Privacy Policy
Effective Date: March 3, 2026
1. Controller
New Way Capital Advisory Limited ("NWCA", "we", "us") is the controller responsible for the processing of your personal data as described in this Privacy Policy. We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).
Contact for data protection inquiries:
New Way Capital Advisory Limited
Email: info@nwc-advisory.com
2. Data We Collect
We collect and process the following categories of personal data, depending on how you interact with our services:
2.1 Website Analytics
When you visit nwc-advisory.com, we collect usage data through Google Analytics 4 (Measurement ID: G-FMGYJ03LYJ). This includes:
- Pages visited and time spent on pages
- Referring website or campaign source
- Browser type, operating system, and screen resolution
- Approximate geographic location (country/city level, derived from IP address)
- Anonymized IP address (IP anonymization is enabled)
Google Analytics uses cookies to distinguish users. You may opt out by disabling cookies in your browser or by installing the Google Analytics Opt-Out Browser Add-on.
2.2 Self-Service Application Registration
When you create an account on our Portfolio Consolidation application at /portfolio/consolidation, we collect:
- Email address
- Full name
- Company name
- Password (stored as a bcrypt hash; we never store or have access to your plaintext password)
2.3 Portfolio Data
When you use our Portfolio Consolidation service, you may upload PDF documents containing financial portfolio data. This data is processed temporarily for analysis and report generation. See our Data Processing Agreement for details on handling and retention.
2.4 Server Logs
Our web server automatically records access logs that include:
- IP address
- Date and time of request
- Requested URL and HTTP method
- HTTP status code
- User agent string
- Referrer URL
Server logs are used for security monitoring, troubleshooting, and protection against malicious activity. They are retained for a maximum of 90 days.
3. IP Geolocation
We use the free tier of ip-api.com to perform IP geolocation lookups for internal analytics purposes. When a geolocation query is made, your IP address is sent to ip-api.com's servers to determine approximate geographic location (country, city, ISP). This data is cached locally on our servers for up to 30 days to minimize external requests.
ip-api.com does not receive any other personal data from us. For ip-api.com's own privacy practices, please refer to their website at ip-api.com.
4. Cookies
We use the following types of cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
_ga |
Google Analytics - distinguishes users | 2 years | Analytics |
_ga_* |
Google Analytics 4 - maintains session state | 2 years | Analytics |
| JWT token | Authentication for self-service application (stored in browser local storage, not as a cookie) | Session | Functional |
We do not use advertising or tracking cookies beyond Google Analytics.
5. Purpose and Legal Basis
| Processing Activity | Purpose | Legal Basis |
|---|---|---|
| Website analytics | Understanding website usage and improving our services | Legitimate interest (Art. 6(1)(f) GDPR / Art. 31 nDSG) |
| Account registration | Providing access to the self-service application | Performance of contract (Art. 6(1)(b) GDPR / Art. 31 nDSG) |
| Portfolio processing | Generating portfolio analysis reports | Performance of contract (Art. 6(1)(b) GDPR / Art. 31 nDSG) |
| Server logs | Security, fraud prevention, troubleshooting | Legitimate interest (Art. 6(1)(f) GDPR / Art. 31 nDSG) |
| IP geolocation | Internal analytics and visitor intelligence | Legitimate interest (Art. 6(1)(f) GDPR / Art. 31 nDSG) |
6. Data Storage and Security
All data is stored and processed on servers located in Switzerland. We implement appropriate technical and organizational measures to protect personal data, including:
- HTTPS encryption for all data in transit (TLS 1.2+)
- Password hashing using bcrypt with appropriate work factors
- JWT-based authentication with token expiry
- Access controls limiting data access to authorized personnel
- Regular security monitoring and log analysis
Switzerland is recognized by the European Commission as providing an adequate level of data protection under its adequacy decision, ensuring that data stored in Switzerland meets GDPR standards.
7. Data Sharing and Transfers
We do not sell, rent, or trade personal data. We share data only with the following third parties:
- Google LLC (Google Analytics) -- anonymized usage data for website analytics. Google may process this data in the United States. Google is certified under the EU-U.S. Data Privacy Framework.
- ip-api.com -- IP addresses for geolocation queries. No other personal data is transmitted.
We do not use any paid third-party data processors. All portfolio data processing occurs entirely on our own infrastructure in Switzerland.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Website analytics (Google Analytics) | 26 months (Google default) |
| Account data (email, name, company) | Until account deletion requested |
| Uploaded portfolio documents | Deleted after download or within 24 hours of processing |
| Server access logs | 90 days |
| IP geolocation cache | 30 days |
9. Your Rights
Under the FADP and GDPR, you have the following rights regarding your personal data:
- Right of access: You may request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to rectification: You may request correction of inaccurate personal data.
- Right to erasure: You may request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to restrict processing: You may request restriction of processing under certain circumstances.
- Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
- Right to object: You may object to processing based on legitimate interest at any time.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at info@nwc-advisory.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or with your local supervisory authority if you are located in the EU/EEA.
10. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us so we can delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a revised effective date. We encourage you to review this page periodically.
12. Contact
New Way Capital Advisory Limited
Email: info@nwc-advisory.com
Website: nwc-advisory.com