Data Privacy Notice

1. Data Protection information The Carbon Reserve is fully committed to handling your personal data responsibly. Our Privacy Policy contains an overview of the information that we collect from our users and other data subjects, what we do with this data and what your rights are in this respect. This Privacy policy is written in adherence to the provisions of the Federal Act on Data Protection (“FADP”), the Ordinance to the Federal Act on Data Protection (“OFADP”), the Telecommunications Act (“TCA”) and, if applicable, other data protection regulations.

 

2. Overview The Carbon Reserve, which has registered offices at Place de Longemalle 1, ℅ MN & Associes SA, 1204 Geneva (hereafter referred to as “Carbon Reserve”, “the Foundation” or “we”), processes personal data that relates to you or to individuals with whom we have no direct contact. We use the terms “data” and “personal data” synonymously throughout this Privacy Policy. “Personal data” refers to information that relates directly to you or to other people with whom we are not in direct contact, or which we can attribute to you. “Process” refers to any activity that involves, for example, the handling, collection, storage, use, disclosure or deletion of personal data. In this Privacy Notice, we describe how we process your data when you use our service or communicate and interact with us in other ways. We process data that relates to the following individuals in particular:

● Our current and former users, including their authorized representatives (e.g. authorized persons or individuals authorized to receive information), beneficial owners, controlling persons and key contact persons;

● Interested parties and potential users;

● Participants in competitions, prize draws, surveys, user tests, user events and similar organized gatherings;

● Contact persons and employees at suppliers and partners;

● Contact persons, company owners and management bodies of businesses in which we may have a stake; ● Representatives of authorities, agencies, auditors and other bodies.

● Volunteers who assist in ad hoc functions. This Privacy Policy applies to the processing of data that we have already collected or which we will collect in future. We will inform you about certain types of data processing separately, e.g. in specific privacy policies, general terms and conditions, service descriptions, on our website and in declarations of consent, contracts, forms and notes.

 

3. Data from Third Parties When you share data with us about other individuals (e.g. authorized representatives, controlling persons or heirs), you confirm that you are authorized to do so and that the data you are providing is correct. Please ensure prior to this that all third parties have been informed that we will process their data and forward them a copy of this Privacy Policy.

 

4. Who is responsible for processing your data? The Carbon Reserve is generally responsible for processing data within the scope of this Privacy Policy, which means that it bears primary responsibility for this data processing under data protection law, unless otherwise specified in individual cases. Every activity that involves data processing is monitored by at least one corporate body which is (or are) tasked with ensuring that said processing is performed in compliance with the statutory provisions on data protection. This entity is known as the “data controller”. Other parties may be jointly responsible for processing within the context of this Privacy Policy if they are involved in determining how, and to what end, the relevant data is processed. On request, we will be happy to provide information about the individual data controllers that are responsible for specific processing activities. Please contact us using the following details if you have any concerns about data protection or wish to assert your rights in accordance with the “Your rights” section: The Carbon Reserve Data Protection Officer, Legal Place de Longemalle 1 ℅ MN & Associes SA 1204 Geneve info@thecarbonreserve.org

 

5. What data do we process? We process different data from a range of sources, depending on the situation and purpose. We generally collect this data from you directly, i.e. when you submit information to us, communicate with us or use our services. However, we can also collect it from other sources, such as public registers or other publicly accessible sources, as well as from authorities or other third parties. We process data about you from different categories, the most important of which are the following:

5.1. Master data We use the term “master data” to refer to any information that relates to your identity, personal characteristics and circumstances, including, but not limited to, your:

● Last and first name;

● Address;

● Identity number;

● Telephone number;

● Bank account details;

● Proof of identity;

● E-mail address; and

● Date of birth.

 

This data can also relate to third parties (e.g. authorized agents) and can include authorizations to sign, powers of attorney and declarations of consent. When we deal with companies, we process data about their designated contact persons and occupational data. We may also process information about a company’s relationship with third parties (e.g. controlling persons or beneficial owners). Depending on its area of activity, we may also need to examine the company in question and its employees in more detail.

