Data privacy website

Status: October 2021

As Oviva AG and operator of the website www.oviva.com, we take the protection of your data very seriously. In the following, we would like to inform you about the extent to which and the purpose for which we collect and process personal data from you on our website www.oviva.com (hereinafter “website”).

1. General; Definitions

We use the following terms, among others, in this Privacy Policy:

Personal data means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Health data are personal data relating to the physical or mental health of a natural person, including the provision of health care services, and revealing information about that person’s state of health.

Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third-party means any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

Consent shall mean any freely given specific and informed indication of the wishes of the data subject, in the form of a declaration or other unambiguous affirmative act, by which the data subject signifies his agreement to the processing of personal data relating to him.

2. Responsibility and contact

The controller of the processing of personal data is the:

Oviva AG (hereinafter “Oviva”, “we”, “us”),

a company under Swiss law with its registered office at the

Zürcherstrasse 64
CH-8852 Altendorf
Handelsregisternummer CH-130.3.019.905-3
Phone: +41 41 511 52 41
kontakt@oviva.ch

If you wish to inspect and update your personal data or if you have any questions regarding data protection on our website, please contact us at any time via the email address kontakt@oviva.ch or by post at the address given above.

You can reach our data protection officer

by e-mail: datenschutz@oviva.com or

by post: at the postal address of the data controller, with the addition of “for the attention of the data protection officer”.

3. Processing of your personal data

The scope and nature of the processing of your personal data differ depending on whether you wish to contact us via our website, use our functionalities offered on the website or merely use our website for information purposes. With regard to the data processing procedures described below, you can assert your data subject rights (see section 8) at any time.

3.1 Collect data with your participation

We collect and store your personal data in connection with the use of this website if you provide it to us of your own accord, e.g. in the context of registration for nutritional counselling. It is always your free decision whether you provide us with your data for the purposes in question.

3.1.1 Inquiries via e-mail

When you send us an email, we will store your email address and any personal content contained in the message. We do this solely to be able to process your request, to provide the services you have requested or to manage your digital patient file.

We would like to point out that data transmission during communication by e-mail can have security gaps. Complete protection of data against access by third parties is not possible. Please take this into account in particular before you send us health data by email.

If the purpose of the data processing no longer applies, we will delete the relevant data. With regard to this data processing, you can also assert your data subject rights at any time (see section 8), in particular object to the corresponding data processing.

3.1.2 Registration on the website

3.1.2.1 Registration for nutritional counselling is not required for browsing the website. However, if you wish to use our services, you must register for this in advance via the website.

3.1.2.2 We use the personal data provided by you during registration to the extent necessary for the initiation or implementation of the contractual relationship. During the initial registration, the following personal data is usually collected and stored:

• First and last name*,
• Date of birth*,
• E-mail address*,
• Mobile number*,

Registration without providing the data marked with an * sign in the registration mask is not possible. This data is used exclusively for the initiation or implementation of the contractual relationship, in particular for contacting you.

In addition, we use your personal data to obtain a medical prescription from your attending physician (see section 3.1.3.3) and to contact you via SMS (see section 3.1.4.4).

3.1.2.3 By register for nutritional counselling on our website, the e-mail address you send to us via this channel may also be used by us to send advertising emails. In such a case, we will use the email to send direct advertising for our own similar goods or services. If you do not wish to receive promotional emails, you can unsubscribe at any time. To do so, follow the unsubscribe link in the respective promotional email.

3.1.3 Physician prescription for nutritional counselling

Your nutritional consultation will be covered by your statutory health insurance if you have a physician’s prescription. In order to be able to check such cost coverage, it is necessary to collect and process the following sensitive personal data, depending on which link you use to access our website.

3.1.3.1 If you have not yet been prescribed a nutritional consultation by a physician, we will be happy to contact your attending physician to obtain a prescription for you. For this purpose, the following sensitive personal data will be collected and processed in addition to the personal master data mentioned under 3.1.2.2:

• Name and address of the attending physician*.

The transmission of the name and address of the attending physician to us and the subsequent transmission of your data mentioned under 3.1.2.2 to the physician named by you will only take place if you have given your consent for this.

In order to document your consent to the processing of your sensitive personal data, we store your IP address and the time of sending when you send the data for transmission.

3.1.3.2 We also process the transmitted sensitive data for the purpose of billing you for the services you have used.

You can also make use of our programmes as a self-payer. In this case, no prescription from your physician is required.

3.1.4 Oviva Coaching Suite and appointment for nutritional counselling

3.1.4.1 If you have registered with us on our website, we will check your registration and create a profile for you in the Oviva Coaching Suite. The Oviva Coaching Suite is an electronic patient file and is used for the documentation and administration as well as the billing of the services you have used. In addition, you can use the Oviva Coaching Suite to communicate with the consultant assigned to you and share information about your health and lifestyle habits.

3.1.4.2 You can access the functions of the Oviva Coaching Suite via our Oviva App. We will automatically send you the login data required for this via SMS to the mobile phone number or email address you have provided after you have registered for the nutritional consultation. For further information on data processing in the context of using the Oviva Coaching Suite, please refer to our privacy policy of the Oviva App.

3.1.4.3 In order to make an appointment with you for nutritional counselling, we will contact you by SMS, email or telephone following your registration. In order to book an appointment and then carry out the nutritional counselling, it is necessary for us to assign one of our Coaches to you. Your consultant will then be able to access and view the information you have stored in the Oviva Coaching Suite. Your consultant is bound to confidentiality and will treat your personal data accordingly.

