Privacy Policy
Valid from: 13 January 2025
1. Processing of personal data
2. Duration of processing, retention period
3. Disclosure of personal data
4. Rights of data subjects
5. Server log files, data security
6. Data processing
7. Functional technologies
8. Cookies and other tracking methods
9. Third-party services
10. Contact forms, comment function
11. Copyrights
12. Disclaimer
13. Up-to-dateness and changes
The website of the Careum Foundation and the affiliated companies also appearing on this website according to the Imprint are subject to Swiss law, in particular Swiss data protection law (the Federal Act on Data Protection; “FADP”). Foreign law may also apply, in particular the General Data Protection Regulation (“GDPR”) of the European Union (“EU”).
If you have any questions about data protection, please contact our data protection officer:
Careum Foundation
Heinz Meier
Pestalozzistrasse 3
CH-8032 Zurich
Tel. +41 43 222 50 00
or by e-mail to: datenschutz@careum.ch
We have a data protection representative in the EU who serves as a contact for supervisory authorities and data subjects resident in the EU in accordance with Art. 27 of the GDPR:
VGS data protection partner UG
Am Kaiserkai 69
20457 Hamburg, Germany
https://www.datenschutzpartner.eu/ (in German)
Questions to the data protection officer
If you have any questions about our handling of data or data protection practices, please send us an e-mail or directly contact the data protection officer listed above. In order for us to respond to you as efficiently as possible, please provide as precise a description as possible of the information you would like to receive from us.
1. Processing of personal data
Our data processing is fundamentally and primarily subject to Swiss data protection law.
The following applies to users residing in the European Union (“EU”) and the European Economic Area (“EEA”): Switzerland and the EU, including the EEA, mutually recognise their data protection legislation as equivalent. In certain cross-border cases, EU law, in particular the EU General Data Protection Regulation (“GDPR”), may also apply to certain data processing as additional and subsidiary law.
We therefore process personal data in accordance with the Swiss Federal Act on Data Protection ("FADP") and the GDPR.
In addition to this Privacy Policy, we may inform you separately about the processing of your data (e.g., in forms or contractual conditions).
If you disclose data about other persons to us, we assume that you are authorised to do so, that this data is correct and that you have ensured that these persons are informed of this disclosure insofar as a legal obligation to provide information applies (e.g., by informing them of this Privacy Policy in advance).
To find out about offers, conditions and the handling of personal data for other offers and services (such as third-party websites and social media), even if they are linked here, please contact these providers directly.
The definitions set out in more detail below to clarify terminology refer to the definitions of the FADP on the one hand and the GDPR on the other.
“Personal data” therefore means any information relating to an identified or identifiable person.
A “data subject” is a natural person or legal entity about whom personal data are processed.
“Processing” covers any handling of personal data, regardless of the means and processes used, in particular, the storage, disclosure, procurement, deletion, saving, amendment, destruction and use of personal data.
Where the FADP applies, we process personal data in accordance with the principles of Art. 6 FADP or one of the justification grounds of Art. 31 FADP.
Where the GDPR applies, we process personal data in accordance with at least one of the following legal bases:
- Art. 6 para. 1 (a) GDPR (processing of personal data with the consent of the data subject)
- Art. 6 para. 1 (b) GDPR (in accordance with the processing of personal data necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract)
- Art. 6 para. 1 (c) GDPR (processing of personal data to fulfil a legal obligation to which we are subject because either EU law applies or the legal provisions of a country where the GDPR is applicable in whole or in part apply)
- Art. 6 para. 1 (d) GDPR (processing of personal data to protect the vital interests of the data subject or another natural person)
- Art. 6 para. 1 (f) GDPR (processing of personal data to protect our legitimate interests or those of third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject)
The right set out above to object to the processing of your data applies in particular to data processing for the purpose of direct marketing.
2. Duration of processing, retention period
The duration of the processing of personal data is based on the purpose for which the personal data are required in the individual case. In the case of analyses, we store your data until the analysis has been completed. If statutory or other obligations require a longer retention period, we will adjust the processing and retention period in accordance with these regulations.
As soon as the personal data we have collected are no longer required for the aforementioned purposes, they will be deleted or anonymised in accordance with our usual processes and retention rules as well as applicable law.
3. Disclosure of personal data
We may pass on your personal data to, and share it with, other companies affiliated with Careum Foundation (in particular all companies that also appear on this website in accordance with the Legal Notice). We may also disclose your personal data to third parties who act for us or on our behalf so that they may further process the data in accordance with the purpose for which the data was originally collected or for other legally permissible purposes, such as providing services, performing contractually owed services or providing technical support.
If we transfer data to a country without an adequate legal level of data protection, we ensure an adequate level of protection as required by law (in particular on the basis of Standard Contractual Clauses (SCC) or Data Privacy Addenda (DPA)) or rely on the statutory exceptions of consent, contract execution, the establishment, exercise or enforcement of project-related claims or overriding public interests.
