Privacy

1. Overview and scope of application

This privacy policy provides information on how and for which purposes Carogusto AG and Carogusto Deutschland GmbH (hereinafter also referred to as "we" or "Carogusto") process your personal data (hereinafter referred to as "you").

“Personal data" refers to all data and information relating to an identified or identifiable natural person.

We process personal data in accordance with the provisions of the Swiss Data Protection Act (hereinafter "DPA") and, if and insofar as applicable, in compliance with the General Data Protection Regulation of the European Union (hereinafter "GDPR"). If we consider it appropriate, we can provide you with additional data protection declarations in addition to this privacy policy information.

2. Responsible entity and point of contact

The Carogusto company with which you correspond or do business or which has referred you to this privacy policy in the context of an enquiry, a contract or other correspondence is responsible for processing your personal data in accordance with this privacy policy.

As a rule, the company that operates the respective website is responsible for processing your personal data in connection with our websites. The websites "www.carogusto.com" and "www.sisisi.com" are both operated by Carogusto AG.

Depending on the extent of data processing, Carogusto AG and Garogusto Deutschland GmbH may each be individually or jointly responsible or may also assume the role of an order processor.

The point of contact for questions and concerns about data protection is independent of which Carogusto company is responsible for processing your personal data in individual cases:

Carogusto AG Fehlwiesstrasse 20 CH-8580 Amriswil

Phone: +41 71 414 76 00 Email: info@carogusto.com

If you have any questions or concerns about data protection, please contact us at the above address.

3. Data origin and data categories

We primarily process the personal data that we receive or collect from our customers, interested parties, website visitors, suppliers, customers and other business partners as part of our business activities. In addition, we may also process personal data that we have obtained from publicly accessible sources (e.g. websites or public registers such as the commercial register, etc.). It is also possible that we have received your personal data from your family members, our business partners, from official bodies and authorities or from other third parties.

The personal data that we process includes, depending on each case, in particular personal details and contact data (e.g. name, address, gender, date of birth, phone number and email address), delivery address, financial information for payment purposes (e.g. bank account details), information about the use of our websites (e.g. IP address) and information of any kind from correspondence, contacts and interactions with us.

4. Processing purpose and legal basis

4.1 General within the framework of our business activities

We process your personal data mainly for the processing purposes that are necessary in connection with our business activities and the provision of our services. We may in particular process your personal data for the following purposes:

- To communicate with you, in particular to provide you with information or to process your concerns. If you contact us by email/contact form, you authorise us to reply to you through the same channel. Please note that unencrypted emails are transmitted on the public internet, which is why it cannot be ruled out that they can be viewed, accessed and manipulated by third parties. We therefore ask you not to send us any confidential information by email. We exclude – insofar as permissible by law – any liability for damage which you may incur, in particular as a result of faulty transmission, falsification of content or disruption of the network (interruptions, overloading, unlawful interventions, blocking);

- To provide you with our services and our websites and to analyse and improve these;

- To be able to deliver our products to you;

- To be able to organise events;

- To maintain and manage our business relationship with you (e.g. invoicing);

- To inform you about new developments or to send you other information about our services and products;

- For use for testimonials (submission of reviews for a service, product or offer from us);

- For IT and building security measures;

- For the assertion of legal claims and defence in connection with legal disputes and official proceedings;

- To fulfil our legal obligations at home and abroad.

We process your personal data for the above-mentioned purposes, depending on the situation, in particular backed by the following legal bases:

- Processing of personal data is necessary for the fulfilment of a contract with you;

- You have given your consent to processing of your personal data;

- Processing of personal data is necessary for the fulfilment of a legal obligation;

- Processing is necessary in order to protect the vital interests of the data subject or of another natural person; or

- We have a legitimate interest in processing of the personal data.

4.2 When organising events

We may process personal data that you disclose to us in connection with your registration for and participation in an event organised by us, for example a tasting event, or that we collect from you in the process, in particular for the following purposes:

- For the organisation and implementation of events;

- For reporting on events that we have organised (for example in the form of texts, photos, videos and voice recordings);

- To market further services, offers and products from us.

When processing your personal data for the above-mentioned purposes, we rely on the following legal bases in addition to the legal bases mentioned in section 4.1, depending on the situation:

- Processing of personal data is necessary for the fulfilment of a contract with you;

- You have consented to data processing;

- We have a legitimate interest in processing of the personal data. Our legitimate interests consist in particular of providing you with our services and analysing, improving and advertising our events. Depending on the case, we may also have other legitimate interests.

4.3 When visiting our websites

You do not have to disclose any personal data to visit our website. However, the server collects a range of user information during each visit which is stored in the server's log files. The information collected includes the IP address, the date and time of access, the time zone difference to the GMT time zone, the name and URL of the file accessed, the website from which the site was accessed, the browser and the operating system used.

