Privacy Policy of Poyraz Digital

1. What is covered in this Privacy Policy?

Poyraz Digital (hereinafter also referred to as "Xona.ai," "we," "us") collects and processes personal data that concerns you or other individuals (referred to as "Third Parties"). In this context, we use the term "Data" interchangeably with "Personal Data" or "Personally Identifiable Information (PII)."

  • By "Personal Data," we mean data that relates to a specific or identifiable person, i.e., information from which the identity of an individual can be inferred either by the data itself or with additional information. "Sensitive Personal Data" is a category of personal data that is particularly protected under applicable data protection laws. Examples of sensitive personal data include information revealing racial or ethnic origin, health data, details about religious or philosophical beliefs, biometric data for identification purposes, and information about union membership. In Section 3, you will find information about the data we process under this Privacy Policy. The term "Processing" encompasses any handling of personal data, such as acquisition, storage, use, adaptation, disclosure, and deletion.

In this Privacy Policy, we describe what we do with your data when you use www.xona.ai, other websites of ours, or our apps (collectively referred to as "Website"), when you avail yourself of our services or products, when you are otherwise in contact with us under a contract, when you communicate with us, or when you engage with us in any other way. We will inform you in a timely written notice about additional processing activities not mentioned in this Privacy Policy. Additionally, we may inform you separately about the processing of your data, e.g., in consent declarations, contract terms, additional privacy policies, forms, and notices.

If you provide us with data about other individuals, such as family members, colleagues, etc., we assume that you are authorized to do so and that this information is accurate. By transmitting data about third parties, you confirm this. Please also ensure that these third parties have been informed about this Privacy Policy.

This Privacy Policy is designed to meet the requirements of the EU General Data Protection Regulation ("GDPR"), the Swiss Data Protection Act ("DSG"), and the revised Swiss Data Protection Act ("revDSG"). However, the applicability of these laws depends on the individual case.

2. Who is responsible for processing your data?

For the data processing described in this Privacy Policy by Xona.ai, the data controller under data protection law is Poyraz Digital, Neuhausen am Rheinfall (hereinafter "Xona.ai"), unless communicated otherwise in individual cases, for example, in additional privacy policies, forms, or contracts.

  • For each data processing, there are one or more entities responsible for ensuring that the processing complies with the requirements of data protection law. This entity is called the "Controller." It is responsible, for example, for responding to requests for information (Section 11) or ensuring that personal data is secure and not used improperly.
  • In the data processing activities described in this Privacy Policy, other entities may also share responsibility if they contribute to determining the purpose or design. If you wish to obtain information about the specific controllers for a particular data processing, you can request this information from us under the right of access (Section 11). Xona.ai remains your primary point of contact, even if other joint controllers exist.

    In Section 3, Section 7, and Section 12, you will find additional information about third parties with whom we collaborate and who are responsible for their own data processing activities. For questions or to exercise your rights against these third parties, please contact them directly.

You can reach us for your privacy concerns and to exercise your rights under Section 11 as follows:

Poyraz Digital
Büchelerstrasse 12
Neuhausen am Rheinfall

3. What data do we process?

We process various categories of data about you. The main categories are as follows:

