Privacy Policy

Authorized Representative: Michael Kocurek

Email: legal@savaro.ch

Legal Notice: https://www.savaro.ch/en-CH/impressum

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

• • Master data

• • Contact data

• • Content data

• • Usage data

• • Meta, communication and procedural data

• • Log data

Categories of Data Subjects

• • Communication partners

• • Users

Purposes of Processing

• • Provision of contractual services and fulfillment of contractual obligations

• • Communication

• • Security measures

• • Direct marketing

• • Organizational and administrative procedures

• • Feedback

• • Marketing

• • Provision of our online offering and user-friendliness

• • Information technology infrastructure

• • Sales promotion

Relevant Legal Bases under the GDPR

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile.

• Consent (Art. 6(1)(a) GDPR)

  The data subject has given consent to the processing of their personal data for one or more specific purposes.

• Contract Performance and Pre-contractual Inquiries (Art. 6(1)(b) GDPR)

  Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

• Legitimate Interests (Art. 6(1)(f) GDPR)

  Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Relevant Legal Bases under Swiss Data Protection Law

If you are located in Switzerland, we process your data on the basis of the Swiss Federal Act on Data Protection (referred to as "Swiss DPA"). Unlike the GDPR, the Swiss DPA generally does not require that a legal basis for processing personal data be specified, and that personal data processing is carried out in good faith, is lawful and proportionate (Art. 6(1) and (2) of the Swiss DPA). Furthermore, we only collect personal data for a specific purpose that is apparent to the data subject and process it only in a manner compatible with that purpose (Art. 6(3) of the Swiss DPA).

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transmission, availability assurance and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data and responses to data threats. We also consider the protection of personal data already in the development or selection of hardware, software and procedures in accordance with the principle of data protection by design and by default.

TLS/SSL Encryption (HTTPS)

To protect the data of users transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.

In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other entities, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data Processing in Third Countries

If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of using third-party services or disclosure or transfer of data to other persons, entities or companies, this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers that comply with EU Commission requirements and establish contractual obligations to protect your data.

This dual protection ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the Standard Contractual Clauses serve as additional security. Should changes occur within the DPF framework, the Standard Contractual Clauses act as a reliable fallback option.

For more information about the DPF and a list of certified companies, please visit the US Department of Commerce website at https://www.dataprivacyframework.gov/.

Disclosure of Personal Data Abroad (Swiss DPA)

According to the Swiss DPA, we only disclose personal data abroad if adequate protection of the data subjects is ensured (Art. 16 Swiss DPA). If the Federal Council has not determined adequate protection, we take alternative security measures.

The list of countries with adequate protection can be found at: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original processing purpose ceases to exist or the data is no longer needed. Exceptions to this rule exist when legal obligations or special interests require longer retention or archiving of the data.

Retention Periods under Swiss Law

• 10 Years

  Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, vouchers and invoices as well as all required work instructions and other organizational documents (Art. 958f CO).

• 10 Years

  Data necessary to consider potential damage claims or similar contractual claims and rights (Art. 127, 130 CO).

• 5 Years

  Limitation period for claims from rent, lease and capital interest, delivery of food, craftsman's work, medical care and from the employment relationship (Art. 128 CO).

Start of Period

If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred.

Rights under the GDPR

As a data subject under the GDPR, you have various rights that arise in particular from Art. 15 to 21 GDPR:

• Right to Object

  You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing.

• Right to Withdraw Consent

  You have the right to withdraw any consent given at any time.

• Right of Access

  You have the right to obtain confirmation as to whether data concerning you is being processed and to information about this data as well as further information and a copy of the data in accordance with legal requirements.

• Right to Rectification

  You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.

• Right to Erasure and Restriction of Processing

  You have the right to request that data concerning you be deleted without undue delay, or alternatively to request restriction of the processing of the data.

• Right to Data Portability

  You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to request its transmission to another controller.

• Right to Lodge a Complaint with a Supervisory Authority

  You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence.

