Privacy Policy in accordance with the Swiss Data Protection Act (DSG)

AlpsCon GmbH (hereinafter "AlpsCon") as the operator of the website https://alpscon.ai/ takes the protection of personal data very seriously. We treat personal data confidentially and in accordance with the statutory data protection regulations as well as on the basis of these privacy notes. The legal bases can be found in particular in the General Data Protection Regulation (GDPR) as well as in the German Federal Data Protection Act (BDSG) and in the Swiss Federal Act on Data Protection (FADP) in its current version.

When you use this website, various personal data are processed depending on the type and scope of use. Personal data is information that relates to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly (e.g., by means of association with an online identifier). This includes information such as name, address, telephone number and date of birth.

These privacy notes inform you in accordance with Art. 12 ff. GDPR and the requirements of the Swiss FADP about the handling of your personal data when using our website. In particular, it explains what data we collect and what we use it for. It also informs you about how and for what purpose this happens.

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.). The controller within the meaning of the GDPR and the applicable national data protection laws (in particular BDSG) as well as the Swiss FADP is:

1. Accessing and Visiting our Website – Server Log Files

For the purpose of the technical provision of the website, it is necessary that we process certain information automatically transmitted by your browser so that our website can be displayed in your browser and you can use the website. This information is automatically collected each time you access our website and automatically stored in so-called server log files. These are:

• Browser type and browser version
• Operating system used
• Website from which access is made (referrer URL)
• Hostname of the accessing computer
• Date and time of access
• IP address of the requesting computer

The storage of the aforementioned access data is necessary for the provision of a functional website and to ensure system security for technical reasons. This also applies to the storage of your IP address, which is necessarily carried out and under further conditions can at least theoretically enable an assignment to your person. Beyond the purposes mentioned above, we use server log files exclusively for the demand-oriented design and optimization of our internet offer purely statistically and without reference to your person. A merge of this data with other data sources will not be done, also an evaluation of the data for marketing purposes does not take place.

The access data collected in the course of using our website are only kept for the period for which these data are needed to achieve the aforementioned purposes. Your IP address is stored on our web server for IT security purposes for a maximum of 7 days.

To the extent that you visit our website to inform yourself about or use our product and service offerings, the basis for the temporary storage and processing of the access data is Art. 6 (1) sentence 1 lit. b GDPR (legal basis), which permits the processing of data for the performance of a contract or for the implementation of pre-contractual measures. In addition, Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the temporary storage of the technical access data. Our legitimate interest in this is to be able to provide you with a technically functioning and user-friendly designed website as well as to ensure the security of our systems.

For users residing in Switzerland, the following applies additionally: The legal basis is Art. 31 (1) FADP, according to which processing is permissible if it is necessary for the performance of a contract or for the protection of overriding private or public interests.

2. Use of Cookies and Related Functions/Technologies

We sometimes use so-called cookies on our website. Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure and to enable the provision of certain functions. Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that enables unique identification of your browser when the website is called up again.

Most of the cookies we use are so-called "session cookies". They are automatically deleted after the end of your visit or your browser session (so-called transient cookies). Other cookies remain stored on your end device for a predetermined period of time or until you delete them (so-called persistent cookies). These cookies enable us to recognize your browser on your next visit. Upon written request, we will be happy to provide further information about the functional cookies used. Please then contact the above contact details.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. The procedure for deactivating cookies can usually be obtained via the "Help" function of your internet browser. When cookies are deactivated, the functionality and/or the full availability of this website may be limited. For further cookie-specific setting and deactivation options, please also see the individual explanations below on the cookies and related functions/technologies specifically used during the visit to our website.

Some of the cookies we use on our website come from third parties who help us to analyze the effect of our website content and the interests of our visitors, to measure the performance and performance of our website or to place demand-oriented advertising and other content on our or other websites. As part of our website, we use both first-party cookies (only visible from the domain you are currently visiting) and third-party cookies (visible across domains and regularly set by third parties).

