1. General Information
Norm Technologies AG with its registered seat in Zurich, Switzerland (also «we», «us») is committed to protecting your privacy. In this Privacy Notice, we explain how we collect your personal data when you use our website, obtain products or services from us, interact with us in relation with a contract, communicate with us or otherwise deal with us, what we do with your personal data, for what purposes and on what legal foundation we do so, and what rights you have on that basis. When appropriate we will provide just-in-time notice to cover any additional processing activities not mentioned in this Privacy Notice. In addition, we may inform you about the processing of your data separately, for example in consent forms, terms and conditions, additional privacy notices, forms and other notices. We use the word «data» here interchangeably with «personal data».
«Personal data» means any information relating to an identified or identifiable natural person («data subject»); i.e., it is possible to draw conclusions about their identity on the basis of the data itself or with corresponding additional data.
«Sensitive personal data» is a subset of personal data that enjoys special protection under current data protection law. For example, data revealing racial and ethnic origin, health data, information on religious or philosophical beliefs, biometric data for identification purposes and information on trade union membership are considered to be particularly sensitive personal data.
«Processing» means any handling of personal data, irrespective of the means and procedures used, in particular the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of dat.
If you transmit or disclose data about other persons, such as family members, work colleagues, etc., we assume that you are authorized to do so and that this data is correct. By transmitting data about third parties, you confirm this. Please also ensure that these third parties have been informed about this Privacy Notice.
This Privacy Notice is aligned with the EU General Data Protection Regulation («GDPR»), Swiss Data Protection Act («DPA») and the revised Swiss Data Protection Act ("revDPA"). However, the application of these laws depends on each individual case.
2. Name and Address of the Controller
Responsible for processing your data under this Privacy Notice («Controller») unless we tell you otherwise in an individual case is:
You may contact us regarding data protection matters and to exercise your rights using the contact details given above.
3. Categories of Data we Process
The processing of personal data is limited to data that is required to operate a functional website and for the provision of content, products and services. The processing of personal data of our users is based on the purposes agreed or on a legal basis. We only collect personal data that is necessary to implement and process our tasks and services or if you provide data voluntarily. Depending on the reason and purpose of the processing, we process different data about you:
3.1 Technical Data
When you use our website, app or other online offerings (e.g. webshop) ("Website"), we collect the IP address of your terminal device and other technical data in order to ensure the functionality and security of these offerings. This data includes logs with records of the use of our systems. We generally keep technical data for 6 months. In order to ensure the functionality of these offerings, we may also assign an individual code to you or your device (for example as a cookie, see Section 14). Technical data as such does not permit drawing conclusions about your identity. However, technical data may be linked with other categories of data (and potentially with your person) in relation with user accounts, registrations, access controls or the performance of a contract.
Technical data includes among others:
- the IP address and information about the operating system of your terminal device
- name and URL of any visited page
- the date and time of access, GMT time difference
- information, whether the access was successful (access status/http status code)
- amount of data transferred
- websites that are accessed via our Website
- Website form which any access takes place (so-called referrer URL)
- the type of browser that you use to access our online offerings
- name of your internet provider
- browser type and version used, and other information provided by the browser (such as geographical origin, language setting, add-ons used, screen resolution, etc.).
- logs that are created in our systems (e.g. the log of user logins to our Website).
This may help us to provide an appropriate layout of the Website or, for example, to display a sub-page for your region. We know through which provider you access our Website (and therefore also the region) because of the IP address, but usually this does not tell us who you are. However, this changes for example when you create a user account, because personal data can then be linked with technical data (for example, we can know the browser you use to access an account through our Website).
3.2 Registration Data / Newsletter-Sign Up
Certain products and services can only be used with a user account or registration, which can be done directly with us or via our external login service providers. In doing so, you must provide us with certain data and we collect data on the use of the offer or service. We generally retain registration data for 12 months after the end of the use of the service or the cancellation of the user account.
User account and registration data includes, among other things:
- information you provide when you create an account on our Website (for example username, password, name, e-mail, phone number, account details)
- contact details when you subscribe to our newsletter.
- Orders of our products and services
When you register with us, we create a user account for you with the following data:
- contact details
- credit card information
- User-ID (please see technical data)
3.3 Communication Data
When you get in contact with us via contact form, e-mail, telephone, chat, or by letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the metadata of the communication. If we record telephone conversations or video conferences, we will tell you specifically. If we have to confirm your identity, for example in relation with a request for information, we collect data to identify you (for example a copy of an ID document). We generally keep this data for 12 months from the last exchange between us. This period may be longer where required for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. E-mails in personal mailboxes and written correspondence are generally kept for at least 10 years. Chats are generally stored for 2 years.
