Privacy policy

Data privacy is a priority for us. Therefore, we always process your data with the utmost care and in accordance with the applicable legal requirements. Transparent information is essential for effective data privacy. In this Privacy Policy, we tell you how and for what purposes we process your personal data. In particular, you will learn:

• which data we process, and for what purpose;
• who has access to your data and with whom we share your data;
• how long we keep your data;
• what rights you have and how you can exercise those rights;
• which cookies and other tools we use on our websites.
  

This Privacy Policy applies to all processes during which we process your personal data, unless we inform you separately about these. This Privacy Policy applies in particular to the following processes:

• you visit our websites;
• you make a purchase in our stores or online shops;
• you use our online services or apps;
• you subscribe to one of our newsletters;
• you contact us;
• you receive information or marketing communication from us;
• you take part in our competitions;
• you book one of our courses or attend one of our events;
• you receive market research, opinion or customer surveys from us.
  

This Privacy Policy also applies to the formats and manufacturing companies of the Coop Cooperative, in which case this Privacy Policy may be supplemented with terms specific to those formats and manufacturing companies. This Privacy Policy can also apply at other companies of the Coop Group, in which case those companies may supplement this Privacy Policy with their own terms (see Clause 3). The Supercard GTC take precedence over this Privacy Policy with regard to data processing in connection with the Supercard. This Privacy Policy additionally applies where reference is made to it. Please note that the applicable General Terms and Conditions may also contain data privacy arrangements (e.g. the GTC of our online shops).

In accordance with the data privacy rules, the company that stipulates the purpose for which, and the resources with which the data are processed is responsible for processing personal data. Several companies can be jointly responsible for processing.

The Coop Cooperative or a company of the Coop Group is responsible for data processing in accordance with this Privacy Policy. Usually, this will be the Coop Group company which made you aware of this Privacy Policy (hereinafter "we").

None of these lists are exhaustive.

If you have any questions or concerns about data privacy, in the first instance you can contact the Coop Cooperative:

Coop Cooperative
Thiersteinerallee 14
4053 Basel
Tel. 0848 888 444
kundendienst@coop.ch

If you have been made aware of this Privacy Policy by another company, that company is responsible for data processing. Please contact that company directly if you have any questions. The contact details can be found on the company's website among the publisher's details.

We also have an EU Representative for the EU region. The EU Representative's contact details are as follows:

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu

5.1 Right to information

You can request information about the personal data we process about you at any time. Please send your request for information, together with proof of your identity, to the company responsible (see Clause 3).

We can restrict or refuse the information if this information is contrary to our legal obligations, our own legitimate interests, public interests or the interests of a third party. The same applies if the request for information is an abuse of the law. If the effort involved is disproportionate, we can require a contribution towards the costs. In this case, we will inform you in advance.

The processing of your request is subject to the statutory 30-day processing period. However, we may extend this period if we are dealing with a large volume of enquiries, for legal or technical reasons, or because we require more detailed information from you. You will be given notice of any extension to the period, in text form as a minimum.

5.2 Erasure and rectification

You have the option to request the erasure or rectification of your personal data at any time. We kindly ask to send your request for deletion, with a proof of identity, to the responsible company (see Clause 3).

We can refuse the request if statutory provisions require us to retain the data unchanged or for an extended period, or if we have a permission on grounds that override your request.

Please note that the exercise of your rights may conflict with contractual agreements and may impact on contract performance (e.g. early contract termination or cost implications).

5.3 Legal recourse

If you are affected by the processing of personal data you have the option to enforce your rights through a court or to submit a report to the relevant supervisory authority. The relevant supervisory authority in Switzerland is the Swiss Federal Data Protection and Information Commissioner: http://www.edoeb.admin.ch.

In this Privacy Policy, we use certain terms that have a legal meaning. We explain the meanings of the key terms below.

6.1 Personal data

The term personal data denotes any information relating to an identified or identifiable natural person, such as name, address, date of birth, e-mail address or telephone number. Data about personal preferences, such as leisure activities or membership, are also personal data.

6.2 Special category personal data

Special category personal data are data on religious, ideological, political or trade union-related views or activities; data on health and any information on administrative or criminal proceedings and sanctions, as well as data on social security measures. Where necessary and appropriate, we can request and process special category personal data. In this case, such data are processed in the strictest confidence.

6.3 Processing of personal data

Processing is any handling of personal data, regardless of the resources and procedures used, in particular the sourcing, storage, retention, use, modification, disclosure, archiving, erasure or destruction of data.

6.4 Disclosure of personal data

Disclosure is the transfer of, or granting of access to personal data, or their publication or disclosure to a third party.

6.5 Anonymization

Anonymization denotes the procedure whereby personal data are modified so that no conclusions can be drawn about the natural person to whom they pertain. Unlike pseudonymization, anonymization cannot be reversed.

6.6 Pseudonymization

The pseudonymization of personal data describes the procedure for making personal data unrecognizable. This involves replacing data that identify a person (e.g. name, date of birth, place of residence) with a pseudonym (e.g. a code). Someone in possession of the crucial information can thus assign the data to a specific person (in a process called reverse pseudonymization or re-identification).

We process the personal data about you that are necessary in order to fulfil the relevant purposes. More detailed information about the personal data processed can be found under the individual purposes (see Clause 8).

Usually, you share your personal data with us yourself, e.g. by transmitting them to us or when you communicate with us.

In certain instances, we collect data about you ourselves or automatically, e.g. when you use our services, shop with us, browse our websites or use our apps. Such data include, in particular, behavioural and transactional data, online identification data, and online tracking and traffic data (see Clause 8.3). In certain instances, we can also derive the data from existing data, for example by analysing transactional or behavioural data (see Clause 13).

Should the purpose require it, your personal data will also be amalgamated by other companies within the Coop Group (see Clause 8.3 and 13). We may also receive your personal data from a third party. Some examples of such third parties are:

• people from your environment (e.g. address for delivery, authorized signatories);
• banks or other contractual partners (e.g. when making purchases and payments);
• credit agencies (e.g. to obtain credit ratings);
• online service providers (e.g. analysis services) and list brokers (e.g. for address updates);
• authorities (e.g. in connection with judicial proceedings);
• public sources (e.g. public registers, media, Internet).
  

The personal data we receive from third parties may cover the following categories:

• person master data (name, address, date of birth etc.);
• contact details (mobile number, e-mail address etc.);
• financial data (e.g. account details);
• online identification data (e.g. cookie identifier, IP addresses);
• location and traffic data;
• audio and image recordings;
• profile data or data on personal preference (e.g. preferences in regard to products or services);
• special category data (e.g. biometric data or information about your health).
  

We can process your personal data for various purposes. Primarily, we use them in order to provide you with our services. 

8.1 Contract performance

Usually, we have to process your personal data in order to conclude and perform contracts with you. This is the case when, for instance, you place a customer order in one of our online shops or at one of our stores, register for a customer account, use one of our apps, or avail yourself of any of our other online or offline offerings. In particular, contract performance may involve processing the following categories of personal data:

• person master data (e.g. title, first name, last name, date of birth, gender, customer number, username, Supercard number); 
• contact information (e.g. home address, e-mail address, telephone number, delivery address);
• financial data (e.g. payment details, credit rating);
• transactional data (e.g. shopping basket);
• customer history (e.g. interaction with customer service, information about the handling of faults or complaints). 
  

For the purpose of contract performance, we can undertake all processing necessary in order to initiate and conclude the contract, perform the contract or enforce the contract. We can, for instance, obtain a credit rating for you before concluding a contract (including data on your ability to pay and your payment behaviour), in order to decide whether and in what form we will enter into a contract with you. For products that are subject to an age restriction, we can require proof of your date of birth in the form of a copy of your passport or ID document, or automatically check your age based on your passport or ID number. In order to deliver an ordered product to you, we may have to share your data with third-party providers (e.g. the postal service). Furthermore, we share data with the relevant payment provider in order to process payment. We can also process your data in connection with enquiries from you about the product, remedying defects, handling complaints, reserving products or rating products.

8.2 Communication

In order to communicate with you and respond to your concerns, we have to process your personal data. This may be the case when you use one of our contact forms, contact us by e-mail, post or telephone or another method, when we contact you, or for customer care. To this end, we process the following data in particular: 

• name and contact details (e.g. name, address, e-mail address, telephone number);
• content of the communication (e.g. letter, e-mail, chat, comments on the website, telephone conversations);
• communication metadata (e.g. information about the nature, time or, if applicable, location of the communication).
  

We can undertake all processing necessary in order to communicate with you. In particular, we can answer your enquiries or get in touch with you if we have questions. We can also use the communication data for quality assurance and training purposes. In this case, wherever possible the data will only be used in pseudonymized or anonymized form. If we record or listen in to telephone conversations or video calls for quality assurance and training purposes, we will make you specifically aware of this. If you do not want conversations of calls to be recorded, please let us know or terminate your participation. If you merely do not wish images to be recorded, you can switch off your camera. Communication in connection with other purposes such as contract performance (Clause 8.1), marketing (Clause 8.3) or market research (Clause 8.4) may also be recorded. More information can be found under each purpose.

8.3 Marketing und information

To enable us to make attractive and suitable offers to you and send you interesting information about products, services, events etc., we may process your personal data for marketing purposes. This is the case when, for example, you make a purchase in one of our online shops, place an order in one of our stores, register for a customer account, use one of our apps, take part in a competition, or avail yourself of any of our other online and offline offerings. In particular, we may collect the following data about you for marketing purposes:

• person master data (e.g. title, first name, last name, date of birth, gender, customer number, username);
• contact information (e.g. home/delivery address, e-mail address, telephone number);
• behavioural and transactional data (e.g. shopping basket details, behaviour when shopping, participation in competitions, attendance at events, information about services to which you have subscribed);
• online identification data (e.g. cookie identifier, IP addresses);
• online tracking and traffic data (e.g. browsing behaviour, clicking behaviour when receiving newsletters);
• profile data or data on personal preference (e.g. preferences in regard to products or services).
  

Marketing purposes cover all processing that enables us to inform you about our offerings in a suitable manner. We may send you written and electronic information or offers. This includes, for example, the electronic mailing of newsletters, e-mails, push notifications in apps or other electronic notifications as well as the postal mailing of advertising brochures, magazines or other printed material. It also includes digital advertising such as search, display, video or social ads. We may also send you vouchers or invite you to events or competitions. We may also show you recommendations for products or services on our websites and apps or make you aware of abandoned orders.

Furthermore, we may personalize the relevant offers and information based on the data we have available about you so that, as far as possible, you only receive information and offers that are relevant and of interest to you. To this end, we may undertake appropriate analyses and build profiles (see Clause 13). In addition, we measure the effectiveness of our advertising measures and evaluate them. 

We may also instruct third-party providers to run advertising measures and advertising campaigns, measure conversions and perform the relevant evaluations (e.g. with the use of third party cookies, see also Clause 18.2, 18.3).

You may unsubscribe at any time from marketing communication received. Each e-mail communication contains a link to unsubscribe. Information on how to prevent marketing cookies (which, for example, result in personalized ads) can be found in the provisions on cookies (Clause 18.2).

8.4 Other purposes 

We may also process your personal data for purposes other than those mentioned above. These include:

• Market and opinion research: We may process your personal data to enable us to continually develop and improve our services. For example, we carry out customer surveys or questionnaires after you have ordered a product from us or made use of a service. These surveys or questionnaires may be done by, for example, e-mail, text message, app or via a website. For this purpose, we normally use only pseudonymized or anonymized data. We may evaluate and use the information in order to send you personalized offers (see Clause 8.3 and 13).
  
• Asserting legal claims: We may have to process your personal data in order to be able to assert legal claims or defend against unjustified claims. This may involve various categories of personal data, depending on the situation. 
  
• Fulfilment of legal requirements and prevention and clarification of crimes or other misconduct: We may be under an obligation to verify fulfilment of legal requirements and to cooperate with the authorities in the event of violations of the law. Personal data may have to be processed for these purposes. All relevant personal data may be affected. This is the case, for example, for the enforcement of youth protection (e.g. age restriction on the sale of alcohol) or other regulatory requirements, when divulging information or documents to authorities if we are legally obliged to do so, or when cooperating with an official investigation (e.g. criminal prosecution or supervisory authority) if we are under a legal obligation to do so. 
  
• Security: We may have to process your personal data in order to guarantee your safety and the security of our business. This may involve any of your personal data. One specific example is the use of video surveillance in our sales outlets to safeguard products for sale and to detect thefts or assaults. The video surveillance systems are location-specific and are duly marked. Such processing also entails random samples to check the correct billing of goods, analysing behavioural and transactional data in order to identify suspicious patterns of behaviour, or evaluating and analysing use of our systems.
  
• Other purposes: We can process your personal data for other purposes, such as in the context of our internal processes and administration. Some examples of other purposes are administrative purposes (such as the administration of master data, bookkeeping, data archiving and the inspection, management and continuous improvement of IT infrastructure) and the evaluation and improvement of internal processes. Analysing usage behaviour on our apps and websites in order to optimize them (see also Clause 18) and safeguarding other legitimate interests are also among the other purposes. This list of other purposes is non-exhaustive. 
  

The legal basis for collecting and processing your personal data depends on the respective purpose of the processing in each individual case. The following principles apply:

We process your data in good faith and in accordance with the purposes stated in this Privacy Policy (see Clause 8). We seek to ensure transparent and proportionate processing. 

By way of exception, should we be unable to abide by these principles the data processing may nonetheless be lawful because there is a justification for the processing. Specifically, the following constitute justification:

• your consent;
• the execution of a contract or pre-contractual measures;
• the fulfilment of legal provisions;
• our legitimate interests, provided that your interests do not override them.
  

You can withdraw any consent you have granted at any time. To this end, we have created an opt-out option for certain types of processing. An informal e-mail is also sufficient. The legality of data processing already done remains unaffected by this.

Specifically, the following reasons constitute legitimate interests:

• the offering and the development of our offerings, services, websites, apps and other platforms on which we are present;
• communication with third parties and processing their enquiries (e.g. to deliver products and services to third parties);
• reviewing and optimizing procedures for analysing customer needs, in order to directly target customers;
• undertaking advertising and marketing activities and conducting market and opinion research;
• combating fraud and complying with legal provisions.
  

10.1 Within the Coop Group

We can pass your personal data on to other companies within the Coop Group. Your personal data are passed on primarily for administrative purposes within the group or in order to process contracts (see Clause 8.1). In these cases, the data are not processed by the company concerned for its own purposes. For this purpose, however, changes to your master data (e.g. change of address) in one place can be handled elsewhere within the Coop Group.

Your personal data can also be passed on in order to carry out marketing activities. Furthermore, your personal data can be collated with the data of other companies of the Coop Group and evaluated (see Clause 13). Other companies of the Coop Group or formats of the Coop Cooperative can use the personal data for their own purposes and make customized offers to you. However, data will only be evaluated and passed on in this manner with your consent, which you can withdraw at any time (for more information about this, see also Clause 13).

Information about the formats and companies of the Coop Group can be found in Clause 3. 

10.2 Outside the Coop Group

We can also pass on your personal data to third parties outside the Coop Group (e.g. to the company entrusted with delivering the goods or the credit institution that processes the payment) if this is necessary for contract execution or in order to make use of the required technical or organizational services. Such third parties are contractually obliged to process your personal data exclusively on our behalf and in accordance with our instructions. Moreover, third parties must take suitable technical and organizational measures to safeguard the security of your personal data. Specifically, service providers in the following areas may be asked to process your personal data in this manner:

• shipping and logistics (e.g. to ship ordered goods);
• advertising and marketing (e.g. to send communications such as mailings, postcards, newsletters, display advertising; processing competitions, surveys and market research);
• organization and staging of events and receptions;
• fraud prevention measures;
• business management and fiduciary arrangements;
• payment services;
• collection services;
• IT services;
• consultancy services and other services such as the hire of equipment or arranging skilled tradespeople.
  

Our service providers may also process data on how their services are used, as well as other data involved in the use of their service, in the capacity of independent data controllers and for their own legitimate interests (e.g. for statistical analysis or billing). Service providers provide information about independent data processing in their respective privacy policies.

We may also pass your personal data on to other third parties for independent processing, in particular contractual partners with whom we are required under the respective contracts to share data. Contractual partners receive data such as registration data on issued or redeemed vouchers, invitations etc. If you make use of such offers, we can also share related data about you with the contractual partners. The recipients include other contractual partners with whom we cooperate or who run advertising for us and to whom we can therefore pass on pseudonymized data for analysis and marketing purposes (social media providers being one example). Such advertising is displayed only if you have given your consent to it or if there is another justification (see Clause 9; for online advertising see Clause 18.2 and 18.3). We may allow partners, with whom we have cooperation and advertising contracts, access to the data we hold about you which we process for marketing and advertising purposes, on the basis of an identification number in aggregated form (e.g. based on preferences). Such data are not personally identifiable. This enables the partners to display targeted advertising and to undertake the related non-personal evaluations in their area (e.g. concerning the number of customers who have viewed their advert). We do not share your identity in this context. You have the option to prevent your data being made available at any time by opting out of profiling (see Clause 13). Furthermore, you can disable the related cookies and prevent targeted advertising on our websites and third-party websites (see 18.2). In this regard, we work together with Virtual Minds GmbH, among others, which is jointly responsible with us for the collection of certain user data (device-specific ID, mobile advertising ID, information about interests and surfing behavior, and assignment of the user to third-party segments). You'll find the privacy policy of Virtual Minds GmbH here.

We may also pass personal data on to authorities in Switzerland and abroad if we are legally obliged to do so, or legally justified in doing so, or if this is necessary to protect our legitimate interests. The authorities process the data they have received from us under their own responsibility. 

Wherever possible, we process your personal data in Switzerland or in the European Economic Area (EEA). Your personal data may be transferred to service providers abroad for contract processing (see Clause 10.2). Such transfer may be to anywhere in the world.

Data will be transferred to a third country which does not afford an adequate level of data protection only if the processor has put in place guarantees which the legislator deems fit to safeguard data protection (e.g. EU's standard contractual clauses). No transfer based on standard contractual clauses will take place without a prior risk assessment. If the risk assessment shows that the processor is unable to comply with the standard contractual clauses, we will ensure that additional technical measures are taken to safeguard the integrity and confidentiality of the transferred personal data. 

We process special category personal data (see Clause 6.2) only when absolutely necessary in order to provide a service and you have made the relevant data available to us or have consented to their processing. Such processing takes place when, for example, you inform us of health complaints after purchasing a product.

Profiling involves automatically processing people’s purchase and behavioural data and amalgamating the data to form profiles which can reflect your interests and preferences. These profiles form the basis for us to show you products that interest you and are relevant to you. For this purpose, personal data such as person master data (see Clause 8.1), contract data (see Clause 8.1), communication data (see Clause 8.2), behavioural and transactional data, online identification data or online tracking and traffic data (see Clause 8.3) are evaluated, and they are analysed and combined based on recognized mathematical and statistical processes and logic. 

We use such evaluations especially in order to be able to inform and advise you about certain services or products in a targeted way. Profiling enables us to continuously improve our offerings and adapt them to individual needs, share information and offers that meet your needs, or provide you with better customer support. Profiling also enables us to ensure that, to the greatest extent possible, you only receive information and offers that are actually relevant to you. For example, you receive discounts, see individual content in newsletters, apps and online shops (e.g. the products and discounts are shown in a sequence tailored to you) and only see advertising that is of interest to you.

We undertake group-wide profiling, as part of which we can also merge personal data from various sources (e.g. from different services of the Coop Group). We only undertake such profiling if you have consented to it. You consent when you create a customer account with one of our online shops and accept the relevant GTC. This profiling enables us to respond even better to your needs. Where applicable, you can object to the use of the relevant evaluations for marketing purposes within the Coop Group in the account of the respective online shop. In some online shops you can place orders without opening a customer account. If you do not create a customer account, no profiling takes place. 

Some areas (e.g. online shops) can also undertake their own profiling based on data from that area (without supplementing additional data). If you do not want such profiling to take place, you can refrain from creating a customer account or, where applicable, can opt out in the relevant customer account.

Automated decision-making is when decisions, that have legal consequences for the person concerned or otherwise significantly affect that person, are made in a completely automated manner, i.e. without human influence.

We do not normally use automated decision-making. If we do, you will be separately informed.

We only store personal data for as long as necessary to fulfil the individual purposes for which the data were collected, or if we are legally obliged to retain them for longer. 

In particular, we have to keep business communication, concluded contracts and accounting records for up to 10 years (see esp. Art. 958f of the Swiss Code of Obligations [CO]). Provided that we no longer require your data to perform the services, those data will be blocked. We will then only use the data for the purposes of financial accounting and taxes.

We keep your personal data secure and take suitable technical and organizational measures to protect your personal data against loss, access, misuse, or modification. Our contractual partners and employees who have access to your personal data are obliged to comply with data protection provisions.

For security reasons and to protect transmissions of confidential information (e.g. your orders or queries), our website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line in the browser changes from "http://" to "https://" and by the lock icon on the address line. All the main payment methods (e.g. Visa/Mastercard, etc.) use only encrypted SSL or TLS connections for payments.

Because we cannot guarantee full data security for communication by e-mail, we recommend sending confidential information through a secure means of transmission.

We may change this privacy policy over time, for example, if the processing or the legal situation changes. If possible with reasonable effort, you will be notified separately in the event of significant changes.

The information below explains how we process personal and other data in connection with our websites or apps. In particular, processing relies on cookies or similar technologies. The provisions below apply both to our websites and to apps, even if only one website is mentioned.

18.1 Provision of the website and creation of log files

What information do we receive and how do we use it?

When you visit our website, certain data are automatically stored on our servers or on servers of services and products which we have sourced and/or installed. This is done for the purposes of system administration, safeguarding, tracking, or statistical analyses. The data involved are:

• the name of your Internet service provider;
• (sometimes) your IP address;
• the version of your browser software;
• the operating system of the device used to access our website;
• the date and time of access;
• the website you previously visited;
• the search terms you used to find our website;
• browser type;
• host name of the device;
• type of access;
• login status.
  

How can you prevent data being gathered?

The data are only stored for as long as is necessary to fulfil the purpose of their collection. Accordingly, the data are usually deleted after each session. Log files have to be stored in order for the website to function. Therefore, you do not have the option to object to these.

18.2 Cookies

How do cookies work and what are they for?

Cookies are text files that are stored in your device's operating system via your browser whenever you visit a website. Cookies contain a unique identifier (ID) that enables us to distinguish individual visitors from others. However, you will not usually be identified. Cookies do not cause any harm on your device and do not contain any viruses. They are also used to significantly improve user interaction, so that certain settings remain stored for you, and they are essential for some technical features (e.g. session or shopping basket management).

What types of cookies are there?

Most of the cookies we use are what are known as "session cookies", which are automatically deleted after the end of your visit.

Other cookies remain on your system until you delete them (usually, however, they are deleted after a maximum of 2 years). The purpose of these cookies is to store your preferences (e.g. language and location settings), quickly provide and attractively display the website content (e.g. by using fonts and content delivery networks), analyse the use of that website for statistical evaluation and for continuous improvements, and for marketing purposes (usually by means of third-party cookies, see more below).

We can also use similar technologies such as pixel tags, fingerprint or other technologies to store data on the browser. Pixel tags enable certain information (e.g. whether and when a website was visited) to be transmitted to the server operator, in the form of small and normally invisible images or program codes that are loaded by a server. Fingerprints are used to collect information about the configuration of your system or browser when you visit a website, to distinguish your system from other devices. Most browsers also support additional technologies (such as web storage), which we can also use. 

Which cookies or similar technologies do we use? 

We can use the following types of cookies or similar technologies:

• Essential cookies: These are cookies that are necessary in order for a website and its functions to be used. Among other things, these cookies ensure that data already entered into a form are not deleted when switching to another page and that shopping basket contents are not lost.
  
• Performance cookies: We use performance cookies to perform analyses by collecting information about how a website is used. They show us, for instance, how visitors move around a website. We can also measure loading times or the behaviour of the website on different types of browser. Performance cookies enable us to keep improving our websites and the user experience.
  
• Functional cookies: With these cookies, we can store certain data that you enter on our websites so that you don't have to re-enter them (e.g. location, language, form data etc.). This enables us to make our websites more user-friendly. 
  
• Marketing cookies: Marketing cookies allow us (or our marketing partners) to display ads to you on our websites (or third-party websites) that are adapted to your browsing behaviour and are of interest to you.
  

Do we use third-party cookies?

We can also use third-party cookies. In this case, the cookies will not be stored by us when you visit the website, but by the third-party provider. Such providers can also be based outside the European Economic Area (EEA), in which case data protection will be safeguarded by adequate measures (see Clause 11). 

Some examples of third-party cookies are analysis services, tracking and retargeting measures, etc. These enable us to target you with ads on our websites or on third-party websites and measure the effectiveness of those adverts. The third-party providers can record your use of our websites and, if applicable, combine data collected on other websites. Said provider can also use these data for its own purposes, e.g. for personalized advertising on its own websites or other websites for which it supplies ads. If the provider can identify you (e.g. because you have a customer account), it can assign the user data to you. The associated processing is undertaken in accordance with the third-party provider's data privacy provisions. The main third-party providers are Google and Facebook. The main tools we use are described below (see Clause 18.3). 

How can you prevent data being gathered via cookies?

The cookies are stored on your device. You therefore have full control over the use of the cookies. You can delete them entirely or disable or restrict their transmission by altering your browser settings. You can also block tracking by certain third parties by means of a browser add-on. More information about the use of cookies can be found on the help pages of your browser. Once you have disabled cookies, you may no longer be able to enjoy the website's full functionality.

Instructions for the main browsers are below:

• Google Chrome
• Safari (Apple)
• Microsoft Edge
• Mozilla Firefox 
  

In the case of cookies that are used to measure success and reach or for advertising, for many services there is usually a general opt-out option, provided by the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

Which other online advertising methods do we use?

As well as marketing and cookies of third-party providers, we use other techniques to manage online advertising on other websites and thereby prevent scattering losses. We can, for example, pass our users' e-mail addresses on to third-party companies in pseudonymized form (called 'hashing' – see Clause 6.6 for a definition). By comparing the database, the advertising company (usually a social media provider) identifies the contact data that are already in its own database, and can show you ads tailored to your interests (see, for example, the cookies used, Clause 18.3). Third-party companies do not receive any personal e-mail addresses of persons who are not already known. You can prevent personalized advertising being shown to you by altering your cookie settings (see above).

Can we include third-party offerings on our website?

We can incorporate other third-party offerings on our websites, particularly from social media providers. These offerings are disabled by default. Once you enable them (e.g. by clicking a button), the providers concerned can determine that you are on our website. If you have an account with that social media provider, it can assign this information to you and thus track your use of online offerings. Social media providers process these data under their own responsibility.

18.3 Tracking tools

We can use tracking tools on our websites and apps with the aid of which we analyse use of our online offerings and can target marketing measures at visitors. The main tracking tools we use are listed and explained below.

a. Google Analytics

How does Google Analytics work?

Our website uses Google Analytics, a service by Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland). Google uses cookies that are stored on your device to analyse your website usage. The information about your use of the website obtained via the cookie is usually transmitted to a Google server in the USA and stored there. We have added the "anonymizeIP" code to Google Analytics. This ensures that all data are collected anonymously. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and then truncated there. 

Why do we use Google Analytics?

Google analyses the data collected on our behalf, so that we can build a picture of visits and user behaviour on our websites. We can then improve our services, the website content and its layout. 

Which additional functions do we use?

We also use cookies for remarketing campaigns. This allows the advertising target groups created by Google Analytics Remarketing to be linked to the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising tailored to you based on your previous usage and browsing behaviour on one device (e.g. smartphone) can be displayed on one of your other devices (e.g. tablet or PC). If you have given Google the respective consent, Google links your web and app browser history to your Google account. In this way, the same personalized advertising can be displayed on every device from which you log into your Google account. To assist this function, Google Analytics collects the Google-authenticated IDs of the users who are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising.

How can you prevent your data being collected via Google Analytics?

You can prevent cookies being stored by changing the appropriate settings in your browser (see Clause 18.2). You can disable Google Analytics by downloading and installing the Google browser add-on.

b. Google Ads conversion tracking or similar services of other providers

Google Ads conversion tracking or similar services of other providers involve a cookie being stored on your device for the purpose of tracking and performance measurement whenever you access our website via a corresponding advertisement. It does not collect any personally identifiable information about users. Our legitimate interest in measuring website performance serves as the legal basis. The cookies are automatically deleted after 30 days.

Right to object

If you do not wish to participate in the tracking programme, you can block the relevant cookies in your browser settings.

For further information about Google Ads and Google conversion tracking please refer to Google's Privacy Policy at https://policies.google.com/privacy.

c. Google Customer Match

To enable us to display personalized ads using Google's services, we can share lists of our customers' encrypted and pseudonymized personal data (e.g. e-mail addresses) with Google (see also Clause 8.3). These data are then collated so that advertising can be displayed via the Google network to the persons that Google can identify. Google does not gain access through this process to any new personal data that can be used for its own purposes.

If you have a Google account, you can disable personalized ads here. Without a Google account, you can turn off personalized ads by disabling cookies (see Clause 18.2). 

d. Meta Pixel and Custom Audience

How do Meta Pixel and Custom Audience work?

To measure conversions, our websites use the Facebook Pixel (Meta Platforms Ireland Ltd., Harbour 4, Grand Canal Quay, Grand Canal Bridge, Dublin 2, Ireland). Meta Pixel enables us to track your behaviour after you have been redirected to our website by clicking on a Facebook ad. The data collected are anonymous to us as the operator of this website, so no conclusions can be drawn as to your identity. 

Why do we use Meta Pixel?

We use Meta Pixel to evaluate the effectiveness of Facebook ads for statistical and market research purposes and to optimize future advertising measures.

We also use Custom Audience so that our Facebook ads are only shown to people who are already interested in our offerings or have similar interests. To this end we can send e-mail addresses to Facebook in encrypted and pseudonymized form (called 'hashing') so that the data can be collated with the database and identical users ascertained (see also Clause 8.3 above). Facebook does not gain access through this process to any new e-mail addresses that can be used for its own purposes.

If you do not want to be shown personalized ads by Facebook, you can alter your settings accordingly.

Who is responsible for the data processing?

We and Facebook have shared responsibility for the sharing of data that Facebook collects or receives via Meta Pixel or similar functions, for the display of advertising information tailored to visitors, for improvements to ad delivery, and for the personalization of functions and content. Therefore, you can also address requests for information or other data privacy matters directly to Facebook.

