Privacy Notice of the Meteomatics Group

1. What is it all about?

With this privacy notice, we, Meteomatics AG, Meteomatics Ltd, Meteomatics GmbH, Meteomatics Inc and Meteomatics AS (companies of the Meteomatics group, hereinafter Meteomatics, we or us), explain how we collect and otherwise process personal data when you visit our website https://www.meteomatics.com, purchase our products or services, when we enter into or conclude a business transaction with you as a business partner or your employer, or when you deal with us in any other way.

Under certain circumstances, further data protection policies or other legal documents such as declarations of consent, general terms and conditions, terms and conditions of use or participation may apply, which is why this is not an exhaustive description of our data processing covering all eventualities.

Personal data means all information relating to an identified or identifiable person. Processing covers any handling of personal data, regardless of the means and procedures used, including storage, disclosure, procurement, collection, erasure, storage, modification, destruction and use of personal data.

If you provide us with personal data of other persons (e.g. data of employees or family members), we will assume that you have ensured that these persons are aware of this privacy notice, the personal data is accurate and you will only provide us with personal data if you are authorised to do so.

We are generally subject to Swiss data protection law, which is why this privacy notice is primarily based on the Swiss Data Protection Act (DSG). However, it depends on the specific individual case whether the EU General Data Protection Regulation (GDPR) or other data protection laws would be applicable.

2. Who is the controller?

The controller responsible for data processing described here is Meteomatics AG, Unterstrasse 12, 9000 St. Gallen, Switzerland, unless otherwise stated in individual cases, for example in additional privacy notice, on a form or in a contract. However, unless otherwise communicated, this privacy notice also applies to cases in which the controller is not Meteomatics AG but a group company of the Meteomatics group (Meteomatics AG, Meteomatics Ltd, Meteomatics GmbH, Meteomatics Inc and Meteomatics AS). This is particularly the case where your data is processed by such a group company in connection with its own legal obligations or contracts or where you share data with such a group company. In these cases, this group company is the controller and only if it shares your data with other group companies for their own purposes (see Section 7) will these other group companies also become controllers.

If you have any data protection concerns, you are welcome to send them to the following contact address:

Meteomatics AG
Unterstrasse 12, 9000 St. Gallen, Switzerland
[email protected]

3. How do we collect your data?

In principle, we process personal data that we receive from our customers and other business partners (in particular suppliers) as part of our business relationship with them and other persons involved or that we collect from the users when operating our websites, services (e.g. Weather API), and other applications, especially when interacting with our profiles on social media. You provide us with most of the data mentioned in this notice yourself (e.g. through forms, in the context of communication with us, in connection with contracts, when using our website or other services, etc.).

However, we may also obtain certain data from publicly accessible sources (e.g. debt enforcement or commercial registers, land registers, media, internet, including social media) or receive such data from other companies in our group, our business partners, authorities and other third parties (e.g. internet analysis services, associations, credit agencies).

4. What data do we process?

We process the data that you transmit to us directly in connection with the use of our offers and services and our business relationship, e.g. via forms, when using our website, in the context of communication with us, in connection with contracts (e.g. technical data, communication data, master data, etc.), or which result from the use of our offers and services or in connection with the handling of the business relationship (e.g. contract and behavioural data). We also process data that you provide to us in connection with an application.

Against this background, we may process the following categories of personal data about you:

