Capital 27

Privacy policy

Last updated: February 2026

1. Introduction

This Privacy Policy explains how Capital 27 Investment Group GmbH and Benesia AG (“Capital 27”, “we”, “us”, “our”) process personal data when you visit our websites, contact us, or interact with our investment-related services.

We comply with:

• General Data Protection Regulation (GDPR)

• German Federal Data Protection Act (BDSG)

• Swiss Federal Act on Data Protection (FADP)

2. Data Controller

German Operations:

Capital 27 Investment Group GmbH
Opernplatz 6, 60313 Frankfurt am Main, Germany
Represented by: Dr. Daniel Schmidt, Founder & Group CEO
Email: info@capital-27.com
Phone: +49 69 247 0414-48

Swiss Operations:

Benesia AG
Bahnhofstrasse 2, 6312 Steinhausen, Switzerland
CEO Switzerland: Stefan Fischer
Email: info@capital-27.ch
Phone: +41 76 400 8252

3. Hosting

Our websites are hosted by Framer B.V., Netherlands. Framer processes technical access data on our behalf under Art. 28 GDPR (Data Processing Agreement in place).

Data Transfer: Data transfers to the Netherlands are based on the EU adequacy decision. No supplementary measures required for EU-based hosting.

4. Data We Process

a) Technical Log Data

• Anonymized IP address
• Browser type and version
• Device type and operating system
• Time and date of access
• Referrer URL
• Accessed pages and duration
• Cookie identifiers

Retention: Technical logs retained for 90 days for security purposes, then deleted.


b) Contact requests

If you contact us via the contact form, we process the following data:

  • Name

  • Email

  • Optional company/organization

  • Message content

Retention: Contact inquiry data retained for 24 months to handle follow-up communications and business inquiries. After 24 months, data is deleted unless a business relationship has been established (see investor data retention below).

Legal basis: Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR


c) Investor & B2B correspondence

• Business contact details
• Professional information and background
• Documents voluntarily provided
• Investment interest and preferences
• Communication history

Retention: Investor and B2B correspondence retained for 7 years in accordance with German and Swiss tax and commercial law requirements (§ 257 HGB, Swiss CO Art. 958). After 7 years, data is deleted unless legal obligations require longer retention.


d) Website Analytics Data

• Page views and user journey
• Click patterns and interaction data
• Conversion events
• Device and browser information

Retention: Analytics data retained for 24 months by Google Analytics, then automatically deleted.

5. Google Analytics (GA4)

Google Analytics (GA4) is used only with your prior consent. Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time with effect for the future via the cookie settings.

We use Google Analytics (GA4) with the following safeguards:

• IP anonymization enabled
• Consent-based tracking (only with user consent)
• Data retention set to 24 months

Legal Basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in understanding website usage)

Data Transfers:
Transfers to the United States rely on:

• EU-US Data Privacy Framework (DPF) - primary legal basis
• Standard Contractual Clauses (SCCs) - supplementary basis
• Swiss-US Data Privacy Framework
• Data Processing Agreement with Google

Supplementary Measures:

• IP anonymization (prevents identification)
• Restricted data access (limited to analytics team)
• Regular data protection impact assessments
• Encryption in transit (HTTPS)

Your Rights: You can opt out of Google Analytics tracking by:

• Adjusting cookie settings on our website
• Installing the Google Analytics opt-out browser extension
• Disabling JavaScript in your browser

6. Cookies & Tracking Technologies

We use cookies to ensure our website functions correctly and to understand how you interact with it.

Essential/Necessary Cookies (No Consent Required):
These are strictly necessary for the website to function (e.g., security, page navigation). Without these, the site cannot perform basic tasks.

Preferences Cookies (Consent Required):
These allow the website to remember choices you make, such as your preferred language or theme settings.

Analytics/Performance Cookies (Consent Required):
We use these to track how visitors interact with the site (e.g., Google Analytics). This helps us improve our website performance. Note: Our built-in Framer Analytics are cookie-free and do not collect personal data.

Marketing Cookies (Consent Required):
These are used to track browsing behavior across websites to deliver relevant advertisements.

You can update or withdraw your cookie preferences at any time by clicking the 'Cookie Settings' link in our footer. Your consent status is stored for 12 months, after which we will automatically request renewed consent.

7. Data Recipients

Internal Recipients:

• Capital 27 management and authorized personnel
• Finance and accounting team
• Legal and compliance team

External Recipients:

Hosting Provider: Framer B.V. (Netherlands) - under Data Processing Agreement
Analytics Provider: Google LLC (USA) - under Data Processing Agreement and SCCs
IT Service Providers: Cloud infrastructure and email providers
Financial Institutions: Banks and payment processors (for transaction processing)
Legal & Tax Advisors: External counsel and tax consultants
Audit Firms: External auditors (for compliance and financial audits)
Regulatory Authorities: Government agencies (when legally required)

Data Sharing Restrictions:

• We do not sell personal data to third parties
• We do not share data with marketing companies without explicit consent
• Data is shared only to the extent necessary for the stated purpose
• All recipients are bound by confidentiality agreements

8. Data Retention Summary
9. Security

We maintain strict technical and organizational security measures:

Encryption: HTTPS/TLS for all data in transit
Access Control: Role-based access to personal data
Authentication: Strong password policies and multi-factor authentication
Regular Audits: Periodic security assessments and penetration testing
Employee Training: Data protection training for all staff
Incident Response: Documented procedures for data breach response

Data Breach Notification: In the event of a data breach, we will notify affected individuals and relevant authorities within 72 hours as required by GDPR Art. 33-34.

