Welcome to our website. If you continue to browse and use this website, you are agreeing to comply with and be bound by the following terms and conditions of use, which govern Swiss FTS AG’s (SFTS) relationship with you in relation to this website. If you disagree with any part of these terms and conditions, please do not use this website.

The purpose of this website is to provide information about our company and services. By the user accessing this website, SFTS does not enter into any contractual relationship with the user. The published tools do not constitute an invitation to submit an offer. The information on this website does not constitute binding decision-making aids or answers to consulting questions, nor should legal or other decisions be made on the basis of this information. Any action taken on the basis of the information on this website is at the sole risk of the user.

The content of this website does not contain any representations or guarantees. SFTS shall in no case, including negligence and liability towards third parties, be liable for any direct, indirect or consequential damages arising as a result of the use of information and material from this website or through access via links to other websites.

The information contained in this website is for general information purposes only. The information is provided by SFTS and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

Every effort is made to keep the website up and running smoothly. However, SFTS takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

This website and its content is copyright of SFTS. All rights reserved. Any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

This Policy establishes and implements the data privacy principles at SFTS. It is based on the General Data Protection Regulation of the European Union (GDPR) and the Swiss Federal Act on Data Protection (FADP).

This Policy is valid for SFTS, and all its employees and contractors have to comply with the principles stated herein.

Different data protection principles apply to different data and this Policy therefore distinguishes between:

• personal data that is collected by SFTS in the course of its business activities from its clients, business partners and employees for which SFTS is the “controller”; and
• personal data that is processed by SFTS on behalf of its clients for which SFTS is the “processor”.

With regards to sections 6.2 to 6.5 below, any request from any data subject must be forwarded immediately to SFTS’ Data Protection Officer (DPO) who will determine with the Management how to respond to it and will take the necessary actions. No communication should be made by any SFTS employee in regards to these requests without the involvement of the DPO and the Management.

Personal data refers to any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

When acting as a Controller, the contact details for SFTS are:

Swiss FTS AG
Europa-Strasse 19
8152 Glattbrugg
Telephone +41 43 266 78 50

You have the right to lodge a complaint with a supervisory authority. If you have any questions, comments or inquiries regarding the collection, processing, and use of your personal data by us, please contact dpo@swiss-fts.com.

SFTS maintains the appropriate levels of information security and controls on personal data by maintaining the following principles:

• Personal data is processed lawfully, fairly and in a transparent manner towards data subjects.
• Personal data may only be processed according to the specified, explicit and legitimate purposes indicated at the time of collection or that is provided for by law, and not further processed in a manner that is incompatible with those purposes.
• If the consent of the data subject is required for the processing of personal data, such consent is given voluntarily on the provision of adequate information. Consent can be withdrawn at any time.
• Personal data collection is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
• Personal data is accurate and kept up to date.
• Personal data is kept for no longer than is necessary for the purposes for which it is processed.
• Personal data is processed in a manner that ensures appropriate security, using technical and organisational measures.

All employees of SFTS have a responsibility to protect all personal data to which they may have access in the course of their work.

Managers, employees, information owners and relevant professional specialists are responsible for working together with information users to develop, implement, monitor and review the components of data protection.

A data subject can request access to his or her personal data as well as request information about the ways in which his or her personal data has been or may have been used or disclosed, as well as on the envisaged period for which it will be stored.

A data subject shall have the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller when provided for by law. The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Any request to access must be forwarded immediately to SFTS' DPO who will determine with the Management how to respond to it and will take the necessary actions. No communication should be made by any SFTS employee in regards to the request without the involvement of SFTS DPO and Management.

Anyone who processes personal data has to make reasonable efforts to ensure that personal data is accurate and complete. He must take all reasonable measures to ensure that data that is incorrect or incomplete in view of the purpose of its collection is either corrected or destroyed.

Any data subject may request that incorrect data is corrected.

