Privacy Policy

Privacy Policy

With this Privacy Policy, we inform you about the processing of personal data in connection with our activities and operations, including our kulmapotheke.ch website. In particular, we inform you about why, how, and where we process which personal data. We also inform you about the rights of individuals whose data we process.

Additional privacy policies or other information regarding data protection may apply to individual or additional activities and operations.

1. Contact Addresses

Responsibility for the processing of personal data:

Kulm Apotheke & Parfümerie AG
Via Maistra 27
7500 St. Moritz
Switzerland

kulmapo@ovan.ch

In individual cases, third parties may be responsible for the processing of personal data, or joint responsibility with third parties may exist.

Data Protection Officer

We have the following data protection officer as the point of contact for individuals and authorities for inquiries regarding data protection:

Oksana Sorokina
Kulm Apotheke & Parfümerie AG
Via Maistra 27
7500 St. Moritz
Switzerland

kulmapo@ovan.ch

2. Terms and Legal Basis

2.1 Terms

Data subject: A natural person whose personal data we process.

Personal data: Any information relating to an identified or identifiable natural person.

Particularly sensitive personal data: Data concerning trade union, political, religious, or philosophical views or activities, data concerning health, intimate life, or ethnic origin, genetic data, biometric data identifying a natural person, data concerning criminal or administrative sanctions or proceedings, and data concerning social assistance measures.

Processing: Any handling of personal data, regardless of the methods and procedures applied, such as querying, matching, adjusting, archiving, storing, reading, disclosing, acquiring, collecting, deleting, revealing, ordering, organizing, saving, altering, disseminating, linking, destroying, or using personal data.

2.2 Legal Basis

We process personal data in accordance with Swiss data protection law, particularly the Federal Data Protection Act (Data Protection Act, DPA) and the Data Protection Ordinance (DPO).

3. Type, Scope, and Purpose of Processing Personal Data

We process personal data that is necessary for us to carry out our activities and operations in a sustainable, humane, secure, and reliable manner. The personal data processed may particularly fall into categories such as browser and device data, content data, communication data, metadata, usage data, master data, including inventory and contact data, location data, transaction data, contract data, and payment data.

We also process personal data that we receive from third parties, obtain from publicly available sources, or collect when carrying out our activities and operations, as long as such processing is legally permitted.

We process personal data, where necessary, with the consent of the data subjects. In many cases, we can process personal data without consent, for example, to fulfill legal obligations or to safeguard overriding interests. We may also ask for the consent of data subjects even if their consent is not required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, in particular, in accordance with statutory retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties , have it processed by third parties, or process it jointly with third parties. Such third parties are particularly specialized providers whose services we utilize.

We may disclose personal data, for example, to banks and other financial service providers, authorities, educational and research institutions, consultants and attorneys, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, and insurers.

5. Communication

We process personal data to communicate with third parties. In this context, we particularly process data provided by a data subject during communication, for example, by postal mail or email. We may store such data in an address book or with comparable tools.

Third parties who transmit data about other individuals are obliged to ensure data protection with respect to such individuals. This includes, among other things, ensuring the accuracy of the transmitted personal data.

We use selected services from appropriate providers to communicate better with third parties.

6. Applications

We process personal data about applicants insofar as it is necessary for assessing their suitability for employment or for the subsequent performance of an employment contract. The necessary personal data is typically derived from the information requested, for example, in a job advertisement. We may publish job advertisements with the help of suitable third parties, such as in electronic and print media or on job portals and platforms.

We also process personal data that applicants voluntarily disclose or publish, particularly as part of cover letters, resumes, and other application documents, as well as online profiles.

We may allow applicants to store their information in our talent pool for future job opportunities. We may also use such information to maintain contact and provide updates. If we believe that an applicant's information qualifies them for an open position, we may notify the applicant accordingly.

We use selected services from appropriate third parties to post job listings through e-recruitment and to facilitate and manage applications.

7. Data Security

We take appropriate technical and organizational measures to ensure a level of data security appropriate to the risk. Our measures particularly ensure the confidentiality, availability, traceability, and integrity of processed personal data, although absolute data security cannot be guaranteed.

Access to our website and other online presence is via transport encryption ( SSL / TLS , particularly with the Hypertext Transfer Protocol Secure, abbreviated HTTPS ). Most browsers issue warnings before accessing websites without transport encryption.

Our digital communication is subject to fundamental mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over the corresponding processing of personal data by intelligence services, law enforcement agencies, and other security authorities. We also cannot rule out that a data subject may be specifically monitored.

8. Personal Data Abroad

We process personal data primarily in Switzerland. However, we may also disclose or export personal data to other countries, particularly to process or have it processed there.

We may disclose personal data to all countries and territories on Earth , provided that the respective law ensures adequate data protection according to the Swiss Federal Council's decision.

We may disclose personal data to countries whose laws do not provide adequate data protection, provided that adequate data protection is ensured for other reasons, particularly based on standard data protection clauses or with other appropriate safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection, if the special legal requirements for data protection are met, such as the explicit consent of the data subject or a direct connection with the conclusion or performance of a contract. We are happy to provide information on any guarantees or provide a copy of guarantees upon request from data subjects.

9. Rights of Data Subjects

9.1 Data Protection Claims

We grant data subjects all claims in accordance with applicable data protection law. Data subjects have the following rights in particular:

• Access: Data subjects can request information on whether we process personal data about them, and if so, which personal data is being processed. Data subjects also receive the information necessary to assert their data protection claims and ensure transparency. This includes the processed personal data itself, as well as, among other things, information on the purpose of the processing, the retention period, any disclosure or export of data to other countries, and the origin of the personal data.
• Correction and Restriction: Data subjects can have inaccurate personal data corrected, incomplete data completed, and the processing of their data restricted.
• Deletion and Objection: Data subjects can have personal data deleted ("right to be forgotten") and object to the processing of their data with future effect.
• Data Delivery and Transfer: Data subjects can request the delivery of personal data or the transfer of their data to another controller.

We may defer, restrict, or refuse the exercise of data subjects' rights to the extent legally permissible. We may inform data subjects of any requirements they need to fulfill to exercise their data protection claims. For example, we may refuse access to information by referring to confidentiality obligations, overriding interests, or the protection of other individuals. We may also, for example, refuse the deletion of personal data, particularly by referring to legal retention obligations.

We may exceptionally charge fees for the exercise of rights. We inform data subjects in advance about any potential costs.

We are required to take appropriate measures to identify data subjects who request access or assert other rights. Data subjects are obliged to cooperate in this identification process.

9.2 Legal Remedies

Data subjects have the right to assert their data protection claims in court or to file a complaint with a data protection supervisory authority.

The supervisory authority for private controllers and federal authorities in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies – both first-party cookies (our own) and third-party cookies (from services we use) – are data stored in the browser. Such stored data does not necessarily have to be traditional text-based cookies.

Cookies can be stored temporarily in the browser as "session cookies" or for a certain period as so-called persistent cookies. "Session cookies" are automatically deleted when the browser is closed. Persistent cookies have a specific storage duration. Cookies allow a browser to be recognized on a subsequent visit to our website, thus, for example, enabling us to measure the reach of our website. However, persistent cookies can also be used, for example, for online marketing.

Cookies can be disabled or deleted in the browser settings at any time. Without cookies, our website may no longer be fully available. Where necessary and to the extent required, we actively request your explicit consent to the use of cookies.

For cookies used for success and reach measurement or advertising purposes, numerous services offer a general opt-out via AdChoices (Digital Advertising Alliance of Canada), Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

We may log at least the following information for every access to our website and other online presence, provided this information is transmitted to our digital infrastructure during such access: date and time, including time zone, IP address , access status (HTTP status code), operating system, including user interface and version, browser, including language and version, accessed individual subpage of our website, including transmitted data volume, and the last page visited in the same browser window (referrer).

We log this information, which may also constitute personal data, in log files. This information is necessary to ensure the continuous, user-friendly, and reliable availability of our online presence. This information is also necessary to ensure data security – either through third parties or with their help.

10.3 Counting Pixels

We may integrate counting pixels into our online presence. Counting pixels are also known as web beacons. Counting pixels – including those from third parties whose services we use – are usually small, invisible images or JavaScript scripts that are automatically retrieved when accessing our online presence. Counting pixels can collect at least the same information as log files.

11. Notifications and Communications

11.1 Success and Reach Measurement

Notifications and communications may contain web links or counting pixels that track whether a specific message has been opened and which web links were clicked. Such web links and counting pixels can also track the use of notifications and communications on an individual basis. We require this statistical tracking of use for success and reach measurement to send notifications and communications effectively and user-friendly based on the needs and reading habits of the recipients and to do so in a sustainable, secure, and reliable manner.

11.2 Consent and Objection

As a general rule, you must consent to the use of your email address and other contact details unless the use is legally permissible for other reasons. To obtain a double-confirmed consent, we may use the "double opt-in" procedure. In this case, you will receive a notification with instructions for double confirmation. We may log the obtained consents, including IP address and timestamp , for evidence and security reasons.

You may generally object to receiving notifications and communications, such as newsletters, at any time. With such an objection, you can simultaneously object to the statistical tracking of use for success and reach measurement. Required notifications and communications related to our activities and operations are exempted from this right.

11.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

12. Social Media

We are present on social media platforms and other online platforms to communicate with interested parties and provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland.

The general terms and conditions (GTC) and usage conditions, as well as privacy policies and other provisions of the individual operators of such platforms, also apply. These provisions inform data subjects, in particular, about their rights directly with the respective platform, such as the right to access their data.

13. Services from Third Parties

We use services from specialized third parties to carry out our activities and operations sustainably, humanely, securely, and reliably. With such services, we can integrate functions and content into our website. When integrating such services, the providers collect, at least temporarily, the IP addresses of users for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data in connection with our activities and operations in an aggregated, anonymized, or pseudonymized manner. This may include performance or usage data required to provide the respective service.

We use the following services in particular:

• Google Services: Provider: Google LLC (USA) / Google Ireland Limited (Ireland), partly for users in the European Economic Area (EEA) and Switzerland; General privacy information: "Privacy and Security Principles" , "Information on how Google uses personal data" , Privacy Policy , "Google's Commitment to Compliance with Applicable Data Protection Laws" , "Privacy Guide for Google Products" , "How We Use Data from Sites or Apps That Use Our Services" , "Types of Cookies and Similar Technologies Used by Google" , "Ads You Can Control" ("Personalized Ads").

13.1 Digital Infrastructure

We use services from specialized third parties to obtain the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We use the following services in particular:

• Amazon Web Services (AWS) , including Amazon CloudFront: Storage space, Content Delivery Network (CDN), and other infrastructure; Provider: Amazon Web Services Inc. (USA); Privacy information: Privacy Policy , "Data Privacy Center" , "Data Privacy FAQ".

13.2 Appointment Scheduling

We use services from specialized third parties to enable online scheduling of appointments, for example, for meetings. In addition to this Privacy Policy, the terms and conditions or privacy policies of the services used may apply, as made directly visible on their respective sites.

13.3 Social Media Features and Content

We use services and plugins from third parties to integrate social media platform features and content, as well as to enable the sharing of content on social media platforms and in other ways.

We use the following services in particular:

• Facebook (Social Plugins): Embedding Facebook functions and content, such as "Like" or "Share"; Provider: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Privacy information: Privacy Policy.
• Instagram Platform: Embedding Instagram content; Provider: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Privacy information: Instagram Privacy Policy , Facebook Privacy Policy.

13.4 Map Material

We use services from third parties to embed maps into our website.

We use the following services in particular:

• Mapbox: Map service; Provider: Mapbox Inc. (USA) / Mapbox International Inc. (USA); Privacy information: Privacy Policy , Cookie Policy , "Security".
• OpenStreetMap (OSM): Map service; Provider: OpenStreetMap Foundation (United Kingdom); Privacy information: Privacy Policy.

13.5 Documents

We use services from third parties to embed documents into our website. Such documents may include PDF files, presentations, spreadsheets, and text documents. We may allow not only viewing but also editing or commenting on such documents.

13.6 Fonts

We use services from third parties to embed selected fonts, icons, logos, and symbols into our website.

We use the following services in particular:

• Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: "Your Privacy and Google Fonts" , "Privacy and Data Collection" (at Google Fonts).

13.7 Payments

We use specialized service providers to process payments from our customers securely and reliably. The legal texts of the individual service providers, such as general terms and conditions (GTC) or privacy policies, apply in addition to this Privacy Policy.

We use the following services in particular:

• Payrexx: Payment processing; Provider: Payrexx AG (Switzerland); Privacy information: "Guidelines," including Privacy Policy.

14. Website Extensions

We use extensions for our website to provide additional functions. We may use selected services from appropriate providers or such extensions on our own digital infrastructure.

We use the following services in particular:

• Google reCAPTCHA: Spam protection (distinguishing between legitimate content from humans and unwanted content from bots and spam); Provider: Google; Google reCAPTCHA-specific information: "What is reCAPTCHA?".
• TinyPNG: Image optimization; Provider: Tinify BV (Netherlands); Privacy information: "Terms of Use".

15. Success and Reach Measurement

We try to measure the success and reach of our activities and operations. In this context, we may also measure the impact of third-party references or assess how different parts or versions of our online offerings are used ("A/B testing" method). Based on the results of success and reach measurement, we may correct errors, strengthen popular content, or make improvements.

In most cases, IP addresses of individual users are recorded for success and reach measurement. In such cases, IP addresses are usually truncated ("IP masking") to ensure data minimization.

In success and reach measurement, cookies may be used, and user profiles may be created. Any created user profiles may include, for example, the specific pages visited or content viewed on our website, information on the size of the screen or browser window, and the – at least approximate – location. As a rule , any created user profiles are pseudonymized and not used to identify individual users. Individual third-party services, where users are logged in, may associate the use of our online offerings with the respective user account or profile with the respective service.

We use the following services in particular:

• Google Marketing Platform: Success and reach measurement, particularly with Google Analytics; Provider: Google; Google Marketing Platform-specific information: measurement also across different browsers and devices (cross-device tracking) using pseudonymized IP addresses, which are only exceptionally fully transferred to Google in the USA, Google Analytics Privacy Policy , "Browser Add-on to Disable Google Analytics".

16. Final Provisions

We created this Privacy Policy using the Privacy Policy Generator from Data Protection Partner.

We may adapt and supplement this Privacy Policy at any time. We will inform you about such changes and supplements in an appropriate form, particularly by publishing the current Privacy Policy on our website.