Privacy Notice

Baited SA domiciliated c/o AMZ Fiduciaria Sagl, Via Merlina 15, 6962, Viganello, Switzerland (hereinafter the Company) collects personal data (as defined below) in compliance with applicable laws and regulations, in particular the Swiss Federal Data Protection Act 2020, as of 1 September 2023 (FDPA).

1. Definitions

Pursuant to the FDPA, the terms indicated below have the following meanings:

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Sensitive personal data: personal data worthy of special protection: (i) data concerning religious, philosophical, political or trade union matters, (ii) data concerning health, intimate sphere or race or ethnicity, (iii) genetic data, (iv) biometric data that uniquely identifies a natural person, (v) data relating to administrative and criminal proceedings and sanctions, (vi) data relating to social assistance measures.
  • Processing: any operation or set of operations, carried out with or without the aid of automated means, which apply to (groups of) personal data, including the collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, dissemination, communication by transmission, dissemination or any other form of disclosure, alignment or interconnection, limitation, erasure or destruction.
  • Data controller: a private person who or federal body which, alone or jointly with others, determines the purpose and the means of processing personal data.
  • Data Processor: a private person who or federal body which, alone or jointly with others, determines the purpose and the means of processing personal data.
  • Data subject: a natural person whose personal data is processed.

For the purpose of this Privacy Notice, you are the Data Controller with respect to the relationship with the Targets (as defined below), while the Data Processor under this privacy notice is Baited SA domiciliated c/o AMZ Fiduciaria Sagl, Via Merlina 15, 6962, Viganello, Switzerland.

2. Type of personal data acquired, purpose, legal basis and data storage

The Company uses specific software to conduct cybersecurity tests and campaigns (the Service) for its clients, which are typically legal entities (the Customers).

To provide the Service, the Company will process the personal data of Customers' employees (the Targets), as described below.

| Personal data | Data acquisition method | Purpose of the processing | Legal basis of the processing | Data retention time |
| --- | --- | --- | --- | --- |
| Identity of the Targets, namely: first name, last name, e-mail, date of birth, sex, phone number, information on the Targets' job, including title, role, description of the job, skills and salary | Through the software employed for providing the Service | For providing the Service | Fulfillment of contractual obligations | 10 years from the end of the contract with the Company |
| Personal data concerning the Targets publicly available on the Internet (including social media such as LinkedIn etc.) | Through the software employed for providing the Service | For providing the Services and maintaining the highest standard for the provision of the Service | Fulfillment of contractual obligations | 10 years from the end of the contract with the Company |

The Company, for the purpose of providing its Services, collects information concerning the Customers' profile (e.g. name, website, industry, size, location etc.). However, if the Customer is not a physical person, such information cannot be legally qualified as personal data, in accordance with article 5 of the FDPA.

If you provide, for the performance of the contract with the Company, personal data relating to members of your family or other interested parties, you assume responsibility for the disclosure of such data to us and confirm that you have their consent to share the relevant data.

To whom will the collected data be communicated?

We will only disclose your personal data if we are obliged to do so to comply with our legal or regulatory obligations, for business, administrative or contractual reasons or because you have instructed us to do so. This also includes disclosure:

  • within the Company;
  • to third parties who process personal data on our behalf (i.e. IT system providers, consultants, professionals and other service providers); and
  • to any government, authority, regulatory agency, supervisory or exchange body or court requiring it under applicable law or regulations.

3. Can the Company transfer data to a third country and/or international organizations?

The data collected by the Company is stored in Switzerland. However, the Company may engage one or more third-party providers that transfer data outside the European Economic Area (EEA). In this case, the Company must make sure that all necessary and appropriate measures are taken. Such measures include official Standard Contractual Clauses (SCCs), Binding Contract Rules (BCR) or any other instrument to safeguard the data protection of the Data Subjects outside the EEA. Where applicable, the Company will ensure that third-party providers will rely on the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Should these certifications lapse or become otherwise invalidated, the Company will rely on official Standard Contractual Clauses, Binding Contract Rules or any other instrument to safeguard the data protection of the data subjects.

No automated individual decision-making, including profiling

The Service of the Company does not take any decision that is based solely on automated processing and that has a legal consequence for or a considerable adverse effect on the Targets, including profiling which produces legal effects on Targets as data subjects. The Targets are therefore not subject to any automated individual decision-making, including profiling, under article 21 of the FDPA. In other words, although the Service may imply the processing of personal data, including career details and potentially behaviors, Article 21 does not apply since the Customer makes decisions manually and the Company is not responsible for such decisions, as it would act only as a data processor.

However, where applicable, it is understood that the Customer will always comply with article 21 of the FDPA, namely: a) will inform the data subject about any decision that is based exclusively on automated processing and that has a legal consequence for or a considerable adverse effect (such as refusing to enter into a contract or affecting the employment relationship); and b) on request, will allow the data subject to express their point of view and have the automated individual decision reviewed by a natural person.

4. Children's personal data

We do not address our Services to children under the age of 16. We do not intend to, or knowingly, collect or solicit personal information from children under the age of 16. Furthermore:

  • if a Target, a Customer or a prospect is under the age of 16, such individual shall not use the Service or the Website, or otherwise provide us with any personal data either directly or by other means.
  • if a minor has provided personal data to us, the Company encourages the child's parent or the legal representative of such child to contact us and request the deletion of the personal data from our systems.
  • if we learn that any personal data we collect has been provided by a child under the age of 16, we will promptly delete that personal information.

5. How we protect your personal data

The security of your personal data is important to us and to protect it we use various technical and organizational measures. We are committed to safeguarding and protecting personal data by taking appropriate measures against accidental or unlawful destruction, loss, alteration or unauthorized disclosure.

The Company may collect personal data publicly available on the Internet concerning the Targets. However, the Company will conduct such processing in compliance with the data minimization principle, so that only relevant, necessary, and proportionate data is collected for the specific purposes pursued. The Company will implement technical measures, including automated filtering mechanisms and data aggregation techniques, to limit the scope of data collection and to avoid excessive or unnecessary processing. Furthermore, appropriate safeguards, including pseudonymization and access controls, will be applied to protect the collected data from unauthorized access, use, or disclosure.

The Company will also periodically review and assess the necessity of retaining such data, ensuring that it is deleted or anonymized when no longer required for the intended purposes.

6. Rights of interested parties

Under data protection law, you have a number of rights in relation to your personal data. You have the right to request access, rectification or deletion of such information, the right to limit or object to processing and, in certain circumstances, the right to data portability. If your consent is necessary, you can revoke it at any time. If you wish to exercise the above rights, you can send a communication to:

Baited SA, c/o AMZ Fiduciaria Sagl, Via Merlina 15, 6962, Viganello, Switzerland
e-mail: [email protected]

We will try to respond within a maximum of one month, as provided by law, although we reserve the right to extend this period for more complex requests. We also reserve the right to charge a reasonable administrative fee for any manifestly unfounded or excessive requests for access to personal data and for any additional copies of the personal data requested.

You may also contact the Swiss Privacy Authority if our response does not satisfy you: www.edoeb.admin.ch
tel. +41 58 464 94 10, [email protected].

Contact information

This privacy notice is owned and operated by Baited SA.

You may contact us regarding this Privacy Notice by writing or emailing us at:

[email protected]

c/o AMZ Fiduciaria Sagl

Via Merlina 15

6962 Viganello

Switzerland

Email: [email protected]