Any request for correction must be immediately forwarded to SFTS’ DPO who will determine with the Management how to respond to it and will take the necessary actions. No communication should be made by any SFTS employee in regards to the request without the involvement of SFTS's DPO and Management.

A data subject can request erasure of his or her personal data, as provided for by law.

Any request for erasure must be forwarded immediately to SFTS’ DPO who will determine with the Management how to respond to it and will take the necessary actions. No communication should be made by any SFTS employee in regards to the request without the involvement of SFTS' DPO and Management.

A data subject can request restriction of processing, or object to the processing of his or her personal data, as provided for by law.

Any request for restriction or objection must be forwarded immediately to SFTS’ DPO who will determine with the Management how to respond to it and will take the necessary actions. No communication should be made by any SFTS employee in regards to the request without the involvement of SFTS' DPO and Management.

Personal data may not be transferred abroad without the existence of an adequacy decision for the country, the existence of appropriate safeguards and enforceable data subjects rights and legal remedies, the existence of explicit consent by the data subject, given after having been informed of the possible risks of such transfers, or the existence of another specific situation permitted by law.

For the avoidance of doubt, any request for cross-border disclosure of data processed by SFTS as a controller must be referred to the DPO of SFTS and is only allowed after written approval has been obtained from SFTS Management. Any request for cross-border disclosure of data processed by SFTS as a processor must be verified and approved by the client in writing.

SFTS maintains records of personal data processing activities for data processed as controller and as processor. These records are reviewed and updated regularly. They are audited at least yearly and approved by SFTS Management.

Where a type of processing to be conducted by SFTS as a controller, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, SFTS shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (DPIA). A single DPIA may address a set of similar processing operations that present similar high risks.

These DPIAs are reviewed and updated regularly. They are audited at least yearly and approved by SFTS Management.

In the course of its business activities, SFTS may collect, use or disclose personal data from its business partners, clients and employees in order to offer its services to business partners and clients, or for human ressources, accounting or law compliance purposes. The collection, use and disclosure of such personal data is communicated through the current Data Protection Policy, SFTS’ General Terms and Conditions and other specific policies for the usage of some tools and software as the case may be.

As part of its services offering, SFTS processes data as processor, on behalf and as instructed by its clients. Such processing involves data that has not been collected by SFTS, but by its clients, as controllers. As such, the clients are the owners of this data and responsible to comply with their obligations under the applicable data protection laws. SFTS’s role is limited to the processing of this data as agreed in the respective Client Engagement Letter, Data Protection Agreement and General Terms and Conditions, or other contract entered into between SFTS and the client.

When data is processed by SFTS acting as a processor:

• Personal data is processed in a manner ensuring appropriate security, legal requirements and protection of the rights of the data subjects, using appropriate technical and organisational measures
• SFTS shall not engage another processor without prior written authorisation of the controller.
• Processing for the controller shall be governed by a written contract that sets out the details required by law.
• SFTS shall not process the data except on instructions from the controller, unless required to do so by law.

Should SFTS receive requests from data subjects, it will forward these to the client so that they can directly reply to the data subject. Upon request from the client, SFTS shall reasonably support the client to respond to the data subjects’ requests on the data held with SFTS against payment of the working hours involved.

SFTS makes reasonable security arrangements through adequate technical and organizational measures to protect the personal data that it possesses or controls to prevent unauthorized access and unlawful processing, collection, use or disclosure, and accidental loss, destruction, damage or similar risks.

Personal data protection is evaluated and implemented by design and by default by SFTS.

The Data Protection Officer (DPO) advises the company on the implementation of the necessary steps to comply with applicable data protection laws and acts as first point of contact for all enquiries from employees, clients, business partners and government agencies with regards to data protection matters. The DPO shall train all employees to ensure compliance with this Policy.

The DPO of SFTS can be contacted via dpo@swiss-fts.com.