  • Technical Data: When you use our website or other electronic services, we collect the IP address of your device and other technical data to ensure the functionality and security of these services. These data include logs that record the use of our systems. We generally retain technical data for 6 months. To ensure the functionality of these services, we may assign you or your device an individual code (e.g., in the form of a cookie, see Section 12). Technical data, on its own, generally does not allow conclusions about your identity. However, in the context of user accounts, registrations, access controls, or contract processing, they may be linked to other data categories (and thus potentially to your person).
    • Technical data includes, among others, the IP address and information about your device's operating system, the date, region, and time of use, as well as the type of browser used to access our electronic services. This can help us convey the correct formatting of the website or display a website tailored to your region. While we can determine the provider through the IP address (and thus the region), we usually cannot deduce your identity. This changes, for example, when you create a user account, as personal data can be linked to technical data (e.g., we can see which browser you use to access an account through our website). Examples of technical data also include records ("logs") generated in our systems (e.g., the log of user logins on our website).
  • Registration Data: Certain offers and services (e.g., login areas of our website, newsletter delivery, etc.) can only be used with a user account or registration, which can be done directly with us or through our external login service providers. In this process, you need to provide certain data, and we collect data about the use of the offer or service. Registration data may arise in access controls to specific facilities, and, depending on the control system, may include biometric data. We generally retain registration data for 12 months after the end of the use of the service or the dissolution of the user account.
    • Registration data includes, among others, the information you provide when creating an account on our website (e.g., username, password, name, email). Registration data also includes the data we may request from you before you can take advantage of certain free services. In the context of access controls, we may need to register you with your data (access codes in badges, biometric data for identification) (see the "other data" category).
  • Communication Data: When you contact us through the contact form, email, phone, chat, letter, or other means of communication, we capture the data exchanged between you and us, including your contact details and communication metadata. If we record or listen to phone calls or video conferences, e.g., for training and quality assurance purposes, we will inform you specifically. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed about whether and when such recordings will take place, e.g., through a notification during the respective video conference. If you do not want a recording, please let us know or end your participation. If we need to establish or verify your identity, e.g., in response to a request for information or a media access application, we collect data to identify you (e.g., a copy of an ID). We generally retain this data for 12 months from the last exchange with you. This period may be longer if required for evidentiary purposes or to comply with legal or contractual requirements or technical constraints. Emails in personal mailboxes and written correspondence are typically retained for at least 10 years. Recordings of (video) conferences are usually kept for 24 months.
    • Communication data includes your name and contact details, the manner, location, time, and content (i.e., the content of emails, letters, chats, etc.) of communication. This data may also include information about third parties. For identification purposes, we may also process your ID number, a password defined by you, or your press card. The following mandatory information must be provided for media inquiries: publisher, name of the publication, salutation, first name, last name, postal address, email address, and telephone number of the reporting person.
  • Master Data: Master data refers to the basic data we need, in addition to contract data (see below), for the processing of our contractual and other business relationships or for marketing and advertising purposes. This includes name, contact details, information about your role and function, bank details, date of birth, customer history, authorizations, signing authorities, and consent declarations. We process your master data if you are a customer or another business contact or act on behalf of one (e.g., as a contact person for the business partner), or because we want to address you for our own purposes or the purposes of a contract partner (e.g., in the context of marketing and advertising, with invitations to events, with vouchers, with newsletters, etc.). We receive master data from you (e.g., in a purchase or registration), from entities you represent, or from third parties such as our contract partners, associations, address brokers, and from publicly available sources such as public registers or the internet (websites, social media, etc.). We generally retain this data for 10 years from the last exchange with you, but at least from the end of the contract. This period may be longer if required for evidentiary purposes or to comply with legal or contractual requirements or technical constraints. In the case of pure marketing and advertising contacts, the retention period is usually much shorter, typically not more than 2 years since the last contact.
    • Master data includes data such as name, address, email address, phone number, and other contact details, gender, date of birth, nationality, information about related persons, websites, profiles on social media, photos and videos, copies of IDs; also information about your relationship with us (customer, supplier, visitor, service recipient, etc.), information about your status with us, allocations, classifications, and distributors, information about our interactions with you (possibly a history with corresponding entries), reports (e.g., from the media) or official documents (e.g., commercial register extracts, permits, etc.) concerning you. As payment details, we collect your bank details, account number, and credit card information. Consent or blocking notes are also part of master data, as are details about third parties, such as contact persons, service recipients, advertising recipients, or representatives.
    • For contacts and representatives of our customers, suppliers, and partners, we process data such as name and address, information about their role, function in the company, qualifications, and possibly information about superiors, employees, and subordinates, as well as information about interactions with these individuals.

      Master data is not comprehensively collected for all contacts. The specific data collected depends on the purpose of the processing.

  • Contract Data: These are data that arise in connection with the conclusion or processing of a contract, e.g., information about contracts and the services to be provided or provided, as well as data from the pre-contractual phase that are necessary or used for processing and information about reactions. We usually collect these data from you, from contractual partners, and from third parties involved in the contract (e.g., providers of credit information), as well as from publicly available sources. We generally retain these data for 10 years from the last contract activity, but at least from the end of the contract. This period may be longer if required for evidentiary purposes or to comply with legal or contractual requirements or technical constraints.
    • Contract data includes information about the conclusion of the contract, your contracts, e.g., type and date of contract conclusion, information from the application process (such as an application for our products or services), and information about the relevant contract (e.g., its duration) and the handling and management of contracts (e.g., information related to invoicing, customer service, support with technical matters, and the enforcement of contractual claims). Contract data also includes information about defects, complaints, and adjustments to a contract, as well as information about customer satisfaction, which we may collect, for example, through surveys. Contract data also includes financial data such as information about creditworthiness (i.e., information that allows conclusions about the likelihood of settling claims), reminders, and debt collection. We receive these data partly from you (e.g., when making payments) but also from credit reporting agencies, debt collection companies, and publicly available sources (such as a commercial register).
  • Behavioral and Preference Data: Depending on our relationship with you, we try to get to know you and better tailor our products, services, and offers to you. To do this, we collect and use data about your behavior and preferences. We do this by evaluating information about your behavior in our area, and we may complement this information with data from third parties – including publicly available sources. Based on this, we can calculate, for example, the likelihood that you will take advantage of certain services or behave in a certain way. The data processed for this purpose is partially already known to us (e.g., if you use our services), or we obtain this data by recording your behavior (e.g., how you navigate on our website). We anonymize or delete this data when it is no longer meaningful for the purposes pursued, which can range from 2-3 weeks to 24 months (for product and service preferences) depending on the type of data. This period may be longer if required for evidentiary purposes or to comply with legal or contractual requirements or technical constraints. We describe how tracking works on our website in Section 12.
    • Behavioral and Preference data includes information about specific actions, e.g., your response to electronic communications (e.g., whether and when you opened an email) or your location, as well as your interaction with our social media profiles and your participation in competitions, contests, and similar events. We can capture your location data, for example, wirelessly through unique codes emitted by your mobile phone or when you use our website.
    • Preference data provides insights into your needs, which products or services might interest you, or when and how you are likely to respond to messages from us. We obtain this information from the analysis of existing data such as behavioral data, so that we can get to know you better, align our advice and offers more precisely to you, and generally improve our offers. To improve the quality of our analyses, we may link this data with additional data obtained from third parties such as address brokers, authorities, and publicly available sources such as the internet, including information about your household size, income class, purchasing power, shopping behavior, and contact details of relatives, as well as anonymous information from statistical offices.

