Privacy Policy.

Data Controller

IBEX SERVICES SA (IBEX SERVICES AG / IBEX SERVICES Ltd) — CHE-114.803.997 — Società Anonima — Via Serafino Balestra 6, 6830 Chiasso, Switzerland — privacy contact: info@smemarket.ch — Data Protection Officer: Ilaria Gatti — effective 26 April 2026.

EU Representative (Article 27 GDPR)

Avv. Thomas Contin — Corso di Porta Vittoria 13, 20122 Milano, Italy — tc@advisorn.com — +39 333 790 6976.

§ 01 · Purpose and scope

1.1 This Privacy Policy informs you about the processing of personal data carried out by IBEX SERVICES SA (the “Controller”, “SMEMARKET”, “we” or “us”) when you visit www.smemarket.ch (the “Platform”), register an account, submit information, communicate with us, or otherwise interact with our services.

1.2 It is issued under the Swiss Federal Act on Data Protection of 25 September 2020 (“nDSG / FADP”), the Ordinance on Data Protection (“OPDP”), and — to the extent applicable to processing within the territorial scope of Article 3 GDPR — the EU General Data Protection Regulation 2016/679 (“GDPR”).

1.3 It applies to data subjects who are natural persons. Information concerning legal entities is not in principle “personal data” under the nDSG, but is treated with comparable diligence.

§ 02 · Categories of personal data processed

2.1 We process the following categories of personal data:

• (a) Identification data — first name, last name, date of birth where required, nationality, copy of identification document where required for verification.
• (b) Contact data — postal address, email address, telephone number, professional title and employer.
• (c) Account data — credentials, authentication factors, account preferences, profile information, role on the Platform (Buyer, Direct Seller, Fiduciary, Underlying Client).
• (d) Transaction data — information relating to listings, enquiries, expressions of interest, signed agreements, transaction values, fee invoices and payment records.
• (e) Financial and verification data — commercial register extracts, beneficial-owner information, source-of-funds declarations, sanctions screening results, banking details for invoicing.
• (f) Communications data — emails, messages, attachments, telephone notes, meeting minutes, recorded calls (where lawful and notified).
• (g) Technical and usage data — IP address, device identifiers, browser and operating-system information, log files, pages viewed, time stamps, referrer URLs.
• (h) Cookies and similar technologies — as further described in Article 9 below.

2.2 We do not in principle process special categories of personal data within the meaning of Article 5 lit. c nDSG and Article 9 GDPR (sensitive data such as health, religious beliefs, genetic or biometric data). Should the processing of such data become necessary, we will process it only on a lawful legal basis and inform you accordingly.

§ 03 · Sources of the data

3.1 We collect personal data primarily directly from you when you interact with the Platform.

3.2 We may also collect data from third-party sources, including (i) commercial registers and other public records; (ii) sanctions and politically-exposed-persons (PEP) databases; (iii) Fiduciaries who refer Underlying Clients; (iv) counterparties in a Transaction; (v) credit-information providers, where lawful; and (vi) publicly available professional sources.

§ 04 · Purposes of processing and legal bases

4.1 We process personal data for the following purposes:

• (a) Provision of the Platform and intermediation services — creating and managing accounts, publishing listings, facilitating introductions, supporting due diligence and negotiations, processing fee invoices.
• (b) Identity verification and onboarding — verifying identity, capacity, beneficial ownership, source of funds, and screening against applicable sanctions and PEP lists.
• (c) Compliance with legal obligations — tax law, accounting law, anti-money-laundering law (where applicable), commercial law, sanctions law and data-protection law.
• (d) Communication and customer support — responding to enquiries, sending operational notifications and service announcements.
• (e) Marketing and Platform improvement — subject to applicable opt-in or opt-out rules, sending updates, conducting analytics, conducting client satisfaction surveys.
• (f) Security and fraud prevention — monitoring access, detecting and preventing fraud, abuse and unauthorised access, ensuring information-security and business continuity.
• (g) Defence of legal rights — establishing, exercising or defending legal claims, including the recovery of fees and the enforcement of anti-circumvention provisions.

4.2 Under Article 31 nDSG, processing is in principle lawful when justified by (i) the data subject's consent, (ii) an overriding private or public interest, or (iii) by law. Under Article 6 GDPR, where applicable, our legal bases are: (a) performance of a contract (Art. 6(1)(b)); (b) compliance with a legal obligation (Art. 6(1)(c)); (c) our legitimate interests (Art. 6(1)(f)) — operating and securing the Platform, preventing fraud, recovering fees and managing our business; and (d) consent (Art. 6(1)(a)) — for non-essential cookies and direct marketing where consent is required.

§ 05 · Recipients of personal data

5.1 Personal data may be disclosed to the following categories of recipients, on a strict need-to-know basis:

• (a) staff and authorised representatives of the Controller;
• (b) counterparties to a Transaction (Buyer, Seller, Fiduciary, Underlying Client) within the limits of the relevant agreements and the NDA;
• (c) professional advisors of the Controller (lawyers, auditors, tax advisors, banks);
• (d) IT, hosting, cloud, communications and analytics service providers acting as processors on our behalf under written agreement;
• (e) public authorities and courts where required by law or court order;
• (f) acquirers, investors or successors of the Controller in the context of a corporate reorganisation, in each case under appropriate confidentiality undertakings.

