PRIVACY POLICY SENTIS AG / SENTIS CAPITAL PCC

Status: Version March 2025

1. Responsible Entity

For the data processing under this Privacy Policy – in particular the data processing related to the websites https://www.sentis-ag.com and https://www.sentis-capital.com (hereinafter referred to as Websites) the following company is the ‘Responsible Entity’, i.e., the entity primarily responsible for data protection, unless otherwise communicated in individual cases (e.g., in further privacy policies, on forms, or in contracts):

Sentis AG
Industriestrasse 7
6300 Zug, Switzerland
Email: contact@sentis-ag.com

If, on the other hand, you are in contact with Sentis Capital PCC, Branch Balzers (Gagoz 73, FL-9496 Balzers, contact(at)sentis-capital.com), for example, because you or your company are receiving a service from Sentis Capital PCC, entering into a contract, or because you are otherwise directly corresponding with Sentis Capital PCC, then Sentis Capital PCC is the Responsible Entity.

If you have questions regarding data protection issues, you can contact us at contact@sentis-ag.com.

2. Purpose of this Privacy Policy
The protection of your personal data is an important concern for us. This Privacy Policy explains our processing of personal data (hereinafter also referred to as data) when

• you visit our websites,
• you use our services,
• you are otherwise in contact with us in the context of a contract (e.g., service providers, suppliers, and business partners, as well as any persons associated with contractual partners, such as representatives, authorized agents, and beneficial owners),
• you contact us via email, letter, social media, SMS, through a contact form, etc.
• You are involved with us in the context of all further data processing related to our offerings (e.g., asprospects, representatives of authorities, social media users, and journalists).

We have aligned this Privacy Policy with both the Swiss Data Protection Act (DPA) and the European General Data Protection Regulation (GDPR). When the term ‘Personal Data’ is used in the Privacy Policy, it also refers to ‘Personal Data’ as defined by the GDPR. Whether and to what extent the GDPR is applicable depends on the individual case.

3. Processed Personal Data
We process various categories of Personal Data depending on the occasion and purpose. The most important categories are listed below, although this enumeration cannot be exhaustive.

For contractual partners that are companies, we process less Personal Data because the applicable data protection law only covers data of natural persons. However, we process data of the contact persons with whom we are in contact, as well as information about executives, etc., as part of the general information about companies with which we collaborate.

Many of the data mentioned in this clause are provided by you directly (e.g., through forms, in the course of communication with us, in connection with contracts, when using the websites, etc.). You are not obligated to do so, subject to individual cases (e.g., legal obligations). If you wish to enter into contracts with us or claim services, you must also provide us with data as part of your contractual obligation according to the relevant contract, particularly Master and Contract Data.

If you provide us with data about other individuals, such as information about family members or colleagues, we assume that you are authorized to do so and that this data is accurate. Please also ensure that these third parties have been informed about this Privacy Policy (e.g., by referencing this Privacy Policy).

Master Data:
By Master Data, we refer to the basic data that we need to process our business relationships and that directly relate to your person and characteristics. For example, we process the following Master Data:

• Salutation, name, address, telephone number, email address, gender,
• for contact persons from companies, also relationships to the company for which you work,
• Data from identification documents, such as tax identification number.

We generally receive this Master Data from you directly, but it may also come from other individuals who are working for your company. However, we may also include Personal Data of third parties, for example, from entities for which you are working, or from third parties such as our contractual partners, associations, and address dealers, as well as from publicly accessible sources such as public registers or the internet (websites, social media, etc.).

Contract Data:
Contract Data refers to information that arises in connection with the conclusion or execution of a contract, such as details about contracts and the services to be provided or already provided, as well as data from the lead-up to a contract conclusion, information regarding the contract conclusion itself (e.g., the date of conclusion and the subject matter of the contract), as well as the information required or used for processing. For example, we process the following Contract Data:

• Date, application process, information about the type and duration as well as the conditions of the relevant contract, data regarding the termination of the contract,
• Contact information,
• Information on payments and payment modalities, invoices, mutual claims, contacts with customer service, complaints, defects, returns, information on customer satisfaction, grievances, feedback, etc.,
• Financial data such as bank details, transactions, asset information.

