Privacy policy ASMIQ I/O AG

Version April 1, 2023.
Subject to change at any time.

Preamble
ASMIQ I/O AG, Baslerstrasse 60, 8048 Zurich, Switzerland (hereinafter "Provider"), is the author of this Privacy Policy. This Privacy Policy applies to all users of the Provider's services, insofar as personal data is processed as a result. In particular, this includes customers who have concluded a contract with the Provider for the Provider's services, their employees and website visitors. In addition, the Provider may declare the Privacy Policy applicable to other contractual partners on a contractual basis. For the sake of simplicity, all persons affected by the data processing are hereinafter referred to as "customers".

The Provider is responsible for the careful and conscientious handling of its customers' personal information. The Provider is responsible for the collection, processing, disclosure, storage and protection of the personal information of its customers and ensures compliance with the Swiss Data Protection Act ("DPA") insofar as protected data of Swiss customers is concerned; and additionally for compliance with the EU General Data Protection Regulation ("GDPR") insofar as protected data of customers from the EU area is concerned.
The consent given by the customer with this privacy policy can be revoked at any time with effect for the future (see section 11, last paragraph).

1. contact details
Responsible for data processing is:

ASMIQ I/O AG
Baslerstrasse 60
8048 Zurich
Switzerland

The data protection officer can be contacted at datenschutz@old.asmiq.io.

2 Applicable law
Data processing by the provider is subject to the following law

Data from Swiss customers
The processing of data from Swiss customers is governed exclusively by Swiss law, in particular the Federal Act on Data Protection (FADP, SR 235.1) and the associated Ordinance to the Federal Act on Data Protection (SR 235.11). The EU General Data Protection Regulation (GDPR) does not apply. The applicability of the GDPR remains reserved (i) insofar as it is expressly provided for in this data protection declaration for sub-areas, and (ii) insofar as the GDPR is also mandatory for data of Swiss customers due to special circumstances.

Data from customers in the EU
In addition to Swiss law, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) applies to the processing of data of customers from the EU. See also section 13 (additional regulations for customers from the EU).

3. nature and scope of the collection of personal data
when visiting our website (without login)
When customers visit the provider's online presence outside the login-protected area, the web server technology used automatically logs general technical visit information. This includes the IP address of the device used, which is anonymized by Google before it is saved so that it can no longer be assigned to the customer. Google uses the _anonymizeIp() method for this purpose. It also includes information on the browser type, the Internet service provider and the operating system used.

when using asmiq.one cloud software (with login)
During the fee-based use of the asmiq.one software within the login-protected area, all data entered or submitted by the Customer during the registration process and in the course of using the software shall also be stored. This is particularly the case if the Customer makes changes, fills out online forms, corresponds with the Provider online or offline or comes into contact with the Provider via social media, blogs or other interactive media. As a rule, personal master data (name, address, e-mail address) and the settings required for the respective service are collected here. Further information on data processing and its purposes can be found in Appendix A to the order processing agreement. By collecting data, the customer consents to the processing, use and disclosure of personal data within the framework and scope of the purposes described in this privacy policy.

Third party add-ons
The Provider shall provide the Customer with an interface ("API") for communication with third-party software. This enables the Customer to integrate various additional packages or offers from third-party providers ("add-ons") in addition to the Asmiq.one software. The Customer can order various Add-ons from the Provider. Unless expressly agreed otherwise, a contractual relationship regarding the use of third-party Add-ons shall be established exclusively between the Customer and the third-party provider. If access rights are required for the use of an add-on, the customer expressly agrees to grant all necessary access rights by ordering or integrating the add-on. The provider is then entitled to provide all customer data necessary for the use of the add-on or to allow access to it. The customer shall retain full control over the third-party provider's access rights to its data at all times and may restrict or deny access at any time. The customer agrees that the provider or the third-party provider may exchange data with this third-party provider when using other add-ons. By ordering the add-on, the customer agrees to the GTC and the privacy policy of the respective third-party provider. The provider assumes no responsibility for the data processing of the third-party provider.

