Data Policy

Effective Date: July 3, 2025
Last Revised: July 4, 2025


1. Introduction

Kubera Equity (“we,” “us,” or “our”) is a business broker based in Switzerland. We are deeply committed to protecting the privacy and security of the personal data we process. This Data Policy outlines our comprehensive approach to data governance, including how we collect, use, store, share, and protect all data, with a particular focus on personal data, in full compliance with the revised Swiss Federal Act on Data Protection (FADP), which came into effect on September 1, 2023, and its accompanying ordinances, as well as other applicable laws and regulations.

We understand the sensitive nature of the information involved in business brokerage and are dedicated to maintaining the highest standards of data integrity and confidentiality in all our operations.


2. Legally Binding Nature

This Data Policy serves primarily as an internal document for Kubera Equity. It is designed to articulate our commitment to data protection, guide our employees and contractors in their data processing activities, and demonstrate our adherence to the principles and requirements of the Swiss Federal Act on Data Protection (FADP) and other applicable data privacy laws.

While this policy sets forth the standards and procedures we follow, it is explanatory in nature and does not, in itself, create new or additional legally binding obligations on Kubera Equity towards external parties (such as clients, potential clients, or the general public) beyond those already imposed by the FADP, its accompanying ordinances, and other relevant legal frameworks. Our obligations to data subjects are primarily governed by the specific provisions of applicable data protection laws and any contractual agreements we have in place.


3. Scope and Applicability

This Data Policy applies to all data, whether digital or physical, collected, processed, and stored by Kubera Equity in the course of its operations. This includes, but is not limited to:

  • Data of clients (buyers and sellers).
  • Data of potential clients and leads.
  • Data of employees and contractors.
  • Operational data.
  • Website usage data.

It applies to all employees, contractors, and third parties who have access to data processed by Kubera Equity.


4. Definitions

  • Data: Any information, whether personal or non-personal, in any format (digital, physical).
  • Personal Data: Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Sensitive Personal Data (particularly protected personal data under FADP): Includes data relating to religious, philosophical, political, or trade union-related views or activities, health, the private sphere, or affiliation to a race or ethnicity, genetic data, biometric data that uniquely identifies a natural person, data relating to administrative and criminal proceedings or sanctions, and data relating to social assistance measures.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Controller: The private person or federal body which, alone or jointly with others, determines the purpose and the means of processing personal data.
  • Processor: The private person or federal body that processes personal data on behalf of the controller.
  • Data Subject: The natural person whose personal data is being processed.
  • FADP: The Swiss Federal Act on Data Protection (specifically, the revised version effective September 1, 2023).

5. Principles of Data Processing

We adhere to the following core principles for all data processing activities, as mandated by the FADP:

  • Lawfulness, Good Faith, and Proportionality: Data is processed lawfully, in good faith, and proportionately to the stated purpose. We ensure that processing is always justifiable and does not unduly infringe on the data subject’s personality rights.
  • Purpose Limitation: Data is collected only for a specific, explicit, and legitimate purpose. Further processing is compatible with that purpose.
  • Data Minimisation: We collect and process only the personal data that is necessary and relevant for the specified purposes.
  • Accuracy: We take all reasonable steps to ensure that data is accurate, complete, and up-to-date. Inaccurate or incomplete data will be corrected, deleted, or destroyed.
  • Data Retention Limitation: Data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Once no longer needed, it will be securely destroyed or anonymised.
  • Integrity and Confidentiality (Security by Design and Default): We implement appropriate technical and organisational measures to ensure the security of data, protecting it from unauthorised or unlawful processing, accidental loss, destruction, or damage. We embed data protection considerations from the outset of any process or system involving personal data.
  • Transparency: We are transparent about our data processing activities, particularly concerning personal data. Data subjects are informed about the collection and processing of their data.
  • Accountability: We are responsible for, and able to demonstrate compliance with, the FADP principles. We maintain records of processing activities to ensure accountability.

