Data protection
- What is this privacy policy about?
Data protection is a matter of trust, and your trust is important to us. In this privacy policy, we therefore inform you how and for what purpose we collect, process, and use your personal data.
In this privacy policy, you will learn, among other things:
- what personal data we collect and process;
- for what purposes we use your personal data;
- who has access to your personal data;
- what benefits our data processing has for you;
- how long we process your personal data;
- what rights you have with regard to your personal data; and
- how you can contact us.
We have aligned this privacy policy with both the Swiss Data Protection Act and the European General Data Protection Regulation – GDPR for short. The GDPR has established itself worldwide as a benchmark for strong data protection. However, whether and to what extent the GDPR is applicable depends on the individual case.
- Who is responsible for data processing?
The company that determines whether this processing should take place, for what purposes it takes place, and how it is designed is responsible for a specific data processing under data protection law. For the data processing described in this privacy policy, La bottega del caffè GmbH is generally responsible.
- For whom and for what is this privacy policy intended?
This privacy policy applies to all persons whose data we process (hereinafter "you"), regardless of how you contact us, e.g. in an online shop, on a website, in an app, in our shop, by phone, via a social network, at an event, etc. It applies to both the processing of already collected and future collected personal data.
Our data processing may particularly concern the following categories of persons, insofar as we process personal data in this context:
- visitors to our websites;
- holders of a customer account;
- customers in our online shops and branches;
- merchants who offer products and services through our online shops;
- other persons who use our services or come into contact with our offers;
- users of our online services and apps;
- visitors to our premises;
- persons who write to us or contact us in any other way;
- recipients of information and marketing communications;
- participants in competitions and prize draws;
- participants in customer events and public events;
- participants in market research and opinion polls and customer surveys;
- contact persons of our suppliers, customers and other business partners, as well as organisations and authorities; and
- job applicants.
Please also consult the contractual terms for individual services (e.g. general terms and conditions, terms of use or conditions of participation). These may contain supplementary information on our data processing.
- What personal data do we process?
"Personal data" is information that can be associated with a specific person. We process various categories of such personal data. The most important categories are listed below for your guidance. However, in individual cases, we may also process other personal data.
In section 5, you will find more information about the origin of this data and in section 6 about the purposes for which we process this data.
4.1 Master Data
Master data is the basic data about you, such as salutation, name, contact details or date of birth. We collect master data in particular when you create a customer account. We also collect master data, for example, when you participate in a competition or prize draw or subscribe to a newsletter. In addition, we collect master data about contact persons and representatives of contractual partners, organisations and authorities.
Master data includes, for example:
- salutation, first name, last name, gender, date of birth;
- address, e-mail address, telephone number and other contact details;
- customer numbers (e.g. for participants in a loyalty program);
- payment information (e.g. stored payment methods, bank details, billing address);
- username and profile picture;
- information about the use of our online platforms (e.g. whether you are registered with us);
- information about linked websites, social media profiles, etc.;
- information about affinities and interests, language preferences, etc.;
- information about your relationship with us (customer, visitor, supplier, etc.);
- information about connected third parties (e.g. contact persons, recipients of services or representatives);
- settings regarding the receipt of advertising, subscribed newsletters, etc.;
- information about your status with us (inactivity or blocking of a customer account, bans from branches, etc.);
- information about participation in competitions and prize draws;
- official documents in which you appear (e.g. identification documents, commercial register excerpts, permits, etc.);
- information about titles and functions in the company for contact persons and representatives of our business partners;
- date and time of registrations.
In some cases, you may be able to log in to individual online services with the login of a third-party provider (e.g. Apple, Google or Facebook). In this case, we gain access to certain data stored with the respective provider, e.g. your name and e-mail address, the scope of which you can usually determine. You can find information on this in the privacy policy of the respective provider.
4.2 Contract Data
Contract data is personal data that arises in connection with the conclusion or processing of a contract, e.g. information about the conclusion of a contract, acquired rights and claims, or information about customer satisfaction. We conclude contracts primarily with customers, business partners, and job applicants. If you use our services based on a contract, e.g. purchase products or use services, we often also collect behavioral and transaction data (see Section 4.4).