4. data security
The Provider uses technical and organizational security measures in accordance with recognized market standards to protect stored personal data against unintentional, unlawful or unauthorized manipulation, deletion, modification, access, disclosure or use and against partial or complete loss. The provider's servers are located in Switzerland. Certain services can be processed via servers in other countries - with an appropriate level of data protection - whereby the requirements of the FADP and GDPR are fully complied with at all times. The connection to the servers is made using SSL encryption. The provider regularly backs up customer data (backup). To prevent data loss even in extreme cases (e.g. destruction of a data center due to an earthquake), the encrypted backups are stored in parallel in several data centers in Switzerland and abroad. The requirements of the FADP and GDPR are fully complied with at all times. The security measures are continuously adapted and improved in line with technological developments. The provider accepts no liability for the loss of data or its access and use by third parties. Furthermore, the provider cannot guarantee the security of data transmission on the Internet; in particular, there is a risk of access by third parties when data is transmitted by e-mail. However, access is protected by means of HTTPS. If explicitly requested by the customer, the customer can opt for two-factor authentication at any time for a fee.

5. purpose of the processing of personal data / recipient of the data
The Provider processes the collected data in order to continuously improve the desired products and services, to manage the use of and access to the applications, products and information, to maintain the business relationship with the customers, to monitor and improve the performance of the offer, to detect, prevent or clarify illegal activities or to send the customers offers, information or marketing material about products or services which the Provider assumes, based on the data, could be of interest to the customers. The data may also be passed on to partner companies and service providers, selected third-party companies, institutes and/or legally authorized state authorities in Switzerland and abroad for processing, storage and use within the scope of the above-mentioned purposes. If the processing or storage of personal information takes place in countries that do not guarantee adequate data protection compared to Swiss data protection law, the Provider shall request the processor under contractual obligation to fully comply with the relevant provisions of the FADP or - insofar as data of customers from the EU area are concerned - the GDPR. The Provider has some of the aforementioned processes and services carried out by service providers based in the EU or Switzerland that comply with data protection regulations. These are in particular companies in the categories of IT services, payment transactions, print service providers, billing, debt collection and consulting as well as sales and marketing and service providers that are used in the context of order processing relationships.

6. data exchange Galledia Group
By accepting the General Terms and Conditions and this Privacy Policy of the Provider, the Customer expressly consents to the transfer of its data to the parent company of the Provider and affiliated companies (hereinafter collectively referred to as "Galledia") in accordance with this section. This includes:

• The parent company of Galledia is: galledia group ag.
• Other companies belonging to the Galledia Group can be viewed at: https://www.galledia-group.ch/unternehmen/organisation
  The exchange of data between the provider and Galledia enables even greater use to be made of existing synergies with the parent company. Under no circumstances will particularly sensitive personal data be passed on. Galledia is obliged to process all data of which it becomes aware exclusively within the framework of data protection legislation and to comply with data protection security regulations. Galledia is obliged to maintain the confidentiality of the data of which it becomes aware. The Provider is entitled to process data in accordance with the following overview or to pass it on for the following purposes:
• "Media Service" services: Data may be exchanged and processed between the provider and Galledia for the purpose of "Media Service" services commissioned by customers. The main purpose is the paid management of subscribers, creation of invoices and statistics.

7. cookies
Cookies help to make visiting the provider's website easier, more pleasant and more meaningful. Cookies are information files that the web browser automatically stores on the hard disk of the computer when the customer visits the provider's website and uses offers. The customer can independently manage the security settings in the browser and thus block or deactivate cookies used, whereby certain services of the provider may no longer be able to be used (in full).

Tracking and analysis tools / social media
The use of the provider's digital offerings is measured and evaluated using various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be both anonymous and personalized. It is possible that the data collected may be passed on by the provider or the third-party providers of such technical systems to third parties in Switzerland and abroad for processing. The most commonly used and best-known analysis tool is Google Analytics, a service provided by Google Inc. This allows the data collected to be transmitted to a Google server in the USA (or a location specified by Google). The provider's website uses Google Analytics, a web analysis service of Google Inc. based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A. ("Google"). Google Analytics uses so-called cookies, text files which are stored on the customer's computer and which enable the use of the website to be analyzed. The information generated by the cookies about the use of the website (including the IP address, which is anonymized by Google before being saved so that it can no longer be assigned to the customer) is transmitted to a Google server in the USA (or a location specified by Google) and stored there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Under no circumstances will Google associate the IP address of the customer with other Google data. The provider's website uses the "demographic features" function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of customers. This data comes from interest-based advertising from Google and from visitor data from third-party providers. This data cannot be assigned to a specific person. Customers can deactivate this function at any time via the ad settings in their Google account or generally prohibit the collection of their data by Google Analytics. Further information can be found in Google's privacy policy at: https://support.google.com/analytics/answer/6004245?hl=de If the customer does not want their website activity to be available to Google Analytics, they can install the browser add-on to deactivate Google Analytics: https://support.google.com/analytics/answer/181881?hl=en This prevents activity data from being shared with Google Analytics via the JavaScript (ga.js, analytics.js and dc.js) executed on websites. The analysis of data by other tools of the website owner is not prevented if the customer uses the add-on. Data can still be sent to the website or to other web analysis services. Finally, the provider collects certain information via its website in so-called server log files, which are automatically transmitted by the customer's Internet browser. These include the user agent (browser type and version, operating system used), http header information (referrer URL, IP address of the accessing computer), the time of the server request and the login status. These server log files are only merged with other data sources for error analysis.