10. Your Rights

Under GDPR and FADP, you have the following rights:

Right of Access: Request a copy of your personal data
Right to Correction: Request correction of inaccurate data
Right to Deletion: Request deletion of your data (“right to be forgotten”)
Right to Restrict Processing: Request restriction of data processing
Right to Data Portability: Request your data in a structured, portable format
Right to Object: Object to processing of your data
Right to Withdraw Consent: Withdraw consent for data processing at any time
Right to Lodge a Complaint: File a complaint with a data protection authority

How to Exercise Your Rights:

Contact us at: privacy@capital-27.com

We will respond to your request within 30 days (extendable to 90 days for complex requests).

11. Complaints & Data Protection Authorities

German Users:
Hessian Data Protection Authority (Hessischer Datenschutzbeauftragter)
Website: https://datenschutz.hessen.de

Swiss Users:
Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch

Email: contact@edoeb.admin.ch

EU Users:
Your local national data protection authority
(see https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm)

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and updating the “Last Updated” date.

Your continued use of our website following the posting of the revised Privacy Policy means you accept and agree to the changes.

SWISS FADP SUPPLEMENT

For Swiss Users Under the Swiss Federal Act on Data Protection (FADP)

Applicability: This supplement applies to all individuals in Switzerland whose personal data is processed by Capital 27.

1. Data Controller for Swiss Operations

Benesia AG
Bahnhofstrasse 2
6312 Steinhausen
Switzerland

Contact: Stefan Fischer (CEO Switzerland)
Email: privacy@capital-27.ch

2. Your Rights Under FADP

In addition to the rights listed above, Swiss residents have the following rights under the revised FADP (revDSG):

Right of Access: Request information about whether and what personal data is processed
Right to Correction: Request correction of inaccurate data
Right to Deletion: Request deletion of data (subject to legal exceptions)
Right to Portability: Request data in a structured format
Right to Object: Object to processing for legitimate reasons

3. Data Transfers Outside Switzerland

We may transfer personal data outside Switzerland only if:

• Adequate legal protections exist (e.g., EU adequacy decision)
• Appropriate safeguards are in place (e.g., Standard Contractual Clauses)
• You have explicitly consented

For transfers to the United States (e.g., Google Analytics), we rely on the EU-US Data Privacy Framework and supplementary measures as described above.

4. Data Protection Authority for Swiss Users

Swiss Federal Data Protection and Information Commissioner (FDPIC)
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
Website: https://www.edoeb.admin.ch

Email: contact@edoeb.admin.ch
Phone: +41 58 462 43 95

5. Contact for Swiss Data Protection Inquiries

For all data protection inquiries related to Swiss operations:

Email: privacy@capital-27.ch
Address: Benesia AG, Bahnhofstrasse 2, 6312 Steinhausen, Switzerland

Investor & Limited Partner privacy notice

1. Scope

This notice applies to:

• Current and prospective investors
• Limited Partners (LPs)
• Co-investors
• Investment advisors and consultants

2. Categories of Data Processed

• Identification data (name, address, ID number)
• Contact information (email, phone)
• Financial information (net worth, investment capacity)
• Professional background and experience
• Due diligence materials (financial statements, references)
• AML/KYC documents (identity verification, beneficial ownership)
• Investment communication records
• Transaction history and confirmations

3. Purposes of Processing

• Investment assessment and due diligence
• Investor onboarding and account management
• Compliance with AML/KYC regulations
• Investor relations and communication
• Secure data room access and document management
• Performance reporting and investor updates
• Legal and regulatory compliance

4. Legal Bases

• Art. 6(1)(b) GDPR: Contractual necessity
• Art. 6(1)(c) GDPR: Legal obligation (AML/KYC, tax reporting)
• Art. 6(1)(f) GDPR: Legitimate interest (fraud prevention, business operations)

5. Data Sharing

Investor data may be shared with:

• Financial institutions and custodians
• AML/KYC service providers and compliance firms
• Legal and tax advisors
• Audit firms and external auditors
• IT service providers and data room operators
• Regulatory and government authorities (when required)

All recipients are bound by confidentiality agreements and data processing agreements.

6. Data Retention

Investor data is retained for:

• Active investments: Duration of investment + 7 years after exit
• Prospective investors: 24 months after initial inquiry
• AML/KYC documents: 10 years (regulatory requirement)
• Tax records: 7 years (legal requirement)

7. Your Rights as an Investor

You have all rights listed in Section 10 of this Privacy Policy, plus:

• Right to request a copy of your investor file
• Right to request deletion after investment termination (subject to legal holds)
• Right to restrict processing for specific purposes

8. Contact for Investor Privacy Inquiries

Email: privacy@capital-27.com
Phone: +49 69 247 0414-48 (Germany) or +41 76 400 8252 (Switzerland)