Online Privacy Statement of Swisscard AECS GmbH

1. What is this Privacy Statement about?

In this Privacy Policy, Swisscard AECS GmbH ("Swisscard" or "we"), describes how we process your data in connection with the use of

• our websites, including www.swisscard.ch, www.scard.ch and other websites that refer to this Privacy Policy, and
• our apps

 (collectively referred to hereinafter as the "Website").

That concerns all users of the Website even if they are not Swisscard customers (customers are additionally subject to the separate Privacy Statement for Credit Cards of Swisscard AECS GmbH for Private Customers and Business Customers). Our Website specifically addresses users in Switzerland, even though it can be accessed from outside Switzerland.

Our further Privacy Policies are provided on our website (www.swisscard.ch/datenschutz). If you have any questions, please do not hesitate to contact us (Section 2 ).

All references to persons in this document are meant to cover all genders.

2. Who is responsible for processing your data?

Swisscard is the data controller responsible for data processing under this Privacy Policy. This means that it is mainly in charge of the compliance of data protection. If you wish to contact us in this regard, please use the following address:

Swisscard AECS GmbH
Data Protection Office
Neugasse 18
P.O. Box
8810 Horgen, Switzerland

E-mail: datenschutz@swisscard.ch

3. What data do we process?

We process various data from multiple sources, particularly the following data:

• Technical data: When you use our Website, we collect your IP address and other technical data for technical reasons and to ensure the performance and security of our Website. This also includes logs in which the use of our Website is recorded and data in connection with the devices you use (e.g. information on the device manufacturer and type, the operating system or a device ID). To ensure the proper performance of the Website, we may also assign an individual code to you or your system (e.g. in the form of a cookie, see Section 8). This code is stored for the predetermined time and will often only remain in place for the duration of your visit. The technical data does not in itself allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations or the processing of contracts, the data may be linked to other data categories (and thus possibly to your person).
• Registration and application data: To make use of certain offers (e.g. competitions) and services (e.g. rewards shop), you must register or create a user account. To do so, you have to give us certain information about you that is generally personal in nature. The same is true of our online application process for card products.
• Communication data: When you contact us by email or by other means of communication, we will collect the information exchanged, your contact details and the peripheral data of the communication (e.g. time).
• Behavioural and preference data: Depending on our relationship with you, we try to get to know you better and to better tailor our products and services to you. To that end, we collect and use data about your behaviour (e.g., your use of the Website). We analyse such behavioural data and may supplement it with other information from us (e.g., where and when you make use of our services) and with information from third parties. On that basis we may, for example, estimate the probability that you will behave in a certain way or have certain interests.

You provide us with much of this data yourself (via forms, communication with us, contracts, or through use of the Website). As a rule, you are not obliged to do so. If you enter into contracts with us or use our services, however, you must provide us with certain data as part of your contractual obligations, in particular contact and registration data. In addition, technical data accumulates during use of our Website.  

4. For what purposes do we process your data?

We process the data mentioned in Section 3 for the following and compatible purposes:

• in order to communicate with you and to contact you in the event of queries or for the purpose of making enquiries. For this purpose we will particularly use communication data and registration data. We also store the data in order to be able to document our communications with you, as well as in some cases for training purposes, for quality assurance and for subsequent enquiries;
• for the establishment, administration and processing of contractual relationships, where use of the Website is connected with a contract;
• to comply with laws, directives and recommendations of authorities and internal regulations (compliance);
• for purposes of market research, marketing and relationship management. For example, we will provide you with information, advertising and product offerings from Swisscard and from third parties (e.g. insurance companies), as printed matter, electronically or by telephone. Moreover, like most companies, we personalize the content of our Website (but not of our apps). We therefore collect data on preferences as the basis for these personalisations (see Section 3);
• to improve our services and for product development purposes. For example, we analyse which online offers are used by which groups of people and how.
• to ensure appropriate IT security. Such processing includes, for example, analyses, tests, error checks and backup copies;
• for other purposes such as, for instance, training and education purposes, internal processes and administrative purposes (e.g. management of data, accounting and record-keeping), enforcement of our rights and defence against claims (e.g. by securing evidence, legal assessments and participating in court or administrative proceedings), and preparing and processing purchases and sales of companies and assets as well as safeguarding other legitimate interests.
• To the extent that we ask for your consent for certain types of processing, we will inform you separately of the relevant purposes of the processing. You may revoke your consent at any time with future effect by giving us written notice thereof.

We base the processing of your personal data on the fact that it is necessary for the initiation or execution of a contract, that it is required or permitted by law, that it is necessary for legitimate interests on our part or those of third parties (e.g. processing for administrative and security-related purposes and for purposes of market research, marketing and improvement of our services and product development) or that you have separately consented to the processing (for more information, see Section 8).

You may object to the processing for marketing purposes at any time by notifying us, including for individual communication channels (e.g. only advertising via e-mail) or for individual advertising campaigns or newsletters. This does not apply to automatically generated messages that cannot be individually adjusted. Further information about your rights can be found in Section 11.