3.1.4.4 If you wish to be contacted by SMS (e.g. for an appointment confirmation and reminder as well as other reminders from your coach), we will also use your personal data according to section 3.1.2.2 (first and last name, mobile phone number as well as treatment date) for this purpose.

In order to document your consent to the processing of your sensitive personal data, we store your IP address and the time of sending when you send the data for transmission.

To contact you via SMS, we use the Twilio service provided by Twilio Inc. and WebSMS provided by sms.at mobile internet services GmbH. For further information on how your data is processed by the service providers, see section 4.1.2 of this privacy policy.

3.1.5 Nutritional counselling

If you make use of our nutritional counselling, we collect, store and use sensitive personal data on your state of health and your lifestyle (e.g. height, weight, age, nutritional and eating habits, diagnoses, comorbidities), chronologically recorded measurement data on your sporting activities (number of steps, weight, energy burn, training etc.) as well as information on the content and course of the therapy, as discussed between you and the nutritionist appointed by Oviva AG or exchanged electronically (in particular via the app), in order to be able to offer you our therapeutic nutritional counselling in full in accordance with our General Terms and Conditions. It is your free decision whether you provide us with this data for the aforementioned purpose. However, should you not expressly declare your consent to the use of this data, a contractual relationship cannot be established.

This data is collected and used exclusively in order to be able to offer you the contractual services of therapeutic nutrition counselling. In the case of a physician prescription, the health data contained in the referral will be transmitted to the health insurance company for billing purposes (see also section 3.1.3.2). After completion of the nutritional counselling, the referring physician receives a final report summarising the results of the counselling.

For correspondence with you, we use, in addition to the other services mentioned in this privacy policy, the services of Google Workplace, which are offered by Google Cloud EMEA Ltd, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Your data will be processed on servers in the EU. An appropriate level of data protection in accordance with the requirements of the European Union is maintained at all times.

We will only process your sensitive personal data if you give us your express consent to do so by ticking a checkbox with the following text:

In order to document the submission of your declaration of consent, we store its text, the date of submission and your IP address.

3.1.6 Subscription to the newsletter

If you would like to receive the newsletter offered on the website, we require an email address from you. Furthermore, we temporarily store your IP address and the time of your subscription and confirmation. In this way, we can prove that you have actually subscribed to the newsletter, and we can also identify any unauthorized use of your email address.

The processing of the data entered in the newsletter registration form is based exclusively on your consent. You can revoke your consent to the storage of the data, the email address and their use for sending the newsletter at any time in the future, for example via the “unsubscribe” link in the newsletter.

3.1.7 Transfer of your data for the enforcement of claims

If you have used our service and payment irregularities / non-payment occur, your personal data may be forwarded to eCollect AG, Neuhofstrasse 21, 6340 Baar, Switzerland for the enforcement of payment claims. In particular, the following personal data will be transmitted:

• First and last name,
• address,
• gender,
• telephone number(s),
• E-mail address (if available),
• Information on the claim (these may indirectly allow a conclusion on the participation in a nutritional consultation).

The disclosure of your data is necessary in the event of a payment irregularity or default for the extrajudicial enforcement of our payment claims (legal basis Art. 9 para. 2 f), Art. 6 para. 1 f) DSGVO or the corresponding legal basis of Swiss law).

3.2 Collection without your participation

When you visit our website, our servers temporarily record the IP address of your computer, the file request of the client (file name and URL) and the http status code as well as the website from which you visit us in so-called log files. For the detection of abuse (spam, viruses, etc.) and for the detection and elimination of faults, we store your IP address.

3.2.1 Necessary cookies

In addition, our website uses “cookies” in several places, which serve to make our offer more user-friendly and effective. Cookies are small text files that our website wants to place on your computer or other internet-enabled devices such as tablets or smartphones. If your browser settings accept cookies, your browser adds the text in a small file.

Unless otherwise stated in this privacy policy, the cookies we use are necessary for the functionality and performance of our website. These include, for example, cookies that allow you to log in to the secure area of our website. Most cookies are deleted from your device at the end of your browsing session (session cookies). We use the information stored in the necessary cookies exclusively to provide you with the requested services and functions.

Cookies do not cause any damage to your computer per se and do not contain viruses. You have the option of setting your browser so that these cookies are not stored in the first place or so that the cookies are deleted at the end of your Internet session. Please note, however, that in this case you may not be able to use all the functions of our website.

3.2.2 Third-party cookies and tools

3.2.2.1 Google Fonts

We use Google Fonts of the company Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (hereinafter “Google”).

If you are habitually resident in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the controller of your data. Google Ireland Limited is therefore the company associated with Google which is responsible for processing your data and complying with the applicable data protection laws.

By using Google Fonts, no cookies are stored in your browser. The files (CSS, fonts) are requested via the Google domains fonts.googleapis.com and fonts.gstatic.com. According to Google, the requests for CSS and fonts are completely separate from all other Google services. If you have a Google account, you don’t need to worry about your Google account information being transmitted to Google while using Google Fonts. Google records the use of CSS (Cascading Style Sheets) and the fonts used.
With Google Fonts we can use fonts on our own website and don’t have to upload them on our own server. Google Fonts is an important component to keep the quality of our website high. All Google Fonts are automatically optimized for the web and this saves data volume and is a great advantage especially for mobile use. When you visit our site, the low file size ensures a fast loading time.