Contract data includes, for example, information:
- about the initiation and conclusion of contracts, e.g. date of conclusion of the contract, information from the application process and information about the relevant contract (e.g. type and duration or, if necessary, identity verification such as copies of official ID cards);
- about the processing and administration of contracts (e.g. contact details, delivery addresses, successful or failed deliveries and payment method information);
- in connection with customer service and technical support;
- about our interactions with you (possibly a history with corresponding entries);
- about claims and acquired rights and benefits (e.g. vouchers);
- about defects and complaints as well as contract adjustments;
- on customer satisfaction, which we may collect through surveys;
- on financial matters such as determining creditworthiness (i.e. information that allows conclusions about the likelihood that claims will be paid), reminders, debt collection and enforcement of claims;
- in connection with a job application, e.g. CV, references, qualifications, certificates, interview notes, etc. (which may also contain personal data of third parties);
- on interactions with you as a contact person or representative of a business partner;
- in connection with security checks (e.g. checking for fraudulent activities in orders) and other checks regarding the establishment or continuation of a business relationship.
4.3 Communication Data
When you contact us or we contact you, for example, if you contact customer service or if you write or call us, we process the exchanged communication content and information about the type, time, and location of the communication. In certain situations, we may also ask you for proof of identity for identification purposes.
Communication data includes, for example:
- name and contact details such as postal address, email address, and telephone number;
- content of emails, written correspondence, chat messages, social media posts, comments on a website, phone calls, video conferences, etc.;
- responses to customer and satisfaction surveys;
- information about the type, time, and possibly location of the communication;
- proof of identity such as copies of official ID cards;
- metadata of the communication.
Telephone and video conference calls with us may be recorded; we will inform you of this at the beginning of the call. If you do not wish us to record such calls, you have the option at any time to end the call and contact us in another way (e.g. by email).
4.4 Behavioral and Transaction Data
When you make purchases from us, use our services and infrastructure, or utilize our services, we frequently collect data about this usage. This is the case, for example, when you make a purchase in one of our online stores, become active in our communities, or use our websites and apps. If you act on behalf of third parties, personal data may also concern these third parties (e.g., your family members if you make purchases for them).
Behavioral and transaction data include, for example, the following information, insofar as it is available to us in a personalized form:
- about your behavior in online shops (ordered and abandoned shopping carts, watchlists, viewed items, search terms and results, type of payment method, chosen delivery method, etc.);
- about your purchases in branches (e.g. where, how often, what and at what prices you buy, as well as the type of payment method and chosen delivery method);
- about your visit to our events (e.g. date, location and type of event);
- about participation in competitions, prize draws and similar events;
- about your behavior on websites;
- about the installation and use of our mobile apps;
- about your use of electronic communications from us (e.g. whether and when you opened an email or clicked on a link);
- about your use of our Wi-Fi networks (e.g. date, time and duration of connection, location of the Wi-Fi network and data volume).
Some of our offerings can also be used anonymously.
4.5 Preference Data
We aim to tailor our offers and services to our customers as best as possible. Therefore, we also process data about your interests and preferences. For this purpose, we can link behavioral and transaction data with other data and evaluate this data both personally and non-personally. This allows us to draw conclusions about characteristics, preferences, and probable behavior, e.g. your affinity for certain products and services.
In particular, we can form segments (permanently or on a case-by-case basis), i.e., groups of people who show similarities with regard to certain characteristics. Preference data can be used in a personalized way (e.g. to show you relevant advertising that might interest you) but also in a non-personalized way, e.g. for market research or product development.
The described processing operations can also be referred to in technical terms as "profiling". You can find more information on profiling in Section 11.
4.6 Technical Data
When you use our websites, Wi-Fi networks, or other electronic services, we collect certain technical data such as your IP address or a device ID. Technical data also includes the logs in which we record the use of our systems (log data). In some cases, we may also assign a unique identification number (an ID) to your end device (tablet, PC, smartphone, etc.), e.g. by means of cookies or similar technologies, so that we can recognize it.
