Data Protection Policy

1. Introduction

Capacity, c/o The Impact Hub Zürich, Sihlquai 131, 8005 Zürich (“We”, “Us” or “Controller”) respects your privacy and is committed to protecting your personal data. This privacy policy informs our customers, interested parties, website visitors and third parties with whom we do business or interact (“customers”, “users” or “you”) about the collection, processing, disclosure, transfer of their personal data in connection with the use of our services, apps, websites, offers, interaction with us or collaboration (“services”), regardless of where they are based.

We are based in Switzerland and generally comply with the Swiss Data Protection Act (FADP). If personal data is processed by persons who can invoke their local data protection laws – in particular the General Data Protection Regulation (GDPR) – we will also comply with these rules if and when they apply to us. We will grant data subjects the rights to which they are entitled to under the applicable law.

In the event of any discrepancy between this privacy policy and the general terms and conditions or other agreements that exist between you and us, the latter shall take precedence, if applicable.

2. Controller

As controller Akim Tejan-Cole, Ottilienstrasse 21, 8003 Zurich, Switzerland, Tel: 0041 76 584 0143, akim@capacityzurich.ch is responsible for data processing in accordance with this Privacy Policy, unless otherwise stated in a service agreement.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal right, please contact the DPO using the following contact details: Akim Tejan-Cole, Ottilienstrasse 21, 8003 Zurich, Switzerland, Tel: 0041 76 584 0143, akim@capacityzurich.ch

In the event you have data protection concerns or questions, in particular if you wish to exercise your rights, you can contact the above contact address.

3. What do we understand by personal data?

For the purposes of this Privacy Policy, personal data or personal information means any information relating to an identified or identifiable natural person (hereinafter “data subject”). This includes, for example, your name, e-mail address, IP address, telephone number or as well other information that you provide to us or other identifying information, for example, that you enter in our contact form.

If you provide us with personal data of other persons (e.g., family members, co-workers), please ensure that the respective persons are aware of this Privacy Policy and only provide us with their personal data if you are allowed to do so and such personal data is accurate and up to date.

4. When do we collect your data?

In general, personal data can be collected, used, stored or transferred (“processing”) whenever we contact you, you interact with us, communicate with us or obtain services from us. The control and responsibility regarding the use/processing of such information remains with us.

In the course of your business relationship and interaction with us, we will collect personal data directly from you. We may also collect personal data from other sources (e.g., public registers, the Internet, the press, from authorities and regulatory bodies, from third parties, credit rating agencies or providers of compliance databases, etc.).

We will be in contact with you under various circumstances, in particular we may collect personal data in the following situations. The following list is only an exemplary overview:

• Application for Entrepreneur, Access, Access Fast Track or TENT program on our Website;
• Application as PAL, Volunteer or Partner on our Website;
• Making a donation to us;
• The ordering of services from us, or supplying of services to us
• You contact us via our contact form;
• You receive a newsletter or other advertisements concerning our services;
• Communication with us by telephone, fax, e-mail, voice messages, text messages, video messages or instant messaging.

5. Which personal data do we process?

As part of our business activities and the performance of services, we process various personal data for different purposes. Depending on the service, we collect such data either automatically or manually.

In particular the following categories of personal data may be collected and processed by us:

• Personal and contact information, including, but not limited to; first and last name, residential or business address, billing address(es), shipping address(es), telephone number, email address, date of birth, gender, marital status, family members, occupation, education, preferences, interests, images, information from your identification documents, account information, credit card data, national insurance numbers, other means of identification, etc;
• Data relating to the business relationship with you, including, but not limited to the registration as a user, user account details, username, relationships and interactions with third parties on the Platform. Also relating to offers, requests for quotations, agreements, claims, other persons involved in the business relationship;
• Data in connection with products and services marketing, in particular regarding information such as opt-in and opt-out for newsletters, documents received, invitations to and participation at events and other activities, as well as preferences and interests in general;
• Data in connection with the use of a website, apps and our other offers, in particular IP address and other identifiers (e.g., MAC address and other identifiers of smartphones, computers or other devices, cookies, etc.), date and time of visits, websites and content visited, linked websites;
• Data relating to communication, such as preferred means of communication, correspondence and communications with us (including records of such communications),