We therefore use Google Fonts based on our legitimate interest in ensuring the quality and performance (through improved loading time) of our entire online service (legal basis Art. 6 para. 1 p. 1 f) GDPR or the corresponding legal basis under Swiss law).

Google stores requests for CSS assets for one day on their servers, which are mainly located outside the EU. The font files are stored by Google for one year. The data is automatically transmitted to Google when the page is called up. To delete this data early, you must contact Google support at https://support.google.com/hl=de&tid=331585294560.

You can only prevent the data storage if you do not visit our site.

You can find more information in Google’s privacy policy, which you can access here:

https://fonts.google.com/

www.google.com/policies/privacy/

3.2.2.2 Google Tracking and Marketing Tools

We also use various tracking and marketing tools from Google on our website.

Provided that you have expressly consented to the respective – under section 3.2.2 (1) – (5) described – data processing (Art. 6 para. 1 a) GDPR or the corresponding legal basis of Swiss law), Google generates the information required for its service through the use of cookies. These are usually transferred to a Google server in the EU and stored there. Google relies on the standard contractual clauses approved by the European Commission as a means of ensuring adequate protection.

You can prevent the installation of cookies in various ways:

• by adjusting the settings of your browser software accordingly; in particular, the suppression of third-party cookies will prevent you from receiving ads from third-party providers;
• by installing the plug-in provided by Google at the following link: https://www.google.com/settings/ads/plugin;
• by deactivating the interest-based ads of the providers that are part of the self-regulation campaign “About Ads” via the link http://www.aboutads.info/choices, whereby this setting is deleted when you delete your cookies;
• by permanently deactivating it in your Firefox, Internet explorer or Google Chrome browsers at the link http://www.google.com/settings/ads/plugin;
• by means of the corresponding cookie setting. We would like to point out that in this case you may not be able to use all functions of this offer to their full extent.

Further information provided by Google on privacy can be found here: http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html.

(1) Google Universal Analytics

Google Analytics is used on our website. Google Analytics stores cookies in your web browser for a period of two years since your last visit. This records, among other things, the following data when you visit our website and transmits it to a Google server in the USA, where it is stored:

• Browser type/version,
• operating system used,
• Referrer URL (the previously visited page),
• Host name of the accessing computer (IP address),
• Time of the server request,
• the achievement of “website goals” (e.g. contact requests),
• Your behavior on the pages (for example, clicks, scrolling behavior and dwell time),
• Your approximate location (country and city),
• technical information such as browser, Internet provider, terminal device and screen resolution,
• Source of origin of your visit (i.e. via which website or advertising medium you came to us).

In particular, however, the IP address transmitted by your browser is not merged with other data from Google. We have also extended Google Analytics on this website with the code “anonymizeIP”. This guarantees the masking of your IP address so that all data is collected anonymously. Only in exceptional cases will the full IP address be transferred to a Google server in the EU and shortened there.

The cookies used by Google Analytics also contain a randomly generated user ID, with which you can be recognised during future website visits. The information generated by the cookies is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months. Other data remains stored in aggregated form indefinitely.

Google uses the information obtained through the use of cookies to analyse your use of our website, to compile reports on website activity and to provide us with other services related to website and internet use. In this way, we can improve our offer and make it more interesting for you as a user. In addition, we receive information about the functionality of our site (for example, to detect navigation problems).

In addition, Google is also entitled to process the information obtained for its own purposes. For this reason, we only use the services of Google on our website if you consent to the processing of your personal data (legal basis is Art. 6 (1) a) GDPR or the corresponding legal basis of Swiss law). Once you have given your consent, you can of course revoke it for the future at any time as described above in section 3.2.2.2. In addition, you will receive an opt-out cookie here, by installing which you can prevent data collection by Google, which is particularly helpful in cases where the deactivation add-on does not work, for example on mobile devices. If you use our website with different browsers/end devices, you must carry out the steps described for all browsers/end devices.

Further information on data protection when using Google Universal Analytics can be found at https://support.google.com/analytics/. Further information on the protection of your data when using Google services can also be found under the following links:

https://www.google.com/analytics/terms/de.html

https://policies.google.com/?hl=de

(2) Google Ads Conversion

We use the offer of “Google Ads Conversion” to draw attention to our attractive offers with the help of advertising media (so-called Google Ads) on external websites. We can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In this way, we pursue the interest of showing you advertising that is of interest to you, making our website more interesting for you and achieving a fair calculation of advertising costs.

These advertisements are delivered by Google via so-called “ad servers”. For this purpose, we use ad server cookies, through which certain parameters for measuring success, such as display of the ads or clicks by users, can be measured. If you access our website via a Google ad, Google Ads will store a cookie on your end device. These cookies usually expire after 180 days and are not intended to identify you personally. To this cookie are usually stored as analysis values the

• Unique Cookie ID,
• Number of ad impressions per placement (frequency),
• Last impression (relevant for post-view conversions) and
• Opt-out information (marking that the user no longer wishes to be contacted)

stored. These cookies enable Google to recognise your internet browser. If a user visits certain pages of the website of an Ads customer and the cookie stored on his computer has not yet expired, Google and the customer can recognize that the user clicked on the ad and was redirected to this page. A different cookie is assigned to each Ads customer. Cookies can therefore not be tracked across Ads customers’ websites.

