Privacy notice

Last reviewed: August 2023

1. What is this Privacy Notice about?

Climeworks is committed to protecting your privacy and complying with applicable data protection laws, including the Swiss Federal Act on Data Protection ("FADP"), EU General Data Protection Regulation ("GDPR") and California Privacy Rights Act ("CPRA").

This Privacy Notice ("Notice") provides you with an overview of the personal data that Climeworks AG and its affiliated companies (hereinafter referred to as "Climeworks", "we" or "us") may collect, use, transfer and disclose about you in connection with our services, website, and other interactions with you. We also describe the choices you have about your information.

2. Who is the data controller?

The data controller is Climeworks AG, Birchstrasse 155, 8050 Zürich, Switzerland (CHE-115.234.406) and Climeworks affiliate companies that are contracting parties for the purposes of providing or receiving services. Climeworks' affiliate companies include Climeworks International AG (Switzerland), Climeworks Deutschland GmbH (Germany), Climeworks Corporation (USA), Climeworks Iceland ehf (Iceland) and Climeworks Mammoth ehf (Iceland).

3. Who can I contact for data protection questions?

If you have any questions about this Notice or data protection-related requests, please contact our Data Protection Officer at:

Address: Climeworks AG, Birchstrasse 155, 8050 Zürich, Switzerland
Email: dataprotection[at]climeworks.com

4. Whose personal data do you process?

We may collect and process personal data of data subjects including website visitors, customers, prospective customers, employees, consultants, contractors, job applicants, newsletter recipients, suppliers, business partners, shareholders, investors and others who interact with us.

We do not intend to process the data of children. Our website and services should only be accessed by individuals who are over 16 years old. If you are under 16, do not use our services or provide any information on our website. If we learn we have received personal data from an individual under 16 years of age without parental consent, we will delete that data. If you believe we might have any data about a child under 16, please contact us at dataprotection[at]climeworks.com.

5. What types of personal data do you collect/process?

Depending on your relationship with Climeworks, we may process various categories of personal data about you, including:

Registration data: certain services (such as log-in areas of our website, newsletters, whitepapers and events) can only be used with a user account or registration. In this regard, you must provide us with certain data, and we collect data about the use of the service.

Registration data may include your name, email, phone number, account information, customer ID, postal address, language preference and content preferences.

Communication data: when you are in contact with us through our Helpdesk, email, telephone, social media, or other means of communication, we collect data exchanged between you and us, including your contact details and the metadata of the communication.

Communication data includes your name and contact details, the means, place and time of communication and the content of the communication. This data may also include information about third parties.

Master data: this consists of the basic data we need for marketing and promotional purposes or, in addition to contract data, for the performance of our contractual or other business relationships. We process your master data if you are a customer or business contact (or work for one) or because we wish to address you for our own purposes (for example, for invitations to events or for marketing purposes). Master data is not collected comprehensively for all contacts. The data collected in an individual case depends mostly on the purpose of the processing activity.

Master data may include data such as name, address, email address, telephone number and other contact details, gender, date of birth, nationality, websites, social media profiles, details of your relationship with us, information about your role and function, customer history, details of our interactions with you, powers of attorney, and official documents (for example, commercial register extracts) that concern you. If you have a paid service with us, we may also process your payment data, for example your bank details or account/credit card details. Declarations of consent and opt-out information are also part of the master data.

Contract data: this means data that is collected in relation to the conclusion or performance of a contract, for example information about services provided or received, data from the period leading up to the conclusion of a contract and information required or used for performing a contract.

Contract data includes information about the contract itself, as well as data about the contract's conclusion, performance and administration, as well as information about customer satisfaction that we may collect. Contract data also includes financial data, such as your payment method, payment amount and information about reminders. We receive this data partly from you but also from third party payment services that may be utilised based on your choice of payment method.

Technical data: when you use our website or other online offerings, we may collect technical data in order to ensure the functionality and security of these offerings. Technical data as such does not permit us to draw conclusions about your identity, however it may be linked with other categories of data (and potentially with your person) in relation to user accounts, registrations, access controls or the performance of a contract.

Technical data includes activity logs, your IP address and operating system, the region, date and time of use and the type of browser through which you accessed our electronic offerings. This can, for example, help us to provide an appropriate website layout or to show you a website customised for your region. We know through which provider you access our offerings (and therefore also the region) because of the IP address, but usually this does not tell us who you are. However, this may change, for example, when you create a user account because personal data can then be linked with technical data.

Behavioural and preference data: depending on our relationship with you, we may try to get to know you better, tailor our services and offers to you and to learn from our interactions to better improve our services, offers and website. For this purpose, we may collect and process data about your behaviour and preferences. We do so by evaluating information about your behaviour in our domain, and we may also supplement this information with other information.

