Privacy Notice

 

1....... Great, I love such legal gibberish... 1

2....... What is the purpose of this privacy policy?. 1

3....... Who is responsable for processing your data?. 2

4....... What data do we process?. 3

5....... For what purposes do we process your data?. 7

6....... On what basis do we process your data?. 9

7....... Who do we disclose your data to?. 10

8....... Is your personal data transferred abroad?. 11

9....... How long do we process your data?. 12

10..... How do we protect your data?. 12

11..... What are your rights?. 13

12..... Do we use online tracking and online advertising techniques?. 14

13..... Which data do we process on our social media pages?. 16

14..... Can this privacy policy be modified? 17

 

 

1.                     Great, I love such legal gibberish...  

Yes, we prefer to be busy coding a great app or developing new innovative services to reduce CO2 emissions and energy consumption, too! However, as we offer a professional service and aim to provide you with the best carpooling services in the universe, it is essential for us to handle data carefully. We operate in accordance with the strict rules of the General Data Protection Regulation ("GDPR") of the European Union ("EU"). Additionally, we comply with the requirements of the Swiss Data Protection Act ("DPA"). It is important and part of our duty to inform you in detail about this. We have designed this document as clear as possible and also try to use simple language to make it easily understandable.

2.                     What is the purpose of this privacy policy?

usus GmbH, acting under the name HitchHike (hereinafter also referred to as "we," "us"), collects and processes personal data that concerns you or other individuals (referred to as "Third Parties"). We use the term "data" here interchangeably with "personal data" or "personal information".

By "personal data", we mean data that relates to a specific or identifiable individual, i.e., data that allows conclusions to be drawn about their identity through the data itself or with additional data. "Sensitive personal data" is a category of personal data that is particularly protected under applicable data protection law. Sensitive personal data includes, for example, data revealing racial and ethnic origin, health data, information about religious or philosophical beliefs, biometric data for identification purposes, and data concerning union membership. In Section 3, you will find information about the data we process under this privacy policy. "Processing" refers to any handling of personal data, such as obtaining, storing, using, adapting, disclosing, and deleting.

In this privacy policy, we describe what we do with your data when you use https://www.hitchhike.ch/, other websites, platforms, apps, or other digital services provided by us (collectively referred to as "digital services"), when you use our services or products, when you interact with us in the context of a contract, when you communicate with us, or otherwise deal with us. We will inform you in a timely written notice about any additional processing activities not mentioned in this privacy policy. In addition, we may inform you separately about the processing of your data, for example, in consent declarations, contractual terms, additional privacy policies, forms, and notices.

If you provide us or disclose to us data about other individuals such as family members, colleagues, etc., we assume that you are authorized to do so and that this data is accurate. By transmitting data about third parties, you confirm this. Please also ensure that these third parties have been informed about this privacy policy.

This privacy policy is designed to meet the requirements of the General Data Protection Regulation (GDPR) and the Swiss Federal Data Protection Act (DPA). However, the extent to which these laws apply depends on the individual case.

3.                     Who is responsable for processing your data?

For the data processing described in this privacy policy by HitchHike, the usus GmbH, Lucerne (hereinafter referred to as "usus"), is responsible under data protection law, unless communicated otherwise in individual cases, e.g., on forms or in contracts.

For each data processing, there is one or more entities responsible for ensuring that the processing complies with the requirements of data protection law. This entity is called the data controller. For example, they are responsible for responding to requests for information (Section 10) or ensuring that personal data is secured and not used unlawfully.

In the data processing described in this privacy policy, other entities may also share responsibility if they have a say in the purpose or design ("joint controllers"). If you wish to receive information about the specific data controllers for a particular data processing, you can request it from us within the scope of the right to information (Section 10). HitchHike remains your primary point of contact, even if other joint controllers exist.

In Section 3, Section 6, and Section 11, you will find further information about third parties with whom we cooperate and who are responsible for their own data processing. For questions or to exercise your rights with regard to these third parties, we ask you to contact them directly.

You can reach us for your privacy concerns and the exercise of your rights in accordance with Section 10 as follows:

Postal Address:

usus GmbH
Obergütschstrasse 22
CH-6003 Lucerne
+41 41 511 41 78

Or via E-Mail: DataProtection@hi-mobility.io

We have appointed the following additional entities:

·      Data Protection Representative in the EU in accordance with Article 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Deutschland

You can also contact this entity for privacy concerns, however, there may be costs for you involved.

4.                     What data do we process?

We process various categories of data about you. The most important categories are as follows:

      Technical Data: When you use our digital services, we collect the IP address of your device and other technical data to ensure the functionality and security of these services. These data also include logs in which the use of our systems is recorded. We typically retain technical data for 90 days. To ensure the functionality of these services, we may also assign you or your device an individual code (e.g., in the form of a cookie, see Section 11). Technical data on its own generally does not allow any conclusions about your identity. However, in the context of user accounts, registrations, access controls, or the processing of contracts, they can be linked to other data categories (and thus possibly to your person).