5. What are the rules on profiling?

We can process and evaluate your data automatically in accordance with Section 3 for the purposes mentioned in Section 4 and thereby collect further information, such as preference data. For more information, see Section 3. Such evaluations also include what is known as profiling, i.e. automated data evaluations for analytical and forecasting purposes. The most important examples are profiling for risk management, customer care and marketing purposes.

6. Whom do we disclose your data to?

We may also disclose your personal data to third parties for the purposes mentioned in Section 4.

This Section 6 explains the most frequent cases of data disclosure, indicating in each case which data may be disclosed. Further information can be found in Sections 3 and 4.

• Service providers: We work with service providers in Switzerland and abroad (e.g. for IT services including the service providers mentioned in Section 8) and provide them with the data required for their services. Such service providers act as our data processors or as data controllers and are subject to contractual and/or statutory obligations of confidentiality and data secrecy.
• Other disclosures: Data may also be disclosed to other recipients, e.g. to courts and government agencies in the context of proceedings and statutory duties of disclosure and cooperation, to purchasers of companies and assets, to financing companies in case of securitisations and to debt collection companies.

If data is transmitted via open networks (e.g. Internet or mobile networks), the transmission may involve several participants (e.g. network operators, operators of operating systems) who may create a traffic profile and thus track when you contacted whom. It cannot be ruled out that third parties may access and also use transmitted data unlawfully. Swisscard provides you with secure communication channels (e.g. the Swisscard App). Thus, sensitive data such as means of identification (especially card number, expiry date, card security code and PIN) should never be transmitted unprotected, e.g. by e-mail. As a cardholder, please note the due diligence obligations under the general terms and conditions applicable to the card product in question as well as any additional product and service conditions. Moreover, even in the case of encrypted transmission, the names of the sender and recipient remain identifiable for the participants in the transmission. Third parties (in the event that apps and online platforms are used this may, for example, include Google or Apple) may be able to draw conclusions about existing or future business relationships. When using or installing an app or online platform, third parties (e.g. Apple or Google) may infer the existence of a customer relationship with Swisscard and certain content.

The aforementioned disclosures in Switzerland and abroad (see Section 7) are necessary for legal or operational reasons.

7. When do we disclose personal data to foreign countries?

As explained in Section 6, your personal data is processed not only by us but also by other entities, e.g. IT service providers. These may be located outside of Switzerland. Your data may also be transferred abroad and processed outside the EU or European Economic Area, for example in the USA. The laws of many such countries do not currently guarantee a level of data protection complying with Swiss law. We therefore take contractual precautions to contractually compensate for the weaker statutory protection, unless disclosure is otherwise permitted by data protection law on a case-by-case basis (e.g. if you have expressly consented to disclosure, if disclosure is directly related to the formation or performance of the contract or is necessary in order to ascertain, exercise or enforce legal claims before a foreign court or foreign authority). These precautions particularly include standard contractual clauses issued or recognised by the European Commission and the Swiss Data Protection and Information Commissioner (FDPIC). For further information and a copy of these clauses, see: https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland.html

Please also note that data exchanged over the Internet is often transmitted via third countries. Your data may therefore be transferred abroad even if the sender and recipient are located in the same country.

8. What online tracking and online advertising techniques do we use?

We use various techniques on our Website that enable us and our service providers to recognise individual users upon returning to the Website (including across multiple visits).

Such techniques include cookies, for example, which are small files stored on your device to track your visit to the Website and your preferences when you navigate between pages; they are also sometimes used to save your settings until your next visit. In addition, other techniques may be used that make you more or less recognisable (i.e. distinguishable from other users), e.g. “fingerprinting”: Users are distinguished from one another through a combination of information about their IP address, browser, and system settings, e.g. screen resolution (your system shares such information with any server on request). Our use of the term "cookies" below is meant to include similar techniques.

We employ such technologies to distinguish access via your system from access by other users, allowing us to ensure the functionality of the Website while carrying out analyses and controls.  You will be identified as an individual user each time you access the site, for example by our server (or the servers of third parties) assigning you or your browser a unique identifier.

Cookies and their purpose on our Websites

We use cookies for the following:

• Recording the number and type of visits to the Website and its subpages so that we can determine whether and what parts of the Website can be improved; 
• Displaying group-specific content on the relevant Website (see Matomo and Adtelligence below);
• Displaying advertisements on third-party websites (remarketing);
• Displaying personalised advertisements and offers;
• Storing of settings between your visits;
• Collecting statistical data on the number of visitors and their usage habits and to improve the speed and performance of the Website pages. 

Certain cookies are necessary for the operation of our website and have already been set. One of the cookies is used for the operation of parts of the Website and stores your privacy settings (Adobe Launch). Another cookie from Adtelligence (www.adtelligence.com) is used to deliver Website content.

