Data protection declaration
This data protection declaration informs you of which personal data we process, for what purpose, how and where, in particular in connection with our smartifu.com website, our smartifu platform and our other offers. We also inform you about the rights of persons whose data we process in this data protection declaration. Special, supplementary or further data protection declarations as well as other legal documents such as general terms and conditions of business (T&Cs), terms and conditions of use or conditions of participation may apply for individual or additional offers and services.
Our offer is subject to Swiss data protection law as well as any applicable foreign data protection law, such as, and in particular, those of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission recognises that Swiss data protection law guarantees appropriate data protection.
- Contact addresses
Responsible for processing personal data:
Paul Büetiger AG
We would like to point out that in individual cases, other responsibilities exist for processing personal data.
Data protection representative in the European Economic Area (EEA)
We have the following data protection representative in accordance with Art. 27 GDPR in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway as an additional contact address for supervisory authorities and data subjects regarding enquiries related to the General Data Protection Regulation (GDPR):
- Processing personal data
Personal data are all data that relate to a specific or identifiable person. A data subject is a person whose personal data is processed. Processing covers all kinds of handling of the personal data, irrespective of the means and procedures used, in particular the storage, disclosure, procurement, collection, erasure, saving, modification, destruction and use of personal data.The European Economic Area (EEA) comprises the European Union (EU) as well as the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) defines the handling of personal data as the processing of personal data.
- Legal bases
We process personal data in conformity with Swiss data protection law such as, and in particular, the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (OFADP).
We process – if and insofar as the General Data Protection Regulation (GDPR) is applicable – personal data in accordance with at least one of the following legal bases:
- point (b) of Article 6 (1) of the GDPR for the necessary processing of personal data to fulfil a contract with the data subject and to perform pre-contractual measures.
- point (f) of Article 6 (1) of the GDPR for the necessary processing of personal data to safeguard the legitimate interests of ourselves or third parties, unless these are overridden by the fundamental rights and freedoms as well as interests of the data subject. Legitimate interests are in particular our interest in providing our offer permanently, in a user-friendly manner, safely and reliably and in advertising this as necessary, the security of information as well as protection against misuse and unauthorised use, the enforcement of our own legal claims and compliance with Swiss laws.
- point (c) of Article 6 (1) of the GDPR for the necessary processing of personal data to fulfil a legal obligation to which we are subject in accordance with any applicable laws of member states of the European Economic Area (EEA).
- point (e) of Article 6 (1) of the GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
- point (a) of Article 6 (1) of the GDPR for processing personal data with the consent of the data subject.
- point (d) of Article 6 (1) of the GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
- Nature, scope and purpose
We process that personal data that is necessary to be able to provide our offer permanently, in a user-friendly manner, safely and reliably. Such personal data can, in particular, fall under the categories inventory and contact data, browser and device data, content data, meta or peripheral data and usage data, location data, sales, contract and payment data.
We process personal data as long as this is necessary for the original purpose or purposes or as long as this is legally necessary. Personal data that no longer has to be processed will be anonymised or erased. Persons whose data we process in principle have a right to the erasure of their data.
We only process personal data with the consent of the data subject, unless its processing is allowed on other legal grounds, for example in order to fulfil a contract with the data subject and for corresponding pre-contractual measures, to safeguard our overriding legitimate interests, because the processing is obvious from the circumstances or following prior information.
In this context, we especially process data provided voluntarily by the data subject when they contact us – for example by letter, email, contact form, social media or telephone – or when they register for a user account. We may save this information in an address book, a Customer Relationship Management (CRM) system, for example, or with comparable resources. If you send us data about other persons, you are obliged to guarantee data protection vis-à-vis such persons and to ensure that the personal data is correct.
Moreover, we only process personal data that we receive from third parties, obtain from publicly accessible sources or collect during the provision of our offer, if and insofar as this kind of processing is allowed on legal grounds.
