Privacy Policy

Last updated: November 7, 2025

1. Data Controller

This Privacy Policy is drafted in accordance with the Swiss Federal Act on Data Protection (nLPD, RS 235.1) and, where applicable, the EU General Data Protection Regulation (GDPR – Regulation (EU) 2016/679).

2. Personal Data Collected

2.1 From the website

• Full name, retained for up to 24 months from creation or last access, then deleted unless session renewed by the user
• Email address, retained for up to 24 months from creation or last access, then deleted unless session renewed by the user
• Session and consent cookie UUID, retained for up to 24 months or until consent revoked
• Technical navigation logs (IP, timestamp, pages visited), retained for up to 6 months

2.2 From the TWM software

• Machine ID (device identifier), retained until uninstall or deletion request
• Trading order details sent to Trading Providers, deleted immediately after transmission

2.3 Not collected or stored

• API keys, always stored locally on the user computer
• Hardware data (CPU, RAM, GPU)
• Account balances, wallets, or full financial history

3. Purpose and Legal Basis

Personal data are processed in accordance with the principles of lawfulness, transparency, data minimization, and proportionality (Art. 6 nLPD).

• Contract performance: API connectivity with Trading Providers (Art. 6(1)(b) GDPR; Art. 14(1)(b) nLPD).
• Support and communications: updates, news, and newsletters based on consent (Art. 6(1)(a) GDPR; Art. 14(2)(a) nLPD).
• Functional analysis and statistics: Google Analytics 4 and Microsoft Clarity, based on legitimate interest (Art. 6(1)(f) GDPR; Art. 14(1)(f) nLPD). Data collected through these tools are anonymized before statistical processing and cannot directly identify the user.
• Legal, accounting, and security obligations: compliance with applicable laws (Art. 6(1)(c) GDPR; Art. 15(1)(c) nLPD).

4. Data Protection Officer (DPO)

No DPO has been appointed, as ASKO SA employs fewer than 250 people and does not carry out large-scale systematic monitoring (Art. 37 GDPR; Art. 10 nLPD).

ASKO SA reserves the right to appoint a DPO in the future if the scope or nature of the processing activities makes it necessary.

5. Data Protection Impact Assessment (DPIA)

A DPIA is not required for third-party analytical tools, as no internal large-scale systematic monitoring is carried out (Art. 35 GDPR).

Nevertheless, ASKO SA performs periodic privacy risk assessments to ensure that technical and organizational measures remain adequate to the processing context.

7. Retention, Deletion, and Administrative Costs

• Registration and web profile data: retained for up to 24 months from creation or last access.
• Technical logs: retained for 6 months.
• Trading orders: deleted immediately after transmission.

Data deletion is carried out securely and irreversibly, both on digital and physical media. Retention periods may be extended to meet legal, accounting, or judicial obligations.

Deletion and portability rights are fulfilled upon request, with delivery in a common format.

Administrative fees: up to CHF 300 for disproportionately burdensome requests (Art. 19 OPDa).

8. Cookies and Tracking

8.1 Types of Cookies Used

8.1.1 Necessary Cookies

These cookies are essential for the website to function and cannot be disabled:

• UserUUID: Technical identifier for consent management (12 months)
• consent: Stores your cookie preferences (12 months)
• .AspNet.Consent: Session consent indicator (1 year)
• .AspNetCore.Cookies: Authentication and session management (1 year)
• .AspNetCore.Antiforgery: Security against CSRF attacks (session)
• .AspNetCore.Culture: Language preferences (1 year)

Legal basis: Legitimate interest for technical functionality (Art. 6(1)(f) GDPR; Art. 14(1)(f) nLPD).

8.1.2 Functional Cookies

These cookies improve your experience but require your consent:

• Google cookies for Maps integration and service personalization (LSOLH, COMPASS, ACCOUNT_CHOOSER, APISID, LSID, NID, SAPISID, __Host-GAPS)

Legal basis: Explicit consent (Art. 6(1)(a) GDPR; Art. 14(2)(a) nLPD).

8.1.3 Statistical/Analytical Cookies

Used for anonymous website analytics:

• Google Analytics 4: _ga, _gid, _gat (anonymized before processing)
• Microsoft Clarity: CLID, MR, SM (session tracking and user interaction analysis)

Data collected through these tools are anonymized before statistical processing and cannot directly identify individual users.

Legal basis: Explicit consent (Art. 6(1)(a) GDPR; Art. 14(2)(a) nLPD).