Communication data includes, among other things:
- your name and contact details,
- the means, place and time of communication and usually also its contents (i.e. the contents of e-mails, letters, chats, etc.). This data may also include information about third parties. For identification purposes, we may also process your ID document number.
3.4 Master Data
Master data is the basic data that we need, in addition to contract data (see below), for the performance of our contractual and other business relationships or for marketing and promotional purposes, such as name and contact details, and information about, for example, your role and function, your bank details, your date of birth, customer history, powers of attorney, signature authorizations and declarations of consent. We process your master data if you are a customer or other business contact or work for one (for example as a contact person of the business partner), or because we wish to address you for our own purposes or for the purposes of a contractual partner (for example as part of marketing and advertising, newsletters, etc.). We receive master data from you (for example when you buy something on our Website), from parties you work for, or from third parties such as contractual partners, associations and address brokers, and from public sources such as public registers or the internet (websites, social media, etc.). We generally keep master data for 10 years from the last exchange between us but at least from the end of the contract. This period may be longer if required for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. For contacts used only for marketing and advertising, the period is usually much shorter, usually no more than 2 years from the last contact.
Master data is not comprehensively collected for all contact. Rather, the collection of master data depends on the individual case and purpose of the processing. In general, it may include:
- Your name
- e-mail address
- telephone number and other contact details
- date of birth
- data about related persons
- social media profiles
- photos and videos
- copies of ID cards
- details of your relationship with us (e.g. customer, supplier, visitor, service provider or service recipient, etc.)
- details of your status, allocations, classifications and mailing lists
- details of interactions with you
- official documents (e.g. excerpts from the commercial register, permits)
- payment information (e.g. bank details, account number and credit card data)
- declarations of consent and opt-out information
- As regards customers, suppliers and partners, master data also includes information about the role or function in the company, qualifications and information about superiors, co-workers and information about interactions with these persons.
3.5 Contract Data
We collect contract data in relation with the conclusion or performance of a contract, e.g. information about the products and the services provided or to be provided, as well as data from the period leading up to the conclusion of a contract, information required or used for performing a contract, and information about feedback (e.g. complaints, feedback about satisfaction, etc.). We generally collect this data from you, from contractual partners and from third parties involved in the performance of the contract, but also from third-party sources (for example credit information providers) and from public sources. We generally keep this data for 10 years from the last contract activity but at least from the end of the contract. This period may be longer where necessary for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons.
Contract data includes:
- information about the conclusion of the contract, about your contracts, for example, the type and date of conclusion and its duration
- the performance and administration of the contracts, for example information in relation with billing, customer service, technical assistance and the enforcement of contractual claims
- information about deficiencies, complaints and changes of a contract as well as customer satisfaction information that we may collect for example through surveys
- financial data, such as credit information (meaning information that allows to draw conclusions about the likelihood that receivables will be paid), information about reminders and debt collection.
We receive this data partly from you (for example when you make payments), but also from credit agencies and debt collection companies and from public sources (for example a commercial register).
3.6 Behavioral and preference data
Depending on our relationship with you, we try to get to know you better and to tailor our products, services and offers to you. For this purpose, we collect and process data about your behaviour and preferences. We do so by evaluating information about your behaviour and we may also supplement this information with third-party information, including from public sources. Based on this data, we can for example determine the likelihood that you will use certain services or behave in a certain way. The data processed for this purpose is already known to us (for example where and when you use our services), or we collect it by recording your behaviour (for example how you navigate our Website. We anonymize or delete this data when it is no longer relevant for the purposes pursued, which may be -- depending on the nature of the data -- between 2-3 weeks and 24 months (for product and service preferences). This period may be longer as for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. We describe how tracking works on our Website in Sections 15.
Behavioural data includes in particular information about certain actions, such as your response to electronic communications (for example if and when you have opened an e-mail) or your location, as well as your interaction with our social media profiles and your participation in sweepstakes, competitions and similar events.
Preference data provides us with information about your needs, which products or services might be of interest to you or when and how you are likely to react to messages from us. We obtain this information from the analysis of existing data, such as behavioural data, so that we can get to know you better, tailor our advice and offers more precisely to you and generally improve our offers. In order to improve the quality of our analyses, we can link this data with other data that we also obtain from third parties or public sources (e.g. the Internet).
