Privacy and Data Protection

Privacy Policy for US Investors

It is the policy of Principalium Capital AG to maintain confidentiality of all customer information. Principalium collects specific information from clients, pursuant to NFA rule 2.30. This information includes name, address, birthdate, net worth, occupation, and investment experience, among other things. Client information may only be shared with firm affiliates, a client’s broker, FCM, certain regulators, and parties for which we are legally compelled to provide such information. Limited customer information may be shared with non-affiliated third-party service providers, such as providing monthly statements to our accountant so they may compute performance. All such service providers are required to maintain confidentiality of client information.

The only staff members having access to client information are those that require such access as part of their job duties. Firm personnel with access to client information are forbidden to disclose such information to unauthorized third parties, and shall hold client information in strict confidence. Breaching this privacy policy is cause for termination. Paper documents shall be kept in a secure (locked) area, and electronic documents containing customer information shall be stored in password protected files or folders. Disposal of paper documents containing customer information shall include shredding of such documents.

Principalium Capital AG will provide clients with the firm’s privacy notice upon account opening, and at least annually thereafter.

Privacy Notice

Principalium considers your privacy one of our utmost concerns. This Privacy Notice outlines our current policies and practices regarding how information about individual clients is collected and used. We will send existing clients an updated Privacy Notice on an annual basis.

Principalium collects information about you from your account forms that you provide us. Principalium also collects information about your transactions with us and our affiliates. In order to service your account, we may provide some of your personal information to other independent service firms. These firms include clearing firm(s), trade partners, and accounting and compliance vendors. We require these other independent firms to protect the confidentiality of your information and to use the information only for the limited purpose for which the disclosure is made. We do not disclose any nonpublic personal information about our clients to other independent firms, organizations or individuals except in furtherance of our business relationship with you, or as otherwise required by regulators or legal requirement. Additionally, should you cease to be a client, Principalium will continue to adhere to the privacy policies and practices described in this notice.

We restrict access to nonpublic personal information about you to those firm personnel who need to know that information to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with US federal standards to guard your personal information.

If you prefer that we limit disclosures of personal information about you, you may notify us via email at compliance@principalium.com or by calling +41 76 675 7637. If you determine to opt out of this policy you can instruct us to what extent we are able to disclose your non-public personal information to affiliated third parties. If you have any questions or concerns regarding the privacy of your information at Principalium, or would like to discuss your “opt out” options please contact us at your earliest convenience.

Overview

This policy deals with the protection of our data and how we ensure the privacy of individuals (“data subject”) whose personal data we store. It governs the retention and deletion of data, who has access to it and what are the requirements for us to grant access.

The guiding principle is that we use as little personal data as possible and share it only with those that we can trust to keep the data safe or with regulatory authorities that are legally allowed to request the data. We require from external parties with whom we share personal data adherence to Swiss and EU data protection and privacy regulation. In addition, for US owned companies we require that they participate in privacy framework. We grant access to private data that we store only to those working for us and who have a compelling business reason for it. Individuals from the EU have the following rights according to GDPR, and we extend these rights to everyone:

Right of access by the data subject (art. 15):
the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information;
Right to rectification (art. 16)
the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her;
Right to erasure (‘right to be forgotten’) – (art. 17)
the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if there is e.c. no other legal ground for the processing (legal deadline for safekeeping under Swiss Law);
Right to restriction of processing (art. 18)
the right to obtain from the controller restriction of processing if e.c. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
Right to data portability (art. 20)
the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided;
Right to object (art. 21)
the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions.

In case of using one of these above-said rights by a data subject please contact Principalium Capital under the e-mail info@principalium.com. Your personal data will be processed lawfully, fairly and in a transparent manner in relation to the data subject. Data will be treated confidentially and will not be disclosed to external organizations, other than those acting as agents for Principalium Capital on related projects or for other legitimate reasons. The data will be used, unless you tell us otherwise (info@principalium.com), for a full range of Business Engagement activity, including advertising, invitations to our events and for mailing Principalium Capital publications.

