Privacy Policy for Rivella Group websites

Last updated: September 2023

We, Rivella AG (Neue Industriestrasse 10, 4852 Rothrist, Switzerland), are the operator of the websites listed below (Website) and, unless otherwise stated in this Privacy Policy, are the controller for the data processing described in this Privacy Policy:

• www.focuswater.ch

Please read the information below to help you understand what personal data we collect from you and for what purposes we use it. With regard to data protection, we are guided primarily by the statutory provisions of Swiss data protection law, in particular the Federal Act on Data Protection (FADP), as well as the EU General Data Protection Regulation (GDPR), which may be applicable in individual cases.

Please note that the following information will be reviewed and amended from time to time. We therefore recommend that you check this Privacy Policy regularly. In addition, other compa-nies are considered controllers or joint controllers with us under data protection law for certain data processing operations listed below, so the information of those providers is also relevant in those cases.

If you have any questions about data protection or would like to exercise your rights, please reach out to our contact person for data protection by sending an email to: datenschutz@rivella.ch

Your personal data is processed when you contact us via our contact addresses and channels (e.g. by email, phone or contact form). We process the data you provide to us, such as your name, email address or telephone number and your request. We also document the date and time your request was received. Mandatory information is indicated with an asterisk (*) in con-tact forms. We process this data in order to action your request (e.g. to provide information about our products and services, to assist with contract processing, to use your feedback to improve our products and services, etc.).

If you open a customer account on our Website, we collect the following data, whereby mandatory information is indicated with an asterisk (*) in the corresponding form:

• Personal details:

  • Salutation

  • First and last name

  • Billing and, if applicable, delivery address

  • Date of birth

  • Company, company address and VAT ID number for business customers

• Login details:

  • Email address

  • Password

  • Other information:

  • Phone number

  • Languages

  • Gender

We use the personal details to establish your identity and to verify the requirements for registration. The email address and password together serve as login details and thus ensure that the correct person as per your information is using the Website. We also need your email ad-dress to verify and confirm the account opening and for future communication with you that is necessary for contract processing. We collect your phone number in order to facilitate the processing of contracts and, if necessary, to contact you via an alternative communication channel with a view to the performance of contracts. In addition, this data is stored in your customer account for the conclusion of future contracts. We also allow you to store further de-tails in your account (e.g. your preferred method of payment) for this purpose.

Furthermore, we use the data to provide an overview of the orders placed and services ob-tained (see Section 13 in particular) and a simple possibility to manage your personal data for the administration of our Website and the contractual relationships, i.e. to establish, define the content of, process and amend the contracts concluded with you via your customer account (e.g. in connection with orders you place with us).

We process the information on language and gender in order to show you on the Website suggested offers best tailored to your profile and/or personal needs, for statistical recording and evaluation of selected products and services and thus to optimise our service and product suggestions.

The legal basis for the processing of your data for the above purpose is your consent pursuant to point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time by removing the information from your customer account again or by deleting your customer account or having it deleted by sending a message to us.

To avoid misuse, you should always keep your login details confidential and log out and clear your browsing history after each session, especially if the device you are using is shared with others.

You have the opportunity to purchase products on our Website. We collect the following data for this purpose, whereby mandatory information is indicated with an asterisk (*) in the order process:

• Personal details:

  • Salutation

  • First and last name

  • Billing and, if applicable, delivery address

  • Date of birth

  • Company, company address and VAT ID number for business customers

• Other information:

  • Email address

  • Phone number

  • Comments relating to the order

We use the personal details to establish your identity before entering into a contract. We need your email address to confirm your order and for future communication with you that is neces-sary for contract processing. We store your data together with the marginal data of the order (e.g. date and time, order number, etc.), data on the services ordered (e.g. product name, price and characteristics; product data), payment data (e.g. chosen payment method, confir-mation of payment and date and time; see also Section 6) as well as information on the pro-cessing and performance of the contract (e.g. return of products, use of services or warran-ties, etc.) in our CRM database (see Section 13) so that we can ensure the correct processing of the order and performance of the contract.

The legal basis for this data processing is the performance of a contract with you pursuant to point (b) of Art. 6(1) GDPR.

Data that is not marked as mandatory is provided on a voluntary basis. We process this data in order to tailor our products and services to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you if necessary on an alternative communication channel with a view to the performance of contracts or for statistical recording and evaluation in order to optimise our products and services.

The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time by notifying us.

If you pay to purchase products in our online shop, you have to provide further data in addition to the information referred to in digit 5, such as your credit card information or the login with your payment service provider, depending on the product and the payment method you wish to use. This information as well as the fact that you have purchased a service from us for the relevant amount and at the date and time concerned is forwarded to the respective payment service providers (e.g. providers of payment solutions, credit card issuers and credit card acquirers). Please note at all times the information of the respective company, in particular its privacy policy and general terms and conditions. The legal basis for our data processing is the performance of a contract pursuant to point (b) of Art. 6(1) GDPR.

