EN Tresio Data Policy

TRESIO | Liquidity planning for SMEs


Privacy policy

Tresio AG

Tresio AG, Baslerstrasse 60, 8048 Zurich, Switzerland (hereinafter referred to as "Provider"), is the author of this data protection declaration. This data protection declaration applies to all users of the provider's services, provided that personal data is processed as a result. In particular, this includes customers who have concluded a contract with the provider for services of the provider, their employees and the website visitors. In addition, the provider can declare the data protection declaration applicable to other contractual partners on a contractual basis. For the sake of simplicity, all persons affected by the data processing are hereinafter deemed to be "customers".

In the present case, the Provider is responsible for a careful and conscientious handling of the personal information of its customers. The Provider is responsible for the collection, processing, disclosure, storage and protection of the personal information of its customers and ensures compliance with the Swiss Data Protection Act ("FADP") as far as protected data of Swiss customers are concerned in this regard; as well as additionally for compliance with the General Data Protection Regulation of the EU ("GDPR") insofar as protected data of customers from the EU area are concerned in this regard.

The consent given by the customers with this data protection declaration can be revoked at any time with effect for the future (see section 11, last paragraph).

1. Contact details

Responsible for the data processing is:

Tresio AG, Baslerstrasse 60, 8048 Zurich, Switzerland

Phone: +41 (0)44 586 72 91

The data protection officer can be reached at info@tresio.ch.

2. Applicable law

The data processing by the provider is subject to the following law:

Data of Swiss customers

Swiss law applies exclusively to the processing of data of Swiss customers, in particular the Federal Act on Data Protection (FADP, SR 235.1) and the associated Ordinance to the Federal Act on Data Protection (SR 235.11). The EU General Data Protection Regulation (GDPR) does not apply. The applicability of the GDPR remains reserved (i) insofar as it is expressly provided for in this data protection declaration for sub-areas, and (ii) insofar as the GDPR is also mandatorily applicable to data of Swiss customers due to special circumstances.

Data of customers from the EU area

In addition to Swiss law, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) applies to the processing of data of customers from the EU area. See also section 12 (additional regulations for customers from the EU area).

3. Type and scope of the collection of personal data

When visiting our website (without login)

When customers visit the provider's online presence outside the area protected by login, the web server technology used automatically logs general technical visit information. This includes, among other things, the IP address of the device used, which, however, is anonymized by Google before storage, so that it can no longer be assigned to the customer. Google uses the _anonymizeIp() method for this purpose. Furthermore, this includes information about the browser type, the Internet service provider and the operating system used.

When using the Tresio cloud software (with login)

During the free trial access as well as during the paid use of the Tresio software within the area protected by login, all data entered or submitted by the customer during the registration process as well as in the context of the use of the software will also be stored. This is in particular the case if the customer registers, carries out orders, fills out online forms, participates in surveys or competitions, corresponds with the provider online or offline or comes into contact with the provider via social media, blogs or other interactive media.

As a rule, the personal master data (name, address, e-mail address) as well as the settings required for the respective service are collected here.

The data collected by the customer in the web application is stored, evaluated and further processed by Tresio and made available to the customer in the form of evaluations (charts, tables and key figure reports). They can also be viewed and edited by authorized employees of the provider for support purposes.

By collecting data, the customer consents to the processing, use and disclosure of personal data within the scope of the purposes described in this data protection declaration.

Data exchange with third parties authorised by the customer

The customer has the opportunity to share his data with third parties, such as additional employees and / or a trustee. By granting the access rights, the customer declares his consent that the provider provides the authorized third parties with all data of the customer concerned or may allow access to it. The customer retains full control over the access rights of the third party to his data at all times and can restrict or deny access at any time.

The Provider reserves the right to disclose specific data to authorised third parties in justified individual cases.

Interfaces with third-party providers

The provider enables the customer to import data from third-party providers directly into Tresio. For this purpose, the provider provides the customer with the interfaces visible in the Tresio web application under Integrations ("Integration Partners"). Via web link and / or file upload, the provider also enables the customer to import data from any third-party system into Tresio.

