Legal
Cembra logo
Home Legal Privacy Policy

Privacy Policy

1. What is this Privacy Policy about?

This Privacy Policy explains how we process your personal data and how you can exercise your rights.

Additional details may be included in product and service terms and conditions, on our website, in the terms for loyalty and added-value programs of our cooperation partners (see section 6) and, where applicable, in other privacy policies.

2. Who are we?

The following company (“we”, “us” or “Cembra”) is responsible for processing personal data under this Privacy Policy:

Cembra Money Bank AG
Bändliweg 20
8048 Zurich
Switzerland

You can contact our Data Protection Officer with questions about our data protection practices:

Cembra Money Bank AG
Data Protection Officer
Bändliweg 20
8048 Zurich
Switzerland

We have appointed an EU representative:

activeMind.legal
Kurfürstendamm 56
10707 Berlin
Germany

3. When, for whom and for what is this Privacy Policy intended?

This Privacy Policy applies to all processing of personal data in connection with our business activities and business areas, including existing and future personal data.

4. What personal data do we process for which purposes, from which sources and on which legal basis?

We obtain personal data from you (as a current or prospective customer) and from publicly available sources (e.g., media or the internet), Cembra Group companies, public authorities (e.g., residents’ registration authorities, land registry, commercial registry or debt collection offices) and third parties (e.g., external credit assessors, the Central Credit Information Office [ZEK], the Consumer Credit Information Office [IKO] and other information offices).

Depending on the context, we process, for example, personal details (name, address and other contact data, date and place of birth, nationality), identification data (e.g., identity document data) and authentication data (e.g., signature samples, patterns of behaviour and movement). We may also process instruction, transaction and risk management data (e.g., payment transaction data, account statement, transaction history, advisory and contractual relationship data), information about your financial situation (e.g., income and assets, creditworthiness, scoring/rating data [see section 4 b], origin of assets, current or completed loan agreements), tax information (e.g., where you are registered for tax purposes and related documents) and contractual and documentation data (e.g., account/custody account information, concluded transactions, and information about third parties such as civil partners, the number and year of birth of children, authorised representatives, and consultation and discussion minutes). As part of risk-based approach, Cembra reserves the right to request additional information or documents where such information is necessary to verify identity, assess authenticity, or detect and prevent fraud and other financial crime.

We process particularly sensitive personal data (e.g., ethnic origin, political opinion, religious or ideological beliefs, genetic and biometric data, health data or criminal convictions) only with your consent or another legal basis.

If consent is required for processing personal data that is not particularly sensitive, it is typically given on other grounds (e.g., to comply with banking secrecy). Otherwise, we generally rely on the legal bases set out below rather than on consent.

We use automated (including artificial intelligence) and manual methods to process your personal data. We may use artificial intelligence to conclude, perform and enforce agreements and to pursue Cembra’s legitimate interests. Where automated decision-making is used, Cembra will obtain your explicit consent where required. You have the right to be informed about decisions based solely on automated processing that have legal or significant effects, to express your view, and to request human review.

We process personal data in the situations below for the stated purposes and legal bases; more than one legal basis may apply.

a. For the conclusion, execution and enforcement of agreements
We process personal data to provide banking and financial services, to take pre-contractual steps at your request, and to conclude, perform and enforce agreements. Depending on the product, this may include opening, managing and closing accounts, analysing needs, providing advice and support, and executing transactions. Details are set out in the relevant contractual documents, terms and conditions and, where applicable, other documents provided to you.

b. In the context of a balance of interests
We process your data to protect our legitimate interests, unless your interests override them. This includes, in particular:

  • Analysis, monitoring and control of the credit risk (scoring);

  • Fraud prevention: improve the efficiency and accuracy of customer identification and fraud prevention, and address risk indicators that may indicate fraudulent activity;

  • Advertising, market research and marketing analysis; preparation and delivery of tailored offers from us, Cembra Group companies and cooperation partners (e.g., direct marketing, print/online advertising, events, sponsoring, competitions and customer satisfaction analysis) to your postal, e-mail or telephone address (e.g., via SMS), in eService or a mobile app, provided you have not objected and use the relevant services;

  • Loyalty and added-value programs of cooperation partners: processing and forwarding selected data needed to operate and improve such programs (e.g., customer, status, control and card data and, where applicable, aggregated turnover figures per merchant; transaction details are not forwarded). See the relevant product terms. Cooperation partners use the data for their own purposes and under their own responsibility and privacy policies;

  • Websites and Cembra eService/mobile apps: depending on the offer, we process information such as log data (e.g., access time, visit duration and pages viewed) for IT security, to improve usability and functions, and to personalise the offer. We may use analytics services (e.g., Google Analytics) and technologies such as cookies. Further information is available on our website under Cookies (including the Cookie Banner and Policy) and in product-specific contractual and, where applicable, data protection provisions;

  • Enhanced customer support: To improve efficiency, accuracy and response times, we may use artificial intelligence for customer support (e.g., to identify you, classify and understand messages, and support chatbots or call agents). You will be informed if you are communicating with a bot and may request a natural person; processing such a request may take time. While we aim to provide accurate and up-to-date information, errors may occur. Cembra is not liable for the accuracy, completeness or timeliness of information provided. By using AI-based customer support, you agree to these terms.

