Privacy Policy

In this privacy policy, we, natelo AG, describe what we do with your data in our name ("natelo", "Company", "we", or "us") when you visit our websites www.natelo.ch or www.deinabo.ch ("Website/s") and use the services offered there, interact with us, communicate with us, enter into an employment or other contractual relationship with us, or otherwise engage with us. This is not an exhaustive description; in some cases, consents, general terms and conditions, or similar documents may regulate specific matters.

In this privacy policy, "personal data" or "data" refers to any information relating to an identified or identifiable natural person. "Processing" includes any handling of personal data, regardless of the means and methods used, particularly storing, disclosing, obtaining, deleting, saving, modifying, destroying, and using personal data.

If you provide us with personal data of other individuals (e.g., family members, employees, etc.), we assume that you are authorized to do so and that the data provided is accurate. By sharing data about other individuals with us, you confirm this. Please also ensure that these individuals have been informed about this privacy policy.

The "Controller" responsible for the data processing described in this privacy policy is the company, unless otherwise specified in individual cases. If you have any data protection-related concerns, you can contact us at the following address:

• Postal Address: natelo AG, Sonnenplatz 6, 6020, Emmenbrücke
• Email: [email protected]

We primarily process the personal data that we receive directly from you in your capacity as a customer, employee, reference, or other person or business partner in the course of our business or other legal relationship, or that we collect when you use our website and other applications, or when you apply for a position with us.

We process various categories of data about you. The most important categories are as follows:

• Contract Data: These are data related to contract conclusion and execution, such as personal details including name, date of birth, gender, photos, passport copies, IP address, contract information, and details on services provided or to be provided, as well as pre-contractual data required for processing.
• Master Data: These are the basic data we need in addition to contract data to manage our contractual and business relationships or for marketing and advertising purposes. We process your master data if you are a customer or other business contact or if we want to reach out to you for our own purposes or on behalf of a contract partner. We obtain master data from you directly, from organizations you work for, or from third parties such as our contractual partners, distribution partners, associations, and publicly accessible sources (e.g., public registers, websites, social media, etc.).
• Communication Data: If you contact us via contact form, email, phone, chat, mail, public forums, or other communication channels, we collect the data exchanged between you and us, including your contact details and communication metadata. If we need to verify your identity, such as for a data access request, we collect data to identify you. We generally store these data for 36 months from the last interaction. This period may be extended for evidentiary purposes, legal or contractual compliance, or technical reasons. Emails in personal mailboxes, chats, and written correspondence are generally stored for at least 10 years.
• Technical Data: When you visit our website or use our services, we collect your device’s IP address and other technical data (e.g., timestamp of user actions) to ensure functionality and security. These data include logs that record the use of our systems. We usually store technical data for up to two months. To ensure functionality, we may assign you or your device an individual code (e.g., a cookie, see Section 8). Technical data alone generally do not reveal your identity but may be linked to other data (and thus to you) in cases such as registrations or contract processing.
• Registration Data for Our Newsletter and Advertising Offers: If you register on our website to receive newsletters and/or advertising offers, we require your email address and information that allows us to verify that you own the specified email address and agree to receive newsletters or advertising. No additional data is collected. These data are used solely for sending the requested information and are not shared with third parties.

For Applicants:

• Personal Information: e.g., first name(s), last name, photo, professional background, education, degrees, other qualifications or skills, and other typical resume details.
• Communication Data: If you contact us via contact form, email, phone, chat, mail, public forums, or other communication channels, we collect the data exchanged between you and us, including your contact details and communication metadata.
• Reference Checks: These are conducted only with the applicant's consent. If an applicant provides references in their application, we assume implicit consent.
• Behavioral and Preference Data: Depending on our relationship with you, we strive to tailor our products and offers to you. We collect and use data about your behavior and preferences, analyzing your interactions with us to personalize future engagements. We may also supplement these data with information from third parties, including publicly available sources. This allows us to estimate the likelihood that you will use certain services or behave in a specific way. We derive these data from our interactions with you (e.g., when you use our services) or by tracking your behavior (e.g., website navigation, document downloads). We anonymize or delete these data when they are no longer relevant, which may vary from 60 seconds to a few weeks (for movement profiles) or from 30 minutes to 14 months (for product and service preferences). This period may be extended for evidentiary, legal, contractual, or technical reasons. Section 8 explains how website tracking works.
• Other Data: We may collect data about you in other situations. For example, in legal or regulatory proceedings, records (e.g., case files, evidence) may include your data. For health and safety reasons, we may collect data as part of safety protocols. We may produce videos in which you are identifiable (e.g., security cameras). We may also track who enters certain buildings and manage access rights.

