PRIVACY POLICY

Processing of personal data in accordance with the Swiss Data Protection Act (LPD) and Regulation (EU) 2016/679 (GDPR)

www.route-bitcoin-training.com

1. Introduction

This Privacy Policy (hereinafter, the “Policy”) describes how MFG Consulting SA, with registered office at Corso Elvezia 16, 6900 Lugano, Switzerland (hereinafter, the “Company” or the “Data Controller”), collects, uses, and protects the personal data of users who access the website www.route-crypto-training.net (hereinafter, the “Site”) and use the e-learning courses provided through the technology platform Thinkific Labs Inc., headquartered in Canada (hereinafter, “Thinkific”).

This Privacy Policy is provided pursuant to: (i) the Swiss Federal Data Protection Act of September 25, 2020 (“nLPD”), which entered into force on September 1, 2023, and the related Ordinance (OLPD); (ii) Regulation (EU) 2016/679 (“GDPR”), applicable pursuant to Article 3(2) of the GDPR, as the Company offers services to data subjects residing in the European Economic Area.

In the event of a conflict between the regulations, the provision that provides greater protection to the data subject shall prevail.

2. Data Controller

The data controller is MFG Consulting SA, Corso Elvezia 16, 6900 Lugano, Switzerland, represented by Mr. Maurizio Camponovo. For any inquiries regarding the processing of personal data, you may contact the Data Controller at the following contact details:

3. Representative in the European Union

If the Company systematically processes personal data of data subjects residing in the European Union on a large scale, a representative in the Union may be designated pursuant to Article 27 of the GDPR. Currently, [indicate the name and contact details of the EU representative or: the Company has not designated an EU representative, as it considers that the processing activities do not fall within those requiring such a designation pursuant to Article 27(2) of the GDPR].

4. Data Protection Officer (DPO)

The Company has not appointed a Data Protection Officer (DPO), as the mandatory requirements set forth in Article 37 of the GDPR or under the nLPD do not apply. For any questions regarding the processing of personal data, you may contact the Data Controller directly using the contact information provided in section 2.

5. Legal Basis for Processing

The Company processes personal data based on one or more of the following lawful grounds, as provided for in Art. 6, para. 1, GDPR and Arts. 30 and 31 nLPD:

The provision of identification, contact, and payment data is necessary for the conclusion of the contract and for the use of the Courses; refusal to provide such data makes it impossible to provide the Services. The provision of data for marketing purposes, however, is optional, and refusal does not affect access to the Services.

6. Types of Data Collected

The Company collects and processes the following categories of personal data:

The Company does not intentionally collect special categories of data pursuant to Art. 9 of the GDPR and Art. 5(c) of the nLPD (so-called “personal data requiring special protection”).

7. Purposes of Processing

Personal data is processed for the following purposes:

8. Methods of Processing and Electronic Communications

Processing is carried out using IT and telecommunications tools, with logic strictly related to the purposes indicated above and, in any case, in a manner that ensures the security and confidentiality of the data. The Company implements appropriate technical and organizational measures in accordance with Article 32 of the GDPR and Article 8 of the nLPD.

The Company communicates with users via electronic means (specifically email) which, unless otherwise indicated, are not end-to-end encrypted. The user is advised that these channels involve residual risks regarding the confidentiality and integrity of messages; by continuing to use the Site and communicate via email, the user acknowledges and accepts these risks. The user may at any time request alternative means of communication, where technically feasible, by contacting the Data Controller at the contact details provided in section 2.

The Company may engage qualified third-party providers for the maintenance and management of its IT systems, appointed as Data Processors pursuant to Article 28 of the GDPR and Article 9 of the nLPD.

9. Recipients of Data and Third-Party Services

Personal data may be disclosed to the following recipients, to the extent strictly necessary for the purposes of the processing:

10. Transfer of Data Abroad

The Courses are delivered via the Thinkific platform, based in Canada. The transfer of personal data to Canada is based on the following safeguards:

For further information on the safeguards applied to transfers, the user may contact the Data Controller at the contact details provided in section 2.

11. Data Retention

Personal data is retained for the time strictly necessary to fulfill the purposes for which it was collected, in accordance with the following criteria:

At the end of the retention periods, the data is deleted or irreversibly anonymized.

12. Cookies and Tracking Technologies

The Site uses technical, analytical, and, subject to consent, profiling or marketing cookies. For detailed information on the cookies used, their purposes, and how to manage preferences, please refer to the Cookie Policy published on the Site, which forms an integral part of this Policy.

13. Profiling and Automated Decision-Making

The Company does not carry out automated decision-making processes or profiling that produces legal effects or significantly affects the data subject pursuant to Art. 22 of the GDPR and Art. 21 of the nLPD. Any aggregate statistical analyses of the Courses are conducted anonymously or pseudonymously and do not produce individual effects on users.

14. Processing of Minors’ Data

The Services are intended for adults. Registration on the Platform is reserved for users who are at least 18 years of age. Should the Company become aware of the processing of data relating to a minor without valid consent, it will promptly delete the data.

15. Data Security

The Company adopts appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, destruction, or disclosure, in accordance with Article 32 of the GDPR and Article 8 of the nLPD. These measures include, by way of example, access controls, encryption of data in transit, periodic backups, segregation of environments, and training of personnel authorized to process data.

Although the Company adopts the best available security measures, it cannot guarantee the absolute inviolability of data transmitted via the Internet or stored in electronic format.

16. Rights of Data Subjects

Pursuant to Articles 15–22 of the GDPR and Articles 25 et seq. of the nLPD, the data subject has the right to:

To exercise these rights, the data subject may write to [email protected] or [email protected]. The Company will respond without undue delay and in any case within 30 days of receiving the request.

The data subject also has the right to lodge a complaint with the competent authorities:

17. Changes to the Privacy Policy

The Company reserves the right to amend this Policy to adapt it to regulatory, technological, or organizational changes. The amendments will be published on the Website with an indication of the update date, and, where the changes are substantial, registered users will be notified via email. We encourage you to consult this page periodically.

18. Contact Information

For any questions regarding this Policy or the processing of personal data, you may contact the Company at the following addresses: