1. Introduction and Scope
This Privacy Policy explains how we, Darley Technologies AG, collect, use, and protect personal data when providing crypto-derivative trading services to institutional and semi-professional counterparties. We adhere to Swiss data protection law (CH-DSG) and, where applicable, the EU General Data Protection Regulation (GDPR).
Scope
This Policy applies to:
- Anyone interacting with us as a client, prospect, or partner (including corporate contact persons).
- Visitors to our digital platforms (website, applications) where this Policy is posted or referenced.
- Any third party whose personal data we process in connection with onboarding, trading, identity verification, business development, or contract management.
By engaging with our services or merely browsing our platforms, you acknowledge and agree that we will collect, use, and safeguard your personal data as described in this Policy.
2. Data Controller and Contact Information
Data Controller
Darley Technologies AG, registration number CHE-148.754.173
Privacy Contact
Email: privacy@darleytechnologies.com
For any questions, requests, or concerns about this Policy or our handling of personal data, please contact us at the above address. We will acknowledge receipt within two business days and provide a substantive response within 30 days.
3. What Data We Collect and Why
We collect only the personal data strictly necessary for onboarding, regulatory compliance, transaction execution, risk management, communications, and business development. The table below summarizes each category, example data points, purposes, and general retention periods.
Data Category | Example Data Collected | Purpose | Retention |
Identification & Contact | • Full name • Address (residential or business) • Email address • Telephone number | • Establish and maintain client relationships • Service-related communication (notifications, support) | Client relationship + 10 years. Meets Swiss AML requirements (Art. 3 (3) GWG) and bookkeeping/archive obligations (OR 958 ff.). |
KYC & KYB Documentation | • Government ID scans (passport/ID) • Proof of address (utility bill) • Biometric data (selfie/video, for verification only) • Corporate registration documents | • Verify identity, beneficial ownership, and legal standing • Fulfill Swiss AML and equivalent EU requirements | At least 10 years. Per Swiss AML legislation and, where applicable, EU regulations. |
Financial & Transaction Data | • Bank account details (IBAN or equivalent) • Crypto wallet addresses • Trade history, confirmations, settlement records | • Facilitate, record, and settle crypto-derivative trades • Monitor risk controls and support regulatory audits | At least 10 years. To satisfy bookkeeping (OR 958 ff.) and AML/audit requirements (GWG). |
Communication & Contracts | • Email and messaging logs (general correspondence; core trade-execution logs stored separately) • Contract metadata (name, version, execution date) • Signatory data (name, email, electronic signature, IP, timestamp) • Contract content (terms, schedules) | • Manage and enforce client agreements • Support digital-signature workflows via a secure e-signature service • Comply with legal archiving obligations | • Business-relevant email/messaging: 10 years after last relevant communication (e.g. emails or chats about offers, payments, contracts) • Technical SMTP/system logs (transport-level): 1–2 years if no business relevance • Contract records (metadata + content): 10 years (per OR 957 ff. and GWG) |
CRM & Business Development | Contact Person Data (leads): • Company, job title, country, city • Corporate email address, domain • Telephone numbers (e.g., WhatsApp/Telegram) • Social profile links (LinkedIn, X) • Generic email logs (no trade details) Company Data (leads): • Company name, website, address • Corporate email, phone | • Track and follow up on leads/prospects (intro calls, meeting requests, information sharing) | • Leads without conversion: Up to 2 years after last qualifying interaction (e.g. last email exchange, meeting), then deleted or anonymized if no relationship materializes • Leads that convert to clients: Client relationship + 10 years if KYC-relevant; otherwise client relationship + 2 years documented retention |
Notes:
- Legal Basis (GDPR) for business-development data is Article 6(1)(f) – our legitimate interest in maintaining accurate B2B contact records.
- All CRM data reside in GDPR-compliant data centers within the EU.
- We do not use any personal data for unrelated purposes (e.g., marketing or profiling) without explicit consent.
4. How and Why We Use Your Data
We process personal data solely for specific, legitimate purposes. The table below maps each purpose to the relevant data categories (as defined in Section 3).
Purpose | Relevant Data Categories |
Client Identification & Compliance | • Identification & Contact • KYC & KYB Documentation |
Transaction Execution & Management | • Financial & Transaction Data |
Contract Administration | • Communication & Contracts |
Risk Management | • Financial & Transaction Data • KYC & KYB Documentation |
Communication & Support | • Identification & Contact • Communication & Contracts |
Business Development (CRM) | • CRM & Business Development |
Data Transfers & Privacy-by-Design | • (Overarching internal safeguards for all data categories when transferring personal data outside the EU/Switzerland) |
Incident Response & Breach Notification | • (Overarching internal monitoring logs and response procedures for all data categories) |
Notes:
- Each “Relevant Data Category” corresponds to the detailed lists in Section 3 (for example, “Identification & Contact” includes full name, address, email, telephone).
