Privacy and Cookie Policy
INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA
INTRODUCTION
The present document describes our data-processing policy in relation to use of the www.lapis.finance website, the Lapis Facts mobile app and associated resources, including social media (hereinafter the “Site”).
The present document is to inform users, pursuant to and for the purposes of Article 4 par. 5 of the Federal Act on Data Protection (FADP) and, where applicable, Articles 13 and 14 of European Regulation (EU) 679/2016 (“GDPR”), that personal data submitted or otherwise acquired in relation to activity on the Site will be processed in compliance with the principles of the legislation referred to above. Please note that the GDPR, as stipulated in Art. 3, applies only in the case of the processing of personal data in connection with:
a) the offering of goods or services to natural persons in the EU;
b) monitoring of the behaviour of natural persons in the EU.
Paragraphs A and B specify the ownership of the Site and contact details, and describe the mechanism for accepting and revising the present document. Paragraphs C and D describe our policy on the processing of the personal data of users of the Site. Finally, Paragraph E sets forth the legal provisions applicable to the relationship between the parties and establishes the competent jurisdiction in the event of any disputes arising therefrom. The terms and conditions for use of the Site are described in a separate document, which can be accessed by clicking on this link. The document is reproduced and included in full here. Access to the Site is conditional on reading and agreeing to a specific disclaimer in relation to financial matters, the text of which can be viewed by clicking on this link.
A. OWNER OF THE SITE (DATA CONTROLLER) AND CONTACT DETAILS
The Site is owned by Lapis Asset Management Ltd (“LAPIS”), Lugano (CH). All communications must be addressed in writing and shall be deemed to have been validly and effectively performed on receipt, if conveyed through the ordinary post or, in the case of e-mail, on transmission of a read receipt. Contacts:
- Lapis Asset Management Ltd, Via Emilio Bossi 6, CH-6900 Lugano, Switzerland
- Tel. +41 (0)91 971 16 93
- E-mail: info@lapis.finance
B. ACCEPTANCE OF AND CHANGES TO THIS POLICY
By using the Site, users agree to the terms and conditions, as well as the data-processing operations described in this policy, in the version current at the time of access. The current version may be viewed by clicking on the link at the foot of the page. The user is responsible for carefully checking the terms and conditions, and other information, before accessing the Site, the Data Controller having the right to update the present document at any time as it sees fit, in particular when there are changes to the applicable legislation, the functions of the Site, and the products and services made available to the user.
C. DATA PROTECTION POLICY
Data Controller
The Data Controller is Lapis, contact details as above, represented by its constituent bodies, as listed in the Canton Ticino Commercial Register.
The Data Controller may be contacted by using the contact details specified in par. A above.
Data Protection Officer
The Data Protection Officer may be contacted in writing by ordinary post at the following address: c/o Lapis Asset Management Ltd, Via Emilio Bossi 6, CH-6900 Lugano, Switzerland.
Any communication relating to data protection may also be sent to the following e-mail address: info@lapis.finance.
Legal regime applicable to data processing
The Data Controller, in its capacity as a legal person under Swiss law, based in Switzerland and active in the private sphere, processes users’ data in conformity with the Federal Act on Data Protection (“FADP”, RS 235.1).
Although in principle LAPIS does not process data that falls within the scope of the GDPR (cf. par. A above), in exceptional cases where the Regulation is applicable, LAPIS accords to those concerned the protection afforded by the GDPR itself (in particular the rights provided for by Arts. 12 – 23). The text of the GDPR may be consulted by clicking on this link.
Notions and categories of personal data
Personal data is understood to be any information concerning an identified or identifiable natural person (“Personal Data”). Sensitive information is regarded as personal data deserving of special protection, such as information relating to the private sphere, social security measures, racial and ethnic origin, political opinions, religious or philosophical convictions, trade-union membership, biometric or health-related data, mental or physical health, as well as information relating to criminal convictions or related security measures.
The Data Controller neither needs nor requests the transfer of any personal data requiring special protection. We would therefore warn users not to spontaneously transmit information of this kind via the Site and the related resources (e-mail, contact form, social media etc.).
Purposes and lawfulness of data processing
The Data Controller will process Personal Data for the purposes summarized in the following table:
Purposes | Legal basis | Period for which data is kept |
---|---|---|
Navigating in the present website | Legitimate interest; Fulfilment of contractual obligations | 1 year maximum; see information about cookies (link) |
Request for contact, request for information or job application | Legitimate interest; Request from person concerned | 1 year |
Organizational, administrative, financial or accounting activities or client/user management, regardless of the kind of data processed. Mainly the concern of internal organizational activities. | Legal Obligation; Legitimate interest; Fulfilment of contractual obligations | Generally: 10 years |
The Data Controller gathers and processes Personal Data to facilitate and optimize use of the Site. Such data includes information concerning the use of the Site, for instance the IP address of the user’s device, the user’s location, the unique identifier of the user’s mobile device, time spent on the Site, the links activated, the characteristics of the browser (type, language, plug-ins installed, etc.), cookies, etc. This data is processed automatically solely in order to permit navigation on the Site, assess the introduction of new functions, improve the quality of the services provided, measure use of the Site and optimize its user-friendliness.
The Site processes Personal Data transmitted by the user, in particular via online form or e-mail, for the purposes of communication or to make available the information requested by the user.
The Site does not produce or transmit advertising content or messages devised on the basis of online behaviour, nor does it profile users or monitor use of web-based resources or e-mail. The Site does not sell, hire out, market and/or lend Personal Data to third parties.
We would warn you not to transmit information and/or documents containing personal and/or confidential information by e-mail, as this is an unsafe method of communication and does not guarantee privacy. At users’ request, LAPIS is able to provide secure channels for electronic communication if sensitive data needs to be transmitted (e.g. VPN or encrypted e-mail).