 

5.2. Financial and risk data This involves processing data that relates to your income and assets, your financial situation and financial behavior, as well as other information that we use to combat fraud and comply with legislation on money laundering or other statutory provisions. This includes data such as information about your risk profile and any data on technically identifiable behavior when accessing the toco App (behavioral biometrics to tackle abuse and fraud).

 

5.3. Transaction data This refers to the data that accumulates in relation to individual buy/sell/send and receive transactions (including card payments).

 

5.4. Tax data This includes information about compliance with fiscal regulatory requirements. Fiscal data includes information about your tax domicile and corresponding certificates and documentation, your Tax Identification Number (TIN), declarations to certify compliance with tax obligations, and tax assessment notices, as well as data associated with the automatic exchange of information (AEOI), the Foreign Account Tax Compliance Act (FATCA) and the Qualified Intermediary Agreement (QI Agreement).

 

5.5. Behavioral and preference data This is information that relates to particular actions and interactions with us. We can use this information, along with other types of data, to calculate or to predict that you will behave in a certain way (preference data). We generate this type of data based on existing information, but can also combine it with other data to improve the quality of our analyses. Behavioral data also gives us an insight into your specific actions, such as how and when you log into the application, which payment methods you use, which transactions and payments you are involved in and the contact you have with the Customer Center. We use this information, which we obtain by analyzing existing data, to get to know you better, tailor our services so that they are more relevant to you and optimize them in general, for example. Behavioral and preference data can be analyzed either at an individual level or on a general basis (e.g. to assist with product development). We can combine behavioral and preference data with other types of data.

 

5.6. Communication data This includes information that relates to how and when we communicate with you, whether in written form, by telephone or via electronic channels (such as chat, e-mail, SMS, push notifications or the Toco App). It can also include data concerning our communications with third parties, authentication data (as well as biometric data where applicable). We also collect data to help identify you (such as a copy of your passport) if we want to confirm your identity or are required to do so, e.g. as part of a request for information.

 

5.7. Technical data Technical data refers to the information that we collect when you use the Toco App, other digital services or take part in an online survey, for example.

This includes your:

● Device’s IP address;

● Information about its operating system;

● Date, time, geographical region; and

● The type of browser or device that you use to access our services. To ensure that our services function correctly, we may also assign an individual code to you, your device or your system (in the form of cookies, for example). It is not possible to identify you or deduce anything about your identity based solely on technical data. However, we can link this data, as well as information collected from user accounts, registrations or access controls to other information and consequently to you, given the right circumstances. One of the ways this information helps us is that it allows us to display content correctly in your browser or on your device. Knowing your IP address allows us to identify your provider and thus your region, but we cannot usually use it to identify you unless you are logged in to a user account. The log files that are generated in our system are another example of technical data. If you open the toco app, we collect technical data about how the app is installed, when it is opened, and identifiers associated with the device that you are using.

 

5.8. Other data We collect other data about you in various contexts. This includes information that relates to official or legal proceedings (e.g. case files, evidence, etc.). We can also collect data to help with fraud prevention or for reasons associated with occupational health and safety, and may obtain data in which you may be identifiable. Finally, we may also collect data in connection with events or promotions (e.g. competitions) and the use of our systems and infrastructure. Sometimes we also carry out user tests and surveys, which also involve collecting data.

 

6. Why do we process your data? We process your data for the purposes outlined below.

 

6.1. Establishing, registering, processing, managing and terminating business relationships We process your data to establish, register, process, manage and terminate business relationships, or to process the contract that has been entered into with you (e.g. if you are our supplier). The data that we process to this end varies depending on the type and scope of the relationship and may include master, financial, risk-related, transaction, registration and communication data in particular.