4. Rights of data subjects
Visitors to our website or persons about whom we process personal data for other reasons are entitled to all the "rights of the data subject" in accordance with Art. 25, Art. 28, Art. 30 and 32 FADP, as well as those of Art. 12 - 23 GDPR, insofar as the GDPR is applicable. In particular, you may request information free of charge as to whether your personal data are being processed by us. If so, you can request information about the type, scope and other nature of our processing of your personal data. You can also restrict the processing of your personal data. You can exercise your right to data portability, have your personal data corrected or deleted, revoke consent given earlier to process your personal data or object to the processing of your personal data altogether.
Overview of your rights as a data subject:
- Right of access (Art. 15 GDPR, Art. 25 et seq. FADP)
- Right to rectification (Art. 32 para. 1 FADP) or right to rectification or erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to block disclosure (Art. 32 para. 2 lit. b FADP)
- Right to data portability (Art. 28 FADP resp. Art. 20 GDPR)
- Right to object to processing (Art. 32 para. 2 lit. a FADP resp. Art. 21 GDPR)
In order to exercise your personal rights, you must prove your identity beyond doubt by means of official documents. If you incur costs from exercising your rights, we will inform you in advance. Should the exercise of your above-mentioned rights conflict with any contractually agreed rights and obligations between you and us, this may result in consequences such as early termination of the contract, costs or other consequences, of which we will inform you in a given case.
If you would like, you can contact us at any time using the contact address we have provided. It may take up to 30 days for us to respond to your request.
Every data subject about whom we process personal data has the right to lodge a complaint with the responsible data protection authority (in Switzerland, the Federal Data Protection and Information Commissioner FDPIC) and the right to assert their claims in court.
5. Data types, data origin, server log files, data security
5.1 Data types
We primarily process personal data that we receive directly as part of our contractual relationships with our customers and users. In addition, we may receive, collect or process data from business partners or other persons involved. Insofar as this is permitted and necessary, we also extract data from publicly accessible sources (for example, public registers, media, internet) or receive such data from our customers and their employees, from authorities and third parties (for example, our customers' business and contractual partners).
Along with the data we receive directly from you, the categories of personal data we receive from third parties include, but are not limited to:
- inventory data (e.g., names, addresses, functions, organisational affiliation, etc.)
- contact details (e.g., e-mail address, telephone number, etc.)
- content data (e.g., text and image files, videos, etc.)
- usage data (e.g., access data)
- meta/communication data (e.g., IP addresses)
- information that you disclose to us on the basis of the contractual relationships between us
- information relating to your professional functions and activities
- information about you in correspondence and meetings between us or with third parties (e.g., via communication by telephone, e-mail or otherwise)
- information via configuration of your user settings, access permissions for data or other interaction with us
- registration for or participation in an event
- filled out questionnaires, support tickets or other forms for information requests
If you do not disclose certain personal data to us, this may mean that it will not be possible to provide the associated services or conclude a contract. We indicate which personal data is required in each case.
5.2 Source of data
Data from you
You disclose much of the data we process to us yourself (e.g., when using our website, in the context of our services for you, or in communication with us). In some cases, this data is also transmitted to us automatically by your end device. You are only obliged to disclose your data in exceptional cases. However, if, for example, you wish to conclude contracts with us or make use of our services, you must disclose certain data to us. The use of our website is also not possible without a minimum amount of data collection and data processing.
Data from third parties
We may also obtain data from publicly accessible sources (e.g., media or the internet including social media platforms, public registers, online searches, etc.) or receive it from authorities, your employer or client who has a business relationship with us or otherwise has dealings with us, as well as from other third parties (e.g., address brokers, associations, contractual partners, Internet analytics services). This includes, in particular, data that we process in the context of contractual circumstances and project implementation, as well as data from correspondence and further communication with third parties, but also all other categories of data in accordance with Section 5.1.
Data in communication with and for you
In addition to face-to-face meetings, telephone conversations, letters and e-mails, we use various other means of communication with you. We also use third-party software and tools (SaaS) for you and/or for the communication we need for your projects, both internally and with third parties. These are mentioned in Section 9.
5.2 Data security
We take appropriate technical and organisational security measures to protect your personal data stored by us against accidental, unlawful or unauthorised deletion, alteration, access, disclosure or use, as well as against partial or complete loss.
These security measures are regularly reviewed, adapted and improved in line with technological progress. They include the use of recognised encryption methods (SSL or TLS).
If you register with us as a user, access to your user account is only possible after entering your personal password. You should always treat login and payment information confidentially and close the browser window and delete the history once you have finished communication with us.
Our employees and the service providers appointed by us are obliged by us to maintain confidentiality and to comply with the provisions of data protection law.
We do not accept any liability for the loss of data or their becoming known or used by third parties.
6. Data processing and data use
Within the scope of our organisation, we may process different categories of personal data for different purposes. In particular, we process your personal data mentioned in Section 5.1 for the following purposes:
Communication
We process personal data so that we can communicate with you and with third parties by e-mail, telephone, letter or other means. This can also take place, for example, in the form of newsletters and other regular contact (e.g., electronically, by post, by telephone). You can reject this communication at any time or refuse or revoke your consent to this communication. Within the scope of communication, we process in particular the communication content and peripheral data as well as your contact details, but also image and audio recordings of video/telephone calls. In the event of an audio or video recording of the communication, we will inform you separately at the beginning and you are free to let us know if you do not wish to be recorded or to end the communication or leave the call. If we need or want to ascertain your identity, we may collect additional data.
