Privacy Policy

The Findea AG (hereinafter also “we”, “us”) collects and processes personal data relating to you or to other individuals (so-called “third parties”).

In this Privacy Policy, the term “data” is used synonymously with “personal data” or “personally identifiable information”.

This Privacy Policy explains what we do with your data when you use www.findea.ch, our other websites, or our apps (together referred to as the “Website”), when you use our services or products, when you are otherwise connected with us under a contract, when you communicate with us, or otherwise interact with our company.

Where applicable, we will inform you separately and in due time about additional processing activities not covered in this Privacy Policy. Furthermore, we may provide specific information on the processing of your data in consent forms, contractual terms, supplementary privacy notices, forms, or additional guidelines.

This Privacy Policy is designed to meet the requirements of the EU General Data Protection Regulation (GDPR) as well as the Swiss Federal Data Protection Act (FADP/DSG). Whether and to what extent these laws are applicable, however, depends on the specific individual case.

For the data processing activities described in this Privacy Policy, the entity responsible under data protection law is Findea AG, Neuwiesenstrasse 15, 8400 Winterthur, unless otherwise communicated in individual cases.

You can contact us regarding any data protection concerns or to exercise your rights pursuant to section 11 as follows:

By postal mail to:
‍
Findea AG
‍
P.O. Box
‍
8401 Winterthur
‍
Switzerland

or

via email to: info@findea.ch

We process different categories of data about you. The most important categories are as follows:

Technical data: When you use our website or other electronic services, we collect the IP address of your device and other technical data to ensure the functionality and security of these services. Such data also includes log files recording the use of our systems. We generally store technical data for 6 months. To ensure functionality, we may also assign an individual code to you or your device. On their own, technical data usually do not allow us to identify you. However, in the context of user accounts, registrations, access controls, or contract processing, such data may be linked with other data categories (and thereby with your identity).

Registration data: Certain services and offerings can only be used with a user account or registration, either directly with us or via our external login providers. To this end, you must provide certain information, and we collect data relating to your use of the service or offering. We generally store registration data for 12 months after the end of the use of the service or the closure of the user account.

Communication data: When you contact us via contact form, email, phone, letter, or other communication channels, we collect the information exchanged between you and us, including your contact details and metadata of the communication. If we need or want to verify your identity, we may collect information to identify you (e.g. a copy of an ID). We generally store this data for 12 months from the last interaction with you. This period may be longer where necessary for evidence purposes, compliance with legal or contractual requirements, or for technical reasons. Emails in personal mailboxes and written correspondence are usually kept for at least 10 years.

Master data: Master data refers to the basic information we need in addition to contractual data (see below) to manage our contractual and other business relationships or for marketing and advertising purposes. This includes, for example, your name, contact details, information about your role and function, bank account details, date of birth, or customer history. We process your master data if you are a client or another business contact, or act on behalf of such, or if we wish to contact you for our own purposes or those of a contractual partner (e.g. for marketing or advertising). We may receive master data directly from you (e.g. when making a purchase or registering), from organizations you work for, from third parties such as contractual partners, associations, or address providers, and from publicly available sources such as public registers or websites. We generally store this data for 10 years from the last interaction with you, but at least from the end of a contract. This period may be longer where required for evidence, legal or contractual compliance, or for technical reasons. For purely marketing and advertising contacts, the retention period is normally much shorter, usually no more than 2 years since the last contact.

Contract data: This refers to data arising in connection with the conclusion or execution of a contract, such as information on contracts and services to be provided or already provided, as well as data collected prior to a contract (e.g. details required for execution or information on responses). We usually collect this data from you, from contractual partners, from third parties involved in the execution of the contract, but also from third-party providers (e.g. credit rating agencies) and from publicly accessible sources. We generally store this data for 10 years after the last contractual activity, but at least from the end of the contract. This period may be longer where required for evidence, legal or contractual compliance, or for technical reasons.