The cookie-based data processing is carried out on the basis of your consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR (legal basis) or on the basis of Art. 6 (1) sentence 1 lit. f GDPR (legal basis) to protect our legitimate interests.

For Switzerland, the following applies additionally: The legal basis is Art. 31 (1) FADP in conjunction with your consent or our overriding interest in a secure, user-friendly and functional website. Consent given can be revoked at any time.

Our legitimate interests in this regard are in particular to be able to provide you with a technically optimized and user-friendly and demand-oriented website as well as to ensure the security of our systems. Consents that you have given us can be revoked at any time, e.g. by correspondingly deactivating the cookie-based tools/plugins listed in detail in the following overview. By means of appropriate settings, you can also object to processing based on legitimate interests.

3. Google Analytics

This website uses the functions of Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on the basis of your consent given to us (Art. 6 (1) sentence 1 lit. a GDPR). You can voluntarily give us your consent when you access our website by pressing the corresponding button in the "cookie banner" ("Accept") or reject the use of Google Analytics ("Reject"). We store your selection in a separate cookie (Art. 6 (1) sentence 1 lit. f GDPR) on the basis of the legitimate interest in respecting your decision and no longer displaying the cookie banner.

Additionally under Swiss law: The legal basis is Art. 31 (1) FADP in conjunction with your consent for the analysis of the use of our website. You can revoke your consent at any time.

Regularly, data is also transmitted to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as part of the processing described below. Google Ireland Limited and Google LLC are hereinafter collectively referred to as "Google". Google Analytics uses cookies (first-party cookies) that enable an analysis of your use of the website. However, this does not mean that we immediately become aware of your identity as a result. Google uses the information generated by the cookies on our behalf to evaluate the use of the website, to compile reports on website activity and to provide us with other services related to website and internet use. This allows us to improve the quality of our website and its content. We learn on the basis of statistical analyses how the website is used and can thus continuously optimize our offer.

The information generated by the Google Analytics cookies about your use of this website (for example, time, place and frequency of your website visit including your IP address) is transmitted to a Google server in the USA and stored there. Google is certified under the Privacy Shield agreement (https://www.privacyshield.gov/eu-us-framework). We have set the storage period at Google for the corresponding data to 14 months at user and event level (shortest possible setting option).

a) IP anonymization

We have activated the IP anonymization function on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA and is thereby anonymized. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

b) Browser plugin

You can prevent the storage of Google Analytics cookies by setting your browser software accordingly (see above). You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

c) Objection to data collection

Alternatively, you can activate/deactivate the collection of your data by Google Analytics, especially on mobile devices, by clicking on the following link:
Deactivate Google Analytics

When deactivated, a cookie is set that prevents the collection of your data on future visits to this website.

Specifically, the following tracking cookies are used by Google Analytics: __utmz, __utma, __utmb, __utmc, __utmt.

More information on the handling of user data at Google Analytics and the security and privacy principles as well as setting and objection options can be found in Google's privacy policy, available at the following link: https://support.google.com/analytics/answer/6004245?hl=de.

4. Sumsub

To fulfill legal requirements as part of identity verification (in particular in accordance with the Money Laundering Act - GwG) and for fraud prevention, we use the service provider Sum and Substance Ltd. ("Sumsub"), 30 St. Mary Axe, London, EC3A 8BF, United Kingdom.

Sumsub acts as a processor within the meaning of Art. 28 GDPR. The following personal data are processed as part of the verification process:

• Identity data (e.g. name, date of birth, nationality)
• Contact data
• Identity documents (e.g. ID card, passport)
• Biometric data (e.g. photo or video recordings for liveness checks)
• Technical metadata (e.g. IP address, device type, timestamp)

The processing is carried out exclusively for the purpose of carrying out legally required KYC (Know Your Customer) and, if applicable, KYB (Know Your Business) checks, to fulfill money laundering obligations and for abuse and fraud prevention. The legal basis is Art. 6 (1) lit. c GDPR in conjunction with the Money Laundering Act (GwG); additionally, Art. 6 (1) lit. f GDPR (legitimate interest) may be used.

