Last updated: 04. March 2021

Preamble
We believe that your personal data belongs to you. For that we create digital solutions that give you a simple way to take back control of your personal data, empowering you to decide the terms for responsible use by commercial entities. This privacy policy is meant to help you understand what information we process in order to provide our services and what your rights are.

In short, we do NOT store any personal data if you use our mobile application or visit our website. We ONLY store your e-mail and optionally your name and feedback if you subscribe to our newsletter or contact us. NO other personal data is stored.

1. Scope
This privacy policy stipulates how PAN Ltd., Seefeldstrasse 60, 8008 Zurich, Switzerland (hereinafter “PAN” or “we”) processes personal data of individuals (“you”) who provide personal data on its website, in its mobile application or via other means.

2. Contact
You can contact us as follows:
PAN AG
Seefeldstrasse 60
8008 Zurich
PAN is represented by Marc Heissenbüttel
info@mypan.eu

In the European Union PAN is represented by:
PAN CONTROL YOUR DATA S.R.L.
Municipiul Timisoara
Strada Ion Negulici NR. 5, CAMERA 1
Judet Timis
Romania

You can contact our data protection officer as follows:
Simon Schlauri
Ronzani Schlauri Attorneys
Technoparkstrasse 1
8005 Zürich
dpo@mypan.eu

3. General
PAN aims, through the provision of services and the manufacture of products in the field of information and software technology and data protection, to protect the personal data and privacy of its customers and to enable them to control the use of their personal data and to decide in what form their personal data is used by third parties. For this purpose, PAN allows you to manage your personal data rights given by applicable laws (e.g. GDPR in Europe). This includes but is not limited to the management of privacy settings of digital services such as social media, search engines, e-commerce etc. provided by companies and institutions

All personal data processed, which are protected either by the European General Data Protection Regulation (hereinafter “GDPR”) and/or by the Swiss Federal Act on Data Protection (hereinafter “FADP”), will be used exclusively for fulfilling our services to you; unless, in particular pursuant to this privacy policy, you have consented to further use of your personal data or the applicable law permits such further use (e.g. legal obligations or legitimate and vital interests).

4. What Personal Data is Collected for What Purpose
4.1. Users of our mobile application
PAN does NOT collect or process any personal data if you download and use our mobile application to use its services.
All personal data used by our mobile application to provide the service is only stored locally within our mobile application on your device. It is not seen, known, used, or accessed by either PAN or any third party. This data includes your privacy preferences, which third party services you manage via our mobile application, and authentication tokens.

4.1.1 Testers of our mobile application
You may decide to register and become a test user of our mobile application before it is officially released. To enroll you as test users in Apple’s App Store or Google’s Play Store, we need to collect your e-mail address and optionally other data like your name.

4.2. Visitors of our website
Traffic data is used to display our website correctly and optimized and to protect it against attacks or other infringements. It includes the IP address of the device you are using to access our website, information about which browser and browser version you are using, when you accessed our website, etc.

4.3 Subscriber of our newsletter and persons using our contact forms
You may decide to subscribe to our newsletter or contact us either through our mobile application or through our website. In this case we collect your e-mail address, and optionally your feedback and other contact data like your name, to send you our newsletter or to provide customer support.

4.4. Personal data received via other channels
We might receive and process personal information via other channels e.g., if you send us an e-mail, letter, or give us telephone call. In this case, we might store this personal data in our database.

4.5 Handling of your personal data
Input fields that are necessary are marked accordingly. The disclosure of personal data in non-marked or as optional marked input fields is voluntary.
We also might add other information to your personal data in our database for instance time stamps or our response to your request.
The personal data we collect and process from you is stored at cloud service providers, i.e., at third parties we instruct to do so (see sec. 6 hereinafter). Occasionally, we might download personal data to computers which PAN operates, e.g. for providing customer support, for market research and for debugging purposes. In this case we anonymize and minimize the personal data used as far as possible.
You can inform us at any time that you no longer wish us to process your personal data (cf. section 11, Your Rights).

5. Retention Period
5.1. Users of our mobile application
As no personal data is stored at PAN but only on your device, your data is deleted once you delete our mobile application.

5.2 Visitors of our website, subscribers of our newsletter or persons contacting us
We only process personal data until the purpose, for which it was collected, is fulfilled, as required by law, or as stipulated in the contracts with third parties operating our IT.
You can request the deletion of your personal data anytime (cf. section 11, Your Rights). We will delete your personal data unless we are required otherwise by applicable law.
To refuse further business contact with a data subject due to misuse or other legitimate reasons, we may store personal data for five years, or ten years in case of recurrence.

6. Processing of Personal Data
6.1 Processing by PAN
As we process personal data electronically, we have taken appropriate IT organisational and technical measures to ensure that your personal data is protected (e.g., we rely on professional cloud service providers to store and process your personal data and do not operate our own servers for IT-security reasons).
Our employees are obliged to treat personal data confidentially. We also regularly educate our employees in data protection and information security.

6.2. Processing by third Parties and abroad
Within the purpose agreed herein, we may have personal data processed by our group entities or third parties. Such third parties are companies that operate our servers and information technology (cloud service providers for our hosting, office tools, our continuous integration and deployment systems, and other), payment service providers, or attorneys and government bodies. If we commission group companies or third parties with the processing of personal data, the third party will be carefully selected and must take appropriate security measures to guarantee the confidentiality and security of your personal data.

