SBC Lab AG – Blockchain Applied (BCA)

Version: 1.0  Effective Date: 2026-05-24

1. Who we are

This Privacy Notice describes how SBC Lab AG, a stock corporation (Aktiengesellschaft) incorporated under the laws of Switzerland with its registered office at Winkel, Switzerland (“we”, “us”, “our” or “SBC Lab”), processes personal data in connection with our website at https://www.blockchain-applied.com (the “Website”) and the BCA – Blockchain Applied service (the “Service”).

Controller: SBC Lab AG, Seebüelstrasse 26, CH-8185 Winkel ZH, Switzerland

UID: CHE-108.146.168

Contact for data-protection matters: privacy@blockchain-applied.com.

For the purposes of European Union law, we are the controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (“GDPR”). For the purposes of Swiss law, we are the controller (Verantwortlicher) within the meaning of Article 5(j) of the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP” / DSG).

2. Scope of this Notice

This Notice applies to personal data we process as a controller in connection with:

(a) your visit to and use of the Website;

(b) your registration for, and subsequent use of, an account on the Service (whether as a paid customer or in a free trial);

(c) billing, invoicing and contract administration;

(d) communications you exchange with us, including support requests and pre-sales enquiries;

(e) marketing communications you receive from us, where applicable;

(f) events, webinars and other activities we host or participate in;

(g) job applications you submit to us.

Where we process personal data on behalf of our business customers (i.e. when they upload personal data into the Service), we act as a processor; that processing is governed by the Data Processing Agreement available at https://www.blockchain-applied.com/dpa and is not the subject of this Notice.

On-chain data (i.e. data publicly recorded on the Cardano, Bitcoin or other supported public blockchains) is by its nature public; we do not treat such data as personal data of our customers or website visitors.

3. What personal data we collect

Depending on how you interact with us, we may process the following categories of personal data:

3.1 Account and authentication data: name, business email address, employer/company name, country, password (stored as a salted hash), API keys, multi-factor-authentication tokens, account preferences, subscription tier.

3.2 Contact and communication data: your name, postal and email address, telephone number where given, the content of messages you send us (including support tickets, sales enquiries, contact-form submissions) and metadata such as time and channel.

3.3 Billing and commercial data: billing address, VAT/UID number, currency preference, invoice and payment history, transaction identifiers. We do not store full payment-card numbers; card payments, where offered, are processed by qualified payment providers.

3.4 Technical, log and usage data: IP address, browser type and version, operating system, device identifiers, referrer URL, requested URLs, response codes, request and response sizes, time-stamps, API endpoints accessed, query and rate-limit metadata, error and security logs.

3.5 Marketing and preference data: newsletter subscription status, communication preferences, marketing-consent status and history, content interactions (e.g. whether you opened a newsletter or clicked a link).

3.6 Recruitment data: where you apply for a role with us, your CV, cover letter, references, professional history, qualifications, work-eligibility information and the content of interviews.

3.7 Cookies and similar identifiers: see Section 6 below.

We do not knowingly collect special categories of personal data (Article 9 GDPR / Article 5(c) FADP); please do not submit such data unless we have expressly invited you to do so.

We process personal data only where we have a lawful basis to do so. The following table summarises our main processing activities.

| Activity | Data categories | Legal basis (GDPR) | Legal basis (FADP) |
|---|---|---|---|
| Operating the Website and ensuring its security | Technical, log and usage data; cookies | Art. 6(1)(f) – legitimate interests (secure, performant Website) | Art. 31(1)(a) – overriding private interest |
| Account creation, authentication and provision of the Service | Account, authentication and usage data | Art. 6(1)(b) – performance of contract | Art. 31(1)(a) – direct contractual relationship |
| Billing, invoicing and dunning | Billing and commercial data; account data | Art. 6(1)(b) (contract); Art. 6(1)(c) (legal obligations under accounting and tax law) | Art. 31(1)(c) – statutory obligation; contract performance |
| Customer support and incident handling | Contact / communication data; account and log data | Art. 6(1)(b) (contract); Art. 6(1)(f) (legitimate interests) | Art. 31(1)(a) – contract performance / private interest |
| Security monitoring, fraud and abuse prevention | Technical, log and usage data; account data | Art. 6(1)(f) – legitimate interests; Art. 6(1)(c) where required by law | Art. 31(1)(a) and (c) FADP |
| Marketing communications to existing customers about similar products | Contact data; marketing preferences | Art. 6(1)(f) GDPR read with Art. 13 ePrivacy Directive 2002/58/EC | Art. 3(o) UWG; Art. 31(1)(a) FADP |
| Marketing communications to prospects (newsletters, product updates) | Contact data; marketing preferences | Art. 6(1)(a) – consent | Art. 31(1)(a) FADP + consent under Art. 3(o) UWG |
| Compliance with legal, regulatory and tax obligations | All relevant data | Art. 6(1)(c) | Art. 31(1)(c) FADP |
| Establishment, exercise and defence of legal claims | All relevant data | Art. 6(1)(f) – legitimate interests | Art. 31(2)(d) FADP |
| Recruitment | Recruitment data | Art. 6(1)(b) – pre-contractual measures; Art. 6(1)(a) – consent for retention beyond the current process | Art. 31(1)(a) FADP – pre-contractual measures |
| Aggregated and anonymised analytics for product improvement | Aggregated/anonymised data only (no personal data) | Out of scope of GDPR after anonymisation | Out of scope of FADP after anonymisation |

