1. Scope

This privacy policy provides information on how and for what purposes Carogusto AG und Carogusto Deutschland GmbH (hereinafter "we" or "Carogusto") processes Your Personal Data (hereinafter "You").

"Personal Data" means all details and information relating to an identified or identifiable natural person.

We process Personal Data in accordance with the requirements of the Swiss Federal Data Protection Act (hereinafter "FDPA") and, if and to the extent applicable, in accordance with the EU General Data Protection Regulation (hereinafter "GDPR"). Where we deem it appropriate, we may provide you with additional privacy policies in addition to this privacy policy.

2. Data controller and point of contact

The company of Carogusto with which you correspond or do business or which has referred you to this privacy policy in the context of an enquiry, a contract or other correspondence is in general responsible for processing Your Personal Data under this privacy policy.

For the processing of your Personal Data in connection with our websites, the company that operates the respective website is generally responsible. The websites "www.carogusto.com" and "www.sisisi.com" are both operated by Carogusto AG.

Depending on the data processing, Carogusto AG and Garogusto Deutschland GmbH may each be individually or jointly the data controller or may also assume the role of data processor.

The contact person for any queries You may have regarding data protection is, irrespective of which Carogusto company is responsible for the processing of Your Personal Data in each individual case:

Carogusto AG Fehlwiesstrasse 20 CH-8580 Amriswil

Telephone: +41 71 411 77 00 E-Mail: info@carogusto.com

Please contact us at the above address with any questions regarding data protection.

3. Data origin and data categories

We primarily process Personal Data that we receive or collect from our customers, interested parties, website visitors, suppliers, purchasers and other business partners in the course of our business activities. In addition, we may also process Personal Data that we have obtained from publicly accessible sources (e.g. websites or public registers such as the commercial register, etc.). Finally, we may also have received Your Personal Data from family members of Yours, from business partners of ours, from official agencies and authorities or from other third parties.

The Personal Data we process includes, as the case may be, in particular identity and contact details (e.g. name, address, gender, date of birth, telephone number and e-mail address), delivery address,

financial information for payment purposes (e.g. bank account details), information about the use of our websites (e.g. IP address) and information of any kind from correspondence, contacts and interactions with us.

4. Processing purpose and legal basis
4.1 General in connection with our business activities

We process Your Personal Data primarily in order to provide our services in connection with our business activities. In particular, we may process Your Personal Data for the following purposes:

  • -  to communicate with You, in particular to provide You with information or to process Your requests. If You contact us by e-mail/contact form, You authorise us to reply to You via the same channel. Please note that unencrypted e-mails are transmitted via the open Internet, which is why it cannot be ruled out that they can be viewed, accessed and manipulated by third parties. Therefore, we ask You not to send us confidential information by e-mail. We exclude - as far as legally permissible - any liability which You may incur in particular as a result of faulty transmission, falsification of content or disruption of the network (interruptions, overloading, illegal interventions, blocking);

  • -  to make our services and our websites available to You and to evaluate and improve them;

  • -  to be able to deliver our products to You;

  • -  to be able to hold events;

  • -  to maintain and manage the business relationship with You (incl. issuing invoices);

  • -  to inform You of recent updates or to provide You with other information about our services and products;

  • -  to use in testimonials (providing reviews for a service, product or offer from us);

  • -  for IT and building security measures;

  • -  for the assertion of legal claims and defence in connection with legal disputes as well as proceedings before the authorities;

  • -  to comply with our legal obligations nationally and internationally.
    We process Your Personal Data for the purposes specified above, depending on the situation, in

    particular on the following legal bases:

  • -  the processing of Personal Data is necessary for the performance of an agreement with You;

  • -  You have given Your consent to the processing of the Personal Data relating to You;

  • -  the processing of Personal Data is necessary for the fulfilment of a legal obligation;

  • -  the processing is necessary to protect the vital interests of the data subject or another natural person; or

  • -  we have a legitimate interest in processing the Personal Data.

4.2 When organising events

We may process Personal Data that You disclose to us or that we collect from You in connection with registration for and participation in one of our events, for example a tasting event, in particular for the following purposes:

- for the organisation and implementation of events;

  • -  to report on events organised by us (e.g. in the form of texts, photographs, videos and voice recordings);

  • -  to promote other services, offers and products of ours.