- Processing personal data by third parties, and abroad
We can have personal data processed by authorised third parties or together with third parties and process it with the help of third parties or send it to third parties. These third parties are in particular providers whose services we use. We guarantee appropriate data protection with such third parties too.
These third parties are generally located within Switzerland or the European Economic Area (EEA). These third parties may also be located in other states and territories on earth and elsewhere in the universe, provided their data protection law guarantees appropriate data protection in the opinion of the Federal Data Protection and Information Commissioner (FDPIC) and – if and insofar as the General Data Protection Regulation (GDPR) is applicable – in the opinion of the European Commission, or if appropriate data protection is guaranteed for other reasons, such as a corresponding contractual agreement, in particular based on standard contractual clauses, or through corresponding certification. In exceptional cases, such a third party may be located in a country without appropriate data protection provided the data protection requirements are met, for instance through the express consent of the data subject.
- Rights of the data subject
Data subjects whose personal data we process have those rights as set out under Swiss data protection law. These include the right to access, and the right to the rectification, blocking or erasure of the processed personal data.
Data subjects whose personal data we process can – if and insofar as the General Data Protection Regulation (GDPR) is applicable – demand free confirmation as to whether we process their personal data and, if we do, demand information about the processing of their personal data, the restriction of the processing of their personal data, exercise their right to data portability and have their personal data rectified, erased (“right to be forgotten”), blocked or completed.
Data subjects whose personal data we process can – if and insofar as the GDPR is applicable – revoke any consent at any time with effect for the future and object to the processing of their personal data at any time.
Data subjects whose personal data we process have the right to lodge a complaint with the responsible supervisory authorities. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
- Data privacy
We take appropriate and suitable technical and organisational measures to guarantee data protection, and in particular data privacy. However, processing personal data on the Internet may always have security gaps, despite these measures. We are therefore unable to guarantee absolute data privacy.
Our online presence is accessed by means of transport encryption (SSL / TLS, in particular the Hypertext Transfer Protocol Secure, or HTTPS for short). The majority of browsers identify transport encryption with a padlock icon in the address bar.
Access to our online presence – like any use of the Internet in principle – is subject to mass surveillance without cause and suspicion as well as other kinds of surveillance by security services in Switzerland, in the European Union (EU), in the United States of America (USA) and in other countries. We are unable to exercise any direct influence over the corresponding processing of personal data by intelligence agencies, police forces and other security services.
- Use of the website
Cookies can be saved temporarily in your browser as “session cookies” or for a certain period of time as so-called permanent cookies when you visit our website. “Session cookies” are deleted automatically when you close your browser. Permanent cookies are saved for a certain period of time. They allow your browser to recognise our website on your next visit and therefore measure the reach of our website, for example. But permanent cookies can also be used, for instance, for online marketing.
A general “opt-out” via the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA) is possible for several services in the case of cookies that are used to measure the success or reach of a website or for advertising purposes.
- Server log files
We can collect the following data for every visit to our website, provided this is sent by your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-pages of our website you have visited including data volume transferred, last website accessed in the same browser window (referer or referrer).We save this data, which may also be personal data, in server log files. This information is necessary so that we can provide our online presence permanently, in a user-friendly manner, safely and reliably and so as to be able to ensure data privacy and thus in particular the protection of personal data – including by or with the help of third parties.
- Tracking pixels
We can use tracking pixels on our website. Tracking pixels are also referred to as web beacons. Tracking pixels – including those from third parties whose services we use – are small, usually invisible images, that are automatically retrieved when our website is visited. Tracking pixels can collect the same information as server log files.
- Notifications and messages
We send out notifications and messages such as newsletters per email and through other channels of communication such as instant messaging.
