1. Contact Address

Responsible for the processing of personal data:

Piz Mitgel Management AG
Stradung 31
7460 Savognin
Switzerland

willkommen@pizmitgel.ch

We will indicate if there are other responsible parties for the processing of personal data in individual cases.

1.1 Data Protection Officers or Advisors

We have the following data protection officer or advisor as a point of contact for individuals and authorities for inquiries related to data protection:

Martin Luzzi
Piz Mitgel Management AG
Stradung 31
7460 Savognin
Switzerland

direktion@pizmitgel.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation in accordance with Article 27 GDPR:

VGS Datenschutz­partner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

direktion@pizmitgel.ch

The data protection representation serves as an additional point of contact for inquiries related to the GDPR for affected individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA).

2. Terms and Legal Bases

2.1 Terms

Personal data refers to any information that relates to a specific or identifiable natural person. An affected individual is a person whose personal data we process.

Processing includes any handling of personal data, regardless of the means and methods used, such as querying, matching, adapting, archiving, retaining, extracting, disclosing, acquiring, recording, collecting, deleting, revealing, organizing, storing, modifying, distributing, linking, destroying, and using personal data.

The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.

2.2 Legal Bases

Personal data refers to any information that relates to a specific or identifiable natural person. An affected individual is a person whose personal data we process.

We process personal data – if and to the extent the General Data Protection Regulation (GDPR) is applicable – based on at least one of the following legal bases:

• Art. 6(1)(b) GDPR for the necessary processing of personal data to fulfill a contract with the affected individual and to carry out pre-contractual measures.
• Art. 6(1)(f) GDPR for the necessary processing of personal data to safeguard our legitimate interests or those of third parties, unless the fundamental rights and freedoms of the affected individual prevail. Legitimate interests include, in particular, our interest in conducting our activities and operations in a permanent, user-friendly, secure, and reliable manner and communicating about them, ensuring information security, protecting against abuse, enforcing our own legal claims, and complying with Swiss law.
• Art. 6(1)(c) GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under potentially applicable law of Member States in the European Economic Area (EEA).
• Art. 6(1)(e) GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
• Art. 6(1)(a) GDPR for the processing of personal data with the consent of the affected individual.
• Art. 6(1)(d) GDPR for the necessary processing of personal data to protect the vital interests of the affected individual or another natural person.

3. Nature, Scope and Purpose

We process those personal data that are necessary to perform our activities and operations in a permanent, user-friendly, secure, and reliable manner. Such personal data may particularly fall into categories of inventory and contact data, browser and device data, content data, metadata, and usage data, location data, sales data, as well as contract and payment data.

We process personal data for the duration, necessary for the respective purpose(s) or as legally required. Personal data that is no longer required will be anonymized or deleted.

We may have personal data processed by third parties. We may process personal data jointly with third parties or transmit it to third parties. Such third parties may include specialized providers whose services we use. We ensure data protection with these third parties as well.

We process personal data only with the consent of the affected individual unless processing is permitted for other legal reasons. Processing without consent may be permissible, for example, to fulfill a contract with the affected individual and related pre-contractual measures, to safeguard our overriding legitimate interests, if processing is evident from the circumstances, or after prior information.

In this context, we particularly process information voluntarily provided by an affected individual when making contact – for example, via postal mail, email, instant messaging, contact forms, social media, or phone – or when registering for a user account. We may store such information, for example, in an address book or similar tools. If we receive data about other individuals, the transmitting individuals are obligated to ensure data protection for these individuals and ensure the accuracy of this personal data. We also process personal data received from third parties, obtained from publicly accessible sources, or collected during the exercise of our activities and operations,

to the extent and as long as such processing is legally permissible.

4. Personal Data Abroad

We generally process personal data generally and the European Economic Area (EEA). However, we may also export or transmit personal data to other states, particularly for processing.

