
Privacy notice

Details on how CompagOs collects and processes personal data.

General Privacy Notice of CompagOs AG

In this Privacy Notice, we, CompagOs AG (“CompagOs”), explain how we collect and process your personal data. This is not necessarily an exhaustive description. We may inform you about additional data processing activities, e.g., in general terms and conditions, forms and notices.

This Privacy Notice is aligned with the requirements of the EU General Data Protection Regulation (“GDPR”) and the Swiss Federal Act on Data Protection (“FADP”). However, whether and to what extent these laws are applicable depends on the individual case.

 

1. Identity and contact details of the controller

The “controller” of data processing as described in this Privacy Notice (i.e., the responsible person) is CompagOs AG, c/o MAS Solutions GmbH, Rigistrasse 15C, 6331 Hünenberg.

You can send your data protection-related questions and/or requests to the following address: dataprotection@compagos.ch

 

2. Collection and processing of personal data

2.1 Definition of personal data

The term “personal data” refers to all information relating to an identified or identifiable natural person (“data subject”).

2.2 Collection from data subjects

We primarily process personal data that we receive in the course of initiating or carrying out a business relationship with you or your employer or others represented by you, or that we collect from you as a user of our website and, where applicable, apps and other applications. This Privacy Notice also applies to applicants and employees. Additional internal information applies to the latter.

If you provide us with personal data of other persons (e.g., work colleagues), please make sure that these persons are aware of this Privacy Notice and only share their personal data with us if you are allowed to do so and if this data is correct.

2.3 Collection from third parties

To the extent permitted, we obtain certain personal data from publicly accessible sources (e.g., debt collection register, land register, commercial register, press, internet) or we obtain such information from public authorities or other third parties (e.g., business partners).

Apart from the personal data that you disclose to us directly (Section 2.2), the categories of personal data that we receive about you from third parties include, but are not limited to, information

  • from public registers (e.g., information from the commercial register on your function within the company and your authority to sign for the company you represent);

  • provided to us by persons associated with you (e.g., work colleagues, consultants, representatives, etc.) for the purpose of assessing, entering into or performing contracts with you (e.g., references, powers of attorney);

  • from banks, insurance companies and distributors and other business partners for the use or provision of goods and/or services by you (e.g., payments, purchases etc.);

  • from media and internet about your person (as far as this is indicated in the concrete case, e.g., in the context of an application, marketing/sales, press review etc.);

  • in connection with the use of third-party websites and online offers where such use can be attributed to you;

  • in connection with any administrative or legal proceedings.

Please note that our web server automatically logs every visit to our website in a temporary log file. User-specific data (e.g., information about your browser and your IP address) as well as technical data (e.g., name and URL of the referring website) are logged for the purpose of establishing the connection and optimizing the website visit, for which purpose “cookies” may be used (Section 4).

 

3. Data processing

3.1 Purposes of the data processing

We process your personal data primarily for the purpose of reviewing, concluding and fulfilling contracts with you or other persons who represent you (e.g., your employer), in particular in connection with the technology-based identification, research and evaluation of different forms of treatment for human diseases, particularly in the oncological field and against bone diseases, as well as the purchase of products and services from our suppliers and service providers. We also process personal data to review applications and to perform employment contracts if and insofar as this is necessary to assess the suitability of the applicant or to perform an employment contract. Your personal data may also be processed in order for CompagOs to comply with legal and regulatory obligations in Switzerland and abroad.

In addition, we may process personal data about you and other persons, to the extent permitted and as we deem appropriate, in particular for the following purposes in which we (and, as the case may be, third parties) have a legitimate interest:

  • evaluation, improvement and further development of our offers, products, services and websites, apps and other platforms on which we are present;

  • postal and/or electronic communication with you (e.g., to respond to your inquiries) and, where applicable, third parties (e.g., media inquiries);

  • marketing, unless you have objected to the use of your data for this purpose. If you are part of our customer base and receive our advertising, you may object at any time by sending an email to the address indicated in Section 1;

  • offering services, unless you have objected to the use of your data for this purpose. If you are part of our customer base and receive such offers, you may object at any time by sending an email to the address indicated in Section 1;

  • statistics, conducting market and opinion research;

  • assertion of legal claims and defence in connection with legal disputes and proceedings;

  • prevention and investigation of criminal offences and other misconduct (e.g., conducting internal investigations, data analysis to combat fraud);

  • ensuring the functionality and security of our operations, in particular IT, our websites, any apps and other platforms;

  • video surveillance to safeguard domiciliary rights and other measures for IT, building and facility security as well as for the protection of our employees, customers and other persons as well as assets belonging to or entrusted to us (e.g., by means of visitor lists, access controls, network and mail scanners, telephone recordings);

  • acquisition and sale of business divisions, companies or parts of companies and other transactions and the related transfer of personal data as well as measures for the business management of CompagOs.