If you wish to purchase on account, we assign our purchase price claim against you to MF Group AG (Kornhausstrasse 25, CH-9001 St. Gallen, Switzerland; hereinafter MF) and you en-ter into a contractual relationship with MF in accordance with the MF Powerpay GTC. You therefore receive the invoice for your order from MF and we forward the necessary data (in particular your personal details, email address, details of the claim (especially the amount and the date and time the order was placed)) to MF for this purpose.

Please note that an automated assessment of your creditworthiness may also be carried out as part of the data processing by MF. In this context, a score may be assigned to you by MF or an authorised service provider (e.g. a credit agency). This is an estimate of the future risk of default, e.g. expressed as a percentage. This value is determined using mathematical and statistical methods and by incorporating the credit agency’s data obtained from other sources.  In this context, automated decision-making (and profiling with or without high risk) may also take place and result in the ‘Invoice’ payment method not being available to you. If the legal requirement is met, you have the right to state your point of view and request a review of the decision by a natural person. The legal basis for this data processing is our legitimate interest according to point (f) of Art. 6(1) GDPR in avoiding payment defaults.

By choosing the ‘Invoice’ payment method, you agree to this data processing. The legal basis for our data processing is therefore your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time with effect for the future by notifying us.

With regard to the processing of your data for MF’s own purposes as controller, please note MF’s Privacy Policy (here and here).

When you register for our marketing emails (e.g. when you open your customer account or from within this account or as part of an order or competition), the following data may in particular be collected. Mandatory information is indicated with an asterisk (*) at the time of registration:

• Email address

• First and last name

• Salutation

• Gender

• Language

• Address

We use a double opt-in process during registration in order to prevent misuse and to ensure that owners of email addresses have genuinely given their consent to receive marketing emails. After submitting your registration, you receive an email from us containing a confirmation link. You must click on this link to finalise your registration for marketing emails. If you do not confirm your email address by clicking on the confirmation link within the specified period, your data is deleted again and our marketing emails will not be sent to this address.

By registering, you consent to the processing of this data in order to receive marketing emails from us about our company and our products. These marketing emails may also include dis-counts, vouchers or invitations to participate in competitions, provide feedback, take surveys or rate our products. By collecting further data (especially salutation, first and last name, gen-der, language and address), we can associate your registration with any existing customer ac-count (including order history) or past orders. In addition, to the extent possible, we link other interactions by you with our websites and services (e.g. participation in competitions, products viewed or placed in the shopping cart, or if you express an interest in our products on social media platforms (e.g. using the Like button)) to your registration. The purpose of linking to such data is to personalise the content of marketing emails, i.e. to make the content more rel-evant to you and better tailored to your potential needs. In this context, there may also be an automated evaluation of personal aspects (e.g. your interests) (profiling with or without high risk), to which your consent also relates.

Your consent constitutes the legal basis for the processing of the data within the meaning of point (a) of Art. 6(1) GDPR. We use your data to send marketing emails until you withdraw your consent. You may withdraw your consent at any time, in particular by using the unsubscribe link included in all marketing emails.

Our marketing emails may contain a web beacon, 1x1 pixel (tracking pixel) or similar technical aids. A web beacon is an invisible graphic that is linked to the user ID of the respective sub-scriber. For each marketing email sent, we receive information about which email addresses it was successfully delivered to, which email addresses have not yet received it and for which email addresses the delivery has failed. We are also shown which email addresses opened the marketing email and for how long as well as which links were clicked. Finally, we also receive information about which subscribers have unsubscribed from the mailing list. We use this data for statistical purposes and to optimise marketing emails in terms of frequency, timing of dis-patch, structure and content. This enables us to better tailor the information and offers in our marketing emails to the individual interests of the recipients.

By registering for marketing emails, you also consent to the statistical evaluation of user behaviour for the purpose of optimising and adapting the marketing emails. In this context, there may also be an automated evaluation of personal aspects (e.g. your interests) (profiling with or without high risk), to which your consent also relates. Your consent constitutes our legal basis for processing the data within the meaning of point (a) of Art. 6(1) GDPR. The web beacon is deleted when you delete the marketing email. You can opt out of the use of web beacons in our marketing emails and thereby withdraw your consent by setting the parameters of your email program so that HTML is not displayed in messages. See the help guide for your email soft-ware application for information on how to configure this setting, e.g. here for Microsoft Outlook.

We use a software application provided by Salesforce, Inc. (415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA) to send marketing emails. Therefore, your data may be stored in a Salesforce database, which may allow Salesforce to access your information when required to provide the software and support its usage. Information about data processing by third parties and any transfer abroad is available under Section 17 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in using the services of third-party providers.

Salesforce may wish to use some of this data for its own purposes (e.g. for statistical analysis aimed at optimising products). Salesforce is the controller for such data processing and must ensure compliance with data protection laws in connection with this data processing. For information about data processing by Salesforce, please see here.

