Privacy Policy

Relio AG
Hohlstrasse 188
8004 Zurich
E-mail: [email protected]
Website http://www.relio.ch/

What is this privacy notice about?

In this privacy notice, we explain how we process personal data, in particular in relation with our business activities and through our website and apps. It should be read by

— our potential, current and prospective customers,

— their shareholders, directors, officers, and employees,

— other related persons such representatives, signatories, beneficial owners, beneficiaries, security providers, payment recipients, and

— customers of our clients and their staff,

— visitors on our website and users of our apps.

Additional information about how we process personal data can be found in other documentation, such as general terms of business, in additional privacy information presented separately (including on app stores for our apps), and in separate consent forms.

«Personal data» means any information that is about an individual or that can be associated with an individual, and «processing» means any operation with personal data, for example collecting, using, disclosing or deleting data. Our services are generally directed at businesses, but if you act or work for a business, then we may process personal data about you.

Our processing of personal data is subject to Swiss data protection legislation, in particular the Swiss Federal Data Protection Act and Ordinance, but it may be subject to the European General Data Protection Regulation (GDPR) as well, depending on the circumstances. This notice therefore includes references to the GDPR.

Who is the controller for your data?

For the data processing set out in this privacy notice, the following company is the «controller», i.e., the entity that is primarily responsible for complying with data protection law (also «we»):

Relio AG
Hohlstrasse 188
CH-8004 Zurich
Switzerland

If you have any questions in relation with our processing of your personal data, please do not hesitate to contact us at [email protected].

You may provide us with personal data relating to other individuals, for example about co-workers, line managers, directors, officers, representatives, signatories, payment recipients, customers, clients and other related parties including PEPs and beneficial owners, and other individuals, for instance when you apply for an account with us or make a payment. Whenever you do this, we assume that this data is correct and that you are permitted to share it with us. However, we may not be in direct contact with these individuals and cannot tell them directly about our data processing. It is your responsibility that you inform these individuals about our data processing, for example by pointing them to this Privacy Notice.

How do we process data in relation with our services?

When you use our services, we process personal data in order to prepare for and potentially enter into an agreement with you:

— If we are in contact with you in view of an agreement with you or with the company you act or work for, we process data about you and about other individuals whose data you provide to us or that we collect as part of the process, such as signatories, directors, PEPs and beneficial owners, for example if you onboard with us to register or open an account. In each case this may include names, address information, contact information, birth date, citizenship, copies of identification documents, video recordings in case of video identification, contact details or date of birth, information about the role or relation with a company, any other information you share with us, and information about services requested and the contact date. This may include biometric data as part of our identification process. We use this information to onboard you, carry out identity and age verification including video identification with Intrum AG, Switzerland, comply with tax controls and reporting obligations, prevent fraud, assess and manage risks, and learn more about your business. The legal basis for this processing is article 6(1)(b) and (f) GDPR, where applicable.

— We may also use data about you in order to get back to you, including contacting you by e-mail or phone, when the onboarding process gets interrupted or delayed.

— Before we can enter into an agreement with you or your company, we carry out know-your-customer checks and assessments, in accordance with applicable law, for example anti-money-laundering laws and other requirements under applicable regulation. In addition, we carry out sanctions checks, again in accordance with applicable laws. We may use all data that you share with us in the onboarding process, as well as additional information collected from third parties including credit information providers, other information providers, and public sources including the media and the internet. The legal basis for this processing is article 6(1)(c) and (f) GDPR as well as article 9(2)(g) GDPR, where applicable.

If we enter into an agreement with you or your company, we process the data collected in view of the agreement (see above) and information about the conclusion of the agreement (for example the date and subject matter of the agreement).

We also process personal data during and after the term of the agreement, for example information on the services rendered to you, but also on payments, where we use Swisscom Ltd. as payment gateway, which sends all messages from Relio to other financial institutions to transfer money in Relio's name. Hubspot Service Hub is used to track and manage customer support inquiries. Intrum provides services to Relio to identify customers, check official documents and contract signing during onboarding. Without these types of data processing, we would not be able to perform agreements, comply with applicable law, and safeguard our legitimate interests. The legal basis for this processing is article 6(1)(b), (c) and (f) GDPR, where applicable.

