Privacy statement of Zebrabox

We, Zebrabox Services SA (Eichenstrasse 4a, 8808 Pfäffikon SZ, registered in the Commercial Register of the Canton of Schwyz under the number CHE-114.055.433), operate the website www.zebrabox.ch (website) and, unless otherwise specified in this privacy policy, are responsible for the data processing described in this privacy policy.

To inform you about the personal data we collect from you and the purposes for which we use them, please read the following information. We primarily adhere to the legal requirements of Swiss data protection law, in particular the Swiss Federal Act on Data Protection (FADP), as well as the GDPR, the provisions of which may be applicable in specific cases.

Please note that the following information is reviewed and amended from time to time. We therefore recommend that you consult this data protection declaration regularly. Furthermore, other companies are responsible under data protection law for individual data processing operations listed below or are jointly responsible with us, so in these cases the information provided by these providers is also authoritative.

DISCLAIMER: In case of any data-related dispute related to this Privacy Statement, the German version of this Privacy Statement is the only legally valid document.

Status: September 2023

If you have any questions about data protection or wish to exercise your rights, please contact our data protection contact by sending an e-mail to: datenschutz@zebrabox.com

You can reach our EU data protection representative at:

MLL EU-GDPR GmbH
Ganghoferstrasse 37
DE-80339 Munich

If you contact us via our contact addresses and channels (e.g. by e-mail, telephone or contact form), your personal data will be processed. We process the data you have provided us with, such as your title, name, e-mail address, postal address and telephone number, and your enquiry (in particular the facility concerned, category of enquiry, message). In addition, the timestamp of the inquiry's receipt will be documented. Mandatory information is marked with an asterisk (*) in contact forms. Depending on the enquiry, we may also ask you for further information if you have not already provided it to us yourself, such as:

  • Vehicle rental: in particular rental period, pick-up location, number of drivers, driver's licence copies, payment method and details;
  • Packaging material: desired product, quantity, collection location, payment method and details;
  • Relocation: Moving date, current and new address, details for planning the move and transport (e.g. furniture, living area, floor, etc.), payment method and details;
  • Receipt of goods: number of parcels, facility concerned, drop-off or pick-up, payment method and details;
  • Document destruction: quantity of documents, facility concerned, desired time, payment method and details;
  • Archive systems: type and quantity of shelving, information for customised shelving systems, rental or purchase, payment method and details.

We process this data in order to address your request (e.g. providing information about our products and services, support with contract execution, incorporating your feedback in the improvement of our products and services, etc.).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in addressing your request or, if your request is directed towards the conclusion or execution of a contract, the necessity for the implementation of the pre-contractual or contractual measures within the meaning of Art. 6 Para. 1 lit. b GDPR.

4.    Data processing when reserving a Zebrabox and registering on a waiting list

On our website, you have the possibility to rent a Zebrabox or to be registered on a waiting list for the rental of a Zebrabox. For this purpose, we collect the following data, whereby mandatory data in the booking process are marked with an asterisk (*):

  • Personal data:
    • Salutation
    • Name and first name
    • Residential address
    • Date of birth
    • Company name for corporate clients
    • E-mail address
    • Telephone number
  • Product data:
    • Details of the desired Zebrabox (type, size, duration, reason for storage)
    • Value of goods
    • Stored goods

We use your personal data to verify your identity before concluding a contract. We need your e-mail address to confirm your booking and for future communication necessary for contract processing. The telephone number is used - after successful verification by means of the validation code sent - to deliver the access code. We store your data together with the peripheral data of the booking (e.g. timestamp, booking number, etc.), details of the product (e.g. size, exact facility, identification number of the Zebrabox), the payment data (e.g. selected payment method, confirmation of payment and timestamp; see also section 6) as well as the information on the processing and fulfilment of the contract (e.g. rectification of problems, use of customer service, etc.) in our CRM database (see also section 7) so that we can guarantee correct booking processing and fulfilment of the contract.

The legal basis for this data processing is the fulfilment of a contract with you according to Art. 6 Para. 1 lit. b GDPR.

