Privacy Policy — de Risk Partners

Privacy Policy.

How de Risk Partners and de Risk Suisse collect, use, and protect your information. Plainly written. Aligned with the GDPR, the Swiss FADP, and US state privacy laws.

— Effective Date
12 May 2026
— Version
v1.0
— Data Controllers
de Risk Suisse GmbH
de Risk Partners LLC
— 01

Who we are.

This Privacy Policy applies to information collected through our websites deriskpartners.io and derisksuisse.ch, and through our engagement, marketing, and recruitment activities.

Depending on the relationship, the data controller is:

  • de Risk Suisse GmbH — Lucerne, Switzerland — for visitors and clients in EMEA and the GCC, and for de Risk Suisse–led engagements
  • de Risk Partners LLC — Westport, Connecticut, USA — for visitors and clients in the Americas, and for de Risk Partners–led engagements

Where the two entities jointly process information — for example on shared engagements or group-wide marketing — we act as joint controllers.

— 02

What we collect.

Information you give us

When you fill in a form, request a meeting, subscribe to insights, apply for a role, or otherwise contact us, we collect what you provide — typically name, work email, employer, role, country, and the contents of your message.

Information from engagements

If your organisation engages us, we may receive professional contact details, business records, documents, and other information necessary to deliver compliance, advisory, or AI transformation services. This information is processed under the terms of the relevant engagement letter or master services agreement, not this policy alone.

Information collected automatically

When you visit our websites we collect technical information through standard server logs and limited analytics — IP address, device and browser type, pages viewed, referring URL, and approximate location derived from IP. Cookies and similar technologies are covered separately in our Cookie Notice.

— What we don't collect

We do not knowingly collect special category data (health, biometric, political, religious) through our websites, and we do not collect information from children under 16. If you believe we have, contact us and we will delete it.

— 03

How we use it.

We use personal information to:

  • Respond to enquiries and provide the services you've asked about
  • Deliver services under engagement letters, including communications, reporting, and invoicing
  • Send insights, briefings, and event invitations to people who've opted in
  • Manage and improve our websites, products, and security
  • Recruit, assess, and onboard candidates for roles at the firm
  • Meet our legal, regulatory, audit, and risk management obligations

We do not sell personal information. We do not use it for automated decision-making with legal or similarly significant effects on you.

— 04

Legal basis.

Under the GDPR and Swiss FADP, we rely on the following lawful bases:

  • Contract — to provide services you or your employer have engaged us for
  • Legitimate interests — to operate the firm, secure our systems, market our services to professional contacts, and respond to enquiries
  • Consent — for marketing emails where required, and for non-essential cookies
  • Legal obligation — to meet record-keeping, tax, AML, and regulatory requirements

You can withdraw consent at any time. Withdrawing does not affect the lawfulness of processing before withdrawal.

— 05

Sharing & processors.

We share personal information only where necessary, and only with:

  • Group entities — between de Risk Partners and de Risk Suisse, where a single client relationship spans both
  • Vetted processors — hosting, email, CRM, analytics, and security providers who process information on our instructions under written agreements
  • Professional advisers — auditors, lawyers, insurers, and accountants where required
  • Regulators and authorities — where we are legally required to disclose
  • Successors — in the unlikely event of a merger, acquisition, or restructuring, with the protections this policy requires

— 06

International transfers.

Because we operate across Switzerland, the EU, the UK, the US, the GCC, and APAC, personal information may be transferred between jurisdictions. We rely on the EU and UK Standard Contractual Clauses, the Swiss FADP equivalence framework, and — where applicable — adequacy decisions and additional safeguards.

A copy of the relevant transfer mechanism is available on request.

— 07

How long we keep it.

We keep personal information only as long as needed for the purpose we collected it — and for any longer period required by law, regulation, or professional standards. As a guide:

  • Enquiry contacts: up to 24 months from last interaction
  • Client engagement records: 10 years post-engagement (regulatory minimum)
  • Marketing subscriptions: until you unsubscribe, plus a short suppression record
  • Recruitment: up to 12 months after a decision, unless you ask us to retain longer
  • Website logs: typically 90 days, longer for security investigations

— 08

Your rights.

Depending on where you are, you have rights to:

  • Access the personal information we hold about you
  • Correct information that is inaccurate or incomplete
  • Delete information (subject to legal retention requirements)
  • Object to or restrict certain processing
  • Receive your information in a portable format
  • Withdraw consent
  • Lodge a complaint with a supervisory authority

To exercise any of these rights, write to contact@deriskpartners.io. For technical or security-related privacy matters, you may also contact tech@deriskpartners.io. Senior leadership enquiries may be directed to ravi@deriskpartners.io. We respond within 30 days, faster where law requires.

EU residents may contact the Swiss FDPIC, their national DPA, or the Irish DPC (as our EU lead authority for EU-routed enquiries). US residents may have additional rights under CCPA / CPRA, CPA, VCDPA, and similar state laws.

— 09

How we keep it secure.

We apply technical and organisational measures appropriate to the sensitivity of the information — encryption in transit and at rest, access controls, MFA, logging, vendor risk reviews, and an ICT policy aligned with US and Swiss regulatory expectations.

— Practitioner's caveat

No system is impenetrable. If we ever experience a breach affecting your information, we will tell you — within 72 hours where the GDPR or FADP requires, and as soon as practicable otherwise.

— 10

Cookies & analytics.

We use a small set of cookies and similar technologies for essential site function, security, and limited analytics. Where required, non-essential cookies load only after consent. Full details are in our Cookie Notice.

— 11

Changes to this policy.

We update this policy when our practices, products, or the law change. The current version, effective date, and version number are shown at the top. Material changes are notified — by email to subscribers, by a banner on our websites, or both.

— 12

Contact us.

Privacy questions, requests to exercise rights, and complaints — write to us. We read every message and respond ourselves; we don't outsource privacy.

— General Contact

de Risk Partners

For privacy questions, rights requests, and general enquiries.

— Technical Contact

Technology & Security

For technical, security, breach, and website-related privacy matters.

— Leadership Contact

Ravi de Silva

For senior leadership escalation and direct executive privacy enquiries.

— Beyond the Policy

Built compliantly. Always.

Our privacy policy reflects how we run the firm — practitioner-led, regulator-ready, and accountable. If that's what you want from your own compliance and AI partner, let's talk.