Activities in relation to contracts
With regard to the conclusion of a contract with you or your client or employer, we may in particular process your name, contact details, declarations of consent, information about third parties (e.g., contact persons, third parties, project participants, etc.), contract contents and all other data that you provide to us or that we collect from public sources or from third parties.
Management of contracts and execution of projects
We process personal data so that we can meet our contractual obligations towards our contractual partners (e.g., suppliers, service providers, project partners) and, in particular, provide and request the contractual services. This also includes data processing for project management and data processing for the enforcement of contracts, accounting and public communication. For this purpose in particular, we process the data that we have received or collected as part of the acquisition and conclusion of the contract, as well as data that we generate as part of our contractual services or that we collect from public sources or from other third parties. This data includes, in particular, meeting minutes, notes, internal and external correspondence, contractual documents, documents that we generate and receive in connection with project creation and execution, background information about you, counterparties or other persons, video and sound recordings as well as other project-related information, documents, certificates, invoices as well as finance and payment information. In extremely rare cases, we may also collect and process particularly sensitive personal data during these activities.
Operation of our websites
In order to operate our website securely and stably, we collect technical data, such as IP address, information about the operating system and settings of your device, region, and time and type of use. We also sometimes use cookies and similar technologies. Further information can be found in the relevant sections of this Privacy Policy.
Improving our electronic offers
In order to continuously improve our website and electronic offers (e.g., newsletters), we collect data about your behaviour and preferences, for example, by analysing how you navigate our websites and how you interact with our social media profiles and other electronic offers (e.g., newsletters).
Registration
You have to register in order to use certain offers and services (e.g., newsletters). For this purpose, we process the data disclosed as part of the respective registration. Furthermore, we may also collect personal data about you while you use the offer or service. If necessary, we will provide you with further information about the processing of this data.
Security purposes and access controls
We process personal data to ensure and continuously improve the appropriate security of our IT and other infrastructure. This includes, for example, monitoring and controlling electronic access to our IT systems and access to our premises, analysing and testing our IT infrastructure, checking systems and errors, and creating backup copies. For documentation and security purposes (preventive and incident investigation), we also keep access logs and visitor lists for our premises, and we are able to process extracts from criminal records and use surveillance systems (e.g., security cameras). We will draw your attention to monitoring systems by means of appropriate signs in the relevant locations.
Risk management and corporate governance
We process personal data as part of risk management and corporate governance. This includes, among other things, our operational organisation (e.g., resource planning, employee data) and corporate development.
Job applications
If you apply for a position with us, we will process the relevant data for the purpose of examining and assessing the application, conducting the application process and, in the event of successful applications, preparing and concluding a corresponding contract. For this purpose, in addition to your contact details and the information from the corresponding communication, we will also process in particular the data contained in your application documents and possibly criminal record excerpts as well, along with the data that we may additionally obtain about you, for example, from professional social networks, the internet, the media and references (if you consent to the collection of references). Data processing in connection with the employment relationship is regulated separately.
Other purposes
Other purposes include, for example, training and administrative purposes (e.g., accounting). We may also process personal data for the organisation, implementation and follow-up of events, such as, in particular, participant lists and presentation and discussion content, as well as images and audio recordings made during these events. Other purposes, which cannot be named exhaustively, also include the protection of other legitimate interests.
7. Functional technologies
Our website is hosted on servers of the Microsoft Corporation. The servers are located in Switzerland (Microsoft Azure, Switzerland North/Zurich zone).
We use Drupal 10 from the Drupal Association / Dries Buytaert, Drupal Maintainer, as our content management system (CMS) and for databases. This operates under the GNU General Public License, Version 2, and is hosted on Microsoft servers.
We use Shopware 6 from shopware AG as eCommerce software. Shopware 6 is also hosted on Microsoft’s servers.
We use various technologies (e.g., libraries, fonts) to ensure that our website functions properly. These include the JavaScript library Vue.js and Nuxt.js, the Elasticsearch search function of the Dutch company Elastic NV, icon fonts, integrated font directories and sharing mechanisms. All these technologies are hosted on Microsoft Azure servers selected by us. As far as we know, no other data are transmitted to third parties with regard to these technologies used.
Mail dispatch
If e-mails are sent in connection with the website (e.g. for the purpose of password resets or automatic confirmations), this is done via a service provided by SendGrid, a company based in Ireland. The data is only used to process the contact and subsequent communication. SendGrid has access to the following information:
- Subject of the e-mail
- E-mail addresses of senders and recipients
- Content of the e-mail (content and processed data therefore depend on the person sending the message)
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
SendGrid | Twilio | IE, CDN | https://www.twilio.com/en-us/legal/privacy |
8. Cookies and other tracking methods
General
This website uses cookies. Cookies are small text files that enable specific information relating to you to be stored on your device while you use our website. Cookies help, among other things, to make your visit to our website easier and more enjoyable, to improve our services, and to make it more effective and secure. We also use cookies to collect information in order to offer you advertising that may be of interest to you.
