
HOOC Privacy Policy

The following text is a translation of the original German version. It is the German original that applies.



1 INTRODUCTION

With this document (hereinafter «Privacy Policy»), between the HOOC AG and the respective contractual partners (resellers, end customers), we inform you about the processing of personal data in the context of the use of our:


- HOOC services and solutions

- Websites and tools, platforms, portals, network infrastructures

- Offers, facilities, as well as for the conclusion and execution of contracts



2 APPLICATION FIELDS

The HOOC AG and its affiliated companies offer their services mainly to users and contractual partners in Switzerland and in the neighboring European countries. The data protection declaration always applies regardless of the nationality of the user/contractual partner and/or their place of residence or business if they make use of services or offers from the HOOC AG. The same applies if they access or are located on the HOOC AG infrastructures (as mentioned in the introduction) (hereinafter «HOOC offers»).




The user of the HOOC offers agrees that the personal data listed in this data protection declaration may be processed for the purposes listed under the respective heading.


Insofar as the processing of personal data listed in this data protection agreement can only take place with consent within the meaning of Swiss or European data protection legislation (Art. 13 para. 1 FADP; Art. 6 para. 1 lit. a GDPR), the user hereby gives their explicit consent. Consent is given on a voluntary basis. A revocation with effect for the future can be given at any time within the framework of this data protection declaration and the applicable legal provisions. However, the withdrawal of consent does not affect the lawfulness of the processing carried out up to that point.



4 NAME AND ADDRESS OF THE RESPONSIBLE PARTY

The responsible party, i.e. the data controller within the meaning of the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR) and any other national data protection laws of EU member states is the:


HOOC AG
Torweg 8
3930 Visp/Switzerland

Tel.: +41 27 948 46 00
E-Mail: info@hooc.ch
Website: www.hooc.ch



5 NAME AND ADDRESS OF THE DATA PROTECTION OFFICER

The data protection officer of the responsible party is:


HOOC AG
Gil Beauge
Torweg 8
3930 Visp/Switzerland

Tel.: +41 27 948 46 04
E-Mail: gil.beauge@hooc.ch
Website: www.hooc.ch



6 GENERAL INFORMATION ON DATA PROCESSING

6.1 Scope of personal data processing

We process the personal data of our users, contractual partners, customers and resellers (hereinafter referred to as «users») only to the extent necessary for the provision and delivery of our services, products and tools. The processing of personal data of our users takes place regularly only with the consent of the user, on the basis of entering into and performing a contractual relationship and for the purpose of safeguarding the legitimate interests of the HOOC AG.


Insofar as we obtain or have obtained the consent of users for the processing of personal data, Art. 13 para. 1 FADP or Art. 6 para. 1 lit. a GDPR serves as the legal basis.


When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 13 para. 2 lit. a FADP or Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures (including pre-contractual clarifications).


Insofar as the processing of personal data is necessary to fulfill a legal obligation to which the HOOC AG is subject, Art. 13 para. 1 FADP or Art. 6 para. 1 lit. c GDPR serves as the legal basis.


If the processing is necessary to safeguard a legitimate interest of the HOOC AG or a third party and if the private interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 13 para. 1 FADP or Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.


6.3 Data erasure and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply, in particular if the HOOC offers are no longer obtained or have been terminated. Data may also be stored if this has been provided for by the European or national legislator in Swiss or EU regulations, laws or other provisions to which the HOOC AG is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data, e.g. for the purpose of contract fulfillment.



7 PROVISION OF HOOC SERVICES AND CREATION OF LOG FILES

7.1 Description and scope of data processing

When using our services, in particular when accessing our website or the HOOC platform, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:


- The IP address of the user

- Information about the browser type and version used

- The user’s operating system

- Date and time of access

- Websites from which the user’s system accesses our website


The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.


The legal basis for the temporary storage of data and log files is Art. 13 para. 2 lit. a FADP and Art. 6 para. 1 lit. f GDPR.


7.3 Purpose of data processing

Temporary storage of the IP address by the system is necessary to enable delivery of the services to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.


Data is stored in log files to ensure the functionality of the services. In addition, we use the data to optimize the services and to ensure the security of our information technology systems. The data is not analyzed for marketing purposes in this context.


These purposes constitute our legitimate interest in data processing in accordance with Art. 13 para. 2 lit. a FADP and Art. 6 para. 1 lit. f GDPR.


7.4 Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. If the data was collected in order to provide one or several services, it will be deleted with the ending of the respective session.


In case the data is stored in log files, it will be deleted after ninety days at the latest. However, it is possible to store the data even beyond this period. In this case, only the IP addresses of the users are deleted or alienated so that it is no longer possible to assign them to the accessing client.


