Privacy Policy Exfluency Services
1. Applicability
This Privacy Policy outlines how Exfluency processes your personal data when acting as the controller under applicable data protection laws in connection with services and software solutions, including, but not limited to, our website, the Exfluency AI Platform, and the Exfluency App (collectively referred to as “Services”).
This Privacy Policy does not apply to:
- The processing of personal data conducted by you when using our Services, where we act as a processor under applicable data protection laws. In such cases, data processing is governed by the applicable Data Processing Agreement between you and us; and,
- Third-party services, including any third-party websites linked to our website or any third-party tools integrated into our Services, which operate under their own respective privacy policies.
2. Controller
Exfluency AG,
Bahnhofstrasse 20,
6300 Zug,
Switzerland,
Email: privacy@exfluency.com
is the controller within the meaning of article 4 (7) of the European General Data Protection Regulation (“GDPR”) and article 5(j) of the Swiss Federal Act on Data Protection (“FADP”).
Our representative in the EU for requests related to GDPR is Data Protection Officer, Iryna Lebedyeva: iryna.lebedyeva@exfluency.com.
3. General Information
The terms “we”, “us”, and “our” refer to Exfluency AG. The terms “you” and “your” refer to you, as a customer or user of our Services. The term “personal data” refers to all information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person, as set out in Art. 5 lit. a FADP and Art. 4 (1) GDPR.
4. General Principles
We aim to provide a user experience that prioritises privacy. This includes adhering to the principle of data minimisation (privacy-by-design), ensuring that we collect only the personal data strictly necessary. Additionally, we process personal data solely for the specific purposes outlined in this privacy policy (purpose limitation). As a responsible company, we do not engage in automatic decision-making or profiling.
5. Collection of Data
(a) Information We Collect
When you use our Services, we may collect and store certain information related to your usage.
This may include personal data such as:
- IP addresses, device identifiers, browser type, operating system, and access provider; or,
- Date and time of access, the name and URL of the retrieved file, the website via which our Services are accessed, and other interactions with our Services.
We may collect and use this data in a way that does not disclose any of your personally identifiable information to third parties, to safeguard the use of our Services, optimise our Services, evaluate it for internal statistical purposes and develop new products and services.
(b) Personal Data You Provide
You may provide us with personal data when you:
- Register for an account on the Exfluency AI Platform or in the Exfluency App,
- Subscribe to services offered through the Exfluency AI Platform or the Exfluency App,
- Contact us via phone, email, website or other communication channels,
- Report an issue or request support.
The personal data you provide may include, but is not limited to, your:
- Full name,
- Address,
- Email address,
- Phone number,
- Personal description or photograph.
Any processing of your personal data is based on a legal basis, as indicated below.
6. Purpose of processing and legal basis
Within the applicability of the GDPR, any processing of personal data requires a legal basis. According to Art. 6 para. 1 GDPR, the processing of your personal data may be based on:
- Your consent (lit. a),
- Necessity for the performance of a contract with you or for the implementation of pre-contractual measures taken at your request (lit. b),
- Necessity to comply with legal obligations (lit. c),
- Necessity to protect the vital interest of you or another natural person (lit. d),
- Necessity to perform a task carried out in the public interest (lit. e), or,
- Necessity to safeguard the legitimate interests of us or a third party, except where they override your interests or fundamental rights and freedoms (lit. f).
We process your data for the following purposes:
- To make our Services available to you and inform you about service updates, security alerts, and account activities (legal basis: Art. 6 para. 1 lit. b GDPR),
- To process subscription payments and invoicing (legal basis: Art. 6 para. 1 lit. b GDPR),
- To offer feedback channels and respond to your inquiries and support requests (legal basis: Art. 6 para. 1 lit. b GDPR),
- To ensure that our Services run as efficiently as possible (legal basis: Art. 6 para. 1 lit. f GDPR),
- To inform you about parts of our Services which we believe to be of interest to you and send you newsletters (legal basis: Art. 6 para. 1 lit. a GDPR),
- To provide you the highest possible level of security when using our Services (legal basis: Art. 6 para. 1 lit. d and f GDPR),
- To ensure cost-efficient compliance with legal requirements (legal basis: Art. 6 para. 1 lit. c and f GDPR).
Anonymous and aggregated data do not constitute personal data under data protection law. We may process such data to enhance our Services, gain insights into their usage, analyse user demographics, interests, and behaviours, and refine our offerings. Additionally, we use anonymous and aggregated data to provide tailored services and information to our users and for other similar purposes.
7. Cookies
Cookies are small data files stored on your device when you visit a website. Some cookies are essential for providing services, such as security or network management cookies. Others enhance user experiences by remembering certain preferences.
We use cookies to help us recognise your browser and improve the quality of our Services. The legal basis for using cookies depends on their purpose: essential cookies are processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR), while non-essential cookies require your consent (Art. 6 para. 1 lit. a GDPR).
You can find more detailed information on our use of cookies under: https://exfluency.com/cookie-policy/.
8. Disclosure of Personal Data to Third Parties
We limit the amount of personal data that we share with third parties to what is directly relevant and necessary to achieve the stated purpose.
Your personal data may be shared with the following categories of recipients:
(a) Third Party Service Providers
We may share your personal data with third-party service providers who assist us in facilitating payment services, providing cloud storage and computing services, offering technical support, or delivering other necessary services. These providers are contractually obligated to process your data solely for the purposes specified and in compliance with applicable data protection laws.
(b) Intra-Group Transfers
We may transfer your personal data within our corporate group of companies in order to facilitate administrative, technical, operational, or compliance-related processes. Such intra-group transfers are carried out on the basis of legitimate interests and, where required, appropriate data transfer agreements and safeguards, to ensure that your personal data remains protected and is only accessed on a need-to-know basis.
(c) Partner Custodians
To reduce redundant collection of know-your-customer (KYC) documentation and facilitate compliance with anti-money laundering laws (AMLA) or other applicable regulations in your jurisdiction, we may share your personal data with our partner custodians. Such transfers will be conducted in accordance with relevant legal requirements and data protection safeguards.
(d) Corporate Restructuring
In the event of a merger, financing, acquisition, or divestiture involving the sale or transfer of all or part of our business or assets, we may share personal data as necessary for negotiations or execution of such transactions. In cases of insolvency, bankruptcy, or receivership, personal data may be considered a business asset subject to transfer. If our business, assets, or operations are acquired by another entity, that entity will assume ownership of the personal data we have collected and will be bound by the rights and obligations described in this Privacy Policy.
(e) Authorities
We may disclose your personal data to governmental, regulatory, or law enforcement authorities in response to a lawful request for information if we believe such disclosure is required by applicable law, regulation or legal process, or enforcement action. We will only disclose the minimum amount of data necessary to comply with such requests.
(f) Violation of Terms of Services
If we believe your actions are in violation of our Terms of Service and Privacy Policy, or to protect the rights, property and safety of us or others, we may share your personal data with relevant parties. Such disclosure will be based on legitimate interest.
(g) Other Disclosures
We may also disclose your personal data to fulfil the specific purpose for which you provided it, for any other purpose disclosed to you at the time of collection, or with your consent. We do not sell your personal data under any circumstances.
9. Cross-border Transfer of Personal Data
Your personal data will primarily be stored in databases located within the European Union or Switzerland. However, in certain circumstances, it may be necessary to transfer personal data to countries outside these jurisdictions.
If personal data is transferred to a country that is not recognised by the European Commission or the Swiss Federal Council as ensuring an adequate level of data protection, such transfers will be conducted in compliance with applicable data protection laws. This includes the use of standard contractual clauses approved by the relevant data protection authorities or other legally recognised safeguards ensuring adequate protection of your personal data.
10. Security
We employ appropriate technical and organisational security measures to safeguard your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorised access by third parties. For example, we use up-to-date TLS-encryption, to the extent supported by your systems, for data transmissions via our Services. Our security measures are continuously improved in line with technological developments.
While we strive to protect your personal data, no method of transmission over the Internet is completely secure. You should exercise caution when deciding what information to share with us via email or other online means and be aware of the inherent risks associated with transmitting personal information over the Internet.
11. Retention Period
We retain your personal data only for as long as necessary to fulfil the purpose for which it was collected or to comply with legal obligations, such as statutory retention periods. Once the respective purpose no longer applies, the data will be deleted in due course.
12. Your Rights
As a data subject, you have various rights under applicable data protection laws, which you may exercise against us.
(a) Access and Information
Upon request, and in accordance with applicable legal provisions, we will provide you with written confirmation of whether we process your personal data and, if so, what personal data we hold about you.
(b) Rectification, Erasure, and Restriction
You have the right to:
- Rectification: Request the correction of inaccurate or incomplete personal data.
- Erasure (“right to be forgotten”): Request the deletion of your personal data, subject to legal retention requirements.
- Restriction of Processing: Request the restriction of data processing under conditions set out in applicable data protection law.
(c) Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format. Upon request, we will transfer your personal data to another controller where technically feasible.
(d) Objection to Processing
Where we process your personal data based on legitimate interests, you have the right to object to such processing on grounds relating to your particular situation.
(e) Exercising Your Rights
To exercise any of these rights or to obtain further information, please contact us at privacy@exfluency.com.
(f) Right to Lodge a Complaint
If you believe that our processing of your personal data violates applicable data protection laws, you have the right to file a complaint with the relevant supervisory authority:
- European Union: A list of the national supervisory authorities is available at the European Data Protection Board (https://edpb.europa.eu/about-edpb/board/members_en)
- Switzerland: The competent authority is the Swiss Federal Data Protection and Information Commissioner (www.edoeb.admin.ch)
13. Changes to Your Personal Data
We are committed to keeping your personal data accurate and up-to-date. Therefore, if your personal data changes, please inform us of the change as soon as possible.
14. Updates to This Privacy Policy
We may amend this privacy policy from time to time to ensure that you are fully informed about all data processing activities and our compliance with applicable data protection legislation. Any amendments or updates to this privacy policy will be made available on the website https://exfluency.com.
Valid as of October 2025