Rights under the Swiss DPA

• Right of Access

  You have the right to obtain confirmation as to whether personal data concerning you is being processed and to receive the information necessary for you to assert your rights.

• Right to Data Release or Transfer

  You have the right to request the release of your personal data in a common electronic format.

• Right to Rectification

  You have the right to request the rectification of inaccurate personal data concerning you.

• Right to Object, Erasure and Destruction

  You have the right to object to the processing of your data and to request that personal data concerning you be deleted or destroyed.

Competent Supervisory Authority

We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners"), in the context of contractual and comparable legal relationships and related measures and in view of communication with contractual partners (or pre-contractually), e.g., to answer inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions.

We delete the data after expiry of legal warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account or must be retained for legal archiving reasons (e.g., for tax purposes generally ten years).

Provision of Software and Platform Services

We process the data of our users, registered and any test users, in order to provide our contractual services to them and on the basis of legitimate interests to ensure the security of our offering and to develop it further.

Legal Basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).

We process user data in order to provide our online services to them. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Provision on Rented Storage Space

For the provision of our online offering, we use storage space, computing capacity and software that we rent from an appropriate server provider.

Collection of Access Data and Log Files

Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL and, as a rule, IP addresses and the requesting provider.

Deletion: Log file information is stored for a maximum period of 30 days and then deleted or anonymized.

Email Sending and Hosting

The web hosting services we use also include the sending, receiving and storage of emails. For these purposes, the addresses of recipients and senders as well as other information relating to email sending (e.g., the providers involved) and the contents of the respective emails are processed.

Content Delivery Network (CDN)

We use a "Content Delivery Network" (CDN). A CDN is a service that helps deliver content of an online offering, in particular large media files such as graphics or program scripts, faster and more securely using regionally distributed servers connected via the Internet.

Amazon Web Services (AWS)

We use Amazon Web Services for hosting, storage, content delivery and email sending. Data processing takes place in the EU region Frankfurt (eu-central-1).

• Processed Data: Usage data, meta and communication data, content data, email addresses and contents
• Service Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg, Luxembourg
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Website: https://aws.amazon.com/de/
• Privacy Policy: https://aws.amazon.com/de/privacy/
• Data Processing Agreement: A data processing agreement has been concluded with the provider
• Basis for Third Country Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses

ipinfo.io (Geolocation)

We use the ipinfo.io service to automatically detect the location (country) of our users in order to display the appropriate language version of our website. The user's IP address is transmitted to ipinfo.io for this purpose. The result (country/language) is stored in a cookie.

• Service Provider: IpInfo LLC, 1401 21st ST STE 1040, Sacramento, CA 95811, USA
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Website: https://ipinfo.io
• Privacy Policy: https://ipinfo.io/privacy-policy
• Basis for Third Country Transfers: Standard Contractual Clauses

The term "cookies" refers to functions that store information on end devices of users and read information from them. We use only technically necessary cookies that are required for the operation of our website. No consent is required for these cookies.

Overview of Cookies Used

We use the following cookies:

Notes on Data Protection Legal Bases

The cookies mentioned above are technically necessary for the operation of our website. They serve security (CSRF protection), session management and user-friendliness (language setting). Since these cookies are required for basic functionality, we rely on our legitimate interests pursuant to Art. 6(1)(f) GDPR. Consent is not required for technically necessary cookies.

Storage Duration

• Temporary cookies (session cookies): Are deleted as soon as you close your browser.
• Permanent cookies: Remain stored for a defined period (see table above).

Management and Deletion of Cookies

You can disable or restrict the storage of cookies in your browser settings. Cookies that have already been stored can be deleted at any time. Please note that without cookies, certain functions of our website may not be available or may only be available to a limited extent.

Plausible Analytics

We use Plausible Analytics to analyze the use of our website. Plausible is a privacy-friendly analytics service that does not set cookies and does not store personal data. No data is shared with third parties. Data processing takes place exclusively in the European Union.

Plausible does not use cookies and does not collect IP addresses. Instead, anonymized data is collected that does not allow conclusions to be drawn about individual users. Since no personal data is processed, no consent is required for the use of Plausible.