The DPO shall use best endeavours to respond to the requests from data subjects without undue delay and in any event within one month. That period may be extended by two further months where necessary, provided that the data subject is informed of the reasons for the extension. If it is decided that the request cannot be granted, the data subject is advised of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

If the DPO has reasonable doubts concerning the identity of the natural person making the request, SFTS may request the provision of additional information necessary to confirm the identity of the data subject.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Any possible breach has to be reported immediately as an incident.

When acting as a controller, SFTS shall notify the competent authority within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, and depending on the scale and severity of a breach, a notification of the data subjects may be necessary.

When acting as processor, SFTS shall notify the controller without undue delay after becoming aware of a personal data breach.

Procedures and guidelines to achieve the above are in place and will be introduced where necessary. They are reviewed and adjusted (if necessary) on a regular basis to ensure their actuality and accuracy. Regular meetings are in place with SFTS Management and Information Security Management System manager.

We take data protection very seriously. In principle, you can use our website without having to enter any personal details. However, if you would like to make use of our services via our website, it may be necessary to process personal data. Personal data is any information relating to an identified or identifiable natural person. This includes information about your use of our website and the contact form, whereby the following data is collected by using log files and cookies: scope of data transfer, the location from which you retrieve data from our website as well as other connection data and sources that you retrieve. If personal data needs to be processed and no legal basis for such processing exists, we will seek your consent. Detailed information on the subject of data protection can be found in our privacy policy below this text.

Personal data is always processed in line with the European General Data Protection Regulation (GDPR) and in accordance with the Swiss Federal Act on Data Protection (FADP) that is additionally applicable to us.

As the party responsible for the personal data processed via this website, we have implemented a large number of organisational and technical measures to ensure the most comprehensive protection possible. Nevertheless, gaps in security may fundamentally arise when transferring data on the Internet, which means that absolute protection cannot be guaranteed. For this reason, you are also free to send us personal data via alternative methods, such as by post or telephone.

References and links to third-party websites lie outside our scope of responsibility. No liability of any kind is assumed for such websites. Users access and use such websites at their own risk. Likewise, we have no knowledge of their data protection.

All information you submit to us will be stored on servers in Switzerland. As mentioned above, the transmission of information over the Internet is not completely secure, which is why we cannot warrant or guarantee the security of data transmitted to our website via the Internet. However, we secure our website and other systems through technical and organizational measures against loss, destruction, access, modification, and dissemination of your information by unauthorized persons. In particular, this site uses SSL or TLS encryption for security purposes and to protect the transmission of sensitive content, such as requests that you submit to us. An encrypted connection is indicated by the fact that the address bar of the browser changes from “http: //” to "https: //.” You will also see a lock icon in your browser bar. If SSL or TLS encryption is enabled, the data you submit to us cannot be read by third parties.

This website uses third-party services. The applications of these third-party providers on this website collect data and we do not have any influence over the data use by these third-party providers or transmission to third parties. By using this website, you consent to the collection and processing of data about you by third parties in the manner described here. If you do not agree, you have several options for partially preventing third-party data collection:

• You can block all unwanted JavaScript applications (Google Analytics, social media plug-ins and other applications) using the Ghostery browser add-on to protect your digital privacy. However, we would like to point out that system information and personal data can still be recorded and transmitted in other ways.
• You can disable JavaScript in your browser settings. However, you will then be unable to use any JavaScript-based functions. The website could be limited or not functional at all.

We hereby expressly object to the use of published contact information in the context of the imprint obligation to sending us unsolicited advertising and information materials. We expressly reserve the right to take legal action in the event of unsolicited promotional information, such as spam emails.

We reserve the right to change this Privacy Policy at any time with future effect. A current version is always available on the website. Please visit the website regularly to find out about the applicable Privacy Policy.

Domains

Our website includes the following domains:

• Top-level domain: swiss-fts.com

The following information refers to and applies to the domains mentioned above.

Hosting

We utilize third-party hosting services to provide infrastructure and platform services, database services, computing capacity, security and storage space, as well as technical maintenance services to operate our online services.

