Privacy Policy – Your Hermaion

Privacy Policy

This Privacy Policy is effective as of the 01st day of October 2025

Issued by:

Hermaion S.a.r.l.

Applicable to:

WEBSITE USERS AND DATA SUBJECTS

Data Controller Information

(1) Hermaion Sàrl, a company incorporated under Swiss law, with its registered office at Sentier des Morettes 2B, 1197 Prangins, Switzerland, acting as data controller under this Privacy Policy.

(2) Data subjects including website visitors, clients, prospective clients, newsletter subscribers, and any other individuals whose personal data is processed by Hermaion Sàrl, in connection with its sports marketing, marketing advisory, marketing solutions, and related business activities.

Introduction and Scope

(A) Hermaion Sàrl, is a marketing agency incorporated and based in Switzerland, specializing in sports marketing, marketing advisory services, and comprehensive marketing solutions.

(B) Hermaion Sàrl, operates a website that is accessible internationally and processes personal data of individuals located worldwide, including but not limited to Switzerland, the European Union, and other international jurisdictions.

(C) In the course of providing its marketing services, sports marketing expertise, and advisory services, Hermaion Sàrl, collects, processes, and stores personal data of website users, clients, and other data subjects.

(D) Hermaion Sàrl, is committed to protecting the privacy and personal data of all individuals worldwide in accordance with the Swiss Federal Act on Data Protection (FADP), the European Union General Data Protection Regulation (GDPR), and other applicable international data protection laws.

(E) This Privacy Policy establishes the framework for how Hermaion Sàrl, handles personal data, ensuring transparency, lawfulness, and accountability in all data processing activities.

(F) The processing of personal data is necessary for Hermaion Sàrl, to deliver its marketing services, maintain client relationships, operate its website, and fulfill its legal and contractual obligations.

1. Types of Data Collected

1.1. Company means Hermaion Sàrl, the data controller responsible for determining the purposes and means of processing personal data under this Privacy Policy.

1.2. Data Subject means any identified or identifiable natural person whose personal data is processed by the Company.

1.3. Personal Data means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, and usage data.

1.4. Processing means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

1.5. Data Controller means the Company, which determines the purposes and means of processing personal data.

1.6. Data Processor means any natural or legal person who processes personal data on behalf of the Company.

1.7. FADP means the Swiss Federal Act on Data Protection and its implementing regulations.

1.8. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.

1.9. Cookies means small text files stored on a user’s device when visiting the Company’s website to collect information about website usage and preferences.

1.10. Third Party means any natural or legal person other than the Data Subject, the Company, and persons authorized to process personal data under the direct authority of the Company.

1.11. Website means the Company’s website accessible at [www.yourhermaion.com] and any related subdomains or applications.

1.12. Services means the sports marketing, marketing advisory, marketing solutions and related business services provided by the Company.

2. Legal Basis for Processing

2.1. The Company processes Personal Data based on one or more of the following legal grounds under the FADP and, where applicable, the GDPR:

(a) Consent: Where the Data Subject has given explicit consent for the processing of their Personal Data for one or more specific purposes, including marketing communications, newsletter subscriptions, and use of Cookies.

(b) Contract Performance: Where Processing is necessary for the performance of a contract to which the Data Subject is party, or to take steps at the request of the Data Subject prior to entering into a contract, including delivery of Services and client relationship management.

(c) Legitimate Interests: Where Processing is necessary for the purposes of legitimate interests pursued by the Company, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject, including website analytics, business development, fraud prevention, and direct marketing to existing clients.

(d) Legal Obligation: Where Processing is necessary for compliance with a legal obligation to which the Company is subject under Swiss law or applicable international regulations, including tax reporting, accounting requirements, and regulatory compliance.

(e) Vital Interests: Where Processing is necessary to protect the vital interests of the Data Subject or another person, including emergency situations requiring immediate action.

2.2. The Company will clearly identify the specific legal basis for Processing at the time of data collection and will not process Personal Data for purposes incompatible with the original purpose unless a new legal basis applies.

2.3. Where consent is the legal basis for Processing, Data Subjects have the right to withdraw their consent at any time without affecting the lawfulness of Processing based on consent before its withdrawal.

2.4. For legitimate interests relied upon by the Company, a balancing test has been conducted to ensure that the Company’s legitimate interests do not override the Data Subject’s fundamental rights, freedoms, and interests.