3.2 Legal basis

Within the scope of the applicability of the FADP, we are generally not required to have a justification or legal basis for the processing of your personal data. If we are required to have a legal basis due to the applicability of the GDPR, we generally base the respective processing on one of the following legal bases, which usually also corresponds to the purpose according to Section 3.1:

If we do not ask for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the conclusion and/or fulfilment of a contract with you (or the entity you represent, e.g., your employer) (Art. 6 para. 1 lit. b GDPR) or that we (or third parties) have a legitimate interest in pursuing the purposes mentioned in Section 3.1 (Art. 6 para. 1 lit. f GDPR). Our legitimate interests include, but are not limited to, the marketing of our products and services, the interest in better understanding our markets and the ability to manage and develop our business and operations safely and efficiently. We may also process your data on the basis of other legal bases, e.g., in the event of a legal obligation (Art. 6 para. 1 lit. c GDPR).

For website analytics specifically, processing is based on legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, namely to understand website usage and improve content, performance, and security. The analytics implementation is designed to minimize data processing and does not involve tracking of identifiable individuals.

If you have given us your consent to process your personal data for specific purposes, we will process your personal data within the scope of and based on this consent (Art. 6 para. 1 lit. a GDPR), unless we have another legal basis and require one. You can revoke any consent you have given at any time with effect for the future by sending an email to dataprotection@compagos.ch.

 

4. Website analytics and cookies

4.1 General information

Our website uses privacy-first analytics to understand how visitors use the website and to improve its functionality, content, and performance.

We do not use Google Analytics or similar advertising-based tracking services.

4.2 Use of Umami Analytics

We use Umami Analytics, a privacy-focused analytics solution, configured as follows:

  • No cookies are set
  • No persistent identifiers are stored on the user’s device
  • No cross-site or cross-session tracking is performed
  • IP addresses are not stored in full
  • No profiling or individual visitor identification takes place

The data collected is limited to aggregated, technical information, such as:

  • page views
  • approximate geographic region (derived in a non-identifying manner)
  • device and browser type
  • referring website

This data cannot be used to identify individual visitors.

4.3 Cookies

Our website does not set analytics or tracking cookies for visitor analytics.

Only technically necessary cookies may be used where required to ensure the secure operation of the website (for example, for basic security or load balancing). These cookies do not contain personal data and do not require consent.

If additional cookies or tracking technologies are introduced in the future, this Privacy Notice will be updated accordingly.

In addition to advertisement cookies, we may use other technology to manage online advertising on other websites, thereby reducing waste coverage. Operators are not given access to the personal email addresses of people who are not already known to them. With known email addresses, however, they can establish that the people in question are in contact with us and what content they have accessed. 

We may also include other third-party offerings on our website, in particular from social media providers. This content is disabled by default. As soon as you activate it (e.g. by clicking a button), the providers in question can establish that you are on our website. If you have an account with the social media provider, they can link this information with you and thus track your use of online offerings. These social media providers process the data under their own responsibility.

We currently use offerings from the following service providers and advertising partners (where they use data from you or cookies placed with you for advertising management):

  • Google reCAPTCHA: This website uses the reCAPTCHA service of Google Inc. The query serves the purpose of distinguishing whether the input is made by a human or by automated, machine processing. The query includes sending the IP address and any other data required by Google for the reCAPTCHA service to Google. For this purpose, your input is transmitted to Google and used there. However, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of this service. The IP address transmitted by your browser as part of reCAPTCHA will not be merged with other Google data. Your data may also be transmitted to the USA. An adequacy decision of the European Commission, the “Privacy Shield”, is in place for data transfers to the USA. Google participates in the “Privacy Shield” and has submitted to the requirements. By clicking on the query, you consent to the processing of your data. The processing is carried out on the basis of Art. 6 (1) lit. a GDPR with your consent. You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. You can find more information about Google reCAPTCHA and the associated privacy policy at: https://policies.google.com/privacy.


5. Data that we process on our social network pages 

We may run pages and other online presences (“fan pages,” “channels,” “profiles,” etc.) on social networks and other platforms operated by third parties via which we collect the data about you that is detailed below. We receive this data from you and from the platforms when you contact us via our online presence (e.g. when you communicate with us, comment on our content, or visit our online presence). The platforms also evaluate your use of our online presences and link this data to other data about you that is known to the platforms (e.g. your behavior and your preferences). They also process the data for their own purposes under their own responsibility, in particular for marketing and market research purposes (e.g. to personalize advertising) and to manage their platforms (e.g. what content they display to you). 