Behavioural and preference data may be analysed on a personally identifiable basis (for example to show you personalized advertising), but also on a non-identifiable basis (for example for market research or product development). Behavioural and preference data may also be combined with other data (for example, motion data may be used for contact tracing as part of a health protection concept).
3.7 Building and energy data
We collect building and energy data in connection with the provision of our products and services.
The building and energy data includes, among other things
- Building data (year of construction, years of refurbishment, type of heating, etc.)
- Building plans
- Invoices for energy costs (electricity, gas, oil, wood, coal, etc.)
- Photos (facade, windows, cellar, heating, boiler, etc.)
We receive this data either directly from you or from third parties (building authorities, electricity companies, etc.) based on your consent and authorisation. This data forms the basis for the creation of energy performance certificates and similar products for the building in question, but also as a basis for models that can be used for the assessment of other properties and serve to continuously improve our products and services and is generally stored for as long as it is useful for this purpose. The data that we use for our own purposes does not in itself allow any conclusions to be drawn about your person. However, it may be possible to draw conclusions by using additional data.
3.8 Other Data
We also collect data from you in other situations. For example, data that may relate to you (such as files, evidence, etc.) is processed in relation with administrative or judicial proceedings. We may also collect data for health protection (for example as part of health protection concepts). We may obtain or create photos, videos and sound recordings in which you may be identifiable (for example at events, with security cameras, etc.). We may also collect data about who enters certain buildings, and when or who has access rights (including in relation with access controls, based on registration data or lists of visitors, etc.), who participates in events or campaigns, e.g. competitions and who uses our infrastructure and systems and when. The retention period for this data depends on the processing purpose and is limited to what is necessary. This ranges from one or two days for many of the security cameras, to usually a few weeks in case of data for contact tracing and visitor data that is usually kept for 3 months, to several years or longer for reports about events with images.
Much of the data set out in this Section is provided to us by you, e.g. through forms, in relation with communication with us, in relation with contracts, when you use the Website, etc. You are not obliged or required to disclose data to us except in individual cases, for example within the framework of binding health protection concepts (legal obligations). If you wish to enter into contracts with us or use our services, you must also provide us with certain data, in particular master data, contract data and registration data, as part of your contractual obligation under the relevant contract. When using our Website, the processing of technical data cannot be avoided. If you wish to gain access to certain systems or buildings, you must also provide us with registration data. However, in the case of behavioural and preference data, you have the option of objecting or not giving consent.
We provide certain services to you only if you provide us with registration data, because we or our contractual partners wish to know who uses our services or has accepted an invitation to an event, because it is a technical requirement or because we wish to communicate with you. If you or the person you represent (for example your employer) wishes to enter into or perform a contract with us, we must collect master data, contract data and communication data from you, and we process technical data if you wish to use our Website or other electronic offerings for this purpose. If you do not provide us with the data necessary for the conclusion and performance of the contract, you should expect that we may refuse to conclude the contract, that you may commit a breach of contract or that we will not perform the contract. Similarly, we can only submit a response to a request from you if we process communication data and -- if you communicate with us online -- possibly also technical data. Also, the use of our Website is not possible without us receiving technical data.
As far as it is not unlawful we also collect data from public sources (for example debt collection registers, land registers, commercial registers, the media, or the internet including social media) or from public authorities and from other third parties (such as credit agencies, address brokers, associations, contractual partners, internet analytics services, etc.).
The categories of personal data that we receive about you from third parties include, in particular, information from public registers, information that we receive in relation with administrative and legal proceedings, information in relation with your professional functions and activities (so that we can, for example, conclude and process transactions with your employer with your assistance), information about you in correspondence and meetings with third parties, credit information (where we conduct business with you in a personal capacity), information about you that persons related to you (family, advisors, legal representatives, etc.) share with us so that we can conclude or perform contracts with you or involving you (for example references, your delivery address, information about compliance with legal requirements such as fraud prevention, information about you in correspondence and meetings with third parties).This includes, for example, references, your address for deliveries, powers of attorney, information on compliance with legal requirements such as combating fraud, money laundering and terrorism and export restrictions, information from banks, insurance companies and sales and other contractual partners of ours on the utilisation or provision of services by you (e.g. payments, purchases, etc.), information about you from the media and the Internet (insofar as this is appropriate in the specific case). Your address and, if applicable, interests and other socio-demographic data (in particular for marketing and research) and data in connection with the use of third-party websites and online offers where this use can be attributed to you.
