WIN-WIN FOR WORK GmbH
Gisibachstrasse 13
6405 Immensee
Switzerland
A. General Part
1. What this Privacy Policy is about
This Privacy Policy describes how WIN-WIN FOR WORK GmbH, Gisibachstrasse 13, 6405 Immensee, Switzerland (“WIN-WIN FOR WORK” or “we”) handles your personal data when you use this website or other WIN-WIN FOR WORK websites (e.g., winwinforwork.org and weEmpower.ch) (collectively “Website”) or the apps and other software applications (“Applications”) used by WIN-WIN FOR WORK, or when you are in a contractual relationship with us (e.g., purchasing services or products), communicate with us, or otherwise interact with us. In particular, we explain what type of personal data we collect and process, as well as the method, scope, purpose, and duration of the processing of this personal data by WIN-WIN FOR WORK. Furthermore, we inform you about your rights in connection with personal data.
This is not an exhaustive description. Other privacy policies or similar documents may regulate or describe specific circumstances.
When processing personal data, we comply with the provisions of the Swiss Data Protection Act (DPA) and the EU General Data Protection Regulation (EU GDPR, Regulation (EU) 2016/679), insofar as these are applicable.
2. Controller
The data controller responsible for the data processing described herein is WIN-WIN FOR WORK GmbH, Gisibachstrasse 13, 6405 Immensee, Switzerland.
If you have a concern regarding the collection, processing, and use of your personal data, please contact the controller: Christian Czupalla, Managing Director, Gisibachstrasse 13, 6405 Immensee, Switzerland, Datenschutz@winwinforwork.org
Third-party offerings accessible via our website or applications are not subject to this Privacy Policy. Any responsibility or liability for data protection compliance by third-party websites is excluded.
3. Collection and Processing of Personal Data
3.1 Categories of Personal Data
Personal data is any information by which you can be identified or that can reasonably be used to identify you. Anonymous or statistical data that cannot be linked to the user’s person, or only with unreasonable effort, is not included.
Master Data: Master data includes your basic information such as first name, last name, contact details, information about, e.g., role/function, employer/organization, bank details, date of birth, powers of attorney, signature authorizations, declarations of consent, social media profiles, photos and videos, copy of identification documents, information about your relationship with us and our interactions (e.g., history). We require master data for the processing of our business relationships, official documents (e.g., commercial register excerpts, etc.).
Contract Data: Contract data arises in connection with contract initiation, conclusion, or execution. This includes, for example, information about business partners, services, billing, insurance, financial, and tax data, complaints, etc.
Communication Data: When you are in contact with us (e.g., via the contact form, email, phone, chat, letter), we collect the exchanged communication content, your name and contact details, as well as information about the type, time, and location of the communication. If we record phone calls or video conferences, e.g., for training and quality assurance purposes, we will inform you accordingly (e.g., by a notification during the respective video conference). If you do not wish to be recorded, please end the call or your participation and contact us in another way (e.g., by email); if you only do not wish your image to be recorded, please turn off your camera. For identification purposes (e.g., in response to a request for information from you), we collect data to establish your identity (e.g., a copy of your identification document).
Technical Data: When you use our website or other offerings, we collect certain technical data, such as IP address and log data (protocols in which we record the use of our systems), to ensure the functionality and security of these offerings (cf. Section 27). Under certain circumstances, we may also assign an individual code to your device (e.g., in the form of a cookie and similar technologies, cf. Section 28) to recognize your device.
Registration Data: Certain offerings and services (e.g., member areas or login areas of our website, newsletter dispatch) can only be used with a member or user account or registration, whereby you must provide us with certain data (such as name, username, password, email). We collect data about the use of these offerings and services.
Behavioral and Preference Data: When you use our website, applications, and/or services, we collect data about the corresponding use, preferences, and generally about your interaction with our offerings. We may evaluate this data about your behavior and preferences and supplement it with information from third parties or from publicly accessible sources.
Other Data: We also collect your personal data in other situations, e.g., data (such as files, evidence, etc.) in connection with administrative or judicial proceedings. The retention period for this data depends on the purpose and is limited to what is necessary.
3.2 Origin of Personal Data
In principle, we process the personal data that we receive in the course of operating our website or applications or in the context of our business relationships. We receive personal data
from you directly (e.g., when doing business with us, during registration, or through your communication with us, when using the website). The provision of your personal data is generally voluntary; however, we must collect certain data due to legal obligations or as part of your contractual obligations according to the respective agreement with us or when using our website; or
from third parties (e.g., in connection with your professional activities and function, to conclude contracts with your employer and conduct business; from our contractual partners; from third parties involved in the execution of the contract; from credit rating agencies; from authorities; in connection with administrative or judicial proceedings; etc.); or
from publicly accessible sources such as public registers or the internet (websites, social media, etc.).
If you provide us with data about other persons, you must ensure that you are permitted to do so, that the data subjects are informed about this Privacy Policy, and that the data is accurate.
4. Purposes of Data Processing
We process your data for the following purposes:
For the establishment, management, and execution of contractual relationships with our business partners.
For communication with you, e.g., for customer service and customer care, service provision, answering inquiries, follow-up questions, authentication, quality assurance.
For relationship management and information, to send personalized offers and advertising to our customers and other contractual partners, e.g., in the form of newsletters and other regular contacts (electronically, by mail, by phone), invitations, etc. These may be our own offers or offers from third parties. You can refuse such contacts at any time or deny or revoke consent for contact for advertising purposes.
For market research, to improve our services and operations, and for product development, e.g., by analyzing your navigation through the website and your user behavior. Where possible, the data is pseudonymized or anonymized.
For the clarification and enforcement of legal claims and defense in connection with legal disputes and administrative proceedings.
For the ongoing security of our IT and other infrastructure, for access control, for fraud and abuse prevention, and for evidentiary purposes, e.g., by: analyzing behavioral and transaction data to detect suspicious behavior patterns and fraudulent activities; evaluating system-side records of the use of our systems (log data); preventing, repelling, and investigating cyberattacks and malware attacks; analyses and tests of our networks and IT infrastructures, as well as system and error checks; controlling access to electronic systems (e.g., logins for user accounts); documentation purposes and creating security copies.
For compliance with laws, directives, and recommendations from authorities and internal regulations, such as (i) in the context of combating money laundering and terrorist financing through “Know-your-customer” clarifications, (ii) in the context of fulfilling disclosure, information, or reporting obligations, e.g., in connection with supervisory and tax law obligations, (iii) for archiving obligations, (iv) for the prevention and investigation of criminal offenses and other misconduct (e.g., conducting internal investigations, data analyses for fraud prevention), (v) by cooperating in external investigations, e.g., by a law enforcement or supervisory authority; (vi) by receiving and processing complaints and other reports.
For the purposes of our risk management and within the framework of prudent corporate governance, including operational organization, corporate development, as well as the purchase and sale of business units and corporate transactions.
For other purposes, e.g., for internal processes and administration, central storage and management of data, archiving, training, and quality assurance purposes.
5. Legal Bases for Processing
If a legal basis is required for data processing, the following legal bases may be considered:
Based on the initiation, execution, or fulfillment of a contract with you or pre-contractual measures.
Based on our legitimate interests, in particular (i) in the processing for the pursuit of the purposes described above under Section 4 and for the implementation of the corresponding measures, and (ii) in the disclosure of data according to Section 6 and the associated objectives. Legitimate interests include our own interests and the interests of third parties.
Based on legal provisions.
If you have given us consent to process your personal data for specific purposes (e.g., for the processing of particularly sensitive personal data, for receiving newsletters, for creating personalized movement profiles and for behavioral analysis on the website or conducting a background check), we will inform you separately about the corresponding processing. Granted consent can be revoked at any time with future effect (which, however, has no impact on data processing that has already taken place). Upon receipt of the revocation, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for it.
Insofar as the EU GDPR is applicable, personal data is processed according to the following legal bases in connection with Art. 6 para. 1 EU GDPR: with the consent of the data subject (lit. a); for the fulfillment of a contract with the data subject and for the implementation of corresponding pre-contractual measures (lit. b); for the fulfillment of a legal obligation (lit. c); for the protection of vital interests of the data subject or another natural person (lit. d); for the protection of legitimate interests (lit. f), e.g., our business interest in providing our website, information security, the enforcement of our own legal claims, compliance with applicable law.
