How Castellan Intelligence AG (in formation) processes your personal data — pursuant to the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).
Privacy policy of Castellan Intelligence AG (in formation), Gotthardstrasse 26, 6300 Zug, Switzerland ("Castellan"; "we") for the website castellan-intelligence.com ("Website").
This privacy policy applies cumulatively under two regimes: the Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023, with implementing Ordinance DSV) which is our primary applicable regime as a Swiss-domiciled entity, and the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") which applies extraterritorially under Art. 3(2) GDPR insofar as we offer goods or services to, or monitor the behaviour of, data subjects in the European Union.
Throughout this policy, legal bases are cited under both regimes (e.g., "Art. 31 para. 1 lit. d revFADP / Art. 6(1)(f) GDPR" for legitimate interest). Where the two regimes diverge in scope of a particular right, that divergence is noted explicitly.
When you visit our Website, we collect the following data automatically (server log files):
You can browse our Website without providing any personal information. Only the access data above are processed. Processing is carried out for the purpose of website security and quality improvement, on the basis of our legitimate interest pursuant to Art. 31 para. 1 lit. d revFADP / Art. 6(1)(f) GDPR. This information does not enable us to draw any conclusions about your identity.
Server log files are retained for a maximum of six (6) months and are then deleted unless retention is required for evidence in specific cases of misuse (e.g., DDoS attempts, intrusion attempts), in which case the retention period may be extended for as long as necessary to pursue legal remedies (Art. 6 para. 4 revFADP / Art. 5(1)(b) GDPR — storage limitation principle).
If you contact us through our published email address (contact@castellan-intelligence.com), your personal data is processed. We collect the data you provide — such as your name, email address, phone number (if shared), and the content of your request. The time of receipt is documented automatically.
We process this data solely to address your request (e.g., providing information about our products and services, evaluating partnership inquiries, responding to capital-markets enquiries).
The legal basis for this processing is our legitimate interest under Art. 31 para. 1 lit. d revFADP / Art. 6(1)(f) GDPR in addressing your request, or — if the request is aimed at the conclusion or performance of a contract — Art. 31 para. 1 lit. a revFADP / Art. 6(1)(b) GDPR for measures necessary to implement that contract.
Correspondence data is retained for as long as necessary to fulfil the purpose of the contact, and thereafter only as required by applicable retention obligations (e.g., commercial law).
Our Website integrates the following third-party services, which may receive technical metadata when you interact with the page:
/fonts/ directory). Font files are served from our hosting infrastructure within the EU/EEA via World4You — no IP address or user agent of visitors is transmitted to Google or any other third-party CDN. This implementation eliminates the data-transfer risk vector identified in LG München I, judgement of 20 January 2022 (Az. 3 O 17493/20)./a.php). It sets no cookies and stores no IP addresses and no user agents; no third-party service receives any data. For aggregate unique-visit counting, a salted one-way hash is derived server-side and the salt rotates daily — no persistent identifier exists and no natural person can be re-identified. Browser signals such as Do Not Track and Global Privacy Control are honored: if either is set, nothing is recorded. Legal basis: our legitimate interest in the secure and demand-oriented operation of the Website (Art. 31 para. 1 lit. d revFADP / Art. 6(1)(f) GDPR).We do not currently use any of the following:
This privacy policy will be updated promptly with full disclosure of any additional processing activity prior to its introduction. The capital-markets gate and CRM integrations referenced in management roadmaps are not yet implemented; the contact form described in Section 02 is live and transmits data solely to our own mail infrastructure.
A "cookie" is a small text file that a website may transfer to your computer when you visit it. Our Website does not set any first-party cookies, and following the migration to self-hosted typography, the Website also does not load any third-party cookies. The Website operates fully cookie-free in its current configuration.
If we introduce cookies in the future (e.g., for analytics, user preferences, capital-markets gate authentication, or consent management), you will be presented with a consent management platform (CMP) banner on first visit, in compliance with Art. 6(1)(a) GDPR (consent) and Art. 6 revFADP (consent). Strictly-necessary cookies (e.g., session tokens for a future investor portal) will be set on the basis of legitimate interest without consent requirement.
You can configure your browser to refuse all cookies or to alert you when cookies are being set. Instructions for the most common browsers:
You have the following rights regarding the personal data we process about you. We will comply with any valid request without undue delay, but at the latest within one (1) month.
You may request information about whether we process personal data concerning you, and if so, you may obtain a copy of that data plus information about (i) the categories of data processed, (ii) processing purposes, (iii) recipients, (iv) retention period, (v) the origin of the data, and (vi) any automated decision-making.
You may request that we correct inaccurate or incomplete data concerning you.
You may request deletion of your data where there is no continuing legal basis for its processing, where you withdraw consent on which processing was based, where you object successfully, or where the data has been processed unlawfully.
Under certain circumstances (e.g., during examination of a correction request), you may request that processing of your data be restricted to mere storage.
Under Art. 20 GDPR, where processing is based on consent or a contract and is carried out by automated means, you may request that data you have provided to us be transferred to you or to another controller in a structured, commonly used, machine-readable format.
Under Art. 28 revFADP (right to data transfer, in force since 1 September 2023), you may request that we transfer personal data to you or to a designated third party, where processing is based on your consent or for the performance of a contract, in a commonly used electronic format.
Where processing is based on our legitimate interest (Art. 6 (1) lit. f GDPR), you may object to such processing on grounds relating to your particular situation.
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
You have the right to lodge a complaint with a competent supervisory authority. The competent authority depends primarily on your place of residence and where the alleged infringement occurred.
To exercise any of these rights, please send an email to contact@castellan-intelligence.com. We may require reasonable proof of identity before fulfilling a request, to ensure data is not disclosed to unauthorised parties (Art. 26 revFADP / Art. 12(6) GDPR).
Castellan takes appropriate technical and organisational measures to ensure that only such personal data is processed as is necessary for the relevant business purpose. We implement privacy by design and by default (Art. 7 revFADP / Art. 25 GDPR), addressing data minimisation, purpose limitation, and access controls from system design onwards.
Data security measures (Art. 8 revFADP / Art. 32 GDPR / Art. 1-3 DSV — Datenschutzverordnung) include:
.htaccess)In accordance with the FADP and GDPR storage-limitation principle (Art. 6 para. 4 revFADP / Art. 5(1)(e) GDPR), personal data is retained only as long as required by the legal basis of processing, unless longer retention is mandated by Swiss commercial-law obligations (e.g., Art. 958f OR — 10-year retention for accounting records).
Our primary data processing takes place in Switzerland and within the European Economic Area. However, certain third-party services we use (notably Google Fonts) may involve data transfers to countries outside Switzerland and the EEA, including the United States.
Where such transfers occur, we ensure an adequate level of data protection through one or more of the following mechanisms, in accordance with Art. 44–49 GDPR and Art. 16 FADP:
If you have questions about the safeguards in place for any specific transfer, please contact us at contact@castellan-intelligence.com.
Castellan is domiciled in Switzerland (Zug). The appointment of a Swiss representative under Art. 14 revFADP is not required, as we have an establishment in Switzerland.
Castellan does not maintain an establishment in the European Union. At present, this Website serves as an institutional information resource and does not actively offer goods or services to EU residents within the meaning of Art. 3(2)(a) GDPR, nor does it monitor behaviour of EU residents within the meaning of Art. 3(2)(b) GDPR.
Should our processing activities fall within the territorial scope of Art. 3(2) GDPR — for instance, upon launch of a contact form, capital-markets gate, or customer-facing service targeted at EU residents — Castellan will appoint an EU representative pursuant to Art. 27 GDPR prior to commencement of such activities. The identity and contact details of any appointed EU representative will be published in this privacy policy.
The appointment of a Data Protection Adviser (Datenschutzberater) is voluntary under Swiss law (Art. 10 revFADP). The appointment of a Data Protection Officer (DPO) under Art. 37 GDPR is mandatory only where the core activities of the controller require regular and systematic monitoring of data subjects on a large scale, or where they consist of large-scale processing of special categories of data. Neither threshold is currently met. Data-protection inquiries during the formation phase are handled directly by the CEO.
Castellan will reassess this position upon company formation and prior to any material expansion of processing activities.
This Website is directed at institutional, professional, and qualified-investor audiences. It is not directed at children under the age of 16.
We do not knowingly collect or process personal data of children under the age of 16 (or under the applicable local age of digital consent under Art. 8(1) GDPR — typically 13 to 16 depending on EU Member State). Children of minor data subjects within the meaning of Swiss law follow Art. 19 ZGB regarding capacity to consent.
If you become aware that a child has provided personal data to us — for example, by submitting an enquiry through our published email channels — please contact us immediately at contact@castellan-intelligence.com so that we can take appropriate action, including erasure of such data without undue delay.
Castellan does not engage in automated individual decision-making, including profiling, that produces legal effects concerning data subjects or that similarly significantly affects them, within the meaning of Art. 21 revFADP / Art. 22 GDPR.
No data collected through this Website is processed by algorithmic scoring, automated risk-assessment, automated credit-decision, or comparable systems.
Should we introduce automated decision-making in the future (for example, as part of a future investor on-boarding or KYC workflow), data subjects will be informed in advance through an update to this privacy policy. Where required by Art. 22 GDPR, data subjects will be granted (i) the right to obtain human intervention, (ii) the right to express their point of view, and (iii) the right to contest the decision.
In the event of a personal-data breach that is likely to result in a high risk to the rights and freedoms of data subjects, we will:
An internal data-breach response plan documents these procedures and is reviewed periodically. Records of all breaches, including the facts, effects, and remedial actions, are maintained pursuant to Art. 33(5) GDPR.
For any questions, messages, or requests regarding the processing of your personal data, please write to:
Data-protection inquiries during the formation phase are handled directly by the CEO (Stefan Kern). See Section 08 above for the conditions under which a formal Data Protection Adviser or EU Representative will be appointed.
We will respond to valid requests without undue delay and within the statutory time limits — one (1) month under Art. 12(3) GDPR, or thirty (30) days under Art. 25 revFADP, extendable where justified by the complexity or volume of requests.
We may update this privacy policy from time to time to reflect changes to our practices, new third-party services, or changes in applicable law. The current version is always available at castellan-intelligence.com/privacy.
Material changes will be communicated by updating the "last updated" date in the footer and, where appropriate, by additional notice on our Website. We encourage you to review this policy periodically.
This privacy policy is currently available in English. A German-language version will be published upon completion of company formation, in accordance with the working languages of the Canton of Zug.
Current version: 1.2 — published 9 July 2026.
Changelog from 1.1: Disclosure of cookie-free, first-party usage measurement (no IP or user-agent storage, DNT/GPC honored); contact form live; publication of the German-language edition of this Website (/de/); clarified third-party service list.