The provision of data (e.g. reason for storage, knowledge of Zebrabox) that is not marked as mandatory is voluntary. We process this data in order to tailor our products and services to your personal needs in the best possible way, to facilitate contract processing, to contact you by an alternative means of communication if necessary, with a view to fulfilling the contract or for statistical recording and evaluation in order to optimise our products and services.

The legal basis for this data processing is your consent within the meaning of Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time by notifying us.

You have the option of adding your access code to the wallet on your (iOS or Android) smartphone using the "PassKit" app, so that you can easily find the code and have it to hand faster. In this case, with your consent, we will transmit the following data to PassKit, Inc. (6/F Golden Sun Centre Sheung Wan Hong Kong): Customer number, first name, last name and location of the booked Zebrabox. The legal basis for this data processing is your consent within the meaning of Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by notifying us. For any other processing of your data by PassKit, Inc., please refer to their data protection information.

We use the software application Mailchimp of Intuit Inc. (2700 Coast Avenue, Mountain View, CA 94043, USA) to send contract-relevant customer information by e-mail. Consequently, your data may be stored in a database of Intuit Inc., which may allow Intuit Inc. to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this data protection declaration. The legal basis for the disclosure of data is our legitimate interest in the use of third-party services within the meaning of Art. 6 Para. 1 lit. f GDPR.

Intuit Inc. may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Intuit Inc. is the controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Intuit Inc. can be found at: www.intuit.com/privacy/statement/.

To prevent, detect and prosecute unlawful and abusive behaviour on the part of customers, we require identification by means of an official identity document in order to book a Zebrabox. In this respect, biometric data, i.e. data requiring special protection, may be processed.

You have the option to complete the identification online or visit one of our facilities and have the check carried out by one of our employees. During the check at our facility, we verify whether you are the person in the photo on the ID document and whether the data on the ID document matches the data entered in the booking process (see point 4). We then save a copy of the ID document.

For online identification, we use the "PXL Ident" solution from PXL Vision AG (Rautistrasse 33, 8047 Zurich, Switzerland (PXL)). In this context, we redirect you to the web or mobile app and PXL receives the information that you intend to make a booking for a Zebrabox, as well as other technical data associated with accessing the website or app (see in particular section 8.1 regarding log file data). From PXL we receive information whether the identification was successful or not, as well as a copy of the ID card used. The legal basis for the data processing carried out by us as the data protection controller is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in protecting our property and the property of our customers and in safeguarding our legal claims and the legal claims of our customers.

PXL is the data controller for further data processing within the scope of online identification. PXL only processes your data for online identification with your express consent as the legal basis within the meaning of Art. 6 Para. 1 lit. a and Art. 9 Para. 2 lit. a GDPR. You can revoke your consent at any time with effect for the future by notifying PXL. You can find detailed information on this here: https://www.pxl-vision.com/de/privacy-policy-daego.

When you make bookings on our website, depending on the service and the desired payment method - in addition to the information mentioned in section 64 - it may be necessary to provide further data, such as your credit card information or the login to your payment service provider. This information, as well as the fact that you have made a booking with us for the respective amount and time, will be forwarded to the respective payment service providers (e.g. providers of payment solutions, credit card issuers and credit card acquirers). Please always observe the information provided by the respective company, in particular the data protection declaration and the general terms and conditions. The legal basis for our data processing lies in the fulfilment of a contract in accordance with Art. 6 Para. 1 lit. b GDPR.

To avoid payment defaults, the necessary data, in particular your personal details, may also be transmitted to a credit agency for the automated assessment of your creditworthiness. In this context, the credit agency may assign you a so-called score value. This is an estimate of the future risk of a payment default, e.g. based on a percentage. The value is determined using mathematical-statistical procedures and by including data from other sources of the credit agency. We reserve the right, according to the information received, not to offer you the payment method "invoice". In this context, automated decision-making (and profiling with or without high risk) may also occur, which may result in the payment method "invoice" not being made available to you. If the legal requirements are met, you have the right to express your point of view and request a review of the decision by a natural person. The legal basis for this data processing is our legitimate interest according to Art. 6 Para. 1 lit. f GDPR in the avoidance of payment defaults.

