1....... Great, I love
such legal gibberish...
2....... What is the
purpose of this privacy policy?
3....... Who is
responsable for processing your data?
4....... What data do we
process?
5....... For what purposes
do we process your data?
6....... On what basis do
we process your data?
7....... Who do we
disclose your data to?
8....... Is your personal
data transferred abroad?
9....... How long do we
process your data?
10..... How do we protect
your data?
12..... Do we use online
tracking and online advertising techniques?
13..... Which data do we
process on our social media pages?
14..... Can this privacy
policy be modified?
Yes, we prefer to be busy coding
a great app or developing new innovative services to reduce CO2 emissions and
energy consumption, too! However, as we offer a professional service and aim to
provide you with the best carpooling services in the universe, it is essential
for us to handle data carefully. We operate in accordance with the strict rules
of the General Data Protection Regulation ("GDPR") of the
European Union ("EU"). Additionally, we comply with the
requirements of the Swiss Data Protection Act ("DPA"). It is
important and part of our duty to inform you in detail about this. We have designed
this document as clear as possible and also try to use simple language to make
it easily understandable.
usus GmbH, acting under the name HitchHike
(hereinafter also referred to as "we," "us"),
collects and processes personal data that concerns you or other individuals
(referred to as "Third Parties"). We use the term "data"
here interchangeably with "personal data" or "personal
information".
By "personal data", we mean
data that relates to a specific or identifiable individual, i.e., data that
allows conclusions to be drawn about their identity through the data itself or
with additional data. "Sensitive personal data" is a category of
personal data that is particularly protected under applicable data protection
law. Sensitive personal data includes, for example, data revealing racial and
ethnic origin, health data, information about religious or philosophical
beliefs, biometric data for identification purposes, and data concerning union
membership. In Section 3, you will find information about the data we process
under this privacy policy. "Processing" refers to any handling of
personal data, such as obtaining, storing, using, adapting, disclosing, and
deleting.
In this privacy policy, we
describe what we do with your data when you use https://www.hitchhike.ch/,
other websites, platforms, apps, or other digital services provided by us
(collectively referred to as "digital services"), when you use
our services or products, when you interact with us in the context of a
contract, when you communicate with us, or otherwise deal with us. We will
inform you in a timely written notice about any additional processing
activities not mentioned in this privacy policy. In addition, we may inform you
separately about the processing of your data, for example, in consent
declarations, contractual terms, additional privacy policies, forms, and
notices.
If you provide us or disclose to
us data about other individuals such as family members, colleagues, etc., we
assume that you are authorized to do so and that this data is accurate. By
transmitting data about third parties, you confirm this. Please also ensure
that these third parties have been informed about this privacy policy.
This privacy policy is designed
to meet the requirements of the General Data Protection Regulation (GDPR) and
the Swiss Federal Data Protection Act (DPA). However, the extent to which these
laws apply depends on the individual case.
For the data processing described in
this privacy policy by HitchHike, the usus GmbH, Lucerne (hereinafter referred
to as "usus"), is responsible under data protection law,
unless communicated otherwise in individual cases, e.g., on forms or in
contracts.
For each data processing, there is one
or more entities responsible for ensuring that the processing complies with the
requirements of data protection law. This entity is called the data controller.
For example, they are responsible for responding to requests for information
(Section 10) or ensuring that personal data is secured and not used unlawfully.
In the data processing described in
this privacy policy, other entities may also share responsibility if they have
a say in the purpose or design ("joint controllers"). If you wish to
receive information about the specific data controllers for a particular
data processing, you can request it from us within the scope of the right to
information (Section 10). HitchHike remains your primary point of contact, even
if other joint controllers exist.
In Section 3, Section 6, and Section
11, you will find further information about third parties with whom we
cooperate and who are responsible for their own data processing. For questions
or to exercise your rights with regard to these third parties, we ask you to
contact them directly.
You can reach us for your privacy
concerns and the exercise of your rights in accordance with Section 10 as
follows:
Postal Address:
usus GmbH
Obergütschstrasse 22
CH-6003 Lucerne
+41 41 511 41 78
Or via E-Mail: DataProtection@hi-mobility.io
We have appointed the following
additional entities:
·
Data Protection
Representative in the EU in accordance with Article 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Deutschland
You can also contact this entity for
privacy concerns, however, there may be costs for you involved.
We process
various categories of data about you. The most important categories are as
follows:
– Technical Data: When you use our digital services, we collect the IP
address of your device and other technical data to ensure the functionality and
security of these services. These data also include logs in which the use of
our systems is recorded. We typically retain technical data for 90 days. To
ensure the functionality of these services, we may also assign you or your
device an individual code (e.g., in the form of a cookie, see Section 11).
Technical data on its own generally does not allow any conclusions about your
identity. However, in the context of user accounts, registrations, access
controls, or the processing of contracts, they can be linked to other data
categories (and thus possibly to your person).
Technical data includes, among other things, the IP address and information about the
operating system of your device, the date, region, and time of use, as well as
the type of browser you use to access our electronic services. This can help us
transmit the correct formatting of the website or show you a website adapted to
your region. Based on the IP address, we know through which provider you access
our services (and thus also the region), but in general, we cannot deduce who
you are. This changes, for example, when you create a user account because then
personal data can be linked to technical data (we see, for example, which
browser you use to access a user account on our website). Examples of technical
data also include logs that accumulate in our systems (e.g., the log of user
logins on our website).
– Registration Data: Certain and services (e.g., login areas of our website) can only be used
with a user account or registration, which can be done directly with us or
through our external login service providers. In doing so, you must provide us
with certain data, and we collect data about the use of the product or service.
If you want to become a member of a private community, further information
about your associated institution may be required. We typically retain
registration data for 10 years after the deletion of the user account.
Registration data includes, among
other things, the information you provide when you create an account on our
digital services (e.g., language, name, e-mail, phone number). Registration
data also includes data that we may request from you before you can take
advantage of certain free services.
–
Communication data: When you are in contact with us
through the contact form, email, phone or chat, letter, or other means of
communication, we record the data exchanged between you and us, including your
contact details and the edge data of the communication. If we want or need to
determine your identity, e.g., in response to an information request from you,
we collect data to identify you (e.g., a copy of an ID). We typically delete
communication data no later than 10 years after the deletion of the user
account.
Communication data includes your
name and contact details, the method, location, time, and content of the
communication (i.e., the content of emails, letters, chats, etc.). This data
may also include information about third parties. For the purpose of
identification, we may also process your ID card or passport number or a password
you have set.
–
Master data: As master data, we refer to the basic
data that we need, in addition to contract data (see below), for the processing
of our contractual and other business relationships or for marketing and
advertising purposes, such as name, contact details, and information about your
role and function, your bank details, your date of birth, customer history,
powers of attorney, authorization signatures, and consent declarations. We
receive master data from you yourself (e.g., when making a purchase or in the
context of registration), from entities for which you work, or from third
parties such as our contract partners, associations, and address dealers, and
from publicly accessible sources such as public registers or the Internet
(websites, social media, etc.). We typically retain this data for 10 years from
the last exchange with you, but at least from the end of the contract. This
period may be longer if required for reasons of evidence or to comply with
legal or contractual requirements or for technical reasons. In the case of pure
marketing and advertising contacts, the period is usually much shorter, usually
not more than 2 years since the last contact.
The master data includes data
such as name, address, email address, phone number, and other contact details,
gender, date of birth, nationality, information about connected persons,
websites, photos, and videos, copies of IDs; also information about your
relationship with us, information about your status with us, allocations,
classifications, and distribution lists, information about our interactions
with you (possibly a history thereof with corresponding entries), reports
(e.g., from the media) or official documents (e.g., commercial register
extracts, permits, etc.) that concern you. As payment information, we
collect, for example, your bank details, account number, and credit card data.
Consent or restriction notes are also part of the master data, as well as
information about third parties.
For contacts who are representatives or
agents of our users, suppliers, and partners, we process
master data such as name and address, information about their role and function
in the company, qualifications, and, if applicable, information about
superiors, employees, and subordinates, as well as information about
interactions with these individuals.
Not all contacts have their master data
comprehensively collected. The specific data we collect depends on the purpose
of the processing.
–
Contract data: These are data
that arise in connection with the conclusion or processing of a contract, such
as information about contracts and the services to be provided or already
provided, as well as data from the pre-contractual phase that are necessary or
used for the processing, and information about reactions. We usually collect
these data from you, from contract partners, and from third parties involved in
the contract processing. We also obtain them from third-party sources (e.g.,
providers of credit data) and from publicly accessible sources. We typically
retain these data for 10 years from the last contract activity, at least until
the end of the contract. This period may be longer if required for reasons of
evidence or compliance with legal or contractual requirements or if technically
necessary.
Contract data include
information about the conclusion of contracts, your contracts, such as the type
and date of contract conclusion, information from the application process
(e.g., a request for our products or services), and information about the
respective contract (e.g., its duration) and the processing and management of
contracts (e.g., information related to invoicing, customer service, technical
support, and enforcement of contractual claims). Contract data also include
information about defects, complaints, and adjustments to a contract, as well
as information about customer satisfaction, which we may collect through
surveys. Financial data, such as information about creditworthiness
(i.e., information that allows conclusions to be drawn about the probability of
settling claims), reminders, and debt collection, are also part of the contract
data. We receive some of this data from you (e.g., when you make payments), but
also from credit reporting agencies, debt collection companies, and publicly
accessible sources (e.g., a commercial register).
–
Behavior and preference data: Depending on the
relationship we have with you, we try to get to know you better and tailor our
products, services, and offers to suit you. To do this, we collect and use data
about your behavior and preferences. We do this by evaluating information about
your actions within our domain, and we may also supplement this information
with data from third parties - including publicly accessible sources. Based on
this, we can calculate the likelihood that you will use certain services or
behave in a certain way. The data processed for this purpose is partly already
known to us (e.g., when you use our services), or we obtain this data by
recording your behavior (e.g., how you navigate our digital services). We
anonymize or delete this data when it is no longer meaningful for the pursued
purposes, which can vary depending on the type of data, ranging from 2-3 weeks
to 24 months (for product and service preferences). This period may be longer
if required for reasons of evidence or compliance with legal or contractual
requirements or if technically necessary. The functioning of tracking on our
website is described in section 12.
Behavioral data refers to
information about specific actions, such as your response to electronic
messages (e.g., whether and when you opened an email) or your interaction with
our social media profiles. Your location data can be used when you add a new address.
Preference data provides us with
insights into your needs, interests, and the products or services that might
appeal to you, as well as when and how you are likely to respond to messages
from us. We obtain this information through the analysis of existing data, such
as behavioral data, to get a better understanding of you, tailor our advice and
offers more precisely to your preferences, and improve our overall offerings.
To enhance the quality of our analyses, we may combine this data with additional
information sourced from third parties.
Behavioral and preference data can be
evaluated on a personal basis (e.g., to display personalized
advertisements to you) as well as on a non-personal basis (e.g., for
market research or product development purposes). Additionally, behavioral and
preference data can be combined with other data (e.g., motion data used for
contact tracing in a health protection concept).
–
Other data: We also collect
data from you in other situations. For example, data may arise in connection
with official or judicial proceedings (such as records, evidence, etc.), which
may also refer to you. For health protection purposes, we may also collect data
(e.g., within the framework of protective measures). We may receive or create
photos, videos, and audio recordings in which you may be identifiable (e.g., at
events, through security cameras, etc.). We may also collect data about who
enters certain buildings and their corresponding access rights (including
access controls based on registration data or visitor lists, etc.), who
participates in events or activities, or who uses our infrastructure and
systems and when. Finally, we collect and process data about our investors,
which, in addition to basic data, includes information concerning the relevant
registers, the exercise of their rights, and the conduct of events (e.g.,
general assemblies). The retention period for this data depends on the purpose
and is limited to what is necessary. This ranges from a few days for many
security cameras to visitor data, which is usually retained for 3 months, and
reports about events with images, which may be kept for several years or
longer. Data about you as a shareholder or other investor will be kept in
accordance with corporate law requirements, but in any case, as long as you
remain invested.
Many of the data mentioned in
this Section 3 are provided by you voluntarily (e.g., through forms, in the
context of communication with us, in connection with contracts, when using the
website, platform, etc.). You are not obligated to do so, subject to specific
cases, such as mandatory protection concepts (legal obligations). If you enter
into contracts with us or wish to claim services, you must also provide us with
data within the scope of your contractual obligation according to the relevant
contract, especially master, contract, and registration data. The processing of
technical data is unavoidable when using our digital services. If you want
access to specific systems or buildings, you must provide us with registration
data.
We process your data for the
purposes related to communication with you, especially to respond to
inquiries and address your rights (Section 10), and to contact you for
follow-up questions. For this, we primarily use communication data and master
data, and in connection with the offers and services you use, we also use
registration data. We retain this data to document our communication with you,
for training purposes, quality assurance, and for reference.
This encompasses all purposes
related to our communication with you, whether it is customer service,
consultation, authentication in case of using the website, or for training and
quality assurance (e.g., in the customer service area). We continue to process
communication data to communicate with you via email, phone, messenger
services, chat, social media, and postal services. Communication with you
usually occurs in connection with other processing purposes, such as providing services
or responding to information requests. Our data processing also serves as
evidence of the communication and its contents.
We process data for the
establishment, management, and execution of contractual relationships.
We
enter into contracts of various kinds with our business and private customers,
suppliers, subcontractors, or other contractual partners, such as partners in
projects or parties involved in legal disputes. In doing so, we process, in
particular, master data, contract data, and communication data, and depending
on the circumstances, also registration data of the customer or the individuals
to whom the customer provides a service.
In
the context of business initiation, personal data, especially master data,
contract data, and communication data, are collected from potential customers
or other contractual partners (e.g., in a contract) or result from
communication. Also, in connection with contract conclusion, we process data to
check creditworthiness and for the establishment of the customer relationship.
In some cases, this information is verified to comply with legal requirements.
During
the execution of contractual relationships, we process data for the management
of the customer relationship, for the provision and enforcement of contractual
services (which may involve engaging third parties such as banks, insurance
companies, or credit agencies, who may then provide us with data), for
consultation, and for customer support. Enforcing legal claims arising from
contracts (e.g., debt collection, legal proceedings, etc.) is also part of the
execution, as well as accounting, contract termination, and public
communication.
We
may process data for marketing purposes and, for example, to send
personalized advertising about our products and services, as well as those of
third parties, to our customers and other contractual partners. You can reject
any contact for advertising purposes at any time (see the end of this section
5) or refuse or revoke consent to be contacted for advertising purposes. With
your consent, we can target our online advertising on the internet more
effectively towards you (see section 12 for more information).
For
instance, with your consent, we will send you information, advertisements, and
product offers from us and third parties (e.g., advertising contractual
partners) via postal mail, electronic means, or telephone. For this purpose, we
mainly process communication and registration data. Like most companies, we
personalize communications to provide you with individual information and
offers that match your needs and interests. To achieve this, we link data we
process about you, determine preference data, and use this data as the basis
for personalization (see section 3 for more information).
Relationship
management also includes personalized communication with existing customers and
their contacts, potentially based on behavior and preference data. As part of
relationship management, we may also operate a Customer Relationship Management
system ("CRM"), in which we store data necessary for managing
relationships with customers, suppliers, and other business partners, such as
contact persons, relationship history (e.g., services received or provided,
interactions, etc.), interests, preferences, marketing measures, and other
information.
All
these processes are not only essential for effectively promoting our offerings
but also for making our relationships with customers and other parties more
personal and positive, focusing on the most important relationships, and using
our resources as efficiently as possible.
We also process your data
for market research, to improve our services and operations, and
for product development.
We
constantly strive to improve our products and services (including our digital
services) and respond quickly to changing needs. Therefore, we analyze, for
example, how you navigate through our digital services, which products are used
by different groups of people and in what way, and how new products and
services can be designed (for further details, see section 11). This gives us
insights into the market acceptance of existing products and services, and the
market potential of new products and services. For this purpose, we process
primarily master data, behavioral data, and preference data, but also
communication data, information from customer surveys, other surveys, and
studies, as well as other details. To the extent possible, we use pseudonymized
or anonymized data for these purposes. We may also use media monitoring services
or conduct media monitoring ourselves, which may involve processing personal
data, to engage in media work or understand and respond to current developments
and trends.
We may also process your data for
security purposes and access control.
We continuously review and improve
the appropriate security measures for our IT and other infrastructure (e.g.,
buildings). Like all companies, we cannot completely rule out data security
breaches, but we do our best to reduce risks. Therefore, we process data for
monitoring, controls, analysis, and testing of our networks and IT
infrastructure, for system and error checks, for documentation purposes, and
for security backups. Access control includes controlling access to electronic
systems (e.g., logging in to user accounts) as well as physical access control
(e.g., building entrances). For security purposes (both preventive and for
investigating incidents), we maintain access logs or visitor lists and use
surveillance systems (e.g., security cameras).
We process personal data to comply with laws,
regulations, and recommendations from authorities, as well as internal guidelines
and policies ("compliance").
This includes,
for example, implementing health and safety concepts or legally regulated
measures to combat money laundering and terrorism financing. In certain cases,
we may be obliged to conduct specific checks on customers ("Know Your
Customer") or to report to authorities. Fulfilling disclosure,
information, or reporting obligations related to supervisory and tax
requirements also requires or involves data processing, such as fulfilling
archiving obligations and preventing, detecting, and investigating crimes and
other violations. This includes receiving and processing complaints and other
reports, monitoring communications, conducting internal investigations, or
disclosing documents to authorities when we have sufficient grounds or are
legally obligated to do so. Personal data may also be processed in the context
of external investigations, for example, by law enforcement or supervisory
authorities, or by a commissioned private entity. Additionally, we process data
to support our investors and fulfill related obligations. For all these
purposes, we process your master data, contract data, and communication data,
and possibly behavioral data and other data. The legal obligations may include
Swiss law as well as foreign regulations to which we are subject, as well as
self-regulations, industry standards, our own corporate governance, and
official instructions and requests.
We also process data for risk
management purposes and as part of prudent corporate governance,
including business organization and company development.
For these purposes, we particularly process master data, contract data,
registration data, and technical data, as well as behavioral and communication
data. For instance, as part of our financial management, we monitor our debtors
and creditors, and we must prevent becoming victims of crimes and abuses, which
may require analyzing data for corresponding patterns. In the context of
planning our resources and organizing our operations, we need to evaluate and
process data related to the use of our services and other offerings, or
exchange information with others, which may also involve your data. The same
applies to services provided to us by third parties. As part of corporate
development, we may sell businesses, parts of the company, or acquire other
companies, or enter into partnerships, which can also lead to the exchange and
processing of data (including yours, for example, as a customer, supplier, or
supplier representative).
We may process your data for
additional purposes, for example, as part of our internal processes and
administration or for training and quality assurance purposes.
For these additional purposes, examples include training and education
purposes, administrative purposes (such as managing master data, accounting, data
archiving, and the examination, management, and continuous improvement of IT
infrastructure), protecting our rights (e.g., enforcing claims in court,
pre-court or out-of-court, and before authorities both domestically and abroad
or defending against claims, such as through evidence collection, legal
clarifications, and participation in judicial or administrative proceedings),
and evaluating and improving internal processes. Additionally, pursuing other
legitimate interests is also among the additional purposes, which cannot be
conclusively listed.
Where we ask for your consent for certain processing activities
(e.g., behavioral analysis when using digital services), we will inform you
separately about the corresponding purposes of the processing. You can revoke
your consent at any time by sending a written notification (by mail) or, where
not otherwise indicated or agreed, by e-mail to us with effect for the future;
you can find our contact details in Section 2. For revoking your consent for
online tracking, refer to Section 11. If you have a user account, revoking your
consent or contacting us may also be done through the respective digital
services or other means of service. Once we have received notice of the
revocation of your consent, we will no longer process your data for the
purposes to which you originally consented, unless we have another legal basis
for it. Revoking your consent does not affect the lawfulness of processing
based on consent before its withdrawal.
In cases
where we do not ask for your consent for processing, we base the processing of
your personal data on the necessity of the processing for the initiation or
fulfillment of a contract with you (or the entity you represent) or on the legitimate
interest of us or third parties, especially to pursue the purposes and
related goals described under section 4 and to implement corresponding
measures. Our legitimate interests also include compliance with legal
regulations, provided they are not already recognized as legal basis by the
applicable data protection law (e.g., under the GDPR the law of the European
Economic Area (EEA) and Switzerland). This also includes marketing our products
and services, understanding our markets better, and operating and developing
our company securely and efficiently.
In cases
where we receive sensitive data (e.g., health data, information on political,
religious, or philosophical views, or biometric data for identification), we
may process your data based on other legal bases, such as in the case of
disputes due to the necessity of processing for potential litigation or the
enforcement or defense of legal claims. In individual cases, other legal
grounds may apply, which we will communicate to you separately as necessary.
In connection with our contracts,
digital services, products, legal obligations, or for the protection of our
legitimate interests and other purposes listed in section 4, we may disclose
your personal data to third parties, particularly to the following categories
of recipients:
–
Service providers: We work with service providers in
Switzerland and abroad who process data about you on our behalf or receive data
about you from us (e.g., IT providers, cleaning companies, banks, insurance
companies, debt collection agencies, credit agencies, or address checkers). For
service providers involved in digital services, refer to section 11. A central
service provider in the IT sector for us is Nine Internet Solutions AG.
In order to efficiently provide our
products and services and focus on our core competencies, we engage third-party
services in various areas. We disclose to these service providers the data
necessary for their services, which may also concern you. These service
providers may also use such data for their own purposes. Furthermore, we enter
into contracts with these service providers that include provisions for data
protection, unless such provisions are already required by law. Our service
providers may process data, such as the use of their services and other data
that arise in the context of using their services, independently as data
controllers for their own legitimate interests (e.g., for statistical
evaluations or billing). Service providers provide information about their
independent data processing in their own privacy policies.
– Contract partners
including users: This includes
primarily users and other contract partners of ours, as this data transfer
results from the use of digital services. For certain of our services and
products to be used correctly, it may be necessary, for example, to provide
data to other users (so they can contact you). If you work for a contract
partner, we may also transmit data about you to them in this context.
Recipients also include other contract partners with whom we cooperate.
–
Authorities: We may disclose personal data to
authorities, courts, and other government bodies in Switzerland and abroad if
we are legally obligated or entitled to do so or if it appears necessary to
protect our interests. The authorities process data about you, which they
receive from us, independently and under their own responsibility.
Examples of scenarios include criminal
investigations, police measures (e.g., health protection measures, crime
prevention, etc.), regulatory requirements and investigations, legal proceedings,
reporting obligations, pre- and extrajudicial proceedings, as well as legal
information and participation obligations. Data disclosure may also occur when
we need to obtain information from public authorities, for example, to justify
an information request or because we need to specify who we require information
(e.g., from a registry).
–
Other persons: This refers to other cases where the
involvement of third parties arises from the purposes described under Section
4.
Other recipients may include foreign
payees, other third parties, including representatives (e.g., if we send your
data to your attorney or bank), or persons involved in legal or court
proceedings. When collaborating with media and transmitting materials to them
(e.g., photos), you may also be affected. The same applies to the publication
of content (e.g., photos, interviews, quotes, etc.) on our website or in other
publications. In the context of corporate development, we may sell or acquire
businesses, parts of businesses, assets, or companies or enter into
partnerships, which may also result in the disclosure of data (including yours,
e.g., as a customer, supplier, or supplier representative) to the parties
involved in these transactions. In the context of communication with our
competitors, industry organizations, associations, and other bodies, data
exchanges may also occur, which may also concern you.
All these categories of recipients may, in turn, involve third parties, so
that your data may also become accessible to these parties. We may limit the
processing by certain third parties (e.g., IT providers), but not by others
(e.g., authorities, banks, etc.).
We also enable certain third parties to collect your personal
data through our digital services and events (e.g., providers of tools
integrated on our website, etc.). As long as we are not significantly involved
in these data collections, these third parties are solely responsible for them.
For inquiries and the exercise of your data protection rights, please contact
these third parties directly. Refer to Section 11 for digital services.
As explained in Section 6, we may disclose data to other entities, which
may be located not only in Switzerland. Certain of your data may therefore be
processed in Europe as well as in the United States; in exceptional cases, it
may be processed in any country in the world.
If a recipient is located in a country without adequate legal data
protection, we contractually obligate the recipient to comply with applicable
data protection laws (using the revised standard contractual clauses of the
European Commission available here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is
already subject to a legally recognized framework for data protection, and we
cannot rely on an exemption provision. An exception may apply, in particular,
in foreign legal proceedings, as well as in cases of overriding public
interests or when contract processing requires such disclosure, when you have
given consent, or when it concerns data made generally accessible by you, and
you have not objected to its processing.
Many countries outside of
Switzerland and the EU or EEA currently do not have laws that ensure an
adequate level of data protection from the perspective of the DSG or GDPR. The
aforementioned contractual measures can partially compensate for this weaker or
missing legal protection. However, contractual measures cannot eliminate all
risks (in particular, risks related to government access in foreign countries).
You should be aware of these residual risks, even if the risk may be low in
individual cases, and we take further measures (such as pseudonymization or
anonymization) to minimize it.
Please also note that data exchanged over the internet is often routed
through third countries. Therefore, your data may also be transferred abroad,
even if the sender and recipient are located in the same country.
We process your data for as long as necessary to fulfill our
processing purposes, comply with legal retention periods, and pursue our
legitimate interests in processing for documentation and evidentiary purposes,
or when storage is technically required. Additional information regarding the
specific storage and processing duration can be found for each data category in
Section 3 or for cookie categories in Section 11. In the absence of any legal
or contractual obligations, we will delete or anonymize your data after the
expiration of the storage or processing period within the scope of our regular
procedures.
We take appropriate
security measures to preserve the confidentiality, integrity, and availability
of your personal data, to protect them against unauthorized or unlawful
processing, and to prevent the risks of loss, accidental alteration, unintended
disclosure, or unauthorized access.
Technical and organizational security measures may include actions such as data encryption and
pseudonymization, logging, access restrictions, the storage of backups,
instructions to our employees, confidentiality agreements, and controls. We
protect your data transmitted through our digital services during transport
using appropriate encryption mechanisms. However, we can only secure areas that
are under our control. We also require our processors to implement appropriate
security measures. However, it is not possible to completely eliminate security
risks; residual risks are unavoidable.
The applicable data protection law grants you the right, under certain
circumstances, to object to the processing of your data, especially for
purposes of direct marketing and other legitimate interests in processing.
In connection with our data processing, depending on the
applicable data protection law, you also have the following rights to
facilitate control over the processing of your personal data:
–
The right to request
information from us about whether and which data we process about you;
–
The right to have data
corrected if it is incorrect
–
The right to request the
deletion of data;
–
The right to request from
us the release of certain personal data in a common electronic format or their
transfer to another controller;
–
The right to revoke
consent, to the extent that our processing is based on your consent;
–
The right to receive
further information that is necessary for the exercise of these rights.
If you wish to exercise the above-mentioned rights with us, please do so in writing or,
where not otherwise specified or agreed, by email; you can find our contact
information in Section 2. To prevent abuse, we may need to identify you (e.g.,
with a copy of identification, where not otherwise possible).
Please note that for these rights, conditions, exceptions, or
limitations may apply under the applicable data protection law (e.g., to
protect third parties or business secrets). We will inform you accordingly if
necessary.
In particular, we may need to further process and store your
personal data to fulfill a contract with you, to protect our legitimate
interests, such as asserting, exercising, or defending legal claims, or to
comply with legal obligations. To the extent legally permissible, especially to
protect the rights and freedoms of other affected persons and to safeguard
legitimate interests, we may, therefore, partially or entirely reject a data
subject request (e.g., by redacting certain content concerning third parties or
our business secrets).
If you are
not satisfied with our handling of your rights or data protection, please
inform us (Section 2). Especially if you are in the European Economic Area
(EEA), the United Kingdom, or Switzerland, you also have the right to lodge a
complaint with the data protection supervisory authority in your country.
