Privacy Policy - Trusso AG

Version 1.0 | As of: June 1, 2026

In this Privacy Policy, we, Trusso AG (hereinafter Trusso, we, or us), explain how we collect and otherwise process personal data. This is not an exhaustive description; other privacy policies, general terms and conditions, or mandate-specific documents may regulate specific circumstances. Personal data refers to all information relating to an identified or identifiable person.

If you provide us with personal data of other individuals (e.g., family members, colleagues, shareholders), please ensure that these individuals are aware of this Privacy Policy, and only share their personal data with us if you are permitted to do so and if the data is accurate.

This Privacy Policy is designed to meet the requirements of the revised Swiss Data Protection Act ("nDSG"; in force since September 1, 2023) and the EU General Data Protection Regulation ("GDPR"). Whether and to what extent these laws are applicable depends on the individual case.

1. Data Controller

Trusso AG
Aeschenplatz 4
4052 Basel

Email: datenschutz@trusso.ch
Phone: +41 61 926 83 83

For data protection concerns, please contact the address provided above.

2. Collection and Processing of Personal Data

We primarily process personal data that we receive in the course of our business relationship with our clients and other business partners, as well as data that we collect from users when operating our website.

Where permitted, we also obtain certain data from publicly accessible sources, particularly from commercial registers, debt enforcement registers, and land registries, from the press and the internet, and from authorities within the scope of legal disclosure obligations (including GwG/AML reporting offices, FINMA).

In addition to the data you provide directly to us, we may receive personal data about you from third parties, including, in particular, information from public registers, information related to official and judicial proceedings, information about professional functions and activities, creditworthiness reports, information from banks and insurance companies, and information from media and the internet (where appropriate in the specific case).

3. Purposes of Data Processing and Legal Bases

We process personal data for the following purposes:

Contract Performance — conclusion and execution of our fiduciary, auditing, and consulting mandates, as well as the purchase of products and services.

Legal Obligations — compliance with retention and documentation obligations (OR Art. 958f: 10 years), AML/GwG regulation, tax law, FINMA requirements, and other professional legal requirements.

Legitimate Interests — where permitted and appropriate, particularly for the offering and further development of our services and website; communication with third parties and processing of inquiries (including applications); advertising and marketing to existing and potential customers (with right to object, see section 19); assertion of legal claims and defense in legal disputes; prevention and investigation of criminal offenses and misconduct; IT, network, and building security, as well as the protection of our employees; purchase and sale of companies or business units, as well as corporate transactions as part of our growth strategy (M&A); and business management and compliance with internal regulations.

Consent — where we have obtained your explicit consent (e.g., for newsletters). Any given consent can be revoked at any time, without affecting data processing that has already occurred.

4. Cookies and Tracking

Our website uses cookies — small text files that are stored on your device. We distinguish between:

Technically necessary cookies are set without consent and are required for the operation of the website (e.g., session management, language settings). Session cookies are automatically deleted after the session ends; permanent cookies store user settings for a defined period.

Analytics and marketing cookies are only set with your explicit consent. You can revoke your consent at any time via our cookie settings.

You can configure your browser to reject cookies. Please note that some website functions may be limited as a result.

5. Server Log Files

When you access our website, our hosting provider automatically collects the following technical data: browser type and version, operating system, referrer URL, hostname and IP address of the accessing device, as well as date, time, pages accessed, and amount of data transferred.

This data is not assigned to individual persons. The retention period for system protocols and logs is generally a maximum of 12 months. The legal basis is our legitimate interest in security and stable operation, as well as legal disclosure obligations in cases of suspected misuse.

6. Contact Form and Inquiries

If you contact us via the contact form or by email, your details (name, email address, message, and possibly other information) will be processed and stored to handle your inquiry. This data will not be shared with third parties without your consent.

Retention period: Inquiries are deleted after final processing, unless legal retention obligations prevent this (max. 10 years for mandate-related correspondence according to OR Art. 958f).

7. Newsletter

For sending our newsletter, we process your email address and — if provided — your name and salutation. The legal basis is your consent.

You can unsubscribe from the newsletter at any time via the unsubscribe link in the newsletter or by email to datenschutz@trusso.ch. The data will be used exclusively for sending newsletters and for client-related communication.

8. Analytics Tools (Google Analytics)

We only use Google Analytics 4 (Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Google Ireland relies on Google LLC, USA, as a processor) with your explicit consent (opt-in via cookie banner).

