Privacy Policy

Limytd AG ("we", "us", or "our"), registered at Chamerstrasse 172, 6300 Zug, Switzerland (UID: CHE-135.702.391), is the data controller responsible for the processing of your personal data. We are committed to protecting your privacy in compliance with the Swiss Federal Act on Data Protection (nDSG/FADP), the EU General Data Protection Regulation (GDPR), and the German Federal Data Protection Act (BDSG) where applicable.

1. Data Controller

The data controller within the meaning of the GDPR and the Swiss nDSG is:

Limytd AG, Chamerstrasse 172, 6300 Zug, Switzerland. Email: c.brom@limytd.ch. UID: CHE-135.702.391.

For data processing related to asset recovery investigations, Christian Brom Consulting FZE, Dubai, UAE acts as a joint controller and/or data processor depending on the nature of the specific processing operation.

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

• Account Data: Full name, email address, password (encrypted), account preferences, and language settings.
• Payment Data: Transaction records, cryptocurrency payment details, invoice data, and billing history.
• Case Data: Investment amounts, cryptocurrency wallet addresses (sender/receiver), transaction hashes, blockchain network details, screenshots, and any additional notes or documents you provide.
• Communication Data: Messages, support requests, and correspondence exchanged with our team.
• Technical Data: IP address, browser type and version, operating system, referring URLs, pages viewed, time and date of access, device identifiers, and session duration.
• Cookie Data: Information collected through cookies and similar tracking technologies (see Section 10).

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

• Performance of Contract (Art. 6(1)(b) GDPR): Processing necessary for the performance of the service agreement, including account management, case investigation, payment processing, and delivery of forensic reports.
• Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, for example for marketing communications, analytics cookies, and newsletter subscriptions. You may withdraw consent at any time without affecting the lawfulness of processing performed prior to the withdrawal.
• Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, including fraud prevention, platform security, abuse detection, internal analytics, and improvement of our services. Our legitimate interests are balanced against your rights and freedoms.
• Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary for compliance with legal obligations under Swiss, EU, or applicable national law, including tax law, anti-money laundering (AML) regulations, and law enforcement cooperation.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Providing, operating, and maintaining our services and your user account
• Processing and managing your asset recovery case
• Processing payments and issuing invoices
• Delivering forensic reports and investigative findings
• Communicating with you regarding your case, account, and service updates
• Ensuring platform security, preventing fraud, and detecting abuse
• Analyzing usage patterns to improve our services (only with consent or based on legitimate interest)
• Complying with legal obligations, regulatory requirements, and law enforcement requests

5. Third-Party Processors & Sub-Processors

We share personal data with the following categories of third-party service providers, each bound by data processing agreements (DPAs) ensuring GDPR-compliant data handling:

• Christian Brom Consulting FZE (Dubai, UAE) — Joint controller / processor for conducting forensic investigations, identity verification, and recovery operations. Data transferred under Standard Contractual Clauses (SCCs).
• Supabase, Inc. (San Francisco, USA) — Database hosting and user authentication. Data hosted in the EU (Frankfurt, Germany). DPA in place, EU-U.S. Data Privacy Framework certified.
• Vercel, Inc. (San Francisco, USA) — Website hosting and web analytics. Data processed under DPA with Standard Contractual Clauses.
• Google LLC (Mountain View, USA) — Google Analytics for website usage analysis (only with your consent via our cookie banner). IP anonymization is enabled. Data processed under Google's DPA and SCCs.

We do not sell, rent, or trade your personal data to third parties for marketing purposes. Data is shared only as described above and only to the extent necessary for the stated purposes.

6. International Data Transfers

Some of our third-party processors are established outside the European Economic Area (EEA) and Switzerland. Where personal data is transferred to countries without an adequate level of data protection as determined by the European Commission or the Swiss Federal Council, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): EU-approved model clauses are included in all relevant contracts.
• EU-U.S. Data Privacy Framework: Where applicable, we rely on self-certification under the Data Privacy Framework.
• Swiss-U.S. Data Privacy Framework: For transfers from Switzerland, equivalent safeguards are applied.

