As of: 30. May 2026 | Version 2.0 | Controller: Winify AG

Controller and contact
Principles of data processing
Data collected and purposes of processing
Payment data and Stripe
Cookies and tracking
Third-party providers and data sources
IP address recognition and geolocation
AI assistant and chat data
Data retention and deletion periods
Data disclosure and recipients
Data transfers to third countries
Your rights as a data subject
Data security
Minors
Changes to this policy

§1 Controller and contact

The controller within the meaning of the GDPR and the revised Swiss Data Protection Act for the processing of personal data on this platform is:

Winify AG
Churerstrasse 65b
8808 Pfaeffikon SZ
Switzerland
UID CHE-495.341.743
Website: www.goldkurs.ch
Email: privacy@goldkurs.ch
Privacy requests: privacy@goldkurs.ch

For all privacy-related enquiries, access requests or the exercise of your rights, please contact us directly at: privacy@goldkurs.ch

§2 Principles of data processing

We process personal data only within the framework of legal requirements. Processing is based on the following legal bases (Art. 6 GDPR):

Performance of contract (Art. 6(1)(b) GDPR): processing to provide our services and manage subscriptions.
Legitimate interests (Art. 6(1)(f) GDPR): processing to improve our services, security and fraud prevention.
Consent (Art. 6(1)(a) GDPR): for optional processing such as marketing emails (only with explicit consent).
Legal obligation (Art. 6(1)(c) GDPR): processing to comply with statutory retention obligations (e.g. accounting).

We collect only the data necessary for the respective purpose (data minimisation, Art. 5(1)(c) GDPR).

§3 Data collected and purposes of processing

3.1 Registration and account data

Data category	data	Purpose	Legal basis
Identification	Email address, automatically generated username	Account creation, login, communication	Art. 6 Abs. 1 lit. b DSGVO
Security	Password hash (bcrypt, not plain text)	Authentication	Art. 6 Abs. 1 lit. b DSGVO
Profile (optional)	First name, last name, country, preferred language	Platform personalisation	Art. 6 Abs. 1 lit. b DSGVO
Settings	Preferred currency (EUR/CHF), language	Price display, localisation	Art. 6 Abs. 1 lit. f DSGVO

3.2 Usage data

Data category	data	Purpose
Access data	IP address, browser type, operating system, referrer URL, access time	Security, error analysis, geolocation for currency recognition
Session data	Session ID, login timestamp, last login	Authentication, Security
Portfolio data	Entered precious-metal holdings, purchase prices, quantities	Portfolio tracking function
AI chat data	Inputs in the AI assistant, responses, timestamps	Commission of the AI service, quota management

3.3 Subscription and transaction data

Data category	data	Purpose
Subscription	Plan key, status, start/end date, trial information	Subscription management, access control
Stripe reference	Stripe customer ID, subscription ID (no payment data)	Payment processing via Stripe
Invoices	Invoice amount, date, status	Accounting (statutory retention obligation of 10 years)

3.4 Team and institutional data

Users of Pro Team and Institutional plans may invite team members and clients. Email addresses of invitees are processed and invitation tokens are generated. Invited persons are informed about data processing before accepting the invitation.

3.5 Newsletter and marketing

Marketing emails are sent only with the user’s explicit consent (double opt-in). Consent can be withdrawn at any time (unsubscribe link in every email or by email to privacy@goldkurs.ch).

§4 Payment data and Stripe

Payment processing is carried out exclusively via Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA). GoldKurs.ch stores no credit card numbers, bank details or other payment method information. These are processed directly by Stripe.

Stripe is a certified PCI-DSS Level 1 provider. During payment processing, your data is transmitted to Stripe, which is responsible for secure processing. Stripe’s privacy policy applies: stripe.com/de/privacy

From Stripe we receive only:

Stripe customer ID (anonymised reference identifier)
Stripe subscription ID
Payment status (paid, failed, etc.)
Last 4 digits of the card used (for display purposes in the dashboard)

Legal basis for transmission to Stripe: Art. 6(1)(b) GDPR (performance of contract) in conjunction with Art. 49(1)(b) GDPR (US data transfer necessary for contract performance). Stripe contractually undertakes to process data in compliance with data-protection law through EU Standard Contractual Clauses (SCCs).

§5 Cookies and tracking

5.1 Technically necessary cookies

GoldKurs.ch uses technically necessary cookies and session cookies that are essential for operating the platform. These cookies cannot be disabled without impairing the platform’s functionality.

Cookie	Purpose	Billing cycle
PHPSESSID	Session management, authentication	Session (until browser is closed)
currency	Storage of preferred currency (EUR/CHF)	1 year

5.2 Analytics and tracking

GoldKurs.ch currently uses no third-party analytics tracking tools (such as Google Analytics, Facebook Pixel, etc.). Access data is stored exclusively in server-side log files and deleted after 30 days.

5.3 Cloudflare

The platform uses Cloudflare (Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA) as CDN and DDoS protection. Cloudflare processes IP addresses as a processor for security and performance purposes. Cloudflare’s privacy policy applies: cloudflare.com/privacypolicy. Transmission is based on EU Standard Contractual Clauses.

§6 Third-party providers and data sources

GoldKurs.ch processes market, macro and price data server-side. Users generally do not establish a direct connection to market data providers; display takes place through our platform and may be delayed, cached or model-compressed.

