Privacy Policy

Last updated: March 2025

At So-Whatt, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our services. It also outlines your rights under the EU General Data Protection Regulation (“GDPR”) and the Swiss Federal Act on Data Protection (“nFADP”), and how we ensure compliance with both.

By using So-Whatt, you consent to the practices described in this Privacy Policy. We encourage you to read this document carefully. If you have any questions, you can contact us at info@so-whatt.ch.

1. Who We Are (Data Controller)

So-Whatt (registered in Switzerland) is the data controller for the personal information collected via this website and associated services. This means we determine the purposes and means of processing your personal data. Our contact details are:

  • Company Name: So-whatt Sarl (in process of incorporation)
  • Address: Bâtiment C, EPFL Innovation Park, CH-1015 Lausanne, Switzerland.
  • Email: info@so-whatt.ch

We offer our services to users in Switzerland and the European Union. We comply with both Swiss data protection law and the GDPR, including their extra-territorial reach (both laws apply to organizations outside their borders if they handle Swiss or EU residents’ data).

2. What Data We Collect

We collect different types of personal data from you or about you, depending on how you interact with our Platform:

  • Account Information: When you register, we collect your name, email address, username, password (stored in hashed form), and any profile details you provide (such as age range, investment experience level, or other preferences if you choose to add them).
  • Profile and Preferences: Information you input into our platform to build your “digital twin” portfolio, such as financial goals, risk tolerance, investment preferences, and other data about your hypothetical or actual investment profile.
  • Usage Data: When you use the Platform, we automatically collect technical data including your IP address, browser type, device information, and usage logs (pages or features used, time spent, errors). This may include cookies and similar tracking technologies (see our Cookie Policy for details).
  • Communication Data: If you contact us (via email, support forms, or otherwise), we collect the information you provide (contact details, query content). We may also keep records of our communications with you.
  • Subscription and Transaction Data: If you subscribe to a paid plan, we collect data needed to process your subscription such as payment confirmation information, plan selections, and transaction history. (Note: We do not store full payment card details on our systems; payments are handled by accredited third-party processors).
  • Third-Party Data: In some cases, we might receive information about you from third parties. For example, if you login via a social network or third-party identity provider, we receive basic profile info to set up your account. Or, if we partner with a financial data provider and you choose to import data (e.g., upload a portfolio file), we will process that data solely to provide our services to you.

We do not intentionally collect any sensitive personal data (such as racial or ethnic origin, political opinions, religious beliefs, health information, genetic or biometric data) through our Platform, as these are not necessary for our services. We ask that you refrain from providing such sensitive data in any free-text fields or support requests. In the event we do encounter sensitive data (for example, if you inadvertently provide it), we will treat it with special care and in accordance with applicable laws.

3. How We Use Your Data (Purposes of Processing)

We process personal data for the following purposes:

  • Providing and Improving the Service: We use your information to create and manage your account, generate your digital twin portfolio and investment analysis, and generally deliver the features of the Platform you request. For example, we apply your profile inputs to run simulations and present portfolio suggestions tailored to your preferences. We also analyze usage data and feedback to improve our algorithms, user experience, and content.
  • Personalization: To enhance your experience, we may use your data to personalize content (such as showing relevant analysis or educational materials) and to remember your settings and preferences (for instance, language, display configurations, or saved portfolios).
  • Communication: We use contact information to send service-related communications. These include:
    • Account & Service Messages: (Welcome emails, password reset, confirmation of transactions, changes to features or policies).
    • Customer Support: We will use your info to respond to inquiries or support requests you submit.
    • Updates & Marketing: If you have opted in, we may send newsletters or updates about new features, products, or promotions. You can opt out of marketing emails at any time by clicking the unsubscribe link in those emails or adjusting your account preferences.
  • Analytics and Performance: We process usage data (often in aggregated or pseudonymized form) to understand how our Platform is used, which features are popular, how users navigate the site, and to detect usage trends. This helps us troubleshoot issues, test improvements, and make data-driven decisions to enhance functionality.
  • Security and Fraud Prevention: We may process certain data (like IP addresses, account activity) to maintain the security of our Platform, to detect and prevent fraud, unauthorized access, attacks (e.g., DDoS), or other harmful activities. This is essential to protect our service and our user community.
  • Legal Compliance: To comply with legal obligations that apply to us. For example:
    • Keeping proper business records and transaction history for accounting/tax purposes.
    • If required, verifying identity or eligibility (for instance, confirming you are in an allowed jurisdiction).
    • Responding to lawful requests by public authorities, or to comply with binding legal orders (like court orders).
  • Preventing Illicit Activity: In the finance context, we are mindful of anti-money laundering (AML) and know-your-customer (KYC) principles. While our Platform generally deals with hypothetical portfolios and educational analysis (not real financial transactions), if we detect behavior that could indicate fraud or misuse, we may process data to investigate and report such matters as required by law.
  • Corporate Transactions: In the unlikely event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the successor entity. If this happens, we will ensure the recipient is bound to respect your personal data in line with this Privacy Policy and applicable law, and we will notify you of any changes.

