With this privacy policy, White Peaks Capital GmbH ("we" or "WPC") informs how we collect, use and share your personal data when you use our Services. "Services" refers to all of our products and services (e.g. website).

1. Who is responsible for processing my personal data and whom can I contact?

White Peaks Capital GmbH
Dufourstrasse 179
8008 Zurich
Switzerland
contact@whitepeakscapital.com

2. What personal data do we process about you?

We primarily process personal data that we receive from our business partners, customers and other individuals in the course of our business relationship with them, or that we collect from users when operating our website and other applications.

We only process the personal data necessary to provide our Services, namely the following categories:

• Personal details: in particular first name and surname, telephone number and/or e-mail address that we obtain from business partners as well as other individuals in the context of our business relationships with them;
• Contract data: in particular information about contracts and the Services to be provided, data from the run-up to the conclusion of a contract, the information required or used for processing Services and information about reactions;
• Communication data: in particular, preferred communication channel, correspondence with us (including records of communication);
• Data in connection with the use of our Services, server protocol(whereby this is mostly non-personal data): in particular connection data, IP address and other identifiers (e.g. MAC address of the smartphone or computer, data from cookies and similar technologies), date and time of the visit to our Service, duration of the visit to the Service, requested Internet address (Uniform Resource Locator, URL), referrer URL (i.e. the internet address of the website from which you have reached our website, if applicable with the search word used), browser type and version, operating system used, amount of data sent in bytes, geolocation data;

3. From whom do we receive your personal data?

We receive personal data from:

• Direct Sources: Generally, we process Personal Data that we receive directly from you, such as in the course of our business relationship, use of the Services, or in direct communications via email, telephone or other means.
• Indirect Sources: In certain cases, we may collect personal information indirectly. This happens namely when someone else (e.g. a friend of yours) recommends you to us. In addition, we may purchase supplemental information from data sources (e.g. data bases). We may obtain personal data from publicly accessible sources (e.g. from commercial and association registers, the press, the internet). In individual cases, it is possible that personal data is derived from the combination of various non-personal data.

4. On what legal basis and for what purposes do we process your personal data?

We process personal data in accordance with the provisions of the Swiss Data Protection Act (DPA), the revised Swiss Data Protection (revDPA) and the General Data Protection Regulation of the European Union (GDPR):

4.1 For the performance of the contract

We process personal data in direct connection with the conclusion and execution of contracts. The purposes of data processing are primarily determined by the specific Service. The relevant additional data protection information, in particular the specific processing purposes, can be found in the respective contractual documents, terms and conditions or conditions of participation.

4.2 To comply with legal obligations

We process personal data where there is a legal or regulatory obligation to do so. Processing purposes include namely:

• Document compliance with certain legal and regulatory requirements;
• Participation in investigations and proceedings, cooperation with and response to inquiries from government agencies and courts

4.3 Based on your consent

If you have given us your consent for certain processing purposes, this forms the legal basis of the processing.

4.4 In order to safeguard legitimate interests

We process personal data where this is necessary to protect legitimate private interests of us or of third parties, or to protect legitimate public interests. Examples:

• Ensuring IT security and IT operations: in particular troubleshooting, operation and further development of our IT systems and our Services, identity checks;
• Quality control: in particular, preparing reports on users, transactions, activities, Services and other business aspects of ours for corporate management and development, compiling statistics, budgets, records and management information, organizing business operations, project management, re-search, development and enhancement of Services;
• Advertising: in particular web analysis and tracking (e.g. by means of cookies), tracking customer activities, improving our visibility, publicizing the content of our Services;
• Ensuring compliance: in particular, checking compliance with internal rules of ours;
• Carrying out corporate transactions: in particular the sale or purchase of business units, companies or parts of companies and the associated transfer of personal data;
• Dealing with legal disputes: in particular assertion of legal claims and defence;
• Self-protection and protection of third parties: in particular, protection of third parties and our employees, our data, business secrets and assets;
• Prevention and detection of crime: in particular, abuse prevention, collection of evidence in offences

5. Cookies, etc.: What technological means do we use for data processing?

We use cookies and similar technologies that allow us to store or access information stored on your device. This allows us to better understand user behavior, e.g. to provide our Services in a technically errorfree, secure, user-friendly and demand-oriented manner:

• Cookies: These are small text files that are stored in the cookie file on your computer's hard drive when you visit our website. Through the use of cookies, your browser receives an identifier and shows it on demand. Most of the cookies we use are so-called session cookies. These save your entries while you navigate the website within the same session. Session cookies are automatically deleted after your visit to our website. In contrast, permanent cookies remain stored on your device over several sessions and allow us to recognize your browser the next time you visit the website (and, for example, to perform an automatic log-in or to display the website in your preferred language and according to your preferences). Such permanent cookies are deleted when their expiry date is reached or if you delete them before then. We use cookies for the following purposes: Necessary cookies are necessary for the site operation and cannot be declined in our system. In general, they are defined in response to actions taken by you, that is, on a service request, such as when defining your privacy preferences, logging in, or filling out forms.
• Tracking pixel (also tracking pixel, pixel tag, web beacon or clear GIF): A tracking pixel is a 1x1 pixel, invisible graphic that is associated with your user ID. Tracking pixels measure things like the number of visitors to our website, the number of clicks on important parts of a website, or which files or emails are opened. In this way, they help us to analyze the effectiveness of our Services.

