PRIVACY POLICY FOR THE CROSSIETY PLATFORM OF CROSSIETY AG, RÄFFELSTRASSE 24, 8045 ZURICH, SWITZERLAND ("CROSSIETY")

Version 1.9, Status March 2022

With the following statements we would like to inform you about the processing of your personal data. For us as Crossiety AG, the protection of your personal data is very important, so that we are always available and responsive to your concerns, suggestions or complaints.

We use an effective data protection management system to implement the legal requirements. In addition, we are in regular contact with external consultants in order to be continuously informed about current developments and to be able to react accordingly.

Our company therefore always strives to ensure the comprehensive protection of your data and, in doing so, naturally observes the applicable legal regulations of the Federal Data Protection Act (BDSG), the Telemedia Act (TMG), the European Data Protection Directive (GDPR) as well as the Swiss provisions of the Federal Data Protection Act (DSG) and other country-specific data protection regulations applicable to us in each case.

We therefore also reserve the right to update our information on data protection at any time. With the following statements we inform you about actual procedures.

  1. What you need to know in advance:

    The mobile app is installed via distribution platforms operated by third parties (app stores; in particular Google Play and App Store). The download always requires registration with the respective app store. It is important for you as a user that we have no influence on this process and that the collection, storage, use and other processing ("processing" according to Art. 4 No. 2 GDPR) of personal data is carried out by the app store. Therefore, if you have any questions or would like to assert your rights, please contact the respective app store directly.

    In order for the app to function properly, it may be necessary for you to grant access to certain features (e.g., network access & connections, camera, storage, device status) and personal data. If this is the case, your device will inform you about it the first time.

    For other processing of personal data, Crossiety is the controller in terms of the GDPR and the FADP.

    Therefore, Crossiety is happy to inform you about the possible processing of personal data below. Should any further questions arise, you can contact Crossiety at any time using the contact details below.

    1. Definitions

      Our data protection declaration is based on the terms defined by the European legislator in the provisions pursuant to Art. 4 GDPR. For your understanding and quick access, we have attached, among others, the central terminology of this privacy policy and other terms used according to our understanding:

    2. Processor

      Processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

    3. Data subject

      Data subject is any identified or identifiable natural person whose personal data are processed by the controller.

    4. Cookies

      Cookies are text files which are placed and stored on a computer system via a web browser.

    5. Third party

      Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.

    6. Recipient

      Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law are not considered recipients.

    7. Restriction of processing

      Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

    8. Consent

      Consent is any freely given indication of the data subject's wishes for the specific case in an informed and unambiguous manner, in the form of a statement or other unambiguous affirmative act by which the data subject signifies that he or she consents to the processing of personal data relating to him or her.

    9. Personal data

      Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    10. Profiling

      Profiling is any type of automated processing of personal data that consists of using that personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

    11. Processing

      Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    12. Controller or person responsible for the processing

      The controller or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

  2. Responsible party
    • Crossiety AG
      Räffelstrasse 24
      8045 Zurich
      Switzerland
      E-mail: hallo@crossiety.ch
      Phone: +41 (0) 43 255 92 92
      Commercial Register Canton of Zurich, Switzerland: CHE-202.751.242
    • Representative of the responsible person in the EU according to Art. 27 GDPR:
      gotoMEDIA
      Spielplatzstrasse 19
      33129 Delbrück
      Germany
      E-mail: info@gotomedia.de
      Phone: +49 (0) 52 50 / 70 85 – 700
      VAT ID No. DE 196905725
  3. Processing of personal data

    Crossiety does not directly process any personal data for the application or use of the app. However, Crossiety works together with service providers to optimize the app. This takes place, insofar as personal data is processed, within the framework of commissioned processing. Below you can inform yourself about the possible processing of personal data at Crossiety's service providers:

