This Privacy Policy is provided to user's by Board Foundation a Swiss Foundation (UID-No.: CHE-253.574.973) having its registered office at Pestalozzistrasse 2, 9001 St. Gallen, Switzerland (hereafter, the “Company”).

The Company offers a platform “Board Networks of the International Board Foundation” (hereafter, the “Platform”) to its users which have subscribed on the Platform and as such have a user account (hereafter, the “Users”). The Platform is available at the following url address https://ibf.hivebrite.com/.

The Company uses a solution called “Hivebrite” to operate the Platform, which enables the import and export of User lists and data, the management of content and events, the organization of emailing campaigns and opportunity research and sharing as well as the management of funds and contributions of any kind.

In this regard, as data controller, the Company is particularly aware and sensitive with regard to the respect of its Users privacy and personal data protection. The Company commits to ensure the compliance of the processing it carries out as data controller in accordance with the applicable provisions of the Swiss Federal Act on Data Protection of 19 June 1992(including any ordinances thereto), as amended from time to time, and, to the extent applicable, the EU General Data Protection Regulation EU 2016/679 regarding data protection dated April 27, 2016.

This privacy policy is intended for the Users of the Platform of the Company and explains how the Company collects, shares and otherwise processes personal data of Users when they use or access the Platform. The Company does not collect any sensitive personal data within the meaning of applicable data protection laws.

Article 1. COLLECTED PERSONAL DATA

1.1 When subscribing on the Platform

When subscribing to the Platform, the User should at least provide the following personal data to register a user account:

• Email address
• Name and surname
• Gender
• Postal address
• Information on whether the subscriber is a member or secretary of a board of an institution with at least ten (10) employees

The User may also provide additional personal data for his or her user account such as information on expertise, industry, titles, work contact information or experience.

If a User subscribes to receiving regular information through newsletters, group alerts, notifications of comments or other activity, invitations for events organized by the Company or other Users or other commercial information and communications, the Company will require the email address of the User. A User can unsubscribe from receiving any such information or communication at any time.

Th User commits to only provide accurate, exhaustive, and regularly updated data regarding its identity, its content and any information in general. Under no circumstances shall the Company be liable for any data that is illegal contrary to public order provisions.

In the event the User does not provide the required data mentioned above, the Company may not be able to provide access to the Platform.

1.2 During the use of the Platform

The User may validly publish, at his or her own initiative, any content on the Platform which shall be kept by the Company and shall be made available to other Users of the Platform, such as (but not limited to)

• Information regarding personal education, professional experience, CV
• Portrait picture
• Contact information
• Messages, likes, comments and posts
• Information regarding participation in events

In case a User publishes personal data of another individual, or company (if protected under applicable data protection laws), the User commits that he or she has obtained this information and is permitted to publish this information in accordance with applicable data protection laws.

The User acknowledges that, following the publication of the content listed above, such content will become public on the Platform and that as such content can be published, modified, translated, reproduced in any form and accessible, saved and reproduced by other Users and the Company.

In most cases, Users post contents without previous moderation from the Company. The Company does not alter the content or information of the User, except under exceptional circumstances, including but not limited to the cases described in the Terms of Use. In Accordance with the Terms of Use, the Company reserves its right to freely delete or amend the content or information of the User, without prejudice to the Users, in particular if such content is in breach of applicable laws. 

In case content is published on the Platform that breaches this privacy policy, applicable law or the rights of third parties, anyone can inform the Company of the existence of such content at the following address: [email protected]

1.3 Registration to events through the Platform

When registering for an event through the Platform, certain personal data will be automatically forwarded to the organisers:

name and surname

title

address

The organisers may request further information depending on the event such as names of other participants a User registers, dietary information, accommodation or billing address.

1.4 Application for board mandates through the Platform

If a User opts to use the Company's services connected to open board mandates, the Company will manually forward the job-related information a User has uploaded or saved in his or her account such as CV, cover letters, education, experience or references to the respective organizations. Once the job-related information has been forwarded to the respective organization, the organization can directly contact the User for the further process. 

The Company will only forward such job-related information and allow the respective organization to directly contact a User, if a User has provided his or her consent. A User can withdraw such consent at any time.

1.5 Cookie data

The Company uses tracking technology on the Platform such as cookies whenever the User navigates on the Platform.

Cookies are small text files that are placed in browser directories on a User's device (e.g. computer or mobile device) when he or she visits the Platform. The Platform uses session cookies and persistent cookies. Session cookies enable Users to move from page to page within the website and any information a User enters to be remembered. A session cookie is deleted when a User closes his or her browser or after a short time. Persistent cookies allow the Platform to remember a User's preferences and settings when he or she visits the platform in the future. Persistent cookies expire after a set period of time.

Among other things, the Company uses these cookies to collect data regarding the internet navigation of the User or to send tailor-made services the User's device such as the computer, mobile phone or tablet (see below under Article 8 of this privacy policy).

The cookies used by the Company may collect certain personal data such as domain name, user settings (e.g. language preferences), User's unique session ID, authentication data and the time of a User's login (time stamp) and other metadata.