You may request a copy of the safeguards in place by contacting us at c.brom@limytd.ch.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods are:

• Account Data: Retained for the duration of the contractual relationship and up to 12 months after account deletion, unless longer retention is required by law.
• Case Data & Forensic Reports: Retained for a minimum of 10 years after the conclusion of the investigation, in compliance with Swiss commercial law (Obligationenrecht Art. 958f) and for potential law enforcement needs.
• Payment and Invoice Data: Retained for 10 years in accordance with Swiss tax and commercial record-keeping obligations (Obligationenrecht Art. 958f, Mehrwertsteuergesetz Art. 70).
• Technical/Analytics Data: Anonymized or deleted within 26 months (Google Analytics) or 24 months (Vercel Analytics).
• Communication Data: Retained for 3 years after the last communication unless an ongoing legal matter requires longer retention.

After the applicable retention period, personal data is either securely deleted or irreversibly anonymized.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Secure password hashing using industry-standard algorithms
• Role-based access controls limiting data access to authorized personnel only
• Regular security assessments and monitoring
• Hosting infrastructure with SOC 2 Type II certification (Supabase/Vercel)

Despite these measures, no method of electronic transmission or storage is perfectly secure. We cannot guarantee absolute security but commit to promptly notifying affected users and relevant supervisory authorities in the event of a data breach, in accordance with GDPR Art. 33 and Art. 34.

9. Your Rights Under GDPR and Swiss nDSG

Under applicable data protection law, you have the following rights:

• Right of Access (Art. 15 GDPR / Art. 25 nDSG): You may request confirmation of whether we process your personal data and, if so, access to that data along with supplementary information.
• Right to Rectification (Art. 16 GDPR / Art. 32 nDSG): You may request the correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17 GDPR): You may request the deletion of your personal data where there is no compelling reason for its continued processing. Note: this right is subject to legal retention obligations.
• Right to Restriction of Processing (Art. 18 GDPR): You may request the restriction of processing under certain circumstances.
• Right to Data Portability (Art. 20 GDPR / Art. 28 nDSG): You may request your personal data in a structured, commonly used, and machine-readable format.
• Right to Object (Art. 21 GDPR): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at c.brom@limytd.ch. We will respond to your request within 30 days (or within the timeframe mandated by applicable law). We may request identity verification before processing your request.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies. You can manage your preferences through our cookie consent banner at any time. The following categories of cookies are used:

• Essential Cookies: Required for the website to function properly (session management, authentication, CSRF protection). Legal basis: legitimate interest. These cannot be disabled.
• Analytics Cookies: Google Analytics and Vercel Analytics for understanding visitor behavior and improving our services. Legal basis: consent. Only activated after you provide consent via the cookie banner.
• Marketing Cookies: Used to deliver personalized advertisements and measure advertising effectiveness. Legal basis: consent. Only activated after you provide consent via the cookie banner.

You may withdraw cookie consent at any time by clicking the "Cookie Preferences" link in the website footer. You can also configure your browser to refuse all cookies; however, some parts of our website may not function properly without essential cookies.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Art. 22. All case evaluations and recovery decisions are made by qualified human personnel.

12. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take immediate steps to delete that data. If you believe a child has provided us with personal data, please contact us at c.brom@limytd.ch.

13. Right to Lodge a Complaint (Supervisory Authority)

If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority:

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland — www.edoeb.admin.ch
• Germany: Your competent state data protection authority (Landesdatenschutzbeauftragte), or the Federal Commissioner for Data Protection (BfDI) — www.bfdi.bund.de
• EU/EEA: The data protection authority in your country of habitual residence, place of work, or place of the alleged infringement.

We encourage you to contact us first at c.brom@limytd.ch so that we can attempt to resolve your concern before you escalate to a supervisory authority.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes at least thirty (30) days in advance by email and/or a prominent notice on our platform. The "Last updated" date at the bottom will be revised accordingly.

We encourage you to review this Privacy Policy periodically. Continued use of our services after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

15. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us at:

Limytd AG
Chamerstrasse 172
6300 Zug
Switzerland
Email: c.brom@limytd.ch

Last updated: April 23, 2026