3. Data Collection Methods

3.1. Direct Collection from Data Subjects

(a) The Company collects Personal Data directly from Data Subjects when they voluntarily provide information through contact forms, registration processes, subscription forms, or direct communications via email, telephone, or other means.

(b) Personal Data may be collected during the provision of Services, including consultation sessions, project briefings, client meetings, and ongoing service delivery.

(c) The Company may collect Personal Data when Data Subjects participate in surveys, feedback requests, webinars, events, or other marketing activities organized by the Company.

3.2. Automatic Collection Through Website Technologies

(a) The Company automatically collects certain Personal Data when Data Subjects visit or interact with the Website through the use of Cookies, web beacons, log files, and similar tracking technologies.

(b) Technical information including IP addresses, browser type, operating system, referring URLs, pages visited, time spent on pages, and device identifiers is collected automatically during Website usage.

(c) The Company may collect location data based on IP addresses or other technical means where permitted by applicable law and user settings.

3.3. Third Party Sources

(a) The Company may obtain Personal Data from Third Party sources including business partners, referral sources, publicly available databases, social media platforms, and professional networking sites.

(b) Personal Data may be collected from Third Party service providers that assist the Company in delivering Services, conducting marketing activities, or operating the Website.

(c) The Company ensures that any Personal Data obtained from Third Party sources has been collected lawfully and in accordance with applicable data protection requirements.

3.4. Analytics and Marketing Tools

(a) The Company uses web analytics services, marketing automation platforms, and customer relationship management systems that collect Personal Data about Data Subject interactions and behaviors.

(b) Social media plugins and integration tools may collect Personal Data when Data Subjects interact with the Company’s social media presence or share content from the Website.

3.5. Communication Channels

(a) Personal Data is collected through various communication channels including email correspondence, contact forms, live chat features, telephone conversations, and video conferencing platforms.

(b) The Company may record certain communications for quality assurance, training purposes, or to maintain accurate records of client interactions, where legally permitted and with appropriate notice.

4. Purposes of Data Processing

4.1. The Company processes Personal Data for the following legitimate business purposes in accordance with applicable data protection laws:

4.2. Service Delivery and Client Management

(a) To provide marketing services, sports marketing expertise, and advisory services to clients as outlined in service agreements.

(b) To manage client relationships, respond to inquiries, and provide customer support throughout the duration of service engagements.

4.3. Marketing and Communications

(a) To send marketing communications, newsletters, and promotional materials about the Company’s Services to Data Subjects who have provided explicit consent for such marketing purposes.

(b) To conduct market research, analyze client preferences, and use personal data for targeted marketing campaigns where Data Subjects have provided consent, in order to improve service offerings and develop new marketing solutions.

4.4. Website Operation and Analytics

(a) To operate, maintain, and improve the functionality and user experience of the Website.

(b) To analyze Website traffic, user behavior, and performance through analytics tools and Cookies.

(c) To personalize content and provide relevant information to Website visitors based on their interests and browsing patterns.

4.5. Legal Compliance and Business Operations

(a) To comply with legal obligations under Swiss law, FADP, GDPR, and other applicable regulations.

(b) To maintain business records, conduct internal audits, and fulfill reporting requirements to regulatory authorities.

4.6. Security and Fraud Prevention

(a) To protect the security and integrity of the Company’s systems, Website, and data against unauthorized access or cyber threats.

(b) To prevent, detect, and investigate fraudulent activities or violations of the Company’s terms of service.

4.7. Recruitment and Human Resources

(a) To process job applications and conduct recruitment activities for potential employees and contractors.

(b) To manage employee and contractor relationships, including performance evaluation and administrative purposes.

5. Data Sharing and Recipients

5.1. The Company may share Personal Data with Third Parties only in accordance with this Privacy Policy and applicable data protection laws, including the FADP and GDPR.

5.2. Service Providers and Data Processors: The Company may share Personal Data with trusted Third Party service providers who process data on behalf of the Company, including:

(a) Website hosting providers based in Switzerland and cloud storage services

(b) Email marketing and communication platforms

(d) Customer relationship management (CRM) systems

(e) Payment processing services

(f) IT support and maintenance providers

5.3. Business Partners: Personal Data may be shared with business partners where necessary to deliver Services, including sports marketing collaborators, media agencies, and event organizers, provided such sharing is based on legitimate interests and appropriate safeguards are in place.

