We are pleased with your interest in our financial services. YAPEAL AG, domiciled at Max-Högger-Strasse 6, 8048 Zürich, Switzerland (hereinafter referred to as "YAPEAL", "we", or "us") enables you or your company (hereinafter also referred to as "YAPSTER" or "you") to easily and securely perform financial services online (hereinafter referred to as "YAPEAL-Services").
YAPEAL collects and processes personal data relating to the YAPSTER as well as other individuals (referred to as "third parties").
We use the term "data" synonymously with "personal data" or "personally identifiable information".
In addition, we may separately inform you about the processing of your data, such as in consent declarations, contract terms, additional privacy statements, and notices.
2. WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA?
YAPEAL AG, Datenschutz, Max-Högger-Strasse 6, 8048 Zürich, Switzerland
We have appointed the following data protection representative in accordance with Art. 27 GDPR in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as an additional point of contact for supervisory authorities and affected individuals for inquiries related to the General Data Protection Regulation (GDPR):
VGS Datenschutzpartner GmbH, Am Kaiserkai 69, 20457 Hamburg, Germany
YAPEAL processes various categories of data, depending on the YAPEAL-Services we provide for you. The main categories are as follows:
Data confirming the identity of the YAPSTERS such as name, date of birth, gender, address, including a picture of the ID, video or audio recording, personal picture, ID number.
Possibly evidence of the certification/evaluation of the identity.
Identity data may also relate to third parties (such as authorized representatives) and might include, for example, signature authorizations, powers of attorney, and consent forms.
In connection with companies, we process contact person data and professional data. We may also process details about other relationships with third parties (e.g., control holders or beneficial owners). Depending on the area of activity, we may also need to further scrutinize the company and its employees, e.g., through an enhanced due diligence review.
Data on how the YAPSTER can be contacted through various channels: e.g., postal addresses, email addresses or phone numbers.
Customer Profile Data (KYC)
KYC-related data of the YAPSTER such as salary, profession, account purpose, or other data that serve to prevent misuse and fraud or comply with other legal regulations.
Data from the interaction of the YAPSTER with customer support.
Supplementary data from interactions with third parties, internal investigations, and other external sources.
Details and results of risk assessments, risk tolerance, risk capacity, investment preferences, and strategies.
Some profile data or data from authorities may be particularly sensitive data.
Data on services contractually agreed upon with YAPEAL or with third parties, including any supplementary Data Sharing Agreements.
Possibly data about the YAPSTER's role in a company and signature rights.
Account and Transaction Data
Data about account and card usage, such as static account data, current and historical balances, including sums for inbound and outbound transactions over time, including payment orders.
Counterparty data such as name, account number/IBAN, address; amount and currency.
Possibly additional data such as "Merchant Category", location of the "Point-of-Sale", ATM location, booking text (possibly free text with additional data such as payment purpose).
Type of order such as card payment, transfer, direct debit.
Possibly other data reported via the YAPEAL system interface, e.g., order ID, name of the financial institution, financial institution code, location of the financial institution, date of order placement, type of order, date of order execution, amount of the order including currency, balance of the YAPSTER account after execution of the order, success of order execution, incurred fees.
Technical Communication Data
Log data from interaction with the YAPEAL system and the use of YAPEAL services such as IP address, device model, OS version, browser version, date, time.
To ensure the functioning of these offers, we might assign an individual code to you or your device or system (e.g., in the form of a cookie). Technical data alone does not allow inferences about identity. However, combined with data from user accounts, registrations, access controls, or contract processing, we might link them to other data and possibly associate them with your person.
Refer also to section 5.8.
Contact requests and newsletter sign-ups.
Scrolling behavior and duration of stay.
Approximate location (country and city).
IP address (in a shortened form, so no unique assignment is possible).
Browser, ISP, device, and screen resolution.
Which website or which advertising medium led you to YAPEAL.
Refer also to section 5.8.
4. FROM WHERE DOES YAPEAL OBTAIN YOUR DATA?
We process various data from different sources, depending on the situation and purpose.
Much of the data mentioned in Section 3 is provided by the YAPSTER themselves, for instance, when you communicate with us, transmit data, visit our website, or use our services or products. We may also obtain data from other sources, such as public registers or other publicly accessible sources, from authorities or other third parties.
If you do not provide us with data necessary to fulfill legal or regulatory obligations, or for the initiation, conclusion, or execution of a contract or business relationship with you, YAPEAL may not be able to accept you as a customer or provide YAPEAL services to you.
5. FOR WHAT PURPOSES DOES YAPEAL PROCESS YOUR DATA?
YAPEAL processes data for the following purposes:
5.1 Establishing a Relationship and Identifying the YAPSTER
During the opening of the relationship and identification, the following data is primarily collected from the YAPSTER: identification data, contact data, and technical communication data (see Section 3). This occurs through the download of the YAPEAL apps from a YAPEAL-supported app store (e.g., Apple, Google Play) where the YAPSTER is registered.
For authentication, the YAPSTER sets a PIN code and can also activate sign-in via fingerprint and/or facial recognition if the device used supports these features. These details are used for all future sign-ins to the YAPEAL apps. YAPEAL or the YAPEAL apps store this data for the purpose of ensuring the secure use of the YAPEAL interfaces and the YAPSTER account. In this context, neither YAPEAL nor the YAPEAL interfaces receive the biometric data (fingerprints and facial features) of the YAPSTER. For further questions about how fingerprint or facial recognition authentication works, the YAPSTER should contact the respective provider of this feature or their device.
In line with the FINMA Circular 2016/7 Video and Online Identification or as per the VSB guidelines, YAPEAL collects and stores the necessary data during the identification process of the YAPSTER, which the YAPSTER enters via the YAPEAL apps or sends to us through other channels. This includes, for instance, photographs of the presented identification documents and the related data (name, first name(s), birthday, etc.), photos and video recordings of the YAPSTER, contact data (residential address, email address, mobile phone number, etc.).
5.2 Account Opening and Account Usage
For the activation of YAPEAL services and the corresponding opening of YAPSTER accounts, the YAPSTER collects additional data, in particular, customer profile data (KYC) via YAPEAL interfaces (see also Section 3), e.g., job-related data (employment status, industry, etc.), data on the purpose and scope of account use, beneficial ownership or details about the controlling person, tax domicile / tax status especially under FATCA and AIA, customizable IBAN.
Throughout the business relationship or for YAPSTERs classified as a high-risk business relationship, YAPEAL can collect additional data to fulfill its due diligence, e.g., origin of assets, income, education, expected transaction volumes.
Furthermore, YAPEAL is obligated to regularly review the accuracy of the data and have it confirmed by the YAPSTER. The YAPSTER can view many of these data themselves in the YAPEAL front-ends and update them as needed.
5.3 Use of Payment Services, Debit Cards, and Supplementary Services
The YAPSTER has the option, as a private or business customer, to use various payment and debit card services depending on the selected account package or individual contractual agreement and to largely manage and view these digitally at any time through the YAPEAL front-ends. In addition to identification and technical communication data, YAPEAL primarily processes account and transaction data for this purpose (see Section 3).
If the YAPSTER avails themselves of supplementary or additional services offered in collaboration with YAPEAL partners, corresponding additional contract data for the respective contractual relationship may be collected (see Section 3).
The YAPEAL App uses a notification feature to provide the YAPSTER with current information on their account via "push notifications," such as for orders (credits and debits), account balance updates, etc. Through this notification function, the YAPSTER's usage of the YAPEAL App and the content of the messages are made known and stored with the Apple Push Notifications Service of Apple Inc. ("Apple"), One Infinite Loop, Cupertino, California 95014, USA, or the Google Cloud Messaging Service of Google Inc. ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
YAPEAL sends only a reference in the notification, through which the YAPSTER can directly access the corresponding information in the secure YAPEAL App. For further information on the functionality, the YAPSTER may contact the respective provider of these features.
5.5 Compliance with Laws, Directives, and Recommendations from Authorities and Internal Regulations ("Compliance")
We process data for the following purposes:
To comply with legal requirements such as anti-money laundering regulations and sanctions;
To prevent and investigate criminal activities and other misconduct (e.g., conducting internal investigations, data analyses for fraud prevention);
To assert legal claims and defense in the context of legal disputes and regulatory proceedings;
To ensure the operation, in particular, of IT, websites, apps, and other platforms;
For building and facility security (e.g., access controls);
For measures relating to business and risk management.
