I. Responsible body, data protection officer
The party responsible in the sense of the general data protection ordinance and other national data protection laws of the member states as well as other data protection regulations is:
Alte Steinhauserstrasse 1
Telephone +41 41 511 18 50
[hereinafter referred to as: “Responsible party” or “MUUME”]
The responsible party has commissioned
Mr. Michael Endres
Alte Steinhauserstrasse 1
[hereinafter referred to as: the “data protection officer”]
as the data protection officer.
II. Representative within the EU
The responsible party has commissioned
Stendaler Str. 4
[hereinafter referred to as: “EU representative”]
as the representative within the European Union.
III. General Information about Data Processing
1. Scope of processing personal data
This data privacy statement provides information about MUUME’s handling of personal data of users (hereinafter “party(parties) concerned” or “you”) of MUUME websites (“website”) or MUUME apps (“app”).
Website and app users may be any natural person acting as a consumer (“consumer”) according to the respective applicable general terms and conditions of MUUME, as well as any natural person or legal entity acting for commercial, entrepreneurial or other reasons (“merchant”) – whereby personal data only relates to natural persons – according to the respective applicable general terms and conditions for merchants of MUUME.
In principle MUUME only collects and uses personal data if this is required to use the website and apps and if it is required to carry out the services offered through the website and apps. If no statutory permission to use data applies, the collection and use of your personal data only occurs after you provide consent.
2. Legal basis for processing personal data
Preparation and fulfillment of a contract
Unless specified otherwise, MUUME collects and uses personal data as part of the preparation and fulfillment of the contracts concluded with the individual party concerned, which are regulated by MUUME’s general terms and conditions of use and business. This also applies to processing procedures required to carry out pre-contractual measures. The basis for this is therefore article 6 para. 1 lit. b) GDPR. If you refuse to provide the personal data required for this purpose, MUUME’s services may only be available to you to a limited extent or may not be available at all.
Furthermore, it is possible that MUUME may be subject to legal obligations (e.g. with respect to the provision of services for storing payment methods) that require personal data be collected and used.
Article 6 para. 1 lit. f GDPR is the legal basis for processing if the processing is necessary to protect a legitimate interest of MUUME or a third party and if the interests, basic rights and basic freedoms of the party concerned do not outweigh the former interest.
If none of the aforementioned conditions is applicable, MUUME shall collect and use personal data only after prior consent by the party concerned.
3. Data deletion and storage duration
The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. This means that, for example, personal data that was collected for the purposes of preparation and fulfillment of a contract will be deleted after the contract has ended.
In addition, storage may occur if this was provided for by European or national legislators in EU regulations, laws or other regulations for which the responsible party is subjected. A blocking or deletion of data then also occurs if a storage term prescribed by the standards mentioned expires, unless it is necessary to continue storing the data for a contract conclusion or to fulfill a contract.
4. Data transmission in Switzerland
The responsible party is headquartered in Switzerland. That is why the processing of the collected personal data (also) occurs in Switzerland according to the adequacy decision of the European Commission no. 2000/518/EC.
IV. Data usage in a general form
1. Data usage when accessing the website
When you visit the website or access the app, our system automatically records data and information from the accessing computer’s system.
The following data is collected in the process:
(1) Information about the type of browser and the version used
(2) The user’s operating system
(3) The Internet service provider of the user
(4) The user’s IP address
(5) The data and time of the access
This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
2. Data collection during registration and purchases
When you register on our website or app (i.e. create a user account) to utilize all the services of MUUME, the following data is collected: First name, last name, cell phone number, e-mail address, address, country, date of birth, billing information, credit card number, bank details.
If the merchant is a legal person, the following personal data is collected from the persons authorized to represent, from the competent official and/or from the economic involved party: First name, last name, cell phone number, e-mail address, address, country.
The purpose of the data collection is to allow MUUME and MUUME’s business partners to render the offered services in accordance with the relevant legal regulations. For example, this includes carrying out detailed identity checks on behalf of the payment service providers cooperating with MUUME and forwarding purchase order and payment data from individual purchase processes to merchants. In principle, MUUME generally only forwards personal data to retailers that is necessary for processing purchases made by the user, for example contact details for delivering purchased products, identity data in the case of purchasing personalized products (e.g. non-transferable tickets), contact and payment details, if a direct debit cannot be redeemed or withdrawn, etc.