We ourselves do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. Based on these evaluations, we can see which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising media, in particular we cannot identify the users on the basis of this information.

If you have expressly consented to the data processing described (Art. 6 (1) a) GDPR or the corresponding legal basis of Swiss law), your browser automatically establishes a direct connection with Google’s server due to the marketing tools used. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of Ads Conversion, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is the possibility that the provider learns your IP address and stores it.

(3) Google Tag Manager

This website uses Google Tag Manager. Google Tag Manager is a solution that allows marketers to manage website tags through one interface. The tool itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The tool takes care of triggering other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.

3.2.2.3 FacebookPixel

For further analysis and optimization and for the economic operation of our offer, we also use “Facebook Pixel” of the social network Facebook, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”).

Facebook relies on the standard contractual clauses approved by the European Commission as a means of ensuring adequate protection.

Facebook Pixel is directly integrated by Facebook on our website and can store a cookie on your device, provided that you have given your express consent for this (Art. 6 para. 1 a) GDPR or the corresponding legal basis of Swiss law). If you subsequently log in to Facebook or visit Facebook while logged in, your visit to our online offering will be noted in your profile. The data collected about you is anonymous for us, so it does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and can be used by Facebook and for its own market research and advertising purposes. If we should transmit data to Facebook for matching purposes, this data is encrypted locally on the browser and only then sent to Facebook via a secure https connection. This is done solely for the purpose of creating a comparison with the data encrypted by Facebook.

With the help of the Facebook pixel, it is also possible for Facebook to determine the visitors to our website as a target group for the display of ads (so-called “Facebook ads”). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interest in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called “Custom Audiences”). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of the users and do not have a harassing effect. With the help of the Facebook Pixel, we can further track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”).

Furthermore, we use the additional function “advanced matching” when using the Facebook Pixel. Here, data for the creation of target groups (“Custom Audiences” or “Look Alike Audiences”) are transmitted to Facebook in encrypted form.

We only use Facebook Pixel on our website if you consent to this processing of your personal data (Art. 6 (1) a) GDPR or the corresponding legal basis of Swiss law). You can, of course, revoke your consent at any time for the future. The revocation does not affect the lawfulness of the processing (until the revocation).

For more information on the collection and use of data by Facebook, as well as your rights in this regard and options for protecting your privacy, please refer to Facebook’s privacy policy at https://www.facebook.com/about/privacy/.

Alternatively, you can deactivate the “Custom Audiences” remarketing function at https://www.facebook.com/settings/?tab=ads#_=_. To do this, you must be logged in to Facebook.

To set what types of ads are shown to you within Facebook, you can go to the page set up by Facebook and follow the instructions there for usage-based advertising settings. The settings are platform-independent, which means that they are applied to all devices, such as desktop computers or mobile devices. You can further opt out of the use of cookies for reach measurement and advertising purposes via the Network Advertising Initiative opt-out page and additionally the US website aboutads.info or the European website youronlinechoices.com.

3.2.2.4 Xandr (AppNexus)

We also use a service provided by Xandr, (formerly “AppNexus Inc”), 28 West 23rd Street, 4th Floor, New York, NY 10010, USA (hereinafter “Xandr”) to serve user-based advertising.

Xandr uses, among other things, cookies that are stored on your computer and that enable an analysis of the use of the website in order to display targeted, interest-based advertising. In the course of use, your data, such as in particular the IP address and user activities, may be transmitted to a Xandr server and stored there.

Your data will only be processed if you have given your consent for this in accordance with Art. 6 (1) a) GDPR or the corresponding legal basis under Swiss law. You can revoke your consent to the collection, processing and recording of the data generated by Xandr at any time, for example by going to https://www.appnexus.com/en/company/platform-privacy-policy-de#choices a Cookie Opt-Out. You can also prevent the collection and forwarding of personal data (in particular your IP address) and the processing of this data by deactivating the execution of JavaScript in your browser or installing a tool such as ‘NoScript’.

For more information on privacy, please see Xandr’s privacy policy here at https://www.appnexus.com/corporate-privacy-policy-de.

3.2.2.5 Taboola

Our website uses technology from Taboola Inc. (1115 Broadway, 7th Floor, New York, NY 10010, USA). Taboola uses cookies that determine which content you use and which of our pages you visit. In the course of use, your data, such as in particular the IP address and user activities, may be transmitted to a Taboola server and stored there.

A transmission of log data of your activities to Taboola only takes place if you have given your consent for this (Art. 6 para. 1 a) GDPR or the corresponding legal basis of Swiss law). You have the option to revoke your consent at any time for the future by deactivating the Taboola cookie. For more information about Taboola and how to deactivate the Taboola cookie, please visit https://www.taboola.com/privacy-policy (opt-out information can be found under “Site Visitor Choices”).

When transferring data to Taboola, your data may be stored on servers in Israel or in the USA. Taboola relies on an adequacy decision of the EU Commission for Israel and on the standard contractual clauses approved by the European Commission as a means of ensuring adequate protection. By doing so, Taboola commits to comply with the standards and regulations of European data protection law.

3.2.2.6 Bing

On our pages, we use the conversion tracking of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Bing Ads stores a cookie on your computer if you have reached our website via a Microsoft Bing ad. In this way, Microsoft Bing and we can recognize that someone has clicked on an ad, has been redirected to our website and has reached a previously determined target page (conversion page). We only learn the total number of users who clicked on a Bing ad and were then redirected to the conversion page.