Obligation to provide data
Apart from data to facilitate navigation, as described above, users are free to provide or not to provide Personal Data.
The provision of data may be optional or necessary, depending on the specific purposes for which an item of data is processed. A decision not to provide necessary data will make it impossible to obtain what was requested or make use of the Data Controller’s services.
Transfer of data to a third country and/or international organization
Personal Data may be transmitted abroad (i.e. outside Switzerland), though only to the European Union or to countries that guarantee adequate protection of personal data (as provided for in Swiss law) as per the list drawn up by the federal authorities (link) or by the European authority responsible for the processing of data subject to the GDPR. Interested parties are entitled to obtain copies of such data.
In the case of transfer to non-European countries, in particular the United States, whose level of data protection is not considered adequate, personal data may be transferred only to natural persons, organizations and companies that have adhered to specific agreements and/or international instruments concerned with the protection of personal data (e.g. Swiss/EU–US Privacy Shield). Those concerned may obtain information about the protection measures adopted for the transfer of Personal Data by addressing a request to the Data Controller via e-mail.
Period during which personal data is kept
The Site retains Personal Data for as long as such retention is necessary, considering the purposes for which it was gathered and the extent to which there is a legal obligation to keep it (normally 10 years). Once the purpose of gathering Personal Data has ceased to exist and the legal obligation to retain it has expired, the Data Controller arranges for the final and secure erasure of the data or, alternatively, for its anonymization.
Access to our detailed policy on the keeping of personal data may be requested from the Data Controller by e-mail.
Newsletter
The Data Controller provides a free update service concerning its activities via Newsletter.
The Newsletter is sent exclusively to those who have registered for this purpose by providing their e-mail address. You can be removed from the list of recipients at any time and with immediate effect by clicking on the “unsubscribe” link at the foot of every e-mail.
Deciding not to register for the Newsletter or unsubscribing from the list of recipients does not prejudice or reduce in any way your ability to use the Site and/or the associated resources.
The Data Controller does not monitor the behaviour of recipients of the Newsletter or profile them in any way. The Data Controller does not transfer the e-mail addresses of users to third parties, except for the Newsletter service provider, which receives the recipients’ e-mail addresses as part of its management of the Newsletter. The said service provider must be based in Switzerland, in the EU or in the USA (but in the latter case only if it has adhered to the US–CH/EU Privacy Shield).
Data relating to minors
Processing with the consent of the person concerned is lawful if the minor thus granting consent is at least 16 years old. If the minor is under 16 years of age, processing of his/her data is lawful only when consent is given or authorized by his/her legal representative. The Data Controller will in any case take reasonable steps, considering the technologies available, to check that the consent granted by the legal representative is effective. However, the Data Controller shall not be in any way liable for misleading statements provided by the minor and, in any case, should it become aware that a false declaration has been made, shall immediately erase all personal data and any material acquired. The Data Controller will facilitate requests relating to the personal data of minors originating from a legal representative.
Data Processors, recipients or categories of recipients, access to data
The Personal Data provided by users may be communicated to recipients who will process the data as Data Processors and/or as natural persons acting under the authority of the Data Controller or Data Protection Officer. Where they are acting independently, such persons assume the status of separate Data Controllers.
Aside from legally permissible data transmissions, data may be communicated to recipients belonging to the following categories:
- individuals who provide information and telecommunications system management services used by the Data Controller to make the Site available and for organizing, programming, creating and executing the activities connected with the Site;
- companies and professionals who provide services to the Data Controller, for example in the legal, accounting, administrative and tax fields.
In managing the Site and associated resources (in particular, e-mail, marketing, back-up, web design, graphics, maintenance, translation, hosting and internet access), LAPIS uses external suppliers of goods and/or services based and active in Switzerland or in the European Union (EU).
These external suppliers have access to the data only as strictly necessary for the correct and efficient performance of their tasks, subject to their signing a confidentiality and non-use agreement in respect of the Personal Data concerned.
A full, up-to-date list of data processors may be viewed at our corporate offices. For reasons of data security, certain items of information may be anonymized or masked.
Communications via e-mail, risks
Users should be warned that (i) use of e-mail does not ensure the confidentiality or integrity of the data being transmitted, (ii) many e-mail service providers are located or store their data in countries which do not guarantee adequate data protection (e.g. the USA; see the official, up-to-date list, which can be downloaded by clicking here), (iii) use of an e-mail service of this kind means that data will be transferred via and stored in a country that does not guarantee adequate protection of such data.
The user authorizes the Data Controller (including its constituent bodies, auxiliaries, agents and representatives) to transmit via ordinary (i.e. not certified and/or encrypted) electronic mail documents and/or information, including documents containing personal and/or confidential information, using the e-mail address provided by the user in response to user requests received via telephone or e-mail. The user, fully aware of the risks mentioned above, exonerates the Data Controller from all liability in the event of unauthorized third-party access to the documents and/or personal and/or confidential information transmitted or received via e-mail by the Data Controller and/or its constituent bodies and agents.
Links to third-party resources
The Site contains links to third-party websites and other internet-based resources. The Data Controller is not in any way liable for the content, security or availability of such websites and resources. In particular, the Data Controller does not check the privacy or data protection policies of such third parties.
Security
The Site implements security measures that are reasonable in the circumstances and proportionate to the risks involved in respect of unauthorized access, use, transmission, damage, loss and destruction of Personal Data. Such measures include technical, physical and organizational arrangements. However, considering the “open network” nature of the Internet, the Data Controller cannot guarantee, and does not guarantee, that data will not be intercepted or acquired by unauthorized third parties.