This Privacy Policy informs you which personal data we process in connection with our luya.bio website and our other services. In particular, we provide information about for which purpose, how and where we process personal data. We also inform you about the rights of persons whose data we process.
Further data protection declarations and other legal documents such as general terms and conditions (T&Cs), terms of use or conditions of participation may apply in connection with individual or additional offers and services.
Our offer is subject to Swiss data protection law and any applicable foreign data protection law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission recognises that Swiss data protection law ensures adequate data protection.
1. Contact Addresses
Responsible entity for the processing of personal data:
Luya Foods AG
Länggasse 85
3052 Zollikofen
hello@luya.bio
If there are other persons responsible for processing personal data in individual cases, we point this out.
Data Protection Representation in the European Economic Area (EEA)
We have the following data protection representation pursuant to Art.27 of the GDPR. The data protection representation serves as an additional point of contact for supervisory authorities and data subjects in the European Union (EU) and the rest of the European Economic Area (EEA) for enquiries in connection with the General Data Protection Regulation (GDPR):
VGS Data Protection Partner UG
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu
2. Terms and Legal Basis
2.1 Terms
Personal data is any information relating to anidentified or identifiable person. A data subject is a person whose personal data is processed.
Processing includes any handling of personal data, irrespective of the means and procedures used, in particular the storage, disclosure, procurement, collection, deletion, saving, modification, destruction and use of personal data.
The European Economic Area (EEA) comprises the member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of data that relates to a person as the processing of personal data.
2.2 Legal Basis
We process personal data in accordance with Swiss data protection law, in particular the Federal Data Protection Act (Bundesgesetz über den Datenschutz or DSG) and the Ordinance to the Federal Data Protection Act (Verordnung zum Bundesgesetz über den Datenschutz or VDSG).
We process – if and to the extent that the General Data Protection Regulation(GDPR) is applicable – personal data in accordance with at least one of the following legal bases:
• Art.6 para. 1 lit. b GDPR for the necessary processing of personal data for the fulfilment of a contract with the data subject as well as for the implementation of pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect the legitimate interests of ourselves or of third parties unless the fundamental freedoms and rights and interests of the data subject prevail. Legitimate interests are, in particular, our interest in being able to offer our services in a permanent, user-friendly, secure, and reliable manner and to be able to advertise as required, the security of information and the protection of personal data. The aim is to ensure the security and protection against misuse and unauthorised use, the enforcement of our own legal claims and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to comply with a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
• Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the execution of a task that is in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the person concerned.
• Article 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
3. Nature, Scope and Purpose
We process the personal data that is required to provide our services in a permanent, user-friendly, secure, and reliable manner. Such personal data can fall into the categories of inventory and contact data, browser and device data, content data, meta data and usage data, location data, sales data, contract data and payment data.
We process personal data for the duration required for the respective purpose(s) or as required by law. Personal data for which processing is no longer required is anonymised or deleted. Persons whose data we process generally have the right to have their data deleted.
We may arrange for personal data to be processed by third parties. We may process personal data jointly with third parties or transmit personal data to third parties. Such third parties are, inparticular, specialised providers whose services we use. We also guarantee appropriate data protection for such third parties.
As a general rule, we will only process personal data with the consent of the affected person, unless such processing is permitted based on other legal grounds, such as for the fulfilment of a contract with the affected person and in order to carry out appropriate pre-contractual measures, in order to uphold our prevailing legitimate interests, because the processing is obvious under the circumstances or after prior notification.
Within this framework, we especially process information that is provided to us by a affected person themselves when contacting us – for example, by letter, email, contact form, social media or telephone – or when registering for a user account. We may store such information, for example, in an address book, in a Customer relationship management system (CRM system) or with comparable tools. If you transmit data about other persons to us, you are obliged to ensure data protection vis-à-vis such persons and to ensure the accuracy of such personal data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of providing our services, if and to the extent that such processing is legally permissible.
4. Applications
We process personal data about applicants to the extent that it is required for assessing their suitability for an employment relationship or for the subsequent creation of an employment contract. The required personal data are derived in particular from the information requested, for example in the context of a job advertisement. We also process personal data that applicants provide voluntarily, in particular as part of cover letters, CVs and other application documents.
5. Personal Data Abroad
We process personal data in Switzerland and in the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular in order to process them or have them processed there.
We may export personal data to all countries and territories in the world and elsewhere in the universe, provided that the law there guarantees adequate data protection in accordance with the assessment of the Federal Data Protection and Information Commissioner (Eidgenössischen Datenschutz- und Öffentlichkeitsbeauftragten EDÖB) or in accordance with the decision of the Swiss Federal Council and – if and insofar as the Data Protection Regulation (GDPR) is applicable – in accordance with the decision of the European Commission.
