Your data. Your control.

The data controller is FOOTPASS SA (in the process of registration with the Commercial Register of the Canton of Zurich), a Swiss public limited company (société anonyme), with its registered office in Zurich, Switzerland (hereinafter "FOOTPASS").

All user personal data is hosted in Switzerland. Technical hosting details are available in the Legal Notice: footpass.com/mentions-legales.

DPO contact: [email protected].

FOOTPASS collects the following categories of data, depending on the services used:

Identity data: first name, last name, nationality, date and place of birth, role and Organisation.

Official documents: identity documents, verification selfies, contractual documents. This data is collected as part of the identity verification process and constitutes sensitive data within the meaning of the nFADP and the GDPR.

Content and communications: messages, files, photos, videos and associated metadata.

Technical data: IP address, event logs, device type, browsing preferences, cookies.

Payment data: information required for subscription and transaction management. FOOTPASS does not retain any banking data.

Relationship data: Links, Digital Authorisations and Sub-Authorisations between Users and Organisations.

History Log: an immutable technical record retaining a trace of significant events (creation, modification and revocation of Links and Digital Authorisations). Upon exercise of the right to erasure, identifying personal data is pseudonymised in this record.

Account creation and management — PassID issuance, Links and Digital Authorisations. Legal basis: performance of the contract.

Identity verification — KYC, fraud prevention. Legal basis: legitimate interest / legal obligation.

Service delivery — Messaging, Rooms, Vault, Acting-As. Legal basis: performance of the contract.

User support — Handling requests and complaints. Legal basis: performance of the contract.

Payment — Subscription management and invoicing. Legal basis: legal obligation.

Platform security — Logging, anomaly detection. Legal basis: legitimate interest.

Service improvement — Aggregated and anonymised usage analysis. Legal basis: legitimate interest.

Product communications — Information, updates and news. Legal basis: consent.

Legal obligations — Communications surveillance (LSCPT). Legal basis: legal obligation.

User personal data is accessible to the following categories of recipients:

Authorised internal FOOTPASS teams, strictly within the scope of their responsibilities.

Technical sub-processor service providers (hosting, identity verification, payment, communications, audience analytics) bound to FOOTPASS by a data processing agreement compliant with applicable law.

Users and Organisations authorised via your Links and Digital Authorisations, within the limits you have defined.

Competent authorities, upon lawful request.

FOOTPASS never sells your personal data and does not transfer it to any third party for commercial purposes.

The current list of sub-processors is available upon request at [email protected].

Active account and PassID: duration of use + 3 years.

Links and Digital Authorisations: duration of activity + 1 year.

Legal and contractual documents: 10 years.

Technical logs: 12 months.

Prospect data: 3 years.

After these periods expire, data is permanently deleted or irreversibly anonymised.

In accordance with the nFADP (RS 235.1) and, for users residing in the EEA, the GDPR, you have the following rights:

Access: obtain a copy of the personal data held about you.

Rectification: correct inaccurate or incomplete data.

Erasure: request the deletion of your data, subject to statutory retention obligations.

Restriction: restrict processing in certain circumstances.

Portability: receive your data in a structured and machine-readable format.

Objection: object to processing based on legitimate interest.

Withdrawal of consent: withdraw your consent at any time, without retroactive effect.

Automated decision-making: not be subject to a decision based solely on automated processing.

To exercise these rights: [email protected]. FOOTPASS responds within a maximum of one month.

If you are not satisfied with the response, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch. Users residing in the European Union may also contact the data protection authority of their Member State.

FOOTPASS implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure, including:

End-to-end encryption (E2EE) for messaging and the Vault.

Encryption of data in transit and at rest.

Strict internal access controls based on the principle of least privilege.

Regular and secure backups.

Periodic security audits.

In the event of a data breach likely to result in a risk to your rights and freedoms, FOOTPASS notifies the competent authorities and, where applicable, the individuals concerned, within the timelines required by applicable law.

The footpass.com website uses cookies and similar technologies to ensure service functionality, security and aggregated usage analysis. Non-essential cookies are subject to your prior consent, which you may withdraw at any time.

Details and preference management: footpass.com/cookies.

The platform is accessible from the age of 13. Users aged 13 to 17 (within the meaning of Article 14 of the Swiss Civil Code) may use the platform subject to the prior establishment of an active Legal Representative Link between their PassID and that of their legal representative (parent or legal guardian).

The legal representative exercises a right of control and revocation over all of the minor's Links and Digital Authorisations.

FOOTPASS does not process minors' data for targeted advertising purposes, in compliance with applicable requirements for the protection of minors online.

For any enquiry regarding a minor's data: [email protected].

Data Protection Officer (DPO): [email protected].

EU Representative: FOOTPASS SA will appoint a representative within the European Union prior to the public launch of the service. Their contact details will be published here upon appointment. In the meantime, any request from EU residents may be addressed to [email protected].

Personal data / DPO: [email protected].

General enquiries: [email protected].

FDPIC (Switzerland): www.edoeb.admin.ch.

ODR platform (EU): ec.europa.eu/consumers/odr.