Privacy Policy – «Bontique»
With this privacy policy, we inform you about the personal data we process in connection with our activities and operations, including our website www.bontique.ch. We specifically explain what personal data we process, why, how, and where we process it. Additionally, we provide information about the rights of individuals whose data we process.
For specific or additional activities and operations, additional privacy policies as well as other legal documents such as General Terms and Conditions (GTC), Terms of Use, or Participation Conditions may apply.
We are subject to Swiss data protection law as well as potentially applicable foreign data protection law, particularly that of the European Union (EU) under the General Data Protection Regulation (GDPR). The European Commission recognizes that Swiss data protection law ensures adequate data protection.
1. CONTACT DETAILS
1.1 Data Processing Controller:
Gubemo AG
Buckhauserstrasse 1
8048 Zurich
Switzerland
info@bontique.ch
We will indicate if there are other controllers responsible for processing personal data in specific cases. For example, if our customer (as the employer of the data subjects) discloses personal data of the data subjects (employees of our customer as recipients of gifts) to us, we process this personal data not as a controller but as a data processor on behalf of the customer (who is the controller for this processing of personal data). In this context, an agreement for data processing exists between the customer and us.
1.2 Data Protection Representative in the European Economic Area (EEA)
We have the following data protection representative pursuant to Art. 27 GDPR. The data protection representative serves as an additional point of contact for supervisory authorities and affected individuals in the European Union (EU) and the European Economic Area (EEA) for inquiries related to the General Data Protection Regulation (GDPR):
VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu
2. TERMS AND LEGAL BASES
2.1 Terms
Personal data refers to any information relating to a specific or identifiable individual. A data subject is a person about whom personal data is processed.
Processing includes any handling of personal data, regardless of the means and methods used, notably the storage, disclosure, acquisition, collection, deletion, alteration, destruction, and use of personal data.
The European Economic Area (EEA) includes the member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as processing of personal data.
2.2 Legal Bases
We process personal data in accordance with Swiss data protection law, in particular the Swiss Federal Data Protection Act (DSG) and the Swiss Ordinance to the Federal Act on Data Protection (VDSG).
We process personal data – where and to the extent that the General Data Protection Regulation (GDPR) is applicable – based on at least one of the following legal bases:
• Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data for the performance of a contract with the data subject and for pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard the legitimate interests of us or of third parties, unless the fundamental freedoms and rights and interests of the data subject prevail. Legitimate interests include, in particular, our interest in being able to carry out our activities and operations in a permanent, user-friendly, secure, and reliable manner and to communicate about them, as well as direct marketing, ensuring information security, protection against misuse, enforcement of our own legal claims, and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
• Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.
3. TYPE AND SCOPE
We process the personal data that is necessary to carry out our activities and operations in a permanent, user-friendly, secure, and reliable manner. Such personal data may include categories such as inventory and contact details, browser and device data, content data, meta or edge data, usage data, location data, sales data, as well as contract and payment data.
We process personal data for the duration necessary for the respective purpose(s) or as required by law. Personal data that is no longer required for processing will be anonymized or deleted.
We may have third parties process personal data on our behalf. We may process personal data jointly with third parties or disclose it to third parties. Such third parties are particularly specialized providers whose services we use. We also ensure data protection with such third parties.
In this context, we process in particular information submitted to us during registration for a user account. This includes first names, last names, and email addresses of our customers or their employees, additional paying individuals, and the recipients of gifts (inventory and contact details). We may store such information, for example, in an address book, a Customer Relationship Management (CRM) system, or similar tools. If you provide data about other persons to us (e.g., additional paying individuals and recipients of gifts), you are obligated to ensure data protection for such persons (in particular, to provide transparency regarding the processing of personal data by us according to this statement and, if necessary, to obtain the consent of the data subjects) and to ensure the accuracy of such personal data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, provided that such processing is legally permissible.
4. PURPOSE
We process personal data for the purposes explained below. Additional information for the online area can be found in Section 8. These purposes or the underlying objectives represent legitimate interests of us and possibly third parties. You can find further details on the legal bases of our processing in Section 2.2.