Technical data includes, among other things, the IP address and information about the operating system of your device, the date, region, and time of use, as well as the type of browser you use to access our electronic services. This can help us transmit the correct formatting of the website or show you a website adapted to your region. Based on the IP address, we know through which provider you access our services (and thus also the region), but in general, we cannot deduce who you are. This changes, for example, when you create a user account because then personal data can be linked to technical data (we see, for example, which browser you use to access a user account on our website). Examples of technical data also include logs that accumulate in our systems (e.g., the log of user logins on our website).

      Registration Data: Certain and services (e.g., login areas of our website) can only be used with a user account or registration, which can be done directly with us or through our external login service providers. In doing so, you must provide us with certain data, and we collect data about the use of the product or service. If you want to become a member of a private community, further information about your associated institution may be required. We typically retain registration data for 10 years after the deletion of the user account.

Registration data includes, among other things, the information you provide when you create an account on our digital services (e.g., language, name, e-mail, phone number). Registration data also includes data that we may request from you before you can take advantage of certain free services.
  

      Communication data: When you are in contact with us through the contact form, email, phone or chat, letter, or other means of communication, we record the data exchanged between you and us, including your contact details and the edge data of the communication. If we want or need to determine your identity, e.g., in response to an information request from you, we collect data to identify you (e.g., a copy of an ID). We typically delete communication data no later than 10 years after the deletion of the user account.

Communication data includes your name and contact details, the method, location, time, and content of the communication (i.e., the content of emails, letters, chats, etc.). This data may also include information about third parties. For the purpose of identification, we may also process your ID card or passport number or a password you have set.    
 

      Master data: As master data, we refer to the basic data that we need, in addition to contract data (see below), for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details, and information about your role and function, your bank details, your date of birth, customer history, powers of attorney, authorization signatures, and consent declarations. We receive master data from you yourself (e.g., when making a purchase or in the context of registration), from entities for which you work, or from third parties such as our contract partners, associations, and address dealers, and from publicly accessible sources such as public registers or the Internet (websites, social media, etc.). We typically retain this data for 10 years from the last exchange with you, but at least from the end of the contract. This period may be longer if required for reasons of evidence or to comply with legal or contractual requirements or for technical reasons. In the case of pure marketing and advertising contacts, the period is usually much shorter, usually not more than 2 years since the last contact.

The master data includes data such as name, address, email address, phone number, and other contact details, gender, date of birth, nationality, information about connected persons, websites, photos, and videos, copies of IDs; also information about your relationship with us, information about your status with us, allocations, classifications, and distribution lists, information about our interactions with you (possibly a history thereof with corresponding entries), reports (e.g., from the media) or official documents (e.g., commercial register extracts, permits, etc.) that concern you. As payment information, we collect, for example, your bank details, account number, and credit card data. Consent or restriction notes are also part of the master data, as well as information about third parties.

For contacts who are representatives or agents of our users, suppliers, and partners, we process master data such as name and address, information about their role and function in the company, qualifications, and, if applicable, information about superiors, employees, and subordinates, as well as information about interactions with these individuals.

Not all contacts have their master data comprehensively collected. The specific data we collect depends on the purpose of the processing.

      Contract data: These are data that arise in connection with the conclusion or processing of a contract, such as information about contracts and the services to be provided or already provided, as well as data from the pre-contractual phase that are necessary or used for the processing, and information about reactions. We usually collect these data from you, from contract partners, and from third parties involved in the contract processing. We also obtain them from third-party sources (e.g., providers of credit data) and from publicly accessible sources. We typically retain these data for 10 years from the last contract activity, at least until the end of the contract. This period may be longer if required for reasons of evidence or compliance with legal or contractual requirements or if technically necessary.

Contract data include information about the conclusion of contracts, your contracts, such as the type and date of contract conclusion, information from the application process (e.g., a request for our products or services), and information about the respective contract (e.g., its duration) and the processing and management of contracts (e.g., information related to invoicing, customer service, technical support, and enforcement of contractual claims). Contract data also include information about defects, complaints, and adjustments to a contract, as well as information about customer satisfaction, which we may collect through surveys. Financial data, such as information about creditworthiness (i.e., information that allows conclusions to be drawn about the probability of settling claims), reminders, and debt collection, are also part of the contract data. We receive some of this data from you (e.g., when you make payments), but also from credit reporting agencies, debt collection companies, and publicly accessible sources (e.g., a commercial register).

      Behavior and preference data: Depending on the relationship we have with you, we try to get to know you better and tailor our products, services, and offers to suit you. To do this, we collect and use data about your behavior and preferences. We do this by evaluating information about your actions within our domain, and we may also supplement this information with data from third parties - including publicly accessible sources. Based on this, we can calculate the likelihood that you will use certain services or behave in a certain way. The data processed for this purpose is partly already known to us (e.g., when you use our services), or we obtain this data by recording your behavior (e.g., how you navigate our digital services). We anonymize or delete this data when it is no longer meaningful for the pursued purposes, which can vary depending on the type of data, ranging from 2-3 weeks to 24 months (for product and service preferences). This period may be longer if required for reasons of evidence or compliance with legal or contractual requirements or if technically necessary. The functioning of tracking on our website is described in section 12.

Behavioral data refers to information about specific actions, such as your response to electronic messages (e.g., whether and when you opened an email) or your interaction with our social media profiles. Your location data can be used when you add a new address.

Preference data provides us with insights into your needs, interests, and the products or services that might appeal to you, as well as when and how you are likely to respond to messages from us. We obtain this information through the analysis of existing data, such as behavioral data, to get a better understanding of you, tailor our advice and offers more precisely to your preferences, and improve our overall offerings. To enhance the quality of our analyses, we may combine this data with additional information sourced from third parties.

Behavioral and preference data can be evaluated on a personal basis (e.g., to display personalized advertisements to you) as well as on a non-personal basis (e.g., for market research or product development purposes). Additionally, behavioral and preference data can be combined with other data (e.g., motion data used for contact tracing in a health protection concept).

      Other data: We also collect data from you in other situations. For example, data may arise in connection with official or judicial proceedings (such as records, evidence, etc.), which may also refer to you. For health protection purposes, we may also collect data (e.g., within the framework of protective measures). We may receive or create photos, videos, and audio recordings in which you may be identifiable (e.g., at events, through security cameras, etc.). We may also collect data about who enters certain buildings and their corresponding access rights (including access controls based on registration data or visitor lists, etc.), who participates in events or activities, or who uses our infrastructure and systems and when. Finally, we collect and process data about our investors, which, in addition to basic data, includes information concerning the relevant registers, the exercise of their rights, and the conduct of events (e.g., general assemblies). The retention period for this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many security cameras to visitor data, which is usually retained for 3 months, and reports about events with images, which may be kept for several years or longer. Data about you as a shareholder or other investor will be kept in accordance with corporate law requirements, but in any case, as long as you remain invested.

Many of the data mentioned in this Section 3 are provided by you voluntarily (e.g., through forms, in the context of communication with us, in connection with contracts, when using the website, platform, etc.). You are not obligated to do so, subject to specific cases, such as mandatory protection concepts (legal obligations). If you enter into contracts with us or wish to claim services, you must also provide us with data within the scope of your contractual obligation according to the relevant contract, especially master, contract, and registration data. The processing of technical data is unavoidable when using our digital services. If you want access to specific systems or buildings, you must provide us with registration data.

Certain services are only provided to you if you transmit registration data to us because we or our contractual partners need to know who is using our services, or it is technically required, or we need to communicate with you. If you or a person you represent (e.g., your employer) want to enter into or fulfill a contract with us, we must collect the respective master, contract, and communication data from you, and we process technical data if you want to use our digital services or other electronic offers for this purpose. If you do not provide us with the necessary data for the conclusion and processing of the contract, you must expect that we will reject the conclusion of the contract, you will commit a breach of contract, or we will not fulfill the contract. Similarly, we can only respond to your inquiries if we process the corresponding communication data and – if you communicate with us online – potentially also technical data. The use of our digital services is also not possible without us receiving technical data.

5.                     For what purposes do we process your data?

We process your data for the purposes explained below. You can find additional information for the online area in Section 11. These purposes, or the underlying objectives, represent legitimate interests of ours and, if applicable, of third parties. You can find further details on the legal bases for our processing in this Section 5.

We process your data for the purposes related to communication with you, especially to respond to inquiries and address your rights (Section 10), and to contact you for follow-up questions. For this, we primarily use communication data and master data, and in connection with the offers and services you use, we also use registration data. We retain this data to document our communication with you, for training purposes, quality assurance, and for reference.

This encompasses all purposes related to our communication with you, whether it is customer service, consultation, authentication in case of using the website, or for training and quality assurance (e.g., in the customer service area). We continue to process communication data to communicate with you via email, phone, messenger services, chat, social media, and postal services. Communication with you usually occurs in connection with other processing purposes, such as providing services or responding to information requests. Our data processing also serves as evidence of the communication and its contents.

We process data for the establishment, management, and execution of contractual relationships.

We enter into contracts of various kinds with our business and private customers, suppliers, subcontractors, or other contractual partners, such as partners in projects or parties involved in legal disputes. In doing so, we process, in particular, master data, contract data, and communication data, and depending on the circumstances, also registration data of the customer or the individuals to whom the customer provides a service.

In the context of business initiation, personal data, especially master data, contract data, and communication data, are collected from potential customers or other contractual partners (e.g., in a contract) or result from communication. Also, in connection with contract conclusion, we process data to check creditworthiness and for the establishment of the customer relationship. In some cases, this information is verified to comply with legal requirements.

During the execution of contractual relationships, we process data for the management of the customer relationship, for the provision and enforcement of contractual services (which may involve engaging third parties such as banks, insurance companies, or credit agencies, who may then provide us with data), for consultation, and for customer support. Enforcing legal claims arising from contracts (e.g., debt collection, legal proceedings, etc.) is also part of the execution, as well as accounting, contract termination, and public communication.

We may process data for marketing purposes and, for example, to send personalized advertising about our products and services, as well as those of third parties, to our customers and other contractual partners. You can reject any contact for advertising purposes at any time (see the end of this section 5) or refuse or revoke consent to be contacted for advertising purposes. With your consent, we can target our online advertising on the internet more effectively towards you (see section 12 for more information).

For instance, with your consent, we will send you information, advertisements, and product offers from us and third parties (e.g., advertising contractual partners) via postal mail, electronic means, or telephone. For this purpose, we mainly process communication and registration data. Like most companies, we personalize communications to provide you with individual information and offers that match your needs and interests. To achieve this, we link data we process about you, determine preference data, and use this data as the basis for personalization (see section 3 for more information).

Relationship management also includes personalized communication with existing customers and their contacts, potentially based on behavior and preference data. As part of relationship management, we may also operate a Customer Relationship Management system ("CRM"), in which we store data necessary for managing relationships with customers, suppliers, and other business partners, such as contact persons, relationship history (e.g., services received or provided, interactions, etc.), interests, preferences, marketing measures, and other information.

All these processes are not only essential for effectively promoting our offerings but also for making our relationships with customers and other parties more personal and positive, focusing on the most important relationships, and using our resources as efficiently as possible.

We also process your data for market research, to improve our services and operations, and for product development.

We constantly strive to improve our products and services (including our digital services) and respond quickly to changing needs. Therefore, we analyze, for example, how you navigate through our digital services, which products are used by different groups of people and in what way, and how new products and services can be designed (for further details, see section 11). This gives us insights into the market acceptance of existing products and services, and the market potential of new products and services. For this purpose, we process primarily master data, behavioral data, and preference data, but also communication data, information from customer surveys, other surveys, and studies, as well as other details. To the extent possible, we use pseudonymized or anonymized data for these purposes. We may also use media monitoring services or conduct media monitoring ourselves, which may involve processing personal data, to engage in media work or understand and respond to current developments and trends.

We may also process your data for security purposes and access control.

We continuously review and improve the appropriate security measures for our IT and other infrastructure (e.g., buildings). Like all companies, we cannot completely rule out data security breaches, but we do our best to reduce risks. Therefore, we process data for monitoring, controls, analysis, and testing of our networks and IT infrastructure, for system and error checks, for documentation purposes, and for security backups. Access control includes controlling access to electronic systems (e.g., logging in to user accounts) as well as physical access control (e.g., building entrances). For security purposes (both preventive and for investigating incidents), we maintain access logs or visitor lists and use surveillance systems (e.g., security cameras).

We process personal data to comply with laws, regulations, and recommendations from authorities, as well as internal guidelines and policies ("compliance").

­This includes, for example, implementing health and safety concepts or legally regulated measures to combat money laundering and terrorism financing. In certain cases, we may be obliged to conduct specific checks on customers ("Know Your Customer") or to report to authorities. Fulfilling disclosure, information, or reporting obligations related to supervisory and tax requirements also requires or involves data processing, such as fulfilling archiving obligations and preventing, detecting, and investigating crimes and other violations. This includes receiving and processing complaints and other reports, monitoring communications, conducting internal investigations, or disclosing documents to authorities when we have sufficient grounds or are legally obligated to do so. Personal data may also be processed in the context of external investigations, for example, by law enforcement or supervisory authorities, or by a commissioned private entity. Additionally, we process data to support our investors and fulfill related obligations. For all these purposes, we process your master data, contract data, and communication data, and possibly behavioral data and other data. The legal obligations may include Swiss law as well as foreign regulations to which we are subject, as well as self-regulations, industry standards, our own corporate governance, and official instructions and requests.

We also process data for risk management purposes and as part of prudent corporate governance, including business organization and company development.

For these purposes, we particularly process master data, contract data, registration data, and technical data, as well as behavioral and communication data. For instance, as part of our financial management, we monitor our debtors and creditors, and we must prevent becoming victims of crimes and abuses, which may require analyzing data for corresponding patterns. In the context of planning our resources and organizing our operations, we need to evaluate and process data related to the use of our services and other offerings, or exchange information with others, which may also involve your data. The same applies to services provided to us by third parties. As part of corporate development, we may sell businesses, parts of the company, or acquire other companies, or enter into partnerships, which can also lead to the exchange and processing of data (including yours, for example, as a customer, supplier, or supplier representative).