      Behavioral and preference data can be evaluated in a personalized manner (e.g., to show you personalized advertisements) but also in a non-personalized manner (e.g., for market research or product development). Behavioral and preference data can also be combined with other data (e.g., motion data within a health protection concept for contact tracing).

  • Other data: We also collect data about you in other situations. For example, in connection with administrative or judicial proceedings, data may arise (such as files, evidence, etc.) that may also relate to you. For health protection reasons, we may also collect data (e.g., in the context of protection concepts). We may receive or create photos, videos, and audio recordings in which you may be recognizable (e.g., at events, through security cameras, etc.). We may also collect data about who enters certain buildings or has corresponding access rights (including access controls, based on registration data or visitor lists, etc.), who participates in events or actions, or who uses our infrastructure and systems and when. Finally, we collect and process data about our shareholders and other investors; in addition to master data, these include, among other things, information for the corresponding registers, regarding the exercise of their rights, and the conduct of events (e.g., general meetings). The retention period for this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many security cameras and typically a few weeks for contact tracing data on visitors to several years or longer for reports on events with images. Data about you as a shareholder or other investor is retained in accordance with corporate law requirements, but in any case as long as you are invested.
  • Many of the data mentioned in this Section 3 are disclosed to us by you (e.g., via forms, in communication with us, in connection with contracts, when using the website, etc.). You are not obligated to do so, subject to individual cases, e.g., in the context of mandatory protection concepts (legal obligations). If you want to conclude contracts with us or claim services, you must also provide us with data within the framework of your contractual obligation according to the relevant contract, especially master, contract, and registration data. The processing of technical data is unavoidable when using our website. If you want access to certain systems or buildings, you must provide us with registration data.

    • We provide certain services only if you submit registration data to us, as we or our contract partners want to know who is using our services or has accepted an invitation to an event, because it is technically necessary, or because we want to communicate with you. If you or a person you represent (e.g., your employer) wants to conclude or fulfill a contract with us, we must collect the corresponding master, contract, and communication data from you, and we process technical data if you want to use our website or other electronic services for this purpose. If you do not provide us with the data required for the conclusion and processing of the contract, you must expect that we will reject the conclusion of the contract, you will commit a breach of contract, or we will not fulfill the contract. Likewise, we can only send you a response to an inquiry from you if we process the corresponding communication data and – if you communicate with us online – possibly also technical data. The use of our website is also not possible without us receiving technical data.

To the extent permitted, we also obtain data from publicly available sources (e.g., debt collection registers, land registers, commercial registers, media, or the internet, including social media) or receive data from authorities and other third parties (such as credit reporting agencies, address brokers, associations, contract partners, internet analytics services, etc.).

  • The categories of personal data that we receive from third parties about you include, in particular, information from public registers, information that we learn in connection with administrative and judicial proceedings, information related to your professional functions and activities (so that we can, for example, conclude and process transactions with your employer with your help), information about you in correspondence and meetings with third parties, credit reports (to the extent that we conduct personal transactions with you), information about you that persons from your environment (family, advisors, legal representatives, etc.) give us so that we can conclude or process contracts with you or involving you (e.g., references, your delivery address, powers of attorney), information about compliance with legal requirements such as fraud, money laundering, and terrorism prevention, and export restrictions, information from banks, insurance companies, and distribution and other contract partners of ours for the use or provision of services by you (e.g., payments, purchases, etc.), information from media and the internet about your person (to the extent that this is indicated in the specific case), your address and possibly interests, and other socio-demographic data (especially for marketing and research) and data related to the use of foreign websites and online offerings where this use can be assigned to you.

4. Purposes of Processing Your Data

We process your data for the purposes explained below. For additional information regarding online activities, refer to Sections 12 and 13. These purposes, along with their underlying objectives, represent legitimate interests of ours and possibly third parties. Further details on the legal basis for our processing are provided in Section 5.

Primarily, we process data to provide our website and deliver associated services. This includes, but is not limited to, processing (receipt, storage, forwarding, etc.) of data related to applications (e.g., names, birthdates, salary expectations, former or current employers, education, etc.).

Additionally, we process your data for the following purposes:

We process your data to communicate with you, especially to respond to inquiries, assert your rights (Section 11), and contact you for follow-ups. This involves using communication and master data, and, in connection with services you use, registration data. We retain this data to document our communication with you, for training purposes, quality assurance, and inquiries.

  • This includes all purposes related to our communication with you, whether in customer service, consultation, during authentication for website usage, or for training and quality assurance (e.g., in customer service). Communication data is further processed to enable communication via email, phone, messenger services, chat, social media, mail, and fax. Communication with you mostly occurs in connection with other processing purposes, such as providing services or responding to information requests. Our data processing also serves as evidence of communication and its contents.

We process data for the initiation, management, and execution of contractual relationships.