6. Disclosure of Data to Third Parties
We disclose personal data about you to third parties who assist us in the execution of the contractual relationship with you, in connection with our legal obligations, or otherwise within the scope of the mentioned processing purposes. These third parties include the following categories of recipients:
Service providers who process your data either (i) on our behalf (processors) or (ii) in joint responsibility with us or (iii) on their own responsibility in connection with contract execution, e.g.,
IT providers, such as for blogs, chat and video platforms, data analysis, data storage, financial data services, login services, online shop, job board, technical support, newsletter dispatch, web hosting, web design, as well as
Service providers for accounting, document management, advertising services, as well as tax advisors, lawyers, management consultants, banks, insurance companies, debt collection service providers, credit agencies, telecommunications companies.
We have contractually obliged these service providers, among other things, to comply with our data protection provisions, to confidentiality, and to demonstrate the given technical and organizational measures for data security (insofar as these obligations are not already legally stipulated). Our partners and service providers may use your personal data exclusively for the purposes for which it was originally collected.
Other third parties who process personal data for their own purposes, (i) if you have expressly consented to the corresponding disclosure and processing, or (ii) insofar as we are legally obliged or entitled to disclose it. These include, for example,
Contractual partners, if the data transfer results from the contracts between us and these third parties (e.g., if you work for the contractual partner),
Cooperation partners who help us in carrying out our activities,
Third parties in connection with mergers, acquisitions, bankruptcies or sales, assignments or other transfers of all or substantially all assets,
Domestic and foreign offices, courts, and authorities, if we are legally obliged or entitled to do so or if this appears necessary to protect our interests.
In these cases, the data recipients are data controllers in their own right, who will inform you via their own privacy policy.
All these categories of recipients may in turn engage third parties, so that your data may also become accessible to them.
We can contractually restrict the processing by certain third parties (e.g., IT processors), but not that of other third parties (e.g., banks, authorities).
7. Data Transfer Abroad
The aforementioned data recipients may be located in Switzerland or in any country worldwide. In particular, you must expect that your personal data may be transferred to any country where our service providers are located.
If we transfer personal data to a recipient in a country without adequate legal data protection, we contractually oblige the recipient to comply with applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless they are already (i) subject to a legally recognized framework for ensuring data protection and (ii) we cannot rely on an exemption provision. An exception may apply, for example,
in connection with legal proceedings abroad, or
in the case of overriding public interests, or
if contract execution or fulfillment requires such disclosure, or
if you have consented, or
if it concerns data made generally accessible by you, to the processing of which you have not objected.
8. Retention Period
8.1 Principle
We process and store your personal data for as long as it is necessary for:
the processing purposes for which they are collected,
the fulfillment of our contractual and legal obligations (including retention periods), and
our legitimate interests in processing (i) for documentation and evidentiary purposes, or (ii) to enforce or defend claims, or (iii) to ensure IT security
(i.e., for example, for the duration of the contractual relationship and beyond, in accordance with legal retention and documentation obligations and until the statute of limitations for contractual claims).
8.2 Periods
The usual retention or storage period is generally
for master and contract data as well as communication data such as emails in personal mailboxes and written correspondence: 10 years from the last exchange with you or from the last contract activity, but at least from the end of the contract;
for other communication data (incl. recordings of video conferences and chats): 12 months from the last exchange with you;
for behavioral and preference data (for product and service preferences): as soon as this data is no longer meaningful for the purposes pursued, which may vary depending on the type of data (e.g., for product and service preferences 24 months from receipt of the data; for the retention period for cookies on our website, cf. Section 28);
for registration data: 12 months after the end of service use or the dissolution of the user account;
for technical data: the periods specified in the “Special Part” of this Privacy Policy;
where these periods may be longer if required for evidentiary purposes, or to comply with legal or contractual requirements, or due to technical reasons.
Unless there are legal or contractual obligations to the contrary, we delete or anonymize your data after the expiry of the aforementioned storage or processing period as part of our usual procedures.
9. Data Security and Encryption
We have taken appropriate technical and organizational security measures to protect your personal data from unauthorized access, improper use or disclosure, unauthorized alteration, and unlawful destruction or accidental loss. However, we cannot guarantee absolute protection. Our security measures are continuously revised in line with technological developments.
Where possible, our data processing systems are designed to be privacy-friendly from the outset, e.g., through minimization and pseudonymization of personal data.
All employees, data processors, and other third parties who have access to personal data are obliged to treat and protect them confidentially.
For security reasons and to protect the transmission of confidential content, such as inquiries you send to us as the website operator, this site uses SSL encryption (Secure Sockets Layer). You can recognize an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” and by the lock symbol in your browser bar. If SSL encryption is activated, the data you transmit to us cannot be read by third parties.
10. Rights of the Data Subjects
Subject to applicable laws, you have the following rights regarding your personal data:
Right to information on whether we process your personal data, and if so, right to access a copy of this data;
Right to rectification of inaccurate or incomplete data;
Right to erasure of your personal data, as long as the applicable legal requirements are met;
Right to object to our data processing, especially processing for the purposes of our legitimate interests – unless we can demonstrate compelling legitimate grounds for processing your personal data;
Right to receive certain personal data in a common electronic format or to transmit your personal data to another controller;
Right to withdraw consent at any time.
You can assert your rights at any time by sending your request to the addresses listed in Section 2 above. The exercise of these rights usually requires you to prove your identity (e.g., copy of identification documents).
We reserve the right to enforce legal restrictions, e.g., if we are obliged to retain or process certain data, have an overriding interest, or require the personal data for the assertion of claims. We may reject requests that are excessive or constitute an abuse of the respective rights.
Furthermore, every data subject has the right to judicial enforcement of their claims and to lodge a complaint with the competent supervisory authority, in particular the data protection authority responsible for your place of residence or the place of the alleged infringement, or the supervisory authority responsible for us, namely the Federal Data Protection and Information Commissioner FDPIC, Feldeggweg 1, 3003 Bern, Switzerland (http://www.edoeb.admin.ch).
11. Updates and Amendments
We may amend or update parts of the Privacy Policy without prior notification to you.
B. Special Part: Selected Processing Activities
COMMUNICATION
12. Contact Inquiries
Via Contact Form and Email
If you send us inquiries, e.g., via the contact form on our website or by email, your details, including the contact data you provide there (i.e., at least first and last name, email address, date and time of the inquiry, user’s IP address in case of form usage, and other contact data provided by you), will be stored by us for the purpose of processing the inquiry and for follow-up questions. These communication data will be deleted as soon as the periods of 24 months or 10 years according to Section 8.2 have expired. No data will be passed on to third parties.
Scheduling Appointments
On this website, it is possible to schedule appointments with us using the Calendly application. Calendly is a service provided by Calendly LLC, BB&T Tower, 271 17th St NW, Atlanta, GA 30363, USA (“Calendly”). As soon as you use this application on our website, you leave our website and are redirected to the Calendly website. All functions then take place via this Calendly website; the applicable Calendly privacy policy can be found here: https://calendly.com/de/pages/privacy. As legally required, we ensure an adequate level of protection by means of a contract.
In addition to the aforementioned personal data, the following personal data may be collected in connection with Calendly: address, telephone number, function/position in the company, department in the company, as well as other personal data that you voluntarily provide to complete your profile (consent). We use the personal data provided by you to conduct video conferences with you (cf. Section 22 Video and Telephone Conferences/Online Trainings) and for the substantive design and processing of the contractual relationship with you (cf. Section 19 Our Services).
13. Newsletter
Processing: On this website, it is possible to subscribe to a free newsletter. We only send newsletters with the recipient’s consent. The newsletter registration takes place via a so-called double opt-in procedure: If you wish to receive the newsletter offered on our website, we require an email address from you. When registering for the newsletter, your email address from the input mask is transmitted to us or to the shipping service providers commissioned by us. After registration, you will receive an email asking you to confirm your registration. This verifies that you are the owner of the specified email address and agree to receive the newsletter. Newsletter registrations are logged to be able to prove the registration process in accordance with legal requirements.
