Privacy Policy

With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and especially on our websites, mobile applications, and external online presences, such as our social media profiles (collectively referred to as the “online offering” below).

The terms used are not gender-specific.
As of: August 12, 2023

Table of Contents
• Preamble
• Controller
• Overview of Processing Activities
• Relevant Legal Bases
• Security Measures
• Transfer of Personal Data
• International Data Transfers
• Data Deletion
• Rights of Data Subjects
• Use of Cookies
• Provision of the Online Offering and Web Hosting
• Contact and Inquiry Management
• Amendment and Update of the Privacy Policy
• Definitions

Relevant Legal Bases
Relevant legal bases under Swiss data protection law: If you are in Switzerland, we process your data based on the Federal Data Protection Act (referred to as “Swiss DSG,” effective from September 1, 2023). This also applies when our processing of your data otherwise concerns you in Switzerland and you are affected by the processing. Swiss DSG generally does not require (unlike, for example, the GDPR) that a legal basis for the processing of personal data be mentioned. We only process personal data when the processing is lawful, conducted in good faith, and proportionate (Art. 6 para. 1 and 2 of Swiss DSG). Furthermore, personal data is only collected by us for specific and identifiable purposes for the data subject and processed in a manner compatible with these purposes (Art. 6 para. 3 of Swiss DSG).

Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of processed data
• Contact details.
• Content data.
• Usage data.
• Meta, communication, and process data.

Categories of data subjects
• Communication partners.
• Users.

Purposes of processing
• Contact inquiries and communication.
• Security measures.
• Management and response to inquiries.
• Feedback.
• Provision of our online offering and user-friendliness.
• Information technology infrastructure.

Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, as well as access, input, disclosure, availability, and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, data deletion, and responses to data threats. We also consider data protection during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and by default settings.

TLS Encryption (https): To protect data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Transfer of Personal Data
In the course of processing personal data, it may happen that the data is transferred to other entities, companies, legally independent organizational units, or individuals or disclosed to them. These recipients of data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers
Disclosure of personal data abroad: According to Swiss data protection law (DSG), we only disclose personal data abroad if an adequate level of protection for the affected individuals is ensured (Art. 16 Swiss DSG). If the Federal Council does not establish adequate protection, we implement alternative security measures. These may include international contracts, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC), or company-internal data protection regulations previously recognized by the FDPIC or a competent data protection authority in another country.

Under Art. 16 of Swiss DSG, exceptions to the disclosure of data abroad can be permitted if certain conditions are met, including the consent of the affected person, contract performance, public interest, protection of life or physical integrity, publicly disclosed data, or data from a legally provided register. Such disclosures always occur in compliance with legal requirements.

Data Deletion
The data we process will be deleted or restricted in accordance with legal requirements as soon as the purposes for which they were processed cease to apply or if you withdraw your consent or other permissions that allowed the processing (e.g., if the purpose of processing the data has ceased to exist or is not necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person.

Our data protection notices may contain further information on storage and deletion that is primarily applicable to the respective processing.

Rights of Data Subjects
Rights of data subjects under Swiss DSG:
In accordance with the provisions of Swiss DSG, data subjects have the following rights:
• Right to information: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive information about this data, which is necessary for you to exercise your rights under this law and to ensure transparent data processing.
• Right to data disclosure or transfer: You have the right to request the disclosure of your personal data that you have provided to us in a common electronic format.
• Right to rectification: You have the right to request the correction of inaccurate personal data concerning you.
• Right to object, deletion, and destruction: You have the right to object to the processing of your data and to request that personal data concerning you be deleted or destroyed.

Use of Cookies
Cookies are small text files or other storage technologies that store information on end devices and read information from end devices. For example, to store login status in a user account, shopping cart contents in an e-shop, visited content, or used functions of an online offering. Cookies can also be used for various purposes, such as functionality, security, and the convenience of online offerings, as well as for analyzing visitor flows.

Notes on consent: We use cookies in compliance with legal regulations. Therefore, we obtain prior consent from users, unless it is not legally required. Consent is not required, in particular, if storing and reading information, including cookies, is absolutely necessary to provide users with a telemedia service explicitly requested by them (i.e., our online offering). Typically, necessary cookies include cookies with functions that serve the display and functionality of the online offering, load balancing, security, storing user preferences and choices, or similar purposes related to providing the main and ancillary functions of the online offering as

requested by users. Revocable consent is clearly communicated to users and includes information about the respective cookie use.

Notes on data protection legal bases: The legal basis for processing users’ personal data using cookies depends on whether we request user consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, if cookies are used to fulfill our legitimate interests (e.g., in the economically viable operation of our online offering and improving its usability) or if the use of cookies is necessary to fulfill our contractual obligations, the legal basis for processing is our legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) or contract fulfillment (Art. 6 para. 1 sentence 1 lit. b) GDPR). We will provide information on the purposes for which we process cookies later in this privacy policy or as part of our consent and processing procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:
• Temporary cookies (also known as session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their end device (e.g., browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be stored or preferred content can be displayed directly when the user revisits a website. Likewise, data collected through cookies can be used for audience measurement. If we do not provide explicit information about the type and duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and may be stored for up to two years.

General information on revocation and objection (so-called “opt-out”): Users can revoke any consents they have given and object to the processing of their data in accordance with legal requirements. For this purpose, users can restrict the use of cookies in their browser settings (although this may also limit the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared via the websites and

• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures, and services:
• Processing of cookie data based on consent: We use a cookie consent management process through which users’ consents to the use of cookies and the processing and providers mentioned in the context of the cookie consent management process can be obtained, managed, and revoked by users. The consent statement is stored so that it does not need to be requested again and can be proven in accordance with legal requirements. Storage can be done on the server side and/or in a cookie (so-called opt-in cookie or using comparable technologies) to associate the consent with a user or their device. Subject to individual information about providers of cookie management services, the following information applies: The duration of the consent storage can be up to two years. In this case, a pseudonymous user identifier is created and stored along with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Provision of the Online Offering and Web Hosting
We process user data in order to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

Processed data types: Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures.

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing processes, procedures, and services:
• Provision of online offerings on rented storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from an appropriate server provider (also referred to as a “web hoster”); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files.” Server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, message about successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and usually IP addresses and

the requesting provider. Server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the utilization and stability of the servers; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident is finally clarified.

Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, telephone, or via social media) and as part of existing user and business relationships, the information provided by the requesting persons is processed as far as necessary to respond to contact inquiries and any requested measures.

Processed data types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).

Data subjects: Communication partners.

Purposes of processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness.

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing processes, procedures, and services:
• Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context in order to process the respective request; Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Modification and Update of the Privacy Policy
We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that the addresses may change over time and ask you to verify the information before contacting us.

In this section, you will find an overview of the terminology used in this privacy policy. As far as the terminology is legally defined, the legal definitions apply. The following explanations are primarily intended to help with understanding.

Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Controller: The “controller” is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing: “Processing” is any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, including collection, evaluation, storage, transmission, or deletion.

Erstellt mit kostenlosem von Dr. Thomas Schwenke