If you visit our website for the first time or if new cookies need to be created due to deleted cookies, our cookie banner informs you about the options for the different cookie categories and you can choose which type of cookies should be collected:
- Functional cookies store your preferences.
These cookies are essential for the functioning of the website and cannot be disabled on our systems.
- Performance cookies show us how you are using this website.
We use these cookies to quantify visits and traffic in order to gauge and improve the performance of our website. They help us understand which pages are viewed often and for longer periods and which content our visitors to the website are most likely to access. It is our understanding that all the information generated by these cookies is pooled and is therefore anonymous.
- Targeting cookies help us share content that is relevant to you.
These cookies can be placed on our website by our (advertising) partners. They may be used by these companies to generate a profile of your interests and notify you of our services via relevant adverts on other websites. They also do not store direct personal information, but are based on the unique identification of your browser and Internet device. You may, however, be identified if you are logged into certain third-party services and your user data can be linked by said third party. If you do not allow these cookies, you will receive less targeted advertising.
The cookies are automatically deleted when the information is no longer needed. You can choose whether or not to allow certain types of cookies. For systemic reasons, functional cookies cannot be deactivated.
Types of cookies
We use transient and persistent cookies.
Transient cookies are automatically deleted as soon as you close your browser. This type of cookie includes, in particular, session cookies. These store a so-called session ID, which can be used to assign various requests from your browser to the joint session. This allows your computer to be recognised when you return to our website. Session cookies are rarely used and are deleted when you log out or close your browser.
Persistent cookies, on the other hand, are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.
Benefits and analysis
Cookies enable us to carry out certain analyses of our website, in particular to determine the frequency of use or the number of users of the pages or to analyse the way in which the pages are used.
Cookies are used in particular to make our website, the content and the offers more customer-friendly. For example, cookies may be required to use shopping baskets or payment functions. With the use of cookies, options or decisions you have made can also be used as settings to make your visit to our website more convenient. We may also use cookies to identify you for subsequent visits if you have an account with us.
Cookies are usually stored after the end of a browser session and can be accessed again when you return to the website. If you do not wish to do so, you can set your Internet browser to reject cookies. However, this may result in you not being able to use all the features of this website.
9. Third-party services
As mentioned at the beginning, we process personal data in accordance with the principle of necessity.
Selection of providers, server locations
In principle, we try to choose services from providers based in Switzerland or the EU. Where possible when concluding a contract with these third parties, we also choose server locations in Switzerland or EU countries. Where this is not possible, we access alternative providers outside Europe. As a result, we may transfer your data to the countries where the registered office of the service providers we use is located, including the USA.
Especially for global service providers, server locations are now often no longer limited to individual locations, but are often made available as part of a Content Delivery Network or Content Distribution Network (“CDN”) via a group of geographically distributed and interconnected servers.
Consent to third-party services
Depending on the setting of your cookie preferences or explicit, active opt-in (sometimes also double opt-in), you consent to the use of the third-party services listed below in accordance with the collection and processing of information and personal data described for the respective service.
You can find out more about the data protection provisions and terms of use for the respective third-party service by clicking on the link listed in the table.
Selection of service providers, server locations, data privacy framework
Whenever possible, we generally use service providers who store data at data centres in Switzerland or the EU. Where data is stored in the USA, on CDN servers (and thus globally), or in other countries, we select service providers from countries with an adequate level of data protection as in Switzerland (for US service providers, for example, those that fall under the data privacy framework between Switzerland and the USA [“Swiss–U.S. Data Privacy Framework”, “SDPF”, https://www.dataprivacyframework.gov/]). Among our US service providers, almost without exception we use those that fall under the SDPF. Their compliance with the Privacy Framework and Swiss data protection can be checked at any time via the search panel at https://www.dataprivacyframework.gov/list and the detailed entries accessible there.
Processor, DPA, SCC, level of protection
Where necessary, we have concluded a data processing agreement, usually on the basis of the SCC of the European Commission, or a DPA with external data processors (or oftentimes, the latter is already a legally valid contractual component through the GTCs or Terms & Conditions of the third-party provider) in order to adequately guarantee security. As a rule, the provider guarantees therein that it will process personal data even outside Switzerland and the EU in accordance with the requirements and protection levels of Swiss and European data protection laws.
In our company, only selected employees have access to such data in accordance with the principle of necessity. All employees who have access to personal data must comply with the internal rules and processes and, if applicable, regulations relating to the processing of personal data in order to protect it and ensure its confidentiality.
Encryption
In general, we always transfer personal data to third parties in encrypted form. If there are exceptions, these are explicitly mentioned.
Third-party data protection provisions
With regard to the services used, we have no influence on the effective handling of personal data by the respective third-party providers. With regard to their handling of data, their currently applicable data protection regulations are binding for you. We can only determine which cookies are set and which actions are triggered for third-party services based on the cookie settings you select.
