Privacy Policy

Last update: 26.10.2021

This Privacy Policy is intended as a means of informing our users which personal data we process, why, how and where, particularly in connection with our website and other offerings. This Privacy Policy also provides information about the rights of the individuals whose data we process.

Special, supplementary or additional privacy policies or other legal documents like general terms and conditions (GTC), terms of use or terms of participation may apply to individual or additional offers and services.

Our services are subject to the Swiss Federal Act on Data Protection as well as any applicable foreign data protection legislation such as, in particular, that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that the Swiss Federal Act on Data Protection guarantees an adequate degree of privacy.

 

1. Contact addresses

Responsibility for the processing of personal data:

NeoVac ATA AG
Eichaustrasse 1
9463 Oberriet SG
Switzerland

info@neovac.ch

We will indicate where there are different data controllers for the processing of personal data in individual cases.

1.1 Data protection contacts

Below are our points of contact for any privacy queries:

Andreas Hirt
c/o NeoVac ATA AG
Eichaustrasse 1
9463 Oberriet SG
Switzerland

datenschutz@neovac.ch

1.2 Privacy representation in the European Economic Area (EEA)

We have at our disposal the following privacy representation in accordance with Article 27 GDPR in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway as an additional point of contact for supervisory authorities and data subjects for enquiries in relation to the General Data Protection Regulation (GDPR):

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany

info@datenschutzpartner.eu

 

2. Processing of personal data

2.1 Terms

Personal data is all information that refers to an identified or identifiable individual. A data subject is a person in respect of whom personal data is processed. Processing includes any handling of personal data, irrespective of the means and procedures used, in particular the storage, disclosure, acquisition, collection, deletion, saving, modification, destruction and use of personal data.

The European Economic Area (EEA) comprises the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) refers to the handling of personal data as the processing of personal data.

2.2 Legal bases

We process personal data in accordance with Swiss data protection legislation, in particular the Swiss Federal Act on Data Protection (FADP; Bundesgesetz über den Datenschutz – DSG) and the Ordinance to the Swiss Federal Act on Data Protection (OFADP; Verordnung zum Bundesgesetz über den Datenschutz – VDSG).

We process – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data in accordance with at least one of the following legal bases:

  • Article 6(1)(b) GDPR for the necessary processing of personal data for the fulfillment of a contract with the data subject as well as to carry out pre-contractual measures.
  • Article 6(1)(f) GDPR for the necessary processing of personal data to protect our legitimate interests or those of third parties insofar as the basic freedoms and rights or interests of the data subject do not outweigh these. Legitimate interests are particularly our interests in providing a permanent, user-friendly, secure and reliable service and, to this end, to advertise where necessary, information security and protection against misuse and unauthorised use, the assertion of our own legal claims and compliance with Swiss law.
  • Article 6(1)(c) GDPR for the necessary processing of personal data for the fulfillment of a legal obligation imposed on us under any applicable law of member states in the European Economic Area (EEA).
  • Article 6(1)(e) GDPR for the necessary processing of personal data for the performance of a duty in the public interest.
  • Article 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.
  • Article 6(1)(d) GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another individual.

2.3 Type, scope and purpose

We process the personal data that is required to provide our online services in a permanent, user-friendly, secure and reliable manner. Such personal data may particularly fall into the categories of inventory and contact data, browser and device data, energy, heat and water data including facility, consumption and meter data, content data, meta and/or marginal data and usage data, user settings data, location data, sales, contract and payment data.

We process personal data for as long as is necessary for the respective purpose(s) or as required by law. Personal data that no longer requires processing will be anonymized or deleted. Individuals whose data we process generally have a right to erasure.

As a matter of principle, we process personal data only with the consent of the data subject, unless processing is permitted for other legal reasons, for example to execute a contract with the data subject and for appropriate pre-contractual measures, to safeguard our overriding legitimate interests, in cases where the processing is obvious from the circumstances or after having informed the data subject in advance.

In this context, we process, in particular, information that a data subject voluntarily and personally submits to us when contacting us – for example by letter post, e-mail, contact form, social media or telephone – when using apps or when signing up for a user account. For example, we may store such information in an address book, in a customer relationship management system (CRM system) or using similar tools. If you transmit any personal data of third parties to us, you are obligated to guarantee compliance with data protection provisions vis-à-vis such third parties, and to ensure the accuracy of such personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect when providing our services, if and insofar as such processing is permitted by law.

Personal data from applications is only processed insofar as this is necessary to assess suitability for employment or the subsequent execution of an employment contract. The personal data required to undergo an application process is that which is requested and/or shared, for example, in a job advertisement. Applicants will be given the option of voluntarily providing other information for their respective applications.