5.6 Development and Market Engagement
YAPEAL processes data from YAPSTERS as permitted and deemed appropriate for initiatives aimed at the further development of services and products, for the optimization of needs analysis for customer outreach and acquisition, and for advertising and marketing, as long as the YAPSTER has not objected to the use of their data.
5.7 Customer Support
If the YAPSTER contacts YAPEAL Customer Support ("Customer Support"), only the information that the YAPSTER provides to us during the communication, in addition to the app version and the operating system version, is transmitted to YAPEAL. Customer Support has access to this YAPSTER data to address the issue presented. YAPEAL stores the exchange of information between the YAPSTER and Customer Support, regardless of the communication medium used, to better assist the YAPSTER with future inquiries.
5.8 Use of the YAPEAL Website and the YAPEAL Forum (YAPSTER ZONE), Analysis and Tracking
When visiting the YAPEAL website (yapeal.ch) and the YAPEAL Forum / YAPEAL ZONE (forum.yapeal.ch), we may collect identity data, contact data, technical communication data, and analytics data (see section 3).
When visiting the YAPEAL website, your browser primarily transmits technical communication data (see section 3). The collection and processing of this data aim to facilitate the use of the YAPEAL website (establishing a connection) and to ensure its system security and stability on a continuous basis. The IP address is evaluated on an event-specific basis only in the case of attacks on the YAPEAL network infrastructure and continuously in anonymized form for statistical purposes, without any conclusions being drawn about your identity. Your device's browser automatically sends information to YAPEAL when visiting the YAPEAL website.
If the YAPSTER has given their consent for the use of necessary cookies, YAPEAL's website uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").
In Google Analytics 4, IP anonymization is activated by default. Due to IP anonymization, your IP address is truncated by Google within member states of the European Union or other states party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
During your visit to the website, your user behavior is recorded in the form of "events." Events can be page views, first-time website visits, session starts, visited web pages, "click paths," interaction with the website, scrolls, clicks on external links, internal searches, interaction with videos, file downloads, viewed/clicked ads, language settings. Additionally, the approximate location (region), date and time of visit, IP address (in truncated form), technical information about the browser and used devices (e.g., language settings, screen resolution), internet provider, and the referrer URL are collected. Reports provided by Google Analytics are used for analyzing the performance of our website.
Data recipients may include:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a data processor according to Art. 28 GDPR)
Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
The maximum lifespan of Google Analytics cookies is 2 years. You can revoke your consent at any time with future effect by adjusting your cookie settings. The legality of processing done based on consent before its withdrawal remains unaffected.
YAPEAL Forum / YAPSTER ZONE
You must register to use the YAPSTER ZONE. This is done by entering a username and password, optionally along with additional information such as: first name, last name, and e-mail address. This information will be used for all future logins to the YAPSTER ZONE.
YAPEAL employs so-called cookies on their website. Cookies are small text files that are stored on your device (e.g., computer, smartphone, tablet) when you visit our websites. The information collected through cookies is used to simplify and improve the usage of the website.
5.9. Social Networks
We may operate pages and other online presences on social networks and platforms operated by third parties, and may consequently collect data about you. We receive this data from you and from the platforms when you interact with our online presences (e.g., when you communicate with us and comment on our content). At the same time, the platforms (not YAPEAL) analyze your use of our online presences and link this data with other data known to them about you (e.g., regarding your behavior and preferences). They process this data independently and separately from YAPEAL for their own purposes, in particular for marketing and market research (e.g., to personalize advertising) and to manage their platforms (e.g., what content they show you).
6. ON WHAT BASIS DOES YAPEAL PROCESS YOUR DATA?
Due to Contractual Obligations
Initiation, conclusion, or execution of a contract or business relationship with the YAPSTER, or to fulfill YAPEAL's obligations arising from such a contract or business relationship.
To Safeguard Legitimate Interests of YAPEAL
The protection of our business, risk monitoring and management, receiving and handling complaints, improvement of our YAPEAL services, and our use of technology and market research.
To Comply with Legal or Regulatory Obligations or for the Fulfillment of Tasks in the Public Interest
YAPEAL may be required by law or by regulatory order to provide information regarding your data, or to disclose or transmit it, for example, to comply with reporting and control obligations under applicable financial regulations, identity checks, fraud, and financial crime; also, data on outgoing and incoming payments are collected, processed, and stored to fulfill ongoing compliance obligations, for example, for AML (Anti-Money Laundering) checks, PEP (Politically Exposed Persons), sanctions, and media screening.