6. For what purposes do we use the personal data?

We process your data primarily to provide our services and contractual obligations to you. In addition to our customers, personal data of users, suppliers and subcontractors may also be processed. If you work in any capacity for customers or business partners (e.g., as an employee), your personal data might also be processed in connection with the below listed purposes. We are committed to minimize data processing to the minimum necessary amount. Yet, your data may be processed for various purposes.

In connection with the use and performance of our services, we process your personal data for the following purposes:

• For the creation of a profile and publication with your consent;
• For the creation of a portfolio;
• The exchange of information;
• In connection with the conclusion of a contract;
• For the performance, delivery and processing of services (whereby payment may be processed via a third-party provider);
• The organization and implementation of customer support;
• For internal coordination or for the coordination with sub-contractors.]

The data processing is based on the performance or pre-contractual measures of the contract and on a legitimate interest of ours (to keep our records updated and to avoid or recover debts due to us).

In connection with communication, we process personal data for the following purposes:

• To communicate with you when you contact us (e.g., via contact form);
• To communicate important information, such as changes to our terms and conditions, adjustments to services that directly affects you;
• To administer and carry out customer communications by post or via electronic means of communication.
• To communicate with third parties and process their requests (e.g. applications, media enquiries).
• To maintain and develop customer and other business relationships;
• For the communication of events, promotions, advertising and marketing (including the sending of newsletters or other electronic messages; this is described in more detail below under Newsletter).

The data processing is based on the performance or pre-contractual measures of the contract and on a legitimate interest of ours. By contacting us directly you implicitly consent to the processing of such data for the purpose of communicating with you.

We may process personal data for the purpose of operating, analysing and further developing our services, in particular our digital offerings:

• For the analysis of our digital offers (websites, online platforms, and apps);
• For evaluations concerning the services we procure and general customer behaviour;
• For statistical evaluation on the basis of anonymised user data.

The data processing is necessary for our legitimate interests (to study how customers use our products/services, to develop them, grow our business, to keep our digital offers updated, to innovate, and to and to inform our marketing strategy).

For other purposes, where there is legal obligation to process data, if such processing was recognisable from the circumstances or appropriate at the time of collection.

7. When do we send out a newsletter?

There are two reasons why you may receive direct marketing communication and advertising (e.g., newsletters) from us via means of telecommunications (e.g., e-mail or SMS).

Either you have registered yourself (e.g., for a newsletter) or we have received your contact information directly from you as a program participant, partner, sponsor, supplier, customer etc together with your approval for us to sign you up to our newsletter. If you do not wish to receive such information, you always have the option to opt-out. You can either write to us to the above contact information or click directly on the unsubscribe link in the marketing message.

For our newsletter service, we use the “Mailchimp” newsletter service provided by Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308.

When you personally enter your e-mail address to receive the newsletter, it is initially stored by MailChimp for the purpose of sending the owner an e-mail in which he/she can confirm the subscription to the newsletter mailing (“double opt-in”). After such confirmation, the email address is stored permanently at MailChimp until the owner has unsubscribed from receiving the newsletter or it is deleted by us. MailChimp stores the date of registration as well as the IP address under which the registration took place. There is no further use of the owner’s IP address.

We would like to point out that the data collected and used via MailChimp is stored and processed on computers in the USA. With your consent to receive our newsletter, you agree to this. For more information please refer to https://mailchimp.com/legal/ and particularly the subsection Privacy Policy

Your e-mail address will not be passed on to third parties in any other way.

8. Will certain personal data of mine be published?

On our platform we may publish information, including personal data, in such a way that it is visible to the general public. For example:

• Parts of your application for the Entrepreneur, Access or AFT Program such as your first and last name, personal description of your project and contact details can be viewed by others.
• If you write content for a social media post or use a similar function on the website, this content is visible to everyone.

You have the right of rectification, deletion and otherwise the right to object to our publications within the framework of the data protection law applicable to you and where provided for therein (such as in the case of the GDPR). We refer to the rights under Section 15 below.

9. How do we use information about your computer and cookies for targeting and analysis?

Every time you access our website we collect information about your device such as the IP address of your device, the request from your browser and the time of this request. In addition, the status and the amount of data transferred as part of this request are recorded. The IP address of your device is only stored for the time you use the website and is then immediately deleted or anonymised through shortening.

Our website also uses cookies or comparable tracking technologies (“Cookies”).

When you first enter this site, you will see a cookie consent pop-up. This gives you the option to accept all cookies or select which cookies you choose to decline (other than strictly necessary). Your choice will be stored for future visits to the site.  If you wish to chance your options, please clear the cache of your browser and make your changes (for details on how to do this please see instructions from the browser provider).

Cookies are a widely used technology and is a small file that is sent to your computer or automatically saved on your computer or mobile device by the web browser you use when you visit our website. If you revisit this website or open our app again, we will recognise you, however, we will not know who you are. A Cookie typically contains the name of the domain from which the cookie data was sent, information about the age of the Cookie, and an alphanumeric identifier. The Cookies we use store information about your use of our website. This is not done by identifying you personally, but by assigning an identification number to the Cookie (“Cookie ID”).

We use session cookies which are automatically deleted when you close the website [or app]. Such cookies enable the server to establish a stable connection and enable stable use. Additionally, we can also use permanent cookies that are only deleted after a period of time as defined by us. Permanent cookies allow certain settings (e.g., language preferences or login settings) to be saved for several sessions. We use the collected data to improve our websites, [Apps] and our services. Furthermore, permanent cookies allow us to tailor offers and advertising to you (which may also happen on websites of third parties however, they will then not find out from us who you are, if we know this at all, because they will only see that the same user is on their website who was on a particular page with us).

We may also insert codes in newsletters and other marketing emails that allow us to determine whether the recipient has opened a particular email or downloaded images contained in the email.

By using our website or by agreeing to receive newsletters and other marketing emails, you agree to the use of such analytic technologies.

10. Social Media

We may also use so-called plug-ins from social networks such as Facebook, Twitter, YouTube, LinkedIn, Pinterest or Instagram on our websites. The usual company symbols of the respective providers are used for identification

All embedded social plugins use the two-click process. This means that the recording of your patterns via a plugin will only start if you activate a plug-in. If you are logged into a social media account while using our website this plug-in will register the visit on our website on the first click and can match it to your account. As soon as such plug-in is activated, the respective social network can recognise and record your visit as well as movement within the website The social network may use the information collected for its own purposes and the processing of the data is carried out in accordance with the social network’s privacy policy. We do not receive any personal data or other information from any of the networks.

11. What happens when I visit third-party websites?

This website includes hyperlinks to and from third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data regarding you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our website, we encourage you to read the privacy policy of every website you visit. Furthermore, you may be automatically redirected to the website of a third party as part of the payment or donation process, or when signing up to events or Capacity programs (for example via Eventbrite and SurveyMonkey) and as such it is your responsibility to read and understand the third party’s privacy policy.

12. When do we disclose personal data to third parties?

In certain situations, we may transfer personal data to third parties or third parties who support our processing activities (as set out in section 7 above). If applicable and insofar a transfer is permitted, third parties may process the personal data received for their own legitimate purposes in accordance with their privacy policy.