We also process the data set out above for statistics (for example the number of customer inquiries for account openings per month, which customer segment uses which products, success rates of onboarding requests etc.). These statistics help with the improvement and development of products as well as business strategy. We may also use statistical data for personalized marketing (see sec. 4 for additional information). The legal basis for this processing is article 6(1)(f) GDPR, where applicable.

Usually, our clients are companies. In this case we process fewer personal data because data protection law only applies to data relating to individuals. However, the data set out above may be about the individuals who act for our clients or are otherwise related to them.

How do we process data in relation with marketing?

We also process personal data in order to advertise us and our services and services provided by third parties:

— Marketing communication: We send electronic information and newsletters, which include advertising for our offers, but also for offers from other companies with which we cooperate. We will ask you for consent first except where we advertise certain offers to existing customers. In addition to your name and e-mail address, we also process information about the services you have used before, whether you open newsletters, and which links you click. For this purpose, our e-mail provider offers a function that essentially works with invisible images that are loaded from a server through a coded link and thus transmits this data to the server. This is a common method that helps us to assess the effect of newsletters and optimize our newsletters. You can object to this measurement through the settings of your e-mail client (for example by turning off automatic image loading).

— Online advertising: We carry out advertising on partner websites, including personalized advertising through a process called “re-targeting”, which is explained in sec. 7 below.

— Market research: We also process data to improve performance and develop new products, such as information about your purchases, your response to newsletters, information from customer surveys or from social media, as well as from media monitoring services and public sources.

How do we work with service providers?

We use various services provided by third parties, in particular IT services (examples are hosting providers, and providers of IT security and software development, maintenance and support), other technology providers such as SaasCada for our banking system, Google Ireland as our main hosting and office applications provider, providers of other services such as operations, compliance and identification including Relio d.o.o. or Intrum AG and other providers like banks, the post office, consultants, advisors etc. More information about our service providers can be found above and, in relation with our online offering, in sec. 7 below. All of these service providers may process personal data as required for their services. We have customary agreements with them that require these providers to maintain the confidentiality and security of personal data they receive or are given access to.

Can we disclose data abroad?

The recipients of personal data are not all located in Switzerland. Examples of providers abroad are Relio AG’s subsidiary Relio d.o.o. in the Republic of Serbia, Google in Ireland, and others including the providers in relation with our online offering, as set out below in sec. 7. These providers may use additional providers, and while these are bound by appropriate agreements that are designed to maintain the level of protection, they may be located in other countries in the EEA region and outside, potentially world-wide. We may also transfer data to authorities and other recipients abroad if we are under a legal obligation to do so or, for example in the context of a company or asset sale or legal proceedings (see sec. 9).

Not all of these countries provide an adequate level of data protection. We use agreements in order to provide additional protection, in particular the standard contractual clauses of the European Commission, which are available here. In certain cases, we may transfer personal data in accordance with applicable law without such agreements, for example if you have consented to the transfer or if the transfer is necessary for the execution of the agreement, for the establishment, exercise or enforcement of legal claims or for overriding public interests.

How do we process data in relation with our online offering?

As most businesses, in particular businesses that operate an online service offering, we use various providers that process data for us to learn about the actions our users take, optimize and personalize content, and display relevant ads on our website and on partner websites. The types of data used, and the providers that help us with these purposes, are explained below in more detail. We know it’s complicated, due to the variety of data collected and how advertising networks work, but please take the time to read through it. If you wish to disallow certain types of use, you have the option to use the consent management feature on our website and apps. The legal basis for these types of processing is your consent (article 6(1)(a) GDPR), our legitimate interest (article 6(1)(f) GDPR) and the performance of an agreement, for necessary cookies and functions (article 6(1)(b) GDPR, where the GDPR applies).

Log data

Each time our website or an app (collectively “online offering”) is used, certain data is generated, for technical reasons, which is temporarily stored in log files. Key examples are the IP address of the device used, information about the internet service provider and the operating system of your device, information about the referring URL, information about the browser, the date and time of access, and the content accessed. We use this data so that our online offerings can be used, to ensure security and stability, to optimize our online offerings and for statistical purposes.