2.4 Processing of personal data by third parties (also abroad)

We may have personal data processed by commissioned third parties or process such data jointly with third parties or with the help of third parties, or transfer such data to third parties. Such third parties are, in particular, providers whose services we utilize. We also guarantee adequate data protection with respect to such third parties.

Such third parties are generally located in Switzerland or the European Economic Area (EEA). These third parties may also be located in other states and territories across the world as well as elsewhere in the universe, insofar as their data protection laws guarantee adequate privacy in the estimation of the Federal Data Protection and Information Commissioner (FDPIC) and – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – in the estimation of the European Commission, or if adequate privacy is guaranteed on other grounds, such as a corresponding contractual agreement, particularly on the basis of standard contractual clauses, or by means of corresponding certification. Exceptionally, such a third party may be located in a country without adequate data protection, provided that the data protection requirements, such as the explicit consent of the data subject, are met.

 

3. Rights of data subjects

Data subjects whose personal data we process have the rights as defined by Swiss data protection legislation. This includes the right to information as well as the right to rectification, erasure or blocking of the processed personal data.

Data subjects whose personal data we process may – if and to the extent the General Data Protection Regulation (GDPR) is applicable – demand free confirmation as to whether we are processing their personal data and, if so, demand information about the processing of their personal data, have the processing of their personal data restricted, exercise their right to data portability or have their personal data rectified, deleted (“the right to be forgotten”), blocked or completed.

Data subjects whose personal data we process may – if and to the extent the General Data Protection Regulation (GDPR) is applicable – withdraw any consent granted at any time with effect for the future and object to the processing of their personal data at any time.

Data subjects whose personal data we process have a right to lodge a complaint with a competent supervisory authority. The supervisory authority for data protection in Switzerland is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

 

4. Data security

We take adequate and appropriate technical and organizational measures to ensure data protection and, in particular, data security. However, despite such measures, there may always be security gaps when processing personal data on the Internet. Therefore, we cannot guarantee absolute data security.

Access to our online services is facilitated via transport encryption (SSL/TLS, particularly with Hypertext Transfer Protocol Secure [HTTPS]). Transport encryption is indicated in most browsers with a padlock in the address bar.

Access to our online services is subject – like all Internet use – to unfounded mass surveillance regardless of any suspicion as well as other monitoring by security agencies in Switzerland, the European Union (EU), the United States of America (USA) and other states. We have no direct influence over said processing of personal data by the secret services, police agencies and other security authorities.

 

5. Use of the website

5.1 Cookies

We may use cookies on our website. Cookies – both our cookies (first-party cookies) and cookies from third parties whose services we use (cookies from third parties and/or third-party cookies) – are data that is stored in your browser. Such saved data need not be restricted to traditional cookies in text form. Cookies cannot run programs or transmit malware such as Trojans and viruses.

When you visit our website, cookies can be stored temporarily in your browser as session cookies or for a certain period of time as so-called permanent cookies. Session cookies are deleted automatically when you close your browser. Permanent cookies have a specific storage duration. They are used in particular to enable us to identify your browser again when you next visit our website and thereby measure the reach of our website, for example. Permanent cookies may however also be used for online marketing for example.

You can completely or partially deactivate or delete cookies in your browser settings at any time. Without cookies, however, you may no longer be able to access all the features and functions of our website. We will – if and to the extent necessary – actively seek your express consent for the use of cookies.

You can apply a general opt-out for cookies which are used to measure performance and reach or for advertising for a number of services by means of the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance – EDAA).

5.2 Server log files

We may collect the following information for each access to our website, provided this information is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, data access status (HTTP status code), operating system including user interface and version, browser including language and version, individual pages called up when accessing our website including transferred data volume, and last website called up in the same browser window (referrer).

We store such information, which may also represent personal data, in server log files. The information is required in order to provide our online services on a permanent, user-friendly and reliable basis, and to ensure data security and thus, in particular, the protection of personal data – also by third parties or with the help of third parties.

5.3 Tracking pixels

We may use tracking pixels on our website. Tracking pixels are also known as web beacons. Tracking pixels – also from third parties whose services we use – are small images, normally invisible, that are retrieved when our website is accessed. Using tracking pixels, it is possible to record the same information as in server log files.

 

6. Notifications and messages

We send notifications and messages, such as newsletters, by e-mail and through other communication channels, such as instant messaging.

6.1 Performance and reach measurement

Notifications and messages may contain web links or tracking pixels that record whether an individual message has been opened and which web links have been clicked on. Such web links and tracking pixels may also record the use of notifications and messages in relation to individuals. We need this statistical recording of use for the measurement of performance and reach, in order to be able to offer notifications and messages based on the requirements and reading habits of the recipients in an effective and user-friendly as well as permanent, secure and reliable manner.

