Data Protection

Privacy policy

With the following information, INYOVA AG ( (hereinafter called Inyova or we) provides customers with an overview of how their personal data is processed by Inyova and their rights under data protection law. What data is processed in detail and how it is used very much depends on the services requested or agreed in each case. Customers are also requested to disclose information to current and future authorised representatives and beneficial owners. These include beneficiaries in the event of death or authorised signatories, for example.

1. Data processing controller

2. Personal data processing

Inyova processes personal data that it receives from its customers in the context of the business relationship. This is the case when customers come into contact with Inyova (e.g. as an interested individual, an applicant or a customer and particularly when customers are interested in Inyova’s products, sign up for online services or contact Yova by email, phone or application, as well as when they use the products and services as part of an active business relationship). In all these cases, Yova collects, stores, uses, transfers or deletes personal data.

To the extent necessary for the provision of the service, Inyova also processes personal data that it has received from other companies, such as Intrum AG, or from other third parties (Inyova’s other service providers) in a permissible manner (e.g. for the execution of orders, for the performance of agreements or based on consent given by customers). On the other hand, Inyova processes personal data that it has permissibly obtained from publicly accessible sources (e.g. land registers, commercial registers and registers of associations, Federal Gazette, press, media, internet) and that it was entitled to process.

In certain cases, Inyova collects personal data from potential customers and interested individuals.

To the extent necessary, Inyova shall also collect personal data from people who have no direct connection with it and who, for example, belong to one of the following groups of people:

• Family members
• Co-applicants
• Legal representatives (authorised signatories)
• Customers’ beneficiaries
• Customers’ beneficial owners
• Shareholders
• Representatives of legal entities
• Employees of service providers or trading partners

2.1. Personal data may be collected, processed and stored during the conclusion and use of products / services.

Inyova processes the following personal data:

• Identity information: E.g. first name and last name, ID card or passport number, nationality, place and date of birth, gender, photograph, IP address
• Contact information: Address, email address and phone number
• Tax information: Tax identification number, tax status
• Banking, financial and transactional data: E.g. bank details (IBAN), money transfers to the Customer’s (safe custody) account, assets, investor profile communicated
• Data on habits and preferences: IP addresses, data concerning the use of Inyova’s products and services in relation to banking, financial and transactional data, data concerning interactions between the Customer and Inyova (visits to Inyova’s website, face-to-face meetings, phone calls, chat histories, email traffic, surveys)
• Data concerning sustainability preferences: Preference for sustainable corporate focuses (handprint), preference for sustainable business practices (footprint), exclusion criteria, excluded companies (blacklist), desirable companies (whitelist)
• Securities transaction: Information about knowledge and/or experience with financial instruments, the Customer’s risk tolerance, information about education and profession (e.g. level of education, occupation, name of the employer, wages, financial situation including the ability to bear losses (assets, liabilities, income, e.g. from employment / self-employment / business; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), specific goals / significant concerns for the future (e.g. planned purchases, redemption of liabilities), marital status and family situation, documentation data (e.g. declarations of suitability)
• Interest rate, currency and liquidity management: Information about knowledge and/or experience with interest rate / currency products / financial investments, investment behaviour / strategy (scope, frequency, risk tolerance), occupation, financial situation (assets, liabilities, income, e.g. from employment / self-employment / business; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), specific goals / significant concerns for the future (e.g. planned purchases, redemption of liabilities), tax information, documentation data (e.g. declarations of suitability)
• Customer contact information: Further personal data (e.g. information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information about participation in direct marketing measures, as well as details of the Customer’s interests and requirements that they have expressed to Inyova shall be generated in the context of the business initiation phase and during the business relationship, particularly through personal, over-the-phone or written contacts, initiated by the Customer or by Inyova
• Audiovisual data: Information from the video identification procedure, recordings of calls

Personal data relating to racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data relating to a natural person’s sex life or sexual orientation shall not be processed by Inyova as a matter of principle, if it is not required for the payment of the church tax or if it is a copy of the identification required by Inyova due to obligations under the Money Laundering Act.

2.2. During visits to our website:

When Inyova’s website is accessed, information is automatically sent to Inyova’s website server by the browser used on the Customer’s terminal device / computer. This information is temporarily stored in what is known as a ‘log file’. The following information is collected without the Customer’s intervention and stored until it is automatically deleted:

• The accessing computer’s (or terminal device’s) IP address
• Date and time of access
• The name and URL of the retrieved file
• The website that access is gained from
• The browser used and (if applicable) the operating system of the computer (or terminal device) used, as well as the name of the Customer’s access provider

2.3. Supplier data

Inyova collects personal data from its suppliers in the course of working with them to ensure a smooth business relationship. Inyova collects the data of the contacts within the organisation (e.g. name, phone number and email address). Inyova also collects bank details so it can make payments to the suppliers.