You have the opportunity to take part in competitions on our Website. The following data may be collected from you, where mandatory information is indicated with an asterisk (*) in the cor-responding form:

• Personal details:

  • Salutation

  • First and last name

  • Home address

  • Date of birth

• Other information:

  • Email address

  • Phone number

  • Interests

  • Answer to competition question

We use the personal details to establish your identity and to verify the requirements for participation. We also save them in a central database (see Section 16) together with information on the date and time of entry and the competition (in particular name and period) and use them to administer the competition, i.e. in particular to contact you in the context of the competition (especially to inform you that you have won a prize) and to send out prizes. To participate, you must register for our email newsletter and consent to the associated processing (including pro-filing with or without high risk) (see Section 7). The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time with effect for the future by notifying us and thus waive your right to participate in the competition. Please also note the information in the individual conditions of participation for each competition.

We use software applications from various providers to run our competitions. Therefore, your data may be stored in a database of these providers, which may allow them to access your information when required to provide the software applications and support the usage of the software. For certain services, the data may also be embedded using iFrames or similar methods, also resulting in particular in the transfer of your log file data, such as IP ad-dress, to the providers (see Section 11.1). Information about data processing by third parties and any transfer abroad is available under Section 17 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in using the services of third-party providers.

Providers may wish to use some of this data for their own purposes (e.g. for statistical analy-sis aimed at optimising products). The providers are the controller for such data processing and must ensure compliance with data protection laws in connection with this data processing. Information about how the providers process data is available in the privacy policies and statements linked to above.

In order to help other users in their decision-making and to support our quality management (especially the processing of negative feedback), you have the opportunity to rate and com-ment on our products and services on our Website. The data that you provide to us is pro-cessed and published on the Website, i.e. in addition to your rating and its date and time, this includes any comment you may have given with your rating or the name you have provided. The legal basis for the data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time and request that your rating be anonymised.

We reserve the right to delete unlawful reviews and to contact you in case of suspicion and ask you to comment. The legal basis for this processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in providing a lawful and uncompromised comment and rating function as well as preventing misuse during usage thereof.

You have the opportunity to apply to us to become an ambassador for our products and to submit sponsorship requests. We collect the following data for this purpose, which you provide to us, whereby mandatory information is indicated with an asterisk (*) in the respective forms:

• Personal and contact details:

  • Gender

  • First and last name

  • Address

  • Date of birth

  • Phone number

  • Email address

• Other information:

  • Your relationship to our products, e.g. how you came across us

  • Your online presence (e.g. social media accounts, websites, etc.)

  • Your field of activity

  • Your professional and personal goals

  • Your motivation for your application/request (e.g. reason for suitability as an ambassador, your services in return for us, ideas for the content in your initial social media posts)

  • Files (e.g. sponsorship dossier)

  • Comments

We use the data you provide to correctly identify you, to assess your suitability to become an ambassador or for a sponsorship and to contact you with regard to the application process, e.g. to invite you to an interview or to send a rejection. The legal basis for this data processing is the necessity to take the steps needed to perform a contract or prior to entering into a con-tract within the meaning of point (b) of Art. 6(1) GDPR. We use the services of Optimy SA (Boulevard du Souverain 36, 1170 Brussels, Belgium) to process requests. Therefore, your data may be stored in an Optimy database, which may al-low Optimy to access your information when required to provide the software and support its usage. Information about data processing by third parties and any transfer abroad is available under Section 17 of this Privacy Policy. The legal basis for this processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in using the services of third-party providers. Optimy may wish to use some of this data for its own purposes (e.g. for statistical analysis aimed at optimising products). Optimy is the controller for such data processing and must en-sure compliance with data protection laws in connection with this data processing. For information about data processing by Optimy, please see here.

When our Website is visited, the web servers temporarily store each access in a log file (log file). The following data is collected without your intervention and is stored by us until auto-mated deletion:

• IP address of the requesting computer

• date and time of access

• name and URL of the retrieved file

• website from which the access was made, with the search word used, if applicable

• operating system of your computer and the browser you are using (including type, version and language setting)

• device type in case of access from mobile phones

• city or region from which the access was made and

• name of your internet service provider

This data is collected and processed for the purpose of enabling the use of our Website (establishing a connection), ensuring long-term system security and stability, and enabling error and performance analysis and optimisation of our Website (see also Section 11.3 regarding the latter points).

In the event of an attack on the Website’s network infrastructure or suspicion of any other un-authorised or improper use of the Website, the IP address and other data will be analysed for clarification and defence purposes and, if necessary, may be used to identify the user in question in civil or criminal proceedings.

The purposes described above constitute our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR and thus the legal basis for data processing.

We use the services of the following hosting providers to operate our Website:

• for the website: www.focuswater.ch (8605 Santa Monica Blvd #92581, West Hollywood, CA 90069, USA; Privacy Policy)

Therefore, your data may be stored in a database of the providers, which may allow them to access your information where required to provide the software and support its usage. Infor-mation about data processing by third parties and any transfer abroad is available under Sec-tion 17 of this Privacy Policy. The legal basis for this processing is our legitimate interest with-in the meaning of point (f) of Art. 6(1) GDPR in using the services of third-party providers.

