PrivacyPolicy_EN_05

Privacy notice ePlix platform (Version dated 30.07.2025) 1. Scope This following privacy notice applies to the processing of personal data relating to the ePlix platform by the platform operator enovetic AG (hereinafter known as “enovetic”, “we” and “us”). This privacy notice will explain which personal data we use, for what purpose they are processed or with whom they are shared when you register with ePlix, use ePlix services and visit the www.eplix.ch website (jointly referred to as “ePlix”). ePlix is a central web app, which in particular provides you with a summary of the personal care that you can expect in the event of your ordinary, early or postponed retirement, capital drawdown, etc. and can also show you the purchasing potential in your pension plan. Furthermore, ePlix provides access to important documents at any time, such as wage slips, tax returns and the facility to open and manage a “3a pillar” or a vested benefits account. ePlix also enables you to arrange death and disability insurance with Lifeguard Free or Premium. Multiple providers, e.g. care companies, banks, insurance companies and employers, are included on the ePlix platform and provide the data and services from their own spheres required for using ePlix, which also means that they can use ePlix for their own purposes. enovetic is not responsible for the data protection or security practices of providers who supply data to ePlix or use ePlix for their own purposes. These providers act as independent “data controllers” relating to the processing of personal data and are themselves responsible for observing data protection regulations and for complying with the requirements of the permitted forwarding of personal data from data subjects, which providers have received from them and transferred to enovetic. Please contact the providers directly for more information about data protection (see the list of providers under “Partners” at www.eplix.ch). You are hereby authorizing all providers whose information and offers you wish to access within ePlix to provide enovetic with the necessary data, even if the data is subject to a duty of professional confidentiality on the part of the provider. You acknowledge that enovetic is an independent provider and not an agent of the other providers and therefore also not subject to the duty of professional confidentiality on the part of the relevant provider. You also authorise us to supply the relevant provider with all your data it requires relating to the use of information and the offering of the provider on ePlix. This may also include special categories of personal data. If you include personal data of people other than yourself on ePlix, you are responsible for ensuring that you are authorised do so and that these people are fully informed of this privacy notice. 2. Competent body and contact point enovetic is the owner of the platform through which the products and services are made available. enovetic generally processes the data in connection with ePlix as the data controller. Where enovetic acts as the data controller, the controller is: enovetic ag, Blegi 5, 6343 Rotkreuz, based in Risch-Rotkreuz (CHE 108.015.359). Contact details: datenschutz@enovetic.ch, or you may also contact us directly via the self-service functions in your ePlix account. If you have data protection concerns, you can inform us of these using the above contact information for all companies in the enovetic group (but if possible, please specify which company you are referring to). If we determine that we are not responsible for the data processing, we will forward the enquiry to the responsible data controller. 3. Applicability of Swiss data protection laws and the General Data Protection Regulation “GDPR” This privacy notice has been prepared in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Swiss Data Protection Act (“FADP”). Whether and to what extent these laws are applicable, however, depends on the individual case. Page 1 / 6 enovetic ag +41 58 443 50 50 Blegi 5 info@eplix.ch CH-6343 Rotkreuz www.eplix.ch 4. Types of personal data obtained For the purposes of this privacy notice, the term “personal data” refers to all information relating to an identified or identifiable natural person. If you register with ePlix, ePlix will send an SMS notification to your mobile number to activate your account. After opening the ePlix account and using ePlix services, the following personal data will be transmitted to and processed by ePlix: • Surname and forename • Date of birth • Gender • Marital status (including date of marriage or date of civil partnership) • Residential address • Social security number • Copy of an ID document (passport, ID, driving licence, residence permit) • Details of nationality (US national) • Pension fund membership • Employment status (employed, unemployed, freelance) • Name of employer • Details of salary • Password • Telephone number • E-mail address • Technical data generated by accessing the platform, such as IP addresses, browser details and data about the use of ePlix • Log data relating to users’ use of the ePlix platform and their browsing behaviour within the account. ePlix may use all such data to derive further data about you, such as information relating to your pension situation. ePlix receives personal data from the providers integrated into ePlix in accordance with the contractual relationship between you and the respective provider (e.g., employer), who in turn make data available for display and further processing in ePlix: • Wage data • Account data • Data relating to insurance and care services • Data to verify identity. ePlix can use this data to process further personal data about you, such as information about your pension situation. We also receive orders, instructions, and information that you enter on ePlix and pass on to providers, as well as messages that you send to us via various channels or exchange with us. You agree that we may use your data for statistical purposes and for marketing measures, such as sending you personalized advertising from us (including affiliated companies), the providers, and their distribution partners via the addresses known to us, tailored to your situation as known to us. You can revoke this consent for our own and third- party marketing purposes at any time by notifying enovetic, in particular via the contact point (see section 2), and this revocation will apply to future processing by enovetic. With regard to the use of data already shared with providers, you must send your revocation to them. Their privacy policy applies to their data processing. 5. Purposes of processing enovetic collects your personal data provided on ePlix for the following purposes: • To manage account registrations: If you have registered for an account with us, we process your personal data by managing your user account; • To conclude and execute the user agreement with ePlix, in particular to display the information transmitted by the providers, to make calculations with it (if necessary), to store it on your behalf on the ePlix platform, to process and return it, to place orders with the providers or to track their execution; • To arrange death and disability insurance with Lifeguard Free or Premium and to transmit the necessary data to the re-insurer for the provision of benefits in the event of such an occurrence; • For Administration of our contracts with the providers, in particular so that they can identify you as their customer, provide information about how their information and offers are used via ePlix, or calculate the fees owed by providers; • For Statistics on the way in which the platform is used which enable us to understand the market, the needs and other aspects which are important to us relating to ePlix; • To optimise, improve and further develop the ePlix platform and our offers and services based on circumstances Page 2 / 6 such as your feedback or error messages resulting from your use of the ePlix platform. This also means, for example, that we may temporarily retain the mobile number with which you began but did not complete the registration process so that we can understand why the registration could not be completed and/or recogni- se you if/when you do eventually complete the registration process; • For Handling contact and user support requests: if you fill out a contact form or request user support, or if you contact us by other means including via a phone call, we may process your personal data; • For help with the registration process via remote access and to guide you through your account. Remote access will always first be displayed to you in a pop-up window, and remote access is only possible with your consent; • For advertising and marketing both in our own interests and for the purposes of the providers and their sales partners, including the personalisation and profiling required for this purpose unless you have revoked your consent for this type of use (see section 13 below and the Terms of Use of the ePlix Platform at https://eplix. ch/en/service/terms-of-use section 7.2.1); • ensuring correct operation, particularly of the IT systems, the ePlix platform and our website; • For communication with third parties and processing their inquiries (for example media inquiries); • For preventing and investigating criminal acts, abuse and other inappropriate behaviour (for example conduc- ting internal investigations, data analyses for fighting fraud); • For responding to inquiries from a court or official body, lodging/exercising and defending contractual or statutory legal claims; • For complying with current laws. 6. Legal basis of processing We process the personal data we collect to conclude and administer our contracts with you and our business partners/ providers (under the GDPR: Art. 6 paragraph 1 letter b of the GDPR), • for example to enter into a usage agreement with you for ePlix so that you can access ePlix and use ePlix ser- vices via the platform; • to identify you as our customer, contract partner, etc.; • to conduct the necessary correspondence with you; • to offer you bespoke services or to develop such services. The personal data are processed “for compliance with a legal obligation” (under the GDPR: Art. 6 paragraph 1 letter c of the GDPR), • to comply with any statutory archiving duties, for example the 10-year archiving period for business records (Art. 958f of the Swiss Law of Obligations). The personal data are processed on the basis of “consent” (under the GDPR: Art. 6 paragraph 1 letter a of the GDPR), • as long as you have granted us consent to process the data and have not revoked this consent. If you have given us your consent for processing your personal data for specific purposes (for example when you re- gistered your consent to receive newsletters or have a background check conducted over the Central Compensation Office (CCO) in Switzerland), we will process your personal data on the basis of and supported by this consent unless we have another legal basis and we need an additional basis. Consent that has been granted can be revoked at any time, but this will not affect data processing routines which have already been completed (see section 13). Personal data are generally processed on the basis of the “purposes of legitimate interests of the controller or a third party” (under the GDPR: Art. 6 paragraph 1 letter f of the GDPR); • to optimise, improve and develop the platform, our offerings and services; • to respond to inquiries from a court or an authority and to lodge, exercise or defend legal claims; • to provide you with tailored advertising or marketing measures, including the creation of personalisation and profiling unless you have objected to this type of use; • to evaluate website statistics and continuously improve the functionality of our website. 7. Software testing and further development of the software We and our service providers may process anonymised and pseudonymised data for software testing, development and improvement purposes. Such processing takes place in a separate, non-production environment, with appropriate technical and organisational measures being taken to ensure compliance with applicable laws. We have concluded agreements with our service providers that regulate the protection and proper use of such data. Page 3 / 6 8. Recipients of personal data Within enovetic, employees may only process your data if they require them to fulfil our contractual and statutory duties or maintain our legitimate interests (see also section 5). Under the same conditions, the data may also be forwarded to third parties if this is required for the provision of our services. This may particularly include the following: • enovetic group companies, • Providers with whom we have concluded a ePlix platform usage contract for the purposes listed in section 5, • Service companies such as banks, asset management companies and re-insurers, • Professional advisers, for example tax consultants, solicitors and auditors, • Authorities, state bodies, national and international courts, • Your agents and representatives, • Service providers, suppliers, agents, including contract data processors, with which we have concluded a data processing agreement (for example hosting providers, IT service providers, cloud services, etc.). Any forwarding of data is based either on contract fulfilment (for example ePlix usage agreement), the fulfilment of a legal duty by the competent body, your consent or a legitimate interest on our part unless this is outweighed by your interests or basic rights and basic freedoms relating to the protection of your personal data. 9. Subprocessors Legal Entity Purpose Processing Country Datatrans AG Payment Processing Handles premium payments for insurance products Switzerland eCall AG SMS Service for Login Sends verification/login codes via SMS Switzerland Twilio Inc. WhatsApp Login Provides WhatsApp-based authentication United States Cloudflare, Inc. (Turnstile service) Captcha Protection Verifies human users during registration United States Naovis d.o.o. IT and software development Development, maintenance and operations of ePlix Serbia Bosnia Zendesk, Inc. Customer Support Manages customer inquiries and integrates with ePlix United States EEA Japan Australia 10. Cookies / tracking and other technologies relating to the use of our website When you visit the ePlix website at www.eplix.ch/en, further data is processed by cookies and tracking technologies. What are cookies? Cookies are small files which your browser automatically creates and which are saved on your device (laptop, tablet, smartphone, etc.) when you visit our ePlix website. Why do we use cookies? We use cookies on our ePlix website to make our offering more user-friendly. Cookies enable us to recognise your device next time you visit our ePlix website and to adjust and improve this website to suit your needs. We use essential cookies which help us to make our ePlix website usable by enabling basic functions such as site navigation and access to secure areas of this website. Our ePlix website cannot function correctly without these cookies. We also use statistics cookies which help website owners to understand how visitors interact with websites by anonymously collecting and supplying information. Most of the cookies we use are “session cookies”. They are automatically deleted at the end of your ePlix website visit. Some cookies remain on your device until you delete them. You can set your browser so that you are informed about cookie placement and only allow cookies in individual cases, can prohibit the acceptance of cookies for particular cases or in general, as well as activating the automatic deletion of cookies when you close the browser. Deactivating cookies can restrict the functions of our ePlix website. To find out more about how you can control cookie settings using your browser, look at the subjects of “Private browsing”, “Incognito” or “InPrivate” in the Firefox, Chrome, Microsoft Edge or Safari settings, depending on which browser you use. Page 4 / 6 The data processing which takes place using cookies is also based either on a legitimate interest or on consent (see section 6). We include visible and invisible image elements in some of our newsletters and other marketing emails where allowed and when they are retrieved by our servers, they enable us to establish whether and when you opened the email so that we can measure and better understand how you use our offerings and how we can tailor them to your needs. You can block this in your email program, in most of which the setting is a default one. When you use our website and grant your consent to receive newsletters and other marketing emails, you agree to the use of these technologies. If you do not wish to do so, you must adjust the settings in your browser and email program accordingly. Google Analytics We also use Google Analytics or equivalent services on our ePlix website. This is a service provided by third parties which may be in any country in the world (in the case of Google Analytics it is Google Ireland (based in Ireland), whilst Google Ireland is supported by Google LLC (based in the USA), which is the data processor (both referred to hereinafter as “Google” or www.google.com), enabling us to measure and evaluate the use of our ePlix website (on an anonymous basis). Permanent cookies, which are set by the service provider, are also used for this purpose. We have configured the service so that the visitors’ IP addresses are abbreviated by Google in Europe before they are forwarded to the USA, so that they cannot be traced. We have disabled the “Data forwarding” and “Signals” settings. Although we can assume that the information that we share with Google does not include personal data, it is possible that Google can draw conclusions about the identity of the visitors, create personal profiles and link these data to the Google accounts of these persons from these data for its own purposes. If you have registered with the service provider, the service provider will also recognise you. Your personal data will then be processed by the service provider at the responsibility of the service provider and on the basis of its data protection provisions. The service provider only informs us how our website is being used (it does not provide any information about you personally). 11. Cross-border processing The recipients of personal data may be in Switzerland or elsewhere. We would like to point out that we exchange personal data within our group of companies and we may transfer them to countries in which the service companies, which provide us with services (for example software suppliers, IT service providers, legal advisers/solicitors as well as authorities, official bodies or national and international courts) are located. Many third countries may not offer an adequate level of data protection. When we transfer your personal data outside of Switzerland or the European Economic Area (EEA), we will protect your personal data as described in this privacy notice and in accordance with applicable laws, such as by entering into Standard Contractual Clauses issued or recognized by the European Commission and the Swiss Data Protection and Information Commissioner (FDPIC). These can be viewed here: www.eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en. Furthermore, any additional technical measures will be used to prevent possible official access to the data to effectively guarantee that the data are protected in the destination country. The data used in connection with ePlix is processed in the following countries: Switzerland, EEA, Serbia, Bosnia, Japan, Australia, USA. 12. Profiling [and automated decision-making] We process some of your personal data automatically with the aim of evaluating specific personal aspects (profiling). We particularly use profiling to inform and advise you about products in which you may be interested. We use evaluation tools which enable us to provide communication and marketing which meet your requirements, including market and opinion research. We do not use fully automated decision-making to justify and manage our business relationship or for any other reason (as described in Art. 22 of the GDPR). If we use such methods in individual cases, we will notify you separately of this if this is required by law and we will also explain the relevant laws to you. 13. Rights of the data subject As part of the data protection law relevant to you and where provided therein (for example in the case of the GDPR), you have the right to information, rectification and erasure, the right to restrict data processing and also to object to our data processing operations, particularly operations for the purpose of direct marketing, profiling undertaken for direct marketing and other legitimate interests in processing and for access to certain personal data for the purpose of transferring it to another body (known as data portability). Please note, however, that we reserve the right to claim the restrictions provided by the law, for example if we have a duty to archive or process certain data, we have an overriding interest in this (to the extent that we are entitled to do so) or require them for lodging legal claims. If you incur any costs for this purpose, we will notify you in advance. We have already informed you of the facility to revoke your consent in section 6. You can do this at any time by writing to us by mail to enovetic ag, Datenschutz, Blegi 5, 6343 Rotkreuz or by email to datenschutz@enovetic.ch to notify us of your revocation. Page 5 / 6 Please note that exercising your rights may conflict with contractual agreements and this may have consequences such as the premature dissolution of the contract or costs. We will notify you of this in advance if this has not already been agreed in the contract. Exercising these rights generally requires that you can clearly verify your identity (for example through a copy of your ID if your identity is otherwise unclear or cannot be verified otherwise). To claim your rights, you can contact us at the address provided in section 2. Every data subject also has the right to enforce its claims in a court of law or to submit a complaint to the relevant data protection authority. The relevant data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch/edoeb/en). 14. Data security enovetic uses adequate technical and organisational security measures to protect your data from accidental or malicious manipulation, partial or complete loss, destruction and to prevent unauthorised access by third parties. Our security measures are improved on an ongoing basis as technological development advances. Notwithstanding, data transmission on the internet (for example when communicating by e-mail) may have security vulnerabilities. It is not possible to guarantee complete protection from access by third parties. During your website visit, we use the widespread SSL/TLS method together with the highest encryption level supported by your browser. Whether an individual page on our website is encrypted or not can be identified by whether the key or lock icon in the address bar of your browser is closed. 15. Data retention We retain personal data for as long as necessary to fulfil the purposes for which we collect or receive the personal data, except if required otherwise by applicable law, rules, and regulations. Typically, we will retain most of the personal data for the duration of your use of ePlix, or until you have removed your account unless a longer applicable statutory retention period applies. Records retention details are established in our internal policies. After expiry of the applicable retention periods, all personal data will be destroyed, anonymized, or deleted using secure technology. This technology depends on the application and storage media used. Expired records are identified based on their creation or last modification date, the current date, and the retention period. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data. 16. Changes We may occasionally update this privacy notice. We encourage you to periodically review this privacy notice to be informed of how we process your data. Page 6 / 6