We process personal data for purposes related to communication with data subjects, especially to respond to inquiries and assert their rights and to contact data subjects for follow-ups. For this purpose, we use primarily inventory and contact data. We retain this personal data to document our communication with data subjects, for training purposes, quality assurance, and follow-up inquiries.
Furthermore, we process personal data for the initiation, management, and execution of contractual relationships. This includes in particular contractual relationships with our customers (purchase of Bontique checks through registration, check creation, check personalization, check delivery) as well as our contractual relationships with our partners (provision of the service based on Bontique check by our partners for the benefit of customers or recipients of gifts).
We process personal data for marketing purposes and relationship management, e.g., to send personalized advertisements for our products and services and those of third parties (e.g., advertising partners) to our customers and other contractual partners (see Section 9). This can be done, for example, in the form of newsletters and other regular contacts (electronically, by post, by telephone), through other channels for which we have contact information from data subjects, but also within the framework of individual marketing activities (e.g., events, competitions, etc.) and may include free services (e.g., invitations, vouchers, etc.).
We further process personal data of data subjects for market research, to improve our services and operations, and for product development.
We may also process personal data for security purposes and access control.
We process personal data to comply with laws, directives, and recommendations of authorities and internal regulations (“compliance”).
We also process personal data for the purposes of our risk management and in the context of prudent corporate governance, including operational organization and corporate development.
We may process personal data of data subjects for other purposes, e.g., within our internal processes and administration or for training and quality assurance purposes.
5. PERSONAL DATA ABROAD
We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, notably to the United States of America (USA), especially to process or have them processed there.
We may export personal data to all countries and territories in the world, provided that the local law, according to the assessment of the Swiss Federal Data Protection and Information Commissioner (FDPIC) or according to a decision of the Swiss Federal Council, ensures adequate data protection and – where and to the extent that the General Data Protection Regulation (GDPR) is applicable – according to a decision of the European Commission ensures adequate data protection.
If a recipient (see definition in Section 11.1) is located in a country without adequate legal data protection, especially in the United States of America (USA), we contractually obligate the recipient to comply with applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission), unless it is already subject to a legally recognized framework for ensuring data protection and we cannot rely on an exemption provision. An exemption may apply in particular in legal proceedings abroad, but also in cases of overriding public interests or when contract processing requires such disclosure, if you have consented, or if it concerns data made generally accessible by you and you have not objected to its processing.
6. RIGHTS OF DATA SUBJECTS
Data subjects whose personal data we process have rights under the Swiss Federal Data Protection Act (DSG) and – where and to the extent applicable – the General Data Protection Regulation (GDPR). These rights include the right to information and the right to correction, deletion, or blocking of processed personal data.
Data subjects whose personal data we process can request confirmation free of charge as to whether we are processing their personal data and, if so, obtain information about the processing of their personal data, restrict the processing of their personal data, exercise their right to data portability, and correct, delete, block, or complete their personal data.
Data subjects whose personal data we process can revoke consent given at any time with effect for the future and object at any time to the processing of their personal data.
Data subjects whose personal data we process have a right to lodge a complaint with a competent supervisory authority. The supervisory authority for data protection in Switzerland is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
7. DATA SECURITY
We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. However, we cannot guarantee absolute data security.
Access to our website is via transport encryption (SSL/TLS, especially with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock icon in the address bar.
Our digital communication is subject – like any digital communication in principle – to indiscriminate and suspicionless mass surveillance as well as other monitoring by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the processing of personal data by intelligence services, police authorities, and other security authorities.
8. WEBSITE USAGE
8.1 Cookies
We may use cookies. Cookies – both first-party cookies (from us) and third-party cookies (from third-party services we use) – are data stored in your browser. Such stored data is not limited to traditional text-based cookies. Cookies cannot execute programs or transmit malware such as trojans and viruses.
Cookies can be stored in your browser temporarily as “session cookies” or for a specific period as “persistent cookies.” “Session cookies” are automatically deleted when you close your browser. Persistent cookies have a specific duration of storage. Cookies allow us, in particular, to recognize your browser on your next visit to our website and thus, for example, to measure the reach of our website. Persistent cookies can also be used, for example, for online marketing.