Behavioural data is information about certain actions, such as your response to electronic communications (for example, if and when you have opened a newsletter) or the country you visited our website from. Preference data tells us what your needs are, which services might be of interest to you or when and how you will likely respond to a message from us. We obtain this information from the analysis of existing data, such as behavioural data, so that we can get to know you better, tailor our offers to you and improve our services. To improve the quality of our analyses, we may combine this data with other data that we obtain from third parties or publicly available sources.

Other data: We may also collect data from you in other situations. For example, at our events we may create photos, videos and sound recordings in which you may be identifiable. We may also collect data about who has access rights to our workspaces (based on registration data or lists of visitors) or who participants in events or campaigns.

6. On what legal basis do you process personal data?

It may process your personal data for one or more of the following reasons:

• Contract: where processing is necessary for initiating or performing a contract with you (or the entity you represent).

• Legitimate interests: where it is in our legitimate interest (or a third party’s legitimate interest) to use personal data to ensure we are providing services you request and for interacting with you, provided that these interests are not outweighed by your contrary interest.

• Legal obligations: where processing is necessary for complying with a legal obligation.

• Consent: We may rely on your freely-given consent at the time you provided your personal data.

7. For which purposes do you process personal data?

We may process your personal data for one or more of the following purposes:

• Communication and relationship management: We may process communication data, master data, and registration data to communicate with you, to maintain our list of contacts and to provide you with information or actions you request from us (for example, to respond to inquiries).

• Contract management: We may process communication data, contract data, master data, and registration data to establish a business relationship and conclude, administer and perform contracts with you as a customer, supplier, business partner or employee, including to process your requests, transactions and payments, to manage your account with us and to provide contractual services.

• Marketing: We may process communication data, master data, and behavioural and preference data for marketing purposes, for example to send personalised advertising, invitations to events or other communications which we may reasonable assume meets your interests in our company and services. This may happen in the form of newsletters and other regular contacts (electronically or by email), through other channels for which we have contact information from you, as part of marketing campaigns and may also include free services (for example, vouchers and events). You can withdraw consent to be contacted for marketing purposes at any time.

• Improving our services: We may process master data, communication data, behavioural and preference data, and other data for market research purposes and to improve our website and services. We strive to continuously improve and we therefore may analyse how you navigate through our website or use our services.

• Security controls: We may process registration data, master data and technical data to help us manage the performance and security of our website, applications and other online platforms. We continuously review the security of our IT infrastructure, therefore we process data for monitoring, inspection, analysis and testing of our networks and infrastructure, for system and error checks and in the context of backups. If you visit our workplaces, for security purposes, we also process your data to comply with access controls.

• Corporate governance: We may process contract data, master data, registration data, communication data, technical data, and behavioural and preference data for the purposes of risk management and corporate governance, including business organisation and development. For example, as part of our financial management, we need to monitor our accounts receivable and accounts payable. In the context of planning our resources and organising our operations, we may process data relating to the use of our services. As part of business development, we may sell, acquire or purchase companies, or parts thereof, or enter into partnerships, which may also result in the exchange and processing of data.

• Recruiting and employment: Our careers site collects information you choose to provide to us when applying for employment, which may include registration data, communication data, master data and other data. When you apply for a job at Climeworks, or permit a recruitment agency to submit your application on your behalf, we and our service providers will process information about you. We use this information to help assess your suitability for a position at Climeworks, to communicate with you about open positions, to conduct appropriate background checks as permitted under applicable law and to find appropriate candidates for job openings. Where you are a successful candidate, this data (as well as relevant contract data) will be used and stored as part of your personnel file to establish, administer and manage the employment relationship. If you are an unsuccessful candidate and do not opt-in to remaining in our Talent Pool, your data will be automatically deleted after 180 days.

• Further purposes: We may process contract data, communication data, master data, registration data, technical data, behavioural and preference data, and other data for further purposes, for example as part of our internal processes and administration. This may include managing master data, accounting and data archiving, testing and continuously improving IT infrastructure, protecting our rights (for example to enforce claims in Switzerland or abroad), and evaluating and improving internal processes. We may also process data to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding. To the extent allowed under applicable law, we may also process your data to respond to law enforcement requests and as required by applicable law, court order, governmental regulations, or our policies.

8. How do you collect personal data?

We collect most of the data described in Section 5 is provided to us directly from you. For example, you may be required to share your data in cases including when you:

• Purchase a Climeworks service or when your company purchases a Climeworks service.

• Visit our website, communicate with us or open our newsletter.

• Sign-up to our newsletter, events or take part in Climeworks surveys.

