Privacy Policy
I. Introduction
KFA AG ("we," "our," or "us"), with its registered office at Weggisgasse 40, 6004 Luzern, Switzerland (UID: CHE-112.360.196), operating the FiatSwaps platform, recognises the importance of protecting the privacy and personal data of our Clients.
This Privacy Policy outlines how we collect, use, process, and protect personal data in compliance with the Swiss Federal Act on Data Protection (nFADP, in force since 1 September 2023), the Swiss Ordinance on Data Protection (ODP), and — where applicable to Clients resident in the European Economic Area — the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
This Privacy Policy applies to all FiatSwaps employees and contractors and governs the processing of personal data of our Clients.
II. Definitions
| Term | Definition |
| --- | --- |
| Client | A natural person or legal entity who has registered an account and uses the FiatSwaps Services. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Data Controller | The entity that determines the purposes and means of processing personal data. |
| Data Processor | An entity that processes personal data on behalf of a Data Controller. |
| nFADP | The Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz) of 25 September 2020, in force since 1 September 2023. |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. |
| FDPIC | The Federal Data Protection and Information Commissioner, the Swiss supervisory authority for data protection. |
| Licensed Partners | The regulated third-party entities engaged by KFA AG to support the delivery of the Services. |
| Employee | A person employed by KFA AG on the basis of an employment contract, civil law contract, or B2B contract, including members of the board of directors. |
| Services | The FiatSwaps platform services: dedicated Virtual Account details in supported Fiat currencies, automatic Fiat-to-USDC conversion, and USDC delivery to the Client's blockchain wallet on the Base Network. |
III. Data Controller and Contact Information
KFA AG is the Data Controller responsible for processing your personal data in connection with your account on the FiatSwaps Platform.
KFA AG
Weggisgasse 40
6004 Luzern
Switzerland
UID: CHE-112.360.196
For any enquiries regarding this Privacy Policy or your personal data:
Email: [email protected]
Post: KFA AG, Data Protection, Weggisgasse 40, 6004 Luzern, Switzerland
IV. Categories of Personal Data Collected
We may collect and process the following categories of personal data:
| Category | Data included |
| --- | --- |
| Identity Data | Forename and surname, date of birth, nationality, country of birth, and the series and number of a government-issued identity document. |
| Contact Data | Residential or registered office address, email address, phone number. |
| Financial Data | USDC wallet address, transaction history. |
| Technical Data | IP address, browser type, operating system, device identifiers. |
| Usage Data | Information about how you access and use the Platform, including login timestamps and feature interactions. |
| KYC/AML Data | Identity verification documents (e.g., passport copies, proof of address, selfie/liveness checks) as required by applicable AML/CTF regulations. |
| Beneficial Owner Data | (For business Clients) Forename and surname, nationality, date of birth, country of birth, residential address, and identity document details of each beneficial owner holding 25% or more of the entity. |
| Account Routing Data | Any reference, identifier, or routing information provided by the Client for account setup and payment routing purposes. |
We collect personal data directly from you, as well as from publicly available sources and authorised third-party service providers as necessary for compliance with legal and regulatory requirements.
V. Legal Basis for Processing Personal Data
We process personal data based on the following legal grounds:
- Performance of a Contract (Art. 6(1)(b) GDPR / nFADP): processing is necessary for the performance of the Services agreement — including account setup, dashboard access, Virtual Account coordination, and transaction monitoring.
- Legitimate Interests (Art. 6(1)(f) GDPR / nFADP): processing is necessary for our legitimate interests, including preventing fraud, ensuring Platform security, improving our services, and managing the client relationship, except where such interests are overridden by your fundamental rights and freedoms.
- Legal Obligations (Art. 6(1)(c) GDPR / nFADP): processing is necessary for compliance with applicable Swiss legal obligations, including commercial record-keeping requirements.
- Consent (Art. 6(1)(a) GDPR / nFADP): for specific purposes such as marketing communications, we will obtain your explicit prior consent. You have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
VI. Purposes of Processing Personal Data
We use your personal data for the following purposes:
- To onboard you as a Client and activate your account on the Platform
- To facilitate identity and business verification in accordance with applicable AML/CTF requirements
- To provide you with access to the dashboard and transaction monitoring tools
- To communicate with you regarding your account, payments, USDC deliveries, and changes to our Services
- To detect, investigate, and prevent fraud and other unlawful activity
- To comply with applicable Swiss legal and regulatory obligations
- To relay compliance-related requests from our Licensed Partners to you as part of ongoing AML monitoring
- To respond to requests from law enforcement or regulatory authorities
- For statistical analysis and improvement of our Platform
- To provide customer support
VII. Data Sharing and Transfer
Licensed Partners: Your identity, account, transaction, and KYC/KYB data may be shared with regulated third-party partners engaged by KFA AG to support the delivery of the Services. Each such partner processes data under its own regulatory obligations and applicable data protection law, either as an independent controller or as a data processor acting on our instructions.