The legal basis for data processing is your consent in accordance with Art. 6 (1) a GDPR or the corresponding legal basis under Swiss law. If you do not want information about your behaviour to be used by Microsoft as explained above, you can refuse the setting of a cookie required for this – for example, by means of a browser setting that generally deactivates the automatic setting of cookies. You can also prevent the collection of data generated by the cookie and related to your use of the website, as well as the processing of this data by Microsoft, by clicking on the following link: https://account.microsoft.com/privacy/ad-settings/signedout?lang=de-DE to declare your objection.
For more information about privacy and cookies used by Microsoft and Bing Ads, visit Microsoft’s Web site at https://privacy.microsoft.com/de-de/privacystatement.

3.2.2.7 Outbrain

Cookies from Outbrain Inc, 39 West 13th Street, 3rd floor, New York, NY 10011, USA are used on Oviva for conversion measurement. In this way, the behaviour of users can be tracked after they have been redirected to the provider’s website by clicking on an Outbrain advertisement. This process is used to evaluate the effectiveness of the Outbrain advertisements for statistical and market research purposes and can help to optimize future advertising measures. The data collected is anonymous for us, so it does not allow us to draw any conclusions about the identity of the users.

For the purpose and scope of the data collection and the further processing and use of the data by Outbrain, as well as your rights in this regard and setting options for protecting your privacy, please refer to Outbrain’s privacy policy: https://www.outbrain.com/legal/privacy#privacy-policy.

The use is based on the consent declared to us in accordance with Art. 6 (1) p. 1 lit. a) GDPR or the corresponding legal basis of Swiss law. If you do not want information about your behavior to be used by Outbrain as explained above, you can refuse the setting of a cookie required for this – for example, via browser settings that generally disable the automatic setting of cookies.

3.2.2.8 Tik Tok

Within our online offer, cookies are used by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”).

With the help of this code, in case of granting your explicit consent, a connection is established with the TikTok servers when you visit our website in order to track your behaviour on our website. Personal data such as IP address and other information such as device ID, device type and operating system may also be transmitted to TikTok.

Where personal data is transferred outside the EU/EEA, this will be done in accordance with the Commission’s model contracts for the transfer of personal data to third countries (i.e. standard contractual clauses).

TikTok’s privacy policy can be found here: https://www.tiktok.com/legal/new-privacy-policy?lang=de-DE

3.2.2.9 Snapchat

For the further economic operation of our offer, we also use Snapchat Pixel of Snap Inc, 2772 Donald Douglas, Loop North Santa Monica, CA 90405 United States. Snap Inc relies on the regulation of the European Union on data transfer.

Snapchat Pixel is integrated by us on our website and can store a cookie on your device, provided that you have given your explicit consent for this (Art. 6 para. 1 a) DSGVO). If you subsequently log in to Snapchat or visit Snapchat while logged in, the visit to our online offer will be noted in your profile. The data collected about you is anonymous for us, so it does not offer us any conclusions about the identity of the users. However, the data is stored and processed by Snapchat so that a connection to the respective user profile is possible.

With the help of the Snapchat pixel, it is also possible for Snapchat to determine the visitors to our website as a target group for the display of ads (so-called Snapchat ads). Accordingly, we use the Snapchat pixel to display the Snapchat ads placed by us only to those Snapchat users who have also shown an interest in our online offer or who have certain characteristics (e.g. interest in certain topics or products determined on the basis of the websites visited) that we transmit to Snapchat (so-called Custom and Lookalike Audiences). With the help of the Snapchat pixel, we also want to ensure that our Snapchat ads correspond to the potential interest of the users and do not have a harassing effect. The Snapchat pixel also allows us to track the effectiveness of the Snapchat ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Snapchat ad (so-called conversion;).

3.2.3 Integration of social media presences

On our website you will find links to our social media services. Only when you consciously use the link will data about your visit to our offer (e.g. IP address, time, URL) or data available on your terminal device (e.g. cookie information) be transmitted to the respective providers. In the following, we would like to inform you about how your data is processed when using our social media presence.

3.2.3.1 Facebook

We operate a Facebook page to draw attention to our offer, to provide information there and to get in touch with you as a visitor and user of our Facebook page. As the operator of this Facebook page, we are jointly responsible with the operator of the platform, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.

When using and calling up our Facebook page, your personal data is processed by Oviva and also by Facebook. Oviva and Facebook are jointly responsible for the processing of Insights data (Article 26 of the GDPR or the corresponding legal basis under Swiss law). The respective responsibilities of Oviva and Facebook with regard to the processing of Insights Data are set out in the Page Insights Supplement, available at https://www.facebook.com/legal/terms/page_controller_addendum.

In the following, we will inform you about what data is involved and how it is processed.

We would like to point out that you use the Facebook platform and its functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g. sharing, liking, etc.).

We collect personal data when you contact us, for example, via Messenger (user name, possibly personal data resulting from your message). This data is stored and used exclusively for the purpose of responding to your request or for contacting you and the associated technical administration. The legal basis for processing the data is our legitimate interest in responding to your request (Art. 6 (1) f) GDPR or the corresponding legal basis under Swiss law). Your data will be deleted after final processing of your request, provided that there are no legal retention obligations to the contrary. We assume that processing is complete when the circumstances indicate that the matter in question has been conclusively clarified.