Many of the data categories mentioned in this section 3 are provided directly by you (e.g. via forms, in communication with us, in connection with contracts, or when using the website). You are not obliged to do so, subject to exceptions. However, if you wish to enter into contracts with us or make use of our services, you must provide us with certain data as part of your contractual obligations, particularly master, contract, and registration data. When using our website, the processing of technical data is unavoidable.

Where permissible, we may also collect data from publicly accessible sources, or receive data from authorities and other third parties.

We process your data for the purposes explained below. These purposes – and the objectives underlying them – represent legitimate interests of ours and, where applicable, those of third parties.

We process your data for purposes related to communication with you, in particular to respond to inquiries, to exercise your rights, and to contact you in case of questions. For this, we primarily use communication data and master data, and in connection with services or offerings you use, also registration data. We retain this information to document our communication with you, for training purposes, to ensure quality, and to handle follow-up queries.

In addition, we process data for the initiation, management, and execution of contractual relationships, for marketing and relationship management purposes, for market research, to improve our services and operations, for product development, to comply with laws, directives, and official recommendations, as well as with internal policies (compliance). We may also process data for other purposes, for example in the context of our internal processes and administration.

Where we ask for your consent to specific data processing activities, we will inform you separately about the corresponding purposes of processing. You may revoke your consent at any time with effect for the future by notifying us in writing (by post) or, unless otherwise stated or agreed, by email; our contact details can be found in section 2. For withdrawing your consent in relation to online tracking, please refer to section 12. If you have a user account, it may also be possible to withdraw consent or contact us directly through the relevant website or service.

Once we receive notice of your withdrawal of consent, we will no longer process your data for the purposes you originally agreed to, unless we have another legal basis for doing so. The withdrawal of consent does not affect the lawfulness of processing carried out based on your consent prior to its withdrawal.

Where we do not request your consent, we process your personal data on the basis that such processing is necessary for the initiation or performance of a contract with you (or the entity you represent), or because we or third parties have a legitimate interest in such processing. This includes in particular the purposes and objectives described in section 4 above, as well as the related measures. Our legitimate interests also include compliance with legal obligations, insofar as these are not already recognized as a legal basis under the applicable data protection laws.

In certain cases, other legal bases may apply, which we will communicate to you separately where required.

We may evaluate certain of your personal characteristics on an automated basis (“profiling”) using your data (see section 3) for the purposes described in section 4. This may include determining preference data, identifying misuse and security risks, performing statistical analyses, or supporting operational planning.

For the same purposes, we may also create profiles, meaning we may combine behavioral and preference data with master, contract, and technical data assigned to you, in order to better understand you as an individual with your various interests and other characteristics.

In both cases, we ensure that the results remain proportionate and reliable, and we implement measures to prevent misuse of profiling or profiles. Where such processing may have legal consequences or lead to significant disadvantages for you, we generally provide for a manual review.

In connection with our contracts, the website, our services and products, our legal obligations, or in order to safeguard our legitimate interests and the other purposes set out in section 4, we also disclose your personal data to third parties, in particular to the following categories of recipients:

Service providers: We cooperate with service providers in Switzerland and abroad who process data about you on our behalf, under joint responsibility with us, or in their own responsibility after receiving such data from us.

Authorities: We may disclose personal data to offices, courts, and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so, or if disclosure appears necessary to protect our interests.

Contractual partners including clients: This refers primarily to clients (e.g. service recipients) and other contractual partners of ours, since such disclosure of data results from the relevant contracts. If you yourself work for such a contractual partner, we may also disclose data about you in this context. Recipients also include contractual partners with whom we cooperate.

Other parties: This includes other cases where the involvement of third parties arises from the purposes described in section 4.

All of these categories of recipients may in turn involve third parties, making your data accessible to them as well. While we may limit processing by certain third parties (e.g. IT providers), we cannot restrict processing by others (e.g. authorities, banks, etc.).