We transfer personal data as per the following categories:

• For participants of the Access Fast Track programme we may share personal information (such as but not limited to CVs) with the companies supporting the AFT programme or other potential employers. Where relevant, participants will be informed of which information has been shared with which companies. The information on the participants will be handled securely and in compliance with the Data Protection policies of these companies.
• Service providers and processors who provide services and data processing for us in accordance with our instructions. For example, this may be the operator of an external data centre or other IT providers.
• Local, national and foreign courts, bodies, agencies and authorities (e.g. in connection with investigations, enquiries and requests from such courts, bodies, agencies and authorities, administrative investigations, criminal investigations and civil and/or criminal proceedings and compliance with any applicable laws or regulations or internal rules);
• Other parties in potential or actual legal proceedings;
• The public, including visitors to websites and social media (where publication is appropriate or where you have made such publication yourself);
• Trade organisations, associations, organisations;
• Media.

We only transfer personal data if necessary for the provision of a specific service or a specific purpose. Third parties process personal data in accordance with our instructions and only for the purpose specified by us. In addition, such processors must implement appropriate organisational and technical measures to ensure data security. An exception to this may be third party service providers (e.g. payment processing) to whom we redirect you directly in the course of providing services.

We or third parties generally process your personal data in Switzerland, with the exception of Mailchimp (see section 7).

If, in certain situations or for certain services other than Mailchimp, personal data is processed in a third country, we will inform you in advance in which country this will take place.

If the personal data is processed in a third country where the level of data protection is deemed inadequate, we will ensure an adequate level by contract (particularly on the basis of the European Commission’s standard contractual clauses), corporate binding rules, or other measures permitted by law so that an adequate level of data protection is ensured. We may also transfer personal data based on the exception of consent, of processing of a contract, for the establishment, exercise or enforcement of legal claims, of overriding public interests, or because the transfer is necessary to protect the physical integrity of the data subject.

We may also disclose information when necessary or requested by authorities in defence of our rights or property, including the safety of our products and services.

You can obtain a copy of the above-mentioned contractual guarantees from the above-mentioned contact person at any time, unless available under the link above. However, we reserve the right to anonymise copies for reasons of data protection or confidentiality or to supply only extracts.

13. How long will your data be stored?

We store the personal data for as long as it is necessary to achieve the respective purpose. It is possible that personal data is stored for the time during which claims can be made against our company and insofar as we are otherwise legally obliged to do so (e.g. bookkeeping obligations) or justified business interests require it (e.g. for the execution of the contract but also for evidence and documentation purposes in the event of a subsequent legal dispute). As soon as we no longer need the concerned personal data, we will delete/destroy it. The personal data will be deleted/destroyed at the latest when the statutory retention period has expired.

If we collect your IP address, it will only be stored for the time of your use of the website and then immediately deleted or made anonymous by shortening it.

14. Is the data stored securely?

We use an external data centre for the operation of our services and the storage of our data. We have carefully selected and instructed this centre and regularly monitor compliance with the defined security measures. We have instructed the processor to ensure protection of data by implementing appropriate security measures and storage in secure servers.

We have appropriate technical and organisational measures against loss, destruction and misuses implemented. In addition, your personal data is protected against access, alteration or misuses by unauthorized persons (e.g. via access controls and access restrictions as well as internal instructions). The data transfer of sensitive data is encrypted and can take place via various channels, including the Internet. Although we take all appropriate and reasonable security precautions, you must be aware that access and transfer of data via the Internet always involves a certain security risk and that we can therefore not guarantee absolute security.

15. What rights do I have as a data subject?

Regarding the processing of your personal data, you are entitled to your rights in accordance with the applicable law. You have a right of information and, if necessary, you might demand the correction and/or deletion and/or blocking and/or transfer of your data. You may, in certain cases, request to restrict processing and have a right of objection and a right to data transfer. If you wish to exercise one of your rights and/or receive more detailed information on your rights, please contact the above-mentioned contact address.

Information request will usually be answered within 30 days of receipt.

Every data subject also has the right to enforce your rights in court or to lodge a complaint with the competent data protection supervisory authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

16. How can this privacy policy be changed?

We reserve the right to change this privacy policy at any time without prior notice. The current version published on our website shall apply. Please visit the Website regularly to review the applicable privacy policy. Insofar as this appears appropriate, we will inform you of the change by e-mail or other suitable means in the event of an update.

Version 4. 8 August, 2022