Based on technical data, behavioral data can also be collected, i.e. information about your use of websites and mobile apps (see Section 4.4). However, we usually cannot deduce who you are from technical data, unless, for example, you create a customer account or register for other services. In this case, we can link technical data with master data - and thus with your person.
Technical data includes, among other things:
- the IP address of your device and other device IDs (e.g. MAC address);
- identification numbers assigned to your device by cookies and similar technologies (e.g. pixel tags);
- information about your device and its configuration, e.g. operating system or language settings;
- information about the browser you use to access the service and its configuration;
- information about your movements and actions on our websites and in our apps;
- information about your internet provider;
- your approximate location and the time of use;
- system-side records of accesses and other processes (log data);
- metadata from telecommunications.
4.7 Image and Audio Recordings
We regularly create photos, videos, and audio recordings in or on which you may appear, e.g., if you participate in an event, contact our customer service, or receive advice via video conference. For security and evidentiary purposes, we also make video recordings in our branches and other premises. In doing so, we may obtain information about your behavior in the relevant areas. The use of video surveillance systems is geographically limited and marked.
Image and audio recordings include, for example:
- recordings from video surveillance systems;
- photos, videos and audio recordings of customer events and public events (e.g. promotional events, sponsoring events or cultural and sports events);
- photos, videos and audio recordings of courses, lectures, training sessions etc.;
- recordings of telephone and video conference calls (e.g. in customer service or customer consulting).
- Where does the personal data come from?
5.1 Provided Data
You often provide us with personal data yourself, e.g. when you transmit data to us or communicate with us. In particular, you usually provide us with master, contract and communication data yourself. You also frequently provide us with preference data yourself.
For example, you provide us with personal data in the following cases:
- You create a customer account;
- You participate in a prize draw or a competition;
- You contact our customer service;
- You register for other offers, such as our newsletter.
The provision of personal data is generally voluntary, i.e., you are usually not obliged to disclose personal data to us. However, we must collect and process the personal data that is necessary for the fulfillment of a contractual relationship and for the fulfillment of related obligations or legally required, e.g., mandatory master and contract data. Otherwise, we cannot conclude or continue the contract concerned.
If you transmit data about other persons (e.g. family members) to us, we assume that you are authorized to do so and that this data is correct. Please also ensure that these other persons have been informed about this privacy policy.
5.2 Collected Data
We may also collect personal data about you ourselves or automatically, for example, when you make a purchase from us, use our services, or utilize our services. This often involves behavioral and transaction data, as well as technical data (e.g., the time you access our website).
For example, we collect personal data about you independently in the following cases:
- You order a product in one of our online shops;
- You visit one of our websites or use one of our apps;
- you shop in one of our branches and provide your customer account details;
- you click on a link in one of our newsletters or otherwise interact with one of our electronic marketing communications.
We may also derive personal data from existing personal data, for example by evaluating behavioural and transaction data. Such derived personal data often comprises preference data.
For example, we may analyse behavioural and transaction data collected during purchases in our online shops and use this to make assumptions about your personal interests, preferences, affinities and habits. This allows us to tailor our offers and information to your individual needs and interests, for example. In this way, we can send you a personalised selection of relevant offers. Further information on behavioural and transaction data can be found in section 4.4 and on profiling in this context in section 11.
5.3 Data received
We may also receive information about you from other third parties, for example from companies with whom we cooperate, from individuals who communicate with us, or from public sources. Further information on this can be found in section 8.
For example, we may receive information about you from the following third parties:
- from cooperation partners, e.g. points collection or redemption partners;
- from your employer and from colleagues, in connection with an application and with their professional functions;
- from third parties, if correspondence and meetings concern you;
- from persons in your environment (family members, legal representatives, etc.), e.g. your address for deliveries, references or powers of attorney;
- from credit agencies, e.g. when we obtain creditworthiness information;
- from Swiss Post and from address traders, e.g. for address updates;
- from banks, insurance companies, sales and other contractual partners for purchases and payments;
- from providers of online services, e.g. providers of internet analysis services;
- providers of cyber security services
- from information services for compliance with legal requirements such as anti-money laundering and export restrictions;
- from authorities, parties and other third parties in connection with official and judicial proceedings;
- from media monitoring companies in connection with articles and reports in which you appear;
- from public registers such as the debt enforcement or commercial register, from public bodies such as the Federal Statistical Office, from the media or from the Internet.
