PRIVACY POLICY
Processing of personal data in accordance with the Swiss Data Protection Act (LPD) and Regulation (EU) 2016/679 (GDPR)
www.route-bitcoin-training.com
1. Introduction
This Privacy Policy (hereinafter, the “Policy”) describes how MFG Consulting SA, with registered office at Corso Elvezia 16, 6900 Lugano, Switzerland (hereinafter, the “Company” or the “Data Controller”), collects, uses, and protects the personal data of users who access the website www.route-crypto-training.net (hereinafter, the “Site”) and use the e-learning courses provided through the technology platform Thinkific Labs Inc., headquartered in Canada (hereinafter, “Thinkific”).
This Privacy Policy is provided pursuant to: (i) the Swiss Federal Data Protection Act of September 25, 2020 (“nLPD”), which entered into force on September 1, 2023, and the related Ordinance (OLPD); (ii) Regulation (EU) 2016/679 (“GDPR”), applicable pursuant to Article 3(2) of the GDPR, as the Company offers services to data subjects residing in the European Economic Area.
In the event of a conflict between the regulations, the provision that provides greater protection to the data subject shall prevail.
2. Data Controller
The data controller is MFG Consulting SA, Corso Elvezia 16, 6900 Lugano, Switzerland, represented by Mr. Maurizio Camponovo. For any inquiries regarding the processing of personal data, you may contact the Data Controller at the following contact details:
- General email: [email protected]
- Representative’s email: [email protected]
3. Representative in the European Union
If the Company systematically processes personal data of data subjects residing in the European Union on a large scale, a representative in the Union may be designated pursuant to Article 27 of the GDPR. Currently, [indicate the name and contact details of the EU representative or: the Company has not designated an EU representative, as it considers that the processing activities do not fall within those requiring such a designation pursuant to Article 27(2) of the GDPR].
4. Data Protection Officer (DPO)
The Company has not appointed a Data Protection Officer (DPO), as the mandatory requirements set forth in Article 37 of the GDPR or under the nLPD do not apply. For any questions regarding the processing of personal data, you may contact the Data Controller directly using the contact information provided in section 2.
5. Legal Basis for Processing
The Company processes personal data based on one or more of the following lawful grounds, as provided for in Art. 6, para. 1, GDPR and Arts. 30 and 31 nLPD:
- Performance of the contract (Article 6(1)(b) of the GDPR; Article 31(2)(a) of the nLPD): for the provision of the Services requested by the user, enrollment in Courses, processing of payments, and management of the contractual relationship;
- Legal obligation (Art. 6(1)(c) GDPR; Art. 31(1) nLPD): to comply with obligations under Swiss or European Union law (e.g., tax, accounting, and anti-money laundering obligations);
- Consent (Art. 6(1)(a) GDPR; Art. 31(1) nLPD): to send promotional communications, newsletters, and direct marketing. Consent is optional, specific, informed, and revocable at any time;
- Legitimate interest (Art. 6(1)(f) GDPR; Art. 31(1)(d) nLPD): to ensure the cybersecurity of the Website, prevent fraud, assert or defend a legal claim in court, and improve the Services offered.
The provision of identification, contact, and payment data is necessary for the conclusion of the contract and for the use of the Courses; refusal to provide such data makes it impossible to provide the Services. The provision of data for marketing purposes, however, is optional, and refusal does not affect access to the Services.
6. Types of Data Collected
The Company collects and processes the following categories of personal data:
- Identification data: first name, last name;
- Contact data: email address, phone number (if applicable);
- Professional data (where applicable): job title, employer, professional identification code (e.g., RUI for insurance intermediaries), for the certification of IVASS/CONSOB training hours;
- Course-related data: login, progress, completion, test results, certificates issued;
- Payment data: information necessary to process transactions, processed directly by third-party providers Stripe and PayPal (see point 12);
- Technical and browsing data: IP address, browser, operating system, access logs, data collected via cookies and similar technologies (see Cookie Policy).
The Company does not intentionally collect special categories of data pursuant to Art. 9 of the GDPR and Art. 5(c) of the nLPD (so-called “personal data requiring special protection”).
7. Purposes of Processing
Personal data is processed for the following purposes:
- User registration, account management, and provision of e-learning courses;
- Monitoring of training progress, issuance of certificates, and certification of training hours for the purposes of IVASS, CONSOB, or other industry bodies;
- Payment processing and administrative and accounting management;
- Service communications (e.g., changes to contractual terms, updates on Courses, technical or security communications);
- Sending newsletters and marketing communications, subject to the user’s specific consent;
- Compliance with legal, regulatory, and tax obligations;
- Protection of the Company’s rights, prevention of fraud and abuse, and cybersecurity;
- Responding to requests to exercise the data subject’s rights and to communications from authorities.
8. Methods of Processing and Electronic Communications
Processing is carried out using IT and telecommunications tools, with logic strictly related to the purposes indicated above and, in any case, in a manner that ensures the security and confidentiality of the data. The Company implements appropriate technical and organizational measures in accordance with Article 32 of the GDPR and Article 8 of the nLPD.
The Company communicates with users via electronic means (specifically email) which, unless otherwise indicated, are not end-to-end encrypted. The user is advised that these channels involve residual risks regarding the confidentiality and integrity of messages; by continuing to use the Site and communicate via email, the user acknowledges and accepts these risks. The user may at any time request alternative means of communication, where technically feasible, by contacting the Data Controller at the contact details provided in section 2.
The Company may engage qualified third-party providers for the maintenance and management of its IT systems, appointed as Data Processors pursuant to Article 28 of the GDPR and Article 9 of the nLPD.