 

6.2. Compliance with laws, directives and recommendations from public authorities and internal regulations We also process data to comply with laws, directives and recommendations from public authorities and our own internal regulations (Compliance). The data that we process for this purpose includes your master, financial, risk-related, communication, transaction and behavioral data in particular. This includes fulfilling our legal obligation towards combating money laundering and terrorist financing, for example. To this end, we have a duty to make certain enquiries or, under certain conditions, to submit reports (e.g. to authorities). Data processing in this context also requires or entails the following:

● The fulfillment of obligations regarding the disclosure, provision and reporting of information, for example in the context of supervisory obligations and requirements under tax law, such as the automatic exchange of information;

● The fulfillment of obligations concerning data retention, as well as the prevention, detection and investigation of criminal offenses and other violations; This includes receiving and processing complaints and other messages, monitoring communications, conducting internal investigations or disclosing documents to a public authority if we are obliged or have a legitimate interest in doing so. Personal data about you may also be processed in the context of external investigations (i.e. those conducted by regulatory authorities and prosecution services or appointed private bodies) and internal investigations. This may also include the computer-assisted analysis of transaction data and payment processes, as well as risk data, in order to identify unusual transactions. Data is always processed either under Swiss law, in accordance with non-domestic regulations to which we are subject, or in keeping with self-regulation, industry standards, our own corporate governance or instructions and requests from public authorities.

 

6.3. Risk management, prevention of fraud and other illegal activities, and prudent corporate management We also process data – in particular, master, transaction, financial, risk-related and behavioral data – for the purposes of risk management, to assist in preventing fraud and other illegal activities, and to ensure prudent corporate management, including business organization and corporate development. We may also process data for the purpose of auditing and optimizing our internal processes (e.g. as part of an audit review). In order to prevent fraud and other illegal activities, we may also conduct internal investigations and process data to detect irregularities (e.g. in card money).

 

6.4. Marketing and customer care purposes We process data for marketing and customer care purposes to allow us to send you, for example, personalized information and recommendations regarding the services provided by us. This information may be sent in a letter or as part of a newsletter, for example, or it may also come in the form of a personal consultation over the phone. The data that we process for the purpose of marketing and customer care includes your master, financial, risk-related, transaction, behavioral and preference data, as well as other information regarding the contractual relationship. You can object to the analysis of certain personal aspects of yourself (profiling) for marketing purposes at any time.

 

6.5. Market research, service and operational optimization and product development We also process your data for the purpose of market research, to optimize our services and operations and to aid in product development. This involves processing your master, transaction, behavioral and preference data, as well as information from surveys and user tests. It is our goal to continually adapt and improve our products and services to the needs of our (potential) users. We are also constantly committed to improving our internal processes and systems, and may also use your data for this very purpose.

 

6.6. Security and access control purposes We may also process your data – in particular your master, technical, behavioral and other data – for security reasons. We continuously review and optimize the security of our IT infrastructure. Maintaining security is also essential when it comes to our services. Nonetheless, it should be noted that the threat posed by data security breaches can never be fully mitigated. The Carbon Reserve combats these risks by adopting appropriate technical and organizational measures.

 

6.7. Communication We also process the data that we collect in connection with communications with you and third parties so that we can send you information or messages, respond to your enquiries and communicate with you. We use your master and communication data in particular for this. We normally store this data on our system in order to document our communication with you, perform quality assurance and refer to it in the event of future enquiries. If you get in touch with us by telephone, e-mail or using a contact form, or if communication via a mobile phone number is required to use specific products, namely SMS, push notification etc., such as to send a confirmation, authentication or activation code, these messages will not be transmitted in encrypted form. For this reason, it cannot be ruled out that they may, for example, be read by unauthorized individuals or intercepted, and that third parties such as Internet or mobile network providers might infer the existence of the banking relationship or gain access to user information.

 

6.8. Other purposes We may process your data for other purposes as well, e.g. to aid our internal processes and administration. Other purposes include the following:

● Administrative purposes, e.g. in order to manage master data, for accounting and data storage, to manage real estate or to test and manage IT infrastructure;

● To safeguard our rights, e.g. to settle claims before, in or out of court, as well as claims brought before public authorities in Switzerland and abroad, or to defend ourselves against claims i.e. by securing evidence, for legal clarifications and participation in court or official proceedings;

● To evaluate and improve internal processes, including internal support in the event of enquiries;

● For analytical and statistical purposes, including, for example, internal analyses for evaluating Key Performance Indicators (KPIs) and for testing purposes.