We may transfer personal data to countries whose law does not guarantee adequate data protection, provided that data protection is guaranteed for other reasons, in particular by appropriate guarantees in the form of standard data protection clauses. As an exception, we may export personal data to countries without adequate or appropriate data protection if the special data protection requirements are met, e.g., the express consent of the person concerned.
6. Rights of Data Subjects
Data subjects whose personal data we process have the rights afforded to them under Swiss data protection law. These rights include the right to information as well as the right to correction, deletion or blocking of the processed personal data.
If and to the extent that the General Data Protection Regulation (GDPR) is applicable, data subjects whose personal data we process may request confirmation free of charge as to whether we are processing their personal data and, if so, request information about the processing of their personal data, have the processing of their personal data restricted, exercise their right to data portability and have their personal data corrected, deleted (“right to be forgotten”), blocked or updated.
Data subjects whose personal data we process may – if and insofar as the GDPR is applicable – revoke their consent at any time with effect for the future and object to the processing of their personal data at any time.
Data subjects whose personal data we process have a right of appeal to a competent supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte or EDÖB).
7. Data Security
We take appropriate and suitable technical and organisational measures to ensure data protection and, in particular, data security. However, despite such measures, the processing of personal data on the Internet is always subject to gaps in security. We can therefore not guarantee absolute data security.
Access to our online offer takes place via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock-icon in the address bar.
Access to our online services is subject – as is any use of the Internet – to mass surveillance without any reason or suspicion, as well as other surveillance by security authorities in Switzerland, the European Union (EU), the United States and other countries.
We cannot directly influence the corresponding processing of personal data by secret services, police forces and other security authorities.
8. Use of the Website
8.1 Cookies
We may use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data stored in your browser. Such stored data need not be limited to traditional cookies in text form. Cookies cannot run programs or transmit malware such as Trojans and viruses.
Cookies can be stored temporarily in your browser as “session cookies” or for a certain period of time as so-called permanent cookies. “Session cookies” are automatically deleted when you close your browser. Permanent cookies have a specific storage period. In particular, cookies make it possible to recognise your browser the next time you visit our website and allow us, for example, to measure the reach of our website. Permanent cookies can also be used for online marketing, for example.
You can deactivate or delete cookies in full or in part in your browser settings at any time. Without cookies, our website may no longer be fully available. We actively request your express consent for the use of cookies – if applicable and to the extent necessary.
In the case of cookies used for performance and reach measurement or for advertising, a general objection (“opt-out”) is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAd- Choices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
8.2 Server Log Files
We may collect the following information for each access to our website, provided that this information is transmitted by your browser to our server infrastructure or can be determined by our web server: Date and time, including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-page of our website accessed including the amount of data transferred, website last accessed in the same browser window (referrer).
Westore such information, which may also constitute personal data, in server log files. The information is required to provide our online service in a permanent, user-friendly, and reliable manner and to ensure data security and as such in particular the protection of personal data – also by third parties or with the help of third parties.
8.3 Tracking Pixel
We may use tracking pixels on our website. Tracking pixels are also known as web beacons. Tracking pixels – also from third parties whose services we use – are small, usually invisible images that are automatically retrieved when you visit our website. With tracking pixels, the same information can be collected as in server log files.
9. Notifications and Messages
We send notifications and communications such as newsletters by email and through other communication channels such as instant messaging.
9.1 Success and Reach Measurement
Notifications and messages may contain web links or tracking pixels that record whether an individual message was opened, and which web links were clicked on. Such weblinks and tracking pixels may also record the use of notifications and messages on a personal basis. We need these statistical usage records to measure success and reach in order to be able to offer notifications and communications effectively and in a user-friendly manner based on the needs and reading habits of the recipients, as well as permanently, securely and reliably.
9.2 Consent and Objection
In principle, you have to expressly consent to the use of your e-mail address and other contact details, unless such use is permitted for other legal reasons. For any consent to receive emails, where possible, we use the “double opt-in” procedure, i.e., you will receive an email with a web link that you must click to confirm, so that no misuse by unauthorised third parties can take place. We may log such consent, including the Internet Protocol (IP) address, date and time for evidence and security reasons.
You can unsubscribe from notifications and communications such as newsletters at any time. By unsubscribing, you can, in particular, object to the statistical recording of usage for performance and reach measurement. We reserve the right to send notifications and messages that are absolutely necessary for our offer.
9.3 Service Provider for Notifications and Messages
We send notifications and communications via third-party services or with the help of service providers. Cookies may also be used in the process.
We use, in particular:
• Mailchimp: communication platform; provider: The RocketScience Group LLC d/b/a Mailchimp (USA) as a subsidiary of IntuitInc. (USA); data protection information: privacy policy (Intuit) including “Country and Region-Specific Terms”, cookie policy, “Privacy Rights Requests”, “Mailchimp and European Data Transfers”, “Security“.