• Technical data: When you use our website or other services (e.g. Weather API), we collect the IP address of your end device and other technical data to ensure the functionality and security of these services. This data also includes logs in which the use of our systems is recorded. We generally retain technical data for 3 months, after which they get either deleted or anonymised. In order to ensure the functionality of these offers, we can also assign you or your end device an individual code (e.g. in the form of a cookie, see section 6.1). The technical data itself does not allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls or the processing of contracts, they may be linked to other categories of data (and thus possibly to your person).
• Registration data: Certain offers and services (e.g. login areas of our website, newsletter dispatch, Weather API, Live support chat, etc.) can only be used with a user account or registration. In this context, you must provide us with certain information and we collect data about the use of the offer or service. Registration data may be collected during access controls to certain systems. We generally retain registration data for 12 months after the end of the use of the service or the cancellation of the user account.
• Communication data: If you contact us via the contact form, by e-mail, telephone or chat, by letter or by other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. If we record or listen in on telephone conversations or video conferences, e.g. for training and quality assurance purposes, we will draw your attention to this fact. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed if and when such recordings take place, e.g. by a display during the relevant video conference. If you do not wish to be recorded, please let us know or cancel your participation. If you simply do not want your image to be recorded, please switch off your camera. If we want or need to establish your identity, e.g. if you request information access or modification, we collect data to identify you (e.g. a copy of an ID card). We generally retain this data for 12 months from the last exchange with you. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons. Emails in personal mailboxes and written correspondence are generally stored for at least 10 years. Recordings of (video) conferences are generally stored for 3 years. Chats are stored for up to 3 years after the relationship with us ends. Data may be held longer in exceptional cases for internal training purposes.
• Master data: We define master data as the basic data that we require in addition to the contract data (see below) for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information, e.g. about your role and function, your bank details, your date of birth, customer history, powers of attorney, signature authorisations and declarations of consent. We process your master data if you are a customer or other business contact or are working for such a person (e.g. as a contact person of the business partner), or because we wish to contact you for our own purposes or the purposes of a contractual partner (e.g. as part of marketing and advertising, with invitations to events, with vouchers, with newsletters, etc.). We receive master data from you (e.g. when you make a purchase, use a service or register), from organisations for which you work or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as public registers or the internet (websites, social media, etc.). We may also process information about third parties as part of master data. We can also collect master data from our shareholders and investors. As a rule, we retain this data for 10 years from the last exchange with you, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons. In the case of pure marketing and advertising contacts, the period is normally much shorter, usually no more than 3 years since the last contact.
• Contract data: This is data that arises in connection with the conclusion or processing of a contract, e.g. information about contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract, the information required or used for processing and information about reactions (e.g. complaints or information on satisfaction, etc.). This may also include information about third parties. We generally collect this data from you, from contractual partners and from third parties involved in the fulfilment of the contract, but also from third-party sources (e.g. providers of creditworthiness data) and from publicly accessible sources. As a rule, we retain this data for 10 years from the last contract activity, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons.
• Behavioural and preference data: Depending on our relationship with you, we endeavour to get to know you and tailor our products, services and offers to you. To this end, we collect and use data about your behaviour and preferences. We do this by evaluating information about your behaviour in our services, and we may also supplement this information with information from third parties, including from publicly available sources. Based on this, we can calculate the probability that you will make use of certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g. when you use our services), or we obtain this data by recording your behaviour (e.g. how you navigate our website, or how you use our Weather API). We anonymise or delete this data when it is no longer meaningful for the purposes pursued, which is usually 6 years (for product and service preferences), depending on the type of data. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons. In principle, you have the option of objecting to the processing of this data.
• Other data: We also collect data from you in other situations. In connection with official or court proceedings, for example, data is collected (such as files, evidence, etc.) that may also relate to you. We may also collect data for health protection reasons (e.g. as part of protection concepts). We may receive or produce photos, videos and sound recordings in which you may be recognisable (e.g. at events, through security cameras, etc.). We may also collect data about who enters certain buildings or has relevant access rights and when (including in the case of access controls, based on registration data or visitor lists, etc.), who takes part in events or campaigns (e.g. webinars) and when, or who uses our infrastructure and systems and when. Finally, we collect and process data about our shareholders and other investors; in addition to master data, this includes information for the relevant registers, regarding the exercise of their rights and the organisation of events (e.g. General Meetings). The retention period of this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many of the security cameras and usually a few weeks for contact tracing data, to visitor data that is usually stored for 12 months, to reports on events with images that can be stored for several years or longer. Data about you as a shareholder or other investor will be retained in accordance with the requirements of company law, but in any case for as long as you are invested.

If we receive the data from third parties and not directly from you, the following categories of personal data may be affected:

• information from public registers;
• information that we learn in connection with official and legal proceedings;
• information in connection with your professional functions and activities (e.g. so that we can conclude and process transactions with your employer with your help);
• information about you in correspondence and meetings with third parties;
• credit information (insofar as we conduct business with you personally);
• information about you that people close to you (family, advisors, legal representatives, etc.) provide to us to ensure that we can conclude or process contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney, information to comply with legal requirements such as fraud, anti-money laundering and terrorism prevention and export restrictions, information from banks, insurance companies and distribution and other contractual partners of ours regarding the use or provision of services by you (e.g. payments, purchases, etc.);
• personal data from media and the internet (insofar as this is appropriate in the specific case, e.g. in the context of an application, marketing/sales, press review, etc.);
• your address or other contact details;
• if applicable, interests and other socio-demographic data (in particular for marketing and research) and data in connection with the use of third-party websites and online offers, where this use can be attributed to you.