We can export personal data to all countries and territories on Earth and elsewhere in the Universe where the local law, according to a decision of the Swiss Federal Council, ensures adequate data protection and, if applicable under the General Data Protection Regulation (GDPR), provides adequate data protection according to a decision of the European Commission. .

We may transmit personal data to states where local law does not ensure adequate data protection, provided data protection is ensured for other reasons, particularly based on standard data protection clauses or other suitable safeguards. In exceptional cases, we may export personal data to states without adequate or suitable data protection if specific data protection requirements are met, such as the explicit consent of affected individuals or a direct connection to the conclusion or performance of a contract. Upon request, we will gladly provide affected individuals with information about possible safeguards or provide a copy of any safeguards.

5. Rights of Affected Individuals

5.1 Data Protection Claims

We grant affected individuals all rights under the applicable data protection law. Affected individuals, in particular, have the following rights:

• Access: Affected individuals can request information about whether we process personal data about them and, if so, what personal data it is. Affected individuals will also receive the necessary information to assert their data protection claims and ensure transparency. This includes the processed personal data itself, but also information about the processing purpose, storage duration, potential disclosure or transfer of data to other countries, and the origin of the personal data, among other things.
• Rectification and Restriction: Affected individuals can correct inaccurate personal data, complete incomplete data, and request the restriction of the processing of their data.
• Erasure and Objection: Affected individuals can request the erasure of personal data (“right to be forgotten”) and object to the processing of their data for the future.
• Data Disclosure and Data Portability: Affected individuals can request the disclosure of personal data or the transfer of their data to another controller.

We can defer, limit, or refuse the exercise of the rights of affected individuals within the legally permissible framework. We can inform affected individuals of any requirements that must be fulfilled for the exercise of their data protection claims. For example, we may refuse to provide information entirely or partially with reference to trade secrets or the protection of other individuals. Similarly, we may refuse the erasure of personal data entirely or partially with reference to legal retention obligations.

We can exceptionally stipulate costs for the exercise of rights. We will inform affected individuals in advance of any potential costs.

We are obligated to identify affected individuals who request information or assert other rights with appropriate measures. Affected individuals are obligated to cooperate.

5.2 Right to Lodge a Complaint

Affected individuals have the right to enforce their data protection claims in court or lodge a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for private controllers and federal entities in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

Affected individuals also have the right to lodge a complaint with a competent European data protection supervisory authority , to the extent the General Data Protection Regulation (GDPR) is applicable.

6. Data Security

We implement appropriate technical and organizational measures to ensure data security that is proportionate to the respective risk. However, we cannot guarantee absolute data security.

Access to our website is secured using transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock icon in the address bar.

Our digital communication is subject – like generally – to mass surveillance without cause or suspicion, as well as other surveillance by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct control over the processing of personal data by intelligence services, police authorities, and other security agencies.

7. Website Use

7.1 Cookies

We may use cookies. Cookies – both first-party cookies and third-party cookies from services we use (third-party cookies) – are data stored in the browser. Such stored data is not necessarily limited to traditional text-form cookies.

Cookies can be stored in the browser temporarily as “session cookies” or for a specific period as so-called persistent cookies. “Session cookies” are automatically deleted when the browser is closed. Persistent cookies have a specific storage duration. Cookies enable, among other things, the recognition of a browser on the next visit to our website, allowing for the measurement of the website’s reach, for example. However, persistent cookies can also be used for online marketing.

Cookies can be disabled or deleted entirely or partially in the browser settings at any time. Without cookies, our website may not be fully functional. We request – at least if and as necessary – active consent for the use of cookies.

For cookies used for performance and reach measurement or advertising, a general objection (“opt-out”) is possible for numerous services through the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

7.2 Server Log Files

We may record the following information for each access to our website, provided it is transmitted from your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transferred data volume, and the last visited website in the same browser window (referrer).

We store such information, which may also constitute personal data, in server log files. The information is necessary to provide our website on a permanent, user-friendly, and reliable basis and to ensure data security, particularly the protection of personal data – even through third parties or with the assistance of third parties.