5.4. Legal and Regulatory Authorities: The Company may disclose Personal Data to competent authorities, courts, or law enforcement agencies when:

(a) Required by Swiss or EU law or legal process

(b) Necessary to protect the Company’s legal rights or interests

5.5. Professional Advisors: Personal Data may be shared with legal counsel, auditors, and other professional advisors bound by confidentiality obligations when necessary for business operations.

5.6. Business Transfers: In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred to the relevant Third Party, subject to appropriate data protection safeguards and notification requirements.

5.7. All Third Party recipients are contractually obligated to maintain appropriate security measures and process Personal Data only for specified purposes and in accordance with applicable data protection laws.

5.8. The Company does not sell, rent, or otherwise commercially exploit Personal Data to Third Parties for their own marketing purposes.

6. International Data Transfers

6.1. The Company may transfer Personal Data to countries outside Switzerland and the European Economic Area (EEA) in connection with the provision of Services, website hosting, analytics processing, marketing activities, and other business operations to serve international users worldwide.

6.2. Transfers to Adequate Jurisdictions

(a) Personal Data may be transferred to countries that have been recognized by Swiss authorities or the European Commission as providing an adequate level of data protection, including all EU/EEA member states.

(b) Such transfers do not require additional safeguards beyond those set out in this Privacy Policy.

6.3. Transfers to Third Countries

(a) Where Personal Data is transferred to countries without an adequacy decision, the Company implements appropriate safeguards in accordance with FADP and GDPR requirements.

(b) Such safeguards may include standard contractual clauses approved by Swiss authorities or the European Commission, binding corporate rules, or other legally recognized transfer mechanisms.

6.4. Specific Transfer Destinations

(a) Personal Data may be transferred to service providers and partners located in the United States, United Kingdom, and other countries as necessary for business operations.

(b) The Company’s web hosting provider is based in Switzerland, ensuring data storage within an adequate jurisdiction for Swiss and EU data protection standards.

(c) Analytics tools and marketing platforms may process Personal Data in various international locations, with appropriate safeguards implemented for such transfers.

(d) All such transfers are conducted with appropriate safeguards including standard contractual clauses or other approved transfer mechanisms, with web hosting maintained in Switzerland to ensure adequate protection.

6.5. Data Subject Rights

(a) Data Subjects have the right to obtain information about international transfers of their Personal Data, including details of the safeguards in place.

(b) Data Subjects may request copies of the appropriate safeguards by contacting the Company using the details provided in this Privacy Policy.

6.6. The Company regularly reviews and updates its international transfer practices to ensure continued compliance with applicable data protection laws and will implement additional safeguards as required by law.

7. Data Retention Periods

7.1. The Company retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.

7.2. The following specific retention periods apply to different categories of Personal Data:

(a) Client and service data: Personal Data of clients and prospective clients is retained for a maximum period of five (5) years following the termination or closure of the client account or business relationship.

(b) Website analytics and cookies: Technical data collected through Cookies and website analytics is retained for a maximum period of twenty-four (24) months from the date of collection.

(c) Marketing communications: Personal Data collected for newsletter subscriptions and marketing purposes is retained until the Data Subject withdraws consent or for a maximum period of three (3) years from the last interaction.

(d) Legal compliance data: Personal Data retained for legal, regulatory, or tax compliance purposes is kept for the duration required by applicable Swiss or EU law, typically seven (7) years for financial and tax-related records.

7.3. The Company regularly reviews stored Personal Data to ensure compliance with these retention periods and securely deletes or anonymizes data when the retention period expires.

7.4. Data Subjects may request earlier deletion of their Personal Data, subject to any overriding legal obligations that require continued retention.

7.5. In exceptional circumstances, the Company may retain Personal Data beyond the standard periods where required by law, ongoing legal proceedings, or legitimate business interests, provided such retention is proportionate and necessary.

8. Data Subject Rights

8.1. General Rights: Data Subjects have the following rights regarding their Personal Data processed by the Company under Swiss FADP and GDPR, which may be exercised subject to applicable legal limitations and exceptions.

