At a glance
- We are a Geneva-based confidential advisory firm. We do not sell, rent or trade personal data.
- We only collect personal data you voluntarily provide (contact form, career application, scheduling) or that is technically required to operate the site (server logs).
- Non-essential cookies and analytics are off by default and only activated after your explicit consent.
- You can exercise your access, rectification, deletion, objection, portability and consent-withdrawal rights at any time by writing to ajay@nexorissuisse.ch. We respond within 30 days.
- This policy complies with the revised Swiss Federal Act on Data Protection (revFADP/nDSG, in force since 1 September 2023), the Swiss Data Protection Ordinance (DPO/OPDo), the EU General Data Protection Regulation (GDPR) and Article 45c of the Swiss Telecommunications Act (FMG/LTC) governing cookies.
1. Scope and Introduction
Nexoris Suisse Sàrl ("Nexoris Suisse", "we", "us", or "our"), a société à responsabilité limitée registered in Geneva, Switzerland, is committed to protecting the personal data of every person who visits this website, contacts us, applies for a role, books a meeting or subscribes to our communications.
This Privacy & Cookie Policy describes the personal data we process, the legal bases on which we rely, with whom we share it, how long we keep it, the safeguards we apply when data is transferred abroad, and the rights you may exercise.
Because of the confidential nature of our work (corporate investigations, ethics & compliance, due diligence, regulatory advisory), our default posture is data minimisation, purpose limitation and strict confidentiality. We apply the same discipline to our own website that we recommend to our clients.
2. Data Controller, Representative and Contact for Privacy Matters
2.1 Data controller
Nexoris Suisse Sàrl1201 Geneva, Switzerland
Email: ajay@nexorissuisse.ch
2.2 EU/EEA representative (GDPR Art. 27) — To the extent that the GDPR applies extraterritorially to our processing of EU/EEA visitors’ data, you may also contact us at the address above. If you are based in the EU/EEA and would prefer a written response from a representative within the Union, please indicate this in your request and we will direct it accordingly.
2.3 Contact for privacy matters — For any question, request or complaint concerning your personal data, write to ajay@nexorissuisse.ch with the subject line "Data Protection". We may ask you to confirm your identity before we act on the request, in order to prevent unauthorised disclosure.
3. Categories of Personal Data We Process
We process the following categories of personal data:
| Source | Data categories |
|---|---|
| Contact form | Full name, email, company/organisation, country, area of interest, message content. |
| Career applications | Full name, email, telephone (if provided), CV and motivation letter, role applied for, any other content you voluntarily include in the application. |
| Newsletter / subscription | Email address and (optional) name. |
| Meeting scheduling (Calendly) | Name, email, time zone, meeting topic, calendar availability you choose to share. |
| Server logs & security | Truncated IP address, user-agent, referrer, requested URL, timestamp, HTTP response code. Retained only for security, abuse prevention and statistics. |
| Cookies & similar technologies | Consent preferences, language, and — only with consent — pseudonymous analytics identifiers (see §6). |
Sensitive personal data (revFADP Art. 5(c); GDPR Art. 9) — we do not request or expect to receive sensitive data through this website. Please do not send sensitive information (e.g. health data, religious or political views, allegations of criminal conduct, whistleblower disclosures) via the contact form or email. For confidential reporting, please request a secure channel first.
4. Purposes of Processing and Legal Bases
We process personal data only for specific, legitimate purposes and on the basis of a lawful ground under revFADP Art. 6 and Art. 31 and, where applicable, GDPR Art. 6.