We will not use your personal data for new purposes that are incompatible with the above without updating this Privacy Policy or obtaining any necessary consent.

4. Legal Bases for Processing

We rely on the following legal grounds under GDPR (and equivalent principles under nFADP) to process your personal data:

  • Performance of a Contract: We process most data in order to provide you with the services you requested under our Terms of Service. For example, when you create a portfolio or use analysis features, we process your input data to fulfill our contract with you by delivering results.
  • Consent: We rely on your consent in certain cases:
    • When you opt in to receive marketing communications or newsletters.
    • When we place non-essential cookies or use similar tracking (see Cookie Policy) we will ask for consent where required.
    • If we ever process sensitive personal data (which we generally avoid), it would only be with your explicit consent, unless another legal basis applies. You have the right to withdraw consent at any time, which will not affect the legality of processing based on consent before its withdrawal.
  • Legitimate Interests: We process some data for our legitimate business interests, in a manner that does not override your privacy rights. For example:
    • Improving and securing our Platform (it’s in our interest to ensure our service is reliable and safe).
    • Understanding our audience through analytics to improve our offerings.
    • Sending you product recommendations or offers about similar services you have used, if you are an existing customer (we balance this against your right to privacy, and you can opt out easily).
    • Enforcing our Terms and defending our legal rights. When we rely on legitimate interests, we assess the impact on your rights and ensure appropriate safeguards so that your privacy is not unnecessarily impacted.
  • Legal Obligation: When processing is necessary for compliance with a legal obligation. For instance, retaining transaction records for tax/regulatory compliance, or disclosing information to authorities if lawfully required (such as responding to a data protection authority inquiry).
  • Vital Interests/Public Interest: These bases are less likely to apply. We would invoke them only in exceptional circumstances, such as if processing is necessary to protect someone’s life or for a task carried out in the public interest (for example, if we were compelled to provide data for public health or law enforcement purposes).

Where Swiss law (nFADP) applies, it closely aligns with these principles. Notably, Swiss law generally permits processing of personal data as long as it is done lawfully, in good faith, and proportionately, and as long as the processing is justified by consent, contract, law, or prevailing private or public interest. We aim to ensure all processing meets both EU and Swiss requirements.

5. Cookies and Tracking Technologies

Our Platform uses cookies and similar tracking technologies to function effectively and to enhance your experience. For detailed information on the types of cookies we use and your choices, please see our Cookie Policy.

In summary:

  • We use necessary cookies to enable core site functionality (like keeping you logged in, or remembering your portfolio between sessions). These do not require consent as they are essential for providing the service you explicitly requested.
  • We also use analytics cookies (and possibly similar tools) to collect information about how users interact with our site (e.g., Google Analytics). These help us improve the service. Such cookies are non-essential and, if you are in the EU/EEA or where required by law, we will request your consent before placing them.
  • We do not currently use advertising cookies or share your data with advertisers for behavioral advertising. If that changes, we will update our policies and obtain appropriate consent.
  • You can control cookies through your browser settings and, where applicable, through our cookie consent banner or settings. However, disabling certain cookies may affect the functionality of the site (for example, you might not be able to stay logged in or use some features if essential cookies are blocked).

For more details or to change your preferences, visit the Cookie Policy.

6. How We Share Your Data

We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. However, we do share data in certain circumstances, as necessary to run our business or as required by law:

  • Service Providers (Processors): We use trusted third-party companies to support our services (for example, cloud hosting providers, data analytics services, email service providers, customer support software, payment processors). These third parties may process personal data on our behalf for specific tasks instructed by us. We ensure such providers are bound by contracts that require them to protect your data and use it only for the agreed-upon purpose.

    Example: We host our Platform on (Google or Amazon), so any data you provide is stored on their secure servers. Our analytics might be provided by third-party tools, which will process usage data for analytics purposes.

  • Financial Partners: If our platform integrates with financial institutions or brokerages at your request (for example, if you link an account or use a feature to import data from your bank or broker), we will share data with your consent and only as needed to fulfill that integration. Those partners will also be independent data controllers of the information you provide to them.
  • Affiliates: If So-Whatt is part of a group of related companies, we may share data with our corporate affiliates (for example, a parent company or subsidiaries) for internal business administration or support. Any such affiliate will treat your data in line with this Privacy Policy.
  • Legal and Compliance: We may disclose information to third parties (such as advisors, law enforcement, courts, or regulators) when necessary to:
    • Comply with applicable law or regulations, or respond to valid legal requests (e.g., subpoenas, court orders).
    • Protect the rights, property, or safety of So-Whatt, our users, or the public. This includes exchanging information with other organizations for fraud prevention or investigating security concerns.
  • Business Transfers: As noted, in the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or some of our business/assets, personal data may be transferred to a successor or affiliate as part of that transaction. If such a transfer occurs, your personal data will remain subject to this Privacy Policy (unless you are notified otherwise).

When sharing data internationally (outside of Switzerland or the EU/EEA), we ensure adequate protections are in place (see Section 7 below on international transfers).

7. International Data Transfers

We operate from Switzerland, and many of our users are in Switzerland and the European Union. Your data may be transferred to and stored on servers located in Switzerland, the European Economic Area (EEA), or other countries which may have data protection laws different from those in your country.

In particular, some of our service providers might be located outside of Switzerland or the EU (for example, a cloud provider or email service in the United States). Whenever we transfer personal data across borders, we take steps to protect your information:

  • Adequacy Decisions: Switzerland and the EU have a mutual recognition of data protection adequacy. Switzerland is considered by the EU as providing an adequate level of data protection (and vice versa, personal data can flow between the EU/EEA and Switzerland freely under respective adequacy findings). We rely on this where applicable.
  • Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (e.g., if we transfer data from the EU or Switzerland to the U.S.), we implement safeguards such as the European Commission’s approved Standard Contractual Clauses, or the equivalent clauses approved by Switzerland’s Federal Data Protection and Information Commissioner (FDPIC). These contract terms impose data protection obligations on the recipient and give you rights to enforce them.
  • Additional Safeguards: We also assess whether additional technical and organizational measures are needed. For instance, we may use encryption for data in transit, and only work with partners that have robust security practices.

By using our service, you understand that your personal data may be transferred to our facilities and those third parties as described. We will always handle your personal information in accordance with this Privacy Policy wherever it is processed.

8. Data Retention

We keep your personal data only for as long as necessary to fulfill the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements.

General retention periods:

  • Account Data: Information associated with your account is kept for as long as your account is active. If you close your account, we will delete or anonymize your personal data within a reasonable time after account closure (generally within 30 days), except for data we are required or permitted to retain longer (e.g., records of transactions, consents, and necessary logs).
  • Portfolio and Profile Data: Data you input for analysis is stored to provide the service and for your convenience (so you can revisit your digital portfolio). You can delete specific portfolio entries or data at any time via the Platform interface; we will then remove or anonymize that data in our active systems. Backup copies might persist for a limited period but will be purged according to our regular backup retention schedule.
  • Communications: If you contact support, we may retain correspondence (including email) as long as necessary to address your issue and for training or quality assurance, typically up to 2 years unless required for legal purposes to keep longer.
  • Analytics: Usage data collected for analytics may be retained and aggregated over time for trend analysis. Where possible, we will aggregate or anonymize this data so it no longer identifies individuals, and we may retain aggregated data for a longer period.
  • Legal Requirements: In some cases, we must keep data for a certain time by law. For example, financial transaction records may be kept for 10 years to comply with tax or accounting laws. Also, if we are handling a dispute or are subject to a legal obligation to retain data, we will keep the data as long as necessary to fulfill that obligation.

After the retention period, we will securely erase or anonymize your personal data. We take care to ensure that when data is deleted or destroyed, it is done in a secure manner to prevent unauthorized access or use.

9. Your Rights and Choices

Under the GDPR and the nFADP, you have several rights regarding your personal data. We are committed to honoring these rights. They include:

  • Right of Access: You can request confirmation of whether we are processing your personal data, and if so, request a copy of the data we hold about you, as well as information about how we use it. This is commonly known as a "Data Subject Access Request."
  • Right to Rectification: If any personal data we have about you is incorrect or incomplete, you have the right to request that we correct or update it. You can also correct most information by logging into your account and editing your profile.
  • Right to Erasure: Also known as the “right to be forgotten.” You may ask us to delete or remove your personal data in certain circumstances. For example, if the data is no longer needed for the original purpose or if you withdraw consent and we have no other legal ground to continue processing. Note that this right is not absolute – sometimes we may retain certain information as required by law or for legitimate business purposes (we will inform you if that is the case).
  • Right to Restrict Processing: You can request that we limit the processing of your data in certain situations. For instance, if you contest the accuracy of your data, you can ask us to restrict processing while we verify the information. Or if you object to our processing based on legitimate interests, you can request restriction pending our assessment of overriding interests.
  • Right to Data Portability: You have the right to obtain your personal data that you provided to us in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller. This applies when the processing is based on consent or contract and is carried out by automated means. Where technically feasible, and upon your request, we can also transmit the data directly to another service provider for you.
  • Right to Object: You have the right to object to certain types of processing:
    • If we are processing your data based on legitimate interests, you can object if you believe it impacts your fundamental rights and freedoms. We will then re-evaluate our reasons for processing and may continue only if we have compelling legitimate grounds.
    • If we are processing your data for direct marketing purposes, you can object at any time and we will stop processing your data for that purpose. (This is an absolute right under GDPR – meaning we will always honor it.)
  • Right to Withdraw Consent: If we rely on your consent to process data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal. For example, you can opt out of marketing emails by withdrawing your consent for that purpose.
  • Rights related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects or similarly significant effects on you, unless it is necessary for a contract with you, authorized by law, or based on your explicit consent. In practice, So-Whatt’s portfolio suggestions involve automated profiling of your inputs to simulate outcomes, but these do not produce legal effects on you – they are for informational purposes under your control. If ever we were to use automated decision-making in a manner that significantly affects you, you would have the right to request human intervention, express your point of view, and contest the decision (note: Swiss law similarly grants individuals the right to challenge purely automated decisions).

To exercise any of these rights, please contact us at info@so-whatt.ch with your request. We may need to verify your identity before fulfilling the request (to ensure we don’t disclose data to an unauthorized person). We will respond to your request within the timeframes required by law (under GDPR, generally within one month, extendable by another two months if necessary given complexity, in which case we will inform you of the delay).

No fee in general: You will not have to pay a fee to exercise these rights. However, if a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or refuse to act on it (as permitted by GDPR/nFADP).

10. Data Security

We take the security of your personal data seriously. We implement technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption: We use encryption (HTTPS/TLS) to protect data transmitted between your browser and our servers. Sensitive data (like passwords) is stored in encrypted or hashed form.
  • Access Control: Only authorized personnel with a legitimate need have access to personal data, and they are bound by confidentiality obligations. We limit employee and contractor access to user data based on role and necessity.
  • Monitoring and Testing: Our systems are monitored for vulnerabilities and attacks. We keep our software and infrastructure updated with security patches. Regular backups are performed to ensure data integrity.
  • Privacy by Design and Default: We adhere to the principles of Privacy by Design and Privacy by Default in developing our Platform. This means we integrate data protection features and considerations from the start of our design process and ensure that, by default, only the data necessary for each purpose is processed. For example, we minimize the personal data we collect (no excess data), and settings are privacy-friendly by default.

Despite our efforts, no system can be 100% secure. We therefore cannot guarantee absolute security of information. It is important that you also take precautions, such as keeping your account password confidential and logging out of the Platform when you are finished, especially on shared or public devices.

In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authorities as required by law. Swiss law (nFADP) and GDPR require us to report certain personal data breaches to authorities (and in some cases to you) as soon as possible if there is a significant risk to your rights.

11. Children’s Privacy

Our services are not intended for children under the age of 16 (or the relevant age of digital consent in your country, if higher). We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not use the Platform or provide any personal information to us.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly. Parents or guardians who believe that we might have information about a child under 16 can contact us at info@so-whatt.ch to request deletion.

12. Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make significant changes, we will notify you through an appropriate channel:

  • By posting the updated Policy on our website with a new “Last Updated” date.
  • For material changes, by email notification or a prominent notice on the Platform prior to the change becoming effective.

We encourage you to review this Policy periodically for the latest information on our privacy practices. Continuing to use the Platform after updates to this Policy will signify your acceptance of the changes, to the extent permitted by law.

13. Contact Us and Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or our personal data practices, please contact us at:

Email: info@so-whatt.ch
Address: Bâtiment C, EPFL Innovation Park, CH-1015 Lausanne, Switzerland.

We will do our best to address and resolve any issues to your satisfaction.

If you are located in Switzerland or the European Union and believe we have not handled your personal data properly or lawfully, you also have the right to lodge a complaint with a supervisory authority:

  • In Switzerland: You can contact the Federal Data Protection and Information Commissioner (FDPIC).
  • In the EU: You can contact your local Data Protection Authority (DPA) or the lead supervisory authority in the EU member state of our establishment (if applicable).

We would, however, appreciate the chance to address your concerns before you approach a regulator, so please consider reaching out to us first.

Thank you for trusting So-Whatt with your investment analysis journey. Your privacy is important to us, and we are committed to safeguarding your personal information as you use our Platform.