Privacy Policy
Effective Date: June 10th, 2026
This Privacy Policy explains how Frederic Fernandez & Associates AG (“FF&A”, “we”, “us”, “our”) collects, uses, shares, and retains personal data in connection with the ZBG Sprint programme and our website at zbgsprint.fredericfernandezassociates.com.
We are committed to processing personal data lawfully, fairly, and transparently in accordance with the Swiss Federal Act on Data Protection (nFADP, in force from 1 September 2023) and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR.
By purchasing the Course or using our website, you acknowledge that you have read and understood this Policy.
1. Data Controller
1.1 The data controller responsible for your personal data is:
Frederic Fernandez & Associates AG
22 Grubenstrasse, 6315 Oberageri, Switzerland
UID: CHE-294.553.112
Email: zbg@fredericfernandezandassociates.com
Website: zbgsprint.fredericfernandezassociates.com
1.2 For all data protection queries, requests to exercise your rights, or complaints, please contact us at zbg@fredericfernandezandassociates.com. We will acknowledge requests within five (5) working days (Monday to Friday, excluding Swiss public holidays in the Canton of Zug).
2. Scope of This Policy
2.1 This Policy applies to personal data processed in connection with:
the ZBG Sprint course platform and all associated packages;
our course website and landing pages;
the ZBG Sprint LinkedIn newsletter and other marketing communications;
group Q&A calls and associated recordings;
the ZBG Sprint member community; and
enquiries, support requests, or applications submitted to FF&A.
2.2 The ZBG Sprint is sold exclusively to legal entities. References to “you” in this Policy refer to individual Seat Holders and other individuals whose data we process (including website visitors and marketing contacts).
3. Personal Data We Collect
3.1 Course Participants (Seat Holders)
When a purchasing organisation registers Seat Holders for the programme, we collect:
identity data: full name, job title, and employer organisation, brand;
contact data: business email address;
account data: platform login credentials (passwords are encrypted and are not accessible to FF&A);
course engagement data: video watch progress, module completion status, login timestamps, and Q&A call attendance records;
community and Q&A data: questions, comments, or content voluntarily submitted in community or group session features; and
call recording data: audio and video recordings of group Q&A calls in which the Seat Holder participates (see clause 6).
3.2 Website Visitors
When you visit our website, we automatically collect:
technical data: IP address, browser type and version, operating system, and device type;
usage data: pages visited, time on page, navigation path, and referral source;
behavioural data: mouse movements, clicks, scroll depth, and session recordings where Hotjar is active (see clause 11); and
cookie and tracking data: identifiers set by analytics and advertising tools (see clause 11).
3.3 Marketing Contacts
If you submit an enquiry, apply for a package, or subscribe to our LinkedIn newsletter, we collect:
name and business email address;
organisation name and job title; and
marketing engagement data: newsletter interactions and link clicks.
3.4 Data We Do Not Collect
We do not knowingly collect special categories of personal data (such as health, biometric, or religious data), financial account details (payment data is processed directly by Stripe and not stored by us), or personal data of individuals under the age of 18.
4. Legal Basis for Processing
4.1 We process personal data on the following legal bases:
4.2 Contract performance (Art. 6(1)(b) GDPR / Art. 31(2)(a) nFADP). Seat Holder account management, course delivery, call participation, community access, refund processing, and customer support. This is the primary basis on which we process Seat Holder data.
4.3 Legitimate interests (Art. 6(1)(f) GDPR / Art. 31(2)(a) nFADP). Website analytics, fraud prevention, IT security, and contractual record-keeping. We have assessed that our interests do not override your fundamental rights.
4.4 Consent (Art. 6(1)(a) GDPR / Art. 31(2)(b) nFADP). Behavioural tracking, advertising, and analytics cookies placed on our website, and marketing communications sent to prospective customers. Consent may be withdrawn at any time (see clause 10.8).
4.5 Legal obligation (Art. 6(1)(c) GDPR / Art. 31(2)(c) nFADP). Retention of invoices and transaction records for the statutory period required by Swiss commercial law (Swiss Code of Obligations, Art. 958f: ten years).
5. How We Use Personal Data
5.1 We use personal data for the following purposes:
delivering and managing access to the ZBG Sprint course and all included features;
processing payments and issuing invoices (in cooperation with Stripe);
hosting and facilitating group Q&A calls and making recordings available to members;
sending course-related operational communications (access credentials, scheduling, platform updates);
responding to support requests and handling complaints;
verifying course consumption data for refund eligibility purposes;
preventing and detecting unauthorised account sharing or platform misuse;
improving our course content, platform, and user experience using aggregated analytics;
sending marketing communications to prospects via the ZBG Sprint LinkedIn newsletter (subject to consent); and
complying with legal and regulatory obligations.
6. Group Q&A Call Recordings
6.1 Group Q&A calls conducted as part of the ZBG Sprint programme are recorded. By joining a call, you acknowledge and agree that the session will be recorded.
