Privacy Policy


With this privacy policy, we provide information about the processing of personal data in connection with our activities and operations, including our website under the domain name duvona.ch. In particular, we explain why, how, and where we process which personal data. We also provide information about the rights of individuals whose data we process.

For specific or additional activities and operations, we may publish further privacy policies or other data protection information.

We are subject to Swiss data protection law and, where applicable, foreign data protection laws, particularly those of the European Union (EU) under the European General Data Protection Regulation (GDPR).

The European Commission recognized with its decision of July 26, 2000 that Swiss data protection law ensures adequate protection. This adequacy decision was confirmed by the European Commission in its report of January 15, 2024.

1. Contact Addresses

Responsible for the processing of personal data:

Nadia Rechsteiner
Duvona Beauty AG
Battenhaus 785
CH-9052 Niederteufen

info@duvona.ch

In certain cases, third parties may be responsible for processing personal data, or there may be shared responsibility with third parties.

2.1 Terms

Data Subject: A natural person whose personal data we process.

Personal Data: All information relating to an identified or identifiable natural person.

Particularly Sensitive Personal Data: Data about union membership, political, religious, or philosophical views or activities, data concerning health, privacy, ethnic or racial origin, genetic or biometric data uniquely identifying a natural person, data about criminal and administrative sanctions or prosecutions, and data on measures of social assistance.

Processing: Any handling of personal data, regardless of the methods and procedures used, such as querying, comparing, adapting, archiving, storing, reading, disclosing, acquiring, recording, collecting, deleting, sharing, sorting, organizing, modifying, distributing, linking, destroying, or using personal data.

European Economic Area (EEA): Member states of the European Union (EU), as well as Liechtenstein, Iceland, and Norway.

We process personal data in accordance with Swiss data protection law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Data Protection Ordinance (Data Protection Ordinance, DPO).

We also process – where and to the extent the European General Data Protection Regulation (GDPR) applies – personal data in accordance with at least one of the following legal bases:

  • Art. 6 para. 1 lit. b GDPR for processing necessary to fulfill a contract with the data subject or to carry out pre-contractual measures.
  • Art. 6 para. 1 lit. f GDPR for processing necessary to protect legitimate interests – including those of third parties – provided that the fundamental freedoms, rights, and interests of the data subject do not prevail. Such interests include ensuring the secure and reliable operation of our activities, safeguarding information security, preventing misuse, enforcing legal claims, and complying with Swiss law.
  • Art. 6 para. 1 lit. c GDPR for processing necessary to comply with a legal obligation under applicable EEA law.
  • Art. 6 para. 1 lit. e GDPR for processing necessary to perform a task in the public interest.
  • Art. 6 para. 1 lit. a GDPR for processing personal data based on the data subject’s consent.
  • Art. 6 para. 1 lit. d GDPR for processing necessary to protect the vital interests of the data subject or another natural person.
  • Art. 9 para. 2 ff. GDPR for processing special categories of personal data, particularly with the data subject’s consent.

In the terminology of the European General Data Protection Regulation (GDPR), the processing of particularly sensitive personal data is the processing of special categories of personal data (Art. 9 GDPR).

3. Type, Scope, and Purpose of Processing Personal Data

We process the personal data that is necessary to conduct our activities and operations in a sustainable, humane, secure, and reliable manner. The personal data we process may fall into categories such as browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data.

We also process personal data obtained from third parties, from publicly accessible sources, or collected in the course of our activities and operations, insofar as such processing is permitted by law.

We process personal data, when necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to fulfill legal obligations or protect overriding interests. We may also request consent from data subjects when consent is not legally required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, particularly in accordance with legal retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. These third parties include specialized providers whose services we utilize.

For example, we may disclose personal data to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and creditworthiness agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, and insurers.

5. Communication

We process personal data to communicate with third parties. In this context, we specifically process data that a data subject provides when contacting us, for example, via postal mail or email. Such data may be stored in an address book or similar tools.

Third parties transmitting data about other individuals are obligated to ensure data protection for such individuals. This includes ensuring the accuracy of the transmitted personal data.

6. Data Security

We take appropriate technical and organizational measures to ensure data security proportionate to the respective risk. With these measures, we ensure the confidentiality, availability, traceability, and integrity of the personal data we process, although absolute data security cannot be guaranteed.

Access to our website and other online presence is secured through transport encryption (SSL / TLS, particularly with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting websites without transport encryption.

Like essentially all digital communication, our digital communication is subject to mass surveillance without cause or suspicion by security agencies in Switzerland, Europe, the United States of America (USA), and other countries. We cannot directly influence the corresponding processing of personal data by intelligence agencies, police, and other security authorities. We also cannot rule out targeted surveillance of a data subject.

7. Personal Data Abroad

We process personal data primarily in Switzerland and the European Economic Area (EEA). However, we may export or transfer personal data to other countries, particularly for processing or having it processed there.

We may transfer personal data to any countries worldwide or beyond Earth, provided that local laws ensure adequate data protection according to a decision by the Swiss Federal Council and – where and to the extent the General Data Protection Regulation (GDPR) applies – a decision by the European Commission.