Data: Specifically, the email address, the time of registration and confirmation (registration data), as well as technical data such as the IP address, browser, and operating system of the accessing computer are collected and stored.
Purpose of processing: The collection of the user’s email address serves to deliver the newsletter. The collection of other personal data during the registration process serves to prevent misuse of the services or the email address used.
Disclosure to third parties: Newsletters are sent via the external shipping service provider CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany, or its subcontractors PlusServer GmbH, Germany (for sending emails), Amazon Web Services, Inc., Ireland and Germany (for storing and processing order data and sending emails), and Hetzner Online GmbH, Germany (for sending emails). Our service providers and their subcontractors are based within the European Economic Area, and the personal data of newsletter recipients may be stored on their servers, which can be located in any country worldwide.
Duration: The registration data will be deleted as soon as the period according to Section 8.2 has expired. Other technical data collected during the registration process will be deleted after a period of 6 months, provided that no legal retention obligations prevent deletion.
You can unsubscribe from the newsletter at any time by sending an email to Datenschutz@winwinforwork.org and thereby withdraw your consent to the storage of personal data collected during the registration process.
14. Blog
If you register for the blog on our website, the mandatory information you provide for registration (first and last name, address, email address) as well as any other registration data you voluntarily provide to complete your profile will be stored for blog purposes and direct marketing, and may be linked with other data the website has stored about you. In the blog, you can publicly post topics, articles, links, comments, etc. (communication data). If you initiate such a process, we store this internally, publish your action in the blog, and may use these processes to provide personalized content.
The mandatory information is required for using the blog, as we need your email address for authentication, your name for attribution as the author of comments, and for personal communication from us.
If you wish to leave a comment on the blog, a spam check is performed to prevent misuse of our blog. For this purpose, your email address and IP address are stored and compared with a local blacklist. These checks are performed locally on the servers of our blog service providers. No personal data is transferred to other third parties. After the aforementioned checks, your comment, along with your first and last name, will be published. In addition, the author of the post you commented on will receive a notification about your comment and your first and last name.
Our service providers and their subcontractors are based within the European Economic Area, and the personal data may be stored on their servers, which can be located in any country worldwide.
The data collected in connection with our blog will be stored until consent is revoked. The data will be deleted as soon as the periods according to Section 8.2 (for registration or communication data) have expired.
15. Chat Tool
Processing and Data: On our website, you have the option to contact us via the chat function. This allows us to communicate with visitors to our website via chat and provide targeted assistance with questions. For this purpose, we use the Zoho SalesIQ tool (https://www.zoho.com/de/salesiq/), a web analytics service from Zoho Corporation Pvt. Ltd., Estancia IT Park, Plot No. 140 & 151 GST Road Taluk, Vallancherry Village Kanchipuram District, Chengalpattu, Tamil Nadu 603202, India (“Zoho”). To contact us, you can use the chat completely anonymously and enter your request (without providing personal data) into the chat text field. Optionally, you can enter your name, email address, and other details into the contact and text fields. When using the chat function, the entries you make are processed to display them in the chat and to log them.
In addition to providing the chat function, the Zoho SalesIQ tool analyzes your behavior on our website and when using the chat function to provide anonymized usage data. The tool automatically stores cookies on your computer when you access our website. This collects information about how visitors use our website, from which website users come to our website, the number of visits by each user, and the duration of their stay on our website. You can prevent this “tracking” by making appropriate settings in your browser.
Disclosure to third parties: The information generated by accessing our website and using the chat function, as well as information regarding the use of our website (including your IP address), is transferred to a Zoho server in the USA and stored there. Zoho will use this information to enable the chat function, to evaluate your use of the website, to compile reports on website activities for us, and to provide other services related to website usage. Zoho may also transfer this information to third parties if required by law or insofar as third parties process this data on behalf of Zoho. Zoho will not associate your IP address with other data held by Zoho. You can prevent the installation of cookies by setting your browser software accordingly; however, please note that in this case, you may not be able to use all functions of this website to their full extent. Please refer to the privacy policy (https://www.zoho.com/de/privacy.html) and cookie policy (https://www.zoho.com/de/privacy/cookie-policy.html) of Zoho Corporation. The data is also processed in the USA, where, from both a Swiss and EU perspective, there is generally no adequate level of data protection, and risks exist for the lawfulness and security of personal data.
Purpose of processing: The collection and processing of the data you enter via chat serve to operate the chat function and answer your inquiry; they are therefore carried out at your request (when the EU GDPR applies: based on your consent pursuant to Art. 6 para. 1 lit. a EU GDPR).
The processing of data in connection with the analysis of user behavior on our website serves to optimize our website and gives us the opportunity to proactively contact you via the chat function (when the EU GDPR applies: based on our legitimate interests pursuant to Art. 6 para. 1 lit. f EU GDPR). IP addresses are truncated by the last digits to ensure anonymity.
Duration: Communication data is generally deleted by us as soon as the period according to Section 8.2 has expired. However, the specific storage period of the data processed by Zoho cannot be influenced by us, but is determined by Zoho Corporation Pvt. Ltd.
16. Discord for Community Work and Events
On our website, you have the option to use the Discord application (from Discord Inc, 444 De Haro Street Suite 200, San Francisco, CA 94107 USA; the provider for users in the European Economic Area is Discord Netherlands BV, Netherlands). The Discord application is provided as a means of communication and exchange (i) with us and (ii) among the members of the WIN-WIN FOR WORK community (upon registration according to Section 18 hereinafter), for example, by participating in real-time events (“Events”) and through collaborations among community members. Communication via Discord takes place through various possible practical functions such as instant messenger, as well as video, text, and voice channels.
When using the Discord application, Discord, as a separate controller, collects and processes your data, such as your name, username, email address, and the content of sent messages, for its own processing purposes (including marketing purposes). The data is also transferred to the USA, where, in principle, there is no adequate level of data protection, and risks exist for the lawfulness and security of personal data. It may also happen that Discord shares this data with third parties (agencies and service providers).
For details (including which data is collected and processed in what way, as well as processing duration and your rights), please refer to Discord’s privacy policy: https://discord.com/privacy.
The use of the Discord application is voluntary (when the EU GDPR applies, data processing by Discord is based on your consent pursuant to Art. 6 para. 1 lit. a EU GDPR).
17. Online Surveys
For online surveys, we use the online survey tool “2ask” from orbiz Software GmbH, Felix-Wankel-Str. 4, 78467 Konstanz (“orbiz”), www.2ask.com. With this tool, we can create, conduct, and evaluate online surveys hosted on the 2ask platform.
You can participate in surveys on our website (such as “Vital@Work-Scoring” and “Vital@Work-Study”) or in other surveys that we send you via email or other communication channels. In the latter case, we use your name and email address (or corresponding details) to send you an invitation to participate in the online survey (e.g., with a link or QR code and, if applicable, access codes). If you participate in the respective surveys, we may collect personal data from you via the 2ask platform, in particular your master data such as name, organization, telephone number, and email address; furthermore, within the scope of the survey, we record your answers to the individual questions. In the context of the technical processing of online surveys, certain data is also collected for technical reasons (cf. Section 27 regarding log files). Based on the survey results, we create anonymous evaluations that have no reference to your person. Your survey data is not linked to your name and address.
Participation in the survey is voluntary (when the EU GDPR applies, data processing is therefore based on your consent pursuant to Art. 6 para. 1 lit. a EU GDPR).
Since the surveys programmed by us are hosted on the 2ask platform, this data is processed and stored on orbiz servers in Germany. More information can be found in 2ask’s privacy policy at https://www.2ask.com/2ask-datenschutz/ and https://www.2ask.com/datenschutz/.
SERVICES
18. Registration – Member Account and other Login Areas
Processing: On the website, we offer users the opportunity to register by providing personal data and thereby gain access to certain login areas, such as the member area of the WIN-WIN FOR WORK community. User registration is required for providing certain content and services on our website and/or applications, or for concluding or processing a contract. Through the member account, as a community member, you have access to various offers and services, such as (i) registration for community meetings/events and (ii) the use of a job board for employers and job seekers. For product orders via the online shop (see below) and for booking services (in the area of coaching, consulting, training, etc.), registration also has the advantage that you have an overview of placed orders and active order processes and do not have to re-enter your data for future orders.
