Data Protection Policy

This Data Protection Policy contains information about the personal data we process in connection with our RAUSCH website and our other offers. In particular, it describes which personal data we process, for what purpose, how and where. This Data Protection Policy also contains information about the rights of the people whose data we process.

Other data protection policies and other legal documents like general terms and conditions (T&Cs), conditions of use or conditions of participation may apply to individual or additional offers and services.

Our offer is governed by Swiss data protection law and any applicable foreign data protection law, such as that of the European Union in the form of the General Data Protection Regulation (GDPR) in particular. The European Commission recognises that Swiss data protection law provides an adequate level of data protection.

1. Contact information

Office responsible for the processing of personal data:

Rausch AG Kreuzlingen

Data Protection Coordinator

Bärenstrasse 12

8280 Kreuzlingen Switzerland

datenschutz@rausch.ch

We will advise if there are other offices responsible for the processing of personal data in individual cases.

Data protection representative in the European Economic Area (EEA)

Our data protection representative under Art. 27 GDPR in the European Economic Area (EEA), including the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway, who serves as an additional contact point for supervisory authorities and data subjects for queries in connection with the General Data Protection Regulation (GDPR), is:

VGS Datenschutzpartner UG

Am Kaiserkai 69

20457 Hamburg Germany

info@datenschutzpartner.eu

2. Processing of personal data

2.1 Definitions

Personal data means all information relating to an identified or identifiable person. A data subject is a person whose personal data is processed. Processing means any handling of personal data, regardless of the means or methods used, in particular the retention, disclosure, procurement, collection, erasure, storage, alteration, destruction and use of personal data.

The European Economic Area (EEA) comprises the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) defines the processing of personal data as any set of operations performed on data related to a person.

2.2 Legal bases

We process personal data in compliance with Swiss data protection law, in particular the Swiss Federal Act on Data Protection (DSG) and the Ordinance on the Federal Act on Data Protection (VDSG).

Where and as far as the General Data Protection Regulation (GDPR) applies, we process personal data in compliance with at least one of the following legal bases:

Art. 6(1)(b) GDPR for the processing of personal data necessary for performance of a contract to which the data subject is party or to take steps prior to entering into a contract.

Art. 6(1)(f) GDPR for the processing of personal data necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental freedoms and rights or the interests of the data subject. Legitimate interests means in particular our interest in making our offer available in a permanent, user-friendly, secure and reliable way, in being able to advertise as necessary, in information security and protection against misuse and unauthorised access, in the enforcement of our legal claims and in complying with Swiss law.

Art. 6(1)(c) GDPR for the processing of personal data necessary for compliance with a legal obligation to which we are subject according to any applicable law of Member States of the European Economic Area (EEA).

Art. 6(1)(e) GDPR for the processing of personal data necessary for the performance of a task carried out in the public interest.

Art. 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.

Art. 6(1)(d) GDPR for the processing of personal data necessary in order to protect the vital interests of the data subject or of another natural person.

2.3 Nature, scope and purpose

We process the personal data necessary to make our offer available in a permanent, user-friendly, secure and reliable way. Such personal data may, in particular, include the categories of user and contact data, browser and device data, content data, metadata and use data, location data, and sales, contract and payment data.

We process personal data for the period of time required for the specific purpose or purposes or required by law. Personal data whose processing is no longer necessary are anonymised or erased. As a rule, subjects whose data we process have a right to the erasure of their data.

As a rule, we only process personal data with the consent of the data subject, unless the processing is permitted on other legal grounds, such as to perform a contract with the data subject and to take steps prior to entering into a contract, to pursue our prevailing legitimate interests, because the processing is obvious based on the circumstances or after prior notification.

In this context, we process information that a data subject voluntarily and independently transmits to us when contacting us (for example, by post, email, fax, contact form, social media or telephone), when shopping in our online shop or when registering for a user account. We may store such information in, for example, an address book, a customer relationship management system (CRM system) or using similar tools. If you transmit data about other people to us, you are obligated to guarantee the data protection of these people’s personal data and the correctness of this personal data.

We also process personal data we receive from third parties, obtain from publicly accessible sources and collect in the provision of our offer, if and insofar as such processing is permitted on legal grounds.