| Purpose | Legal basis (revFADP / GDPR) | Retention |
|---|---|---|
| Responding to your enquiry and pre-contractual exchanges | Legitimate interest (revFADP Art. 31(2)(a); GDPR Art. 6(1)(f)) and performance of pre-contractual measures (GDPR Art. 6(1)(b)) | Up to 24 months after last contact |
| Processing job applications | Pre-contractual measures and your consent (GDPR Art. 6(1)(b) and Art. 6(1)(a)) | 6 months after the recruitment process closes (longer only with your express consent for a future-vacancy talent pool) |
| Newsletter and marketing communications | Consent (revFADP Art. 6(7); GDPR Art. 6(1)(a)) — you may unsubscribe at any time | Until you withdraw consent |
| Scheduling consultations (Calendly) | Performance of a pre-contractual measure at your request and your consent | Calendar entry deleted within 12 months of the meeting date |
| Website analytics (only if you consent) | Consent (FMG Art. 45c; GDPR Art. 6(1)(a)) | Up to 14 months (Google Analytics default; configurable) |
| Site operation, security, abuse prevention, log review | Legal obligation and legitimate interest (revFADP Art. 31; GDPR Art. 6(1)(c) and (f)) | Server logs: 90 days; security incident logs: up to 12 months |
| Compliance with legal obligations (e.g. tax, accounting, court orders) | Legal obligation (GDPR Art. 6(1)(c); Swiss Code of Obligations Art. 958f — 10-year retention for accounting records) | Statutory periods (typically 10 years for accounting documents) |
5. Automated Individual Decisions and Profiling
We do not use this website to make automated decisions that produce legal or similarly significant effects on you (revFADP Art. 21; GDPR Art. 22). We do not engage in high-risk profiling of website visitors. Aggregated and pseudonymised analytics (if consented) are used only to improve content and performance.
6. Cookies and Similar Technologies
A cookie is a small text file placed on your device. Under Article 45c of the Swiss Telecommunications Act (FMG/LTC) and the GDPR, we may set strictly necessary cookies without consent, but we will not activate functional, analytics or marketing cookies until you give explicit, granular consent through our cookie banner. You can change or withdraw your choice at any time via the "Cookie Settings" link in the footer.
6.1 Strictly necessary (always on)
| Name | Provider | Purpose | Duration |
|---|---|---|---|
nexoris_consent | Nexoris Suisse (first-party) | Stores your cookie-consent choices | 12 months |
NEXT_LOCALE | Nexoris Suisse (first-party) | Remembers your selected language (EN/FR/DE) | 12 months |
6.2 Functional (only with consent)
Set only if you opt in. Enable third-party features such as the Calendly scheduling widget. If you decline, the feature is replaced with a static link.
6.3 Analytics (only with consent)
| Name | Provider | Purpose | Duration |
|---|---|---|---|
_ga, _ga_*, _gid | Google LLC (Google Analytics 4) | Pseudonymously distinguishes users and sessions; IP anonymisation enabled | Up to 14 months |
6.4 Marketing
We do not use advertising, retargeting or social-media tracking cookies on this website.
6.5 Browser controls
Independently of our banner, you can block or delete cookies through your browser settings, enable “Do Not Track” or “Global Privacy Control” signals, or use private browsing. Disabling strictly necessary cookies may break parts of the website.
7. Recipients of Personal Data and Sub-Processors
We share personal data only with carefully selected processors who act on our documented instructions under a written data-processing agreement (revFADP Art. 9; GDPR Art. 28).
| Processor | Role | Hosting location | Transfer safeguard |
|---|---|---|---|
| Vercel Inc. | Website hosting, edge network, server logs | EU regions where available; global edge | EU SCCs + Swiss FDPIC adendum; Swiss-US Data Privacy Framework (DPF) where applicable |
| Resend | Transactional email delivery (contact form, careers) | United States / EU | EU SCCs + Swiss FDPIC adendum; DPF where applicable |
| Calendly LLC | Meeting scheduling (only if you use it) | United States | EU SCCs + Swiss FDPIC adendum; DPF |
| Google LLC (Google Analytics 4) | Pseudonymous web analytics — only if you consent | EU / United States | EU SCCs + Swiss FDPIC adendum; DPF; IP anonymisation enabled |
| Sendinblue SAS (Brevo) | Newsletter delivery (if you subscribe) | European Union (France) | Intra-EU processing; no third-country transfer required |
We may also disclose personal data to professional advisors (lawyers, auditors), tax authorities, courts or regulators where required by law or to establish, exercise or defend legal claims. We do not sell personal data, and we do not transfer client-confidential investigation data through this website.