5. Why do we process your data and on what legal basis?

When we process personal data, we do so for purposes such as concluding, managing and processing our contracts with our customers and business partners (insofar as the GDPR is applicable, this relates to Article 6 (1) (b) GDPR). In this context, we process your data in particular to,

• communicate with you and, for example, answer your enquiries, advise you or contact you if you have any queries. In particular, we use communication data and master data and, in connection with offers and services used by you, also registration data. We store this data in order to document our communication with you, for training purposes, for quality assurance and for enquiries;
• inform you about our offers and services (marketing purposes) and for relationship management we use master data. This can take the form of sending out newsletters, for example, but can also be done as part of marketing campaigns;
• help you with your technical questions. In particular, the technical data we collect helps us debug issues for and with you when you need our technical support. This data also helps us proactively to fix issues, as we can detect failure patterns and fix them; and 
• tailor our services to you as best as possible. This can be extracted from both your master, communication and technical data, where our teams may offer you exclusive offers that may adapt best to your unique use case.

Your personal data may also be affected if you work for one of our customers or business partners (insofar as the GDPR is applicable, this concerns Article 6 (1) (f) GDPR). Our legitimate interest in these cases is to optimise the business relationship and process it as efficiently as possible. We must also process certain data to fulfil our legal obligations at home and abroad (where GDPR is applicable, this relates to Article 6 (1) (c) GDPR).

In addition, we process personal data, where permitted and deemed appropriate, for the following purposes in which we (and in certain cases third parties) have a legitimate interest corresponding to the purpose (where GDPR is applicable, this relates to Article 6 (1) (f) GDPR):

• Offering and further developing our products, services and websites, apps and other platforms on which we are present;
• Communication with third parties and processing their enquiries (e.g. applications, media enquiries, authorities, etc.);
• Examination and optimisation of procedures for needs analysis for the purpose of direct customer contact and collection of personal data from publicly accessible sources for the purpose of customer acquisition;
• Advertising and marketing (including the organisation of events), unless you have objected to the use of your data (if we send you advertising from us as an existing customer, you can object to this at any time and we will then put you on a blacklist against further advertising mailings);
• Market and opinion research, media monitoring;
• Assertion of legal claims and defence in connection with legal disputes and official proceedings;
• Prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analyses to combat fraud);
• Ensuring our operations, in particular IT, our websites, apps and other services;
• Video surveillance to safeguard domiciliary rights and other measures for IT, building and facility security and protection of our employees and other persons and assets belonging to or entrusted to us (e.g. access controls, visitor lists, network and mail scanners, telephone recordings);
• Purchase and sale of business divisions, companies or parts of companies and other transactions under company law and the associated transfer of personal data as well as measures for business management and compliance with legal and regulatory obligations and internal regulations of Meteomatics group.

If you have given us your consent to process your personal data for specific purposes (for example, when you register to receive newsletters or carry out a background check), we will process your personal data within the scope of and based on this consent, unless we have another legal basis and we require one (if the GDPR is applicable, this concerns Article 6 (1) (a) GDPR). Consent that has been given can be revoked at any time, but this has no effect on data processing that has already taken place.

6. What happens to your data that is collected or processed in connection with the use of our website / services / apps / social media accounts?

6.1. Website and cookies

On our website, services and apps we use "cookies" and similar technologies that can be used to identify your browser or device.

Cookies are text files that are stored on your end device (PC, laptop computer, tablet computer or smartphone). These text files are downloaded by your browser the first time you visit our website or some of our services (e.g. MetX). If you visit a website again with the same device or browser, the cookie and the information stored in it will either be sent back to the website that created it (known as first-party cookie) or sent to another website to which it belongs (third-party cookie). As a result, the website recognises that this concerns the same user and adjusts the display of content on the website. In addition to cookies that are only used during a session and are deleted after your visit to the website (session cookies), cookies can also be used to store user settings and other information for a certain period of time (e.g. two years) (known as permanent cookies).

You have the option of setting your browser to reject cookies, save them for one session only or otherwise delete them prematurely. Most browsers are preset to accept cookies. Some of the cookies are set by us, some also by contractual partners with whom we work. 

We use the following categories of cookies:

• Necessary cookies: Some cookies are necessary for the functioning of the website or for certain features and services. For example, they ensure that you can move between pages without losing information that was entered in a form. They also ensure that you stay logged in. These cookies are session cookies. If you block them, the website or service may not work properly. Other cookies are necessary for the server to store options or information (which you have entered) beyond a session (i.e. a visit to the website) if you use this function (for example language settings, consents, automatic login functionality, etc.). These cookies have an expiration date of up to 4 months.

• Performance cookies: In order to optimize our website and related offers and to better adapt them to the needs of the users, we use cookies to record and analyze the use of our website, potentially beyond one session. We use third-party analytics services for this purpose. We have listed them below. Before we use such cookies, we ask for your consent where this is required by applicable legislation. Performance cookies also have an expiration date of up to 4 months. Details can be found on the websites of the third-party providers.

• Marketing Cookies: We and our advertising partners have an interest in targeting advertising as precisely as possible, i.e. only showing it to those we wish to address. We have listed our advertising partners below. For this purpose, we and our advertising partners use cookies that can record the content that has been accessed or the contracts that have been concluded. This allows us and our advertising partners to display advertisements that we think will interest you on our website, but also on other websites that display advertisements from us or our advertising partners. These cookies have an expiration period of a few days to 3 months, depending on the circumstances. If you consent to the use of these cookies, you will be shown related advertisements. If you do not consent to them, you will not see less advertisements, but simply any other advertisement.

We currently use offers from the following service providers and advertising partners on our website and our services:

• Google Analytics: Google Ireland Ltd. (located in Ireland) is the provider of the service Google Analytics and acts as our processor. Google Ireland relies on Google LLC (located in the United States) as its sub-processor (both Google). Google collects information about the behavior of visitors to our website (duration, page views, geographic region of access, etc.) through performance cookies (see above) and on this basis creates reports for us about the use of our website. We have configured the service so that the IP addresses of visitors are truncated by Google in Europe before forwarding them to the United States and then cannot be traced back. We have some «Data sharing» options turned on: ‘Google products & services’, ‘Technical support’ and ‘Recommendations for your business’, and the «Signals option» is enabled. Although we can assume that the information we share with Google is not personal data for Google, it may be possible that Google may be able to draw conclusions about the identity of visitors based on the data collected, create personal profiles and link this data with the Google accounts of these individuals for its own purposes. In any event, if you consent to the use of Google Analytics, you expressly consent to any such processing, including the transfer of your personal data (in particular website and app usage, device information and unique IDs) to the United States and other countries. Information about data protection with Google Analytics can be found here: https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find more details about Google's processing here: https://policies.google.com/technologies/partner-sites?hl=en.
• Google AdSense: Google Ireland Ltd. (located in Ireland) is the provider of the service Google Analytics and acts as our processor. Google Ireland relies on Google LLC (located in the United States) as its sub-processor (bothGoogle). Google AdSense is an online service which allows the placement of advertising on third-party sites. It allows an interest-based targeting of the Internet user, which is implemented by means of generating individual user profiles. Google places a cookie on the information technology system of the data subject. Google reads and saves personal data, such as your IP address and the individual activities of the user. Google can create a personalized profile with this data. Although we can assume that the information we share with Google is not personal data for Google, it may be possible that Google may be able to draw conclusions about the identity of visitors based on the data collected, create personal profiles and link this data with the Google accounts of these individuals for its own purposes. In any event, if you consent to the use of Google AdSense, you expressly consent to any such processing, including the transfer of your personal data (in particular website and app usage, device information and unique IDs) to the United States and other countries. Information about data protection with Google AdSense can be found here: https://policies.google.com/privacy?hl=de?tid=331723075997.
• LiveChat: Text, Inc. (located in the United States) is the provider of the service LiveChat. LiveChat is a communication platform for with a chatbot. Further information about how Text Inc. processes data can be found here: https://www.livechat.com/legal/privacy-policy/.
• Hubspot: HubSpot Inc. (located in the United States with an office in Ireland) is the provider of a service on our website that allows visitors to learn more about our company, download content, and provide contact information and other information. Further Information about how HubSpot Inc. processes data can be found here: https://legal.hubspot.com/privacy-policy.
• Stripe: Stripe, Inc. (located in the United States with an office in Ireland) is the provider of the payment service we use. By selecting our payment option stripe you agree that personal data is transferred to Stripe for the payment processing. Further information about how Stripe, Inc. processes data can be found here: https://stripe.com/au/privacy#9-contact-us.
• Gong: Gong.io Ltd (located in Israel) is a provider of analytics and insights using communication and master data. Further information about how Gong.io Ltd. Processes data can be found here: https://www.gong.io/privacy-policy/.
• Zoominfo: ZoomInfo Technologies LLC (located in the United States) is a third party provider of B2B data. Further information about how ZoomInfo Technologies LLC Processes data can be found here: https://www.zoominfo.com/legal/privacy-policy.
• OpenAI: OpenAI OpCo, LLC (located in the United States) is a provider for AI services, which we use in some internal processes that include handling of personal data. Further information about how OpenAI OpCo. LLC processes data can be found here: https://openai.com/policies/row-privacy-policy/.