    When processing Your Personal Data for the purposes specified above, we rely on the following legal bases in addition to those mentioned in section Error! Reference source not found., depending on the situation:

  • -  the processing of Personal Data is necessary for the performance of an agreement with You;

  • -  You have given Your consent to the processing of the Personal Data relating to You;

  • -  we have a legitimate interest in processing the Personal Data. Our legitimate interests include, in particular, providing You with our services and evaluating, improving and promoting our events. Depending on the case, we may also have other legitimate interests.

4.3 When visiting our websites

In order to visit our websites, You do not need to disclose any Personal Data. However, each time a user accesses our websites, our server collects a set of user information which is stored in the server’s log files. The information collected includes, but is not limited to, the IP address, the date and time of access, the time zone difference relative to GMT, the name and URL of the downloaded file, the website from which the access takes place, the browser used and the operating system used.

The use of this general information does not involve identification of a specific person. The collection of this information or data is technically necessary in order to display our websites to You and to guarantee its stability and security. This information is also collected in order to improve the websites and to analyse its use. The legal basis for the storage of the information and log files is our legitimate interest in being able to offer You our websites in sufficient quality and to continuously improve it.

4.4 Contact form

You can contact us by using the contact form provided on our websites. Mandatory information for the use of the contact form is the entry of Your name, Your e-mail address and Your message. The Personal Data You send us will be stored and processed by us for the purpose of processing Your request. The legal basis for this Personal Data processing is Your consent and our legitimate interest in processing Your request.

4.5 Contact by e-mail and telephone

You can contact us electronically or by telephone via the e-mail addresses and telephone numbers provided on our websites. In this case, the Personal Data You send us will be stored and processed by us for the purpose of processing Your request. The legal basis for this Personal Data processing is Your consent and our legitimate interest in processing Your request.

4.6 Cookies/Tools

Our websites may use so-called cookies or other technologies/tools such as pixels, tags or external services (hereinafter "Cookies" or "Tools"). Cookies are text files that are stored in or by the internet browser on the computer system or a mobile device of the user. The Cookie contains a characteristic

string that allows the browser or mobile device to be identified unambiguously when the website or app is visited again.

The purpose of the use of Cookies is, on the one hand, to enable and simplify the use of our websites for users. Some functions of the websites cannot be offered without the use of Cookies (so-called technically necessary Cookies). On the other hand, we also use Cookies/Tools to analyse user behaviour on our websites, namely for range measurement and marketing purposes.

4.5.1 TechnicallynecessaryCookies

Technically necessary Cookies are necessary for the functioning of our websites. Therefore, these Cookies cannot be deactivated in our systems. They usually record important actions, such as the number of requests made, the editing of Your privacy settings or when You fill out forms. Although You can block these Cookies in Your browser, some parts of our websites may no longer function then.

The legal basis for the data processing when using technically necessary Cookies is our legitimate interest, which lies primarily in ensuring the functionality and improvement of our websites.

4.5.2 AnalyticalandmarketingCookies

Analytical Cookies allow us to analyse visitor behaviour and traffic sources so that we can measure the performance of our websites and improve the user experience. They help us to identify how popular which pages are and indicate how visitors move around our websites. The information collected is aggregated and anonymous.

Marketing Cookies allow us to deliver advertising that is relevant to You. These Cookies may remember that You have visited our website and share this information with other companies, including other advertisers.

Specifically, we use the following analytics and marketing Cookies:

- Google Analytics of Google Ireland Ltd., Ireland (hereinafter "Google"). The privacy policy for Google Analytics can be found here: https://policies.google.com/privacy?hl=en.

You can object to the use of Cookies, for example, (i) by selecting the appropriate settings in Your browser, (ii) by using appropriate Cookie blocker software (e.g. ghostery etc.) or (iii) by downloading and installing the browser plug-in available at the following link regarding Cookies from Google: https://tools.google.com/dlpage/gaoptout?hl=en.

For more information about the use of third-party Tools, please see the description of the Tools used provided in this privacy policy.

4.7 Google Tag Manager

On our websites, we may use Google Tag Manager from Google. Google Tag Manager is a solution that allows us to manage website tags through one interface. The Tool itself is a Cookie-free domain and, according to Google, does not collect any Personal Data. The Tool triggers other tags, which in turn may collect Personal Data. Google Tag Manager does not access this data. If a deactivation has been made at domain or Cookie level, this remains in place for all tracking tags implemented by Google Tag Manager. You can prevent the setting of tags at any time.

The legal basis for this is Your consent and our legitimate interests.

4.7 Newsletter

If You subscribe to our newsletter, we will use Your e-mail address and other contact details to send You the newsletter. By subscribing to our newsletter, You consent to the processing of Your Personal Data. The mandatory information for sending the newsletter is Your full name as well as Your e-mail address, which we store after You register. The legal basis for the processing of Your data in connection with our newsletter is Your consent to the sending of the newsletter. You can withdraw the consent at any time and unsubscribe from the newsletter. You may withdraw by clicking on the link provided in each newsletter e-mail, by sending an e-mail to an info@carogusto.com or by sending a message to the contact details provided in the imprint.

4.8 Applications

You can submit Your application for a position with us by post or via the e-mail address provided on our website. Your application documents and all Personal Data thereby disclosed to us will be treated in the strictest confidence, will not be disclosed to any third party and will only be processed for the purpose of processing Your application for employment with us. Unless You have given consent which provides otherwise, Your application file will either be returned to You after the conclusion of the application process or will be deleted/destroyed, unless it is subject to a statutory retention requirement. The legal basis for the processing of Your data is Your consent, the performance of the contract with You and our legitimate interests.

5. Disclosure of Personal Data to recipients and abroad 5.1 Disclosure of Personal Data to recipients

In addition to the transfers of data to recipients expressly mentioned in this privacy policy, we may – to the extent permitted – disclose Personal Data to the following categories of recipients:

  • -  Other companies belonging to Carogusto;

  • -  Providers to whom we have outsourced certain services (e.g. IT and hosting providers, carriers,

    payment service providers, banks, insurance companies etc.);

  • -  Retailers, suppliers, subcontractors and other business partners;

  • -  Auditors, trust company and other external professional advisors of Carogusto;

  • -  National and foreign authorities, agencies and courts.

5.2 Disclosure of Personal Data abroad

In principle, we process Your Personal Data in Switzerland and Germany. However, in certain cases (e.g. for our projects abroad, when we use certain service providers), Your Personal Data may also be transferred to other member states of the European Union, EFTA or other countries worldwide.

If we transfer data to a country without adequate legal data protection, we ensure an adequate level of protection as provided for by law by using appropriate contracts (namely on the basis of the so-called standard contractual clauses of the European Commission) or we rely on the legal exceptions of consent, the performance of a contract, the establishment, exercise or enforcement of legal claims, overriding public interests, published Personal Data or because it is necessary to protect the integrity of the data subjects.

5. Duration of storage

Unless we have legal obligations (e.g. statutory retention periods) or overriding interests, we only store Your Personal Data for as long as is necessary in accordance with the relevant purpose of processing We retain Personal Data that we hold on the basis of a contractual relationship with You for at least the duration of that contractual relationship and the limitation periods for potential claims or based on contractual retention obligations. As soon as Your Personal Data are no longer required for the above- referenced purposes, they will be as far as possible deleted, anonymised or set inactive.

6. Your rights

Under the data protection law applicable to You and to the extent provided for, You have the right to information, rectification, erasure, the right to restrict data processing and otherwise to object to our data processing as well as to the handover of certain Personal Data for transfer to another location (so-called data portability). Please note, however, that we reserve the right to assert the statutory restrictions on our part, for example if we are obliged to retain or process certain data, if we have an overriding interest in this (to the extent we are entitled to rely on such interest) or if we need the data in order to assert claims. If this results in costs for You, we will inform You in advance.

If data processing is based on Your consent, after giving Your consent You may withdraw it at any time with future effect. However, this does not affect the lawfulness of the processing carried out on the basis of Your consent prior to Your withdrawal of consent.

The exercise of such rights generally requires that You clearly prove Your identity (e.g. by means of a copy of an identification document, where Your identity is otherwise unclear or cannot be verified). In order to assert Your rights, You may contact us at the address specified in Section 2 of this privacy policy.

In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority may vary depending on Your place of residence or the place where the alleged infringement of the applicable data protection law takes place.

7. Data security

We put technical and organisational measures in place to protect Your Personal Data from unauthorised access, misuse, loss and destruction. In particular, we use firewalls, have authorisation concepts, conduct regular training and have implemented other protective measures in order to ensure he most comprehensive protection of Personal Data possible.

8. Amendments to this Privacy Policy

We expressly reserve the right to amend this privacy policy at any time. If such amendments are made, we will immediately publish the amended privacy policy on our websites. The privacy policy published on our websites, as from time to time amended, shall apply.

September 2022