Data Protection Policy

 

1.   Data protection policy and information obligations

We are pleased that you visit our website and are interested in the CREALOGIX Group, our products, and our services. Transparency regarding the data protection and data security of visitors to our website, customers, and contractual partners is important to us. Throughout our business processes, we take the protection of your personal data very seriously.

This data protection policy informs you in accordance with Art. 12 et seq. GDPR how your personal data is handled when you use our website. In particular, it explains what data we collect and what we use them for. It also informs you how and for what purpose this is done – always considering the applicable data protection provisions, in particular, the EU General Data Protection Regulation (GDPR) (if applicable), the Swiss Federal Data Protection Act, and other applicable national laws.

This data protection policy applies to all companies of the CREALOGIX Group named below.

 

 

2.   Responsible body

The responsible body/owner of the data collection is the company of the CREALOGIX group of companies (we, us), which decides on the purposes and means of the personal data processing under applicable law. This also includes the (mobile) applications that refer to this data protection policy. The responsible body is thus the following:

CREALOGIX AG
Maneggstrasse 17
8041 Zurich
Switzerland

Tel: +41 58 404 80 00
E-Mail: e-payment@crealogix.com

 

3.   Data Protection Officer

For CREALOGIX AG (Switzerland):
datenschutz@crealogix.com

 

 

4.   Purpose and legal basis of the processing of personal data

Some services on our website may require us to process personal data about you in order to provide our services. This is, of course, only done within the legal framework, insofar as it is necessary, and if you have consented to it where this is legally required. We take great care to adhere to the principles of data reduction and data economy.

 

          a.   Calling up and visiting our website – server log files

In order to provide the website technically, we must process certain data automatically transmitted by your browser so that our website can be displayed in your browser, and you can use it. When you access our website, our web server automatically collects data in a server log file. This includes:

  • browser type and browser version and operating system used;
  • the website from which your access is made;
  • the domain name of the Internet service provider;
  • the IP address of your computer;
  • the pages you visit on our website, as well as the date and duration of your visit.

The mentioned access data have to be stored for technical reasons in order to provide a functioning website and to ensure system security. This also applies to the storage of your IP address. Without this address, you cannot visit our website. In theory, it would be possible to establish a personal reference.

Furthermore, we process these data from the server log files solely for statistical purposes and in order to optimize our website and improve user-friendliness.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. f GDPR.

 

          b.   Contact form Support

If you contact us as a customer or as an employee of a customer via our online contact form, we will collect personal data to the extent provided by you. The following mandatory fields are predefined:

  • First name
  • Last name
  • Email

We will only use your email address to process your request. Your data will then be deleted unless you have consented to further processing and use.

In the scope of application of the GDPR, the legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b GDPR in the case of an existing contractual relationship or Art. 6 para. 1 sentence 1 lit. f GDPR in the case of other contact requests.

 

          c.   Account/orders for the CREALOGIX online shop

If you would like to order from our online shop, you will need a customer account. The following mandatory fields have been predefined for registration:

  • Email
  • Password

 

Further data are required for orders:

  • First name
  • Last name
  • Address
  • Country

 

In the scope of application of the GDPR, the legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. b GDPR.

 

          d.   Cookies

We use so-called cookies on our website. Cookies are small text files that are stored by the web browser on your computer or mobile device. Cookies do not cause any damage to your computer, do not contain viruses, and are automatically deleted after they expire. Some cookies expire when you end your Internet session; others are stored for a maximum of 100 days.

Some of the cookies we use on our website come from third parties that help us analyze the impact of our website content and our visitors' interests. They also measure the performance of our website or place ads and other content on our website or other websites. As part of our website, we use both first-party cookies (only visible in the domain you are visiting) and third-party cookies (visible across domains and regularly placed by third parties).

You can, of course, also view our website without cookies. You can use your browser settings to prevent cookies from being stored on your computer. Existing cookies can also be deleted via the browser settings. However, in this case, the functionality of our website may be limited.

The legal basis for data processing for third-party cookies is within the scope of Art. 6 para. 1 sentence 1 lit. a GDPR. We mainly set these for marketing purposes and thereby process personal data that are not required for normal website operation. Another legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR for cookies that we place to protect our legitimate interests (technical provision, optimization, user-friendliness, security).

We use the following cookie-based tools/plugins on our website:

 

          e.   Google Analytics

This website uses Google Analytics and Google Remarketing based on your consent given to us. These are services provided by Google, Inc. (“Google”). Google uses “cookies”, which are text files placed on your computer to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google in the United States. If IP anonymization is activated, Google will truncate/anonymize the last octet of the IP address for Member States of the European Union and other contracting parties to the Agreement on the European Economic Area. The full IP address is only transferred to a Google server in the USA and truncated there in exceptional cases. On behalf of the website provider, Google will use this information to evaluate your use of the website, compile reports on website activity for website operators and provide other services relating to website activity and Internet usage to the website provider. Google will not associate your IP address with other Google data. You can refuse the use of cookies by selecting the appropriate settings in your browser. Please note, however, that if you do this, you may not be able to use all the features of this website. Furthermore, you can prevent the collection and use of data (cookies and IP address) by Google by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=en

For more information on the terms of use and data protection, please visit https://tools.google.com/dlpage/gaoptout?hl=en or https://support.google.com/analytics/answer/6004245?hl=en or https://support.google.com/adwordspolicy/answer/143465?hl=en . Please note that on this website, the code of Google Analytics and Google Remarketing is supplemented by "gat._anonymizeIp ()" to ensure the anonymized collection of IP addresses (IP masking). The legal basis for data processing is Art. 49 para. (1) sentence 1 lit. a GDPR. Standard contractual clauses/sufficient guarantees to ensure an adequate level of data protection have also been concluded.

In addition, Google has committed to the Data Privacy Framework Program and has certified itself for it. In the list contained therein (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active), Google is classified as "Active" in August 2023. The European Commission has issued an adequacy decision on the Data Privacy Framework Program, which certifies that the USA has an adequate level of data protection.

 

          f.   Google Tag Manager

This website uses Google Tag Manager. This service allows us to manage website tags via an interface. Google Tag Manager only implements tags. This means that no cookies are used, and no personal data are regularly collected in the process. However, this may trigger other tags, which in turn may collect data. Google Tag Manager does not access these data. If anything has been deactivated at the domain or cookie level, this will remain in place for all tracking tags if they are implemented with the Google Tag Manager.

The legal basis for data processing is Art. 49 para. (1) sentence 1 lit. a GDPR. Standard contractual clauses/sufficient guarantees to ensure an adequate level of data protection have also been concluded. In addition, Google has committed to the Data Privacy Framework Program and has certified itself for it. In the list contained therein (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active), Google is classified as "Active" in August 2023. The European Commission has issued an adequacy decision on the Data Privacy Framework Program, which certifies that the USA has an adequate level of data protection.

 

          g.   DoubleClick/Google Ads

This website uses the DoubleClick or Google Ads tool from Google. DoubleClick and Google Ads use cookies to provide ads that are relevant to users, to improve campaign performance reports, and to prevent a user from seeing the same ads multiple times. Google uses a cookie ID to record which ads are displayed in which browser. Moreover, DoubleClick uses cookie IDs to track conversions related to ad inquiries. You can prevent this tracking in the following ways:

  • By an appropriate setting of your browser, in particular by suppressing third-party cookies
  • By deactivating the conversion tracking cookies by setting your browser to block cookies from the domain "www.googleadservices.com". (https://adssettings.google.com/). Please note that this setting will be deleted when you delete your cookies.
  • By deactivating the interest-based advertisements of the providers. This setting is also deleted when you delete your cookies
  • By permanently deactivating it in your Firefox, Internet Explorer, or Google Chrome browsers under the link http://www.google.com/settings/ads/plugin.

You can find more information about DoubleClick from Google at www.google.de/doubleclick or https://support.google.com/adsense?sjid=6528610463979508133-EU#topic=3373519. You can find more general information about data protection at Google at: https://policies.google.com/privacy

The legal basis for data processing is within the scope of Art. 49 para. 1 sentence 1 lit. a GDPR. Standard contractual clauses/sufficient guarantees to ensure an adequate level of data protection have also been concluded. In addition, Google has committed to the Data Privacy Framework Program and has certified itself for it. In the list contained therein (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active), Google is classified as "Active" in August 2023. The European Commission has issued an adequacy decision on the Data Privacy Framework Program, which certifies that the USA has an adequate level of data protection.

 

          h.   Microsoft Bing Ads

This website uses Microsoft Bing Ads based on the consent you have given to us. We use Microsoft Bing Ads for remarketing and completion tracking purposes. The service originates from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, hereinafter referred to only as "Microsoft", which uses Universal Event Tracking (UET).

When you click on an advert placed by us on the Internet search engine "Bing", Microsoft stores a cookie for tracking functionality on the end device via the Internet browser. This tracking cookie loses its validity after 180 days and is not used for personal identification. If the cookie is still valid and a specific page of our website is accessed at the same time, both Microsoft and we can recognize that the website visitor has clicked on an advert placed by us on Bing and has been redirected from there to our website.

The data collected with Microsoft's tracking cookie are used to compile visit statistics, such as the number of accesses to the adverts we have placed on Bing and on the Internet pages of our website that were subsequently accessed. It is not possible to personally identify the website visitor based on these data. Microsoft may be able to track user behavior across multiple devices of a user via cross-device tracking. This enables Microsoft to display personalized advertising across devices. The setting of cookies can be prevented by browser settings or by refusing consent.

If you have a Microsoft account, you can also change the settings for personalized advertising under https://account.microsoft.com/privacy/ad-settings/

Furthermore, Microsoft offers further information on Bing Ads and on the collection and use of data as well as on your rights and options to protect your privacy under https://help.bingads.microsoft.com/#apex/3/en/53056/2 as well as under https://privacy.microsoft.com/privacystatement.

The legal basis for data processing is Art. 49 para. 1 sentence 1 lit. a GDPR. Standard contractual clauses/sufficient guarantees to ensure an adequate level of data protection have also been concluded. In addition, Microsoft has committed to the Data Privacy Framework Program and has self-certified for it. In the list https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active, Microsoft is listed as "Active" as of August 2023. The EU Commission has adopted an adequacy decision on the Data Privacy Framework Program, which certifies that the USA has an adequate level of data protection.

 

          i.   YouTube

This website uses YouTube based on the consent you have given to us. The service originates from YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.

When you visit one of our pages that embeds content from YouTube, a connection is established to YouTube servers. The YouTube server will be informed which of our pages you visited.

If you are logged into your YouTube account, you enable YouTube to associate your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Further information on how your data is handled in this regard can be found in YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy.

In the scope of application of the GDPR, the legal basis for data processing is Article 49 (1) sentence 1 lit. a GDPR. In addition, standard contractual clauses/sufficient guarantees to ensure an adequate level of data protection have been agreed.

 

          j.   Wordfence

Wordfence is a WordPress security plugin from Defiant Inc. that protects against hacker attacks (e.g. brute force and DDoS). The Wordfence Firewall is supported in real time by the constantly updated Threat Defense Feed and thus prevents attacks on our website. For this reason, the IP addresses of our website visitors are transmitted to Defiant Inc. and stored.

The data collected is secured by Defiant Inc. on its servers in the USA. For more information, please see Defiant’s Privacy Policy at https://www.wordfence.com/privacy-policy/

 

 

5.   Recipients of the data

Within our group, access to your data is given to those offices that require them to fulfill our contractual and legal obligations. Service providers and vicarious agents used by us (e.g., technical service providers, shipping companies, waste disposal companies) may also receive data for these purposes. Depending on the circumstances, we commission these service providers as part of order processing. Consequently, they are subject to our instructions and may only process the data for narrowly defined purposes. In some cases, we also jointly define the purposes and means of data processing as part of joint responsibility.

In individual cases, we also transmit personal data to our legal and tax advisors. These recipients are obligated to maintain special confidentiality and secrecy due to their professional status.

 

 

6.   Data transfer to third countries

As CREALOGIX Group, we process your data predominantly in Switzerland or in an EU Member State. Only the relevant departments and/or persons in our company have access to the data to process your inquiries and requests. For the aforementioned cookie-based tools/plugins and the aforementioned purposes, we also transfer such data to third countries on the legal bases and the measures for ensuring an adequate level of data protection mentioned there.

Potential risks may include unenforceable data subject rights and a lower level of data protection. We minimize the risk as far as possible by concluding order processing contracts (if such a contractual relationship exists) and standard contractual clauses including effective supplements required by the supervisory authorities or by concluding other sufficient guarantees.

 

 

7.   Duration of data storage

We initially process and store your personal data for the duration for which the respective purpose of use requires corresponding storage. Depending on the circumstances, this also includes the periods for initiating a contract and the subsequent performance of the contract. If a contractual relationship ends, the data processing purposes no longer apply or statutory retention periods expire, we will delete your data. There are a wide variety of deadlines for the retention of data and documents, which may, for example, result from the Commercial, the Fiscal or the Civil Code.

 

 

8.   Data security

To ensure the appropriate security of your data on our website and systems, we take appropriate technical and organizational measures to protect your data from loss, destruction, unauthorized access, and manipulation. The measures we apply are continuously developed in line with technological progress.

We use TLS encryption for our web forms. This protects your entries in our web forms during transmission to our servers. You can recognize an encrypted connection because the address line of your browser changes from "http://" to "https://" and because the lock symbol appears in your browser line. Nonetheless, we would like to point out that this does not represent complete protection against attackers.

 

 

9.   Your rights as a data subject

Under the GDPR, you are entitled to the following statutory data subject rights, provided that the prerequisites are met:

  • Right to information about your data stored by us in accordance with Art. 15 GDPR;
  • Right to rectification of inaccurate data in accordance with Art. 16 GDPR;
  • Right to erasure of the data stored by us in accordance with Art. 17 GDPR;
  • Right to restrict the processing of data stored by us in accordance with Art. 18 GDPR;
  • Right to data portability in accordance with Art. 20 GDPR;
  • Right to revoke any consent given to us at any time in accordance with Art. 7 para. 3 GDPR; consequently, we are no longer allowed to continue the data processing based on this consent in the future.
  • Right to lodge a complaint with a competent supervisory authority in accordance with Art. 77 GDPR if you consider that processing of your personal data infringes the GDPR provisions: you can exercise your right to complain to the competent authority in any country or state where our offices are located or in the country or state where you are located.

Right to object

Where personal data are processed to protect legitimate interests, you have the right to object to this processing at any time using the contact details provided if your particular situation gives rise to reasons that prevent such data processing. We will then no longer process your data unless they are predominantly based on our own legitimate interest or another legal basis.

If you would like to exercise your right to object, simply send an email to the above email addresses of our data protection officers.

Under the terms of the Data Protection Act (GDPR), you have the following data subject rights: You have the right to assert your data protection rights at any time and to receive information about your stored personal data, to rectify or supplement your personal data, to object to the processing of your personal data or to request the erasure of your personal data. You can find the contact information in Clause II. above. We reserve the right to correspond with you electronically (in particular by e-mail) in this context. You are also free to lodge a complaint with a competent supervisory authority against how your personal data is processed if you believe that the data processing violates applicable law.

 

 

10.   Obligation to provide data

In principle, you are not obligated to provide us with your personal data. However, if you do not do so, we will not be able to provide you with unrestricted access to our website or to respond to your inquiries to us. Personal data that we do not necessarily need for the aforementioned processing purposes are marked accordingly as voluntary information.

 

 

11.   Automated decision-making/profiling

We do not use automated decision-making or profiling (an automated analysis of your personal circumstances).

 

 

12.   Updating and changes to this privacy policy

Our data protection policy is regularly revised and updated to comply with the applicable data protection and privacy laws.

 

 

Last update: 25 August 2023