Data: The registration data is entered into an input mask and transmitted to us and stored. The following data is collected during the registration process: first and last name, company name, address, email address, phone number, function/position in the company, department in the company, as well as other personal data that you voluntarily provide to complete your profile (registration data), and technical data such as the user’s IP address, date and time of registration.
Purpose of Processing: The data is collected for the purpose of (i) identifying you as a member, (ii) providing you as a user with password-protected direct access to your account and your basic data stored with us, (iii) processing and fulfilling your orders, (iv) corresponding with you and for invoicing.
Basis: If the registration is related to a service provided by us that the user claims, the personal data will be processed in direct connection with the conclusion or processing of a contract (e.g., for registration for a community meeting, the purchase or sale via the online shop, or in connection with the use of the job board); otherwise, the user’s consent for processing this data will be obtained as part of the registration process.
Disclosure to Third Parties: On the website in the member area, the open source system “YITH WooCommerce Membership Premium” is integrated as a plugin, which is based on the WordPress content management system (from Automattic Inc. 60 29th Street #343, San Francisco, CA 94110, USA – “Automattic”, or from Automattic’s affiliated company WooCommerce, Inc., 60 29th Street #343, San Francisco, CA 94110, USA – “WooCommerce”). As a result, the aforementioned personal data that you enter in the member account is also transmitted to the plugin provider. For this plugin, see Section 36 below.
Duration: The registration data will be deleted as soon as the period according to Section 8.2 has expired.
As a user, you have the option to cancel your registration at any time. You can have the data stored about you modified at any time. If the data is required for the processing of a contract, early deletion of the data is only possible insofar as no contractual or legal obligations prevent deletion.
19. Our Services – Online Shop, Events and other Bookings
Services: The services offered by WIN-WIN FOR WORK (which you can find on the website) include (i) an online shop with the option to purchase products, (ii) booking services in the area of coaching and consulting as well as training and education, and (iii) tickets for community meetings/events (for members).
Processing and Data: If you wish to use our services, you will actively provide us with master or contract data within the scope of the services offered. We create a business account for you in our CRM system and store the data. The processing of such data generally takes place in direct connection with the conclusion or processing of a contract or for the fulfillment of pre-contractual or contractual obligations towards you. The information required for this is:
First and last name, address, company name, billing/delivery address, email address, phone number, function/position in the company, department in the company, payment details (depending on the chosen payment method). If you do not order as a guest but also create a member account with us, we also process member login data such as password, customer number.
Additional for Orders: Purchased products (via the online shop) or ordered services, returns, date and time of orders.
Furthermore, for this purpose, we may process additional personal data that you voluntarily provide to complete your profile.
In this context, we use session cookies, e.g., for storing shopping cart contents, and permanent cookies, e.g., for storing login status.
Purposes of Processing: The collection and use of this data serve the correct establishment, content design, and processing of the contractual relationship with you (when the EU-GDPR applies: according to Art. 6 para. 1 lit. b EU-GDPR), namely to process your orders (e.g., purchases via the online shop; bookings of coaching, consulting, or training services; orders for tickets for community meetings), to deliver the ordered products or services, and to ensure correct payment. If we collect further data from you when creating the customer account, this is based on our legitimate interest in maintaining a customer relationship with you (when the EU-GDPR applies: according to Art. 6 para. 1 lit. f EU-GDPR).
Disclosure to Third Parties: The aforementioned processing purpose also includes the transmission of personal data to the respective partners and service providers to the extent necessary for order processing, such as the transport/logistics service provider commissioned with the delivery of products. These companies are our processors (when the EU-GDPR applies: according to Art. 28 EU-GDPR) and may use your data exclusively for the fulfillment of their tasks on our behalf.
For payment processing in the area of card payments (direct debit/Girocard/credit cards), we work together with various payment service providers (see list with examples below), who are considered independent controllers. We transmit the purchase amount, card data, and purchase date. As a rule, the data is stored by the financial service provider only as long as it is required for payment processing (including the processing of possible chargebacks and debt collection) and for combating misuse. Please note the privacy policies of the financial service provider.
Examples of our external payment service providers: PostFinance (https://www.postfinance.ch/de/detail/rechtliches-barrierefreiheit.html); Visa (https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html); Mastercard (https://www.mastercard.ch/de-ch/datenschutz.html); American Express (https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html); Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full); Bexio AG (https://www.bexio.com/de-CH/datenschutz); Payrexx AG (https://www.payrexx.ch/site/assets/files/2592/datenschutzerklaerung.pdf); Apple Pay (https://support.apple.com/de-ch/ht203027); Stripe (https://stripe.com/ch/privacy); Klarna (https://www.klarna.com/de/datenschutz/); Skrill (https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/); Giropay (https://www.giropay.de/rechtliches/datenschutzerklaerung); etc.
Insofar as we make advance payments, e.g., for payment on account, we may obtain a credit report about you. For this purpose, we will forward your personal data (e.g., name and address) to this company (when the EU-GDPR applies, the legal bases for the transmissions are Art. 6 para. 1 lit. b and lit. f EU-GDPR). Based on mathematical-statistical procedures, the risk of payment default is assessed. We may make the conclusion of the contract dependent on the result of the credit check.
Furthermore, the open source systems “WooCommerce” (in the online shop area) and “YITH Event Ticket for WooCommerce” are integrated as plugins on our website, which are based on the WordPress content management system (from Automattic Inc. 60 29th Street #343, San Francisco, CA 94110, USA – “Automattic”, or from Automattic’s affiliated company WooCommerce, Inc., 60 29th Street #343, San Francisco, CA 94110, USA – “WooCommerce”). As a result, the aforementioned personal data that you enter in the online shop or in the login area for ticket orders is also transmitted to the plugin provider. For this plugin, see Section 36 below.
Data Transfer Abroad: The personal data may be stored on servers located in any country in the world.
Duration: We store and process the contract data for 10 years from the last exchange with you or from the last contract activity, but at least from the end of the respective contract (booking, purchase/sale, etc.).
Further Processing: The personal data collected for contract processing may also be used by us for purposes other than the original ones, as long as there is a connection between the purposes of use and the original data collection (e.g., customer retention and marketing for our own products).
20. Job Board
The WIN-WIN FOR WORK offering also includes a job board for employers and job seekers, which is available to members in the member area on the website (job portal).
Processing and Data regarding Job Providers: Our services for job providers aim to offer our members the opportunity to select suitable candidates on the website. If you wish to offer a job on the job portal, you will provide us with master or contract data of the job provider or their employee so that we can process the order and publish the job. The information required for this is: first and last name, address, company name, billing/delivery address, email address, phone number, function/position in the company, department in the company, payment details (depending on the chosen payment method). The processed data also includes member login data such as password, customer number.
Processing and Data regarding Job Seekers / Data Recipients: Job seekers have the option to use our website’s resume database and can store their applicant profile on our website and make it publicly accessible. This makes their personal data visible on the website to potential employers or clients, such as their personal user data (name, address, email, phone number) as well as other application data associated with their resume, such as demographic data, professional career, education, qualifications, photos, identification documents, and other information, to the extent that you have voluntarily provided it. The application data is available to other community members (potential employers); WIN-WIN FOR WORK is not responsible for the access to your data by these members. These potential interested parties can select and read your resume. You should consider this if you wish to create a public resume. You can deactivate your active public resume at any time to prevent access to your resume, or even delete it completely. We cannot assume responsibility for the confidential treatment of your data by the employer.
Purposes of Processing: We process personal data for the purpose of contract administration, meaning so that we can provide job providers with the services subject to the contract, as well as for the purpose of corresponding contract preparations. We have a legitimate interest in processing the personal data of an employee of the job provider, which lies in the conduct of our business activities and those of the customer. The basis for this processing can be a contract or a pre-contractual relationship or our legitimate interests (when the EU-GDPR applies: Art. 6 para. 1 lit. b and lit. f EU-GDPR).
Processing Duration: We store and process the contract data for 10 years from the last exchange with you or from the last contract activity, but at least from the end of the respective contract (booking, purchase/sale, etc.).
Disclosure to Third Parties: On the website, the plugin “WP Job Manager” for the WordPress content management system (from Automattic Inc. 60 29th Street #343, San Francisco, CA 94110, USA – “Automattic”) is integrated. The plugin enables the creation of a job portal page and stores personal data (e.g., email addresses, profile pictures, first name and last name) in the WordPress database. As a result, the aforementioned personal data that you enter as a member or employer or job seeker is also transmitted to Automattic. For this plugin, see Section 36 below.
For further details, please refer to the service details in Section 19.
21. Online Consulting via CleverMemo
Through the website, we also offer the option of a web-based, personal workspace for direct communication and work with customers, clients, and training participants. For this purpose, we use the app “CleverMemo”. Users can individually address their goals and topics and receive continuous support from us.
We collect and use the personal data provided by you for the content design and processing of the contractual relationship with you (for further details, see Section 19 Our Services).
As soon as you click the corresponding button [e.g., Consulting Room or Login] on our website, you will leave our website and be redirected to our password-protected individual CleverMemo consulting room. CleverMemo is a service of ShareUrMind UG (haftungsbeschränkt), Forstenrieder Allee 128, 81476 Munich, Germany. All functions then take place via this page of ShareUrMind UG, and CleverMemo’s privacy policy can be found here: https://clevermemo.com/datenschutz.html. We have concluded a data processing agreement with ShareUrMind UG.
22. Video and Telephone Conferences/Online Trainings
Processing: WIN-WIN FOR WORK uses the tools “GoToMeeting” and “GoToTraining” to conduct telephone conferences, online meetings, video conferences, online seminars, and online trainings (“Online Meetings/Trainings”). GoToMeeting is a service of LogMeIn, Inc. (“LogMeIn”), which is based in the USA.
Controller: The controller for data processing directly related to the conduct of online meetings/trainings is WIN-WIN FOR WORK. (Note: If you access the website of “GoToMeeting”/“GoToTraining”, LogMeIn is responsible for data processing. However, accessing the website is only necessary to download the software for using GoToMeeting.)
Data: The following personal data is processed: (a) User information: first and last name, phone (optional), email address, password (if single sign-on is not used), profile picture (optional), department (optional); (b) Meeting metadata: topic, description (optional), participant IP addresses, device/hardware information; (c) For recordings (optional): MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat; (d) For dial-in by phone: incoming and outgoing phone number, country, start and end time, possibly further connection data such as the device’s IP address; (e) Text data: When using the chat, questions, or survey functions, the text entries you make are processed to display them in the online meeting and possibly to log them. (f) Audio and video data: To enable the display of video and the playback of audio, data from the microphone and video camera of the end device is processed during the online meeting/training (you can switch off or mute the camera and/or microphone yourself at any time).
Scope of Processing: (a) The personal data is used for conducting online meetings/trainings. (b) If we intend to record online meetings/trainings, we will inform you in advance and, if necessary, ask for your consent. Whether an online meeting/training is being recorded will be displayed to you in the app. (c) Chat contents may be logged to record the results of an online meeting/training; (d) For online trainings, we may also process questions asked by participants for the purpose of recording and post-processing the trainings.
Disclosure to Third Parties: Personal data processed in connection with participation in online meetings/trainings is generally not disclosed to third parties, unless it is specifically intended for disclosure. The provider of GoToMeeting/GoToTraining necessarily gains knowledge of the personal data, insofar as this is provided for in our data processing agreement with GoToMeeting/GoToTraining.
Processing location: GoToMeeting and GoToTraining are services of LogMeIn Ireland Limited (Bloodstone Building Block C 70 Sir John Rogerson’s Quay Dublin 2, Ireland), a subsidiary of LogMeIn Inc. (LogMeIn, 320 Summer Street, Boston, MA 02210, USA). We have concluded a data processing agreement with the provider of GoToMeeting/GoToTraining. As required by law, we ensure an adequate level of protection by means of a contract.
Communication data is generally deleted by us as soon as the period according to section 8.2 has expired. However, the specific storage duration of the data processed by LogMeIn cannot be influenced by us, but is determined by LogMeIn. You can find the GoToMeeting/GoToTraining privacy policy here: https://www.logmeininc.com/de/legal/privacy.
INTERNAL BUSINESS PROCESSES
23. Microsoft Services
We use services from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, a group company of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”), such as Microsoft Office 365 for document processing and collaboration (Word, Excel, PowerPoint, Teams), Microsoft Outlook for communication, and Microsoft Azure for infrastructure (such as storage space). In doing so, we may process your data (especially communication, master, and contract data that you have made available to us). Your data will be processed depending on the respective situation in connection with the initiation or fulfillment of a contract, with your consent, for the fulfillment of a legal obligation, or for the protection of legitimate interests.
Data processing by Microsoft takes place on servers in data centers in the European Union (in Ireland and the Netherlands). For this purpose, we have concluded a data processing agreement with Microsoft and have agreed on extensive technical and organizational measures that comply with the current state of the art in IT security. Microsoft reserves the right to process data for its own legitimate business purposes and to transfer it to Microsoft Corporation (USA). We have no influence on these data processing activities by Microsoft. To the extent that Microsoft processes personal data in connection with legitimate business purposes, Microsoft is an independent controller for these data processing activities and, as such, is responsible for compliance with all applicable data protection regulations. Information about Microsoft’s processing activities can be found in Microsoft’s privacy statements: https://privacy.microsoft.com/de-de/privacystatement; https://privacy.microsoft.com/de-de.
24. Google Services
We use services from Google Ireland Limited, Ireland, a group company of Google LLC Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), such as Google Docs for document processing and collaboration, Google Meet for communication, Google Cloud and Google Cloud Platform for infrastructure (such as storage space), Google Fonts for embedding selected fonts, icons, logos, and symbols, as well as other Google services specified in this privacy policy. In doing so, we may process your data (especially communication, master, and contract data that you have made available to us). Your data will be processed depending on the respective situation in connection with the initiation or fulfillment of a contract, with your consent, for the fulfillment of a legal obligation, or for the protection of legitimate interests.
Data processing by Google takes place on servers in data centers in the European Union. For this purpose, we have concluded a data processing agreement with Google and have agreed on extensive technical and organizational measures that comply with the current state of the art in IT security. Google reserves the right to process data for its own legitimate business purposes and to transfer it to Google LLC Inc. (USA). We have no influence on these data processing activities by Google. To the extent that Google processes personal data in connection with legitimate business purposes, Google is an independent controller for these data processing activities and, as such, is responsible for compliance with all applicable data protection regulations. Information about Google’s processing activities can be found in Google’s privacy statements: https://policies.google.com/privacy?hl=de; https://safety.google/intl/de/principles/; https://policies.google.com/technologies/product-privacy?hl=de; https://support.google.com/docs/answer/10381817?hl=de regarding Google Docs-specific information.
25. Work Management with monday.com
Processing and Data: We use the cloud-based project management and productivity tool monday.com from monday.com Ltd., 52 Menachem Begin Road, Tel Aviv 6713701 Israel (“monday.com”), with which our team performs workflow applications such as for planning, execution, control, and tracking of projects, processes, tasks, and daily work. In doing so, it is possible that we also process your data with this cloud-based tool, e.g., if a contractual relationship arises. This particularly concerns master and contract data as well as communication data that you have made available to us.
Disclosure to Third Parties: When we use the cloud-based tool, monday.com receives your data as our data processor. monday.com stores and processes the data through its own hosting and third-party hosting services. In particular, the data is stored in Amazon Web Services data centers in the USA. Furthermore, monday.com may share your data with its service providers, customers, and within its group. Further information on monday.com’s privacy policies can be found at the following link: https://monday.com/l/de/privatsphaere/datenschutzerklarung/. We take appropriate precautions to ensure that your personal data is protected in accordance with applicable data protection laws (e.g., with a data processing agreement).
Purposes of Processing: The processing of data when using the tool and its transfer to monday.com generally takes place, depending on the situation, either for the purpose of contract management or due to our legitimate interest in performing work management (when applying the EU GDPR: Art. 6 Para. 1 lit. b and lit. f EU GDPR).
26. Office Administration Software
Processing and Data: For the efficient management of our office administration (esp. CRM, accounting, quoting and invoicing, banking, payroll accounting), we use the ERP system Bexio (a cloud-based administration, accounting, and merchandise management program) from Bexio AG, Alte Jonastrasse 24, 8640 Rapperswil, Switzerland (“Bexio”). With this tool, we can efficiently organize various business processes and process and store data from business partners and third parties, e.g., if a contractual relationship arises. This particularly concerns master and contract data.