Providers may wish to use some of this data for their own purposes (e.g. for statistical analy-sis aimed at optimising products). The providers are the controller for such data processing and must ensure compliance with data protection laws in connection with this data processing. Information about how the providers process data is available in the privacy policies linked to above.

Finally, when you visit our Website, we use cookies as well as applications and tools that are based on the use of cookies. The data described here may also be processed in this context. Further information on this is available in subsequent sections of this Privacy Policy, in particular Section 11.2 below.

Cookies are information files that your web browser stores on your computer’s hard drive or memory when you visit our Website. Cookies are assigned identification numbers by which your browser is identified and the information contained in the cookie can be read.

Cookies help, among other things, to make your visit to our Website easier, more pleasant and more useful. We use cookies for various purposes that are necessary for your desired use of the Website, i.e. ‘technically necessary’. For example, we use cookies to be able to identify you as a registered user after logging in so that you do not have to log in again while navi-gating the different subpages. The provision of website elements, such as the order function, is also based on the use of cookies, whereby your entries are temporarily stored when you fill in a form on the Website so that you do not have to enter such information again when you visit another subpage. In addition, cookies perform other technical functions necessary for the operation of the Website, such as load balancing, i.e. the distribution of traffic on the site across different web servers to relieve the load on the servers. Cookies are also used for security purposes, e.g. to prevent the unauthorised posting of content. Finally, we use cookies in the design and programming of our Website, e.g. to enable uploading of scripts and codes.

The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in providing a user-friendly and up-to-date website.

Most internet browsers accept cookies automatically. When accessing our website, however, we ask you to consent to the technically non-essential cookies we use, in particular the use of third-party cookies for marketing purposes. You can use the corresponding buttons in the cookie banner to adjust your preferences. Details of the services and data processing associ-ated with the individual cookies can be found within the cookie banner and in the following sec-tions of this Privacy Policy.

You may also be able to configure your browser so that no cookies are stored on your com-puter or that a message always appears when you receive a new cookie. Instructions for con-figuring how cookies are handled on selected browsers are provided here:

• Google Chrome for Desktop

• Google Chrome for Mobile

• Apple Safari

• Microsoft Windows Internet Explorer

• Microsoft Windows Internet Explorer Mobile

• Mozilla Firefox

Disabling cookies may prevent you from using all the features of our Website.

We use reCAPTCHA provided by Google Ireland Limited (Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) on our Website. reCAPTCHA is a free CAPTCHA service provided by Google that protects websites from spam software and misuse by non-human visitors. Pseudonymised user profiles are created and cookies are used in this context (see also Section 11.2). The information generated by the cookie about your use of this Website is usually transferred together with the log file data under Section 11.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. in the US (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for). In addition to the data in Section 11.1, we process the following data in particular:

• surfing, mouse and keyboard behaviour

• language settings

• screen resolution

The provider uses this information on our behalf to evaluate the use of the Website, in particular to determine whether the actions on the Website are being carried out by humans and not by bots. This automated assessment of personal aspects can also result in profiling with or without high risk. The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in providing a user-friendly and secure website.

Google may wish to use some of the data for its own purposes (e.g. for statistical analysis aimed at optimising products). Google is the controller for such data processing and must ensure compliance with data protection laws in connection with this data processing. For information about data processing by Google, please see here.

If you do not want your data to be transferred to Google, you must log out of Google completely and delete all Google cookies before visiting our Website or using the reCAPTCHA software application. For more information on how you may be able to configure your browser so that no cookies are stored on your computer or that a message always appears when you receive a new cookie, see Section 11.2.

We use Google Tag Manager provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) to manage the functions of our Website. With Google Tag Manager, tracking codes and associated code fragments (tags) can be managed without the need to change the code manually. Once implemented, Google Tag Manager allows us to manage, trigger and control the tracking tools we use. In this respect, Google Tag Manager is closely related to the data processing operations listed below and is used indirectly for the purposes de-scribed therein, which is why the legal basis for the processing is also derived from the sections for the individual tools. If the use of Google Tag Manager is assumed to constitute independent data processing, the legal basis is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in using third-party services to efficiently manage our websites and perform our marketing activities.

We use the web analytics services listed below for the purpose of tailoring our Website to requirements and continuously optimising it. Pseudonymised user profiles are created and cookies are used in this context (see also Section 11.2). The information generated by the cookie about your use of this Website is usually transferred together with the log file data under Section 11.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. in the US (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for).

By processing the data, we receive the following and other information:

• navigation path a visitor follows on the site (including content viewed, products select-ed or purchased and services booked)

• time spent on the Website or subpage

• subpage from which the Website is left

• country, region or city from where access is made

• device (type, version, colour depth, resolution, width and height of the browser win-dow) and

• returning or new visitor

The provider uses this information on our behalf to evaluate the use of the Website, in particular to compile reports on website activity and to provide other services related to use of the Website and internet usage for the purposes of market research and customisation of these websites. Up to a certain extent, we and the providers may be regarded as joint controllers under data protection law for these processing operations.