    • Amazon Web Services
      Web service for hosting images and attachments stored in encrypted form in a German data center.
    • easyPRO
      Software for storing customer data regarding administration and billing as well as reporting of data analysis for customers. Reporting is used for orientation regarding performance of the platform.
    • Exoscale
      Server for encrypted storage of data processed in connection with the platform. This data is stored in Switzerland.
    • Firebase
      Helps us develop the platform on mobile as well as the web application.
    • Help Scout
      In Help Scout, we manage user feedback, all requests via email, and Crossiety's support page.
    • Matomo
      Tool for anonymized analysis of the use of our platform.
    • OpenStreetMap
      OpenStreetMap is used in the interest of an appealing presentation of our online offers and an easy findability of the places we indicate on the platform.
    • Pipedrive
      Our CRM tool, where we manage the data of our customers.
    • Pusher
      We use Pusher to send push notifications.
    • SendGrid
      For sending the notifications and summaries as well as the newsletter, we work with SendGrid, an email sending service company. SendGrid's software is used to process your data on our behalf.
    • Sentry
      Software used for testing and monitoring the platform.
    • Twilio
      We use Twilio to send the SMS that are sent during the two-step verification process.
  4. Scope and purpose of the collection of general data and information and their processing

    Our platform collects a series of general data and information with each call of the platform by a data subject or an automated system. This general data and information is stored in the log files of the server. The following data may be collected:

    1. browser types and versions used,
    2. the operating system used by the accessing system,
    3. the website from which an accessing system arrives at our platform (so-called referrer),
    4. the sub-websites that are accessed via an accessing system on our platform,
    5. the date and time of an access to the platform,
    6. an Internet protocol address (IP address),
    7. the Internet service provider of the accessing system, and
    8. other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

    When using these general data and information, we do not draw any conclusions about the data subject. Rather, this information is required in order to

    1. deliver the contents of our platform correctly,
    2. optimize the contents of our platform as well as the advertising for the same,
    3. ensure the long-term functionality of our information technology systems and the technology of our platform, and
    4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

    We therefore evaluate this anonymously collected data and information statistically and also with the aim of increasing the data protection and data security of our enterprise, and ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.
  5. Notifications and summaries

    When registering on our platform, you can sign up for our notifications by email or by mobile (as a push message) and for regular summaries by email about what is happening on our platform. These services are free of charge. To send the notifications or summaries, we use the email address you provided during registration. Your registration for the notifications or summaries will be logged (storage of the registration and confirmation time as well as the IP address) in order to be able to prove the registration process in accordance with the legal requirements.

    For sending the notifications and summaries we work together with SendGrid, Inc. With the software of SendGrid, Inc. your data is processed on our behalf. You can unsubscribe from receiving notifications and summaries at any time. We will inform you about the corresponding settings when you register or log in to these services. In addition, you can also adjust the settings at a later time on our platform in the profile settings under "Notifications". Of course, you can also unsubscribe by notifying us accordingly (see above under "Contact us"). By signing up for notifications and summaries during your registration, you consent to the corresponding data processing.

  6. Cookies

    We use cookies on our platform. Cookies are text files that are automatically created by a web browser and stored on a computer system or device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your end device, do not contain viruses, Trojans or other malware. Information is stored in the cookie, the so-called cookie ID, which results in each case in connection with the specific end device used. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which websites and servers can be assigned to the specific web browser in which the cookie was stored. This enables the visited websites and servers to distinguish the individual browser of the data subject from other web browsers that contain other cookies. A specific web browser can be recognized and identified via the unique cookie ID. This does not mean, however, that we gain immediate knowledge of your identity.

    Through the use of cookies, we can provide you, the user, with more user-friendly services that would not be possible without the cookie setting. By means of a cookie, the information and offers on our platform can be optimized in the sense of the user. Cookies enable us, as already mentioned, to recognize the users of our platform. The purpose of this recognition is to make it easier for users to use our platform.

    For example, we use so-called session cookies to recognize that you have already visited individual pages of our platform. These are automatically deleted after you leave our platform.

    In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your end device for a certain fixed period of time. If you visit our platform again, it is automatically recognized that you have already been with us and which entries and settings you have made so that you do not have to enter them again. For example, the user of a website that uses cookies does not have to re-enter his or her access data each time he or she visits the website, because this is done by the website and the cookie stored on the user's computer system. On the other hand, we use cookies to statistically record the use of our platform and to evaluate it for the purpose of optimizing our offer for you. These cookies enable us to automatically recognize that you have already been to our platform when you visit it again. These cookies are automatically deleted after a defined period of time.

    The processing of your personal data by means of these text files (cookies) is carried out on different legal bases and is based, among other things, on the findings of the current jurisdiction of the Federal Court of Justice. It is thus clear that only necessary cookies are processed in accordance with Art. 6 (1) f GDPR, whereas all other cookies are subject to your express consent in connection with Art. 6 (1) a GDPR and the requirements of Art. 7 GDPR.

    The data subject, i.e. you, can also prevent the setting of cookies by our platform at any time by means of an appropriate setting of the respective web browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via a web browser or other software programs. This is possible in all common web browsers. If the data subject deactivates the setting of cookies in the web browser used, not all functions of our platform may be fully usable.

    You can use your web browser to delete cookies automatically or manually. You can also specify that certain cookies may not be placed. Another option is to change your web browser settings so that you receive a message each time a cookie is set. For more information on these options, see the instructions in your browser's help section.

    Please note that our platform may not function properly if all cookies are disabled. If you delete the cookies in your browser, they will be placed again when you visit our platform again.

  7. Legal basis of the processing

    The "Consent" in conjunction with Art. 6 I lit. a GDPR and Art. 7 GDPR serves our company as the legal basis for processing operations for which we obtain individual consent from you for a specific purpose. If the processing of personal data is necessary for the performance of a contract concluded between you and us, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services. If our company is subject to a legal obligation by which a processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data might become necessary to protect vital interests of you or another natural person. This would be the case, for example, if a visitor were to be injured on our premises and as a result his or her name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 I lit. d GDPR. Finally, processing operations could be based on Art. 6 I lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden.

  8. Legitimate interests in the processing pursued by the controller or a third party

    If the processing of personal data is based on Article 6 I lit. f GDPR, we will name our legitimate interest in each case for the individual processing operations.

  9. Transfer of data

    We do not transfer your personal data to third parties for purposes other than those listed below in this privacy notice.

    We will only pass on your personal data to third parties if:

    • you have given your express consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR,

    • the disclosure is necessary for the assertion, exercise or defense of legal claims pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,

    • in the event that there is a legal obligation to disclose your data pursuant to Art. 6 (1) sentence 1 lit. c GDPR, or

    • this is legally permissible and necessary according to Art. 6 para. 1 sentence 1 lit. b GDPR for the processing of contractual relationships with you.

    • Duration of storage of personal data

      The processed personal data, in particular the storage of personal data, are classified according to data categories and are subject to any deletion processes in accordance with the statutory retention and regular deletion periods in accordance with the implementation requirements.

    • Legal or contractual requirements for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of not providing the personal data

      We also inform you that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. information on the contractual partner). Sometimes it may be necessary for the conclusion of a contract that you provide us with personal data, which must then be processed by us. Failure to provide the personal data would mean that the contract with you could not be concluded. Before providing personal data by the data subject, the data subject may contact our representative pursuant to Art. 27 GDPR or another of our employees. Our representative pursuant to Art. 27 GDPR or another of our employees will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.

    • Existence of automated decision-making

      As a responsible company, we do not use automated decision-making or profiling.

  10. Routine deletion and blocking of personal data

    We process and store your personal data only for the period of time necessary to achieve the purpose of the processing or if this has been provided for by the European legislator or the national legislator authoritative for us, whose laws or regulations we are subject to. For the implementation of the authorization and deletion concept, Crossiety has formed data categories and assigned them to the necessary retention and regular deletion periods.

  11. Data security

    During your visit to our platform, we use the common SSL procedure (Secure Sockets Layer) in connection with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual subpage of our platform is encrypted by the closed display of the key or lock symbol in the status bar of your browser.

    We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

  12. Your rights

    As a data subject, you have the following rights, which you can assert against us at any time:

    1. Right to information

      Pursuant to Art. 15 GDPR, you have the right at any time to receive from us, free of charge, information about the personal data stored about you and a copy of this information. Furthermore, you are also entitled to request information about the following:

      • the processing purposes;
      • the categories of personal data that are processed;
      • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
      • if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
      • the existence of a right to obtain the rectification or erasure of personal data concerning you, or to obtain the restriction of processing by the controller, or a right to object to such processing;
      • the existence of a right of appeal to a supervisory authority;
      • any available information about the origin of the data, if the personal data are not collected from and by the data subject himself;
      • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for you as the data subject.

      Furthermore, you have the right to information as to whether personal data has been transferred to a third country or to an international organization. If this is the case, you also have the right to obtain information about the appropriate safeguards in connection with the transfer.

    2. Right to rectification

      In addition, according to Art. 16 GDPR, you are entitled to demand the immediate correction of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration - taking into account the purposes of the processing.

    3. Right to erasure (right to be forgotten)

      Furthermore, pursuant to Art. 17 GDPR, you may request that the personal data concerning you be erased without undue delay, provided that one of the following reasons applies and to the extent that the processing is no longer necessary:

      • the personal data were collected or otherwise processed for such purposes for which they are no longer necessary;
      • the data subject revokes his or her consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR and there is no other legal basis for the processing;
      • the data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR;
      • the personal data have been processed unlawfully;
      • erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject;
      • the personal data has been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

      If the personal data have been made public by us and our company as a controller is obliged to erase the personal data pursuant to Article 17 (1) GDPR, we will take reasonable measures, including technical measures, taking into account the available technology and the cost of implementation, to inform other data controllers which are processing the published personal data, that you, as the data subject, have requested from those other data controllers to erase all links to or copies or replications of the personal data, unless the processing is necessary.

    4. Right to restriction of processing

      Art. 18 GDPR entitles you to request restriction of processing if one of the following conditions is met:

      • the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data;
      • the processing is unlawful, the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data;
      • the controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the establishment, exercise or defense of legal claims;
      • the data subject has objected to the processing pursuant to Article 21 (1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject.
    5. Right of objection

      Furthermore, pursuant to Art. 21 GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.

      We shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or for the assertion, exercise or defense of legal claims.

      If we process personal data for the purposes of direct marketing, you have the right to object at any time to processing of personal data for such marketing. This also applies to profiling, insofar as it is related to such direct marketing. If you object to us processing for direct marketing purposes, we will of course no longer process this personal data for these purposes.

      In addition, you have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you by us for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

      You are also free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

    6. Right to revoke consent under data protection law

      By way of clarification, we would like to expressly point out once again that you are entitled to revoke your consent to the processing of personal data at any time in accordance with Art. 7 (3) of the General Data Protection Regulation (GDPR).

    If you wish to make use of one of the rights to which you are entitled in accordance with lit. a) to lit. f) mentioned in this section 12, please contact our representative named in section 2 above in accordance with Art. 27 of the General Data Protection Regulation (GDPR) or another member of our staff at any time.

    In the event of assertion of the right to erasure (lit. e) and restriction of processing (lit. f), our representative pursuant to Art. 27 GDPR or another of our employees will comply with the respective request without undue delay and will take the necessary steps in the individual case.

    The Crossiety platform is not used for profiling or scoring measures (Art. 22 GDPR).

  13. Actuality and change of this privacy policy

    This privacy policy is currently valid and has the status of March 2022.

    Due to the further development of our platform and offers on it or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. We therefore recommend that you check our privacy policy regularly.