6.2 Recordings are stored on the course platform (Buildable/GoHighLevel) and are accessible only to current, active Seat Holders of the programme. Recordings are not shared publicly or with parties outside the sub-processors listed in clause 7.2.
6.3 If you do not wish to appear or speak on a recorded call, you may disable your camera and microphone. Written Q&A submissions remain available as an alternative participation method.
7. Sharing Personal Data
7.1 We do not sell personal data. We share personal data only with the following categories of recipients, each engaged under appropriate contractual data protection safeguards.
7.2 Sub-processors. The following third-party companies process personal data on our behalf in connection with the delivery of the course:
GoHighLevel LLC (operating as Buildable), 400 North Saint Paul Street, Suite 920, Dallas, TX 75201, USA — course platform, CRM, community management, and newsletter delivery. Transfers protected by Standard Contractual Clauses (SCCs). Privacy policy: gohighlevel.com/privacy-policy;
Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) / Stripe Payments Europe Limited (1 Grand Canal Street Lower, Dublin 2, Ireland) — payment processing. EEA transfers protected by adequacy decision; Swiss and other transfers by SCCs. Privacy policy: stripe.com/privacy;
LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland) — LinkedIn newsletter distribution and LinkedIn advertising (including the LinkedIn Insight Tag for conversion tracking). Transfers to the US protected by the EU-US Data Privacy Framework and SCCs. Privacy policy: linkedin.com/legal/privacy-policy;
Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) / Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) — website analytics via Google Analytics 4. IP addresses are anonymised. Transfers to the US protected by the EU-US Data Privacy Framework and SCCs. Privacy policy: policies.google.com/privacy;
Hotjar Ltd (Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta) — behavioural analytics, session recording, and heatmaps on our website. Active only where consent is given via the cookie consent banner. Transfers within EEA; privacy policy: hotjar.com/legal/privacy;
Framer B.V. (Amsteldijk 166, 1079 LH Amsterdam, Netherlands) — website hosting and content delivery for zbgsprint.fredericfernandezassociates.com. EEA-based processor; no cross-border transfer. Privacy policy: framer.com/privacy; and
Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) — content delivery network, DDoS protection, and infrastructure. All web traffic routes through Cloudflare. Transfers to the US protected by SCCs and the EU-US Data Privacy Framework. Privacy policy: cloudflare.com/privacypolicy.
7.3 The Purchasing Organisation. The organisation that purchased Seat Holder access may request summary usage data (such as overall course completion status) for internal reporting. We do not share individual personal communications or community contributions with the purchasing organisation without the individual’s consent.
7.4 Professional Advisors and Regulators. We may share personal data with our lawyers, accountants, and insurers where necessary for the provision of professional services, and with regulatory or law enforcement authorities where required by applicable law.
8. International Data Transfers
8.1 Our primary platform provider, GoHighLevel LLC, processes data on servers located in the United States. The United States does not benefit from a formal adequacy decision from Switzerland or (for GDPR purposes) the European Union. Transfers to GoHighLevel are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision (EU) 2021/914) and supplementary technical and organisational measures.
8.2 Switzerland is recognised by the European Commission as providing an adequate level of data protection (Decision 2000/518/EC). Data transfers between FF&A’s Swiss operations and EEA-based individuals are accordingly made on the basis of adequacy.
8.3 LinkedIn and Google transfer data internationally under the EU-US Data Privacy Framework and/or Standard Contractual Clauses, as set out in their respective privacy policies. Stripe uses adequacy decisions (for EEA) and SCCs (for other transfers). Hotjar processes data within the EEA. Framer is EEA-based. Cloudflare transfers data to the US under SCCs and the EU-US Data Privacy Framework.
8.4 You may request details of the specific transfer safeguards in place for any sub-processor by contacting us at zbg@fredericfernandezandassociates.com.
9. Data Retention
9.1 We retain personal data for no longer than is necessary for the purposes described in this Policy. The following retention periods apply:
Seat Holder account and course data: duration of the 12-month access period plus 3 years (for dispute resolution and legal claims);
payment and invoice records: 10 years from the transaction date (Swiss CO Art. 958f — commercial record-keeping obligation);
call recordings: 12 months from the date of the call, deleted on a rolling basis;
marketing contact data: 3 years from the date of last interaction, or on unsubscribe from the LinkedIn newsletter (whichever is earlier);
website analytics data (Google Analytics 4): 26 months;
Hotjar session recordings and heatmap data: 365 days (Hotjar default retention);
support correspondence: 3 years from the resolution of the query.
9.2 On expiry of the applicable retention period, personal data is securely deleted or anonymised. You may request earlier deletion subject to the limitations in clause 10.4.
10. Your Data Protection Rights
10.1 Depending on your location and applicable law, you may have the following rights in respect of your personal data. To exercise any right, please contact us at zbg@fredericfernandezandassociates.com.
10.2 Right of access (Art. 15 GDPR / Art. 25 nFADP). You may request a copy of the personal data we hold about you and information about how it is used.