You can disable and delete cookies entirely or partially in your browser settings at any time. Without cookies, our website may not be fully functional. If necessary, we request your explicit consent for the use of cookies.
For cookies used for performance measurement, audience measurement, or advertising, many services offer a general opt-out via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
8.2 Server Log Files
For each access to our website, we may collect the following information if it is transmitted from your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transferred data volume, and the last website visited in the same browser window (referrer).
We store such information, which may also constitute personal data, in server log files. The information is necessary to provide our website in a permanent, user-friendly, and reliable manner, and to ensure data security and thus, in particular, the protection of personal data – also by third parties or with the help of third parties.
8.3 Tracking Pixels
We may use tracking pixels on our website, also known as web beacons. Tracking pixels – also from third parties whose services we use – are small, usually invisible images that are automatically retrieved when you visit our website. With tracking pixels, the same information as in server log files can be collected.
9. NOTIFICATIONS AND COMMUNICATIONS
For the purpose of direct marketing, we send notifications and communications by email and through other communication channels such as instant messaging or SMS.
9.1 Performance and Audience Measurement
Notifications and communications may contain web links or tracking pixels that record whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels can also record the usage of notifications and communications on a personalized basis. We require this statistical measurement of usage for performance and audience measurement in order to send notifications and communications effectively and in a user-friendly, permanent, secure, and reliable manner, based on the needs and reading habits of recipients.
9.2 Consent and Objection
For the use of your email address and other contact details for the above-mentioned purpose of direct marketing, we generally require your consent unless the use is permissible for other legal reasons. We use the “double opt-in” procedure if possible, meaning you receive an email with a web link that you must click to confirm, to prevent misuse by unauthorized third parties. We may log such consents including Internet Protocol (IP) address, date, and time for evidential and security purposes.
You can generally object to receiving notifications and communications such as newsletters at any time. With such an objection, you can also object to the statistical measurement of usage for performance and audience measurement. Necessary notifications and communications related to our activities and operations remain reserved.
9.3 Service Providers for Notifications and Communications
We send notifications and communications ourselves or with the help of specialized service providers.
10. SOCIAL MEDIA
We are present on social media platforms and other online platforms to communicate with interested individuals and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).
The general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the individual operators of such platforms also apply. These provisions inform in particular about the rights of affected persons directly against the respective platform, including the right to information.
11. THIRD-PARTY SERVICES
11.1 General Data Sharing
In the context of our business activities and the purposes stated in Section 4, we may disclose personal data to third parties, to the extent permitted and deemed appropriate by us, either because they process them for us or because they want to use them for their own purposes. This concerns in particular the following entities:
– Service providers of ours (such as banks, postal, logistics, and transport companies), including order processors (such as IT providers, see further below in this Section 11), as well as merchants, suppliers, subcontractors, and other business partners, especially:
o Partners (who provide the service based on Bontique check), who may also pass on personal data to their fulfillment partners (subcontractors or assistants);
o Customers (who purchase Bontique checks for the benefit of recipients of gifts);
– domestic and foreign authorities, public authorities, or courts;
– other parties in potential or actual legal proceedings;
– other companies of the Gubemo/Bontique group at home and abroad;
collectively referred to as recipients.
11.2 Web Services in General
We use third-party services to carry out our activities and operations in a permanent, user-friendly, secure, and reliable manner. Such services may also be used to embed content into our website. Such services require your Internet Protocol (IP) address, as the corresponding content cannot be transmitted otherwise.
For their own security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes performance or usage data.
We use, in particular:
Services from Google: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) (both hereafter referred to as Google) for users in the European Economic Area (EEA) and Switzerland; General Data Protection Information: “Privacy and Security Principles,” Privacy Policy, “Google is committed to compliance with applicable privacy laws,” “Guide to privacy in Google products,” “How we use data from websites or apps where our services are used” (information from Google), “Types of cookies and other technologies used by Google,” “Personalized advertising” (activation / deactivation / settings).