  • Protection of rights: to enforce or defend claims in and out of court and before domestic and foreign authorities; we may involve third parties to assess prospects of success and may have to disclose documents containing personal data to authorities;

  • Improving, enhancing and testing IT solutions and business and technical processes;

  • Ensuring IT security and IT operations of Cembra;

  • Prevention and investigation of criminal offences;

  • Contact inquiries on your part to our customer service;

  • Telephone calls may be recorded, for example for quality checks and training, and in specific cases to preserve evidence;

  • Building and system security measures (e.g., access controls and video surveillance);

  • Corporate transactions: processing personal data to prepare and carry out company takeovers and sales, and the acquisition or sale of assets (e.g., receivables or real estate) and similar transactions;

  • Evaluation, planning and statistics, product development and business decisions (e.g., improving and reviewing products, services, procedures, technologies, systems and performance figures).

c. Due to legal requirements
We process personal data to meet regulatory, supervisory and statutory duties to clarify, inform and report (e.g., disclosure orders or instructions by the Swiss Financial Market Supervisory Authority [FINMA], automatic exchange of information with foreign tax authorities, or anti-money laundering and counter-terrorist financing requirements).

5. Do you have an obligation to provide personal data?

You are generally not obliged to provide personal data. However, we cannot enter into a contractual relationship with you if you do not provide the personal data needed to establish and perform the business relationship or that we are legally required to collect (e.g., identification data such as name, place and date of birth, nationality, address and identity document data).

6. With whom do we share your personal data?

Within Cembra, access to your personal data is limited to departments, employees and other bodies that need it to perform their tasks. We may also outsource business areas or services to Cembra Group companies and third parties in Switzerland and abroad, assign claims and rights, and enter into cooperations with partners. Where necessary, we share your personal data with these recipients. We ensure compliance with data protection and banking secrecy requirements through careful selection of processors and appropriate contracts.

In particular, this involves services and cooperation in the following areas:

  • IT services, e.g., services in the areas of data storage (hosting), cloud services, mailing of advertising material, data analysis, artificial intelligence solutions, etc.;

  • credit checks;

  • fraud prevention;

  • authorisation of transactions;

  • creditworthiness assessing, address information and debt collection, e.g., if claims are not paid timely (e.g., Intrum, CRIF, teledata);

  • advisory services, e.g., services of tax advisors, lawyers, business consultants, employee recruitment advisors;

  • administration of contractual relationships including debt enforcement, e.g., application and contract processing, invoicing and processing of direct debits, enforcement of due claims;

  • document and card production;

  • compliance and data management;

  • cooperation with partners, e.g., IKEA, Conforama Suisse Holding SA, Touring Club Schweiz, FNAC;

  • cooperation with insurance partners, e.g., AXA Versicherungen AG or Generali Personenversicherungen AG, and

  • cooperation with brokers, such as agents and garages.

For business purposes (e.g., credit risk, fraud prevention and marketing), we may also share personal data within the Cembra Group for recipients’ own purposes; this may involve linking data from different Group companies. A current list of Group companies is available at www.cembra.ch/group.

We may also disclose personal data to third parties where we have a legitimate interest, you have authorised us to do so, or we are legally required to do so (typically to authorities).

7. When do we transfer personal data abroad?

We may outsource services abroad (see section 6). Personal data may be transmitted to, and otherwise processed by third parties located in Switzerland, the European Union (“EU”) or the European Economic Area (“EEA”), the USA, India and the Philippines. Personal data may also be transferred abroad when executing agreements or transactions (e.g., payment orders and payment processing). Data recipients outside the EU or EEA may not provide the same level of protection as Switzerland or the EU/EEA. If we transfer personal data to such countries, we ensure appropriate safeguards, for example by entering into suitable data processing agreements approved, established or recognised by the European Commission and the Federal Data Protection and Information Commissioner (FDPIC). Transfers to the USA are also permitted where recipients confirm high data protection standards by certifying to the Swiss-US Data Privacy Framework.

8. Does profiling take place and do we perform automated decisions?

We may process your personal data to create profiles, e.g., for analysis, evaluation and decision-making. We, our Group companies and external service providers may use this for fraud prevention (e.g., for credit card payments) and risk management. We also use profiles to provide individual advice and personalized offers. You can object to processing for advertising purposes at any time (see section 11).

We may make automated decisions on a case-by-case basis when concluding or performing a contractual relationship. If such decisions have negative legal consequences or otherwise significantly affect you, you may request human review.

Where automated processing and profiling may pose a high risk to your personality or fundamental rights within the meaning of the Swiss Federal Data Protection Act (FADP), we will meet all applicable legal requirements, including informing you and obtaining your consent where required.

9. How do we protect your personal data?

We use appropriate technical and organisational measures to protect your personal data, including against unauthorised or unlawful processing, loss, accidental changes, unwanted disclosure and unauthorised access.

10. How long do we store your personal data?

We keep your personal data for as long as needed for the purposes for which it was collected. We may retain it longer to meet statutory retention requirements (for many documents, ten years after contract termination or account closure), or where we have a legitimate interest (e.g., limitation periods, enforcing or defending claims, or archiving). Once no longer needed, the data is deleted or anonymised.

11. What rights do you have?

Depending on the applicable data protection law, you have in particular the following rights:

  • the right to information;

  • the right to rectification;

  • the right to deletion;

  • the right to restriction of processing;

  • the right to object to the further processing of your personal data and

  • the right to transfer of particular personal data.

You may revoke your consent to the processing of personal data at any time. The revocation applies only going forward; processing carried out before the revocation remains lawful.

Consent obtained on other grounds (e.g., under bank-client confidentiality provisions of the Federal Act on Banks and Savings Banks (BankA)) remains unaffected.

Moreover, you can object to the processing of your personal data for advertising purposes at any time by notifying us.

12. Updates and Amendments of this Privacy Policy

This Privacy Policy is valid as of May 2026. We may amend it at any time without prior notice.

In the event of ambiguities, the German text of this Privacy Policy prevails.