10.3 Right to rectification (Art. 16 GDPR / Art. 32 nFADP). You may ask us to correct personal data that is inaccurate or incomplete.
10.4 Right to erasure (Art. 17 GDPR / Art. 32 nFADP). You may ask us to delete your personal data where there is no legal basis for continued retention. Note: we cannot delete data we are legally required to retain (e.g. invoice records under Swiss commercial law).
10.5 Right to restriction of processing (Art. 18 GDPR). Where you contest the accuracy of your data, or the legal basis for processing, you may ask us to limit use of your data pending resolution. Note: the nFADP does not contain a directly equivalent restriction right, though related protections apply under Art. 25 and Art. 30.
10.6 Right to data portability (Art. 20 GDPR / Art. 28 nFADP). Where processing is based on contract or consent and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
10.7 Right to object (Art. 21 GDPR). You may object to processing carried out on the basis of legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. Note: the nFADP provides a narrower objection right focused on profiling (Art. 30(2)).
10.8 Right to withdraw consent. Where processing is based on your consent (including behavioural tracking, analytics, and advertising cookies, and marketing communications), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
10.9 How to exercise your rights. Please contact us at zbg@fredericfernandezandassociates.com. We will respond within thirty (30) days. We may ask you to verify your identity before processing your request.
10.10 Right to complain. If you believe we have not complied with your data protection rights, you may lodge a complaint with the relevant supervisory authority. In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch. In the EEA: your national data protection authority. In the UK: the Information Commissioner’s Office (ICO), ico.org.uk.
11. Cookies and Tracking Technologies
11.1 Our website uses cookies and similar technologies (pixels, tags, and scripts) to enable core functionality, analyse website traffic, measure advertising performance, and understand how visitors interact with the site. The following categories of tracking are in use:
11.2 Strictly necessary cookies. Placed by Buildable/GoHighLevel and by Cloudflare for session management, user authentication, DDoS protection, and security. These are essential to the operation of the site and platform and are placed without consent.
11.3 Analytics cookies (Google Analytics 4). We use Google Analytics 4 to measure website traffic, page views, and user journeys. IP addresses are anonymised before storage. These cookies require your consent and are activated only if you accept analytics cookies via our consent banner.
11.4 Behavioural analytics and session recording (Hotjar). We use Hotjar to record anonymised session replays, generate heatmaps, and analyse how visitors navigate the site. Hotjar may record mouse movements, clicks, scroll behaviour, and keystrokes in form fields (sensitive fields are suppressed). These cookies require your explicit consent and are activated only if you accept analytics cookies via our consent banner. Hotjar’s privacy policy: hotjar.com/legal/privacy.
11.5 Advertising cookies (LinkedIn Insight Tag). We use the LinkedIn Insight Tag to track conversions from LinkedIn advertising campaigns and to enable LinkedIn retargeting. This tag is active only if you accept advertising cookies via our consent banner. LinkedIn’s privacy policy: linkedin.com/legal/privacy-policy.
11.6 Preference cookies. Placed by the course platform to remember display and session preferences. These are functional and do not require consent.
11.7 On your first visit to our website, you will be shown a cookie consent banner. You may accept all cookies or configure your preferences to accept or decline specific categories. You may also manage or withdraw your consent at any time by clearing your browser cookies and revisiting the site, or by adjusting your browser settings. For more information, visit www.allaboutcookies.org.
12. Security
12.1 We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:
encryption of data in transit (TLS) and at rest where supported by our platform providers;
access controls limiting platform access to authorised personnel and active Seat Holders;
regular review of third-party sub-processor security practices; and
data protection obligations imposed by contract on all sub-processors.
12.2 In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by applicable law and, where necessary, affected individuals without undue delay.
13. Third-Party Websites
13.1 Our website and course platform may contain links to third-party websites and platforms (including LinkedIn and industry publications). This Policy does not apply to those websites. We are not responsible for the privacy practices of third parties and encourage you to review their own privacy policies before providing personal data.
14. Children’s Data
14.1 The ZBG Sprint programme is a professional development course offered exclusively to business organisations. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately at zbg@fredericfernandezandassociates.com and we will delete it.
15. Changes to This Policy
15.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. Material changes — those that significantly affect your rights or the way we use your personal data — will be communicated to active Seat Holders by email to their registered address at least fourteen (14) days before the change takes effect.
15.2 The current version of this Policy is always available on our website. The effective date at the top of this document indicates when it was last revised. Continued use of the Course or website after the effective date of any material amendment constitutes acceptance of the updated Policy.
16. Contact Us
16.1 For all privacy-related enquiries, requests to exercise your rights, or complaints, please contact:
Frederic Fernandez & Associates AG
Attn: Data Protection Enquiries
22 Grubenstrasse, 6315 Oberageri, Switzerland
Email: zbg@fredericfernandezandassociates.com
Website: zbgsprint.fredericfernandezassociates.com
16.2 We take all privacy concerns seriously. If you are not satisfied with our response, you have the right to contact the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
