Privacy Policy of FinanceFarm AG

Version: March 6, 2026

FinanceFarm AG ("FinanceFarm", "we", "us" or "our") is committed to protecting the privacy and personal data of all users, visitors and business partners. This Privacy Policy explains how we collect, use, store, disclose and protect personal data in connection with our website (www.financefarm.com), our online platform, mobile applications, dashboards and all related services and interfaces (together the "Platform"). This Privacy Policy applies in conjunction with our General Terms and Conditions ("GTC") and Terms of Use.

1. Controller and contact details

1.1 The controller responsible for the processing of personal data within the meaning of the Swiss Federal Act on Data Protection ("FADP") and, where applicable, the EU General Data Protection Regulation ("GDPR") is:

FinanceFarm AG
Switzerland
UID: CH-280.030.894

1.2 For any questions or requests relating to data protection, you may contact us at: info@financefarm.com

2. Categories of personal data we collect

2.1 We may collect and process the following categories of personal data, depending on how you interact with the Platform:

a) Account and identity data: Name, email address, phone number, date of birth, nationality, residential address, username and password (hashed), profile information and, where applicable, company name and authority to represent.

b) Verification and compliance data: Identity documents (passport, ID card), proof of address, selfie or liveness-check images, source-of-funds documentation, KYC/AML screening results and compliance status, as required by applicable anti-money laundering and counter-terrorist financing regulations.

c) Financial and transaction data: Payment information, bank account details, wallet addresses, transaction history, deal participation records, deposits, withdrawals, claim records, fee calculations and settlement data.

d) Technical and usage data: IP address, browser type and version, operating system, device identifiers, language preferences, referring URLs, pages visited, timestamps, click behaviour, session duration, error logs and diagnostic data.

e) Communication data: Content of emails, support tickets, chat messages, contact form submissions and any attachments you send to us.

3. Purposes and legal bases for processing

3.1 We process personal data for the following purposes:

a) Contract performance and Platform operation: To provide and operate the Platform, process registrations, manage user accounts, execute transactions and deals, process payments, perform claim and distribution processes, and fulfil our contractual obligations under the GTC and Terms of Use.

b) Legal and regulatory compliance: To comply with applicable legal obligations, in particular KYC/AML requirements, tax reporting obligations, sanctions screening, record-keeping requirements and responding to official orders or requests from regulatory authorities.

c) Security and fraud prevention: To protect the Platform, its users and our infrastructure against unauthorised access, fraud, abuse, security threats and other harmful activities, including through logging, monitoring and automated security checks.

d) Communication and support: To respond to enquiries, provide customer support, send service-related notifications (e.g. deal status updates, security alerts, account notifications) and facilitate communication between users and FinanceFarm.

e) Platform improvement and analytics: To analyse usage patterns, improve the Platform's functionality and user experience, conduct internal research and develop new features and services.

f) Marketing and information: To send newsletters, product updates and promotional materials, subject to your consent or, where permissible, our legitimate interest. You may opt out of marketing communications at any time.

3.2 Under the FADP, processing is permissible where it does not unlawfully violate the personality of the data subject. Under the GDPR, where applicable, the legal bases for processing are: performance of a contract (Art. 6(1)(b) GDPR), compliance with a legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR), and consent (Art. 6(1)(a) GDPR).

4. Cookies and tracking technologies

4.1 We use cookies and similar technologies (e.g. local storage, pixel tags) on the Platform. These technologies help us operate the Platform, ensure security, remember your preferences and analyse usage.

4.2 We use the following categories of cookies:

a) Strictly necessary cookies: These are essential for the Platform to function properly and cannot be switched off. They include session cookies, authentication tokens and security cookies.

b) Functional cookies: These enable enhanced functionality and personalisation, such as language preferences and display settings.

c) Analytics cookies: These help us understand how users interact with the Platform, which pages are visited most frequently and where errors occur. We may use third-party analytics tools for this purpose.

4.3 You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.

5. Disclosure and sharing of personal data

5.1 We do not sell personal data. We may share personal data with the following categories of recipients where necessary for the purposes described in this Privacy Policy:

a) Service providers and processors: Third-party service providers who assist us in operating the Platform, including hosting providers, payment processors, KYC/AML verification providers, email service providers, analytics providers and IT security providers. These providers process data on our behalf and are contractually bound to protect your data.

b) Deal-related third parties: Where necessary for deal processing, we may share relevant data with transport companies, storage facilities, insurance providers, inspection bodies, escrow agents, auction houses and other parties involved in the execution and settlement of deals.

c) Regulatory and public authorities: Where required by law, we may disclose personal data to regulatory authorities, tax authorities, law enforcement agencies, courts or other public bodies.

d) Professional advisors: Lawyers, auditors and other professional advisors, subject to professional confidentiality obligations.

e) Corporate transactions: In the event of a merger, acquisition, restructuring or sale of assets, personal data may be transferred to the acquiring entity, subject to appropriate safeguards.