As explained in section 7, we also disclose data to other parties. These are not located exclusively in Switzerland. Your data may therefore be processed both within Europe and in other countries worldwide.

If a recipient is located in a country without adequate statutory data protection, we require them by contract to comply with applicable data protection rules (for this purpose, we use the revised Standard Contractual Clauses of the European Commission, available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless they are already subject to a legally recognized framework ensuring data protection, or unless we can rely on an exemption. Such exemptions may apply in particular in connection with legal proceedings abroad, overriding public interests, contractual processing requirements, where you have given consent, or in cases involving data you have made generally accessible and not objected to its processing.

Please also note that data exchanged over the internet is often routed through third countries. Your data may therefore end up abroad even when both the sender and recipient are located in the same country.

We process your data for as long as required by our processing purposes, statutory retention periods, and our legitimate interests in processing for documentation and evidence purposes, or where storage is technically necessary.

Further details on storage and processing periods can be found in the respective data categories in section 3 and the cookie categories in section 12.

Where no legal or contractual obligations prevent this, we delete or anonymize your data after the storage or processing period has expired, in line with our standard procedures.

We implement appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data, to protect it against unauthorized or unlawful processing, and to guard against the risks of loss, accidental alteration, unwanted disclosure, or unauthorized access.

To give you greater control over the processing of your personal data, you may, depending on the applicable data protection law, exercise the following rights in relation to our processing activities:

• The right to request information about whether we process your data and, if so, which data.
• The right to have incorrect data corrected.
• The right to request the deletion of data.
• The right to request the release of certain personal data in a commonly used electronic format or its transfer to another controller.
• The right to withdraw consent, where our processing is based on your consent.
• The right to request further information necessary for the exercise of these rights.
• The right, in the case of automated individual decisions (see section 6), to express your point of view and to request that the decision be reviewed by a natural person.

If you wish to exercise the above rights, please contact us in writing, in person at our offices, or—unless otherwise specified or agreed—by email; our contact details are provided in section 2. To prevent misuse, we may need to identify you (e.g. with a copy of an ID, where no other option is available).

Please note that these rights may be subject to conditions, exceptions, or limitations under applicable data protection laws (e.g. for the protection of third parties or trade secrets). Where relevant, we will inform you accordingly.

If you disagree with how we handle your rights or with our data protection practices, please let us know (see section 2). In particular, if you are located in the EEA, the United Kingdom, or Switzerland, you also have the right to lodge a complaint with the data protection supervisory authority in your country. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_en. The supervisory authority in the United Kingdom can be contacted here: https://ico.org.uk/global/contact-us/. The Swiss supervisory authority can be contacted here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact/address.html.

On our website, we use various technologies that allow us – and third parties engaged by us – to recognize you when you use our services and, in some cases, track you across multiple visits. This section explains how these technologies work.

Essentially, they enable us to distinguish your visits (via your system) from those of other users, so we can ensure the website’s functionality, carry out evaluations, and personalize the experience. We do not aim to identify you personally, though it is possible if we or third parties combine the data with registration details. Even without registration data, the technologies used can recognize you as an individual visitor each time, for example by assigning a unique identifier (a “cookie”) to your browser or device.

We use such technologies ourselves and also allow certain third parties to use them. You can configure your browser to block, disguise, or delete cookies and similar tools. You can also install extensions to block tracking by specific third parties. For details, see your browser’s help pages (usually under “privacy”) or the websites of the third parties listed below.

We distinguish between the following categories of cookies (similar technologies such as fingerprinting are included here):

• Necessary cookies: Some cookies are essential for the website to function or to enable certain features. For example, they make sure you can navigate between pages without losing information entered into forms, or that you remain logged in. These are temporary “session cookies.” If you block them, the website may not function correctly. Other necessary cookies allow the server to remember your preferences or choices across sessions (e.g., chosen language, consent, auto-login). These cookies may last up to 24 months.
• Performance cookies: To optimize our website and services and better adapt them to users’ needs, we use cookies to record and analyze website usage, sometimes beyond a single session. For this, we rely on third-party analytics providers (see below). Performance cookies may also last up to 24 months.
• Marketing cookies: Together with our advertising partners, we use cookies to deliver targeted advertising, meaning ads shown only to those likely to be interested. With your consent, these cookies record visited content or completed transactions, enabling us and our partners to display tailored ads both on our site and on other platforms. Such cookies may last from a few days to 12 months. If you do not consent, you will still see ads, but they will not be personalized.