8.1.4 Marketing/Advertising Cookies

Used for personalized advertising and remarketing:

• Google DoubleClick: test_cookie (15 minutes - verifies browser cookie support), IDE, DSID, FLC
• Google Ads: AID, TAID, __gads, __gac, ADS_VISITOR_ID, OTZ
• Microsoft Advertising: ANONCHK (10 minutes), MUID (13 months)
• Google cross-device tracking: __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDTS, __Secure-3PSIDCC, __Secure-1PAPISID, __Secure-1PSID

Legal basis: Explicit consent (Art. 6(1)(a) GDPR; Art. 14(2)(a) nLPD).

8.2 Consent Management

The cookie banner appears on the first visit and is renewed:

• Every 12 months from last consent
• When site or code changes introduce new cookies
• After browser cache/cookies are cleared

You can manage consent through three options:

• "Accept All": Accepts all cookie categories
• "Accept Selected": Accepts only chosen categories (functional, statistical, marketing)
• "Only Necessary": Only essential cookies (same as clicking "X")

Prior blocking: No tracking or marketing cookies are set before you give explicit consent. Scripts from Google Analytics, Google Tag Manager, Microsoft Clarity, and DoubleClick are blocked until consent is granted.

8.3 Withdrawal of Consent

You can withdraw consent at any time by:

• Clicking the cookie icon at the bottom-left of the page
• Accessing the Cookie Statement via the privacy policy
• Clearing your browser cookies manually

Effect of withdrawal: When you revoke consent:

• First-party cookies (_ga, _gid, etc.) are deleted immediately
• Tracking scripts (Google Analytics, GTM, Clarity) are blocked
• Third-party cookies (test_cookie, IDE) may remain temporarily but are no longer used or renewed
• Third-party cookies expire automatically (e.g., test_cookie expires in 15 minutes)

8.4 Third-Party Data Controllers

8.4.1 Google Analytics 4 & Google Tag Manager

Google LLC acts as an independent data controller. Data transfers comply with:

• EU–US Data Privacy Framework (adequacy decision)
• Swiss–US Data Privacy Framework

Google's privacy terms: policies.google.com/privacy

Opt-out: tools.google.com/dlpage/gaoptout

8.4.2 Google DoubleClick (Google Ads)

Google DoubleClick (part of Google Ads) sets cookies for advertising purposes, including:

• test_cookie: Tests if your browser accepts cookies (15 minutes)
• IDE: Tracks and profiles for ad personalization

Google acts as independent data controller. You can manage ad personalization: adssettings.google.com

8.4.3 Microsoft Clarity

Microsoft Corporation acts as an independent data controller. Clarity complies with:

• EU–US Data Privacy Framework
• Swiss–US Data Privacy Framework

ASKO SA has no access to individual user recordings. Microsoft's privacy terms: privacy.microsoft.com

8.5 Cookie Lifespan and Storage

8.6 How to Disable Cookies in Your Browser

You can configure your browser to refuse cookies:

• Chrome: Settings → Privacy and security → Cookies and other site data
• Firefox: Settings → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Block all cookies
• Edge: Settings → Cookies and site permissions

Note: Blocking all cookies may affect website functionality.

8.7 Additional Information

For detailed information about each cookie, including purposes and third-party providers, please refer to our Cookie Statement accessible from every page via the cookie icon.

The complete list of cookies is also displayed in the cookie banner under the "Details" tab.

9. Data Sharing

Trading Providers receive only the data necessary for order execution, which are then immediately deleted.

Aside from analytical services (Google Analytics 4 and Microsoft Clarity), ASKO SA does not use any sub-processors.

All service providers are selected to ensure appropriate security and confidentiality standards in accordance with Art. 8 nLPD.

No personal data is sold, traded, or shared for marketing purposes.

11. Data Subject Rights

Requests for access, rectification, erasure, restriction, objection, portability, and withdrawal of consent are handled:

• Within 72 hours if submitted via e-mail or support form
• Within 9 business days if submitted by post

Users also have the right to contact the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland for complaints regarding data processing.

12. Updates to This Policy

Material changes will be communicated via e-mail.

Non-material changes will update the “Last updated” date at the top of this page.

Continued use of the services after an updated version is published constitutes acceptance of the new policy.

13. Contacts and Support

Requests to exercise data rights must include a unique identifier (such as the registered e-mail address) to verify the requester’s identity.