Poesavia

Privacy Policy

With this privacy policy, we inform you about the processing of personal data in connection with our activities and operations, including our website under the domain name poesavia.com. We specifically inform you what personal data we process, how, and where. We also provide information about the rights of persons whose data we process.

For individual or additional activities and operations, we may publish further privacy policies or other information regarding data protection.

We are subject to Swiss law as well as any applicable foreign law, particularly that of the European Union (EU) with the General Data Protection Regulation (GDPR).

The European Commission recognized in its decision of July 26, 2000, that Swiss data protection law ensures an adequate level of protection. In its report of January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

Responsible in terms of data protection law is:

Concorax KlG
c/o Spühler Rechtsanwälte AG
General-Wille-Strasse 19
8002 Zurich
Switzerland

chat@concorax.com

In individual cases, third parties may be responsible for the processing of personal data, or there may be joint responsibility with third parties. We are happy to provide affected persons with information about the respective responsibilities upon request.

Data Protection Representative in the European Economic Area (EEA)

We have the following data protection representative according to Art. 27 GDPR:

We are in the process of acquiring a data protection representative in the EU. Please check back in a few days. Until then, you can contact us using our contact details shared in this privacy policy.

The data protection representative serves affected persons and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) as an additional point of contact for inquiries related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Affected Person: A natural person whose personal data we process.

Personal Data: Any information that relates to an identified or identifiable natural person.

Sensitive Personal Data: Data concerning trade union, political, religious, or ideological beliefs and activities; data about health, the intimate sphere, or the belonging to an ethnicity or race; genetic data; biometric data that can uniquely identify a natural person; data concerning criminal and administrative sanctions or prosecutions; and data about social assistance measures.

Processing: Any handling of personal data, regardless of the means and procedures applied, such as querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, capturing, collecting, deleting, revealing, arranging, organizing, storing, altering, disseminating, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss law, specifically the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process personal data, where and to the extent that the European General Data Protection Regulation (GDPR) is applicable, in accordance with at least one of the following legal bases:

  • Art. 6 (1) (b) GDPR for the necessary processing of personal data to fulfill a contract with the affected person as well as to conduct pre-contractual measures.
  • Art. 6 (1) (f) GDPR for the necessary processing of personal data to pursue legitimate interests—including the legitimate interests of third parties—unless the fundamental freedoms and rights as well as the interests of the affected person outweigh them. Such interests include particularly the sustainable, humane, secure, and reliable exercise of our activities and operations, ensuring information security, protection against abuse, enforcement of our legal claims, and compliance with Swiss law.
  • Art. 6 (1) (c) GDPR for the necessary processing of personal data to fulfill a legal obligation we are subject to under any applicable law of member states in the European Economic Area (EEA).
  • Art. 6 (1) (e) GDPR for the necessary processing of personal data to perform a task in the public interest.
  • Art. 6 (1) (a) GDPR for the processing of personal data with the consent of the affected person.
  • Art. 6 (1) (d) GDPR for the necessary processing of personal data to protect vital interests of the affected person or another natural person.
  • Art. 9 (2) GDPR for the processing of special categories of personal data, particularly with the consent of the affected persons.

The European General Data Protection Regulation (GDPR) refers to the processing of sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).

3. Type, Scope, and Purpose of Processing Personal Data

We process those personal data that are necessary to carry out our activities and operations sustainably, humanely, securely, and reliably. The processed personal data may fall into categories such as browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also represent sensitive personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect during the exercise of our activities and operations, to the extent that such processing is permissible.

We process personal data, as necessary, with the consent of the affected persons. In many cases, we can process personal data without consent, for example, to fulfill legal obligations or protect overriding interests. We may also ask affected persons for their consent when their consent is not required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data primarily based on legal retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have third parties process it, or jointly process it with third parties. These third parties may include specialized providers whose services we utilize.

In the context of our activities and operations, we may disclose personal data in particular to banks and other financial service providers, authorities, educational and research institutions, consultants and attorneys, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.

5. Communication

We process personal data to communicate with persons as well as with authorities, organizations, and companies. In this context, we specifically process data that an affected person transmits to us when making contact, for example via postal mail or email. We may store such data in an address book or similar tools.