In addition to marketing cookies, we use other advertising techniques. For example, we may share the email addresses of our users or customers with advertising platforms (e.g., social media). If the same email is registered with the platform, ads can be targeted to that person. The platform does not receive unknown email addresses, but it will know when a known user is connected to us.

We may also integrate third-party services on our website, such as social media providers. These are deactivated by default. Once you activate them (e.g., by clicking a button), the provider can detect that you are visiting our site and, if you have an account, link the activity to your profile. These providers process data under their own responsibility.

Currently, we use services from the following providers and advertising partners (insofar as they use your data or set cookies):

Google Analytics: Provided by Google Ireland (Ireland), with Google LLC (USA) as processor. Tracks website usage (e.g., session length, pages visited, geographic origin) via performance cookies and provides us with reports. IP addresses are anonymized in Europe before transfer to the USA. Data sharing and “signals” are disabled. Still, Google may create personal profiles and link data to Google accounts. If you consent, you explicitly agree to the transfer of data (usage data, device info, IDs) to the USA and other countries. Privacy information:
https://support.google.com/analytics/answer/6004245
https://policies.google.com/technologies/partner-sites?hl=en

Google AdSense: Displays ads on our site using cookies and web beacons. Data (including IP addresses) is transmitted to Google servers in the USA and may be shared with partners. If you prefer not to be tracked, you can block cookies in your browser, though this may restrict some website functions. Privacy information:
https://policies.google.com/technologies/ads

X (formerly Twitter): Plugins (Tweet button) establish a direct connection between your browser and X servers, transmitting your IP and visit details. If logged into X, your activity may be linked to your account. Privacy information:
https://twitter.com/en/privacy
Developer information: https://dev.twitter.com/

LinkedIn: Plugins (e.g., “Recommend” button) can link your visit to your LinkedIn account if you are logged in. Privacy information: http://www.linkedin.com/legal/privacy-policy

Instagram: Plugins (e.g., Instagram button) transmit data including your IP address to Instagram servers in the USA. If logged in, your activity can be linked to your account. Privacy information: https://help.instagram.com/155833707900388/

Facebook: Plugins (e.g., “Like” button) establish a direct connection with Facebook servers. If logged into Facebook, your visit can be linked to your account. Privacy information: http://de-de.facebook.com/policy.php

Pinterest: The “Pin it” button can link your visit to your Pinterest account if you are logged in. Privacy information: http://pinterest.com/about/privacy/

YouTube: Plugins transmit data on your visit to YouTube (Google Inc.). If logged into YouTube, your activity can be linked to your account. Privacy information: http://www.youtube.com/t/privacy

We share your data with our partners (third parties) in order to provide you with the best possible service. Where we cooperate with banks, the transfer of data may indicate a potential banking relationship. Partner banks may also provide us with a notification to confirm the successful establishment of a new banking relationship. To this extent, you release the respective bank(s) from their duty to maintain banking secrecy and data protection.

When we share data with external service providers, technical and organizational measures are taken to ensure that the transfer complies with statutory data protection requirements. If you voluntarily provide us with personal or company-related data, we will not use, process, or disclose such data beyond the legally permitted scope or the scope defined by your consent.

In addition, we only share your data with external service providers insofar as this is necessary for the performance of a contract and provided they have agreed to the relevant confidentiality and due diligence obligations. Furthermore, we only disclose your data if we are legally required to do so or in response to official or court orders.