Lexarte Ltd (hereinafter referred to as "we" or "us") is a law firm based in Zurich. In the course of our business activities, we collect and process personal data, particularly data about our clients, associated persons, counterparties, courts and authorities, correspondence law firms, professional and other associations, visitors to our website, participants in events, recipients of newsletters, and other entities or their respective contacts and employees (hereinafter also referred to as "you"). This privacy policy informs you about these data processing activities. In addition to this privacy policy, we may provide separate information about the processing of your data (e.g., through forms or contractual terms).

If you provide us with data about other individuals (e.g., family members, representatives, counterparties, or other associated persons), we assume that you are authorized to do so, that the data is accurate, and that you have ensured these individuals are informed about this disclosure, provided a legal obligation to inform applies (e.g., by sharing this privacy policy with them in advance).

When you use our services, visit www.lexarte.ch (hereinafter "website"), or otherwise interact with us, we collect and process various categories of personal data. Generally, we may collect and process this data for the following purposes:

• Communication: We process personal data to communicate with you and third parties, such as parties to legal proceedings, courts, or authorities, via email, telephone, mail, or other means (e.g., to respond to inquiries, provide legal advice and representation, and negotiate or execute contracts). This also includes sending clients, contractual partners, and other interested parties information about events, legal changes, or news about our law firm. Such communication may take place through newsletters and other regular updates (via email, post, or phone). You may object to such communication or withdraw your consent at any time. For this purpose, we process the content of the communication, your contact details, metadata about the communication, and, where applicable, audio or video recordings of (video) calls. If recordings are made, you will be informed, and it is your right to decline or terminate the communication. Additionally, we may collect identification data, such as copies of ID documents, if necessary.
• Contract negotiation and conclusion: To enter into a contract, particularly a mandate agreement, with you or your employer or principal, including resolving potential conflicts of interest, we may collect and process your name, contact details, powers of attorney, consent declarations, information about third parties (e.g., contact persons, family details, counterparties), contract contents, dates, creditworthiness data, and other relevant information from you, public sources, or third parties (e.g., commercial registers, credit agencies, sanction lists, media, legal protection insurers, or online sources).
• Contract management and fulfillment: We process personal data to fulfill our contractual obligations to clients and other contractual partners (e.g., suppliers, service providers, correspondence law firms, project partners). This includes data processing for mandate management (e.g., legal advice and representation before courts and authorities, correspondence) and contract enforcement (e.g., debt collection, litigation), as well as bookkeeping and public communication (where permitted). For this, we process data obtained during contract negotiation, execution, or from public sources and third parties (e.g., courts, authorities, counterparties, credit agencies, media, detectives, or online sources). This data may include conversation and consultation records, internal and external correspondence, contract documents, procedural documents (e.g., pleadings, judgments), background information, service proofs, invoices, and financial/payment data.
• Website operation: To ensure secure and stable operation of our website, we collect technical data, such as IP addresses, details about your device's operating system and settings, geographic location, time of access, and type of usage. We also use cookies and similar technologies (see Section 8 for more details).
• Improvement of electronic services: To continuously improve our website and other electronic services, we collect data about your behavior and preferences, analyzing how you navigate our website and interact with our social media profiles.
• Registration: To use certain services or offers (e.g., free Wi-Fi, newsletters), you may need to register with us or external login providers. We process the data you provide during registration and any additional data collected while using the service. Where necessary, we will inform you further about data processing related to these services.
• Security and access control: We process personal data to maintain and enhance the security of our IT systems and infrastructure (e.g., buildings). This includes monitoring and controlling electronic access to our IT systems and physical access to our premises, conducting analyses and tests of our IT infrastructure, and creating backups. For documentation and security purposes, we may also maintain access logs and visitor lists, and use surveillance systems (e.g., security cameras) in our premises. If surveillance is used, it will be indicated with appropriate signage at the relevant locations.
• Compliance: We process personal data to comply with applicable laws (e.g., anti-money laundering laws, tax obligations, or professional responsibilities), self-regulation requirements, certifications, industry standards, internal and external investigations, or proceedings in which we are a party (e.g., initiated by law enforcement, supervisory authorities, or private entities).
• Risk management and corporate governance: We process personal data as part of risk management (e.g., to protect against criminal activities) and corporate governance, including organizational planning and development (e.g., acquisitions or divestitures).
• Job applications: If you apply for a position with us, we process your application data to evaluate your application, conduct the application process, and, if successful, prepare and conclude an employment contract. This includes data from your application documents, professional social media profiles, references (if provided), and other publicly available sources.
• Other purposes: Other purposes include training and education, administrative purposes (e.g., bookkeeping), and organizing, conducting, and documenting events. This may involve maintaining participant lists, recording speeches and discussions, and creating images or audio recordings during the events. We may also process data for other legitimate interests not explicitly listed here.

• From you: The majority of the data we process is provided directly by you (or your device) (e.g., in connection with our services, the use of our website and apps, or through communication with us). Except in specific cases (e.g., legal obligations), you are not required to provide us with your data. However, if you wish to enter into contracts with us or use our services, certain data is necessary. Similarly, using our website is not possible without data processing.
• From third parties: We may also obtain data from publicly accessible sources (e.g., debt enforcement registers, land registers, commercial registers, media, or the Internet, including social media) or receive it from (i) authorities, (ii) your employer or client, who is in a business relationship with us or interacts with us, and (iii) other third parties (e.g., clients, counterparties, legal protection insurers, credit agencies, address resellers, associations, contractual partners, Internet analytics services). This includes data processed in connection with contract initiation, execution, and communication with third parties.

In connection with the purposes listed in Section 3, we share your personal data with the following categories of recipients. Where necessary, we obtain your consent or request a waiver of our professional confidentiality from our supervisory authority:

• Service providers: We collaborate with service providers in Switzerland and abroad who process data on our behalf (e.g., IT providers), jointly with us, or under their own responsibility. These include IT providers, banks, insurers, debt collection companies, credit agencies, address verifiers, other law firms, or consulting firms. We typically enter into agreements with these third parties to ensure appropriate data use and protection.
• Clients and other contractual partners: This includes clients and other contractual partners of ours, where data sharing arises from the contract (e.g., if you act for a contractual partner or they provide services for you). This category also includes cooperation partners, such as other law firms or legal protection insurers.
• Authorities and courts: We may share personal data with offices, courts, and other authorities in Switzerland and abroad if necessary to fulfill our contractual obligations, especially in legal mandates, or if we are legally required or permitted to do so.
• Counterparties and involved persons: If required to fulfill our contractual obligations, we share your personal data with counterparties and other involved individuals (e.g., guarantors, financiers, affiliated companies, other law firms, or experts).
• Other persons: This category includes other cases where third-party involvement is necessary for purposes outlined in Section 3. Examples include delivery addresses or payment recipients you specify, representatives (e.g., your lawyer or bank), or persons involved in legal or administrative proceedings. We may also share your data with our supervisory authority to obtain a waiver of professional confidentiality. Additionally, if we cooperate with media and provide them with material (e.g., photos), you may also be affected.

All these categories of recipients may, in turn, engage third parties, making your data accessible to them. We can limit the processing by certain third parties (e.g., IT providers) but not others (e.g., authorities, banks, etc.).

We also allow certain third parties to collect personal data about you on our website and at our events under their own responsibility (e.g., media photographers, providers of tools integrated into our website, etc.). In cases where we are not substantially involved in these data collection activities, these third parties are solely responsible for them. For any inquiries or to exercise your data protection rights, please contact these third parties directly. Your rights are outlined in Section 7, and information about activities on our website can be found in Section 8.

We primarily process and store personal data in Switzerland and the European Economic Area (EEA). Depending on the specific case—such as through subcontractors of our service providers or in proceedings before foreign courts or authorities—your data may potentially be transferred to any country worldwide. In the course of our work for clients, your personal data could also be transferred to any country globally.

If a recipient is located in a country without adequate data protection, we contractually require the recipient to ensure an appropriate level of data protection (using the revised Standard Contractual Clauses of the European Commission, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, including the necessary amendments for Switzerland), unless the recipient is already subject to a legally recognized framework ensuring data protection.

Additionally, we may transfer personal data to a country without adequate data protection without a specific contract, if we rely on an exception. Such exceptions may apply in the context of foreign legal proceedings, overriding public interests, or if the performance of a contract that is in your interest necessitates such a transfer (e.g., sharing data with our correspondence law firms). Transfers may also occur if you have provided consent or if obtaining consent within a reasonable time frame is not possible, and the transfer is necessary to protect your life, physical safety, or that of a third party.

Furthermore, transfers may occur if the data in question is publicly available and you have not objected to its processing. We may also rely on exceptions for data derived from legally mandated registers (e.g., commercial registers) to which we have legitimate access.

Under applicable law, you have the right to: Request information about how your personal data is processed. Correct inaccurate personal data. Request deletion of your personal data. Object to data processing. Request the transfer of specific personal data in a common electronic format or its transmission to another responsible party.

To exercise these rights, contact us using the information in Section 2. To prevent misuse, we may need to verify your identity (e.g., by requesting a copy of an ID document).

Please note that these rights may have conditions, exceptions, or limitations (e.g., to protect third parties, trade secrets, or due to professional confidentiality). We reserve the right to redact or only partially provide copies for confidentiality reasons.

When using our website (including newsletters and other digital offerings), data is collected and stored in logs (particularly technical data). Additionally, we may use cookies and similar technologies (e.g., pixel tags or fingerprints) to recognize website visitors, analyze their behavior, and identify preferences. A cookie is a small file transmitted between the server and your system, enabling the recognition of a specific device or browser.

You can configure your browser to automatically reject, accept, or delete cookies. It is also possible to disable or delete cookies individually. You can find out how to manage cookies in your browser by consulting the help menu of your browser.
Both the technical data we collect and cookies generally do not contain personal data. However, personal data that we or third-party providers engaged by us store about you (e.g., if you have a user account with us or these providers) may be linked with technical data or with the information stored in and derived from cookies, and thus potentially associated with you.

We also use social media plug-ins, which are small software components that create a connection between your visit to our website and a third-party provider. The social media plug-in informs the third-party provider that you have visited our website and may transmit cookies previously placed on your web browser by that provider. Further information on how these third-party providers use the personal data collected through their social media plug-ins can be found in their respective privacy policies.
Additionally, we use our own tools as well as services from third-party providers (who may also use cookies) on our website, particularly to enhance the functionality or content of our website (e.g., integration of videos or maps), generate statistics, and display advertisements.

Currently, we may use services offered by the following providers and advertising partners, whose contact information and further details on individual data processing can be found in their respective privacy policies:

• Google Analytics
  Provider: Google Ireland
  Privacy Policy: https://support.google.com/analytics/answer/6004245
  Information for Google accounts: https://policies.google.com/technologies/partner-sites?hl=en

Some of the third-party providers we use may be located outside Switzerland. Information on cross-border data transfers is provided in Section 6. Legally, these third parties may act as our processors or as independent controllers.

We maintain pages and other online presences on social networks and third-party platforms. In this context, we process data about you when you interact with us (e.g., by communicating with us or commenting on our content) and when we receive data from the platforms (e.g., aggregated statistics). Platform providers may analyze your usage behavior and combine this data with other information they have collected about you. These platforms process the data for their own purposes (e.g., marketing, platform management) as independent controllers.

The platforms we use include:

• LinkedIn
  Website: www.linkedin.com
• Privacy Policy: https://de.linkedin.com/legal/privacy-policy
  Twitter
  Website: www.twitter.com
  Privacy Policy: https://twitter.com/privacy

We may review third-party content on our online presences before or after publication, remove content without prior notice, and report it to the platform provider if necessary.

Some platform providers may be located outside Switzerland. For information on cross-border data transfers, please refer to Section 6.

We do not generally assume that the EU General Data Protection Regulation (GDPR) applies to us. However, if it does apply in specific cases, the following points are relevant:

We process your personal data based on the following legal grounds under the GDPR:

• The processing is necessary for the initiation, conclusion, and execution of contracts with you (Art. 6(1)(b) GDPR).
• The processing is necessary for legitimate interests as described in Section 3, such as communication with you or third parties, operating our website, improving electronic services, maintaining security, ensuring compliance, managing risks, and other legitimate purposes (Art. 6(1)(f) GDPR).
• The processing is required to fulfill our legal obligations under EEA or EU Member State laws (Art. 6(1)(c) GDPR) or to protect vital interests (Art. 6(1)(d) GDPR).
• You have given consent to specific processing activities (Art. 6(1)(a) and Art. 9(2)(a) GDPR).

We retain your data for as long as necessary to fulfill the purposes described in Section 3, comply with legal retention requirements, or protect our legitimate interests (e.g., documentation and evidence purposes). Once these purposes no longer apply, we delete or anonymize the data, subject to technical and organizational constraints.

If you do not provide certain personal data, we may be unable to offer related services or enter into contracts with you.

You have the right to object to processing activities, especially for direct marketing purposes (see Section 7 for details).

If you are dissatisfied with how we handle your rights or data protection, you may contact us (see Section 2). If you are located in the EEA, you also have the right to file a complaint with your country's data protection supervisory authority. A list of authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en.