In addition, we analyse the views and interactions on our Facebook page. For this purpose, Facebook creates usage profiles and provides us exclusively with anonymous data in the form of page insights (“Page Insights”): https://www.facebook.com/business/a/page/page-insights.

Page Insights is aggregate data that allows us to understand how people interact with our site. Site insights may be based on personal data collected in connection with a visit to or interaction with our site and its content. Pursuant to Art. 6 (1) f) GDPR or the corresponding legal basis under Swiss law, this serves to protect our legitimate interests in an optimized presentation of our offer and effective communication with visitors, which outweigh our interests in the context of a balancing of interests.

The manner in which Facebook uses Insights data from visits to Facebook pages for its own purposes, the extent to which activities on the Facebook page are attributed to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties is the responsibility of Facebook.

With regard to data processing via our Facebook page, you have the option of asserting your data subject rights (see below under point 8) not only against Oviva but also against Facebook. Further information on this can be found in Facebook’s data usage policy at http://de-de.facebook.com/about/privacy.

In addition to the processing described above, Facebook also processes your data for analysis and advertising purposes or to play personalized advertising. In doing so, Facebook also uses cookies, pixels or other techniques that store your usage behaviour (also across different end devices). This enables Facebook to display targeted advertising on its own platform and on third-party sites. The data collected about you in this context is also transferred by Facebook to the USA and other countries outside the European Union. Facebook describes exactly what information it receives and how it is used in general terms in its data usage guidelines. There you will also find information on how to contact Facebook and on the settings for advertisements. The Data Use Policy is available at the following link: http://de-de.facebook.com/about/privacy. Facebook’s full data policies can be found here: https://de-de.facebook.com/full_data_use_policy.

Facebook also offers members of Facebook the opportunity to object to certain data processing. Information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads.

You can contact Facebook’s privacy officer using the online contact form provided by Facebook at https://www.facebook.com/help/contact/540977946302970.

The competent supervisory authority for Facebook Ireland Ltd. is: Data Protection Commission Canal House Station Road Portarlington Co. Laois R32 AP23, Ireland (https://www.dataprotection.ie).

3.2.3.2 Instagram

We also make use of the technical platform and services of Instagram for our offer. The Instagram service is one of the Facebook products provided by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook”).

As operators of this Instagram page, we are joint controllers with Facebook. When visiting our Instagram page, personal data is processed by the responsible parties. As the controller of this page, we have entered into agreements with Facebook, which regulate, among other things, the conditions for use of the Instagram page. The terms of use of Instagram https://help.instagram.com/581066165581870) as well as the other conditions and guidelines listed there at the end are authoritative.

In the following, we will inform you about what data is involved and how it is processed.

As a matter of principle, we collect and use personal data of our users only insofar as this is necessary or appropriate for the provision of the functioning Instagram company page or a website linked to Instagram as well as for our content and services, for example when participating in promotions, competitions or similar published via Instagram.

It is possible to contact us through our Instagram page either by private message or by commenting under a picture. This way, you can contact us with questions about Oviva, our Instagram page or other inquiries. When you contact us, we will be provided in particular with your username, the text of the request and, if applicable, other personal data from you. This data is stored and used solely for the purpose of responding to your request or for contacting you and the related technical administration. Comments are public and visible to all other Instagram users.

The legal basis for the processing of the data is our legitimate interest in responding to your request in accordance with Art. 6 (1) f) GDPR or the corresponding legal basis of Swiss law. Your data will be deleted after final processing of your request, provided that there are no legal retention obligations to the contrary. We assume that processing is complete when the circumstances indicate that the matter in question has been conclusively clarified.

Depending on each user’s Instagram privacy settings, we may also be able to see when you have liked, shared or subscribed to one of our Instagram pages/posts/comments. We can also attribute comments on our Instagram pages to you as an Instagram user. The legal basis for this data processing is Art. 6 (1) f) GDPR or the corresponding legal basis under Swiss law. Our legitimate interest lies in the communication and interaction with you via Instagram.

The type and extent of the collection of personal data when visiting an Instagram page therefore also depends on your behaviour and can be influenced by you. It is always possible to visit our Instagram page without leaving comments or clicking “Like”. Please note that the interactive functions of Instagram are only possible after registration. Data relating to this may also be processed by Facebook.

We also receive statistical data from Facebook about visitors to our Instagram pages through the Insights feature. This is aggregate data that helps us understand how people interact with our page. Page Insights may be based on personally identifiable information collected in connection with a person’s visit to or interaction with our Page and its content. This feature allows us to better analyse and tailor our site to the interests of our users. Our legitimate interest according to Art. 6 (1) f) GDPR or the corresponding legal basis under Swiss law in operating our Instagram page and using Insights is to conduct effective marketing via a widely used platform. You can find more information about the “Insights” function here: https://www.facebook.com/iq/tools-resources/audience-insights/.

We expressly point out that Facebook stores the data of its users (e.g. personal information, IP address, etc.) and may also use this data for business purposes. The way in which Facebook uses data from visits to Instagram pages for its own purposes, the extent to which activities on the Instagram page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties is the responsibility of Facebook. For more information on Facebook’s data processing, please see Facebook’s privacy policy at https://de-de.facebook.com/policy.php.

If you would like to avoid Facebook processing any personal data you provide to us, please contact us by means other than Instagram. Our full contact details can be found in our imprint on this website or on our Facebook page.

You can contact Facebook’s privacy officer using the online contact form provided by Facebook at

Contact https://www.facebook.com/help/contact/540977946302970.