Disclosure to Third Parties: When using the tool, we may transmit data to Bexio as a data processor. We take appropriate precautions to ensure that your personal data is protected in accordance with applicable data protection laws and policies. Further information on Bexio’s data protection regulations can be found at the following link: www.bexio.com/de-CH/richtlinien/datenschutz.
Purposes of Processing: The processing of data when using the tool and any potential transfer to Bexio takes place, depending on the situation, either for the purpose of contract management or due to our legitimate interest in efficiently managing and maintaining our business processes and optimizing them (when applying the EU GDPR: Art. 6 Para. 1 lit. b and lit. f EU GDPR).
WEBSITE USAGE
27. Provision of the Website and Creation of Log Files
Processing and Data: When accessing our website, our system automatically collects the following usage data from the computer system of the accessing device: IP address of the user, date, time, and duration of access, accessed websites or files, referrer URL, operating system used by the user, information about the type and version of the browser used, and the user’s Internet service provider. The data is also stored in the log files of our system in Switzerland or within the European Economic Area (EEA). These technical data generally do not allow conclusions to be drawn about your identity; however, when creating a user account, registrations, access checks, or processing contracts or memberships, they can be linked with personal data and with your person.
Purpose of Processing: This usage data is required for delivering the website to the user’s device. In addition, it serves us to ensure the functionality of the website, for statistical, anonymous evaluations to improve our website, and to ensure the security of our information technology systems. Our legitimate interest in data processing lies in these purposes.
Duration: The data will be deleted as soon as it is no longer required for achieving the purpose of its collection. In the case of data collection for the provision of the website, this is the case when the respective session has ended. In the case of data storage in log files, the IP addresses of users and other data are generally deleted or anonymized 6 months after the end of use.
The collection of data for the provision of the website and the storage of data in log files are absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.
28. Cookies
On our website and applications, we use cookies, i.e., small text files that are stored by the browser used on your computer or mobile device when visiting the website or installing an application, and comparable technologies that can identify your browser or device (“Cookies”). Cookies serve to distinguish visitors to the websites from each other by assigning a random anonymous identifier to each visitor. However, cookies do not identify you personally.
“Functional cookies” are necessary for the functions or applications you access. They store your settings and allow the website to remember your device, actions, and preferences (e.g., language, login) over a longer period. They do not store personal data and do not require your consent.
“Analytical cookies” are used for the application of performance and audience metrics across the website (e.g., to count visits and gain insights into content popularity) to improve the website and applications. All information collected by these cookies (e.g., frequency of page views, use of website functions) is aggregated, so that data cannot be attributed to the accessing user, and is therefore anonymous.
When accessing the website, the user is informed about the use of analytical cookies via an info banner. A reference to this privacy policy is also provided.
WIN-WIN FOR WORK uses (i) “session cookies”, which recognize your computer when returning to the website during a session and are automatically deleted as soon as you close your browser, as well as (ii) “persistent cookies”, which allow your computer to be recognized during subsequent sessions and are automatically deleted after a certain period. You can configure your web browser to reject the installation of all or some cookies or to override or disable installed cookies (you can find the corresponding instructions in your browser’s help menu). However, if you block all cookies (including functional cookies) with your browser settings, this may lead to reduced availability or impaired functionality of the websites.
29. Google reCAPTCHA
We use the Google reCAPTCHA service on this website to determine whether a human or a computer is making a specific entry in our contact or newsletter form. The provider is Google. reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For analysis, reCAPTCHA evaluates various information: IP address of the device used, the website you visit on our site where the captcha is integrated, the date and duration of the visit, identification data of the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the reCAPTCHA areas, and tasks where you have to identify images. The data collected during the analysis is forwarded to Google.
There is a legitimate interest on our part in this data processing to ensure the security of our website and to protect us from automated entries (attacks), from abusive automated espionage, and from SPAM.
The reCAPTCHA analyses run entirely in the background. Website visitors are not informed that an analysis is taking place. Further information on Google reCAPTCHA and Google’s privacy policy can be found at the following links: https://policies.google.com/privacy?hl=de and www.google.com/recaptcha/intro/android.html.
30. Google Analytics
To the extent that you have given your consent, Google Analytics is used on this website, a web analytics service by Google. Google Analytics uses cookies that are stored on your computer and enable an analysis of your use of the website.
Data: During your website visit, the following data is collected: (i) pages viewed, (ii) your behavior on the website (e.g., entering an email address), (iii) your approximate location, (iv) your IP address, (v) technical information such as browser, internet provider, device, and (vi) source of your visit (e.g., via which website you came to the WIN-WIN FOR WORK website).
Purpose: Google will use this data to evaluate your use of the website, to compile reports on website activities, and to provide WIN-WIN FOR WORK with further services related to website usage and internet usage.
Processing by Third Parties: Google processes the data for website usage on our behalf and is contractually obliged to take the necessary measures to ensure the confidentiality of the processed data.
Recipient/Transfer Abroad: The recipient of the collected data is Google. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. As required by law, we ensure an adequate level of protection by means of a contract.
Anonymization: We use the Google Analytics function “anonymizeIP”. Google Analytics has been extended on this website with IP anonymization to ensure anonymous collection of IP addresses (so-called IP masking). Your IP address will be truncated by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data collected by Google.
Duration: The data sent by us and linked to cookies, user identifiers (e.g., User ID), or advertising IDs are automatically deleted after 12 months. Data whose retention period has been reached is automatically deleted once a month.
Consent/Objection: The legal basis for the use of Google Analytics is your consent. You can revoke your consent at any time with effect for the future by preventing the storage of cookies through a corresponding setting in your browser software; however, we point out that in this case, you may not be able to fully use all functions of this website.
Furthermore, you can prevent the collection and processing of this data by Google Analytics by downloading and installing the “Opt-out” browser add-on available at the following link to deactivate Google Analytics: http://tools.google.com/dlpage/gaoptout?hl=de.
For more information on Google Analytics, terms of use, and data protection, please click here: https://support.google.com/analytics/answer/6004245?hl=de.
31. Google AdWords
This website uses Google AdWords. AdWords is an online advertising program by Google.
Within Google AdWords, we use so-called conversion tracking. When you click on an ad placed by Google, a cookie for conversion tracking is set. These cookies expire after 30 days and are not used for the personal identification of users. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user has clicked on the ad and has been redirected to this page.
Each Google AdWords customer receives a different cookie. The cookies cannot be tracked across AdWords customer websites. The information collected using the conversion cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can personally identify users. If you do not wish to participate in tracking, you can object to this use by easily deactivating the Google Conversion Tracking cookie via your internet browser under user settings. You will then not be included in the conversion tracking statistics.
More information about Google AdWords and Google Conversion Tracking can be found in Google’s privacy policy: https://policies.google.com/privacy?gl=de.
You can set your browser to inform you about the setting of cookies, to allow cookies only in individual cases, to exclude the acceptance of cookies for certain cases or generally, and to activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.
32. Google Maps
This website uses the Google Maps service from Google. This allows us to display interactive maps directly on the website and enable you to use the map function conveniently. By visiting the website, Google receives the information that you have accessed the corresponding subpage of our website. This happens regardless of whether Google provides a user account through which you are logged in, or if no user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not wish for your data to be associated with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and uses them for purposes of advertising, market research, and/or needs-based design of its website. Such an evaluation is carried out in particular (also for non-logged-in users) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, for which you must contact Google to exercise this right. Further information on the purpose and scope of data collection and processing by Google, as well as additional information on your rights in this regard and setting options for protecting your privacy, can be found at: www.google.de/intl/de/policies/privacy.
33. Google Ads
This website uses Google Conversion Tracking from Google. If you have reached our website via an ad placed by Google, Google Ads will set a cookie on your computer. The conversion tracking cookie is set when a user clicks on an ad placed by Google. These cookies expire after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognize that the user clicked on the ad and was redirected to this page. Each Google Ads customer receives a different cookie. Therefore, cookies cannot be tracked across Ads customer websites. The information obtained using the conversion cookie is used to generate conversion statistics for Ads customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
If you do not wish to participate in tracking, you can refuse the setting of a cookie required for this – for example, by a browser setting that generally deactivates the automatic setting of cookies, or by setting your browser to block cookies from the domain googleleadservices.com.