- For what purposes do we process personal data?
6.1 Communication
We want to stay in touch with you and respond to your individual concerns. We therefore process personal data for communication with you, e.g. responding to enquiries and customer care. For this purpose, we particularly use communication and master data and, insofar as the communication concerns a contract, also contract data. We may also personalise the content and timing of messages based on behavioural, transaction and preference data and other data.
The purpose of communication includes in particular:
- responding to enquiries;
- contacting you with questions;
- customer service and customer care;
- communication in connection with product recalls (e.g. we may contact you directly if we know that you have purchased a product affected by a recall);
- sending other notifications (e.g. order status information);
- authentication, e.g. when using our online services;
- quality assurance and training;
- all other processing purposes, insofar as we communicate with you for them (e.g. contract processing, information and direct marketing).
6.2 Contract fulfilment
We want to offer you the best possible service. We therefore process personal data in connection with the initiation, administration and fulfilment of contractual relationships, e.g. to deliver an order, provide a service, mediate purchases and services, build our communities, run a loyalty programme or organise a prize draw. Contract fulfilment also includes any agreed personalisation of services. For this purpose, we particularly use master data, contract data, communication data, behavioural and transaction data as well as preference data.
The purpose of contract fulfilment generally covers everything that is necessary or expedient to conclude, execute and, if necessary, enforce a contract.
This includes, for example, processing operations:
- to decide whether and how (e.g. with which payment options) we enter into a contract with you (including credit checks);
- to provide contractually agreed services, e.g. to deliver goods, provide services and make functions available (including personalised service components);
- to provide customer services and to ascertain customer satisfaction;
- to operate and manage loyalty programmes, e.g. to account for and credit acquired entitlements and benefits (e.g. promotional vouchers and promotional codes);
- to determine, notify and, if necessary, publish the winners of competitions and prize draws;
- to invoice our services and generally for accounting;
- to plan and prepare the provision of our services, e.g. deployment planning of our employees;
- to check the suitability of job applicants and, if applicable, to prepare and conclude the employment contract;
- to check whether we want and can cooperate with a company, and to monitor and evaluate its services;
- to prepare and carry out corporate law transactions, e.g. company purchases, sales and mergers;
- to enforce legal claims from contracts (debt collection, legal proceedings, etc.);
- to manage and administer our IT and other resources;
- to store data as part of retention obligations;
- to terminate and end contracts.
6.3 Information and Marketing
We want to provide you with attractive offers. We therefore process personal data for relationship management and for marketing purposes, e.g. to send you written and electronic communications and offers and to carry out marketing campaigns. These may be our own offers or those of advertising partners. We may also act for other companies and also assume the role of an agency, for example to carry out advertising campaigns for the products of these companies.
Communications and offers can also be personalised in each case in order to send you only information that is likely to be of interest to you. For this purpose, we use in particular master, contract, communication, behavioural and transaction data as well as preference data, but also image and sound recordings.
These may include, for example, the following communications and offers:
- newsletters, promotional emails, in-app messages and other electronic messages;
- promotional brochures, magazines and other printed materials;
- promotional messages and spots on screens and other advertising spaces;
- delivery of promotional vouchers and promotional codes;
- invitations to events, prize draws and competitions.
You can object to contacts for marketing purposes at any time (see section 15). For newsletters and other electronic communications, you can usually unsubscribe from the respective service via your customer account and via an unsubscribe link integrated in the message.
The personalisation of our communications allows us to tailor information to your individual needs and interests and to present you only with offers that are relevant to you. For example, we can send you a personalised selection of products relevant to you or show you online content tailored to you. Personalisation also allows you to find the products you are looking for more quickly in our extensive online offering. In general, tailoring our activities to the wishes and needs of our customers simplifies processes such as purchases or sales, so that you can reach your goal more quickly. Further information on profiling in this context can be found in section 11.
