Data Protection Statement of the Swissroc Group of Companies.

What is this Data Protection Statement about

The Swissroc Group (hereinafter also referred to as “we”, “us”, “our”) collects and processes personal data relating to you and to other individuals (“third parties”). We use the term “data” interchangeably with “personal data.”

The “Swissroc Group” refers to Swissroc Capital Holding SA and its subsidiaries and group companies. A list of these subsidiaries and group companies is available here.

“Personal data” means any information relating to an identified or identifiable natural person, i.e., a person whose identity can be determined from the data itself or in combination with additional data. Section 3 contains information about the data we process under this Data Protection Statement. The term “processing” means any operation performed on personal data, such as collection, storage, use, modification, disclosure, and deletion.

In this Data Protection Statement, we describe how we process your data when you use https://swissroc.ch, www.swissroc.com or https://www.swissroc-properties.com, our other websites, webpages or applications (collectively, the “Website”), when you are in contact with us in connection with a contract, or when you otherwise communicate or interact with us. Where necessary, we will inform you separately about processing activities not covered by this Data Protection Statement.

If you provide us with data about other persons, we assume that you are authorized to do so and that such data is accurate. By sharing data about others with us, you confirm this. Please ensure that such persons have been informed about this Data Protection Statement.

This Data Protection Statement is aligned with the EU General Data Protection Regulation (“GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and the revised Swiss Federal Act on Data Protection (“revFADP”). However, the specific applicability of these laws depends on the individual case.

2. Who is responsible for processing your data?

Swissroc Capital Holding SA, with its registered office in Geneva (“Swissroc”), is the data controller for the Swissroc Group under this Data Protection Statement, unless otherwise stated.

Unless otherwise indicated, this Data Protection Statement also applies where a Swissroc Group company acts as data controller instead of Swissroc Capital Holding SA. This is particularly the case where your data is processed by a Group company in connection with its own contracts or legal obligations, or when you share data directly with such Group company. In such cases, that Group company is the controller. If it shares your data with other Group companies for their own purposes (see Section 7), those other companies also become controllers.

Further information about third parties with whom we cooperate and who are responsible for their own processing can be found in Sections 3, 7 and 12. If you have questions or wish to exercise your rights in relation to these third parties, please contact them directly.

You may contact us regarding data protection matters and to exercise your rights under Section 11 at:

Swissroc Capital Holding SA
Chemin du Pré-Fleuri 3
1228 Plan-les-Ouates
dataprotection@swissroc.com

3. What data do we process?

We process various categories of data relating to you. The main categories are:

Technical Data

When you use our Website or other online services (e.g. free Wi-Fi), we collect the IP address of your device and other technical data to ensure functionality and security. This includes system usage logs.

Registration Data

Certain services (e.g. login areas, newsletters, free WLAN access) require a user account or registration. You must provide certain data, and we collect information about your use of the service. This includes account creation details (e.g. username, password, name, email address, phone number, search criteria, housing information, etc.).

We generally retain such data for 10 years after the last contractual activity or termination of the contract, unless a longer retention is required for evidentiary, legal, contractual, business or technical reasons.

Communication Data

When you contact us (via contact form, email, phone, SMS, WhatsApp, mail or other means), we collect the exchanged data, including contact details and communication metadata. If we need to verify your identity, we collect identification data.

Master Data

Master data includes basic information necessary for managing contractual or business relationships or for marketing purposes, such as name, contact details, role, banking details, date of birth, customer history, interaction history, powers of attorney, property budget, owned or rented properties, identity document copy if necessary, and consent declarations.

We receive master data from you, from persons you work for, from contractual partners, associations, address brokers, and public sources (e.g. public registers, websites, social networks).

We generally retain master data for 10 years from our last interaction or contract termination, unless longer retention is required.

Contract Data

Contract data includes information about contract conclusion, execution and administration (e.g. contract type, duration, billing data, customer service interactions, complaints, customer satisfaction surveys, creditworthiness data, debt collection information).

