Privacy Policy
LegaFund AG (NeuraPay) – revFADP primary, GDPR-ready where Art. 3(2) GDPR applies.
1. Scope and applicable law
This privacy policy describes how LegaFund AG ("we", "us", "LegaFund"), as part of the NeuraPay project, processes personal data when you use this website (neurapay.ai, lega-fund.com and subdomains), the NeuraPay platform or related services.
We primarily apply the revised Swiss Federal Act on Data Protection (revFADP/revDSG). Where the material and territorial scope of the EU General Data Protection Regulation (GDPR) applies under Art. 3(2) GDPR – in particular, when services are actively offered to individuals in the EU – we additionally apply the GDPR.
2. Controller
The controller within the meaning of Art. 5 lit. j revFADP and Art. 4(7) GDPR is:
LegaFund AG
Basteiplatz 5, 8001 Zurich, Switzerland
UID: CHE-260.692.477 · Commercial Register: CH-020-3048728-1
General inquiries: info@lega-fund.com
Privacy: datenschutz@lega-fund.com
3. Privacy contact
The contact point for privacy matters is the management of LegaFund AG, represented by Amadeus Romeo. Please send inquiries to datenschutz@lega-fund.com.
We have not appointed a formal external Data Protection Officer (DPO) under Art. 37 GDPR. We are currently not required to appoint one because our core activity does not involve large-scale regular and systematic monitoring of data subjects as defined in Art. 37(1)(b) GDPR. We will re-assess this in the event of EU expansion.
4. EU Representative (Art. 27 GDPR)
LegaFund AG does not currently maintain an establishment in the EU and does not actively direct its services to individuals in the EU. Accordingly, we have not appointed an EU representative under Art. 27 GDPR at this time.
Should the conditions of Art. 3(2) GDPR become broadly applicable in the future (active EU market targeting), we will appoint an EU representative and disclose the details here.
5. Categories of personal data
Depending on how you interact with us or use our services, we process the categories of personal data described below. We limit ourselves at all times to the data that is genuinely required for the respective purpose.
Master and contact data. This includes your company name, first and last name, business email address, telephone number, professional role, postal address and – if you choose to provide it – your LinkedIn profile. We obtain this data exclusively through the forms on this website or directly from correspondence with you.
Contract and transaction data. In the context of initiating and performing contracts, we process the relevant contractual details, in particular descriptions of services, pricing, payment arrangements, invoicing and dunning data as well as other information that relates to the contractual relationship.
KYC/AML data. Where we are legally required to do so (in particular under the Swiss Anti-Money Laundering Act, AMLA), we process identification documents, information on the ultimate beneficial owners and the results of PEP and sanctions list screenings. Such data is not collected through this landing page but exclusively within the authenticated onboarding flow of the NeuraPay platform.
Application data. If you apply for a role via our careers page, we process your name, contact details, your LinkedIn profile and, where applicable, your portfolio or GitHub profile, your salary expectations, your comments and the application documents you submit (in particular your CV and references).
Usage and metadata. When you visit the website, technically necessary metadata is generated, namely your IP address (in server logs), the user agent, the timestamp of the request, the URL you accessed and the referrer URL. Product analytics events (Mixpanel) are only collected with your explicit consent.
Consent log data. In order to evidence the cookie and tracking consent granted or refused by you, we record the time of your decision, the categories you selected and the version of the underlying policy. We also log a hashed version of your IP address and user agent. The plain-text IP address is never stored.
Nura chat data. When you use our AI assistant Nura, we process the contents of the conversation (your input and the generated responses), a session ID that is regenerated for every new session, the language you selected and the URL of the page from which the chat was opened. IP addresses are not stored in this context.
Communication data. If you contact us by email or through one of our contact forms, we process the content of your message, any attachments you submit and the related sender and recipient details.
6. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases (revFADP / GDPR in parallel):
| Purpose | Data categories | Legal basis (CH / EU) |
|---|---|---|
| Responding to inquiries & contract initiation | Master/contact, communication | Art. 31(2)(a) revFADP / Art. 6(1)(b) GDPR |
| Job application process | Application data | Art. 31(2)(a) revFADP in conjunction with Art. 328b CO / Art. 6(1)(b) GDPR in conjunction with Art. 88 GDPR |
| Contract performance | Master, contract, transaction data | Art. 31(2)(a) revFADP / Art. 6(1)(b) GDPR |
| Legal obligations (AMLA, CO, tax) | KYC/AML, transaction, accounting data | Art. 31(1) revFADP / Art. 6(1)(c) GDPR |
| Operation, security, abuse prevention | Usage/metadata, server logs | Legitimate interest / Art. 6(1)(f) GDPR |
| Reach measurement (Mixpanel) | Usage/metadata | Consent / Art. 6(1)(a) GDPR |
| AI chat (Nura) | Nura chat data | Legitimate interest in product quality / Art. 6(1)(f) GDPR |
| Direct marketing (only with separate consent) | Master/contact data | Consent / Art. 6(1)(a) GDPR |
7. Processors and sub-processors
We use carefully selected processors (Art. 9 revFADP / Art. 28 GDPR). We have data processing agreements (DPAs) with all of them, including – where required – the EU Standard Contractual Clauses (SCC 2021/914) and the Swiss Addendum issued by the FDPIC. We do not share data with any third party that is not contractually bound.
