Data Privacy Policy

In this privacy policy, Baryon AG outlines how it collects, processes, and protects personal data of the following individuals (“affected persons”) in the context of its business operations and on its web presence www.baryon.com: (i) potential clients, (ii) persons who maintain a business relationship with Baryon AG or are about to establish one (“clients”), and (iii) natural persons whose data is transmitted to Baryon AG by the client or otherwise becomes known to Baryon AG in connection with services Baryon AG provides to the client (“associated individuals”). Such associated individuals include, for example (without claiming completeness): (i) any member of the board of directors, executive, authorized signatory, or employee of a company, (ii) a trustee, settlor, or protector of a trust, (iii) any person beneficially entitled to the client’s assets, (iv) a person with the potential to exert controlling influence, (v) a payee of a specific payment instrument, (vi) a representative or agent of a client, or (vii) any other natural person related to the client in a manner relevant to the business relationship between the client and Baryon AG.

Furthermore, this privacy policy aims to inform the affected persons about their rights concerning personal data collected and processed by Baryon AG. Please note: what personal data is processed and how it is used largely depends on the specific products and services requested or agreed upon in each individual case.

Wherever Baryon AG uses “you” or “your” in this privacy policy, it refers to an affected person in the sense defined previously.

In cases where Baryon AG provides separate or additional information on how it uses data of affected persons concerning specific products or special services, this information should also be taken into account. Moreover, this privacy policy remains applicable even if agreements between Baryon AG and the affected persons regarding individual products and services no longer apply.

Please familiarize yourself with this privacy policy and also forward it to all associated individuals before providing Baryon AG with personal data of these associated individuals.

1. Who is responsible for data processing and how can you contact us for data protection concerns?

Legally responsible or the “responsible party” in terms of data protection legislation for the processing of personal data described in this privacy policy is:

Baryon AG
Weisses Schloss
General-Guisan-Quai 36
CH-8002 Zurich
(UID: CHE-108.651.822)

The affected person can contact Baryon AG in writing for data protection concerns via the following email address:

Email address: baryon@baryon.com

To prevent misuse, data protection inquiries will only be answered in writing and upon presentation of proof of identity (copy of your passport or your ID). The information is free and is usually provided within 30 days.

2. Legal basis

Baryon AG has published the present revised privacy policy in view of the completely revised Swiss Federal Act on Data Protection (“FADP”) of September 25, 2020, effective as of September 1, 2023, and taking into account the EU General Data Protection Regulation (“GDPR”). The GDPR is the data protection regulation of the European Union (“EU”) which, under certain circumstances, can be applied to companies outside the EU or in the case of third-party services that process personal data within the territory of the EU/EEA.

Regarding the terms used, such as “personal data” or its “processing”, reference is made to the definitions in Art. 5 FADP.

3. Principles of data processing

Personal data is processed by Baryon AG in accordance with, among others, the following legal principles:

• Processing is carried out in good faith and must be proportionate;
• Processing only occurs for purposes recognizable to the affected parties and only as long as it’s consistent with these purposes;
• Data will be destroyed or anonymized as soon as its processing is no longer necessary and as long as no legally stipulated exceptions apply;
• Apparently incomplete or incorrect data will be corrected or deleted;
• Consents of the affected parties in data processing are only valid if given voluntarily after appropriate information;
• The principles of “Privacy by Design” and “Privacy by Default” are observed.

4. What sources and personal data does Baryon AG use?

The personal data processed by Baryon AG comes from various sources. These include personal data that originates from a potential, existing, or previously dissolved business relationship with Baryon AG or that is transmitted to Baryon AG by an affected person when purchasing or applying for a product or service.

Some personal data comes directly from the affected person. Others are provided by third parties such as the client’s custodian banks, other client advisors, intermediaries, etc. Personal data can also be obtained from publicly accessible information sources, through the combination of different pieces of information, or generated by Baryon AG itself.

The collected personal data may specifically include the following information:

a) Information transmitted by an affected person to Baryon AG, such as:

• Personal details (e.g., name, address, and other contact details like date of birth, place of birth, and nationality);
• Information about an affected person that Baryon AG obtains from the content of forms and documents of the custodian bank or Baryon AG or during communication with Baryon AG, whether it’s in person, over the phone, via email, electronic media, by mail, or otherwise;
• Identity information of a client, a related individual, or a potential client (e.g., information contained in passports, including a photo) or for authentication purposes (e.g., signature samples).

b) Information about an affected person that Baryon AG collects or generates:

• Data from the client relationship (e.g., held products and services provided), data related to securities and payment transactions, and other finance-related information;
• Information that Baryon AG collects or generates to meet its obligations under regulatory requirements concerning combating money laundering or other legal provisions (e.g., information about the origin of assets and the beneficial ownership);
• Information that Baryon AG collects or generates for risk management purposes, such as data serving due diligence (including the results of periodic reviews). For Baryon AG asset management clients, this especially involves creating risk profiles and calculating individual risk budgets, suitability and appropriateness assessments, client qualification data (e.g., regarding classification as a qualified investor), client segment allocation data, and creating estimates by combining various pieces of information from client history;
• Information contained in relevant client files and client documentation or derived from other comparable information sources;
• Promotional information (e.g., newsletters, received documents, invitations and participation in events and special activities, personal preferences and interests, granted or revoked consents);
• Information generated or exchanged during a visit to the website www.baryon.com by the affected person.

c) Information about an affected person that Baryon AG collects otherwise, such as:

• Information about the client relationship from the client’s custodian banks within the context of agreed services with Baryon AG;
• Information from the client’s tax advisors;
• Information from publicly accessible sources and combined information from external sources (e.g., corporate and media broadcasts, information collected in social exchanges between individuals, organizations, potential clients, and other stakeholders by companies that compile information).

Baryon AG may also collect and process other personal data and will inform you on a case-by-case basis if required by law.

5. For what purposes does Baryon AG process personal data (purpose of processing) and on what legal basis?

Baryon AG processes personal data of the affected person primarily for the purpose of tax and legal advice as well as asset management, associated administrative processes, and concerning the web presence at www.baryon.com, for ensuring smooth technical access to the information present on the website. The data processing by Baryon AG is not intended, unless explicitly declared otherwise, to purposefully collect and evaluate personal data or to pass it on to third parties.

The processing follows the provisions of the FADP and the GDPR. Baryon AG only processes personal data to the extent that there is a legitimate legal basis for doing so. Processing is deemed appropriate and purposeful, especially when:

a) based on your consent (Art. 6 Para. 6 in conjunction with 31 Para. 1 FADP / 6 Para. 1 lit. a GDPR)

If you have given Baryon AG consent to process personal data for specific purposes, the legality of this processing is based on your consent. A given consent can be revoked at any time. However, please note that a revocation does not affect the legality of data processing carried out up to the point of revocation. Nevertheless, Baryon AG may still be allowed to continue processing your personal data if they can cite other legitimate reasons for doing so.

b) for the fulfillment of contractual obligations (Art. 31 Para. 1, 2 lit. a FADP / 6 Para. 1 lit. b GDPR)

• Personal data processing is carried out to deliver services and fulfill contracts with the affected individuals or in steps leading to the conclusion of a contract (e.g., with potential clients).
• The purposes of data processing are based primarily on the specific contract or needs of a particular product or service (e.g., asset management, investment advisory, consultancy, tax advice, legal advice) and may include needs analysis, consultation, asset management, other financial services or related services, and the execution of transactions. Further details on the data processing purposes can also be found in the respective contract and product information and correspondence with Baryon AG, as well as in the “Client Information Asset Management” brochure of Baryon AG.