We may process your data for additional purposes, for example, as part of our internal processes and administration or for training and quality assurance purposes.

For these additional purposes, examples include training and education purposes, administrative purposes (such as managing master data, accounting, data archiving, and the examination, management, and continuous improvement of IT infrastructure), protecting our rights (e.g., enforcing claims in court, pre-court or out-of-court, and before authorities both domestically and abroad or defending against claims, such as through evidence collection, legal clarifications, and participation in judicial or administrative proceedings), and evaluating and improving internal processes. Additionally, pursuing other legitimate interests is also among the additional purposes, which cannot be conclusively listed.

6.                     On what basis do we process your data?

Where we ask for your consent for certain processing activities (e.g., behavioral analysis when using digital services), we will inform you separately about the corresponding purposes of the processing. You can revoke your consent at any time by sending a written notification (by mail) or, where not otherwise indicated or agreed, by e-mail to us with effect for the future; you can find our contact details in Section 2. For revoking your consent for online tracking, refer to Section 11. If you have a user account, revoking your consent or contacting us may also be done through the respective digital services or other means of service. Once we have received notice of the revocation of your consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for it. Revoking your consent does not affect the lawfulness of processing based on consent before its withdrawal.

In cases where we do not ask for your consent for processing, we base the processing of your personal data on the necessity of the processing for the initiation or fulfillment of a contract with you (or the entity you represent) or on the legitimate interest of us or third parties, especially to pursue the purposes and related goals described under section 4 and to implement corresponding measures. Our legitimate interests also include compliance with legal regulations, provided they are not already recognized as legal basis by the applicable data protection law (e.g., under the GDPR the law of the European Economic Area (EEA) and Switzerland). This also includes marketing our products and services, understanding our markets better, and operating and developing our company securely and efficiently.

In cases where we receive sensitive data (e.g., health data, information on political, religious, or philosophical views, or biometric data for identification), we may process your data based on other legal bases, such as in the case of disputes due to the necessity of processing for potential litigation or the enforcement or defense of legal claims. In individual cases, other legal grounds may apply, which we will communicate to you separately as necessary.

7.                     Who do we disclose your data to?

In connection with our contracts, digital services, products, legal obligations, or for the protection of our legitimate interests and other purposes listed in section 4, we may disclose your personal data to third parties, particularly to the following categories of recipients:

      Service providers: We work with service providers in Switzerland and abroad who process data about you on our behalf or receive data about you from us (e.g., IT providers, cleaning companies, banks, insurance companies, debt collection agencies, credit agencies, or address checkers). For service providers involved in digital services, refer to section 11. A central service provider in the IT sector for us is Nine Internet Solutions AG.

In order to efficiently provide our products and services and focus on our core competencies, we engage third-party services in various areas. We disclose to these service providers the data necessary for their services, which may also concern you. These service providers may also use such data for their own purposes. Furthermore, we enter into contracts with these service providers that include provisions for data protection, unless such provisions are already required by law. Our service providers may process data, such as the use of their services and other data that arise in the context of using their services, independently as data controllers for their own legitimate interests (e.g., for statistical evaluations or billing). Service providers provide information about their independent data processing in their own privacy policies.

      Contract partners including users: This includes primarily users and other contract partners of ours, as this data transfer results from the use of digital services. For certain of our services and products to be used correctly, it may be necessary, for example, to provide data to other users (so they can contact you). If you work for a contract partner, we may also transmit data about you to them in this context. Recipients also include other contract partners with whom we cooperate.

If you act as an employee for a company with which we have a contract, the handling of this contract may require us to inform the company, for example, how you have used our services.

      Authorities: We may disclose personal data to authorities, courts, and other government bodies in Switzerland and abroad if we are legally obligated or entitled to do so or if it appears necessary to protect our interests. The authorities process data about you, which they receive from us, independently and under their own responsibility.

Examples of scenarios include criminal investigations, police measures (e.g., health protection measures, crime prevention, etc.), regulatory requirements and investigations, legal proceedings, reporting obligations, pre- and extrajudicial proceedings, as well as legal information and participation obligations. Data disclosure may also occur when we need to obtain information from public authorities, for example, to justify an information request or because we need to specify who we require information (e.g., from a registry).         
 

      Other persons: This refers to other cases where the involvement of third parties arises from the purposes described under Section 4.