- “Data Transfers & Privacy-by-Design” covers internal processes and safeguards (e.g., use of Standard Contractual Clauses, DPIAs) rather than specific categories of data.
- “Incident Response & Breach Notification” refers to our internal logs and incident-handling procedures, which apply to any personal data we process.
- We do not use personal data for unrelated purposes—such as marketing or profiling—unless you explicitly consent.
5. How We Protect Your Data
We implement appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, misuse, alteration, or disclosure. The following is a high-level overview of our key controls.
Security Control | Description |
Encryption | • All data in transit is encrypted using industry-standard protocols (e.g., TLS 1.2+). • Sensitive data at rest (including backups) is encrypted using industry-standard methods. |
Access Controls | • Access to personal data is granted strictly on a “need-to-know” basis via role-based permissions. • Multi-Factor Authentication (MFA) is enforced for all user accounts. |
Backups & Immutable Storage | • Regular backups are stored in Write-Once, Read-Many (WORM) archives, preventing post-write modifications. • Backups are encrypted and held in secure, access-controlled facilities. |
Security Audits & Testing | • We conduct regular internal security assessments (e.g., penetration tests, vulnerability scans). • We review third-party processor certifications (ISO 27001, SOC 2/3). |
Incident Response & Monitoring | • We maintain a documented Incident Response Plan outlining detection, containment, remediation, and notification steps. • Security logs (e.g., access logs, system events) are monitored and retained for at least 12 months. |
Personnel Training & Awareness | • All staff receive annual data protection and security training. • New hires undergo mandatory security onboarding (password hygiene, device security, phishing awareness). |
Breach Notification:
In the event of a personal data breach, we will activate our Incident Response Plan, assess and contain the incident, and, if required by law, notify affected individuals and applicable supervisory authorities “without undue delay,” and in any case within 72 hours of discovery.
6. Who Has Access to Your Data? / Third-Party Processors
We share personal data only with those who need it to perform their designated roles and only to the extent necessary. Internal access is strictly controlled; third-party processors are contractually obligated to maintain appropriate safeguards.
Internal Access
- Authorized Personnel Only:
  - Access to client-related systems is restricted to employees whose roles require it (e.g., Business Development, Operations, Compliance, Legal).
  - All access is governed by role-based permissions and MFA.
  - Access events are logged for audit purposes.
- Need-to-Know Principle:
  - No employee can view or process personal data beyond what is necessary for their specific task.
  - Separation of duties ensures that no single individual has unrestricted access to all data.
Third-Party Processors
We use only GDPR- and CH-DSG-compliant processors. All processors are bound by Data Processing Addenda (including Standard Contractual Clauses) and subject to periodic reviews. Below is a generic overview—specific provider names are omitted to reduce security exposure.
Processor Category | Data Processed | Location & Safeguards | Purpose |
CRM & Business-Development Platform | • Contact-person and company data (see Section 3: CRM & Business Development) | • Hosted exclusively in GDPR-compliant data centers (EU). • Processor holds ISO 27001 and SOC 2/3 certifications. • Access via MFA, RBAC. | • Host and manage B2B contact records. • Enable lead tracking, outreach, and follow-up. |
E-Signature & Contract Management | • Contract metadata (name, version, execution date) • Signatory data (name, email, electronic signature, IP, timestamp) • Contract content (terms, schedules) | • Hosted in GDPR-compliant regions (EU or equivalent). • Processor’s infrastructure holds recognized security certifications. • MFA, RBAC enforced. | • Facilitate secure digital-signature workflows. • Store and archive executed contracts. |
Identity Verification & KYC/KYB Service | • Government ID scans, proof of address, biometric data (selfie/video) for verification purposes (we receive only a “verified/not verified” result). | • Hosted in GDPR-compliant data centers (EU or equivalent). • Processor holds ISO 27001, SOC 2 certifications. • Minimal data stored locally. | • Perform mandatory identity verification (Swiss AML and equivalent EU regulations). |
Infrastructure & Hosting | • Underlying application hosting, databases, backups (infrastructure-level, not application-specific data). | • Hosted in GDPR-compliant regions (EU). • Infrastructure provider holds ISO 27001, SOC 2 certifications. • Managed security configurations. | • Provide secure infrastructure for hosting applications, databases, and backups. |
Sub-Processors:
We may engage sub-processors under specific circumstances (e.g., data-center providers, email service providers). We maintain an up-to-date list of all sub-processors on an external, publicly accessible webpage (link here), and we notify you of any material changes.