Please note that you must not delete the opt-out cookies as long as you do not want measurement data to be collected. If you have deleted all your cookies in the browser, you must set the respective opt-out cookie again.
34. Google Tag Manager
Google Tag Manager is a Google solution that allows us to manage so-called website tags via an interface and thus integrate, for example, Google Analytics and other Google marketing services into our online offering. The Tag Manager itself, which implements the tags, does not process any personal user data. Regarding the processing of users’ personal data, we refer to the following information on Google services. Usage policies: https://www.google.com/intl/de/tagmanager/use-policy.html.
35. Zoho SalesIQ
This website uses Zoho SalesIQ (https://www.zoho.com/de/salesiq/), a web analytics service from Zoho Corporation Pvt. Ltd., Estancia IT Park, Plot No. 140 & 151 GST Road Taluk, Vallancherry Village Kanchipuram District, Chengalpattu, Tamil Nadu 603202, India. For this, reference is made to the details in Section 15 above.
36. WordPress Plugins
This website has been created with the WordPress Content Management System from Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA (“Automattic”) and uses the WordPress-based plugins “WooCommerce” (open-source shop system), “YITH WooCommerce Membership Premium”, “YITH Event Ticket for WooCommerce”, and “WP Jobmanager” from Automattic or its affiliated company WooCommerce, Inc., 60 29th Street #343, San Francisco, CA 94110, USA (“WooCommerce”; in Europe: WooCommerce Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland) to ensure the technically smooth use of the website’s member area and the sale of products and services, and to optimize the services of WIN-WIN FOR WORK.
All personal data that you enter in the online shop, the website’s member area, or the login area for ticket orders – i.e., first and last name, address, company name, billing/delivery address, email address, phone number, function/position in the company, department in the company, payment details (depending on the chosen payment method), purchased products or ordered services, as well as server log files (IP address, browser, language setting, date and time of web access) – are also transmitted to Automattic or WooCommerce.
Automattic or WooCommerce is a separate controller and can also process this information for its own purposes (including marketing). Furthermore, Automattic or WooCommerce also uses cookies and web beacons to identify you, analyze your behavior, and offer you advertising.
The data is also processed in the USA, among other places, where, in principle, according to both Swiss and EU perspectives, there is no adequate level of protection for data processing, and risks exist for the lawfulness and security of personal data.
You have the right to access your personal data and to object to data processing at any time. You can also file a complaint with a state supervisory authority at any time. In your browser, you also have the option to individually manage, delete, or deactivate cookies. Please note, however, that deactivated or deleted cookies may have negative effects on your use of our online shop and our member area. Depending on the browser you use, managing cookies works differently.
For details (including which data is collected and processed in what way, as well as the processing duration and your rights), please refer to the privacy policy of the plugin provider: https://automattic.com/de/privacy/.
37. Links and Social Media Plugins
WIN-WIN FOR WORK uses social media plugins (e.g., Facebook, Twitter, Google+, LinkedIn, Xing) which are recognizable by corresponding share buttons. Such social media plugins enable users of these social media platforms to publish links from our website in their social media profile, bookmark them, or share them with their social media contacts.
When you use social media plugins, you send personal data to the respective social media platform. Comments or activities of individuals using social media plugins are not controlled or supported by WIN-WIN FOR WORK, and WIN-WIN FOR WORK is neither responsible nor liable for them. Individuals who share content from WIN-WIN FOR WORK via social media plugins are not authorized to speak on behalf of WIN-WIN FOR WORK or represent WIN-WIN FOR WORK.
If you use external links to other websites offered within our website, this privacy policy does not extend to these links. Whenever you open a link to other websites, you should read the privacy policies of the respective website. The processing of your personal data is the responsibility of the respective social media operator and is carried out according to their privacy policy. WIN-WIN FOR WORK has no influence on the compliance with data protection and security regulations by other providers. WIN-WIN FOR WORK receives no information about you from these operators.
37.1 Facebook
Our website uses plugins from the social network Facebook, offered by Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA (“Facebook”). The Facebook plugins are marked with a Facebook logo (or the addition “Like” or “Share”). An overview of the Facebook plugins and their appearance can be found at https://developers.facebook.com/docs/plugins.
When you access a page of our website that contains such a plugin, a direct connection between your browser and the Facebook server is established via the plugin. The content of the plugin is transmitted directly from Facebook to your browser and integrated into the page. Facebook thereby receives the information that you have visited our page with your IP address, even if you do not have a Facebook profile or are not currently logged in to Facebook. If you are logged in to Facebook, Facebook can directly associate your visit to our website with your Facebook profile. All information about your visit (including your IP address) and your interaction with the plugins is transmitted directly from your browser to a Facebook server in the USA and stored there.
We point out that we do not receive any knowledge of the content of the transmitted data or its use by Facebook. For the purpose and scope of data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, please refer to Facebook’s privacy policy: http://www.facebook.com/policy.php.
If you do not want Facebook to directly associate the information collected about your visit to our website with your Facebook profile, you must log out of Facebook before visiting our website. You can also completely prevent the loading of Facebook plugins with add-ons for your browser.
37.2 X
Functions of the X service, offered by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA (“X”), are integrated into our website. By using X and the “Re-Tweet” function, the websites you visit are linked to your X account and made known to other users. Data is also transmitted to X. We point out that, as providers of the pages, we do not receive any knowledge of the content of the transmitted data or its use by X. Further information on this can be found in X’s privacy policy at http://twitter.com/privacy.
If you do not want X to directly associate the data collected via our website with your X account, you must log out of X before visiting our website. You can change your privacy settings on X in the account settings under https://help.twitter.com/de/safety-and-security/privacy-controls-for-tailored-ads.
37.3 LinkedIn
Our website uses functions of the LinkedIn network, offered by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (“LinkedIn”).
Each time you access one of our pages that contains LinkedIn functions, a connection to LinkedIn servers is established. LinkedIn is informed that you have visited our internet pages with your IP address. If you click the “Recommend” button from LinkedIn and are logged into your LinkedIn account, LinkedIn can associate your visit to our website with you and your user account.
We point out that we have no knowledge of the content of the transmitted (personal) data or its use by LinkedIn. Further information on this can be found in LinkedIn’s privacy policy at: https://www.linkedin.com/legal/privacy-policy.
37.4 Xing
Our website uses functions of the XING network, offered by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany (“Xing”). Each time you access one of our pages that contains Xing functions, a connection to Xing servers is established. To our knowledge, no personal data is stored in this process. In particular, no IP addresses are stored or user behavior evaluated.
Further information on data protection and the Xing Share button can be found in Xing’s privacy policy at https://privacy.xing.com/de/datenschutzerklaerung.
37.5 YouTube
Functions of the YouTube service are integrated into this website. YouTube is owned by Google Ireland Limited, a company incorporated and operated under Irish law, with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland, which operates the services in the European Economic Area and Switzerland. Your legal agreement with YouTube consists of the terms you can find at the following link: https://www.youtube.com/static?gl=de&template=terms&hl=de. These terms constitute a legally binding agreement between you and YouTube regarding your use of the services. Google’s privacy policy explains how YouTube handles and protects your personal data when you use the service.
38. Use of the POWER DUCK Dialog AI
This section specifies how we handle your data when you use our POWER DUCK Dialog AI, both for private use and for commercial subscriptions. The following provisions apply in addition to the general provisions of this privacy policy and are in accordance with the General Terms and Conditions and Terms of Use of WIN-WIN FOR WORK GmbH.
38.1. Collection and Processing of Data
When using the POWER DUCK Dialog AI, we collect and process the following data:
Anonymized User Interactions: Your inputs and queries to the AI, as well as the responses generated by the AI, are recorded. This data is anonymized using Shadow-Pin technology to improve AI performance and provide personalized recommendations without revealing your identity. Anonymization serves to protect your privacy and ensures that no conclusions can be drawn about your person, your company, your function in the company, or your role in the company. Each use of the POWER DUCK AI is an independent session with an individual Shadow-Pin.