We obtain this data from you, but also from partners with whom we collaborate. Again, this data may relate to your company, in which case it is not ‘Personal Data’, but it may also relate to you if you are employed by a company or if you yourself receive services from us.

Technical Data:
In connection with the use of our websites, technical data is generated. This includes, for example, the following data:

• IP address of the device and device ID,
• Information about your device, the operating system of your device, or language settings,
• Information about your internet provider,
• accessed content or logs in which the use of our systems is recorded,
• date and time of access to the websites as well as your approximate location.

Communication Data:
Communication data are data related to our communication with you, e.g., when you contact us via contact forms or other means of communication. Communication data include, for example,

• name and contact details such as postal address, email address, and telephone number,
• Content of the correspondence (e.g., from emails, written correspondence, phone calls, chat messages, etc.),
• Information about the type, time, and possibly location of the communication and other ancillary data of the communication.

Behavioral Data:
For statistical purposes, we may collect data about your behavior. Behavioral data particularly includes information about your use of our websites (e.g., duration of visit, pages visited, location data, device data). It may also be collected based on technical data. We may also use your other interactions with us as behavioral data and evaluate this data both personally identifiable and non-personally identifiable.

Other Data:
We may also collect data from you in other situations. In connection with administrative or judicial proceedings, data such as files, evidence, etc. may arise that may also relate to you. We may also receive or create photos, videos, and audio recordings in which you may be identifiable (e.g., at events, through security cameras, etc.). We may also collect data about who enters certain buildings at what times or has corresponding access rights (including during access controls, based on registration data or visitor lists, etc.), who participates in events at what times, or who uses our infrastructure and systems at what times.

5. Purposes of Data Processing
We primarily use the personal data we collect for processing your orders. Furthermore, we process your personal data, as permitted and deemed appropriate, for additional purposes for which we (and sometimes third parties) have a legitimate interest corresponding to the purpose:

For communication purposes, that is, to contact you and maintain contact with you. This includes responding to inquiries and reaching out to you for follow-up questions, e.g., via email. For this purpose, we particularly process your communication and master data.

We also process data for the improvement of our services and product development.

To ensure IT security and for prevention: We process personal data to monitor the performance of our operations, particularly IT, our websites, applications, and other platforms, for security purposes, to ensure IT security, to prevent theft, fraud, and abuse, and for evidentiary purposes. This includes, for example, the evaluation of system-generated records of the use of our systems (log data), preventing, repelling, and clarifying cyberattacks and malware attacks, analyses and tests of our networks and IT infrastructures, and system and error checks.

To uphold house rights and other measures for IT, building, and asset security and to protect our employees and other individuals as well as our owned or entrusted assets (such as access controls, visitor lists, network and email scanners, telephone recordings).

For legal compliance: We may process personal data in order to enforce claims in court, pre-court, or out of court, and before authorities in Switzerland and abroad, or to defend ourselves against claims. For this purpose, master data and communication data may be processed.

To comply with legal requirements: This includes, for example, the processing of complaints and other reports, compliance with orders from a court or authority, measures to detect and investigate abuses, as well as generally measures to which we are obligated under applicable law, self-regulations, or industry standards. For this purpose, we may process your master and communication data.

For administration and support: To make our internal processes efficient, we process data as necessary for IT management, accounting, or data archiving. For this purpose, we may particularly process communication and behavioral data as well as technical data.

We may also process data for additional purposes. These include corporate governance, including operational organization and corporate development, further internal processes and administrative purposes (e.g., management of master data, accounting, and archiving), training and educational purposes, and the preparation and execution of the purchase and sale of business areas, companies, or parts of companies, and other corporate transactions, along with the associated transfer of personal data, as well as measures for business management and the safeguarding of other legitimate interests.

Insofar as we ask for your consent for certain processing activities, we will inform you separately about the respective purposes of the processing. You can revoke your consents at any time by sending us a written notice.