• Service Provider: Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Website: https://plausible.io
• Privacy Policy: https://plausible.io/privacy
• Data Processing: Exclusively in the EU, no third country transfers

Users can create a user account. During registration, users are informed of the required mandatory information and this is processed for the purpose of providing the user account on the basis of contractual obligation fulfillment. The processed data includes in particular the login information (username, password and an email address).

In the course of using our registration and login functions and the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests as well as those of users in protection against misuse and other unauthorized use.

Registration with Real Names

Due to the nature of our platform, we ask users to use our service only using their real names (first and last name). The use of pseudonyms is not permitted.

User Profiles Are Not Public

User profiles are not publicly visible and not accessible.

Two-Factor Authentication

We offer optional two-factor authentication (2FA), which provides an additional layer of security for your user account. When enabled, you must enter a code generated by a TOTP-compatible app on your mobile device in addition to your password.

Deletion of Data After Termination

When users have terminated their user account, their data relating to the user account will be deleted, subject to legal permission, obligation or consent of the users.

No Obligation to Retain Data

It is the responsibility of users to back up their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all data of the user stored during the contract period.

When contacting us (e.g., by mail, contact form, email, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.

Contact Form

When contacting us via our contact form, by email or other means of communication, we process the personal data transmitted to us in order to respond to and process the respective inquiry. This usually includes information such as name, contact information and, if applicable, other information that is communicated to us and is required for appropriate processing. We use this data exclusively for the stated purpose of contact and communication.

We send newsletters, emails and other electronic notifications (hereinafter "newsletter") only with the consent of the recipients or on the basis of a legal basis. If the contents of the newsletter are specified in the context of registration, these contents are decisive for the consent of the users.

To subscribe to our newsletter, you must provide your email address as well as your first and last name. This information is used for personal addressing in the newsletter.

Newsletter Content

Information about us, our services, promotions and offers.

Double Opt-In Procedure

Registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registration you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else's email address.

Logging of Registration

The registration process is logged on the basis of our legitimate interests for the purpose of proving its proper course.

Storage After Unsubscription

We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before we delete them, in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a potential defense against claims. An individual deletion request is possible at any time.

We process personal data for the purposes of promotional communication, which may take place via various channels, such as email, telephone, mail or fax, in accordance with legal requirements.

Recipients have the right to withdraw consent at any time or to object to promotional communication at any time free of charge.

After withdrawal or objection, we store the data required to prove the previous authorization for contact or sending for up to three years after the end of the year of withdrawal or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of possible defense against claims. On the basis of the legitimate interest in permanently respecting the withdrawal or objection of users, we also store the data required to avoid renewed contact (e.g., depending on the communication channel, the email address, telephone number, name).

Processed Data Types

Master data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers). Content data (e.g., textual or visual messages and posts as well as information relating to them, such as information about authorship or time of creation).

Affected Persons

Communication partners

Purposes of Processing

Direct marketing (e.g., by email or mail); Marketing. Sales promotion.

Retention and Deletion

Deletion in accordance with information in the section "General Information on Data Storage and Deletion".

Legal Bases

Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.

Supervisory Authority Responsible for Us:

Master Data

Master data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles and similar allocations. This data may include, among other things, personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs).

Content Data

Content data includes information generated in the course of creating, editing and publishing content of all kinds. This category of data may include texts, images, videos, audio files and other multimedia content.

Contact Data

Contact data is essential information that enables communication with persons or organizations. It includes, among other things, telephone numbers, postal addresses and email addresses.

Meta, Communication and Procedural Data

Meta, communication and procedural data are categories that contain information about how data is processed, transmitted and managed. Meta data includes information that describes the context, origin and structure of other data.

Usage Data

Usage data refers to information that captures how users interact with digital products, services or platforms. This data includes a wide range of information that shows how users use applications.

Personal Data

"Personal data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.

Log Data

Log data is information about events or activities that have been logged in a system or network. This data typically includes information such as timestamps, IP addresses, user actions and error messages.

Controller

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing

"Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.