The cookies the Company uses are detailed under Article 2 of this privacy policy.

The purpose for which the data is collected through the cookies is detailed under Article 8 of this privacy policy.

Article 2. THE PURPOSE AND LEGAL BASIS OF THE DATA PROCESSING

In general, the Company and its subcontractors only collect, process or host the User’s personal data for the purpose of ensuring the optimal implementation and use of the Platform. In particular, the Company and its subcontractors collect, process and host personal data that are provided by the User when accessing the services on the Platform for the following purposes:

Collected Data	Purpose of the processing
When subscribing on the Platform: Email address Name and surname Gender Postal address Information on whether the subscriber is a member or secretary of a board of an institution with at least ten (10) employees Information on expertise, industry, titles, work contact information or experience	Access to the Platform; Creation of a user account; Access for the User to all functionalities of the Platform offered in the membership package Management of requests to access, amend, delete, limit and oppose to the processing of the personal data.
When using the Platform:   Any content the user publishes at his or her own initiative, such as (but not limited to) Information regarding personal education, professional experience, CV portrait picture contact information messages, likes, comments and posts information regarding participation in events	The use and feeding of the Platform; Sending newsletters, group alerts, notifications of comments or other activities, invitations for events organized by the Company or other Users, if the User has accepted to receive such invitations; Sending job offers or other commercial information or communications from the Company or its partners if the User has accepted to receive such offers.
Cookies, trackers: Add to calendar  Keep active session  The user/admin ID  User first connexion  Identify the user session Admin ID  User search  Google analytics #1, #2, #3. LinkedIn	Improve the quality of the services proposed by the Platform; Improve the usage functionalities of the Platform; Create statistics regarding the effective use of the Platform; Enable the User not to have to reconnect to the Platform for every new navigation on the Platform; Invite the User to events organized by the Company; Create statistics regarding the different levels of activity on the Platform. The cookies cannot allow to identify the User; Enable the synchronization of the User’s LinkedIn profile; Manage banking transactions, for example, to pay for a User's membership.

 

Google Analytics is run by Google LLC in the US and provides the Company with information about how Users use the Platform. Google uses cookies as part of the process to collect anonymous information, such as the number of Users to the Platform, where they are from, the pages they visit and the length of time they have spent on our website. The Company generally does not share Users' personal data with Google (not even IP addresses). Google can however follow a User's use of the Platform, combine this information with other websites a User visited that Google also follows, and use this information for Google's own gain (e.g. advertising). If a User is registered with Google, Google also knows the User. The processing of the User's personal data by Google then takes place under the responsibility of Google and in accordance Google's own privacy policies.

The Company processes Users' personal data for the aforementioned purposes, based on the following legal bases according to applicable data protection laws:

• the performance of a contract with the User (e.g. to provide the Platform to a User) (article 6(1)(b) GDPR);
• in connection with a legal obligation (article 6(1)(c) GDPR);
• the User's consent (where necessary) to such use (article 6(1)(a) GDPR); or
• if the Company or a third party has a legitimate interest which is not overridden by a User's interests or rights and freedoms. Such legitimate interests include the provision of the Platform to the Users and the services connected thereto (article 6(1)(f) GDPR).

 

Article 3. USER’S CONSENT TO THE COLLECTION OF DATA

To the extent required by applicable data protection laws or other applicable laws, the Company will obtain the User's explicit consent for the processing of his or her personal data.

If a User has provided his or her consent to the collection, processing or transfer of his or her personal data for a specific purpose, the User has the right to withdraw such consent for that specific processing at any time. Once the Company has received notification of such withdrawal, the Company will no longer process the personal data for the purpose or purposes the User originally agreed to, unless the Company has another legitimate basis for doing so.

Article 4. LENGHT OF DATA RETENTION

The Company retains personal data only as long as necessary for the purposes described in this privacy policy, in particular for the entire length of a User’s subscription to the Platform. If a User does not access his or her account or otherwise interact with the Company or Platform for a period of three (3) years, the User's personal data will be deleted.

Following the termination of said subscription, the personal data collected and processed during the subscription (including any personal data provided to the Company when a User exercises his or her rights according to Article 5 of this privacy policy) as well as the content published by the User on the Platform shall be deleted after a period of one (1) year, unless Company is required to store the personal data longer due to a legal obligation or because the Company has an overriding interest in the further retention, e.g. due to a potential or on-going court proceeding or investigation by a competent government authority. Once such legal obligations or overriding interests no longer apply the personal data will be deleted after one (1) year.

Personal data collected by cookies on the Platform will be automatically deleted thirteen (13) months following their placing on the User’s device.

Article 5. EXERCISE OF THE USERS’ RIGHTS

The User is duly informed that it disposes at any time, meaning prior to, during or following the processing of his or her personal data, to a right to access, copy, rectify, oppose, port, limit and delete his or her personal data.

