Privacy policy of DUAP AG

With this Privacy Policy, we provide information about the processing of personal data in connection with our activities and operations, including our website under the domain name www.duap.ch. In particular, we inform you about the purposes, methods, and locations of the personal data we process. We also inform you about the rights of individuals whose data we process.

For individual or additional activities and operations, we may publish additional privacy policies or other information on data protection.

We are subject to Swiss data protection law and, where applicable, foreign data protection laws, particularly those of the European Union (EU) under the General Data Protection Regulation (GDPR).

The European Commission recognized, in its decision of July 26, 2000, that Swiss data protection law provides an adequate level of data protection. This adequacy decision was reaffirmed in the European Commission's report of January 15, 2024.

1. Contact Information

Responsible for processing personal data:

Erich Vogt
DUAP AG
Waldgasse 19
3360 Herzogenbuchsee
erich.vogt@duap.ch

In certain cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties.

2. Terms and Legal Bases

2.1 Terms

Data Subject: A natural person whose personal data we process.

Personal Data: Any information relating to an identified or identifiable natural person.

Sensitive Personal Data: Data about trade union, political, religious, or philosophical views and activities; health, intimate sphere, or ethnic or racial origin; genetic or biometric data identifying a person; data about criminal or administrative sanctions or social assistance measures.

Processing: Any handling of personal data, regardless of means or methods used, such as accessing, collecting, storing, using, sharing, modifying, or deleting.

European Economic Area (EEA): EU Member States, as well as Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law, including the Federal Act on Data Protection (FADP) and its Ordinance.

Where the GDPR applies, we process personal data based on at least one of the following legal bases:

• Article 6(1)(b) GDPR: For fulfilling a contract or pre-contractual measures.
• Article 6(1)(f) GDPR: For legitimate interests, provided these do not override the rights and freedoms of the data subject.
• Article 6(1)(c) GDPR: For compliance with a legal obligation.
• Article 6(1)(e) GDPR: For tasks carried out in the public interest.
• Article 6(1)(a) GDPR: With the consent of the data subject.
• Article 6(1)(d) GDPR: To protect vital interests.
• Article 9(2) GDPR: For processing special categories of data, particularly with the consent of the data subject.

The GDPR refers to the processing of personal data as the processing of "personal data" and the processing of sensitive personal data as the processing of "special categories of personal data" (Article 9 GDPR).

3. Nature, Scope, and Purpose of Data Processing

We process the personal data necessary to conduct our activities and operations in a lasting, humane, secure, and reliable manner. Processed personal data may include browser and device data, metadata, communication data, transaction data, and more.

We also process personal data obtained from third parties, public sources, or collected during our activities and operations, as permitted by law.

We process personal data as necessary with the consent of data subjects. In many cases, we may process personal data without consent, such as to fulfill legal obligations or protect overriding interests.

We process personal data for the duration required for the respective purpose. We anonymize or delete personal data depending on legal retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, allow them to process data, or process it jointly with them. Such third parties include specialized providers whose services we use.

Examples include banks, government authorities, educational institutions, legal advisors, IT service providers, logistics companies, marketing agencies, and social organizations.

5. Communication

We process personal data to communicate with individuals, authorities, organizations, and companies. In doing so, we process data provided by the individual when contacting us, such as through postal mail or email. Such data may be stored in address books or similar tools.

Third parties who transmit data about others to us are responsible for ensuring data protection for those affected. They must ensure that such data is accurate and legally permissible to transmit.

6. Job Applications

We process personal data about applicants insofar as it is necessary to evaluate their suitability for employment or to execute an employment contract. Required personal data is typically derived from the information requested, such as in a job posting. We may publish job postings using third-party platforms, such as online job portals.

Additionally, we process any personal data that applicants voluntarily provide or publish, such as in cover letters, resumes, or online profiles.

Where applicable, we process personal data about applicants under the GDPR, particularly in accordance with Article 9(2)(b) GDPR.

7. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the level of risk. These measures ensure the confidentiality, availability, traceability, and integrity of processed personal data, though absolute security cannot be guaranteed.

Access to our website and other online platforms is secured using transport encryption (SSL/TLS, particularly HTTPS). Most browsers will warn users when visiting websites without encryption.

Our digital communications are generally subject to mass surveillance by security agencies in Switzerland, Europe, the United States, and other countries. We have no direct control over how such agencies process personal data, nor can we exclude the possibility of targeted surveillance of specific individuals.

8. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may transfer data to other countries for processing purposes, provided such transfers comply with legal requirements.

We may transfer personal data to any country on Earth or even beyond, provided the local laws ensure adequate data protection according to the Swiss Federal Council or, where applicable, the European Commission.

Where data protection laws in other countries are inadequate, we ensure compliance through standard contractual clauses or other guarantees. Exceptionally, data transfers may occur without such safeguards if explicitly consented to by the data subject or directly related to the conclusion or execution of a contract. Upon request, we provide information or copies of relevant safeguards to data subjects.