• Apply for a job with us through our career platform.

• Provide a service to us or your company provides a service to us.

In some cases, we may also collect communication data, master data, technical data, behavioural and preference data or other data indirectly from you, for example when:

• Our business customers engage us to perform services which involve them sharing your personal data.

• You apply for a job with us through a recruitment agency.

• Website actions are logged for security purposes.

• Your employer shares your data with us.

• Information shared by marketing and consulting companies.

• Choose to utilise a third party payment service for paid services with us.

To the extent permitted to us, we may also collect master data from public sources, for example from:

• Internet sources including social media, news articles and sanctions lists.

• Publicly accessible registers (for example, commercial registers).

If you disclose data to us or share data with us about other individuals, such as family members or co-workers, we assume that you are authorized to do so and that the relevant data is accurate. Please make sure that these individuals have been informed about this Notice.

9. Who do you share personal data with?

In relation to our contracts, website, services, legal obligations or otherwise with protecting our legitimate interests and the other purposes set out in this Notice, we may disclose your personal data to third parties.

Climeworks only shares personal data with others when necessary and where legally permitted to do so, and when there are contractual arrangements and appropriate safeguards in place to protect your data. Climeworks does not sell your personal data to other organisations and will never share your personal data with other organisations for them to use for their own purposes.

Your data may be shared with the following categories of recipients:

• Climeworks' affiliate companies: Our affiliate companies may use data according to this Notice for the same purposes as we use it. These affiliate companies may have access in particular to your master data, contract data and registration data.

• Employees and authorized contractors: Our employees and authorized contractors may need to access data about you when they require this data to perform their job.

• Service providers: We work with service providers in Switzerland and abroad who process your data on our behalf or as joint controllers with us (for example, IT and data storage providers, marketing/advertising companies, event organisers or payment processing providers). In each case, we only disclose the data that these providers require for their services and enter into contracts that include data protection provisions.

• Auditors and other professional advisers: We may be required to disclosure data to auditors and other professional advisors, for example for our company's financial audit.

• Authorities: We may be required to disclose personal data to agencies, courts or other authorities in Switzerland or abroad if we are legally obliged to make such disclosures or if it appears necessary to protect our interests.

• Other third parties: We may share data with third parties, for example, third parties considering providing financing to, investing in, or acquiring shares in Climeworks. These third parties are contractually obliged to protect your personal data.

10. How do you protect personal data?

Climeworks maintains industry standard security safeguards to maintain the required security of your personal data and ensure its confidentiality, integrity and availability, and to protect it against unauthorised or unlawful processing, and to mitigate the risk of loss, accidental alteration, unauthorised disclosure or access.

Our technical and organisational security measures may include encryption in transit and at rest (where possible), pseudonymization of data, logging, access restrictions, keeping adequate back-ups, training our employees, confidentiality controls and monitoring. All employees and contractors are required to maintain the confidentiality and protect the privacy of your information.

We also undertake service provider security and privacy reviews to ensure that service providers follow our stringent requirements to safeguard your information, and we enter into data protection agreements with our service providers that ensures they agree to obligations consistent with this Notice and any other appropriate confidentiality and security measures, and only use your information for a specific purpose.

The website may contain links to other websites not operated or controlled by us ("Third-Party Sites"). The information that you share with Third-Party Sites will be governed by the specific privacy policies and terms of service of such Third-Party Sites and not by this Notice. Please contact these sites directly for information on their privacy practices and policies.

11. Is personal data transferred abroad?

We may transfer personal data to locations outside of the country in which we provide our services to you. We aim to primarily process your personal data within Switzerland and the European Economic Area ("EEA"), however data may also be processed by us or our service providers in the United States, United Kingdom, Canada, Australia, India, Philippines, Japan or Singapore.

If personal data is stored in or transferred to a destination outside of Switzerland or the EEA, we take all steps reasonably necessary to ensure that your data is secure. To the extent that the Switzerland or the EU has not adopted an adequacy decision for these countries, we have made appropriate arrangements to ensure an adequate level of data protection for any data transfers (for example, the European Commission's standard contractual clauses).

12. How long do you keep personal data?

We keep your personal data for only as long as necessary to provide you with services that you have requested, for purposes to which you have given your consent, as required by applicable laws or to comply with statutory retention periods. After it is no longer necessary for us to retain your personal data, or otherwise upon your request, we will dispose of it in a secure manner or anonymize the information.

13. What rights do I have regarding my personal data?

Under applicable data protection laws, you have the following rights regarding the personal data we hold about you (subject to conditions and exceptions defined in applicable law):

• Data access: you are entitled to know whether we hold your personal data and if so, receive a copy of your data.

• Data rectification: if personal data we hold about you is incomplete or inaccurate, you are entitled to ask us to rectify it.

• Data deletion: you have the right, in certain circumstances, to request that we erase your personal data.

• Data restriction: you have the right, under certain conditions, to request that the processing of your personal data be restricted.

• Data portability: you have the right to, if technically feasible and under certain conditions, receive your personal data in a structured, commonly used, and machine-readable format or to have your personal data transferred to another data controller.

• Objection: you have the right to object to the use of your data for direct marketing purposes at any time. You can also request that we stop processing your personal data for reasons arising from your particular circumstance if we process the data on the basis of a legitimate interest, and our legitimate interest does not override your interests, rights and freedoms or the data is not required for the establishment, exercise or defence of legal claims.

• Withdrawing consent: where we process your personal data based on your consent and do not have another legal basis, you can fully or partly withdraw your consent at any time. This does not affect the legality of any processing carried out before you withdrew your consent.

• Anti-discrimination: you have the right not to be discriminated against for exercising any of your personal data rights, including through (1) denying services to you; (2) charging you different prices or rates for services; (3) providing a different level or quality of services to you; or, (4) suggesting that you will receive a different price or rate for services or a different level or quality of services. Please be aware that exercising some of your rights might impair our ability to deliver some services that rely on your personal data.

• Right to lodge a complaint with a supervisory authority: you are entitled to lodge a complaint with your country's competent supervisory authority about the way in which your personal data is processed.

You can exercise any of your rights in relation to the data that Climeworks holds about you by contacting us at dataprotection[at]climeworks.com. If you make a request, we have one month to respond to you.

Your request must include enough detail to allow us to respond to it, and when receiving a request, we will verify your identity to ensure you are the individual to whom the personal data belongs. If your request is made through an authorized agent (designated in writing or through a power of attorney), we may require that you provide us additional information demonstrating that the agent is acting on your behalf, and we may need you to verify your identity directly with us.

13.1 Notice to California Residents

During the last 12 months, we have collected and processed the categories of personal data, and we have transferred personal data to the categories of recipients set out in this Notice.

We do not sell your personal data to third parties.

If you are a resident of the state of California, you are entitled to request information regarding the disclosure of your personal data to third parties for direct marketing purposes. To make such a request, please contact us.

Your browser may include the ability to send us “Do Not Track” signals. We respond to Do Not Track signals. We do not track your activity over time and across Third-Party Sites.

14. Do you use online tracking and online advertising techniques?

We and our third-party service providers use cookies and similar technologies on our website. We value your privacy and intend to use such technologies only to the extent necessary.

14.1 Log files and strictly necessary cookies

Log files: When you access our website, information from the browser you use is collected and automatically transmitted to the server of our website, content delivery network and DDoS mitigation tool, and temporarily stored in server log files. The server log files are files that contain information about the activities on our website and may include your IP address, date and time of access, name and URL of any retrieved files, website from which access is made, browser type, operating system, name of your access provider, and amount of data sent. We process this data only for the purpose of ensuring a smooth connection and comfortable use of our website, as well as for cybersecurity reasons.

Cookies: We only use cookies that are strictly necessary for the functioning of our website and that cannot be turned off in our systems. These cookies are usually set only in response to actions that amount to a request for services, such as logging-in or filling out forms. We only use first-party cookies, which are set by us and not by any third party. You can set your browser to block or alert you about these cookies, but some parts of our website will then not work. These cookies do not store any personally identifiable information.

14.2 Website Tracking with Matomo Analytics

In order for us to provide you the best possible experience on our website, we collect and process certain information using Matomo Analytics, an open-source analytics solution, that gives us a full control of the collected data and protects your privacy.

When you visit our website, the Matomo Analytics tool collects the following usage data: the anonymized IP address (through which we cannot identify you but does tell us the country you are located in), the website from which you visited us from, the parts of our website you visited, the date and duration of your visit and information about the device you used during the visit (device type, operating system, screen resolution, language, country you are located in, and web browser type). We process this data only for audience measurement and evaluation of the website performance and not for any other purposes.

We use the cookie-less tracking feature of Matomo Analytics, which gives us less accurate data, but we accept this less accurate information to protect your privacy. For example, Matamo Analytics cannot recognize if the same visitor visited our website twice.

The usage data collected by the Matomo Analytics tool remains on our own servers located in Switzerland and is not transferred to Matomo Analytics or any third party.

For more information regarding Matomo Analytics, please visit Matomo’s website (www.matomo.org) or contact us.

You may choose to prevent our website from collecting the usage data with Matamo Analytics as described above by unchecking the box below. This will prevent us from collecting your usage data to create a better user experience for you and other users.