4. Purposes of the Processing
We process your data for the purposes explained below. Further information is set out in Sections 14 et seq. for online services. These purposes and their objectives represent legitimate interests of us and potentially of third parties. You can find further information on the legal basis of our processing in Section 5.
We process your data for communication purposes, in order to communicate with you, in particular, when you contact us in order, to respond to your queries or when you exercise your rights (Section 11). For this purpose, we use in particular communication data, master data and registration data to enable us to communicate with you and provide our services or respond to requests. We keep this data to document our communication with you, for training purposes and quality assurance.
4.2 Performance of a Contract
We process your data for entering into a contract with you, perform (in particular, for the creation of energy certificates) and administer it. In particular, we process communication data, master data, registration data and contract data about you. This might include data about third parties, e.g. if you order products or services for the benefit of a third party. This also includes data about potential customers, that we receive from communication with you, on a trade fair or any other business event. When contacting you, we use this data to assess your creditworthiness and to open up a business relationship with you. Administering and performing the contract with your might involve third parties, such as advertising service providers, banks, insurance companies or credit information providers in order to provide our products and services to you.
4.3 Marketing and Relationship Management
We process your data for marketing and relationship management purposes. For example, we send personalized newsletters for products and services from us and, if applicable from selected third parties (e.g. advertising partners). Marketing and relationship management might include contacting you via e-mail, telephone or other channels for which we have contact information from you. We and, if applicable, selected third parties, only display personalized content or advertising based on your usage behaviour or send e-mails for marketing purposes (e.g. newsletter) if and to the extent you give your consent to us if required under applicable law. You can object to such marketing activities or withdraw your consent at any time (please see Section 11 and 12).
As regards relationship management, we may use a customer relationship management system («CRM») to store and process your data as described in this Privacy Notice (e.g. about contact persons, products and services provided to you, interactions, interests, marketing measures, newsletters, invitations to events and other information).
4.4 Product/Service Improvement and Innovation
We process your data for market research, to improve our services and operations, for product development and, among other things, to create models that can be used to assess other properties.
4.5 Safety or Security Reasons
We process your data to protect our IT and other infrastructure (e.g. buildings). For example, we process data for monitoring, analysis and testing of our networks and IT infrastructures including access controls. We might also use surveillance systems, e.g. cameras for security purposes. In such a case, we will inform you at the relevant locations separately.
4.6 Compliance with Law
We process your data to comply with legal requirements, e.g. health security concepts, money laundering and terrorist financing, tax obligations etc. and we might have to request further information from you to comply with such requirements ("Know Your Customer", "KYC") or as otherwise required by law and legal authorities.
4.7 Risk Management, Corporate Governance and Business Development
We process your data as part of our risk management and corporate government in order to protect us from criminal or abusive activity. As part of our business development, we might sell businesses, parts of businesses or companies to others or acquire them from others or inter into partnerships and this might result in the exchange and processing of data based on your consent, if necessary.
5. Legal Basis for Processing your Data
Your Consent Where we asked for your consent (e.g. for receiving newsletters and for personalized content or advertising based on your usage behaviour or for processing sensitive data), we process your data based on such consent. You may withdraw your consent at any time with effect for the future by providing us written notice (e-mail sufficient), see our contact details in Section 2. If you like to withdraw your consent for online tracking, please see Section 14. Withdrawal of your consent does not affect the lawfulness of the processing that we have carried out prior to your withdrawal, nor does it affect the processing of your data based on other processing grounds.
Where we did not ask for your consent, we process your data on other legal grounds, such as
- a contractual obligation
- a legal obligation
- a vital interest of the data subject or of another natural person
- to perform a public task
- a legitimate interest, which includes compliance with applicable law and the marketing of our products and services, the interest in better understanding our markets and in managing and further developing our company, including its operations, safely and efficiently.
6 Profiling and Automated Decision Taking
We may automatically evaluate certain of your personal characteristics for the purposes stated in Section 4 using your data (Section 3) ("Profiling") if we want to determine preference data, but also to determine risks of misuse and security risks, to carry out statistical analyses or for operational planning purposes. For the same purposes, we can also create profiles, i.e. we can combine behavioural and preference data, but also master and contract data and technical data assigned to you in order to better understand you as a person with your different interests and other characteristics. We may also use Profiling to assess your creditworthiness. Property assessments may be made without human review and may have legal implications for you.