10. Social Media
We are present on social media platforms and other online platforms in order to communicate with interested persons and to inform them about our services. Personal data may also be processed outside of Switzerland and the European Economic Area (EEA).
The General Terms and Conditions (T&Cs) and terms of use as well as data protection declarations and other provisions of the individual operators of such online platforms also apply in each case. These provisions provide, in particular, information about the rights of data subjects, which include, for example, the right to information.
As far as our social media presence on Facebook is concerned, including the so-called “Page Insights”, we are, insofar as and to the extent that the GDPR is applicable, responsible alongside with the Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Metacompanies (includingin the USA). Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to provide our social media presence on Facebook in an effective and user-friendly way.
Further information on the type, scope and purpose of data processing, information on the rights of data subjects and the contact details of Facebook as well as Facebook’s data protection officer can be found in Facebook’s privacy policy. We have entered into the so-called “Controller’s Addendum” with Facebook and have thus agreed, in particular, that Facebook is responsible for ensuring the rights of data subjects. For the so-called Page Insights, the corresponding information can be found on the page “Information on Page Insights” including “Information on page insights data”.
11. Third Party Services
We use third-party services in order to be able to provide our offer in a permanent, user-friendly, secure, and reliable manner. Such services may also serve to embed content in our website. Such services require your Internet Protocol (IP) address, as such services cannot otherwise transmit the corresponding content.
Fortheir own security-related, statistical, and technical purposes, third partieswhose services we use may also process data in connection with our offer aswell as from other sources – including cookies, log files and tracking pixels -in aggregated, anonymised or pseudonymised form.
We use in particular:
• Google services: Provider: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General information on data protection: “Privacy and security principles”, data protection statement, “Google is committed to complying with applicable data protection laws”, “Guide to data protection in Google products”, “How we use data from websites or apps on or in which our services are used” (information from Google), “How Google uses cookies”, “Personalisedadvertising” (activation/deactivation / settings).
11.1 Digital Infrastructure
We use third party services to provide the digital infrastructure required for our services. These include, for example, hosting and storage services from specialised providers.
We use in particular:
• Amazon Web Services (AWS): Storage space and other infrastructure; Providers: Amazon Web Services Inc. (USA) for users in Switzerland / Amazon Web Services EMEA SARL (Luxembourg) for users in the European Economic Area (EEA); Information on data protection: Data protection declaration, “Data Protection”, “Frequently asked questions about data protection”, “General Data Protection Regulation (GDPR)- Centre”.
• Webflow: website construction kit; provider: Webflow Inc. (USA); data protection information: privacy policyfor users in the European Economic Area as well as in the United Kingdom and Switzerland (“EU & Swiss Privacy Policy”), privacy policy for users in the rest of the world (“Global Privacy Policy”), cookie policy.
11.2 Contact Options
We use third party services to better communicate with you and others, such as Customers.
We use, in particular:
• HubSpot: Customer Relationship Management (CRM); Provider: HubSpot Inc. (USA) / HubSpot Ireland Limited (Ireland) for users in the European Economic Area (EEA); Information on data protection: Data protection declaration.
11.3 Map Material
We use third party services to embed maps on our website. In particular, we use:
• Google Maps including the Google Maps Platform: mapping service; Google Maps-specific privacy information: “How Google uses location information”.
11.4 Audio-visual Media
We use third party services to enable the direct playback of audio-visual media such as music or videos on our website.
We use in particular:
• Vimeo: Videos; Provider: Vimeo Inc. (USA);Information on data protection: “Data protection”, Privacy policy.
• YouTube: Videos; Provider: Google (among others in the USA); YouTube-specific information on data protection: “Data Protection and Security Centre”, “My data on YouTube”.
11.5 E-commerce
We engage in e-commerce and use third party services to successfully provide services, content, or goods.
We use, in particular:
• Shopify: e-commerce platform for online shops; providers: Shopify Inc. (Canada)for online shops in Canada and the USA / Shopify Commerce Singapore Pte. Ltd.(Singapore) for online shops in the Asia-Pacific region / Shopify InternationalLimited (Ireland) for online shops in Europe and the rest of the world; dataprotection information: data protection statement, “Dataprotection for Customers”, “Security”.
11.6 Payments
We use payment service providers to process our Customers’ payments securely and reliably. The terms and conditions of the respective payment service providers,such as general terms and conditions (T&Cs) or data protection declarations, apply to the processing of data.
We use in particular:
• Stripe: Processing of payments; providers: Stripe Inc.(USA) / Stripe Payments Europe Limited (SPEL, Ireland) for users in the European Economic Area (EEA) and Switzerland and partly in the UK / Stripe Payments UK Limited (UK) and Stripe Capital Europe Limited (Ireland) partly for users in the UK and Switzerland.