Other recipients may include foreign payees, other third parties, including representatives (e.g., if we send your data to your attorney or bank), or persons involved in legal or court proceedings. When collaborating with media and transmitting materials to them (e.g., photos), you may also be affected. The same applies to the publication of content (e.g., photos, interviews, quotes, etc.) on our website or in other publications. In the context of corporate development, we may sell or acquire businesses, parts of businesses, assets, or companies or enter into partnerships, which may also result in the disclosure of data (including yours, e.g., as a customer, supplier, or supplier representative) to the parties involved in these transactions. In the context of communication with our competitors, industry organizations, associations, and other bodies, data exchanges may also occur, which may also concern you.

All these categories of recipients may, in turn, involve third parties, so that your data may also become accessible to these parties. We may limit the processing by certain third parties (e.g., IT providers), but not by others (e.g., authorities, banks, etc.).

We also enable certain third parties to collect your personal data through our digital services and events (e.g., providers of tools integrated on our website, etc.). As long as we are not significantly involved in these data collections, these third parties are solely responsible for them. For inquiries and the exercise of your data protection rights, please contact these third parties directly. Refer to Section 11 for digital services.

8.                     Is your personal data transferred abroad?

As explained in Section 6, we may disclose data to other entities, which may be located not only in Switzerland. Certain of your data may therefore be processed in Europe as well as in the United States; in exceptional cases, it may be processed in any country in the world.

If a recipient is located in a country without adequate legal data protection, we contractually obligate the recipient to comply with applicable data protection laws (using the revised standard contractual clauses of the European Commission available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is already subject to a legally recognized framework for data protection, and we cannot rely on an exemption provision. An exception may apply, in particular, in foreign legal proceedings, as well as in cases of overriding public interests or when contract processing requires such disclosure, when you have given consent, or when it concerns data made generally accessible by you, and you have not objected to its processing.

Many countries outside of Switzerland and the EU or EEA currently do not have laws that ensure an adequate level of data protection from the perspective of the DSG or GDPR. The aforementioned contractual measures can partially compensate for this weaker or missing legal protection. However, contractual measures cannot eliminate all risks (in particular, risks related to government access in foreign countries). You should be aware of these residual risks, even if the risk may be low in individual cases, and we take further measures (such as pseudonymization or anonymization) to minimize it.

Please also note that data exchanged over the internet is often routed through third countries. Therefore, your data may also be transferred abroad, even if the sender and recipient are located in the same country.

9.                     How long do we process your data?

We process your data for as long as necessary to fulfill our processing purposes, comply with legal retention periods, and pursue our legitimate interests in processing for documentation and evidentiary purposes, or when storage is technically required. Additional information regarding the specific storage and processing duration can be found for each data category in Section 3 or for cookie categories in Section 11. In the absence of any legal or contractual obligations, we will delete or anonymize your data after the expiration of the storage or processing period within the scope of our regular procedures.

Documentation and evidentiary purposes include our interest in documenting transactions, interactions, and other facts for the purpose of potential legal claims, discrepancies, IT and infrastructure security, and demonstrating good corporate governance and compliance. Technically required storage may occur when certain data cannot be separated from other data, and therefore, we need to retain them together.

10.                  How do we protect your data?

We take appropriate security measures to preserve the confidentiality, integrity, and availability of your personal data, to protect them against unauthorized or unlawful processing, and to prevent the risks of loss, accidental alteration, unintended disclosure, or unauthorized access.

Technical and organizational security measures may include actions such as data encryption and pseudonymization, logging, access restrictions, the storage of backups, instructions to our employees, confidentiality agreements, and controls. We protect your data transmitted through our digital services during transport using appropriate encryption mechanisms. However, we can only secure areas that are under our control. We also require our processors to implement appropriate security measures. However, it is not possible to completely eliminate security risks; residual risks are unavoidable.

11.                  What are your rights?

The applicable data protection law grants you the right, under certain circumstances, to object to the processing of your data, especially for purposes of direct marketing and other legitimate interests in processing.

 

In connection with our data processing, depending on the applicable data protection law, you also have the following rights to facilitate control over the processing of your personal data:

           The right to request information from us about whether and which data we process about you;

           The right to have data corrected if it is incorrect

           The right to request the deletion of data;

           The right to request from us the release of certain personal data in a common electronic format or their transfer to another controller;

           The right to revoke consent, to the extent that our processing is based on your consent;

           The right to receive further information that is necessary for the exercise of these rights.

If you wish to exercise the above-mentioned rights with us, please do so in writing or, where not otherwise specified or agreed, by email; you can find our contact information in Section 2. To prevent abuse, we may need to identify you (e.g., with a copy of identification, where not otherwise possible).

Please note that for these rights, conditions, exceptions, or limitations may apply under the applicable data protection law (e.g., to protect third parties or business secrets). We will inform you accordingly if necessary.