- Success and reach measurement
Notifications and messages may contain web links or tracking pixels that record whether an individual notification has been opened and which web links in it have been clicked. These web links and tracking pixels can also record the use of notifications and messages by specific persons. We need this statistical recording of the various uses for success and reach measurement, so as to be able to offer notifications and messages effectively and in a user-friendly manner as well as permanently, safely and reliably based on the needs and reading habits of the recipient.
- Consent and objection
In principle, you must expressly consent to the use of your email address and other contact data, unless their use is allowed on other legal grounds. We use the “double opt-in” procedure wherever possible for any consent regarding the receipt of emails, in other words you will receive an email with a web link which you have to click to confirm your choice so as to prevent any misuse by unauthorised third parties. We can log such consents, including the Internet Protocol (IP) address as well as the date and time, for reasons of proof and safety.
You can always unsubscribe to notifications and messages such as newsletters at any time. By unsubscribing, you can in particular object to the statistical recording of any use for success and reach measurement. This is subject to notifications and messages that are absolutely necessary for our offer.
- Service providers for notifications and messages
We send out notifications and messages via third party services or with the help of third party service providers. Cookies may also be used in these cases. We guarantee appropriate data protection with such services too.
We particularly use:
- Mailchimp: communication platform; provider: The Rocket Science Group LLC d / b / a Mailchimp (USA); details of data protection: data protection declaration “Mailchimp and European Data Transfers”.
- Success and reach measurement
- Social Media
We are present on social media platforms and other online platforms so that we can communicate with interested parties to inform them about our offers. Personal data can also be processed outside Switzerland and the European Economic Area (EEA) in such cases.
The general terms and conditions of business (T&Cs) and the terms and conditions of use as well as data protection declarations and any other provisions of the individual operators of such online platforms apply in each case. These provisions provide information about the rights of data subjects, in particular the right to access personal data.
We are responsible for our social media presence on Facebook, including the so-called page insights, together with Facebook Ireland Limited in Ireland, if and insofar as the GDPR is applicable. The page insights provide information on how visitors interact with our Facebook presence. We use the page insights so as to be able to provide our social media presence on Facebook effectively and in a user-friendly manner.
Further information about the nature, scope and purpose of data processing, advice on the rights of data subjects as well as the contact data for Facebook and the Facebook data protection officer can be found in the Facebook data protection declaration (“Data protection guideline”). We have concluded the so-called “Controller Addendum” with Facebook and have therefore agreed in particular that Facebook is responsible for guaranteeing the rights of data subjects. Corresponding information about the so-called page insights can be found on the Facebook pages “Information about page insights”, including “Page insights controller addendum” and “Information about page insights data”.
- Success and reach measurement
We use services and programs to determine how our online presence is used. In this context, we can for example measure the success and reach of our online presence as well as the effect of third party links to our website. However, we can also try out and compare, for instance, how different versions or parts of our online presence are used (“A / B test” method). Based on the results of the success and reach measurement, we can in particular rectify faults, strengthen particularly popular content or carry out improvements to our online presence.
During the use of services and programs for success and reach measurement, the Internet Protocol (IP) addresses of individual users have to be saved. IP addresses are always abbreviated to follow the principle of data economy through the corresponding pseudonymisation and to improve data protection for visitors to our website (“IP masking”).
Cookies may be used and user profiles created during the use of services and programs for success and reach measurement. User profiles include, for instance, the pages visited or content viewed on our website, details of the size of the monitor or browser window and the – usually approximate – location. User profiles are always pseudonymised during creation. We do not employ user profiles to identify individual visitors to our website. Individual services for which you are registered as a user may at most be able to assign the use of our online presence to your profile for the respective service, whereby you normally have to give your consent to this assignment in advance.
- Third party services
We use third party services so as to be able to provide our offer permanently, in a user-friendly manner, safely and reliably. These services also serve to be able to embed content in our website. These services – for example hosting and storage services, video services and payment services – require your Internet Protocol (IP) address since they are otherwise unable to transfer the corresponding content. These services may also be located outside Switzerland and the European Economic Area (EEA), if appropriate data protection is guaranteed.
Third parties whose services we use can also process data in connection with our presence as well as from other sources – including with cookies, log files and tracking pixels – aggregated, anonymised or pseudonymised for their own security-relevant, statistical and technical purposes.
- Digital infrastructure
We avail ourselves of third party services so as to be able to use the digital infrastructure necessary for our presence. These include, for example, hosting and storage services from specialised providers.We particularly use:
- StackPath CDN (formerly MaxCDN): Content Delivery Network (CDN); providers: StackPath LLC (USA) / Highwinds Network Group Inc. (USA); details of data protection: data protection declaration.
- Contact possibilities
We use third party services to enable better communication with you and other persons such as customers. We guarantee appropriate data protection with such third parties too.
- Audio and video conferences
We use services for audio and video conferences to enable online communication. These can be used, for example, to hold virtual meetings or online training sessions and webinars. In addition to this data protection declaration, any provisions of the services used such as terms and conditions of use as well as data protection declarations also apply in each case.
We particularly use:
- Microsoft Teams: platform for audio and video conferences, amongst other things; providers: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), in Great Britain and Switzerland; details of data protection: “Data protection” (“Microsoft Trust Center”), data protection declaration, “Data protection at Microsoft”, “Data protection and Microsoft Teams”.
- Zoom: video conferences; provider: Zoom Video Communications Inc. (USA); details of data protection: data protection declaration, “Data protection at Zoom”, “Legal conformity center”.
- Social media functions and social media contents
We use social plug-ins from Facebook so that we can embed Facebook functions and contents in our website. These functions include, for example, “Like” or “Share”. Cookies are also used in these cases. Further information can be found on the “Social plug-ins” page of Facebook.
The social plug-ins are an offer from Facebook Ireland Ltd. in Ireland and/or the American Facebook Inc. If you are a registered user of Facebook, Facebook can assign your use of our online presence to your profile. Further details about the nature, scope and purpose of this data processing can be found in the Facebook data protection declaration (“Data guidelines”).
We use the option of embedding LinkedIn functions and contents on our website with the help of plug-ins. This lets you use the LinkedIn “Share” function on our website, for example. Cookies are also used in these cases. Further information can be found on the plug-ins page of LinkedIn.
- Audio-visual media
We use third party services to enable the direct playback of audio-visual media such as music and videos on our website.
We particularly use:
We use third party services so as to be able to embed documents in our website. Examples of such documents are forms, PDF files, presentations, tables and text documents.
We use third party services so as to be able to embed selected fonts as well as icons, logos and symbols in our website.
We use payment service providers so as to be able to handle our customers’ payments safely and reliably. The provisions of the respective payment service provider such as the general terms and conditions of business (T&Cs) or data protection declarations apply for the settlement of these payments.
We particularly use:
- PayPal (including Braintree): settlement of payments; providers: PayPal (Europe) S.à.r.l. et Cie, S.C.A (Luxembourg) / PayPal Pte. Ltd. (Singapore); details of data protection: data protection declaration, “Declaration on cookies and tracking technologies”.
We use the possibility of having specific advertising shown for our offering on third party platforms such as social media platforms and search engines.
The aim of this advertising is to reach people who are interested in our offering or who already use our offering (remarketing and targeting). To this end, we can transfer corresponding data – including personal data if need be – to third parties who enable such advertising. We can also establish whether our advertising is successful, in other words in particular whether it has led to visits to our website (conversion tracking).
Third parties with whom we advertise and with whom you are a registered user may at most be able to assign the use of our offering to your profile with them.
We particularly use:
- Digital infrastructure
- Add-ons for the website
We use add-ons for our website so as to be able to use additional functions.
We particularly use:
- Final clauses
We can amend and supplement this data protection declaration at any time. We will provide information about such amendments and supplements in an appropriate form, in particular through the publication of the latest data protection declaration on our website.