Privacy Policy
Effective as of July 11, 2025
This privacy policy informs you about the processing of personal data in connection with our activities and operations, including our website under the domain name patrickevanscpa.ch. In particular, we explain why, how, and where we process which personal data. We also inform you about the rights of individuals whose data we process.
For specific or additional activities and operations, we may publish additional privacy policies or other information related to data protection.
We are subject to Swiss law and, where applicable, to foreign law — particularly that of the European Union (EU) through the General Data Protection Regulation (GDPR).
The European Commission recognized on July 26, 2000, that Swiss data protection law provides an adequate level of data protection. This adequacy decision was reaffirmed by the European Commission in a report dated January 15, 2024.
1. Contact Addresses
The responsible party under data protection law is:
Patrick Evans, Certified Public Accountant GmbH
Burghaldenstrasse 25
5600 Lenzburg
Switzerland
info@patrickevanscpa.ch
In certain cases, third parties may be responsible for processing personal data, or joint responsibility may exist with third parties. Upon request, we will gladly inform affected persons about the relevant responsibility.
2. Definitions and Legal Bases
2.1 Definitions
Data Subject: Any natural person whose personal data we process.
Personal Data: Any information relating to an identified or identifiable natural person.
Sensitive Personal Data: Includes data on union membership, political, religious, or philosophical beliefs or activities; health data; intimate sphere; ethnic or racial origin; genetic data; biometric data uniquely identifying a natural person; criminal or administrative sanctions or prosecutions; and data on social assistance measures.
Processing: Any operation involving personal data, regardless of the methods or procedures used. This includes querying, matching, adjusting, archiving, storing, reading, disclosing, collecting, recording, deleting, organizing, structuring, modifying, linking, destroying, and using personal data.
European Economic Area (EEA): Includes EU member states plus Liechtenstein, Iceland, and Norway.
2.2 Legal Bases
We process personal data in accordance with Swiss law, particularly the Federal Act on Data Protection (FADP) and the corresponding Data Protection Ordinance (DPO).
If and to the extent that the General Data Protection Regulation (GDPR) applies, we process personal data under at least one of the following legal bases:
Art. 6(1)(b) GDPR: Processing necessary for the performance of a contract with the data subject or to take steps prior to entering a contract.
Art. 6(1)(f) GDPR: Processing necessary for the purposes of legitimate interests pursued by us or a third party, provided such interests are not overridden by the fundamental rights and freedoms of the data subject. Such interests include the secure, human-friendly, and reliable execution of our activities, ensuring IT security, preventing misuse, enforcing legal claims, and complying with Swiss law.
Art. 6(1)(c) GDPR: Processing necessary for compliance with a legal obligation under applicable law in EEA member states.
Art. 6(1)(e) GDPR: Processing necessary for the performance of a task carried out in the public interest.
Art. 6(1)(a) GDPR: Processing based on the data subject's consent.
Art. 6(1)(d) GDPR: Processing necessary to protect vital interests of the data subject or another natural person.
Art. 9(2) et seq. GDPR: Processing of special categories of personal data, in particular with the explicit consent of the data subject.
Under the GDPR, the term "processing" refers to any handling of personal data, and "special categories of personal data" refers to sensitive data under Art. 9 GDPR.
3. Type, Scope, and Purpose of Personal Data Processing
We process the personal data necessary to carry out our activities in a consistent, human-centered, secure, and reliable manner. The categories of processed data may include:
Browser and device data
Content data
Communication data
Metadata
Usage data
Master data (including account and contact details)
Location data
Transaction data
Contract data
Payment data
This may also include sensitive personal data (as defined in section 2.1).
We may also process personal data obtained from third parties, gathered from public sources, or collected during our operations — as long as such processing is permitted.
Where necessary, we obtain consent from the data subjects. In many cases, we may process personal data without consent, for example, to fulfill legal obligations or to protect overriding interests. We may also request consent even when it is not strictly required by law.
We retain personal data only for as long as necessary for the specific purpose. Data is anonymized or deleted based on legal retention and limitation periods.
4. Disclosure of Personal Data
We may disclose personal data to third parties, allow third parties to process it on our behalf, or process it jointly with third parties. Such third parties may include specialized service providers whose services we use.
In the context of our operations and activities, we may disclose personal data particularly to the following:
Service providers, including IT, hosting, analytics, marketing, and communication tools;
Professional advisors, such as legal, financial, and compliance consultants;
Public authorities, where required by law;
Cooperation and funding partners, where necessary to deliver or report on shared initiatives.
5. Communication
We process personal data to communicate with individuals, authorities, organizations, and companies. This includes data provided to us directly by a data subject — for example, by postal mail, telephone, or email. Such data may be stored in an address book or similar tools.
Third parties who transmit data about other persons to us are responsible for ensuring that they comply with data protection requirements. In particular, they must ensure that such data is accurate and that its transmission is legally permitted.
We use selected services from appropriate providers to facilitate and manage communication and the processing of client data. These services may store, manage, and process personal data beyond the immediate communication itself.