We only process personal data from applications insofar as required to assess suitability for hiring or for a future employment contract. The personal data necessary for an application process are determined by the requested or disclosed information, for example, in relation to a job advertisement. Applicants have the option to voluntarily send additional information with their applications.

2.4 Processing of personal data by third parties, including abroad

We may commission third parties to process personal data or process personal data jointly with third parties or with the assistance of third parties or transmit personal data to third parties. Such third parties in particular include vendors whose services we use. We guarantee that such third parties provide an adequate level of data protection.

As a rule, such third parties are located in Switzerland and in the European Economic Area (EEA). Such third parties may also be located in other states and territories on Earth and elsewhere in the universe, provided that their data protection law guarantees an adequate level of data protection according to the Swiss Federal Data Protection and Information Commissioner (EDÖB) and – if and insofar as the General Data Protection Regulation (GDPR) is applicable – the European Commission, or if an adequate level of data protection is guaranteed by other means, such as a corresponding contractual agreement, especially standard contract clauses or a corresponding certification. In exceptional cases, such a third party may be located in a country that lacks an adequate level of data protection, provided that the requirements of data protection law (such as the express consent of the data subject) in this respect have been met.

3. Rights of data subjects

Data subjects whose personal data we process have the rights granted by Swiss data protection law. These include the right to information and the right to correction, erasure or blocking of personal data.

Data subjects whose personal data we process can – if and insofar as the General Data Protection Regulation (GDPR) is applicable – request confirmation of whether we are processing their personal data and, if so, information about the processing of their personal data, restrict the processing of their personal data, exercise their right to data portability and have their personal data corrected, erased (‘right to be forgotten’), blocked or completed, all these free of charge.

Data subjects whose personal data we process can – if and insofar as the GDPR is applicable – revoke consent they have granted at any time with effect for the future and object to the processing of their personal data at any time.

Data subjects whose personal data we process have a right to lodge a complaint with a responsible supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (EDÖB).

4. Data security

We institute adequate and appropriate technical and organisational measures to guarantee data protection and especially data security. Despite such measures, however, gaps in security may occur when processing personal data on the Internet. For this reason, we cannot guarantee absolute data security.

Access to our website is protected by transport encryption (SSL/TLS, in particular by hypertext transfer protocol secure, abbreviated HTTPS). Most browsers identify transport encryption with a padlock symbol in the address bar.

5. Use of our website

5.1 Cookies

We may use cookies for our website. Cookies are data stored in your browser. This is true of both our own cookies (first-party cookies) and cookies of third parties whose services we use (third-party cookies). These stored data are not limited to traditional cookies in text form. Cookies cannot execute programs or introduce malware like trojans and viruses.

Cookies may be temporarily stored in your browser during your visit to our website as ‘session cookies’ or be stored for a specific period of time as ‘persistent cookies’. Session cookies are automatically deleted when you close your browser. Persistent cookies have a specific storage time. They enable us to recognise your browser on your next visit to our website, allowing us to measure the reach of our website.

However, persistent cookies can also be used for online marketing, for example.

You can fully or partially deactivate or delete cookies in your browser settings at any time. Our website’s full functionality may not be available without cookies. We actively ask you to give your express consent to the use of cookies, where and insofar as necessary.

For many services, a general opt-out is available for cookies used for performance or reach measurement or for advertising through AdChoices (Digital Advertising Alliance Of Canada), Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

5.2 Server log files

Each time our website is accessed, we may collect the following information if it is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time (including time zone), Internet Protocol (IP) address, access status (HTTP status code), operating system (including user interface and version), browser (including language and version), individual sub-pages of our website accessed (including amount of data transferred), last website opened in the same browser window (referrer).

We store this information, which may also constitute personal data, in server log files. This information is needed to make our website available in a permanent, user-friendly and reliable way and to ensure data security and protection of personal data, including by third parties or with the assistance of third parties.

5.3 Tracking pixels

We may use tracking pixels on our website. Tracking pixels are also called web beacons. Tracking pixels, including those belonging to third parties whose services we use, are small, typically invisible images automatically retrieved when you visit our website. Tracking pixels can be used to collect the same information as server log files.

