Cookies Policy

1. INTRODUCTION

This Cookies Policy explains how Xchange 360 SA (“we”, “us”, or “our”) uses cookies and similar tracking technologies on our website https://xchange-360.ch/ (the “Website”).

Xchange 360 SA is a Swiss financial intermediary and a member of the Association Romande des Intermédiaires Financiers (ARIF), a self-regulatory organization (SRO) recognized by FINMA pursuant to Art. 24 of the Federal Act on Combating Money Laundering (AMLA, SR 955.0). We provide financial services to retail clients, including small and medium-sized enterprises (SMEs) that do not meet the professional client thresholds set forth in Art. 4(3) of the Financial Services Act (FinSA, SR 950.1).

This policy is issued in accordance with the following Swiss legislation and regulatory requirements:

– The Swiss Federal Act on Data Protection (nDSG/FADP, SR 235.1) and the Data Protection Ordinance (DSV/DPO, SR 235.11);

– Article 45c of the Swiss Telecommunications Act (FMG, SR 784.10);

– The Financial Services Act (FinSA/FIDLEG, SR 950.1) and FinSO (SR 950.11), including retail client information duties under Art. 8–16 FinSA;

– The Financial Institutions Act (FinIA/FINIG, SR 954.1), including professional secrecy obligations under Art. 69 FinIA;

– The Federal Act on Combating Money Laundering (AMLA, SR 955.0) and AMLO-FINMA;

– ARIF’s Code of Deontology, Directives, and Execution Provisions, including Directive 14, Directive 10, and Execution Provisions 34–35;

– The FDPIC Guidelines on Data Processing Using Cookies and Similar Technologies (Version 1.1, October 2025).

This policy informs you about the use of cookies on our Website. For non-essential cookies, we will obtain your explicit consent or provide you with a clear opt-out option before placing them on your device, in accordance with the applicable tiered consent framework under Swiss law.

2. SCOPE AND CLIENT CLASSIFICATION

Our Website serves retail clients within the meaning of Art. 4(2) FinSA, including SMEs that do not satisfy the professional client thresholds under Art. 4(3) FinSA (i.e., entities that do not exceed at least two of the following benchmarks: balance sheet total of CHF 20 million, annual turnover of CHF 40 million, or equity of CHF 2 million). As retail clients, these entities benefit from the full, non-waivable scope of investor protection under FinSA, including enhanced information duties (Art. 8–9 FinSA), documentation requirements (Art. 15 FinSA), and accountability obligations (Art. 16 FinSA).

These heightened regulatory obligations result in a broader data processing footprint, which is transparently disclosed in this policy. In particular, Art. 20 FinSA does not permit retail clients to waive their right to information, documentation, or data access — these protections apply in full at all times.

3. WHAT ARE COOKIES?

Cookies are small text files that are stored on your device (computer, tablet, or smartphone) when you visit a website. They are used to make websites function properly, improve their performance, and provide information to website operators.

Cookies may be set by the website you are visiting (“first-party cookies”) or by third-party services operating on the website (“third-party cookies”). Session cookies are deleted when you close your browser, while persistent cookies remain on your device for a specified period.

In addition to cookies, we may use similar technologies such as web beacons, pixel tags, local storage objects, and browser fingerprinting techniques. All references to “cookies” in this policy include such similar technologies unless otherwise specified.

4. APPLICABLE LEGAL FRAMEWORK FOR COOKIES

Swiss cookie compliance is governed by five overlapping regulatory layers that apply cumulatively to Xchange 360 SA as a financial intermediary:

Layer	Instrument	Relevance
Layer 1	Art. 45c FMG	Baseline: information + opt-out for all cookies
Layer 2	nDSG/FADP	Tiered consent (opt-out standard; opt-in for high-risk profiling)
Layer 3	FinSA/FinSO	Mandatory data collection for retail clients
Layer 4	ARIF Directives	Third-party providers must meet ARIF standards
Layer 5	Art. 69 FinIA	No client-identifying data to third parties without authorization

Under the FDPIC’s 2025 Cookie Guidelines, Art. 45c FMG and the nDSG apply cumulatively. This means the opt-out model of Art. 45c FMG is supplemented — and in specific scenarios overridden — by the nDSG’s stricter consent requirements, particularly for high-risk profiling activities.

5. CATEGORIES OF COOKIES WE USE

5.1 Strictly Necessary Cookies

These cookies are essential for the operation of our Website. They enable core functions such as page navigation, access to secure areas, session management, and security features (e.g., fraud prevention and authentication).