The legal basis for this data processing with the following services is your consent within the meaning of point (a) of Art. 6(1) GDPR. Some of the data processing may also be regarded as profiling (with or without high risk), to which your consent also extends. You may withdraw your consent at any time and object to the processing by rejecting or disabling the cookies in question in the settings of your web browser (see Section 11.2) or by using the service-specific options described below.

Please read the privacy policy of the respective provider to learn how it processes the data further as (sole) controller under data protection law, in particular any disclosure of this information to third parties, e.g. authorities, based on national legal regulations.

"We use the Google Analytics web analytics service provided by Google Ireland Limited (Gor-don House, 4 Barrow Street, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

In contrast to what is stated in Section 11.5.1, IP addresses are not logged or stored in Google Analytics (in the ‘Google Analytics 4’ version used here). For accesses originating in the EU, IP address data is only used to derive location data and is then deleted immediately. When measuring data is collected in Google Analytics, all IP searches are carried out on EU-based servers before the traffic is forwarded to Analytics servers for processing. Google Analytics uses regional data centres. When connecting to the nearest available Google data centre in Google Analytics, the measurement data is sent to Analytics via an encrypted HTTPS connec-tion. The data is further encrypted in these centres before being forwarded to the Analytics processing servers and made available on the platform. The IP addresses are used to deter-mine the most suitable local data centre. This may also result in data being transferred to servers abroad, e.g. the US (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for).

We also use the Google Signals technical extension, which enables cross-device tracking. This allows a single website visitor to be associated with different devices. However, this only happens if visitors are logged into a Google service when visiting a website and have turned on personalised ads in their Google account settings. Even then, however, no personal data or user profiles are available to us. If you do not wish to use Google Signals, you can turn off personalised ads in your Google account settings.

Users can prevent the collection by Google of the data generated by the cookie and related to the use of the Website by the user concerned (including the IP address) as well as the pro-cessing of this data by Google and withdraw their consent by rejecting or disabling the cookies in question in the cookie banner or in the settings of their web browser (see Section 11.2) or by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en. For further processing of data by Google, please observe the Google Privacy Policy: https://policies.google.com/privacy."

We use the Google Floodlight web analytics and conversion tracking service provided by Google Ireland Limited (Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). The data about the use of the Website described in the introductory paragraphs to this section (Sections 11.5.1 and 11.5.2) and the data described in Sections 11.6.1 and 11.6.2 below is combined with further information from cookies and similar technologies (e.g. Floodlight tags) for this. In addition to the purposes described in the aforementioned sections, this data is also processed to record and document the activities of users on our Website (e.g. purchases, newsletter subscriptions or use of forms) after they have seen or clicked on one of our ads. On the basis of this data, Google produces reports that allow us to analyse the efficiency of our online advertising activities and optimise them. In this context, your data may, among other things, be transferred to Google servers in the US and stored there (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for). Further information on data protection at Google is available here.

The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. Some of the data processing may also be regarded as profiling (with or without high risk), to which your consent also extends. You may withdraw your consent or object to the processing at any time by rejecting or disabling the cookies in question in the settings of your web browser (see Section 11.2).

We use the Metorik web analytics service provided by UJU Pty Ltd t/a Metorik (PO Box 2242, Caulfield Junction, VIC 3161, Australia – ABN 76 616 391 925). The described data about the use of the Website may be transmitted to Metorik servers in Australia for the processing pur-poses explained (see Section 11.5.1 as well as Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for). In order to provide reports on website usage, Metorik may also access the data from your orders (see Section 5) and your customer account (see Section 4). Further information on data processing by Metorik is available here.

We use services of different companies to provide you with interesting offers online. As part of this, your user behaviour on our Website and the websites of other providers is analysed so that you can be shown individually tailored online advertising.

Most technologies for tracking your user behaviour (tracking) and for displaying targeted advertising (targeting) use cookies (see also Section 11.2) or similar technologies and unique identifiers (e.g. advertising ID) that allow your browser to be recognised across different web-sites. Depending on the service provider, it may also be possible for you to be recognised online even when using different devices (e.g. laptop and smartphone). This may be the case if you have registered with a service that you use across several devices, for example.

For these purposes, the data generated during websites visits (log file data, see Section 11.1) and the use of cookies (Section 11.2) may be shared with companies participating in the advertising networks and further processed by them. This means that the data may be disclosed in potentially any country in the world (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for). In addition, the following information in particular is used to select the advertising that is potentially most relevant to you:

- personal information provided by you when you register or use a service provided by advertising partners (e.g. your gender, age group) and

- user behaviour (e.g. searches, interactions with ads, types of websites visited, products or services viewed and purchased, newsletters subscribed to)

We and our service providers use this data to identify whether you belong to the target group we wish to address and take this into account when selecting ads. For example, after you visit our Website, you may see ads for the products or services you viewed when you visit other sites (retargeting). Depending on the amount of data, a user profile may also be created and analysed automatically, i.e. using profiling, whereby the ads are selected according to the information stored in the profile, such as membership of certain demographic segments or potential interests or behaviours. Such ads may be displayed to you on a variety of channels, including, in addition to our Website or app (as part of on-site and in-app marketing), ads delivered via the online advertising networks we use, such as Google.

