Privacy Policy of Hypohaus AG

Version of November 25, 2025

In this Privacy Policy, we, Hypohaus AG (hereinafter “Hypohaus”, “we”, or “us”), explain how we collect and otherwise process personal data. This is not an exhaustive description; other privacy policies or general terms and conditions, participation terms, and similar documents may regulate specific matters. Personal data includes all information relating to an identified or identifiable individual.

If you provide us with personal data of other persons (e.g., family members, colleagues), please ensure that these individuals are aware of this Privacy Policy and only share their personal data with us if you are authorized to do so and if the personal data is accurate. You warrant that any personal data of third parties you share with us has been lawfully collected, i.e., with consent for collection and for disclosure to third parties, including us.

This Privacy Policy is designed to comply with the requirements of the Swiss Data Protection Act (“DSG”). Whether and to what extent this law applies depends on the individual case.

  1. Controller / Data Protection Officer

The controller for the data processing activities described herein is Hypohaus AG, Mr. Fabio Isler, Webergasse 5, 9000 St. Gallen, Switzerland, unless otherwise stated in a specific case.

If you have any data protection concerns, you may contact us at: kontakt@hypohaus.ch

  2. Collection and Processing of Personal Data

We primarily process the personal data we receive from our customers and other business partners, and from other individuals involved, in the context of our business relationships, or that we collect from users of our websites, software, and other applications.

We offer extensive services in the field of mortgage brokerage. If you wish to become our customer, we request a variety of information from you. In particular, we request financing documents relating to your desired mortgage. In the course of providing our services, we may receive additional personal information about you, which may include:

  • General personal information such as name, first name, date of birth, gender, address, family members, copies of passports or ID cards, phone number, private email;
  • Financial information such as bank details, tax data, salary data, debt collection register extracts, and pension data;
  • Any additional information you voluntarily provide to us.

Using this contact information, we can verify your identity, provide services to your full satisfaction, and inform you about changes or important situations related to our services (for which we may send you or your relatives or representatives an email or contact you otherwise). Contact information may also allow third-party providers to contact you at your request.

You acknowledge that particularly sensitive personal data about you as a customer—especially concerning your financial situation—may be collected and disclosed to external providers or service providers such as capital providers, and you expressly consent to this.

If you are an employee, supplier/service provider, or subcontractor, we may request or receive documents containing the following data and process such data:

  • Personal information: name, date of birth, address, nationality, contact details, possibly data on family members (e.g., in the case of trainees/apprentices) or emergency contacts, marital status, etc.;
  • Financial information: creditworthiness information/debt collection register extracts, bank data, etc.;
  • Information for the personnel file (assessments, records of employee interviews, etc.);
  • Tax information/AHV numbers, social security numbers, etc.

During employment, we collect or process various data of employees. In addition to the above, this includes the following information for the personnel file: signed/accepted contracts and regulations, sick leave records, insurance information, employment start/end dates, skills, work history, technical and interpersonal skills, absences, vacation, salary, benefits, and performance evaluations/qualifications. This information is retained as long as legally required. The personnel file is periodically reviewed, and non-essential information is deleted.

If you contact us—for example, via email or through the contact form on our website—we receive certain personal data about you. This includes contact details, the content of your communication, and any attachments. We use this data to process your request.

Personal data collected through use of our online services

When you use our online services, we collect data regarding how you access and use them (“usage data”). Such usage data is sent by your browser when visiting our website and may include information such as IP address, browser type, browser version, the pages visited, the time and date of your visit, time spent on pages, and other anonymized data about your interactions with the website. When accessing the website from a mobile device, usage data may also include device type, unique device ID, and diagnostic data. This data helps us provide, maintain, and improve our website and your user experience. We may also share anonymized data for research purposes with selected research institutions.

We and our partners (e.g., advertising and analytics partners) may use cookies and related tracking technologies to understand your use of our services and to collect specific data. More information is provided below.

Personal data we receive from third parties

Other users of our services may provide personal data about you when contacting us.

We may receive data about you and your activities on and off our website from our partners (e.g., advertising and analytics partners). This enables us to understand your interest in and interactions with our services and to improve and promote them.

Some platform features may require us to collect data from third-party providers on behalf of our users. Details for individual services are provided in the sections below.

Publicly accessible sources

To the extent permitted, we also obtain data from publicly accessible sources (e.g., debt collection registers, land registers, commercial registers, press, internet) or from authorities and other third parties. Besides the data you provide directly, personal data categories we receive from third parties include, in particular: information from public registers; data obtained in connection with legal or administrative proceedings; data related to your professional roles or activities; information provided by third parties in your environment (family, advisors, legal representatives, etc.); creditworthiness information; information from banks, insurers, distribution partners; media and online content about you; addresses, interests, and sociodemographic data; and website usage data (e.g., IP address, device identifiers, device settings, cookie data, visit date/time, pages accessed, functionalities used, referring websites, location information).

We do not collect particularly sensitive personal data via this method.

  3. Purposes of Data Processing and Legal Bases

We primarily use the personal data we collect to enter into and fulfill our contracts with customers and business partners—particularly regarding mortgage brokerage—and to comply with legal obligations in Switzerland and abroad. If you represent such a customer or business partner, your personal data may also be processed in this context.

We also process personal data—where permitted and appropriate—for the following purposes, which correspond to our (and at times third-party) legitimate interests:

  • Brokerage of mortgage products;
  • Responding to inquiries and communicating with you;
  • Providing and operating our website and online platform;
  • Credit checks;
  • Further developing our offerings, services, websites, software, and platforms;
  • Providing support services for users of our services, websites, software, and platforms;
  • Communicating with third parties and processing their inquiries (e.g., applications, media inquiries);
  • Reviewing and optimizing procedures for needs analysis for the purpose of direct customer outreach and collecting personal data from public sources for customer acquisition;
  • Advertising and marketing (including hosting events), unless you have objected; customers may object at any time and will be added to a block list for further marketing communications;
  • Market and opinion research, media monitoring;
  • Exercising or defending legal claims in connection with legal disputes and administrative proceedings;
  • Preventing and investigating criminal acts and other misconduct (e.g., internal investigations, data analytics for fraud prevention);
  • Ensuring the operation of our business, especially our website and online platform, and IT security;
  • Video surveillance for house-right enforcement, building and facility security, and protection of staff and other individuals and assets (e.g., access controls, visitor lists, network and email scanners, phone recordings);
  • Business transactions such as the acquisition or sale of business units or companies and related data transfers, and measures for business management and compliance with legal, regulatory, or internal requirements.

If you have consented to certain data processing activities (e.g., newsletter sign-ups or background checks), we process your data within the scope of that consent unless another legal basis applies. Consent can be withdrawn at any time, but withdrawal does not affect prior processing activities.

We only process particularly sensitive personal data where strictly necessary to enter into or fulfill contracts with customers and business partners. Such data is not used for marketing purposes and is not disclosed to third parties unless strictly necessary.

  4. Cookies / Tracking and Other Technologies

We typically use cookies and similar technologies on our websites to identify your browser or device. A cookie is a small file sent to your computer or automatically stored by your browser when you visit our site. When you visit again, we can recognize you—even if we do not know your identity. Most cookies are “session cookies,” deleted automatically when you leave the site. Permanent cookies may also be used to store user preferences or other information for a period of time (e.g., two years). You can adjust your browser to reject cookies, store them only for a session, or delete them early. If you block cookies, some website features may not function.

Our website may contain links to third-party websites. We have no control over these websites, their content or availability, nor their privacy policies. We disclaim any liability for third-party websites.

Newsletter

Our newsletters and marketing emails may include visible and invisible image elements that allow us to determine whether and when you opened an email. This helps us measure and improve our offerings. You can block this in your email program. By using our websites and consenting to newsletters or marketing emails, you agree to the use of these technologies.

Hosting Provider & Server Log Files

Our website provider, outperform gmbh, Fürstenlandstrasse 142, 9014 St. Gallen, automatically collects and stores information in server log files transmitted by your browser, such as:

  • IP address
  • Browser type and version
  • Operating system
  • Referrer URL
  • Hostname of the accessing device
  • Time of the server request

These data cannot be directly linked to individuals. No merging with other data sources occurs. We reserve the right to review such data if there is evidence of unlawful use.

Google Analytics and Other Analytics Services

We may use Google Analytics or similar services. This service is provided by third parties (for Google Analytics: Google Ireland, relying on Google LLC in the US). These services allow us to measure and evaluate website usage (not on a personally identifiable basis). Permanent cookies are used for this purpose. We configure the service so that IP addresses of visitors are truncated within the EU before being transferred to the US and thus cannot be traced back. We have disabled “data sharing” and “signals.” Although we assume the information shared with Google is not personal data, Google may still draw inferences, create profiles, or link them with Google accounts. Their processing is subject to their own privacy policies.

Social Media Plug-ins

We use plug-ins from social networks such as Facebook, LinkedIn, or Instagram. These are visible through their icons. They are deactivated by default. If you activate them (by clicking), the social network operator may register that you were on our website and use this information for its own purposes. We do not receive information about you from these operators.

Advertising Technologies

We use advertising technologies such as Google Ads or Facebook Pixel to target visitors of our website on other websites with relevant ads. Ads are displayed based on an analysis of prior website usage. Providers set cookies for this purpose.

Resources from External Websites

We integrate resources from external servers, including visible content (videos, music) and technical resources (fonts, scripts, captchas). These improve performance or security. When retrieving these resources, the external provider receives your IP address and any required metadata.

Forms

Our website contains various forms and mortgage calculators. Data submitted via these tools is stored to process your request and for follow-up questions.