Under Swiss FADP, processing is permissible if it is necessary to fulfill a legal obligation (e.g. Money Laundering Act) or to safeguard overriding private interests (Art. 31 (1) FADP).

Sumsub processes data in the United Kingdom. For the United Kingdom, the European Commission has established an adequate level of data protection by decision of 28 June 2021 in accordance with Art. 45 (3) GDPR. This decision currently applies until 27 December 2025. As long as the adequacy decision exists, no additional guarantee is required. Should the adequacy not continue in the future, we will ensure an adequate level of protection by concluding EU standard contractual clauses or comparable suitable guarantees within the meaning of Art. 46 ff. GDPR.

Further information on data processing by Sumsub can be found at: https://sumsub.com/privacy-notice-service/

5. Further processing purposes

Compliance with legal regulations: We also process your personal data in order to fulfill other legal obligations that may affect us in connection with our business activities. These include in particular commercial, trade or tax retention periods. We process your personal data in accordance with Art. 6 (1) sentence 1 lit. c GDPR (legal basis) to fulfill a legal obligation to which we are subject.

Legal enforcement: We also process your personal data in order to be able to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary to prevent or prosecute criminal offenses. We process your personal data here to protect our legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f GDPR (legal basis), insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal offenses (legitimate interest).

Under Swiss law, these processing operations are also based on Art. 31 (1) FADP (legal obligation or overriding interests).

Consent: If you have given us consent to the processing of personal data for specific purposes (e.g. sending information material and offers), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time. This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force, i.e. before 25.5.2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

Within the AlpsCon company, those departments have access to your data that need it to fulfill our contractual and legal obligations. Service providers and vicarious agents used by us (e.g. technical service providers, shipping companies, disposal companies) may also receive data for these purposes.

We limit the disclosure of your personal data to what is necessary, taking into account data protection requirements. In some cases, the recipients receive your personal data as processors and are then strictly bound by our instructions when handling your personal data. In some cases, the recipients act independently under their own data protection responsibility and are also obliged to comply with the requirements of the GDPR and other data protection regulations.

Finally, in individual cases we transmit personal data to our advisors in legal or tax matters, whereby these recipients are obliged to maintain special confidentiality and secrecy due to their professional status.

As part of the use of the aforementioned tools, e.g. Google, we may transfer your IP address to third countries (see above).

With regard to the USA, the data transfer is based on the EU-US Data Privacy Framework. In this respect, the European Commission certifies by means of an adequacy decision a level of data protection that is comparable to the EEA standard. Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organizations, unless expressly stated otherwise in these privacy notes.

For the United Kingdom, the European Commission has determined by decision of 28 June 2021 that there is a level of data protection equivalent to the EU General Data Protection Regulation (Art. 45 (3) GDPR). This decision was last extended until 27 December 2025. As long as the adequacy decision applies, no additional guarantees are required. Should the adequacy not continue in the future, we will ensure an adequate level of data protection by concluding EU standard contractual clauses or comparable instruments.

For users residing in Switzerland: A data transfer to a third country only takes place if an adequate level of data protection within the meaning of Art. 16 FADP is guaranteed there. If there is no adequacy decision by the Swiss Federal Council or the European Commission, we ensure that appropriate guarantees (e.g. standard contractual clauses) are agreed.

