Data protection

1 Name and address of the data processor

The operator of the website (hereinafter referred to as the “operator”) and therefore the controller/data processor in terms of the European General Data Protection Regulation (GDPR) and the Swiss Federal Data Protection Act (DPA) is:

Kreditfabrik AG
Bergstrasse 66
CH-8810 Horgen

+41 41 541 59 61
E-Mail

2 Name and address of the Data Protection Officer

The operator’s Data Protection Officer is:

Marc Pfister
PEAX AG
Pilatusstrasse 28
6003 Luzern
E-Mail

3 Definitions

| Definition | Explanation |
| --- | --- |
| Operator | The operator of the website, in this case Kreditfabrik AG |
| User | User of the website or its services, in this case you. |
| Personal data | Information which makes it possible for a person to be identified, i.e. information that can be traced back to a particular person. This includes the person's name, email address or telephone number. But data concerning preferences, hobbies, membership or which websites a person has visited is also regarded as personal data. |

4 General notes on data protection

The operator only processes the personal data of its users to the extent to which this is necessary in order to provide a functional website and the operator’s contents and services. Personal data are exclusively processed on the basis of a legitimate legal basis, usually the user’s consent. An exception applies in cases where obtaining prior consent is effectively not possible and processing is permitted under statutory provisions.

5 Access data / server log files

5.1 Description and scope of data processing

The operator collects data each time its website is accessed ("server log files"). The collected access data includes:

  • Name of the web page, file(s) accessed
  • Date and time of the access
  • Browser type and version
  • The user's operating system
  • The referrer URL (the page previously visited)
  • The user’s IP address and the requesting provider

5.2 Legal basis for the processing

The legal basis for the temporary storage of the data and log files is Art. 6 (1) (f) GDPR and Art. 13 (1) and (2) DPA.

 

5.3 Purpose of data processing

The operator will only use the log data in order to operate and optimise the website, to ensure its security and to carry out statistical evaluations. However, the operator reserves the right to examine the log data at a later date if there are specific indications which give rise to a justified suspicion of unlawful use. The data are stored for this purpose.

 

5.4 Duration of storage

The data are deleted as soon as they are no longer required to achieve the purpose for which they are collected, provided their continued storage is not justified by the overriding interests or statutory obligations of the controller. This is usually the case after 24 hours. Data may be stored beyond this period for the purpose of website optimisation and statistical evaluation. In this case, users’ IP addresses will be deleted or altered so that they can no longer be allocated to the accessing client.

 

5.5 Objection and removal options

The collection of data and the storage of data in log files are essential prerequisites for providing and operating the website. Consequently, the user has no right to object.

Any storage for other purposes is conducted in anonymised form, which means that no personal data are processed and accordingly no option to object arises.

6 Use of cookies

6.1 Description and scope of data processing

The operator’s website uses cookies. Cookies are small files that make it possible to store information specific to the user's access device (PC, smartphone or similar) in order to enable the device to be recognised when the website is next accessed. On the one hand, they serve to make websites user friendly for their users (e.g. by storing login data). On the other hand, they serve to record statistical data concerning the use of the website. This data can then be analysed to improve the website.

The operator’s website uses the following cookies:

| Name | Purpose | Storage time | Technically necessary |
| --- | --- | --- | --- |
| FluentLocale | Serves to record the language set by the user | 2 months | Yes |
| Google Analytics: _ga, _gid | See paragraph 8 | 2 years, 24h | No |
| PHPSESSID | Contains an anonymous user identification to be able to assign several requests of a user to the same HTTP session. | Until the browser is closed | Yes |
| Facebook Pixel | See paragraph 9 | 28 days | No |

When our website is accessed, users are informed of the use of cookies for analysis purposes and their consent to the processing of the personal data used in this context is obtained. This notification also contains a reference to this Privacy Policy.

Section 8 specifically provides information on the use of Google Analytics.

6.2 Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) (f) GDPR and Art. 13 (1) and (2) DPA.

The legal basis for the processing of personal data using cookies for analysis purposes is, provided the user’s consent has been obtained, Art. 6 (1) (a) GDPR and Art. 13 (1) in conjunction with Art. 4 (5) DPA.

6.3 Purpose of data processing

Technically necessary cookies are used for the purpose of facilitating the use of websites for users. Some website functions cannot be offered without cookies. These require that the browser is recognised even after navigation to different pages.

The user data collected by technically necessary cookies are not used to create user profiles.

Analysis cookies are used to improve the quality and contents of the website. Analysis cookies give the operator information about how the website is used and thus enable it to continuously improve its service.

 

6.4 Duration of storage, Objection and removal options

Cookies are stored on the user’s access device and transmitted by the same to our website. Users can therefore influence the use of cookies. Most browsers have an option allowing the storage of cookies to be restricted or prevented entirely. However, please note that the use of the website, particularly user convenience, will be restricted if cookies are not enabled. Many online advertisement cookies of companies can be managed through the US website https://www.aboutads.info/choices/ or the EU website https://www.youronlinechoices.com/uk/your-ad-choices/.

By clicking on this link, users can withdraw their consent to the use of cookies that are not technically required.

