1.      ABOUT THIS PRIVACY POLICY

Data protection and data security are important to Xchange360 SA (the “Company”, “we”, “our”, “us”).

This Privacy Policy applies when Personal Data that concerns you is processed by the Company. We process your Personal Data responsibly.

This Privacy Policy is primarily governed by the Swiss Federal Act on Data Protection (nDSG/FADP, SR 235.1) and the Ordinance on Data Protection (DSV/DPO, SR 235.11). To the extent that the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies based on its territorial scope under Article 3 GDPR — for example, where we offer services to data subjects in the EU/EEA or monitor their behaviour — we also comply with the GDPR. Where this Privacy Policy refers to specific GDPR provisions, these apply only to the extent the GDPR is applicable to the relevant processing activity.

The Company provides financial services within the meaning of the Swiss Financial Services Act (FinSA/FIDLEG, SR 950.1) and the Financial Services Ordinance (FinSO/FIDLEV, SR 950.11). The nature and scope of Personal Data we collect depends, among other things, on your client classification under FinSA (see Section 6). If you are classified as a Private Client (Privatkunde), enhanced investor protection obligations apply, which require the Company to collect additional Personal Data as described in this Privacy Policy.

In this Privacy Policy, we inform you about when, how, and for what purpose we collect and process Personal Data when you visit our website at www.xchange-360.ch (the “Website”), use our online tools and platforms (“Online Tools”), or interact with us. This Privacy Policy also covers the collection and processing of Personal Data when you obtain services from us, interact with or contact us in relation to a contract, or inquire about our services as a Prospect.

2.       DEFINITIONS

• Account: Your registered user account on the Platform through which you access the Services.
• Client: Any legal entity (including small and medium-sized enterprises), or natural person acting in a professional or commercial capacity, who has entered into a contractual relationship with the Company or is in the process of establishing one.
• Private Client (Privatkunde): A Client who is not classified as a Professional Client or an Institutional Client under Art. 4 FinSA. This category includes SMEs that do not meet the thresholds set out in Art. 4(3)(h) FinSA.
• Professional Client (professioneller Kunde): A Client classified as professional pursuant to Art. 4(3)–(4) FinSA, including regulated financial intermediaries, insurance companies, public-law entities, and companies exceeding at least two of the thresholds: balance sheet CHF 20M, revenue CHF 40M, equity CHF 2M.
• Institutional Client (institutioneller Kunde): A Client classified as institutional pursuant to Art. 4(1) FinSA.
• Prospect: Any legal entity or natural person acting in a professional capacity who has expressed interest in establishing a business relationship with the Company.
• Personal Data: Any information relating to an identified or identifiable natural person (Art. 5 lit. a nDSG). Where GDPR applies, Art. 4(1) GDPR.
• Sensitive Personal Data: A subset of Personal Data requiring heightened protection (Art. 5 lit. c nDSG).
• Processing: Any operation performed on Personal Data (Art. 5 lit. d nDSG).
• Controller: The natural or legal person which determines the purposes and means of Processing (Art. 5 lit. j nDSG).
• Processor: A natural or legal person which Processes Personal Data on behalf of the Controller (Art. 5 lit. k nDSG).
• Profiling: Any form of automated Processing to evaluate personal aspects (Art. 5 lit. f nDSG).
• FinSA: The Swiss Financial Services Act (SR 950.1).
• FinSO: The Financial Services Ordinance (SR 950.11).
• AMLA: The Swiss Federal Act on Combating Money Laundering (SR 955.0).
• ARIF: The Association Romande des Intermédiaires Financiers.
• FDPIC/EDÖB: The Swiss Federal Data Protection and Information Commissioner.
• Ombudsman: The ombudsman body affiliated under Art. 77 FinSA.

3.       WHO IS THE CONTROLLER

The Controller for the Processing of Personal Data in connection with the Services is:

Xchange360 SA

Chemin de la Joliette 3, 1006 Lausanne, Switzerland

CHE-342.141.056

Email: privacy@xchange-360.ch

The Company does not share Personal Data with affiliated entities or group companies. All Personal Data is processed exclusively by Xchange360 SA in Switzerland.