11.3 Digital Infrastructure
We use third-party services to access the necessary digital infrastructure related to our activities and operations. This includes, for example, hosting and storage services from specialized providers.
We use, in particular:
Google Cloud including Google Cloud Platform (GCP): Storage space and other infrastructure; Google Cloud-specific providers: Google LLC (USA) for users in the US / Google Ireland Limited or Google Commerce Limited (both in Ireland) for users in the European Economic Area (EEA) and Switzerland (see “Contracting Entity on Google’s behalf” for providers in other countries); Google Cloud-specific privacy information: “Privacy Resource Center,” “Privacy,” “Compliance Resource Center,” “Trust and Security.”
WordPress.com: Blog hosting and website builder; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users including in Europe; Privacy Information: Privacy Policy, “Automattic and the General Data Protection Regulation (GDPR),” Cookie Policy.
11.4 Contact Options
We use third-party services to better communicate with you and other individuals such as customers.
We use, in particular:
bexio: Customer Relationship Management (CRM); Provider: bexio AG (Switzerland); Privacy Information: Privacy Policy, “Cloud and Data Security,” “10 Burning Questions about Data Security.”
HubSpot: Customer Relationship Management (CRM); Providers: HubSpot Inc. (USA) / HubSpot Ireland Limited (Ireland) for users in the European Economic Area (EEA); Privacy Information: Privacy Policy.
11.5 Audio and Video Conferencing
We use services for audio and video conferencing to communicate online. This allows us to conduct virtual meetings or online teaching and webinars, for example. In addition to this privacy policy, terms and conditions or privacy policies of the services used may also apply.
Depending on the situation in which you participate in an audio or video conference, we recommend that you mute the microphone by default and blur the background or use a virtual background.
We use, in particular:
ClickMeeting: Video conferencing; Provider: ClickMeeting Spółka z ograniczoną odpowiedzialnością (Poland); Privacy Information: Privacy Policy.
Microsoft Teams: Platform for audio and video conferencing, among others; Providers: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), UK, and Switzerland; Privacy Information: “Privacy” (“Microsoft Trust Center”), Privacy Statement, “Privacy at Microsoft,” “Privacy and Microsoft Teams.”
11.6 Online Collaboration
We use third-party services to enable online collaboration. In addition to this privacy policy, terms and conditions or privacy policies of the services used may also apply.
We use, in particular:
Miro: Whiteboard platform; Provider: RealtimeBoard Inc. (USA); Privacy Information: Privacy Policy, “Trust in Miro” (“Miro Trust Center”).
11.7 Social Media Features and Social Media Content
We use third-party services and plugins to embed features and content from social media platforms, as well as to enable content sharing on social media platforms and other channels.
We use, in particular:
LinkedIn Consumer Solutions Platform: Embedding features and content from LinkedIn, for example with plugins like the “Share Plugin”; Providers: LinkedIn Ireland Unlimited Company (Ireland) for users in the European Economic Area (EEA) and Switzerland / LinkedIn Corporation (USA) for users in the rest of the world; Privacy Information: “Privacy,” Privacy Policy, Cookie Policy, Cookie Management / Opt-out of email and SMS communication from LinkedIn, Opt-out of interest-based advertising.
11.8 Audiovisual Media
We use third-party services to enable direct playback of audiovisual media such as music or videos on our website.
We use, in particular:
YouTube: Videos; Provider: Google (including in the USA); YouTube-specific privacy information: “Privacy and Security Center,” “My Data on YouTube.”
11.9 Fonts
We use third-party services to embed selected fonts as well as icons, logos, and symbols into our website.
We use, in particular:
Google Fonts: Fonts; Google Fonts-specific privacy information: “What does using the Google Fonts API mean for the privacy of my users?”
11.10 Advertising
We use the opportunity to display targeted advertising for our activities and operations on third-party platforms such as social media platforms and search engines.
We aim to reach individuals interested in or potentially interested in our activities and operations (remarketing and targeting). For this purpose, we may transmit relevant – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, particularly whether it leads to visits to our website (conversion tracking).