6.4 Market research and product development
We want to continuously improve our offers and make them more attractive for you. We therefore process personal data for market research and product development. For this purpose, we particularly process master, behavioural, transaction and preference data, but also communication data and information from customer surveys, polls and studies and other information, e.g. from the media, from the internet and from other public sources. Wherever possible, we use pseudonymised or anonymised information for these purposes.
Market research and product development include in particular:
- the conduct of customer surveys, polls and studies;
- the further development of our offers (e.g. assortment design, location selection, pricing and promotional planning, etc.);
- the evaluation and improvement of the acceptance of our offers and our communication in connection with offers;
- the optimisation and improvement of the user-friendliness of websites and apps;
- the development and testing of new offers;
- the review and improvement of our internal processes;
- statistical evaluations, e.g. to evaluate information about our customers' interactions with us on a non-personal basis;
- the assessment of the offer situation on a specific market and the behaviour of our competitors;
- market observation, e.g. to understand current developments and trends and to react to them.
6.5 Security and prevention
We want to ensure your and our security and prevent misuse. We therefore also process personal data for security purposes, to ensure IT security, for theft, fraud and misuse prevention and for evidentiary purposes. This may concern all categories of personal data mentioned in section 4, in particular behavioural and transaction data as well as image and sound recordings. We may collect, evaluate and store this data for the stated purposes.
The purpose of security and prevention includes, for example:
- the creation and evaluation (manually and automatically) of video recordings for the detection and prosecution of criminal acts;
- the performance of random checks to verify the correct recording and payment of goods in our branches;
- the issuance of house bans and the administration of house ban lists;
- the analysis of behavioural and transaction data for the purpose of detecting suspicious behaviour patterns and fraudulent activities;
- the evaluation of system-side records of the use of our systems (log data);
- the prevention, defence and investigation of cyber attacks and malware attacks;
- analyses and tests of our networks and IT infrastructures as well as system and error checks;
- control of access to electronic systems (e.g. logins to user accounts);
- physical access controls (e.g. access to office premises);
- documentation purposes and creation of security copies.
For security and prevention purposes, we can also automatically evaluate video recordings. In a concrete case of suspicion, for example, we can define a combination of characteristics (such as clothing or height) and have this combination of characteristics automatically searched for in existing video recordings of a certain period. This allows us to evaluate video recordings more efficiently and thus supports us in the investigation of criminal acts. In this context, however, we do not carry out any analysis of biometric data (e.g. facial recognition) nor an automated evaluation of behavioural patterns or similar analyses.
6.6 Compliance with legal requirements
We want to create the conditions for compliance with legal requirements. We therefore also process personal data to comply with legal obligations and to prevent and detect violations. This includes, for example, the receipt and processing of complaints and other notifications, compliance with orders from a court or an authority, as well as measures for the detection and clarification of misuse and the legally prescribed retention of ancillary data from telecommunications (mobile subscription). This may concern all categories of personal data mentioned in section 4.
Compliance with legal requirements includes in particular:
- the protection of minors, e.g. enforcing age limits for the purchase of alcohol;
- the implementation of health and protection concepts;
- enquiries about business partners;
- the receipt and processing of complaints and other notifications;
- the legally prescribed retention of ancillary data from telecommunications (mobile subscription);
- the conduct of internal investigations;
- ensuring compliance and risk management;
- the disclosure of information and documents to authorities if we have a factual reason for doing so (e.g. because we are the injured party ourselves) or are legally obliged to do so;
- cooperation in external investigations, e.g. by a law enforcement or supervisory authority;
- ensuring legally required data security;
- fulfilling disclosure, information or reporting obligations, e.g. in connection with supervisory and tax law obligations, e.g. for archiving obligations and to prevent, detect and investigate criminal offences and other violations;
- the legally regulated fight against money laundering and terrorist financing.
In all cases, this may involve Swiss law, but also foreign regulations to which we are subject, as well as self-regulation, industry and other standards, our own "Corporate Governance" or official instructions.