We retain contract data generally for 10 years from the last contractual activity or termination, unless longer retention is required.

Behavioral and Preference Data

We analyze behavior and preferences to better tailor our services. This may include website navigation behavior, location data, purchasing behavior, household size, income bracket, and other sociodemographic information, potentially combined with third-party data.

Other Data

This includes data processed in administrative or legal proceedings, photos, videos, audio recordings (e.g. events, security cameras), access logs, visitor lists, and shareholder/investor data.

Most of the above data is provided directly by you. Some processing (e.g. technical data) is unavoidable when using the Website. Behavioral and preference data can generally be objected to.

We may also collect data from public sources or receive data from other Group companies, public authorities, credit agencies, contractual partners, or internet analytics services.

4. For what purposes do we process your data?

We process your data for the following purposes:

  • Communication, including responding to inquiries and exercising your rights
  • Initiation, conclusion, administration and performance of contracts
  • Marketing and relationship management, including newsletters, invitations, and personalized advertising (you may object at any time)
  • Market research and service improvement
  • Location-based services, with your prior consent
  • Security and access control, including IT security, system monitoring and surveillance
  • Compliance with legal requirements
  • Risk management and corporate governance
  • Internal administration, training, quality assurance, legal defense and business development

5. On what legal basis do we process your data?

Where required, we obtain your consent (e.g. for marketing, personalized tracking, online behavior analysis). You may withdraw consent at any time with future effect.

Otherwise, processing is based on:

  • The necessity to perform or initiate a contract
  • Our legitimate interests (including marketing, business development, compliance, security)
  • Compliance with legal obligations

Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

6. Profiling and automated decisions

We may automatically evaluate personal aspects (“profiling”) to determine preferences, detect abuse, ensure security, perform statistical analyses, and plan business activities.

We ensure proportionality and reliability and take measures to prevent misuse.

7. With whom do we share your data?

We may disclose personal data to:

  • Group companies
  • Service providers (IT, logistics, marketing, security, banks, insurers, credit agencies, etc.)
  • Contractual partners
  • Authorities and courts
  • Other parties within business development activities (e.g. mergers, acquisitions)

Some recipients may be located abroad (see Section 8).

Certain third parties may independently collect data via our Website or events (e.g. social media tools, press photographers). They act as independent controllers.

8. Is your data transferred abroad?

Your data may be processed in Europe and, in exceptional cases, worldwide.

Internet data transmissions may pass through third countries even if sender and recipient are located in the same country.

9. How long do we process your data?

We process your data as long as necessary for our purposes, legal retention periods, legitimate interests, or technical requirements. Afterward, data is deleted or anonymized.

10. How do we protect your data?

We implement appropriate technical and organizational measures to ensure confidentiality, integrity, availability, and protection against unauthorized or unlawful processing.

11. What are your rights?

You have the right to:

  • Request access to your data
  • Request correction of inaccurate data
  • Request deletion
  • Request data portability
  • Withdraw consent
  • Object to processing, especially for direct marketing

You may contact us (see Section 2). Proof of identity may be required.

You may also lodge a complaint with the competent supervisory authority in the EEA, UK or Switzerland.

12. Online tracking and advertising technologies

We use cookies and similar technologies to ensure Website functionality, perform analytics and personalize advertising.

Categories include:

  • Strictly necessary cookies
  • Performance cookies (analytics, up to 13 months retention)
  • Marketing cookies (targeted advertising, up to 13 months retention)
  • Functionality cookies

You can manage cookie settings via your browser or consent banner.

We may also use advertising platform matching (e.g. email-based targeting) and embed third-party social media tools.

13. Social media pages

We operate social media presences (e.g. LinkedIn, Instagram, Facebook). Platforms analyze user interactions and process data independently for their own purposes (e.g. advertising personalization).

14. Updates to this Data Protection Statement

This Data Protection Statement is not part of a contract and may be updated at any time. The version published on our Website is the current version.

Last updated: February 2026