Regulatory and Law Enforcement Authorities: Competent Swiss authorities (including FINMA or tax authorities as applicable) or EU/EEA authorities as required by applicable law, court order, or regulatory instruction.
Technical Service Providers: Hosting, cloud infrastructure, and security providers engaged by KFA AG under appropriate data processing agreements.
International Data Transfers: Your personal data may be transferred to and processed in countries outside Switzerland or the European Economic Area. We ensure that all such transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission or the FDPIC, or transfers to countries recognised as providing an adequate level of data protection.
VIII. Data Retention
We retain your personal data only as long as necessary to fulfil the purposes outlined in this policy or as required by applicable law.
| Data category | Retention period |
| --- | --- |
| Account and dashboard data | Duration of account + 5 years |
| KYC/AML documentation | 10 years after termination of the business relationship |
| Transaction records | 10 years from the date of the transaction |
| Technical and usage data | 2 years from collection |
| Data processed on the basis of consent | Until withdrawal of consent, unless another legal basis applies |
Retention periods for KYC/AML data reflect the regulatory obligations imposed on our Licensed Partners administering those processes. Where required by a competent authority, data may be retained for an additional period beyond the above deadlines.
IX. Client Rights
Depending on your jurisdiction of residence, you have the following rights in relation to your personal data:
| Right | Description |
| --- | --- |
| Access | Request confirmation of whether we process your personal data and obtain a copy. |
| Rectification | Request correction of inaccurate or incomplete personal data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"), subject to our legal and regulatory retention obligations. |
| Restriction | Request that we restrict processing of your personal data in certain circumstances. |
| Portability | Receive a copy of your personal data in a structured, commonly used, and machine-readable format, where processing is based on contract or consent. |
| Objection | Object to processing based on our legitimate interests, or to direct marketing at any time. |
| Withdraw Consent | Withdraw consent at any time where processing is based on consent. |
To exercise any of these rights, contact us at [email protected]. We will respond within one month of receipt, unless the complexity or volume of requests requires an extension of up to two additional months, of which we will notify you.
Please note that certain rights may be limited where we have overriding legal or regulatory obligations, or where the data in question is held and controlled by one of our Licensed Partners rather than by KFA AG directly.
X. Data Security Measures
We implement technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, disclosure, or destruction, including:
- Encryption of sensitive data in transit and at rest
- Secure storage systems with access logging
- Role-based access controls and multi-factor authentication
- Regular security assessments and audits
- Employee and contractor training on data protection and information security
- Incident response procedures for detecting and reporting personal data breaches
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with the nFADP and GDPR.
XI. Cookies
Our Platform uses cookies to ensure correct operation, user authentication, and security. The cookies we use are classified under site navigation and authentication. Sessions expire after 60 minutes unless extended by recent user activity.
Cookies do not store personal data beyond session identifiers. Cookies are hardened with the HttpOnly and Secure attributes. Browser fingerprinting may be used within the session context to prevent cookie theft and re-use on other devices.
For any cookies that are not strictly necessary for the functioning of the Platform, we will seek your consent prior to their use.
XII. Complaints
If you believe we have violated your privacy rights, you may file a complaint with:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern, Switzerland
Website: www.edoeb.admin.ch
If you are resident in the EEA, you also have the right to lodge a complaint with the data protection supervisory authority of your country of residence.
XIII. Updates to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, our services, or our processing practices. The latest version will always be available on the Platform. We will notify you of any material changes via email or a prominent notice on the Platform prior to the change taking effect.
XIV. Employee and Contractor Obligations
Each KFA AG employee and contractor shall promptly make available to the designated data protection contact any information and documents requested in connection with compliance with this Privacy Policy.
XV. Review and Update Schedule
Reviews of this Privacy Policy shall be performed at least once per year or more frequently in the event of:
- Significant changes to our processing activities or Services
- Recommendations from the board of directors or internal compliance function
- Receipt of supervisory recommendations or guidance from the FDPIC, FINMA, or other competent authorities
- Changes in applicable law affecting personal data protection
XVI. Contact
KFA AG
Weggisgasse 40
6004 Luzern
Switzerland
UID: CHE-112.360.196
Email: [email protected]