Privacy Policy.

1. Controller

The controller responsible for the processing of personal data on this website is:

Rekord AG
Alpenstrasse 15
6300 Zug
Switzerland

For any question relating to data protection or to exercise your rights, contact us at privacy@rekord.io.

2. Scope

This privacy policy applies to the processing of personal data collected through rekord.io. It describes what data we collect about visitors to the marketing website, the purposes for which we use it, with whom we share it, and the rights you have over it.

Data processing related to Rekord's products — including Rekord Kloud, Rekord AI, RWA Pools, RWA-Backed Vaults, and Digital Product Passports — is governed by separate data processing agreements between Rekord AG and the counterparty or institution concerned. This policy does not cover those product environments.

3. Applicable law

Rekord AG processes personal data in compliance with the Swiss Federal Act on Data Protection (revised, "nDSG") and, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"). Where the GDPR applies, Rekord AG acts as the data controller within the meaning of Article 4(7) GDPR.

4. What data we collect

Automatically collected data. When you visit this website, our hosting infrastructure and analytics tools automatically collect certain technical information about your visit. This typically includes your IP address (anonymized where technically feasible), browser type and version, operating system, the referring URL, the pages you visit, the time spent on those pages, and the date and time of access.

Data you provide. If you choose to submit a contact form, subscribe to updates, or otherwise communicate with us, we collect the information you enter. This typically includes your name, email address, organization, and any free-text content you provide. We only collect what you actively choose to share.

5. Why we process your data and the legal basis

We process personal data only where we have a clear purpose and a valid legal basis under the nDSG and, where applicable, the GDPR. The table below sets out the principal processing activities on this website.

6. Who receives your data

We share personal data only where it is necessary for the purposes set out above, and only with appropriate safeguards in place.

Service providers. We rely on a small number of carefully selected third-party providers for website hosting, analytics, email delivery, and similar services. These providers process personal data on our behalf under written data processing agreements that restrict them from using the data for their own purposes.

No sale of personal data. We do not sell personal data, and we do not share it with third parties for their independent marketing purposes.

Legal disclosure. We may disclose personal data where required to do so by Swiss or otherwise applicable law, in response to a valid legal request from a competent authority, or where necessary to establish, exercise, or defend legal claims.

7. International data transfers

Where personal data is transferred outside Switzerland or the European Economic Area, we ensure that an adequate level of protection is in place. We rely, in particular, on the European Commission's adequacy decision in favour of Switzerland (and the reciprocal Swiss recognition of the EEA), on standard contractual clauses approved by the European Commission, or on other legally recognized safeguards as appropriate.

8. Data retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law.

Server log data is deleted after 90 days, unless retention is required to investigate a specific security incident. Contact-form submissions and newsletter sign-ups are retained for 24 months from the date of last interaction, or until you ask us to delete the data, whichever comes first.

9. Your rights

Under the nDSG and, where applicable, the GDPR, you have a number of rights in relation to your personal data:

• the right to obtain confirmation of, and access to, the personal data we hold about you;
• the right to have inaccurate or incomplete data corrected;
• the right to request deletion of your data, subject to any legal retention obligations;
• the right to restrict or object to certain processing activities;
• the right to data portability under the GDPR; and
• the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please write to us at privacy@rekord.io. We will respond to your request within 30 days. If you believe that our processing of your personal data infringes the law, you also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, where applicable, your local EU supervisory authority.

10. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures are reviewed and updated periodically in light of evolving threats, technical developments, and the sensitivity of the data concerned. No method of transmission over the internet is fully secure, however, and we cannot guarantee absolute security.

11. Children

This website is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact us at privacy@rekord.io and we will delete the data promptly.

12. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, in the services we offer, or in applicable law. The current version will always be posted on this page, with the date of the most recent update shown at the top. Changes take effect upon publication.

Questions about this policy? Contact us at privacy@rekord.io.