Cookies and similar technologies generally do not provide any personal data, only anonymous traffic data related to your device (e.g. your IP address) and statistical data (e.g. number and type of website visits). However, to the extent that the identifiers collected are classified as personal data by applicable law, we treat them as such.

You may block or delete cookies and similar technologies through the privacy settings of your browser and email program, although deletion may affect your use of the Services in some circumstances.

6. Who receives my personal data?

Within our organization, access to your data will be given to those departments that need it to fulfill the processing purposes mentioned above.

In addition, we may disclose personal data to the following categories of third parties, provided that the disclosure serves to fulfil the aforementioned processing purposes:

• Business partners,
• Customers of ours

If we pass on personal data to third parties, the respective current data protection provisions of the third parties are also applicable. You can obtain their data protection provisions by submitting a request for information to the contact stated at the beginning.

The third parties may be jointly responsible with us or act as data processors or independent data controllers (within the meaning the applicable data protection law). For further information on the contrac-tual relationship with the respective third party, please contact the contact point mentioned at the beginning.

7. Do we transfer your personal information between countries?

We may transfer personal data to any country in the world, in particular to all countries in which we are represented by group companies, branches or other offices and representatives and to the countries in which our contract data processors process personal data.

Personal data may also be transferred to a country without adequate data protection, provided that:

• We ensure adequate protection, namely by means of sufficient contractual safeguards such as standard contractual clauses, binding corporate data protection rules;
• You give your express consent;
• It is necessary for the performance of a contract with you or a contract in your interest;
• It is necessary for the fulfilment of a legal obligation;
• It is necessary to safeguard overriding public interests, to establish, exercise or enforce legal claims or to protect the life or physical integrity of you or third parties;
• You have made the personal data generally accessible and do not expressly prohibit processing; or
• The personal data originate from a register provided for by law, which is public or accessible to persons with an interest worthy of protection, insofar as the legal requirements for inspection are met in the individual case.

8. How long will my personal data be kept?

We retain personal data as long as it is necessary for the purpose for which we collected it. If the personal data is no longer required to fulfil the purpose, we generally delete it.

In individual cases, there may be a contractual or legal obligation to retain data (e.g. in accordance with the Swiss Code of Obligations, the Value Added Tax Act, the Federal Act on Direct Federal Taxes, the Federal Act on the Harmonization of Direct Taxes of the Cantons and Municipalities, the Federal Act on Stamp Duty, the Withholding Tax Act). We generally store contract-related personal data for the duration of the contractual relationship and for ten years beyond the termination of the contractual relationship. For evidentiary purposes, we may store personal data for the duration of the applicable limitation period, which is usually five or ten years.

Deletion of personal data may occur if we are obliged to do so. As soon as personal data is no longer required for the abovementioned purposes, it will be deleted or made anonymous as far as possible. Subject to an express contractual agreement, we are under no obligation to you to retain personal data for a specific period of time.

9. Data Security

In order to protect your personal information from unauthorized access and misuse, we take appropriate organizational and technical security measures, such as IT and network security solutions, access controls and restrictions.

10. What rights do I have?

You have a right to:

• Information on personal data concerning them;
• Correction Deletion or destruction of personal data
• Objection to or restriction of processing of personal data;
• Revocation of consent if the processing of personal data is based on your consent. The revocation is possible at any time and is effective for the future. The revocation does not affect the lawfulness of the data processing that took place until the revocation.
• Data portability in certain cases and in a common electronic format that allows further use and transmission;
• We will inform you separately about your rights in connection with any automated individual decision-making, insofar as this is required by law. For the establishment and implementation of the business relationship, we generally do not use any procedures of automated individual decision-making.

To exercise your rights, please contact the contact point mentioned above. You can also use any options embedded in our Services, e.g. link in an e-mail to unsubscribe from a newsletter, privacy settings in your user account. As a rule, the exercise of your rights requires that you can clearly prove your identity. We also draw your attention to the fact that by deleting your personal data, Services may no longer be available or used in whole or in part.

We reserve the right to restrict your rights within the framework of the applicable law and, for example, not to provide complete information or not to delete data.

You have the right to lodge a complaint with the competent data protection authority. In the case of a controller of ours in Switzerland, this is the Swiss Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

11. What are my duties?

Only provide us with personal data of other persons if you are entitled to do so under applicable data protection law. Please ensure that those persons are aware of this privacy policy.

Note that the internet is generally not a secure environment because it is an open network that can be accessed by anyone. Therefore, we also appeal to your personal responsibility with regard to the handling of your personal data. To the extent permitted by law, we accept no liability for the security of data that you transmit to us via the internet or other electronic channels or for any direct or indirect damage. We ask you to choose other communication channels if this appears necessary or reasonable for security reasons.

12. Amendment of this privacy policy

We may amend this privacy policy at any time without prior notice and communication. The current version published in our Services (e.g. on our website) applies.

If this privacy policy is part of an agreement with you, we may inform you of the change to the privacy policy by e-mail or other appropriate means. If you do not object within 30 days, the new privacy policy will be deemed to be agreed. If you object, we may terminate the agreement extraordinarily and without notice.