Privacy Policy
Last updated: April 2026
1. Introduction
At PimPay SA ("PimPay", "we", "our", "us"), we take your privacy seriously. This Privacy Policy explains what personal data we collect when you visit our website www.pimpay.ch or use our services, how and why we process it, who we share it with, how we protect it, and what rights you have over it.
This Policy is drawn up in compliance with:
the Swiss Federal Act on Data Protection of 25 September 2020 (nFADP / nLPD), as amended and in force since 1 September 2023
the Swiss Ordinance on Data Protection (OFADP / OLPD)
where applicable to data subjects in the European Economic Area, the EU General Data Protection Regulation 2016/679 (GDPR)
and the sector-specific obligations arising from the Swiss Anti-Money Laundering Act (AMLA / LBA) and the FINMA Anti-Money Laundering Ordinance (GwV-FINMA)
By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The controller of the personal data processed under this Policy is:
PimPay SA
Rue de Bourg 16-20
1003 Lausanne
Switzerland
UID: CHE-340.395.137
Email: info@pimpay.ch
For any privacy-related request, please contact us at info@pimpay.ch with the subject line "Privacy Request".
3. What data we collect
3.1 Data you provide to us
When you interact with our website or services, you may provide us with:
Identity data: first name, last name, date of birth, nationality
Contact data: email address, postal address, phone number
Business data: company name, legal form, commercial register number (UID), business category (MCC)
Account data: username, encrypted password, preferences
Transaction data: IBAN, transaction amounts, timestamps, merchant and consumer identifiers
Communication data: content of messages, forms, support tickets or emails you send us
Identification documents where required by law (KYC/KYB — see section 4)
3.2 Data we collect automatically
When you visit our website, we automatically collect:
Technical data: IP address, browser type and version, operating system, device type, screen resolution
Usage data: pages visited, duration of visits, referring URL, actions performed on the site
Cookies and similar technologies: see section 9 below
3.3 Data from third parties
We may receive data about you from:
Identity verification providers (KYC providers) during onboarding
Credit rating agencies for risk assessment (merchants only)
Public registers (commercial register, sanctions lists, PEP lists)
Payment infrastructure partners (banks, card networks)
4. Why we process your data (purposes and legal bases)
Under art. 6(1) nFADP (equivalent to art. 6 GDPR), we process personal data on the following legal bases:
Performing the contract (account creation, payment processing, settlement) — Contract performance
Compliance with anti-money laundering obligations (KYC/KYB, transaction monitoring, suspicious activity reports) — Legal obligation (AMLA)
Compliance with accounting and tax retention obligations (art. 958f Swiss Code of Obligations) — Legal obligation
Risk management and fraud prevention — Legitimate interest
Customer support and communication — Contract performance / Legitimate interest
Product and service improvement, analytics — Legitimate interest
Security of the system (detecting intrusions, protecting against cyberattacks) — Legitimate interest
Marketing and value-added services (campaigns, loyalty programs, newsletters) — Consent
Legal claims and judicial proceedings — Legitimate interest
We do not use automated decision-making or profiling that produces legal effects.
5. Who we share your data with
5.1 Internal recipients
Your data is accessible only to PimPay SA employees who need it to perform their duties, on a strict need-to-know basis.
5.2 External processors and partners
We share data with carefully selected third parties who act either as independent data controllers or as our data processors:
Cloud infrastructure: Google LLC (Google Cloud, Workspace), Microsoft Corporation (Azure, Microsoft 365)
Website hosting: Framer B.V. (Netherlands)
Analytics: Google Analytics (subject to user consent — see section 9)
Payment processing partners: Swiss banks and financial institutions authorised by FINMA
Identity verification (KYC): FINMA-approved providers per Circular 2016/7
Communication tools: email providers, customer support platforms
Professional advisors: auditors, lawyers, tax advisors — bound by professional secrecy
Competent authorities: FINMA, MROS, ARIF, tax authorities, law enforcement, where required by law
Where a provider acts as our data processor, a Data Processing Agreement (DPA) is concluded in accordance with art. 9 nFADP (and art. 28 GDPR where applicable).
5.3 No sale of personal data
We do not sell, rent or trade your personal data to third parties for their own commercial purposes.
6. International data transfers
Personal data may be processed in Switzerland, in the European Economic Area, or in third countries where our service providers operate.