The data may then be analysed for billing purposes with the service provider as well as to as-sess the effectiveness of advertising measures in order to better understand the needs of our users and customers and improve future campaigns. This may also include the information that the performance of an action (e.g. visiting certain sections of our Website or sending in-formation) can be attributed to a particular ad. We also receive from service providers aggre-gated reports of ad activity and information about how users interact with our Website and ads.

The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. Some of the data processing may also be regarded as profiling (with or with-out high risk), to which your consent also extends. You may withdraw your consent at any time by rejecting or disabling the cookies in question in the settings of your web browser (see Section 11.2). Further options for blocking advertising can be found in the information provided by the respective service providers.

As explained in Section 11.6.1, this Website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) for online advertising. Google uses cookies (see the list here) for this purpose as well as similar technologies and unique identifiers (especially the advertising ID), which enable your browser to be recognised when you visit other websites. The information generated in this way about your visit to these websites (including your IP address) is, among other things, transferred to Google servers in the US and stored there (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for). Google processes the data in particular to show you personalised advertising on Google services (e.g. the search engine). Further information on data protection at Google is available here.

The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time by rejecting or disabling the cookies in question in the settings of your web browser (see Section 11.2). Further options for blocking advertising can be found here.

The Website uses the advertising services of Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (Meta)) for online advertising, as explained in Section 11.6.1. Meta uses technologies such as cookies and the Meta Pixel for this, which en-able your browser to be recognised when you visit other websites. The information generated in this way about your visit to these websites (including your IP address) is, among other things, transferred to Meta servers in the US and stored there, especially regarding the lack of an adequate level of data protection and the safeguards provided for). Meta processes the data in particular to show you personalised advertising on Meta services (e.g. Facebook or Instagram). We use the targeting features offered by Meta, especially website custom audiences, which allow us to recognise you on Meta services after you visit our Website and show you targeted advertising. Further information on data protection at Meta is available here and here.

The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time by rejecting or disabling the cookies in question in the settings of your web browser (see Section 11.2). Further options for blocking advertising can be found here.

For online advertising, as explained in Section 11.6.1, the Website uses the advertising ser-vices of LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). LinkedIn uses technologies such as cookies and the LinkedIn Insight Tag for this, which enable your browser to be recognised when you visit other websites. The information generated in this way about your visit to these websites (including your IP address) is, among other things, transferred to LinkedIn servers in the US and stored there (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data provtection and the safeguards provided for). LinkedIn pro-cesses the data in particular to show you personalised advertising on the LinkedIn platform. Further information on data protection at LinkedIn is available here.

The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time by rejecting or disabling the cook-ies in question in the settings of your web browser (see Section 11.2). Further options for blocking advertising can be found here.

For online advertising, as explained in Section 11.6.1 above, the Website uses the advertising services of Teads SA (5 rue de la Boucherie, L-1247, Luxembourg). Teads uses technologies such as cookies for this, which enable your browser to be recognised when you visit other websites. The information generated in this way about your visit to these websites (including your IP address) can potentially be transferred to Teads servers worldwide and stored there (see Section 17.2, especially regarding the lack of an adequate level of data protection and the safeguards provided for). Teads processes the data in particular to show you personalised ad-vertising on the websites and services of Teads partners. Further information on data protec-tion at Teads is available here.

The legal basis for this data processing is your consent within the meaning of point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time by rejecting or disabling the cook-ies in question in the settings of your web browser (see Section 11.2). Further options for blocking advertising can be found here.

Our Website contains links to our profiles on the social networks of the following providers:

• 
  Meta Platforms Ireland Limited (Facebook and Instagram), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy

• 
  TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, Privacy Policy

If you click on the icons of the social networks, you are automatically redirected to our profile on the respective network. This establishes a direct connection between your browser and the server of the respective social network. In this way, the social network receives in particular the data described in the section on log files (Section 11.1), i.e. information that you visited our website with your IP address and clicked on the link. This may also result in data being trans-ferred to servers abroad, e.g. the US (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safeguards provided for).

If you click on a link to a social network while you are logged into your account on that net-work, the content of our website can be linked to your profile so that the network can directly associate your visit to our Website with your account. If you want to avoid this, please log out before clicking on the relevant links. A connection is always established between your access to our Website and your user account if you log into the respective network after clicking on the link. The respective provider is the controller under data protection law for the associated data processing. Therefore, please refer to the data protection information on the social net-work’s website.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in using and promoting our social media profiles.

We use the Google Maps API (application programming interface, ‘Google Maps’) provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, ‘Google’) on our website. Google Maps is a web service for displaying interactive maps visualising geographical information. By using this service, you are shown our locations and it is easier for you to find us.