Technologies for advertising purposes
The provider's website uses the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising messages that have been adapted to the customer depending on the customer's previous usage and surfing behavior on one device (e.g. cell phone) can also be displayed on another device (e.g. tablet or PC). If the customer has given Google permission to do so, Google will link the web and app browsing history to the customer's Google account for this purpose. In this way, the same personalized advertising messages can be displayed on every end device on which the customer logs in with their Google account. To support this function, Google Analytics collects Google-authenticated user IDs that are temporarily linked to the provider's Google Analytics data in order to define and create target groups for cross-device advertising. The customer can permanently object to cross-device remarketing by deactivating personalized advertising in their Google account: https://www.google.com/settings/ads/onweb/ Further information can be found in Google's privacy policy at: https://www.google.com/policies/technologies/ads/ The provider's website also uses the online advertising program Google AdWords. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. As part of Google AdWords, the provider uses what is known as conversion tracking. When the customer clicks on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the Internet browser stores on the customer's computer. These cookies lose their validity after 30 days at the latest and are not used for identification. If the customer visits our website and the cookie has not yet expired, Google and the provider can recognize that the customer has clicked on the ad and has been redirected to this page. The provider learns from Google the total number of users who clicked on its ad and were redirected to its website with a conversion tracking tag. However, the provider does not receive any information with which it can personally identify the customer. The customer can prevent the storage of cookies by setting their browser software accordingly. However, the provider draws the customer's attention to the fact that the customer may not be able to use all the functions of this website to their full extent. The customer can also prevent tracking by deactivating the Google Conversion Tracking cookie via their Internet browser under user settings. For more information, please refer to Google's privacy policy: https://www.google.de/policies/privacy/ The provider's website also uses Facebook's visitor action pixel, which is provided by Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA. The Facebook pixel can be used to track the behavior of site visitors after they have been redirected to the provider's website by clicking on a Facebook ad. This allows the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized. The data collected is anonymous to the provider. The provider cannot draw any conclusions about the identity of the customers. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Usage Policy. This allows Facebook to place advertisements on Facebook pages and outside of Facebook. This use of the data cannot be influenced by the provider. The customer can permanently object to remarketing by deactivating the remarketing function "Custom Audiences" in the settings for advertisements under the following link. To do this, they must be logged in to Facebook: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen If the customer does not have a Facebook account, they can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance at the following link: http://www.youronlinechoices.com/de/praferenzmanagement/ For more information, please refer to Facebook's privacy policy: https://www.facebook.com/about/privacy/

Integration of third-party offers / social media
The Provider's digital offerings are networked with third-party functions and systems in a variety of ways, for example by integrating third-party social network plug-ins such as Facebook, Twitter, etc. in particular. If the customer has a user account with these third parties, it may also be possible for them to measure and evaluate the use of the provider's digital offerings. Further personal data such as IP address, browser settings and other parameters may be transmitted to these third parties and stored there. The Provider has no control over the use of such personal data collected by third parties and assumes no responsibility or liability. Furthermore, the provider has no detailed knowledge of what data is transmitted to the third-party providers, where it is transmitted to and whether it is anonymized. YouTube plugins are integrated on the provider's website. The provider is YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. A connection to the YouTube servers is established via the YouTube plugin. The YouTube server is informed which of the provider's pages the customer has visited. If the customer is logged into their YouTube account, YouTube can assign their surfing behavior directly to their personal profile. The customer can prevent this by logging out of their YouTube user account. For further information, please refer to YouTube's privacy policy: https://www.google.de/intl/de/policies/privacy

Other tools
The provider's website uses the Google Maps map service via an API. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If the customer uses the functions of Google Maps, the IP address is stored by Google and generally transmitted to a Google server in the USA. The provider has no influence on this data transfer. For further information, please refer to Google's privacy policy: https://www.google.de/intl/de/policies/privacy/

8. profiling / automatic decisions
Profiling is the automated processing of personal data in order to analyze or predict certain personal aspects or behavior. This allows, for example, customers to receive more personalized support and advice or offers to be better tailored to individual customer needs.
An "automated individual decision" is a decision that is made completely automatically, i.e. without relevant human influence, and that has negative legal effects or other similar negative effects on the customer. As a rule, the Provider does not carry out automated individual decisions. The provider will inform customers separately if it uses automated individual decisions in individual cases. In such a case, the customer has the option of having this decision reviewed manually by an employee of the provider.