6.7 Safeguarding rights
We want to be able to assert our claims and defend ourselves against claims by others. We therefore also process personal data for safeguarding rights, e.g. to enforce claims in court, out-of-court or before authorities at home and abroad or to defend ourselves against claims. Depending on the constellation, we process different personal data, e.g. contact data as well as information about processes that have given rise to or could give rise to a dispute.
The purpose of safeguarding rights includes in particular:
- the investigation and enforcement of our claims, which may also include claims of companies affiliated with us and our contractual and business partners;
- the defence against claims against us, our employees, companies affiliated with us and against our contractual and business partners;
- the clarification of litigation prospects and other legal, economic and other questions;
- participation in proceedings before courts and authorities at home and abroad. For example, we may secure evidence, have litigation prospects clarified or submit documents to an authority. It may also be that authorities ask us to disclose documents and data carriers containing personal data.
- On what legal basis do we process personal data?
Depending on the purpose of the data processing, our processing of personal data is based on different legal bases. We may process personal data in particular if the processing:
- is necessary for the fulfilment of a contract with the data subject or for pre-contractual measures (e.g. checking a contract application);
- is necessary for the pursuit of legitimate interests, for example if data processing is a central component of our business activities;
- is based on consent;
- is necessary for compliance with domestic or foreign legal regulations.
We have a legitimate interest in particular in the processing for the purposes described above in Section 6 and in the disclosure of data according to Section 8, as well as the objectives associated with each. Legitimate interests include our own interests and the interests of third parties.
These legitimate interests include, for example, the interest in
- supplying products and services to third parties (e.g., to gifted persons);
- good customer service, maintaining contacts, and communicating with customers even outside of a contract;
- advertising and marketing activities;
- getting to know our customers and other people better;
- improving products and services and developing new ones;
- intra-group administration and intra-group traffic, which is necessary in a group with division of labor;
- mutual support of the group companies in their activities and goals;
- fraud prevention, e.g., in online shops, and the prevention and investigation of offenses;
- ensuring IT security, especially in connection with the use of websites, apps, and other IT infrastructure;
- ensuring and organizing business operations, including the operation and further development of websites and other systems;
- corporate management and development;
- the sale or purchase of companies, parts of companies, and other assets;
- the assertion or defense of legal claims;
- compliance with Swiss and foreign law as well as internal rules.
- To whom do we disclose personal data?
We may disclose your personal data to companies outside La bottega del caffè GmbH if we use their services. As a rule, these service providers process personal data on our behalf as so-called "processors." Our processors are obliged to process personal data exclusively according to our instructions and to take appropriate data security measures. Certain service providers are also jointly or independently responsible (e.g., collection agencies). We ensure data protection throughout the entire processing of your personal data through the selection of service providers and through appropriate contractual agreements.
This includes, for example, services in the following areas:
- shipping and logistics, e.g., for sending ordered goods;
- advertising and marketing services, e.g., for sending messages and information;
- warranty and returns, e.g., for repairs in case of defects;
- business administration, e.g., accounting or asset management;
- payment services;
- credit information, e.g., if you want to make a purchase on account;
- collection services;
- insurance providers;
- fraud prevention services carried out by payment service providers on their own responsibility, such as PayPal Fraud Protection. Such procedures are only applied if you are already a customer of the respective payment service provider. More detailed information can then be found in the privacy policy of the respective service provider;
- IT services, e.g., services in the areas of data storage (hosting), cloud services, sending of email newsletters, data analysis and refinement, etc.;
- consulting services, e.g., services of tax consultants, lawyers, business consultants, or consultants in the field of personnel recruitment and placement.
It is also possible that we may disclose personal data to other third parties for their own purposes, e.g., if you have given us your consent or if we are legally obliged or entitled to do so. In these cases, the recipient of the data is an independent data controller under data protection law.
This includes, for example, the following cases:
- information on product recalls by manufacturers, provided that you have purchased a product from the manufacturer from us.
- the transfer of claims to other companies such as collection agencies;
- the review or execution of corporate transactions such as company purchases, sales, and mergers;
- the disclosure of personal data to courts and authorities in Switzerland and abroad, e.g., to law enforcement agencies in case of suspected criminal offenses;
- the processing of personal data to comply with a court order or official directive or to assert or defend legal claims or if we deem it necessary for other legal reasons. In doing so, we may also disclose personal data to other parties involved in the proceedings.
- How do we disclose personal data abroad?
We mostly process and store personal data in Switzerland and the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and other recipients (see Section 8) who are located outside this area or process personal data outside this area, generally in any country in the world. The countries concerned may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a state, we ensure the protection of your personal data in an appropriate manner.
- How do we process particularly sensitive personal data?
Certain types of personal data are considered "particularly sensitive" under data protection law, e.g., health information and biometric characteristics. Depending on the constellation, the categories of personal data mentioned in Section 4 may also include such particularly sensitive personal data. However, we generally only process particularly sensitive personal data if it is necessary for the provision of a service, you have disclosed this data to us on your own initiative, or you have consented to the processing. We may also process particularly sensitive personal data if this is necessary for the protection of rights or compliance with domestic or foreign legal provisions, the corresponding data has been obviously publicly disclosed by the data subject, or applicable law otherwise permits their processing.
We may process particularly sensitive personal data, for example, in the following cases:
- You want to order an alcoholic beverage in an online shop and add an identification document to your customer account for digital age verification;
- You apply for an open position and provide information about your health, trade union membership, or criminal record and criminal measures.
- How do we use profiling?
"Profiling" means the automated processing of personal data to analyze personal aspects or make predictions, e.g., the analysis of personal interests, preferences, affinities, and habits or the prediction of probable behavior. Profiling can be used, in particular, to derive preference data (further information can be found in Section 4.5).
Profiling is a common process, e.g., in the automated processing of
- master, contract, behavioral, and transaction data for purchases in our online shops and branches;
- behavioral and transaction data as well as technical data in connection with our websites and apps;
- information in connection with visiting events or participating in competitions, sweepstakes, and similar events;
- communication data, e.g., your reaction to advertising and other communications;
- other behavioral and transaction data.
Profiling helps us, for example, to
- continuously improve our offers and better tailor them to individual needs;
- present our content and offers to you according to your needs;
- provide you with only advertising and offers that are likely to be relevant to you;
- better support you in customer service;
- decide which payment options are available based on a credit check.
We carry out profiling, for example, in connection with our online shops by evaluating your purchasing behavior and assigning you to certain interests based on this. Such interests can be formed permanently or on a case-by-case basis and can relate, for example, to the purchase motive. This profiling enables us, for example, to send you product suggestions that are relevant to you via newsletter.
Profiling also takes place, for example, in connection with the customer account, e.g., by evaluating your usage and purchasing behavior in our online shops as well as on our websites and apps, for example, to offer you an individual user experience and to present you with offers tailored to your interests.
To improve the quality of our analyses and predictions, we can also link personal data from different sources as a basis for profiling, e.g., data collected via various of our services. Self-learning algorithms (certain programming in computer programs) may also be used.
You can object to profiling in certain cases as described in Section 15.
- Do we make automated individual decisions?
"Automated individual decisions" are decisions that are made entirely automatically, i.e., without human influence, and that have legal consequences for the data subject or significantly affect them in another way. We generally do not do this, but we will inform you separately if we use automated individual decisions in individual cases. You then have the option of having the decision reviewed by a person if you do not agree with it.
- How do we protect personal data?
We take appropriate technical and organizational security measures to ensure the security of your personal data, to protect it against unauthorized or unlawful processing, and to counteract the risk of loss, unintentional alteration, unwanted disclosure, or unauthorized access. However, like all companies, we cannot rule out data security breaches with absolute certainty; certain residual risks are unavoidable.
Technical security measures include, for example, encryption and pseudonymization of data, logging, access restrictions, and the storage of backup copies. Organizational security measures include, for example, instructions to our employees, training, and controls. We also oblige our processors to take appropriate technical and organizational security measures.
- How long do we process personal data?
