Privacy Policy

Data Controller

Applicable Legislation

Noray Capital SA processes personal data in accordance with the Swiss Federal Act on Data Protection (FADP / nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR). Where there is a conflict between Swiss law and the GDPR, the provisions most protective of your rights shall apply.

Personal Data We Collect

We may collect the following categories of personal data:

• Identity data: name, job title, company name
• Contact data: email address, phone number, postal address
• Account data: login credentials, account settings, preferences
• Technical data: IP address, browser type, device information, access logs
• Usage data: pages visited, features used, session duration
• Onboarding data: KYC documentation, corporate documents submitted through our platform
• Communication data: correspondence and enquiry records

Purposes of Processing

• Providing and maintaining our structuring coordination services and platform
• Processing onboarding applications and KYC documentation
• Responding to enquiries and providing client support
• Sending service-related communications and updates
• Complying with legal and regulatory obligations (including anti-money laundering requirements)
• Improving our website, platform, and services
• Protecting our legitimate business interests and security of our systems

Legal Basis for Processing

• Contractual necessity: processing required to provide our services
• Legal obligation: compliance with Swiss financial regulations, AML/KYC requirements
• Legitimate interest: improving services, security, fraud prevention
• Consent: where explicitly provided (e.g. marketing communications, guide downloads)

Data Sharing & Transfers

We do not sell personal data. We may share data with:

• Regulated service providers: issuers, paying agents, depositories, and other licensed entities involved in structuring your products
• Technology providers: hosting, cloud infrastructure, and analytics services (with appropriate data processing agreements)
• Professional advisors: legal, audit, and compliance advisors
• Regulatory authorities: where required by law

Where personal data is transferred outside Switzerland or the EEA, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions.

Data Retention

Personal data is retained for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting obligations. Client data related to structured products is typically retained for a minimum of 10 years following the maturity or termination of the relevant product, in line with Swiss regulatory requirements.

Your Rights

Subject to applicable law, you have the following rights:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure (where legally permissible)
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time

To exercise any of these rights, please contact us at operations@noray.ch. You also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland or the relevant supervisory authority in your jurisdiction.

Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption, access controls, regular security assessments, and staff training.