IP anonymization is activated; full IP addresses are not transmitted. Although we assume that the data shared with Google does not constitute personal data, Google may be able to draw conclusions about the identity of users if they are logged into Google services.

Data Transfer to the USA: We rely on Standard Contractual Clauses (SCC) in accordance with nDSG Art. 16 para. 2 lit. d. Further information: privacy.google.com.

You can revoke your consent at any time via our cookie settings or install the Google Analytics Opt-out Add-on at tools.google.com/dlpage/gaoptout.

9. Embedded Third-Party Content (YouTube, Google Maps)

Our website may contain embedded content from YouTube and Google Maps. This content is only loaded after your consent, as embedding it transmits data (incl. IP address) to Google. For data transfers to the USA, section 8 applies accordingly. If you do not wish to transmit data, you can deactivate this content via the cookie settings.

10. Google Fonts

Our website uses Google Fonts (Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Google Fonts are hosted locally on our server — no connection to Google servers is established, and no data is transmitted to Google. Therefore, no consent is required.

Should externally hosted fonts be used in exceptional cases, your IP address will be transmitted to Google. In this case, we rely on Standard Contractual Clauses (SCC) in accordance with nDSG Art. 16 para. 2 lit. d. Further information: policies.google.com/privacy.

11. SSL/TLS Encryption

All data transmitted via our website is secured by SSL/TLS encryption. You can recognize the encrypted connection by the prefix https:// and the padlock symbol in your browser's address bar.

12. Data Disclosure and International Data Transfer

As part of our business activities, we disclose personal data to the following recipients as necessary: IT service providers and processors (e.g., Microsoft in connection with Microsoft 365, Abacus); banks, insurance companies, and other business partners; domestic and foreign authorities, agencies, and courts (incl. tax authorities, FINMA, AML reporting offices); external auditors and third parties involved under professional law; acquirers or interested parties in the purchase of companies or business units; other companies within the Trusso Group; as well as other parties in potential or actual legal proceedings.

These recipients may be located in Switzerland, the EEA, or third countries. For transfers to countries without adequate data protection, we contractually oblige the recipient to comply with applicable data protection, in particular through Standard Contractual Clauses (SCC) of the European Commission.

13. Retention Period

We store personal data for as long as necessary to fulfill our contractual and legal obligations — i.e., for the duration of the business relationship and beyond, in accordance with legal retention and documentation obligations. Commercial documents are retained for 10 years in accordance with Art. 958f of the Swiss Code of Obligations (OR). Operational data (system protocols, logs) is generally deleted after a maximum of 12 months. Once personal data is no longer required, it is deleted or anonymized.

14. Profiling

We may partially automate the evaluation of personal data to tailor our communication and services to your needs. Fully automated decision-making within the meaning of Art. 22 GDPR does not take place. Should we use such procedures in individual cases, we will inform you separately.

15. Obligation to Provide Personal Data

Within the scope of our business relationship, you must provide us with the personal data necessary for establishing and carrying out a client relationship. Without this data, we are generally unable to conclude or execute a contract with you. Furthermore, the website cannot be used if certain technical information (such as the IP address) is not disclosed.

16. Data Security

We implement appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse, including encryption, access controls, network security solutions, employee training, and regular security audits. Despite these measures, complete protection cannot be guaranteed for data transmission over the internet.

17. Your Rights as a Data Subject

Under the nDSG and, where applicable, the GDPR, you have the following rights: access to the data we process; rectification of inaccurate or incomplete data; erasure, unless there is a legal obligation to retain data; restriction of processing in certain cases; data portability in a common format; objection, especially against processing for direct marketing; and revocation of a given consent with effect for the future.

We reserve the right to invoke legally stipulated restrictions, for example, if we are obliged to retain certain data. The exercise of these rights may, in individual cases, affect existing client relationships; in such cases, we will inform you in advance. Proof of identity is usually required to assert your rights.

To exercise your rights, please contact: datenschutz@trusso.ch

18. Right to Complain

You have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC): Feldeggweg 1, 3003 Bern

19. Objection to Marketing Communications

Existing customers may object to the use of their contact details for direct marketing at any time. Upon objection, they will be placed on a suppression list and will not receive any further promotional mailings. We hereby generally object to the use of publicly available contact details for sending unsolicited promotional materials.

20. Changes to this Privacy Policy

We may amend this Privacy Policy at any time without prior notice. The current version published on our website applies. If the Privacy Policy is part of an agreement with you, we will inform you of any material changes by email or other appropriate means.