Other details about data collection during registration can be found in the respective applicable general terms and conditions of business of MUUME for consumers and for merchants. We can also organize sweepstakes among registered users from time to time. Unless otherwise regulated with respect to the specific sweepstakes, all users participate in the respective sweepstakes. The legal basis is our legitimate interest in the sense of article 6 para. 1 sentence 1 f GDPR to create an incentive for users to register for and utilize our services.
3. Data collection and use for payments by direct debit
If you wish to use “direct debit” via MUUME as the means of payment, MUUME will collect the necessary information and personal data in order to be able to collect amounts from your account via direct debit. The collection is done by issuing a direct debit mandate, which you must sign. The following information and personal data are collected: Name of the account holder, IBAN, BIC, name of the bank, mandate reference. Your consent forms the basis for the processing.
The direct debit mandate and the associated consent to the processing of personal data can be withdrawn at any time with effect for the future.
4. Data collection for contact requests
If you send a contact request (e.g. support request) to MUUME through the website or if you make an appointment with a MUUME authorized merchant, the following data may be collected: Name, last name, gender (voluntary), cell phone number, e-mail address, address, country, date of birth, password, billing information, credit card number, bank details. The merchants will also collect the tax or VAT identification number.
If the merchant is a legal person, the following information mentioned is collected from the persons authorized to represent, from the competent official and/or from the economic involved party.
5. Data collection when downloading the app
The following data is collected when you download the MUUME app via the website: Name, last name, e-mail address.
6. Locating via app
Users who have installed the MUUME app on a mobile end device have the ability to consent to the locating of the end device. This means that MUUME can track the location at which the end device is located and can thus make location-based offers to the user. The user can always prevent the locating by MUUME by pressing the appropriate button.
However, if the user does not allow the locating or revokes consent, MUUME’s services may only be available to a limited extent or not at all.
7. Market Research and Statistics
MUUME processes the collected data in anonymous or pseudonymous form for the purposes of market research and statistics. This means that information is collected regarding the utilization of the MUUME services by users, which is processed for statistical purposes without affecting the information regarding natural persons. For this purpose, the collected and processed data and values are grouped into categories by geographical origin, market segment, monthly or annual expenditure through MUUME, language and age group. In no case is data collected in such a way that conclusions can be drawn about natural persons. In particular, no names, last names, contact details, IP addresses or other unique information will be collected or processed for the purpose of market research and statistics.
V. Using cookies
MUUME places cookies on the user’s end device via the website (but not via the app) to make their services more attractive for the user. Cookies are text files that are stored in the Internet browser or that are stored by the Internet browser on the user’s computer system. If a user accesses a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string that makes it possible to uniquely identify the browser the next time the website is accessed.
The basis for processing is article 6 para. 1 lit. f) GDPR.
a) Own cookies from MUUME
The following data is stored and transmitted in the cookies set by MUUME: 1) Language settings; 2) Log-in information.
These are so-called technical cookies, which are required to ensure the functional capability of the website. If you prevent such cookies via the appropriate browser setting, MUUME services may only be available to you to a limited extent or not at all.
b) Cookies from third party providers
“Google Analytics” is an advertising analysis service of Google Inc. The information generated by the Google Analytics cookie about the user’s use of the website is usually transmitted to a Google server in the US and stored there. MUUME uses the so-called “IP anonymization,” i.e. the user’s IP address is shortened by Google within the EU and EEA states. Only in cases of exception will the IP address be transmitted to a Google server in the US unshortened and then shortened there. Google uses this information to evaluate the user behavior on the website, to create statistics and to provide us with other services associated with the website and Internet use. The IP address transmitted by the browser as part of Google Analytics is not be merged with other data by Google. You can set your browser so that the storage of cookies is always prevented. However, in this case MUUME cannot guarantee that all of the website’s functions will be available to you without restriction. Furthermore, you can prevent the creation and processing of data based on Google Analytics cookies (including IP address) by installing the browser plug-in from Google provided for this purpose (available at https://tools.google.com/dlpage/gaoptout?hl=en). As an alternative to the browser plug-in, you can click this link to prevent collection by Google Analytics on this website in the future. An opt-out cookie is then stored on your end device. If cookies are deleted from the end device, the link must be clicked on again.