7. Data Subject Rights
Under the CH-DSG and GDPR, you have the following rights. We handle all requests free of charge unless clearly unfounded or excessive.
Right | Description | How to Exercise |
Access | Request confirmation whether we process your data, and if so, obtain a copy and details (processing purposes, recipients, retention, etc.). | Email privacy@darleytechnologies.com or contact your Business Development representative. We respond within 1 month. |
Rectification | Request correction of inaccurate or completion of incomplete personal data. | Same process as “Access.” We may request minimal information to verify your identity before updating. |
Erasure (“Right to be Forgotten”) | Request deletion of your data if no longer needed, consent is withdrawn, you have objected (and no overriding grounds exist), or data were unlawfully processed. | Same as “Access.” We will delete or anonymize data except where legal obligations require retention. |
Restriction of Processing | Request that we restrict processing when accuracy is contested, processing is unlawful, data are not needed but held for legal claims, or you have objected pending review. | Same as “Access.” We may retain restricted data internally for legal defense or to verify your objection. |
Data Portability | Request a machine-readable copy of the data you provided where processing is based on consent or contract. | Same as “Access.” We will provide data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) when feasible. |
Object | Object at any time to processing based on legitimate interest. We will cease processing unless we demonstrate compelling interest that overrides your rights. | Same as “Access.” You may also lodge objections directly with the CRM provider via their designated contact (if applicable). |
Withdraw Consent | Withdraw consent at any time for processing based solely on consent; this does not affect processing prior to withdrawal. | Same as “Access.” Withdrawal does not retroactively render past processing unlawful. |
Complaint | File a complaint if you believe we have not adequately addressed your request or have violated data protection law. | • EU residents: Contact your national Data Protection Authority. • Swiss residents: Contact the Federal Data Protection and Information Commissioner (FDPIC). |
8. Cookies & Tracking
Our website uses cookies and similar technologies solely to the extent necessary for functionality, performance measurement, and (where applicable) user experience enhancements. You can manage or withdraw consent for non-essential categories at any time.
Category | Purpose | Status | Consent |
Necessary | Required for core website functionality (e.g., session management, security). | Always active | Cannot be disabled. |
Analytics & Performance | Collect anonymous, aggregated data on site usage and technical metrics (load times, errors). | Present if enabled | Toggleable in cookie banner; can be withdrawn at any time via banner or browser settings. |
Functional & Advertising | Placeholder for future cookies; currently no active cookies in these categories. | No active cookies | N/A |
Managing Cookies:
You may manage or withdraw consent for Analytics & Performance cookies at any time via our “Cookie Settings” panel or through your browser preferences.
9. Changes to This Privacy Policy
We review this Policy regularly to reflect changes in law, business practices, or technology. When significant updates occur, we will:
- Update the “Last Updated” date at the top of this Policy.
- Publish the revised Policy on our website.
- Notify affected individuals directly if required by law.
Continued use of our services after the “Last Updated” date constitutes acceptance of the updated Policy. If you do not agree, you may exercise your data subject rights or discontinue use.
10. Contact Information
For any inquiries, requests, or concerns regarding this Policy or our personal data practices, please use the following channels:
- Privacy Team: privacy@darleytechnologies.com
- General Inquiries: (contact via your Business Development representative’s email or phone)
- CRM Provider Data Requests: (Email via the CRM provider’s designated contact, if needed)
- Supervisory Authorities:
  - EU residents: Your national Data Protection Authority (e.g., CNIL, BfDI).
  - Swiss residents: Federal Data Protection and Information Commissioner (FDPIC).
We will acknowledge your inquiry within two business days and provide a substantive response within 30 days.
11. Applicable Law & Jurisdiction
- Swiss Law: This Policy is governed by the Swiss Federal Act on Data Protection (FADP/CH-DSG).
- EU Law: To the extent applicable, we also adhere to the EU General Data Protection Regulation (GDPR).
- Jurisdiction: Any dispute arising out of or relating to this Policy is subject to the exclusive jurisdiction of the courts in our Swiss canton of domicile, unless mandatory law provides otherwise for EU data subjects.
Last Updated: June 5, 2025