PRIVACY NOTICE
This privacy notice (Privacy Notice) informs our clients, prospective clients, business
partners, and any other party (or persons acting on behalf of such party) about how
Bullfinch Partners SA de CV (we/us) treats personal data (Data).
1. Controller and Contact Details
Bullfinch Partners SA de CV is the controller for the processing of Data under this
Privacy Notice, unless we tell you otherwise in an individual case.
You may contact us for data protection concerns and to exercise your rights under
Section 6 as follows:
Bullfinch Partners SA de CV
Bosque de Duraznos 127
Col. Bosque de las Lomas
Alc. Miguel Hidalgo
CP. 11700, CDMX, Mexico
2. What is this Privacy Notice about?
As a financial company, we collect and process personal data related to our Services
from our customers’, custodian banks and other parties. We may also use Data from
further third-party or public sources, such as Due Diligence solutions and government
registries.
We need to collect, share and process this personal data in order to run our everyday
business. If we cannot obtain the required information, we may not be able to process
your request, enter into or negotiate a contract and provide you with our Services.
If you disclose data to us or share data with us about other individuals (e.g. ultimate
beneficial owners, relatives, etc.), we assume that the data is accurate. By sharing this
data, you confirm that you are authorized to do so. Please inform the affected
individuals about this Privacy Notice.
3. Processed data and purpose
In the standard course of business we process various categories of data. The main
categories of data are the following:
3.1. Service data and contract data: The data required to provide you with our
services include any information required or obtained from you or other third
parties, such as Contract Data, date of birth, nationality, identity document
details, title, profession, financial details (incl. source of wealth,
shareholdings), client history, sanctions, your feedback, etc.).
When entering into, negotiating or performing a contract with you, we may
collect data relating the services to be provided, as well as data from the
period leading up to the conclusion of a contract, information required or
used for performing a contract and information about feedback (Contract
Data).
In general, Service Data will be used for the provision of services, including
invoicing and to comply with the applicable regulatory and legal
requirement as well as our internal regulations (e.g. know-your-customer
procedures and compliance with anti-money-laundering and fraud
prevention obligations).
When determining your identity, we collect data to identify you (e.g. a copy
of an ID/passport). We generally keep this data as long as required to
comply with legal, regulatory or contractual requirements, for evidentiary
purposes or technical reasons. Emails in personal mailboxes and written
correspondence are generally kept for at least 10 years.
3.2. Communication data: Furthermore, when providing our Services, we may
collect and process emails, letters and other communications between you
and us, including metadata of the communication.
We process your data for purposes related to communication with you, in
particular in relation to responding to inquiries and the exercise of your rights
and to enable us to contact you in case of queries. For this purpose, we use
in particular communication data and master data. We keep this data to
document our communication with you, for quality assurance and follow-
up inquiries.
3.3. Other purposes: We process personal data to comply with laws, directives
and recommendations from authorities, internal regulations. Further, we
process data for the purposes of our risk management and as part of our
corporate governance, including business organisation and development.
We may also process your data to improve our services and operations and
for security and access control purposes.
We process data for the conclusion, administration and performance of
contractual relationships. For relationship management purposes, we may
send newsletters and other regular contacts.
4. With whom do we share your data?
We may make your Data available to the following recipients (in compliance with
the applicable legal requirements):
a) External service providers (e.g. financial institutions, IT services providers,
compliance services providers, administrative services providers, including
providers of digital signature services and document destruction services,
etc.);
b) Other involved parties (where relevant, e.g. if a person has power of attorney
over your affairs or if the Services require the disclosure of certain Data to
counterparties, etc.);
c) Legal and professional advisors, including accountants and auditors;merald We d) Competent authorities, including supervisory, tax, debt collection and
bankruptcy authorities, courts, arbitral tribunals or bar associations (if it is
necessary to provide our Services, if we are legally obliged or entitled to such
disclosure or if it appears necessary to protect our interests)
Data is generally not shared outside of Switzerland except in cases where the client
has a custody agreement with a non-Swiss financial institution. In certain
circumstances we may transfer your data to countries, which do not offer
adequate protection pursuant to the FADP and/or GDPR such as the US and
potentially other countries. To the extent such countries do not offer adequate
protection, the transfer is secured by appropriate safeguards (such as Standard
Contractual Clauses) or based on a statutory exemption (e.g. if you have given
your consent to the transfer, if the transfer is directly connected with the conclusion
or performance of a contract with you).
5. Storage periods, erasure and protection of data
We process your data for as long as our processing purposes, the legal retention
periods and our legitimate interests in documentation and keeping evidence
requires or storage is a technical requirement. If there are no contrary legal,
contractual, or business obligations, we will delete your data once the storage or
processing period has expired.
6. Your rights
You have the right to request information about your Data we process and further
rights regarding such data processing. In particular, you have – or may have,
depending on the circumstances – the right to:
a) To request information from us as to whether and what data we process from
you, including copies of such information us (to the extent technically
feasible);
b) To have us correct data if it is inaccurate;
c) To request the deletion of your data (to the extent we are not under a legal
obligation or have an overriding or legitimate interest to retain such data).
d) To revoke your consent to the extent you have previously given your consent
to any specific purpose of processing of your Data. This will not affect the
lawfulness of any processing carried out before you have withdrawn your
consent (or any processing based on any legal basis other than your
consent) and it may mean that we will no longer be able to provide our
Services to you.
e) Right to restriction of processing of personal data.
Please note, however, that we reserve the right to enforce statutory restrictions on our
part, for example if we are obliged to retain or process certain data, have an
overriding interest (insofar as we may invoke such interests) or need the data for
asserting claims. The exercise of these rights may be in conflict with our contractual
obligations and this may result in consequences such as premature contract
termination or additional costs. If this is the case, we will inform you in advance unless
it has already been contractually agreed upon.
In case you wish to exercise any of these rights, please contact us as specified in
Section 1. Before responding to your request, we may ask for proof of identity to
prevent misuse.
7. Data Security
We take appropriate security measures in order to maintain the required security of
your personal data and ensure its confidentiality, integrity and availability, and to
protect it against unauthorized or unlawful processing and mitigate the risk of loss,
accidental alteration, unauthorized disclosure and access. Despite these security
measures, we cannot completely eliminate the security risks associated with data
processing.
8. Changes to this Privacy Notice
We may amend this Privacy Notice at any time without prior notice. The current version
published on our website shall apply.