We primarily use the personal data we collect to conclude and execute contracts with our customers and business partners, to fulfill our duties as an employer, and to comply with our legal obligations both domestically and internationally.

In addition, we process personal data about you and other individuals, where permitted and where we consider it appropriate, for the following purposes in which we (and sometimes third parties) have a legitimate interest:

• Providing, developing, and improving our services as well as our website and any other platforms where we are present;
• Communicating with you, particularly to respond to inquiries, enforce your rights, and contact you in case of follow-up questions;
• Communicating with third parties and processing our or their inquiries;
• Fulfilling our compliance obligations;
• Advertising and marketing (including organizing events), unless you have objected to the use of your data for this purpose, market and opinion research, media monitoring;
• Exercising rights, asserting legal claims, and defending against legal disputes and regulatory proceedings;
• Preventing and investigating criminal activities and other misconduct (e.g., conducting internal investigations, data analysis to combat fraud);
• Ensuring our operations, including managing our communication systems, IT infrastructure, websites, and other platforms;
• Video surveillance to enforce property rights and other measures for IT, building, and facility security, as well as protecting our employees and other individuals and safeguarding our assets (e.g., access controls, visitor lists, network and email scanning);
• Buying and selling business units, companies, or parts of companies, and other corporate transactions, including related transfers of personal data, as well as measures for business management and compliance with legal and regulatory obligations and internal company regulations;
• Reviewing application documents and assessing the suitability of candidates;
• Drafting employment contracts and work certificates and, upon the employee’s request, providing references;
• Processing salary payments and social benefits;
• Maintaining personnel records;
• Internal business communication, including reports on internal meetings and events.

If you have given us consent to process your personal data for specific purposes, we process your personal data within the scope of and based on that consent, provided we do not have another legal basis for processing and such a basis is required. You may revoke your consent at any time, particularly by contacting the address listed in Section 2. However, revocation does not affect data processing that has already taken place.

The term "Profiling" refers to the automated processing of our customers' personal data to analyze personal aspects or make predictions, such as analyzing personal interests, preferences, and habits or forecasting probable behavior. Profiling can be used to derive preference data in particular.

Through profiling, we automatically assess certain personal characteristics of yours for the purposes outlined in Section 4, based on your data (Section 3), to draw conclusions about your traits, preferences, and likely behavior, such as your affinity for certain products and services. For this purpose, we may also create profiles, meaning we may combine behavioral and preference data with master and contract data as well as technical data assigned to you, to better understand you as a person with your various interests and other characteristics.

Profiling helps us, for example, to:

• Offer you contracts that are faster and better tailored to your needs;
• Present our content and offers in a way that suits your needs;
• Show you only advertisements and offers that are likely to be relevant to you;
• Provide better customer service support.

As part of our business activities and in accordance with the purposes of data processing as outlined in Section 4, we may or must also transfer data to third parties (provided such transfer is permissible and we consider it appropriate), either because third parties process these data on our behalf or because they intend to use them for their own purposes. This particularly concerns the following categories of recipients (collectively the "Recipients"):

• Telecommunications providers to whom we broker contracts;
• Service providers in Switzerland and abroad, such as IT providers (e.g., infrastructure providers) or support providers (e.g., call centers);
• Accountants, auditors, lawyers, and other external consultants engaged by us;
• Legal and regulatory authorities, upon request or for the purpose of reporting an actual or suspected violation of applicable laws or regulations;
• Domestic and foreign authorities, courts, or other parties in potential or ongoing legal proceedings;
• Any relevant party for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses or enforcing criminal sanctions, including the prevention of threats to public security;
• Buyers or parties interested in acquiring all or parts of our business or assets;
• Other persons: This includes cases where the involvement of third parties arises from the purposes outlined in Section 4.

When we transfer data to a recipient, the recipient is subject to binding contractual obligations to (i) process the data only in accordance with our prior instructions and (ii) implement measures to protect the confidentiality and security of the data, along with all other requirements under applicable law.

