FF&A's ZBG Sprint

1. Introduction and Identity of the Data Controller

1.1 Frederic Fernandez & Associates AG ("FF&A", "Company", "we", "us", or "our") is committed to protecting the personal data of all individuals who interact with the FF&A Academy platform and the ZBG Sprint course.

1.2 This Privacy Policy explains how the Company collects, uses, stores, shares, and protects personal data in connection with access to and use of the ZBG Sprint course, available at academy.fredericfernandezassociates.com (the "Platform").

1.3 The Company acts as the data controller in respect of all personal data processed under this Policy, unless otherwise stated.

1.4 The identity and contact details of the data controller are as follows:

Frederic Fernandez & Associates AG Industriestrasse 24 6300 Zug Switzerland Email: Contact@fredericfernandezassociates.com

1.5 This Policy applies to all individuals who access or use the Platform, whether as individual consumers (B2C) or as representatives of a business entity (B2B) (collectively, "Users").

1.6 The Company processes personal data in accordance with:

(a) the Swiss Federal Act on Data Protection (nDSG/FADP), as revised and in force since 1 September 2023, and its implementing ordinance (DSV);

(b) the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), where applicable to Users located in the European Economic Area;

(d) any other applicable national data protection laws.

1.7 Where the User is located in the EU or UK, the GDPR or UK GDPR (as applicable) shall apply in addition to the nDSG, and the higher standard of protection shall prevail in the event of any conflict.

1.8 This Privacy Policy should be read alongside the Company's Terms and Conditions and Cookie Policy, both of which are available on the Platform.

Section 2 — Scope of this Policy

2. Scope of this Policy

2.1 This Privacy Policy applies exclusively to the collection and processing of personal data carried out by the Company in connection with the FF&A Academy platform and the ZBG Sprint course, accessible at academy.fredericfernandezassociates.com.

2.2 This Policy does not apply to:

(a) any other websites, platforms, or services operated by the Company outside of the Platform referenced in clause 2.1; or

(b) third-party websites or services that may be linked to or from the Platform, which are governed by their own privacy policies.

2.3 The Company encourages Users to review the privacy policies of any third-party websites or services they access via links on the Platform. The Company accepts no responsibility or liability for the privacy practices of such third parties.

2.4 This Policy applies to all categories of Users accessing the Platform, including:

(a) individual consumers purchasing access for personal use (B2C); and

(b) business representatives purchasing access on behalf of an organization (B2B).

2.5 Where a User accesses the Platform as a representative of a business entity, the Company may process personal data both in respect of that individual and, where applicable, in respect of the business entity itself. In such cases, the business entity is responsible for ensuring that its representative has the authority to provide personal data on its behalf.

2.6 This Policy covers personal data collected:

(a) directly from Users during registration, checkout, or course access;

(b) automatically through the use of the Platform, cookies, and tracking technologies; and

(c) in the context of communications between the User and the Company, including pre-sale enquiries and support requests.

2.7 This Policy is drafted in English. In the event that any translated version is made available in the future, the English version shall prevail in the event of any inconsistency.

2.8 The Company reserves the right to update this Policy at any time in accordance with Section 15. Users are encouraged to review this Policy periodically.

Section 3 — Data We Collect

3. Data We Collect

3.1 The Company collects and processes the following categories of personal data in connection with the Platform and the ZBG Sprint course.

3.2 Registration and Account Data

When a User creates an account on the Platform, the Company collects:

(a) full name;

(b) email address; and

3.3 Checkout and Payment Data (B2C — Full Access Package)

When a User purchases the Full Access Package via the Platform, the following data is collected at checkout through the Company's payment processor, Stripe:

(a) full name;

(b) email address;

(d) payment details, which are processed directly and exclusively by Stripe. The Company does not store full payment card details.

3.4 Checkout and Invoicing Data (B2B — Full Access + Coaching Package)

For business clients purchasing the Full Access + Coaching Package at CHF 50,000, the Company collects the following data directly for invoicing purposes via wire transfer:

(a) full name and job title of the representative;

(b) company name;

(d) VAT number or business registration number, where applicable; and

(e) email address for invoice delivery.

3.5 Application Data (Full Access + Coaching Package)

As part of the application process for the Full Access + Coaching Package, the Company collects:

(a) full name;

(b) email address;

(d) any additional information voluntarily submitted by the applicant in the open-ended application field.

The Company draws the User's attention to the fact that any information submitted in the open-ended field is provided entirely at the User's discretion. Users should not submit special category data or sensitive personal information in this field.

3.6 Course Engagement Data

While a User accesses the Platform, the Company automatically collects the following engagement data:

(a) lesson completion status; and

(b) course progress indicators.

No quiz results or written assignments are collected at this time.

3.7 Technical and Device Data

The Company and its third-party service providers automatically collect the following technical data when a User accesses the Platform:

(a) IP address;

(b) browser type and version;

(d) device type;

(e) time zone and language settings; and

(f) pages visited and time spent on the Platform.

3.8 Communications Data

When a User contacts the Company directly including for support, pre-sale enquiries, or data subject requests the Company collects:

(a) the User's name and email address; and

(b) the content of the communication and any attachments provided.

3.9 Marketing and Preference Data

Where a User has provided consent to receive marketing communications, the Company collects:

(a) email address;

(b) marketing preferences and opt-in/opt-out status; and

3.10 Cookie and Tracking Data

The Company collects data through cookies and similar tracking technologies as described in detail in the Company's Cookie Policy. This may include behavioral data collected via Google Analytics, Hotjar, and, where activated, the LinkedIn Insight Tag.

3.11 The Company does not knowingly collect or process any special categories of personal data as defined under Article 9 GDPR and the equivalent provisions of the nDSG, including but not limited to data concerning health, racial or ethnic origin, political opinions, religious beliefs, or biometric data.

3.12 The Company does not knowingly collect personal data from individuals under the age of 18. This is addressed further in Section 14 of this Policy.

Section 4 — How We Collect Your Data

4. How We Collect Your Data

4.1 The Company collects personal data through the following methods, depending on the nature of the User's interaction with the Platform and the Company.

4.2 Directly from the User

The Company collects personal data directly from the User when the User:

(a) creates an account on the Platform;

(b) completes a purchase or checkout process for the Full Access Package;

(d) provides invoicing information in connection with a B2B wire transfer purchase;

(e) contacts the Company by email or through any contact form available on the Platform; or

(f) subscribes to marketing communications or opts in to receive updates from the Company.

4.3 Automatically through Platform Use

The Company and its third-party service providers automatically collect certain technical and behavioral data when a User accesses or interacts with the Platform, including:

(a) through server logs and infrastructure tools, including those provided by Cloudflare;

(b) through the course hosting and delivery platform operated by Buildable, a white-label service built on GoHighLevel;

(d) through behavioral analytics tools, including Hotjar, which may record session activity, scroll behavior, and interaction patterns on the Platform.

4.4 Through Cookies and Tracking Technologies

The Company collects data through cookies and similar technologies placed on the User's device when the User visits or uses the Platform. This includes:

(a) strictly necessary cookies required for the operation of the Platform;

(b) analytics cookies used to understand how Users interact with the Platform; and

(c) marketing and tracking technologies, including, where activated, the LinkedIn Insight Tag, which may be used to measure the effectiveness of advertising campaigns and to enable retargeting.

The User's consent is obtained prior to the placement of non-essential cookies, via the cookie consent mechanism available on the Platform. Further detail is provided in the Company's Cookie Policy.

[INTERNAL NOTE: The cookie consent banner is currently implemented via a custom solution. Legal review of the banner's compliance with nDSG and GDPR consent requirements — including granular opt-in functionality and accurate categorization of cookies — is required prior to go-live.]

4.5 Through Payment Processors

Payment data submitted during checkout is collected directly by Stripe, the Company's third-party payment processor. The Company receives only the confirmation of a successful transaction and the basic billing details necessary to fulfill the order. Full payment card details are not transmitted to or stored by the Company.

4.6 Through LinkedIn

Where the LinkedIn Insight Tag is activated on the Platform, LinkedIn Ireland Unlimited Company may collect data about Users' interactions with the Platform for the purposes of campaign analytics and retargeting. This data collection is subject to the User's consent as obtained through the cookie consent mechanism.

[INTERNAL NOTE: Confirm whether the LinkedIn Insight Tag is currently active on the Platform or will be activated at a future date, and update this clause accordingly prior to publication.]

4.7 Through Direct Business Communications

For B2B clients purchasing the Full Access + Coaching Package, the Company collects invoicing and business identification data directly through private correspondence, including email, in connection with the preparation and issuance of invoices for wire transfer payments.

4.8 The Company does not purchase, rent, or otherwise acquire personal data from third-party data brokers or list providers.

4.9 The Company does not collect personal data from third-party social media platforms by scraping or automated means.

Section 5 — Legal Bases for Processing

5. Legal Bases for Processing

5.1 The Company processes personal data only where a valid legal basis exists under applicable data protection law. The legal bases relied upon by the Company are set out in this Section. Where the GDPR applies, the relevant legal bases are those specified under Article 6 GDPR. Where the nDSG applies, processing must be carried out lawfully, in good faith, and proportionately.

5.2 Performance of a Contract (Art. 6(1)(b) GDPR / nDSG)

The Company processes personal data where such processing is necessary for the performance of a contract with the User, or to take steps at the User's request prior to entering into a contract. This includes:

(a) creating and managing the User's account on the Platform;

(b) processing payment and granting access to the ZBG Sprint course;

(d) issuing invoices and processing wire transfer payments for B2B clients;

(e) delivering course content and tracking lesson completion; and

(f) providing customer support and responding to User enquiries related to the course.

5.3 Compliance with a Legal Obligation (Art. 6(1)(c) GDPR / nDSG)

The Company processes personal data where such processing is necessary to comply with a legal obligation to which it is subject. This includes:

(a) retaining invoicing and transaction records in accordance with Swiss commercial and tax law, including the obligations arising under the Swiss Code of Obligations (CO); and

(b) responding to lawful requests from competent authorities or regulators.

5.4 Legitimate Interests (Art. 6(1)(f) GDPR / nDSG)

The Company processes personal data where necessary for the purposes of its legitimate interests, provided that such interests are not overridden by the User's interests or fundamental rights and freedoms. The legitimate interests relied upon by the Company include:

(a) monitoring course engagement data, including lesson completion, for the purposes of platform improvement and delivery quality;

(b) detecting and preventing unauthorized account sharing, fraudulent activity, or misuse of the Platform;

(d) processing technical and device data for the purposes of platform performance and troubleshooting.

Where the Company relies on legitimate interests as a legal basis, Users located in the EU or UK retain the right to object to such processing. This right is described further in Section 12 of this Policy.

5.5 Consent (Art. 6(1)(a) GDPR / nDSG)

Where the Company relies on consent as the legal basis for processing, such consent is obtained freely, specifically, informedly, and unambiguously from the User prior to processing. The Company relies on consent for the following activities:

(a) sending marketing emails and newsletters to Users and prospects;

(b) placing non-essential cookies and tracking technologies on the User's device, including analytics cookies (Google Analytics, Hotjar) and marketing trackers (LinkedIn Insight Tag, where activated); and

5.6 Users may withdraw their consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal. The method for withdrawing consent is described in Section 12 of this Policy.

5.7 Legal bases summary by processing activity

For transparency, the following table summarises the primary legal basis applied to each key processing activity:

Processing Activity

Legal Basis

Account creation and management

Contract

Course access and delivery

Contract

Payment processing and invoicing

Contract / Legal Obligation

Application processing (CHF 50,000 package)

Contract

Lesson completion tracking

Contract / Legitimate Interests

Customer support communications

Contract

Legal record retention (invoicing)

Legal Obligation

Platform security and fraud prevention

Legitimate Interests

Analytics and platform improvement

Legitimate Interests / Consent

Marketing communications

Consent

Cookie and tracking technologies (non-essential)

Consent

LinkedIn retargeting

Consent

5.8 Where more than one legal basis may apply to a processing activity, the Company relies on the most appropriate basis in the circumstances. The Company does not rely on consent where another legal basis is available and more appropriate.

Section 6 — How We Use Your Data

6. How We Use Your Data

6.1 The Company uses the personal data it collects solely for the purposes set out in this Section, and only to the extent necessary and proportionate to achieve those purposes. Personal data will not be used in a manner incompatible with the purpose for which it was originally collected.

6.2 Account Creation and Platform Access

The Company uses personal data to:

(a) create and maintain the User's account on the Platform;

(b) authenticate the User's identity and manage login access;

(d) communicate with the User regarding their account, including access confirmations, password resets, and account-related notifications.

6.3 Course Delivery and Engagement

The Company uses personal data to:

(a) deliver course content and materials to the User through the Platform;

(b) track and record lesson completion and overall course progress;

(c) manage access conditions, including the suspension or revocation of access in cases of non-payment or breach of the Terms and Conditions; and

(d) facilitate participation in live sessions, Q&A calls, and community features where included in the User's package.

6.4 Payment Processing and Contract Administration

The Company uses personal data to:

(a) process payments via Stripe for the Full Access Package;

(b) issue invoices and manage wire transfer arrangements for B2B clients purchasing the Full Access + Coaching Package;

(c) administer installment payment plans where applicable, including monitoring payment status and managing access conditions accordingly; and

(d) maintain financial and transactional records as required by Swiss commercial and tax law.

6.5 Application and Onboarding (Full Access + Coaching Package)

The Company uses personal data to:

(a) assess and process applications submitted for the Full Access + Coaching Package;

(b) communicate acceptance or rejection decisions to applicants;

(d) refund any payments made by applicants who are not accepted into the program.

6.6 Customer Support and Communications

The Company uses personal data to:

(a) respond to enquiries, support requests, and complaints submitted by Users;

(b) communicate updates, changes, or interruptions related to the Platform or the course; and

6.7 Platform Security and Integrity

The Company uses personal data to:

(a) monitor login patterns, device usage, and access behavior for the purpose of detecting and preventing unauthorized account sharing;

(b) identify and investigate suspected fraudulent activity or misuse of the Platform; and

(c) enforce compliance with the Terms and Conditions, including the suspension or termination of accounts where breaches are identified.

6.8 Analytics and Platform Improvement

The Company uses personal data to:

(a) analyse how Users interact with the Platform through Google Analytics and Hotjar, in order to improve the user experience, course structure, and platform performance;

(b) generate aggregated and anonymized usage reports for internal business purposes; and

6.9 Marketing and Communications

Where the User has provided consent, the Company uses personal data to:

(a) send marketing emails, newsletters, and promotional communications regarding the ZBG Sprint course and related offerings of FF&A Academy;

(b) measure the engagement and effectiveness of marketing communications, including open rates and click-through activity; and

(c) conduct retargeting campaigns via LinkedIn, where the User has consented to the placement of the LinkedIn Insight Tag.

Users may withdraw their consent to marketing communications at any time by clicking the unsubscribe link included in every marketing email or by contacting the Company directly at Contact@fredericfernandezassociates.com.

6.10 Legal Compliance and Enforcement

The Company uses personal data to:

(a) comply with applicable legal obligations, including Swiss commercial, tax, and data protection law;

(b) respond to lawful requests from competent public authorities; and

6.11 The Company does not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on Users.

6.12 The Company does not sell personal data to third parties, nor does it use personal data to serve third-party advertising on the Platform.

Section 7 — Third-Party Processors & Service Providers

7. Third-Party Processors and Service Providers

7.1 The Company engages a number of third-party service providers to support the operation of the Platform and the delivery of the ZBG Sprint course. Where these providers process personal data on behalf of the Company, they do so as data processors, acting only on the Company's documented instructions and subject to appropriate contractual safeguards, including data processing agreements where required by applicable law.

7.2 The Company takes reasonable steps to ensure that all third-party processors provide sufficient guarantees regarding the technical and organisational measures they have in place to protect personal data, in accordance with the nDSG, GDPR, and applicable international standards.

7.3 The Company's current third-party processors and service providers are as follows:

7.3.1 Buildable / GoHighLevel — Course Hosting and User Data Storage

The Platform is hosted and delivered through Buildable, a white-label service built on the GoHighLevel infrastructure. Buildable processes User account data, course engagement data, and related platform activity on behalf of the Company. GoHighLevel is a US-based platform. Data transfers to the United States are addressed in Section 8 of this Policy.

7.3.2 Stripe — Payment Processing

Payment transactions for the Full Access Package are processed by Stripe, Inc. Stripe collects and processes payment card details, billing information, and transaction data directly from the User. The Company does not store full payment card details. Stripe acts as an independent data controller in respect of certain data it processes for its own fraud prevention and compliance purposes, and as a data processor in respect of data processed on behalf of the Company. Stripe is certified under applicable data protection frameworks and maintains its own privacy policy, available at stripe.com/privacy.

7.3.3 Google Analytics — Usage Analytics

The Company uses Google Analytics, provided by Google Ireland Limited, to collect and analyse anonymized and aggregated data about how Users interact with the Platform. Google Analytics uses cookies and similar tracking technologies. Where applicable, data may be transferred to Google LLC in the United States. Users may opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on, available at tools.google.com/dlpage/gaoptout.

7.3.4 Hotjar — Behavioral Analytics

The Company uses Hotjar, provided by Hotjar Ltd (Malta), to collect behavioral and interaction data, including session recordings, scroll maps, and heatmaps. Hotjar processes data on behalf of the Company subject to a data processing agreement. Users may opt out of Hotjar data collection at any time via optout.hotjar.com.

7.3.5 Framer — Website Hosting

The marketing and informational website associated with the Platform is hosted by Framer B.V., a Netherlands-based provider. Framer may process technical data, including IP addresses and device information, in connection with website hosting and delivery.

7.3.6 Cloudflare — Infrastructure and Content Delivery

The Company uses Cloudflare, Inc. to provide content delivery network (CDN) services, DDoS protection, and infrastructure security. Cloudflare may process technical data, including IP addresses and request metadata, as part of its service. Cloudflare is a US-based provider. Data transfers are addressed in Section 8 of this Policy.

7.3.7 LinkedIn — Marketing and Retargeting

Where the LinkedIn Insight Tag is activated on the Platform, LinkedIn Ireland Unlimited Company may collect data about Users' interactions with the Platform for the purposes of campaign measurement and retargeting. This processing is carried out only where the User has provided consent via the cookie consent mechanism on the Platform. LinkedIn acts as an independent data controller in respect of data processed for its own purposes.

[INTERNAL NOTE: Confirm whether the LinkedIn Insight Tag is currently active or will be activated at a later date, and update this clause prior to publication accordingly.]

7.4 The Company does not disclose personal data to any third party other than as described in this Section, except:

(a) where required to do so by applicable law or by order of a competent authority; or

(b) where necessary to establish, exercise, or defend legal claims.

7.5 The Company does not sell, rent, or otherwise transfer personal data to third parties for their own commercial or marketing purposes.

7.6 Where any new third-party processor is engaged, or where an existing processor is replaced, the Company will update this Policy accordingly and, where required, obtain any necessary consents from Users.

7.7 Users may request further information regarding the Company's third-party processors by contacting the Company at Contact@fredericfernandezassociates.com.

Section 8 — International Data Transfers

8. International Data Transfers

8.1 The Company is headquartered in Switzerland and primarily processes personal data within Switzerland. However, in connection with the third-party service providers described in Section 7, personal data may be transferred to and processed in countries outside Switzerland and the European Economic Area ("EEA"), including the United States of America.

8.2 The Company ensures that all international transfers of personal data are carried out in accordance with:

(a) Chapter 5 of the GDPR, where applicable to Users located in the EU or EEA;

(b) the provisions of the nDSG and its implementing ordinance (DSV) governing cross-border data disclosure, including the requirement that the recipient country ensures an adequate level of data protection; and

8.3 Transfers to the United States

Several of the Company's third-party service providers are based in the United States, including GoHighLevel (via Buildable) and Cloudflare. Transfers of personal data to these providers are carried out on the basis of one or more of the following safeguards:

(a) the EU–U.S. Data Privacy Framework ("DPF"), where the recipient is certified thereunder;

(b) Standard Contractual Clauses ("SCCs") as adopted by the European Commission, incorporated by reference into the Company's data processing agreements with the relevant providers; and

(c) the equivalent Swiss SCCs or transfer mechanisms recognised under the nDSG and approved by the Swiss Federal Data Protection and Information Commissioner ("FDPIC").

8.4 Transfers to Other Jurisdictions

Where personal data is transferred to countries other than the United States, the Company ensures that appropriate safeguards are in place, including adequacy decisions issued by the European Commission or the FDPIC, or Standard Contractual Clauses as applicable.

8.5 Adequacy — Switzerland and the EU

For the avoidance of doubt, transfers of personal data between Switzerland and EU/EEA member states are carried out on the basis of the mutual adequacy recognition applicable between those jurisdictions, subject to ongoing review by the relevant supervisory authorities.

8.6 Stripe

Stripe, Inc. is a US-based payment processor that participates in the EU–U.S. Data Privacy Framework and maintains Standard Contractual Clauses with its clients. Payment data transferred to Stripe is subject to Stripe's own data transfer safeguards, as described in Stripe's privacy policy available at stripe.com/privacy.

8.7 Google

Google LLC is a US-based provider certified under the EU–U.S. Data Privacy Framework. Data transferred to Google in connection with Google Analytics is subject to Google's Standard Contractual Clauses and data processing terms, as described in Google's privacy documentation.

8.8 Hotjar

Hotjar Ltd is headquartered in Malta and operates within the EU. Data processed by Hotjar may be transferred to sub-processors located outside the EEA, subject to Standard Contractual Clauses or equivalent safeguards as described in Hotjar's data processing agreement.

8.9 LinkedIn

LinkedIn Ireland Unlimited Company is the data controller for LinkedIn services within the EU and EEA. Where data is transferred to LinkedIn Corporation in the United States, such transfers are carried out pursuant to Standard Contractual Clauses and LinkedIn's participation in the EU–U.S. Data Privacy Framework, where applicable.

8.10 Users may request further information regarding the safeguards applied to international data transfers, including copies of relevant Standard Contractual Clauses where applicable, by contacting the Company at Contact@fredericfernandezassociates.com.

8.11 The Company will notify Users of any material changes to its international data transfer arrangements that may affect the level of protection afforded to their personal data, in accordance with Section 15 of this Policy.

Section 9 — Cookies & Tracking Technologies

9. Cookies and Tracking Technologies

9.1 The Company uses cookies and similar tracking technologies on the Platform to ensure its proper functioning, to analyse usage patterns, and, where consent has been obtained, to support marketing and retargeting activities. This Section provides an overview of the Company's use of such technologies. For full details, Users are directed to the Company's Cookie Policy, which is available on the Platform and constitutes a separate document.

9.2 What Are Cookies

Cookies are small text files placed on a User's device when they visit a website or platform. They are widely used to make websites function efficiently, to remember User preferences, and to provide information to the owners of the website. Similar technologies, such as pixel tags, web beacons, and local storage objects, may also be used for comparable purposes and are collectively referred to in this Policy as "cookies."

9.3 Categories of Cookies Used

The Company uses the following categories of cookies on the Platform:

9.3.1 Strictly Necessary Cookies

These cookies are essential for the Platform to function and cannot be disabled. They include cookies that enable Users to log in, navigate the Platform, and access course content. These cookies do not require the User's consent as they are strictly necessary for the provision of the service.

9.3.2 Analytics Cookies

These cookies are used to collect information about how Users interact with the Platform, including which pages are visited, how long Users spend on the Platform, and any errors encountered. The Company uses Google Analytics and Hotjar for this purpose. These cookies are placed only where the User has provided consent via the cookie consent mechanism on the Platform.

9.3.3 Marketing and Tracking Cookies

These cookies are used to deliver targeted advertising and to measure the effectiveness of marketing campaigns. Where activated, the LinkedIn Insight Tag may place cookies on the User's device to enable retargeting and campaign analytics. These cookies are placed only where the User has provided consent.

[INTERNAL NOTE: Confirm the full list of active marketing cookies and trackers prior to publication, in particular whether the LinkedIn Insight Tag is currently live on the Platform.]

9.4 Cookie Consent

9.4.1 Upon visiting the Platform, Users are presented with a cookie consent mechanism that allows them to accept or decline non-essential cookies by category.

9.4.2 Strictly necessary cookies are placed without consent, as they are required for the basic operation of the Platform.

9.4.3 Analytics and marketing cookies are placed only upon the User's prior, freely given, specific, and informed consent, in accordance with the requirements of the GDPR and the nDSG.

9.4.4 Users may update or withdraw their cookie consent at any time by accessing the cookie settings available on the Platform.

[INTERNAL NOTE: The cookie consent banner is currently implemented via a custom solution. A full legal compliance review of the banner is required prior to go-live, including verification that: (i) consent is obtained on a granular, per-category basis; (ii) no non-essential cookies are placed prior to consent; (iii) withdrawal of consent is as straightforward as giving it; and (iv) the banner meets the technical and documentary requirements of both the GDPR and nDSG. This review should be completed before this Policy and the Cookie Policy are published.]

9.5 Third-Party Cookies

Some cookies placed on the Platform are set by third-party providers, including Google, Hotjar, and LinkedIn. These providers may use the data collected through their cookies for their own purposes, in accordance with their respective privacy policies. The Company has no control over third-party cookies placed by these providers beyond the consent mechanisms implemented on the Platform. Users are encouraged to review the privacy policies of these providers directly:

(a) Google: policies.google.com/privacy

(b) Hotjar: hotjar.com/legal/privacy-policy

9.6 Hotjar Session Recordings

Hotjar may record User sessions on the Platform, including mouse movements, clicks, and scrolling behavior, for the purpose of improving the Platform's usability and user experience. Session recordings are anonymized where possible and are not used to identify individual Users. This processing is carried out only where the User has consented to analytics cookies.

9.7 Managing Cookies via Browser Settings

In addition to the cookie consent mechanism on the Platform, Users may manage, restrict, or delete cookies through their browser settings. Most browsers allow Users to refuse or delete cookies. However, disabling certain cookies may affect the functionality of the Platform, including the ability to log in and access course content. Instructions for managing cookies in commonly used browsers are available at allaboutcookies.org.

9.8 Opt-Out Tools

Users may opt out of specific tracking tools using the following mechanisms:

(a) Google Analytics: tools.google.com/dlpage/gaoptout

(b) Hotjar: optout.hotjar.com

(c) LinkedIn Insight Tag: Users may opt out via their LinkedIn account settings under "Data privacy preferences," or via the cookie consent mechanism on the Platform.

9.9 Further information regarding the specific cookies used on the Platform, their duration, and their purpose is set out in the Company's Cookie Policy, which is available on the Platform.

Section 10 — Marketing Communications

10. Marketing Communications

10.1 The Company may send marketing communications to Users and prospective customers in connection with the ZBG Sprint course and the broader offerings of FF&A Academy, subject to the conditions set out in this Section.

10.2 Consent-Based Marketing

The Company relies exclusively on the User's freely given, specific, informed, and unambiguous consent as the legal basis for sending direct marketing communications. The Company will not send marketing emails or newsletters to any individual who has not provided prior consent to receive such communications.

10.3 How Consent is Obtained

Consent to receive marketing communications is obtained through one or more of the following methods:

(a) an opt-in checkbox or equivalent mechanism presented to the User at the point of account registration or checkout, which is not pre-ticked and requires an affirmative action by the User;

(b) a standalone subscription form made available on the Platform or the Company's associated website; or

(c) any other mechanism through which the User clearly and affirmatively indicates their wish to receive marketing communications from the Company.

10.4 Content of Marketing Communications

Marketing communications sent by the Company may include:

(a) information about the ZBG Sprint course and FF&A Academy offerings;

(b) updates regarding new course content, events, or programs;

(d) promotional offers or pricing information; and

(e) general updates from Frederic Fernandez & Associates AG relevant to the User's interests.

10.5 Right to Withdraw Consent and Opt Out

10.5.1 Users may withdraw their consent to receive marketing communications at any time, free of charge and without providing any reason, by:

(a) clicking the unsubscribe link included in every marketing email sent by the Company; or

(b) contacting the Company directly at Contact@fredericfernandezassociates.com with a request to be removed from marketing communications.

10.5.2 The Company will process opt-out requests promptly and without undue delay. Users may continue to receive transactional or service-related communications following an opt-out, as such communications are not marketing in nature and are sent on the basis of contract performance or legal obligation.

10.5.3 Withdrawal of consent to marketing communications does not affect the lawfulness of any processing carried out prior to such withdrawal.

10.6 Retargeting and LinkedIn Advertising

10.6.1 The Company may conduct retargeting campaigns via LinkedIn, using the LinkedIn Insight Tag where the User has consented to the placement of marketing cookies on the Platform.

10.6.2 Retargeting allows the Company to display advertising to Users who have previously visited the Platform, based on data collected through the LinkedIn Insight Tag. This activity is carried out only where valid consent has been obtained through the cookie consent mechanism described in Section 9 of this Policy.

10.6.3 Users may opt out of LinkedIn retargeting at any time by:

(a) withdrawing consent via the cookie settings available on the Platform; or

(b) adjusting their LinkedIn account settings under "Data privacy preferences."

10.7 No Sale of Data for Marketing Purposes

The Company does not sell, rent, share, or otherwise transfer personal data to third parties for their own marketing or advertising purposes. Marketing communications are sent exclusively by or on behalf of Frederic Fernandez & Associates AG and relate solely to the Company's own products and services.

10.8 Record of Consent

The Company maintains records of marketing consents obtained from Users, including the date, method, and scope of consent, in accordance with its obligations under the GDPR and nDSG. These records are available upon request to demonstrate compliance.

Section 11 — Data Retention

11. Data Retention

11.1 The Company retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. This Section sets out the Company's retention practices in respect of each category of personal data processed in connection with the Platform and the ZBG Sprint course.

11.2 General Retention Principle

Personal data is retained for the shortest period necessary to achieve the purpose for which it was collected, taking into account:

(a) the nature and sensitivity of the personal data;

(b) the purposes for which the data is processed and whether those purposes can be achieved within a shorter period;

(d) the potential risk of harm to Users in the event of unauthorised use or disclosure.

11.3 Active Course Users

Personal data associated with a User's account, including registration data, course engagement data, and communications data, is retained for as long as the User's account remains active on the Platform. An account is considered active until:

(a) the User has completed the ZBG Sprint course and all associated course components; or

(b) the User submits a request to close their account.

11.4 Account Closure and Post-Completion Retention

11.4.1 Upon course completion or account closure, the Company will delete or anonymize the User's personal data, with the exception of data that the Company is required to retain under applicable law, as described in clause 11.5 below.

11.4.2 Following the deletion or anonymization of personal data, only the data categories described in clause 11.5 will be retained, strictly to the extent required by law.

11.4.3 Users wishing to close their account and request deletion of their personal data may do so by contacting the Company at Contact@fredericfernandezassociates.com. Account closure requests will be processed promptly and without undue delay, subject to the retention obligations described in clause 11.5.

11.5 Legally Required Retention

Notwithstanding the above, the Company is required to retain certain categories of personal data for defined periods under applicable Swiss law, including:

(a) Invoicing and transaction records — including name, contact details, billing address, VAT or business registration number where applicable, and payment confirmation records — must be retained for a minimum period of ten (10) yearsfrom the end of the relevant financial year, in accordance with Article 958f of the Swiss Code of Obligations (CO);

(b) Tax-related records — retained for the same minimum period of ten (10) years in accordance with Swiss federal tax law; and

11.6 Upon expiry of the applicable legal retention period, all remaining personal data retained under clause 11.5 will be securely deleted or irreversibly anonymized in accordance with the Company's internal data deletion procedures.

11.7 Communications Data

Personal data contained in communications between the User and the Company, including support requests and pre-sale enquiries, will be retained for a period of three (3) years from the date of the last communication, unless a longer retention period is required in connection with a legal claim or dispute.

11.8 Marketing Data

Personal data processed for marketing purposes, including email addresses and consent records, will be retained for as long as the User's consent remains valid and has not been withdrawn. Consent records, including the date, method, and scope of consent, will be retained for a period of three (3) years following the withdrawal of consent or the last interaction with the User, for the purpose of demonstrating compliance with applicable law.

11.9 Application Data

Personal data submitted as part of an application for the Full Access + Coaching Package will be retained for a period of twelve (12) months from the date of the application decision, following which it will be securely deleted, unless the applicant is accepted and becomes an active User, in which case the retention terms in clause 11.3 shall apply.

11.10 Cookie and Analytics Data

Retention periods for data collected through cookies and tracking technologies are governed by the individual retention settings of each tool and are described in further detail in the Company's Cookie Policy. As a general principle, analytics data collected via Google Analytics and Hotjar is retained in accordance with the default or customized retention settings applied by the Company within each respective platform.

11.11 Security and Integrity Data

Technical data processed for the purposes of platform security, fraud prevention, and detection of unauthorized account sharing will be retained for a period of twelve (12) months from the date of collection, unless retention for a longer period is required in connection with an investigation, legal claim, or regulatory obligation.

11.12 The Company conducts periodic reviews of the personal data it holds to ensure that data which is no longer required is deleted or anonymized in a timely manner. Where data is anonymized rather than deleted, the anonymized data no longer constitutes personal data and may be retained and used for statistical or analytical purposes without restriction.

Section 12 — Your Rights as a Data Subject

12. Your Rights as a Data Subject

12.1 Subject to applicable law, Users have a number of rights in relation to the personal data the Company holds about them. This Section sets out those rights and explains how Users may exercise them. The rights available to a User may vary depending on the legal framework applicable to their jurisdiction, including whether the GDPR, UK GDPR, or nDSG applies.

12.2 Right of Access

Users have the right to request confirmation of whether the Company processes personal data about them and, where it does, to receive a copy of that data together with information about:

(a) the purposes for which the data is processed;

(b) the categories of personal data concerned;

(d) the intended retention period, or the criteria used to determine that period;

(e) the existence of any automated decision-making, including profiling; and

(f) where data has not been collected directly from the User, the source of that data.

12.3 Right to Rectification

Users have the right to request the correction of inaccurate personal data held by the Company, and the completion of incomplete personal data, without undue delay.

12.4 Right to Erasure

Users have the right to request the deletion of their personal data where:

(a) the data is no longer necessary for the purposes for which it was collected;

(b) the User withdraws consent and no other legal basis for processing exists;

(d) the data has been unlawfully processed; or

(e) deletion is required to comply with a legal obligation.

The right to erasure is subject to the retention obligations described in Section 11 of this Policy. Where the Company is required by law to retain certain data, erasure requests in respect of that data cannot be fulfilled until the applicable retention period has expired.

12.5 Right to Restriction of Processing

Users have the right to request that the Company restricts the processing of their personal data in the following circumstances:

(a) the User contests the accuracy of the data, for a period enabling the Company to verify its accuracy;

(b) the processing is unlawful and the User requests restriction rather than erasure;

(c) the Company no longer needs the data for processing purposes but the User requires it for the establishment, exercise, or defence of legal claims; or

(d) the User has objected to processing pending verification of whether the Company's legitimate grounds override those of the User.

12.6 Right to Data Portability

Where processing is based on consent or on the performance of a contract, and is carried out by automated means, Users have the right to receive the personal data they have provided to the Company in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.

12.7 Right to Object

12.7.1 Users have the right to object at any time to the processing of their personal data where such processing is based on the Company's legitimate interests, on grounds relating to their particular situation. Upon receipt of such an objection, the Company will cease processing the relevant data unless it can demonstrate compelling legitimate grounds that override the User's interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

12.7.2 Where personal data is processed for direct marketing purposes, Users have the absolute right to object to such processing at any time, without the need to provide any justification. Upon receipt of such an objection, the Company will cease processing the User's personal data for direct marketing purposes without undue delay.

12.8 Right to Withdraw Consent

Where processing is based on consent, Users have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. Following withdrawal, the Company will cease the relevant processing activity unless another legal basis applies.

12.9 Rights under the Swiss nDSG

In addition to the rights described above, Users whose data is processed subject to the Swiss nDSG have the right to:

(a) request information about the personal data held about them by the Company, in accordance with Article 25 nDSG;

(b) request rectification, deletion, or restriction of processing of their personal data; and

(c) lodge a complaint with the Swiss Federal Data Protection and Information Commissioner ("FDPIC") where they believe their data protection rights have been infringed.

12.10 Rights under the UK GDPR

Users located in the United Kingdom benefit from equivalent rights under the UK GDPR and the Data Protection Act 2018, as described in clauses 12.2 through 12.8 above. UK-based Users who wish to lodge a complaint with a supervisory authority may do so with the Information Commissioner's Office ("ICO") at ico.org.uk.

12.11 How to Exercise Your Rights

12.11.1 Users wishing to exercise any of the rights described in this Section may do so by contacting the Company directly at:

Frederic Fernandez & Associates AG Email: Contact@fredericfernandezassociates.com

12.11.2 Requests should clearly identify the User and specify the right being exercised. The Company may request additional information to verify the User's identity before processing a request, in order to protect against unauthorised disclosure of personal data.

12.11.3 The Company will respond to all valid data subject requests without undue delay and in any event within thirty (30) days of receipt of the request, in accordance with the requirements of the GDPR and nDSG. Where a request is complex or involves a large volume of data, this period may be extended by a further two (2) months, in which case the Company will notify the User of the extension and the reasons for it within the initial thirty (30) day period.

12.11.4 Responses to data subject requests are provided free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company reserves the right to charge a reasonable administrative fee or to decline to act on the request, in accordance with applicable law.

12.12 Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, Users have the right to lodge a complaint with the relevant supervisory authority if they consider that the processing of their personal data infringes applicable data protection law:

(a) Switzerland: Swiss Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch;

(b) European Union: the supervisory authority of the EU member state in which the User habitually resides, works, or in which the alleged infringement occurred; and

12.13 The Company encourages Users to contact it directly in the first instance to resolve any concerns regarding the processing of their personal data before escalating to a supervisory authority.

Section 13 — Data Security

13. Data Security

13.1 The Company takes the security of personal data seriously and implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, disclosure, or misuse, in accordance with the requirements of the nDSG, GDPR, and applicable international standards.

13.2 Technical Measures

The technical security measures implemented by the Company and its third-party service providers include, but are not limited to:

(a) encryption of data in transit using industry-standard Transport Layer Security (TLS) protocols;

(b) encryption of data at rest where technically feasible and appropriate given the sensitivity of the data;

(d) infrastructure security and DDoS protection provided by Cloudflare;

(e) secure payment processing handled exclusively by Stripe, which is certified to the Payment Card Industry Data Security Standard (PCI DSS); and

(f) monitoring of login patterns and access behavior on the Platform for the purpose of detecting and preventing unauthorised access and account sharing, as described in Section 6.7 of this Policy.

13.3 Organisational Measures

The organisational security measures implemented by the Company include, but are not limited to:

(a) limiting access to personal data to those employees, contractors, and service providers who require access for the performance of their duties;

(b) ensuring that all third-party processors engaged by the Company are subject to appropriate contractual obligations regarding data security, as described in Section 7 of this Policy;

(d) conducting periodic reviews of data processing activities and security measures to ensure ongoing compliance with applicable law.

13.4 Data Breach Response

13.4.1 In the event of a personal data breach, the Company will take immediate steps to contain the breach, assess the risk to affected individuals, and remediate the cause of the breach.

13.4.2 Where a breach is likely to result in a risk to the rights and freedoms of natural persons, the Company will notify the relevant supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 GDPR and the equivalent provisions of the nDSG.

13.4.3 Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company will also notify the affected Users without undue delay, providing them with clear information about the nature of the breach, the likely consequences, and the measures taken or proposed to address it, in accordance with Article 34 GDPR and the nDSG.

13.4.4 The Company maintains an internal register of personal data breaches, including those that do not meet the threshold for supervisory authority notification, in accordance with its accountability obligations under applicable law.

13.5 Third-Party Security

The Company takes reasonable steps to ensure that its third-party service providers maintain appropriate security standards. However, the Company cannot guarantee the security measures implemented by independent third-party controllers, including Stripe and LinkedIn, in respect of data processed under their own privacy policies. Users are encouraged to review the privacy and security policies of these providers directly.

13.6 User Responsibilities

13.6.1 Users are responsible for maintaining the confidentiality of their account login credentials and for ensuring that their account is not accessed by unauthorised individuals.

13.6.2 Users must not share their login credentials with any third party. Credential sharing constitutes a breach of the Terms and Conditions and may result in the suspension or termination of the User's account in accordance with the Terms and Conditions.

13.6.3 Users should notify the Company immediately at Contact@fredericfernandezassociates.com if they become aware of any unauthorised access to their account or any suspected security incident relating to their use of the Platform.

13.7 Limitations

While the Company implements reasonable and appropriate security measures, no system or method of data transmission over the internet can be guaranteed to be completely secure. The Company cannot warrant the absolute security of personal data transmitted to or from the Platform and accepts no liability for security breaches that are beyond its reasonable control, subject to the liability provisions set out in the Terms and Conditions.

Section 14 — Minors

14. Minors

14.1 The ZBG Sprint course and the FF&A Academy Platform are intended exclusively for individuals who are at least eighteen (18) years of age. As set out in the Company's Terms and Conditions, Users must confirm that they are at least 18 years old at the time of purchase or registration.

14.2 The Company does not knowingly collect, process, or store personal data from individuals under the age of 18. If the Company becomes aware that it has inadvertently collected personal data from a minor, it will take immediate steps to delete such data from its records without undue delay.

14.3 The Company does not direct any aspect of the Platform, its content, or its marketing communications toward individuals under the age of 18. The ZBG Sprint course is designed and marketed exclusively for adult professionals and business users.

14.4 The Company does not implement age verification technology on the Platform at this time. The Company relies on the User's confirmation of eligibility at the point of registration and purchase, as required under the Terms and Conditions. By creating an account or completing a purchase, the User represents and warrants that they are at least 18 years of age.

14.5 Where a parent or legal guardian believes that their child under the age of 18 has provided personal data to the Company without appropriate consent, they are encouraged to contact the Company immediately at:

Frederic Fernandez & Associates AG Email: Contact@fredericfernandezassociates.com

The Company will investigate the matter promptly and, where confirmed, will delete the relevant personal data without undue delay.

14.6 The Company's marketing and retargeting activities, including those conducted via LinkedIn, are directed exclusively at adults and are configured, to the extent technically possible, to exclude individuals under the age of 18 from targeted audiences.

Section 15 — Changes to this Policy

15. Changes to this Policy

15.1 The Company reserves the right to update, amend, or revise this Privacy Policy at any time, in order to reflect changes in applicable law, regulatory guidance, the Company's data processing practices, or the introduction of new products, services, or third-party processors.

15.2 Notification of Changes

15.2.1 Where changes to this Policy are material — meaning they significantly affect the way in which the Company processes personal data or the rights available to Users — the Company will notify affected Users by:

(a) sending an email notification to the email address associated with the User's account on the Platform; and

(b) displaying a prominent notice on the Platform prior to the changes taking effect.

15.2.2 Where changes are non-material, such as minor clarifications, corrections of typographical errors, or administrative updates that do not affect the substance of the Policy, the Company may update the Policy without prior individual notification, provided that the updated version is published on the Platform with a revised effective date.

15.3 Effective Date

15.3.1 Each version of this Policy will carry a clearly indicated effective date at the top of the document. The version of the Policy in force at the time of processing shall apply to the relevant processing activity.

15.3.2 Where a material change is notified to the User in advance, the updated Policy will take effect on the date specified in the notification, which will be no earlier than fourteen (14) days following the date of notification, unless a shorter period is required by applicable law or regulatory obligation.

15.4 Continued Use

15.4.1 Where the User continues to access or use the Platform following the effective date of an updated Policy, such continued use shall constitute acknowledgment of the updated Policy.

15.4.2 Where an update to this Policy requires the Company to rely on a new legal basis for processing, or introduces new categories of processing that require the User's consent, the Company will obtain such consent separately and prior to the relevant processing activity taking effect. Continued use of the Platform alone shall not constitute consent to new processing activities where consent is required.

15.5 Previous Versions

The Company will maintain a record of previous versions of this Privacy Policy. Users who wish to review a previous version of the Policy may request a copy by contacting the Company at Contact@fredericfernandezassociates.com.

15.6 Users are encouraged to review this Policy periodically to remain informed of how the Company processes their personal data and of any changes that may affect them.

Section 16 — Contact and Complaints

16. Contact and Complaints

16.1 The Company is committed to handling all privacy-related enquiries, requests, and complaints in a transparent, timely, and respectful manner. Users are encouraged to contact the Company directly in the first instance with any concerns regarding the processing of their personal data.

16.2 Primary Contact

For all privacy-related matters, including the exercise of data subject rights as described in Section 12, general enquiries regarding this Policy, or concerns about the Company's data processing practices, Users may contact the Company at:

Frederic Fernandez & Associates AG Industriestrasse 24 6300 Zug Switzerland Email: Contact@fredericfernandezassociates.com

16.3 Data Subject Rights Requests

Users wishing to exercise any of the rights described in Section 12 of this Policy should submit their request in writing to the email address set out in clause 16.2 above. To enable the Company to process the request efficiently, Users are encouraged to:

(a) clearly identify themselves and the account to which the request relates;

(b) specify the right they wish to exercise; and

The Company may request additional information to verify the User's identity before processing a request, solely for the purpose of protecting against unauthorised disclosure of personal data.

16.4 Response Timeframes

The Company will acknowledge receipt of all privacy-related requests and complaints promptly and will endeavour to provide a substantive response within thirty (30) days of receipt, in accordance with the requirements of the GDPR and nDSG. Where a request is complex or requires additional time to process, the Company will notify the User within the initial thirty (30) day period and provide an updated expected response timeframe, which shall not exceed a total of three (3) months from the date of the original request.

16.5 Internal Complaint Handling

16.5.1 Where a User has a concern or complaint regarding the Company's handling of their personal data, the User is encouraged to contact the Company directly at the address set out in clause 16.2 in order to allow the Company the opportunity to investigate and resolve the matter internally.

16.5.2 The Company will investigate all complaints received in good faith and will communicate the outcome of its investigation to the User in writing within the timeframe specified in clause 16.4.

16.5.3 Where a complaint is upheld, the Company will take appropriate remedial action without undue delay and will inform the User of the steps taken.

16.6 Escalation to Supervisory Authorities

Without prejudice to the User's right to contact the Company directly, Users retain the right to lodge a complaint with the relevant data protection supervisory authority at any time, as described in clause 12.12 of this Policy:

(a) Switzerland — Swiss Federal Data Protection and Information Commissioner (FDPIC): Feldeggweg 1 3003 Bern Switzerland Website: edoeb.admin.ch

(b) European Union: The supervisory authority of the EU member state in which the User habitually resides, works, or in which the alleged infringement took place. A full list of EU supervisory authorities is available at: edpb.europa.eu

(c) United Kingdom — Information Commissioner's Office (ICO): Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF United Kingdom Website: ico.org.uk

16.7 No Retaliation

The Company confirms that no User will be subject to any adverse treatment, penalty, or disadvantage as a result of exercising their data protection rights or submitting a complaint in good faith under this Policy or to a supervisory authority.

16.8 Updates to Contact Information

Should the Company's contact details change, the updated information will be reflected in this Policy in accordance with Section 15. Users are encouraged to verify the current contact details by referring to the latest published version of this Policy on the Platform.

Enabling growth at scale in the FMCG industry

Cookie Policy

Terms & Conditions

Enabling growth at scale in the FMCG industry

Cookie Policy

Terms & Conditions

Enabling growth at scale in the FMCG industry

Cookie Policy

Terms & Conditions