We process and store your personal data,
- as long as it is necessary for the purpose of processing or for purposes compatible with it, in the case of contracts usually at least for the duration of the contractual relationship;
- as long as we have a legitimate interest in storing it. This may be the case, in particular, if we need personal data to assert or defend claims, for archiving purposes, and to ensure IT security;
- as long as they are subject to a statutory retention obligation. For certain data, for example, a ten-year retention period applies. For other data, shorter retention periods apply, e.g., for recordings from video surveillance or for records of certain processes on the Internet (log data).
In certain cases, we also ask for your consent if we want to store personal data for longer (e.g., for job applications that we want to keep pending). After the expiry of the stated periods, we delete or anonymize your personal data.
We base our retention periods on the following, for example, although we may deviate from them in individual cases:
- Customer account: Personal data is stored for the duration of the customer account. If the deletion of a customer account is requested, the data will be deleted at the latest after 30 days after checking for open claims and other relevant points that prevent immediate deletion.
- Contracts: Master and contract data are generally stored for ten years from the last contract activity or from the end of the contract. However, this period may be longer if necessary for evidentiary reasons, due to legal or contractual requirements, or for technical reasons. Transaction data in connection with contracts is generally stored for ten years.
- Technical data: The storage period for cookies is usually between a few days and two years, unless they are deleted immediately after the end of the session.
- Communication data: Emails, messages via contact form, and written correspondence are generally stored for ten years.
- Image and sound recordings: The retention period varies depending on the purpose. This ranges from a few days for recordings from security cameras to several years for reports on events with images.
- Job applications: We generally delete application data within six months of the completion of the application process. With your consent, we may keep your application pending for a possible later employment.
- What rights do you have in connection with the
processing of your personal data?
You have the right to object to data processing, especially if we process your personal data based on a legitimate interest and the other applicable conditions are met. You can also object to data processing in connection with direct marketing (e.g., advertising emails) at any time. This also applies to profiling, insofar as it is related to such direct marketing.
Insofar as the respective applicable conditions are met and no legal exceptions are applicable, you also have the following rights:
- the right to request information about your personal data stored by us;
- the right to have inaccurate or incomplete personal data corrected;
- the right to request the deletion or anonymization of your personal data;
- the right to request the restriction of the processing of your personal data;
- the right to receive certain personal data in a structured, common, and machine-readable format;
- the right to revoke consent with effect for the future, insofar as processing is based on consent.
Please note that these rights may be restricted or excluded in individual cases, e.g., if there are doubts about the identity or if this is necessary to protect other persons, to protect legitimate interests, or to comply with legal obligations.
If you have a customer account, you can correct your master data stored there (e.g., your address) at any time. You can also request the deactivation of the customer account or the complete deletion of your personal data there. In addition, you can unsubscribe from newsletters and other advertising emails by clicking on the corresponding link at the end of the email. You can also contact us as described in Section 16 if you want to exercise one of your rights or if you have questions about the processing of your personal data.
You are also free to lodge a complaint with a competent supervisory authority if you have concerns about whether the processing of your personal data is lawful.
- The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
- The competent supervisory authority in the Principality of Liechtenstein is the Data Protection Office of the Principality of Liechtenstein.
- The competent supervisory authority in Germany is the Hamburg Commissioner for Data Protection and Freedom of Information, Klosterwall 6 (Block C), 20095 Hamburg
- The competent supervisory authority in Austria is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna.
- The competent supervisory authority in France is the Commission nationale de l'informatique et des libertés, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07
- The competent supervisory authority in Italy is the Garante per la protezione dei dati personali, with headquarters in Piazza Venezia 11, IT-00187, Rome
- How can you contact us?
If you have any questions regarding this privacy policy or the processing of your personal data, you can contact us at any time at the following address.
La bottega del caffè GmbH
Sägestrasse 40
5600 Lenzburg
Email: info@labottega-delcaffe.ch
- Changes to this Privacy Policy
This privacy policy may be adjusted over time, especially if we change our data processing practices or if new legal provisions become applicable. We will actively inform individuals whose contact details are registered with us about such significant changes if this is possible without disproportionate effort. In general, data processing is governed by the privacy policy in the version current at the beginning of the relevant processing.
Status: Lenzburg, 01.09.2023