7.3 Tracking Pixels

We may use tracking pixels on our website, also known as web beacons. Tracking pixels – including those from third parties whose services we use – are small, usually invisible images that are automatically retrieved when visiting our website. Tracking pixels can collect the same information as server log files.

8. Notifications and Messages

We send notifications and messages via email and other communication channels such as instant messaging or SMS.

8.1 Success and Reach Measurement

Notifications and messages may contain web links or tracking pixels that record whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels may also collect usage data for notifications and messages. We require this statistical data collection for success and reach measurement in order to effectively and user-friendly send notifications and messages based on the recipients’ needs and reading habits, and to provide them permanently, securely, and reliably.

8.2 Consent and Objection

As a rule generally explicitly consent to the use of your email address and other contact information, unless such usage is permissible for other legal reasons. For obtaining consent, we use the “double opt-in” procedure whenever possible, meaning you receive an email with a link that you must click to confirm, ensuring protection against abuse by unauthorized third parties. We may log such consents, including Internet Protocol (IP) addresses, as well as date and time for evidence and security purposes.

As a rule generally object to receiving notifications and messages, such as newsletters, at any time. By making such an objection, you can also object to the statistical data collection for success and reach measurement. Necessary notifications and messages related to our activities and operations remain unaffected.

8.3 Notification Service Providers

We send notifications and messages using specialized service providers.

We particularly use:

• Mailchimp: Communication platform; Provider: The Rocket Science Group LLC DBA Mailchimp (USA) as a subsidiary of Intuit Inc. (USA); Privacy Information: Privacy Statement (Intuit) including “Country and Region-Specific Terms,” “Mailchimp Privacy FAQ,”, “Mailchimp and European Data Transfers,” “Security,” Cookie Policy, “Privacy Rights Requests,”, “Legal Provisions.”

9. Social Media

We maintain a presence on social media platforms and other online platforms to communicate with interested individuals and provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The respective General Terms and Conditions (GTC), terms of use, privacy policies, and other provisions of the individual operators of such platforms also apply. These provisions particularly inform about the rights of data subjects directly against the respective platform, including the right to information.

For our Facebook social media presence , including the so-called Page Insights, we are – if and to the extent the General Data Protection Regulation (GDPR) applies – jointly responsible with Meta Platforms Ireland Limited is part of the Meta group (including in the USA). Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to effectively and user-friendly provide our Facebook social media presence.

Further information about the nature, scope, and purpose of data processing, details about the rights of data subjects, and the contact information of Facebook as well as the Data Protection Officer of Facebook can be found in the Facebook Privacy Policy. We have concluded the so-called “Controller Addendum” with Facebook, thereby agreeing, among other things, that Facebook is responsible for ensuring the rights of data subjects. The corresponding information for Page Insights can be found on the page “Information about Page Insights” , including “Information about Page Insights Data.”

10. Third-Party Services

We use services from specialized third parties to carry out our activities and operations permanently, user-friendly, securely, and reliably. Such services allow us to embed features and content into our website. For such embedding, the used services, for technical reasons, collect at least temporarily the internet protocol (IP) addresses of users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized form. This includes, for example, performance or usage data to offer the respective service.

We particularly use:

• Services from Google: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General information about privacy: “Privacy and Security Principles,” Privacy Policy, “Google is committed to complying with applicable data protection laws,” “Privacy Guide for Google Products,” “How We Use Data from Websites or Apps That Use Our Services,” “Types of Cookies and Other Technologies Used by Google,” “Personalized Advertising” (Activation / Deactivation / Settings).

10.1 Digital Infrastructure

We use services from specialized third parties to access the required digital infrastructure related to our activities and operations. This includes hosting and storage services from selected providers.

We particularly use:

• Cyon: Hosting; Provider: cyon GmbH (Switzerland); Privacy Information: “Privacy,”, Privacy Policy.
• WordPress.com: Blog hosting and website builder; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users including those in Europe; Privacy Information: Privacy Policy, Cookie Policy.