5.2 We do not sell personal data and do not disclose it to third parties for their own marketing purposes without your prior consent.

§ 06 · International transfers

6.1 The Controller is established in Switzerland and processes personal data primarily within Switzerland and the European Economic Area (“EEA”). Switzerland and the EEA recognise each other as providing an adequate level of data protection.

6.2 Where we transfer personal data to third countries, we do so only if (i) the destination country offers adequate data protection as recognised by the Swiss Federal Council and/or the European Commission, or (ii) appropriate safeguards are in place — in particular Standard Contractual Clauses recognised by the FDPIC, supplemented where necessary by additional technical and organisational measures, or (iii) one of the statutory exceptions applies.

6.3 A list of countries to which transfers may take place, and a copy of the relevant safeguards, are available upon written request to the contact set out at the head of this Policy.

§ 07 · Retention

7.1 We retain personal data only for as long as necessary to achieve the purposes for which it was collected and to comply with our legal obligations.

7.2 In particular:

• (a) account data: duration of the account relationship + 10 years thereafter (Art. 957 et seq. CO);
• (b) transaction and accounting data: 10 years from the end of the relevant financial year (Art. 958f CO);
• (c) identity-verification data: duration of the relationship + period required by law thereafter;
• (d) communications data: as long as necessary for evidentiary purposes, in principle 10 years;
• (e) technical and usage logs: not exceeding 12 months, save for security incidents.

7.3 After expiry of the applicable retention period, personal data is deleted or anonymised, save where retention is required by law or necessary for the establishment, exercise or defence of legal claims.

§ 08 · Rights of data subjects

8.1 Subject to the conditions and limitations set out in the nDSG and the GDPR, you have the following rights:

• (a) Right of access (Art. 25 nDSG / 15 GDPR).
• (b) Right to rectification (Art. 32 nDSG / 16 GDPR).
• (c) Right to erasure (Art. 32 nDSG / 17 GDPR), subject to retention obligations.
• (d) Right to restriction (Art. 18 GDPR).
• (e) Right to data portability (Art. 28 nDSG / 20 GDPR).
• (f) Right to object (Art. 30 nDSG / 21 GDPR).
• (g) Right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• (h) Right to lodge a complaint with the FDPIC (Switzerland) at www.edoeb.admin.ch or with your competent national supervisory authority within the EEA.

8.2 Requests should be addressed in writing to info@smemarket.ch. We may request reasonable proof of identity. We will respond within 30 days, extendable in complex cases as permitted by law.

§ 09 · Cookies and similar technologies

9.1 The Platform uses cookies and similar technologies for: (i) strictly necessary cookies; (ii) functional cookies; (iii) analytics cookies (anonymised/pseudonymised where possible); and (iv) where applicable and only with your prior consent, marketing cookies.

9.2 You can manage your cookie preferences at any time through the cookie banner displayed on first visit and through the cookie settings accessible from the footer of the Platform.

9.3 A detailed list of cookies in use, their providers, purposes and retention periods is set out in the cookie information notice accessible from the Platform footer.

§ 10 · Automated decision-making and profiling

10.1 We do not in principle take decisions based solely on automated processing, including profiling, which produce legal effects concerning you (Art. 21 nDSG / 22 GDPR).

10.2 Should we introduce such processing in the future, we will inform you in advance, provide the safeguards required by law, and give you the right to obtain human intervention, to express your point of view and to contest the decision.

§ 11 · Security of processing

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful access, accidental loss, destruction, alteration or disclosure (Art. 8 nDSG / 32 GDPR). These include access controls, encryption in transit and at rest where appropriate, segregation of environments, regular backups, logging and monitoring, staff training, and contractual safeguards with our processors. In the event of a personal-data breach likely to result in a high risk to data subjects, we will notify the FDPIC and, where applicable, the competent EEA supervisory authority and affected data subjects within the timeframes prescribed by law.

§ 12 · Personal data of children

The Platform is intended exclusively for use by professionals and businesses. It is not addressed to children. We do not knowingly collect personal data of persons under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it without delay.

§ 13 · Changes to this Policy

We may update this Policy from time to time. The current version is identified by the version number and effective date set out at the head of this document. Material changes will be notified to registered Users by email and through the Platform. The latest version is always accessible from the footer.

§ 14 · Contact and complaints

14.1 Privacy contact. For any question relating to this Policy or the exercise of your rights, please contact us at info@smemarket.ch or by registered mail to IBEX SERVICES SA, Via Serafino Balestra 6, 6830 Chiasso, Switzerland.

14.2 Swiss supervisory authority. FDPIC, Feldeggweg 1, 3003 Bern, Switzerland — www.edoeb.admin.ch.

14.3 EEA supervisory authority. Data subjects in the EEA may lodge a complaint with their habitual-residence supervisory authority, place of work, or place of the alleged infringement.