We particularly use:
TaxDome
For client communication, secure document exchange, and customer relationship management (CRM)
Provider: TaxDome LLC (USA)
Data protection information: Privacy Policy, Data Processing Amendment (DPA), Terms of Service
CCH iFirm / CCH Axcess
For tax and accounting workflows, client data management, and document handling
Provider: Wolters Kluwer (Netherlands / USA)
Data protection information: Privacy and Cookie Notice, Terms of Use
6. Data Security
We implement appropriate technical and organizational measures to ensure data security that is appropriate to the respective risk. These measures are designed to guarantee the confidentiality, availability, traceability, and integrity of the personal data we process — although absolute security cannot be guaranteed.
Access to our website and other digital services is encrypted via transport layer security (SSL / TLS), typically through HTTPS (Hypertext Transfer Protocol Secure). Most browsers will issue a warning when a site is accessed without such encryption.
Our digital communication — like all digital communication in general — is subject to mass surveillance by security authorities in Switzerland, elsewhere in Europe, the United States of America (USA), and other countries. We have no direct influence over how intelligence services, law enforcement agencies, or other security authorities process personal data. We also cannot rule out that specific individuals may be subjected to targeted surveillance.
7. Personal Data Abroad
As a rule, we process personal data in Switzerland and the European Economic Area (EEA). However, we may also transfer or export personal data to other countries, particularly for the purpose of having it processed there.
We may transfer personal data to any country — provided that the local legal framework offers adequate data protection according to a decision by the Swiss Federal Council and, where applicable, the European Commission under the GDPR.
We may also transfer personal data to countries without adequate data protection, provided that suitable safeguards are in place — such as standard contractual clauses or other appropriate guarantees. In exceptional cases, we may export personal data without such guarantees if specific legal conditions are met — for example, if the data subject has given explicit consent, or if the transfer is directly related to the conclusion or performance of a contract.
Upon request, we will gladly inform data subjects about the guarantees in place or provide a copy of them.
8. Rights of Data Subjects
8.1 Data Protection Claims
We grant all rights to data subjects in accordance with applicable law. These rights include, in particular:
Right of Access: Data subjects may request confirmation as to whether we are processing personal data about them — and, if so, what data is being processed. They will also receive the information needed to exercise their data protection rights and ensure transparency. This includes the processed data itself, as well as the purpose of processing, the retention period, any disclosures or transfers abroad, and the origin of the data.
Right to Rectification and Restriction: Data subjects may request the correction of inaccurate personal data, the completion of incomplete data, and the restriction of data processing.
Right to Express Viewpoint and Request Human Review: For decisions based solely on automated processing that have legal or significant personal effects (automated individual decisions), data subjects may express their viewpoint and request that a human review the decision.
Right to Erasure and Objection: Data subjects may request the deletion of personal data ("right to be forgotten") and object to future processing of their data.
Right to Data Portability: Data subjects may request their personal data or its transfer to another data controller.
We may delay, restrict, or refuse the exercise of these rights to the extent legally permissible. Where necessary, we will inform data subjects of any conditions that must be met before exercising their rights. For example, we may deny access due to confidentiality obligations, overriding interests, or the protection of other individuals. We may also deny deletion requests, especially if we are legally required to retain the data.
We may charge a fee for exercising these rights — in exceptional cases. We will inform data subjects of any such costs in advance.
We are required to take reasonable steps to verify the identity of individuals exercising these rights. Data subjects are obliged to cooperate in this process.
8.2 Legal Remedies
Data subjects have the right to enforce their data protection rights through legal action or to lodge a complaint with a data protection supervisory authority.
In Switzerland, the responsible authority for private controllers and federal bodies is the Federal Data Protection and Information Commissioner (FDPIC).
In the European Economic Area (EEA), supervisory authorities are organized as members of the European Data Protection Board (EDPB). Some countries, like Germany, have a federal structure with multiple supervisory authorities.
9. Website Use
9.1 Cookies
We may use cookies — both our own (first-party cookies) and those from third parties whose services we use (third-party cookies). Cookies are data stored in your browser. These do not have to be traditional text-based cookies.
Cookies can be stored temporarily as “session cookies” or for a specified period as persistent cookies. Session cookies are automatically deleted when the browser is closed. Persistent cookies have a defined lifespan. Cookies allow us, for example, to recognize a browser during a future visit and measure the reach of our website. Persistent cookies may also be used for online marketing purposes.
You can deactivate, restrict, or delete cookies in your browser settings at any time. Many browsers also allow you to automate cookie management. If cookies are disabled, some features of our website may not be available. We request your explicit consent for the use of cookies, at least to the extent required by applicable law.
To manage the cookies and similar technologies used (e.g., tracking pixels, web beacons) and the associated consents, we use the consent management tool “Cookiebot.” Details on how Cookiebot processes personal data.
For cookies used in performance measurement or advertising, a general opt-out is available via:
AdChoices (Canada)
Network Advertising Initiative (NAI – U.S.)
YourAdChoices (U.S.)
Your Online Choices (European Interactive Digital Advertising Alliance – EDAA)
9.2 Logging
Each time our website or other digital presence is accessed, we may log the following — if transmitted by your device:
Date and time (including time zone)
Operating system (including UI and version)
Browser (including language and version)
Accessed subpage(s) and transmitted data volume
This data may be stored in log files and qualifies as personal data. These logs are necessary to ensure the permanent, user-friendly, and reliable availability of our digital presence and to maintain data security, whether by ourselves or through third parties.