6. Online Tracking
For our website, we utilize services from third parties to measure and improve the user friendliness of the website. To this end, we may integrate third-party components on our website, which may in turn use cookies. When we track you or use similar technologies, the core purpose is to distinguish your accesses (via your system) from accesses by other users, so that we can ensure the functionality of the website and perform statistical evaluations. We do not intend to draw conclusions about your identity. The technologies used are designed so that you are recognized as an individual visitor with each page view, for example, by our server (or the servers of third parties) assigning you or your browser a specific identification number (so-called ‘cookie’).

Cookies are files that your browser automatically stores on your device when you visit our website. Cookies contain a unique identification number (an ID) that allows us to distinguish individual visitors from others, usually without identifying them. Depending on their purpose, cookies may contain additional information, such as about the pages visited and the duration of the visit to a page. We use session cookies, which are deleted when the browser is closed, and persistent cookies, which remain stored for a certain period after the browser is closed and serve to recognize visitors on a later visit.

We use the following types of cookies and similar technologies:

• Performance cookies: These cookies collect information about the use of a website and enable analyses, e.g., which pages are the most popular. They can simplify the visit to a website and improve user friendliness.

We use cookies particularly for the following purposes:

• Determining whether and how we can improve our website.
• Collecting statistical data on the number of users and their usage habits, as well as improving the speed and performance of the website.

How can cookies and similar technologies be disabled?
When accessing our website, you have the option to activate or deactivate certain categories of cookies. You can configure your browser in the settings to block certain cookies or similar technologies, or to delete existing cookies and other data stored in the browser. You can also extend your browser with software (so-called ‘Plug-Ins’) that blocks tracking by certain third parties. You can find more information on the help pages of your browser (usually under the keyword ‘Privacy’). Please note that our website may not function fully if you block cookies and similar technologies.

Cookies from partners and third parties on our website
We use services from third parties to measure and improve the user friendliness of the website. Third-party providers may also be located outside of Switzerland and the EU/EEA, provided that the protection of your personal data is ensured in an appropriate manner. For example, we use the analytics service Google Analytics to optimize our websites. The respective third-party provider may record the use of the website and combine their records with additional information from other websites. This allows them to track user behavior across multiple websites and devices in order to provide us with statistical evaluations based on this data.

Further information regarding Google Analytics can be found below. Other third-party providers typically process personal data and other data in a similar manner.

Google Analytics is an analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland; collectively referred to as ‘Google’, with Google Ireland Ltd. being responsible for the processing of personal data). Google uses cookies and similar technologies to collect certain information about the behavior of individual users on or within the relevant website and the device used (tablet, PC, smartphone, etc.). Google collects information about user behavior on the website and the Device used, and provides us with evaluations based on this, but also processes certain data for its own purposes. We have configured Google Analytics to anonymize the IP addresses of visitors before forwarding them to the USA. You can find information about data protection at Google Analytics here. You can disable Google Analytics by installing a corresponding browser add-on.

7. Legal bases for data processing
Depending on the case, data processing is only permissible if the applicable law specifically allows it. This does not apply under Swiss data protection law, but for example under the GDPR, insofar as it is applicable. In this case, we base the processing of your Personal Data on the following legal grounds:

• on your consent (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR);
• that the processing is necessary for the performance of a contract or for pre-contractual measures (e.g., the examination of a contract application; Art. 6 para. 1 lit. b GDPR);
• that the processing is necessary for the assertion or defense of legal claims or civil proceedings (Art. 6 para. 1 lit. f and Art. 9 para. 2 lit. f GDPR);
• that the processing is necessary for compliance with domestic or foreign legal provisions (Art. 6 para. 1 lit. c and lit. f; Art. 9 para. 2 lit. g GDPR);
• The processing is necessary for a legitimate interest in data processing, particularly the interests mentioned in Section 4 (Art. 6 para. 1 lit. f GDPR).

8. Disclosure of data to third parties
In connection with our processing, we also disclose your Personal Data to other recipients.

