Version 2.0

Privacy Policy Yokoy Group AG 

Level 1

Introduction
Data protection is of utmost importance to Yokoy. We implement various technical, organisational and contractual measures to ensure that your data is always kept up to date, securely stored and processed in accordance with Swiss (Federal Data Protection Act; DSG and the associated Ordinance VDSG) and European data protection regulations (in particular the General Data Protection Regulation GDPR). This is applicable both at our company and in cooperation with our partners. We also have our data security checked annually by independent external experts. With this privacy policy, we would like to inform you about how we process your data. The different levels of this privacy policy allow a targeted search by topic and strive to explain our data processing in different levels of detail depending on the target audience.

  1. Categories of personal data
  2. What data we process
  3. Data processing directory
  4. Data security
  5. Data storage and deletion
  6. Your rights
  7. Updates to the privacy policy


Level 2

I. Contact Yokoy Group AG
Our data protection officer is available to answer any questions you may have about data protection.

1. Headquarters Yokoy Group AG Zurich
Yokoy Group AG
MLaw Claudio Berther, LL.M (University of California, Berkeley)
Legal Counsel and Data Protection Officer 
Technoparkstrasse 1
8005 Zurich
dpo@yokoy.ai
Tel. +41 (0)43 508 15 77

2. Yokoy Deutschland GmbH - Munich
Yokoy Deutschland GmbH
Mühldorfstraße 8
81671 Munich
info@yokoy.ai 
Tel: +49 151 42 04 31 22
Germany
Company register number: HRB 267689

3. Yokoy Austria - Vienna
Yokoy GmbH
Wallgasse 21/12
1060 Vienna
info@yokoy.ai 
Tel: +43 1 417 01 15

Managing Director: Mag.(FH) Stephan Hebenstreit, LL.M.
Commercial register court: Vienna Commercial Court
Company register number: FN 534254
UID: ATU75770818
Place of jurisdiction: Vienna Commercial Court
Chamber affiliation: Vienna Chamber of Commerce

II. Categories of personal data
Such personal data may include the following categories:

  1. Inventory data (e.g. name, first name)
  2. Contact details (e.g. telephone, e-mail, postal address)
  3. Browser and device data, meta or marginal data and usage data, content data that you transmit to us (e.g. via the contact form, registration for newsletters, webinars and gated content or applications).
  4. Location data
  5. Contact, sales, contract and payment data in our Customer Relationship Management System


III. How we process data

1. Data that you give us
You voluntarily provide us with data in various situations. For example, when you contact us, order our newsletter, log in to the customer portal, apply for a job, register for a webinar or download gated content. If you would like to know more about how we process it, for what purpose and on what legal basis, click here.

2. Data which we process
In order to provide our services, maintain our infrastructure and provide all stakeholders with the best possible experience, we also process personal data. If you would like to know more about the purposes and legal basis for which we do this, please click here.

3. Data processed by our partners
In order to provide our services, maintain our infrastructure and provide the best possible experience for all stakeholders, we work with partners. They also process personal data. For example, when you visit our website, use the Yokoy app or as part of our marketing and social media activities. If you would like to know more about the purpose and legal basis for which we do this, click here.

IV. International data transfers
Even though we make every effort to work with Swiss providers, it is impossible to prevent data from flowing abroad. To find out how this is legally implemented by Yokoy and how your data is also transmitted in a legally secure manner in connection with foreign transfers, click here. 

V. Data security
Data transmitted to us is treated confidentially and protected against unauthorised access, damage or loss with the help of technical and organisational measures. If you want to learn more about how we technically protect your data, click here.

VI. Data storage and data deletion
We store the data only as long as it is necessary for the fulfilment of the contract. The legal retention periods and your right to deletion according to Article 17 GDPR remain reserved, provided that the conditions for this are fulfilled. If you want to know more about this, click here.

VII. Your rights
The GDPR grants the person whose data is processed various rights with which the person can influence the data processing. An overview of the rights and how you can assert them can be found here.

