Privacy Policy
This Privacy Policy explains how Orion Capital AG collects, processes, stores, and protects personal data in connection with its website and professional activities.
1. Data Controller
Orion Capital AG
Zurich, Switzerland
Orion Capital AG acts as the data controller within the meaning of the Swiss Federal Act on Data Protection (revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).
2. Applicable Legal Framework
The processing of personal data is governed by the following legal and regulatory frameworks:
Swiss Federal Act on Data Protection (revDSG, in force since 1 September 2023)
Ordinance to the Federal Act on Data Protection (DPO)
FINMA supervisory law, including FINMASA and applicable FINMA circulars on operational risks, outsourcing, and data protection
EU General Data Protection Regulation (GDPR), insofar as data subjects in the European Economic Area are concerned
Orion Capital AG applies these standards consistently to ensure lawful, transparent, and proportionate data processing.
3. Categories of Personal Data Collected
We process only personal data that is necessary for legitimate business, operational, and regulatory purposes.
This may include:
Identification and contact data such as name, email address, company name, and correspondence content
Technical data such as IP address, browser type, device information, access timestamps, and website usage data
Business and project-related information shared in the context of professional interactions or mandates
Any information voluntarily provided through direct communication channels
Sensitive personal data is not processed unless required by law, regulation, or an explicit contractual relationship.
4. Purpose and Legal Basis of Processing
Personal data is processed exclusively for defined and lawful purposes, including:
Establishing and maintaining professional communication
Preparing, executing, and managing client, partner, or project relationships
Operating, securing, and improving website functionality and content
Meeting legal, regulatory, compliance, and documentation obligations
Safeguarding operational integrity and information security
Processing is based on one or more of the following legal grounds:
Performance of a contract or pre-contractual measures
Legitimate interests in conducting and safeguarding business operations
Compliance with legal and regulatory obligations
Explicit consent, where required
All processing follows the principles of lawfulness, proportionality, purpose limitation, and data minimization.
5. Website Analytics and Cookies
Our website may use analytics tools to obtain aggregated insights into visitor behavior, such as page views, navigation patterns, and technical access data.
Cookies used are limited to:
Essential cookies required for technical functionality
Basic analytics cookies used for performance and usability analysis
Where legally required, appropriate consent mechanisms are applied. Cookie preferences can be managed through browser settings.
6. Use of Third-Party Service Providers
We engage carefully selected service providers to support operational and administrative activities, including:
Website analytics and hosting services
Communication and collaboration tools
Internal documentation and project management platforms
These providers process personal data solely on our behalf, under contractual obligations that ensure confidentiality, data security, and compliance with applicable data protection laws. Personal data is never sold or used for advertising, profiling, or unrelated commercial purposes.
7. Data Security and Confidentiality
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure.
These measures include, among others:
Restricted access based on functional necessity
Secure systems, authentication controls, and encrypted storage where appropriate
Internal policies, confidentiality obligations, and compliance controls
Backup and recovery procedures aligned with operational risk requirements
These safeguards are designed in line with industry standards and FINMA expectations for regulated entities.
8. Cross-Border Data Transfers
Where personal data is processed outside Switzerland or the European Economic Area, such transfers are subject to adequate safeguards. These may include:
Transfers to jurisdictions recognized as providing an adequate level of data protection
Contractual protections based on recognized standard clauses
Organizational and technical measures ensuring continued data protection
9. Data Retention
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by legal, regulatory, or contractual obligations.
Inquiry-related data is retained for a limited period for documentation and follow-up purposes
Client and project-related data is retained in accordance with contractual terms, regulatory requirements, and internal retention policies
Data is securely deleted or anonymized once retention is no longer justified.
10. Amendments to This Policy
This Privacy Policy may be amended to reflect legal, regulatory, or operational changes. The version published on this page is the current and binding version.
Last updated: January 2026