Overview of and information on third-party providers
The third-party providers used in accordance with their services are listed below. We will tell you which services we use from which companies in which countries and provide you with a link to the data protection regulations currently applicable to the best of our knowledge. If you have any further questions about any of the services listed below, please contact us using the contact options mentioned at the beginning of this Privacy Policy.
9.1 Third-party data storage (settings)
We use CookiePro to store your settings on how cookies are to be used. CookiePro is a SaaS solution from OneTrust, one of the world’s leading providers and used by many large companies.
Tool | Provider | Registered office (country), server location | Handling of data |
CookiePro | OneTrust | USA, CDN | https://www.cookiepro.com/dpa.pdf |
9.2 Services offered by Google/Alphabet companies
Our website uses various services provided by subsidiaries of the US company Alphabet Inc. (see table). These services all refer to the same data protection provisions, which can be found at https://policies.google.com/privacy.
We use Google Analytics 4. In Google Analytics 4, IP addresses are neither logged nor stored, so IP address masking is not necessary.
Google uses this information to evaluate your use, to provide analytics services about these activities, and to provide us with other services, such as map services.
Google Analytics and Google Signals are provided by Google Ireland, based in Ireland. Google Ireland uses the services of Google LLC, headquartered in the USA, as a processor (Google Ireland and Google LLC both hereinafter referred to as “Google”). With Google Analytics and Google Signals, we can measure and evaluate (non-personally identifiable) use of the website.
We have activated the Google Signals function in Google Analytics. As a result, the existing Google Analytics functions (advertising reports, remarketing, cross-device reports and reports on interests and demographics) are updated to receive aggregated and anonymised data from you if you have allowed personalised ads in your Google account.
With this cross-device function, your data can be analysed across devices. As a result of this activation, data are collected and linked to your Google Account, which allows Google, for example, to recognise when you view a product on one device and later purchase on another device. Google Signals allows us to run remarketing campaigns, which allows us to show you our offers on other devices and websites.
Google Analytics also collects additional visitor data such as search history, YouTube history, location, your interactions on our website, etc. through Google Signals. Google thus provides us with better and more useful information about your interests and demographic characteristics (e.g., age, language, place of residence, gender, and in some cases occupation, marital status, estimated income).
This information and reports help us better assess your wishes and interests and thus optimise our services and products for you. This data is only collected if you have allowed personalised advertising in your Google Account. These are always aggregated and anonymised data and never data of individual persons. You can also adjust your settings accordingly and manage or delete this data in your Google account.
However, Google itself will also recognise you if you are registered or logged in to Google during the session in which you visit our website. Google is then responsible for the processing of your personal data by Google and in accordance with Google’s own data protection regulations. Google only tells us how our respective website is used, so we do not receive any information about you personally.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Google Analytics | Google LLC / Alphabet | USA, CDN | https://marketingplatform.google.com/about/analytics/terms/de/ |
Google Maps | Google LLC / Alphabet | USA, CDN | https://policies.google.com/terms?hl=de&utmsource=ucb |
Google Data Studio | Google LLC / Alphabet | USA, CDN | https://support.google.com/datastudio/answer/7019158?hl=en |
Google Tag Manager | Google LLC / Alphabet | USA, CDN | https://www.google.com/analytics/terms/tag-manager/ |
Google Ads & DoubleClick | Google Ireland Limited / Alphabet | USA, CDN | https://privacy.google.com/business/processorterms/ |
YouTube | Google Ireland Limited / Alphabet | USA, CDN | https://www.youtube.com/t/terms |
Google Signals | Google LLC / Alphabet | USA, CDN | https://support.google.com/analytics/answer/9445345?hl=de#zippy=%2Cthemen-in-diesem-artikel |
9.3 Calendar functions, appointment entries
We use the Microsoft Bookings service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland, as an integrated online appointment and booking tool.
We process personal and other data to find and confirm an appointment and to contact you, such as your name, telephone number, e-mail address, the reason for your enquiry and any comments you have made, as well as the time of the appointment request and the agreed appointment.
The connection to bookings is only established if you expressly agree to the use of the appointment scheduling tool. For appointment scheduling, your entries in the appointment scheduling form are transmitted to Microsoft. For more information on how Microsoft handles your data, please refer to Microsoft’s Privacy Policy (see link below). Microsoft explains, “All data are stored within the Microsoft 365 platform and in Exchange. Bookings follows all data retention policies set by Microsoft, which are the same as all Office apps.” and: “All customer data (including information provided by customers at the time of booking) are collected in Bookings and stored in the app and thus also in Exchange.”
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Microsoft Bookings | Microsoft Ireland Operations Limited | IE (USA), CDN | https://privacy.microsoft.com/de-DE/privacy-in-our-products |
9.4 Customer Relations Management (CRM)
We use CRM tools from various providers for the companies appearing together on this website.
Our CRM tools are used when you register for an event with us, when you subscribe to a newsletter or when you receive a newsletter as an existing or new customer. You can find more information on data processing for newsletters in section 8.10. When you register for events, we process the personal data you provide. This data (e.g. name, telephone number, email address and address) is required for registration, confirmation of participation or registration and for contacting you.