Competent supervisory authority for Facebook Ireland Ltd: Data Protection Commission Canal House Station Road Portarlington Co. Laois R32 AP23, Ireland (https://www.dataprotection.ie).

4. Transfer of data to other third parties

4.1 Transfer to external service providers

We may need to share some data with external third parties in addition to the tools and features used on our website, in strict compliance with applicable data protection laws.

In this context, we forward your data to the following service providers:

4.1.1 For sending emails

We use the “Sendgrid” service for sending emails generated from our website. Sendgrid is an offer of Twilio Inc. 357 Beale Street, Suite 300, San Francisco, CA 94105 USA (hereinafter “Twilio”).

For order processing, the following data, among others, are collected and transmitted to Sendgrid:

• Your email address,
• Your full name,
• Your address.

Only transactionally necessary information, which is required to understand and classify the e-mail, is transmitted.

For statistical purposes, Twilio performs anonymized link tracking (or personalized link tracking only with your express permission) via Sendgrid on our behalf. You can view Twilio’s current privacy policy at https://www.twilio.com/legal/privacy.

You can object to the use of Sendgrid as a processor. In this case, however, we can no longer send you emails for technical and organisational reasons.

4.1.2 For sending SMS messages

4.1.2.1 Twilio

In order to be able to contact you via SMS (e.g. for sending 1-time codes in the Oviva App, for appointment confirmations and appointment reminders via SMS), we use Twilio, a service tool of Twilio Inc, 357 Beale Street, Suite 300, San Francisco, CA 94105 USA (hereinafter “Twilio”). Twilio also processes your personal data on servers in the USA. For this reason, in order to ensure a level of data protection equivalent to that of the EU, we have concluded EU standard contractual clauses with Twilio, under which Twilio undertakes to comply with European data protection law.

For order processing, we transmit your mobile phone number in encrypted form to Twilio, where it is stored.

For more information about Twilio’s data processing, please see Twilio’s privacy policy at https://www.twilio.com/legal/privacy.

You can object to the use of Twilio as a processor. In this case, however, we can no longer send you SMS for technical and organisational reasons.

4.1.2.2 WebSMS

In addition, we use the service tool WebSMS of sms.at mobile internet services GmbH, Brauquartier 5/13, 8055 Graz, Austria (hereinafter “WebSMS”) to contact your coach.

For order processing, we transmit your mobile phone number to WebSMS in encrypted form. No further customer data is transmitted to WebSMS.

You can object to the use of WebSMS as a processor. In this case, however, we can no longer send you SMS for technical and organisational reasons.

4.1.3 Technical implementation of the registration process

For the technical implementation of the registration process, we use forms from the service Formstack LLC, 8604 Allisonville Rd, Ste. 300 Indianapolis, IN 46250.

In doing so, you directly transmit the data entered in the form to Formstack in the USA, and Formstack transmits your entered data to us. For this reason, we have concluded EU standard contractual clauses with Formstack, according to which Formstack undertakes to comply with European data protection law, in order to guarantee a level of data protection that corresponds to that of the EU.

For more information, please see Formstack’s privacy policy (https://www.formstack.com/privacy).

For technical reasons, it is not possible to register for a nutrition consultation via our website without using Formstack.

4.1.4 Using Salesforce Sales Cloud and Marketing Cloud

Data that you provide to us via our website (e.g. personal data when you register for a nutrition consultation) is stored in the Salesforce Sales Cloud (salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany) on servers in Germany and France and used for customer management.

We use the Salesforce Marketing Cloud to send transactional and newsletter emails and push notifications. For this purpose, your data is transferred from the Sales Cloud to the Marketing Cloud. The Salesforce Marketing Cloud data is also stored on servers in Germany and France.

Salesforce is an international company with binding corporate rules that require it to maintain an adequate level of data protection when processing data outside the European Union.

The data in the Salesforce Sales Cloud and in the Salesforce Marketing Cloud is used exclusively by us. To ensure a level of data protection with Salesforce that complies with the EU, we have concluded an order processing contract.

The processing of your data in Salesforce Sales Cloud and Marketing Cloud is based on our legitimate interest.

4.1.5 Use of IT service providers

In the context of the content-related technical support and design of our online presence, it may be necessary on our website, for example, for external service providers to obtain access to personal data (e.g. IT service providers). In this case, the handling of your personal data is carried out exclusively according to our explicit instructions and on the basis of an agreement on commissioned processing pursuant to Art. 28 GDPR. With this agreement, the service provider guarantees us that the service provision is in accordance with applicable data protection law. The involvement of professional providers of corresponding services is expressly provided for by law and serves our legitimate interest in being able to professionalise our offer for you and to offer it in a way that makes business sense (legal basis: Art. 6 (1) f) GDPR or the corresponding legal basis under Swiss law). We remain responsible for the protection of your data even in this case.

4.1.6 External Hosting Company

For hosting the data we use the Google Cloud Platform, GCP. A service of Google Cloud EMEA Ltd, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Your data is processed on servers in Germany. Google is an international organisation, which is why we have concluded an order processing contract with Google, including EU standard contractual clauses, in order to guarantee a level of data protection that corresponds to that of the EU, according to which Google undertakes to comply with European data protection.

For more information, please see Google’s privacy policy (https://www.google.com/policies/privacy) and Google Cloud Services Security Notice (https://cloud.google.com/security/privacy/).