We may share Personal Data that we receive from you or from third-party sources, particularly with other group companies (Sentis AG or Sentis Capital PCC, see above Section 1). Such sharing may serve internal group administration or support the relevant group companies and their own processing purposes, e.g., for the development and improvement of services.

We then disclose the Personal Data necessary for their services to service providers. This particularly concerns IT service providers, but also consulting companies, analysis service providers, debt collection agencies, credit reporting agencies, marketing service providers, etc. To the extent that service providers process personal data as processors, they are obliged to process personal data solely according to our instructions and to implement measures for data security.

Data may also be disclosed to other recipients, e.g., to courts and authorities in the context of proceedings and legal information and cooperation obligations, to buyers of companies and assets, to financing companies in securitizations, and to debt collection companies.

In individual cases, it is possible that we may disclose personal data to other third parties for their own purposes as well, e.g., if you have given us your consent or if we are legally obligated or entitled to disclose it.

9. Disclosure of data to recipients abroad
Recipients of data are not only located in Switzerland. This particularly concerns group companies and certain service providers. These may be located both within and outside the European Economic Area (EEA), as well as in other countries worldwide. For example, we may transmit data to authorities and other individuals abroad when we are legally obligated to do so or, for instance, in the context of a business sale or a court proceeding.. Not all of these countries currently provide a level of data protection that corresponds to Swiss law. We compensate for the lower protection through appropriate contracts, particularly the standard contractual clauses issued by the European Commission and recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC). Further information and a copy of these clauses can be found at www.edoeb.admin.ch/edoeb/de/home/datenschutz/handel-und-wirtschaft/uebermittlung-ins-ausland.html.

In certain cases, we may transmit data in accordance with data protection regulations even without such contracts, e.g., if you have consented to the corresponding disclosure or if the disclosure is necessary for the performance of the contract, for the establishment, exercise, or enforcement of legal claims, or for overriding public interests.

10. Duration of Data Storage
We store and process your Personal Data as long as it is necessary for the purpose of processing (in the case of contracts, usually for the duration of the contractual relationship), as long as we have a legitimate interest in storage (e.g., to enforce legal claims, for archiving, and/or to ensure IT security), and as long as the data is subject to a statutory retention obligation (for certain data, a ten-year retention period applies, for example). If there are no legal or contractual obligations to the contrary, we will destroy or anonymize your data after the expiration of the storage or processing period in accordance with our usual procedures.

11. Data Security
We take appropriate security measures to maintain the confidentiality, integrity, and availability of your Personal Data, to protect it against unauthorized or unlawful processing, and to mitigate the risks of loss, accidental alteration, unwanted disclosure, or unauthorized access. However, security risks cannot be completely eliminated; residual risks are unavoidable.

12. Your Rights
You have certain rights under applicable data protection law to obtain further information about our data processing and to influence it. These include, in particular, the following rights:

Right to Information: You may request further details about our data processing. We are happy to assist you with this. You can also submit a so-called request for information if you wish to receive further information and a copy of your data.

Objection and Deletion: You can object to our data processing and also request at any time that we delete your Personal Data, provided we are not obligated to continue processing or retaining this data and it is not necessary to fulfill the contractual relationship.

Correction: You can correct or complete inaccurate or incomplete Personal Data or have it supplemented with a note of dispute.

Transfer: You also have the right to receive the Personal Data you have provided to us in a structured, commonly used, and machine-readable format or to have it transferred to a third party, insofar as the corresponding data processing is based on your consent or is necessary for the performance of the contract.

Revocation: As far as we process data based on your consent, you can revoke your consent at any time. The revocation applies only to the future, and we reserve the right to continue processing data based on another legal basis in the event of a revocation.

If you wish to exercise your rights against us, please contact us in writing. Our contact details can be found in Section 1. In general, we must verify your identity (e.g., by means of a copy of your ID). You are also free to file a complaint with the competent supervisory authority regarding our processing of your data. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (EDÖB):

13. Automated decision-making and profiling
We do not make automated individual decisions within the meaning of the DSG. Profiling is used only to analyze customer preferences, without legal effects.