Users in the United Kingdom; Privacy information: “Stripe Privacy Center” (“Stripe Privacy Center”), PrivacyPolicy, (German translation at the bottom of the page), Cookie Policy, (German translation at the bottom of the page).
• TWINT: processing of payments in Switzerland; provider: TWINT AG (Switzerland); information on data protection: “Data protection for TWINT apps”, “Data protection declaration website“, “General terms and conditions for the use of TWINT” including the section “Data protection”.
11.7 Advertising
We use the option of displaying targeted advertising for our offer via third parties such as social media platforms and search engines.
We would like to use such advertising, in particular, to reach people who are interested in our offer or who are already using our offer (remarketing and targeting). For this purpose, we may transmit corresponding -possibly also personal – information to third parties who facilitate such advertising. We can also determine whether our advertising is successful, i.e.in particular whether it leads to visits to our website (conversion tracking).
Third parties with whom we advertise and where you are registered as a user may be able to assign the use of our online service to your profile there.
We use, in particular:
• Facebook Advertising (Facebook Ads): Social media advertising; Provider: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); data protection information: remarketing and targeting, in particular with the Facebook Pixel and Custom Audiences including Lookalike Audiences, data protection statement, “advertising preferences” (user registration required).
• Google Ads: Search engine advertising; Google Ads – specific information about data security: advertising based on, among other things, search queries, using different domain names – in particular doubleclick.net, googleadservices.com and googlesyndication.com – for Google Ads, “Advertising” (Google), “Why am I seeing a particular ad?”.
• Instagram Ads: Social media advertising; Provider: Meta Platforms Ireland Limited
(Ireland) and other Meta companies (including in the USA); information on data protection: Remarketing and targeting, in particular with Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy (Instagram), Data Protection Policy (Facebook), “Advertising Preferences” (Instagram) (user registration required), “Advertising Preferences” (Facebook) (user registration required).
• LinkedIn Ads: Social media advertising; Provider: LinkedIn Corporation (USA) / LinkedIn Ireland Unlimited Company (Ireland); Data protection information: Remarketing and
Targeting in particular with the LinkedIn Insight Tag, “Data Protection”, Privacy Policy, Cookie Policy, Objection to personalised advertising.
• Pinterest Ads: Social media advertising; Provider: Pinterest Inc. (USA) / Pinterest Eu- rope Ltd. (Ireland) for users in the European Economic Area (EEA); Data protection information: Remarketing and targeting in particular with the “Pinterest Tag”, “Data protection, security and legal”, Privacy policy, “Personalisation and data”, “Personalised ads on Pinterest”, “Sharing of data on Pinterest”, Cookie Policy.
12. Success and Reach Measurement
We use services and programmes to determine how our online offering is used. For example, we may measure the success and reach of our online offering and the impact of third-party links to our website. We can, for example, also test and compare how different versions of our online offer or parts of our online offer are used (“A/B test” method). Based on the results of the success and reach measurement, we can, in particular, correct errors, strengthen particularly popular content or make improvements to our online offer.
When using services and programmes for performance and reach measurement, the Internet Protocol (IP) addresses of individual users has to be stored. IP addresses are always shortened in order to comply with the principle of data economy and to improve data protection for visitors to our website through the corresponding pseudonymisation (“IP masking”).
When using services and programmes for performance and reach measurement, cookies may be used, and user profiles may be created. User profiles include, for example, the pages that were visited or the content that was viewed on our website, information on the size of the screen or browser window and the – at least approximate – the user’s location.
As a matter of principle, user profiles are only created pseudonymously. We do not use user profiles to identify individual visitors to our website. Individual services for which you are registered as a user may be able to assign the use of our online services to your profile with the respective service, whereby you must usually give your consent to such an assignment in advance.
We use, in particular:
• Google Analytics: Performance and reach measurement; Google Analytics – specific data protection information: measurement also across different browsers and devices (cross device tracking) as well as with pseudonymised Internet Protocol (IP) addresses, which are only transmitted in full to Google in the USA in exceptional cases, “data protection”, “Browser Add-on to disable Google Analytics”.
• Google Tag Manager: Integration and management of other services for performance and reach measurement as well as other services from Google and third parties; Google Tag Manager – specific information on data protection: “Data collected with Google Tag Manager”; further information on data protection can be found on the websites of the individual integrated and managed services.
13. Final Provisions
We can adapt and supplement this data protection declaration at any time. We will inform you of such adjustments and additions in an appropriate manner, in particular, by publishing the respective current data protection declaration on our website.
The privacy policy was originally written in German. The translation of the German text into French and English is purely for the information of our French and English-speaking Customers. As a rule, the German version remains the authoritative version regarding questions of interpretation.