The processing of your data in the Google Cloud Platform is based on your consent pursuant to Art.6 para. 1 1 lit a) GDPR, the performance of the contract Art.6 para. 1 1 lit b) GDPR and our legitimate interest pursuant to Art.6 para. 1 1 lit f) GDPR.

4.1.7 Use Oviva App accompanying the intake prescription weight loss medication

When using medications, monitoring of the possible adverse effects of these remedies is required by law.

Therefore, if the Oviva Services are used in conjunction with the use of prescription weight loss medication, we (including your Oviva Coach) are required to share information about any adverse effects that may be associated with the use of the medication (known as safety information).

The safety information may contain personal data. We will only pass on the safety information to the responsible marketing authorisation holder of the medicinal product (the “MAH”) or to the reporting office appointed by the MAH.

In the interest of patient safety and in accordance with applicable law, the safety information is entered into the marketing authorisation holder’s safety database, analysed and periodically assessed to identify common patterns. For this purpose, the safety information is kept by the MAH for at least 12 years or longer, in accordance with applicable law.

In addition, to the extent that personal data contained in the Safety Information is material to the evaluation of adverse effects, MAH may, in accordance with applicable law and for the purpose of protecting the health of patients and improving the safety of medicines, disclose such personal data, together with the Safety Information, to health authorities, to companies affiliated with MAH (e.g., subsidiaries, affiliates, licensing partners, consultants, IT service providers), and to other pharmaceutical companies in Germany and abroad.

4.2 Disclosure due to legal obligation

We reserve the right to disclose your personal data if we are legally obliged to do so or if we are required to do so by the authorities or law enforcement agencies.

5. Evaluation of anonymised data for validation purposes

In order to meet our quality standards and to improve and further develop our services, we evaluate the services we provide to you as part of the consulting relationship. For this purpose, we remove any personal reference to you and also use this anonymised data after the end of the consulting relationship for the purpose of validation and quality management (improvement and further development of our services and offers).

In addition, we analyse your anonymised data and compile statistics on various patient groups in order to better understand our patient structure and thereby also improve and further develop ourselves. Under certain circumstances, these statistics may also be used in cooperation with institutes for research purposes or may also be published. At no time can conclusions be drawn about individual persons from the statistics used in this way.

6. Data security measures and place of data processing

We protect your personal data with appropriate technical and organisational measures in accordance with the state of the art. All employees and contracted specialists of Oviva AG (such as your consultant) who have access to your data are obliged to process personal data exclusively on the instructions of Oviva and in a manner that ensures an appropriate level of protection for the security of the data, in particular its integrity and confidentiality, and not to disclose it to third parties without authorisation. Employees involved in processing operations will be made aware of and trained in data protection requirements. Third parties will not have access to your personal data without your express consent.

Your data will be stored in a data center in Germany. In addition, we require our external service provider to use your personal data exclusively in accordance with our specifications and in compliance with this privacy policy and the legal requirements for order processing.

7. Duration of the storage of your personal data

The personal data provided by you will only be stored by us for as long as is necessary for the fulfilment of the respective purpose for which you have provided us with your data, for compliance with statutory provisions or official requirements or the assertion of or defence against claims in connection with the contractual relationship. In the latter case, your data will be pseudonymised until it is actually used for the assertion or defence of claims and blocked for any other form of data processing.

8. Data subject rights

Right to information: You can request information about the scope, origin and recipients of the stored data as well as the purpose of storage at any time and free of charge. If you wish to exercise your right to information, you can contact an employee of Oviva or the data protection officer at any time.

Right to data portability: You may obtain the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, provided that (1) the processing is based on consent or on a contract and (2) the processing is carried out with the aid of automated procedures.

Right of rectification: Any person concerned by the processing of personal data has the right to obtain the rectification without delay of inaccurate personal data relating to him or her. The data subject also has the right to obtain the completion of incomplete personal data, having regard to the purposes of the processing.

Right to erasure (right to be forgotten): Any person affected by the processing of personal data has, in principle, the right to demand from the controller that the personal data concerning him or her be erased without undue delay, provided that the conditions pursuant to Article 17 of the GDPR (or the applicable Swiss legal bases) are met and to the extent that further processing is not necessary.

Right to object: Any person concerned by the processing of personal data has the right to object at any time to the processing of personal data relating to him or her.

We shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defence of legal claims. If we process personal data for the purpose of direct marketing, the data subject shall have the right to object at any time to processing of personal data processed for such marketing.

Right to withdraw consent under data protection law: Any person concerned by the processing of personal data has the right to withdraw consent to the processing of personal data at any time.

In the event of a claim being asserted, we will examine your claim and, insofar as no other legal regulations conflict with this, comply with it. We will inform you of the result.

Compliance with a special form is not necessary for the assertion of your data protection rights. For example, write an e-mail to kontakt@oviva.ch or use the contact options via the website or the app. If your request for information relates to specially protected data, in particular health data, a special identification of your person is required for the purpose of checking your entitlement. In this case, the request can be accompanied by, for example, a double-sided copy of the identification documents (copy of identity card, passport or certificate of registration), on which the first name and surname, the full address, the date of birth and the place of birth must be clearly legible; other information such as the photo can be blacked out.

9. Updating and changes

Parts of this Privacy Policy may be changed or updated by us without prior notice to you. Please review the Privacy Policy before using our services to be aware of any changes or updates.