Transfers to countries outside Switzerland/EEA that do not provide an adequate level of data protection recognised by the Swiss Federal Council are only carried out on the basis of appropriate safeguards, in particular:
Standard Contractual Clauses (SCCs) approved by the European Commission and recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC/PFPDT)
Additional technical and organisational safeguards (encryption, pseudonymisation)
Case-by-case assessment of the data protection level of the destination country
You may request a copy of the safeguards in place by contacting us at info@pimpay.ch.
7. How long we keep your data
We retain your personal data only for as long as necessary for the purposes described in this Policy, and in accordance with legal retention periods:
Account and profile data: duration of the contractual relationship
Transaction data: 10 years after transaction (art. 958f Swiss Code of Obligations)
KYC / identification documents: 10 years after end of business relationship (AMLA)
AML register and clarifications: 10 years after end of business relationship (AMLA)
Merchant platform transaction history (available in-app): 6 months (beyond this, merchants must archive independently)
Customer support communications: 3 years after last contact
Marketing consent records: duration of consent + 3 years
Website analytics (aggregated): 26 months
Server logs and security data: 12 months
After termination of the contractual relationship and expiry of all applicable retention periods, personal data is deleted. In any event, deletion takes place no later than six (6) months after expiry of the longest applicable retention period.
8. How we protect your data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, loss or destruction, including:
Encryption of data in transit (TLS) and at rest
Access controls (role-based, least privilege, multi-factor authentication for staff)
Regular security audits and penetration testing
Staff training on data protection and information security
Incident response procedures and data breach notification process
Physical security of infrastructure (Swiss and EU data centres)
While we apply industry-standard safeguards, no system connected to the internet can be guaranteed 100% secure. You are responsible for keeping your account credentials confidential.
9. Cookies and tracking technologies
Our website uses cookies and similar technologies. A cookie is a small text file stored on your device that allows our site to recognise you on subsequent visits.
9.1 Types of cookies we use
Essential cookies: required for the site to function (session, security, language preference). Cannot be disabled.
Analytics cookies: help us understand how visitors use the site (Google Analytics). Only activated with your consent.
Preference cookies: remember your choices (language, display). Only activated with your consent.
9.2 Managing your preferences
You can manage your cookie preferences via our cookie banner, available on your first visit and accessible at any time through the "Cookie settings" link. You can also configure your browser to block or delete cookies — note that this may affect site functionality.
9.3 Do Not Track
We respect "Do Not Track" browser signals where technically feasible.
10. Your rights
Under the nFADP (and, where applicable, the GDPR), you have the following rights regarding your personal data:
Right of access — obtain confirmation that we process data about you, a copy of that data, and information about its processing
Right to rectification — correct inaccurate or outdated data
Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations
Right to restriction of processing in certain circumstances
Right to object to processing based on our legitimate interests, including for direct marketing purposes
Right to data portability — receive your data in a structured, commonly used, machine-readable format, and transmit it to another controller
Right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal
Right not to be subject to automated individual decisions producing legal effects
10.1 How to exercise your rights
Send your request to info@pimpay.ch with the subject line "Privacy Request", together with sufficient information to identify you. We will respond within 30 days.
10.2 Right to lodge a complaint
If you believe your rights have not been respected, you may lodge a complaint with the competent data protection authority:
In Switzerland: Federal Data Protection and Information Commissioner (FDPIC/PFPDT) — www.edoeb.admin.ch
In the EU/EEA: the data protection authority of your country of residence
11. Data concerning minors
Our services are intended for persons aged 13 and over, in accordance with the rules applicable to our wallet product under AMLA and the ARIF Guidelines.
For users aged 13 to 17, certain services (peer-to-peer payments, full wallet features) require the explicit consent of a parent or legal guardian. We do not knowingly collect personal data from children under 13.
If you believe we have collected data from a child under 13, please contact us immediately at info@pimpay.ch so we can delete it.
12. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or services.
Significant changes will be communicated to you via email or through a prominent notice on our website, at least 30 days before they take effect.
The current version is always available at pimpay.ch/privacy-policy. The "Last updated" date at the top of this Policy indicates the date of the last revision.
13. Contact
For any question about this Privacy Policy, or to exercise your rights:
Email: info@pimpay.ch (subject: "Privacy Request")
Mail: PimPay SA, Rue de Bourg 16-20, 1003 Lausanne, Switzerland