Firma icon
Firma
Instant. Zero fees. Multi-Currency. SwissSwiss flag
Waitlist

PRIVACY POLICY

Firma Operations AG

Last Updated: June 10, 2026

Firma Operations AG ("we", "us", or "our") is a Swiss-regulated financial intermediary and member of the VQF Self-Regulatory Organization. We are subject to the Swiss Anti-Money Laundering Act (AMLA) and the Federal Act on Data Protection (FADP).

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services at https://firma.cash. It is designed to comply with our legal obligations under Swiss law.

What Personal Data We Collect

We collect personal data primarily to fulfill our legal obligations under the AMLA for customer due diligence, prevention of money laundering, terrorist financing, and related compliance requirements. This includes:

  • Identification documents (e.g., passport or ID card) and related verification data.
  • Personal details such as name, date of birth, address, and nationality.
  • VQF Establishing the Identity of the Beneficial Owner (A)
  • Proof of address and source of funds/wealth.
  • Contact information (email address and phone number), used exclusively for account security, authentication, and important service communications (never for marketing).
  • Limited technical data (such as IP address) collected during verification or for security purposes.
  • Blockchain wallet addresses linked to your verified identity (note that on-chain transactions on supported blockchains such as eCash or Solana are public and immutable by nature).

We use Didit solely as a processor to perform identity verification on our behalf. For more information on how Didit processes verification data, see Didit's Privacy Policy. We have opted out of any model training for our Didit account.

We do not use analytics, tracking technologies, or profiling in our services beyond what is strictly necessary for basic website functionality and security.

Anyone can create a self-custody wallet using our services without completing identity verification. However, access to regulated portions of our product that require KYC is available only to adults aged 18 and over. We do not provide those regulated services to minors and do not knowingly collect personal data from anyone under 18.

Legal Basis, Purpose, and Retention

The primary legal basis for processing your personal data is compliance with legal obligations under the AMLA (including customer identification and record-keeping duties). We process data only as necessary for these purposes.

In accordance with Article 7 AMLA, we retain KYC and compliance records for 10 years after the termination of the business relationship. On-chain blockchain transaction data is public and cannot be altered or deleted by us. The off-chain linkage between your identity and wallet addresses is retained for the same 10-year period.

Sharing and Disclosure

We only disclose personal data when we are legally obligated to do so by a binding request or court order from competent Swiss authorities. Our policy is to challenge requests where there is doubt as to their validity and to only comply once all legal remedies have been exhausted.

We share personal data only in the following limited circumstances under Swiss law:

  • With Swiss authorities, the VQF, courts, or other competent bodies pursuant to a binding legal obligation, court order, or formal request under the AMLA.
  • With professional auditors bound by professional secrecy for required SRO compliance audits.

We do not sell, trade, rent, or voluntarily disclose your personal data to any government (Swiss or foreign), third party, or other entity. Requests from foreign authorities must be handled through proper Swiss mutual legal assistance procedures.

Security and Access Controls

Your KYC and compliance records are stored offline and encrypted in secure Swiss institutional vaults. This air-gapped storage significantly reduces security risks associated with online systems.

Access is restricted exclusively to our authorized Compliance Officers. No IT personnel, developers, or other staff have access to this data, whether in storage or during retrieval. All access is logged, authorized on a need-to-know basis, and subject to audits.

Your Rights Under Swiss Law

Under the Swiss Federal Act on Data Protection (FADP), you have the right to request access to your personal data and to request correction of inaccurate or incomplete data.

Requests for deletion or erasure are subject to our mandatory 10-year retention obligations under AMLA Article 7. We cannot delete KYC/compliance records before this period expires.

Access to detailed KYC and compliance records, including copies of identification documents and source of funds information, may be limited or refused where necessary to comply with our obligations under the AMLA (including record-keeping and confidentiality requirements) or where disclosure would conflict with applicable law or regulatory duties.

To exercise your rights, contact us at privacy@firma.cash. We will respond in accordance with Swiss law (typically within 30 days). You may also contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates the current version. Material changes will be communicated via our website or your account.

Contact Us

For questions about this Privacy Policy or to exercise your rights:

Firma Operations AG

Dammstrasse 16

6300 Zug

Switzerland

Email: privacy@firma.cash

This Privacy Policy is effective as of June 10, 2026.