Where we rely on legitimate interests, you have the right to object at any time on grounds relating to your particular situation; see Section 10.

5. Is the provision of data mandatory?

Where we collect personal data on the basis of a contract or statutory obligation, you are required to provide the data necessary for the corresponding purpose; without it we will be unable to provide the Service or, as the case may be, to comply with our legal duties. In all other cases the provision of personal data is voluntary.

6. Cookies and similar technologies

6.1 What we use. We use cookies, local-storage entries and similar technologies (“Cookies”) on the Website. Strictly necessary Cookies are placed on the basis of our legitimate interest in operating the Website. Non-essential Cookies (in particular analytics) are placed only on the basis of your prior consent, where applicable. You can manage your Cookie preferences at any time through our Cookie banner or through your browser settings.

6.2 Analytics. We use the open-source analytics tool Matomo, self-hosted on infrastructure located in Switzerland, to understand how the Website is used. IP addresses are truncated before storage, and no cross-site tracking is carried out. The logged data is not shared with third parties for advertising purposes.

6.3 Third-party services. Where we embed or load third-party services on the Website (e.g. video players, social-media widgets, fonts), those providers may set their own Cookies and act as independent controllers. We endeavour to load such services only after your consent, where required by law.

6.4 Swiss law specific. Under Article 45c of the Swiss Telecommunications Act (FMG), the use of Cookies requires you to be informed of their purpose and of how to refuse them; we provide this information through our Cookie banner and through this Notice.

7. Recipients of personal data

We disclose personal data only to the extent necessary for the purposes set out above. Recipients include:

  • Service providers acting as processors on our behalf, including infrastructure hosting (Hetzner Online GmbH, Germany/Finland; SBC Lab self-hosted infrastructure in Switzerland), email hosting (Infomaniak Network SA, Switzerland), newsletter and transactional email (Brevo / Sendinblue SAS, France), website analytics (Matomo, self-hosted in Switzerland), customer-support tooling and similar services. These processors are bound by written data-protection agreements consistent with Article 28 GDPR and Article 9 FADP.
  • Sub-providers for specific Service features, in particular Google (United States) for the provisioning and management of customer access to BigQuery.
  • Professional advisers, such as auditors, accountants, lawyers and tax advisers, where the disclosure is necessary for the conduct of our business.
  • Authorities and courts, where we are required by law or by a legally binding order to disclose data.
  • Third parties in a corporate transaction, such as a sale of business, merger, reorganisation or financing, subject to confidentiality undertakings.

An up-to-date list of our sub-processors, including their location, is set out in Annex 3 to the Data Processing Agreement at https://www.blockchain-applied.com/dpa.

8. International data transfers

Most of the personal data we process is stored within Switzerland and the European Economic Area (“EEA”). Some transfers take place to recipients in third countries that are not recognised as providing an adequate level of data protection, in particular to Google LLC in the United States, where we use the Google BigQuery service for certain Service features.

Such transfers are safeguarded by:

(a) the EU–US Data Privacy Framework (and its UK Extension and Swiss–US Data Privacy Framework), where the recipient is certified under that programme (Article 45 GDPR / Article 16(1) FADP);

(b) as a complementary safeguard, the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, supplemented by the Swiss addendum issued by the Federal Data Protection and Information Commissioner (FDPIC) and, where applicable, the UK Addendum issued by the UK Information Commissioner’s Office;

(c) additional technical and organisational measures, such as encryption in transit and at rest, pseudonymisation, and contractual restrictions on government-access requests.

A copy of the applicable transfer safeguards is available on written request to privacy@blockchain-applied.com.