9.3 Tracking Pixels
We may embed tracking pixels (also known as web beacons) into our digital presence. These can come from us or third parties whose services we use. Typically, these are invisible images or JavaScript scripts that are automatically loaded when a page is accessed.
Tracking pixels may collect the same data as described above in the logging section.
10. Notifications and Communications
10.1 Performance and Reach Measurement
Our notifications and communications (e.g. newsletters) may contain tracking pixels or trackable links that record whether a message was opened, and which links were clicked. These technologies may allow us to track user behavior on an individual basis.
We rely on this statistical data to measure the success and reach of our communications. This helps us tailor messages to recipients’ preferences and reading habits, making them more effective, human-centered, secure, and reliable.
10.2 Consent and Objection
As a general rule, we require your consent to use your email address and other contact details — unless another legal basis allows us to use this data.
When collecting consent, we may use the double opt-in procedure. In this case, you will receive a message with instructions on how to confirm your consent. We may log your consent — including your IP address and the timestamp — for security and evidence purposes.
You can opt out of communications (such as newsletters) at any time. Doing so will also withdraw consent for tracking pixels and link tracking.
Exceptions include communications that are necessary for our core activities, which may continue without consent.
11. Social Media
We maintain a presence on social media platforms and other online platforms to communicate with interested parties and to inform the public about our activities and operations.
In connection with these platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).
The respective platform providers’ terms of service, usage policies, and privacy statements apply. These policies also inform data subjects of their rights — such as the right to access — directly with the platform.
12. Third-Party Services
We use services from specialized third-party providers to carry out our activities in a reliable, secure, user-friendly, and sustainable manner. These services allow us to embed features and content into our website.
When integrating such services, the providers automatically collect the IP addresses of users — for technical reasons.
For essential security, statistical, and technical purposes, these third-party providers may process data in aggregated, anonymized, or pseudonymized form. This may include performance or usage data needed to deliver the service.
We specifically use:
Services from Google
Providers: Google LLC (USA) / Google Ireland Limited (Ireland) — for users in the EEA and Switzerland
Privacy and Data Use Information:
“How we use data from websites or apps that use our services”
“Ads you can control” (personalization settings)
12.1 Digital Infrastructure
We use third-party providers to host and store data as part of our digital infrastructure.
We specifically use:
Squarespace
For website hosting and content delivery
Provider: Squarespace, Inc. (USA)
Data protection info: Privacy Policy, Data Processing Addendum (DPA), Cookie Policy
12.2 Appointment Scheduling
We use scheduling services to allow users to book meetings online. Additional terms (such as privacy policies or terms of use) of the provider may apply.
We specifically use:
Microsoft Outlook (Bookings and Calendar)
Provider: Microsoft Corporation (USA)
Data protection info: Microsoft Privacy Statement, Microsoft Trust Center
Calendly
Provider: Calendly LLC (USA)
Data protection info: Privacy Policy, Security information
12.3 Audio and Video Conferences
We use specialized tools for online communication — e.g., meetings, virtual classrooms, and webinars.
Their respective privacy policies and terms of use apply in addition to this policy.
For privacy protection, we recommend muting your microphone by default and blurring or replacing your background when appropriate.
We specifically use:
Microsoft Teams
Provider: Microsoft Corporation (USA)
Privacy resources: Microsoft Privacy Statement, Microsoft Teams Security Guide
Zoom
Provider: Zoom Video Communications Inc. (USA)
Privacy resources: Zoom Privacy Statement, Data Protection Addendum (DPA), Cookie Statement, Compliance information
12.4 Digital Content
We use third-party services to embed digital content into our website, including images, videos, music, and podcasts.
We specifically use:
YouTube
Provider: Google
YouTube-specific resources: “Google Privacy & Policy,” “Your Data on YouTube”
13. Performance and Reach Measurement
We strive to measure the effectiveness and reach of our activities and digital presence. This may include tracking the impact of third-party links or testing how different sections or versions of our site are used (A/B testing).
In most cases, IP addresses are collected and pseudonymized (via IP masking) to uphold data minimization principles.
Cookies and usage profiles may also be used. These profiles can include:
Pages or content viewed
Screen or browser window size
Approximate location
These profiles are pseudonymized and not used to identify individuals. However, if users are logged into third-party services, those services may associate use of our content with the user’s profile on their platform.
We specifically use:
Google Marketing Platform
For performance and reach tracking, particularly with Google Analytics
Tracks usage across browsers/devices (cross-device tracking).
IP addresses are usually pseudonymized before transfer to Google in the USA.
Resources: Google Analytics Privacy Policy, Google Analytics Opt-Out Add-on.
Google Tag Manager
For integrating and managing Google and third-party services used for tracking
Tag Manager Privacy Policy applies, as well as the policies of embedded services
14. Final Notes on the Privacy Policy
We may update this policy at any time. Updates will be published in a suitable format — especially via the latest version available on our website.