In certain situations, for reasons of efficiency and consistency of decision-making processes, it may be necessary for us to automate discretionary decisions concerning you with legal effects or potentially significant disadvantages ("Automated Individual Decisions"). In this case, we will inform you accordingly and take the measures required under applicable law.
7. Disclosure of Data to Third Parties and Social Plug-ins
In order to perform our contracts, fulfil our legal obligations, protect our legitimate interest and the other purposes described in Section 4 we may disclose your data to third parties, in particular to the following categories of recipients:
7.1 Offerings of Third Parties
Our Website or App may contain third-party offerings. If you click on such an offer, we will transfer data to the respective third party to the extent necessary (e.g. the information that you found this offer on our Website or app and, if applicable, further information that you provided for this purpose on our Website or app).
7.2 Service Providers
We may share your information with service providers and business partners around the world with whom we collaborate to fulfil the above purposes (e.g. IT provider, shipping companies, advertising service provider, security companies, banks, insurance companies, telecommunication companies, credit information agencies, address verification provider, lawyers) or who we engage to process personal data for any of the purposes listed above on our behalf and in accordance with our instructions only.
7.3 Contractual Partners Including Customers
In case required under the respective contract we share your data with other contractual partners. If we sell or buy any business or assets, we may disclose your data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.
If legally obliged or entitled to make disclosures or if it appears necessary to protect our interests, we may disclose your data to courts, law enforcement authorities, regulators, government officials or other legal authorities in Switzerland or abroad. The authorities process data about you that they receive from us under their own responsibility.
7.5 Social Plug-ins
We do not use social media plug-ins on our Website. If our Website contains icons of social media providers (e.g. LinkedIn, we use these only for as passive links to the websites of the respective social media platforms.
7.6 Integration of Google Maps
We use Google Maps on our Website. Google Maps allows us to display its interactive maps directly on our Website for your convenient use of the Google Maps functions. Legal basis for the use of Google Maps is your consent, that means, any transfer of data only takes place after your consent. Once you provided your consent, Google receives the information that you accessed our Website. Furthermore, the above-mentioned technical data such as IP address and timestamp are transmitted. This occurs, regardless of whether Google provided an user account through which you are logged in or whether no user account exists. If you are logging in to Google, your data will be directly assigned to your account. If you do not want an assignment to your profile at Google, you must log out before providing consent to use Google Maps. Google stores you data as usage profiles and uses them for the purposes of advertising, market research an/or demand-orientated design of its Website. Such evolution is carried out in particular (even for users who are not logged in) to provide targeted advertising and to inform other user of the social network about your activities on our Website. You have the right to object to the creation of these user profiles. Please contact Google to exercise this right.
The information collected is stored on Google servers, also in the US. For these cases we have agreed to so-called standard data protection clauses (SCCs) with Google, in order to ensure compliance with an appropriate level of data protection in third countries.
For more information on the purpose and scope of data collection and its processing by Google, please review Google's privacy notice. It will provide further information about your rights and the setting options for protecting your privacy: www.google.de/intl/de/policies/privacy.
7.7 Integration of YouTube videos
We have integrated YouTube videos into our online offering, which are stored on YouTube.com and can be played directly from our website. These are all integrated in "expanded data protection mode", i.e. no data about you as a user is transferred to YouTube if you do not play the videos. Only when you play the videos will the following data be transmitted. We have no influence on this data transfer. The legal basis for the display of the videos is your consent, i.e. the integration only takes place with your consent.
By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our Website. In addition, the above-mentioned basic data such as IP address and timestamp are transmitted. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or customising its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
The information collected is stored on Google servers, including in the USA. In these cases, the provider has, according to its own information, imposed a standard that corresponds to the former EU-US Privacy Shield and has promised to comply with applicable data protection laws when transferring data internationally.
7.8 Our Appearance on Social Networks
We are present on the following social media platform Twitter, LinkedIn, YouTube and collect data about you as described in Section 3 and below.
We receive this data from you and the platforms, when you enter into contact with us via our online presence (e.g. when you communicate with us, comment on our content or visit our presence). At the same time, the platforms evaluate your use of our online presence and link this data with other data about you known to the platforms (e.g. about your behaviour and preferences). They also process this data for their own purposes under their own responsibility, in particular for marketing and market research purposes (e.g. to personalize advertising) and to control their platform (e.g. which content they show to you). This also happens, if you do not have a profile on the social media platform.