We or the third parties may process personal data abroad, i.e. in European or non-European countries. We represent that the third parties will only use personal data according to the law and exclusively in the interest of PAN. These necessary contractual guarantees provided by the third parties are based on the standards of the European Commission (also recognised in Switzerland). You have the right to inspect the guarantees in these contracts (or parts thereof).

We have engaged the following third parties as sub-processors:

• Hosting of our website, e-mail, CRM, etc.: Hostpoint AG, Neue Jonastrasse 60, 8640 Rapperswil-Jona, Schweiz
• Providing Office Tools incl. Sharepoint: Microsoft Ireland Operations Limited, c/o Microsoft Schweiz GMBH, Richtistrasse 3, CH-8304 Wallisellen, Switzerland
• Anonymized usage and survey data from our mobile application: Exoscale Cloud Service Provider, Boulevard de Grancy 19A, 1006 Lausanne, Switzerland
• Download of live updates (CI/CD platform) for our mobile application: Ionic, 121 S. Pinckney st. Suite 300, Madison, WI 53703, USA

7. Anonymized usage and survey data
We collect anonymized usage data (e.g., error messages or which buttons are clicked) when you access our website. The mobile application collects anonymized usage data only if you explicitly opted in. If you participate in surveys on our website or in our mobile application, we only process anonymized results. Hence, we do not and cannot draw any conclusions about you as a person from this usage or survey data. We merely use them to optimize our services or market research purposes.

8. Inclusion of Third Party Elements on Our Web Site
We do NOT embed any third party elements (e.g. YouTube player, social media buttons) on our website. We only use hyperlinks to external content in order to protect your privacy.

9. Cookies
We do NOT use any cookies on our website, except our own functional cookies for your language selection.

Please note: If you use our mobile application with the built-in web browser to access and manage data privacy settings of a third party service, it is like you would surf on their website with a normal web browser, e.g. you will be asked if you would like to accept their cookies. If you accept the cookies, they will be stored within the built-in web browser of our mobile application according to privacy policies of the respective third party.

10. Legal Bases of Processing
The legal justification, upon which we base our processing of personal data, is stipulated in article 6(1)(b) GDPR (performance of contract) and in article 6(1)(a) GDPR (consent). For Switzerland this corresponds to article 13(2)(a)/31(2)(a) FADP/revised FADP, article 13(1)/31(1) FADP/revised FADP (consent of the data subject or obligation to process by law), respectively. If we are required to process your personal data by law, the legal basis lies in art. 6(1)(c) DSGVO or article 13(1)/31(1) FADP/revised FADP or the respective legal basis for our obligation to process data.

We reserve the right to store contact data (e.g. first name and surname, e-mail address, IP-address) of a data subject pursuant to article 6(1)(f) GDPR (legitimate interest) – corresponding to 13(1)/31(1) FADP/revised FADP for Switzerland – if, based on misuse or similar legitimate reasons, we refuse to conclude any future contracts with data subjects or to protect our IT.

11. Your Rights
Upon request, we will inform you about and – if so – which personal data we process about you (right of confirmation, right of access).

At your request:

• we will cease processing personal data, in part or in full (right to withdraw your consent to the processing of personal data for one or more specific purposes; right to erasure (right “to be forgotten”)). Your request to be forgotten will also be communicated to third parties to whom we have previously forwarded your personal data.
• we will correct the relevant personal data (right to rectification);
• we will restrict the processing of the relevant personal data (right to restriction of processing; in this case we will only store or use your personal data to protect our own legal claims or the third party rights;
• you will receive the relevant personal data in a structured, commonly used and machine-readable format (right to data portability).

To request any of the rights described in this section, for example if you no longer wish to receive our e-mail newsletters or if you wish to delete your account, please use the appropriate function on our website, send us an e-mail, or contact our data protection officer or an employee as described in section 2 (Contact).

If we do not comply with your request, we will inform you of the reasons for our non-compliance. For example, we may legally refuse to delete your personal data if we still need it to fulfil the purpose, for which it was originally provided (for example if we continue providing our services to you), if the processing is based on mandatory law (for example mandatory accounting regulations), or if we have a predominant interest of our own (for example in the case of a lawsuit against the data subject).

If we assert a predominant interest in the processing of personal data, you have nevertheless the right to object to the processing; provided, however, that your individual situation compares differently to that of other data subjects (right to object). This could be the case, for example, if you are a person of public interest, or if processing increases the risk of you being harmed by third parties.

If you disagree with our response to your request, you have the right to file a complaint with a competent supervisory authority, for example, in your country of residence or at the registered seat of PAN (right to appeal).

12. Severability and Changes
If any provision of this Agreement is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions will in no way be affected or impaired as long as the intent of the Parties can be preserved.

Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to change this privacy policy. Any changes will be communicated through our mobile application (and Apple’s App Store and Google’s Play Store), through our website, and by e-mail (for registered users only).

13. Applicable Law and Place of Jurisdiction
This privacy policy and any agreements concluded based on, or in connection with, this privacy policy, as the case may be, are governed by Swiss law, unless the applicable law of another country applies mandatorily. The place of jurisdiction is the registered seat of the headquarter of PAN in Zürich, Switzerland, unless a different place of jurisdiction applies mandatorily.

*******