c) due to legal requirements (Art. 31 Para. 1 FADP / 6 Para. 1 lit. c GDPR) or in the public interest (Art. 31 Para. 1 FADP / 6 Para. 1 lit. e GDPR)

Furthermore, Baryon AG is subject to various legal obligations, i.e., statutory requirements (e.g., Financial Service Act, Financial institutions Act, Collective Investment Schemes Act, Financial Market Infrastructure Act, Anti-Money Laundering Act, regulations and circulars from regulators, and tax laws, ordinances and circulars from FINMA). The processing purposes also include identity verification, anti-fraud and anti-money laundering measures, fulfilling reporting and control obligations under fiscal and other laws, and evaluating and managing the risks of Baryon AG.

d) within the context of overriding or legitimate interests (Art. 31 Para. 1 FADP / 6 Para. 1 lit. f GDPR)

If necessary, Baryon AG processes personal data beyond the actual fulfillment of the contract to safeguard legitimate interests of Baryon AG or third parties. Examples include:

• Pursuing the exchange between Baryon AG and clients, associated individuals, and potential clients (in person, by phone, email, post, or other communication means);
• Assertion of legal claims and defense in legal disputes;
• Exchanging information with legal advisors, third intermediaries, and custodian banks;
• Monitoring, controlling, and enforcing Baryon AG’s internal operational requirements related to revision and administrative purposes;
• Prevention and investigation of criminal offenses;
• Risk control within Baryon AG;
• Advertising, as long as the affected individuals have not objected to the use of their personal data for advertising purposes;
• Compliance with applicable Swiss and other legal and regulatory requirements.

6. Confidentiality / who receives personal data?

At Baryon AG, the confidentiality of personal data is given particular importance within the scope of activities in the areas of tax, legal or wealth advisory and asset management. Unless explicitly mentioned in this privacy statement, such as in the context of data processing by contractors or the use of third-party services as part of the online presence at www.baryon.com, or unless it is evidently intended for sharing, personal data is treated confidentially and is not passed on to third parties or sold to third parties for their own purposes.

Within Baryon AG, those departments that need access to the data of affected individuals to provide the agreed service, related administrative processes, and to fulfill the contractual and legal obligations of Baryon AG, or as further described in this privacy statement, will have access.

Baryon AG is authorized to have personal data processed by contractually bound external service providers or agents (“processors”), which also includes cloud services. These are primarily the client’s custodian banks and companies in the fields of IT services, logistics, printing services, telecommunications, consulting, and sales and marketing. They are legally or contractually obligated to comply with data protection laws and to ensure confidentiality or client secrecy to the same extent as Baryon AG. They may process the data of affected individuals only to the same extent as Baryon AG would be allowed. Baryon AG is also obligated to regularly ensure that the processors used are able to ensure data security adequately.

With respect to data sharing with other recipients outside of Baryon AG, it’s important to note that Baryon AG, as a regulated asset manager, tax and legal advisor, is generally bound by confidentiality regarding all client-related facts and evaluations which become known to Baryon AG. Baryon AG may only share information about you if required by law, if you have given your consent, and/or where Baryon AG is authorized to provide such information. Under these conditions, recipients of personal data might include:

• Public bodies and institutions (e.g., Swiss Financial Market Supervisory Authority (FINMA), other regulatory and financial authorities, tax authorities, social insurance authorities, law enforcement agencies, courts) if there’s a legal or official obligation.
• Other financial service institutions or similar entities and data processors to which Baryon AG transfers personal data for conducting business relations with the affected person (e.g., custodian banks, clearing and settlement systems, brokers, stock exchanges, information offices, service providers, companies holding securities of the affected person).
• Holders of joint accounts, trustees, beneficiaries, power of attorney holders, board members, directors, in relation to a business relationship with you and Baryon AG.
• Authorized representatives towards Baryon AG or executors of wills.
• Custodian banks through which Baryon AG conducts transactions for you within the framework of the agreed services.
• Auditors or dispute resolution bodies.

Additional recipients of personal data could be those bodies to which you have given your consent for data transmission, or banks you have released from banking confidentiality by declaration or consent.

7. Is personal data transferred to other countries?

Under certain circumstances, personal data can be transferred to entities outside of Switzerland and stored there. This includes entities that might not have the same level of protection for personal data as Switzerland. Baryon AG will always do this in a manner consistent with data protection legislation. Baryon AG might need to transfer your personal data in instances such as:

• To fulfill a contract with you (e.g., in the case of a client’s custodian bank abroad when transmitting orders within the framework of the agreed service).

Transfers of personal data to recipients in countries outside of Switzerland, the EEA, and the EU (so-called third countries) will occur where:

• It is necessary for the execution of instructions or the performance of contracts (e.g., instructions for securities);
• It is required by law (e.g., reporting obligations under fiscal legislation);
• It is related to the processing of order data, including the processing of personal data within cloud solutions; or
• You have given your consent.

When your personal data is to be transferred to third parties in countries where there is no adequate level of data protection, Baryon AG, where legally required, will ensure that they take appropriate measures (e.g., contractual arrangements; recognized standard contract clauses, e.g., in accordance with Art. 46 para. 2c GDPR; other provisions or justifications) to ensure that personal data remains adequately protected.

Further details regarding the protection afforded to your information in individual cases when it is transferred out of Switzerland, can be obtained by contacting Baryon AG at the address mentioned in item 1 above.

8. How is the security of personal data ensured?

Baryon AG establishes internal technical and organizational measures (TOM) according to current technical standards to secure and protect data of affected individuals. Such measures can take the form of encryption, anonymization, access restriction, as well as physical security measures. Baryon AG requires its employees and all third parties who perform work for Baryon AG to adhere to appropriate compliance standards in the area of TOM, which includes the obligation to protect any information and to apply appropriate precautions during the handling or transfer of such data.

For security reasons and to protect the transmission of information, the website www.baryon.com uses SSL/TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://”. When SSL or TLS encryption is activated, the data you transmit to us by visiting our website cannot be read by third parties.

Important: Please note that, as a general rule, for organizational and technical reasons, Baryon AG sends emails unencrypted. In particular, we will also reply in unencrypted form to unencrypted emails that we receive. This also applies to emails to addresses that we used for communication with you before this privacy statement was drafted. You are responsible for protecting your email accounts. Baryon AG cannot be held liable for damages and consequential damages, such as manipulation, deletion, forgery, distribution, etc., due to insufficient security measures of the email accounts you use. You can or must inform us if you wish to avoid communication via email (if not already done).

9. How long is personal data stored?

Baryon AG processes and stores data related to affected individuals for as long as it is necessary for the fulfillment of Baryon AG’s contractual and legal obligations or as covered by overriding interests. Client data will be deleted 10 years after the conclusion of the last procedure of a client relationship, subject to the following exceptions. Unless otherwise agreed or prescribed by legal regulations, Baryon AG is not obliged to keep data of affected individuals for an extended period.

It’s essential to consider the retention duration, as business relationships with Baryon AG are often designed as continuous and long-term contractual relationships spanning several years. If personal data is no longer necessary for fulfilling contractual or legal obligations and there are no overriding interests against it, they are regularly deleted, subject to the following limitations:

• Compliance with commercial and tax retention periods: such as are found, for example, in the Swiss Code of Obligations (CO) and related ordinances, the Federal Act on Value Added Tax (VATA), the Federal Act on Direct Tax (DTA), the Federal Act on Harmonization of Direct Taxes of the Cantons and Municipalities (THA), the Federal Act on Stamp Duties (SDA), the Federal Act on Withholding Tax (WTA), and the Financial Institutions Ordinance (FinIO) concerning the treatment of contact and message-free assets.
• Preservation of evidence in connection with compliance with statute of limitations.
• Compliance with specific retention requirements, such as “Legal Holds”, i.e., processes established by Baryon AG to ensure all relevant information when litigation is objectively expected or already pending. In such cases, Baryon AG may be forced to keep the information indefinitely.
• For completing documentation related to an ongoing business relationship associated with Baryon AG (e.g., origin of assets, course of business initiation, performance development).