In particular, we may need to further process and store your personal data to fulfill a contract with you, to protect our legitimate interests, such as asserting, exercising, or defending legal claims, or to comply with legal obligations. To the extent legally permissible, especially to protect the rights and freedoms of other affected persons and to safeguard legitimate interests, we may, therefore, partially or entirely reject a data subject request (e.g., by redacting certain content concerning third parties or our business secrets).

If you are not satisfied with our handling of your rights or data protection, please inform us (Section 2). Especially if you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you also have the right to lodge a complaint with the data protection supervisory authority in your country.

12.                  Do we use online tracking and online advertising techniques?

At our digital services, we use various techniques that allow us and third parties engaged by us to recognize you during your usage and potentially track you across multiple visits. This section provides you with information about this.

In essence, we aim to distinguish your access (via your system) from the access of other users so that we can ensure the functionality of the digital services and perform evaluations and personalizations. We do not intend to infer your identity, even though we can do so to the extent that we or third parties engaged by us can identify you by combining registration data. However, even without registration data, the employed techniques are designed to recognize you as an individual visitor with each page visit. This is achieved, for example, by our server (or the servers of third parties) assigning a specific identification number to you or your browser (so-called "cookie").

Cookies are individual codes (e.g., a serial number) that our server or a server of our service providers or advertising partners transmits to your system when connecting to our digital services. Your system (browser, mobile) receives and stores these codes until the programmed expiration date. With each subsequent access, your system sends these codes back to our server or the server of the third party. This way, you are recognized even if your identity is unknown.

Whenever you access a server (e.g., when using a website or an app or when a visible or invisible image is integrated in an e-mail), your visits can be "tracked" (tracked). If we integrate offers from an advertising partner or provider of an analytics tool into our digital services, they can also track you in the same way, even if you cannot be identified in individual cases.

We use such techniques in our digital services and also allow certain third parties to do the same. Depending on the purpose of these techniques, we may ask for your consent before using them. You can program your browser to block certain cookies or alternative techniques, deceive them, or delete existing cookies. You can also extend your browser with software that blocks tracking by certain third parties. Further information can be found on the help pages of your browser (usually under the keyword "privacy") or on the websites of the third parties listed below.

The following cookies (including techniques with comparable functionalities, such as fingerprinting) are distinguished:

           Necessary Cookies: Some cookies are necessary for the functioning of the digital services as such or certain functions. For example, they ensure that you can switch between pages without losing information entered in a form. They also ensure that you stay logged in. These cookies are only temporary ("session cookies"). If you block them, the digital services may not function properly. Other cookies are necessary so that the server can store decisions or inputs made by you beyond a session (i.e., a visit to the digital services) if you use this function (e.g., selected language, given consent, automatic login function, etc.). These cookies have an expiration date of four weeks.

           Performance Cookies: To optimize our digital services and corresponding offers and tailor them better to the needs of users, we use cookies to record and analyze the use of our digital services, possibly beyond the session. We do this by using analytical services from third-party providers, which we have listed below. Before using such cookies, we ask for your consent. Performance cookies also have an expiration date of up to one year. Details can be found on the websites of the third-party providers.

           Marketing Cookies: We and our advertising partners have an interest in controlling advertising in a targeted manner, i.e., showing it only to those we want to address. We have listed our advertising partners below. For this purpose, if you consent, we and our advertising partners also use cookies that can record the content accessed or contracts concluded. This enables us and our advertising partners to display advertising that we believe is of interest to you on our digital services, as well as on other websites that display advertising from us or our advertising partners. Depending on the situation, these cookies have a validity period of a few days to 12 months. If you consent to the use of these cookies, you will be shown corresponding advertising. If you do not consent to these cookies, you will see no less advertising, but simply different advertising.

In addition to marketing cookies, we use other techniques to control online advertising on other websites and reduce scatter losses. For example, we may transmit the email addresses of our users, customers, and other individuals to operators of advertising platforms (e.g., social media). If these individuals are registered with the same email address on these advertising platforms (which the platforms determine through a comparison), the operators will display targeted advertising to these individuals on our behalf. However, the operators do not receive personally identifiable email addresses of unknown individuals. With known email addresses, the operators can see that these individuals are connected to us and which content they have accessed.

We may also incorporate additional offers from third parties, especially from social media providers, into our digital services. By default, these offers are deactivated. Once you activate them (e.g., by clicking a switch), the respective providers can determine that you are using our digital services. If you have an account with the social media provider, they can associate this information with your account and track your use of online offerings. These social media providers process this data on their own responsibility.

