BIOFY

MARKETPLACE PRIVACY POLICY

Last update: 19th December 2025

This Privacy Policy (the "Policy") explains how Biofy ("Biofy", "we", "us", or "our") collects, uses, discloses, and otherwise processes personal data in connection with the Biofy website, applications, online marketplace, and related services (collectively, the "Platform").

This Policy is drafted in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the Swiss Federal Act on Data Protection ("FADP"), as revised and in force. Where both regimes apply, Biofy seeks to comply with the higher standard of protection.

This Policy applies to all visitors, users, buyers, and other individuals whose personal data is processed in connection with the Platform (each a "Data Subject").

1. DATA CONTROLLER AND CONTACT INFORMATION

Biofy acts as a data controller within the meaning of the GDPR and the FADP with respect to the personal data it processes for its own purposes.

Biofy’s contact details are as follows:

Email: privacy@bio.xyz

Where required by Applicable Law, Bio has appointed a data protection officer or contact point for privacy-related inquiries, which may be contacted using the details above.

2. SCOPE OF THIS POLICY AND RELATIONSHIP WITH MERCHANTS

Biofy operates a marketplace platform that connects users and buyers with independent third-party merchants (each a "Merchant"). In this context, Bio and Merchants generally act as independent data controllers, each determining their own purposes and means of processing personal data.

Biofy is not responsible for the privacy practices of Merchants. Merchants process personal data received through the Platform for their own purposes, including order fulfillment, customer support, and legal compliance, and are subject to their own privacy policies. Data Subjects are encouraged to review Merchant privacy notices before completing a transaction.

3. CATEGORIES OF PERSONAL DATA PROCESSED

Biofy processes personal data that Data Subjects provide directly, that is generated through use of the Platform, or that is received from third parties.

Such personal data may include identification data such as name, username, date of birth (where required), and account credentials; contact data such as email address, postal address, and telephone number; transactional data such as order details, payment method identifiers, transaction references, refunds, and chargeback information; technical data such as IP address, device identifiers, browser type, operating system, log files, and usage data; communications data such as messages sent through the Platform or correspondence with customer support; and compliance data such as identity verification information, sanctions screening results, or fraud-prevention indicators where required by law or payment partners.

Bio does not intentionally collect special categories of personal data within the meaning of Article 9 GDPR or sensitive personal data under the FADP, unless required by Applicable Law.

4. PURPOSES AND LEGAL BASES OF PROCESSING

Biofy processes personal data only where permitted by Applicable Law and for specified, explicit, and legitimate purposes.

Personal data is processed for the purpose of providing and operating the Platform, enabling account creation and management, facilitating interactions between users and merchants, processing orders and payments, providing customer support, communicating with users regarding the Platform, ensuring security and preventing fraud, complying with legal and regulatory obligations, enforcing contractual terms, and improving and developing the Platform.

Under the GDPR, Biofy relies on one or more of the following legal bases: the performance of a contract or steps taken at the request of the Data Subject prior to entering into a contract; compliance with a legal obligation; Biofy’s legitimate interests, including operating a secure and efficient marketplace, preventing fraud, and improving services, provided such interests are not overridden by the interests or fundamental rights of the Data Subject; and, where applicable, the Data Subject’s consent.

Under Swiss law, Biofy processes personal data in accordance with the principles of lawfulness, good faith, proportionality, purpose limitation, data accuracy, and data security.

5. DISCLOSURE OF PERSONAL DATA

Biofy may disclose personal data to third parties only to the extent necessary for the purposes described in this Policy.

Recipients of personal data may include Merchants, to the extent required to facilitate Transactions; payment service providers, banks, wallet providers, and financial institutions involved in processing payments; technical service providers such as hosting providers, cloud infrastructure providers, analytics providers, and security vendors; professional advisors such as legal, accounting, and audit firms; and public authorities, regulators, or courts where disclosure is required by Applicable Law.

Biofy does not sell personal data and does not share personal data for third-party advertising purposes.

6. INTERNATIONAL DATA TRANSFERS

Personal data may be transferred to and processed in countries outside Switzerland and the European Economic Area. Where such transfers occur, Biofy ensures that appropriate safeguards are in place, including adequacy decisions, standard contractual clauses, or other transfer mechanisms recognized under the GDPR and the FADP.

7. DATA RETENTION

Biofy retains personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, to resolve disputes, and to enforce agreements.

Retention periods vary depending on the nature of the data, the purpose of processing, and applicable legal requirements. Where personal data is no longer required, it is securely deleted or anonymized.

8. DATA SECURITY

Biofy implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, disclosure, or destruction. Such measures take into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

Despite these measures, no system can be guaranteed to be completely secure, and Biofy cannot guarantee absolute security of personal data.

9. RIGHTS OF DATA SUBJECTS

Subject to Applicable Law, Data Subjects have the right to request access to their personal data, rectification of inaccurate or incomplete data, erasure of personal data, restriction of processing, data portability, and to object to processing based on legitimate interests.

Where processing is based on consent, Data Subjects have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

Requests to exercise data subject rights may be submitted using the contact details provided above. Biofy may request additional information to verify the identity of the requesting individual.

Under Swiss law, Data Subjects also have the right to request information about whether their personal data is being processed and to whom it is disclosed.

10. COOKIES AND TRACKING TECHNOLOGIES

The Platform uses cookies and similar technologies to ensure functionality, security, and performance. Where required by Applicable Law, Biofy obtains user consent before placing non-essential cookies.

Further information regarding the use of cookies is provided in Biofy’s Cookie Policy.

11. CHILDREN’S DATA

The Platform is not intended for use by children under the age of sixteen (16), or such higher age as required by Applicable Law. Biofy does not knowingly collect personal data from children.

12. CHANGES TO THIS POLICY

Biofy may update this Privacy Policy from time to time to reflect changes in legal requirements, processing activities, or Platform features. Updated versions will be made available on the Platform and will become effective as indicated.

13. COMPLAINTS AND SUPERVISORY AUTHORITIES

Data Subjects have the right to lodge a complaint with a competent supervisory authority. In the European Union, this includes the authority of the Member State of habitual residence. In Switzerland, this includes the Federal Data Protection and Information Commissioner (FDPIC).

By using the Platform, you acknowledge that you have read and understood this Privacy Policy.