With Consent from the YAPSTER
For additional purposes, the YAPSTER's data may be processed based on their consent, which can be revoked at any time.
7. WHICH THIRD PARTIES DOES YAPEAL DISCLOSE YOUR DATA TO?
7.1 Other YAPSTER (peer-to-peer payments)
YAPEAL may offer YAPSTER the ability to send money to other YAPSTER without having to enter an IBAN (peer-to-peer payments). If a YAPSTER wishes to use this feature, they must consent through the YAPEAL app to be discoverable by other YAPSTER for this purpose. This consent can be revoked and re-granted at any time by the YAPSTER within the YAPEAL app. Additionally, to use this feature, the YAPSTER must allow access to their contact list so that other YAPSTER who have also given consent can be identified by the phone number stored in the contact list. This consent can also be revoked and re-granted at any time.
7.2 Individuals or Companies to Whom the YAPSTER Transfers Money
Due to legal requirements for payment service providers, we share your data (transaction data, names, IBAN) with the payment recipient when you make a payment from your YAPEAL account.
7.3 Individuals or Companies Transferring Money to the YAPSTER
If you receive a payment to your YAPEAL account, we share your data with the payer (for example, your name and IBAN). This is necessary to confirm that the payment has been made to the correct account.
7.4 YAPEAL Service Providers
We collaborate with the following categories of service providers domestically and internationally, who process your data on our behalf or jointly with us, or receive data about you from us to fulfill our contractual, legal, and regulatory obligations:
IT Services: for the provision of our cloud services, security infrastructure, and web hosting (e.g., Google, Futurae, Cyon)
Compliance: for sanctions screening or supplemental video identification (e.g., KYC-Spider, Intrum)
Financial Market Infrastructure: for access to the Swiss payment network (e.g., Swisscom, SIX, SIC, SNB)
Card Manufacturers: for the production, personalization, and shipping of our cards (e.g., TagSystems)
Payment Networks, Card Processors, Mobile Payment Providers: to execute transactions with your physical debit card or mobile phone (e.g., VISA, Marqeta, Apple Pay, Google Pay, Samsung Pay)
Register Providers: for validation of addresses and company information (e.g., Swiss Post, Moneyhouse)
Communication Service Providers: to send emails and push notifications (e.g., Apple, Google, Friendly).
7.5 YAPEAL Partners
We may share your data with partners to provide specific services you have requested through YAPEAL front-ends or digital interfaces. We will only share your personal data in these cases if you have requested the service and consented to the data sharing. If we broker products and services, we may transmit your data to a cooperating partner.
We may share your data with, for example, courts, regulatory agencies, and auditing firms to fulfill our legal obligations, legal justifications, or administrative orders, as far as necessary to protect the legitimate interests of YAPEAL domestically and internationally. This is particularly the case if the YAPSTER has threatened or initiated legal action against YAPEAL, or made public statements; to secure claims of YAPEAL against the YAPSTER or third parties; and to restore customer contact after a breakdown in communication with the relevant Swiss authorities.
7.7 Market Operations Service Providers
Providers of analytics, social media, and advertising companies (e.g., Google, YouTube, X, LinkedIn, Facebook, Instagram).
7.8 If You Instruct Us to Share Your Personal Data
If you instruct us to share your data with a third party, we can do so. For example, you can authorize third parties to act on your behalf (e.g., a lawyer). In certain circumstances, we may require proof that a third party has been duly authorized to act on your behalf.
7.9 Other Recipients
Data may also be disclosed to other recipients if we are obliged or authorized to do so.
Please note that multiple internet providers are involved in data transmission when data is transferred over networks. Therefore, it cannot be ruled out that third parties may access the transmitted data and use it without authorization. Sensitive data should therefore never be sent via email, SMS, or other unencrypted channels. Even when data is encrypted, the names of the sender and recipient remain visible. Third parties may therefore draw conclusions about existing or future business relationships.
8. IS YOUR DATA TRANSFERRED ABROAD?
As explained in Section 7, YAPEAL also discloses data to third parties. These are not only located in Switzerland. Therefore, your data can be processed both in Europe and in the USA; in exceptional cases, in any country worldwide.