When using this general information, it is not assigned to a specific person. The collection of this information or data is technically necessary to display our website to you and to ensure its stability and security. This information is also collected in order to improve the websites and analyse their use. The legal basis for storing the information and the log files is our legitimate interest in being able to offer you our websites with an adequate quality and to continuously improve these.

4.4 Contact form

You can contact us using the contact forms provided on our website. To use the contact form, you must enter your name, your email address and your message. We store the personal data you send us and it is processed for dealing with your enquiry. The legal basis for processing of this personal data is your consent and our legitimate interest in processing your enquiry.

4.5 Contact by email and phone

You can contact us electronically or by phone using the email addresses and phone numbers provided on our website. In this case we will store and process the personal data you send us for dealing with your enquiry. The legal basis for processing of this personal data is your consent and our legitimate interest in processing your enquiry.

4.6 Cookies/tools

Our websites may use so-called cookies or other technologies/tools such as pixels, tags or external services (hereinafter referred to as "cookies" or "tools"). Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system or mobile device, or image files such as pixels. The cookie contains a characteristic string of characters that enables the browser or mobile device to be uniquely identified when the website or mobile app is opened again.

The purpose of using cookies is, on the one hand, to enable and simplify the use of our websites for users. Some functions of our websites are not possible without the use of cookies (so-called technically essential cookies). We may also use cookies/tools to analyse user behaviour on our websites, namely to measure reach, and finally also for marketing purposes.

4.5.1 Technically essential cookies

Technically essential cookies are required for our websites to function. These cookies can therefore not be switched off in our systems. They usually record important actions, such as the number of requests made, editing your privacy settings or filling out forms. You can block these cookies in your browser, but some parts of our website may then no longer function.

The legal basis for data processing when using technically essential cookies is our legitimate interest, which is primarily to ensure the functionality and improvement of our website.

4.5.2 Analytical and marketing cookies

Analytical cookies enable us to analyse visitor behaviour and traffic sources so that we can measure the performance of our websites and improve the user experience. They help us to recognise how popular which pages are and show how visitors navigate around our websites.

Marketing cookies make it possible to provide adverts that are relevant to you. These cookies can remember that you have visited our websites and pass this information on to other companies, including other advertisers.

We specifically use the following analysis and marketing cookies:

- Google Analytics of Google Ireland Ltd, Ireland (hereinafter "Google"). The privacy policy for Google Analytics is available here: https://policies.google.com/privacy?hl=de.

You can object to the use of cookies, for example (i) by selecting the appropriate settings in your browser, (ii) by using appropriate cookie blocker software (e.g. ghostery etc.) or (iii) by downloading and installing the browser plug-in regarding cookies from Google available with the following link: http://tools.google.com/dlpage/ gaoptout?hl=en.

Further information on the use of third-party tools is given in the description of the tools used in this privacy policy.

4.6 Google Tag Manager

We may use Google Tag Manager from Google on our websites. Google Tag Manager is a solution with which website tags can be managed from an interface. The tool itself is a cookie-free domain and, according to Google, does not collect any personal data. The tool triggers other tags, which in turn may collect personal data. Google Tag Manager does not access this data. If deactivation has been initiated at a domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. You can prevent tags from being set at any time.

The legal basis is your consent and our legitimate interests.

4.6.1 Google Ads

Description and purpose of processing

Our website uses Google Ads, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). We use Google Ads to place adverts in the Google search engine and on other websites in the Google advertising network. Our aim is to provide users with targeted advertising for our products and services.

Google Ads uses so-called conversion tracking cookies to measure the success of our advertising campaigns. When you click on an advert placed by Google, Google stores a cookie on your device. These cookies have a limited validity (usually 30 days) and are not used to personally identify the user. They enable Google and us to recognise that a user has reached our website through an advertisement.

Data collected

Google Ads collects and processes the following data, among others:

IP address of the user (truncated if IP anonymisation is activated)

Browser type and version

Operating system

Pages visited on our website

Clicks on our ads

Timestamp of the access

Referrer URL (the previously visited page)

The information may be merged by Google with other data from other Google services (e.g. Google Analytics or Google Tag Manager) if you have consented to this in your Google account settings.

Legal basis for processing

Data processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR (consent). Before Google Ads is activated, we obtain your express consent with our cookie consent management tool.

If you do not give your consent or revoke your consent, Google Ads will not be executed and no cookies will be set.

Data transfer to third countries

Google generally processes your data on servers within the European Union (in particular in Ireland). However, data may be transferred to Google servers in the USA.