  • We enter into various contracts with business and private customers, suppliers, subcontractors, and other contractual partners, including partners in projects or parties in legal disputes. This involves processing master data, contract data, and communication data, and, depending on circumstances, registration data of the customer or individuals to whom the customer provides a service.
  • In the context of business initiation, personal data—especially master data, contract data, and communication data—of potential customers or other contractual partners (e.g., in an order form or contract) is collected or arises from communication. Also, in connection with contract conclusion, we process data for credit checks and to establish the customer relationship. Some of this information is verified to comply with legal requirements.

    During the execution of contractual relationships, we process data for managing customer relationships, providing and enforcing contractual services (which may involve third-party involvement such as logistics companies, security services, advertising service providers, banks, insurance companies, or credit reporting agencies that may provide us with data), for consultation, and customer support. Enforcing legal claims from contracts (e.g., debt collection, legal proceedings, etc.) is part of the execution, as well as accounting, contract termination, and public communication.

We process data for marketing purposes and relationship management, such as sending personalized advertisements for our and third-party (e.g., advertising partners') products and services to our customers and other contractual partners. This may occur through newsletters, regular contacts (electronically, by post, or by phone), and other channels where we have contact information from you. It also includes individual marketing actions (e.g., events, competitions, etc.) and may involve free services (e.g., invitations, vouchers, etc.). You can decline such contacts at any time (see the end of this Section 4) or refuse or revoke consent for contact for advertising purposes. With your consent, we can target our online advertising on the internet more effectively to you (see Section 12). Finally, we also want to enable our contractual partners to address our customers and other contractual partners for advertising purposes (see Section 7).

  • For example, with your consent, we transmit information, advertisements, and product offers from us and third parties (e.g., advertising partners) to you as printed material, electronically, or by phone. This involves processing primarily communication and registration data. Like most companies, we personalize communications to provide you with individual information and offers that match your needs and interests. For this purpose, we link data we process about you, determine preference data, and use this data as the basis for personalization (see Section 3). We also process data in connection with contests, giveaways, and similar events.
  • Relationship management also includes personalized communication with existing customers and their contacts, possibly based on behavioral and preference data. As part of relationship management, we may operate a Customer Relationship Management system ("CRM"), storing necessary data on customers, suppliers, and other business partners, such as contact persons, relationship history (e.g., products and services received or delivered, interactions, etc.), interests, wishes, marketing measures (newsletters, event invitations, etc.), and other information.

    All these processes are crucial for effectively promoting our offers, making our relationships with customers and other parties more personal and positive, focusing on the most important relationships, and using our resources as efficiently as possible.

We process your data for market research, improving our services and operations, and product development.

  • We strive to continuously improve our products and services (including our website) and respond promptly to changing needs. Therefore, we analyze how you navigate through our website, how products are used by different groups of people, and how new products and services can be designed (for further details, see Section 12). This provides insights into the market acceptance of existing products and the market potential for new products and services. For these purposes, we process primarily master, behavioral, and preference data, as well as communication data and information from customer surveys, polls, and studies, and additional information from media, social media, the internet, and other public sources. Whenever possible, we use pseudonymized or anonymized data for these purposes. We may also use media monitoring services or conduct media observations ourselves, processing personal data to engage in media activities or understand and respond to current developments and trends.
  • With your consent, we use non-anonymized location data to alert you to interesting offers and products nearby based on your position, infer your interests from location data (dwell time), and inform you about products and services other contractual partners with similar interests have used.

We may process your data for security purposes and access control.

  • We continuously assess and enhance the appropriate security of our IT and other infrastructure (e.g., buildings). Like all companies, we cannot completely rule out data security breaches, but we strive to reduce risks. Therefore, we process data for monitoring, controls, analyses, and tests of our networks and IT infrastructures, for system and error checks, for documentation purposes, and in the context of backups. Access controls include the control of access to electronic systems (e.g., logging into user accounts) as well as physical access control (e.g., building entrances). For security purposes (preventive and for investigating incidents), we maintain access logs or visitor lists and use monitoring systems (e.g., security cameras).

We process personal data to comply with laws, directives, recommendations from authorities, and internal regulations ("Compliance").

  • This includes the implementation of health safety concepts or legally regulated efforts to combat money laundering and terrorist financing. In certain cases, we may be obliged to conduct specific investigations about customers ("Know Your Customer") or report to authorities. Compliance also involves fulfilling duties of disclosure, information, or reporting, such as those related to supervisory and tax obligations, requiring data processing. This may include complying with archiving obligations and preventing, detecting, and investigating crimes and other violations. This encompasses receiving and processing complaints and other reports, monitoring communication, internal investigations, or disclosing documents to an authority when we have sufficient grounds or are legally obligated. In the case of external investigations, for example, by law enforcement or regulatory authorities or an authorized private entity, personal data from you may be processed. Additionally, we process data to care for our shareholders and other investors and fulfill our related obligations. All these purposes involve processing your master data, contract data, communication data, and, under certain circumstances, behavioral data and data from the category of other data. The legal obligations may be Swiss law, as well as foreign regulations to which we are subject, and self-regulations, industry standards, our own corporate governance, and official instructions and requests.

We process data for purposes of risk management and as part of prudent corporate governance, including business organization and development.