To the extent that YAPEAL transmits data to third parties in countries outside of Switzerland for processing and for the free movement of data, YAPEAL shall ensure that the data recipients operate in countries with an adequate level of data protection.
If a recipient is located in a country without adequate legal data protection, we contractually obligate the recipient to comply with applicable data protection laws (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless they are already subject to a legally recognized framework ensuring data protection, or we can rely on an exemption clause. In addition to the service providers described in Section 5.8., data may specifically also be transferred to the USA or other third countries for processing by service providers in the area of payment networks, card processors, and mobile payment providers as per Section 7.4.
An exception may specifically apply in the case of legal proceedings abroad, but also in cases of overriding public interests or if the execution of a contract requires such disclosure, if you have consented, or if the data are publicly accessible and you have not objected to their processing.
9. HOW DO WE PROTECT YOUR DATA?
We take appropriate technical and organizational measures (TOM) to maintain the confidentiality, integrity, and availability of the YAPSTER's data. These measures are intended to protect against unauthorized or unlawful processing and to mitigate the risks of loss, accidental alteration, unwanted disclosure, or unauthorized access.
All data transfers via YAPEAL frontends are end-to-end encrypted. All data is encrypted when stored in the YAPEAL system. The keys are solely in the possession of YAPEAL.
YAPEAL's online communication is fully encrypted through the standardized TLS/SSL protocol. All orders are processed via YAPEAL frontends that communicate only through secure YAPEAL IT services (for approved third-party portals, the respective data protection regulations of these third parties apply). All YAPSTER customer data (except for transaction data) is stored in Swiss data centers.
Whenever possible, YAPSTER-YAPEAL customer communication takes place through YAPEAL's secure in-app communication (see YAPSTER Relationship Terms and Conditions).
YAPEAL points out that data transmission via the Internet (e.g., when communicating via email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.
Our service providers, who process YAPSTER data on our behalf, are subject to the data protection laws applicable to them. They are carefully selected by us and are audited for compliance with the technical and organizational measures they have taken to protect YAPSTER data. They are contractually obligated to process the data exclusively according to YAPEAL's instructions and solely for the purpose of fulfilling their contracted tasks.
10. ARE THERE CASES OF AUTOMATED INDIVIDUAL DECISIONS INCLUDING PROFILING?
YAPEAL reserves the right to analyze and evaluate data automatically in the future, in order to identify essential personal characteristics of the YAPSTER, predict developments, and create customer profiles. These are primarily used for business analysis and for providing offers and information that YAPEAL may make available to the YAPSTER.
YAPEAL does not make automated individual decisions based on customer profiles but manually reviews any automated negative assessments (e.g., in the area of identification, sanctions screening).
11. HOW LONG DOES YAPEAL STORE YOUR DATA?
The duration for which personal data is stored is determined by legal retention obligations and/or the purpose of the specific data processing.
As a general rule, YAPEAL stores the data for the duration of the business relationship or contract term, and subsequently for an additional ten or more years (depending on the applicable legal basis). This corresponds to the time frame within which legal claims against YAPEAL can be asserted. Ongoing or anticipated legal or regulatory proceedings may result in storage beyond this period.
12. WHAT RIGHTS DO YOU HAVE?
If you disagree with how we handle your rights or privacy, please let us know (see Section 2).
You have the right to request specific information about your personal data and how it is processed (right to access). In particular, you can request that we correct or complete inaccurate or incomplete data (correction). You can also object to the processing for specific purposes or withdraw a separate consent (each with future effect). Under given conditions, you can request that we transfer certain data (data portability).
YAPSTERs also have the option to directly modify certain data (e.g., residential address or email) themselves via the YAPEAL front-ends.
The revocation of consent may result in YAPEAL services no longer being fully available to the YAPSTER, or that the contractual relationship with the YAPSTER must be terminated. The same applies if the YAPSTER wishes to delete their data. The rights to deletion and objection are not unrestricted rights. Depending on the individual case, overriding interests may require further processing, for example, certain data collection and storage may take place based on a legal basis, regardless of the existence of consent.
Every affected YAPSTER has the right to enforce their claims in court or to file a complaint with the competent data protection authority in their country. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner: www.edoeb.admin.ch. The relevant data protection authorities in the EU can be found at the following link: www.edpb.europa.eu/about-edpb/about-edpb/members_en.