As soon as you access subpages on which Google Maps has been embedded, your log file da-ta, in particular your IP address (see Section 11.1 ), is transferred to Google servers. This may also result in data being transferred to servers abroad, e.g. the US (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safe-guards provided for). The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in providing modern and user-friendly websites.

In addition, cookies (see Section 11.2 for general information on this) are set and read when you visit the sites and use Google Maps. In this way, Google collects data on the browsing behaviour of users and also and in particular derives information on presumed interests from it in order to place advertising tailored to the personal interests of users on Google services and the services of partners. Google may associate this information with your user account. If you do not want Google to collect data about you via this Website and link it to your membership data stored by Google, you must log out of Google before visiting this Website. The legal basis for the processing of the data is your consent pursuant to point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time with effect for the future by rejecting or disabling the cookies in question in the settings of your web browser (see Section 10.2). Further information on how Google collects and uses your data is available in the Google Privacy Policy: https://policies.google.com/privacy.

We use the Google Webfonts API provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, ‘Google’) on our Website. This gives us access to the Google font library and thus a cost-effective way to use appealing typography on our Website. The use of the Google Webfonts API also helps us to ensure that the content presented on our Website is compatible with all browsers and that problems are solved on an ongoing basis.

Usage of the Google Webfonts API means that your log file data, particularly your IP address (see Section 11.1 ), is already transferred to Google servers when you visit our website. This may also result in data being transferred to servers abroad, e.g. the US (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safe-guards provided for). The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in providing modern and graphically appealing websites.

Google may also associate this information with your user account. If you do not want Google to collect data about you via this Website and link it to your membership data stored by Google, you must log out of Google before visiting this Website. Further information on how Google collects and uses your data is available in the Google Privacy Policy: https://policies.google.com/privacy.

You can download videos from different places on our websites. The videos are displayed by embedding (iFrame) the contents of YouTube, a service provided by Google Ireland Limited (Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland (YouTube)).

When you click on a video, a connection is established to YouTube servers. Your browser may then transfer the log file data (including IP address) listed under Section 11.1 to YouTube. This may also result in data being transferred to servers abroad, e.g. the US (see Sections 17.2 and 17.3, especially regarding the lack of an adequate level of data protection and the safe-guards provided for). This data processing is necessary to enable the videos to be played. The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in providing modern websites with interesting content.

In addition, when videos are played, cookies (see Section 11.2 for general information on this) are set and read by YouTube. In this way, Google collects data on the browsing behaviour of users and also and in particular derives information on presumed interests from it in order to place ads tailored to personal interests on the YouTube platform and other websites. YouTube may associate this information with your user account. If you do not want YouTube to collect data about you via this Website and link it to your membership data stored by YouTube, you must log out of YouTube before visiting this Website. The legal basis for the processing of the data is your consent pursuant to point (a) of Art. 6(1) GDPR. You may withdraw your consent at any time with effect for the future by rejecting or disabling the cookies in question in the set-tings of your web browser (see Section 11.2). Further information on how YouTube collects and uses your data is available in the YouTube/Google Privacy Policy: https://policies.google.com/privacy.

If it is possible to clearly identify you personally, we store and link the data described in this Privacy Policy, in particular your personal details, contact with us and contract data as well as your browsing behaviour on our websites, in a central database. This allows us to efficiently manage customer data and adequately process your requests as well as efficiently provide the services you require and process the related contracts.

The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in efficiently managing user data.

We also link your data to your interactions with our advertising campaigns (e.g. clicks on ads from us) and to relevant information from the advertising service providers listed in this Priva-cy Policy and their partners. In addition, we analyse this data to further develop our products and services based on needs and to be able to show and suggest to you the most relevant in-formation and offers. We also use methods that predict potential interests and future orders based on your use of our Website. Some of this analysis could also be regarded as profiling (with or without high risk).

We use a software application provided by Salesforce, Inc. (415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA) for centralised data storage and analysis in the CRM system. Therefore, your data may be stored in a Salesforce database, which may allow Salesforce to access your information when required to provide the software and support its usage. Infor-mation about data processing by third parties and any transfer abroad is available under Section 17 of this Privacy Policy. The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in carrying out marketing activities.

Salesforce may wish to use some of this data for its own purposes (e.g. for statistical analysis aimed at optimising products). Salesforce is the controller for such data processing and must ensure compliance with data protection laws in connection with this data processing. For in-formation about data processing by Salesforce, please see here.

Without the support of other companies, we would not be able to deliver our products and services in the desired form. For us to be able to use the services of these companies, it is also necessary to disclose your personal data to them to some extent. The data is disclosed to selected third-party service providers and only to the extent necessary for the optimal provision of our services. Various third-party service providers are already explicitly mentioned in this Privacy Policy.

Your data is also disclosed to the extent that this is necessary for the processing of the contractual relationship, for example, to transport companies and providers of other services. The legal basis for such disclosure is the necessity to perform a contract within the meaning of point (b) of Art. 6(1) GDPR.