We may transfer personal data to countries whose laws do not ensure adequate data protection, provided data protection is ensured through other measures, such as standard contractual clauses or other appropriate safeguards. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if specific data protection requirements are met, such as the explicit consent of the data subject or a direct connection with the conclusion or execution of a contract. Upon request, we gladly provide information about any guarantees or deliver copies of applicable guarantees.

8. Rights of Data Subjects

8.1 Data Protection Claims

We grant data subjects all rights under applicable data protection laws. In particular, data subjects have the following rights:

  • Access: Data subjects can request information about whether we process personal data about them, and if so, what personal data is involved. Data subjects also receive information necessary to assert their data protection claims and ensure transparency, including the processed personal data, processing purposes, retention duration, any disclosure or export of data to other countries, and the origin of the personal data.
  • Correction and Restriction: Data subjects can have incorrect personal data corrected, incomplete data completed, and the processing of their data restricted.
  • Deletion and Objection: Data subjects can request the deletion of personal data ("right to be forgotten") and object to the processing of their data with future effect.
  • Data Release and Transfer: Data subjects can request the release of personal data or the transfer of their data to another responsible party.

We may defer, restrict, or deny the exercise of rights by data subjects to the extent permitted by law. We may, for example, refuse access citing confidentiality obligations, overriding interests, or the protection of other individuals. Similarly, we may refuse the deletion of personal data citing legal retention obligations.

We may exceptionally charge costs for the exercise of rights. We inform data subjects of any potential costs in advance.

We are obligated to take reasonable steps to identify data subjects who request access or assert other rights. Data subjects are required to cooperate in this identification process.

8.2 Legal Remedies

Data subjects have the right to enforce their data protection claims through legal action or to file a complaint with a data protection supervisory authority.

The supervisory authority for private entities and federal bodies in Switzerland is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

European data protection authorities are organized as members of the European Data Protection Board (EDPB). In some EEA member states, data protection authorities are federally structured, such as in Germany.

9. Use of the Website

9.1 Cookies

We may use cookies. Cookies – both first-party cookies and third-party cookies from services we use – are data stored in the browser. Such stored data do not have to be limited to traditional text-based cookies.

Cookies can be temporarily stored in the browser as "session cookies" or stored for a certain period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a set storage duration. Cookies allow, among other things, for a browser to be recognized on a return visit to our website and, for example, to measure the reach of our website. Permanent cookies can also be used for online marketing, for example.

Cookies can be fully or partially disabled and deleted in the browser settings at any time. Without cookies, our website may not be available in its full capacity. We actively request – at least to the extent required – your explicit consent for the use of cookies.

For cookies used for success and reach measurement or advertising, a general opt-out is available for many services through AdChoices (Digital Advertising Alliance of Canada), Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

9.2 Logging

We may log the following details for each access to our website and other online presence, provided that these are transmitted to our digital infrastructure during such accesses: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, requested individual sub-pages of our website including transferred data volume, last page visited in the same browser window (referer).

We log such details, which may also represent personal data, in log files. These details are required to provide our online presence in a reliable, human-friendly, and secure manner. They are also needed to ensure data security, including by third parties or with the help of third parties.

9.3 Tracking Pixels

We may integrate tracking pixels into our online presence. Tracking pixels, also known as web beacons, are typically small, invisible images or JavaScript scripts that are automatically retrieved when accessing our online presence. Tracking pixels can collect at least the same information as log files.

10. Notifications and Communications

10.1 Success and Reach Measurement

Notifications and communications may contain web links or tracking pixels that track whether a notification has been opened and which web links were clicked. Such web links and tracking pixels can also capture the use of notifications and communications in a personalized way. We need this statistical tracking of usage for success and reach measurement in order to send notifications and communications in an effective and human-friendly manner, tailored to the needs and reading habits of the recipients, while ensuring security and reliability.

10.2 Consent and Opt-Out

In general, you must consent to the use of your email address and other contact details, unless the use is legally permissible for other reasons. For obtaining double confirmation of consent, we may use the "double opt-in" method. In this case, you will receive a message with instructions for double confirmation. We may log consents obtained, including IP addresses and timestamps, for proof and security purposes.

You can generally object to receiving notifications and communications such as newsletters at any time. With such an objection, you can also object to the statistical tracking of usage for success and reach measurement. Necessary notifications and communications related to our activities and operations remain reserved.

11. Third-Party Services

We use services from specialized third parties to carry out our activities and operations in a reliable, secure, and human-friendly manner. These services enable us to embed functions and content into our website. When embedding such services, they may temporarily capture IP addresses of users for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data in connection with our activities and operations in an aggregated, anonymized, or pseudonymized manner. This may include performance or usage data to offer the respective service.

We particularly use:

11.1 Digital Infrastructure

We use third-party services to access the necessary digital infrastructure related to our activities and operations. This includes hosting and storage services from selected providers.

We particularly use:

11.2 Fonts

We use third-party services to embed selected fonts, icons, logos, and symbols into our website.

We particularly use:

  • Google Fonts: Fonts; Provider: Google; Google Fonts-specific details:

11.3 Logos and Symbols

We may use logos and symbols from third-party services for marketing, branding, or user interface purposes on our website. These elements may be subject to the respective third-party providers' terms and privacy policies.

We particularly use: