Privacy Policy - Getback

Getback is a service provided by adfocus GmbH based in Zug, Switzerland (hereinafter “adfocus”). Getback is a
Conversion Optimisation Technology that enables online shops to communicate directly with users on their websites
in a targeted manner.

This Privacy Policy informs you about how we process personal data relating to our service. We provide our service on
behalf of online shops. We reserve the right to amend our Privacy Policy at any time. We will inform you about any
changes in a suitable manner on our website.

Our service is subject to Swiss data protection law and applicable foreign data protection law such as that of the
European Union (EU) with its General Data Protection Regulation (GDPR). The EU recognises that Swiss data protection
law guarantees an appropriate standard of data privacy and protection.

«Conversion Optimisation Technologyy»
1. With the Getback Conversion Optimisation Technologywe enable online shops that hire us to address the users of their individual websites directly and in a targeted manner. As a result, the online shops are able to draw the attention of their customers to forgotten orders and guide them to special offers, or enable them to have the contents of their shopping carts e-mailed to them.
2. We collect data on the usage of online shops for Getback. Collection is done for the online shops that hire us; collection is done without reference to a specific person, i.e. without using personal data. We collect the following details for orders that are placed using Getback: order number, voucher code (where used), products in the shopping cart including their value. If they so choose, online shops can also have information collected on the operating system and the browser and IP address of the users accessing the site to optimise the individual online shop for the user’s operating system and browser, and their geographical location. No e-mail addresses are recorded unless they are voluntarily provided by the individual user.
3. The individual online shops that use Getback are responsible for providing information on the data collected using Getback. Relevant information can also be found in the privacy policies of the online shops, which also contain the contact addresses, enabling users to exercise their rights vis-à-vis the individual online shop.
Processing of personal data
1. Personal data is all information relating to an identified or identifiable person. A data subject is a person whose personal data is processed. Processing means any operation with personal data, irrespective of the means applied and the procedure, in particular the retention, disclosure, collection, erasure, storage, alteration, destruction and use of personal data.
2. We process the personal data that is necessary to provide our service in an effective and user-friendly manner that is sustainable, secure and reliable.
3. We process personal data only with the consent of the data subject, unless processing is permissible for other reasons, e.g. to perform a contract with the data subject and for related precontractual actions to safeguard overriding legitimate interests, where processing is done for a purpose that is obvious from the circumstances, or upon prior advice. In this context, we process information in particular that is provided by the data subjects themselves.
4. We process personal data for the term that is required for the respective purpose or purposes. When complying with extended retention requirements based on statutory and other obligations, we restrict processing accordingly.
5. We may have personal data processed by third parties, also located outside of Switzerland. These contract data processors process personal data on our behalf. We may have personal data processed with the assistance of third parties, also located outside of Switzerland. However, we ensure that these third parties guarantee an appropriate standard of data privacy and protection.
Legal basis for processing personal data
1. We process personal data in accordance with Swiss data protection law, namely, the Swiss Federal Act on Data Protection (Swiss FADP)..
2. We process personal data in accordance with the following legal principles, to the extent that the GDPR applies:
  - Art. 6 (1) point b GDPR for the necessary processing of personal data to perform a contract with the data subject and to complete precontractual measures.
  - Art. 6 (1) point f GDPR for the necessary processing of personal data to safeguard our legitimate interests or those of third parties, unless they are overridden by the fundamental rights, freedoms and interests of the data subject. Legitimate interests include our business interest in providing the service, offering and promoting it, information security and protection against misuse and unauthorised use, enforcement of legal claims and complying with Swiss law.
  - Art. 6 (1) point c GDPR for the necessary processing of personal data to comply with a legal obligation to which we are subject pursuant to EU law, as applicable, or the applicable law of another country in which the GDPR is applicable, either in whole or in part.
  - Art. 6 (1) point a GDPR for the processing of personal data with the consent of the data subject.
  - Art. 6 (1) point d GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
Technical and organisational measures
1. We take appropriate and suitable technical and organisational measures to guarantee data protection and data security.
2. Access to our service takes place via the SSL/TLS protocol.
3. The processing of personal data on the Internet may always have security gaps and vulnerabilities, despite appropriate and suitable organisational and technical measures being taken. Consequently, we cannot guarantee absolute data security.
4. Like any use of the Internet, access to our service may be subject to unfounded and indiscriminate mass surveillance and other surveillance by security and law enforcement authorities in Switzerland, the EU, the USA, and in other countries. We have no direct influence on the processing of personal data by intelligence services, law enforcement and other security agencies.
Cookies, log files and web beacons
1. We collect the following data every time you visit our website, provided that it is transmitted by your browser to our server infrastructure. The following data is stored in log files:
  - Date and time including time zone
  - IP address
  - Access status (HTTP status code)
  - Operating system, including GUI and version
  - Browser, including language and version
  - The individual page viewed and volume of data transferred
  - Referring website
    
