Client Information on Data Protection

Blackfort Capital AG (hereinafter: the Company) provides this client information document to inform you about the collection and processing of your personal data in relation to your asset management/transaction-related investment advisory/ execution mandate(s).

Identity and contact details of the Data Controller

This document is aligned with the EU General Data Protection Regulation («GDPR»), the Swiss Data Protection Act («DPA») and aims to fulfill the company’s information duties. However, the application of these laws depends on each individual case.

A. Collection and Processing of Personal Data

Personal data includes any information relating to an identified or identifiable natural person. As part of its mandate, the Company collects several types of your personal data. These include in particular:

• Personal details (e.g. name, address, date of birth, civil status)
• KYC information (e.g. source of wealth/funds, CV and background information, total wealth and its composition)
• KYC supporting documents (e.g. tax statements, dividend distribution statements, account statements)
• Bank account information (e.g. IBAN, information about other custodian banks of the client)
• Flow of funds supporting documents (e.g. loan agreements, contacts, invoices, transaction details)

This also includes all other information that you provide to us or is inevitably collected in the course of providing the agreed-upon service.

Insofar as it is permitted to us, we may also receive your personal data from affiliated companies, authorities, or other third parties (such as e.g., introducers, custodian banks). Apart from data you provided to us directly, the categories of data we receive about you from third parties include, but are not limited to, information from public registers, data received in connection with administrative or court proceedings, information about you in correspondence and discussions with third parties, information about you given to us by individuals associated with you (family, consultants, legal representatives, etc.) in order to conclude or process contracts with you or with your involvement (e.g. powers of attorney), information related to legal requirements such as anti-money laundering regulations, information about you found in the media or internet (insofar as indicated in the specific case).

In principle, we retain this data during the term of your asset management/transaction-related investment advisory/ execution agreement(s) and for a period of 10 years after its/their termination. This period may be extended if it is necessary for evidentiary purposes or to comply with legal or contractual requirements.

B. Purpose of Data Processing and Legal Bases

The Company primarily uses collected data in order to perform the agreed-upon services vis-a-vis our clients, as well as in order to comply with domestic and foreign legal obligations.

In addition, in line with the applicable law and where appropriate, we may process personal data for the following purposes, such as:

• Providing and developing our products, services and websites, apps and other platforms, on which we are active.
• Advertisement and marketing (including organizing events), provided that you have not objected to the use of your data for this purpose (if you are part of our client base and you receive advertisement, you may object at any time, and we will place you on a blacklist against further advertising mailings).
• Asserting legal claims and defense in legal disputes and official proceedings.
• Prevention and investigation of criminal offences and other misconduct.
• Ensuring the operation of our IT systems, websites, apps, and other devices.
• Compliance with legal and regulatory provisions regarding the fight against money laundering and financing of terrorism, due diligence in financial transactions and plausibility checks.
• KYC, identification of the ultimate beneficial owner, and any authorized signatories, continuous monitoring of business relationships and regular update of the documentation.

C. Data Subject Rights

In accordance with the applicable law, individuals whose personal data is processed (“data subjects”) are guaranteed a number of rights in relation to the processing of their data. It is important to the Company that you can exercise your rights easily and transparently, should you wish to do so.

In particular, you have the following rights:

• The right to request and receive information as to whether and which of your data we are processing.
• The right to have inaccurate or incorrect data corrected. The right to object to all or specific instances of processing.
• The right to request the deletion of your data.
• The right to request that we provide you with certain personal data in a commonly used electronic format or transfer it to another data controller (data portability).
• The right to withdraw consent where our processing is based on your consent.
• The right to obtain further information on the exercise of these rights upon request.

In general, to exercise these rights, it is necessary for you to provide proof of your identity (e.g., by a copy of identification documents where your identity is not evident otherwise or can be verified in another way). In order to assert these rights, please contact us in writing using the details provided above. It is important to note that we reserve the right to enforce statutory restrictions or exceptions in certain cases. For example, if we are obligated to retain or process specific data, have an overriding interest (insofar as we may invoke such interests) or need the data for asserting claims.

Please further note that the exercise of these rights may be in conflict with your contractual obligations, and this may result in consequences such as premature contract termination and may involve costs. If this is the case, we will inform you in advance unless this has already been contractually agreed upon. In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

D. Sharing Data with Third Parties and Transfer of Data Abroad

In connection with our mandate, services, products, and legal obligations, and in accordance with the previously stated purposes of data processing, we may transfer data to third parties. Such transfers will occur when permitted and considered appropriate, either for the purpose of data processing on behalf of the Company (“data processors”) or, as the case may be, their own purposes (“joint controllers”). In
particular, the following categories of recipients may be concerned:

In particular, you have the following rights:

• External LCR Provider
• CRM / PMS Provider
• Data Hosting Provider
• Custodian Banks or Brokers
• Domestic and foreign authorities, official bodies and courts
• Business Introducers
• Authorized persons with a power of attorney of power of information.

Certain recipients are located within Switzerland, but others may be located in any country worldwide. In particular, you must anticipate your data to be transmitted to any country where our service providers are located (such as Microsoft).

If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the revised European Commission’s standard contractual clauses, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exception. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected the processing.

E. Changes to this Privacy Policy

We may amend this Privacy Policy at any time without prior notice. The current version published on our website shall apply. If the Privacy Policy is part of an agreement with you, we will notify you by e-mail or other appropriate means in case of an amendment.