We process, or our hosting provider processes on our behalf, the following: inventory data, content data, usage data as well as meta and communication data of customers, prospects, and visitors of this website.

The hosting-partner is Metanet.ch

Basis for data processing
The basis for data processing is Article 6 (1) lit. b GDPR, which allows us to process data in order to fulfill a contract or precontractual requirements.

Cookies

The Internet pages partly use cookies. Cookies do not harm your computer and do not contain viruses. Cookies serve to make our website more user-friendly, effective, and secure. Cookies are small text files that are installed on your computer and stored by your browser. By using cookies, we can provide you with more user-friendly services that would not be possible without cookies. Cookies enable us to recognize you on our website. The purpose of this recognition is to facilitate the use of our website. The cookies are not assigned to your name, IP address or similar data.

Most of the cookies we use are “session cookies.” They are automatically deleted after your visit. Other cookies remain stored on your device until you delete them. These cookies allow us to recognize your browser the next time you visit.

You can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or in general, and enable the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.

Legal basis
Cookies that are required to carry out the electronic communication process are stored on the basis of Article 6 (1) lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically correct and optimized provision of its services. If other cookies (such as cookies for the analysis of your surfing behavior) are stored, they will be addressed separately in this Privacy Policy.

Server log files

The provider of the website automatically collects and stores information in server log files, which your browser automatically transmits to us. These are:

• browser type and browser version,
• used operating system,
• referrer URL,
• host name of the accessing computer,
• time of the server request,
• IP address

as well as other similar data and information used in the event of attacks on our information technology systems. We draw no conclusions about the users’ identity when using this general data and information. Rather, this information is needed to

• deliver the contents of our website correctly,
• optimize the content of our website as well as the advertising for it,
• ensure the permanent functioning of our information technology systems and the technology of our website, and
• provide law enforcement with the necessary information for prosecution in the event of a cyberattack.

We therefore statistically and further evaluate this anonymously collected data and information with the aim of increasing data protection and data security in our company in order to ultimately ensure the best possible level of protection for the personal data we process. The anonymous data of the server log files is stored separately from any personal data provided by you.

Legal basis
The basis for data processing is Article 6 (1) lit. b GDPR, which allows us to process data in order to fulfill a contract or precontractual requirements.

Contact / contact form

You have the option to contact us (such as via contact form, email, telephone or social media channels). When you contact us, your data will be processed to handle the contact inquiry. Your information may be stored in our system. Which personal data is transmitted in this case depends on the respective input form that is used for the establishment of contact or the data additionally transmitted to us by you. The personal data you enter is collected and stored solely for internal use and for our own purposes. We may transfer the data to one or more processors who also use the personal information solely for internal use on our behalf.

When you access our website, your IP address assigned by the Internet Service Provider (ISP) as well as the date and time of registration will be stored. This data is stored since it is the only way to prevent the misuse of our services and this data can be used, if necessary, to investigate committed offenses. In this respect, the storage of this data is required for our security. This data is generally not disclosed to third parties unless there is a legal obligation to do so or its disclosure served enforcement of the law.

Legal basis
The basis for data processing is Article 6 (1) lit. b GDPR, which allows us to process data in order to fulfill a contract or precontractual requirements.

Deletion of the data
The data entered by you in the contact form will be retained by us until you ask us to erase it, revoke your consent to the storage of this data, or the purpose for the data storage is no longer applicable (such as after completion of your request). Mandatory statutory provisions, in particular retention periods, remain unaffected.

Website analysis with PiwikPro

SFTS has integrated the Piwik PRO Core component on this website. The operating company of Piwik PRO is: Piwik PRO Group, to which Piwik PRO Sp. z o.o. (ul. Św. Antoniego 2/4, 50-073 Wrocław, Poland), Piwik PRO GmbH (Lina-Bommer-Weg 6, 51149 Cologne, Germany) and Piwik PRO LLC (222 Broadway, New York 10038, USA) belong.

