Privacy Statement

1. About This Statement

1.1 Purpose and Scope

CY.TALK SWITZERLAND S.A. ("CY.TALK", "we", "us", "our") is committed to protecting the privacy and personal data of every individual who interacts with us. This Privacy Statement explains how we collect, use, store, share, and protect your personal data when you use our websites, applications, services, Customer Premise Equipment (CPE), authorised points of sale, and any other channel through which this statement is referenced.

This statement applies to all users of CY.TALK services, including individual subscribers, enterprise customers, resellers, and visitors to our websites. It covers all services operated directly by CY.TALK SWITZERLAND S.A., including our VoIP telephony platform, SMS services, international phone numbers, IVR and virtual operator solutions, and our enterprise telecom solutions.

1.2 Legal Framework

We comply with the Swiss Federal Act on Data Protection (nFADP / revDSG), which entered into full force on 1 September 2023. Where our services are accessed by individuals in the European Economic Area, we also apply the principles of the EU General Data Protection Regulation (GDPR, Regulation 2016/679). Our privacy governance is further structured around our ISO/IEC 27701:2019 certified Privacy Information Management System (PIMS), which provides a documented, audited framework for managing personal data in our roles as both a PII Controller and a PII Processor.

2. Who We Are

2.1 Data Controller

For the purposes of the nFADP and the GDPR, the data controller is:

2.2 Privacy Officer

CY.TALK has designated a Privacy Officer responsible for overseeing compliance with this statement and applicable data protection law. You may contact the Privacy Officer through our contact page at www.cytalk.com/contact-us.

3. Data We Collect

3.1 Data You Provide Directly

When you register for an account, purchase a service, or contact us, we collect the following categories of personal data:

• Identity data: full name, date of birth, nationality, government-issued ID (where required for identity verification)
• Contact data: email address, phone number, mobile number, postal address
• Account data: username, password (stored in hashed form), account preferences
• Financial data: payment method details (credit/debit card, bank account, electronic wallet credentials), billing address, transaction history
• Communications data: messages sent to our support team, dispute records, survey responses
• Verification data: photo ID, utility bills, company registration documents (where required for KYC/AML compliance)

3.2 Data Collected Automatically

When you access our websites or applications, we automatically collect certain technical data, including:

• IP address, browser type and version, operating system
• Device identifiers and mobile device information
• Pages visited, time spent, referring URLs, and click paths
• Call data records (CDRs): originating number, destination number, call duration, timestamp
• SMS delivery metadata

3.3 Data from Third Parties

We may receive personal data about you from the following third-party sources:

• Identity verification providers (for KYC/AML checks)
• Credit reference and fraud prevention agencies
• Social media platforms, if you use a social login to access our services
• Our authorised resellers and points of sale
• Publicly available directories and registries

3.4 Data We Do Not Collect

We do not collect or process special categories of personal data (such as health data, racial or ethnic origin, religious beliefs, or biometric data) unless you explicitly provide such data in the context of a support request, and only to the extent strictly necessary to resolve your query.

4. How We Use Your Data

5. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract performance: processing is necessary to deliver the services you have subscribed to and to manage your account
• Legal obligation: processing is required to comply with Swiss law, EU law, telecom regulations, AML/KYC obligations, and lawful authority requests
• Legitimate interests: processing is necessary for fraud prevention, network security, service improvement, and direct marketing to existing customers, provided these interests are not overridden by your rights
• Consent: for marketing communications to new contacts, for the use of non-essential cookies, and for any processing not covered by the bases above. You may withdraw consent at any time without affecting the lawfulness of prior processing

Where we rely on legitimate interests, you have the right to object to that processing. Please see Section 11 for details of your rights.