4.       DATA PROTECTION ADVISOR

The Company has appointed a Data Protection Advisor (Datenschutzberaterin / Datenschutzberater) in accordance with Article 10 nDSG. For all data protection enquiries, requests to exercise your rights, or complaints, please contact:

Xchange360 SA — Data Protection Advisor

Chemin de la Joliette 3, 1006 Lausanne, Switzerland

Email: privacy@xchange-360.ch

Note regarding EU/EEA-based Clients: The Company is established in Switzerland and primarily subject to Swiss data protection law. The Company has not appointed an EU Representative pursuant to Article 27 GDPR, as its B2B services are not systematically directed at data subjects in the EU/EEA within the meaning of Article 3(2) GDPR. Should the applicability of GDPR change in the future, an EU Representative will be designated and this Privacy Policy updated accordingly.

5.       SCOPE AND LEGAL FRAMEWORK

This Privacy Policy governs the Processing of Personal Data by the Company in connection with the provision of cryptocurrency exchange and financial intermediary services through the Website and the Account.

The Company processes Personal Data in accordance with:

(a) the Swiss Federal Act on Data Protection (nDSG/FADP, SR 235.1), effective 1 September 2023;

(b) the Ordinance on Data Protection (DSV/DPO, SR 235.11);

(c) the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), to the extent applicable;

(d) the Swiss Financial Services Act (FinSA/FIDLEG, SR 950.1) and FinSO (SR 950.11);

(e) the Swiss Federal Act on Combating Money Laundering (AMLA, SR 955.0);

(f) the AMLA Ordinance (AMLO, SR 955.01) and AMLO-FINMA (SR 955.033.0);

(g) ARIF Regulations and Directives (Directives 1–15);

(h) applicable Swiss sanctions legislation (EmbG, SR 946.231); and

(i) FINMA Guidance 02/2019 on payments via blockchain (Travel Rule).

6.       CLIENT CLASSIFICATION UNDER FINSA

6.1.     The Company classifies all Clients in accordance with Articles 4–5 FinSA before providing financial services. Client classification determines the scope of investor protection obligations and the nature and extent of Personal Data collected.

6.2.     The Company distinguishes among:

(a) Private Clients — all Clients who do not qualify as Professional or Institutional Clients, including SMEs.

(b) Professional Clients — Clients falling within Art. 4(3) FinSA categories.

(c) Institutional Clients — a subset of Professional Clients as defined in Art. 4(1) FinSA.

6.3.     Wealthy Private Clients may declare in writing that they wish to be treated as Professional Clients (opting out) under Art. 5(1)–(2) FinSA. Professional Clients may opt in to Private Client status under Art. 5(5) FinSA.

6.4.     To classify Clients under FinSA, the Company collects and processes, as applicable:

• corporate financial data for threshold assessment;
• information on regulatory status and professional treasury operations;
• written opting-out or opting-in declarations;
• documentation of assets, training, and professional experience; and
• records of classification decisions and reclassifications.

6.5.     Private Clients are subject to the full scope of FinSA conduct obligations, requiring additional Personal Data collection for appropriateness and suitability assessments (see Section 7.1).

7.       CATEGORIES OF PERSONAL DATA AND SOURCES

7.1. Categories of Personal Data

• Identification Data: Full name, date of birth, nationality, place of birth, residential address, email address, telephone number, government-issued identity document details.
• Verification Data: Copies of identity documents, proof of address, selfie or biometric verification data, source of funds/wealth documentation, Beneficial Ownership Declarations.
• Financial and Transaction Data: Bank account details, transaction history, Exchange Operation records, wallet addresses, blockchain transaction identifiers.
• Risk and Compliance Data: Risk classification scores, PEP screening results, sanctions screening results, transaction monitoring alerts, AML/KYC assessment outcomes.
• FinSA Client Classification Data: Corporate financial data, regulatory status, opting-out/in declarations, classification records.
• FinSA Suitability and Appropriateness Data (Private Clients): Knowledge and experience, financial situation, investment objectives, risk tolerance, assessment results.
• FinSA Information and Documentation Data: Records of KIDs provided, pre-contractual information, advisory service type confirmation.
• Professional Data: Job function, corporate title, professional memberships, corporate structure, authorised signatories.
• Technical and Usage Data: IP address, browser type, device information, login timestamps, session duration, pages visited, cookies data.
• Communication Data: Correspondence, feedback, complaints, Ombudsman communications.
• Sensitive Personal Data: Biometric identifiers for verification; data relating to criminal convictions as part of AML/CFT screening.

7.2. Sources of Personal Data

• Directly from you: when you contact us, open an Account, provide FinSA data, or use our Services.
• From third parties: from Clients regarding representatives, signatories, proxies, or beneficial owners.
• From publicly accessible sources: commercial registers, blockchain explorers, publications.
• From authorities and regulators: where required for compliance.
• From service providers: compliance databases, blockchain analytics, identity verification services.

8.       USE OF WEBSITE AND ONLINE TOOLS

8.1.     General Use of the Website. You may visit our Website without disclosing your identity. Certain technical data is automatically transmitted and temporarily stored.

8.2.     Use of Online Tools. When you register or log in, we collect data you provide and information you enter, upload, or process.

8.3.     Web Analytics. We use web analytics services with IP anonymisation. Details in the Cookie Notice.

8.4.     Cookies and Similar Technologies. We use cookies in accordance with Article 45c FMG. Technically necessary cookies do not require prior consent under Swiss law. For analytics/marketing cookies, consent is obtained where required.

You can manage preferences via your browser or our cookie preferences tool.

9.       USE OF SOCIAL MEDIA PAGES

We maintain corporate pages on social media platforms. Platform providers collect usage data independently as separate Controllers.

10.     PURPOSES OF PROCESSING

We process your Personal Data only to the extent permitted by applicable law and for the following purposes:

• Communication and Relationship Management
• Client Classification and Investor Protection under Art. 4–5 FinSA
• Establishing and Performing a Business Relationship including KYC/CDD onboarding
• FinSA Conduct Obligations (Private Clients) including appropriateness and suitability assessments
• Compliance with Legal and Regulatory Obligations including AML/CFT, sanctions, Travel Rule, FinSA
• Risk Management and Fraud Prevention including blockchain analytics
• Security and Access Control
• Dispute Resolution (Private Clients) through the Ombudsman under Art. 77 FinSA
• Marketing and Information in accordance with UWG Art. 3(1)(o)
• Service Optimisation
• Enforcement of Rights

11.     BASIS FOR PROCESSING YOUR PERSONAL DATA

11.1. Under Swiss Law (nDSG)

Under the nDSG, Processing is generally permitted provided it complies with data protection principles (Art. 6 nDSG). Where Processing may infringe personality rights, it is justified by:

• Consent (Art. 6(6) nDSG)
• Direct connection with a contract (Art. 31(2)(a) nDSG)
• Overriding private or public interest (Art. 31(1) nDSG)
• Legal obligation including AMLA, FinSA, sanctions legislation

11.2. Under EU Law (GDPR) — where applicable

We process Personal Data based on: performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)); or consent (Art. 6(1)(a)).

11.3. Processing of Sensitive Personal Data

Sensitive Personal Data is processed only where a specific justification applies (Art. 31(1) nDSG; Art. 9(2) GDPR where applicable).

12.     AUTOMATED DECISION-MAKING AND PROFILING

The Company uses automated decision-making systems in the following contexts:

• Automated KYC scoring
• Transaction monitoring
• Risk classification
• Sanctions screening
• Blockchain analytics
• FinSA appropriateness and suitability assessments (subject to human review)

In accordance with Article 21 nDSG (and Article 22 GDPR where applicable), you have the right to: (a) be informed; (b) express your point of view; (c) request human review; and (d) contest the decision.

All automated decisions resulting in Account suspension, transaction blocking, or service refusal are subject to human review. Contact: privacy@xchange-360.ch.

13.     SHARING YOUR PERSONAL DATA

We may share your Personal Data with:

• Regulatory authorities: MROS, ARIF, FINMA, SECO, Swiss courts, foreign authorities pursuant to mutual legal assistance
• Service providers: KYC/identity verification, blockchain analytics, payment service providers, IT service providers, counterparty financial intermediaries for Travel Rule compliance
• Professional advisors: Lawyers, auditors, compliance consultants
• Ombudsman (Private Clients): for dispute resolution under Art. 77 FinSA
• Corporate transactions: third parties acquiring our business

Appropriate data processing agreements and safeguards are in place with all recipients.

