Privacy Policy
CY.SEND Digital Rewards Platform
Table of Contents
- Introduction
- Data Controller Information
- Personal Data We Collect
- How We Collect Data
- Legal Basis for Processing
- How We Use Personal Data
- Data Sharing and Disclosure
- International Data Transfers
- Data Retention
- Data Security
- Your Privacy Rights
- Cookies and Tracking
- Automated Processing
- Children's Privacy
- Changes to This Policy
- Contact Information
Related Policies
Website Terms of Use - Governs your general use of our website.
Service Terms - Applies to our B2B customers.
Cookies Policy - Details our use of cookies and tracking technologies.
Cashback Club Terms - Explains data processing specific to our loyalty program.
1. Introduction
1.1 Our Privacy Commitment
CY.TALK SWITZERLAND S.A., operating under the CY.SEND brand, is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect personal information when you use our digital rewards platform and services.
Our privacy governance is formally certified under ISO/IEC 27701:2019, the international standard for Privacy Information Management Systems (PIMS). This certification, issued by an accredited third-party certification body, confirms that our privacy controls, data processing procedures, and governance framework have been independently audited and verified against internationally recognised best practices for PII management. ISO 27701:2019 extends our Information Security Management System (ISMS) with a dedicated privacy layer covering our roles as both a PII Controller and a PII Processor.
1.2 Legal Framework
Our data processing complies with applicable privacy laws, including the Swiss Federal Act on Data Protection (FADP) and the European Union General Data Protection Regulation (GDPR) where applicable.
Our ISO 27701:2019 certification provides a structured, auditable framework that operationalises compliance with these regulations and supports alignment with other international privacy laws, including Brazil's LGPD, South Africa's POPIA, and the Australian Privacy Principles.
2. Data Controller Information
Data Controller
3. Personal Data We Collect
3.1 Account Information
Individual Users: Name, email address, phone number, country of residence, date of birth, and account credentials.
Business Customers: Company name, business registration details, tax identification numbers, business address, authorized representative information, and corporate account credentials.
3.2 Transaction Data
- Payment information (processed securely through third-party payment processors)
- Purchase history and transaction records
- Order details and product information
- Account balance and billing information
3.3 Technical Data
- IP addresses and device information
- Browser type and version
- Usage patterns and website interactions
- API usage logs and system performance data
4. How We Collect Data
4.1 Direct Collection
Information you provide when creating accounts, data submitted through forms and communications, documents uploaded for verification purposes, and preferences you configure.
4.2 Automatic Collection
Website usage data through cookies and analytics, API usage logs and system interactions, security monitoring and fraud detection systems, and performance tracking.
4.3 Third-Party Sources
Payment processors for transaction confirmations, identity verification services for compliance, business databases for company information, and Product Issuers for delivery confirmations.
5. Legal Basis for Processing
5.1 Contract Performance
We process personal data to deliver our services, manage accounts, process transactions, and fulfill our contractual obligations to customers.
5.2 Legal Compliance
We process data to comply with legal obligations including anti-money laundering regulations, tax requirements, and regulatory reporting.
5.3 Legitimate Interests
We process data for legitimate business purposes including fraud prevention, service improvement, security monitoring, and customer relationship management.
5.4 Consent
We obtain consent for marketing communications, optional features, and certain data processing activities where required by law.
6. How We Use Personal Data
6.1 Service Provision
Creating and managing user accounts, processing orders and delivering digital products, providing customer support and technical assistance, and managing payment and billing processes.
6.2 Business Operations
Analyzing usage patterns to improve services, conducting fraud detection and prevention, maintaining security and system integrity, and managing business relationships.
6.3 Compliance Activities
Verifying customer identities (KYC procedures), monitoring for anti-money laundering compliance, screening against sanctions lists, and maintaining records for regulatory requirements.
7. Data Sharing and Disclosure
7.1 Service Partners and Data Processors
We share data with trusted third-party partners and processors who help deliver our services. These include:
- Payment Processors: We use Stripe, PayPal, Neteller, Skrill, and bank payment processors for secure transaction processing and fraud detection.
- Identity Verification: We use Shufti Pro (shufti.com) to verify customer identities (KYC) and ensure compliance.
- Product Issuers & Vendors: For mobile top-ups and instant delivery products, we may share your mobile number or email address with the telecom operator, vendor, or product issuer to execute the recharge or delivery.
- Security & Anti-Fraud: We use Cloudflare Turnstile for bot protection and MaxMind for geolocation and browser fingerprinting to prevent fraud.
