Privacy Policy

With this Privacy Policy, we inform you about the processing of personal data in connection with our activities and operations, including our website under the domain name www.lumega.ch. We specifically inform you about the purposes, methods, and locations where we process personal data. We also inform you about the rights of individuals whose data we process.

For individual or additional activities and operations, we may publish additional privacy policies or other information regarding data protection.

We are subject to Swiss law and, if applicable, foreign law, particularly that of the European Union (EU) with the General Data Protection Regulation (GDPR).

The European Commission recognized with its decision of July 26, 2000 that Swiss data protection law ensures adequate data protection. With its report of January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

The responsible party in the sense of data protection law is:

LUMEGA AG
Kirchweg 13
5415 Nussbaumen/Baden
info@lumega.ch

In individual cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties. We are happy to provide affected individuals with information about the respective responsibility upon request.

Data Protection Officer or Data Protection Advisor

We have the following data protection officer or advisor as a contact point for affected individuals and authorities regarding data protection inquiries:

Andreas Lustenberger
Kirchweg 13
5415 Nussbaumen/Baden
info@lumega.ch

2. Terms and Legal Bases

2.1 Terms

Affected Person: Natural person whose personal data we process.

Personal Data: All information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Data concerning union membership, political, religious, or ideological views and activities, health data, intimate sphere, or ethnic or racial origin, genetic data, biometric data that uniquely identify a natural person, data on criminal and administrative sanctions or prosecutions, and data on social assistance measures.

Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, matching, adapting, archiving, storing, reading, disclosing, acquiring, collecting, deleting, revealing, arranging, organizing, storing, modifying, disseminating, linking, destroying, and using personal data.

European Economic Area (EEA): Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process – if and to the extent that the European General Data Protection Regulation (GDPR) is applicable – personal data or personally identifiable data according to at least one of the following legal bases:

• Art. 6 para. 1 lit. b GDPR for the necessary processing of personally identifiable data to fulfill a contract with the affected person and to carry out pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personally identifiable data to protect legitimate interests – also the legitimate interests of third parties – unless the fundamental freedoms and fundamental rights as well as the interests of the affected person outweigh them. Such interests are particularly the permanent, humane, secure, and reliable exercise of our activities and operations, ensuring information security, protection against misuse, enforcement of our legal claims, and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personally identifiable data to fulfill a legal obligation to which we are subject according to applicable law of member states in the European Economic Area (EEA).
• Art. 6 para. 1 lit e GDPR for the necessary processing of personally identifiable data to perform a task in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personally identifiable data with the consent of the affected person.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personally identifiable data to protect the vital interests of the affected person or another natural person.
• Art. 9 para. 2 ff. GDPR for the processing of special categories of personally identifiable data, particularly with the consent of the affected persons.

The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personally identifiable data and the processing of special categories of personally identifiable data as the processing of special categories of personally identifiable data (Art. 9 GDPR).

3. Type, Scope, and Purpose of Processing Personal Data

We process the personal data that is necessary to be able to permanently, humanely, securely, and reliably carry out our activities and operations. The processed personal data can particularly fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also represent special categories of personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect during the exercise of our activities and operations, as long as such processing is permissible.

We process personal data, if necessary, with the consent of the affected persons. We can process personal data in many cases without consent, for example, to fulfill legal obligations or to protect overriding interests. We may also ask affected persons for their consent if their consent is not required.

We process personal data for the duration that is necessary for the respective purpose. We anonymize or delete personal data, particularly depending on legal retention and limitation periods.

4. Disclosure of Personal Data

We can disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may include specialized providers whose services we use.

We can disclose personal data in the context of our activities and operations, particularly to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.

5. Communication

We process personal data to be able to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we particularly process data that an affected person provides us when contacting us, for example, by postal mail or email. We can store such data in an address book or with similar tools.

Third parties who provide us with data about other persons are obliged to independently ensure the data protection of these affected persons. They must particularly ensure that such data is correct and can be transmitted.

We use selected services from suitable providers to enable and improve communication with individuals and other communication partners. We can manage and otherwise process the data of the affected persons with such services beyond direct communication.