9. Communication by e-mail and/or newsletter
If the customer wishes to receive a newsletter offered on the provider's website, the provider requires an e-mail address and other information that allows verification that the e-mail address provided is correct and that the customer agrees to receive the newsletter ("double opt-in" procedure). With the newsletter, the customer regularly receives recommendations and offers that may be of interest to them. For this purpose, the provider collects and processes personal data relating to the customer's usage behavior on the website, in the Asmiq.one software and in relation to the use of the newsletter (e.g. whether the customer opens the newsletter or which web URL links they click on). The provider evaluates this data for statistical purposes in order to better tailor the content of the newsletter to the interests of the customer. The processing of the personal data entered in the newsletter registration form is based on the customer's consent, which they can revoke at any time for the future. The revocation is made via the "unsubscribe" link in the newsletter. The personal data collected is used to design the content and send the newsletter. The provider stores the personal data provided by the customer for the purpose of subscribing to the newsletter until the customer unsubscribes from the newsletter.

10. duration of storage
The provider processes and stores personal data for as long as the customer uses the service. It should be noted that the contractual relationship between the provider and the customer is a continuing obligation that is intended to last for years. After termination of the contractual relationship, the provider is generally not obliged to store the customer's data. For this reason, data that is no longer required is regularly deleted. This does not apply to data that is required for further processing due to legal regulations or for mandatory internal purposes.

11. information, correction, deletion, blocking, consent
With regard to personal data, customers have the following rights under the FADP and GDPR. In principle, the Provider also grants the rights contained in the GDPR to Swiss customers. However, the Provider reserves the right to make a different assessment in individual cases.

• the right to information (Art. 8 FADP, Art. 15 GDPR);
• the right to rectification (Art. 5 para. 2 FADP, Art. 16 GDPR);
• the right to erasure (Art. 17 GDPR);
• the right to restriction of processing (Art. 18 GDPR);
• the right to data portability (Art. 20 GDPR); and
• the right to object (Art. 21 GDPR).
  Any restrictions of the GDPR and the applicable national data protection laws or other national laws apply to the rights mentioned above.

12. links to other websites
The Provider's website contains hyperlinks to third-party websites that are not operated or controlled by the Provider. The Provider is not responsible for their content or data protection practices.

13. additional regulations for customers from the EU area
The following provisions only apply to customers from the EU area; they do not apply to Swiss customers.

Legal basis of the processing
The processing of data for the purposes mentioned in section 5 is carried out in accordance with Article 6(1)(b) GDPR for the performance of the contract. The object of the contract is the above-mentioned services. Data is also processed, as described above, to protect the legitimate interests of the provider (Article 6(1)(f) GDPR). These are the improvement of the products and services (including the delivery of direct advertising), to monitor and improve the performance of the offer and to detect, prevent or clarify illegal activities.
In addition, the data is processed in accordance with Article 6(1)(c) GDPR to fulfill legal obligations (e.g. storage and documentation obligations of the provider). This includes in particular the personal master data. If the customer is of the opinion that one or more of the purposes listed in section 5 are not covered by the legal bases mentioned above, they can request that the provider no longer process their personal data for certain individual purposes (opt-out). Such an opt-out does not prevent the customer from continuing to use the Provider's SaaS services, provided that such use does not necessarily require the corresponding data processing. The customer can send such an opt-out in writing to the Provider's address mentioned at the beginning. However, it is also sufficient to send an e-mail to datenschutz@old.asmiq.io.

Right of appeal
If the customer is of the opinion that the processing of personal data relating to them is in breach of the GDPR, they have the right to lodge a complaint with a competent supervisory authority in accordance with Article 77 GDPR. The Provider will of course be happy to receive the customer's questions and requests in advance of a complaint. The customer can contact the provider in writing or by email (datenschutz@old.asmiq.io) for this purpose.

ASMIQ I/O AG
Baslerstrasse 60
8048 Zurich
Switzerland