Version 2.1

Privacy Policy Yokoy Group AG 

1. Introduction
Data protection is of the utmost importance to Yokoy. We use various technical, organisational and contractual measures to ensure that your data is always kept up to date, stored securely and processed in accordance with Swiss (Federal Act on Data Protection; FADP and the associated Ordinance) and European data protection regulations (in particular the General Data Protection Regulation GDPR). This applies both in our company and in the cooperation with our partners.

We also have our data security reviewed annually by independent external experts. With this privacy policy we would like to inform you about how we process your data.

  1. Contact person Yokoy Group AG
  2. Categories of personal data
  3. What data we process
  4. International data transfers
  5. Directory of data processing
  6. Data security
  7. Storage and deletion of data
  8. Your rights
  9. Updates to the privacy policy


2. Scope
This privacy policy applies to Yokoy Group AG and all its subsidiaries. The Cookie Policy of Yokoy Group AG and its subsidiaries is an integral part of this Privacy Policy. Our Cookie Policy can be found here https://www.yokoy.ai/en/cookie-policy.

3. Responsibility and review
This Privacy Policy will be reviewed at least annually and signed off by our Legal and Privacy Officer.

I. Contact person Yokoy Group AG Zurich
Our data protection officer is available to answer any questions you may have about data protection.

1. Headquarters Yokoy Group AG - Zurich
Yokoy Group AG
MLaw Claudio Berther, LL.M (University of California, Berkeley)
Legal Counsel and Data Protection Officer
Förrlibuckstrasse 181
8005 Zurich
dpo@yokoy.ai
Tel: +41 (0)43 508 15 77

2. Yokoy Germany GmbH - Munich
Yokoy Germany GmbH
Design Offices Munich Macherei
Weihenstephaner Str. 12 (Building M6)
81673 Munich 
info@yokoy.ai 
Tel: +49 151 42 04 31 22
Germany Company register number: HRB 267689

3. Yokoy Austria - Vienna
Yokoy GmbH
Hamerlingplatz 8/17
1080 Vienna
info@yokoy.ai 
Tel: +43 1 417 01 15
Managing Director: Mag.(FH) Stephan Hebenstreit, LL.M.
Commercial register court: Vienna Commercial Court
Number of the company register: FN 534254
UID: ATU75770818
Place of jurisdiction: Vienna Commercial Court
Chamber affiliation: Vienna Chamber of Commerce


II. Categories of personal data
The personal data we process are divided into the following categories:

  1. Inventory data (e.g. last name, first name)
  2. Contact details (e.g. telephone, e-mail, postal address)
  3. Browser and Device Data, Meta or Boundary Data and Usage Data, Content Data that you submit to us (e.g., through the contact form, registration for newsletters, webinars and gated content or applications)
  4. Location data
  5. Contact, sales, contract and payment data in our Customer Relationship Management System


III. What data we process

1. Data you give us
You voluntarily provide us with data in various situations. For example, when you contact us, subscribe to our newsletter, register in the customer portal, apply for a job, register for a webinar or download protected content. If you want to know more about how we process this data, for what purpose and on what legal basis, read "A. Data you give us" or click here.

2. Data we process
In order to provide our services, maintain our infrastructure and provide the best possible experience to all stakeholders, we also process personal data. If you would like to know more about the purposes and legal basis for this, read "B. Data we process" or click here.

3. Data processed by our partners
To deliver our services, maintain our infrastructure and provide the best possible experience for all stakeholders, we work with partners. They also process personal data. For example, when you visit our website, use the Yokoy app or as part of our marketing and social media activities. If you would like to know more about the purpose and legal basis for this, please read "C. Data processed by our partners" or click here.

IV. International data transmission 
Even though we make every effort to work with Swiss providers, the outflow of data abroad cannot be prevented. You can find out how this is legally implemented by Yokoy and how your data is also transferred in a legally secure manner in connection with foreign transfers under "D. International data transmission" or click here. 

V. Directory of data processing
Yokoy maintains an internal data processing directory in accordance with Art. 30 GDPR and Art. 12 FADP.

VI. Data security
Data shared with us is treated confidentially and protected against unauthorized access, damage or loss by technical and organizational measures. If you would like to learn more about how we protect your data technically, read "F. Data security" or click here.