The connection to the CRM tools used in each case is only established if you use a corresponding form to register for an event on our website.
We only merge this personal data with other data sources about you if you agree to this or have consented to the use of the corresponding cookies. Data is passed on to third parties so that we can enable the third-party providers to send you e-mails relevant to the event in accordance with the table below. We are not responsible for the processing of your data by the respective third-party provider. The terms of use and data protection provisions of the respective provider apply.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Microsoft Dynamics | Microsoft Ireland Operations Limited | IE, CH | https://privacy.microsoft.com/de-de/privacystatement |
Brevo | Brevo GmbH | DE, DE (BEL, IRL) | https://www.brevo.com/de/datenschutz-uebersicht/ |
9.5 Web shop, services subject to a charge
We use Shopware as an eCommerce tool for our publishing shop. As an ERP system, we use Tocco, for example, for the purchase of educational offers or for event registration. We use Phiatos for logistics and specialized software for publishing purposes. Only our supporters (the provider and our DevOps organisation) and we have access to the applications. Application access is personalised and password-protected. There is a password security check. Two-factor authentication may be used.
In order for you to be able to use our eShop properly, session cookies are stored on your device when you visit our website. When you place an order, the personal data entered in the order form are transmitted to us by your browser and stored in our systems. Your IP address and the time of your order are also stored. All of this is necessary in order to be able to place an order and for the security of our systems.
We do not merge this personal data with other data sources. Data are only passed on to third parties if this is necessary for the fulfillment of the contract (e.g. to payment service providers, IT service providers or shipping companies). Unfortunately, it is not possible to place an order in our online shop without your personal data.
Users have the option to create a user account for using our eShop, where they can, for example, view and save their orders. During the registration process, the user must enter the mandatory information required for the user account (first and last names, address, email, country, phone number, salutation). The user accounts are not public and, to the best of Careum's knowledge, cannot be indexed by search engines. Users can terminate their user accounts at any time. After termination, only those data that are legally required to be retained for a certain period will continue to be stored. This is in accordance with the applicable data protection laws, particularly Art. 6(4) of the Swiss Federal Data Protection Act (DSG) or Art. 6(1)(c) of the General Data Protection Regulation (GDPR). Once deleted, data cannot be restored.
Service, Tool, System | Provider | Registered office (country), server location | Terms of Use or Privacy Policy |
Shopware 6 | shopware AG | DE, intern | https://docs.shopware.com/de/shopware-5-de/tutorials-und-faq/dsgvo?category=shopware-5-de/tutorials-und-faq |
Tocco | Tocco AG | CH, intern | https://www.tocco.ch/AGB |
9.6 External payment service providers
We use Wallee and Worldline Saferpay as payment service providers. Users and we can make payment transactions via their platforms. The data processed by the payment service provider includes master data, e.g. name and address, bank data, account numbers, credit card numbers, passwords, TANs and checksums, as well as contract details, totals and recipient-related information, all of which are necessary to complete the transaction. However, the data entered by you as a user will only be processed and stored by Wallee and Worldline Saferpay and any third parties authorised by them. We do not receive any information about your account details or credit card details, instead only information about the payment status. Please refer to the General Terms and Conditions and Privacy Policy of Wallee and Saferpay.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Saferpay | Worldline Switzerland Ltd. | DE, CH | https://www.six-payment-services.com/en/services/legal/privacy-statement.html |
wallee | Wallee Group AG | CH, CH/EU | https://wallee.com/legal/datenschutzhinweise |
9.7 Tracking, analysis
We analyse user behaviour on the pages of our website using various Google services; see our notes above. In addition, we use analysis options based on so-called heat maps, for which Hotjar is used. Analysing these heat maps allows us to find out which elements and content our users spend the most time with. It can also be seen, for example, which buttons users click and how often. Hotjar also allows us to obtain feedback directly from the users of our website. This gives us valuable information to make our website even faster, more informative and more customer-friendly.