Google is certified according to the EU-U.S. Data Privacy Framework, so that transfer is possible on the basis of Art. 45 GDPR (adequacy decision). If such certification does not exist, we use the EU standard contractual clauses in compliance with Art. 46 GDPR as the basis for data transfer.

Objection and revocation options

You can prevent the storage of cookies by selecting the appropriate settings in your browser. You can also deactivate personalised advertising in your Google account:
➡️ https://adssettings.google.com/

We also offer an opt-out option with our cookie management tool.

Further information on data processing by Google is provided in Google's privacy policy:
➡️ https://policies.google.com/privacy?hl=de

4.7 Newsletter

If you subscribe to our newsletter, we will use your email address and other contact details to send you the newsletter. By subscribing to our newsletter you consent to relevant processing of your personal data. The mandatory information for sending the newsletter is your email address, which we store after you have completed your registration. The legal basis for processing of your data in connection with our newsletter is your consent to transmission of the newsletter. You can revoke your consent at any time and unsubscribe from the newsletter. You can declare your revocation by clicking on the link provided in every newsletter email, by email to info@carogusto.com or by sending a message to the contact details given in the imprint.

4.8 Applications

You can submit your application for a position with us by post or to the email addresses provided on our website. The application documents and all personal data disclosed to us will be treated as strictly confidential, will not be disclosed to third parties and will only be used for processing your application for employment at our company. Without your consent to the contrary, your application dossier will either be returned to you or deleted/destroyed after the application process has been completed, unless it is subject to a statutory retention obligation. The legal basis for processing of your data is your consent, the fulfilment of the contract with you and our legitimate interests.

5. Disclosure of personal data to recipients and other countries

5.1 Disclosure of personal data to recipients

In addition to the data transfers to recipients expressly mentioned in this privacy policy, we may disclose personal data to the following categories of recipients to the extent permitted and necessary:

- Other companies in the Carogusto Group;

- Providers to whom we have outsourced certain services (e.g. IT and hosting services, freight forwarders, payment service providers, banks, insurance companies, etc.);

- Dealers, suppliers, subcontractors and other business partners;

- Carogusto's auditors, fiduciary company and other external professional advisors;

- Domestic and foreign authorities, official bodies or courts.

5.2 Disclosure of personal data in other countries

In principle, we process your personal data in Switzerland and Germany. However, in certain cases (e.g. when using certain service providers or certain software applications), your personal data may also be transferred to other member states of the European Union, EFTA or other countries worldwide.

If we transfer data to a country without adequate statutory data protection, we ensure an adequate level of protection as provided for by law by using appropriate contracts (namely on the basis of the so-called standard contractual clauses of the European Commission) or rely on the statutory exceptions of consent, contract processing, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or because it is necessary to protect the integrity of the data subjects.

6. Storage period

Subject to legal obligations (e.g. statutory retention periods) or overriding interests on our part, we will only store your personal data for as long as is necessary for the relevant processing purpose. We retain personal data that we hold on the basis of a contractual relationship with you for at least as long as the contractual relationship is in place and limitation periods for possible claims are valid or contractual retention obligations exist. As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted, anonymised or at least inactivated as far as possible.

7. Your rights

You have the right to information, correction, deletion, the right to restrict data processing and otherwise to object to our data processing as well as to the release of certain personal data for the purpose of transfer to another place (so-called data portability) within the framework of the data protection law applicable to you and to the extent provided for therein. Please note, however, that we reserve the right to assert the restrictions provided for by law, for example if we are obliged to store or process certain data in order to fulfil a legal obligation, if we have an overriding interest (insofar as we may rely on it) or need it for the assertion of claims. If you should incur any costs, we will inform you in advance.

If data processing is based on your consent, you can revoke your consent at any time with effect for the future. However, this does not affect the legality of processing carried out on the basis of the consent until revocation.

The assertion of such rights generally requires that you clearly prove your identity (e.g. by means of a copy of your identity documents, in cases where your identity is otherwise not clear or cannot be verified). To assert your rights you can contact us at the address given in section 2 of this privacy policy.

Every data subject also has the right to enforce their claims in court or to lodge a complaint with the competent data protection authority. The competent data protection authority may vary depending on your place of residence or the place where the breach of applicable data protection law occurred.

8. Data security

We take technical and organisational measures to protect your personal data from unauthorised access, misuse, loss and destruction. In particular we use firewalls, have authorisation concepts, carry out regular training courses and have implemented other protective measures to ensure that personal data is protected as seamlessly as possible.

9. Amendments to this privacy policy

We expressly reserve the right to amend this privacy policy at any time. If such amendments are made, we will immediately publish the amended privacy policy on our websites. The privacy policy published on our websites applies in each case.

September 2022