Your data is primarily stored on servers within the EU but may also be processed abroad or accessed from abroad, particularly when we engage service providers for the fulfillment of our services, as well as for distribution and marketing. When using third-party cookies (see Section 8), data may also be transferred to countries outside the EU. If a recipient is located in a country without adequate legal data protection, we contractually obligate the recipient to comply with the applicable data protection regulations (using the latest standard contractual clauses of the European Commission, adapted to Swiss law), unless the recipient is already subject to a legally recognized framework ensuring data protection, or we can rely on an exemption.

On our websites www.natelo.ch and www.deinabo.ch, we use various technologies that allow us and third parties engaged by us to recognize you when you use our services and, under certain circumstances, track you across multiple visits.

In particular, we use cookies ("Cookies"). These are small text files that enable the storage of specific user-related information on the user's device while they use the website. Cookies allow us to determine the frequency of use and number of users of the pages, analyze behavior patterns of website usage, and make our offering more user-friendly.

Most of the cookies we use are so-called "session cookies," which are automatically deleted at the end of your visit. Certain cookies remain stored beyond the end of a browser session and can be retrieved when you revisit the site.

• Necessary cookies are essential for the functioning of the website, chat function, and our services overall or for specific features. If you block them, the website may not function properly. Other cookies are necessary to allow the server to retain decisions or inputs you have made beyond a session (i.e., a visit to the website) if you use such a function (e.g., selected language, given consent, automatic login feature, etc.). These cookies also remain stored beyond your visit (so-called "permanent cookies") and have an expiration period of up to 6 months.
• Performance cookies are used to optimize our website and related offerings and to better tailor them to user needs. These cookies analyze how our website is used. This also involves the use of analytics services from third parties. Performance cookies also have an expiration period of up to 14 months.

The provider of our website automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These include:

• Browser type and version;
• Operating system used;
• Referrer URL;
• Hostname of the accessing computer;
• Time of the server request.

These data cannot be assigned to specific individuals. No merging of these data with other data sources takes place. However, we reserve the right to review these data retrospectively if we become aware of concrete indications of unlawful use.

The website functions or depends on third parties. These third parties may also collect personal data from you. Again, in most cases, browser settings can be adjusted to protect yourself if such data collection is undesired. Furthermore, for performance cookies used for success and reach measurement or advertising, a general opt-out for numerous services is available through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

We process your data for as long as required by our processing purposes, legal retention periods, and our legitimate interests in processing for documentation and evidence purposes, or as long as storage is technically necessary. Further details on the respective storage and processing duration can be found under the individual data categories in Section 3 and under the cookie categories in Section 8. If there are no legal or contractual obligations preventing it, we delete or anonymize your data after the storage or processing period has expired as part of our standard procedures.

We take appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data, to protect it against unauthorized or unlawful processing and to counter the risks of loss, accidental alteration, unwanted disclosure, or unauthorized access.

However, we are not responsible or liable for the security of your data during transmission via email. Any such transmission is at your own risk, and you are responsible for ensuring that all personal data you send to us via email is securely transmitted. We also require our data processors to take appropriate security measures. However, security risks can never be completely ruled out; residual risks are unavoidable.

Cloudflare CDN

We use the Content Delivery Network from Cloudflare. The provider is Cloudflare, Inc. ("Cloudflare"), 101 Townsend St, San Francisco, CA 94107 USA.

Cloudflare provides a globally distributed Content Delivery Network. Technically, the information transfer between your browser and our website is routed through Cloudflare's network. This allows us to increase the global accessibility and performance of our website.

The use of Cloudflare CDN is based on our legitimate interest in providing our web services as error-free and securely as possible (Art. 6 para. 1 lit. f GDPR).

Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here: https://www.cloudflare.com/gdpr/introduction/.

Further information on Cloudflare CDN can be found here: https://support.cloudflare.com/hc/de.

Conclusion of a Data Processing Agreement

To ensure data protection-compliant processing, we have concluded a data processing agreement with Cloudflare regarding the use of Cloudflare CDN.

Amazon Web Services (AWS)

We use Amazon Web Services (AWS) for our website, including as a web hosting provider. The service provider is the American company Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA.

Amazon processes your data, including in the USA. Amazon is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. More information on this can be found at

https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Additionally, Amazon uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR). Standard contractual clauses (Standard Contractual Clauses - SCC) are template agreements provided by the EU Commission and are intended to ensure that your data meets European data protection standards, even when transferred to and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the standard contractual clauses, Amazon commits to maintaining European data protection standards when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision by the EU Commission.