Cookies of third parties and partners on our Websites

We use third-party services for the above-mentioned purposes (for further information, see below). To that purpose, third party components that also use cookies may be integrated into the Website. Such third parties and Swisscard do not have access to the data collected by one another via cookies. We also use cookies for targeted advertisements of Swisscard and its partners whenever you visit third-party websites with which we maintain marketing relationships. 

Our service providers may collect anonymised information regarding your use of our and other websites and make such anonymised data available to us, including geographical details, your user behaviour on a website, or the names of websites on which you were shown advertisements.

Deleting cookies

You can use the “Change cookie settings” link at any time to adjust the settings and disable the use of cookies for certain purposes. You can also delete existing cookies and block additional cookies at any time. This is possible using the settings in your Internet browser. However, not all parts of this Website will function without cookies.

9. Tracking & Marketing technologies on our websites

 

Tracking technologies

Adobe Realtime Customer Data Platform

This Website uses the Adobe Realtime Customer Data Platform, which centrally collects and organises usage and behaviour data on this Website. The Adobe Realtime Customer Data Platform is an SAAS service from Adobe Systems Software Ireland Limited and is part of the Adobe Experience Platform. It generates a user profile based on various information such as visitor cookies, masked IP addresses, browser data, device IDs, usage data, and additional information that you provide on our Website. The profile will be used for marketing and analytical purposes and shared with service providers in anonymised form.

Adobe Customer Journey Analytics

Based on user profile data from the Adobe Realtime Customer Data Platform, we analyse visitor and user behaviour data on the Swisscard Websites. We use that data in anonymised form to analyse individual Website content or how users behave on the Website.

Data protection provisions of Adobe Systems Software Ireland Limited

Piano Analytics

This Website uses Piano Analytics, a service of the Piano Software Group headquartered in Amsterdam. With Piano Analytics, we collect data about your visit and use of the Website. Piano Analytics uses "fingerprinting" (for more  information, see above).

Microsoft Clarity

We use Clarity on our Website to analyse user behaviour. We receive reports and visual representations from Clarity that show where and how users navigate through our Website (e.g., mouse movements, clicks, scrolling activities, and keyboard input). Any personally identifiable information is anonymised. This means that you cannot be personally identified as a user of the Website.

Matomo and Adtelligence

For tracking and control of tag management of the visitor actions, we use the open-source software Matomo (formerly “Piwik”). Adtelligence software from Adtelligence GmbH (www.adtelligence.com) also uses Matomo to track user interactions and customise the Website for specific target groups.

 

Adjust privacy settings for Tracking

 

 

Marketing services on our Websites

Google DoubleClick

This Website uses DoubleClick Digital Marketing Platform, a web analysis service from Google. DoubleClick sets cookies when you look at an advertisement or click on an advertising banner from Us that is located on a partner website. This allows us to display more relevant banners. We can also use cookies to record data about how your browser interacts with a banner. It also records whether you have looked at an advertisement, clicked on it, and whether this resulted in registration with Us. These data are collected and stored in anonymized form. If you do not wish for this information to be collected, you can disable their use in the Privacy settings of this Website.

Google Adwords

To improve the Website and its advertising activities, this Website uses Google's online advertising program "Google Adwords” and, in that environment, conversion tracking. The cookie for conversion tracking is set when a user clicks on an advertisement placed by Google. Such cookies are not used for personal identification. If the user visits certain pages of this Website, we and Google can detect that the user has clicked on the advertisement and was forwarded to the page in question. Each Google AdWords customer receives a different cookie. Therefore, cookies cannot be tracked across the websites of AdWords customers. We can use the data collected through conversion cookies to create conversion statistics for AdWords customers. However, these customers do not receive any information that allows the user to be personally identified.

Bing (Microsoft Advertising)

If you access our Website via a Bing advertisement, Microsoft stores a cookie on your computer. Based on that cookie, it is recognisable to us and Microsoft that you clicked on an advertisement, were redirected to our Website, and reached a specific target page. 
Our Website uses Bing Ads to collect and store data and to create user profiles under pseudonyms. That procedure improves our understanding of the behaviour of visitors who reach our Website via Bing Ads. We have integrated a Bing tag into our Website that works together with the cookie to store non-personal information about your use of the Website. 
Such information includes the duration of your visit, the areas of the Website that you visited, and the advertisement that directed you to our Website. Microsoft Advertising supports our online advertising efforts by using cookies. 

Meta

This Website shares information about your visit with Meta, such as your Website use, conversion tracking, and the performance measurement of advertising. In the process, we provide Meta with the Website visitor data required to personalise advertising on the Meta platforms. As a result, Meta is informed which advertisements were clicked on and whether the customer visited the Website or successfully achieved a specified goal on the Website. Meta can use that data to draw inferences about the profile data of the users of Meta platforms (such as Facebook or Instagram).

 

Adjust privacy settings for marketing

 

11. How long do we store your data?

We store your data for as long as required by applicable statutory requirements or by the purpose of its processing. The duration of storage is therefore based on statutory retention obligations and the processing purposes (see Section 4), which also include safeguarding our legitimate interests.