This privacy policy sets out what personal data we process in connection with our media.lindt-spruengli-financialyear.com website and our other services. In particular, we provide
information on what personal data we process, for what purpose, how and where. With this
data protection declaration, we also inform you about the rights of persons whose data we
process.
For individual or additional offers and services, further data protection declarations and other
legal documents such as general terms and conditions (GTC), terms of use or conditions of
participation may apply.

1. Contact addresses

Responsibility for the processing of personal data:

ZAAK Zurich GmbH
Bachstrasse 9
8038 Zürich

legal@zaak.ch

We point out if there are other persons responsible for the processing of personal data in
individual cases.

2. Processing of personal data

2.1 Terms

Personal data is any information relating to an identified or identifiable person. A data
subject is a person about whom personal data is processed. Processing includes any handling of
personal data, regardless of the means and procedures used, in particular the storage, disclosure,
procurement, collection, deletion, storage, modification, destruction and use of personal data.

2.2 Legal basis

We process personal data in accordance with Swiss data protection law such as, in particular,
the Federal Data Protection Act (FADP) and the Ordinance to the Federal Data Protection Act
(DPA).

2.3 Nature, scope and purpose

We process the personal data that is required to provide our services in a permanent, user-
friendly, secure and reliable manner. Such personal data can fall into the categories of inventory
and contact data, browser and device data, content data, meta or marginal data and usage data,
location data, sales, contract and payment data.
We process personal data for the duration required for the respective purpose(s) or as required
by law. Personal data whose processing is no longer required will be anonymized or deleted.
Persons whose data we process generally have a right to deletion.
As a matter of principle, we process personal data only with the consent of the data subject,
unless the processing is permitted for other legal reasons, for example, for the performance
of a contract with the data subject and for corresponding pre-contractual measures, in order
to protect our overriding legitimate interests, because the processing is evident from the
circumstances or after prior information.
In this context, we process in particular information that a data subject voluntarily and
personally provides to us when contacting us – for example, by letter, e-mail, contact form,
social media or telephone – or when registering for a user account. We may store such
information, for example, in an address book or with comparable aids. If you transmit personal
data to us via third parties, you are obligated to ensure data protection vis-à-vis such third
parties and to ensure the accuracy of such personal data.
We also process personal data that we receive from third parties, obtain from publicly accessible
sources or collect in the course of providing our services, if and to the extent that such
processing is permitted for legal reasons.

We may have personal data processed by commissioned third parties or process it jointly
with third parties or with the help of third parties or transmit it to third parties. Such third
parties are in particular providers whose services we use. We also ensure appropriate data
protection for such third parties.
Such third parties are generally located in Switzerland and in the European Economic Area
(EEA). However, such third parties may also be located in other countries and territories on
earth as well as elsewhere in the universe, provided that their data protection law guarantees
adequate data protection in the opinion of the Federal Data Protection and Information
Commissioner (FDPIC), or if adequate data protection is guaranteed for other reasons, such as
through a corresponding contractual agreement, in particular on the basis of standard contractual
clauses, or through a corresponding certification. Exceptionally, such a third party may be
located in a country without adequate data protection, provided that the requirements under data
protection law, such as the express consent of the data subject, are met.

3. Rights of data subjects

Data subjects whose personal data we process have the rights under Swiss data protection law.
These include the right to information as well as the right to correction, deletion or blocking of
the processed personal data.
Data subjects whose personal data we process have a right of appeal to a competent supervisory
authority. The supervisory authority for data protection in Switzerland is the Federal Data
Protection and Information Commissioner (FDPIC).

4. Data security

We take appropriate and suitable technical and organizational measures to ensure data
protection and data security in particular. However, despite such measures, the processing
of personal data on the Internet can always have security gaps. We can therefore not
guarantee absolute data security.
Access to our online offering is via transport encryption (SSL / TLS, in particular with the
Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport
encryption with a padlock in the address bar.