Feedback: During the testing phase and voluntary participation in feedback surveys, users who have provided their email address as part of the terms of use may be contacted by us to gather feedback on the AI. Participation in this feedback survey is voluntary and serves the continuous improvement of the AI.
Metadata: Technical information such as your IP address, browser type, and operating system may be collected for statistical purposes and to ensure system security. This data is important to ensure the functionality and security of the AI and to optimize the service accordingly.
Subscription Data (for commercial use): In the case of using the POWER DUCK AI through a commercial subscription on the mypowerduck.com page, additional data may be collected. This includes data necessary for processing the subscription within the scope of the subscription.
38.2. Legal Bases for Data Processing
The processing of your data is based on the following legal grounds:
Consent: By using the POWER DUCK Dialog AI, you consent to the processing of your data in accordance with this privacy policy. This consent is a central aspect that establishes the lawfulness of data processing.
Legitimate Interest: The processing of metadata for system security and for anonymized statistics is based on our legitimate interest in a secure and efficient AI solution. This interest allows us to ensure the functionality and security of the AI and to improve the user experience.
Contractual Performance: The processing of your user interactions is necessary to fulfill the user agreement between you and WIN-WIN FOR WORK GmbH. This includes the provision of AI services and related support, as well as, in the context of commercial subscriptions, the correct billing and provision of features.
Billing and Analysis (for Commercial Use): In the case of a commercial subscription, the data is also used for billing the subscription and for analyzing usage patterns. This legitimate interest serves to optimize our offering and better meet the needs of our customers.
38.3. Data Transfer
As a rule, the collected data will not be passed on to third parties without your consent. An exception applies to the technical provision of the AI solution by Moonshine AG in Switzerland, which processes our data exclusively on our behalf and in accordance with contractual data protection regulations. Furthermore, in the context of commercial subscriptions, data is passed on to service providers necessary for processing the subscription (e.g., payment processors, accounting), but only to the necessary extent and in compliance with data protection regulations. No further data transfer to other third parties takes place.
38.4. Data Security
WIN-WIN FOR WORK GmbH takes appropriate technical and organizational measures to ensure the security of your data and to protect it from unauthorized access, loss, or misuse. The anonymization of your user interactions using Shadow-Pin technology further contributes to the protection of your privacy. Specific security measures include:
Encryption: All data is stored encrypted.
Input Filter: Critical inputs are detected and filtered.
Restricted Access: Neither Microsoft Azure OpenAI nor OpenAI have access to your data.
No Training with User Data: The data is not used for training or improving OpenAI GPT models.
Encrypted Data Transfer: Data transfer is generally encrypted.
Additional Measures: We work with Google Cloud Switzerland and Microsoft Azure, which ensure high security and data protection standards.
Passwords and Keys: Passwords and keys are stored encrypted.
2FA: 2FA (Two-Factor Authentication) for user accounts is available and mandatory if required.
Regular Deletion of Shadow-Pin Data: All data generated for the creation of the Shadow-Pin is regularly and automatically deleted, so that no connection can be established between the Shadow-Pin and the user. Shadow-Pin generation is not part of the AI dialogue with POWER DUCK and occurs separately.
38.5. Commercial Use of POWER DUCK AI (POWER DUCK Workspace & MyPowerDuck.Com)
The POWER DUCK Dialog AI can be used for both private and commercial purposes. We distinguish between two scenarios:
POWER DUCK Workspace (Commercial Solution): In the context of customer orders for businesses, the POWER DUCK AI is provided with additional features such as a knowledge base, robotics module, and additional functions (depending on the customer’s order). Anonymous data streams are evaluated to improve the AI’s functionality and provide insights to the company. Since each use is an independent session with an individual Shadow-Pin, it is impossible to draw conclusions about a person, company, function within the company, or role within the company. Data processing is anonymized and in accordance with the security measures mentioned above. No personal reference is established.
MyPowerDuck.com (Commercial Use without Workspace Functions): On mypowerduck.com, users can subscribe to commercial use of the POWER DUCK Dialog AI without Workspace functions. This allows them to use the AI for their commercial purposes. Usage is limited to the AI’s dialogue functions. The specific terms of the subscription (duration, price, scope of use, etc.) are set out separately in the subscription terms. Data processing is analogous to private use, but with the aforementioned additions regarding billing and analysis of usage patterns.
38.6. Use of the AI
The use of the POWER DUCK Dialog AI is voluntary. The AI generates recommendations and information based on your input, but it does not replace professional advice. You are solely responsible for reviewing and evaluating the recommendations generated by the AI. WIN-WIN FOR WORK GmbH assumes no liability for damages incurred by the user through the use of the AI.
The use of the POWER DUCK Dialog AI is generally permitted for private purposes. Commercial use requires prior written consent from WIN-WIN FOR WORK and the conclusion of a corresponding, paid subscription.
Private Use: Private use includes the use of the AI for personal learning and development processes, as well as for internal information exchange without commercial intent.
Commercial Use (Subscription): Commercial use of the POWER DUCK Dialog AI is exclusively permitted within the scope of a paid subscription. A subscription enables companies and organizations to use the AI for business purposes, including integration into their internal processes and use for commercial consulting services. Commercial use specifically includes:
Automation of business processes
Integration into existing business processes
Use for commercial consulting services to clients
Use for increasing internal efficiency
Integration with other systems via our API
POWER DUCK Workspace: Within the scope of the commercial subscription (POWER DUCK Workspace), anonymized data streams are evaluated on behalf of the customer. Since each use of the POWER DUCK AI is an independent session with a generated Shadow-Pin, conclusions about individual persons, their companies, their function, or role within the company are excluded. Shadow-Pin generation is not part of the AI dialogue with POWER DUCK, but a separate process. All data generated for the creation of the Shadow-Pin is regularly and automatically deleted, so that at no time can a connection be established between the Shadow-Pin and the users or the respective companies. This measure serves to protect your privacy.
The POWER DUCK Dialog AI generates recommendations and information based on your input. It is important to note that the AI does not replace professional advice. The responsibility for reviewing and evaluating the recommendations generated by the AI lies solely with you. The results of the POWER DUCK Dialog AI are to be understood as supporting information and cannot replace professional advice.
38.7. Your Rights
You have the right to request information about the personal data we process, as well as to request its correction or deletion. Furthermore, you can withdraw your consent to data processing at any time. To exercise your rights, please contact us using the contact details provided in Section 2 of the main privacy policy.
38.8. Changes to these Provisions
We reserve the right to change these specific provisions regarding the POWER DUCK Dialog AI at any time. It is your responsibility to regularly inform yourself about the current provisions.
Classification and Objective of this Declaration: POWER DUCK Use
This detailed supplement to point 38 of the privacy policy is formulated to meet the legal requirements of the Swiss Data Protection Act (DPA) and, where applicable, the EU General Data Protection Regulation (EU GDPR). The most important aspects are:
Transparency: The paragraphs clearly and understandably describe what data is collected, how it is processed, and for what purposes.
Legal Bases: The processing of data is based on clear legal grounds (consent, legitimate interest, contractual performance).
Data Security: The technical and organizational measures for data security are detailed to gain user trust and protect data from unauthorized access.
User Rights: User rights (information, correction, deletion, withdrawal of consent) are explicitly highlighted and are easily accessible.
Limitation of Liability: Liability in connection with the use of the AI is limited to gross negligence and intent, to protect WIN-WIN FOR WORK GmbH from unjustified claims.
Commercial Use: Commercial use through subscriptions is clearly regulated and distinguished from private use, taking into account the respective specifics and additional data processing.
Shadow-Pin: The Shadow-Pin concept for anonymizing user data is highlighted, and anonymization is presented as a central component of data protection.
Third Parties: The involvement of third-party service providers, such as Moonshine AG, is made transparent, and their contractual obligation to comply with data protection is emphasized.
Clear Distinction of Usage Scenarios: The clear distinction between the use of the POWER DUCK AI within commercial Workspace solutions and its use by subscribers on mypowerduck.com creates transparency and clarity regarding the various application possibilities of the AI.
No Training with User Data: It is emphasized that no customer data is used for training AI models.
Regular Deletion of Data: The deletion of Shadow-Pin-relevant data is highlighted.