The User can exercise his or her rights by sending an email to the following address [email protected] or by mail at the following address Board Foundation, Pestalozzistrasse 2, 9001 St. Gallen, Switzerland provided that the User confirms his or her identity.

In certain cases, the Company may refuse to grant a User's right if applicable data protection laws or other applicable laws allow or oblige the Company to do so, in which case the Company will provide reasons for its decision as required by applicable law.

In addition, in the event the User considers that his or her rights have not been respected, the User can file a complaint with the competent supervisory authority.

The competent supervisory authority for Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

Article 6. SHARING USERS’ PERSONAL DATA WITH THRID PARTIES AND INTERNATIONAL DATA TRANSFERS

If required or useful for the Company to provide the Platform including any services connected to the Platform or for other purposes defined in this privacy policy such as for administrative or maintenance purposes of the Platform to the exclusion of any commercial use, and if applicable, in order to enforce the rights exercised by the Users regarding their personal data, the Company may share User's personal data with third parties (such as advisors, affiliated parties, business partners, service providers and other persons) in Switzerland, the EU or other countries. Further, the Company may share personal data with third parties where:

 

• a User has consented to the Company doing so (where necessary);
• the Company is under a legal, regulatory or professional obligation to do so; or
• it is necessary in connection with court proceedings or in order to exercise or defend legal rights.

 

The Company uses third parties who provide services on its behalf and may share the User's personal data with them, for example banks, insurance companies or cloud, IT and software providers who may have access to the personal when providing IT or software support.

In particular, the Company has subcontracted the processing of the Users’ personal data to Hivebrite, as subcontractor. In connection thereto, the Company shares Users' personal data with KIT UNITED for its HIVEBRITE solution, a French société par actions simplifiée with a capital of 284.280,00 Euros, registered with the Paris Companies register under the number 75339171300017, having its registered office at 8, rue de la Grande Chaumière, 75008 – Paris

For any additional information on Hivebrite and how they process personal data, a User can consult the webpage available at the following address: www.hivebrite.com.

The personal data collected by the Company is hosted by the following service providers:

Host	Nature of the hosting
Microsoft Azure Cloud   Privacy policy: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx	Hosting of all data and content produced / provided by the User, as well as images, profile pictures and backups
Amazon AWS   Privacy policy: https://aws.amazon.com/compliance/gdpr-center/

 

In general, the Company only processes personal data of its Users in Switzerland or the EU. However, if third parties with whom the Company shares personal data of Users are located outside of Switzerland or the EU, the Company only transfers such personal data on a basis that ensures an adequate level of data protection according to applicable data protection laws, e.g. by signing a data transfer agreement.

Article 7. DATA SECURITY

The Company has put in place appropriate security measures to hold User's personal data securely in electronic and physical form, to protect it from unauthorised access, improper use or disclosure, unauthorised modification or unlawful destruction or accidental loss. The Company's premises are access controlled and surveyed by video recording where required and our electronic databases require logins and password authentication.

The Company's employees and third-party service providers who have access to confidential information (including personal data) are subject to confidentiality obligations.

In case of a breach of its systems, or theft, deletion, loss, alteration, disclosure, unauthorized access, or any other malicious act concerning a User's personal data, the Company commits to notify its Users and competent supervisory authority as required by applicable data protection laws.

Article 8. COOKIE MANAGEMENT CONFIGURATION AND OTHER DATA

The User’s consent to the use of certain cookies is requested through a banner at the bottom of the Platform homepage.

In case of consent, the User’s internet browser shall automatically transmit to the Company the data collected and detailed under Article 1.5.

The User is informed that the cookies and trackers will be automatically deleted following a period of thirteen (13) months.

The User may at all times configure its browser in order to prevent the creation of cookie files.

However, certain functionalities of the services offered on the Platform may not function properly without the use of such cookies. In addition, even if most browsers are configured by default and accept the creation of cookie files, the User has the possibility to choose to accept the creation of all cookies other than the functional cookies or to systematically decline them or to choose the cookies it accepts depending on the issuer by configuring the settings in the browser.

The Company uses cookies for the following purposes:

Data collected for the following purposes:

General data enabling the proper functioning of the Platform and the improvement of the services proposed by the Platform.

Data regarding the management of payment services proposed by the Platform, delinquencies and litigation.

Data enabling the creation of User files; Mailing of commercial offers, advertisements or newsletters of the Company and/or its commercial partners if this has been accepted by the User.

Compilation of statistics with the purpose of improving the functioning of the Platform notably by analysing the traffic of the Platform (modules which are more or less consulted, preferred routes, level of activity depending on the day of the week et hour of the day, etc.) and by adapting the Platform according to the needs and tastes of the Users (recognition of the User when it accesses the Platform).

Management of requests to exercise Users' data protection rights to access, rectify, delete, limit and oppose.

 

Article 9. CHANGE TO THIS PRIVACY POLICY

Especially in light of any future developments of the applicable data protection laws, the Company reserves its right to proceed with any modification of its privacy policy and commits to duly inform Users if any such modification occurs.

 

Date of privacy policy: February 12^th, 2021.