Scope
This Policy applies to:
By engaging with our services or merely browsing our platforms you acknowledge and agree that we will collect, use, and safeguard your personal data as described in this Policy.
Data Controller
Darley Technologies AG, with registration number CHE-148.754.173
Privacy Contact
Email: privacy@darleytechnologies.com
For any questions, requests, or concerns about this Policy or our handling of personal data, please contact us at the above address. We will acknowledge receipt within two business days and provide a substantive response within 30 days.
We collect only the personal data strictly necessary for onboarding, regulatory compliance, transaction execution, risk management, communications, and business development. The table below summarizes each category, example data points, purposes, and general retention periods.
| Data Category | Example Data Collected | Purpose | Retention |
| Identification & Contact | • Full name • Address (residential or business) • Email address • Telephone number | • Establish and maintain client relationships • Service-related communication (notifications, support) | Client relationship + 10 years. Meets Swiss AML requirements (Art. 3 (3) GWG) and bookkeeping/archive obligations (OR 958 ff.). |
| KYC & KYB Documentation | • Government ID scans (passport/ID) • Proof of address (utility bill) • Biometric data (selfie/video, for verification only) • Corporate registration documents | • Verify identity, beneficial ownership, and legal standing • Fulfill Swiss AML and equivalent EU requirements | At least 10 years. Per Swiss AML legislation and, where applicable, EU regulations. |
| Financial & Transaction Data | • Bank account details (IBAN or equivalent) • Crypto wallet addresses • Trade history, confirmations, settlement records | • Facilitate, record, and settle crypto-derivative trades • Monitor risk controls and support regulatory audits | At least 10 years. To satisfy bookkeeping (OR 958 ff.) and AML/audit requirements (GWG). |
| Communication & Contracts | • Email and messaging logs (general correspondence; core trade-execution logs stored separately) • Contract metadata (name, version, execution date) • Signatory data (name, email, electronic signature, IP, timestamp) • Contract content (terms, schedules) | • Manage and enforce client agreements • Support digital-signature workflows via a secure e-signature service • Comply with legal archiving obligations | • Business-relevant email/messaging: 10 years after last relevant communication (e.g. emails or chats about offers, payments, contracts) • Technical SMTP/system logs (transport-level): 1–2 years if no business relevance • Contract records (metadata + content): 10 years (per OR 957 ff. and GWG) |
| CRM & Business Development | Contact Person Data (leads): • Company, job title, country, city • Corporate email address, domain • Telephone numbers (e.g., WhatsApp/Telegram) • Social profile links (LinkedIn, X) • Generic email logs (no trade details) Company Data (leads): • Company name, website, address • Corporate email, phone | • Track and follow up on leads/prospects (intro calls, meeting requests, information sharing) | • Leads without conversion: Up to 2 years after last qualifying interaction (e.g. last email exchange, meeting), then deleted or anonymized if no relationship materializes • Leads that convert to clients: Client relationship + 10 years if KYC-relevant; otherwise client relationship + 2 years documented retention |
Notes:
We process personal data solely for specific, legitimate purposes. The table below maps each purpose to the relevant data categories (as defined in Section 3).
| Purpose | Relevant Data Categories |
| Client Identification & Compliance | • Identification & Contact • KYC & KYB Documentation |
| Transaction Execution & Management | • Financial & Transaction Data |
| Contract Administration | • Communication & Contracts |
| Risk Management | • Financial & Transaction Data • KYC & KYB Documentation |
| Communication & Support | • Identification & Contact • Communication & Contracts |
| Business Development (CRM) | • CRM & Business Development |
| Data Transfers & Privacy-by-Design | • (Overarching internal safeguards for all data categories when transferring personal data outside the EU/Switzerland) |
| Incident Response & Breach Notification | • (Overarching internal monitoring logs and response procedures for all data categories) |
Notes:
We implement appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, misuse, alteration, or disclosure. The following is a high-level overview of our key controls.
| Security Control | Description |
| Encryption | • All data in transit is encrypted using industry-standard protocols (e.g., TLS 1.2+). • Sensitive data at rest (including backups) is encrypted using industry-standard methods. |
| Access Controls | • Access to personal data is granted strictly on a “need-to-know” basis via role-based permissions. • Multi-Factor Authentication (MFA) is enforced for all user accounts. |
| Backups & Immutable Storage | • Regular backups are stored in Write-Once, Read-Many (WORM) archives, preventing post-write modifications. • Backups are encrypted and held in secure, access-controlled facilities. |
| Security Audits & Testing | • We conduct regular internal security assessments (e.g., penetration tests, vulnerability scans). • We review third-party processor certifications (ISO 27001, SOC 2/3). |
| Incident Response & Monitoring | • We maintain a documented Incident Response Plan outlining detection, containment, remediation, and notification steps. • Security logs (e.g., access logs, system events) are monitored and retained for at least 12 months. |
| Personnel Training & Awareness | • All staff receive annual data protection and security training. • New hires undergo mandatory security onboarding (password hygiene, device security, phishing awareness). |
Breach Notification:
In the event of a personal data breach, we will activate our Incident Response Plan, assess and contain the incident, and, if required by law, notify affected individuals and applicable supervisory authorities “without undue delay,” and in any case within 72 hours of discovery.