9. Recipients of Data and Third-Party Services
Personal data may be disclosed to the following recipients, to the extent strictly necessary for the purposes of the processing:
- Thinkific Labs Inc. (Canada) — provider of the e-learning platform, designated as a Data Processor;
- Stripe Payments Europe Ltd. and PayPal (Europe) S.à r.l. et Cie, S.C.A. — payment service providers, which act as independent data controllers for the payment data they collect; please consult their respective privacy policies available at stripe.com and paypal.com;
- IT, hosting, cybersecurity, and technical support service providers, appointed as Data Processors;
- Professional advisors (legal, tax, and accounting) bound by confidentiality obligations;
- Public, supervisory, and judicial authorities, where required by law;
- The user’s employer, limited to data regarding course completion, in cases where enrollment occurs under a corporate contract (see General Terms of Use).
10. Transfer of Data Abroad
The Courses are delivered via the Thinkific platform, based in Canada. The transfer of personal data to Canada is based on the following safeguards:
- EU Adequacy Decision: The European Commission recognized in Decision 2002/2/EC that Canada ensures an adequate level of protection for personal data, limited to private organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Thinkific is subject to PIPEDA;
- Swiss Recognition: The Swiss Federal Council, pursuant to Art. 16 of the nLPD, has also included Canada (with the same limitations) in the list of countries that provide adequate protection;
- Additional contractual safeguards: As a precautionary measure, Standard Contractual Clauses pursuant to EU Decision 2021/914 and the Swiss template approved by the Federal Data Protection Commissioner are in place with Thinkific, where applicable.
For further information on the safeguards applied to transfers, the user may contact the Data Controller at the contact details provided in section 2.
11. Data Retention
Personal data is retained for the time strictly necessary to fulfill the purposes for which it was collected, in accordance with the following criteria:
- Contractual, administrative, and tax data: 10 years from the termination of the contractual relationship, in accordance with Swiss tax and accounting regulations (Art. 958f CO) and, where applicable, Art. 2220 of the Italian Civil Code;
- Data relating to the certification of training hours (IVASS, CONSOB, and similar): for the entire period required by applicable sector regulations (for example, 5 years pursuant to Art. 95 of IVASS Regulation No. 40/2018);
- Marketing data (newsletters, promotional communications): until consent is revoked and in any case no later than 24 months from the user’s last interaction, unless renewed;
- Access logs and technical data: no longer than 12 months, unless retention is necessary for security purposes or at the request of the authorities;
- Data processed for legal defense: for the time necessary to establish, exercise, or defend a right, and in any case within the applicable statute of limitations.
At the end of the retention periods, the data is deleted or irreversibly anonymized.
12. Cookies and Tracking Technologies
The Site uses technical, analytical, and, subject to consent, profiling or marketing cookies. For detailed information on the cookies used, their purposes, and how to manage preferences, please refer to the Cookie Policy published on the Site, which forms an integral part of this Policy.
13. Profiling and Automated Decision-Making
The Company does not carry out automated decision-making processes or profiling that produces legal effects or significantly affects the data subject pursuant to Art. 22 of the GDPR and Art. 21 of the nLPD. Any aggregate statistical analyses of the Courses are conducted anonymously or pseudonymously and do not produce individual effects on users.
14. Processing of Minors’ Data
The Services are intended for adults. Registration on the Platform is reserved for users who are at least 18 years of age. Should the Company become aware of the processing of data relating to a minor without valid consent, it will promptly delete the data.
15. Data Security
The Company adopts appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, destruction, or disclosure, in accordance with Article 32 of the GDPR and Article 8 of the nLPD. These measures include, by way of example, access controls, encryption of data in transit, periodic backups, segregation of environments, and training of personnel authorized to process data.
Although the Company adopts the best available security measures, it cannot guarantee the absolute inviolability of data transmitted via the Internet or stored in electronic format.
16. Rights of Data Subjects
Pursuant to Articles 15–22 of the GDPR and Articles 25 et seq. of the nLPD, the data subject has the right to:
- Access their personal data and obtain a copy thereof;
- Rectify inaccurate data or complete incomplete data;
- Obtain the erasure of data (“right to be forgotten”), within the limits provided by law;
- Restrict the processing of their data;
- Object to the processing, including for direct marketing purposes;
- Receive your data in a structured, commonly used, and machine-readable format (data portability);
- Withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal;
- Not to be subject to decisions based solely on automated processing.
To exercise these rights, the data subject may write to [email protected] or [email protected]. The Company will respond without undue delay and in any case within 30 days of receiving the request.
The data subject also has the right to lodge a complaint with the competent authorities:
- Federal Data Protection and Information Commissioner (FDPIC) — Feldeggweg 1, CH-3003 Bern, www.edoeb.admin.ch;
- Garante per la Protezione dei Dati Personali (Italy) — Piazza Venezia 11, 00187 Rome, www.garanteprivacy.it, if the data subject resides in Italy;
- The supervisory authority of the EU Member State of residence, employment, or where the alleged infringement occurred, pursuant to Article 77 of the GDPR.
17. Changes to the Privacy Policy
The Company reserves the right to amend this Policy to adapt it to regulatory, technological, or organizational changes. The amendments will be published on the Website with an indication of the update date, and, where the changes are substantial, registered users will be notified via email. We encourage you to consult this page periodically.
18. Contact Information
For any questions regarding this Policy or the processing of personal data, you may contact the Company at the following addresses:
- Email: [email protected]
- Representative’s email: [email protected]
- Mailing address: MFG Consulting SA, Corso Elvezia 16, 6900 Lugano, Switzerland