We process and store your personal data initially for the duration for which the respective purpose of use requires corresponding storage (see above for the individual processing purposes). This may also include the periods of initiation of a contract (pre-contractual legal relationship) and execution of a contract. On this basis, personal data is regularly deleted in the course of fulfilling our contractual and/or legal obligations, unless their temporary further processing is necessary for the following purposes:

• Fulfillment of legal retention obligations, which arise, for example, from the German Commercial Code (§§ 238, 257 para. 4 HGB) and the Fiscal Code (§ 147 para. 3, 4 AO). The retention periods specified there are up to ten years.
• Preservation of evidence taking into account the statutes of limitations. According to §§ 194 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

Personal data is protected by us by means of appropriate technical and organizational measures to ensure an adequate level of protection and to safeguard the personality rights of the data subjects. The measures taken serve, among other things, to prevent unauthorized access to the technical equipment used by us and to protect personal data from unauthorized access by third parties. In particular, this website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as your contact inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties. Nevertheless, we would like to point out that data transmission on the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible in this respect.

Under the legal conditions, you have the following rights as a data subject:

Right of access: You have the right to obtain from us at any time, within the framework of Art. 15 GDPR, confirmation as to whether we are processing personal data concerning you; if this is the case, you are further entitled, within the framework of Art. 15 GDPR, to information about this personal data as well as certain further information (including the purposes of processing, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of transfers to third countries, the appropriate guarantees) and a copy of your data. The restrictions of § 34 BDSG apply.

Right to rectification: You have the right to request that we rectify the personal data stored about you if it is incorrect or erroneous, in accordance with Art. 16 GDPR.

Right to erasure: You have the right to request that we erase personal data concerning you without delay under the conditions of Art. 17 GDPR. The right to erasure does not exist, among other things, if the processing of the personal data is necessary, for example, to fulfill a legal obligation (e.g. statutory retention obligations) or to assert, exercise or defend legal claims. In addition, the restrictions of § 35 BDSG apply.

Right to restriction of processing: You have the right to request that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

Right to data portability: You have the right to request that we transfer the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format under the conditions of Art. 20 GDPR.

Right to withdraw consent: You can withdraw consent given to the processing of personal data at any time. This also applies to the withdrawal of declarations of consent that were given to us before the GDPR came into force, i.e. before 25.5.2018. Please note that the withdrawal only takes effect for the future. Processing that took place before the withdrawal is not affected. An informal notification, e.g. by e-mail to us, is sufficient to declare the withdrawal.

Right to object: You have the right to object to the processing of your personal data under the conditions of Art. 21 GDPR, so that we must cease processing your personal data. The right to object only exists within the limits provided for in Art. 21 GDPR. In addition, our interests may oppose a cessation of processing, so that we are entitled to process your personal data despite your objection. We will immediately comply with any objection to any direct marketing measures without renewed weighing of the existing interests.

Information about your right to object according to Art. 21 GDPR: You have the right to object at any time to the processing of your data which is carried out on the basis of Art. 6 (1) sentence 1 lit. f GDPR (data processing on the basis of a balancing of interests) or Art. 6 (1) sentence 1 lit. e GDPR (data processing in the public interest), if there are reasons for this which arise from your particular situation.

If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.

The objection can be made informally and should preferably be addressed to:

Right to lodge a complaint with a supervisory authority: Under the conditions of Art. 77 GDPR, you have the right to lodge a complaint with a competent supervisory authority. A list of data protection supervisory authorities and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

You can reach the Swiss supervisory authority here:
https://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/adresse.html

Other concerns: For further data protection questions and concerns, our data protection officer is available to you. Corresponding inquiries as well as the exercise of your above rights should, if possible, be sent in writing to our address above or by e-mail to admin@alpscon.ai.

For data subjects residing in Switzerland, the rights under Art. 25 ff. FADP (information, correction, deletion, restriction of processing, objection) apply additionally. These can be asserted at AlpsCon or at the Federal Data Protection and Information Commissioner (FDPIC).

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to provide you with our website without restrictions or answer your inquiries to us. Personal data that we do not absolutely need for the aforementioned processing purposes are marked accordingly as voluntary information.

We do not use automated decision-making or profiling (an automated analysis of your personal circumstances).

1. These privacy notes are currently valid and have the status of October 30, 2025.

2. Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to change these privacy notes.