Privacy Policy
Pursuant to the Federal Act on Data Protection (FADP, SR 235.1)
1. Introduction and Scope and Definition
Maison Helvetique Finance GmbH ("MHF", "we", "us", "our", "WestBridge", "The Company") operating under the commercial name Westbridge, respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data when you use our website, our authenticated client portal, and our services — namely the crypto on/off-ramp exchange and the issuance of virtual IBANs in CHF, EUR, and GBP (the "Services").
This Privacy Policy is issued under the Swiss Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1, as revised, in force since 1 September 2023) and the Ordinance to the Federal Act on Data Protection (DPO, SR 235.11). Where MHF processes personal data of individuals located in the European Economic Area (EEA) or the United Kingdom in connection with offering the Services to them, the relevant provisions of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK GDPR may also apply; in such cases we apply the higher standard.
By using the Services, by submitting personal data to us, or by registering an account, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller and Contact
2.1 – Company Review
The controller of personal data processed in connection with the Services is:
Maison Helvetique Finance GmbH
Bahnhofstrasse 21, 6300 Zug, Switzerland
Commercial Register number: TBC
Email: compliance@westbridge.com
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us using the details above.
2.2 – Initial Inquiry
Users are encouraged to first attempt to resolve any issue by contacting the Company’s support team at compliance@westbridgex.com. To facilitate timely review, Users should include:
- A clear description of the issue
- Relevant transaction details
- Any supporting documentation or evidence
3. Categories of Personal Data We Process
Depending on your relationship with us and the Services you use, we may process the following categories of personal data:
3.1 Identification and Contact Data
- Full name; date and place of birth; nationality; gender (where required by ID document)
- Residential address and country of residence
- Email address, telephone number
- Government-issued identification: passport, national identity card, or driving license (including ID number, expiry date, issuing authority, and image)
- Tax identification number(s) and tax residence(s) (for FATCA/CRS where applicable)
- For business customers: company name, legal form, commercial-register number, registered office, beneficial owners, controlling persons, authorized signatories, and articles/extracts.
3.2 Identity Verification (KYC) Data
- Live photographs and short videos captured during video- or online-identification under FINMA Circular 2016/7
- Biometric features derived from identification (e.g., facial templates) used by our identity verification provider
- Documents evidencing source of funds and source of wealth (pay slips, tax returns, sale agreements, inheritance documents, etc.)
- Proof of address (utility bills, bank statements, residence registrations)
- PEP-status declarations and politically-exposed-person screening results
- Sanctions screening results (against SECO, EU, UK OFSI, US OFAC lists)
- Adverse-media screening results
3.3 Transaction and Financial Data
- Virtual IBAN details (account number, currency, balance, statements)
- Transaction records (date, time, amount, currency, counterparty, payment reference, on-chain transaction hash, blockchain addresses involved)
- Funding source (bank account details, originating IBAN, sending bank)
- Cryptocurrency wallet addresses you provide for delivery or that send funds to MHF
- On-chain analytics findings, including risk scores produced by third-party blockchain-analytics providers
- Travel Rule data (originator/beneficiary information transmitted with crypto transfers above the regulatory threshold)
3.4 Technical and Usage Data
- IP address, device identifiers, browser type and version, operating system, language, time zone
- Log-in timestamps, session duration, pages and features used
- Cookie identifiers and similar technologies (subject to our Cookie Notice)
- Geolocation data inferred from IP address (country/region level for risk and sanctions purposes)
3.5 Communications and Support Data
- Records of correspondence with our support team (email, in-app messages, chat transcripts)
- Call recordings, where calls are recorded and you have been informed in advance
- Feedback, complaints, and survey responses
3.6 Marketing Preferences
- Subscription and unsubscribe status for marketing communications
- Engagement metrics on marketing emails (opens, clicks) where applicable and lawful
4. Purposes of Processing and Legal Bases
Under FADP, the processing of personal data does not generally require a specific legal basis (other than transparency, proportionality, purpose limitation, and data accuracy). Where we process personal data falling within the scope of the GDPR, we identify a specific lawful basis as set out below.
Where processing relies on legitimate interest (FADP) or Art. 6(1)(f) GDPR, we have conducted a balancing assessment and consider that our interests do not override your fundamental rights and freedoms. You may object to such processing as set out in Section 9.
5. Sources of Personal Data
We collect personal data from the following sources:
- Directly from you: when you register, complete onboarding, use the Services, contact us, or otherwise communicate with us.
- From your devices: technical and usage data automatically collected when you use our website, portal, or any future application.
- From third-party verification and screening providers: identity verification providers, PEP and sanctions database providers, adverse-media providers, and on-chain analytics providers.
- From banking and payment partners: regarding incoming and outgoing payments associated with your vIBAN.
- From public sources: commercial registers, regulatory registries, sanctions lists, and other publicly available databases.
- From law enforcement, regulators, and courts: where we receive lawful requests, orders, or notifications.
6. Recipients and Disclosures
We share personal data only to the extent necessary for the purposes set out above and on the basis of appropriate confidentiality and data-protection arrangements. Recipients fall within the following categories:
6.1 Service Providers (Processors)
- Identity-verification providers (e.g., providers of video/online identification under FINMA Circular 2016/7)
- PEP, sanctions, and adverse-media screening providers
- On-chain analytics providers (Travel Rule and wallet-risk scoring)
- Cloud hosting and infrastructure providers (Swiss-hosted where feasible; otherwise compliant with FADP cross-border requirements)
- Email, messaging, and communications providers
- IT support, security operations, and incident-response providers
- Customer-relationship-management and ticketing providers
6.2 Banking and Payment Partners
Swiss, European, and UK banking partners involved in the issuance of virtual IBANs and the processing of payments (SWIFT, SEPA, SEPA Instant, Faster Payments). We share with them the data they reasonably require to fulfil their own legal obligations and to operate the payment infrastructure.
6.3 Liquidity and Settlement Counterparties
Where the execution of an on/off-ramp transaction requires interaction with a regulated liquidity provider or counterparty, transaction-related data may be shared as necessary to settle the transaction.
6.4 Professional Advisers
Lawyers, auditors, tax advisers, and accountants engaged by MHF, bound by professional confidentiality.
6.5 Regulators and Authorities
- VQF (Verein zur Qualitätssicherung von Finanzdienstleistungen): as our Self-Regulatory Organisation under AMLA Art. 24, including in connection with the periodic AML audit.
- FINMA (Swiss Financial Market Supervisory Authority): where required by law, regulatory request, or supervisory engagement.
- MROS (Money Laundering Reporting Office Switzerland): in connection with reporting duties under AMLA Art. 9.
- SECO and other sanctions authorities: as required by Swiss sanctions law.
- Tax authorities: for FATCA, CRS, or other automatic information exchange where applicable.
- Law enforcement, prosecutorial, and judicial authorities: in response to lawful orders, requests, or in defence of legal claims.
6.6 Travel Rule Counterparties
In line with AMLO-FINMA Art. 10 and the FATF Travel Rule, we transmit originator and beneficiary information to the receiving virtual-asset service provider for crypto transfers above the relevant threshold. We use industry-standard Travel Rule protocols and apply contractual safeguards to ensure data protection.
6.7 Group Entities and Successors
Where MHF operates within a group, or in the event of corporate transactions (sale, merger, restructuring), we may share data within the group or with the successor entity, subject to confidentiality and continued application of this Privacy Policy or an equivalent.
6.8 No Sale of Personal Data
MHF does not sell personal data.
7. International Transfers
MHF is established in Switzerland and aims to keep personal data within Switzerland or the EEA where feasible. Some of our service providers may be located outside Switzerland and the EEA. Where personal data is transferred to a country that does not provide an adequate level of data protection within the meaning of FADP Art. 16:
- We rely on the list of states with adequate protection as published by the Swiss Federal Council, where applicable.
- Where the destination is not on the list, we put in place appropriate safeguards, primarily by entering into Standard Contractual Clauses (SCCs) — using the European Commission SCCs together with the Swiss addendum issued by the Federal Data Protection and Information Commissioner (FDPIC) — and, where indicated by a transfer impact assessment, additional supplementary measures (e.g., encryption, pseudonymisation, contractual protections against onward access).
- In limited cases, we may rely on a derogation under FADP Art. 17 (e.g., your explicit consent, performance of a contract you have requested, defence of legal claims).
On request, we will provide you with information about the safeguards in place for a specific transfer.
8. Retention
We retain personal data only for as long as necessary for the purposes set out above and to comply with our legal and regulatory obligations. The principal retention periods are:
- AMLA records (CDD, transactions, monitoring, MROS, supporting documents): 10 years from the end of the business relationship or the date of the relevant transaction (AMLA Art. 7).
- Accounting records and supporting documentation: 10 years (Swiss CO Art. 958f).
- Customer support and communications records: typically 5 years, or longer if necessary to handle disputes or to defend legal claims.