At our digital services, we use
various techniques that allow us and third parties engaged by us to recognize
you during your usage and potentially track you across multiple visits. This
section provides you with information about this.
In essence, we aim to distinguish
your access (via your system) from the access of other users so that we can
ensure the functionality of the digital services and perform evaluations and
personalizations. We do not intend to infer your identity, even though we can
do so to the extent that we or third parties engaged by us can identify you by
combining registration data. However, even without registration data, the employed
techniques are designed to recognize you as an individual visitor with each
page visit. This is achieved, for example, by our server (or the servers of
third parties) assigning a specific identification number to you or your
browser (so-called "cookie").
Cookies
are individual codes (e.g., a serial number) that our server or a server of our
service providers or advertising partners transmits to your system when
connecting to our digital services. Your system (browser, mobile) receives and
stores these codes until the programmed expiration date. With each subsequent
access, your system sends these codes back to our server or the server of the
third party. This way, you are recognized even if your identity is unknown.
Whenever
you access a server (e.g., when using a website or an app or when a
visible or invisible image is integrated in an e-mail), your visits can be
"tracked" (tracked). If we integrate offers from an advertising
partner or provider of an analytics tool into our digital services, they can
also track you in the same way, even if you cannot be identified in individual
cases.
We use such techniques in our
digital services and also allow certain third parties to do the same. Depending
on the purpose of these techniques, we may ask for your consent before using
them. You can program your browser to block certain cookies or alternative
techniques, deceive them, or delete existing cookies. You can also extend your
browser with software that blocks tracking by certain third parties. Further
information can be found on the help pages of your browser (usually under the
keyword "privacy") or on the websites of the third parties listed
below.
The following cookies (including techniques
with comparable functionalities, such as fingerprinting) are distinguished:
–
Necessary Cookies: Some cookies are
necessary for the functioning of the digital services as such or certain
functions. For example, they ensure that you can switch between pages without
losing information entered in a form. They also ensure that you stay logged in.
These cookies are only temporary ("session cookies"). If you block
them, the digital services may not function properly. Other cookies are
necessary so that the server can store decisions or inputs made by you beyond a
session (i.e., a visit to the digital services) if you use this function (e.g.,
selected language, given consent, automatic login function, etc.). These
cookies have an expiration date of four weeks.
–
Performance Cookies: To optimize our
digital services and corresponding offers and tailor them better to the needs
of users, we use cookies to record and analyze the use of our digital services,
possibly beyond the session. We do this by using analytical services from
third-party providers, which we have listed below. Before using such cookies,
we ask for your consent. Performance cookies also have an expiration date of up
to one year. Details can be found on the websites of the third-party providers.
–
Marketing Cookies: We and our advertising partners have
an interest in controlling advertising in a targeted manner, i.e., showing it
only to those we want to address. We have listed our advertising partners
below. For this purpose, if you consent, we and our advertising partners also
use cookies that can record the content accessed or contracts concluded. This
enables us and our advertising partners to display advertising that we believe
is of interest to you on our digital services, as well as on other websites
that display advertising from us or our advertising partners. Depending on the
situation, these cookies have a validity period of a few days to 12 months. If
you consent to the use of these cookies, you will be shown corresponding
advertising. If you do not consent to these cookies, you will see no less
advertising, but simply different advertising.
In addition to marketing cookies, we use other techniques to
control online advertising on other websites and reduce scatter losses. For
example, we may transmit the email addresses of our users, customers, and other
individuals to operators of advertising platforms (e.g., social media). If
these individuals are registered with the same email address on these
advertising platforms (which the platforms determine through a comparison), the
operators will display targeted advertising to these individuals on our behalf.
However, the operators do not receive personally identifiable email addresses
of unknown individuals. With known email addresses, the operators can see that
these individuals are connected to us and which content they have accessed.
We may also incorporate additional offers from third
parties, especially from social media providers, into our digital services. By
default, these offers are deactivated. Once you activate them (e.g., by
clicking a switch), the respective providers can determine that you are using
our digital services. If you have an account with the social media provider,
they can associate this information with your account and track your use of
online offerings. These social media providers process this data on their own
responsibility.
Currently, we use offers from the following service
providers and advertising partners (to the extent that they use data from you
or cookies set by you for advertising control):
–
Google Analytics: Google Ireland (based in Ireland) is the provider of the service
"Google Analytics" and acts as our data processor. Google Ireland
relies on Google LLC (based in the USA) as its data processor (both "Google").
