01 — Controller
Who is responsible for your data
The data controller responsible for the personal information processed through this website and the Investment Payback client portal is Investment Payback Ltd, a Swiss public limited company headquartered in Zug. Operational matters relating to recovery cases are coordinated through our Canary Wharf office in London. You can reach our data protection contact at privacy@investmentpayback.com or through the postal address listed in our Imprint.
02 — Information we collect
Categories of personal data
We collect only what is necessary to evaluate, conduct and document a recovery engagement. This includes identification data (full name, date of birth, nationality and a government-issued identity document), contact data (email address, postal address, telephone number), financial and transactional information relevant to the alleged fraud (wallet addresses, transaction hashes, exchange statements, IBAN of the receiving bank account), and technical data automatically captured when you use the platform (IP address, browser fingerprint, session identifiers).
03 — Legal basis & purposes
Why we process your data
Processing is grounded in Article 6(1)(b) GDPR for the performance of the engagement contract, Article 6(1)(c) GDPR for compliance with anti-money-laundering and know-your-customer obligations under Swiss FINMA and EU AMLD frameworks, and Article 6(1)(f) GDPR for legitimate interests in fraud prevention, internal record-keeping and the establishment or defence of legal claims. Marketing emails, where applicable, are sent only with your prior consent under Article 6(1)(a) GDPR, which you can withdraw at any time.
04 — Recipients
Who we share data with
Personal data is shared only with parties strictly required to deliver the engagement: blockchain forensic partners (Chainalysis, TRM Labs and Asset Reality under data processing agreements), correspondent banks involved in returning recovered funds, regulatory authorities and law-enforcement agencies where compulsory disclosure applies, and our auditors and external legal counsel under professional confidentiality. We never sell personal data and never share it with advertisers or data brokers.
05 — International transfers
Transfers outside the EU and Switzerland
Where a recovery operation requires cooperation with partners outside the EU or Switzerland — for example, an exchange domiciled in the United States or a forensic firm in the United Kingdom — transfers are protected by EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent recognised mechanism. A copy of the safeguards in place for any specific transfer is available on request.
06 — Retention
How long we keep data
Active case records are retained for the duration of the engagement and for a further ten years after closure, in line with the Swiss anti-money-laundering record-keeping obligation. KYC documents are kept for the same period. Marketing data, where collected, is retained until consent is withdrawn. After the retention period elapses, data is securely erased or, where technically appropriate, anonymised for statistical purposes.
07 — Your rights
Rights you can exercise at any time
Under the GDPR and the Swiss FADP you may request access to the personal data we hold about you, rectification of inaccurate data, erasure where no overriding obligation applies, restriction of processing, portability of data you have provided in a structured electronic format, and objection to processing based on our legitimate interests. To exercise any of these rights, contact privacy@investmentpayback.com. You may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner or, for EU residents, with your local supervisory authority.
08 — Cookies
Cookies and similar technologies
This website uses strictly necessary cookies for session management, CSRF protection and language preference. We do not use advertising or third-party analytics cookies. Where we deploy first-party measurement to monitor service uptime, the data is aggregated and contains no personally identifiable information.
09 — Security
How we protect your data
All data in transit is encrypted using TLS 1.2 or higher. KYC documents are stored outside the public web root and served only through authenticated, ownership-verified download links. Access to client records is restricted to assigned investigators on a least-privilege basis and is fully auditable. Passwords are hashed with bcrypt; sensitive credentials are never stored in plaintext.
10 — Updates to this policy
Changes
We may update this policy from time to time to reflect changes in law or in our processing activities. The version date at the top of this page indicates the latest revision. Material changes affecting active clients will be notified through the client portal at least thirty days before they take effect.