- Analytics & Monitoring: We use Google Analytics (GA4), Cloudflare Browser Insights, and Sentry (for error tracking and issue resolution).
- Address Verification: We use Google Address Autocomplete to ensure accurate billing and delivery details.
7.2 Legal Requirements
We may disclose data when required by law to regulatory authorities, law enforcement agencies with valid legal requests, courts and legal proceedings, and in emergency situations to prevent harm.
8. International Data Transfers
8.1 Cross-Border Processing
We may transfer personal data internationally to provide our global services, ensure system reliability, and support business operations.
8.2 Transfer Safeguards
International transfers are protected by European Commission adequacy decisions, Standard Contractual Clauses (SCCs), appropriate technical and organizational measures, and regular assessments of protection levels.
9. Data Retention
9.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Data | During customer relationship + 7 years after closure |
| Transaction Records | 10 years for compliance purposes |
| Support Communications | 3 years for service quality |
| Technical Logs | Typically 1 year |
| Marketing Data | Until consent withdrawal or 3 years of inactivity |
10. Data Security and Privacy Governance
10.1 ISO/IEC 27701:2019 Certification
CY.TALK SWITZERLAND S.A. holds ISO/IEC 27701:2019 certification for its Privacy Information Management System (PIMS). This certification is an extension of our ISO/IEC 27001 Information Security Management System (ISMS) and confirms that we have implemented a comprehensive, independently audited framework for managing personally identifiable information (PII).
The certification covers our activities as both a PII Controller (where we determine the purposes and means of processing personal data) and a PII Processor (where we process personal data on behalf of our business customers). Key elements of our certified PIMS include:
- Documented privacy policies, procedures, and controls aligned with ISO 27701:2019 Annex A and Annex B
- Formal privacy risk assessment and treatment processes integrated with our information security risk management
- Privacy-by-design and privacy-by-default principles embedded in system and process development
- Structured data subject rights handling procedures with defined response timelines
- Documented data processor agreements and third-party privacy due diligence
- Continuous improvement cycle (Plan-Do-Check-Act) for privacy governance
- Annual surveillance audits and triennial recertification by an accredited certification body
10.2 Technical and Organisational Security Measures
We implement comprehensive security measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for account access
- Regular security assessments and penetration testing
- Employee training on data protection
- Incident response and breach notification procedures
- Data stored exclusively in Switzerland in our own Tier 3 private data centre, with no reliance on external public cloud infrastructure
11. Your Privacy Rights
- Access: Right to access your personal data
- Correction: Right to correct inaccurate data
- Deletion: Right to request data deletion
- Restriction: Right to restrict processing
- Portability: Right to data portability
- Objection: Right to object to processing
11.1 Exercising Rights
To exercise your rights, please contact us via our Contact page. We will verify your identity and respond within the timeframes required by applicable law.
Our ISO 27701:2019 certified PIMS includes documented procedures for handling data subject requests, ensuring consistent, auditable, and timely responses to all privacy rights exercises.
12. Cookies and Tracking
For detailed information about the cookies and tracking technologies we use, please refer to our separate Cookies Policy.
12.1 Cookie Types
- Essential Cookies: Necessary for website functionality
- Analytics Cookies: To understand website usage
- Functional Cookies: To remember preferences
- Marketing Cookies: For advertising purposes (with consent)
13. Automated Processing
13.1 Automated Systems
We use automated systems for fraud detection and risk assessment, transaction processing and approval, customer service routing, and security monitoring.
13.2 AI and Machine Learning
We may use artificial intelligence and machine learning technologies to analyze transaction patterns for fraud prevention, improve customer service, enhance platform security, and provide personalized recommendations.
13.3 Your Rights
You have the right to receive information about automated decision-making, request human review of automated decisions, and object to certain types of automated processing.
14. Children's Privacy
Our services are intended for users 18 years and older. We do not knowingly collect personal data from children under 18 without parental consent. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete such information promptly.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated through our platform or by email. Your continued use of our services after policy updates constitutes acceptance of the revised policy.
16. Contact Information
Privacy Inquiries
For all inquiries including customer support, business inquiries, legal matters, and data protection requests, please visit our Contact Us page.
Response Time: We respond within 5 business days
16.1 Regulatory Complaints
You may file complaints with relevant data protection authorities:
- Switzerland: Swiss Federal Data Protection and Information Commissioner (FDPIC)
- EU: Your local data protection authority