Legal basis: Overriding interest (Art. 31 para. 1 nDSG); information duty under Art. 45c lit. b FMG. No consent required.
Retention period: Session-based or up to 12 months for persistent essential cookies.
Data processed: Session identifiers, authentication tokens, security parameters. No personal data is collected for marketing purposes.

5.2 Analytical / Performance Cookies

These cookies collect anonymized or pseudonymized data about how visitors use our Website, such as pages visited most often, error messages, and loading times.

Legal basis (standard analytics): Overriding interest with opt-out right (Art. 31 para. 1 nDSG). Data is anonymized as soon as technically feasible.
Legal basis (analytics with cross-site tracking): Where a third-party analytics provider processes data for its own purposes, explicit consent (opt-in) is required (Art. 6 para. 7 nDSG).
Retention period: Up to 24 months.
Opt-out: You may refuse these cookies through the cookie settings on our Website or through your browser settings (see Section 9).

5.3 Functionality Cookies

These cookies enable enhanced functionality and personalization, such as remembering your language preferences, display settings, or login details.

Legal basis: Overriding interest with opt-out right (Art. 31 para. 1 nDSG).
Retention period: Up to 12 months.
Note: If you do not allow these cookies, some features may not function properly.

5.4 Advertising / Tracking Cookies

We may use cookies to deliver personalized advertisements and to measure the effectiveness of advertising campaigns. These cookies may track your browsing behavior across websites and create profiles of your interests.

Legal basis: Explicit consent (opt-in) required prior to placement (Art. 6 para. 7 nDSG). Cross-site tracking and interest-based profiling constitute high-risk profiling under Art. 5(g) nDSG.
Retention period: Up to 24 months.
Note: These cookies will only be placed on your device after you have given your explicit consent through our cookie consent mechanism.

6. PROFILING AND AUTOMATED DECISION-MAKING

In the course of our activities as a financial intermediary, we may use automated processing tools for purposes including client risk assessment, suitability determination under Art. 12–13 FinSA, anti-money laundering screening, and personalized service delivery. Some of these processes may be supported by data collected through cookies or similar technologies.

Profiling (Art. 5(f) nDSG) means any automated processing of personal data that consists of using such data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning their economic situation, personal preferences, interests, reliability, or behavior.

High-risk profiling (Art. 5(g) nDSG) occurs when profiling results in the merging of data that allows assessment of essential aspects of a natural person’s personality. Where cookies contribute to high-risk profiling — for instance, by combining browsing behavior with financial transaction data — explicit consent is required.

In accordance with Art. 21 nDSG, you have the right to be informed of the existence of automated individual decision-making, and to request that such decisions be reviewed by a natural person.

7. THIRD-PARTY COOKIES AND SERVICES

We may use services provided by third parties that place cookies on your device. In accordance with Art. 19 para. 1 lit. c nDSG and ARIF Directive 14, Execution Provision 34, all third-party service providers that process personal data collected through cookies are:

– Contractually bound to respect confidentiality obligations equivalent to those imposed on Xchange 360 SA as an ARIF member;

– Prohibited from processing client data for purposes other than those expressly authorized by Xchange 360 SA;

– Required to implement appropriate technical and organizational measures (TOMs) to protect personal data (ARIF Execution Provision 35, Art. 8 nDSG);

– Subject to periodic compliance reviews in accordance with ARIF’s supervisory framework.

In accordance with Art. 69 FinIA, no client-identifying information is disclosed to third-party cookie providers without proper authorization. Any third-party tracking technology that could capture or transmit client-identifying data is assessed against professional secrecy requirements.

Third-Party Service Providers: [To be completed based on cookie audit]

8. INTERNATIONAL DATA TRANSFERS

Some of the cookies and third-party services used on our Website may result in the transfer of your personal data to countries outside of Switzerland. In accordance with Art. 16–18 nDSG, we disclose all destination countries and applicable safeguards.

Destination countries: [To be completed based on cookie audit]

Where personal data is transferred to a country that does not provide an adequate level of data protection as determined by the Swiss Federal Council (Annex 1 DSV), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the FDPIC, binding corporate rules, or other measures recognized under Art. 16–17 nDSG.

9. MANAGING COOKIES

9.1 Privacy-Friendly Default Settings

In accordance with Art. 7 para. 3 nDSG (data protection by design and by default), our default cookie settings are configured to activate only strictly necessary cookies. All non-essential cookies are disabled by default until you provide your consent or are given the opportunity to opt out.

9.2 Cookie Consent Mechanism (Tiered Architecture)

Our cookie consent mechanism implements the tiered architecture required by the cumulative application of Art. 45c FMG and the nDSG:

– Tier 1 — Strictly Necessary Cookies: Active by default. Information provided in this policy (Art. 45c lit. b FMG). No consent required.