6.2 Consent and objection

In principle, you must expressly consent to the use of your e-mail address and your other contact addresses, unless such use is permitted for other legal reasons. Where possible, we use the double opt-in procedure for any consent to receive e-mails, i.e. you will receive an e-mail with a web link that you must click on to confirm, so as to prevent misuse by unauthorized third parties. We may log such consents, including Internet Protocol (IP) address and date and time, for documentation and security purposes.

Generally, you can unsubscribe from notifications and messages, such as newsletters, at any time. By unsubscribing, you can, in particular, object to the statistical recording of use for the measurement of performance and reach. Notifications and messages that are absolutely necessary for the use of our services are excepted.

 

7. Social Media

We are present on social-media platforms and other online platforms to communicate with interested people and to inform them about our services. Personal data may also be processed outside of Switzerland and the European Economic Area (EEA) in the course of this.

The general terms and conditions (GTC) and terms of use and privacy policies and other terms of the individual operators of these online platforms also apply in each case. These terms provide information about, in particular, the rights of data subjects, including the right to information.

We are responsible for our social media presence on Facebook, including page insights, if and to the extent the GDPR is applicable, in conjunction with Facebook Ireland Limited in Ireland. These page insights provide us with insight as to how visitors interact with our Facebook presence. We use page insights to allow us to provide an effective and user-friendly social media presence on Facebook.

You can find further information regarding the nature, scope and purpose of data processing, notices relating to the rights of data subjects as well as contact information for Facebook and the Facebook data protection commission in the Facebook privacy policy (“Data policy”). We have concluded what is referred to as the “Addendum for Data Controllers” with Facebook, whereby it is agreed in particular that Facebook is responsible for guaranteeing the rights of data subjects. The corresponding information for page insights can be found on the pages “Page Insights Information”, “Page Insights Controller Addendum” and “Page Insights Data Information” of Facebook respectively.

 

8. Performance and reach measurement

We use services and programs to determine how our online services are used. This allows us to measure the performance and reach of our online services and the impact of third-party links to our website, for example. We can also, for example, trial and compare how different versions of our online services or parts of our online services are used (“A/B test” method). We can use the results of the performance and reach measurement in particular to eliminate faults, boost particularly sought-after content, or make improvements to our online services.

Using services and programs for performance and reach measurement requires saving the Internet Protocol (IP) addresses of individual users. IP addresses are always shortened to comply with the principle of data minimization through the corresponding pseudonymization and to improve the protection of the data of visitors to our website (“IP masking”).

Where services and programs for the measurement of performance and reach are used, cookies may be used and user profiles may be generated. User profiles may for example comprise the pages visited or content viewed on our website, information on the size of the screen or browser window and location – at least a rough location. User profiles are only generated in pseudonymized form. We do not use user profiles to identify individual visitors to our website. Individual services you are logged into as a user may assign your use of our online services to any profile with the respective service, whereby you must generally have granted your consent to this assignment beforehand.

We use, in particular:

9. Third-party services

We use third-party services to provide our online services in a permanent, user-friendly, secure and reliable manner. Such services also serve to embed content in our website. Such services – for example hosting and storage services, video services and payment services – require your Internet Protocol (IP) address, as such services cannot otherwise transmit the relevant content. Such services may be based outside of Switzerland and the European Economic Area (EEA) provided adequate privacy is guaranteed.

For their own security-relevant, statistical and technical purposes, third parties whose services we use may also process data in connection with our services as well as from other sources – including with cookies, log files and tracking pixels – in aggregated, anonymized or pseudonymized form.

9.1 Digital infrastructure

We use third-party services in order to make use of the digital infrastructure necessary for our services. These include, for example, hosting and storage services from specialist providers.

9.2 Maps

We use third-party services to allow us to embed maps in our website.

We use, in particular:

9.3 Fonts

We use third-party services in order to embed selected fonts as well as icons, logos and symbols in our website.

We use, in particular:

9.4 Payments

We use payment service providers to transact our customers’ payments securely and reliably. The terms of the relevant payment service providers such as their general terms and conditions (GTCs) or privacy policies apply to the transaction respectively.

9.5 Advertising

We use targeted advertising services to have our online services displayed by third parties such as social media platforms and search engines.

We use such advertising in particular to reach people who are interested in our services or who already use our services (remarketing and targeting). To do so we may send relevant – potentially personal – information to third parties that provide such advertising. We may also ascertain whether our advertising is successful, i.e. particularly whether it leads you to visit our website (conversion tracking).

Third parties we use for advertising and where you are logged in as a user may assign your use of our services to your profile there.

We use, in particular:

10. Final provisions

We may amend and supplement this Privacy Policy at any time. We will provide information about such amendments and additions in an appropriate manner, in particular by publishing the respective current Privacy Policy on our website.