Cookies and similar technologies

Our online offerings also use cookies. These are text files that your browser keeps on your device. This allows us to distinguish individual visitors from others, but usually without identifying them. Cookies may also contain information about pages accessed and the duration of the visit. Certain cookies («session cookies») are deleted when the browser is closed. Other cookies («persistent cookies») remain stored for a certain period of time so that we can recognize visitors when they visit us again. More information about the types of cookies we use can be found in our online offering, when you access the consent management function provided by OneTrust.

We may also use other technologies, for example to store data in the browser but also to recognize repeat visitors, for example pixels or fingerprints. Pixels are invisible images or program code that are called from a server through a coded link that transmit information. Fingerprints are pieces of information about the configuration of your device that make your device distinguishable from other devices.

The data collected through these technologies, including the data explained in more detail in sec. 7.3 below, are usually not directly personally identifiable, i.e., we will not know the names of the users whose data is collected, but we can distinguish them from any other user. However, when you log into our online offering, we can connect your name and the usage data collected, which then becomes personally identifiable.

You can configure your browser in the settings to block certain cookies or similar technologies or to delete cookies and other stored data. You can find out more in the help pages of your browser (usually when you look for «data protection»). However, we ask for your consent before using cookies and other technologies, except those that are necessary for the proper operation of our online offering, through a consent management solution on our website.

These cookies and other technologies may be set by third-party companies that provide features to us. These may be located outside Switzerland and the EEA (see sec. 6 for more information). For example, we use analytics services to help us optimize and personalize our online offering.

Analytics, personalized communication and ad networks

In order to measure the use of our online offering and improve and personalize content, we use third parties to collect usage data and provide statistical information to us. These third parties may record the use of the online offering and combine these records with other information they have from other websites. This allows them to collect data about user behavior across multiple websites and devices, in order to provide statistical evaluations on this basis. Some of these providers can also use this information for their own purposes, for example for personalized advertising on their own or other websites. If a user is registered with the provider, the provider can also link the usage data of that user. Key providers are Google, and Hubspot. More information on these can be found below:

— Our online offering uses Google Analytics, an analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, USA) and Google Ireland Ltd. Google collects information about the behavior of users on the online offering and about the device used. The IP addresses of visitors are truncated in Europe before being sent onwards to the USA. Google provides us with statistical information based on the data recorded, but also uses some data for its own purposes. Information on Google Analytics privacy can be found here, and if you have a Google Account, you can find more information here.

— We use services from HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany, for personalized communication with you. You can find more information about HubSpot’s data processing here. Hubspot may process client names, contact information and pricing information.

Cookies and similar technologies from third parties help them to target you with individualized advertising on our or other websites and on social networks that work with the same third-party provider (called “re-targeting”), and to measure the effectiveness of ads (for example whether you came to our online offering through an ad and what actions you take on our online offering). These parties use not directly personally identifiable information such as location, language and device data and estimated demographic data such as age, gender, marital and parental status, and employment. For example,

— we participate in the ad network operated by Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland) to display personalized ads on other websites;

— we use the Meta pixel, from Meta Ireland, and the LinkedIn pixel, from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, to display relevant ads on Meta’s offerings and on LinkedIn;

Other providers of similar services we use include Outbrain UK Limited, New Bridge St, London EC4V 6JA, UK; Taboola, from Lionheart Squared (Europe) Ltd., 17 Glasshouse Studios Fryern Court Road, Burgate SP6 1QX, UK;

How do we process data through social media?

We operate pages on social networks and other platforms (such as Facebook or LinkedIn). These platforms may offer ways for you to communicate with us. Please never share confidential information including login credentials on these platforms. However, if you communicate with us there or comment on or redistribute content, we collect information that we use primarily for communication with you, for marketing purposes and for statistical evaluations (see sec. 4 and 10). Please note that the platform provider will also collect and use some data (for example about user behavior), possibly together with other data they have about a user, for example for marketing purposes or to personalize platform content. Where we are joint controllers with the provider, we enter into an agreement about which you can obtain information directly from the provider.

Are there other types of processing?

Yes, because many things we do necessarily involve processing personal data, also common and unavoidable internal processes. It is not always possible to know in advance if this will occur nor the specific extent of the data processed, but below you will find information on typical (not necessarily frequent) cases:

— Communication: When we are in contact with you (for example when you call customer service or get in touch by e-mail), we process information about the content and type, time and place of the communication. We may also process information to identify you. Calls with us will be recorded and might be overheard. We will let you know of this at the beginning of each call. If you do not want us to record such conversations, you have the option at any time to end the conversation and contact us through other means, for example by e-mail.

— Compliance with law: We may process personal data and disclose data to authorities as required for our obligations or rights arising under applicable law, and to comply with internal regulations.

— Prevention: We process data to prevent criminal acts and other violations, for example in the context of fraud prevention or internal investigations.

— Legal proceedings: Where we are involved in legal proceedings (for example judicial or administrative proceedings), we process data for example about other parties to the proceedings and other persons involved, such as witnesses or respondents, and disclose data to such parties and to courts and authorities, possibly also abroad.

— IT security: We process data for monitoring, controlling, analyzing, testing, securing and assessing our IT infrastructure, but also for backups and data archiving.

— Competition: We process data about our competitors and the market in general (for example the political situation, relevant business associations, etc.). In doing so, we may process data about key persons, in particular name, contact details, role or function and public statements.

— Transactions: If we sell or acquire receivables, other assets, business units or companies, we process data to the extent necessary to prepare and carry out such transactions, for example information about customers or their contact persons or employees, and we may also disclose such data to buyers or sellers.

— Other purposes: We process data to the extent necessary for other purposes such as training and education, administration (for example contract management, accounting, enforcement and defense of claims, evaluation and improvement of internal processes, anonymous statistics and evaluations, and protection of other legitimate interests.

How long do we process personal data?

We process personal data as long as it is necessary for the processing purpose (in the case of agreements, usually for the duration of the agreement), as long as we have a legitimate interest in the storage (for example to enforce legal claims, for archiving and or to ensure IT security) and as long as data is subject to retention obligations (there are various retention obligations under applicable law. For example, a ten-year retention period applies for certain data). After expiry of these periods, we delete or anonymize your personal data.

Anything else to consider?

Depending on the applicable law, personal data may only be processed if applicable law specifically permits it. This does not apply under the Swiss Data Protection Act, but it does, for example, under the EU General Data Protection Regulation (GDPR), where it is applicable. In this case, our processing is based on the fact that it is necessary for the preparation and execution of agreements (sec. 3), that it is necessary for legitimate interests of us or third parties, for example statistical evaluations (sec. 3) or marketing purposes (sec. 4), that it is required or permitted by law or that you have separately given consent to the processing. The relevant provisions are articles 6 and 9 of the GDPR. We have included more information about these grounds in the sections above.

By the way, you are under no obligation to share data to us, except in specific cases (for example if you have to fulfill an agreed obligation, which may require disclosing data to us). However, for legal and other reasons, we have to process personal data when we conclude and execute agreements. Also using our online offering is also not possible without data processing (see sec. 7).

We may update this privacy notice whenever needed. It is not part of an agreement with you, and the version posted on our website or presented in an app is the version currently applicable.

What are your rights?

Subject to the conditions and restrictions of applicable data protection law, you have certain rights in order to receive a copy of your personal data or have a say about our processing of your data:

— You can request a copy of your personal data and more information about our data processing;

— you can object to our data processing, in particular in connection with direct marketing;

— you can correct or complete incorrect or incomplete personal data or have us register a note of dispute;

— you may have the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format, where data processing is based on your consent or is necessary for the performance of an agreement;

— if we process data on the basis of your consent, you can withdraw your consent at any time. Withdrawing consent only affects our processing going forward, and we reserve the right to continue processing data on another basis, as permitted by applicable law.

If you wish to exercise your rights, please contact us (sec. 2). As a rule, we will have to verify your identity (for example by means of a copy of an ID document). You are also free to lodge a complaint against our processing with the competent supervisory authority, in Switzerland with the Federal Data Protection and Information Commissioner (FDPIC).

This website is operated by:
Relio AG
Hohlstrasse 188
8004 Zürich
E-Mail: [email protected]