6. Data Collection and Sources

We collect data from various sources, including:

  • Directly from Data Subjects:
    • During initial consultations, meetings, and communications.
    • Through contracts and agreements (e.g., mandates, NDAs).
    • Via our website forms (e.g., contact forms, inquiry forms).
    • During due diligence processes (e.g., financial statements, company registrations).
    • Email correspondence, phone calls, in-person meetings, and submission of documents.

  • From Third Parties:
    • Publicly accessible sources (e.g., commercial registers, land registers, press, internet, social media profiles).
    • Referrals from other professionals (e.g., lawyers, accountants).
    • Due diligence providers or financial institutions (with consent or legal basis).
    • Public databases, professional networks, and third-party data providers where legally permitted.

7. Types of Data Collected (Examples)

  • Client Data (Sellers & Buyers):
    • Identification Data: Names, addresses, contact details (email, phone), date of birth, nationality, passport/ID details.
    • Business Data: Company name, legal form, registration number, industry, financial statements, business plans, asset lists, intellectual property details, employee data (anonymised where possible), customer lists.
    • Financial Data: Bank details, credit history, solvency information, transaction records, tax information.
    • Contractual Data: Mandate agreements, terms of service, communication records.
    • Sensitive Personal Data (where strictly necessary and with explicit consent): Financial background checks, credit reports, and potentially information related to administrative or criminal proceedings if relevant for enhanced due diligence for anti-money laundering (AML) purposes, always with explicit consent and a clear legal basis.

  • Employee/Contractor Data:
    • Personal Identification: Name, address, contact details, date of birth, nationality, social security number.
    • Employment Details: Contract, job title, salary, performance reviews, bank details for payroll.
    • Sensitive Personal Data: Health data for sick leave management and disability accommodations; criminal records checks where legally required for specific roles, with explicit consent and a clear legal basis.

  • Website Usage Data:
    • IP address, browser type, operating system, pages visited, time spent on site, referring URLs (collected via cookies and analytics).

  • Other Operational Data:
    • Internal reports, meeting minutes, communication logs.

8. Purposes of Data Processing

We process data for the following purposes:

  • To Provide Business Brokerage Services:
    • Matching buyers and sellers.
    • Facilitating negotiations and transactions.
    • Performing due diligence on potential businesses and individuals.
    • Preparing legal and financial documentation.
    • Communicating with clients and stakeholders.

  • Client Relationship Management:
    • Onboarding new clients.
    • Managing ongoing client relationships.
    • Responding to inquiries and providing support.

  • Legal and Regulatory Compliance:
    • Complying with anti-money laundering (AML) and know-your-client (KYC) obligations.
    • Fulfilling tax reporting requirements.
    • Responding to lawful requests from authorities.
    • Maintaining records as required by law.

  • Internal Operations:
    • Financial management and accounting.
    • Risk management.
    • IT and system administration, security, and maintenance.
    • Internal reporting and analysis.
    • Employee management.

  • Marketing and Communication (with consent where required):
    • Sending newsletters, updates, and promotional materials.
    • Analysing website usage to improve services.
    • Sharing relevant industry insights and company news through email and other digital channels.
    • Service improvement and development, fraud prevention, and network security.

9. Legal Basis for Processing Personal Data

We process personal data based on the following legal grounds, as permitted by the FADP:

  • Consent: Where the data subject has given explicit consent for one or more specific purposes (e.g., for marketing communications, or for processing sensitive personal data or high-risk profiling).
  • Performance of a Contract: Where processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract (e.g., processing client data to facilitate a business sale).
  • Legal Obligation: Where processing is necessary for compliance with a legal obligation to which Kubera Equity is subject (e.g., AML/KYC regulations, tax reporting).
  • Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by Kubera Equity or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (e.g., internal administrative purposes, security, fraud prevention, service improvement, but always balanced against data subject rights).
  • Vital Interests: Where processing is necessary to protect the vital interests of the data subject or of another natural person (e.g., in a life-threatening emergency; rarely applicable in brokerage).
  • Public Interest: Where processing is necessary for the performance of a task carried out in the public interest (rarely applicable for private companies but may be relevant in specific, legally mandated contexts).