 

6.9. Training and educational purposes Furthermore, we may also process your data in order to safeguard further legitimate interests which cannot be named exhaustively. If we ask for your consent to process certain data, we will notify you separately about the reasons for doing so.

 

7. What rules apply to profiling and automated decision-making? We may use an automated, i.e. computer-assisted, system when processing and analyzing (including what is known as profiling) your data in order to obtain preference data, detect misuse and security risks, perform statistical analyses or plan our future operations, for example. We may also create profiles for these same purposes. To achieve this, we combine behavioral and preference, master, transaction data, as well as, amongst other things, additional information about the contractual relationship and the technical data that is attributed to you, in a way that helps us develop a better understanding of you. The Carbon Reserve may use automated decision-making processes for reasons of efficiency and uniformity. We will always contact you if any of these decisions have legal implications or significantly affect you in any other way, and will take any and all measures as required by law.

 

8. Who do we disclose your data to? We are bound to confidentiality by data protection law and other regulations. Our services are often developed, prepared and handled by different teams, including in particular those within our Group. This means that your data is processed by various parties including The Carbon Reserve, as well as individuals to whom you transact with and contracted service providers, for example. There are a number of specific risks associated with bank transfers and payment transactions (default, fraud, money laundering, etc.), which need to be investigated by third parties, which necessitates disclosing data to them. In this context, data may be disclosed to third parties as part of processing a transaction, as well as to other entities such as agencies, public authorities, other official bodies and banks. Data may likewise be disclosed in the context of legal provisions, i.e. when we are subject to obligations to clarify, report or provide information. The entities involved in these instances are legally permitted to process your data, but may only do so within the scope of legal and/or contractual provisions. Your data will be disclosed to the following types of recipients:

 

8.1. Service providers We work with service providers in Switzerland and abroad. We procure services from third parties in a range of areas; this allows us to deliver our services cost-effectively, efficiently and safely, and to focus on our own core competencies. These services include IT services, information distribution, financial services, marketing, sales, communications, market research, as well as measures to counter fraud, and services provided by consultants, law firms and rating agencies. We only disclose data that is essential in order for service providers to perform the requested services.

 

8.2. Contractual partners, users and involved parties If you work for a company with which we have concluded a contract or with which we have any other form of relationship, we may share any information with them that is collected as part of your work for that company. We may also share data with other entities that are involved in legal transactions, such as payment recipients, authorized persons, correspondent banks, other financial institutions, payment service providers, third-party depositories and other bodies.

 

8.3. Mobile payment When you use a mobile payment-enabled card, data about the customer, device and mobile payment service provider is exchanged between ourselves, providers and card networks to facilitate card management, perform identity checks, prevent misuse and fraud, comply with legal requirements and process and display transactions.

 

8.4. Authorities and other official bodies We may disclose personal data to agencies, courts and other public authorities or official bodies if we are legally obliged or entitled to do so or in order to protect our legitimate interests. In certain circumstances, we share personal data with courts, public authorities, agencies and other official bodies in order to safeguard our rights, defend ourselves against claims and fulfill our legal obligations. We do this as part of official proceedings and those which take place either in or out of court, as well as in instances in which we are legally bound to share information and cooperate.

 

8.5. Other persons Data may also be disclosed to other recipients. We may, for example, disclose data to: ● Individuals involved in legal or official proceedings; ● Public ● Auditors and other third parties, about whom we will inform you separately where possible (e.g. in declarations of consent or special privacy policy notices)

 

9. Do we disclose personal data abroad? Your data is processed not only by ourselves, but also by other parties where necessary. These parties are not based exclusively in Switzerland. Your data may therefore be processed worldwide, including in countries outside of the EU or the European Economic Area (third countries). We oblige our contractual partners in particular to maintain confidentiality when processing data. Recipients in countries with insufficient legislation on data protection are contractually obliged to comply with data protection regulations, which is usually accomplished by inserting recognized standard contractual clauses. We can choose to waive this requirement if the partner is already subject to regulations designed to ensure data protection and which are recognized in Europe, or if we can make use of an exemption clause. The latter option may particularly apply to legal proceedings outside of Switzerland, in cases of overriding public interest or where the disclosure of data in this way is required to perform the contract, if you have consented to us disclosing data or in instances involving publicly accessible data made available by you that you have not objected to being processed. Please be aware that making transactions and performing services within Switzerland or internationally, requires data about you and third parties to be disclosed to recipients located abroad. Under certain circumstances, they may not be subject to a legal duty of confidentiality and might be located outside our area of influence. We cannot rule out the possibility that authorities or third parties might access transferred data.