2.4. Means and purpose of digital data processing on the website

2.4.1. Our website

• Ensuring that a smooth connection is established to the website inyova.ch
• Ensuring that our website is convenient to use
• Evaluating system security and stability, and for other administrative purposes

2.4.2. Cookies

By using cookies, we want to optimise the use of our website www.inyova.ch in terms of user-friendliness, as well as statistically record and evaluate it for the purpose of optimising our range of services for you.

2.4.3. Google Analytics

With the tracking measures used, we want to ensure that our websites are designed to meet our customers’ needs and are continuously optimised, and we also want to provide a statistical evaluation of how our websites are used.

2.4.4. Google conversion tracking

• We use what is known as ‘conversion tracking’ in the context of using the Google Ads service. When you click on an ad placed by Google, a conversion tracking cookie is placed on your computer / terminal device. These cookies shall cease to be valid after 30 days and do not contain any personal data and are therefore not used for personal identification purposes. The information obtained using the conversion cookie is used to compile conversion statistics for Ads customers who have opted to use conversion tracking. User data is processed with pseudonyms as part of Google’s marketing services. This means that Google, for example, does not store and process the user’s name or email address; instead, it processes the relevant data in a cookie-related manner within pseudonymous user profiles. In other words, from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected about users by Google marketing services is transmitted to Google and stored on Google’s servers in the USA.
• The Google marketing services we use include the online advertising program ‘Google Ads’. In particular, we use the remarketing function within the Google Ads service. In the case of Google Ads, each Ads customer receives a different ‘conversion cookie’. Cookies cannot, therefore, be tracked using Ads customers’ websites. The information obtained using the cookie is used to compile conversion statistics for Ads customers who have opted to use conversion tracking. The Ads customers find out the total number of users who clicked on their ad and were forwarded to a page featuring a conversion tracking tag. However, they do not receive any information that can be used to identify users personally.

2.4.4.1. Google Ads customer match

• We use Google Ads Customer Match Lists as part of our Google advertising activities. We only use Google Ads Customer Match with your consent in accordance with Art. 6 Para. 1 a) GDPR. For the use of Customer Match, lists with encrypted user data (e.g. names, e-mail addresses, addresses, customer-specific identifiers) are uploaded to Google. Google then compares whether the transmitted user data matches existing Google customers. This in turn can be used to create target groups that can be used to control ads/campaigns. After the customer match lists have been created, the encrypted customer data is automatically deleted. This does not give the providers new addresses.
• The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as the processor. We have signed an order processing contract with Google for this purpose. Google LLC based in California, USA, and possibly US authorities can access the data stored by Google.
• You can object to the use, processing and transmission of this data for marketing purposes at any time by sending an informal message by post or email.

2.4.5. Facebook pixel

• Inyova uses the ‘Facebook pixel’ of the social network ‘Facebook’, 1601 South California Avenue, Palo Alto, CA 94304, USA, within its website. What are known as ‘tracking pixels’ are integrated on the web pages. When you visit our site, a direct connection is established between your browser and the Facebook server by means of the tracking pixel. Facebook thereby receives the information from your browser that our site was called up from your terminal device (to name but one example). If you are a Facebook user, Facebook can assign your visit to our site to your user account. We would like to point out that we as the operators of this website are not aware of the content of the data transmitted or the purposes for which it is used by Facebook. We can only choose what segments of Facebook users (such as age, interests) to display our ads to. By accessing the pixel from your browser, Facebook can also see whether a Facebook ad was successful, e.g. led to an online agreement. This allows us to track the effectiveness of Facebook ads for statistical and market research purposes.
• Please click here if you do not wish to have data collected using the Facebook pixel: https://www.facebook.com/settings?tab=ads#_=_. Alternatively, you can disable the Facebook pixel on the Digital Advertising Alliance site at the following link: http://www.aboutads.info/choices/.