6.2. Newsletters and marketing emails

In our newsletters and other marketing e-mails, we also include visible and invisible image elements in some cases and to the extent permitted. By retrieving these from our servers, we can determine whether and when you have opened the e-mail so that we can also measure and better understand how you use our offers and tailor them to you. You can block this in your email programme; most are preset to do so.

By agreeing to receive newsletters and other marketing emails, you consent to the use of these techniques. If you do not want this, you must set your e-mail programme accordingly.

We currently use the following service provider and advertising partner for our newsletters and marketing emails:

• Mailchimp: Inuit Inc. (located in the United States) is the provider of the service Mailchimp. Mailchimp is an email marketing and newsletter management platform. Further information about how Inuit Inc. processes data can be found here: https://www.intuit.com/privacy/statement/.

6.3. Social media

On our website, we also use plug-ins from social media platforms such as LinkedIn, Facebook, X, YouTube, Github or Instagram. This can be identified by the use of the relevant icons. We have configured these elements so that they are deactivated by default. If you click on them, they are activated and the operators of the respective social media networks can register accordingly that you are on our website and possibly from where you are accessing it. The operators of the respective social networks can register that you are on our website and possibly from where you are accessing it. This information can be used by the network operators for their own purposes. The processing of your personal data is then the responsibility of this network operator and its data protection provisions apply. We do not receive any information about you from the network operators.

In addition to the plug-ins on the website, we also have a presence on these social media networks to inform interested parties about our services and to communicate with them if necessary. If you interact with our profiles on these social media networks, we may process certain personal data about you. We receive the information from the platforms or from you directly. When using these social media networks, however, the general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the individual network operators also apply.

7. Who do we share your data with?

As part of our business activities, to be able to deliver our products and services more efficiently, to focus on our core competencies and for the purposes specified in section 5, we may also disclose your data to third parties to the extent permitted and deemed appropriate. This transfer takes place either because these recipients process the data on our behalf (known as processors) or because they want to use the data for their own purposes. These are in particular the following categories of recipients:

• Our service providers (e.g. auditors, consultants, debt collection companies, credit information agencies, printers, banks, payment service providers, insurance companies, consulting firms/legal advisors, shipping companies, advertising service providers, cleaning companies, security companies etc.), including processors (e.g. IT, software and storage providers);
• Dealers, suppliers, subcontractors and other business partners;
• Customers;
• Domestic and foreign authorities, official bodies or courts;
• Media;
• The public, including visitors to websites and social media;
• Competitors, industry organisations, associations, organisations and other bodies;
• Buyers or parties interested in acquiring business divisions, companies or other parts of the company;
• Other parties in potential or actual legal proceedings;
• Other companies in the Meteomatics group;

All these categories of recipients may involve third parties, so that your data may also be disclosed to them. We can restrict the processing by certain third parties (for example IT providers), but not by others (for example authorities, banks, etc.).

These recipients are generally located in Switzerland and the European Economic Area (EEA), but can also be anywhere in the world. In particular, you must expect your data to be transferred to all countries in which the Meteomatics group is represented by group companies, branches or other offices (https://www.meteomatics.com/en/contact/) as well as to other countries in Europe and the USA where the service providers we use are located (e.g. Microsoft, Google).

If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection laws and regulations (we use the revised standard contractual clauses of the European Commission, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless they already are subject to a legally recognised set of rules to ensure data protection and we cannot rely on an exemption clause. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the fulfilment of a contract requires such disclosure, if you have given your consent or if the data in question has been made generally accessible by you and you have not objected to its processing.