    This data may also be personal data. This information is necessary to provide our service in a sustainable, secure and reliable manner, and also to ensure the data security and protection of personal data in particular, also by third parties or with their assistance.
2. We use cookies on our website. Cookies, including those of third parties whose services we use (hereinafter “third-party cookies”), are text files that are saved in your browser. Cookies may be stored in your browser when you visit our website. These cookies make it possible to recognise your browser the next time you visit our website. Cookies cannot execute programs or deliver trojans or viruses to your computer. Cookies are necessary for us to provide our offering, including our website, in an effective and user-friendly manner that is sustainable, secure and reliable, in particular by analysing use for troubleshooting and making improvements.
  
  You can deactivate cookies in your browser settings, either in whole or in part, at any time, as well as delete them. However, without cookies you may not have full access to our offering. We shall inform you directly about the use of cookies, where necessary, or request directly that you consent to them.
3. We use web beacons on our website. Web beacons, including those of third parties whose services we use, are small graphic images that are retrieved when you visit our website. Web beacons enable the same information to be collected that is transmitted by your browser to our server infrastructure. Web beacons are necessary for us to provide our offering, including our website, in an effective and user-friendly manner that is sustainable, secure and reliable, in particular by analysing use for troubleshooting and making improvements.
Notifications and newsletters
1. We may send out notifications and newsletters by e-mail and through other communication channels. Where e-mail correspondence is not necessary to perform a contract with you, the data subject, or to safeguard our overriding legitimate interests, you must expressly consent to the use of your e-mail address and your other contact addresses so that they are not misused by unauthorised third parties (“double opt-in”). We may have notifications and newsletters sent out by way of third parties or with their assistance.
2. Notifications and newsletters may contain web beacons or weblinks that detect whether an individual notification or newsletter has been opened and what weblinks have been clicked. These web beacons and weblinks record data on the use of notifications and newsletters. We need this statistical collection of usage data, including performance and marketing reach measurements, so that we can provide notifications and newsletters that are effective and user-friendly, based on the reading habits of the recipients, and provide these items in a sustainable, secure and reliable manner.
3. You can unsubscribe from these notifications and newsletters at any time, and in doing so also lodge your objection to the logging of data on usage.
Third-party services
1. We use the services of third parties, also of those located outside of Switzerland, including the USA, to provide our offering in an effective and user-friendly manner that is sustainable, secure and reliable. These services – which include hosting and storage services and payment services – require your IP address; otherwise, the relevant content cannot be delivered or provided. These services may process other information related to our offering – using cookies, log files, web beacons, etc. – and merge it with information from other sources for their own statistical and technical purposes.
2. We use Cloudflare to ensure data security and to optimise the loading times for our offering. Cloudflare is a content delivery network (CDN) offered by US-based Cloudflare, Inc. This means that access to our offering may take place by way of Cloudflare’s infrastructure. Cloudflare is subject to the EU-US Privacy Shield and the Swiss-US Privacy Shield, under which Cloudflare is obligated to guarantee an appropriate standard of data protection and privacy. Cloudflare has published the following information in particular on the type, scope and purpose of the data processing that it performs: privacy statement, information on log files at Cloudflare, certification under the EU-US and the Swiss-US Privacy Shield Frameworks.
3. We use Google Analytics to have the use of our offering analysed; however, we have the IP addresses anonymised prior to analysis. Google Analytics also uses cookies.
  