10. Data Security

We implement robust technical and organisational measures to protect data from unauthorised access, loss, destruction, alteration, or disclosure. These measures include:

  • Access Controls: Restricting access to data on a need-to-know basis and implementing robust user authentication.
  • Encryption: Encrypting sensitive data in transit and at rest where appropriate.
  • Pseudonymisation/Anonymisation: Using these techniques where feasible to reduce identifiability, especially for analytical or testing purposes.
  • Regular Security Audits and Penetration Testing: To identify and address vulnerabilities in our systems and processes.
  • Employee Training: Regular and mandatory training for all employees on data protection best practices, security awareness, and their responsibilities under the FADP.
  • Physical Security: Securing physical documents and data storage facilities with appropriate access controls.
  • Backup and Recovery Procedures: Implementing regular data backup and comprehensive recovery plans to ensure data availability and resilience in the event of an incident.
  • Incident Response Plan: A clear, documented plan for detecting, reporting, assessing, mitigating, and responding to data breaches, including communication procedures.
  • Multi-Factor Authentication (MFA): Implementing MFA for access to all critical systems and data repositories.
  • Secure Cloud Storage: Utilizing reputable cloud service providers that adhere to high security standards (e.g., ISO 27001 certification or equivalent) and Swiss data residency where feasible.
  • Firewalls and Antivirus Software: Deploying and regularly updating robust firewall and antivirus solutions to protect against malicious attacks.
  • Regular Software Updates: Ensuring that all operating systems, applications, and security software are regularly updated to protect against known vulnerabilities.
  • Privacy by Design and Default: Integrating data protection principles into the design and operation of all new systems, products, and services from the outset.

11. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including for fulfilling any legal, accounting, or reporting requirements. The specific retention periods are determined based on the type of data, the purpose of processing, and legal obligations.

  • Client Data (active engagement): Generally, data related to ongoing client relationships is retained for the duration of the relationship.
  • Client/Contractual Data (post-termination): Minimum of 10 years after the termination of the business relationship or contract, as required by Swiss commercial law (e.g., Art. 958f of the Code of Obligations) and tax law (e.g., Art. 70 of the VAT Act for certain documents, which can extend to 20 years for VAT on immovable properties).
  • Marketing Data: Retained until consent is withdrawn or after 2 years of inactivity, unless otherwise required by law or a legitimate interest for continued engagement exists (e.g., if the individual becomes a client).
  • Website Usage Data: Typically retained for 12 months for analytics purposes, often in an aggregated or anonymised form beyond this period.
  • Employee/Contractor Data: Retained for the duration of employment/contract plus 10 years after termination, or as mandated by social security and labor laws (e.g., Art. 330a OR for work certificates; Art. 128a OR for salary claims, which are subject to a 5-year period) and accounting regulations. Certain payroll records may also fall under the 10-year commercial retention period.
  • Other Operational Data: Retained according to its specific purpose and legal requirements.

Upon expiry of the retention period, personal data is securely deleted or anonymised in a manner that prevents re-identification.


12. Data Sharing and Disclosure

We may share data with the following categories of recipients, always ensuring appropriate safeguards and legal bases are in place:

  • Internal Departments: Within Kubera Equity for operational purposes, strictly on a need-to-know basis and under strict confidentiality obligations.
  • Clients (Buyers/Sellers): Relevant business information will be shared between prospective buyers and sellers. This information is typically anonymised initially and fully disclosed under Non-Disclosure Agreements (NDAs) during the due diligence phase of a transaction.
  • Professional Advisors: Lawyers, accountants, financial advisors, tax consultants, and other experts involved in a transaction, acting on behalf of Kubera Equity or our clients. They are contractually bound to confidentiality.
  • Service Providers (Processors): Third-party vendors who provide services such as IT support, cloud hosting, CRM systems, payment processing, marketing, and analytics. These providers are contractually bound through data processing agreements (DPAs) to protect data, process it only according to our instructions, and comply with applicable data protection laws.
  • Regulatory and Government Authorities: Where required by law, court order, or legitimate governmental request (e.g., FINMA, tax authorities, FDPIC).
  • Business Partners: In specific cases, with partners for joint ventures or collaborations, under strict contractual agreements that include data protection clauses.
  • Financial Institutions: For transaction processing and verification, and due diligence partners for background checks, with appropriate legal basis and safeguards.

13. International Data Transfers

As a Swiss-based company, we generally prioritize storing and processing data within Switzerland. However, in certain circumstances, personal data may be transferred to countries outside of Switzerland or the European Economic Area (EEA).

We will only transfer data to countries that are deemed by the Federal Council to provide an adequate level of data protection. This list is published in Annex 1 of the Data Protection Ordinance (DPO). Please note that while the EU/EEA member states are generally considered adequate, the adequacy for the US specifically applies to certified organizations under the Swiss-U.S. Data Privacy Framework (DPF) effective September 15, 2024, not to all US entities.

For transfers to countries not deemed adequate, we will implement appropriate safeguards as required by FADP, such as:

  • Standard Contractual Clauses (SCCs) approved by the FDPIC or the European Commission (with necessary amendments for Swiss law).
  • Binding Corporate Rules (BCRs).
  • Explicit consent from the data subject for the specific transfer, provided they have been informed of the potential risks.
  • Ad-hoc contractual clauses approved by the FDPIC.
  • Reliance on certified data protection frameworks or other legally recognized transfer mechanisms.

We ensure that any third parties processing data outside Switzerland or the EEA provide adequate protection and comply with FADP requirements through robust contractual agreements and due diligence.


14. Data Subject Rights (under FADP)

Data subjects have the following rights regarding their personal data, which they can exercise by contacting our Data Protection Officer:

  • Right to Information: The right to be informed about the collection and processing of their personal data, including the identity of the controller, processing purposes, data categories, recipients, retention periods, and source of data (if not directly collected).
  • Right of Access: The right to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and specific information about its processing.
  • Right to Rectification: The right to request the correction of inaccurate or incomplete personal data.
  • Right to Erasure (Right to be Forgotten): The right to request the deletion or destruction of personal data under certain circumstances (e.g., if the data is no longer necessary for the purposes for which it was collected, or if processing is unlawful).
  • Right to Object: The right to object to the processing of their personal data, particularly for direct marketing purposes, or in cases of automated individual decision-making, where there is no overriding legitimate interest.
  • Right to Restriction of Processing: The right to request the restriction of processing of their personal data under certain conditions (e.g., while accuracy is being verified).
  • Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right not to be subject to Automated Individual Decision-Making: The right to object to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or similarly significantly affect them, and to request a manual review.
  • Right to Withdraw Consent: Where processing is based on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact our Data Protection Officer at fa@kubera-equity.com. We will respond to your request within 30 days as required by FADP.


15. Data Breach Notification

In the event of a data security breach that is likely to result in a high risk to the data subjects’ personality or fundamental rights, we will notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible and without undue delay. We will also inform affected data subjects where it is necessary for their protection or if the FDPIC requires it. Our internal incident response plan outlines the specific steps for detection, assessment, mitigation, and communication of such breaches.


16. Data Protection Officer (DPO)

We have appointed a Data Protection Officer who is responsible for overseeing compliance with this policy and the FADP.

Contact Details for the Data Protection Officer:

  • Name: Fernando Amman
  • Email: fa@kubera-equity.com
  • Address: Kubera Equity, Militärstrasse 87, 8004 Zürich, Switzerland

17. Review and Updates to this Policy

This Data Policy will be reviewed regularly, at least annually, and updated as necessary to reflect changes in our data processing practices, legal requirements, technological advancements, or FDPIC guidance. Any significant changes will be communicated to relevant stakeholders.


18. Complaints

If you have concerns about our data processing practices, please contact our Data Protection Officer in the first instance. You also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) if you believe your data protection rights have been violated.


Federal Data Protection and Information Commissioner (FDPIC)