With Hotjar, we can only track which buttons are clicked or how far you scroll. Areas of the website where your personal data or that of third parties are displayed or entered are automatically hidden by Hotjar and are therefore not traceable.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Hotjar | Hotjar Limited | Malta, (probably CDN) |
9.8 Social media (plugins, pixels)
Subject to your cookie settings, we use social media tracking technologies. These allow us to identify you as a visitor to our website and, depending on your browser history, draw conclusions about your preferences. The resulting profile of these service providers allows marketing activities to be tailored to the user. It allows us to create targeted online campaigns and user-appropriate marketing activities according to the presumed interest of our users. We can also track the effectiveness of the advertisements for statistical and market research purposes. If you do not want these third parties to associate or otherwise track the personal data collected through our website with any account you have with such providers, you must log out of their services before visiting our website.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Facebook Pixel | USA, CDN | https://www.facebook.com/about/privacy/update https://www.facebook.com/business/help/742478679120153?id=1205376682832142 |
|
Twitter Inc. | USA, CDN | https://twitter.com/de/privacy | |
LinkedIn Tracking | LinkedIn Ireland Unlimited Company | USA / Ireland, CDN | https://de.linkedin.com/legal/privacy-policy |
Instagram Widget & Ads | Facebook Ireland Ltd. | USA / Ireland, CDN | https://help.instagram.com/519522125107875 |
Snapchat | Snap Inc. | USA, USA | https://snap.com/en-US/privacy/privacy-policy |
New Work SE | DE, DE | https://privacy.xing.com/de/datenschutzerklaerung | |
TikTok | TikTok Technology Limited | IRL, CDN | https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE |
Pinterest Europe Ltd. | IRL, CDN | https://policy.pinterest.com/de/privacy-policy |
9.9 Video platforms and tools
We use services from various third-party providers to integrate video content in accordance with the table below. When accessing the corresponding pages or videos, your browser loads the code from these providers that is necessary for viewing the video. For this purpose, the browser you use must connect to the servers of these providers. By doing so, they may gain knowledge that our website has been accessed via your IP address. If you do not want these third parties to associate or otherwise track the personal data collected through our website with any account you have with such providers, you must log out of their services before visiting our website.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
SWITCHtube | SWITCH (Stiftung) | CH, CH | https://www.switch.ch/tube/terms/ |
Vimeo | Vimeo Inc. | USA, CDN | https://vimeo.com/privacy |
YouTube | Google Ireland Limited / Alphabet | USA, CDN | https://www.youtube.com/t/terms |
9.10 Newsletter and email marketing
We use newsletter tools from various providers. This is because the companies mentioned in the Imprint, which appear together on this website, have different newsletter activities.
Existing and new customers automatically receive our newsletter for information purposes as part of their legitimate interest in our offers.
If you subscribe to a newsletter from us, the personal data you provide when registering, as well as your IP address and the time of registration, are transmitted to us by your browser and stored in our systems. Our newsletters are free of charge and are for information purposes.
We use the “double opt-in” procedure to verify that you have actually registered. Once you have subscribed to the newsletter, we will send you a confirmation e-mail to the e-mail address you provided. We record the ordering of the subscription, the sending of our confirmation e-mail to you and the receipt of your reply e-mail. No further data are collected. These data are collected via the corresponding newsletter tool and stored by the respective provider.
The processing of your personal data serves to send the newsletter, which may be personalised. In this case, personalisation means that we can take into account the interests you have indicated and your previous use when compiling the newsletter.
We do not merge this personal data with other data sources. Data are passed on to third parties so that we can enable the third-party providers to send you the newsletter in accordance with the table below. We are not responsible for the processing of your data by the respective third-party provider.
You can unsubscribe from our newsletter at any time and revoke your consent to the retention of your personal data in this regard. You can revoke/unsubscribe by clicking on the link provided in each newsletter e-mail or by sending an e-mail to the contact details provided in the imprint.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Brevo | Brevo GmbH | DE, DE (BEL, IRL) | https://www.brevo.com/de/datenschutz-uebersicht/ |
Mailworx | eworx Network & Internet GmbH | AT, AT | https://www.eworx.at/de/mailworx/datenschutz |
Microsoft Dynamics | Microsoft Ireland Operations Limited | IE, CH | https://privacy.microsoft.com/de-de/privacystatement |
9.11 Application and HR management
We use gateway.one and REFLINE services for services in relation to career development, application management and HR management.
We make transparent reference to the use of gateway.one on the corresponding pages and incorporate this tool by linking to the gateway.one website. All information you provide on this website is subject to the data protection provisions of GATEWAY Solutions AG and we have no influence whatsoever on how they handle your data.
REFLINE is operated simultaneously on our website. In this way, we manage the HR recruiting process for advertised positions. This involves the collection of personal data that you provide when you apply for a position (e.g. personal details, CV, other PDFs of graduation certificates, references and more). We have access to these data as part of our contractual relationship with Refline AG. However, the information and content are not uploaded to our servers, but to those of Refline AG. Their servers are operated and maintained by Refline AG itself in a highly secure data centre at EveryWare in Zurich.
The uploaded data are not directly encrypted on the server, nor are they visible, but instead stored cryptically as binary data. The data are stored in an object database (ZODB), which cannot be accessed without access to the entire application. This database is based on a memory-mapped file and only the application can load the data. There is no interface with which the database can be accessed.
All of this information and personal data are only stored by us for as long as required by the relevant staffing process.
By submitting their application to us, applicants agree to the processing of their data for the purposes of the application process in accordance with the nature and scope set out in this Privacy Policy and to the use of REFLINE as a recruitment tool.