Principalium Capital`s processing of your personal data takes place without profiling (look at hereinafter definitions).

Legal basis

As a Swiss firm, we are subject to the Swiss Data Protection Act and its ordinance. In addition, the EU and the new EU General Data Protection Regulation (GDPR), which has taken effect on 25 May 2018 imposes requirements for all firms that collect data from EU citizens.

Data processing by Principalium Capital is lawful as it is necessary for delivering under a contract to which the data subject is party or, at the request of the data subject prior to entering into a contract, for compliance purposes.

Applicability

This policy applies to everyone working at Principalium Capital.

Responsibilities

The ultimate responsibility for the protection of data and the privacy of individuals lies with the COO.

Data we store

We obtain and collect personal data that people share with us, such as their names, postal- and e-mail addresses, phone numbers and company names. We collect this data for example when individuals subscribe to our newsletters, ask to be invited to events or when we have a contract with them.

Emails will be tracked and stored to ensure that we are better able to tailor our communication. You have the right to object to the use of your data for any of the above purposes by contacting Principalium Capital AG (info@principalium.com).

Access to and use of data

We use personal data mainly to contact individuals, for example by sending them newsletters or inviting them to events.

We have no need to process or enhance persona data to profile individuals, for example by collecting metadata from emails, IP connections or telephone calls.

We store only the minimum of data necessary and delete identifying information where possible.

Access to personal data is on a need-to-know basis. Employees have access only when there is a compelling business reason.

Sharing of data

We share personal data when legally obliged to with regulators or courts.

We will never share or sell personal data with external firms that process and resell data.

Data retention and deletion

We retain data for as long as the individuals consent to it and we have a compelling business or legal reason to do so, for example, because we have a contract with an individual or we are legally obliged to store the information.

If an individual contacts us to require their personal data to be deleted, we do so – if legal – within latest one week and inform the individual accordingly. Equally, if we do not have a compelling business reason to retain private data of individuals, we delete the data.

External providers (Processors)

There are situations where we share private data with external parties (Processors), e.g. with our cloud providers. In some situations, we might use Customer Relationship Management Platforms.

As a general rule, we try to avoid this as far as feasible and we have a strong preference to use in-house solutions. Our preferences are:

The use of in-house software;

Use open source software where we can examine the code;

The use a Swiss software provider with strong privacy and security record and that conforms to Swiss and EU GDPR requirements;

The use of a software provider that conforms with at least the EU GDPR.

Where relevant – for example if a provider is owned by a US company – we do require without exceptions compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (see www.privacyshield.gov).

Under no circumstances will we share private data with providers that do not conform to at least the EU GDPR requirements.

We store our data with Swiss cloud providers, in-house servers and a commercial CRM system Insightly. To ensure that the data remain secure, we execute a due diligence of the provider at least annually and obtain their data protection and privacy policies.

Incidence handling

In case we detect or suspect a breach of data privacy, we will immediately evaluate the potential legal, regulatory implications and the possible impact on individuals’ privacy. Based on the assessment we will then report the incidence to the regulatory authorities and inform the individuals whose data had been impacted and work with them to minimize the harm to the data subjects and Principalium.

Regular tasks

We annually verify the compliance of external providers with the required data standards, in particular with Swiss and EU regulation.

For cloud providers to which we entrust sensitive data, we include a review of their data protection and privacy compliance as part of the due diligence.

We annually assess the data we retain from individuals with a view on deleting those for which we have no compelling business reason to retain.

Every software used to handle private data is evaluated before use, and we verify compliance with Swiss and EU regulation.

Address and Data Protection Officer

Principalium Capital AG (Switzerland)

Domicile: Sihleggstrasse 23, 8832 Wollerau, Switzerland

UID: CHE-403.746.948

info@principalium.com

Definitions

Personal Data

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Principalium Capital AG | Sihleggstrasse 23 | CH – 8832 Wollerau | +41 79 404 6777 | info@principalium.com

Last Update: 29. April 2024