8. International Data Transfers
Where personal data is transferred outside Switzerland or the EEA, we rely on one or more of the following safeguards (revFADP Art. 16–18; GDPR Chapter V):
- Transfers to countries on the Swiss FDPIC adequacy list or the European Commission adequacy list (including the EEA).
- The Swiss-US Data Privacy Framework for certified US recipients (where the Swiss FDPIC has recognised it as providing adequate protection).
- The EU Standard Contractual Clauses (2021/914) supplemented by the FDPIC’s recognised addendum.
- Where required, additional technical and organisational measures (encryption in transit and at rest, pseudonymisation, access controls).
A copy of the relevant safeguard can be requested at ajay@nexorissuisse.ch.
9. Retention and Deletion
We keep personal data only for as long as necessary to fulfil the purpose for which it was collected, to comply with statutory retention periods, or to defend legal claims. Specific periods are listed in §4. When the period expires, data is securely deleted or anonymised.
10. Your Rights as a Data Subject
Under the revFADP and (where applicable) the GDPR, you have the following rights free of charge:
- Right of access — obtain confirmation of whether we process your data and a copy of it (revFADP Art. 25; GDPR Art. 15).
- Right to rectification — correct inaccurate or incomplete data (revFADP Art. 32; GDPR Art. 16).
- Right to erasure — have your data deleted where no longer necessary or where you withdraw consent (revFADP Art. 32; GDPR Art. 17).
- Right to restriction of processing (GDPR Art. 18).
- Right to object to processing based on legitimate interests or to direct marketing (GDPR Art. 21).
- Right to data portability — receive your data in a structured, commonly used, machine-readable format (revFADP Art. 28; GDPR Art. 20).
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
- Right not to be subject to automated individual decisions (revFADP Art. 21; GDPR Art. 22).
- Right to lodge a complaint with the competent supervisory authority (see §13).
To exercise any right, write to ajay@nexorissuisse.ch. We respond within 30 days; if the request is complex, we may extend by up to two further months and inform you in writing.
11. Information Security and Breach Notification
We implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk (revFADP Art. 8; GDPR Art. 32), including:
- HTTPS/TLS encryption for all traffic and HSTS preload.
- Strict Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Cross-Origin headers.
- Principle of least privilege, multi-factor authentication for administrative access, and audit logging.
- Encrypted backups, secure software-development lifecycle, and timely patching.
- Confidentiality undertakings binding all personnel and processors.
In the event of a personal-data breach likely to result in a high risk to your rights and freedoms, we will notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as possible (revFADP Art. 24) and, where applicable, the competent EU supervisory authority within 72 hours (GDPR Art. 33), and inform affected data subjects without undue delay (revFADP Art. 24(4); GDPR Art. 34).
12. Minors
This website is intended for a professional audience and is not directed at children. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact us so we can delete it.
13. Supervisory Authorities and Right to Complain
You have the right to lodge a complaint with the competent supervisory authority:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC / PFPDT / IFPDT), Feldeggweg 1, 3003 Bern — edoeb.admin.ch
- European Union / EEA: the data protection authority of your country of residence or place of work, or where the alleged infringement took place.
We would, however, appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Please write to ajay@nexorissuisse.ch in the first instance.
14. Confidentiality of Professional Engagements
Personal data and case-related information shared with us during a professional engagement are subject to Swiss professional confidentiality, our internal conflict-of- interest and ethical-wall procedures, and the contractual confidentiality undertakings we sign with each client. Such data is not processed through this public website and is governed by the engagement letter and our internal data-handling protocol, available on request.
15. Whistleblowers and Survivor-Centred Reporting
If you wish to report a concern involving potential wrongdoing, please do not use the public contact form. Request a secure channel by writing to ajay@nexorissuisse.ch with the subject "Secure Channel Requested". We will respond with an encrypted route and the protocol for survivor-centred and confidential intake.
16. Changes to This Policy
We keep this policy under regular review and may update it from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be brought to your attention through a notice on this website. The authoritative version of this policy is the English text; translations are provided for convenience.