Privacy Policy

1. Introduction

This Privacy Policy outlines how SofiArt Gallery SA ("we", "us", or "our") collects, processes, stores, and uses your personally identifiable information ("Personal Data") and Automatically Collected Data in accordance with the Swiss Federal Act on Data Protection (FADP) and other applicable regulations. By using our services, you agree to this Policy.​

The controller of your personal data is the legal entity that determines the "means" and the "purposes" of any processing activities that it carries out. SofiArt Gallery SA is the controller and is responsible for handling of your personal data.

2. Purpose of Data Processing

This Privacy Policy describes why and how we collect and process your personal data, details of which are available below in connection with:

• Use of SofiArt Gallery SA's services ("Services"), including following transactions conducted within Switzerland:
• Exchange between fiat money and virtual assets.

This Privacy Policy applies to all personal data processing activities carried out by us, across the Services.

This Privacy Policy informs you about your privacy rights and how the data protection principles set out in the applicable privacy legislation protect you.

This Privacy Policy supplements other notices and policies and is not intended to override them. Our Services are not intended for minors under the age of 18 years, and we do not knowingly collect data relating to minors.

We process your data to:

• Fulfill legal obligations under AML/KYC laws;
• Deliver and improve our Services;
• Verify identity and source of funds/assets;
• Manage transactions and record-keeping;
• Comply with supervisory authorities;
• Ensure security and prevent fraud.

3. Information We Collect

Personal data, or personal information means any information that relates to an identified or identifiable living individual. This includes information you provide to us, information which is collected about you automatically, and information we obtain from third parties.

A "data subject" is an individual who can be identified, directly or indirectly, by personal data. This is usually by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We may collect and process the following categories of personal data:

• Identity Data: full name, maiden name, date of birth, biometric information including a visual image of your face, national identity card, passport, driving licence or other form of an identification document, place of work – for PEPs.
• Contact Data: country of residence, email address or telephone numbers, proof of address documentation (if applicable).
• Financial Data: bank account, payment card details, virtual currency accounts, the origin of funds.
• Transactional Data: wallet details and verification data, details about transaction to and from you.

4. How We Collect Your Data

SofiArt Gallery SA collects your data through the following methods:

• Directly from You: When you provide personal information during identity verification (KYC), or while initiating transactions. You may provide us with your Identity Data, Social Identity Data, Contact Data, Financial Data and Communications Data by directly interacting with us, including by filling in forms, providing a visual image of yourself via the Service, by email or otherwise. This includes personal data you provide when you:
  • apply for our Services;
  • make use of any of our Services;
  • request marketing to be sent to you, for example by subscribing to our newsletters;
  • enter a competition, promotion or survey, including through social media channels; or
  • give us feedback or contact us.
• From Third Parties: We may obtain personal data from regulated third parties such as compliance databases, identity verification services, or blockchain analysis providers, in accordance with applicable law.
• Communication Records: We may also collect and store correspondence you have with us via email, phone, or other channels for security and compliance purposes.

5. How and Why We Use/Share Your Information

5.1. How We Use Your Data

• To verify your identity and comply with AML/KYC regulations;
• To process and execute virtual asset transactions;
• To fulfill contractual obligations and provide customer support;
• To detect, investigate, and prevent fraud, illegal activities, and violations of our Terms of Business;
• To improve and personalize your experience with our services;
• To comply with legal obligations and respond to lawful requests by public authorities.

5.2. Why and With Whom We Share Your Data:

• Regulatory and Legal Authorities: We may share your data with regulatory bodies (such as VQF or FINMA) or legal authorities to comply with applicable laws, court orders, or enforcement actions.
• Service Providers: We may share your data with trusted third-party vendors who provide identity verification, transaction monitoring, IT infrastructure, or cloud services. These parties are contractually bound to handle your data securely and solely for the intended purposes.
• Affiliates and Successors: In case of business reorganization, acquisition, or merger, your data may be transferred to our affiliates or new entity, with proper safeguards in place.
• Legal Enforcement: We may disclose data where necessary to protect our legal rights, investigate fraud or violations, or ensure the safety of our clients.

We do not sell or rent your personal data to third parties.

5.3. Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. If such processing is introduced in the future, we will ensure that it is carried out in accordance with applicable data protection laws and that you are informed accordingly.

6. Data Retention

We will hold your personal information on our systems only for as long as required to provide you with the products and services you have requested, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements, generally for a minimum of 10 years after the end of the business relationship. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In some circumstances you can ask us to delete your data.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

7. Your Rights

Under applicable law, you have the right to:

• Access your personal data;
• Request corrections to inaccurate information;
• Object to certain types of processing;
• Request deletion of your data under certain legal conditions;
• Withdraw your consent at any time where we rely on your consent to process your personal data;
• Request the restriction of processing in certain circumstances;
• Receive your data in a structured, commonly used and machine-readable format (right to data portability), where applicable;
• Lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) if you believe that your rights under data protection law have been violated.

To exercise any of your rights, please contact us using the details provided in section 11.

8. Data Security

While there is an inherent risk in any data being shared over the internet, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, damaged, or accessed in an unauthorised or unlawful way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. International Data Transfers

If personal data is transferred outside Switzerland, we ensure appropriate safeguards such as standard contractual clauses are in place.​

In cases where data is transferred to a country that does not ensure an adequate level of data protection (as determined by the Swiss Federal Council), we implement safeguards such as the use of standard contractual clauses approved by the Federal Data Protection and Information Commissioner (FDPIC) or binding corporate rules.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Switzerland.

10. Policy Updates

Our Privacy Policy is reviewed regularly to ensure that any new obligations and technologies, as well as any changes to our business operations and practices are taken into consideration, as well as that it remains abreast of the changing regulatory environment. Any personal information we hold will be governed by our most recent Privacy Policy.

Updated versions will be available upon request or at our physical service locations. Continued use of our services indicates acceptance of the updated policy.

11. Contact Information

For any inquiries regarding this Privacy Policy or your personal data, please contact:

SofiArt Gallery SA

Address: Via Antonio Caccia 10 A, Lugano, Switzerland

Email: gallery@sofiart.ch

Phone: +41797246394

SofiArt Gallery SA Privacy Policy approved by Director Dmytro Kostin

_________________________