VIII. Updates to the privacy policy
We may adapt and supplement this privacy policy at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current data protection policy on our website and via an email.


Level 3

I. Data you give us

1. By contacting us
You can contact us through various channels, e.g. telephone, email, contact form, chat, social media, webinar registration and registration for "gated content". We collect your contact details and information from the enquiry. This may be stored in our CRM (Customer Relationship Management) system. This data is only stored for internal use.

1.1 Purpose of the processing

We store personal data in order to be able to respond to your enquiry or contact. Furthermore, this storage enables us to execute the contract or pre-contractual actions in case of questions in an existing contractual relationship. In addition, Yokoy can carry out analyses about potential future contractual relationships, e.g. about the size of the company, where the company is present and through which channels you have heard about Yokoy.

1.2 Legal basis
The basis for data processing is Article 6 I b GDPR, which allows us to process data for the fulfilment of a contract or pre-contractual measures. Analysis purposes are based on the legal basis of legitimate interests according to Art. 6 para. 1 lit. f GDPR in order to find out whether you fit into our customer portfolio in terms of size and geographical presence. The data processing is carried out in compliance with the data protection principles according to Art. 6 DSG. We use Hubspot software to enable this service. A link to the privacy policy can be found here https://legal.hubspot.com/de/privacy-policy.


2. Newsletter registration
2.1 Purpose of the processing 
Generation and sending of our newsletter.

2.2 Legal basis 
If you subscribe to the newsletter, you give us permission to use your data for sending the newsletter. You also agree to the information described below. Based on Article 7 III GDPR, you can revoke your consent for the future at any time; for this purpose, you will find an unsubscribe link in every email sent. Alternatively, you can also contact us personally at any time. We use the software HubSpot and Sendgrid, a service of Twilio Inc., to send our newsletter. You can find an overview of all partners with whom we work for internal and external purposes and links to their data protection declarations here.

2.3 Double opt-in procedure for the purpose of provability
An important principle of the GDPR is accountability. That is, in Article 5 II GDPR, the law requires not only compliance with the data protection provisions, but also evidence thereof. For this reason, registration takes place in a double opt-in process. After your registration you will receive an email in which you have to confirm your email address. This prevents misuse with registrations from other email addresses. The registrations are stored in our CRM system so that we can legally prove the registration process. This includes the following data: registration and confirmation time, type of newsletter, IP address and your contact details. The legal basis for this is the fulfilment of a legal obligation according to Article 6 I c GDPR.

2.4 National specifics 
Germany: The newsletter is sent and its success measured on the basis of the recipients' consent pursuant to Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 Para. 2 No. 3 UWG or on the basis of the legal permission pursuant to § 7 Para. 3 UWG.
Austria: The dispatch of the newsletter and the associated performance measurement is based on the consent of the recipients pursuant to Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with § 107 para. 2 TKG or on the basis of the legal permission pursuant to § 107 para. 2 TKG. § 107 para. 2 and 3 TKG. The logging of the registration process is based on our legitimate interests according to Art. 6 para. 1 lit. f GDPR. Our interest is directed towards the use of user-friendly and secure newsletter software. In addition, there is a legal obligation to provide proof of registration from the accountability principle according to Article 5 III GDPR.
Switzerland: The data processing is carried out in compliance with the data protection principles according to Art. 6 DSG.

3. Webinar registrations
You can also register for webinars via the Hubspot tool to get to know our products better. We store the data you provide so that we can contact you if necessary, e.g. if it becomes necessary to cancel the event. We base our data processing on your consent in accordance with Article 6 I a GDPR. This consent can also be revoked for the future. To do so, contact us via a channel as per point I. The data processing is carried out in compliance with the data protection principles as per Art. 6 DSG.

4. Gated content downloads
Gated content is about sharing knowledge that is valuable to the user in exchange for contact details of the user that are valuable to us. In the case of Yokoy, this could be, for example, events on topics such as digitalisation, artificial intelligence or data protection.

4.1 Purpose of the processing 
Providing content. 

4.2 Legal basis
We base our data processing on your consent in accordance with Article 6 I a GDPR. This consent can also be revoked for the future based on Article 7 III GDPR. To do so, contact us via a channel as per point 1. Data processing is carried out in compliance with the data protection principles as per Art. 6 DSG.

5. Applications
We collect, process and transfer your personal data with automated data processing systems. For this purpose, we work with the join software. This is an offer from JOIN Solutions AG, Landsgemeindeplatz 6, 9043 Trogen. For example, the following types of personal data may be covered by the collection:


It should be emphasised at this point that the decision about employment is, of course, still made by our HR team. For further information on data protection at JOIN Solutions AG, please refer to the JOIN Solutions AG data protection policy.

5.1 Purpose of the processing
We process personal data provided to us in order to take pre-contractual measures to possibly conclude an employment contract with you. If your application is not successful or you withdraw your application, the data will be deleted within 30 days.  If your application is successful, the data will be kept until the purpose is fulfilled, usually for the duration of the contractual relationship, plus a period if required by applicable law. 

5.2 Legal basis
The data is stored on the basis of Article 6 I b GDPR or the consent of the person in accordance with Article 6 I a GDPR. This consent can also be revoked for the future based on Article 7 III GDPR. To do so, contact us via a channel according to point I. The data processing is carried out in compliance with the data protection principles according to Art. 6 DSG. 

II.  Data we process

1. Server log files 
When using our website, information is automatically collected and stored that your browser transmits to us. These are:

We do not draw any conclusions about you when using this data. Logging is done in accordance with our internal logging and monitoring policy.

1.1 Purpose of the processing
The data is required, for example, to deliver the content of our website correctly, to ensure the functionality of our site or to be able to provide the information to law enforcement authorities in the event of a cyber attack. The anonymous data of the server log files are stored separately from your personal data.

1.2 Legal basis
We base the collection of this anonymised data on legitimate interests of a functioning website according to Article 6 I f GDPR.

2. Customer login/customer portal
The data protection provisions are agreed and signed with each customer when the contract is concluded. Customer data in our CRM system is processed in accordance with point 3. In addition, our system automatically records the following log data with every call:


2.1 Purpose of the processing
This data is collected for the purpose of providing the portal. Furthermore, this data is processed and stored for the purpose of ensuring the functionality of the portal and security.

2.2 Legal basis: 
Article 6 I b and f GDPR. The data is only stored as long as it is necessary for the fulfilment of the purpose. To provide the portal, data is also passed on to technically necessary partners, e.g. the website hoster and the cloud provider. An overview of all partners, their services, the legal basis of the processing and the contact options can be found here. An internal logging and monitoring policy regulates the details.  

3. Customer data (CRM Customer Relationship Management) 
3.1 Purpose of the processing 
In order to fulfil our contractual services, we need to process the data of our customers. In doing so, we process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., charts of accounts), contract data (e.g., subject matter of the contract, term), payment data (e.g., bank details, payment history). This primarily concerns customers, employees and suppliers. The purpose of the processing is the provision of contractual services, billing and our customer service. 

3.2 Legal basis
The legal basis for the processing results from Article 6 I b GDPR. We process data that are required for the justification and fulfilment of the contractual services. We process the data only for the contractual purpose and act in accordance with the legal requirements of commissioned processing pursuant to Art. 28 GDPR. We delete the data after the expiry of statutory warranty and comparable obligations. In the case of statutory archiving obligations, deletion takes place after their expiry (6 years, according to § 257 para. 1 HGB, 10 years, according to § 147 para. 1 AO). In the case of data disclosed to us by the client within the scope of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used if it is necessary for the establishment, content or amendment of the legal relationship (inventory data). The data processing is carried out in compliance with the data protection principles according to Article 6 DSG. We use the services of Hubspot for our CRM. You can find out more about data protection at Hubspot in the HubSpot Product Privacy Policy.

III. Data collected by our partners

When we involve partners, this is done in compliance with the requirements of Art. 9 DSG and Article 5 GDPR. There are data processing contracts that include the requirements of Article 28 (3) of the GDPR and Article 9 of the GDPR. 

1. When visiting the website 
In order to be able to operate a website technically, certain technical requirements are necessary for which we are dependent on partners.  With the partners we have.

1.1 Hosting
1.1.1 Purpose of the processing
Our hosting provider provides us with infrastructure and platform services, database services, computing capacity, security services and storage space as well as technical maintenance services, which we use for the purpose of operating our online offers.  

1.1.2 Legal basis
The basis for data processing is Art. 6 (1) lit. b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures. Our website is hosted by Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103. For users in the European Economic Area (EEA) and Switzerland, the website is hosted by Webflow in Dublin, Ireland. For more information, please see the Webflow EU & Swiss Privacy Policy.   

1.2 Content Delivery Network (CDN) 
1.2.1 Purpose of the processing
We use the open source services of jsDelivr as CDN to deliver the website quickly. jsDelivr is a service of ProspectOne, Królewska 65A/1, 30-081, Krakow, Poland. A CDN is a network of regionally distributed servers that are connected to each other via the internet. In order to use the service, it is possible that your browser sends personal data to jsDelivr. This allows jsDelivr to collect and store data such as browser type/version, date and time of access or IP address. To avoid this, you can install a JavaScript blocker.

1.2.2 Legal basis
The basis for the use of the CDN is our legitimate interest in optimising the website, in accordance with Article 6 I f GDPR. You can find more information in the privacy policy of jsDelivr.

1.3 Google Web Fonts 
1.3.1 Purpose of the processing
This site uses so-called web fonts provided by Google to display fonts. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This is a service of the American Google LLC. For users in the European Economic Area (EEA) and in Switzerland, the Irish company Google Ireland Limited is responsible. When you call up a page, your browser loads the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must connect to Google's servers. In this way, Google learns that our website has been accessed via your IP address.  

1.3.2 Legal basis
The use of Google Web Fonts is in the interest of an appealing presentation of our website. This represents a legitimate interest within the meaning of Art. 6 I f GDPR. If your browser does not support web fonts, a standard font from your computer will be used. You can find further information at https://developers.google.com/fonts/faq and in the Google privacy policy: https://www.google.com/policies/privacy/

1.4 YouTube  
1.4.1 Purpose of the processing
To play the videos, we use the services of YouTube. YouTube is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you visit one of our pages where YouTube is embedded, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. You can find more information on the handling of user data in YouTube's privacy policy.

1.4.2 Legal basis
The use of YouTube is based on Art. 6 I a GDPR. Information on the prevention of data collection can be found in the Cookie Policy.

2. When using the Yokoy app 
The Yokoy App is hosted on the Google Cloud. The Google Cloud is a service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Specific data protection information on the Google Cloud can be found here https://cloud.google.com/terms/cloud-privacy-notice. Specific information on the data security of the Google Cloud and our products can be found in the section on data security.

Customers can download a mobile app onto their device. The information required for this process is transferred to the app store without our involvement. Information includes, for example, the email address, your customer number of the app store account or the time of the download. We are not responsible for this data collection and have no influence on it. You can find more information in the Apple or Google privacy policy.

When using the Yokoy app, we process the following data to ensure the security and usability of the functions provided:

The following data is stored by the user: Name, first name, e-mail, personnel number or cost centre (in order to enable the correct booking with the customer). The data is stored in an encrypted private cloud and the transfer to the Google Cloud is also encrypted by 256-bit AES encryption. However, no employee data of the users is stored in our CRM through the use of the app. 

2.1 Purpose of the data processing 
This data is only processed to provide the Yokoy app. 

2.2 Legal basis 
This is done on the basis of Article 6 I a, b and f GDPR.

3. In our marketing activities 
3.1 Hubspot
On our website, we use the software HubSpot for various purposes. HubSpot is a software company from the USA with a branch office in Berlin (Am Postbahnhof 17, 10243 Berlin).

3.1.1 Purpose of the processing
Hubspot uses web beacons and cookies to help us analyse your use of our website and cover various aspects of online marketing. These include email marketing, contact management (e.g. benefit segmentation & CRM), landing pages and contact forms. This information, as well as parts of our website, is stored on servers run by our software partner HubSpot. It is used by us to contact visitors to our website and to determine which of our company's services are of interest to them. All information collected by us is subject to this Privacy Policy. We use all collected information exclusively for the optimisation of our marketing measures and for communication with users.

As part of the optimisation of our marketing measures, the following data, among others, may be collected and processed via HubSpot:

We also use HubSpot to provide contact forms (see point I.1.).

3.1.2 Legal basis
The legal basis for the processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR and for the necessary processing of personal data for the performance of a contract with the data subject as well as for the implementation of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR. If you do not want the aforementioned data to be collected and processed via Hubspot, you can refuse your consent or revoke it at any time with effect for the future. The personal data will be kept for as long as it is necessary to fulfil the purpose of the processing. The data will be deleted as soon as they are no longer required to achieve the purpose. Here you can find further information on the data protection provisions of HubSpot.

3.2 Google Tag Manager
3.2.1 Purpose of the processing
 
This website uses the Google Tag Manager. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is a solution with which website tags can be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool provides for the forwarding of data and triggering of other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager. 

3.2.2 Legal basis 
The legal basis for the use of the Google Tag Manager is your consent according to Article 6 I a GDPR. This can be withdrawn at any time with effect for the future. To do so, contact us on a channel according to point I. 

3.3 Google reCaptcha 
3.3.1 Purpose of the processing 
The purpose of reCAPTCHA is to check whether data entry on our website (e.g. in a contact form) is made by a human or an automated programme. The reCAPTCHA analyses run entirely in the background. Website visitors are not made aware that an analysis is taking place. 

3.3.2 Legal basis
The data processing is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its web offers from abusive automated spying and from SPAM. Further information on Google reCAPTCHA and Google's privacy policy can be found under the following links: Privacy Policy and Google reCAPTCHA V3.  

3.3.3 Marketing tools that use cookies
Certain marketing tools use cookies. To find out what cookies are, what they do and how you can disable them, visit our Cookie Policy or the Cookie Manager on our website. This allows you to fine-tune your consent to our cookie use.

4. Social media activities 
We have various presences within social networks in order to communicate with the users active there and to inform them about our services. For example, we use icons that lead to the pages of YouTube, LinkedIn or Facebook. Further information on this and how cookies are used can be found in our cookie policy.


IV. International data transfers

Whenever possible and economically reasonable, Yokoy endeavours to work with providers from Switzerland, the EEA or the EU, or countries for which the EU Commission has recognised an adequate level of data protection in accordance with Article 45 of the GDPR. Alternatively, the data transfer is based on standard contractual clauses according to Art. 46 of the GDPR. We are aware that the decision of the European Court of Justice C-118-311 of 16.7.2021 has repealed the Privacy Shield and that the "old" Standard Contractual Clauses still require additional safeguards. Where necessary, we will ensure that our partners switch to the new standard contractual clauses by the end of the transition period on 27 December 2022 at the latest, should they rely on standard contractual clauses for the transfer of data, particularly in the USA. If available at the partner, we base the data transfer on Binding Corporate Rules according to Art. 47 GDPR. We work exclusively with large international partners who share our conviction regarding the importance of data protection. The guarantee of data protection is further secured by data processing agreements.

Below you will find an overview of our foreign partners, in which country they are located and for which purpose they process Yokoy data. Furthermore, an internal guideline stipulates that we support all international sanctions against states, territories or persons and that we do not maintain any business relationships with such states, territories or persons.

Sub-processor: Google LLC, Ireland
Location: EU
Data transfer basis: International data transfers are carried out via standard contractual clauses in accordance with Art. 46 III c GDPR in the currently legally valid version. For further information, please refer to the section on data security and Google's privacy policy.
Purpose of processing: Use of cloud services for data storage (Google Cloud), hosting of Yokoy software (Google Cloud Web Hosting), for email communication (Gmail) and document management (G Suite) and for data
Address: Google Ireland LLC, Gordon House, Barrow Street, Dublin 4, D04E5W5, Ireland

Sub-processor: Webflow Inc.
Location: USA
Data transfer basis: Standard Contractual Clauses with additional encryption at rest and in transfer according to Art. 46 III c GDPR. Further information on data protection at Webflow can be found in Webflow's EU & Swiss Privacy Policy.
Purpose of processing: Hosting of the website https://www.yokoy.ai based on Art. 6 para. 1 lit. b and f GDPR
Address: Webflow Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103. For users in the European Economic Area (EEA) and Switzerland, the website is hosted in Dublin, Ireland.

Sub-processor: Hubspot Germany GmbH
Location: EU
Data transfer basis: International data transfers are carried out via the respective current Standard Contractual Clauses pursuant to Article 46 III c GDPR in the currently legally valid version. Further information can be found in the HubSpot Privacy Policy.
Purpose of processing: Internal CRM of Yokoy is also used for marketing and communication purposes based on your consent according to Art. 6 para. 1 lit. a GDPR or Art. 6 para. 1 lit. b for the fulfilment or preparation of a contract and Art. 6 para. 1 lit. f GDPR for our legitimate interests (especially marketing).
Address: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin

Sub-processor: Sendgrid LLC, Denver
Location: USA
Data transfer basis: International data protection transfers are carried out via the Twilio Binding Corporate Rules in accordance with Art. 47 GDPR of Twilio, Inc. You can find more information in the Twilio Privacy Statement.
Purpose of processing: Sending Platform Emails (optional) - the employee's e-mail is shared with Sendgrid
Address: 1801 California Street Suite 500, Denver, CO 80202 USA resp. Twilio, Inc. §§Street Suite 300 San Francisco, CA 94105 USA (Binding Corporate Rules applicable to Sendgrid, Inc.)

Sub-processor: Intercom, San Francisco
Location: USA
Data transfer basis: International data transfers are carried out via the current Standard Contractual Clauses in accordance with Art. 46 Para. 3 lit. c GDPR in the currently legally valid version. Further information can be found in the Intercom Privacy Policy.
Purpose of processing: In-app chat function (optional)
Address: Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105

Sub-processor: Slack Technologies, Inc.
Location: USA
Data transfer basis: International data transfers are carried out via the current Standard Contractual Clauses in accordance with Art. 46 III c GDPR in the currently legally valid version. Further information can be found in the Slack Privacy Policy.
Purpose of processing: Web-based instant messaging for internal company communication
Address: Slack Technologies, Inc, 500 Howard Street, San Francisco, CA 94105, USA

Sub-processor: Prospect One
Location: Poland
Data transfer basis: Transfer within the European Union. For more information, see the jsDelivr privacy policy.
Purpose of processing: For the provision of a CDN (Content Delivery Network). No personal data is requested, nor is any such data stored.
Address: jsDelivr, ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland

Sub-processor: Microsoft Corporation
Location: USA
Data transfer basis: International data transfers are carried out via the current Standard Contractual Clauses in accordance with Art. 46 III c GDPR in the currently legally valid version.
Purpose of processing: Use of cloud services for customer communication (Microsoft Teams)
Address: Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA

Sub-processor: DocuSign Germany GmbH
Location: DE
Data transfer basis: Binding Corporate Rules according to Art. 47 GDPR. You can find more information in the DocuSign privacy policy.
Purpose of processing: Electronic signing of contracts based on Art. 6 I. 1 b GDPR
Address: DocuSign Germany GmbH, New Rothofstrasse 13-19, 60313 Frankfurt, Germany

Sub-processor: Aircall, Inc.
Location: F
Data transfer basis: Standard Contractual Clauses according to Art. 46 III c GDPR in the currently legally valid version. Until the implementation of the new Standard Contractual Clauses on 27.12.2022 with additional measures such as transport and data at rest encryption and confidentiality agreements. For more information, please see the Aircall Privacy Policy.
Purpose of processing: Cloud-based call centre software based on Art. 6 I. b and f
Address: Aircall, Inc., 11 Rue Saint-Georges, 75009 Paris, France

Sub-processor: Hypothekarbank Lenzburg
Location: CH
Data transfer basis: Data transfer only within the EU (to CleverReach GmbH und CO KG for newsletter dispatch, otherwise no transfer). For further information, please refer to the legal information of Hypothekarbank Lenzburg.
Purpose of processing: Establishment and management of the billing account and hereby necessary fulfilment of legal requirements (according to Article 6 I b, c, f GDPR). In addition, for the purpose of issuing the Yokoy Card and related legal requirements (pursuant to Article 6 I b, c and f GDPR)
Address: Mortgage Bank Lenzburg, Bahnhofstrasse 2, 5600 Lenzburg, Switzerland

Sub-processor: NiD SA
Location: CH
Data transfer basis: No data transfer abroad. You can find more information in NiD's privacy policy.
Purpose of processing: Processing and authorisation of payments made with Yokoy cards and for the production and personalisation of physical credit cards. Legal basis: Art. 6 I b) and f) GDPR
Address: NiD SA, Le Crêt-du-Locle 10, P.O. Box 1161, 2301 La Chaux-de-Fonds, Switzerland

Sub-processor: Legal Monster
Location: DK
Data transfer basis: Standard Contractual Clauses. Further information can be found at https://www.legalmonster.com/legal/privacy-policy/
Purpose of processing: Cookie management tool on our website.
Address: Legal Monster ApS, Njalsgade 21E, 5th floor, 2300 Copenhagen S


V. Data processing directory
Further information can be found in our directory of data processing pursuant to Article 30 of the GDPR and Article 12 of the GDPR.

VI. Data security

1. Physical security
The building in which the offices are located is serviced by a reception desk 24/7. Access to the office premises is only granted by a key personally handed over by the supervisor. The entrances and exits to the engineering offices are also logged for better traceability. An internal policy on physical security exists and is included in regular staff training.

2. Access
Access to our online offer takes place via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock in the address bar. Even when the data is with us, it is in good hands. We chose Google as our cloud provider because Google has always evolved in terms of data security and offers us a reliable service. Google's cooperation with SAP ensures high availability of your data. The security and data protection of Google products is regularly audited independently (ISO/IEC 27001, 27017, 27018, SOC 1/2/3, GDPR). The data in the cloud is encrypted with 256-bit AES (Advanced Encryption Standard) and all data in transit is also encrypted.

3. Access management
Access is based on the need-to-know principle and is role-based. All activity is logged in order to be able to verify and prove access to the data. In addition, all access management issues are documented in an internal policy.

4. Data availability 
The data is made available on demand and there are automatic daily backups on an encrypted cloud (storage period 30 days) to ensure the availability of the data at all times.  

5. External review
In addition to the measures taken internally, we also have our data security checked annually by an external partner through so-called penetration tests. The results of these tests also contain improvement measures, which we subsequently implement as prescribed by the internal penetration test governance guidelines.

6. Emergency plan
If, despite all the measures taken, a data incident should occur, we are prepared for it and will put our internal emergency plan into action to minimise the damage caused.


VII. Data storage and data deletion

We respect your data and only store it for as long as is absolutely necessary for the intended purpose (principle of data minimisation according to Article 5 c GDPR and Article 6 IV DSG). We delete the data at the latest after expiry of the contractual relationship. This is subject to statutory warranty and comparable obligations. In the case of legal archiving obligations, deletion takes place after their expiry (6 years, in accordance with § 257 para. 1 HGB, 10 years, in accordance with § 147 para. 1 AO). In the case of data disclosed to us by the client within the scope of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used if it is necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of Article 6 I b GDPR, which allows us to process data for the fulfilment of a contract or pre-contractual measures. The right to deletion in accordance with Article 17 GDPR is always reserved, provided that the legal requirements for this are met. Furthermore, we store backups of our data on a daily basis in order to comply with the principle of data availability. Backup data is automatically deleted after 30 days. The procedure for data deletion is documented in an internal policy.


VIII. Data subject rights

1. Right to confirmation Art. 15 GDPR
Based on Article 15 of the GDPR and Article 19 of the FADP, you have the right to request confirmation from us as to whether personal data relating to you is being processed. To do so, contact us via a channel according to point I.

2. Right to information Art. 15 GDPR
Article 15 of the GDPR and Article 19 of the FADP also grant you the right to obtain from us at any time, free of charge, information about the personal data stored about you, as well as a copy of this data in accordance with the legal provisions. If you wish to do so, contact us via a channel in accordance with Section I. The relevant information in accordance with Article 19 of the FADP can also be found in our data processing directory in accordance with Article 12 of the FADP.

3. Right of rectification Article 16 GDPR 
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request the completion of incomplete personal data, taking into account the purposes of the processing. This obligation to correct data also arises under Swiss law from Article 6 of the Data Protection Act if the legal requirements are met.

4. Right to erasure Article 17 GDPR
You have the right to demand that we delete the personal data concerning you without delay, provided that one of the reasons provided for by law applies and insofar as the processing or storage is not necessary. A similar situation arises from Article 6 IV DSG. 

5. Restriction of processing Article 18 GDPR 
You have the right to demand that we restrict processing if one of the legal requirements is met.

6. Data portability Article 20 GDPR 
You have the right to receive the personal data concerning you, which has been provided to us by you, in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us to whom the personal data has been provided, provided that the processing is based on consent pursuant to Article 6 I a of the GDPR or Article 9 II a of the GDPR or on a contract pursuant to Article 6 I b of the GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability in accordance with Article 20 I of the GDPR, you have the right to have the personal data transferred directly from one controller to another controller, insofar as this is technically feasible and insofar as this does not affect the rights and freedoms of other persons. The right to data portability has also been included in Article 28 of the FADP.

7. Objection Article 21 GDPR 
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 I e or f GDPR. This also applies to profiling based on these provisions within the meaning of Article 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
In individual cases, we process personal data in order to carry out direct advertising. You can object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is connected with such direct advertising. If you object to us processing for the purposes of direct advertising, we will no longer process the personal data for these purposes. You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89 I GDPR, unless such processing is necessary for the performance of a task carried out in the public interest. You are free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

8. Revocation of consent under data protection law 
You have the right to revoke your consent to the processing of personal data at any time with effect for the future in accordance with Article 7 III GDPR. 

9. Complaint to a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a supervisory authority responsible for data protection in accordance with Article 77 of the GDPR. In Switzerland, our supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC):

Federal Data Protection and Information Commissioner
Feldeggweg 1
CH - 3003 Bern
Phone: +41 (0)58 462 43 95 (Mon. to Fri., 10.00 to 12.00)
Fax: +41 (0)58 465 99 96 

For affected parties from the EU area, our Lead Supervisory Authority is:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Phone: +49 (0) 981 180093-0


IX. Updates 
We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current data protection declaration on our website and via an email. 

Privacy Policy Yokoy Group AG Version 2.0, last updated 26.7.2021