10. Is there an obligation for the affected person to provide data?

In the context of a business relationship with Baryon AG, the affected individual must provide all personal data that is necessary for the initiation and execution of such a business relationship and the fulfillment of the associated contractual obligations, or which Baryon AG is legally required to collect. For wealth management services, for instance, this also includes information regarding experiences and knowledge with financial instruments, financial circumstances and their structure and risks, education and professional activity, details about investment objectives, planned inflows and outflows of funds, or other information that serves to determine a meaningful risk profile or individual risk capacity. Typically, without the collection and processing of personal data, Baryon AG will not be able to conclude a contract or, consequently, accept and execute an instruction. Affected individuals are responsible for ensuring that the information provided to Baryon AG is accurate and current.

Baryon AG is obligated, especially under anti-money laundering regulations, to identify an affected individual based on their identification document (e.g., ID card) before initiating a business relationship and, for this purpose, to collect and record details such as name, place of birth, date of birth, nationality, address, and other data. To comply with this legal obligation, an affected person must provide Baryon AG with the necessary information and documents required by the Anti-Money Laundering Act and promptly notify any changes that occur during the business relationship. If an affected individual does not provide Baryon AG with the necessary information and documents, Baryon AG may neither initiate nor continue the desired business relationship.

If you provide Baryon AG with information concerning an individual connected to your business relationship (like associated individuals), you are obligated to inform such individuals about the personal data you have made available to Baryon AG. You are also required to ensure that these individuals are informed about the contents of this privacy policy.

11. Is there “profiling” or “automated decision-making”?

Baryon AG does not automatically process data of affected individuals with the aim of evaluating certain personal aspects specific to the individual (“Profiling”).

12. Cookies

Our website www.baryon.com uses cookies. Cookies are small files stored on your computer by your browser when you visit our website. We use cookies to make our website more user-friendly. For example, cookies can show how visitors navigate on the website and can also serve to save a user’s settings between visits. Cookies are stored on the visitor’s device and transmitted by it to the website.

Certain cookies used on the Baryon AG website are so-called “Session-Cookies”. They are automatically deleted at the end of the visit. Other cookies remain stored on the visitor’s device until they delete them. These cookies enable us to recognize the visitor on their next visit. They contain an identification number through which the website operator can identify the querying device. This way, the website operator can improve their services when the user revisits the website. Baryon AG does not associate any specific individuals with this identification number.

When accessing the website, a pop-up display allows the visitor to consent to the use of cookies or to restrict the use of cookies. Furthermore, visitors can configure their web browser to display a warning on the screen before saving a cookie, or to restrict or prevent the creation of cookies entirely. Through their web browser, visitors can also delete cookies later on or activate the automatic deletion of cookies when closing the browser. Using the help functions of their browser, visitors can learn how to adjust the cookie settings. However, it should be noted that, for technical reasons, deactivating or deleting cookies might result in not being able to use all the functions of the website to their full extent.

13. Use of third-party services as part of the online presence

Baryon AG may incorporate commercially available digital content or service offers or corresponding programs from third-party providers within its online presence at www.baryon.com to use their content and services, such as fonts or traffic analysis services (“third-party services”).

The use of these third-party services always requires that the third-party providers capture the IP address of the website visitor, as they cannot send information to the visitor’s browser without the IP address. Thus, the visitor’s IP address is necessary for the operation of third-party services. Third-party providers might also use so-called pixel tags (invisible graphics, also referred to as “Web Beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. Such information can also be stored in cookies on the device of website visitors and can include technical information about the browser and operating system, referring websites, visit time, and other details about the use of our online services. It can also be linked to such information from other sources. Depending on the third-party service, other information about the visitor might be collected, used for the third party’s own purposes, and possibly processed abroad.