Third parties that provide us with data about other persons are responsible for independently ensuring the data protection of those affected persons. They must particularly ensure that such data is accurate and may be transmitted.

6. Data Security

We take appropriate technical and organizational measures to ensure a level of data security that is commensurate with the respective risk. With our measures, we specifically ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although we cannot guarantee absolute data security.

Access to our website and other digital presence is conducted using transport encryption (SSL/TLS, specifically with Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers issue warnings when visiting a website without transport encryption.

Our digital communication is—like basically any digital communication—subject to mass surveillance without cause and suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot exert direct influence on the corresponding processing of personal data by intelligence agencies, police departments, and other security authorities. We also cannot rule out that an affected person may be specifically monitored.

7. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transmit personal data to other countries, particularly for processing or having it processed there.

We can export personal data to all countries on Earth and elsewhere in the universe, provided that the local law ensures an adequate level of data protection according to the decision of the Swiss Federal Council and—as far as the General Data Protection Regulation (GDPR) is applicable—also according to the decision of the European Commission.

We may transmit personal data to countries whose laws do not provide an adequate level of data protection, provided that data protection is ensured for other reasons, particularly based on standard data protection clauses or other appropriate guarantees. Exceptionally, we can export personal data to countries without adequate or suitable data protection if the specific data protection legal conditions are met, such as the explicit consent of the affected persons or a direct connection with the conclusion or execution of a contract. We are happy to provide affected persons with information upon request about any guarantees or supply a copy of such guarantees.

8. Rights of Affected Persons

8.1 Data Protection Claims

We grant affected persons all claims according to the applicable law. Affected persons have, in particular, the following rights:

  • Information: Affected persons can request information about whether we process personal data about them, and if so, which personal data is involved. Affected persons will also receive the information necessary to assert their data protection claims and to ensure transparency. This includes the processed personal data as such, but also details about the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the source of the personal data.
  • Correction and Restriction: Affected persons can correct inaccurate personal data, complete incomplete data, and request the restriction of processing their data.
  • Opportunity for Own Position and Human Review: Affected persons can present their own position and request a human review in decisions based solely on automated processing of personal data that have legal consequences for them or significantly affect them (automated individual decisions).
  • Deletion and Objection: Affected persons can request the deletion of personal data ("right to be forgotten") and object to the processing of their data with effect for the future.
  • Data Access and Data Transfer: Affected persons can request the release of personal data or the transfer of their data to another controller.

We may postpone, restrict, or refuse the exercise of the rights of affected persons within the legally permissible framework. We may inform affected persons of any conditions that must be met to exercise their data protection claims. For example, we may fully or partially refuse to provide information based on confidentiality obligations, overriding interests, or the protection of other persons. We may also refuse the deletion of personal data, especially referencing legal retention obligations, either fully or partially.

We may exceptionally charge fees for the exercise of rights. We will inform affected persons in advance of any potential costs.

We are obliged to identify affected persons requesting information or asserting other rights through appropriate measures. Affected persons must cooperate.

8.2 Legal Protection

Affected persons have the right to enforce their data protection claims through legal action or to file a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities are structured federally, particularly in Germany.

9. Use of the Website

9.1 Cookies

We may use cookies. Cookies—both our own (first-party cookies) and those from third parties whose services we use (third-party cookies)—are data that are stored in the browser. Such stored data need not be limited to traditional cookies in text form.

Cookies can be temporarily stored in the browser as "session cookies" or for a specific duration as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies notably allow recognition of a browser upon the next visit to our website, thereby enabling us to measure the reach of our website. However, permanent cookies can also be used for online marketing purposes.

Cookies can be entirely or partially deactivated, restricted, or deleted at any time in the browser settings. Browser settings often also allow automated deletion and other management of cookies. Without cookies, the functionality of our website may not be fully available. We actively request the explicit consent for the use of cookies, at least as required according to applicable law.

For cookies used for success and reach measurement or for advertising, a general opt-out is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

9.2 Logging

We may log at least the following information for each access to our website and other digital presence, to the extent that this information is typically determined or transmitted during such access to our digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, the specific subpage of our website visited including the amount of data transmitted, and the last webpage accessed in the same browser window (referrer).

