Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are not gender-specific.

Stand: 23. September 2024

Contents Overview

• Preamble
• Controller
• Overview of processing
• Legal bases
• Security measures
• General information on data retention and deletion
• Rights of data subjects
• Business services
• Provision of the online offering and web hosting
• Cookies
• Contact and inquiry management
• Newsletters and electronic notifications
• Web analytics, monitoring and optimization
• Plug-ins and embedded features and content
• Amendments and updates

Controller

BaerglerArt GmbH
Elmar Barmettler
Phone: 079/ 429 10 23 
EMail:      

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.

Types of Processed Data

• Inventory data
• Payment data
• Location data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication, and procedural data
• Log data

Categories of Data Subjects

• Recipients of services and clients
• Interested parties
• Communication partners
• Users
• Business and contractual partners

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations
• Communication
• Security measures
• Direct marketing
• Reach measurement
• Office and organizational procedures
• Organizational and administrative procedures
• Feedback
• Profiles with user-related information
• Provision of our online offering and user-friendliness
• IT infrastructure
• Business processes and economic procedures

Legal Bases

If you are located in Switzerland, we process your data based on the Swiss Federal Act on Data Protection (“Swiss FADP”). Unlike the GDPR, the Swiss FADP generally does not require a legal basis to be named for the processing of personal data. The processing must be carried out in good faith, be lawful and proportionate (Art. 6 para. 1 and 2 FADP). Moreover, personal data is collected only for a specific and recognizable purpose and processed in a manner compatible with that purpose (Art. 6 para. 3 FADP).

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, the nature, scope, and purposes of processing, and the likelihood and severity of risks to the rights and freedoms of natural persons.

These measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access, input, disclosure, and separation of the data. We also have procedures in place to ensure data subject rights, data deletion, and responses to data threats. Additionally, we take data protection into account in the design of technology and use of privacy-friendly default settings.

IP Address Truncation:
If IP addresses are processed by us or our service providers and full IP addresses are not necessary, they are shortened (“IP masking”). This prevents or significantly hinders personal identification based on IP addresses.

General Information on Data Retention and Deletion

We delete personal data in accordance with legal requirements as soon as consent is withdrawn or there is no longer a legal basis for processing. Exceptions apply when legal obligations or specific interests require longer retention or archiving.

Particularly, data retained for commercial or tax reasons or required for legal claims or protection must be archived accordingly.

More information is provided in specific sections of this policy.

If multiple retention periods are mentioned, the longest one applies.

If a period does not begin at a specific date and lasts at least one year, it starts at the end of the calendar year in which the triggering event occurred. For ongoing contracts, the triggering event is the termination or end of the relationship.

Data kept beyond its original purpose will only be used for the reason it is legally retained.

Retention Periods Under Swiss Law:

• 10 years for commercial books and records, annual reports, inventory, balance sheets, vouchers, etc. (Art. 958f Swiss Code of Obligations)
• 10 years for data required for claims or legal rights, unless a shorter 5-year period applies (Art. 127, 128, 130 Swiss Code of Obligations)

Rights of Data Subjects (under Swiss FADP)

As a data subject, you have the following rights:

• Right of access: Confirmation whether data concerning you is being processed, and the necessary information to exercise your rights.
• Right to data provision or transfer: Request a copy of your personal data in a commonly used electronic format.
• Right to rectification: Request the correction of inaccurate personal data concerning you.
• Right to object, delete, and destroy data: Object to processing and request deletion or destruction of your data.

Business Services

We process data from our contractual and business partners (e.g. customers and interested parties, collectively “contractual partners”) in the context of our contractual or similar legal relationships and related communication, including responding to inquiries.

Data is used to fulfill our contractual obligations—such as delivering agreed services, providing updates, resolving issues, and performing administrative duties. We also process data based on legitimate interest in safe and efficient business operations and security.

We share data with third parties only when necessary for these purposes or to fulfill legal obligations. Contractual partners are informed if data is used for other purposes (e.g. marketing).

We inform partners of required data via online forms or personal communication.

We delete data after warranty or similar obligations expire—typically four years—unless kept in a customer account or required for tax reasons (usually ten years).

Processed Data Types:

• Inventory data (e.g. name, address, customer number)
• Payment data (e.g. bank details, invoices)
• Contact data (e.g. email, phone)
• Contract data (e.g. service content, duration)

Data Subjects:

• Clients, customers, business partners

Purposes of Processing:

• Contract fulfillment
• Communication
• Administrative organization
• Business operations

Retention & Deletion:

• As per “General Information on Data Retention and Deletion”

Legal Bases:

• Contractual necessity (Art. 6(1)(b) GDPR)
• Legal obligation (Art. 6(1)(c) GDPR)
• Legitimate interest (Art. 6(1)(f) GDPR)

Provision of the Online Offering and Web Hosting

We process user data in order to provide our online services. This includes processing users’ IP addresses, which is necessary to deliver content and functions of the online services to their browsers or devices.