  Google Analytics is a web analytics service of Google LLC. We need this service to provide our offering, including our website, in an effective and user-friendly manner that is sustainable, secure and reliable, in particular by analysing use, including conducting performance and marketing reach measurements for troubleshooting and making improvements. You can refuse to permit collection by Google Analytics for statistical purposes by having an opt-out cookie set or by using the Google Analytics Opt-out Browser Add-on.
  
  Google is subject to the EU-US Privacy Shield and the Swiss-US Privacy Shield, under which Google is obligated to guarantee an appropriate standard of data protection and privacy. In particular, Google has published the following information on the type, scope and purpose of data processing in connection with Google Analytics: Google Analytics terms and conditions, Privacy Policy and Terms of Service, certification under the EU-US and the Swiss-US Privacy Shield Frameworks.
4. We use Google Fonts to embed selected fonts in our website. Google Fonts is a service of Google LLC. Google is subject to the EU-US Privacy Shield and the Swiss-US Privacy Shield, under which Google is obligated to guarantee an appropriate standard of data protection and privacy. Google has published the following information in particular on the type, scope and purpose of data processing in connection with Google Fonts: Google Fonts Privacy Policy, Privacy Statement and Terms of Service, entry in the Privacy Shield list.
5. We use Mandrill and MailChimp to send out and administer e-mails, including newsletters. Cookies are also used in this connection. Mandrill and MailChimp are services offered by The Rocket Science Group, LLC d/b/a MailChimp, an American company that is subject to the EU-US Privacy Shield and the Swiss-US Privacy Shield. In so doing, The Rocket Science Group undertakes to provide for appropriate data protection and privacy. The Rocket Science Group, LLC has published the following information in particular on the type, scope and purpose of data processing in connection with Mandrill and MailChimp: Privacy Policy, General Data Protection Regulation (GDPR), MailChimp, Privacy Shield and GDPR, entry in the Privacy Shield list.
Rights of data subjects
1. Data subjects whose personal data that we process have rights under Swiss data protection law. They include the right to see the information stored about them, or the right to rectification, erasure or blocking of the personal data that has been processed.
2. To the extent the GDPR applies, data subjects whose personal data we process may request confirmation, free of charge, to determine whether we have their personal data on file and, if so, request information on what personal data is processed, have such processing restricted, exercise their right to data portability, and to have their personal data corrected, erased (“right to be forgotten”), or blocked.
3. To the extent the GDPR applies, data subjects whose personal data we process may revoke consents given by them at any time and also lodge an objection to the processing of their personal data.
4. Data subjects whose personal data we process have the right to file a complaint with the competent regulatory authority. The regulatory authority that is in charge of data privacy and protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
Contact addresses
1. Queries of regulatory authorities and data subjects may be submitted to us by e-mail, or also by postal mail.
  
  adfocus GmbH
  Blegistrasse 9
  6340 Baar
  Schweiz
  info@adfocus.ch
  
  The contact for questions relating to data privacy and protection in connection with our service is Philippe Müller, our managing director.
2. We have a data protection representative in the EU who functions as a port of call for the regulatory authorities and data subjects for all issues relating to EU data protection law:
  
  VGS Datenschutzpartner UG
  Am Kaiserkai 69
  20457 Hamburg
  Deutschland
  info@datenschutzpartner.eu
Getback Technology (Opt-Out)
1. You do not wish to accept Getback cookies? No problem. Click on the “opt-out” link below. Please note that you must opt out again if you delete your cookies or use another browser.
  
  Opt-Out Status: