Controller
Virtus Resources Partners AG
Switzerland
Data-protection contact: admin@virtus-resources.com
1. Introduction
Virtus Resources Partners AG ("VRP", "we", "us") respects your privacy and is committed to processing personal data lawfully, fairly and transparently. This Privacy Policy explains what personal data we collect through the website vrp-coffee.com (the "Website") and when you communicate with us, why we collect it, how we use it, and what rights you have.
We process personal data in accordance with the revised Swiss Federal Act on Data Protection of 25 September 2020 ("revFADP"), in force since 1 September 2023, and where applicable the EU General Data Protection Regulation 2016/679 ("GDPR").
2. Who is responsible (controller)
The controller for the processing described in this Policy is Virtus Resources Partners AG, Switzerland. You can reach us at admin@virtus-resources.com for any data-protection matter, including the exercise of your rights.
3. What personal data we process
| Category | Typical data | When we collect it |
|---|---|---|
| Technical data | IP address, device and browser type, operating system, language, date and time of request, pages viewed, referrer URL | Automatically when you visit the Website, through server log files |
| Contact data | Name, email address, company, phone number, any content you include in your message | When you email us or complete a contact form |
| Commercial data | Counterparty details, roles, preferences, correspondence, know-your-customer ("KYC") information | In the context of business relationships with suppliers, buyers and service providers |
| Cookie / preference data | Language preference, consent choices, session identifiers | When you interact with the Website (see section 7) |
You are not legally obliged to provide personal data, but without certain information (for example a contact email) we may not be able to respond to your enquiry or enter into a business relationship.
4. Purposes of processing
We process personal data for the following purposes:
- to operate, secure and improve the Website and to analyse its use on an aggregated basis;
- to respond to enquiries, requests for samples or information, and other communications initiated by you;
- to establish, perform and administer business relationships, including onboarding, KYC, contract management, invoicing and accounting;
- to comply with legal, regulatory and tax obligations, including anti-money-laundering and sanctions checks;
- to protect our legitimate interests, in particular the security of our infrastructure and the defence of legal claims.
5. Legal bases
Under the revFADP, processing is lawful if it is carried out in good faith, is proportionate, and rests on a recognised justification. Where the GDPR applies, we rely on the following legal bases (Art. 6(1) GDPR):
- Contract or pre-contractual steps (lit. b) — for communications, sample requests and the performance of supply or service agreements;
- Legal obligation (lit. c) — for bookkeeping, tax, anti-money-laundering and sanctions compliance;
- Legitimate interests (lit. f) — for Website operation and security, fraud prevention, and maintaining and developing business relationships;
- Consent (lit. a) — where we ask for it explicitly, for example for non-essential cookies or marketing emails. Consent can be withdrawn at any time with effect for the future.
6. Recipients and disclosure
Personal data is accessed only by authorised personnel of VRP on a need-to-know basis. We may share personal data with:
- IT and hosting providers who operate the Website and our back-office systems on our behalf;
- professional advisors (auditors, lawyers, tax advisors) bound by confidentiality;
- banks, payment processors and logistics providers involved in the performance of a contract with you;
- competent authorities, courts and regulators where required by law.
Processors act on our instructions under a data-processing agreement that meets the requirements of the revFADP and, where applicable, Art. 28 GDPR.
7. Cookies and similar technologies
The Website uses a minimal set of cookies and comparable technologies. Strictly necessary cookies (for example to remember your language choice or consent status) are set without consent because they are required to deliver the service you have requested. Any analytics or marketing cookies, if introduced, will be set only after you have given informed consent via the cookie banner, and you can withdraw that consent at any time through the same mechanism.
You can also configure your browser to refuse cookies generally or to alert you when a cookie is set; disabling strictly necessary cookies may impair parts of the Website.
8. Third-party services
The Website may load resources from third parties such as Google Fonts (for typography) and market-data providers (for reference price information). When this happens, your IP address and basic request data are necessarily transmitted to the provider so the resource can be delivered. We select providers that offer appropriate safeguards and we limit what is shared to what is technically required.
9. International data transfers
Some of our providers are established outside Switzerland or the European Economic Area. Where this leads to a transfer of personal data to a country that does not offer an adequate level of protection (as determined by the Swiss Federal Council or, under the GDPR, by the European Commission), we implement appropriate safeguards, in particular the EU Standard Contractual Clauses with the Swiss addendum issued by the Federal Data Protection and Information Commissioner ("FDPIC"), together with supplementary technical and organisational measures where required.
10. Retention
We keep personal data only for as long as is necessary for the purposes described in this Policy, or for as long as we are required to keep it by law. In particular:
- server log files are normally retained for up to 12 months, then deleted or anonymised;
- correspondence not linked to a business relationship is deleted when no longer needed, typically within 24 months;
- accounting and tax records (including contracts, invoices and supporting documents) are retained for ten years, as required by Art. 958f of the Swiss Code of Obligations;
- KYC records are retained for at least ten years after the end of the business relationship, in line with Swiss anti-money-laundering requirements.
11. Security
We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration and disclosure. These include access controls, encrypted transport (HTTPS), regular backups, segregation of environments and staff confidentiality obligations. No system is perfectly secure; we therefore also regularly review and improve our measures.
12. Your rights
Subject to the conditions and limitations of the revFADP and, where applicable, the GDPR, you have the right to:
- obtain information about whether we process personal data about you and, if so, receive a copy ("right of access");
- request rectification of inaccurate or incomplete data;
- request erasure of data that is no longer needed or whose processing is unlawful;
- request restriction of processing in defined situations;
- object to processing based on our legitimate interests;
- receive your data in a structured, commonly used and machine-readable format and have it transmitted to another controller ("data portability", where GDPR applies);
- withdraw any consent you have given, with effect for the future.
To exercise any of these rights, please write to admin@virtus-resources.com. We may need to verify your identity before responding. The exercise of your rights is free of charge, unless your requests are manifestly unfounded or excessive.
13. Right to lodge a complaint
If you consider that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern (www.edoeb.admin.ch). In the EU, you may contact the data-protection authority of your habitual residence, place of work or place of the alleged infringement.
14. Automated decisions and profiling
We do not take decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
15. Minors
The Website is not directed at children. We do not knowingly collect personal data from persons under the age of 16. If you believe we have inadvertently collected such data, please contact us and we will delete it.
16. Changes to this Policy
We may amend this Privacy Policy from time to time to reflect changes in our practices, the Website or the law. The version published on the Website is the version in force. Material changes will be clearly signalled.
17. Contact
For any question or request concerning this Privacy Policy, please contact us at admin@virtus-resources.com.
Last updated: April 2026
This document is provided in English. A German version ("Datenschutzerklärung") can be requested at admin@virtus-resources.com; in case of discrepancy between language versions, the English version prevails.