  • For these purposes, we process primarily master data, contract data, registration data, and technical data, as well as behavioral and communication data. For example, as part of financial administration, we must monitor our debtors and creditors and avoid falling victim to crimes and abuses, which may require evaluating data for relevant patterns. For these purposes and for your and our protection against criminal or abusive activities, we may also conduct profiling, create and process profiles (see also Section 6). In the planning of our resources and organization of our business, we must evaluate and process data on the use of our services and other offerings or exchange information with others (e.g., outsourcing partners), which may include your data. The same applies to services provided to us by third parties. In the context of business development, we may sell or acquire businesses, parts of businesses, or companies or enter into partnerships, which can also involve the exchange and processing of data (including yours, e.g., as a customer or supplier or as a representative of a supplier).

We may process your data for other purposes, such as internal processes and administration or for training and quality assurance purposes.

  • These additional purposes include, for example, training and education purposes, administrative purposes (such as managing master data, accounting, data archiving, and examining, managing, and continually improving IT infrastructure), protecting our rights (e.g., enforcing claims in court, out of court, or before authorities in Switzerland and abroad or defending against claims, including through evidence collection, legal investigations, and participating in judicial or administrative proceedings), and evaluating and improving internal processes. We may use recordings of (video) conferences for training and quality assurance purposes. The protection of other legitimate interests is also among the additional purposes that cannot be conclusively listed.

5. On What Basis Do We Process Your Data?

Whenever we seek your consent for specific processing activities, we will inform you separately about the corresponding purposes of the processing. You can revoke your consent at any time with future effect by providing written notice (via post) or, unless otherwise specified or agreed, by email; our contact details are available in Section 2. For revoking your consent related to online tracking, refer to Section 12. If you have a user account, revocation or contacting us may also be carried out through the respective website or other services. Upon receiving notice of the revocation of your consent, we will no longer process your data for the purposes to which you originally consented unless we have another legal basis. The revocation of your consent does not affect the lawfulness of processing based on consent before the revocation.

Where we do not seek your consent for processing, we base the processing of your personal data on the necessity of the processing for the initiation or performance of a contract with you (or the entity you represent) or on our or third parties' legitimate interests. This includes, in particular, pursuing the purposes and related objectives described in Section 4 and taking corresponding measures. Our legitimate interests also encompass compliance with legal regulations, to the extent not already recognized as a legal basis by the applicable data protection laws (e.g., under the GDPR in the EEA and Switzerland). This includes marketing our products and services, the interest in understanding our markets better, and operating and developing our company, including operational activities, securely and efficiently.

In cases where we receive sensitive data (e.g., health data, information about political, religious, or philosophical views, or biometric data for identification), we may also process your data based on other legal grounds, such as the necessity of processing for potential legal proceedings or the enforcement or defense of legal claims. In individual cases, other legal grounds may apply, and we will communicate these to you separately as necessary.

6. Rules Regarding Profiling and Automated Individual Decisions

We may automatically evaluate certain personal characteristics for the purposes mentioned in Section 4 based on your data (Section 3) ("Profiling"). This includes determining preference data, identifying misuse and security risks, conducting statistical analyses, or for operational planning purposes. For the same purposes, we may also create profiles, meaning we can combine behavioral and preference data, as well as master and contract data and associated technical data, to better understand you as a person with various interests and other characteristics.

  • If you are a customer of ours, for example, we can use "Profiling" based on your purchases to determine which other products you are likely interested in. However, we can also check your creditworthiness before offering you a purchase on account. Automated data evaluation can also, for your protection, assess the likelihood of fraudulent transactions. This allows us to stop the transaction for clarification. Distinct from this are "Profiles," which refer to the linkage of different data to derive indications about essential aspects of your personality (e.g., what you like or how you behave in certain situations). Profiles can also be used for marketing as well as security purposes.

In both cases, we ensure the proportionality and reliability of the results and take measures against the abusive use of these profiles or profiling. If these profiles or profiling can have legal effects or significant disadvantages for you, we generally provide for manual review.

In certain situations, for reasons of efficiency and consistency in decision-making processes, it may be necessary to automate decisions regarding you that have legal effects or potentially significant disadvantages ("automated individual decisions"). We will inform you in such cases and provide the measures required by applicable law.

  • An example of an automated individual decision is the automatic order acceptance by an online shop. Pure if-then decisions are not meant (e.g., if the computer allows access to your user account after checking your password), but discretionary decisions (e.g., the decision to enter into a contract). We will inform you in each case when an automated decision leads to negative legal consequences or a similar significant impairment for you. If you disagree with the outcome of such a decision, you will be able to communicate with a human who will review the decision.