6. Announcements and notifications

We send announcements and notifications such as newsletters by email and other communication channels such as instant messaging.

6.1 Performance and reach measurement

Announcements and notifications may contain web links or tracking pixels that record whether an individual notification was opened and which web links were clicked. These web links and tracking pixels may record the use of announcements and notifications, including use specific to the individual. We require this statistical collection of use data for performance and reach measurement and to offer announcements and notifications in an effective and user-friendly way based on the needs and reading habits of the recipients as well as generally in a permanent, secure and reliable manner.

6.2 Consent and objections

As a rule, you must expressly consent to the use of your email address and your other contact information, unless use thereof is permitted on other legal grounds. When asking for your consent to receive emails, we use a ‘double opt-in’ procedure where possible. This means that you receive an email with a link you must click as confirmation, which prevents misuse by unauthorised third parties. We may record such consent, including Internet Protocol (IP) address, date and time, for purposes of evidence and security.

As a rule, you can unsubscribe from announcements and notifications like newsletters at any time. When unsubscribing, you can object to the statistical collection of use data for performance and reach measurement. We reserve the right to send announcements and notifications that are necessary to provide our offer.

6.3 Service provider for announcements and notifications

We send announcements and notifications using third-party services or with the assistance of service providers. Cookies may be used in this context.

In particular, we use:

Mailchimp: communication platform; provider: The Rocket Science Group LLC d/b/a Mailchimp (USA), a subsidiary of Intuit Inc. (USA); data protection information: Privacy Statement (Intuit) including ‘Country and Region-Specific Terms’, Cookie Policy, ‘Privacy Rights Requests’, ‘Mailchimp and European Data Transfers’, ‘Security’.

7. Social media

We have a presence on social media and other online platforms to allow us to communicate with interested parties and publicise information about our offer. Personal data may be processed outside Switzerland and the European Economic Area (EEA) in this context.

The general terms and conditions (T&Cs), conditions of use, data protection policies and other terms of the individual operators of these online platforms apply separately. These terms provide information about the rights of data subjects which include, for example, the right to information.

Insofar as the GDPR applies, we are jointly responsible with Meta Platforms Ireland Limited (Ireland) for our social media profile on Facebook, including ‘Page Insights’. Meta Platforms Ireland Limited is one of the Meta companies (including in the USA). Page Insights show how visitors interact with our Facebook presence. We use Page Insights to make our social media presence on Facebook effective and user-friendly.

Additional information about the nature, scope, and purpose of data processing, information about the rights of data subjects, and contact information for Facebook and the Facebook Data Protection Officer is available in the Facebook Data Policy. We have concluded the ‘Controller Addendum’ with Facebook, in which we agree that Facebook is responsible for guaranteeing the rights of data subjects. Information about Page Insights is available at ‘Information about Page Insights’, including ‘Information about Page Insights Data’.

8. Third-party services

We use third-party services to make our offer available in a permanent, user-friendly, secure and reliable way. Such services may also be used to embed content in our website. These services (for example, hosting and storage services, video services and payment services) require your Internet Protocol (IP) address in order to transmit content.

Third parties whose services we use may also process data connected to our offer and from other sources (including cookies, log files and tracking pixels) in aggregated, anonymised or pseudonymised form for their own security, statistical and technical purposes.

In particular, we use:

Google Services: providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and in Switzerland; general information about data protection: ‘Our privacy and security principles’, Privacy Policy, ‘We are committed to complying with applicable data protection laws’, ‘Google Product Privacy Guide’, ‘How Google uses information from sites or apps that use our services’ (Google information), ‘How Google uses cookies’, ‘Ad personalization’ (activation/deactivation/settings).

8.1 Payments

We use payment service providers to securely and reliably process our customers’ payments. Payment processing is governed by the terms of the payment service provider, such as general terms and conditions (T&Cs) and data protection policies.

In particular, we use:

Datatrans: payment processing; provider: Datatrans AG (Switzerland); data protection information: Privacy Policy, ‘Security & Compliance’.

PayPal (including Braintree): payment processing; providers: PayPal (Europe) S.à.r.l. et Cie, S.C.A (Luxembourg) / PayPal Pte. Ltd. (Singapore); data protection information: Privacy Statement, ‘Statement on Cookies and Tracking Technologies’.