The Amazon data processing conditions (AWS GDPR DATA PROCESSING), which comply with the standard contractual clauses, can be found at

https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf.

More information about the data processed by Amazon Web Services (AWS) can be found in the privacy policy at

https://aws.amazon.com/de/privacy/

Processing of Data (Customer and Contract Data)

We collect, process, and use personal data only to the extent necessary for the establishment, content configuration, or modification of the legal relationship (inventory data). This is done based on Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures. We collect, process, and use personal data regarding the use of this website (usage data) only to the extent necessary to enable or bill the user for the use of the service.

The collected customer data will be deleted after the completion of the order or termination of the business relationship. Statutory retention periods remain unaffected.

Data Transmission Upon Contract Conclusion for Online Shops, Merchants, and Product Shipping

We transmit personal data to third parties only if this is necessary within the framework of contract processing, such as to the company responsible for delivering the goods or the financial institution entrusted with payment processing. Further data transmission will not take place or only if you have expressly consented to the transmission. Your data will not be passed on to third parties without explicit consent, for example, for advertising purposes.

The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.

Data Transmission Upon Contract Conclusion for Services and Digital Content

We transmit personal data to third parties only if this is necessary within the framework of contract processing, such as to the financial institution responsible for payment processing.

Further data transmission will not take place or only if you have expressly consented to the transmission. Your data will not be passed on to third parties without explicit consent, for example, for advertising purposes.

The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.

Payment Services

We integrate payment services from third-party providers on our website. When you make a purchase with us, your payment data (e.g., name, payment amount, account details, credit card number) are processed by the payment service provider for payment processing purposes. For these transactions, the respective providers’ contract and privacy policies apply. The use of payment service providers is based on Art. 6 para. 1 lit. b GDPR (contract processing) and in the interest of a smooth, convenient, and secure payment process (Art. 6 para. 1 lit. f GDPR). If consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR serves as the legal basis for data processing; consent can be revoked at any time with future effect.

The following payment services/payment providers are used on this website:

Apple Pay

The payment service provider is Apple Inc., Infinite Loop, Cupertino, CA 95014, USA. You can find Apple’s privacy policy

at: https://www.apple.com/legal/privacy/de-ww/.

Saferpay

We use the payment service provider Saferpay, a payment service provider of Worldline Schweiz AG, based in Zurich (“Worldline”), for payment processing.

Saferpay meets common security standards, especially the Payment Card Industry Data Security Standard (PCI DSS). Your data is transmitted exclusively for the purpose of payment processing. The processing and storage of your payment and personal data take place directly via the payment service provider. As the website operator, we do not receive any (bank) account or credit card information, only confirmation (approval) or rejection of the payment. In certain cases, the data may be transmitted to credit agencies by the payment service provider. We refer to the payment service providers’ terms and privacy notices in this regard.

For payment transactions, the terms and privacy policies of the respective payment service providers apply. We also refer to them for further information and for the exercise of revocation, access, and other rights of affected individuals.

The legal basis for processing your personal data is the fulfillment of a contract to which you are a party or the implementation of pre-contractual measures.

Further information on data processing by Worldline can be found at:

https://worldline.com/de-ch/compliancy/privacy

To give you control over the processing of your personal data, you have the following rights in connection with our data processing: 

• The right to request information from us on whether and which data we process about you;
• The right to have data corrected if it is inaccurate;
• The right to request the deletion of data;
• The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another data controller; this applies only to data that you have provided to us and that we process automatically with your consent or for the conclusion or execution of a contract with you;
• The right to withdraw consent, insofar as our processing is based on your consent.

If you wish to exercise these rights, you can contact us at the address provided in Section 2. The exercise of these rights generally requires that you clearly prove your identity (e.g., by providing a copy of an identification document, unless your identity can be determined or verified in another way). If the exercise of certain rights involves costs for you, we will inform you in advance.

Please note that these rights are subject to conditions, exceptions, or limitations under applicable data protection laws. We reserve the right to enforce such conditions, exceptions, or limitations, for example, to protect third parties or trade secrets or if we are required to retain or process certain data or need the data for the assertion of claims.

Furthermore, you have the right to file a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch). 

We may adjust this privacy policy at any time without prior notice. The privacy policy is not part of the contract. The current version published on our website applies.

Version: July 9, 2024