Piwik PRO Core collects data about website visitors based on cookies, IP numbers and so-called browser fingerprints; it creates user profiles based on browsing history and calculates metrics related to website usage, such as bounce rate, intensity of visits, page views, etc. SFTS has implemented IP addresses masking, which anonymize IP addresses before saving them, so that nobody ever sees the full addresses. SFTS uses a consent manager instance ensuring that data is collected only for the website visitors who consented to the collection.

Data collected with Piwik PRO Core is stored in cloud hosting based in Germany. The data is stored for a period of 14 months. SFTS does not send collected data to other sub-processors or third parties. The purpose of data processing (analysis and conversion tracking) is based on your consent (Art. 6 (1) lit. a) GDPR).

Further information and the applicable privacy policy of Piwik can be found at: Piwik PRO privacy policy - Piwik PRO and PIWIK PRO DATA PROCESSING AGREEMENT - Piwik PRO.

Use of social media

We use various websites within social networks and platforms (such as Facebook, Instagram, X (Twitter), XING, LinkedIn, etc.) in order to communicate with the users and customers active there, and to inform about our services and products. When you visit a corresponding network or platform, the business relations and privacy policies of each operator apply. Accordingly, we process your data or the data of the users, as long as you or other users communicate with us within the social networks and platforms, for example, by writing articles for our website or sending us messages.

X (Twitter) “share” button

On this website, it is possible to share contents with others via the X social network, provided by X Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. A new browser window is opened with the X site when you use this function. The protection of your personal data is very important to us. The X “share” button on our website is therefore not a plug-in. We only use an HTML link to incorporate the “share” button as a graphic on our website. When you visit our website, you are not automatically connected with the X server. Data is only transferred to X if you actively use the “share” button.

X’s privacy policy
Information on the handling of the transferred data can be found in X’s privacy policy.

Legal basis
The distribution of our contents and offers via X constitutes a legitimate interest on the basis of Art. 6 para. 1 lit. f GDPR.

LinkedIn “share” button

On this website, it is possible to share contents with others via the LinkedIn social network, provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. A new browser window with the LinkedIn site is opened when you use this function. The protection of your personal data is very important to us. The LinkedIn “share” button on our website is therefore not a plug-in. We only use an HTML link to incorporate the “share” button as a graphic on our website. When you visit our website, you are not automatically connected with the LinkedIn server. Data is only transferred to LinkedIn if you actively use the “share” button.

LinkedIn’s privacy policy
Information on the handling of the transferred data can be found in LinkedIn’s privacy policy.

Legal basis
The distribution of our contents and offers via LinkedIn constitutes a legitimate interest on the basis of Art. 6 para. 1 lit. f GDPR.

Xing “share” button

On this website, it is possible to share contents with others via the Xing social network, provided by New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany. A new browser window with the Xing site is opened when you use this function. The protection of your personal data is very important to us. The Xing “share” button on our website is therefore not a plug-in. We only use an HTML link to incorporate the “share” button as a graphic on our website. When you visit our website, you are not automatically connected with the Xing server. Data is only transferred to Xing if you actively use the “share” button.

Xing’s privacy policy
Information on the handling of the transferred data can be found in Xing’s privacy policy.

Legal basis
The distribution of our contents and offers via Xing constitutes a legitimate interest on the basis of Art. 6 para. 1 lit. f GDPR.

The information contained in emails sent to or received from SFTS may be confidential and may be legally privileged. If you are not the intended recipient, please contact SFTS immediately and delete any copies of the message. Any unauthorized copying of the messages, or unauthorized distribution or use of the information contained therein is prohibited. Although the messages and any attachments are believed to be free of any virus or other malware that may affect any computer system into which they are received and opened, it is the responsibility of the recipient to ensure that it is the case, and no responsibility is accepted by SFTS for any loss or damage arising in any way from their use.

We strongly recommend never sending sensitive information by email without encryption. Contact us to use our secure transfer portal.

This document is valid as of 17 June 2025.

This document is reviewed and, if necessary, updated at least once a year.