7 Newsletter

7.1 Description and scope of data processing

The operator’s website offers the option to subscribe to a free newsletter. This option can be chosen either by ticking the newsletter check box in the contact form or by completing the newsletter form at the bottom of the website. When either of these forms is sent, the data contained in the entry form will be transmitted to the operator. This includes:

  • User’s first and last name
  • Email address
  • Postal address
  • Phone number (optional)

In addition, the following data are collected when the newsletter is subscribed to:

  • IP address of the requesting user
  • Time of newsletter subscription
  • Set language on the website

During the subscription process, the users’ consent to data processing is obtained and reference is made to this Privacy Policy.


7.2 Legal basis for data processing

The legal basis for data processing following the user’s subscription to the newsletter is, provided the user’s consent has been obtained, Art. 6 (1) (a) GDPR and Art. 13 (1) in conjunction with Art. 4 (5) DPA.


7.3 Purpose of data processing

The user’s email address is collected in order to send the newsletter. The user’s name is collected in order to personalise the newsletter.

The other data listed in Section 8.1 and 8.2 are collected on the one hand to improve the newsletter and analyse the time and manner in which the newsletter is read, and on the other to prevent the misuse of the service or the email address used.


7.4 Duration of storage

The data are deleted as soon as they are no longer required to achieve the purpose for which they are collected, provided their continued storage is not justified by the overriding interests or statutory obligations of the controller. Subscribers’ email addresses and names are therefore only stored for as long as the newsletter subscription is active. The same applies to the other personal data collected in the course of the subscription process.

The data collected and stored in the context of success measurement are deleted within 14 months following their evaluation.


7.5 Objection and removal options

Users may cancel their subscription at any time. Every newsletter contains a link for this purpose.

This also enables users to revoke their consent to the storage of the personal data collected during the subscription process and success measurement.

8 Google Analytics

8.1 Description and scope of data processing

This website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses cookies, text files that are stored on your computer, which make it possible to analyse your use of the website.

The following data are collected and stored using Google Analytics:

  • The user’s IP address and the requesting provider
  • Name of the web page, file(s) accessed
  • Browser type and version
  • The user's operating system
  • The referrer URL (the page previously visited)
  • The number of pages accessed
  • Leaving rate
  • Average duration of website visit

The information about the use of this website by the user generated by the cookie is generally sent to a Google server in the USA and stored there. However, users’ IP addresses are shortened and therefore anonymised by the operator prior to transmission to Google. The transmitted data can therefore not be traced to the user. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. The operator has contractual agreements with Google which ensure that Google complies with the provisions of the applicable data protection legislation. The data that the user’s browser sends in the context of Google Analytics will not be amalgamated with other data from Google.

When our website is accessed, users are informed of the use of Google Analytics and their consent to the processing of the personal data used in this context is obtained. This notification also contains a reference to this Privacy Policy.

 

8.2 Legal basis for data processing

The legal basis for the processing of user data using Google Analytics is, provided the user’s consent has been obtained, Art. 6 (1) (a) GDPR and Art. 13 (1) in conjunction with Art. 4 (5) DPA.

8.3 Purpose of data processing

Google will use this information on behalf of the operator in order to analyse users’ use of the website, compile reports on website activity, and provide further services related to website and internet use to the website operator. This enables the operator to continually improve the website and its user friendliness.

8.4 Duration of storage

The data are deleted as soon as they are no longer required for our recording purposes, provided their continued storage is not justified by the overriding interests or statutory obligations of the controller. For this website, this is the case after 14 months.

8.5 Objection and removal options

As with any other cookies, the Google Analytics cookie is stored on the user’s access device. Users may therefore prevent the storage of the cookie by editing the settings in their browser software accordingly. Furthermore, users can prevent the data generated by the cookie concerning their use of the website (including their IP address) from being recorded and sent to Google and also the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout

9 Marketing analysis

9.1 Description and scope of data processing

This website uses a Facebook Pixel, an analytical tool offered by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). When a user clicks on an ad posted by us on Facebook, a cookie is placed by our website through Facebook Pixel. This cookie allows us to collect and store the following data generated by the user while using our website:

  • Personal data such as age, gender, country of origin and city
  • Information about the device and operating system used

The information collected by this cookie on the use of this website by the user is generally transmitted to a Facebook server in the US, where it is stored. Facebook also collects the data in its own interests and, as the data controller, processes it further for Facebook advertising and analytical purposes. Such processing is carried out under the authority of Facebook in accordance with its data policy (https://www.facebook.com/about/privacy/). On visiting our website, the user is informed about the use of Facebook Pixel and the user’s consent to the processing of the personal data used is obtained.

 

9.2 Legal framework for processing data

The legal framework for processing user data is justified by the data controller having legitimate interests in accordance with Art. 6(1)(f) GDPR and Art. 13(1) in conjunction with Art. 4(5) of the Federal Act on Data Protection (DSG).

9.3 Purpose of data processing

On behalf of the operator, Facebook uses this information to analyse the use of the website by the user, to compile reports on website activities and to provide other services related to the use of the website and the effectiveness of advertising measures to the website operator. This enables the operator to constantly improve their website and advertising measures.

9.4 Duration of storage

The data is deleted as soon as it is no longer required for our analytical purposes, unless continued storage is justified by the prevailing interests or legal obligations of the controller.

9.5 Option to opt-out or opt-in

Like other cookies, the Facebook Pixel cookie is also stored on the user’s access device. This means the user can set their browser preferences to prevent cookies from being stored. The user can also opt-out from the use of Facebook Pixel at any time and thus disable Facebook Pixel tracking on this website. To do so, the user can click on the link in Clause 6.4 to set an opt-out cookie.

10 Contacting the operator

10.1 Description and scope of data processing

When users contact the operator (through the contact form or email, for example), all relevant information provided by the user is saved for the purpose of processing the enquiry and in case of subsequent questions.

This includes, in particular, the following information:

  • User’s first and last name
  • Email address
  • Postal address
  • Phone number (optional)

During the process of sending the contact form, your consent to data processing is obtained and reference is made to this Privacy Policy.

Alternatively, the operator can be contacted via the email address provided. In this case, the user’s personal data which are submitted with the email are stored.

Users are informed in advance of the data processing and this Privacy Policy and their consent is obtained in the course of contacting the operator via the contact form or the chat.

 

10.2 Legal basis for data processing

The legal basis for data processing is, provided the user’s consent has been obtained, Art. 6 (1) (a) GDPR and Art. 13 (1) in conjunction with Art. 4 (5) DPA.

The legal basis for the processing of data which are transmitted in the course of sending an email is Art. 6 (1) (f) GDPR and Art. 13 (1) and (2) DPA. If the email contact aims at the conclusion of a contract, an additional legal basis for the processing is Art. 6 (1) (b) GDPR and Art. 13 (2) (a) DPA.

 

10.3 Purpose of data processing

The processing of the personal data from the entry form exclusively serves the purpose of handling the enquiry. In the case of contact by email, this also constitutes the required legitimate interest in processing the data. Storing the data for a certain period of time enables us to refer back to it if further questions arise at a later date.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our IT systems.

The operator also reserves the right to keep the conversations held with the user, including the personal data contained therein, for verification purposes.

 

10.4 Duration of storage

The data are deleted as soon as they are no longer required to achieve the purpose for which they are collected, provided their continued storage is not justified by the overriding interests or statutory obligations of the controller. This is the case when the conversation with the user has finished. The conversation is finished when the circumstances make it apparent that the issue at hand has been conclusively resolved.

This shall be the case when it can be assumed or derived from the circumstances that the situation in question has been resolved and that no further queries are to be expected. The data stored for verification purposes is generally deleted after 14 months. In exceptional cases, a legal obligation or prevailing interest may justify a longer period of retention.


10.5 Objection and removal options

Users may revoke their consent to the processing of their personal data at any time. If users contact us by email or contact form, they may object to the storage of their personal data at any time by email. In this case, we will not be able to continue the conversation. Likewise, during the course of a chat, users may at any time revoke their consent.

All personal data which were saved in the course of contacting the operator will in this case be deleted.

11 User rights

If website users are located in a member state of the EU or an EEA state, the GDPR provides for the following user rights:

11.1 Right to information (Art. 15 GDPR)

Users have the right at any time to request that the controller confirm whether any personal data concerning their person is being processed. If this is the case, users have the right to demand that the controller provide information about the personal data stored, and a copy of these data, free of charge.

11.2 Right to correction (Art. 16 GDPR)

Users have the right to correction and/or completion against the controller if the processed personal data concerning their person are incorrect or incomplete. The operator will implement corrections without undue delay.

11.3 Right to restrict processing (Art. 18 GDPR)

In accordance with Art. 18 GDPR, the user has the right to limit the processing of their personal data.

11.4 Right to erasure (Art. 17 GDPR)

In accordance with Art. 17 GDPR, the user has the right to request that their personal data be deleted. Within the limitations of Section 6.4

11.5 Right to data portability (Art. 20 GDPR)

In accordance with Art. 20 GDPR, users have the right to obtain the personal data concerning their person which they have provided to the controller in a structured, commonly used and machine-readable format. They furthermore have the right to transmit these data to another controller without interference by the controller to whom the personal data were provided.

11.6 Right to object (Art. 21 GDPR)

Users have the right at any time to object to the processing of personal data concerning their person which takes place on the basis of Article 6 (1) (e) or (f) GDPR for reasons resulting from their specific circumstances; this also applies to any profiling based on these provisions.

If a user objects to the processing for the purposes of direct advertising, the controller will cease to process the personal data concerning his/her person for these purposes.

11.7 Right to withdraw the data protection consent (Art. 7 (3) GDPR)

Users have the right to withdraw their data protection consent at any time. Revoking their consent does not affect the legality of the data processing which has taken place on the basis of consent before the time of withdrawal.

11.8 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, users have the right to complain to a supervisory authority, particularly in the member state of their place of residence, if they believe that the processing of the personal data concerning their person breaches the GDPR.

The supervisory authority to which the complaint was submitted will inform the complainant of the status and outcome of the complaint, including the possibility of a legal remedy, according to Art. 78 GDPR.