8.2. Right of Access: Data Subjects have the right to obtain confirmation whether Personal Data concerning them is being processed and, where applicable, access to such Personal Data and information about the Processing activities.

(a) Upon request, the Company shall provide a copy of the Personal Data being processed and information including the purposes of Processing, categories of Personal Data, recipients of data, retention periods, and the source of the data if not collected directly from the Data Subject.

8.3. Right to Rectification: Data Subjects have the right to obtain rectification of inaccurate Personal Data and to have incomplete Personal Data completed, including by providing supplementary statements.

8.4. Right to Erasure: Data Subjects have the right to obtain erasure of Personal Data where one of the following grounds applies:

(a) The Personal Data is no longer necessary for the original purposes of Processing.

(b) The Data Subject withdraws consent and there is no other legal ground for Processing.

(d) Erasure is required for compliance with legal obligations.

8.5. Right to Restriction of Processing: Data Subjects have the right to restrict Processing where the accuracy of Personal Data is contested, Processing is unlawful, data is no longer needed by the Company but required by the Data Subject for legal claims, or objection to Processing is pending verification.

8.6. Right to Data Portability: Data Subjects have the right to receive Personal Data concerning them in a structured, commonly used, and machine-readable format and to transmit such data to another controller where Processing is based on consent or contract and carried out by automated means.

8.7. Right to Object: Data Subjects have the right to object to Processing of Personal Data based on legitimate interests, including profiling, and to Processing for direct marketing purposes.

(a) Where objection is made to direct marketing, the Company shall cease Processing Personal Data for such purposes.

8.8. Right to Withdraw Consent: Where Processing is based on consent, Data Subjects have the right to withdraw consent at any time without affecting the lawfulness of Processing based on consent before withdrawal.

8.9. Rights Regarding Automated Decision-Making: Data Subjects have the right not to be subject to decisions based solely on automated Processing, including profiling, which produces legal effects or similarly significantly affects them.

8.10. Exercise of Rights: Data Subjects may exercise their rights by contacting the Company using the contact details provided in this Privacy Policy, and the Company shall respond to requests without undue delay and in any event within one month of receipt.

8.11. Right to Lodge Complaints: Data Subjects have the right to lodge complaints with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or relevant EU supervisory authorities if they believe their data protection rights have been violated.

9. Cookies and Tracking Technologies

9.1. Cookie Definition and Types

(a) The Website uses Cookies, which are small text files stored on Data Subjects’ devices when visiting our Website to enhance user experience and analyze website performance.

(b) The Company employs the following types of Cookies: (i) strictly necessary Cookies for website functionality, (ii) performance and analytics Cookies to understand website usage, (iii) functional Cookies to remember user preferences, and (iv) marketing Cookies for targeted advertising and campaign effectiveness.

9.2. Purposes of Cookie Processing

(a) Strictly necessary Cookies are used to enable basic website functionality, security features, and to remember user consent preferences.

(b) Analytics Cookies collect information about website traffic, user behavior patterns, and performance metrics to improve the Company’s Services and website functionality.

(c) Marketing Cookies track user interactions across websites to deliver personalized advertising content and measure the effectiveness of the Company’s marketing campaigns.

9.3. Third-Party Cookies and Tracking Technologies

(a) The Company utilizes Third Party tracking technologies including website analytics platforms, social media plugins, marketing automation platforms, and advertising networks that may place their own Cookies on users’ devices and process data internationally.

(b) These Third Parties operate under their own privacy policies and Cookie policies, which Data Subjects should review independently.

9.4. Legal Basis and Consent

(a) The Company processes Cookie data based on user consent for non-essential Cookies and legitimate interests for strictly necessary Cookies required for website operation.

(b) Data Subjects can withdraw their Cookie consent at any time through the Cookie preference center accessible on the Website.

9.5. Cookie Duration and Retention

(a) Session Cookies are automatically deleted when the browser is closed, while persistent Cookies remain on devices for periods ranging from 30 days to 2 years depending on their specific purpose.

(b) Marketing and analytics Cookies are typically retained for 12-24 months to enable effective campaign measurement and website optimization.

9.6. User Control and Cookie Management

(a) Data Subjects can manage Cookie preferences through browser settings, the Website’s Cookie preference center, or by contacting the Company directly.

(b) Disabling certain Cookies may limit website functionality and the Company’s ability to provide personalized Services.