6. Who We Share Data With

6.1 Service Providers and Sub-processors

We share personal data with trusted third-party service providers who process data on our behalf under contractual data processing agreements. These include:

• Telecommunications carriers and interconnect partners (for call and SMS routing)
• Payment processors and electronic wallet providers
• Identity verification and KYC providers
• Cloud infrastructure and hosting providers (data stored in Switzerland)
• Customer support platform providers
• Analytics and network monitoring tools

All service providers are contractually required to process personal data only for the specified purpose, to maintain appropriate security measures, and to comply with applicable data protection law.

6.2 Business Partners and Resellers

Where you access our services through an authorised reseller or point of sale, we may share account and transaction data with that partner to the extent necessary to deliver the service and manage the commercial relationship.

6.3 Legal and Regulatory Disclosure

We may disclose personal data to law enforcement agencies, regulatory bodies, courts, or other public authorities where required by applicable law, a court order, or a lawful regulatory request. We will notify you of such disclosure where legally permitted to do so.

6.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred to the relevant parties as part of that transaction. We will take reasonable steps to ensure that appropriate data protection obligations are maintained.

6.5 CY.SEND

CY.SEND (www.cysend.com) is a separate platform operated by CY.TALK SWITZERLAND S.A. Data shared between CY.TALK and CY.SEND is governed by an internal data sharing agreement and is limited to what is necessary for service delivery and account management. CY.SEND has its own Privacy Policy.

7. International Data Transfers

Our primary data storage and processing infrastructure is located in Switzerland. Where we engage service providers or partners located outside Switzerland or the EEA, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission or the Swiss Federal Data Protection and Information Commissioner (FDPIC)
• Adequacy decisions recognising the destination country's data protection framework
• Binding Corporate Rules where applicable

You may request information about the specific safeguards applied to any international transfer by contacting us through our contact page.

8. Data Retention

After the applicable retention period, data is securely deleted or anonymised. Where deletion is not immediately possible (for example, due to backup cycles), data is isolated and protected until deletion is completed.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our websites and applications. A full description of the cookies we use, their purpose, and how to manage your preferences is set out in our dedicated Cookies Policy.

In summary, we use strictly necessary cookies to operate our services, and we use analytics and preference cookies subject to your consent. We do not use advertising or behavioural tracking cookies without your explicit consent.

10. Data Security and Certifications

10.1 Our Certified Privacy Management System

CY.TALK SWITZERLAND S.A. has achieved certification under ISO/IEC 27701:2019, the international standard for Privacy Information Management Systems (PIMS). This certification, issued by an accredited third-party certification body, confirms that our privacy controls, data processing procedures, and governance framework have been independently audited and verified against internationally recognised best practices for personal data management.

10.2 Technical and Organisational Security Measures

We implement the following measures to protect your personal data:

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
• Multi-factor authentication for all administrative access
• Role-based access controls limiting data access to authorised personnel only
• Regular penetration testing and vulnerability assessments
• 24/7 security monitoring and incident response procedures
• All primary data stored exclusively in Switzerland in a certified Tier 3 data centre
• Regular staff training on data protection and information security

10.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with our obligations under the nFADP and the GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

11. Your Rights

Under the Swiss nFADP and, where applicable, the GDPR, you have the following rights in relation to your personal data:

11.1 How to Exercise Your Rights

To exercise any of the above rights, please submit your request through our contact page at www.cytalk.com/contact-us. We will respond within 30 days of receiving your request. In complex cases, we may extend this period by a further 30 days, in which case we will notify you. We may need to verify your identity before processing your request. This service is provided free of charge for standard requests.

12. Children's Privacy

Our services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13 without verifiable parental or guardian consent. If we become aware that we have collected personal data from a child under 13 without such consent, we will take immediate steps to delete that data. If you believe we may have collected data from a child under 13, please contact us through our contact page.

13. Changes to This Statement

We review and update this Privacy Statement periodically to reflect changes in our services, applicable law, and best practice. When we make material changes, we will notify you by posting a prominent notice on our website and, where appropriate, by email. The date of the most recent update is shown at the top of this statement. Your continued use of our services after the effective date of any update constitutes your acceptance of the revised statement.

14. Contact Us