Third parties where we advertise and where you are logged in as a user may potentially link the use of our online offering to your profile there.
We use, in particular:
Google Ads: Search engine advertising; Google Ads-specific privacy information: Advertising based on search queries, using various domain names – particularly doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads, “Advertising” (Google), “Why am I seeing a particular ad?”
LinkedIn Ads: Social media advertising; Providers: LinkedIn Corporation (USA) / LinkedIn Ireland Unlimited Company (Ireland); Privacy Information: Remarketing and targeting, especially with the LinkedIn Insight Tag, “Privacy,” Privacy Policy, Cookie Policy, Opt-out of personalized advertising.
11.11 Payment Processing
We use third-party services to ensure the secure and easy processing of customer payments and, in particular, to accept payment methods such as Visa, Mastercard, and Twint.
We use, in particular:
PAYREXX: Regulated Swiss payment service provider; Privacy Information: Privacy Policy.
11.12 Website Extensions
We use website extensions to access additional functions.
We use, in particular:
Google reCAPTCHA: Spam protection (distinguishing between desired comments originating from humans and undesired comments from bots and spam); Google reCAPTCHA-specific privacy information: “What is reCAPTCHA?”
Jetpack: Various features for the free WordPress blog software in the form of modules; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users including in Europe; Privacy Information: Privacy Notice for Websites (Privacy Notice for Visitors to Our Users’ Sites), Privacy Policy (by Automattic), “Jetpack Privacy Center,” Cookie Policy (Jetpack), Cookie Policy (Automattic).
jQuery (Google Hosted Libraries): Free JavaScript library; Google Hosted Libraries-specific privacy information: “What does using Google Hosted Libraries mean for the privacy of my users?”
11.13 Success and Reach Measurement
We use services and programs to determine how our online offering is used. In this context, for example, we can measure the success and reach of our activities and operations as well as the impact of third-party links to our website. We may also experiment and compare how different versions of our online offering or parts of our online offering are used (A/B test method). As part of the success and reach measurement, Internet Protocol (IP) addresses of individual users must be stored. IP addresses are generally shortened to comply with the principle of data minimization and improve the data protection of visitors to our website (IP masking). Services and programs for success and reach measurement may use cookies and create user profiles. User profiles may include, for example, visited pages or viewed content on our website, information about screen size or browser window size, and the – at least approximate – location. User profiles are generally created in a pseudonymized manner. We do not use user profiles to identify individual visitors to our website. However, services where you are logged in as a user may potentially link the use of our online offering to your profile with the respective service.
We use, in particular:
Google Analytics: Success and reach measurement; Google Analytics-specific privacy information: Measurement across different browsers and devices (cross-device tracking) and with pseudonymized Internet Protocol (IP) addresses, which are only fully transmitted to Google in the USA in exceptional cases, “Privacy,” “Browser add-on to deactivate Google Analytics.”
WordPress.com Stats: Success and reach measurement; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users including in Europe; Privacy Information: Module of the extension Jetpack for the free WordPress blog software, Privacy Notice for Websites (Privacy Notice for Visitors to Our Users’ Sites), Privacy Policy (by Automattic), “Jetpack Privacy Center,” Cookie Policy.
12. PROFILING AND AUTOMATED DECISION-MAKING
We partially process your personal data automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in particular to inform and advise you on products in a targeted manner. For this purpose, we use evaluation instruments that enable us to communicate and advertise according to your needs, including market and opinion research.
In principle, we do not use fully automated decision-making processes (as regulated in Article 22 of the GDPR) for establishing and conducting the business relationship or otherwise. If we use such procedures in individual cases, we will inform you separately if required by law and explain your associated rights.
13. FINAL PROVISIONS
We have created this privacy policy using the privacy policy generator from Datenschutzpartner and have adapted or supplemented it manually where necessary.
We reserve the right to adapt this privacy policy at any time without prior notice. The current version published on our website shall apply. If the privacy policy is part of an agreement with you, we will inform you of any updates by email or by other suitable means.