We process this data for the purposes described in Section 4, in particular for communication, marketing purposes and market research. You will find information on the legal basis in Section 5.
We would like to point out that you use our presence on social media platforms and their functions on your own responsibility. This applies, in particular to the use of interactive functions (e.g. commenting, sharing, rating).
The data collected about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the USA, which, from the perspective of Switzerland or the European Economic Area (EEA), may not guarantee an adequate level of protection for the processing of personal data in accordance with Swiss/EU standards. In such a case, we have agreed so-called standard contractual clauses with the providers, the purpose of which is to maintain an adequate level of data protection in the third country.
According to their own statements, some of the aforementioned providers maintain an adequate level of data protection that corresponds to that of the former EU-US Privacy Shield and we have also concluded so-called standard data protection clauses with the companies.
We do not know how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long this data is stored and whether data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or whether you visit the site as a non-registered and/or non-logged-in user. When you access a post or the account, the IP address assigned to your end device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your device can be used to track how you have moved around the network. Buttons integrated into websites enable the platforms to record your visits to these websites and assign them to your respective profile. This data can be used to tailor content or advertising to you. If you wish to avoid this, you should log out or deactivate the "stay logged in" function, delete the cookies on your device and restart your browser.
To exercise your rights as a data subject, you can contact us or the provider of the social media platform. If one party is not responsible for responding or must receive the information from the other party, we or the provider will then forward your request to the respective partner. Please contact the operator of the social media platform directly for questions about profiling and the processing of your data when using the website. If you have any questions about the processing of your interaction with us on our site, please write to the contact details provided by us above.
What information the social media platform receives and how it is used is described by the providers in their privacy policies (see link in the overview above). There you will also find information about contact options and the setting options for advertisements.
8. Transfer of Data Abroad
As we have explained in Section 7, we disclose data to other parties, not all of them located in Switzerland. Your data may be processed in the Europe and in exceptional circumstances in any country of the world.
We only transfer data to countries without adequate legal data protection if this is necessary for the fulfilment of a contract or for the assertion or defence of legal claims, or if such a transfer is based on your express consent or is subject to guarantees that ensure the protection of your data, such as the standard contractual clauses approved by the European Commission.
9. How Long We Keep your Personal Data
We only process your data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of complying with legal retention requirements and where required to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. Upon expiry of the applicable retention period we will securely destroy your data in accordance with applicable laws and regulations.
10. Security of your Personal Data
We take appropriate security measures to protect the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or unlawful processing and to counteract the risks of loss, unintentional modification, unwanted disclosure or unauthorised access.
However, we and your personal data can still become victims of cyber-attacks, cybercrime, brute force, hacker attacks and further fraudulent and malicious activity including but not limited to viruses, forgeries, malfunctions and interruptions which is out of our control and responsibility.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. Your Rights
You have various rights in relation with our processing of your personal data, depending on the applicable data protection law:
11.1 Right of Access
You have the right to request information from us as to whether and which of your data we process.
11.2 Right to Rectification
We aim to keep your personal data accurate, current, and complete. We encourage you to contact us to let us know if any of your personal data is not accurate or changes, so that we can keep your personal data up-to-date.
11.3 Right to Erasure
You have the right to require us to erase your personal data when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data have been unlawfully processed.
11.4 Right to Restriction
You have the right to ask us to restrict the processing of your personal information in certain circumstances.
11.5 Right to Data Portability
You have the right to request that we provide you with certain personal data in a common electronic format or transfer it to another Controller.
11.6 Right to Withdraw Consent
Where we process data based on your consent, you have the right to withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.
If you believe that your data protection rights might have been breached, please let us know our contact the applicable supervisory authority.
12. Right to Object
Under applicable data protection law you have the right to object at any time to the processing of personal data pertaining to you under certain circumstances, in particular where your data is processed in the public interest, on the basis of a balance of interests or for direct marketing purposes.
If you like to exercise the above mentioned rights, please contact us at the contact details provided under Section 2 unless otherwise specified or agreed. Please note that we need to identify you to prevent misuse, e.g. by means of a copy of your ID card or passport, unless identification is possible otherwise.
If you subscribe to one of our newsletters offered, you may cancel the subscription at any time by using the option to unsubscribe contained in the newsletter.