9. Rights of Data Subjects

9.1 Data Protection Rights

We grant data subjects all rights afforded to them under applicable data protection laws. These include the following:

• Access: Data subjects may request confirmation of whether their personal data is being processed and obtain details about the data being processed, including the purpose, duration, and any disclosures or transfers.
• Correction and Restriction: Data subjects may request corrections to inaccurate data, completion of incomplete data, or restrictions on processing.
• Deletion and Objection: Data subjects may request the deletion of their data ("right to be forgotten") or object to future processing.
• Data Portability: Data subjects may request the transfer of their personal data to themselves or another controller.

We may defer, restrict, or deny the exercise of data subject rights to the extent permitted by law. For example, we may deny access requests citing confidentiality, overriding interests, or the protection of others, and we may refuse deletion requests citing legal retention obligations.

We may charge a fee for the exercise of rights in exceptional cases, and we will inform data subjects in advance of any costs.

We are required to verify the identity of data subjects requesting access or other rights. Data subjects must cooperate in this process.

9.2 Legal Remedies

Data subjects may enforce their rights through legal action or by lodging a complaint with a data protection supervisory authority.

In Switzerland, the supervisory authority for private controllers and federal agencies is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection authorities are organized as members of the European Data Protection Board (EDPB). In some EEA countries, authorities are structured federally, such as in Germany.

10. Website Usage

10.1 Cookies

We may use cookies. Cookies are data stored in the browser, either as temporary "session cookies" or longer-term "persistent cookies." Cookies enable functionalities such as recognizing browsers on subsequent visits and measuring website reach.

Cookies can be disabled or deleted via browser settings. Without cookies, the website's full functionality may not be available. Where required, we explicitly seek consent for cookie usage.

General cookie opt-outs for advertising and analytics are available through services such as AdChoices, NAI, and Your Online Choices.

10.2 Logging

We log access to our website and other online platforms, including details such as date, time, IP address, operating system, browser version, and pages accessed. This data is necessary for ensuring the security and usability of our online presence.

10.3 Tracking Pixels

We may use tracking pixels or web beacons, which are small, invisible images or scripts that track user activity. These pixels can record similar information to logs.

11. Social Media

We maintain a presence on social media platforms to communicate with interested parties and provide information about our activities. Data may be processed outside Switzerland and the EEA.

Each platform's terms of use and privacy policies apply. For example, for our Facebook presence, we are jointly responsible with Meta Platforms Ireland Limited, subject to GDPR. Further details are available in Facebook's privacy policy.

12. Third-Party Services

We use third-party services for reliable operations and embedding content. For example, hosting providers and analytics services may process user data to ensure functionality.

Examples include:

• Google Services: Hosting, analytics, etc.

12.1 Digital Infrastructure

We use services from specialized third parties to ensure the necessary digital infrastructure for our activities and operations. These include hosting and storage services from selected providers.

Specifically, we use:

• Cyon: Hosting; provider: cyon GmbH (Switzerland); data protection information: "Privacy", Privacy Policy.

12.2 Maps

We use services from third parties to embed maps on our website.

Specifically, we use:

• Google Maps, including the Google Maps Platform; provider: Google; Google Maps-specific information: "How Google uses location data".

13. Website Extensions

We use extensions on our website to enable additional functionality. These may involve services from third-party providers or extensions hosted on our own digital infrastructure.

Specifically, we use:

• Google reCAPTCHA: Spam protection (distinguishing between human users and bots); provider: Google; reCAPTCHA-specific information: "What is reCAPTCHA?".

14. Success and Reach Measurement

We aim to measure the success and reach of our activities and operations. This includes analyzing the effectiveness of third-party references or testing different parts or versions of our online offerings (A/B testing). Based on these measurements, we can fix issues, enhance popular content, or make improvements.

For success and reach measurement, we typically record IP addresses, which are generally shortened ("IP masking") to adhere to data minimization principles.

Cookies and user profiles may be used for success and reach measurement. User profiles may include details such as visited pages, viewed content, screen size, or approximate location. User profiles are generally created in a pseudonymized manner and not used to identify individuals. However, specific third-party services may link usage data with user accounts if the individual is logged in.

Specifically, we use:

• Google Marketing Platform: Success and reach measurement, particularly with Google Analytics; provider: Google; Google Marketing Platform-specific information: Cross-browser and cross-device tracking; Google Analytics Privacy Policy, "Browser add-on for deactivating Google Analytics".

15. Final Notes on the Privacy Policy

We created this Privacy Policy using the Privacy Policy Generator from Data Protection Partner.

We may update this Privacy Policy at any time. Updates will be communicated in an appropriate manner, typically by publishing the updated Privacy Policy on our website.