| Provider | Function | Region | Transfer mechanism |
|---|---|---|---|
| Google Cloud Platform (Google Ireland Ltd.) | Hosting, storage, backend infrastructure | EU (europe-west6 / europe-west1) / CH | SCC + Swiss Addendum, EU-US DPF (US parent Google LLC) |
| Vercel Inc. | Landing page hosting (edge / server rendering, log drain) | EU (fra1 / Frankfurt) | SCC + Swiss Addendum, EU-US DPF |
| Stripe Payments Europe Ltd. | Payment processing (if enabled) | IE / EU | SCC + Swiss Addendum, EU-US DPF (US parent Stripe Inc.) |
| TWINT AG | Payment processing (if enabled) | CH | FADP (CH) – no third-country transfer |
| Mixpanel Inc. | Reach measurement (only with consent) | EU (EU residency) | SCC + Swiss Addendum, EU-US DPF (US parent) |
| Google Gemini API (Google Ireland Ltd.) | Nura AI chat (generative responses) | EU (europe-west regions) | SCC + Swiss Addendum, EU-US DPF (US parent Google LLC); data logging and model training contractually disabled |
| Mailgun Technologies Inc. | Transactional email (forms, confirmations) | EU (api.eu.mailgun.net) | SCC + Swiss Addendum, EU-US DPF (US parent Sinch AB) |
| HubSpot Ireland Ltd. | Meeting booking (only when configured) | EU | SCC + Swiss Addendum, EU-US DPF (US parent HubSpot Inc.) |
8. Transfers to third countries
Our services are generally operated in data centres located in Switzerland or the European Union. Some of our processors, however, are subsidiaries of US-based parent companies (in particular Google LLC, Vercel Inc., Stripe Inc., Mixpanel Inc., Sinch AB as the parent of Mailgun, and HubSpot Inc.). In individual cases – for example in intra-group support or escalation workflows, in administrative invoicing, or in legally compelled disclosure requests addressed to the US parent – access to personal data by entities in the United States cannot be fully excluded.
Any transfer to a third country takes place exclusively on the basis of appropriate safeguards, namely the EU Standard Contractual Clauses 2021/914, supplemented by the Swiss Addendum issued by the FDPIC, and – where the respective provider is certified – the mechanisms of the EU-US Data Privacy Framework (DPF). We continuously review the adequacy of these mechanisms in light of current case law and regulatory guidance and adjust our contracts without undue delay if necessary.
Further information about safeguards and specific providers is available on request at datenschutz@lega-fund.com.
9. Retention periods
We retain personal data only for as long as it is necessary for the respective purposes or legally required:
| Data category | Retention period | Legal basis |
|---|---|---|
| KYC/AML data | 10 years after end of business relationship | Art. 7 AMLA |
| Accounting records | 10 years | Art. 958f CO |
| Case and contract data | Case closure + 10 years | Art. 127 CO / Art. 31 revFADP |
| Server/access logs | 90 days | Legitimate interest |
| Consent log | 3 years | Art. 7(1) GDPR / Accountability |
| Mixpanel events | 12 months | Consent / legitimate interest |
| Nura chat logs (Vercel EU) | 30 days | Legitimate interest in quality assurance |
| Applicant data (rejection) | 6 months after rejection | Evidence and proof preservation |
| Applicant data (talent pool, only with consent) | up to 24 months | Consent |
| Newsletter / marketing | until revocation | Consent |
10. Automated decisions and profiling
Depending on the booked product, the NeuraPay platform may use automated analysis procedures (e.g. scoring to assess payment ability in B2B receivables management, fraud/abuse detection). These do not take place on this landing page, but only within the authenticated platform.
Where such procedures are used, we comply with the requirements of Art. 21 revFADP and Art. 22 GDPR as follows.
Logic involved. The scoring models take into account, among other things, the historical payment behaviour of the data subject, credit indicators derived from data provided by certified credit bureaus, the type and amount of the outstanding claim and industry-specific benchmarks. The respective weightings are reviewed and documented on a regular basis.
Significance for the data subject. The outputs of the analysis steer, for example, the order in which dunning steps are triggered, the priority assigned for a manual review and the selection of the handling options proposed for a specific case. A binding legal effect does not arise from the automated analysis alone.
No solely automated individual decisions. Decisions that produce legal effects or significantly affect a data subject in a similar manner – such as the initiation of debt collection proceedings or the final rejection of a payment plan – are not taken solely by automated means. They are always subject to human review by the respective client or by the responsible members of the NeuraPay team.
Your right to intervene. You have the right to contest the automated handling of an individual decision, to express your own point of view and to request a manual review by a natural person. To do so, please contact datenschutz@lega-fund.com.
11. Nura chat (AI assistant)
Our AI assistant Nura answers questions about the NeuraPay platform. Technically, we rely on the Google Gemini API in an EU region (Google Ireland Ltd.). The following conditions and safeguards apply to its use.
Transmission to the Gemini API. Your inputs are transmitted over an encrypted connection to the Gemini API in the EU region for each request, in order to generate a response. Under the Google API terms applicable to us, Google does not use this content to train the Gemini models. Under Google's public API terms, short-term API-side caching by Google for abuse detection purposes cannot be fully excluded; any such caching takes place exclusively within the contractual safeguards committed to by Google (DPA, SCCs, EU-US Data Privacy Framework).
Conversation logs on our side. For quality assurance, error analysis and abuse prevention, we retain your inputs as well as the generated responses for 30 days in structured log files at Vercel Inc. (region fra1, Frankfurt/EU). IP addresses are not stored in this context; the session is pseudonymised by means of a randomly generated session ID kept solely in the sessionStorage of your browser.
No disclosure to third parties. The contents of the Nura conversation are not shared with any other recipients unless we are legally required to do so or you have expressly consented to such disclosure (for example, when handing over a case to our sales or support team).
Please do not enter sensitive data. We expressly ask you not to enter any specially protected personal data within the meaning of Art. 5 lit. c revFADP or Art. 9 GDPR into the Nura chat – in particular no data concerning health, finance, biometrics, religion or sexual orientation. For matters that require such data, please use our confidential channel at datenschutz@lega-fund.com.
12. Cookies and similar technologies
Details on cookies and tracking technologies used are set out in our cookie policy. Non-essential technologies (e.g. Mixpanel analytics) are loaded only with your consent.
13. Your rights
You are entitled to the following data subject rights vis-à-vis us under the revised Swiss Federal Act on Data Protection and – where applicable – the General Data Protection Regulation. You may exercise these rights at any time and without any particular formal requirements.
Right of access. You are entitled to obtain confirmation from us as to whether or not personal data concerning you is being processed, and, where that is the case, access to such data (Art. 25 revFADP / Art. 15 GDPR). Access is typically granted free of charge within 30 days.
Right to rectification. If personal data processed about you is incorrect or incomplete, you have the right to obtain from us the immediate rectification or completion of such data (Art. 32(1) revFADP / Art. 16 GDPR).
Right to erasure or destruction. You have the right to obtain the erasure or destruction of personal data concerning you, provided that continued processing is not justified by statutory retention obligations, by the establishment, exercise or defence of legal claims, or by overriding legitimate interests (Art. 32(2) revFADP / Art. 17 GDPR).
Right to restriction of processing. You have the right to obtain a restriction of processing where you contest the accuracy of the data, the processing is unlawful or you have objected to the processing (Art. 18 GDPR).
Right to data portability. You have the right to receive personal data concerning you that you have provided to us in a commonly used electronic format and to have that data transmitted to another controller, insofar as this is technically feasible (Art. 28 revFADP / Art. 20 GDPR).
Right to object. You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, in particular to any processing that is based on a legitimate interest (Art. 30(2) revFADP / Art. 21 GDPR).
Right to withdraw consent. Where you have given us consent to process personal data, you may withdraw that consent at any time with effect for the future (Art. 7(3) GDPR). The lawfulness of processing carried out prior to the withdrawal remains unaffected.
Right to lodge a complaint. Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority (see section 14).
To exercise your rights, a simple email to datenschutz@lega-fund.com is sufficient. In order to prevent abusive requests, we are entitled to carry out a reasonable identity verification where we have well-founded doubts about your identity, for example by asking for a copy of an official identification document (any information that is not required may be redacted).
14. Right to lodge a complaint
You have the right to lodge a complaint with the competent data protection supervisory authority about our processing, without suffering any disadvantage as a result.
For Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, reachable at www.edoeb.admin.ch.
For the European Union, you may contact any data protection supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. A list of European supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.
15. Data security
We implement appropriate technical and organisational measures under Art. 8 revFADP / Art. 32 GDPR (incl. encryption in transit and at rest, access controls, role concepts, logging, backups). Please report vulnerabilities or security-related findings to security@lega-fund.com – see also security.txt.
16. Changes
We adapt this privacy policy when our data processing or the legal framework changes. The current version is always published here. In the event of material changes, we will additionally inform you in an appropriate manner.