Types of Data Processed:

• Usage Data (e.g. pages visited, time spent, click paths, frequency, device types, operating systems, interactions with features)
• Meta, Communication, and Procedural Data (e.g. IP addresses, timestamps, session IDs, persons involved)
• Log Data (e.g. login events, data retrieval, access times)
• Content Data (e.g. text or image messages and related information like author or timestamp)

Data Subjects:

• Users (e.g. website visitors, users of online services)

Purposes of Processing:

• Providing our online services and improving user experience
• IT infrastructure management
• Security measures

Retention and Deletion:

• In line with “General Information on Data Retention and Deletion”

Legal Bases:

• Legitimate interest (Art. 6(1)(f) GDPR)

Further Processing Details:

• Access Logs and Server Logfiles: Access to our site is logged as “server log files,” including the requested page/file name, date/time of access, data volume, access success, browser/version, operating system, referring URL, IP address, and provider.
  • Purpose: Security (e.g. DDoS protection), server load monitoring
  • Retention: Max 30 days, unless needed for legal evidence
  • Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR)
• WordPress.com:
  • Hosting and website services provider
  • Provider: Aut O’Mattic A8C Ireland Ltd., Dublin, Ireland
  • Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR)
  • Privacy Policy: https://automattic.com/privacy/
  • DPA: Data Processing Agreement
  • Data Transfers: Based on EU adequacy decision for Ireland

Use of Cookies

Cookies are small text files or other memory markers that store or retrieve information on user devices—for example, login status, cart contents, visited pages, or functions used. Cookies are used for functionality, security, convenience, and analytics.

Consent Notice:
We use cookies in compliance with legal regulations. Consent is required unless cookies are essential to provide a specifically requested service (e.g. login or language preferences).

Legal Bases for Cookie Use:

• If consent is obtained, the basis is consent (Art. 6(1)(a) GDPR)
• If cookies are essential or used for legitimate business interests (e.g. analytics, usability), then the basis is legitimate interest (Art. 6(1)(f) GDPR)

Cookie Storage Duration:

• Session Cookies: Deleted after the user leaves the site or closes the browser/app
• Persistent Cookies: Remain stored after closing the device; typically valid for up to 2 years unless otherwise stated

Opt-Out & Withdrawal:
Users can withdraw consent at any time or object via browser privacy settings.

Types of Data Processed:

• Meta, communication, and procedural data (e.g. IP addresses, IDs, timestamps)

Data Subjects:

• Users

Legal Bases:

• Consent (Art. 6(1)(a) GDPR)
• Legitimate interest (Art. 6(1)(f) GDPR)

Further Processing Details:

• Consent Management Tools:
  We use a consent management solution to obtain, document, and manage cookie consents. This involves saving a pseudonymous user ID, timestamp, scope of consent, and device/browser details.
  • Storage: On server and/or cookie (opt-in cookie)
  • Retention: Up to 2 years
  • Legal Basis: Consent (Art. 6(1)(a) GDPR)

Contact and Inquiry Management

Types of Data Processed:

• Inventory data (e.g. name, address, customer number)
• Contact data (e.g. email, phone)
• Content data (e.g. messages, submissions, author info)
• Usage data (e.g. interaction frequency, device types)
• Meta, communication, and procedural data (e.g. IPs, timestamps, session IDs)

Data Subjects:

• Communication partners

Purposes of Processing:

• Communication
• Organizational and administrative processes
• Feedback collection
• Usability of online services

Retention and Deletion:

• As described in “General Information on Data Retention and Deletion”

Legal Bases:

• Legitimate interest (Art. 6(1)(f) GDPR)
• Contractual necessity or pre-contractual measures (Art. 6(1)(b) GDPR)

Further Processing Details:

• Contact Forms and Email:
  When using our contact form or other communication channels, we process the data submitted (e.g. name, contact details, and message content) for handling the inquiry.
  • Purpose: Fulfilling your request
  • Legal Bases: Contractual necessity (Art. 6(1)(b) GDPR), Legitimate interest (Art. 6(1)(f) GDPR)

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereafter “newsletters”) only with the recipient’s consent or legal authorization. If content is specified during newsletter registration, it defines the scope of user consent.

For registration, typically only your email address is required. We may request additional data (e.g. name) to personalize the newsletter.

Deletion and Processing Restriction:
We may store unsubscribed email addresses for up to three years based on our legitimate interests, to demonstrate prior consent. These data are restricted to use for possible defense against claims. A deletion request is possible at any time if prior consent is confirmed. If required by law (e.g. to permanently honor objections), we may store email addresses in a blocklist.

Newsletter registration logging is based on our legitimate interest to prove proper registration procedures. If we use a service provider to send newsletters, this is also based on our legitimate interest in secure and efficient delivery.