The imported data is stored, evaluated and further processed by Tresio and made available to the customer in the form of evaluations (charts, tables and key figure reports). The Provider may conclude contracts with individual integration partners for the mediation of customers to the Provider and report to the integration partner the customer relationships established through this agreement in a suitable form. Personal data may be processed for this purpose.

Banking Interfaces

When using the optionally available banking interfaces of the provider, data is exchanged between the provider and the bank concerned. The banking interfaces are partly connected directly to Tresio via the EBICS interface, developed and operated by windata GmbH & Co. KG (https://www.windata.de), and partly via a PSD2 interface, developed and operated by Nordigen (https://www.nordigen.com). The processed data also includes payment and bank-specific information such as IBAN, account information, etc.

The data imported via the bank interfaces is stored, evaluated and further processed by Tresio and made available to the customer in the form of evaluations (charts, tables and key figure reports).

The Provider may send the users of the banking interfaces, or the authorized employees, notifications regarding the existing bank interfaces as well as the connected bank. Personal data may be processed for this purpose.

Other Partner Features

When using any other optionally available partner functions of the provider or when connecting your own account to a partner, data is exchanged between the provider and the partner concerned.

4. Data security

The Provider uses technical and organizational security measures in accordance with recognized market standards to protect stored personal data against unintentional, unlawful or unauthorized manipulation, deletion, modification, access, disclosure or use and against partial or complete loss. The provider's servers are located in Switzerland. Certain services can be handled via servers in other countries with an adequate level of data protection, whereby the requirements of the FADP or GDPR are fully complied with at all times. The connection to the servers is made by means of SSL encryption. The provider regularly performs backups of the customer data. In order to prevent data loss even in extreme cases (e.g. destruction of the data center by an earthquake), the encrypted backups are stored in parallel in several data centers at home and abroad. The requirements of the FADP or GDPR, respectively, are fully complied with at all times. The security measures are continuously adapted and improved in line with technological developments. The provider assumes no liability for the loss of data or for third parties gaining knowledge of or using the data. Furthermore, the Provider cannot assume any liability for the security of data transmission on the Internet; in particular, there is a risk of access by third parties when transmitting data by e-mail. However, access is protected using HTTPS. If explicitly requested by the customer, the customer can opt for double authentication at any time.

5. Purpose of the processing of personal data / recipients of the data

The Provider processes the data collected in order to be able to constantly improve the products and services requested, to manage the use of and desired access to the applications, products and information, to maintain the business relationship with the Customers, to monitor and improve the performance of the offer, to detect, prevent or clarify illegal activities, or to provide the Customer with offers, information or marketing material about products or services that the Provider assumes may be of interest to Customers based on the data.

6. Cookies

Cookies help to make the visit to the provider's website easier, more pleasant and more meaningful. Cookies are information files that the web browser automatically stores on the hard drive of the computer when the customer visits the provider's website and uses offers.

The customer can independently manage the security settings in the browser and thereby block or deactivate cookies used, whereby certain services of the provider may no longer be able to be used (to their full extent).

Tracking and analysis tools / social media

The use of the provider's digital offers is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be made both anonymously and personally. It is possible that the collected data will be passed on by the provider or the third-party providers of such technical systems to third parties at home and abroad for processing. The most commonly used and well-known analysis tool is Google Analytics, a service provided by Google Inc. This means that the collected data can in principle be transmitted to a Google server in the USA (or a location determined by Google).

The provider's website uses Google Analytics, a web analytics service provided by Google Inc. with registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A. ("Google"). Google Analytics uses cookies, which are text files placed on the customer's computer, to help the website analyze how users use the site. The information generated by the cookies about the use of the website (including the IP address, which is anonymized by Google before it is stored so that it can no longer be assigned to the customer) is transmitted to a Google server in the USA (or a location determined by Google) and stored there. Google will use this information to evaluate the use of the website, to compile reports on website activity for the provider and to provide other services related to website activity and internet usage. Google may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google. Under no circumstances will Google associate the IP address of customers with other Google data.