- Marketing data: until you opt out, then for a short period to record your opt-out and avoid further contact.
- Technical logs and security telemetry: typically up to 24 months, with longer retention for incident-related logs.
- Cookies and similar technologies: as set out in our Cookie Notice.
After the relevant retention period expires, personal data is deleted, anonymised, or — where deletion is not technically feasible at once — securely archived with restricted access until secure destruction.
9. Your Rights
Subject to the conditions and exceptions set out in applicable law (FADP, GDPR, UK GDPR), you have the following rights with respect to your personal data:
- Right of access (FADP Art. 25): you may request information about whether we process personal data concerning you and obtain a copy of that data, together with information about the processing.
- Right to rectification: you may request that we correct inaccurate or incomplete personal data.
- Right to erasure (FADP Art. 32; GDPR Art. 17): you may request the deletion of personal data, subject to our legal retention obligations and other lawful grounds for continued processing.
- Right to object (FADP Art. 30; GDPR Art. 21): you may object to processing based on legitimate interest, including profiling, and to direct marketing.
- Right to restriction of processing (where applicable): where you contest the accuracy of data or the lawfulness of processing.
- Right to data portability (where applicable): to receive personal data you have provided in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to withdraw consent: where processing is based on your consent, you may withdraw consent at any time without effect on processing carried out before withdrawal.
- Right not to be subject to a decision based solely on automated processing producing legal effects: as set out in Section 11 below.
To exercise your rights, please contact us at compliance@westbridgex.com. We will require reasonable verification of your identity before responding to a request, in particular to protect against impersonation. We will respond within the deadlines set by applicable law (in Switzerland, generally 30 days, with possible extension).
10. Security
MHF implements technical and organisational measures appropriate to the nature, scope, context, and purposes of processing and the risks to your rights, including:
- Encryption of personal data in transit and at rest using industry-standard protocols
- Strong access controls, role-based access management, and the principle of least privilege
- Multi-factor authentication for staff and, where appropriate, for customers
- Comprehensive audit logging of access to and processing of personal data
- Segregation of production, staging, and development environments
- Regular security assessments, penetration testing, and vulnerability management
- Vendor due diligence and contractual data-protection commitments with all service providers
- Documented incident-response and breach-notification procedures
- Confidentiality undertakings and regular data-protection and security training for all staff
In the event of a personal-data breach posing a high risk to data subjects, MHF will notify the FDPIC and, where required, affected data subjects without undue delay, in line with FADP Art. 24.
11. Profiling and Automated Decision-Making
In connection with our AML/CTF, fraud-prevention, and risk-management obligations, we apply automated tools to your personal data — including risk scoring, transaction monitoring, sanctions and PEP screening, and on-chain analytics. These tools support, but do not replace, human review for material decisions.
Specifically:
- Onboarding and continuous KYC: automated identity-verification, sanctions, and PEP checks. Adverse outcomes are reviewed by a compliance officer.
- Transaction monitoring: rules-based alerts; alerts are adjudicated by a compliance officer.
- On-chain analytics: wallet- and transaction-level risk scores; material findings are reviewed by a compliance team before action.
In some cases, the cumulative effect of these checks (for example, a confirmed sanctions match) may produce automated outcomes that legally affect you, such as the suspension or termination of the business relationship. Where this occurs, MHF acts on the basis of legal obligations under AMLA and Swiss sanctions law, and the right to obtain human review applies subject to those legal constraints (e.g., we cannot disclose details that would constitute tipping-off under AMLA Art. 10a).
If you wish to challenge an automated outcome, please contact compliance@westbridgex.com.
12. Cookies and Similar Technologies
Our website and client portal use cookies and similar technologies for technical, functional, analytics, and (where lawful and consented to) marketing purposes. Detailed information, including how to manage your preferences, is set out in our separate Cookie Notice.
13. Marketing Communications
Where we send marketing communications about our own products to existing customers, we do so on the basis of legitimate interest and you may opt out at any time using the unsubscribe link in each communication or by contacting us. Where required by law, we obtain your consent before sending marketing communications.
14. Children
The Services are not directed to children under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us; we will take appropriate steps to delete such data.
15. Third-Party Links
Our website, portal, and communications may contain links to third-party services (including blockchain explorers, banking partner pages, or external information sources). MHF is not responsible for the privacy practices of those third parties. We encourage you to review their privacy notices.
16. Changes to this Privacy Policy
We may amend this Privacy Policy from time to time. The current version is published on our website and dated above. Where amendments are material, we will notify you (e.g., by email or through the client portal) before they take effect.