7. To Whom Do We Disclose Your Data?

In connection with our contracts, the website, our services and products, our legal obligations, or otherwise to safeguard our legitimate interests and the purposes listed in Section 4, we also transmit your personal data to third parties, especially to the following categories of recipients:

  • Service Providers: We collaborate with service providers both domestically and internationally who, on our behalf or jointly responsible with us, process data about you or receive data about you from us in their own responsibility (e.g., IT providers, shipping companies, advertising service providers, login service providers, cleaning companies, security companies, banks, insurance companies, debt collection agencies, credit reporting agencies, or address validators). This may also include health data.
    • To efficiently provide our products and services and focus on our core competencies, we engage third-party services in various areas. These services include, for example, IT services, information distribution, marketing, sales, communication, or printing services, facility management, security, and cleaning, organization and execution of events and receptions, debt collection, credit reporting agencies, address validators (e.g., for updating address databases during relocations), fraud prevention measures, and services provided by consulting firms, lawyers, banks, insurers, and telecommunications companies. We disclose to these service providers the data necessary for their services, which may also include data about you. These service providers may use such data for their purposes, such as anonymized information to improve their services. Additionally, we enter into contracts with these service providers that include provisions for data protection, to the extent not already specified by law. Some service providers may process data, including how their services are used and other data generated during the use of their service, as independent controllers for their legitimate interests (e.g., for statistical analysis or billing).
  • Contractual Partners, Including Customers: Initially referring to customers (e.g., service recipients) and other contractual partners, as this data transfer arises from these contracts. If you act on behalf of such a contractual partner, we may also transmit data about you in this context. This may also include health data. Recipients further include contractual partners with whom we cooperate or who advertise on our behalf and to whom we therefore transmit data about you for analysis and marketing purposes (these can again be service recipients but also sponsors and providers of online advertising). We require these partners to send you advertisements or play them based on your data only if you have consented to it (for the online area, see Section 12).
    • If you, as an employee, act for a company with which we have a contract, the execution of this contract may result in us informing the company about how you have used our service. Cooperation and advertising contractual partners receive selected master, contract, behavioral, and preference data from us so that they can conduct non-personalized evaluations in their area (e.g., about the number of customers who viewed their advertising), and they can also use data for advertising purposes (including targeted communication with you). For example, advertising contractual partners should have the opportunity to communicate with suitable other customers of ours and send them advertisements.
  • Authorities: We may disclose personal data to authorities, courts, and other government agencies both domestically and internationally when we are legally obligated or entitled to do so or when it appears necessary to safeguard our interests. This may also include health data.
    • Examples include criminal investigations, law enforcement measures (e.g., health protection concepts, crime prevention, etc.), supervisory requirements and investigations, judicial proceedings, reporting obligations, and pre- and extrajudicial proceedings, as well as legal information and cooperation obligations. Data disclosure may also occur when we want to obtain information from public authorities, e.g., to justify an information interest or because we must specify about whom we need information (e.g., from a register).
  • Other Individuals: Refers to other cases where the involvement of third parties arises from the purposes according to Section 4.
    • Other recipients include, for example, delivery recipients or third-party payees provided by you, other third parties also in the context of agency relationships (e.g., when we send your data to your lawyer or your bank), or persons involved in administrative or judicial proceedings. If we collaborate with the media and provide them with material (e.g., photos), you may also be affected. The same applies to the publication of content (e.g., photos, interviews, quotes, etc.) on the website or in other publications by us. As part of corporate development, we may sell or acquire businesses, business units, assets, or companies or enter into partnerships, which may also result in the disclosure of data (including yours, e.g., as a customer or supplier or as a representative of a supplier) to the persons involved in these transactions. In the course of communication with our competitors, industry organizations, associations, and other bodies, there may also be an exchange of data that affects you.

All these categories of recipients may involve third parties, so your data may also be accessible to them. We can restrict the processing by certain third parties (e.g., IT providers), but not by others (e.g., authorities, banks, etc.).

We reserve the right to disclose this data even if it involves confidential data (unless we have expressly agreed with you not to disclose this data to certain third parties, unless we are legally obligated to do so). Regardless, your data remains subject to adequate data protection in Switzerland and the rest of Europe even after disclosure. For disclosure to other countries, the provisions of Section 8 apply. If you do not want certain data to be disclosed, please let us know so that we can assess whether and to what extent we can accommodate your request (Section 2).

  • In many cases, the disclosure of confidential data is necessary to fulfill contracts or provide other services. Confidentiality agreements usually do not exclude such data disclosures, nor do disclosures to service providers. However, depending on the sensitivity of the data and other circumstances, we ensure that these third parties handle the data appropriately. We cannot comply with your objection to data disclosure where the relevant data disclosures are necessary for our activities.

We also allow certain third parties to collect personal data from you on our website and at events organized by us (e.g., media photographers, providers of tools that we have integrated into our website, etc.). As long as we are not significantly involved in these data collections, these third parties are solely responsible. For concerns and to assert your data protection rights, please contact these third parties directly. See Section 12 for the website.

8. Do Your Personal Data also Reach Abroad?

As explained in Section 7, we also disclose data to other entities. These are not only located in Switzerland. Your data can also be processed in Europe as well as in Liechtenstein; in exceptional cases, however, in any country in the world. If a recipient is in a country without adequate legal data protection, we contractually obligate the recipient to comply with applicable data protection laws (we use the revised standard contractual clauses of the European Commission, which can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless the recipient is already subject to a legally recognized framework for ensuring data protection and we cannot rely on an exception. An exception may apply, in particular, in foreign legal proceedings, but also in cases of overriding public interests or if contract processing requires such disclosure, if you have consented, or if it concerns data made generally accessible by you, the processing of which you have not objected to.

  • Many countries outside Switzerland or the EU and EEA currently do not have laws that, from the perspective of the Swiss Data Protection Act or the GDPR, ensure an adequate level of data protection. The mentioned contractual precautions can partially compensate for this weaker or missing legal protection. However, contractual precautions cannot eliminate all risks (especially from government access abroad). You should be aware of these remaining risks, even if the risk may be low in individual cases, and we take further measures (e.g., pseudonymization or anonymization) to minimize it.

Please also note that data exchanged over the Internet is often routed through third countries. Therefore, your data can also be transferred abroad even if the sender and recipient are in the same country.

9. How Long Do We Process Your Data?

We process your data for as long as our processing purposes, legal retention periods, and our legitimate interests in processing for documentation and evidentiary purposes require, or storage is technically necessary. Further details on the respective storage and processing periods can be found for each data category in Section 3 or for cookie categories in Section 12. If there are no legal or contractual obligations, we delete or anonymize your data after the expiration of the storage or processing period within our usual processes.

  • Documentation and evidentiary purposes include our interest in documenting processes, interactions, and other facts in the event of legal claims, discrepancies, purposes of IT and infrastructure security, and demonstrating good corporate governance and compliance. Technically, storage may be necessary if certain data cannot be separated from other data, and we must therefore keep them together (e.g., in the case of backups or document management systems).

10. How Do We Protect Your Data?

We implement appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data, protect them against unauthorized or unlawful processing, and counteract the dangers of loss, unintentional alteration, unintended disclosure, or unauthorized access.

  • Security measures of a technical and organizational nature may include measures such as encryption and pseudonymization of data, logging, access restrictions, storage of backups, instructions to our employees, confidentiality agreements, and controls. We protect data transmitted via our website during transport through suitable encryption mechanisms. However, we can only secure areas that we control. We also require our processors to take appropriate security measures. However, security risks cannot be completely ruled out; residual risks are unavoidable.

11. What Rights Do You Have?

Applicable data protection law grants you, under certain circumstances, the right to object to the processing of your data, especially for the purposes of direct marketing, profiling carried out for direct marketing, and other legitimate interests in processing. To facilitate your control over the processing of your personal data, you have the following rights in connection with our data processing, depending on applicable data protection law:

  • The right to request information from us about whether and what data we process about you;
  • The right to have data corrected if it is incorrect;
  • The right to request the deletion of data;
  • The right to request from us the release of certain personal data in a commonly used electronic format or their transfer to another controller;
  • The right to withdraw consent to the extent that our processing is based on your consent;
  • The right to request further information about the exercise of these rights;
  • The right, in the case of automated individual decisions (Section 6), to state your point of view and to demand that the decision be reviewed by a natural person.

If you want to exercise the above rights against us, please contact us in writing, in person, or, unless otherwise specified or agreed, by email; you can find our contact details in Section 2. To exclude abuse, we must identify you (e.g., with a copy of an identity card, if this is not otherwise possible).

You also have these rights against other entities that work with us independently – please contact them directly if you want to exercise rights in connection with their processing. Information about our important cooperation partners and service providers can be found in Section 7, further information in Section 12.

Please note that conditions, exceptions, or restrictions may apply to these rights under applicable data protection law (e.g., to protect third parties or business secrets). We will inform you accordingly if necessary.

  • In particular, we may need to further process and store your personal data to fulfill a contract with you, protect our legitimate interests, such as asserting, exercising, or defending legal claims, or to comply with legal obligations. As far as legally permissible, especially to protect the rights and freedoms of other data subjects as well as to protect legitimate interests, we may therefore partially or completely reject a data subject request (e.g., by redacting certain content concerning third parties or our business secrets).

If you disagree with how we handle your rights or data protection, please inform us (Section 2). Especially if you are in the EEA, the United Kingdom, or Switzerland, you also have the right to complain to the data protection supervisory authority in your country.

A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de.

You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/.

You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-edoeb/contact/address.html.

12. Do We Use Online Tracking and Online Advertising Techniques?

On our website, we employ various techniques that allow us and third parties involved by us to recognize you during your usage and, under certain circumstances, track you across multiple visits. This section provides information on this matter.

At its core, we aim to differentiate your accesses (via your system) from those of other users so that we can ensure the functionality of the website and perform evaluations and personalizations. While we do not intend to deduce your identity, we acknowledge the possibility, particularly if we or third parties engaged by us can identify you by combining data with registration information. Even without registration data, the employed techniques are designed to recognize you as an individual visitor with each page visit, for instance, by assigning a specific identification number (a "cookie") to your system.

  • Cookies are unique codes (e.g., a serial number) transmitted from our server or a server of our service providers or advertising partners to your system upon connecting to our website. Your system (browser, mobile) receives and stores these codes until the programmed expiration date. Upon each subsequent access, your system sends these codes to our server or the third party's server. This way, you are recognized even if your identity is unknown.
  • Whenever you access a server (e.g., using a website or an app or when a visible or invisible image is integrated into an email), your visits can be tracked. If we integrate offers from an advertising partner or an analytics tool provider on our website, they can also track you in a similar manner, even if you cannot be identified on an individual basis.

We use such techniques on our website and permit certain third parties to do the same. Depending on the purpose of these techniques, we may ask for your consent before deploying them. You can configure your browser to block certain cookies or alternative techniques, deceive them, or delete existing cookies. You can also extend your browser with software that blocks tracking by specific third parties. Further information can be found on your browser's help pages (usually under "Privacy") or on the websites of the third parties listed below. The following cookies (techniques with comparable functionalities, such as fingerprinting, are also included) are distinguished:

  • Essential Cookies: Some cookies are necessary for the functioning of the website itself or certain features. For example, they ensure that you can switch between pages without losing information entered in a form. They also ensure that you remain logged in. These cookies exist only temporarily ("Session Cookies"). If you block them, the website may not function correctly. Other cookies are necessary so that the server can store decisions or inputs made by you over a session (i.e., a visit to the website) if you use this function (e.g., selected language, given consent, the function for automatic login, etc.). These cookies have an expiration date of up to 24 months.
  • Performance Cookies: To optimize our website and related offers and better tailor them to users' needs, we use cookies to record and analyze the use of our website, possibly even beyond the session. We do this through the use of third-party analytics services, listed below. Before deploying such cookies, we seek your consent. Performance cookies also have an expiration date of up to 24 months. Details can be found on the websites of the third parties.
  • Marketing Cookies: We and our advertising partners have an interest in controlling advertising precisely to show it only to those we want to reach. To achieve this, we and our advertising partners – with your consent – also use cookies that can capture the content viewed or contracts closed. This enables us and our advertising partners to display advertising that we believe will interest you on our website, as well as on other websites that show advertising from us or our advertising partners. Depending on the situation, these cookies have a shelf life of a few days up to 12 months. If you consent to the use of these cookies, you will see corresponding advertising. If you do not consent to these cookies, you will not see less advertising, just different advertising.

We may also integrate additional offers from third parties on our website, especially from social media providers. These offers are typically deactivated by default. Once you activate them (e.g., by clicking a switch), the respective providers can determine that you are on our website. If you have an account with the social media provider, they can associate this information with you and track your use of online offerings. These social media providers process this data on their own responsibility.

Some of the emails we send you may contain a "Web Beacon Pixel" (Clear GIFs) or tracked links. This allows us to determine when you opened the email and check which links in the email you clicked. We use this information to identify which parts of our emails are of the greatest interest to you. You can delete the pixel by deleting the email. If you do not want the pixel to be downloaded to your computer or another device, you can ensure this by choosing to receive emails from us in plain text format and not in HTML format or by not opening images in your email.

13. What Data Do We Process on Our Social Network Pages?

We may operate pages and other online presences on social networks and other platforms operated by third parties ("Fan pages", "channels", "profiles", etc.) and collect data about you as described in Section 3 and below. We receive this data from you and the platforms when you interact with us through our online presence (e.g., when you communicate with us, comment on our content, or visit our presence). Simultaneously, the platforms analyze your use of our online presences and link this data with additional information known to the platforms about you (e.g., your behavior and preferences). They process this data for their own purposes, particularly for marketing and market research (e.g., to personalize advertising) and to control their platforms (e.g., which content they display to you).

  • We receive data about you when you interact with us through online presences or view our content on these platforms or are active within them (e.g., publish content, leave comments). These platforms collect from you or about you, among other things, technical data, registration data, communication data, behavioral, and preference data (see Section 3 for definitions). Regularly, these platforms statistically analyze how you interact with us, how you use our online presences, our content, or other parts of the platform (what you view, comment on, "like", share, etc.) and link this data with additional information about you (e.g., age, gender, and other demographic information). This way, they create profiles and statistics about you and the usage of our online presences. They use this data and profiles to show you personalized advertising and other content on the platform and control the platform's behavior, as well as for market and user research, providing us and other entities with information about you and the use of our online presence. We can partially control the evaluations that these platforms create regarding the use of our online presences.

We process this data for the purposes described in Section 4, especially for communication, marketing purposes (including advertising on these platforms, see Section 12), and market research. Information on the corresponding legal bases can be found in Section 5. Content published by you (e.g., comments on an announcement) may be further disseminated by us (e.g., in our advertising on the platform or elsewhere). We or the operators of the platforms may also delete or restrict content from or about you in accordance with usage guidelines (e.g., inappropriate comments). For further information on the processing activities of the platform operators, please refer to the privacy notices of the platforms. There, you will also learn in which countries they process their data, what rights to information, deletion, and other rights you have, and how to exercise them or obtain further information.

  • Currently, we use the following platforms:
    • Instagram: The responsible entity for operating the platform for users within Europe is Meta Platforms Ireland Limited, Dublin, Ireland. The privacy policy for Instagram can be found at https://privacycenter.instagram.com/policy.
    • LinkedIn: Responsible for operating the platform within Europe is LinkedIn Ireland, Dublin, Ireland. Their privacy policy can be found at https://www.linkedin.com/legal/privacy-policy.
    • Twitter: Responsible for operating the platform within Europe is Twitter International Unlimited Company, Dublin, Ireland. Their privacy policy can be found at https://twitter.com/privacy.

14. Can This Privacy Policy Be Changed?

This privacy policy is not part of a contract with you. We can adjust this privacy policy at any time. The published version on this website is the current version.

Xona.AI, February 27, 2024