We share personal data only with those who need it to perform their designated roles and only to the extent necessary. Internal access is strictly controlled; third-party processors are contractually obligated to maintain appropriate safeguards.
Internal Access
Third-Party Processors
We use only GDPR- and CH-DSG-compliant processors. All processors are bound by Data Processing Addenda (including Standard Contractual Clauses) and subject to periodic reviews. Below is a generic overview—specific provider names are omitted to reduce security exposure.
| Processor Category | Data Processed | Location & Safeguards | Purpose |
| CRM & Business-Development Platform | • Contact-person and company data (see Section 3: CRM & Business Development) | • Hosted exclusively in GDPR-compliant data centers (EU). • Processor holds ISO 27001 and SOC 2/3 certifications. • Access via MFA, RBAC. | • Host and manage B2B contact records. • Enable lead tracking, outreach, and follow-up. |
| E-Signature & Contract Management | • Contract metadata (name, version, execution date) • Signatory data (name, email, electronic signature, IP, timestamp) • Contract content (terms, schedules) | • Hosted in GDPR-compliant regions (EU or equivalent). • Processor’s infrastructure holds recognized security certifications. • MFA, RBAC enforced. | • Facilitate secure digital-signature workflows. • Store and archive executed contracts. |
| Identity Verification & KYC/KYB Service | • Government ID scans, proof of address, biometric data (selfie/video) for verification purposes (we receive only a “verified/not verified” result). | • Hosted in GDPR-compliant data centers (EU or equivalent). • Processor holds ISO 27001, SOC 2 certifications. • Minimal data stored locally. | • Perform mandatory identity verification (Swiss AML and equivalent EU regulations). |
| Infrastructure & Hosting | • Underlying application hosting, databases, backups (infrastructure-level, not application-specific data). | • Hosted in GDPR-compliant regions (EU). • Infrastructure provider holds ISO 27001, SOC 2 certifications. • Managed security configurations. | • Provide secure infrastructure for hosting applications, databases, and backups. |
Sub-Processors:
We may engage sub-processors under specific circumstances (e.g., data-center providers, email service providers). We maintain an up-to-date list of all sub-processors on an external, publicly accessible webpage (link here), and we notify you of any material changes.
Under the CH-DSG and GDPR, you have the following rights. We handle all requests free of charge unless clearly unfounded or excessive.
| Right | Description | How to Exercise |
| Access | Request confirmation whether we process your data, and if so, obtain a copy and details (processing purposes, recipients, retention, etc.). | Email privacy@darleytechnologies.com or contact your Business Development representative. We respond within 1 month. |
| Rectification | Request correction of inaccurate or completion of incomplete personal data. | Same process as “Access.” We may request minimal information to verify your identity before updating. |
| Erasure (“Right to be Forgotten”) | Request deletion of your data if no longer needed, consent is withdrawn, you have objected (and no overriding grounds exist), or data were unlawfully processed. | Same as “Access.” We will delete or anonymize data except where legal obligations require retention. |
| Restriction of Processing | Request that we restrict processing when accuracy is contested, processing is unlawful, data are not needed but held for legal claims, or you have objected pending review. | Same as “Access.” We may retain restricted data internally for legal defense or to verify your objection. |
| Data Portability | Request a machine-readable copy of the data you provided where processing is based on consent or contract. | Same as “Access.” We will provide data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) when feasible. |
| Object | Object at any time to processing based on legitimate interest. We will cease processing unless we demonstrate compelling interest that overrides your rights. | Same as “Access.” You may also lodge objections directly with the CRM provider via their designated contact (if applicable). |
| Withdraw Consent | Withdraw consent at any time for processing based solely on consent; this does not affect processing prior to withdrawal. | Same as “Access.” Withdrawal does not retroactively render past processing unlawful. |
| Complaint | File a complaint if you believe we have not adequately addressed your request or have violated data protection law. | • EU residents: Contact your national Data Protection Authority. • Swiss residents: Contact the Federal Data Protection and Information Commissioner (FDPIC). |
Our website uses cookies and similar technologies solely to the extent necessary for functionality, performance measurement, and (where applicable) user experience enhancements. You can manage or withdraw consent for non-essential categories at any time.
| Category | Purpose | Status | Consent |
| Necessary | Required for core website functionality (e.g., session management, security). | Always active | Cannot be disabled. |
| Analytics & Performance | Collect anonymous, aggregated data on site usage and technical metrics (load times, errors). | Present if enabled | Toggleable in cookie banner; can be withdrawn at any time via banner or browser settings. |
| Functional & Advertising | Placeholder for future cookies; currently no active cookies in these categories. | No active cookies | N/A |
Managing Cookies:
You may manage or withdraw consent for Analytics & Performance cookies at any time via our “Cookie Settings” panel or through your browser preferences.
We review this Policy regularly to reflect changes in law, business practices, or technology. When significant updates occur, we will:
Continued use of our services after the “Last Updated” date constitutes acceptance of the updated Policy. If you do not agree, you may exercise your data subject rights or discontinue use.
For any inquiries, requests, or concerns regarding this Policy or our personal data practices, please use the following channels:
We will acknowledge your inquiry within two business days and provide a substantive response within 30 days.
Last Updated: June 5, 2025