologies, multi-factor authentication, and regular internal reviews and risk assessments. Our staff is trained on data protection and confidentiality, and all processing activities are conducted under strict internal policies and oversight.
In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities in accordance with our legal obligations and internal incident response procedures.
While we strive to protect your personal data using commercially acceptable methods, it is important to note that no system or transmission over the internet can be guaranteed to be completely secure. As such, we encourage you to exercise caution when sharing sensitive information and to notify us immediately if you suspect any compromise of your personal data.
10. INTERNATIONAL DATA TRANSFERS
As part of our operations and the services we provide, your personal data may be transferred to, accessed from, or stored in countries outside of Switzerland and the European Union (EU), including jurisdictions that may not be recognized as providing an equivalent level of data protection under Swiss or EU law.
Such transfers may occur, for example, when we engage third-party service providers located abroad for identity verification, blockchain analytics, cloud hosting, or IT support. While these international transfers are sometimes necessary for the performance of a contract or the implementation of pre-contractual measures, we always ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection requirements.
Where personal data is transferred to countries that do not benefit from an adequacy decision by the Swiss Federal Council or the European Commission, we rely on legally recognized mechanisms to ensure a comparable level of protection. These mechanisms may include the use of Standard Contractual Clauses (SCCs), in their Swiss or EU-approved versions, together with supplementary technical and organizational measures where necessary.
In certain situations — for example, when data must be disclosed to comply with foreign legal obligations, regulatory requests, or contractual enforcement procedures — we may be required to transfer data even in the absence of an adequacy decision or contractual safeguards. In such cases, we ensure that the transfer is strictly limited to what is necessary and that it complies with the applicable exceptions under data protection law.
You may request further information regarding the safeguards in place for international data transfers by contacting us using the details provided in this Privacy Policy.
We remain committed to ensuring that your personal data is treated with the same level of care and protection regardless of where it is processed or stored, and we continuously evaluate the legal, technical, and organizational conditions of all cross-border data flow.
11. YOUR RIGHTS AS A DATA SUBJECT
As an individual whose personal data we process, you have a number of rights under applicable data protection laws. We are committed to ensuring that you can exercise these rights transparently and without undue delay, subject to the conditions and limitations set out in the Swiss Federal Act on Data Protection (nFADP), the EU General Data Protection Regulation (GDPR), or other relevant legal frameworks.
Right of access: You have the right to request confirmation as to whether we process your personal data, and, if so, to obtain information about the nature of that processing. This includes access to the categories of data processed, the purposes of processing, the recipients or categories of recipients, and the applicable retention periods.
Right to rectification: You have the right to request the correction of inaccurate or incomplete personal data we hold about you, in order to ensure that it is accurate, current, and complete.
Right to erasure: In certain circumstances, you may request that we delete your personal data, for example where the data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent and there is no other legal basis for processing. This right may be limited where legal retention obligations apply or where data is recorded immutably (e.g., on a blockchain).
Right to object: You may object to the processing of your personal data where it is carried out on the basis of our legitimate interests, including profiling. Upon objection, we will cease such processing unless we can demonstrate compelling legitimate grounds or where processing is necessary for the establishment, exercise, or defense of legal claims.
Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in specific circumstances, for example while the accuracy of the data is being verified or during the review of an objection.
Right to data portability: Where processing is based on your consent or on a contract and carried out by automated means, you have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, or to have it transmitted directly to another data controller, where technically feasible.
Right to withdraw consent: Where processing is based on your explicit consent — for example, in the case of biometric data or marketing communications — you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint: If you believe that we have infringed your rights under data protection laws, you have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). If you are located in the EU, you may also contact your local data protection authority.
To exercise any of your rights, or if you have questions about how your data is processed, you may contact us using the details provided in Section 2 of this Privacy Policy. We may ask you to verify your identity before responding to your request.
12. CHANGES TO THIS PRIVACY POLICY
We reserve the right to update or amend this Privacy Policy at any time in order to reflect changes in our data processing practices, legal obligations, service offerings, or technological developments. Any modifications will be published on our website with an updated effective date, and, where required by law, we will notify you directly of any material changes that affect your rights or the way we process your personal data.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data and uphold your rights. Your continued use of our services after any changes have been posted will be deemed acceptance of those changes, unless otherwise required by applicable law.
If you have any questions about the content or implications of an updated version of this Privacy Policy, you may contact us using the contact information provided in Section 2. We will make every reasonable effort to respond in a timely and transparent manner.
The current version of this Privacy Policy is always available at: www.foxchange.ch.