Through performance cookies (see above), Google tracks the behavior of visitors
to our digital services (duration, frequency of accessed pages, geographic
origin of access, etc.) and creates reports for us based on this data on the
usage of our digital services. We have configured the service so that the IP
addresses of visitors from Europe are truncated by Google before being
transferred to the USA and therefore cannot be traced back. We have disabled
the "data sharing" and "signals" settings. Although we can
assume that the information we share with Google is not personal data for Google,
it is possible that Google may draw conclusions about the identity of visitors,
create personal profiles, and link this data to the Google accounts of these
individuals for its own purposes. If you agree to the use of Google Analytics,
you explicitly consent to such processing, including the transfer of personal
data (especially usage data of the digital services and app, device
information, and individual IDs) to the USA and other countries. You can find
information about the privacy of Google Analytics here: https://support.google.com/analytics/answer/6004245
and if you have a Google account, you can find further information about
processing by Google here:
https://policies.google.com/technologies/partner-sites?hl=en.
–
Friendly Analytics: The privacy policy of
Friendly Analytics can be found here: https://friendly.ch/de/datenschutz.
We can operate
pages and other online presences (e.g., "fan pages,"
"channels," "profiles," etc.) on social media and other
platforms operated by third parties and collect the data described in Section 3
and below about you. We receive this data from you and the platforms when you
interact with us through our online presence (e.g., when you communicate with
us, comment on our content, or visit our presence). At the same time, the
platforms analyze your use of our online presences and link this data with
other data known to the platforms about you (e.g., your behavior and
preferences). They also process this data for their own purposes and
responsibility, particularly for marketing and market research purposes (e.g.,
to personalize advertising) and to control their platforms (e.g., which content
they display to you).
We receive data
about you when you interact with us through online presences or view our
content on the corresponding platforms, visit our online presences, or engage
in activities within them (e.g., publishing content, leaving comments). These
platforms also collect technical data, registration data, communication data, behavioral
and preference data from you or about you (for definitions, see Section 3).
Regularly, these platforms statistically analyze how you interact with us, how
you use our online presences, our content, or other parts of the platform (what
you view, comment on, "like," share, etc.) and link this data with
additional information about you (e.g., age, gender, and other demographic
information). In this way, they also create profiles about you and statistics
on the usage of our online presences. They use this data and profiles to
display personalized advertising and other content to you on the platform, as
well as to control the platform's behavior. Additionally, they use this data
for market and user research and to provide us and other entities with information
about you and the use of our online presence. We can partially control the
evaluations that these platforms create regarding the usage of our online
presences.
We process this data for the purposes described in Section
4, especially for communication, marketing purposes (including advertising on
these platforms, see Section 12), and market research. Information about the
corresponding legal bases can be found in Section 5. Content published by you
(e.g., comments on an announcement) may be disseminated by us (e.g., in our
advertising on the platform or elsewhere). We or the operators of the platforms
can also delete or restrict content from or about you in accordance with usage
guidelines (e.g., inappropriate comments)
You can find further information about the processing by the
operators of the platforms in the privacy policies of the platforms. There, you
can also learn in which countries they process their data, what rights of
access, deletion, and other rights you have as a data subject, and how you can
exercise them or obtain further information. Currently, we use the following
platforms:
–
Facebook: On Facebook, we operate the
page https://www.facebook.com/HitchHike.Carpooling/. The responsible entity for
operating the platform for users from Europe is Facebook Ireland Ltd., Dublin,
Ireland. Their privacy policies are available at www.facebook.com/policy.
–
Instagram: On Instagram, we manage
the profile https://www.instagram.com/hitchhike_carpooling/. The responsible
entity for operating the platform for users from Europe is Meta Platforms
Ireland Limited, Dublin, Ireland. The privacy policy can be accessed at
privacycenter.instagram.com/policy.
–
Twitter / X: On Twitter/X, we run the
profile https://mobile.twitter.com/hitchhike_sayhi/. The responsible entity for operating the platform for
users from Europe is Twitter International Company, Dublin, Ireland. The
privacy policy is available here: twitter.com/privacy. Regarding advertising,
you can object using the following link: twitter.com/settings/ads_preferences.
–
LinkedIn: On LinkedIn, we operate the
page https://il.linkedin.com/company/hitchhike. The responsible entity for
operating the platform for users from Europe is LinkedIn Ireland Unlimited
Company, Dublin, Ireland. Their privacy notice can be accessed at
www.linkedin.com/legal/privacy-policy.
–
VIMEO: On Vimeo, we manage the
profile https://vimeo.com/user179878808. The responsible entity for operating
the platform for users from Europe is Vimeo.com, Inc., New York, USA. The
privacy policy is available here: https://vimeo.com/privacy.
It is possible that when using these platforms, some of your data may be
transferred to third countries (e.g., the USA). In the case of any joint
responsibilities with these platforms, we regulate these responsibilities as
necessary. You can usually object to advertising on these platforms directly in
the settings of the respective platform.
This privacy policy is not part of a
contract with you. We can modify this privacy policy at any time. The version
published on this website is the current version.
Lucerne, 2023 © usus GmbH, HitchHike /
V.2.0