This statement applies to nym.com only. For privacy details related to the NymVPN apps, please refer to the dedicated NymVPN apps Privacy statement.

Version 1.3, last updated on December 11, 2024

Thank you for visiting our website nym.com and for your interest in our company.

Nym Technologies SA, a Swiss Company established under the laws of Switzerland, and registered with the Chamber of Commerce and Industry of Switzerland with number CHE-367.426.629 operates a website hosted at the URL https://nym.com/.

In this privacy statement (the “Statement”) we will explain how our organization uses your personal data that we collect when you use our website, use our online services or if we provide any services to you generally. Our data protection practice is in accordance with the legal regulations of the Swiss Federal Act on Data Protection and its ordinances (“FADP”). This Statement serves to fulfill the information obligations arising from the FADP. These can be found, for example, in article 19 ff. FADP.

I. Collecting personal data

We collect the following personal data:

• Information about the browser type and version used;
• The operating system of the retrieval device;
• Date and time of access;
• Website and resources (image, files, other page content) accessed on our website;
• Referrer URLs;
• Information about the features you use, the frequency of usage, and the duration of your sessions;
• Inferred location, this is a rough approximation of your location which may be tens of kilometers off;
• Screen size;
• Device model; and
• On-site behavior (page viewed, time spent etc.).

Additionally, when you fill in forms to request additional information, subscribe to our newsletters or sign up to become a customer, we process the data provided by you in those forms, such as contact information (e.g. your e-mail address).

II. How we get your personal data

As a side-effect of how web browsers work, you directly provide us with the personal data we collect. We collect personal data and process personal data when you, among others:

• Register online or place an order for any of our products or services;
• Use or view our website; and
• Subscribe to our waitlist or newsletter.

III. Purposes of data processing

We have among others the following reasons (purposes) for processing personal data:

• In order to operate the website;
• To iteratively improve the website;
• To address bugs;
• To improve our commercial offerings;
• To better localize our website; and
• To keep you updated about Nym and its products (through our newsletter).

These purposes can all be considered legitimate interests of Nym.

IV. The personal data controller

We are the controller of personal data with regard to the website.

V. With whom we share your personal data

With third parties:

We provide personal data only to parties who help us optimize our services, execute the agreement with you, or to parties with whom we are legally obliged to share the data.

For optimization purposes, we will use privacy enhancing technologies to anonymize the data and for any agreement we will minimize the amount of personal data shared. In the case of any legal request from a third-party for personal data, Nym Technologies SA will challenge and resist any request to the fullest extent permitted by applicable law and will make such requests public.

We may share your personal data with Stripe, our payment processor, in case you enter into a contract with us on our website.

Additionally, we make use of data processors with whom we have entered into data processing agreements. These data processors may process personal data outside Switzerland or the European Economic Area, including in the United States of America (USA). These data processors remain our responsibility and are therefore not third parties, even though they may appear as such to you.

Cross-border data transfer:

Nym is based in Switzerland, which means that a third country relationship exists in relation to the European Union (the “EU”) and the European Economic Area (the “EEA”). The EU/EEA has deemed the Swiss data protection regulations to be adequate and vice versa. As part of the provision of services, personal data is transferred to the EU/EEA for further processing and vice versa. This means that your data will only be processed on the basis of special guarantees and that the third country in the EEA has an adequate level of data protection. For some of the third-party service providers, we may transfer your data to one of their databases outside Switzerland or the EEA, potentially including countries which may not have an adequate level of protection for your personal data. In such event, we enter into agreements with such third parties ensuring an adequate level of protection for your personal data.

Sharing with authorities:

In the case that it is requested we share personal data when required by law, Nym Technologies SA will attempt to challenge and resist any request to the fullest extent permitted by applicable law and will attempt to make such requests public. We may also disclose personal data if we need to investigate and defend ourselves against any third-party claims or allegations, protect the security or integrity of our website or exercise or protect the rights and safety of our users, personnel, or others.

VI. Newsletter

You can subscribe to our newsletter via our website. We receive for this:

• Your email address.

When you sign up for the newsletter, you consent to the processing of your personal data for the purpose of sending the newsletter. We use a marketing platform for this purpose. In every newsletter you receive from us, we offer the opportunity to unsubscribe. The data in our marketing platform are processed in the USA.

Your personal data shared with the Nym Newsletter provider Mailchimp will be stored on servers located in the United States of America, the United Kingdom as well as in the EU. Mailchimp will process your data in the USA and has submitted to the EU-USA Privacy Shield, for its processing in the United Kingdom the Commission adequacy decision on the United Kingdom applies. We have also concluded standard data protection clauses with Mailchimp. Contact details you provide for sending newsletters are deleted one year after the last newsletter has been sent.

VII. How and how long we store your personal data

We take the protection of your data seriously and take appropriate measures to prevent misuse, loss, unauthorized access, unwanted disclosure and unauthorized modification, but no method of transmission over the internet, or method of electronic storage is 100% secure.

We do not process your personal data longer than necessary for the purpose of the data processing. The retention period depends on a number of circumstances, among other:

• type of personal data;
• the purpose for which we collected the personal data;
• whether there is an ongoing legitimate business need to do so (for example to provide you with a service you have requested);
• applicable laws and regulations, such as legal or fiscal legislation;
• type of relationship with you as a data subject, for example customer relationship;
• the necessity to keep data in connection with (future) legal proceedings; and
• what you can reasonably expect as a retention period.

Because we believe it is important to be transparent, we provide two examples of this type of retention period below.

Pursuant to the Swiss law the accounting books and records, and the accounting vouchers together with the annual report and the audit report will be retained for ten years. The retention period begins on expiry of the respective financial year.

Stripe will generally keep personal data received from us for at least five years from the end of the business relationship with us or the date of the last transaction, whichever is later.

Once the retention period expires, the personal data will be either deleted or anonymized.

VIII. Your data protection rights

We would like to make sure you are fully aware of all your data protection rights. If we hold personal data about you under the FADP, you have rights including:

• The right to be informed – You have the right to be informed of the collection and processing of your personal data.
• The right of access - You have the right to request us for copies of your personal data. We may charge you a small fee for this service.
• The right to rectification - You have the right to request that we correct any information that you believe is inaccurate. You also have the right to request us to complete information you believe is incomplete.
• The right to erasure - You have the right to request that we erase your personal data, under certain circumstances.
• The right to restrict processing - You have the right to request us to restrict the processing of your personal information in certain circumstances.
• The right to object to processing - You have the right to object to the processing of your personal data, under certain circumstances.

We shall in general respond to your request within 30 days. We may ask you to verify your identity before executing your request. If your request is difficult to process, we may need more time to comply with your request and may delay the execution of your request.

IX. What are cookies?

We integrate and use cookies on various pages to enable certain functions of our website and to integrate external web services. The so-called 'cookies' are small text files that your browser can store on your access device. These text files contain a characteristic string that uniquely identifies the browser when you return to our website. This way, the information you previously provided can be retrieved. The process of saving a cookie file is also referred to as 'setting a cookie'.

X. How do we use cookies?

We use cookies for the following purpose:

• Integrations with payment providers such as Stripe.

XI. Stripe

We use Stripe for payment processing and refunds and to integrate with their services we use cookies. When using our payment processor Stripe, your bank/the payment provider will process your personal data as controllers of such processing. You can read more about the payment providers on their websites.

XII. Changes to our nym.com Privacy statement

We keep this Statement under regular review and reserve the right to amend this Statement without prior notification. If we change this Statement, we will inform you on our website and via our newsletter.

XIII. How to contact us

If you have any questions about our Statement, the personal data we hold of you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us through:

• Our contact page available on our website: https://nym.com/contact
• Our email address: legal@nym.com; or
• Our address: Nym Technologies SA, place Numa-Droz 2, 2000 Neuchâtel, Switzerland.

XIV. Contact the appropriate legal authority

Should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (“FDPIC”). For further information, please consult the contact form of the FDPIC: https://www.edoeb.admin.ch/edoeb/de/home/deredoeb/kontakt.html.

XV. Governing law

This Statement and any questions relating thereto shall be governed by the laws of Switzerland.