Access to our online offering is subject – as is any use of the Internet – to mass surveillance
without cause or suspicion and other monitoring by security authorities in Switzerland, the
European Union (EU), the United States of America (USA) and other countries. We cannot
have any direct influence on the corresponding processing of personal data by secret services,
police forces and other security authorities.

5. Website use

5.1 Cookies

We may use cookies for our website. Cookies – both our own cookies (first-party cookies) and
cookies from third parties whose services we use (third-party cookies) – are data that are stored
in your browser. Such stored data need not be limited to traditional cookies in text form.
Cookies cannot execute programs or transmit malware such as Trojans and viruses.
Cookies can be stored temporarily in your browser as “session cookies” when you visit our
website or for a certain period of time as so -called permanent cookies. “Session cookies” are
automatically deleted when you close your browser. Permanent cookies have a specific storage
period. In particular, they enable us to recognize your browser the next time you visit our
website and thus, for example, to measure the reach of our website. However, permanent
cookies can also be used for online marketing, for example.
You can disable cookies in your browser settings at any time in whole or in part, as well as
delete them. Without cookies, our website may no longer be fully available. We ask you – if and
to the extent necessary – actively for your express consent for the use of cookies.
In the case of cookies used for performance and reach measurement or for advertising, a general
objection (“opt-out”) is possible for numerous services via AdChoices (Digital Advertising
Alliance Of Canada), Network Advertising Initiative (NAI), YourAdChoices (Digital
Advertising Alliance) or Your Online Choices (European Interactive Digital Adverti- sing
Alliance, EDAA).

5.2 Server log files

We may collect the following information for each access to our website, provided that this
information is transmitted by your browser to our server infrastructure or can be determined by
our web server: Date and time including time zone, Internet Protocol (IP) address, access status
(HTTP status code), operating system including user interface and version, browser including
language and version, individual sub-page of our website accessed including amount of data
transferred, website last accessed in the same browser window (referer or referrer).
We store such information, which may also constitute personal data, in server log files. The
information is necessary to provide our online offer permanently, user-friendly and reliable
and to ensure data security and thus in particular the protection of personal data – also by third
parties or with the help of third parties.

5.3 Tracking pixel

We may use tracking pixels on our website. Tracking pixels are also known as web beacons.
Tracking pixels – also from third parties whose services we use – are small, usually invisible
images that are automatically retrieved when you visit our website. With pixel counters, the
same information can be collected as in server log files.

6. Notifications and messages

We send notifications and communications such as newsletters by email and through other
communication channels such as instant messaging.

6.1 Success and reach measurement

Notifications and messages may contain web links or tracking pixels that record whether an
individual message was opened and which web links were clicked. Such web links and tracking
pixels may also record the use of notifications and messages on a personal basis. We need this
statistical recording of usage for performance and reach measurement in order to be able to offer
notifications and messages effectively and in a user-friendly manner based on the needs and
reading habits of the recipients, as well as permanently, securely and reliably.

6.2 Consent and objection

As a matter of principle, you must expressly consent to the use of your e-mail address and other
con- tact addresses, unless such use is permitted for other legal reasons. For any consent to
receive e-mails, we use the “double opt-in” procedure where possible, i.e. you will receive an e-
mail with a web link that you must click to confirm, so that no misuse by unauthorized third
parties can take place. We may log such consents including Internet Protocol (IP) address, date
and time for evidence and security reasons.
You can unsubscribe from notifications and communications such as newsletters at any time. By
unsubscribing, you can in particular object to the statistical recording of usage for performance
and reach measurement. Notifications and messages that are absolutely necessary for our offer
remain reserved.

6.3 Service provider for notifications and messages

We send notifications and messages via third-party services or with the help of service
providers. Cookies may also be used in the process.
We use in particular:
• MailPoet: Email marketing software (“Better Email for WordPress-Powered Websites”);
Providers: WooCommerce Ireland Ltd. (Ireland) for users in Australi- en, all European
countries, Japan, Canada, Mexico, New Zealand and Russia, partly jointly with Automattic
Inc. (USA) and WooCommerce Inc. (USA) / WooCommerce Inc. (USA) for users in other
states and territories on earth as well as elsewhere in the universe, partly jointly with
Automattic Inc. (USA); Privacy Policy: Privacy Policy.