6. International data transfers

6.1 Your personal data may be transferred to and processed in countries outside Switzerland or the European Economic Area (EEA) where our service providers or partners are located.

6.2 Where personal data is transferred to a country that does not provide an adequate level of data protection as recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the European Commission, we ensure that appropriate safeguards are in place, such as standard contractual clauses, binding corporate rules or other legally recognised mechanisms.

7. Data retention

7.1 We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable law. Retention periods depend on the nature of the data and the purpose of processing.

7.2 In particular:

a) Account data is retained for the duration of the contractual relationship and for a period thereafter as required by statutory retention obligations (typically 10 years under Swiss commercial law).

b) Transaction and deal-related data is retained for as long as required for deal processing, settlement, claim periods and statutory record-keeping obligations.

c) KYC/AML data is retained in accordance with applicable anti-money laundering legislation.

d) Technical and usage data is generally retained for a shorter period unless longer retention is required for security or legal purposes.

7.3 After the applicable retention period expires, personal data is securely deleted or anonymised.

8. Data security

8.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss or destruction. These measures include, but are not limited to, encryption of data in transit and at rest, access controls, regular security assessments, secure development practices and staff training.

8.2 While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining a high standard of data protection.

8.3 In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with applicable law.

9. Your rights

9.1 Under applicable data protection law, you have the following rights regarding your personal data:

a) Right of access: You have the right to request information about whether and which personal data we process about you, the purpose of processing, the categories of data concerned, the recipients and the retention period.

b) Right to rectification: You have the right to request the correction of inaccurate personal data or the completion of incomplete data.

c) Right to erasure: You have the right to request the deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (if processing is based on consent), or where there is no other legal basis for processing. This right is subject to statutory retention obligations and other overriding legal grounds.

d) Right to restriction of processing: You have the right to request the restriction of processing in certain circumstances, for example where you contest the accuracy of the data or where you have objected to processing.

e) Right to data portability: Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.

f) Right to object: You have the right to object to the processing of your personal data where processing is based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

g) Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

9.2 To exercise any of these rights, please contact us at info@financefarm.com. We may request proof of identity before processing your request. We will respond to your request within the timeframes required by applicable law.

9.3 You also have the right to lodge a complaint with a competent data protection supervisory authority, in particular the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, where applicable, the supervisory authority in your country of residence.

10. Blockchain and wallet data

10.1 Where tokenised units or blockchain-based processes are used within the Platform, the user acknowledges that certain transaction data (e.g. wallet addresses, transaction hashes, timestamps) may be recorded on a public or permissioned blockchain and that such data, once recorded, generally cannot be modified or deleted due to the immutable nature of blockchain technology.

10.2 FinanceFarm AG does not have access to private keys or seed phrases. Users are solely responsible for the security and management of their wallet credentials. Loss of private keys may result in the irreversible loss of access to tokenised units.

10.3 We take reasonable measures to minimise the exposure of personal data on public blockchains. However, the inherent transparency of certain blockchain networks means that on-chain data may be visible to third parties.

11. Third-party links and services

11.1 The Platform may contain links to third-party websites or integrate third-party services. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform.

11.2 FinanceFarm AG is not responsible for the data protection practices of third parties unless they act as data processors on our behalf under a binding agreement.

12. Children's privacy

12.1 The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will take reasonable steps to delete such data promptly.

13. Changes to this Privacy Policy

13.1 We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements or the services we offer. The updated version will be published on the Platform with the revised date indicated at the top.

13.2 For material changes, we will make reasonable efforts to notify you in advance, for example through a notice on the Platform or by email. Continued use of the Platform after the updated Privacy Policy takes effect constitutes acceptance of the changes.

14. Governing law and jurisdiction

14.1 This Privacy Policy is governed by Swiss law, excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG), to the extent its exclusion is permissible.

14.2 The exclusive place of jurisdiction for disputes arising out of or in connection with this Privacy Policy is Basellandschaft, Switzerland, to the extent legally permissible. Mandatory statutory places of jurisdiction remain reserved.

14.3 This Privacy Policy may be made available in German and English. In the event of contradictions between the German and the English version, the German version shall prevail.