Recourse to other service providers is also indispensable for the use and management of our infrastructure and for the exercise of internal functions, and therefore other third parties may also have access to your data to the extent necessary for the use of the services, such as providers of software solutions (e.g. for word processing or sending email), providers of IT services (e.g. hosting providers, telecommunications providers such as Internet access ser-vices), agencies (e.g. in the field of marketing) or security services. The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in having recourse to third-party services.

In addition, your data may be disclosed, in particular to public authorities, legal and tax advisors, auditors and trustees or debt collection agencies, if we are legally obliged to do so or if this is necessary to safeguard our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our com-pany or parts thereof, and such disclosure is necessary to perform due diligence or complete the transaction. The legal basis for this data processing is our legitimate interest within the meaning of point (f) of Art. 6(1) GDPR in protecting our rights and meeting our obligations as well as in the sale of our company or parts thereof.

We are also entitled to transfer your personal data to third parties abroad, insofar as this is necessary to carry out the data processing referred to in this Privacy Policy. Specific data transfers have been mentioned above (see in particular Sections 11 and 12). It goes without saying that statutory provisions on the disclosure of personal data to third parties are complied with when making such transfers. The countries to which data is transferred include those which, in accordance with the decision of the Federal Council and the European Commission, have an adequate level of data protection (such as the member states of the EEA or, from the EU’s perspective, Switzerland), but also others (such as the US) whose level of data protection is not considered adequate (see Annex 1 of the Data Protection Ordinance (DPO) and the European Commission website). If the country concerned does not have an adequate level of data protection, we ensure that your data is adequately protected by these companies by means of appropriate safeguards, unless there is a derogation for the individual data processing in a specific situation (see Art. 49 GDPR). Unless otherwise stated, this is achieved by choosing companies that are certified under the Privacy Framework agreement or by using standard contractual clauses within the meaning of point (c) of Art. 46(2) GDPR, which can be accessed on the websites of the Federal Data Protection and Public Information Commissioner (FDPIC) and the European Commission. If you have any questions about the measures taken, please reach out to our contact person for data protection (see Section 2).

Some of the third-party service providers referred to in this Privacy Policy are based in the US. For the sake of completeness, we would like to point out to users residing or established in Switzerland or the EU that US authorities have surveillance measures in place in the US that generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the US. This is done without any differentiation, limitation or exception based on the aim pursued and without any objective criterion that would restrict access by the US authorities to the data and its subsequent use to very specific, strictly lim-ited purposes that could justify the interference associated with both accessing and using the data. In addition, we would like to point out that in the US, data subjects from Switzerland and the EU have no legal remedies or effective legal protection against general access rights of US authorities that would allow them to access the data concerning them and obtain its rectification or erasure. We explicitly draw your attention to this legal and factual situation so that you are in a position to make an appropriately informed decision to consent or object to the use of your data. Users residing in Switzerland or an EU member state should also be aware that, from the point of view of the European Union and Switzerland, the US does not provide an adequate level of data protection, partly due to the statements contained in this section. Where we have ex-plained in this Privacy Policy that data recipients (such as Google) are based in the US, we ensure that your data is adequately protected by our third-party service providers by choosing companies certified under the Privacy Framework agreement or through contractual arrangements with these companies, as well as any additional appropriate safeguards required.

We only store personal data for as long as this is necessary to carry out the processing de-scribed in this Privacy Policy within the scope of our legitimate interest. Contractual data is required to be stored on the basis of statutory retention obligations. Requirements that oblige us to retain data arise from accounting and tax regulations. According to these regulations, business correspondence, concluded contracts and accounting documents in particular must be retained for a period of up to 10 years. If we no longer need this data to perform the services for you, the data is blocked. This means that the data may then only be used if this is necessary to fulfil retention obligations or to defend and enforce our legal interests. The data is deleted as soon as there is no longer any retention obligation and no legitimate interest in its retention.

We use appropriate technical and organisational security measures to protect your personal data stored by us against loss and unlawful processing, in particular unauthorised access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and to respect data protection. Moreover, such persons are granted access to personal data only to the extent necessary to fulfil their duties. Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always entails certain security risks and we cannot therefore give absolute guarantees for the security of information transmitted in this way.

Provided that the statutory requirements are met, you as a data subject have the following rights:

Right of access: You have the right to view your personal data stored by us at any time free of charge if we process such data. This allows you to check which personal data concerning you we process and whether we process it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we also inform the recipients of the da-ta concerned about the changes we have made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data erased under certain circumstances. In individual cases, in particular if statutory retention obligations apply, the right to erasure may be excluded. In this case, the data may be blocked rather than erased under certain conditions.

Right to restriction of processing: You have the right to obtain restriction of processing of your personal data.

Right to data portability: You have the right to receive from us the personal data you have provided to us in a readable format free of charge.

Right to object: You have the right to object to data processing at any time, especially data processing connected with direct marketing (e.g. marketing emails).

Right to withdraw consent: In principle, you have the right to withdraw your consent at any time. However, processing activities in the past based on your consent do not become unlawful due to your withdrawal. To exercise these rights, please email us at: datenschutz@rivella.ch

Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way in which your personal data is processed.