Many countries outside of Switzerland or the EEA currently do not have laws that ensure an adequate level of data protection under the DPA or the GDPR. The contractual arrangements mentioned compensate for this weaker or missing legal protection to some extent. However, contractual precautions cannot eliminate all risks (namely of government access abroad). You should be aware of these remaining risks, even though they may be low in an individual case, and we take further measures (for example pseudonymization or anonymization) to minimize them.

8. How long do we store your data?

Your personal data will be processed and stored by us as long as it is necessary for the fulfilment of our contractual and legal obligations or otherwise for the purposes pursued with the processing (e.g. as long as there is an interest in our newsletters and you do not unsubscribe from them). For example, we process your personal data for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) and beyond in accordance with the statutory retention and documentation obligations. It is possible that personal data may be stored for the period in which claims can be asserted against our company and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised as far as possible. For operational data (e.g. system protocols, logs), shorter retention periods of 3 months generally apply, after which they get anonymised or deleted.

9. How do we protect your data?

We take appropriate technical and organisational measures to protect your personal data. This relates in particular to protection against unauthorised access and misuse, such as the issuing of directives, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymisation and checks.

Despite the security precautions we have taken, the processing of personal data, especially when using the internet, is always associated with certain risks and security gaps - absolute data security cannot therefore be guaranteed.

10. Why do you need to provide us with certain data?

Without certain personal data, it is generally not possible for us to conclude or process the contractual relationship with you or the body or person you represent and to fulfil our contractual or, in some cases, legal obligations. This is why we have to rely on you to provide us with certain personal data that is necessary for the establishment and execution of our contractual relationship and the fulfilment of the associated contractual obligations. The website cannot be used either if certain information for securing data traffic (such as IP address) is not disclosed.

11. Do we carry out profiling or do we make automated decisions?

In certain cases, we process your personal data partially automatically with the aim of evaluating certain personal aspects (known as profiling). We use profiling to provide you with targeted information about products and services and to give you optimised advice. In doing so, we use analysis tools that enable us to provide needs-based communication and advertising, including market and opinion research.

In principle, we do not use fully automated decision-making (as regulated in Article 22 GDPR, for example) to establish and conduct the business relationship or otherwise. If we use such procedures in individual cases, we will inform you of this separately if this is required by law and inform you of the associated rights.

12. What rights do you have in connection with your data?

Applicable data protection laws grant you the right to object to the processing of your data in some circumstances, in particular for direct marketing purposes, for profiling carried out for direct marketing purposes and for other legitimate interests in processing.

To help you control the processing of your personal data, you have the following rights in relation to our data processing, depending on the applicable data protection law:

• The right to request information from us as to whether and what data we process from you;

• The right to have us correct data if it is inaccurate;

• The right to request erasure of data;

• The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;

• The right to withdraw consent, where our processing is based on your consent;

• The right to receive, upon request, further information that is helpful for the exercise of these rights;

• The right to express your point of view in case of automated individual decisions (Section 11) and to request that the decision be reviewed by a human.

If you wish to exercise the above-mentioned rights in relation to us (or with one of our group companies), please contact us in writing, at our premises or, unless otherwise specified or agreed, by e-mail; you will find our contact details in Section 2. In order for us to be able to prevent misuse, we need to identify you (for example by means of a copy of your ID card, unless identification is not possible otherwise).

You also have these rights in relation to other parties that cooperate with us as separate controllers – please contact them directly if you wish to exercise your rights in relation to their processing.

Please note that conditions, exceptions or restrictions apply to these rights under applicable data protection law (for example to protect third parties or trade secrets). We will inform you accordingly where applicable.

In particular, we may need to continue to process and keep your personal data in order to perform a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permitted, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may also reject a subject request in whole or in part (for example by redacting content that concerns third parties or our trade secrets).

If you do not agree with the way we handle your rights or with our data protection practices, please let us know (Section 2). If you are located in the EEA, the United Kingdom or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

13. What else you should know...

We may amend and supplement this privacy notice at any time without prior notice. The current version published on our website applies. Where the privacy notice forms an integral part of an agreement with you, we will inform you of the change by e-mail or in another appropriate manner, in particular by publication on our website.

Latest update: August 27, 2024