Your privacy matters to us. This policy explains what data we collect, why we collect it, and how we protect it. We do not sell your personal data to any third party.
1. Who We Are
Virtual Office Zug is operated by Hevea Investment, a company registered in Hong Kong (registered address: Unit G, 15/F, TAL Building, 49 Austin Road, Kowloon, Hong Kong). We provide virtual office domiciliation, Swiss director services, and company formation assistance for businesses wishing to establish a presence in the Canton of Zug, Switzerland.
For the purposes of applicable data protection legislation, Hevea Investment is the data controller in respect of personal data processed through this website and our services.
2. Data We Collect
Account data
When you register or place an order, we collect:
- Full legal name and email address
- Company name, registered purpose, and desired commune
- Mailing address (for correspondence)
- Identity verification documents (passport or national ID) where required by Swiss law
Payment data
All payment processing is handled by Stripe, Inc. We never store your card number, CVV, or full payment credentials on our servers. We retain only the transaction reference, amount, currency, date, and anonymised last-four-digit card fragment provided by Stripe for invoicing and accounting purposes.
Usage data
We may collect anonymised data about how you use this website, including pages visited, time on site, and referral source. This is collected via Plausible Analytics (see Section 7).
Communications
If you contact us via email or our support portal, we retain the content of that correspondence in order to respond to and manage your request.
3. How We Use Your Data
| Purpose | Data used |
|---|---|
| Service delivery and onboarding | Account data, identity documents |
| Processing and recording payments | Stripe transaction data |
| Legal and regulatory compliance (AML/KYC) | Identity documents, company information |
| Sending transactional communications (receipts, status updates) | Email address, order details |
| Providing customer support | Account data, support communications |
| Improving our services (aggregated, anonymised) | Anonymised usage data |
We do not use your personal data for automated decision-making or profiling in a way that produces legal or similarly significant effects on you without human review.
4. Legal Basis
We process personal data on the following legal grounds:
- Contract performance — processing necessary to deliver the services you have purchased (Swiss OR Art. 394 et seq.).
- Legal obligation — processing required to comply with Swiss AML/KYC regulations, cantonal requirements, and Hong Kong company law.
- Legitimate interest — security of our systems, fraud prevention, and improving our services, where these interests are not overridden by your rights.
- Consent — where we have obtained your explicit consent, for example for optional marketing communications. You may withdraw consent at any time.
5. Data Retention
We retain personal data for as long as your account is active. After account closure, we retain data for the periods set out below:
| Data type | Retention period | Reason |
|---|---|---|
| Account and contract data | 10 years after contract end | Swiss legal requirement (OR Art. 958f) |
| Identity documents (KYC) | 10 years after account closure | Swiss Anti-Money Laundering Act |
| Payment records | 10 years | Swiss accounting law |
| Support communications | 3 years after resolution | Legitimate interest (dispute resolution) |
| Anonymised usage analytics | Indefinite (anonymised) | No personal data retained |
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data, subject to our legal retention obligations.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest grounds.
- Restriction — request that we limit processing of your data in certain circumstances.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@virtual-office-zug.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
7. Cookies
Essential cookies
We use essential cookies that are strictly necessary for the website to function, including session management, shopping cart state, and security tokens (WordPress nonces). These cannot be disabled.
Analytics
We use Plausible Analytics — a privacy-first analytics platform that does not use cookies, does not track individuals across sites, and does not transfer personal data to the United States. All analytics data is anonymised and aggregated. We do not use Google Analytics or any other tracking-cookie-based analytics service.
No advertising or tracking cookies
We do not place advertising cookies, social media tracking pixels, or cross-site tracking technologies on this website.
8. Data Transfers
We use a small number of trusted third-party services. Where data is transferred outside Switzerland or the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing | United States | EU Standard Contractual Clauses |
| Notion Labs, Inc. | Internal document management | United States | EU Standard Contractual Clauses |
| n8n (self-hosted) | Workflow automation | Switzerland (our own server) | No transfer — Switzerland adequate |
| Plausible Analytics | Anonymised website analytics | European Union | No personal data transferred |
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is stored on encrypted volumes.
- Access to personal data is restricted to authorised personnel with a demonstrated need to access it.
- Passwords are hashed using industry-standard algorithms; plaintext passwords are never stored.
- We conduct periodic reviews of access controls and third-party security practices.
Despite these measures, no system is completely immune to attack. In the event of a data breach that creates a risk to your rights, we will notify you and the relevant authorities as required by applicable law.
10. Contact
If you have questions about this policy, wish to exercise your rights, or have concerns about how we handle your data, please contact us:
Privacy Officer
Hevea Investment
Unit G, 15/F, TAL Building
49 Austin Road, Kowloon, Hong Kong
Email: privacy@virtual-office-zug.com
We aim to respond to all privacy requests within 30 calendar days.