Content:
Information about us, our services, promotions, and offers.

Types of Data Processed:

• Inventory data (e.g. name, address, customer ID)
• Contact data (e.g. email, phone)
• Meta, communication, and procedural data (e.g. IP, timestamps, identifiers)
• Usage data (e.g. open rates, click behavior, device info)

Data Subjects:

• Communication partners

Purpose of Processing:

• Direct marketing (via email or post)

Retention and Deletion:

• Austria: 3 years for contractual claims (§§ 1478, 1480 ABGB)
• Switzerland: 10 years for legal claims (Art. 127, 130 OR)

Legal Basis:

• Consent (Art. 6(1)(a) GDPR)

Opt-Out (Right to Object):
You can unsubscribe anytime—either via the unsubscribe link in any newsletter or by contacting us directly (preferably by email).

Further Processing Details:

• Open and Click Rate Measurement:
  Newsletters may contain a “web beacon” (a pixel-sized file) retrieved from our or our service provider’s server upon opening. It collects browser/system data, IP, timestamp, etc., for analytics and optimization.
  This tracking allows us to determine which newsletters were opened, which links were clicked, and user engagement. These results may be linked to user profiles until deletion.
  Purpose: Tailoring content and measuring engagement.

Web Analytics, Monitoring, and Optimization

Web analytics (or “reach measurement”) evaluates how users interact with our online services. This includes pseudonymized behavioral, interest, and demographic data (e.g. age, gender). Analytics help us optimize content and identify peak usage times and areas needing improvement.

We may also use A/B testing to compare versions of pages or elements.

Unless otherwise noted, data is aggregated into usage profiles and stored/read on devices. Collected data includes visited pages, used features, browser type, system, and timestamps. If users have consented to share location data, we may process that too.

IP addresses are anonymized via IP masking (shortened to prevent identification).

We and service providers use pseudonymized profiles—no clear user identity is stored (no names or emails).

Legal Basis:

• Consent if requested (Art. 6(1)(a) GDPR)
• Otherwise, legitimate interest in efficient and user-friendly services (Art. 6(1)(f) GDPR)

Types of Data Processed:

• Usage data (e.g. page visits, click paths)
• Meta, communication, procedural data (e.g. IP, timestamps)

Data Subjects:

• Users

Purpose of Processing:

• Reach measurement
• User profiling
• Improving online offerings and usability

Retention and Deletion:

• As per “General Information on Data Retention and Deletion”
• Cookies may be stored for up to 2 years

Security Measures:

• IP masking

Google Analytics
Used to analyze site usage via pseudonymized user IDs (not names or emails). Tracks which pages, keywords, and content users access across sessions and devices. Records time, duration, source, and device/browser specs.

Google Analytics does not store individual IPs for EU users. Geolocation is derived and IPs are deleted immediately.
Provider: Google Ireland Ltd., Dublin, Ireland

• Legal Basis: Consent (Art. 6(1)(a) GDPR)
• Privacy Policy: Google Privacy
• DPA: Processor Terms
• Opt-out Plugin: https://tools.google.com/dlpage/gaoptout

Plug-ins and Embedded Features/Content

We integrate content/features from third parties into our website, e.g. videos, maps, graphics. These are retrieved from the provider’s servers (called “third-party providers”).

Third parties require users’ IP addresses to display this content. Some also use pixel tags (web beacons) to measure site traffic or for marketing. These may store pseudonymous info in cookies, such as browser/system details, referrer URLs, and visit time, and can be linked with data from other sources.

Legal Basis:

• If consent is requested: Consent (Art. 6(1)(a) GDPR)
• Otherwise: Legitimate interest (Art. 6(1)(f) GDPR)

Types of Data Processed:

• Usage data
• Meta/communication data
• Inventory and contact data
• Content data (e.g. text/image submissions)
• Location data (if shared)

Data Subjects:

• Users

Purpose of Processing:

• Providing online content and improving usability

Retention and Deletion:

• See “General Information…”
• Cookies may remain for up to 2 years

Examples:

• Google Fonts (via server): Ensures consistent, efficient font use; requires IP, browser, device info. No IP logging or analysis.
  • Provider: Google Ireland Ltd.
  • Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR)
  • More Info: Google Fonts Privacy
• Google Maps: Embeds interactive maps; may process IPs and location data
  • Legal Basis: Consent (Art. 6(1)(a) GDPR)
• YouTube Videos: Embedded videos from YouTube
  • Legal Basis: Consent (Art. 6(1)(a) GDPR)
  • Opt-out Options:
    • GA Opt-out Plugin
    • Ad Personalization Settings

Amendments and Updates

We encourage you to regularly review this privacy policy. We update it when our data processing changes. If changes require user actions (e.g. consent), we will inform you.

Please note that addresses/contact details of third-party providers may change over time. Always verify before contacting them.