We are not responsible for all other data processing. Your data can be processed by Facebook for this purpose. In particular, they can be linked to your user profile and Facebook can use the data collected for its own advertising purposes.

e. Facebook SDK

Where and for what purpose do we use Facebook SDK?

Some of our apps use the Facebook Software Development Kit (Facebook SDK). The provider is Meta Platforms Ireland Ltd., Harbour 4, Grand Canal Quay, Grand Canal Bridge, Dublin 2, Ireland. Facebook SDK is used to measure Facebook ads which we run on Facebook. Facebook SDK acts as an interface for the transmission of information in order to display advertising on end devices. To identify our apps, we transmit an ID to Facebook via this interface. No other user data are transmitted to Facebook via the SDK. However, Facebook SDK may itself collate various data and send them to Facebook.

Information about the data that Facebook SDK logs is available on Facebook's website under "What data does Facebook collect via the SDK?".

How can you restrict transmission to Facebook?

You can restrict the transmission of data by the Facebook SDK by activating the "Restrict Facebook SDK" option in the app. With the restriction only the following data are transmitted:

• a Facebook app ID which identifies the app to Facebook;
• the version of Facebook SDK;
• the language stored on the device;
• the platform (iOS/Android);
• the version of the operating system. 
  

f. App access rights

To provide the services in our apps, we may need the access rights listed below, which enable us to access certain functions of your device:

• Location data, right down to precise location: For example, location data are recorded to display the nearest sales outlet. The data are not stored.
• Photos, videos: Data are recorded in order, for instance, to ensure the quick use of functions such as Google Maps. Photos and videos can be used elsewhere to supplement self-generated entries (for example, for the shopping list or the recipe book).
• Notifications (iOS only): Data are recorded to manage the receipt of push notifications.
• Camera: Data are recorded so that barcodes (on cards and products) and QR codes (e.g. for links to other product information) can be read and photos and videos (e.g. for the shopping list or the recipe book) can be included.
• Calendar (iOS only): Data are recorded so that dates can be added to the calendar (e.g. for Mondovino wine fairs).
• Disable sleep mode (Android only): Data are recorded to enable the receipt of push notifications.
• Reading the Google service configuration: Data are recorded in order, for instance, to enable the linked use of Google Maps.
• Vibrate function: Data are recorded in order, for instance, to confirm the scanning of a barcode or QR code with a vibration.
• Searching for a network connection: Data are recorded to determine the availability of a network connection.
• Use all networks/mobile data: Data are recorded in order to access the Internet (e.g. to update data, for logins, activating coupons).
• Light display (flash): Data are recorded so that the flash can be turned on when the camera is in use.
• Wi-Fi connection information: Data are recorded in order to view the Wi-Fi connections and display the Wi-Fi status.
• Siri and searches (iOS only): Data are recorded so that suggestions can be made when something is input in the app.
• Background updates (iOS only): Data are recorded so that the app can update in the background.
  

18.4 Which data do we process on our pages in social networks? 

We can maintain pages and other online presences on social networks and other platforms operated by third parties ("fan pages", "channels", "profiles" etc.), where we collect the data described in Clause 7 and below. We obtain these data from you and the platforms when you contact us via one of our online presences (e.g. when you communicate with us, comment on our content or visit our presence). At the same time, the platforms analyse your use of our online presences and link these data with other known data which the platforms have about you (e.g. about your behaviour and your preferences). The platforms also process these data for their own purposes, under their own responsibility, in particular for marketing and market research purposes (e.g. in order to personalize advertising) and in order to manage their platforms (e.g. which content they show you).

We process these data for the purposes described in Clause 8, in particular for communication, for marketing purposes (including advertising on these platforms, see also Clause 18.2) and for market research. We can disseminate content (e.g. in our advertising on the platform, or elsewhere) that you publish yourself (e.g. comments on a post). We or the operators of the platforms can also delete or restrict content by or about you in accordance with the usage guidelines (e.g. inappropriate comments). 

Weitere Angaben zu den Bearbeitungen der Plattform-Betreiber entnehmen Sie bitte den Datenschutzhinweisen der jeweiligen Plattform. Dort erfahren Sie auch, in welchen Ländern diese ihre Daten bearbeiten, welche Auskunfts-, Lösch- und weiteren Betroffenenrechte Sie haben und wie Sie diese wahrnehmen oder weitere Informationen erhalten können.

Version 1.0 / December 2022