VI. Newsletter and Other Types of Advertising Notifications
Users can receive e-mail newsletters or in-app messages through MUUME directly to their own MUUME account (“push notifications”). To receive the MUUME newsletter, users must enter their e-mail address in the field provided on the website or app or they must place a check mark in the provided field if they have already specified their e-mail address (e.g. when creating a user account). When or after creating a user account, users must place a check mark in the field provided for this purpose in the app in order to agree to receive push notifications. After agreeing to receive e-mail newsletters, the user will receive an automatic confirmation e-mail containing a link. The user then automatically receives a confirmation e-mail containing a link. Clicking the link or entering it in the address bar of the Internet browser completes the registration process for receiving the newsletter (double opt-in method).
You can always object to receiving all types of newsletters without incurring any costs for this other than the transmission costs according to your base rates (i.e. the cost of your Internet provider). By agreeing to receive the newsletter or push notifications, MUUME will send you interesting offers from MUUME and its business partners. A transfer of the data to third parties does not take place. The data is not forwarded to third parties. You can consent to receiving newsletters by placing a check mark during registration or when placing an order. This consent can always be revoked by clicking the “Unsubscribe” link, which is contained in every newsletter. Without previous consent, MUUME can also send users e-mail newsletters about offers that are similar to goods or services already ordered by users via MUUME, provided they have not objected to receiving such newsletters and the e-mail address used for this is available due to a previous purchase made with MUUME. Users can always object to receiving such newsletters by clicking the “Unsubscribe” link, which is contained in every newsletter. In this case, section 7 para. 3 Act Against Unfair Competition is the basis for processing.
VII. Recipients of personal data
MUUME works together with various business partners to be able to provide users with the best possible services. In some circumstances, this means that the user’s personal data is or must be sent to such business partners (“recipients”). This section provides information about this.
Listings within this section are expressly not exhaustive. The user can always find out in detail from the responsible party to which recipients MUUME is currently forwarding personal data.
1) Contact management
MUUME works with service providers who make contacting users or making appointments easier, such as Mailchimp or Calendly.
2) Payment services and associated identity verification
With the exception of the direct debit procedure (see IV.3 above), all payment transactions initiated via MUUME are carried out by third parties. These include Cashless Nation and Bambora. MUUME does not have access to payment data, but only receives information from the respective third party provider as to whether a payment has been made or not.
3) Social Networks
The website uses social media plug-ins from various providers in order to constantly improve MUUME’s offering and to make it more attractive for users. The basis for the associated processing of personal data is therefore article 6 para. 1 lit f. GDPR.
So-called social plug-ins (“plug-ins”) of the social network Facebook are used on the website. Facebook is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). The plug-ins are marked with a Facebook logo or the addition “social plug-in of Facebook” or “Facebook social plug-in.”
When a MUUME website is accessed containing such a plug-in, the user’s browser establishes a direct connection to the Facebook servers. The content of the plug-in is sent directly from Facebook to the browser and is integrated into the page. Through this integration, Facebook receives information that the browser of the corresponding MUUME page has been accessed, even if the user does not have a Facebook profile or is not currently logged into Facebook. This information (including the IP address) is sent by the browser directly to a Facebook server in the US and is stored there.
If the user is logged into Facebook, Facebook can immediately allocate the visit to the MUUME website to said user’s Facebook profile. When interacting with the plug-ins, for example by pressing the “Like” button or submitting a comment, this information is also sent directly to a Facebook server and is stored there. The information is also published on the user’s Facebook profile and shown to Facebook friends.
To prevent Facebook from assigning the data collected via the MUUME website directly onto the Facebook user profile, users must log out of Facebook before visiting the website. The loading of the Facebook plug-in can also be completely prevented with add-ons for the browser, such as with a “Facebook blocker” or script blocker.
Plug-ins of the microblogging service Twitter are used on the website. Twitter is operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”). The plug-ins are marked with a Twitter logo, for example in the form of a blue “Twitter bird.”
When a MUUME website is accessed containing such a plug-in, the user’s browser establishes a direct connection to the Twitter servers. The content of the plug-in is sent directly from Twitter to the browser and is integrated into the page. Through this integration, Twitter receives information that the browser of the corresponding MUUME page has been accessed, even if the user does not have a Twitter profile or is not currently logged into Twitter. This information (including the IP address) is sent by the browser directly to a Twitter server in the US and is stored there.
If the user is logged into Twitter, Twitter can immediately allocate the visit to the MUUME website to said user’s Twitter profile. When interacting with Twitter plug-ins, for example by pressing the “Tweet” button, the corresponding information is also sent directly to a Twitter server and is stored there. The information is also published on the user’s Twitter account and shown to the contacts there.
To prevent Twitter from assigning the data collected via the MUUME website directly onto the Twitter account of the user, the user must log out of Twitter before visiting the website. The loading of the Twitter plug-in can also be completely prevented with add-ons for the browser, such as with a script blocker.
Plug-ins of the social network LinkedIn are used on the website. LinkedIn is operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (“LinkedIn”).
When a MUUME website is accessed containing such a plug-in, the user’s browser establishes a direct connection to the LinkedIn servers. The content of the plug-in is sent directly from LinkedIn to the browser and is integrated into the page. Through this integration, LinkedIn receives information that the browser of the corresponding MUUME page has been accessed, even if the user does not have a LinkedIn profile or is not currently logged into LinkedIn. This information (including the IP address) is sent by the browser directly to a LinkedIn server in the US and is stored there.
If the user is logged into LinkedIn, LinkedIn can immediately allocate the visit to the MUUME website to said user’s LinkedIn profile. When interacting with LinkedIn plug-ins, for example by pressing the “Recommend” button, the corresponding information is also sent directly to a LinkedIn server and is stored there. The information is also published on the user’s LinkedIn account and shown to the contacts there.
To prevent LinkedIn from assigning the data collected via the MUUME website directly onto the LinkedIn account of the user, the user must log out of LinkedIn before visiting the website. The loading of the LinkedIn plug-in can also be completely prevented with add-ons for the browser, such as with a script blocker.
VIII. Rights of the party concerned
As parties concerned, users have the following rights opposite the responsible party:
1. Right to be informed
You can demand a confirmation from the responsible party as to whether we are processing personal data concerning you.
If such processing exists, you can request the following information from the responsible party:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data that are being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you was disclosed or is still being disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if specific information about this is not possible, criteria for determining the storage duration;
(5) the existence of a right to correction or deletion of the personal data concerning you, a right to restricting processing by the responsible party or a right of objection against this processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) all available information about the source of the data if the personal data is not collected from the person concerned;
(8) the existence of automated decision making, including profiling, and, at least in these cases, meaningful information about the logic involved, as well as the scope and desired effects of such processing on the person concerned. At this point, reference is made that MUUME does not implement any automated decision-making processes.
You have the right to request information as to whether the personal data concerning you is transmitted to a third party country or to an international organization.
2. Right to rectification
You have the right to rectification and/or completion opposite the responsible party, provided the processed personal data concerning you is incorrect or incomplete. The responsible party must make the correction immediately.
3. Right to restriction of processing
Under the following prerequisites, you can request the restriction of processing of the personal data concerning you:
(1) if you contest the accuracy of the personal data concerning you for a duration that enables the responsible party to check the correctness of the personal data;
(2) the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of use of the personal data;
(3) the responsible party no longer needs the personal data for the purpose of processing, but you require it for asserting, exercising or defending legal claims, or
(4) if you have objected to the processing in the public interest or in the legitimate interest of the responsible party and it is not yet clear whether the legitimate reasons of the responsible party outweigh your reasons.
If the processing of the personal data concerning you was restricted, this data (apart from its storage) may only be processed with your consent or for asserting, exercising or defending legal claims or for protecting the rights of another natural or legal person or for reasons of an important public interest of the union or a member state.
If the restriction of the processing was restricted according to the aforementioned requirements, you will be informed by the responsible party before the restriction is lifted.
4. Right to deletion
a) Deletion obligation
You can request the responsible party immediately delete the personal data concerning you and the responsible party is obligated to delete this data immediately if one of the following reasons applies:
(1) The personal data concerning you is not longer required for purposes for which it was collected or otherwise processed.
(2) You revoke your consent on which the processing was based and there is no other legal basis for the processing.
(3) You object to the processing and there are no overriding legitimate reasons for the processing.
(4) The personal data concerning you was processed unlawfully.
(5) The deletion of the personal data concerning you is required to fulfill a legal obligation according to union law or the law of the member states, to which the responsible party is subjected.
b) Information to third parties
If the responsible party has made the personal data concerning you publicly available and is obligated to delete said data, the employer shall take appropriate measures, including technical measures and while taking into account available technology and implementation costs, to inform those responsible for processing the personal data that you, as an affected person, have requested that they delete all links to this personal data or copies or replications of such personal data.
The right to deletion does not exist if the processing is required
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation that requires the processing according to union or member states law, to which the responsible party is subjected, or to perform a task that is in the public interest or that occurs in the exercise of official authority, which was transferred upon the responsible party;
(3) for reasons of public interest in the area of public health;
(4) to assert, exercise or defend legal claims.
5. Right to information
If you have asserted the right to correction, deletion or restriction of processing against the responsible party, the responsible party is obligated to share this rectification or deletion of data or restriction or processing to all recipients to whom the personal data concerning you was disclosed, unless this proves to be impossible or involves disproportionate effort.
You have the right against the responsible party to be informed of these recipients.
6. Right to data transferability
You have the right to receive the personal data concerning you that you provided to the responsible party in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another responsible party without hindrance from the responsible party to whom the personal data was provided, if
(1) the processing is based on a consent or on the preparation or fulfillment of a contract and
(2) the processing occurs using automated methods.
In exercising this right, you also have the right to have the personal data concerning you directly transmitted from one responsible party to another responsible party, provided this is technically feasible. Freedoms and rights of other persons may not be affected by this.
The right to data transferability does not apply to a processing of personal data that is required to perform a task, which is in the public interest or that occurs in the exercise of official authority, which was transferred upon the responsible party.
7. Right of objection
You have the right to object to the processing of your personal data that is occurring in the public or legitimate interest of the responsible party at any time for reasons that arise from your particular situation. This also applies to a profiling based on these provisions.
The responsible party shall no longer process your personal data, unless the responsible party can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercising or defense of legal claims.
If your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data for the purposes of such advertising at any time. This also applies to profiling, provided it is associated with such direct marketing.
If you object to the processing for the purposes of direct marketing, then the personal data concerning you will no longer be processed for these purposes.
You have the option to exercise your right to objection associated with the use of services of the information society using automated methods where technical specifications are used.
8. Right to revocation of the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. Revoking the consent does not affect the legality of the processing carried out based on the consent until the revocation.
9. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the member state of your residence, your workplace or the location of the alleged violation if you believe that the processing of your personal data violates relevant legislative provisions.
The supervisory authority where the complaint was submitted shall inform the complainant of the status and the result of the complaint, including the possibility of a legal remedy.
IX. Final provisions
Due to the dynamic development of the Internet and the associated technologies, changes or enhancements to this data privacy statement may be necessary at any time. The most recent and valid version of this data privacy statement is published on the website and app. You have the right to object to the validity of the new data privacy statement within six weeks after receipt of the notification. In the case of an objection, we reserve the right to terminate the contract and delete your user account. If no objection occurs within the period mentioned, the modified data privacy statement shall be deemed as accepted by you. In the notification, we will inform you of your right of objection and the importance of the objection period.
If changes relate to the data usages that are not based on the user’s consent, they also apply to the personal data already collected. However, if the data usage is based on consent, this consent must be obtained again.