However, depending on the purpose of these cookies, we may ask for your express prior consent before they are used. You can access your current settings by clicking on the «Change Your Cookies» - button below and/or at our Website and you can withdraw your consent under the same link at any time. You can also set your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser that blocks certain third-party tracking. You can find more information on the help pages of your browser (usually with the keyword «Privacy») or on the websites of the third parties set out in our Consent Management Tool.
14.1 Necessary Cookies
Necessary cookies are necessary for the functioning of the Website or for certain features. They make the use of our Website more pleasant for you. For example, they help make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. They also ensure that you can move between pages without losing information that was entered in a form and that you stay logged in. These cookies exist temporarily only («Session Cookies»). The Session Cookies are automatically deleted after leaving our pages. If you block them, the Website may not work properly. Other cookies are necessary for the server to store options or information (which you have entered) beyond a session (i.e. a visit to the Website) if you use this function (for example language settings, consents, automatic login functionality, etc.). These cookies have an expiration date of up to 12 months. The legal basis for such cookies is our legitimate interest according to provide you with all functions of our Website. A list of necessary cookies is provided in our Consent Management Tool.
14.2 Performance Cookies
14.3 Marketing Cookies
You can change your cookie settings at any time via the link on our website "Change cookie settings".
15. Tracking Tools
Based on your consent, we use tracking tools to ensure that our website is designed to meet your needs and is continuously optimised. We also use tracking tools to statistically record the use of our website and to evaluate it for the purpose of optimising the content we show you.
We use Google Analytics, Amplitude and Smartlook on the basis of your consent.
Google Analytics: Google Ireland (based in Ireland) is our provider of "Google Analytics" and acts as our processor. Google Ireland relies on Google LLLC (based n the USA) as a processor for its services (both "Google"). Google uses performance cookies (see above) to track the behaviour of visitors to our Website (duration, frequency of pages viewed, geographic origin of access, etc.) and compiles reports for us on the use of our Website on this basis. We have configured the service so that the IP addresses of visitors are shortened by Google in Europe before being forwarded to the US and thus cannot be traced. We have turned off the "Data Forwarding" and "Signals" settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google can draw conclusions about the identity of visitors from this data for its own purposes, create personal profiles and link this data to the Google accounts of these persons. If you consent to the use of Google Analytics, you explicitly agree to such processing, which also includes the transfer of personal data (in particular usage data for the Website and app, device information and individual IDs) to the US and other countries. Information on the data protection of Google Analytics can be found here https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find further details on processing by Google here https://policies.google.com/technologies/partner-sites?hl=de.
16. Targeting Tools
Based on your consent, we use the following targeting tools to ensure that only adverts that match your actual or inferred interest are displayed on your device:
We use Google Ads, LinkedIn Ads and Twitter Ads based on your consent.
Google Ads: We use Google Ads to draw attention to our offers with the help of adverts. If you access our website via a Google advert, Google Ads will store a cookie on your end device. The legal basis for the processing of your data is your consent, i.e. the integration only takes place with your consent. The advertising material is delivered by Google via so-called "ad servers". For this purpose, we and other websites use so-called ad server cookies, through which certain parameters for measuring success, such as the display of adverts or clicks by users, can be measured. We can obtain information about the success of our advertising campaigns via the Google Ads cookies stored on our website. These cookies are not intended to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that a user no longer wishes to be addressed) are usually stored as analysis values for this cookie. The cookies set by Google enable Google to recognise your internet browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer can recognise that the user clicked on the ad and was redirected to this page. A different cookie is assigned to each Ads customer so that the cookies cannot be tracked via the websites of other Ads customers. By integrating Google Ads, Google receives the information that you have called up the corresponding part of our website or clicked on an advert from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out and save your IP address. Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We ourselves do not independently collect personal data in the aforementioned advertising measures, but only provide Google with the opportunity to collect the data. We only receive statistical analyses from Google, which provide information on which advertisements were clicked on how often and at what prices. We do not receive any further data from the use of advertising material; in particular, we cannot identify users on the basis of this information. You can withdraw your consent at any time without this affecting the permissibility of processing up to the point of withdrawal. The easiest way to withdraw your consent is via our Consent Manager. Further information on data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, can be found here: https://policies.google.com/privacy?hl=de&gl=de.
17. Updating and changing this Privacy Notice
Due to continuous development of our Website and the contents thereof, changes in law or regulatory requirements, we might need to change this privacy notice from time to time. Our current privacy notice can be found at our Website.