10.2 Map Material

We use services from third parties to embed maps into our website.

We particularly use:

• Google Maps including Google Maps Platform: Map service; Provider: Google; Google Maps-specific information: “How Google Uses Location Information.”.

10.3 Digital Audio and Video Content

We use services from specialized third parties to enable the direct playback of digital audio and video content, such as music or podcasts.

We particularly use:

• YouTube: VVideo platform; Provider: Google; YouTube-specific information: “Privacy and Security Center,”, “My Data on YouTube.”

10.4 Fonts

We use services from third parties to embed selected fonts as well as icons, logos, and symbols into our website.

We particularly use:

• Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: “Privacy and Google Fonts,” “Privacy and Data Collection.”

10.5 Payments

We use specialized service providers to securely and reliably process payments from our customers. For payment processing, the legal texts of each service provider, such as terms and conditions (T&Cs) or privacy policies, also apply.

We particularly use:

• Concardis: Credit card payment processing; Provider: Concardis GmbH (Germany); Privacy information: Privacy Policy, “Privacy Information for Cardholders.”

10.6 Advertising

We use the opportunity to display targeted advertising for our activities and operations with third parties, such as social media platforms and search engines.

We aim to reach individuals who are already interested in or may be interested in our activities and operations(remarketing and targeting). For this purpose, we may transmit relevant, potentially personal information to third parties that enable such advertising. We may also determine whether our advertising is successful, particularly whether it leads to visits to our website (Conversion Tracking).

Third parties where we advertise and where you are logged in as a user may associate the use of our online offering with your profile there.

We particularly use:

• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising based on search queries, using various domain names – notably doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads, “Advertising” (Google), “Why am I seeing a specific ad?”..
• Instagram Ads: Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Privacy information: Remarketing and targeting, especially with Facebook-Pixel and Custom Audiences , including Lookalike Audiences, Privacy Policy (Instagram), Privacy Policy (Facebook), “Ad Preferences” (Instagram) (requires user login), “Ad Preferences” (Facebook) (requires user login).

11. Success and Reach Measurement

We use services and programs to determine how our online offering is used. In this context, we can measure the success and reach of our activities and operations, as well as the impact of third-party links to our website. Additionally, we may experiment and compare how different versions of our online offering or parts of our online offering are used (“A/B testing” method). Based on the results of success and reach measurement, we can, in particular, fix errors, strengthen popular content, or make improvements to our online offering.

When using services and programs for success and reach measurement, individual user Internet Protocol (IP) addresses must be stored. IP addresses are generally truncated (“IP masking”) to pseudonymize them and follow the principle of data minimization to improve the data protection of users.

When using services and programs for success and reach measurement, cookies may be used, and user profiles may be created. User profiles may include visited pages or viewed content on our website, information about screen size or browser window, and the approximate location. Generally , user profiles are created in a pseudonymous form only. We do not use user profiles to identify individual users. Certain third-party services where users are logged in may potentially associate the use of our online offering with the user’s account or profile on that specific service.

We particularly use:

• fusedeck: Success and reach measurement; Provider: Capture Media AG (Switzerland); Privacy information: “Data & Data Privacy”, Privacy Policy.

12. Video Surveillance

We use video surveillance for the prevention of crimes and the preservation of evidence in criminal cases, as well as for the exercise of our right of access. This is – to the extent and as long as the General Data Protection Regulation (GDPR) applies – based on overriding legitimate interests according to Art. 6(1)(f) GDPR. .

We store recordings from our video surveillance for as long as necessary for preserving evidence.

We may retain recordings due to legal obligations, to enforce our own legal claims, and in case of suspected crimes, as well as transmit them to relevant authorities, particularly courts or law enforcement agencies.

13. Final Provisions

We have created this privacy policy using the Privacy Policy Generator by Datenschutzpartner.

We may adjust and supplement this privacy policy at any time. We will inform about such adjustments and supplements in an appropriate manner, particularly by publishing the current privacy policy on our website.