We receive data about you when you communicate with us via online presences, view our content on the corresponding platforms, visit our online presences, or are active in your use of our online presences (e.g. when you publish content, submit comments). These platforms also collect technical data, registration data, communication data, and behavioral and preference data, etc. either from you or about you. These platforms also conduct regular statistical analyses of the way in which you interact with us, how you use our online presences, our content, or other parts of the platform (what you view, comment on, like, share, etc.) and link this data to other information about you (e.g. age, gender, and other demographic information). This allows them to create profiles about you and draw up statistics about the use of our online presences. They use this data and the profiles to show you personalized advertising and content on the platform from us or from other parties and to control the behavior of the platform. They also use the data for market research and user research and to provide us and other entities with information about you and the use of our online presence. We have partial control over the evaluations that these platforms create regarding the use of our online presences.  

We process this data for the purposes outlined in Section 3.1, i.e. in particular for communication and marketing purposes (including advertising on these platforms) and for market research. Information about the relevant legal bases can be found in Section 3.2. We are entitled to share content published by you (e.g. comments on an announcement) – in our advertising material on the platform or elsewhere, for instance. We and the operators of the platforms may also delete or restrict content from or to you in accordance with the usage guidelines (e.g. inappropriate comments).  

For further information about the processing activities of the platform operators, please refer to the privacy policies of the platforms. These policies also include details of the countries in which they process your data, what rights you have to access and deletion, and what other rights you have as a data subject, plus details of how you can exercise these rights or obtain further information. We currently use the following platforms: 

 

6. Recipients of personal data

We may disclose your personal data to third parties in the course of our business activities and in pursuit of the purposes described in Section 3.1. These third parties process your data either on our behalf and according to our instructions (“processors”) or on their own responsibility. These third parties include the following:

together “recipients”.

 

7. Data abroad

The recipients pursuant to Section 6 are generally located in Switzerland but may also be located abroad. In particular, you must expect your data to be transferred to countries in the EEA and to the USA, where some of the service providers we use are located (e.g., Microsoft).

If a recipient is located in a country without adequate statutory data protection, we contractually oblige the recipient to comply with the applicable data protection (we use the revised Standard Contractual Clauses of the European Commission, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless the recipient is already subject to a legally recognized set of rules to ensure data protection and we cannot rely on an exception. Such an exception may exist in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the conclusion or execution of the contract requires such disclosure, if you have expressly consented to the disclosure or if it concerns data that you have made generally accessible and whose processing you have not objected to.

 

8. Duration of the retention of personal data

We process and retain your personal data as long as it is necessary for the fulfilment of our contractual obligations and compliance with legal obligations or other purposes pursued with the processing (Section 3.1), for example, for the duration of the entire business relationship (i.e., from the initiation, during the performance of the contract until its termination) and beyond that in accordance with the statutory retention and documentation obligations. It is possible that personal data will be retained for the time during which claims can be asserted against our company or if other legitimate business interests require this (e.g., for evidence and documentation purposes). As soon as the purposes and/or laws no longer require it, your data will be deleted or made anonymous. For technical data (e.g., system protocols, logs), shorter retention periods of twelve months or less generally apply.

 

9. Data security

We take appropriate technical and organizational measures to protect your data from loss and unauthorized access and misuse. These measures may include employee training, IT and network security solutions, access controls and restrictions, pseudonymization of personal data (e.g., when disclosing personal data to service providers), and regular checks.

 

10. Automated individual decision-making

In general, we do not carry out automated individual decision-making, i.e., decisions that are based exclusively on automated processing (without human influence) and that are associated with a legal consequence for you (e.g., refusal to conclude a contract) or which significantly affect you in any other way. Should we exceptionally make such decisions, you will be informed in advance.

 

11. Your rights

To the extent provided for by applicable data protection law, you have the right to access, rectify and erase your personal data, the right to restrict data processing as well as the right to object to processing, in particular for direct marketing purposes, and other legitimate interests in processing as well as the right to receive certain personal data for the purpose of transmission to another controller. Please note that we reserve the right to assert the restrictions provided for by law, for example if we are obliged to store or process certain data, have an overriding interest or need the data to assert claims. We have already informed you about the possibility of withdrawing your consent in Section 3.2. Please note that exercising your rights may contradict our contractual agreements and this may have consequences such as premature termination of a possible contract.

The exercise of such rights usually requires that you clearly prove your identity by providing us with a copy of your ID. To exercise your rights, you can contact us at the address indicated in Section 1.

As a data subject, you also have the right to enforce your claims in court or to file a complaint with the competent data protection authority. The competent data protection authority is the Federal Data Protection and Information Commissioner.

 

12. Amendments

We may amend this Privacy Notice at any time without prior notice. The current version published on our website shall apply.