7. Third party services

We use third-party services in order to be able to provide our offer permanently, user-friendly,
secure and reliable. Such services may also be used to embed content in our website. Such
services – for example, hosting and storage services, video services and payment services –
require your Internet Protocol (IP) address, as such services cannot otherwise transmit the
corresponding content.

For their own security, statistical and technical purposes, third parties whose services we use
may also process data related to our offer as well as from other sources – including with
cookies, log files and counting pixels – in an aggregated, anonymized or pseudonymized
manner.
We use in particular:
• Google services: Provider: Google LLC (USA) / Google Ireland Limited (Ireland) for users
in the European Economic Area (EEA) and Switzerland; General information on data
protection: “Privacy and security principles”, privacy statement, “Google is committed to
complying with applicable data protection laws“, “Privacy guide for Google products”,
“How we use data from websites or apps on or in which our services are used”
(information from Google), “How Google uses cookies”, “Personalized advertising”
(activation / deactivation / settings).

7.1 Digital infrastructure

We use third-party services in order to be able to make use of the digital infrastructure
required for our offering. These include, for example, hosting and storage services from
specialized providers.
We use in particular:
• Cyon: Hosting; Provider: Cyon GmbH (Switzerland); Data protection information: “Daten-
schutz”, Privacy policy.

7.2 Audio and video conferencing

We use audio and video conferencing services to communicate online. We can use them, for
example, to conduct virtual meetings or online lessons and webinars. In addition to this data
privacy statement, any terms and conditions of the services used, such as terms of use or data
privacy statements, also apply.
Depending on the life situation in which you are participating in an audio or video conference,
we recommend that you mute the microphone by default and blur the background or fade in a
virtual background.

7.3 Audiovisual media

We use third-party services to enable the direct playback of audiovisual media such as music or
videos on our website.
We use in particular:
• Vimeo: Videos; Provider: Vimeo Inc. (USA); Privacy information: “Privacy”, Privacy Policy.

8. Extensions for the website

We use extensions for our website in order to be able to use additional functions.
We use in particular:
• Google reCAPTCHA: Spam protection (distinguishing between wanted comments coming
from humans and unwanted comments coming from bots and spam); Google reCAPTCHA-
specific privacy information: “What is reCAPTCHA?” (“What is reCAPTCHA?”).

9. Success and reach measurement

We use services and programs to determine how our online offering is used. In this context, we
can, for example, measure the success and reach of our online offering and the effect of third-
party links to our website. We can also, for example, test and compare how different versions of
our online offering or parts of our online offering are used (“A/B test” method). Based on the
results of the performance and reach measurement, we can in particular correct errors,
strengthen particularly popular content or make improvements to our online offering.
When using services and programs for performance and reach measurement, the Internet
Protocol (IP) addresses of individual users must be stored. IP addresses are generally shortened
in order to comply with the principle of data economy and to improve data protection for
visitors to our website (“IP masking”).

When using services and programs for performance and reach measurement, cookies may be
used and user profiles may be created. User profiles include, for example, the pages visited or
content viewed on our website, information about the size of the screen or browser window and
the – at least approximate – location. In principle, user profiles are created exclusively on a
pseudonymous basis. We do not use user profiles to identify individual visitors to our website.
Individual services with which you are registered as a user may be able to assign the use of our
online service to your profile with the respective service, whereby you must usually give your
consent to this assignment in advance.
We use in particular:
• Matomo Cloud: Performance and reach measurement with pseudonymized Internet Protocol
(IP) addresses; Provider: InnoCraft Ltd. (New Zealand); data protection information: data
protection declaration, no cross-website collection and no transfer of data to third parties
(“100% data ownership”).

10. Final provisions

We can adapt and supplement this data protection declaration at any time. We will inform
about such adjustments and additions in an appropriate form, in particular by publishing the
respective current privacy policy on our website.