  5. AI-Assisted Document Analysis

We use automated and AI-assisted document analysis for reviewing customer requests. Providers include:

  • Azure AI Document Intelligence by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
  • Software by Parsewise Ltd, 5th Floor, 167-169 Great Portland Street, London, England
  • Software by pargoo GmbH, Schaffhauserstrasse 141, 8057 Zürich

These technologies are used solely to efficiently analyze documents submitted by you, extract content automatically, and evaluate it. No automated decision-making takes place, and all outputs are reviewed for accuracy where appropriate.

We configure each AI solution to be as privacy-friendly as technically possible. However, we cannot guarantee that all measures can be implemented in every individual case. Specifically, we take the following steps:

  • Data processing occurs in data centers within the European Union
  • Data transfers are encrypted
  • No personal data is used for training purposes or stored permanently
  • Logging and diagnostic functions are reduced to the absolute minimum
  • Provider access to prompts and outputs is restricted where technically possible (“opt-out of abuse monitoring”)
  • We implement all additional measures referenced in Section 8 of this Privacy Policy

You acknowledge that particularly sensitive personal data (e.g., financial or religious data contained in tax documents) may be processed and possibly transmitted through AI-assisted analysis, and you expressly consent to this.

  6. Disclosure of Data and Transfers Abroad

In connection with our business activities and for the purposes described in Section 3, we may disclose personal data to third parties, where permitted and appropriate. This includes both processors acting on our behalf and third parties using the data for their own purposes. Such recipients include:

  • Banks and lenders to whom we refer customers, including third-party intermediaries and offer platforms;
  • Financial service providers, subcontractors, and other business partners;
  • Our service providers (e.g., banks, insurers, credit check providers), including processors such as IT providers, including:
    • outperform gmbh (hosting provider)
    • Our AI service providers (Section 5)
    • Hostpoint AG (server provider), Neue Jonastrasse 60, 8640 Rapperswil SG
    • pargoo GmbH (software agency), Schaffhauserstrasse 141, 8057 Zürich
  • Customers;
  • Domestic and foreign authorities, agencies, or courts;
  • Media;
  • The public, including website visitors and social media users;
  • Competitors, industry organizations, associations, and other bodies;
  • Buyers or potential buyers of business units or company parts;
  • Other parties in legal proceedings

These recipients are primarily located in Switzerland or the EU but may be located anywhere in the world.

If a recipient is in a country without adequate data protection, we require them to comply with applicable data protection standards (using the European Commission’s Standard Contractual Clauses: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) unless they are already subject to a recognized safeguard or we are permitted to rely on an exemption (e.g., legal proceedings abroad, overriding public interests, contract performance, your consent, or publicly available data you have not objected to).

Particularly sensitive personal data is only disclosed if strictly necessary for contract fulfillment or if legally required.

  7. Retention Period

We process and store your personal data as long as necessary to fulfill our contractual and legal obligations or for other processing purposes—typically throughout the entire business relationship (from initiation to termination) and beyond as required by legal retention and documentation obligations. Data may also be retained for the period during which claims may be asserted against us or where we otherwise have a legitimate interest (e.g., evidence or documentation). Once data is no longer required, it will be deleted or anonymized wherever possible. Operational data (e.g., system logs) generally have much shorter retention periods of twelve months or less.

  8. Data Security

We implement appropriate technical and organizational security measures to protect your personal data from unauthorized access or misuse, including access controls, encryption of data carriers and transfers, and cybersecurity training for staff.

Particularly sensitive personal data is processed only by qualified employees who have signed a confidentiality agreement.

  9. Obligation to Provide Personal Data

In the context of our business relationship, you must provide the personal data necessary for establishing and carrying out the relationship and fulfilling contractual obligations (there is generally no legal obligation to provide us with data). Without such information, we will generally be unable to enter into or perform a contract with you (or the entity you represent). This applies especially to information required for mortgage transactions. The website also cannot be used without certain data necessary to ensure data transmission (e.g., IP address).

  10. Rights of the Data Subject

Under applicable data protection law and to the extent provided therein, you have the right to access, correct, delete, restrict processing, and object to our processing activities—particularly direct marketing, profiling for direct marketing, and other processing based on legitimate interests—as well as the right to receive certain personal data in a transferable format (“data portability”).

We may invoke statutory limitations, for example, if we are required to retain certain data, have an overriding interest (where permissible), or need the data to assert claims. If costs are incurred, we will inform you in advance. Consent may be withdrawn at any time.

Exercising these rights usually requires proof of identity (e.g., by providing a copy of an ID where identity cannot otherwise be confirmed). To exercise your rights, please contact us at the address indicated in Section 1.

Every data subject also has the right to enforce claims in court or file a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC): http://www.edoeb.admin.ch.

  11. Changes

We may amend this Privacy Policy at any time without prior notice. The current version published on our website applies. Where the Privacy Policy forms part of an agreement with you, we will inform you of updates via email or other appropriate means.