Privacy Policy


This privacy policy (the “Privacy Policy”) applies to the processing of personal data by L2F SA (CHE‑300.132.471), Rue du Centre 9, 1025 St-Sulpice, Switzerland (“L2F”, “we”, “us” or “our”) in connection with the proprietary cloud platform of L2F named Giotto Compliance Platform (the “Giotto Compliance Platform”).

By accessing and using the Giotto Compliance Platform, you expressly acknowledge that we collect and process your personal data in accordance with this Privacy Policy.

We reserve the right to amend the Privacy Policy at any time at our sole discretion in order to adapt it to any new commercial or technological practice or change in the law. Should this occur, we will inform you by any appropriate means (including via email or the Giotto Compliance Platform, e.g., banners, pop-ups or other notification mechanisms). If you do not accept these amendments, your sole remedy is to no longer access and/or use the Giotto Compliance Platform.

This Privacy Policy explains (i) which personal data are collected when you access and use the Giotto Compliance Platform, (ii) the manner and the purposes for which we process the personal data, and (iii) the measures which we take in order to protect such personal data.


1. Legal Basis for processing your personal data.

We only process your personal data if we have a valid legal ground to do so.

1.1. We recognize the importance of your privacy and of transparency in our processing of your personal data. We will only process your personal data if we have a valid legal ground to do so. Depending on the purposes pursued, we will therefore only process your personal data if:

  • we have obtained your prior unambiguous consent;

  • the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;

  • the processing is necessary to comply with our legal or regulatory obligations; or

  • the processing is necessary for our legitimate interests except where they are overridden by your interests or fundamental rights and freedoms. Relevant ‘legitimate interests’ include: (i) to benefit from cost-effective services (e.g., we may opt to use certain services offered by suppliers); (ii) to protect the security of our IT systems, architecture and networks; and (iii) to meet our corporate and social responsibility objectives.

1.2. The legal bases for each specific purpose are specified in this privacy policy.

1.3. If you are not a customer or user of Giotto Compliance Platform, we may also process your personal data as data processor for the provision of our services to our customer benefitting from Giotto Compliance Platform (“Customer”). In this case, our processing of your personal data is governed by a contract between us and the relevant Customer. This privacy policy does not address how Customers use your personal data. Please refer to the relevant Customer’s policies and contact it directly for any inquiry relating to the use of your personal data by it.

2. How and where we collect your personal data

We collect the personal data which you provide.

2.1. We collect, directly or indirectly via our partners, the personal data you provide when you correspond with us and/or our partners, or when you use the Giotto Compliance Platform, for example, when you create and/or manage your account, through webforms you fill or when you upload content.

2.2. Such information may include your name, user name, address, email, telephone numbers, gender, payment information, and any other information which we and/or our partners may request from you, or which may be provided to us by you without request or by other users. Please note that if you provide us with third parties’ personal data, you will act as a data controller, and we will act as data processor with reference to such data. As data processor, we will process such third parties’ personal data exclusively in accordance with the instructions you provided us as data controller.

Certain information is mandatory, some is optional.

2.3. The fields identified by an asterisk are mandatory and require information on your part. Should you not provide an answer for one or more of these fields, we will not be in a position to provide access to the services provided through the Giotto Compliance Platform.

2.4. Should you not provide answers for the optional fields, it will still be possible to access the Giotto Compliance Platform’s services. These fields may be completed at any time through your account settings.

Certain personal data are also collected in an automated manner.

2.5. We may also automatically collect personal data when you access and use the Giotto Compliance Platform, including by means of tools, web forms, cookies and other active elements contained in our emails and/or those of our partners, such as the IP address or other user identification information, visiting date on the Giotto Compliance Platform, your preferences, the links you select within the Giotto Compliance Platform or other information related to your interaction with the Giotto Compliance Platform.

You can define certain authorizations and settings related to the automated collection of your personal data.

2.6. You may define certain authorizations related to data collection, in the settings of your device or of your web browser, according to the available functionalities.

3. Processing methods

We may process your personal data by automated means but take appropriate security measures in this respect.

3.1. We process your personal data in compliance with Swiss data protection law and the EU General Data Protection Regulation and namely take the appropriate technical and organizational security measures to prevent the unauthorized access, disclosure, modification, alteration or destruction of your personal data. Data processing is carried out with computers or computer tools, and in compliance with the purposes indicated in this Privacy Policy.

3.2. Provided that we have obtained your prior and unambiguous consent, we may use your personal data to create a profile about you and provide you with more relevant information and services (profiling). You may have the right to object to such activities, in accordance with applicable data protection laws. We do not use any individual decision-making based solely on automated processing.

4. Purposes of data processing

We process your personal data to operate the Giotto Compliance Platform and to provide the related services.

4.1. Your personal data are collected so that we may operate the Giotto Compliance Platform and provide the services connected therewith in order to perform our contractual obligations and in compliance with legal or regulatory obligations, as well as for client and user management, in particular for contacting you about our services or any modifications thereto.

We may process your personal data for sending our newsletter, or for other marketing and advertising purposes.

4.2. Provided that we have obtained your prior and unambiguous consent, we may use your personal data, in particular, the contact details as well as other indications and data collected in accordance with this Privacy Policy, for marketing and advertising purposes, e.g., to send you information and offers relating to our products and services and/or of our partners, such as prospect uses, newsletters, and other advertising messages.

4.3. You may withdraw your consent at any time.

We may process your personal data to improve the services and for statistical purposes.

4.4. Unless you object to such processing, we may process your data for statistical purposes, for internal analysis, to ensure the Giotto Compliance Platform’s stability and security and/or for the improvement of the products and services available through the Giotto Compliance Platform, in accordance with data protection laws. You may object to such processing activities at any time.

We may process your personal data if we have a legitimate interest or a legal obligation to do so.

4.5. We may further process your personal data if we have a legitimate interest or a legal obligation to do so. This will for instance be the case if we need to disclose certain information to public authorities or retain such information for tax or accounting purposes, or the establishment, exercise or defense of legal claims.

5. How long do we store your personal data?

5.1. We will not retain your personal data for a longer period than necessary for the purposes as outlined in this Privacy Policy. In particular, we will store your personal data for the period of your use of the Giotto Compliance Platform and any additional period required by law. In any case, we will store your personal data for 12 months for marketing purposes, and for 12 months for profiling purposes. If you suppress your user account, we will delete your personal data within 30 days after such event, unless data must be retained for a valid reason.

6. Communication to third parties

We may disclose your personal data to third parties in case this is necessary for the proper operation of the Giotto Compliance Platform and the provision of the related services, or for promotional services.

6.1. We may communicate your personal data to third parties as part of operating the Giotto Compliance Platform, and to subcontractors such as IT systems providers, cloud service providers, database providers, automated marketing solutions providers and consultants, including Google (hosting and computation) and Zendesk (support).

6.2. We may also enable you to use third-party services directly from the Giotto Compliance Platform, namely through social plug-ins of Google LLC; Facebook, Inc.; LinkedIn Corporation; Twitter; and Microsoft Corporation, in which case you recognize that the third-party operators of these services may access some of your personal data in connection with the Giotto Compliance Platform.

6.3. In the above contexts, the Giotto Compliance Platform may contain links to other websites. Please note that this Privacy Policy does not apply to the practices of any company or individual that we do not control, nor to any other website that may be linked from the Giotto Compliance Platform. You should carefully review the privacy policies of any other website that you visit from the Giotto Compliance Platform to learn more about their information and privacy practices. In such contexts, the collection and use of your personal data shall be governed by such other party or websites’ privacy policy. We shall not be held responsible for their privacy practices.

We may also disclose your personal data to third parties when we have a legitimate interest or legal obligation to do so.

6.4. We may also disclose your personal data when we have a legitimate interest to do so, for instance to (i) any third party to whom we assign or transfer any of our rights or obligations; (ii) to competent courts or supervisory or regulatory bodies, when we must compellingly disclose your personal data, pursuant to any applicable law, regulation or order.

7. International transfers

Your personal data may be disclosed outside of your country of residence, including to countries that do not guarantee the same level of data protection and privacy as Switzerland and the European Union.

7.1. The personal data that we collect from you may be stored and processed in your region, or transferred to, stored at or otherwise processed outside your country of residence, including, in respect of residents of a country within the European Economic Area (the “EEA”) or Switzerland, in a country outside the EEA or Switzerland, including without limitation the USA, or any other country which does not necessarily offer an adequate level of data protection as recognized by the European Commission or Switzerland. Your personal data may also be processed by staff operating inside or outside your country of residence, including staff located outside of the EEA or Switzerland, who work for us or our service providers.

7.2. Where we transfer your personal data outside the EEA or Switzerland, we will ensure that suitable safeguards are in place to help ensure that our third-party service providers provide an adequate level of protection to your personal data, for instance by relying on the Swiss-U.S. Privacy Shield Framework, or on standard contractual clauses adopted by the European Commission.

7.3. You may request additional information in this respect and obtain a copy of the relevant safeguards upon request by sending a request to the contact indicated in Section 11 below.

8. Security

We maintain physical, technical and procedural safeguards to keep secure your personal data.

8.1. We are committed to the security of your personal data, and have in place physical, administrative and technical measures designed to keep secure your personal data and to prevent unauthorized access to it. We restrict access to your personal data to those persons who need to know it for the purpose described in this Privacy Policy. In addition, we use standard security protocols and mechanisms for the transmission of sensitive data. When you enter sensitive information on our site, we encrypt it using Transport Layer Security (TLS) technology. We use hashing techniques in order to protect your user account’s data from being retrieved and exploited by unauthorized third parties.

8.2. Although we take appropriate steps to protect your personal data, no website is completely secure. Therefore, we cannot guarantee that data you provide to us is safe and protected from all unauthorized third-party access and theft. We waive any liability in this respect.

8.3. The internet is a global environment. As a result, by sending information to us electronically, such data may be transferred internationally over the internet depending upon your location. The internet is not a secure environment, and this Privacy Policy applies to your use and disclosure of your personal data once it is under our control only. Given the inherent nature of the internet, all internet transmissions are done at your own risk.

8.4. If we have reasonable reasons to believe that your personal data have been acquired by an unauthorized person, and applicable law requires notification, we will promptly notify you of the breach by email (if we have it) and/or by any other channel of communication (including by posting a notice on the Giotto Compliance Platform).

9. Cookies

We use cookies in connection with the Giotto Compliance Platform.

9.1. A cookie is a small data file that we transfer to and is stored on your electronic device. Cookies may be used to measure the traffic to and usage of websites and their distinctive features, and other miscellaneous uses.

9.2. Some cookies are likely to automatically process data directly on your devices and/or to transfer personal data concerning you to us.

You may manage the cookies via the settings of your browser and/or your devices.

9.3. If you do not want cookies to be stored on your device, you can configure your browser or your device to refuse and/or restrict the cookies. Certain cookies are however essential to the functioning of the Giotto Compliance Platform itself and its use may be altered or prevented by refusing these cookies.

Why and how we use cookies and other similar technologies.

9.4. For more information, please visit Please check the user help sections of your internet browser or electronic devices for specific instructions on the management of cookies.

9.5. Cookies may be used for different purposes, including to ensure the stability and security of a website, to improve the website and its functionalities, namely through personalization according to your interactions, and/or to monitor and analyze interactions with the website.

9.6. In relation with the Giotto Compliance Platform, we use the following cookies:

Essential cookies

9.7. Some cookies we place on your electronic device ensure that the Giotto Compliance Platform delivers to you without limitation information securely and optimally. The Service/website cannot function properly without these cookies.
We use the following essential cookie:

Performance cookies

9.8. Some cookies aim at remembering choices persons make, for example, user name, and language or text size. These cookies are known as “functionality cookies” and help to improve a person’s experience of the website by providing a more personalized service.

We do not use performance cookies. 

Advertising cookies

9.9. These cookies are used to better understand customer interests and to display more relevant advertisements. We do not use advertising cookies.

10. Your Rights

You have the right to access your personal data processed by us and may request without limitation that they be removed, updated, or rectified.

10.1. Except as otherwise required by law, you are entitled at all times to know if we are processing personal data concerning you. You may contact us to know the content of such personal data, verify their accuracy and request that they be supplemented, removed, updated, or rectified. You also have the right to ask us to cease processing any personal data that may have been obtained in breach of applicable law, and to object to the processing of your personal data for any other legitimate reason.

10.2. By accessing your user account (if any), you can review, update, correct or delete the personal data available within your user account. If you would like us to delete your personal data from our system, please send a corresponding request to the contact details below and your request will be accommodated unless we have a legal obligation to retain the record. Please note that any information that we have copied may remain in back-up storage for some period of time after your deletion request.

10.3. Where we rely on your consent to process your personal data, we will seek your freely given and specific consent by providing you with informed and unambiguous indications relating to your personal data. You may revoke at any time such consent.

10.4. You may also have the right to request your personal data’s portability, i.e., that the personal data you have provided be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to our confidentiality obligations, subject to applicable data protection laws.

You have the right to lodge a complaint.

10.5. If you are not satisfied with how we process your personal data, you may file a complaint with the competent supervisory authority, in addition to your rights outlined above.

11. Name and contact details of the controller.

11.1. If you believe your personal data has been used in a way that is not consistent with this policy, or if you have any questions or a request in relation to the processing of your personal data by us, please contact us at [email protected].