Provided it is possible to clearly identify you, we will store and link the data described in this data protection declaration, i.e. in particular your personal details, your contact details, your contract details and your browsing behaviour on our websites in a central database. This serves the efficient administration of customer data, allows us to adequately process your requests and enables the efficient provision of the services requested by you and the processing of the associated contracts. The legal basis for this data processing is our legitimate interest in the efficient administration of user data within the meaning of Art. 6 Para. 1 lit. f GDPR.

We also analyse this data to further develop our products and services in a needs-oriented manner and to be able to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future bookings based on your use of our website. Part of these analyses could be judged as profiling (with or without high risk). The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in carrying out marketing activities.

For central data storage and analysis in the CRM system, we use a software application from Uniserv B.V. (Korte Hogendijk 14, 1506 MA Zaandam, The Netherlands). Therefore, your data may be stored in a database of Uniserv, which may allow Uniserv to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this data protection declaration. Further information on data processing in connection with Uniserv can be found here. The legal basis for the transfer of data is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in the use of third-party services.

Uniserv may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Uniserv is the controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Uniserv can be found here.

This section covers the following data processing operations:

8.1 Data processing when visiting our website (log file data)
8.2 Cookies
8.3 Tracking and web analysis tools
8.4 Online advertising and targeting
8.5 Social media

When you visit our website, the web servers temporarily store each access in a log file. The following data is collected without your intervention and stored until it is automatically deleted by us:

  • IP address of the requesting computer;
  • date and time of access;
  • name and URL of the file accessed;
  • website from which the access was made, if applicable with the search word used;
  • operating system of your computer and the browser you are using (including type, version and language setting);
  • device type in the case of access by mobile phones;
  • city or region from which the access was made; and
  • name of your internet access provider.

The collection and processing of this data is carried out for the purpose of enabling the use of our website (connection establishment), to permanently guarantee system security and stability, to enable error and performance analysis and optimisation of our website (see also section 8.3 for the last points). In the event of an attack on the network infrastructure of the website or if there is a suspicion of other unauthorised or improper use of the website, the IP address and the other data will be evaluated for the purpose of clarification and defence and, if necessary, used in the context of civil or criminal proceedings to identify the user concerned. The purposes described above are our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR and thus the legal basis for data processing.

For the operation of our website, we use the services of our hosting provider iquer.net GmbH & Co. KG, Klingenderstraße 5, 33100 Paderborn, Germany. Therefore, your data may be stored in a database of iquer, which may allow iquer to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this privacy policy. Further information on data processing in connection with iquer can be found at https://www.iquer.net/datacenter/. The legal basis for the transfer of data is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in the use of third-party services. It is possible that iquer would like to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). For these data processing activities, iquer is the data controller and must ensure compliance with the data protection laws in connection with these data processing activities. Information about data processing by iquer can be found at https://www.iquer.net/datacenter/.

Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. In this context, the data described here may also be processed. You will find more details on this in the following sections of this data protection declaration, in particular section 8.2 below.

Cookies are information files that your web browser stores on your computer's hard drive or memory when you visit our website. Cookies are assigned identification numbers that identify your browser and allow the information contained in the cookie to be read. 

Among other things, cookies help to make your visit to our website easier, more pleasant and more meaningful. We use cookies for various purposes that are necessary, i.e. "technically required", for your desired use of the website. For example, we use cookies to provide the booking functions or to temporarily save your entries when filling out a form on the website so that you do not have to repeat the entry when calling up another sub-page. Cookies also perform other technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the performance load of the site to different web servers in order to relieve the servers. Cookies are also used for security purposes, e.g. to prevent the unauthorised posting of content. Finally, we also use cookies as part of the design and programming of our website, e.g. to enable the uploading of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in providing a user-friendly and up-to-date website.

Most internet browsers accept cookies automatically. However, when you access our website, we ask for your consent to the cookies we use that are not technically necessary, in particular when we use cookies from third-party providers for marketing purposes. Details of the services and data processing associated with the individual cookies can be found in the following sections of this data protection statement.