(c) Instructions for Cookie management in major browsers are available in the Website’s Cookie policy section and through browser help functions.

10. Data Security Measures

10.1. The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.

10.2. Technical security measures implemented by the Company include:

(a) Encryption of Personal Data both in transit and at rest using industry-standard protocols.

(b) Regular security updates and patches for all systems and software used in data Processing.

(d) Regular automated backups of Personal Data with secure storage and tested recovery procedures.

(e) Multi-factor authentication for access to systems containing Personal Data.

10.3. Organizational security measures implemented by the Company include:

(a) Access controls ensuring that Personal Data is accessible only to authorized personnel on a need-to-know basis.

(b) Regular training of all employees and contractors on data protection principles and security procedures.

(d) Clear data handling procedures and incident response protocols.

(e) Regular security risk assessments and audits of data Processing activities.

10.4. The Company conducts periodic reviews of its security measures to ensure they remain effective and appropriate for the risks involved in Processing Personal Data.

10.5. In the event of a personal data breach, the Company will implement immediate containment measures and, where required by applicable law, notify the relevant supervisory authorities and affected Data Subjects within the timeframes specified under FADP and GDPR.

10.6. The Company requires all Third Parties who Process Personal Data on its behalf to implement equivalent security measures and to provide sufficient guarantees regarding data protection compliance.

11. Data Breach Notification

11.1. The Company has implemented procedures to detect, investigate, and respond to Personal Data breaches in accordance with the requirements of the FADP and GDPR.

11.2. A Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by the Company.

11.3. Upon becoming aware of a Personal Data breach, the Company will:

(a) Immediately assess the nature, scope, and potential impact of the breach.

(b) Take appropriate measures to contain the breach and mitigate any adverse effects.

11.4. Where a Personal Data breach is likely to result in a risk to the rights and freedoms of Data Subjects, the Company will notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) without undue delay.

11.5. Where the Company processes Personal Data of individuals in the European Union and a breach is likely to result in a risk to rights and freedoms, the Company will notify the relevant EU supervisory authority within 72 hours of becoming aware of the breach.

11.6. Where a Personal Data breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Company will communicate the breach to affected Data Subjects without undue delay.

11.7. Notifications to supervisory authorities will include:

(a) The nature of the Personal Data breach and categories of Data Subjects affected.

(b) The name and contact details of the Company’s data protection contact point.

11.8. Communications to Data Subjects will describe the nature of the breach, likely consequences, and measures taken or proposed to address the breach in clear and plain language.

11.9. The Company maintains a record of all Personal Data breaches, including their effects and remedial action taken, which may be examined by relevant supervisory authorities.

12. Changes to Privacy Policy

12.1. The Company reserves the right to update, modify, or revise this Privacy Policy at any time to reflect changes in its business practices, legal requirements, or regulatory developments.

12.2. The Company will provide notice of any changes to this Privacy Policy through one or more of the following methods:

(a) Posting the updated Privacy Policy on the Website with a revised effective date.

(b) Sending email notifications to registered users and newsletter subscribers.

12.3. Material changes to this Privacy Policy, including changes to the purposes of Processing, categories of Personal Data collected, or Data Subject rights, will be communicated at least thirty (30) days before such changes become effective.

12.4. For material changes that require consent under applicable law, the Company will obtain fresh consent from Data Subjects before implementing such changes.

12.5. Non-material changes, such as clarifications, formatting updates, or contact information changes, will become effective immediately upon posting the updated Privacy Policy on the Website.

12.6. Continued use of the Website or Services after the effective date of any changes constitutes acceptance of the revised Privacy Policy, unless explicit consent is required under applicable law.

12.7. Data Subjects who do not agree to material changes may terminate their relationship with the Company and request deletion of their Personal Data in accordance with Section 11 of this Privacy Policy.

12.8. The current version of this Privacy Policy will always be available on the Website, and the Company will maintain records of previous versions for regulatory compliance purposes.

12.9. This Privacy Policy was last updated on October 1st, 2025 and is effective as of October 1st, 2025. This Privacy Policy has been adopted and authorized by Hermaion Sàrl, on October 1st, 2025 and becomes effective immediately upon publication on the Company’s Website.

This Privacy Policy supersedes all previous privacy policies and will remain in effect until modified or replaced in accordance with the terms specified herein.