We also use the Dualoo tool in some cases. This is offered via external links. All user interactions take place outside of our control.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
gateway.one | GATEWAY Solutions AG | CH, CH | https://www.gateway.one/de-CH/datenschutz.html |
Refline | Refline AG | CH, CH | https://refline.ch/de/datenschutzerklarung/ |
Dualoo | Dual Eduaction GmbH | CH, CH | https://www.dualoo.com/de-CH/nutzungsbedingungen-dualoo |
9.12 Target-group-specific marketing
In some cases, we use the services of Adform, a provider for more precise, target-group-specific advertising (so-called targeting), via Google’s Tag Manager. This only happens if you have agreed to the use of corresponding cookies in your cookie settings. The use of these marketing services allows us to create user-related advertising and to display interest-relevant advertising to you.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Adform | Adform | DK, (probably CDN) | https://site.adform.com/de/privacy-center/platform/datenschutzrichtlinie-fuer-produkte-und-services |
9.13 Event match quality (EMQ)
We use the event match quality (EMQ) function of Meta (Facebook) to improve our advertising campaigns. EMQ helps us link the mapping of events on our website (such as logins/registrations) to Meta user accounts. The following data are transmitted to Meta for this purpose:
- e-mail addresses
- telephone numbers
- name (given name and surname)
- city, postcode, country
- device and browser information
- IP address
- information about your interactions on our website
Email addresses and phone numbers are hashed prior to transmission (transformed using a cryptographic algorithm into a code that third parties cannot retrieve or decrypt). Other data such as names, location information, device data and interactions are transmitted unencrypted.
If you are or were logged in to Meta’s Facebook and did not log out before visiting our website, the transmitted data can be linked to your Meta account, even if you have previously closed the browser window.
Meta uses this data to personalise advertising and to measure the effectiveness of advertising campaigns. You have the right to object to this data processing.
The use of Facebook's EMQ is based on your consent, which you can give or revoke via our cookie settings.
For more information on data processing by Meta, please refer to its privacy policy.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Event Match Quality (EMQ) | Meta Platforms Ireland Ltd. | Ireland, CDN |
9.14 Video calls
In addition to face-to-face meetings, telephone conversations, letters and e-mails, we use various other means of communication with you. In particular, we use online meeting tools such as Microsoft Teams and Zoom, which are becoming increasingly important today. When using them, we rely on the legal basis of legitimate interest and/or your consent.
In MS Teams and Zoom, personal and other data such as your name, telephone number, email address, the reason for the meeting and any other comments or notes, the time of the video call and the agreed appointment are stored for appointment scheduling and for the video call with you. In the case of a video call, you may turn on the camera function, but you do not have to; you do this of your own accord. If you have switched on the camera function, your face will be transmitted and can also be recorded in the same way as meeting minutes, so that we can go through the content of the meeting again for future decisions. If we record the video call, we will notify you at the beginning of the session; if you do not agree, you can leave the call or deactivate your camera function. The connection to MS Teams or Zoom or their servers is only established if you actually take part in the video call. Further information on how Microsoft and Zoom handle your data can be found in the Microsoft Teams and Zoom privacy policies (see links below).
Microsoft Teams is a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland. Zoom is a service provided by Zoom Video Communications, Inc., 55 Almaden Blvd, San Jose, CA 95113, USA.
Service, Tool, System | Provider | Registered office (country), server location | Terms of use, data protection provisions, data processing |
Microsoft Teams | Microsoft Corporation | USA, CDN |
Zoom | Zoom Video Communications | USA, CDN |
10. Contact forms, comment function
Contact forms
If you use the contact forms on our website or send us an e-mail, we process your personal data. This information as well as your IP address and the date and time of the contact request are transmitted by your browser or e-mail client and stored in our systems. Your request cannot be answered without such processing of your personal data. The collection of technical data is necessary to prevent misuse of the contact form and to ensure the security of our systems.
The personal data are erased periodically. We do not merge this personal data with other data sources. Data will not be passed on to third parties unless necessary to answer your enquiry.
Comment function
You may comment on blog posts on our website, provided you log in with your user name and e-mail address. If you submit such a comment, your personal data (e-mail address, selected user name, website, if applicable) as well as your IP address and the time the comment is sent by your browser will be transmitted to us and stored in our systems. The storage of the IP address and the time the comment was made serves to guarantee the security of our systems. Your personal data will be stored for as long as is necessary for the comment function. We do not merge this personal data with other data sources. Data will not be passed on to third parties.
11. Copyrights
The entire content of this website is either protected by copyright (Copyright ©2021 Careum Foundation and affiliated companies according to the Imprint), or the Careum Foundation has received a licence to use the non-copyrighted parts of the website. All rights are strictly reserved. We also refer to our Terms of Use for this website.
12. Disclaimer
With regard to our liability in relation to the use of this website, we refer to our Terms of Use.
13. Up-to-dateness and changes
This Privacy Policy also applies without users' express consent, as it governs our handling of data in general and therefore applies independently of an individual declaration of consent.
Due to the further development of our website, the implementation of new technologies, changes to our internal processes or the adaptation to changed legal framework conditions, it may be necessary to amend this Privacy Policy. We therefore reserve the right to amend this Privacy Policy at any time in compliance with data protection regulations and laws.
As the Privacy Policy may change, we recommend that you visit this page from time to time to find out about the current status of the Privacy Policy.
The latest version of the Privacy Policy can be accessed on our website without restriction at any time.
The currently valid Privacy Policy is written in German. The translated versions we may also provide are only for information and better comprehensibility. In the event of disputes, the German text is legally binding and takes precedence over the other language versions.