Currently, we use offers from the following service providers and advertising partners (to the extent that they use data from you or cookies set by you for advertising control):

           Google Analytics: Google Ireland (based in Ireland) is the provider of the service "Google Analytics" and acts as our data processor. Google Ireland relies on Google LLC (based in the USA) as its data processor (both "Google"). Through performance cookies (see above), Google tracks the behavior of visitors to our digital services (duration, frequency of accessed pages, geographic origin of access, etc.) and creates reports for us based on this data on the usage of our digital services. We have configured the service so that the IP addresses of visitors from Europe are truncated by Google before being transferred to the USA and therefore cannot be traced back. We have disabled the "data sharing" and "signals" settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google may draw conclusions about the identity of visitors, create personal profiles, and link this data to the Google accounts of these individuals for its own purposes. If you agree to the use of Google Analytics, you explicitly consent to such processing, including the transfer of personal data (especially usage data of the digital services and app, device information, and individual IDs) to the USA and other countries. You can find information about the privacy of Google Analytics here: https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find further information about processing by Google here: https://policies.google.com/technologies/partner-sites?hl=en.

           Friendly Analytics: The privacy policy of Friendly Analytics can be found here: https://friendly.ch/de/datenschutz.

13.                  Which data do we process on our social media pages?

We can operate pages and other online presences (e.g., "fan pages," "channels," "profiles," etc.) on social media and other platforms operated by third parties and collect the data described in Section 3 and below about you. We receive this data from you and the platforms when you interact with us through our online presence (e.g., when you communicate with us, comment on our content, or visit our presence). At the same time, the platforms analyze your use of our online presences and link this data with other data known to the platforms about you (e.g., your behavior and preferences). They also process this data for their own purposes and responsibility, particularly for marketing and market research purposes (e.g., to personalize advertising) and to control their platforms (e.g., which content they display to you).

We receive data about you when you interact with us through online presences or view our content on the corresponding platforms, visit our online presences, or engage in activities within them (e.g., publishing content, leaving comments). These platforms also collect technical data, registration data, communication data, behavioral and preference data from you or about you (for definitions, see Section 3). Regularly, these platforms statistically analyze how you interact with us, how you use our online presences, our content, or other parts of the platform (what you view, comment on, "like," share, etc.) and link this data with additional information about you (e.g., age, gender, and other demographic information). In this way, they also create profiles about you and statistics on the usage of our online presences. They use this data and profiles to display personalized advertising and other content to you on the platform, as well as to control the platform's behavior. Additionally, they use this data for market and user research and to provide us and other entities with information about you and the use of our online presence. We can partially control the evaluations that these platforms create regarding the usage of our online presences.

We process this data for the purposes described in Section 4, especially for communication, marketing purposes (including advertising on these platforms, see Section 12), and market research. Information about the corresponding legal bases can be found in Section 5. Content published by you (e.g., comments on an announcement) may be disseminated by us (e.g., in our advertising on the platform or elsewhere). We or the operators of the platforms can also delete or restrict content from or about you in accordance with usage guidelines (e.g., inappropriate comments)

You can find further information about the processing by the operators of the platforms in the privacy policies of the platforms. There, you can also learn in which countries they process their data, what rights of access, deletion, and other rights you have as a data subject, and how you can exercise them or obtain further information. Currently, we use the following platforms:

           Facebook: On Facebook, we operate the page https://www.facebook.com/HitchHike.Carpooling/. The responsible entity for operating the platform for users from Europe is Facebook Ireland Ltd., Dublin, Ireland. Their privacy policies are available at www.facebook.com/policy.

           Instagram: On Instagram, we manage the profile https://www.instagram.com/hitchhike_carpooling/. The responsible entity for operating the platform for users from Europe is Meta Platforms Ireland Limited, Dublin, Ireland. The privacy policy can be accessed at privacycenter.instagram.com/policy.

           Twitter / X: On Twitter/X, we run the profile https://mobile.twitter.com/hitchhike_sayhi/. The responsible entity for operating the platform for users from Europe is Twitter International Company, Dublin, Ireland. The privacy policy is available here: twitter.com/privacy. Regarding advertising, you can object using the following link: twitter.com/settings/ads_preferences.

           LinkedIn: On LinkedIn, we operate the page https://il.linkedin.com/company/hitchhike. The responsible entity for operating the platform for users from Europe is LinkedIn Ireland Unlimited Company, Dublin, Ireland. Their privacy notice can be accessed at www.linkedin.com/legal/privacy-policy.

           VIMEO: On Vimeo, we manage the profile https://vimeo.com/user179878808. The responsible entity for operating the platform for users from Europe is Vimeo.com, Inc., New York, USA. The privacy policy is available here: https://vimeo.com/privacy.

It is possible that when using these platforms, some of your data may be transferred to third countries (e.g., the USA). In the case of any joint responsibilities with these platforms, we regulate these responsibilities as necessary. You can usually object to advertising on these platforms directly in the settings of the respective platform.

14.                  Can this privacy policy be modified?

This privacy policy is not part of a contract with you. We can modify this privacy policy at any time. The version published on this website is the current version.
 

Lucerne, 2023 © usus GmbH, HitchHike / V.2.0