We log such information, which may also constitute personal data, in log files. This information is necessary to provide our digital presence sustainably, humanely, and reliably. The information is also required to ensure data security—also through third parties or with the assistance of third parties.

9.3 Tracking Pixels

We may integrate tracking pixels into our digital presence. Tracking pixels are also referred to as web beacons. Tracking pixels—also from third parties whose services we use—are typically small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our digital presence. Tracking pixels can capture at least the same information as logging in log files.

10. Notifications and Communications

10.1 Success and Reach Measurement

Notifications and communications may contain web links or tracking pixels that record whether a specific communication has been opened and which web links have been clicked. Such web links and tracking pixels may also capture the use of notifications and communications on a personal basis. We require this statistical capture for success and reach measurement in order to send notifications and communications based on the needs and reading habits of the recipients in an effective and humane way, as well as sustainably, securely, and reliably.

10.2 Consent and Objection

You must generally consent to the use of your email address and other contact addresses unless the use is permissible for other legal reasons. For obtaining double consent, we may use the "double opt-in" procedure. In this case, you will receive a notification with instructions for double confirmation. We may log obtained consents, including IP address and timestamp, for proof and security reasons.

You can generally object to receiving notifications and communications, such as newsletters, at any time. By making such an objection, you can also simultaneously object to the statistical capture of usage for success and reach measurement. Necessary notifications and communications related to our activities and operations are excluded from this objection.

10.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

11. Online Platforms

We are present on online platforms to communicate with interested persons and to inform them about our activities and operations. In connection with these platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use, as well as the privacy policies and other provisions of the respective operators of such platforms also apply. These provisions specifically inform about the rights of affected persons directly with respect to the platform in question, including, for example, the right to information.

12. Services from Third Parties

We utilize services from specialized third parties to carry out our activities and operations sustainably, humanely, securely, and reliably. With such services, we can, among other things, embed functions and content into our website. During such embedding, the services used may temporarily capture the IP addresses of users for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data to provide the respective service.

12.1 E-Commerce

We operate e-commerce and use services from third parties to successfully offer services, content, or goods.

In particular, we use:

  • Fourthwall: E-Commerce platform for online shops; providers: Fourthwall Inc. (USA); information about data protection: privacy policy.

12.2 Payments

We utilize specialized service providers to process payments securely and reliably. The legal texts of the individual service providers, such as general terms and conditions (GTC) or privacy statements, also apply to the processing of payments.

In particular, we use:

  • Stripe: Payment processing; providers: Stripe Inc. (USA) / Stripe Capital Europe Limited (Ireland) / Stripe Payments Europe Limited (SPEL, Ireland) / Stripe Payments UK Limited (United Kingdom); information about data protection: "Stripe Privacy Center," privacy policy, cookie policy.

13. Success and Reach Measurement

We try to measure the success and reach of our activities and operations. In this context, we may also measure the impact of third-party referrals or examine how different parts or versions of our digital presence are utilized (the "A/B testing" method). Based on the results of success and reach measurement, we can particularly rectify errors, enhance popular content, or implement improvements.

For success and reach measurement, individual users' IP addresses are typically recorded. In this case, IP addresses are generally truncated ("IP masking") to comply with the principle of data minimization through the corresponding pseudonymization.

Cookies may be used in success and reach measurement, and user profiles may be created. Any generated user profiles may include, for example, the specific pages visited or content viewed on our digital presence, details about the size of the screen or browser window, and the—at least approximate—location. In principle, any user profiles are exclusively created in a pseudonymized manner and are not used for the identification of individual users. Certain services from third parties, where users are logged in, may relate the use of our online offerings to the user account or user profile at the respective service.

In particular, we use:

  • GoatCounter: Success and reach measurement; provider: Martin Tournoij (Ireland); information about data protection: No processing of personal data and no use of cookies, privacy policy.

14. Final Notes on the Privacy Policy

We may update this privacy statement at any time. We will inform you of updates in an appropriate manner, particularly by publishing the current version of the privacy policy on our website.