Within such third-party services, only website visitor information (IP address, pixel tags, date/time of access, navigation behavior, etc.) and no actual client data from tax, legal, or wealth management areas are collected and processed by third parties. Such third-party services, and the accompanying extent of data processing, constantly change due to updates, bug fixes, new releases, or other program modifications. The affected individual acknowledges that Baryon AG cannot assume responsibility for the processing of personal data within such third-party services due to a lack of influence. Upon request, directed to the contact address listed above in point 1, Baryon AG will, however, inform the affected person of the third-party services currently used on the online presence and provide further information about these services so that the affected person can inquire further about the data processing undertaken by the third-party service provider.

14. What rights do you have as an affected individual?

According to data protection legislation, you have the following rights:

• The right to information about data processing (Art. 19 FADP)
• The right to access (Art. 25 FADP / 15 DPO)
• The right to correction of data (Art. 6 para. 5 FADP; 32 para. 1 FADP / 16 DPO)
• The right to deletion of data (“Right to be forgotten”; Art. 6 para. 4 FADP; 32 para. 2 lit. c FADP / 17 DPO)
• The right to object, as well as to restrict (“block”) or stop the processing of data (Art. 30 para. 2 lit. b; 32 para. 2 lit. a, b FADP / 18, 21 DPO)
• The right to revoke consent to data processing (Art. 30 para. 2 lit. b FADP)
• The right to data release and portability (Art. 28 FADP / 20 DPO)
• The right to information for automated individual decisions (Art. 21 FADP)
• The right to appeal to the competent supervisory authority (see below for more details).

Right to object to data processing for direct advertising purposes

In individual cases, Baryon AG processes your personal data for the purpose of direct marketing, e.g., to send you the newsletter or to invite you to events or functions. You have the right at any time to object to the processing of your personal data concerning such advertising purposes. If you object to processing for direct advertising purposes, Baryon AG will no longer process your personal data for these purposes.

Case-specific right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. If you object, Baryon AG will no longer process your personal data unless Baryon AG can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing of which serves the establishment, exercise or defense of legal claims. Please note that Baryon AG, due to a restriction or cessation of the processing of your personal data as a result of an objection, will often no longer be able to provide services to you or maintain a business relationship with you.

Submission of the objection

For evidential purposes, objections should be made in writing and addressed to the point of contact at Baryon AG specified in point 1.

Appealing to the competent supervisory authorities

The responsible authority for concerns related to data protection, where individuals in Switzerland are affected or data is processed from Switzerland, is the Federal Data Protection and Information Commissioner (FDPIC). They can, ex officio or upon complaint, investigate breaches of data protection regulations and order the processing to be adapted, interrupted, or terminated in whole or in part. Furthermore, they advise private individuals on data protection issues, provide information upon request on how individuals can exercise their rights, and can file a complaint with the competent criminal prosecution authority. The contact details of the FDPIC can be found at https://www.edoeb.admin.ch. Where data processing falls within the scope of the GDPR, there is a right to lodge a complaint with the relevant data protection supervisory authority in the EU (Art. 77 GDPR).

15. Changes to this privacy policy

Baryon AG may amend or update this Privacy Policy from time to time by delivering a revised version to its clients and/or making it accessible on Baryon AG’s website, under www.baryon.com.

16. Applicable law / jurisdiction

Unless mandatory legal provisions dictate otherwise, this Privacy Policy is subject solely to Swiss law, excluding international conflict of law provisions. The exclusive jurisdiction for disputes in connection with this Privacy Policy, apart from mandatory legal jurisdictions, is Zurich, Switzerland. Deviating agreements regarding jurisdiction and applicable law in client or other individual contracts with Baryon AG take precedence.

Please note that in case of legal dispute only the official German version of this document is legally binding.

Zurich, August 2023
Baryon AG