VII. Storage and deletion of data
We store the data only as long as it is necessary for the fulfilment of the contract. The legal retention periods and your right to deletion according to article 17 GDPR remain reserved, provided that the requirements for this are met. If you want to know more about this, see "G. Data storage and data deletion" or click here.

VIII. Your rights
The GDPR grants the person whose data is processed various rights with which the person can influence the data processing. For an overview of the rights and how you can exercise them, see "H. Your rights" or click here.

IX. Updates to the privacy policy
We may adapt and supplement this privacy policy at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current privacy policy on our website and by email.

A. Data you give us

1. Contacting us
You can contact us through a variety of channels, including phone, email, contact form, chat, social media, webinar registration, and "gated content" registration. We collect your contact details and information from the enquiry. This may be stored in our CRM (customer relationship management) system. This data is stored for internal use only.

1.1 Purpose of the processing

We store personal data in order to be able to respond to your inquiry or contact. Furthermore, this storage enables us to carry out the contract or pre-contractual measures in case of questions in an existing contractual relationship. In addition, Yokoy may conduct analyses about possible future contractual relationships, e.g. the size of the company, where the company is present and through which channels you have heard about Yokoy.

1.2 Legal basis
The basis for the data processing is Art. 6 I b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures. The analysis purposes are based on the legal basis of legitimate interests according to Art. 6 para. 1 lit. f GDPR to find out whether you fit into our customer portfolio in terms of size and geographical presence. The data processing is carried out in accordance with the data protection principles according to Art. 6 FADP. We use the Hubspot software to enable this service. You can find a link to the data protection principles here.

2. Registration for the newsletter
2.1 Purpose of the processing 
Creation and dispatch of our newsletter.

2.2 Legal basis 
If you subscribe to the newsletter, you give us permission to use your data for sending the newsletter. You also agree to the information described below. On the basis of article 7 III GDPR, you can revoke your consent at any time for the future; for this purpose, you will find an unsubscribe link in every email sent. For sending our newsletter, we use the software HubSpot and Sendgrid, a service of Twilio Inc. An overview of all partners with whom we cooperate for internal and external purposes as well as links to their data protection statements can be found under "D. International data transmission" or click here.

2.3 Double-Opt-In-Procedure for the purpose of verifiability
An important principle of the General Data Protection Regulation is accountability. That is, article 5 II GDPR requires not only compliance with data protection regulations, but also proof thereof. For this reason, registration takes place in a double opt-in process. After your registration, you will receive an email in which you must confirm your email address. This prevents misuse with registrations from other email addresses. Registrations are stored in our CRM system so that we can legally prove the registration process. This includes the following data: sign-up and confirmation time, type of newsletter, IP address and your contact details. The legal basis for this is the fulfilment of a legal obligation according to Art. 6 I c GDPR.

2.4 National specifics 
Germany: The dispatch and performance measurement of the newsletter is based on the consent of the recipients pursuant to Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with Section 7 (2) No. 3 UWG or on the basis of the legal permission pursuant to Section 7 (3) UWG.

Austria: The dispatch of the newsletter and the associated measurement of success is based on the consent of the recipients in accordance with Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with Section 107 (2) TKG or on the basis of the legal permission pursuant to Section 107 (2) TKG. § 107 para. 2 and 3 TKG. The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter software. In addition, there is a legal obligation to provide proof of registration. This obligation also results from the accountability according to article 5 III GDPR.

Switzerland: Data processing is carried out in accordance with the data protection principles set out in article 6 of the FADP.

3. Webinar registrations
You can also register for webinars via the Hubspot tool to get to know our products better. We store the data you provide so that we can contact you if necessary, e.g. if it becomes necessary to cancel the event. We base our data processing on your consent according to Art. 6 I a GDPR. This consent can also be revoked for the future. To do so, contact us via a channel as per point I. The data processing is carried out in accordance with the data protection principles pursuant to Art. 6 FADP.

4. Gated content downloads
Gated content is about sharing knowledge that is valuable to the user in exchange for contact information of the user that is valuable to us. In Yokoy's case, this could be, for example, events on topics such as digitalization, artificial intelligence or data protection.

4.1 Purpose of the processing 
Content delivery.

4.2 Legal basis 
We base our data processing on your consent pursuant to article 6 I a GDPR. This consent can also be revoked for the future in accordance with Art. 7 III GDPR. Contact us for this purpose in accordance with point A. The data processing is carried out in compliance with the data protection principles in accordance with Art. 6 FADP.  

5. Job applications
We collect, process and transmit your personal data with automated data processing systems. For this purpose we work with the software join. This is an offer from JOIN Solutions AG, Landsgemeindeplatz 6, 9043 Trogen.

For example, the following types of personal data may be covered by the collection:


At this point, it should be noted that the decision to hire will, of course, still be made by our HR team. For further information on data protection at JOIN Solutions AG, please refer to the JOIN Solutions AG data protection policy.

5.1 Purpose of the processing
We process the personal data provided to us in order to take pre-contractual measures for the possible conclusion of an employment contract with you. If your application is unsuccessful or you withdraw your application, the data will be deleted within 30 days. If your application is successful, the data will be retained until the purpose is fulfilled, usually for the duration of the contractual relationship, plus a period if required by applicable law.

5.2 Legal basis
The data is stored on the basis of article 6 I b GDPR or the consent of the person in accordance with article 6 I a GDPR. This consent can also be revoked for the future on the basis of article 7 III GDPR. To do so, contact us via a channel in accordance with point A. The data processing is carried out in accordance with the data protection principles pursuant to Art. 6 FADP.

B. Data we process

1. Server log files 
When you use our website, information that your browser transmits to us is automatically collected and stored. These are:

We do not draw any conclusions about your person when using this data. Logging is done in accordance with our internal logging and monitoring policy.

1.1 Purpose of the processing
The data is required, for example, to deliver the content of our website correctly, to ensure the functionality of our website or to provide law enforcement authorities with the relevant information in the event of a cyber attack. The anonymous data of the server log files are stored separately from your personal data.

1.2 Legal basis
We base the collection of this anonymised data on the legitimate interest of a functioning website in accordance with article 6 I f GDPR.

2. Customer login/customer portal 
The data protection provisions are agreed and signed with each customer upon conclusion of the contract. The processing of customer data in our CRM system is carried out in accordance with point 3. In addition, our system automatically records the following log data for each call:


2.1 Purpose of the processing
This data is collected for the purpose of providing the portal. In addition, this data is processed and stored to ensure the functionality of the portal and security.

2.2 Legal basis
Article 6 I b and f GDPR. The data is only stored as long as it is necessary for the fulfilment of the purpose. To provide the portal, data is also passed on to technically necessary partners, e.g. the website hoster and the cloud provider. An overview of all partners, their services, the legal basis of processing and contact options can be found here. An internal logging and monitoring policy regulates the details.

3. Customer data (CRM Customer Relationship Management) 
3.1 Purpose of the processing
In order to perform our contractual services, we need to process data about our customers. In doing so, we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g. email, telephone numbers), content data (e.g. charts of accounts), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history). This mainly concerns customers, employees and suppliers. The purpose of the processing is the provision of contractual services, billing and our customer service.

3.2 Legal basis
The legal basis for the processing results from article 6 I b GDPR. We process data that is necessary for the establishment and performance of the contractual services. We process the data only for the contractual purpose and act in accordance with the legal requirements of commissioned processing pursuant to article 28 GDPR. We delete the data after expiry of the statutory warranty and comparable obligations. In the case of legal archiving obligations, deletion takes place after their expiry (6 years, according to § 257 para. 1 HGB, 10 years, according to § 147 para. 1 AO). In the case of data provided to us by the client as part of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used to the extent that it is necessary for the establishment, content or amendment of the legal relationship (inventory data). The data processing is carried out in compliance with the data protection principles according to Art. 6 FADP. We use the services of Hubspot for our CRM. You can find out more about data protection at Hubspot in the HubSpot Product Privacy Policy.

C. Data collected from our partners

When we involve partners, this is done in accordance with the requirements of Art. 9 FADP and article 5 GDPR. There are data processing contracts that include the requirements of article 28 (3) of the GDPR and article 9 GDPR.

1. When visiting the website 
In order to be able to operate a website technically, certain technical requirements are necessary, for which we depend on partners.

1.1 Hosting 
1.1.1 Purpose of the processing
Our hosting provider provides us with infrastructure and platform services, database services, computing capacity, security services and storage space as well as technical maintenance services, which we use for the purpose of operating our online offer.

1.1.2 Legal basis
The basis for data processing is article 6 (1) lit. b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures. Our website is hosted by Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103. For users in the European Economic Area (EEA) and Switzerland, the website is hosted by Webflow in Dublin, Ireland. For more information, please see the Webflow EU & Swiss Privacy Policy.

1.2 Content Delivery Network (CDN) 
1.2.1 Purpose of the processing 
We use the open source services of jsDelivr as a CDN to deliver the website quickly. jsDelivr is a service of ProspectOne, Królewska 65A/1, 30-081, Krakow, Poland. A CDN is a network of regionally distributed servers that are connected via the Internet. In order to use the service, it is possible that your browser sends personal data to jsDelivr. This may allow jsDelivr to collect and store data such as browser type/version, date and time of access or IP address. To avoid this, you can install a JavaScript blocker.

1.2.2 Legal basis
The basis for the use of the CDN is our legitimate interest in optimizing the website according to article 6 I f GDPR. For more information, please see the privacy policy of jsDelivr.

1.3 Google Web Fonts 
1.3.1 Purpose of the processing
This website uses so-called web fonts provided by Google to display fonts. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This is a service of the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish company Google Ireland Limited is responsible. When you call up a page, your browser loads the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must establish a connection to Google's servers. In this way, Google learns that our website was accessed via your IP address. 

1.3.2 Legal basis
The use of Google Web Fonts is in the interest of an appealing presentation of our website. This constitutes a legitimate interest within the meaning of Art. 6 I f GDPR. If your browser does not support web fonts, a standard font of your computer will be used. You can find further information at https://developers.google.com/fonts/faq and in the Google privacy policy: https://www.google.com/policies/privacy/ 

1.4 YouTube  
1.4.1 Purpose of the processing
To play the videos on our website, we use the services of YouTube. YouTube is a service of Google Inc. with headquarters at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you visit one of our pages in which YouTube is embedded, a connection to the YouTube servers is established. In doing so, the YouTube server is informed which of our pages you have visited. For more information on the handling of user data, please refer to YouTube's privacy policy.  

1.4.2 Legal basis
The use of YouTube is based on Art. 6 I f GDPR. Information on how to prevent data collection can be found in the Cookie Policy.

2. When using the Yokoy app 
The Yokoy app is hosted on the Google Cloud. The Google Cloud is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Specific privacy information about the Google Cloud can be found here https://cloud.google.com/terms/cloud-privacy-notice. Specific information about the data security of the Google Cloud and our products can be found in the Data Security section.

Customers can download a mobile app to their device. The information required for this process is transmitted to the app store without our intervention. The information includes, for example, the email address, your App Store account customer number or the time of the download. We are not responsible for this data collection and have no influence on it.

For more information, see Apple or Google privacy policy. When using the Yokoy app, we process the following data to ensure the security and usability of the functions offered:


To use the app in connection with the expense tool, the following categories are processed by the app: Last name, first name, email address and personnel or vendor number (for posting in the client’s system). For the invoice module, only the supplier name and ID is required. Additional data can be provided by the user, but is not mandatory. For the card module it is first name, last name, address, birthday and phone number. 

The data is stored in an encrypted private cloud and the transfer to the Google Cloud is also secured with 256-bit AES encryption. By using the app, no employee data of the users is stored in our CRM. 

2.1 Purpose of the data processing 
This data is only processed for the provision of the Yokoy app.

2.2 Legal basis 
This is done on the basis of article 6 I a, b and f GDPR.

3. Our marketing activities 
3.1 Hubspot
On our website, we use the software HubSpot for various purposes. HubSpot is a US software company with a branch office in Berlin (Am Postbahnhof 17, 10243 Berlin).

3.1.1 Purpose of the processing
Hubspot uses web beacons and cookies to analyze your use of our website and to cover various aspects of online marketing. This includes email marketing, contact management (e.g. performance segmentation & CRM), landing pages and contact forms. This information, as well as parts of our website, is stored on servers run by our software partner HubSpot. It is used by us to contact visitors to our website and determine which of our company's services are of interest to them. The information collected is subject to this privacy policy. We use all collected information exclusively for the optimization of our marketing measures and for communication with users.

In the context of optimizing our marketing measures, the following data, among others, may be collected and processed via HubSpot:

We also use HubSpot to provide contact forms.

3.1.2 Legal basis
The legal basis for the processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR and for the necessary processing of personal data for the performance of a contract with the data subject as well as for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR. If you do not want the aforementioned data to be collected and processed via Hubspot, you can refuse or revoke your consent at any time with effect for the future. The personal data will be kept for as long as necessary to fulfil the purpose of the processing. The data will be deleted as soon as it is no longer necessary to fulfil the purpose. Here you can find more information about HubSpot's privacy policy.

3.2 Google Tag Manager
3.2.1 Purpose of the processing
Our website uses the Google Tag Manager. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is a solution that allows website tags to be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool takes care of forwarding data and triggering other tags, which in turn may collect data. Google Tag Manager does not have access to this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.

3.2.2 Legal basis 
The legal basis for the use of the Google Tag Manager is your consent according to Art. 6 I lit. a GDPR. This can be revoked at any time with effect for the future. To do so, contact us on a channel according to point I.

3.3 Google reCaptcha 
3.3.1 Purpose of the processing 
The purpose of reCAPTCHA is to check whether the data entry on our website (e.g. in a contact form) is made by a human or an automated program. The reCAPTCHA analyses run completely in the background. Visitors to the website are not made aware that an analysis is being carried out.

3.3.2 Legal basis
The data processing is based on Art. 6 I f GDPR. The website operator has a legitimate interest in protecting its web offers from abusive automated spying and from SPAM. Further information on Google reCAPTCHA and Google's privacy policy can be found under the following links: Privacy Policy and Google reCAPTCHA V3.  

3.3.3 Marketing tools that use cookies 
Certain marketing tools use cookies. To learn what cookies are, what they do, and how you can disable them, visit our Cookie Policy or the Cookie Manager on our website. This allows you to fine-tune your consent to the use of cookies. The cookie policy can be found here.

4. Social media activities 
We have various presences on social networks to communicate with users active there and to inform them about our services. For example, we use icons that lead to the pages of Youtube, Linkedin or Facebook. For more information about this and the use of cookies, please see our Cookie Policy here.


D. International data transmission

Whenever possible and commercially reasonable, Yokoy endeavors to work with providers from Switzerland, the EEA or the EU, or with countries for which the EU Commission has recognized an adequate level of data protection pursuant to article 45 of the GDPR.

Alternatively, the data transfer takes place on the basis of standard contractual clauses pursuant to Art. 46 of the General Data Protection Regulation. We are aware that the judgment of the European Court of Justice C-118-311 of 16.7.2021 has annulled the Privacy Shield and that the "old" standard contractual clauses still require additional safeguards. To the extent necessary, we will ensure that our partners switch to the new standard contractual clauses by the end of the transition period on 27 December 2022 at the latest if they rely on standard contractual clauses for data transfers, in particular in the USA. If available at the partner, we base the data transfer on Binding Corporate Rules according to Art. 47 GDPR.

We work exclusively with major international partners who share our conviction regarding the importance of data protection. The guarantee of data protection is further secured by data processing contracts.

Below is an overview of our foreign partners, in which country they are located and for what purpose they process Yokoy data. In addition, an internal policy states that we support any international sanctions against states, territories or persons and do not have business relationships with such states, territories or persons.

Sub-processor
Location
Basis of data transmission
Purpose of processing 
Address
Google LLC, Irland
EU
International data transfers are carried out via standard contractual clauses in accordance with Art. 46 III c GDPR as amended.For more information, see the section on data security and Google's privacy policy.
Use of cloud services for data storage (Google Cloud) in Europe, hosting of Yokoy software (Google Cloud Web Hosting), email communication (Gmail) and document management (G Suite), and data management (BigQuery).
Google Ireland LLCGordon House Barrow Street Dublin 4, D04E5W5 Ireland

Webflow Inc. 
USA
Standard contractual clauses with additional encryption at rest and in transit according to Art. 46 III c GDPR For more information on Webflow's data protection, please click here Webflow's EU & Swiss Privacy Policy
Hosting of the website https//www.yokoy.ai on the basis of Art. 6 Para. 1 lit. b and f GDPR


Webflow Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103. For users from the European Economic Area (EEA) and Switzerland, the website is hosted in Dublin, Ireland. 

Hubspot Germany GmbH
EU
International data transfers are carried out via the respective current standard contractual clauses in accordance with article 46 III c. c GDPR as amended.You can find further information in the HubSpot Privacy Policy
Yokoy's internal CRM is also used for marketing and communication purposes based on your consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 6 para. 1 lit. b for the performance or preparation of a contract and Art. 6 para. 1 lit. f GDPR for our legitimate interests (in particular marketing).
HubSpot Germany GmbH AM Postbahnhof 1710243 Berlin

Sendgrid LLC, Denver
USA
International data transfer is carried out via the Twilio Binding Corporate Rules in accordance with Art. 47 GDPR of Twilio, Inc. For more information on the privacy statement, please click here Twilio Privacy Statement. 
Sending platform emails (optional) - the employee's email is shared with Sendgrid.
1801 California Street Suite 500, Denver, CO 80202 USA 

respectively

Twilio, Inc. 375 Beale Street Suite 300 San Francisco, CA 94105 USA (Binding Corporate Rules applicable to Sendgrid, Inc.)

Intercom, San Francisco
USA
International data transfers are carried out via the current standard contractual clauses pursuant to Art. 46 (3) lit. c GDPR as amended. For further information, please refer to the Intercom Privacy Policy 

In-app chat function (optional) 
Intercom, Inc.  San Francisco. 55 2nd Street,4th Floor, San Francisco, CA 94105

Slack Technologies, Inc.
USA
International data transfers are carried out via the current standard contractual clauses in accordance with Art. 46 III c GDPR as amended from time to time. You can find more information in the Slack Privacy Policy. 

Web-based instant messaging for internal corporate communication
Slack Technologies, Inc, 500 Howard Street, San Francisco, CA 94105, USA. 

Prospect One
Poland
Transfer within the European Union For more information, see the jsDelivr privacy policy.
For the provision of a CDN (Content Delivery Network). No personal data is requested and also not stored.
jsDelivr, ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland.
Microsoft Company
USA
International data transfers are carried out via the current standard contractual clauses in accordance with Art. 46 III c GDPR as amended.
Use of cloud services for customer communication (Microsoft Teams)
Microsoft Corp.One Microsoft Way, Redmond, WA 98052-6399, USA

DocuSign Germany GmbH
DE
Binding corporate rules according to Art. 47 GDPR. For more information, see the DocuSign Privacy Statement DocuSign privacy policy 
Electronic signing of contracts on the basis of Art. 6 I. 1 b GDPR
DocuSign Germany GmbH
New Rothofstraße 13-19
60313
Frankfurt
Germany

Aircall, Inc. 
F
Standard contractual clauses in accordance with Art. 46 III c GDPR as amended. Until the introduction of the new standard contractual clauses on 27.12.2022 with additional measures such as transport and data-at-rest encryption and confidentiality agreements. For more information, please see Aircall Privacy Policy.
Cloud-based call centre software on the basis of Art. 6 I. b and f
Aircall, Inc.11
Rue Saint-Georges, 75009 Paris,
France
Mortgage Bank Lenzburg
CH
Data transmission only within the EU (to CleverReach GmbH und CO KG for newsletter dispatch, otherwise no transmission) For further information, please refer to the legal information of Hypothekarbank Lenzburg.

Establishment and management of the billing account and thus necessary fulfilment of legal requirements (in accordance with article 6 I b, c, f) GDPR) In addition, for the purpose of issuing the Yokoy Card and the associated legal requirements (pursuant to article 6 I b, c and f) GDPR).

Hypothekarbank Lenzburg
Bahnhofstrasse 2,
5600 Lenzburg, Switzerland

NiD SA
CH
No data transmission abroad. For more information, please see NiD's privacy policy.
Processing and authorization of payments with Yokoy cards as well as for the production and personalization of physical credit cards

Legal basis: Art. 6 I b) and f) GDPR

NiD SA, Le Crêt-du-Locle 10, P.O. Box 1161, 2301 La Chaux-de-Fonds, Switzerland

Legal Monster
DK
Standard contractual clauses. For more information, visit https://www.legalmonster.com/legal/privacy-policy/
Cookie management tool on our website. 
Legal Monster ApS
Njalsgade 21E, 5th floor 2300 Copenhagen S,


E. Directory of data processing
For more information, please see our Directory of Data Processing pursuant to article 30 of the General Data Protection Regulation and article 12 of the FADP.

F. Data security

1. Physical security
The building in which the offices are located is supervised around the clock by a receptionist. Access to the offices is only granted with a key, which is handed over personally by the supervisor. Entrances and exits to the engineering offices are also logged for better traceability. There is an internal physical security policy which is included in regular staff training.

2. Access
Access to our online offer takes place via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate the transport encryption by a padlock in the address bar.

Even when the data is with us, it is in good hands. We chose Google as our cloud provider because Google has continuously developed its data security and offers us a reliable service. Google's collaboration with SAP ensures high data availability. The security and data protection of Google products are independently audited on a regular basis (ISO/IEC 27001, 27017, 27018, SOC 1/2/3, GDPR).

Data in the cloud is encrypted with 256-bit AES (Advanced Encryption Standard) and all data is also encrypted in transit.

3. Access management
Access is based on the need-to-know principle and is role-based. All activities are logged in order to be able to verify and prove access to the data. In addition, all access management issues are documented in an internal policy.

4. Availability of data
Data is provided on demand and there are automatic backups every 24 hours in an encrypted cloud (storage period 30 days) to ensure data availability at all times.

5. External review
In addition to the internal measures, we have our data security checked annually by an external partner using so-called penetration tests. The results of these tests also include improvement measures, which we subsequently implement in accordance with the internal penetration test governance policy.

6. Emergency plan
Should a data incident occur despite all measures, we are prepared for it and will put our internal emergency plan into action to minimize the damage.

G. Data storage and data deletion

We respect your data and only store it for as long as is absolutely necessary for the intended purpose (principle of data minimization according to article 5 c GDPR and article 6 IV FADP). We delete the data at the latest after termination of the contractual relationship. This is subject to legal warranty and comparable obligations. In the case of statutory archiving obligations, deletion takes place after their expiry according to country-specific legal requirements. In the case of data provided to us by the client as part of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used to the extent that it is necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of article 6 I b GDPR, which allows us to process data to fulfil a contract or pre-contractual measures. The right to deletion in accordance with article 17 GDPR is always reserved, provided that the legal requirements for this are met. In addition, we store daily backups of our data in order to comply with the principle of data availability. The backup data is automatically deleted after 30 days. The data deletion procedure is documented in an internal policy.

H. Your rights

1. Right to confirmation Art. 15 GDPR
On the basis of article 15 GDPR and article 19 of the FADP, you have the right to request confirmation from us as to whether personal data concerning you is being processed. To do so, contact us via one of the channels mentioned under point I.

2. Right to information Art. 15 GDPR
Pursuant to article 15 GDPR and article 19 FADP, you also have the right to obtain from us, at any time and free of charge, information about the data stored about you, as well as a copy of this data in accordance with the legal provisions, by contacting us through a channel as described in Section A.

3. Right of rectification Article 16 GDPR 
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request the completion of incomplete personal data, taking into account the purpose of the processing. This obligation to correct data also arises under Swiss law from article 6 of the Data Protection Act, if the legal requirements are met.

4. Right to erasure Article 17 GDPR
You have the right to demand from us the immediate deletion of the personal data concerning you, provided that one of the reasons provided for by law exists and insofar as the processing or storage is not necessary. A similar situation arises from Art. 6 IV FADP.

5. Restriction of processing Article 18 GDPR 
You have the right to request that we restrict processing if one of the legal requirements is met.

6. Data portability Article 20 GDPR 
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, as the controller to whom the personal data has been provided, provided that the processing is based on consent pursuant to article 6 I a GDPR or article 9 II a GDPR or on a contract pursuant to article 6 I b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to article 20 I DPA, you have the right to obtain that the personal data be transferred directly from one controller to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals. The right to data portability has also been included in article 28 of the DPA.


7. Objection Article 21 GDPR 
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 I e or f GDPR.

This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

In individual cases, we process personal data in order to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.

You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to article 89 I GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free to exercise your right to object in relation to the use of information society services by automated means using technical specifications, notwithstanding Directive 2002/58/EC.

8. Revocation of consent under data protection law
You have the right to revoke your consent to the processing of personal data in accordance with article 7 III GDPR at any time with effect for the future.

9. Complaint to a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a supervisory authority responsible for data protection in accordance with article 77 of the GDPR. In Switzerland, our supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC): 

Federal Commissioner for Data Protection and Freedom of Information
Feldeggweg 1
CH - 3003 Bern
Telephone: +41 (0)58 462 43 95 (Mon. to Fri., 10.00 to 12.00)
Fax: +41 (0)58 465 99 96

For data subjects from the EU area, our lead supervisory authority is

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Phone: +49 (0) 981 180093-0

I. Updates 
We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current data protection declaration on our website and by email.

Privacy Policy Yokoy Group AG Version 2.1, last updated 23.11.2021