6. Applications

We process personal data about applicants as far as it is necessary to assess suitability for an employment relationship or for the subsequent execution of an employment contract. The required personal data is particularly derived from the requested information, for example, in the context of a job advertisement. We can publish job advertisements with the help of suitable third parties, for example, in electronic and printed media or on job portals and job platforms.

We also process the personal data that applicants voluntarily provide or publish, particularly as part of cover letters, resumes, and other application documents, as well as online profiles.

We process – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – personally identifiable data about applicants particularly in accordance with Art. 9 para. 2 lit. b GDPR.

We use selected services from suitable third parties to be able to advertise positions through e-recruitment and to enable and manage applications.

7. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, without being able to guarantee absolute data security.

Access to our website and our other digital presence is made using transport encryption (SSL / TLS, particularly with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn before visiting a website without transport encryption.

Our digital communication is subject – as generally all digital communication – to mass surveillance without cause and suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot have a direct influence on the corresponding processing of personal data by intelligence services, police authorities, and other security authorities. We also cannot exclude that an affected person is specifically monitored.

8. Personal Data Abroad

We process personal data primarily in Switzerland and the European Economic Area (EEA). However, we can also export or transmit personal data to other countries, particularly to process or have it processed there.

We can export personal data to all countries on Earth and elsewhere in the universe, provided that the local law ensures adequate data protection according to the decision of the Swiss Federal Council and – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – also according to the decision of the European Commission.

We can transmit personal data to countries whose law does not ensure adequate data protection, provided that data protection is ensured for other reasons, particularly based on standard data protection clauses or other appropriate safeguards. Exceptionally, we can export personal data to countries without adequate or appropriate data protection if the special data protection requirements are met, for example, the express consent of the affected persons or a direct connection with the conclusion or execution of a contract. We are happy to provide affected persons with information about any guarantees or provide a copy of any guarantees upon request.

9. Rights of Affected Persons

9.1 Data Protection Claims

We grant affected persons all claims according to applicable law. Affected persons particularly have the following rights:

• Information: Affected persons can request information about whether we process personal data about them and, if so, which personal data is involved. Affected persons also receive the information necessary to assert their data protection claims and ensure transparency. This includes the processed personal data as such, but also information about the processing purpose, retention period, any disclosure or export of data to other countries, and the origin of the personal data.
• Correction and Restriction: Affected persons can correct incorrect personal data, complete incomplete data, and restrict the processing of their data.
• Opportunity for Own Viewpoint and Human Review: Affected persons can present their own viewpoint and request human review in decisions based solely on automated processing of personal data and have legal consequences for them or significantly affect them (automated individual decisions).
• Deletion and Objection: Affected persons can have personal data deleted ("right to be forgotten") and object to the processing of their data for the future.
• Data Release and Data Transfer: Affected persons can request the release of personal data or the transfer of their data to another responsible party.

We can delay, restrict, or refuse the exercise of the rights of affected persons within the legally permissible framework. We can inform affected persons of any conditions that must be met to exercise their data protection claims. For example, we can refuse to provide information by referring to confidentiality obligations, overriding interests, or the protection of other persons, in whole or in part. We can also refuse to delete personal data, particularly by referring to legal retention obligations, in whole or in part.

We can exceptionally provide for costs for the exercise of rights. We inform affected persons in advance about any costs.

We are obliged to identify affected persons who request information or assert other rights with appropriate measures. Affected persons are obliged to cooperate.

9.2 Legal Protection

Affected persons have the right to enforce their data protection claims through legal channels or to file a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are federally structured, especially in Germany.

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies – both first-party cookies and third-party cookies whose services we use – are data stored in the browser. Such stored data does not have to be limited to traditional cookies in text form.

Cookies can be temporarily stored in the browser as "session cookies" or for a specific period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies enable, among other things, recognizing a browser on the next visit to our website and thereby, for example, measuring the reach of our website. However, permanent cookies can also be used for online marketing, for example.

Cookies can be completely or partially deactivated, restricted, or deleted in the browser settings at any time. The browser settings often also allow for automated deletion and other management of cookies. Without cookies, our website may no longer be fully available. We request – at least to the extent required by applicable law – active express consent to the use of cookies.

For cookies used for success and reach measurement or advertising, a general objection ("opt-out") is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

We can log at least the following information for each access to our website and our other digital presence, provided that this information is transmitted to our digital infrastructure during such accesses: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual subpage of our website including transmitted data volume, last visited website in the same browser window (referrer).

We log such information, which can also represent personal data, in log files. The information is necessary to be able to provide our digital presence permanently, humanely, and reliably. The information is also necessary to ensure data security – also through third parties or with the help of third parties.

10.3 Counting Pixels

We can integrate counting pixels into our digital presence. Counting pixels are also referred to as web beacons. Counting pixels – also from third parties whose services we use – are usually small, invisible images or JavaScript scripts that are automatically retrieved when accessing our digital presence. With counting pixels, at least the same information as in the logging of log files can be recorded.

11. Notifications and Communications

11.1 Success and Reach Measurement

Notifications and communications can contain web links or counting pixels that record whether an individual communication was opened and which web links were clicked on. Such web links and counting pixels can also record the use of notifications and communications on a personal basis. We need this statistical recording of usage for success and reach measurement to be able to send notifications and communications effectively and humanely, as well as permanently, securely, and reliably, based on the needs and reading habits of the recipients.

11.2 Consent and Objection

You must generally consent to the use of your email address and other contact addresses unless the use is permissible for other legal reasons. For obtaining a double-confirmed consent, we may use the "double opt-in" procedure. In this case, you will receive a notification with instructions for double confirmation. We can log obtained consents, including IP address and timestamp for evidence and security reasons.

You can generally object to receiving notifications and communications, such as newsletters, at any time. With such an objection, you can simultaneously object to the statistical recording of usage for success and reach measurement. Necessary notifications and communications in connection with our activities and operations remain reserved.

11.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We particularly use:

• Brevo: Building and maintaining relationships with customers or users, particularly via email and instant messaging; Provider: Sendinblue GmbH (Germany); Data protection information: Privacy Policy, «Privacy and Data Security», «Security and Privacy».
• Postmark: Platform for transactional emails; Provider: AC PM LLC (USA); Data protection information: Privacy Policy, «Security and Privacy».

12. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the individual operators of such platforms apply. These provisions particularly inform about the rights of affected persons directly against the respective platform, including the right to information.

For our social media presence on Facebook including the so-called page insights, we – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – are jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). The page insights provide information about how visitors interact with our Facebook presence. We use page insights to be able to provide our social media presence on Facebook effectively and humanely.

Further information about the type, scope, and purpose of data processing, information about the rights of affected persons, as well as the contact details of Facebook and Facebook's data protection officer can be found in the Facebook Privacy Policy. We have concluded the so-called «Controller Addendum» with Facebook and have particularly agreed that Facebook is responsible for ensuring the rights of affected persons. The corresponding information for the so-called page insights can be found on the «Information about Page Insights» page, including «Information about Page Insights Data».

13. Services from Third Parties

We use services from specialized third parties to be able to carry out our activities and operations permanently, humanely, securely, and reliably. With such services, we can, among other things, embed functions and content into our website. In such embedding, the services used must at least temporarily capture the IP addresses of users for technical reasons.

For necessary security-relevant, statistical, and technical purposes, third parties whose services we use can process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes performance or usage data to be able to offer the respective service.

We particularly use:

• Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) partially for users in the European Economic Area (EEA) and in Switzerland; General data protection information: «Privacy and Security Principles», «More information on how Google uses personal data», Privacy Policy, «Google is committed to complying with applicable data protection laws», «Privacy Guide for Google Products», «How we use data from websites or apps that use our services», Cookie Policy, «Ads you can influence» (settings for personalized advertising).

13.1 Digital Infrastructure

We use services from specialized third parties to be able to use the required digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We particularly use:

• Cyon: Hosting; Provider: cyon GmbH (Switzerland); Data protection information: «Privacy», Privacy Policy.

13.2 Appointment Scheduling

We use services from specialized third parties to be able to schedule appointments online, for example, for meetings. In addition to this privacy policy, any directly visible conditions of the services used, such as terms of use or privacy policies, also apply.

13.3 Audio and Video Conferences

We use specialized services for audio and video conferences to be able to communicate online. We can, for example, hold virtual meetings or conduct online classes and webinars. For participation in audio and video conferences, the legal texts of the individual services, such as privacy policies and terms of use, apply additionally.

We recommend, depending on the life situation, to mute the microphone by default when participating in audio or video conferences and to blur the background or display a virtual background.

13.4 Map Material

We use services from third parties to be able to embed maps into our website.

We particularly use:

• Google Maps including Google Maps Platform: map service; Provider: Google; Google Maps-specific information: «How Google uses location information».

13.5 Digital Content

We use services from specialized third parties to be able to embed digital content into our website. Digital content includes, in particular, image and video material, music, and podcasts.

We particularly use:

• YouTube: Video platform; Provider: Google; YouTube-specific information: «Privacy and Security Center», «My data on YouTube».

13.6 Advertising

We use the opportunity to display targeted advertising with third parties such as social media platforms and search engines for our activities and operations.

We particularly want to reach people with such advertising who are already interested in our activities and operations or who might be interested in them (remarketing and targeting). For this purpose, we may transmit corresponding – possibly also personally identifiable – information to third parties that enable such advertising. We can also determine whether our advertising is successful, i.e., particularly whether it leads to visits to our website (conversion tracking).

Third parties where we advertise and where you are registered as a user may be able to assign the use of our website to your profile there.

We particularly use:

• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising, among other things, based on search queries, with various domain names – particularly doubleclick.net, googleadservices.com, and googlesyndication.com – being used for Google Ads, Privacy Policy for Advertising, «Manage displayed ads directly via ads».

14. Extensions for the Website

We use extensions for our website to be able to use additional functions. We can use selected services from suitable providers or use such extensions on our own digital infrastructure.

We particularly use:

• Google reCAPTCHA: Spam protection (distinguishing between desired content from humans and unwanted content from bots and spam); Provider: Google; Google reCAPTCHA-specific information: «What is reCAPTCHA?».

15. Success and Reach Measurement

We try to measure the success and reach of our activities and operations. In this context, we can also measure the effect of third-party references or examine how different parts or versions of our digital presence are used («A/B test» method). Based on the results of success and reach measurement, we can particularly fix errors, strengthen popular content, or make improvements.

For success and reach measurement, IP addresses of individual users are usually recorded. IP addresses are generally shortened («IP masking») in this case to follow the principle of data minimization through corresponding pseudonymization.

Cookies may be used in success and reach measurement, and user profiles may be created. Any created user profiles include, for example, the individual pages visited or content viewed on our digital presence, information about the size of the screen or browser window, and the – at least approximate – location. Generally, any user profiles created are exclusively pseudonymized and not used to identify individual users. Individual services from third parties where users are registered may be able to assign the use of our online offering to the user account or user profile with the respective service.

We particularly use:

• Google Marketing Platform: Success and reach measurement, particularly with Google Analytics; Provider: Google; Google Marketing Platform-specific information: Measurement also across different browsers and devices (cross-device tracking) with pseudonymized IP addresses, which are only exceptionally fully transmitted to Google in the USA, Privacy Policy for Google Analytics, «Browser add-on to disable Google Analytics».
• Google Tag Manager: Integration and management of services from Google and third parties, particularly for success and reach measurement; Provider: Google; Google Tag Manager-specific information: Privacy Policy for Google Tag Manager; further data protection information can be found in the individual integrated and managed services.

16. Video Surveillance

We use video surveillance to prevent crimes, secure evidence in the event of crimes, exercise and assert our legal claims, defend against third-party legal claims, and exercise our property rights. This constitutes – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – overriding legitimate interests according to Art. 6 para. 1 lit. f GDPR, for special categories of personal data with reference to Art. 9 para. 2 lit. f GDPR.

We store recordings from our video surveillance as long as they are necessary for securing evidence or another stated purpose.

We can secure recordings from our video surveillance and transmit them to competent authorities, such as courts or law enforcement authorities, if the transmission is necessary for a stated purpose, in our other legitimate overriding interest, or due to legal obligations.

17. Final Notes on the Privacy Policy

We created this privacy policy with the Privacy Policy Generator from Datenschutzpartner.

We can update this privacy policy at any time. We inform about updates in an appropriate manner, particularly by publishing the current privacy policy on our website.