Privacy policy

Privacy Policy

We respect your privacy and data protection is important to us. This privacy policy informs the customers of our company and users of this website about the type, scope and purpose of the collection and use of personal data in accordance with Swiss and EU data protection law. We always inform you transparently about what we need your data for and whether and for how long we store it.

We have taken technical and organisational measures to ensure that both we and our external service providers comply with data protection regulations. Personal data must be processed lawfully, in good faith and in a manner that is comprehensible to the data subject.

We act in accordance with the principles of the FADP, namely in the light of transparency, purpose limitation, fairness, data minimisation, limited storage periods, data accuracy, data security, privacy by design and privacy by default.

Important: This privacy policy is subject to change. Please keep yourself constantly and promptly informed via this website.

1. Aim of this privacy policy

Data protection is a matter of trust. Your trust is very important to us. In this privacy policy, we inform you about the collection, processing and use of your personal data.

This privacy policy primarily provides information about the following
- what personal data we collect and process;
- the purposes for which we use your personal data
- who has access to your personal data;
- what benefits our data processing has for you;
- the duration of the processing and storage of your personal data;
- your rights in relation to your personal data;
- and our contact addresses.

This Privacy Policy applies both under the Swiss Data Protection Act (DPA) and under the European General Data Protection Regulation (GDPR).

2. Terms

2.1 Personal data

Personal data is all information that can be linked to a specific person, assigned to a specific person or identifies a specific person (e.g. names, addresses, IP numbers, email addresses). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.2 Processing

‘Processing’ means any handling of personal data, regardless of the means and procedures used, in particular the collection, storage, retention, use, modification, disclosure, archiving, erasure or destruction of data.

2.3 Controller

The controller is the person who determines the purpose and means of processing, i.e. who decides that personal data are to be processed at all and which essential conditions apply.

2.4 Processor

The processor is the person who organises data processing for a third party. Although the processor itself decides that it will conduct its business and that it will process the controller's data, it is the controller's decision that this processing takes place at all. The controller has the right to issue instructions to the processor.

3. controller - for data processing

Under data protection law, the controller for a specific data processing operation is the company, primarily the contractual partner, which determines the purpose and scope.

The controller for data processing in accordance with this privacy policy is

bonainvest Holding AG
Weissensteinstrasse 15
CH-4500 Solothurn

E-mail: datenschutz@bonainvest.ch

Certain processing operations may be carried out under the responsibility of other companies. This will be indicated below in the respective description of the processing, if this is the case.

4. Addressees of this privacy policy

This privacy policy applies to all persons whose data we process, regardless of how you contact us, e.g. online, by telephone or by post.

It applies both to the processing of personal data already collected and to personal data to be collected in the future.

Further information can be found in our General Terms and Conditions (GTC) and in the respective contract. These may contain additional information on the intended data processing.

5 Collection of personal data

We primarily process the personal data that we receive from our customers and other business partners as part of our business relationship with them and other persons involved or that we collect from their users when operating our website, apps and other applications.

5.1 Data provided

You often disclose personal data to us yourself, e.g. by communicating with us and thereby transmitting data and making it available to us.

This occurs, for example, in the following constellations:

- You conclude a contract with us;
- You contact our customer service;
- You register for other offers, for example our newsletter

The provision of personal data is primarily voluntary. However, we must collect and process certain personal data in order to process and fulfil contracts. There are also statutory retention obligations. Otherwise, we will not be able to conclude, fulfil or continue the contract in question. The processing of personal data is generally permitted for the fulfilment of the contract.

If you provide us with data about other persons (friends or family members), we may assume that you are authorised to do so and that this data is correct. You must also ensure that these other persons have been informed about this privacy policy.

The disclosure of your personal data on our websites, apps or in the context of a contractual relationship implies consent that this personal data may be processed for the assertion of legal claims or for the purpose of investigating criminal offences and other misconduct (e.g. conducting internal investigations, data analyses to combat fraud).

5.2 Data collected

Personal data can also be collected automatically, e.g. online. This often involves behavioural and transaction data as well as technical data (time of website visit, payment history, etc.).

Personal data can be collected independently in the following cases, for example:

- You conclude a contract online;
- You visit one of our websites or use one of our apps;
- You disclose your customer account in a communication with us;
- You agree to receive our newsletter or otherwise interact with one of our electronic advertising messages.

We can derive further personal data from existing personal data, for example by evaluating behavioural and transaction data. Such derived personal data is often preference data.

We are entitled to use the personal data to optimise the services, for advisory and advertising purposes and to forward it to other companies for these purposes.

5.3 Data received

We may also receive personal data from other companies in our group. We may also receive personal data from other contractual partners if you have consented to their transmission to us. We may also obtain personal data about you from public sources.

6 Purposes of processing

Your data will only be processed for the purpose stated at the time of collection, for which you have given your consent, which is necessary due to the business relationship or which is provided for by law.

If you provide us with the personal data of other persons (e.g. family members, data of work colleagues), please ensure that these persons are aware of this privacy policy and only provide us with their personal data if you are authorised to do so and if this personal data is correct.

The personal data you enter will be collected and stored exclusively for internal use by the person responsible for processing and for their own purposes. Wherever possible, the data is anonymised. Anonymisation means that no conclusions can be drawn about the person concerned.

This data is used solely for the fulfilment of the order or contract. Your data is stored exclusively on servers in Switzerland.

6.1 Communication

We would like to stay in contact with you and respond to your individual concerns. We therefore process personal data for the purpose of communicating with you.

The purpose of communication includes in particular

- Responding to enquiries;
- contacting you with questions;
- customer care;
- communication in connection with the fulfilment of the contract or problems with it;
- Notifications about property projects and news about the company

6.2 Contract fulfilment

We also want to ensure the fulfilment of the contract to your utmost satisfaction. We therefore process personal data for the fulfilment of the contract and all directly or indirectly related areas, such as support, information about innovations, product adaptations, etc. The purpose of contract fulfilment generally includes everything that is necessary or expedient to conclude, execute and fulfil a contract. Contract processing may also include the agreed personalisation of services.

Contract processing also includes the data collected before the contract is concluded, for example the initial contact, the draft contract and the associated correspondence.

6.3 Information and marketing

We also process personal data for relationship management and marketing purposes, e.g. by sending written or electronic communications. Such communications may be personalised.

These may include the following communications:

- newsletters
- advertising emails
- in-app messages
- Electronic messages
- Information by post
- Advertising brochures, magazines and other printed matter;
- invitations to events, competitions and contests.

You can decline contacts for marketing purposes at any time.

In the case of newsletters and other electronic communications, you must give your explicit consent anyway.

6.4 Security and prevention

We want to ensure your and our security and prevent misuse.
To ensure your and our security and to prevent misuse, we process personal data for security purposes, to ensure IT security, to prevent theft, fraud and misuse and for evidence purposes.

We will therefore collect, analyse and store your personal data for security purposes.

6.5 Legal obligations

If there are legal obligations, e.g. for storage or disclosure, we will comply with them. Otherwise, we will not disclose your personal data.

6.6 Enforcement of rights

We process your personal data in order to enforce our claims, e.g. as part of the preservation of evidence or clarification of any prospects of litigation. Upon request, we will disclose your personal data to the authorities.

7 Legal basis for data processing

The processing of personal data is based on different legal bases depending on the purpose of the processing. Primarily, data processing is permitted in Switzerland unless it is prohibited by law (FADP or GDPR).

Data processing is permitted in fulfilment of a contract regardless of or even against the will of the data subject.

Furthermore, legitimate interests allow us to process data. Legitimate interests can be of an idealistic or economic nature. Direct advertising, for example, is a recognised purpose. This includes contacting people with advertising information, e.g. by telephone, e-mail or letter.

Furthermore, any data processing that is based on your consent or is required to comply with domestic or foreign legal provisions is permitted.

8 Disclosure of your personal data

8.1 Within our company and group of companies

We may pass on your personal data within our company and group of companies. The transfer may be for internal group administration or to support the companies concerned

8.2 To third parties

We may also disclose your personal data to companies outside our organisation if we use their services. These service providers primarily process your personal data on our behalf as processors. We oblige our processors to process your personal data exclusively in accordance with our instructions and to take appropriate data security measures by means of an order processing contract (AV).

Your consent is required for the disclosure of your personal data to other third parties for their own purposes, unless there is a legal basis that obliges us to disclose it by law, for example

- information on product recalls
- the transfer of receivables to other companies
- the examination or implementation of transactions under company law, such as company acquisitions, sales and mergers
- the disclosure of personal data to courts and authorities in Switzerland and abroad
- processing personal data in order to comply with a court order or official directive
- to assert legal claims

9. Disclosure abroad

9.1 Switzerland and the EU

We process and store personal data in Switzerland and the European Union. The GDPR guarantees a level of data protection equivalent to that in Switzerland.

In certain cases, however, we may also disclose personal data to service providers and other recipients located outside this territory or process personal data outside this territory, in principle in any country in the world.

Personal data may only be transferred abroad without further ado (or become accessible from abroad) if the country in question offers a level of protection that is appropriate from a Swiss perspective.

The countries concerned outside the EU often do not have laws that protect your personal data to the same extent as in Switzerland or the EU. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner.

One means of ensuring adequate data protection is by means of contracts that guarantee the necessary data protection of your personal data abroad. Standard contractual clauses (approved by the Federal Data Protection and Information Commissioner) are often used. Contractual precautions often do not fully compensate for weaker or missing legal protection, so that your consent would be required.

9.2 Third country transfer (e.g. USA) without adequate data protection

Services from companies based in the USA or with relationships in the USA are integrated on our website. You must consent to this data processing. In this case, unrestricted access to your personal data by US authorities cannot be ruled out. Legal action cannot be taken. In the following cases, we cannot ensure the protection of your personal data in an appropriate manner, not even by means of standard data protection clauses.

These are not limited to the following services and service providers

Google
- Google Analytics
- Google Ads
- Google Adwords
- Google Maps
- YouTube

https://www.google.com
Privacy policy: https://www.google.com/policies/technologies/ads/.

Facebook
www.facebook.com
Privacy Policy: www.facebook.com/privacy/policy

Instagram
www.instagram.com
Privacy policy: https://privacycenter.instagram.com/policy

YouTube
www.youtube.com
Privacy policy: https://policies.google.com/privacy?hl=de

LinkedIn
www.linkedin.com
Privacy policy: https://de.linkedin.com/legal/privacy-policy

Twitter
www.twitter.com
Privacy policy: https://twitter.com/de/privacy

Pinterest
www.pinterest.com
Privacy policy: http://pinterest.com/about/privacy

HubSpot
www.hubspot.com
Privacy policy: https://legal.hubspot.com/privacy-policy.

The accuracy of the above address and group information is not guaranteed and may change in a dynamic economic environment.

On the other hand, it cannot be ruled out that all of the aforementioned companies may have to grant the US authorities access to your personal data (US CLOUD Act), even if the data is not stored in the USA.

Therefore, such data processing will only take place with your explicit consent.

The information regarding the USA is provided subject to the proviso that Switzerland still does not have an EU-US Data Protection Framework or an equivalent adequacy decision in the sense of a Swiss-US Data Privacy Framework with the USA.

9.3 Data is transmitted to the following countries:

- Switzerland
- European Union
- Belgium (Google Cloud)
- France (Google Cloud)

10. personal data requiring special protection

Certain types of personal data are considered particularly worthy of protection under data protection law. These are primarily, but not exclusively, health data, biometric characteristics or DNA profiles.

We only process particularly sensitive personal data if it is absolutely necessary for the provision of a service, if you have provided this data yourself or have consented to its processing. Such data is primarily not passed on to third parties or abroad.

11 Profiling

Profiling refers to the automated processing of personal data to analyse your personal aspects, such as personal interests, preferences, affinities and habits.

We do not carry out profiling without your consent.

12 Automated individual decisions

Automated individual decisions are made completely automatically, i.e. without human influence. However, these decisions have legal consequences for the data subject or significantly affect them in some other way.

We do not use automated individual decisions. Should we nevertheless use automated individual decisions in individual cases, we will inform you. You will then have the opportunity to have the decision reviewed by a human being.

13 Data protection and security

We take appropriate and state-of-the-art security measures of a technical and organisational nature to protect the security of your personal data, to protect it against unauthorised or unlawful processing and to counteract the risk of loss, unintentional modification, unwanted disclosure or unauthorised access.

We also oblige our processors to take appropriate technical and organisational security measures.

However, even we cannot rule out data security breaches with absolute certainty. We will inform you and the FDPIC of any data loss or data leakage in the cases provided for by law.

14 Processing duration

In application of the principles of data minimisation and transparency, we only process and store your personal data for as long as is necessary to achieve the agreed purpose (e.g. fulfilment of the contract), i.e. only for as long as we have a legitimate interest in storing it, e.g. until full payment has been made. As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymised.

In the case of statutory retention obligations, the data will be stored for a correspondingly long period, for example 10 years in accordance with the Swiss Code of Obligations.

If we wish to store your data for longer, we will ask for your consent.

15 Cookies and similar technologies

15.1 Purpose

We provide information on how and why we collect, process, use and store personal data and other data when you use our websites and mobile apps, in particular in connection with cookies and similar technologies. In the following, websites also refer to mobile apps.

15.2 Log data

Every time our website is used, certain data is automatically stored temporarily in log files for technical reasons. This is not limited to the following technical data:

- IP address of the requesting end device,
- Information about your internet service provider,
- Information about the operating system of your end device (tablet, PC, smartphone, etc.),
- Details of the referring URL,
- Information about the browser used,
- the date and time of access, and
- content accessed when visiting the website.

This data is processed for the purpose of using our websites, such as establishing a connection, ensuring functionality, system security and stability, optimising our website and for statistical purposes.

The IP address is also analysed together with log data and other data in the event of attacks on the IT infrastructure for clarification and defence purposes and, if necessary, used in the context of criminal and civil proceedings, e.g. to identify the persons concerned.

15.3 Cookies and similar technologies

Our websites use cookies. Cookies are small text files that are stored on your computer or mobile device via an internet browser when you visit the websites. When you visit one of the websites again, the website recognises you without knowing who you are. The purpose of this recognition is to make it easier for you to use the website. By using cookies, we can provide you with more user-friendly services that would not be possible without cookies.

You can configure your browser settings to block certain cookies or similar technologies or to delete existing cookies and other data stored in the browser. You can also add software (so-called plug-ins) to your browser that blocks tracking by certain third parties. Information on this can be found on the help pages of your browser, often under data protection.

If you block cookies and similar technologies, our websites may no longer function to their full extent.

16. data processing after consent

Data processing by certain service providers, e.g. Google, LinkedIn, Facebook, YouTube, etc., only takes place with explicit consent, if possible by ‘double opt-in’. You can revoke your consent at any time.

You must consent to data processing by companies based in the USA or with relationships in the USA. In this case, unrestricted access to your personal data by US authorities cannot be ruled out. Legal action cannot be taken. In the following cases, we cannot ensure the protection of your personal data in an appropriate manner, not even by means of standard data protection clauses. In this respect, it cannot be ruled out that the US authorities may have access to your personal data (US CLOUD Act). This applies subject to the proviso that Switzerland continues to have an equivalent adequacy decision with the USA in the sense of a Swiss-US Data Privacy Framework.

17 Your rights to cancellation, information, correction, deletion, etc.

17.1 Right to information

You have the right to request confirmation from us as to whether personal data concerning you is being processed by us. If this is the case, you have a right to information about this personal data and to further information. We ask you to submit the request for information together with proof of identity.

17.2 Right to rectification

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, this also includes the right to request the completion of incomplete personal data - also by means of a supplementary declaration.

17.3 Right to erasure

You have the right to request the erasure or anonymisation of all personal data concerning you without undue delay, unless we are legally obliged to retain it.

17.4 Right to data portability and surrender

You also have the right to receive the data that you have provided to us in a commonly used file format.

17.5 Revocation of consent

You can withdraw your consent at any time with effect for the future. Please note that the exercise of these rights may conflict with contractual agreements and this may, for example, have cost consequences.

17.6 Objection

You can object to data processing, particularly if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met.

17.7 Legal recourse

You can also enforce your rights in court or submit a report to the competent supervisory authority. In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) is responsible for this. Further information can be found at: http://www.edoeb.admin.ch.

18. contact details

If you have any questions or concerns about data protection on our website, if you would like information about your data or if you would like to have your data deleted, please contact our contact person for data protection law at the following coordinates (online or by post), as well as if you have any questions about this privacy policy or the processing of your personal data.

bonainvest Holding AG
Weissensteinstrasse 15
4503 Solothurn
datenschutz@bonainvest.ch

19 Changes to this privacy policy

We reserve the right to amend this privacy policy at any time. We therefore recommend that you check this statement regularly.

bonainvest Holding AG, May 2024.