9. Retention periods

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Indicative retention periods are:

  • Account and Service-usage data: for the duration of your contractual relationship with us, plus thirty (30) days for export, then deletion or anonymisation, save where longer retention is required by law.
  • Billing and accounting records: ten (10) years from the end of the financial year to which they relate, in accordance with Article 958f of the Swiss Code of Obligations and applicable VAT/MWST rules.
  • Support and communication records: up to three (3) years after the end of the matter.
  • Marketing-consent records: until you withdraw consent, plus a reasonable period to evidence prior consent.
  • Web-server and security logs: typically up to six (6) months, longer in case of a security investigation.
  • Recruitment data: for the duration of the recruitment process, plus six (6) months unless we have your consent for longer retention or hire you, in which case data is retained as part of your personnel file.
  • Data necessary to establish, exercise or defend legal claims: until expiry of the applicable limitation period (up to ten (10) years under Article 127 of the Swiss Code of Obligations) or until conclusion of the relevant proceedings.

10. Your rights

Subject to the conditions and limitations of applicable law, you have the following rights with regard to your personal data:

10.1 Right of access – to obtain confirmation of whether we process personal data about you and, if so, a copy of that data together with the information required by Article 15 GDPR or Article 25 FADP.

10.2 Right to rectification – to have inaccurate data corrected and incomplete data completed (Article 16 GDPR / Article 32(1) FADP).

10.3 Right to erasure – to have personal data deleted where one of the grounds in Article 17 GDPR applies, or under Article 32(2)(c) FADP.

10.4 Right to restriction of processing – in the cases listed in Article 18 GDPR.

10.5 Right to data portability – to receive personal data you provided to us in a structured, commonly used and machine-readable format, where processing is based on consent or contract and is carried out by automated means (Article 20 GDPR; Article 28 FADP).

10.6 Right to object – to processing based on legitimate interests, including profiling, on grounds relating to your particular situation, and an absolute right to object to processing for direct-marketing purposes (Article 21 GDPR; Article 30(2)(b) FADP).

10.7 Right to withdraw consent – where processing is based on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR; Article 6(7) FADP).

10.8 Right not to be subject to a decision based solely on automated processing (Article 22 GDPR; Article 21 FADP); see Section 12.

10.9 Exercising your rights. To exercise any of your rights, please contact us at privacy@blockchain-applied.com. We may require reasonable information to confirm your identity. We will respond within the time-limit prescribed by applicable law (in principle thirty (30) days under both the GDPR and the FADP).

10.10 Right to complain. If you consider that our processing infringes data-protection law, you may lodge a complaint with the competent supervisory authority, in particular:

(a) in Switzerland: the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Berne, https://www.edoeb.admin.ch;

(b) in the EU/EEA: the supervisory authority of the Member State of your habitual residence, place of work or alleged infringement;

(c) in the United Kingdom: the Information Commissioner’s Office (ICO), https://ico.org.uk.

11. Sources of personal data we did not collect from you

We process personal data that you provide to us directly. In limited cases, we may obtain personal data from other sources, including:

(a) publicly available sources such as your employer’s website, professional networks (e.g. LinkedIn) or business directories, for prospecting purposes;

(b) your employer or another party with whom you are affiliated, where they configure your access to the Service;

(c) service providers and resellers through which you reach us;

(d) credit-reference and fraud-prevention agencies, where necessary to manage credit and payment risk.

12. Automated individual decisions and profiling

We do not subject you to decisions that have legal effects on you or that significantly affect you and that are based solely on automated processing, including profiling, within the meaning of Article 22 GDPR or Article 21 FADP. Where this changes in the future, we will inform you in advance and ensure that you can exercise the rights provided by law.

13. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage, in accordance with Article 32 GDPR and Article 8 FADP and Articles 1 to 6 of the Swiss Ordinance on Data Protection (DSV). Such measures include encryption in transit and at rest, role-based access controls, multi-factor authentication, audit logging, regular back-ups, vulnerability management, security training of personnel and incident-response procedures. A description of measures applicable to data processed on behalf of customers is set out in Annex 2 of our Data Processing Agreement.

Despite our efforts, no internet or storage system is 100 % secure. If you suspect that the security of your account has been compromised, please contact us immediately at info@blockchain-applied.com.

14. Children

The Service is intended for use by businesses and by adults. We do not knowingly collect personal data from children under sixteen (16) years of age. If you believe that a child has provided personal data to us, please contact privacy@blockchain-applied.com so that we can delete it.

15. Changes to this Notice

We may update this Notice from time to time to reflect changes in our processing activities or in applicable law. The Effective Date at the top of this Notice indicates when the latest version came into force. We will inform registered users by email or in-product notification of material changes.

16. How to contact us

If you have any questions or concerns about this Notice or our processing of your personal data, or wish to exercise any of your rights, please contact us at:

SBC Lab AG – Blockchain Applied

Seebühelstrasse 26, 8185 Winkel, Switzerland

Email: privacy@blockchain-applied.com

General contact: info@blockchain-applied.com

This Notice is governed by Swiss law. The English version is the binding version; any translation is provided for convenience only.