2.4.6. Data processing by LinkedIn Insight Tag

• Our website uses LinkedIn Corporation’s “LinkedIn Insight Tag” conversion tool. This tool creates a cookie in your web browser, which enables the collection of e.g. the following data: IP address, device and browser properties and page events (e.g. page views). This data is encrypted, anonymized within seven days, and the anonymized data is deleted within 90 days.
  With the help of this technology, visitors to this website can be shown personalized advertisements on LinkedIn. It is also possible to create anonymous reports on the performance of the advertisements and information on website interaction. For this purpose, the LinkedIn Insight tag is integrated on this website, which establishes a connection to the LinkedIn server if you visit this website and are logged into your LinkedIn account at the same time.
  LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device and browser properties and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymized). The direct identifiers of LinkedIn members are deleted from LinkedIn after seven days. The remaining pseudonymised data will then be deleted within 90 days.
  The data collected by LinkedIn cannot be associated with specific individuals by us as the website operator. LinkedIn will store the personal data collected from website visitors on its servers in the USA and use it for its own advertising measures. You can find details on this in LinkedIn’s data protection declaration at https://www.linkedin.com/legal/privacy-policy#choices-oblig.
• Legal Basis
  LinkedIn Insight is used on the basis of Article 6 (1) (f) GDPR. The website operator has a legitimate interest in effective advertising measures, including social media. If a corresponding consent was requested (e.g. consent to the storage of cookies), the processing takes place exclusively on the basis of Article 6 (1) (a) GDPR; the consent can be revoked at any time. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.
• Objection to the use of LinkedIn Insight Tag
  You can object to the analysis of usage behavior and targeted advertising by LinkedIn under the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Furthermore, LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To avoid linking data collected on our website through LinkedIn and your LinkedIn account, you must log out of your LinkedIn account before you visit our website.
• Data Processing Agreement
  We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.

3. Purpose of processing and legal basis

Inyova processes the aforementioned personal data in accordance with the provisions set out in the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP):

3.1. For the purpose of fulfilling contractual obligations (Article 6 (1) (b) of the GDPR):

Personal data processing is carried out for the provision of financial services in the context of the performance of Inyova’s agreements with its customers or for the performance of pre-contractual measures taken at the customers’ request. The purposes of data processing primarily depend on the specific product (see Point 2) and may include (among other things) needs analyses, advice, asset management, investment support, and the execution of transactions. Customers can find further details on the purpose of data processing in the relevant contractual documents and terms and conditions.

Inyova processes the personal data of individuals within its suppliers’ organisations so it can obtain services from them. It also stores financial data so that it can pay for its suppliers’ services.

3.2. In the context of balancing of interests (Article 6 (1) (f) of the GDPR):

To the extent necessary, Inyova shall process customer data beyond the actual performance of the agreement to safeguard Inyova’s or third parties’ legitimate interests. Examples:

• Exercising legal claims and defence during legal disputes
• Ensuring Inyova’s IT security and IT operations
• Preventing crime, and particularly preventing fraud
• Conducting video surveillance for safeguarding domiciliary rights, for collecting evidence in the case of robberies and fraud offences
• Measures for building and plant security (e.g. access controls)
• Measures to ensure domiciliary rights
• Measures for business management and further developing services and products
• Ensuring a smooth connection is established to the website
• Ensuring that Inyova’s website is convenient to use
• Evaluating system security and stability, and
• For other administrative purposes

3.3. Based on the Customer’s consent (Article 6 (1) (a) of the GDPR):

Insofar as the Customer has given Inyova consent to process personal data for certain purposes (e.g. transfer of data within the network or to use their data for certain advertising purposes), the lawfulness of this processing is given on based on the consent. Any consent given can be revoked at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected by the same. If Inyova would like to use the Customer’s personal data for purposes other than those mentioned above, Inyova shall inform the Customer accordingly and, if necessary, obtain the Customer’s consent.

3.4. Based on legal requirements (Article 6 (1) (c) of the GDPR) or in the public interest (Article 6 (1) (e) of the GDPR):

As a financial services institution, Inyova is also subject to various legal obligations. This means that legal requirements, as well as banking supervisory requirements, must be met. The purposes of processing include (but are not limited to) verifying identity and age, preventing fraud and money laundering, ensuring compliance with sanctions and embargo provisions, responding to official enquiries from a competent governmental body or judicial authority, abiding by tax law monitoring and reporting obligations, and assessing and managing risks in Inyova.

4. Recipients of personal data belonging to customers

Within Inyova, access to the Customer’s data is granted to those offices that need it to fulfil contractual and legal obligations. Service providers and vicarious agents employed by Inyova may also receive data for these purposes if they comply with banking secrecy and Inyova’s written instructions under data protection law.

With regard to the disclosure of data to recipients outside Inyova, it should first be noted that Inyova is obligated to maintain secrecy about all customer-related facts and evaluations that it becomes aware of.

Inyova may only pass on information about customers if doing so is required by law, if the Customer has given their consent, and if processors commissioned by Inyova guarantee compliance with banking secrecy and the specifications set out in the General Data Protection Regulation / German Federal Data Protection Act in the same way. Under these conditions, recipients of personal data may be (for example):

• Public bodies and institutions if a legal or regulatory obligation exists
• Other credit and financial services institutions, comparable institutions and processors to whom Inyova transfers personal data to carry out the business relationship with the customers. These companies are also legally or contractually obligated to treat personal data with the necessary care
• Brokers
• Service providers who support Inyova, specifically in the following activities: Supporting / maintaining EDP/IT applications, archiving, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, customer management, marketing, reporting, risk controlling, expense reporting, telephony, video identification, securities services, share register, auditing services, payment transactions, preparing tax data and reports
• Service providers who support Inyova, specifically in the following activities: Supporting / maintaining EDP/IT applications, archiving, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, customer management, marketing, reporting, risk controlling, expense reporting, telephony, video identification, securities services, share register, auditing services, payment transactions, preparing tax data and reports
• Members of certain regulated professions such as lawyers, notaries or auditors
• Other data recipients may be those bodies that the customers have given their consent to data transfer for

Note: Under no circumstances shall personal data be sold to third parties.

5. As a rule, data shall not be transferred to a third country or an international organisation

Data is only transferred to countries outside Switzerland or the EU or the EEA (‘third countries’) if doing so is necessary for the execution of the Customer’s orders (e.g. payment and securities orders), if doing so is required by law (e.g. reporting obligations under tax law), if the Customer has given their consent, or within the scope of order processing. If service providers in third countries are engaged, they are obligated to comply with the level of data protection in Europe by agreeing to the EU standard contractual clauses in addition to written instructions. If you require a hard copy of these terms and conditions or information about the availability of the same, you may write to Inyova.

6. Data storage period

Inyova processes and stores personal data belonging to customers for as long as doing so is necessary for the fulfilment of contractual and legal obligations. It should be noted that the business relationship is a continuing obligation that is intended to last for several years. If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless – temporary – further processing is necessary for the following purposes:

• Fulfilment of statutory retention periods. These include obligations arising from the Code of Obligations, the Business Records Ordinance, the Consumer Credit Act, the Anti-Money Laundering Act, the Financial Institutions Act, the Financial Services Act and tax law. The retention and documentation periods stipulated therein range from up to ten years.
• Preservation of evidence under the statute of limitations. The limitation periods may be up to 30 years, with the ordinary limitation period being ten years.

A retention period until the applicant revokes their consent shall apply to applicants with whom an agreement is not subsequently concluded.

7. Protection of personal data

Inyova shall take reasonable and adequate measures that protect stored and processed information from misuse, loss or unauthorised access. Inyova has taken a number of technical and organisational measures for this purpose.

If you suspect that your personal information has been misused, lost or accessed without authorisation, please notify Inyova as soon as possible.

8. Data protection rights under the General Data Protection Regulation

Every data subject has a right of access under Article 15 of the GDPR, a right to rectification under Article 16 of the GDPR, a right to erasure under Article 17 of the GDPR, a right to restriction of processing under Article 18 of the GDPR, a right to object under Article 21 of the GDPR, and the right to data portability under Article 20 of the GDPR.

The right of access includes information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or is being disclosed, the planned duration of storage, the existence of a right to rectification, erasure, restriction of processing, objection or data portability, the existence of a right to lodge a complaint, the origin of your data if it was not collected by Inyova, and the existence of automated decision-making including profiling, as well as any meaningful information regarding details of the same.

The Customer may (at any time) request that incorrect personal data be rectified immediately, or that personal data collected by Inyova be completed.

The Customer may request that their personal data that Inyova stores about them be erased insofar as processing is unnecessary for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for establishing, exercising or defending legal claims. Inyova shall delete this data if none of the cases mentioned above apply. Inyova shall usually also include the Customer’s name in the list of people who do not wish to be contacted. In this way, Inyova minimises the chance that customers will be contacted in the future if their data is collected separately under other circumstances.