TWINT: payment processing in Switzerland; provider: TWINT AG (Switzerland); data protection information: ‘Data protection for the TWINT apps’, ‘Website data privacy’, ‘General Terms and Conditions for the Use of TWINT’ including the ‘Data Protection’ section.

wallee: payment processing; provider: Wallee AG (Switzerland); data protection information: Privacy policy.

8.2 Advertising

We make use of the option to have targeted advertising for our offer displayed by third parties such as social media platforms and search engines.

With this advertising, we aim to reach people who are interested in our offer or already use our offer (remarketing or targeting). To do this, we may transmit some information, which may include personal data, to third parties who enable this advertising. We may also assess whether our advertising is successful, i.e. whether it leads to visits to our website (conversion tracking).

Third parties with whom we advertise and with whom you are registered as a user may associate the use of our product with your profile.

In particular, we use:

Facebook Ads: social media advertising; providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); data protection information: Remarketing and targeting, in particular with Facebook Pixel and Custom Audiences, including Lookalike Audiences, Data Policy, ‘Ad Preferences’ (user registration required).

Google Ads: search engine advertising; Google Ads-specific data protection information: Advertising based on search engine queries; different domain names – especially doubleclick.net, googleadservices.com, and googlesyndication.com – are used for Google Ads, ‘Advertising’ (Google), ‘Why you’re seeing an ad’.

Pinterest Ads: social media advertising; providers: Pinterest Inc. (USA) / Pinterest Europe Ltd. (Ireland) for users in the European Economic Area (EEA); data protection information: Remarketing and targeting, especially with ‘Pinterest Tag,’ Privacy Policy, ‘Personalization and Data’, ‘Personalized ads on Pinterest’, ‘Data sharing on Pinterest’, Cookie Policy.

9. Extensions for our website

We use extensions for our website to make additional functions available. In particular, we use:

forms.app: online form platform; provider: forms.app OÜ (Estonia); data protection information: Privacy policy.

Google reCAPTCHA: spam protection (distinguishes between desired comments from humans and undesired comments from bots and spam); Google reCAPTCHA-specific data protection information: ‘What is reCAPTCHA?’.

10. Performance and reach measurement

We use services and programs to determine how our website is being used. In this context, we may, for example, measure the performance and reach of our website and the effect of third-party links to our website. However, we may also test and compare how different versions of our website or parts of our website are used (‘A/B’ test method). We may correct faults, bolster in-demand content, or improve our website based on the results of this performance and reach measurement.

The Internet Protocol (IP) addresses of individual users must be stored to enable the use of services and programs for performance and reach measurement. As a rule, IP addresses are abbreviated (pseudonymised) to comply with the principle of data minimisation and to improve the data protection of visitors to our website (‘IP masking’).

The use of services and programs for performance and reach measurement may require the use of cookies and the creation of user profiles. User profiles include, for example, the pages visited and content viewed on our website, information about the size of your screen or browser window, and the (approximate) location. As a rule, user profiles are pseudonymised. We do not use user profiles to identify individual visitors to our website. Individual services with which you are registered as a user may associate engagement with our website with your profile on these services. Typically, you must give your consent to such association in advance.

In particular, we use:

fusedeck: performance and reach measurement; provider: Capture Media AG (Switzerland); data protection information: ‘Privacy Policy and Information on the Right to Object’ (website), ‘Data Privacy’ (fusedeck), Privacy Policy (fusedeck).

Google Analytics: performance and reach measurement; Google Analytics-specific data protection information: Measurement across browsers and devices (cross-device tracking) and using pseudonymised Internet Protocol (IP) addresses which are only transmitted in full to Google in the USA in exceptional cases, ‘Privacy Policy’, ‘Google Analytics opt-out browser add-on’.

Google Tag Manager: integration and management of performance and reach measurement services and other services of Google and of third parties; additional information about data protection is available from the individual integrated and managed services.

11. Final provisions

We may amend or expand this Data Protection Policy at any time. We will notify you of such amendments and expansions in an appropriate form, in particular by publishing the updated Data Protection Policy on our website.