14.     RETENTION AND DELETION OF PERSONAL DATA

We process and store Personal Data only as long as necessary. Minimum retention periods:

Blockchain data: Data on a blockchain cannot be erased due to immutability. This does not affect your rights in respect of off-chain data.

Travel Rule data: Subject to counterparty intermediaries’ own retention policies.

Upon expiration of retention periods, Personal Data will be securely deleted or anonymised (Art. 6(4) nDSG).

15.     TRANSFER OF PERSONAL DATA ABROAD

We primarily process Personal Data in Switzerland. Transfers comply with Article 16 nDSG (and Articles 44–49 GDPR where applicable).

You may request a copy of safeguards at: privacy@xchange-360.ch.

16.     HOW WE PROTECT YOUR PERSONAL DATA

The Company implements appropriate technical and organisational measures in accordance with Article 8 nDSG and Article 3 DSV (and Article 32 GDPR where applicable).

Measures include: encryption, access controls, MFA, security assessments, employee training, incident response, and physical security.

16.1. Data Breach Notification

In the event of a data breach, the Company will: (a) notify the FDPIC (Art. 24(1) nDSG); and (b) inform affected individuals where necessary (Art. 24(4) nDSG; Art. 34 GDPR where applicable).

17.     YOUR RIGHTS AND HOW TO EXERCISE THEM

17.1. Data Protection Rights (all Clients)

• Right of access (Art. 25 nDSG; Art. 15 GDPR)
• Right to rectification (Art. 32(1) nDSG; Art. 16 GDPR)
• Right to erasure/deletion (Art. 32(2)(c) nDSG; Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to object (Art. 21 GDPR)
• Right to data portability (Art. 28 nDSG; Art. 20 GDPR)
• Right to withdraw consent
• Right relating to automated decisions (Art. 21 nDSG; Art. 22 GDPR)
• Right to lodge a complaint with the FDPIC or competent EU supervisory authority

17.2. Additional Rights for Private Clients under FinSA

• Right to information about classification (Art. 4–5 FinSA)
• Right to documentation (Art. 16 FinSA)
• Right to best execution information (Art. 18 FinSA)
• Right to access the Ombudsman (Art. 77 FinSA)

17.3. Restrictions on Your Rights

Your rights may be restricted per Article 26 nDSG (Art. 23 GDPR where applicable), in particular:

(a) where disclosure would compromise overriding interests of third parties;

(b) where statutory retention obligations apply (Art. 7(3) AMLA; Art. 15(2) FinSA);

(c) where the tipping-off prohibition under Article 10a AMLA applies;

(d) where other regulatory requirements must be met; or

(e) where the establishment, exercise, or defence of legal claims so requires.

17.4. How to Exercise Your Rights

Contact: privacy@xchange-360.ch. Response within 30 days (Art. 25(7) nDSG). Under GDPR, within one month (Art. 12(3) GDPR).

18.     NEWSLETTER AND MARKETING COMMUNICATIONS

Under Swiss law (UWG Art. 3(1)(o)), unsolicited electronic marketing requires prior consent. Within an existing business relationship, marketing about similar services is permitted with opt-out opportunity.

You can unsubscribe at any time using the link in each message or by contacting us.

19.     CHANGES TO THIS PRIVACY POLICY

Material changes will be notified at least 30 days before they take effect. The most current version is always available on the Website.

20.     SUPERVISORY AUTHORITY

Swiss Federal Data Protection and Information Commissioner (FDPIC/EDÖB)

Feldeggweg 1, 3003 Bern, Switzerland

Tel.: +41 58 462 43 95 | www.edoeb.admin.ch

The Company is supervised by ARIF under Article 24 AMLA. Regulatory matters: ARIF, 2 Cours de Rive, 1204 Geneva (www.arif.ch).

21.     CONTACT

For data protection enquiries:

Xchange360 SA — Data Protection Advisor

Chemin de la Joliette 3, 1006 Lausanne, Switzerland

Email: privacy@xchange-360.ch

For FinSA-related enquiries:

Xchange360 SA — Compliance Department

Chemin de la Joliette 3, 1006 Lausanne, Switzerland

Email: compliance@xchange-360.ch

End of Privacy Policy — 27 March 2026