7.5 Possibility of objection and removal

The collection of data for the provision of services and the storage of data in log files is absolutely necessary for the operation of the HOOC solution. Consequently, there is no possibility for the user to object.


8 USE OF COOKIES

8.1 Description and scope of data processing

Our services use cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.


We use cookies to make our services, in particular our website, more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:


- Display settings

- Login information


The legal basis for the processing of personal data using cookies is Art. 13 para. 1 and para. 2 lit. a FADP and Art. 6 para. 1 lit. a, b or f GDPR.


8.3 Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of services for users. Some functions of our services cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognized even after a page change.


We require cookies for the following actions:


- Remembering search terms

- Remembering display settings

- Remembering login information

- Remembering user preferences


The user data collected by technically necessary cookies is not used to create user profiles.


The above actions also constitute our legitimate interest in the processing of personal data in accordance with Art. 13 para. 1 FADP and Art. 6 para. 1 lit. f GDPR.


8.4 Duration of storage, objection and removal options

Cookies are stored on the user's computer and transmitted by it to our services. Therefore, you as the user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser and/or device. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our services, it may no longer be possible to use all functions of the services to their full extent.



9 NEWSLETTER

9.1 Description and scope of data processing

You can subscribe to a free newsletter on our services. When you register for the newsletter, the data from the input screen is transmitted to us. Your consent is obtained for the processing of the data as part of the registration process.


No data is passed on to third parties in connection with the data processing for sending newsletters. The data is used exclusively for sending the newsletter.


If the user has given his consent for the processing of data after registration for the newsletter, the legal basis is Art. 13 para. 1 FADP or Art. 6 para. 1 lit. a GDPR.


9.3 Purpose of data processing

The purpose of collecting the user's e-mail address is to deliver the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used.


9.4 Duration of storage

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. The user's e-mail address is therefore stored for as long as the subscription to the newsletter is active.


The other personal data collected during the registration process is generally deleted after a period of seven days.


9.5 Possibility of objection and removal

The subscription to the newsletter can be canceled by the user concerned at any time. For this purpose, there is a corresponding link in the newsletter.



10 REGISTRATION

10.1 Description and scope of data processing

On our services, we offer users the opportunity to register by providing personal data and to use HOOC offers. The data is entered into an input mask, transmitted to us and stored. The data is not passed on to third parties who would be permitted to use the data for their own purposes. The following data is collected as part of the registration process:


- The IP address of the user

- Date and time of registration

- Name and first name

- Address, postal code and city

- E-mail address

- Phone number


By completing the registration process, the user consents to the processing of this data.


We only collect data from the users of our web store that is necessary for processing orders. This includes:


- Buyer (Company name, VAT number, name and first name, address, postal code, city)

- Purchased products and quantity

- Purchase date, invoice number and invoice amount

- Order status


HOOC AG does not record the customer data required for payment, such as credit card and account data. These are collected directly by Stripe (see chapter 13).


If the user has given consent, the legal basis for the processing of the data is Art. 13 para. 1 FADP or Art. 6 para. 1 lit. a GDPR.


If the registration serves the fulfillment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 13 para. 2 lit. a FADP or Art. 6 para. 1 lit. b GDPR.


10.3 Purpose of data processing

The registration of the user is necessary for the provision of certain content and the functionalities of our services, for the fulfillment of a contract with the user or for the implementation of pre-contractual measures.


The data collected is required for the identification, invoicing, contract fulfillment and prevention of misuse of the services.


10.4 Duration of storage

The data will be deleted as soon as it is no longer required for the purpose for which it was collected.


This is applicable for:


- the data collected during the registration process, in case the registration on our services is canceled or modified;

- the data used for the performance of a contract or the steps prior to entering into a contract, in case the data is no longer required for the performance of the contract.


Please also refer to section 10.5.


10.5 Possibility of objection and removal

As a user, you have the option of canceling your registration at any time. You can change the data stored about you at any time, provided that this does not distort historical processes.


If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.



11 RIGHTS OF THE DATA SUBJECT

If data relating to your person is processed, you are a data subject within the meaning of the FADP or the GDPR, and you have the following rights vis-à-vis the responsible party, i.e. the data controller:


11.1 Right to information

a) Obligation to provide information


You can request a statement from the data protection officer as to whether your personal data is being processed by us.


If such processing has taken place, you can request the following information:


- the purposes for which the personal data are processed

- the categories of personal data that are processed

- the recipients or categories of recipients to whom the personal data have been or will be disclosed

- the envisaged period for which the personal data will be stored, or, if specific information on this is not possible, the criteria used to determine the duration of the storage period

- the existence of a right to rectification, erasure or restriction of the personal data

- all available information about the origin of the data if the personal data is not collected from the data subject


You have the right to request information as to whether your personal data is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 6 para. 2 FADP or Art. 46 GDPR in connection with the transfer.


You also have the right to receive a copy of your personal data that is being processed. The request for further copies may be subject to administrative costs. The right to receive a copy in accordance with this section must not adversely affect the rights and freedoms of other persons (third parties).


b) Exceptions


We may refuse to provide information in exceptional cases if one of the reasons pursuant to Art. 9 para. 1 FADP applies or if there is a reason for refusal pursuant to the GDPR, e.g. Art. 15 para. 4 GDPR.


11.2 Right to rectification

You have a right to rectification and/or completion towards the controller if your processed personal data is incorrect or incomplete. The controller must make the correction without delay.


11.3 Right to restriction of processing

In case you contest the accuracy of the data concerning your person, you may request that the processing of your personal data be restricted for the period of time for which it makes it impossible for the controller to verify its accuracy.


If the processing of your personal data has then been restricted, such data shall, with the exception of its storage, only be processed with your consent, except when data is processed for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of Switzerland, the Union (EU) or an EU Member State.


11.4 Right to erasure

a) Obligation to delete


You have the right to obtain from the controller the erasure of your personal data without undue delay and the controller is obliged to delete this data immediately if one of the following cases applies:


- Your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.

- You withdraw your consent on which the processing was based according to Art. 12 para. 2 lit. b GDPR or Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis (e.g. legitimate interest) for the processing.

- You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.

- Your personal data has been processed unlawfully.

- The deletion of your personal data is necessary to fulfill a legal obligation under Swiss or EU law or the law of an EU Member State to which the controller is subject.


b) Exceptions


The right to erasure does not exist if the processing is necessary in order:


- to exercise the right to freedom of expression and information;

- to comply with a legal obligation which requires processing by applicable law to which the controller is subject;

- to establish, exercise or defend legal claims.


11.5 Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this data rectification, data erasure or restriction of data processing, unless this proves impossible or involves a disproportionate effort. You have the right towards the controller to be informed about these recipients.


11.6 Right to data portability

You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the former controller, provided that:


- the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and

- the processing is carried out by automated means.


In exercising this right, you also have the right to obtain that your personal data be transferred directly from one controller to another, insofar as this is technically feasible and reasonable. The freedoms and rights of other persons must not be impaired by this.


11.7 Right of objection

Notwithstanding the above provisions, in particular with regard to the restriction of the processing of your data, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR.


The controller will then no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.


11.8 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, if our data processing is subject to the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.



12 GOOGLE ANALYTICS

HOOC AG does not use Google Analytics on any of its publicly accessible homepages.


In addition, by «sandboxing» the homepages, HOOC AG prevents iFrames embedded in third-party components from linking Google Analytics with personal data: their requests are intercepted and always supplied with the IP address of the HOOC AG server, so that Google cannot create any personal profiles.



13 STRIPE

Stripe provides financial infrastructure for the Internet. Users use Stripe services to make purchases, and businesses of all sizes use them to receive and transmit payments as well as to manage their business online.


This Privacy Policy describes the personal information we collect about you, how we use it, how we share it, your rights and choices, and how you can contact us about our privacy practices. It also describes your rights as a data subject, including the right to object to some of our uses of your personal data.


«Personal Data» means any information relating to an identified or identifiable individual and may include information that you provide to us and that we collect about you, e.g. when you interact with our services (e.g. device information, IP address).


Depending on the context, «you» means end customer, end user, representative or visitor:


If you do business with a business user or otherwise transact with them (for example, if you purchase something from a merchant that uses Stripe Checkout for payment processing), but do not transact directly with Stripe, we refer to you as an «end customer».


If you visit a website without being logged into a Stripe account or otherwise communicating with Stripe, we refer to you as a «visitor».

For more information in this regard and the responsible Stripe entity, see Privacy Policy: https://stripe.com/en-ch/privacy.


EEA and UK. If you are located in the EEA or if we have named Stripe Payments Europe Limited as your data controller and you believe that the processing of your personal data is not GDPR compliant, you can direct your questions or complaints to the Data Protection Commission (DPC) office. If you are based in the UK, you can direct your questions or concerns to the UK Information Commissioner's Office.


Switzerland. The term «applicable law» in this policy includes the Swiss Federal Act on Data Protection (FADP) in its revised version. To exercise your rights under the FADP, please contact our Data Protection Officer.