assetmanagement

Legal

Privacy Policy

Last updated: 2026-05-15. Template under review by legal counsel — placeholders marked with [TBD] require client input before production launch.

1. Data controller

EK Asset Management AG, [TBD — street address, postcode], Zurich, Switzerland.
UID: [TBD CHE-XXX.XXX.XXX].
Contact: [email protected].
Data Protection Officer (DPO): [TBD].

2. Categories of personal data we process

  • Identity data — name, contact details, email, phone (when provided via the contact form or correspondence)
  • Financial data — for clients undergoing onboarding: source of wealth, beneficial ownership, KYC documents (passport, proof of address, tax residency)
  • Communication data — content of messages exchanged via email, the website contact form, or Telegram
  • Technical data — IP address, browser fingerprint, anonymous analytics signals (only with your consent — see Section 6)

3. Purposes and legal bases

We process data only for the following purposes:

  • Pre-contractual contact — handling enquiries via the contact form (legal basis: nFADP Art. 31 ¶2 lit. a / GDPR Art. 6 ¶1 lit. b)
  • Client onboarding and mandate execution — KYC, AML compliance, regulatory reporting under FinIA / FINMA Circular 2017/01 (legal basis: nFADP Art. 31 ¶2 lit. c / GDPR Art. 6 ¶1 lit. c)
  • Website performance and quality — anonymous analytics, only if you have given consent (legal basis: GDPR Art. 6 ¶1 lit. a)

4. Recipients and cross-border transfers

Your data is processed primarily within Switzerland and the EEA. For specific operational purposes we use the following processors:

  • Cloudflare, Inc. (USA) — website hosting, DNS, edge security. Adequacy: EU-US Data Privacy Framework participant.
  • Resend, Inc. (USA) — transactional email for contact form submissions. SCC + DPA in place.
  • Google Workspace (USA, EEA) — email infrastructure for incoming correspondence. SCC + DPA in place.

We do not sell or otherwise share your personal data with third parties for marketing purposes.

5. Retention periods

  • Contact form enquiries: 12 months from last interaction, then automatically deleted
  • Client mandate data: retained for the duration of the client relationship plus the statutory retention period (10 years per Swiss Code of Obligations Art. 958f)
  • Anonymous analytics: max 12 months

6. Cookies and tracking

The website uses no advertising cookies. Strictly-necessary cookies (session, security) are set by default. Optional analytics (Cloudflare Web Analytics) is loaded only after you grant consent via the cookie banner. No data is shared with third parties for advertising purposes. You can withdraw consent at any time by clearing site data in your browser.

7. Your rights

You have the following rights regarding your personal data:

  • Right of access (nFADP Art. 25 / GDPR Art. 15)
  • Right to rectification (nFADP Art. 32 / GDPR Art. 16)
  • Right to erasure (nFADP Art. 32 ¶2 / GDPR Art. 17), subject to legal retention obligations
  • Right to data portability (GDPR Art. 20)
  • Right to object (GDPR Art. 21)
  • Right to lodge a complaint with the Swiss FDPIC or your local supervisory authority

To exercise any right, contact [email protected]. We respond within 30 days.

8. Updates to this policy

We update this policy when our processing changes or when required by law. Material changes will be announced on the website.