The provider's website uses the "demographic characteristics" function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of customers. This data comes from interest-based advertising from Google as well as from visitor data from third-party providers. This data cannot be assigned to a specific person. Customers can deactivate this function at any time via the ad settings in their Google Account or generally prohibit the collection of their data by Google Analytics.

If the customer does not want his website activities to be available to Google Analytics, he can install the browser add-on to disable Google Analytics:
https://support.google.com/analytics/answer/181881?hl=en

This prevents activity data from being shared with Google Analytics via JavaScript (ga.js, analytics.js and dc.js) executed on websites.

The analysis of data by other tools of the website owner is not prevented when the customer uses the add-on. Data may also be sent to the website or other web analysis services.

Finally, the provider collects certain information via its website in so-called server log files, which the customer's Internet browser automatically transmits. This includes, among other things, the user agent (browser type and browser version, operating system used), HTTP header information (referrer URL, IP address of the accessing computer), the time of the server request and the login status. These server log files are merged with other data sources only for error analysis.

Technologies for advertising purposes

The provider's website uses the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

This feature makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising messages that have been adapted to the customer depending on the customer's previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another device (e.g. tablet or PC).

If the customer has given Google such consent, Google will link the web and app browsing history to the customer's Google account for this purpose. In this way, the same personalized advertising messages can be displayed on every device on which the customer logs in with his Google account.

To support this feature, Google Analytics collects Google-authenticated user IDs that are temporarily linked to the provider's Google Analytics data to define and create audiences for cross-device advertising.

The customer can permanently object to cross-device remarketing by deactivating personalized advertising in his Google Account:
https://www.google.com/settings/ads/onweb/

Further information can be found in Google's privacy policy at:
https://www.google.com/policies/technologies/ads/

The provider's website also uses the online advertising program Google AdWords. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

As part of Google AdWords, the provider uses so-called conversion tracking. When the customer clicks on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the Internet browser stores on the customer's computer. These cookies lose their validity after 30 days at the latest and are not used for identification. If the customer visits our website and the cookie has not yet expired, Google and the provider can recognize that the customer clicked on the ad and was redirected to this page.

The provider learns from Google the total number of users who clicked on his ad and were redirected to his website with a conversion tracking tag. However, the provider does not receive any information with which he can personally identify the customer.

The customer can prevent the storage of cookies by setting his browser software accordingly. However, the Provider points out to the Customer that the Customer may not be able to use all the functions of this website to their full extent. The customer can also prevent tracking by deactivating the Google Conversion Tracking cookie via his Internet browser under user settings.

For further information, please refer to Google's privacy policy:
https://www.google.de/policies/privacy/

The provider's website also uses Facebook's visitor action pixel. The provider of this service is Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.

With the Facebook Pixel, the behavior of page visitors can be tracked after they have been redirected to the provider's website by clicking on a Facebook ad. As a result, the effectiveness of Facebook ads can be evaluated for statistical and market research purposes and future advertising measures can be optimized.

The data collected is anonymous to the provider. The provider cannot draw any conclusions about the identity of the customers. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Use Policy. This allows Facebook to enable the placement of advertisements on Facebook pages as well as outside of Facebook. This use of the data cannot be influenced by the provider.

The customer can permanently object to remarketing by deactivating the remarketing function "Custom Audiences" in the Settings for advertisements section under the following link. To do this, he must be logged in to Facebook:
https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

If the customer does not have a Facebook account, he can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance under the following link:
http://www.youronlinechoices.com/de/praferenzmanagement/

For further information, please refer to Facebook's privacy policy:
https://www.facebook.com/about/privacy/

Payment processing via Stripe

The Provider offers the possibility to process the payment via the payment service provider Stripe, Legal Process, 510, Townsend St., San Francisco, CA 94103 ("Stripe"). This corresponds to the legitimate interest of the provider to offer an efficient and secure payment method (Art. 6 para. 1 lit. f GDPR). In this context, we pass on the following data to Stripe insofar as it is necessary for the fulfilment of the contract (Art. 6 para. 1 lit. b GDPR).


Name of the cardholder

E-mail address

Customer

Order number

Bank account

Credit card

Validity period of the credit card

Credit Card Verification Number (CVC)

Date and time of the transaction

Transaction amount

Name of the provider

Place


The processing of the data provided under this section is neither required by law nor by contract. Without submitting your personal data, we will not be able to make a payment through Stripe and the Tresio Cloud software may not be able to be used.

Stripe plays a dual role as controller and processor in data processing activities. As the controller, Stripe uses your submitted data to comply with regulatory obligations. This corresponds to Stripe's legitimate interest (pursuant to Art. 6 para. 1 lit. f GDPR) and serves the execution of the contract (according to Art. 6 para. 1 lit. b GDPR). We have no influence on this process.

Stripe acts as a processor to complete transactions within the payment networks. Within the scope of the order processing relationship, Stripe acts exclusively in accordance with our instructions and has been contractually obliged within the meaning of Art. 28 GDPR to comply with the data protection regulations.

Stripe has implemented compliance measures for international data transfers. These apply to all global activities in which Stripe processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs).

Further information on objection and removal options against Stripe can be found at:
https://stripe.com/privacy-center/legal

Integration of third-party offers / social media

The digital offers of the provider are networked in a variety of ways with functions and systems of third parties, for example by integrating plug-ins of social networks of third parties such as in particular Facebook, Twitter, etc. If the customer has a user account with these third parties, it may also be possible for them to measure and evaluate the use of the provider's digital offers. Further personal data, such as IP address, browser settings and other parameters, may be transmitted to these third parties and stored there. The Provider has no control over the use of such personal data collected by third parties and assumes no responsibility or liability. Incidentally, the provider has no detailed knowledge of which data is transmitted to the third-party providers, where it is transmitted and whether it is anonymized.

Other tools

For the arrangement of consulting appointments, the storage of customer master data and customer activities within the framework of Customer Relationship Management (CRM), the provider uses the services of HubSpot Inc., 25 First St, 2nd Floor, Cambridge, MA, USA. HubSpot processes your data in the USA, among other places.

For more information, please refer to HubSpot's Privacy Policy:
https://www.hubspot.com/data-privacy/gdpr

For the evaluation of, among other things, payment data, number of users and the type and duration of the Tresio software subscriptions used, the provider uses ChartMogul Ltd., represented by CMTDE GmbH & Co. KG, WeWork, Kemperplatz 1, 10785 Berlin, Germany. For the unambiguous assignment of user and subscription data, personal data is transmitted to ChartMogul, stored and analyzed by ChartMogul. ChartMogul's server locations may also be located outside Switzerland and the EU, including the USA.

For more information about the type of data processed, see https://chartmogul.com/privacy/.

7. Profiling / Automatic decisions

Profiling is the automated processing of personal data in order to analyse or predict certain personal aspects or behaviour. As a result, customers can be looked after and advised more individually or offers can be better tailored to individual customer needs.

"Automated individual decisions" are decisions that are completely automated, i.e. without relevant human influence, and that have negative legal effects or other, similarly negative effects on the customer. As a rule, the provider does not carry out automated individual decisions. The provider will inform the customers separately if he uses automated individual decisions in individual cases. In such a case, the customer has the option of having this decision manually reviewed by an employee of the provider.

8. Communication by e-mail and/or newsletter

If the customer wishes to receive a newsletter offered on the provider's website, the provider requires an e-mail address and other information that allows the verification that the e-mail address provided is correct and that the customer agrees to receive the newsletter ("double-opt-in" procedure).

With the newsletter, the customer regularly receives recommendations and offers that may interest him. For this purpose, the provider collects and processes personal data regarding the customer's usage behavior on the website, in the Tresio software and in relation to the use of the newsletter (e.g. whether the customer opens the newsletter or which web URL links he clicks on). The provider evaluates this data for statistical purposes in order to better tailor the content of the newsletter to the interests of the customers.

The processing of the personal data entered in the newsletter registration form is based on the customer's consent, which he can revoke at any time for the future. The revocation takes place via the "unsubscribe" link in the newsletter. The personal data collected will be used for the content design and dispatch of the newsletter.

The provider stores the personal data stored by the customer for the purpose of subscribing to the newsletter until the customer unsubscribes from the newsletter.

For the dispatch of email campaigns and newsletters, the provider uses ConvertKit, an email marketing service operated by ConvertKit LLC, 750 W Bannock Street 761, Boise, ID 83702, USA. ConvertKit also processes your data in the USA, among other places. The provider transmits to ConvertKit the name provided by the customer during registration as well as the email address.

ConvertKit's privacy policy can be found under https://convertkit.com/privacy

9. Duration of storage

The provider processes and stores personal data as long as the customer uses the service. It should be noted that the contractual relationship between the provider and the customer is a continuing obligation, which is designed for years.

After termination of the contractual relationship, the provider is generally not obliged to store the data of the customers. For this reason, the data that is no longer needed is regularly deleted. Excluded from this are data that are necessary for further processing due to legal regulations or for mandatory internal purposes.

10. Information, correction, deletion, blocking, consent

With regard to personal data, customers have the following rights in accordance with the FADP or GDPR. In principle, the provider also grants the rights contained in the GDPR to Swiss customers. However, the provider reserves the right to make a different assessment in individual cases.

the right to information (Art. 8 FADP, Art. 15 GDPR);

the right to rectification (Art. 5 para. 2 FADP, Art. 16 GDPR);

the right to erasure (Art. 17 GDPR);

the right to restriction of processing (Art. 18 GDPR);

the right to data portability (Art. 20 GDPR); and

the right to object (Art. 21 GDPR).

Any restrictions of the GDPR as well as the applicable national data protection laws or other national laws apply to the rights mentioned above.

Insofar as the customer is asked to give consent in connection with the services of the provider, he gives this consent by clicking on the corresponding checkbox. As a result, the provider is entitled to collect, process, use and pass on the customer's personal data accordingly.

Of course, the customer can revoke his consent at any time without affecting the legality of the processing carried out on the basis of the consent until the revocation. The revocation can be sent in writing to the address of the provider mentioned at the beginning. However, it is also sufficient to send an e-mail to the address info@tresio.ch. However, some of the services and functions will no longer be open to the customer afterwards.

11. Links to other websites

The Provider's website contains hyperlinks to third-party websites that are not operated or controlled by the Provider. The provider is not responsible for their content or data protection practices.

12. Additional regulations for customers from the EU area

The following provisions are only applicable to customers from the EU; they do not apply to Swiss customers.

Legal bases of processing

The processing of data for the purposes mentioned in section 5 takes place in accordance with Article 6 (1) (b) GDPR for the fulfilment of the contract. The subject matter of the contract is the above-mentioned services.

Likewise, the processing of data, as described above, takes place to safeguard the legitimate interests of the provider (Article 6 para. 1 letter f GDPR). These are the improvement of the products and services (including the delivery of direct advertising), to monitor and improve the performance of the offer as well as to detect, prevent or clarify illegal activities.

In addition, the data will be processed in accordance with Article 6 (1) (c) GDPR to fulfil legal obligations (e.g. storage and documentation obligations of the provider). This includes, in particular, the personal master data.

If the customer should be of the opinion that one or more of the purposes mentioned in section 5 is not covered by the legal bases mentioned above, he can demand from the provider that his personal data is no longer processed for certain individual purposes (opt-out). Such an opt-out does not prevent the customer from further using the Provider's SaaS services, unless such use necessarily requires the corresponding data processing. The customer can send such an opt-out in writing to the address of the provider mentioned at the beginning. However, it is also sufficient to send an e-mail to the address info@tresio.ch.


Right to lodge a complaint

If the customer is of the opinion that the processing of personal data concerning him violates the GDPR, he has the right to lodge a complaint with a competent supervisory authority in accordance with Article 77 GDPR.

Of course, the provider is happy to receive the questions and wishes of the customers in advance of a complaint. For this purpose, the customer can contact the provider in writing or by e-mail (info@tresio.ch).


Latest version: July 2022


Tresio AG

Baslerstrasse 60

8048 Zurich

Switzerland