– Tier 2 — Analytics and Functionality Cookies: Disabled by default. Opt-out mechanism provided.

– Tier 3 — Advertising, Tracking, and High-Risk Profiling Cookies: Disabled by default. Explicit opt-in consent required prior to activation (Art. 6 para. 7 nDSG).

Our cookie consent tool provides you with equal options to accept or reject non-essential cookies, and allows granular selection by cookie category. No deceptive design patterns (“dark patterns”) are used.

9.3 Browser Settings

You may also control cookies through your browser settings. Most browsers allow you to view, manage, delete, and block cookies for specific or all websites. Please note that disabling certain cookies may affect the functionality of our Website. For detailed guidance on managing cookies, visit www.allaboutcookies.org.

9.4 Withdrawal of Consent

If you have previously given consent for non-essential cookies, you may withdraw your consent at any time with future effect by adjusting your cookie settings or by contacting us at the address provided in Section 14 below. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

10. DATA RETENTION

We apply differentiated retention periods depending on the category of data and the applicable legal requirements:

Data Category	Retention	Legal Basis
Session cookies	Browser session	Deleted on close
Persistent essential	Up to 12 months	Art. 45c FMG
Analytics cookies	Up to 24 months	nDSG Art. 6(4) minimization
Advertising/tracking	Up to 24 months	Consent (Art. 6(7) nDSG)
AML/KYC documentation	Duration + 10 years	Art. 7 AMLA; ARIF Dir. 6
FinSA client docs	10 years from service	Art. 15–16 FinSA
Consent records	Duration + 1 year	nDSG accountability

11. YOUR RIGHTS

As a retail client of Xchange 360 SA, you benefit from a dual rights framework under Swiss data protection law and financial services law. These rights are non-waivable for retail clients under Art. 20 FinSA.

11.1 Rights Under the Swiss Data Protection Act (nDSG)

Right of access (Art. 25 nDSG) — You may request information about whether and what personal data we process about you.
Right to data portability (Art. 28 nDSG) — You may request your personal data in a commonly used electronic format.
Right to rectification (Art. 32 para. 1 nDSG) — You may request correction of inaccurate personal data.
Right to deletion (Art. 32 para. 2 lit. c nDSG, Art. 28 ff. CC) — Where processing constitutes an unlawful violation of your personality rights, you may seek judicial remedies.
Right to object (Art. 30 para. 2 lit. b nDSG) — You may express your objection to the processing of your personal data.
Right regarding automated decisions (Art. 21 nDSG) — You have the right to be informed and to request human review.

11.2 Rights Under the Financial Services Act (FinSA)

Right to a copy of your file (Art. 72 FinSA) — unconditional for retail clients.
Right to documentation (Art. 15–16 FinSA) — documentation of financial services, suitability assessments, and recommendations.
Non-waivability — As a retail client under Art. 4(2) FinSA, these rights apply in full regardless of any contractual provision (Art. 20 FinSA).

11.3 How to Exercise Your Rights

Contact: info@xchange-360.ch. We will respond within 30 days (Art. 25 para. 7 nDSG; Art. 72 para. 3 FinSA).

If you believe processing violates Swiss data protection law, you may lodge a complaint with:

Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1, CH-3003 Bern | https://www.edoeb.admin.ch

12. DATA PROTECTION IMPACT ASSESSMENT

In accordance with Art. 22 nDSG, Xchange 360 SA has conducted a Data Protection Impact Assessment (DPIA) for processing activities involving retail client data, particularly with respect to:

– The deployment of third-party cookies and tracking technologies;

– Profiling and automated decision-making processes;

– Cross-border data transfers;

– Any new digital service implementations involving personal data.

Our Record of Processing Activities (ROPA), maintained in accordance with Art. 12 nDSG, documents all processing activities related to cookies and digital data collection. A summary is available upon request.

13. CHANGES TO THIS POLICY

We may update this Cookies Policy from time to time to reflect changes in law, technology, regulatory guidance, or our data processing practices. Any material changes will be posted on this page with an updated effective date and, where required, communicated through our cookie consent mechanism.

14. CONTACT US

If you have any questions about this Cookies Policy, our use of cookies, or wish to exercise your data protection rights, please contact us:

Xchange 360 SA

Chemin de la Joliette 3, 1006 Lausanne, Switzerland

Email: info@xchange-360.ch

15. APPLICABLE LAW AND JURISDICTION

This Cookies Policy is governed by and construed in accordance with the laws of Switzerland. Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts of Lausanne, Canton of Vaud, Switzerland.