Under certain circumstances, the Customer may request that Inyova restrict processing of their personal data. This means that Inyova shall only store the Customer’s data in the future and cannot carry out any further processing activities until: (i) one of the conditions listed below has been cleared, (ii) the Customer has given their consent, or (iii) further processing is necessary to assert, exercise or defend legal claims, to protect the rights of others, or if doing so is necessary due to legitimate public interest of the EU or a Member State. The Customer may request that Inyova restrict processing of their personal data under the following circumstances:

• If the Customer disputes the accuracy of the personal data that Inyova processes about them. In this case, Inyova’s processing of the Customer’s personal data shall be restricted until the accuracy of the data has been verified.
• If the Customer objects to Yova’s processing of their personal data in accordance with Inyova’s legitimate interests. In this case, the Customer may request that the data be restricted while Yova reviews its grounds for processing the Customer’s personal data.
• If Inyova’s processing of the Customer’s data is unlawful, but the Customer prefers to restrict Inyova’s processing instead of having the data deleted.
• When there is no longer a need for Inyova to process the Customer’s personal data, but the Customer needs the data to assert, exercise or defend legal claims.

The Customer may request receipt of their personal data that they provided to Inyova in a structured, commonly used and machine-readable format or transfer to another controller.

If a decision to conclude or perform an agreement has only been made in an automated process (Art. 22 of the GDPR) and this decision has a legal effect on the Customer or the Customer is significantly affected in a similar way, the Customer may request that Inyova carry out a manual review again after they have explained their position to Inyova and requested the manual review. If such a decision is made, Inyova shall also inform the Customer separately of the reason for and the scope and intended effects of such data processing.

The Customer also has a right to lodge a complaint. The Customer may contact the data protection officer in this regard on [email protected]. In addition, the Customer can contact the supervisory authority of their usual place of residence or workplace, or Inyova’s company headquarters for this purpose.

The Customer may revoke their consent to personal data processing at any time. The Customer is informed that their revocation is only effective for the future. Processing that took place before the revocation is not affected by the same. In this regard, please also refer to the separate notice at the end of this privacy policy.

Inyova shall cease the relevant activities when the Customer objects. This shall apply with the exception that Inyova can demonstrate that it has overriding legitimate grounds for processing that override the Customer’s interests or that the data is processed to assert, exercise or defend a legal claim.

9. Obligation to provide data

In the context of the joint business relationship, the Customer must provide such personal data as is required for establishing and performing a business relationship and fulfilling the associated contractual obligations or that Inyova is legally obligated to collect. Without this data, Inyova shall generally have to refuse to conclude the agreement or execute the order, or shall no longer be able to execute an existing agreement and may have to terminate it. In particular, Inyova is obligated under anti-money laundering regulations to identify the Customer before the business relationship is established (e.g. by means of an ID card) and to collect and record the Customer’s name, place of birth, date of birth, nationality, residential address and identification data. For Inyova to be able to comply with this statutory obligation, the Customer must provide Inyova with the necessary information and documents and immediately inform it of any changes arising in the course of the business relationship. If the Customer fails to provide Inyova with the necessary information and documents, Inyova may not enter into or continue the business relationship requested by the Customer.

10. Automated decision-making

As a matter of principle, Inyova does not use fully automated decision-making processes according to Article 22 of the GDPR to establish and implement the business relationship. If Inyova uses these processes in individual cases, customers shall be informed to this effect separately, insofar as is required by law.

11. Profiling

To some extent, Inyova processes customers’ data automatically with the aim of assessing certain personal aspects (profiling). In so doing, Inyova uses profiling in the following case, for example:

Due to legal requirements, Inyova is obligated to combat money laundering and fraud. Data evaluations (e.g. in payment transactions) are also carried out. These measures also serve to protect customers.

12. Modification clause

This privacy policy is currently valid and was last updated in January, 2022. Inyova reserves the right to change this privacy policy from time to time. Please check whether an updated version is available regularly, particularly before using a service. Customers can access and print out the current privacy policy from the website at www.inyova.ch. Inyova shall inform customers of fundamental changes on its website and through the usual communication channels.

Information about your right to object according to Article 21 of the General Data Protection Regulation (GDPR)

1. Individual right to object

You have the right, on grounds relating to your particular situation, to object at any time to processing of the personal data concerning you based on Art. 6 (1) (e) of the GDPR (data processing in the public interest) and Art. 6 (1) (f) of the GDPR (data processing based on balancing of interests); this also applies to profiling under the terms of Art. 4 (4) of the GDPR. If you file an objection, we shall no longer process your personal data unless we can demonstrate compelling and legitimate grounds for processing that override your interests, rights and freedoms, or if processing serves to assert, exercise or defend legal claims.

2. Right to object to data processing for advertising purposes

In individual cases, we process your personal data for the purpose of carrying out direct advertising. You have the right at any time to object to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling if it is in conjunction with such direct advertising. If you object to processing for the purposes of direct advertising, we shall no longer use your personal data for these purposes.

The objection can be made without any formalities and should, if possible, be sent by email to [email protected].