 

10. How long do we store your data for? We store your data for as long as we are required to do so in accordance with the applicable legal provisions or to fulfill the purpose of its processing. We also take into account the need to protect our own interests (e.g. to enforce or defend against claims and to ensure IT security and for documentation and evidence purposes). We delete or anonymize your data as part of our normal processes once these purposes have been achieved and our obligation or right to retain it ceases to apply. This may take more than ten years. It may even be necessary to retain some data from a technical standpoint as certain data elements cannot be isolated from others, meaning that we have to store them as a whole (as is the case with backup or document management systems).

 

11. How do we protect your data? We take appropriate technical, organizational and legal security measures to maintain the security of your personal data, safeguard it against unauthorized or unlawful processing and protect it against the risk of loss, accidental modification, unintentional disclosure or unauthorized access. The security measures that we employ in this respect include precautions such as data encryption and pseudonymization, keeping logs, access restrictions, storing backup copies, issuing directives to our employees, confidentiality agreements and data monitoring. We use suitable encryption mechanisms to protect the information you submit via our websites and the Toco App while said data is in transit. We also oblige our third parties to implement appropriate security measures. It is, however, generally impossible to fully mitigate security risks; residual risks are unavoidable.

 

12. Which online tracking and analysis techniques do we use?

 

12.1. Cookies and other technologies Whenever you access a server online (e.g. when you use an app or website), your behavior may be recorded using cookies and other technologies.

 

12.2. Use of technology for essential functions Certain cookies are used to ensure that you can switch between pages without losing any text that you have entered in a form, or for saving preferences such as language selection for future sessions. Other cookies and tools are required to ensure functions such as managing and saving settings. Blocking them may therefore prevent certain technologies from working. Certain functions in the Toco App are restricted, or may no longer work if certain access authorizations (e.g. camera access, push notifications, biometrics etc.) are not accepted. Information stored in log files is re-used to ensure that online services are secure and continue to function (e.g. by detecting faults or fraudulent intent).

 

12.3. Google Analytics We use Google Analytics to generate usage reports for the Toco App, which we do by authorizing Google to track the behavior (visit duration, frequency of pages accessed, geographical origin of access, etc.) of visitors to The Carbon Reserve website, the Toco App and the publicly accessible section of our website. To do this, Google utilizes cookies (for the website) and the tracking functions in the Toco App. Google Analytics is provided by Google LLC, and Google Ireland Ltd is responsible for compliance with data protection law. Furthermore, we do not send any information to Google that it can link to our users. Google provides us with reports and evaluations based on the collected user data, and is our order processor in this sense. Google also processes this data to optimize its products and services.

 

13. What rights do you have? You have the right to:

● Information about your personal data and its processing by us;

● To rectify incorrect or incomplete data; and

● To object to our processing of your data. In certain cases, you also have the right to receive certain data in a structured, established and machine-readable format. If the processing of personal data requires your consent, you may withdraw this consent at any time. Such a withdrawal applies only with regard to future processing. If we make a decision that affects you by means of an automated process and this results in a legal impact on you or otherwise has a significant effect on you, you have the right to speak to a person responsible for these matters at our company and to request that they reconsider the decision. If such an event occurs, we will contact you separately. Should you wish to exercise your rights concerning us, please send us a signed letter and a clearly legible copy of your identity document to allow us to identify you and to prevent misuse. You can revoke consent by other means, provided we give them as an option.

 

14. Can this Privacy Policy be amended? We reserve the right to amend this Privacy Policy at any time. Last updated: February 2024.