Recipient/category	Purpose	Note
Market and macro data providers	Commission of price, index and economic data	Server-side processing; no direct client connection
ip-api.com	IP geolocation for currency recognition	See §7; country/currency only, no permanent plain-text IP storage
Cloudflare CDN	Security, performance and delivery of static resources	Possible IP transmission to Cloudflare
Stripe	Payment processing	See §4
AI service providers	Processing of AI requests	See §8; do not enter sensitive data in chat

Market data is generally processed server-side by GoldKurs.ch and delivered to you. Your IP address is generally not passed directly to market data providers.

§7 IP address recognition and geolocation

GoldKurs.ch automatically determines your approximate location from your IP address for currency display (EUR or CHF). In this process:

your IP address is transmitted to the ip-api.com service
only the country code (e.g. ”CH”) and currency are returned
the result is stored as a SHA-256 hash of your IP in a server-side cache table for a maximum of 7 days (no plain-text IP storage)
the determined currency is stored in a browser cookie and in the session

Geolocation serves exclusively currency display (CHF for Swiss users, EUR for all others) and is not a tracking measure. You can change the currency manually at any time using the EUR/CHF switch on the website.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in correct price display).

§8 AI assistant and chat data

8.1 Data processed

When you use the AI assistant, the following data is processed:

your inputs (questions/requests) to the AI assistant
the generated responses
timestamps and your user ID
usage of your monthly AI quota

8.2 Purpose of processing and storage

Chat messages are stored to provide the service and manage the monthly message quota. Chat history is visible in your account. Messages are automatically deleted after 12 months automatically.

8.3 AI model

The AI assistant is based on a language model. Your inputs may be transmitted to external AI providers for processing. Details will be added for the specific implementation. Please do not enter sensitive personal data (account data, passwords, etc.) in the AI chat.

§9 Data retention and deletion periods

Data category	Retention period	Reason
Account data (active)	Until account deletion	Performance of contract
Account data (after cancellation)	30 days after cancellation	Restoration upon request, then deletion
Invoice and accounting data	10 years	Statutory retention obligation (CO/HGB)
Server logs (IP addresses)	30 days	Security, error analysis
IP geo cache	7 days	Performance optimisation for currency recognition
AI chat history	12 months	Service provision, quota tracking
Team invitations (expired)	30 days after expiry	Then automatically deleted
Newsletter consents	Until withdrawal + 3 years	Proof of consent

§10 Data disclosure and recipients

We generally do not disclose your data to third parties unless:

Processors: service providers acting on our behalf (e.g. Stripe for payments, Cloudflare for CDN/DDoS protection, hosting providers). Data processing agreements (DPAs) pursuant to Art. 28 GDPR have been concluded with them.
Legal obligation: in the case of official requests or criminal prosecution, where legally required.
Protection of our own rights: where necessary to establish, exercise or defend legal claims.
Consent: where you have expressly consented.

Disclosure to third parties for advertising purposes does not.

§11 Data transfers to third countries

Some of our service providers are based in the USA (Stripe, Cloudflare, possibly AI providers). Transfers to the USA are based on:

EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
the EU-US Data Privacy Framework (where applicable)
Art. 49(1)(b) GDPR (necessary for contract performance, e.g. Stripe payments)

For Swiss users, transfers to the USA are based on Switzerland’s adequacy decision or appropriate safeguards under the revised FADP.

§12 Your rights as a data subject

You have the following rights with respect to your personal data:

Right	Description	Legal basis
Access	What data we have stored about you	Art. 15 DSGVO / Art. 25 revDSG
Rectification	Correction of inaccurate data	Art. 16 DSGVO
Deletion	Deletion of your data (where no retention obligation applies)	Art. 17 DSGVO
Restriction	Restriction of processing	Art. 18 DSGVO
Data portability	Export of your data in machine-readable format	Art. 20 DSGVO
Objection	Objection to processing based on legitimate interest	Art. 21 DSGVO
Withdrawal	Withdrawal of consent (e.g. newsletter)	Art. 7 Abs. 3 DSGVO
Complaint	Complaint with a supervisory authority	Art. 77 DSGVO

To exercise your rights, please contact us by email at: privacy@goldkurs.ch. We respond to requests within 30 days.

Competent supervisory authorities

Switzerland: Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch
Germany: Competent state data protection authority at the user’s place of residence
Austria: Data Protection Authority (DSB), www.dsb.gv.at
EU generally: Competent data protection authority in the country of residence

§13 Data security

GoldKurs.ch uses the following technical and organisational measures (TOMs) to protect your data:

SSL/TLS encryption: all data transmissions between your browser and our servers are SSL/TLS encrypted (HTTPS).
Password hashing: passwords are stored exclusively as bcrypt hashes. Plain-text passwords are never stored.
Access control: strict access controls for databases and servers. Only authorised employees have access to personal data.
DDoS protection: protection against distributed denial-of-service attacks through Cloudflare.
Data backup: regular backups to ensure data availability.
Regular security updates: regular updating of all software components used.

In the event of a data breach that results in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected users without undue delay (Art. 33/34 GDPR).

§14 Minors

GoldKurs.ch is directed at persons aged 18 and over. We do not knowingly collect personal data from persons under 18. If you become aware that a minor has created an account with us, please inform us at privacy@goldkurs.ch.

§15 Changes to this policy

This Privacy Policy may be updated at any time to reflect changes to our services, legal requirements or new data protection practices. In the event of material changes, we will inform registered users by email. The date of the last update is stated at the beginning of this policy. The current version is always available on this page.

Questions about privacy? Write to us at any time at: privacy@goldkurs.ch – we respond within 48 hours.

Privacy Policy

Table of contents