You may also be able to configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies in selected browsers.

Deactivating cookies may mean that you cannot use all the functions of our website.

8.3.1 General information on tracking

We use the web analysis services listed below for the purpose of demand-oriented design and continuous optimisation of our website. In this context, pseudonymised usage profiles are created and cookies are used (please also refer to section 8.2). The information generated by the cookie about your use of this website is usually transferred together with the log file data listed in section 8.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. the USA (cf. on this, in particular on the lack of an appropriate level of data protection and on the guarantees provided, section 9).

By processing the data, we obtain the following information, among others:

  • Navigation path followed by a visitor on the site (including content viewed and products selected or purchased or services booked);
  • length of stay on the website or sub-page;
  • sub-page on which the website is left;
  • country, region or city from which access is made;
  • terminal device (type, version, colour depth, resolution, width and height of browser window); and
  • returning or new visitors.

On our behalf, the provider will use this information for the purpose of evaluating the use of the website, in particular to compile reports on website activity and to provide other services relating to website activity and internet usage for the purposes of market research and demand-oriented website design. For these processing activities, we and the providers may be considered jointly responsible for data protection to a certain extent.

The legal basis for this data processing with the following services is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. Some of the data processing could also be assessed as profiling (with or without high risk), to which your consent also extends. You can revoke your consent or refuse processing at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 8.2) or by making use of the service-specific options described below.

For the further processing of the data by the respective provider as the (sole) data protection controller, in particular also a possible forwarding of this information to third parties, e.g. to authorities due to national legal regulations, please refer to the respective data protection information of the provider.

8.3.2 Google Analytics

We use the web analysis service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

Contrary to the description in section 8.3.1, Google Analytics (in the version "Google Analytics 4" used here) does not log or store IP addresses. In the case of accesses originating from the EU, IP address data is only used to derive location data and is then deleted immediately. When collecting measurement data in Google Analytics, all IP searches take place on EU-based servers before the traffic is forwarded to Analytics servers for processing. In Google Analytics, regional data centres are used. If a connection is established in Google Analytics to the nearest available Google data centre, the measurement data is sent to Analytics via an encrypted HTTPS connection. At these centres, the data is further encrypted before being forwarded to Analytics' processing servers and made available on the platform. The most suitable local data centre is determined based on the IP addresses. This may also result in data being transferred to servers abroad, e.g. the USA (cf. on this, in particular on the lack of an adequate level of data protection and on the guarantees provided, section 9.2).

We also use the technical extension "Google Signals", which enables cross-device tracking. This makes it possible to associate a single website visitor with different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and has also activated the "personalised advertising" option in their Google account settings. Even then, however, no personal data or user profiles are made available to us; they remain anonymous for us. If you do not wish to use "Google Signals", you can deactivate the "personalised advertising" option in your Google account settings.

Users can prevent Google from collecting the data generated by the cookie and relating to their use of the website (incl. the IP address), and from processing this data, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en. In doing so, an opt-out cookie is stored on the user's terminal device. If users delete cookies (see section 8 Cookies), the link must be clicked again.

8.4.1 In general

We use the services of various companies to provide you with interesting offers online. In doing so, your user behavior on our website and on websites of other providers is analyzed in order to subsequently display individually tailored online advertising to you.

Most technologies for tracking your user behaviour (tracking) and for the targeted display of advertising (targeting) work with cookies (see also section 8.2) or similar technologies and unique identifiers (e.g. advertising ID), with which your browser can be recognised across different websites. Depending on the service provider, it may also be possible for you to be recognised online even when using different end devices (e.g. laptop and smartphone). This may be the case, for example, if you have registered for a service that you use with several devices.

For these purposes, the data that is generated when accessing websites (log file data, see section 8.1) and when cookies are used (section 8.2) may be passed on to the companies involved in the advertising networks and be processed by them. This also results in the disclosure of data to potentially all countries worldwide (cf. on this, in particular on the lack of an adequate level of data protection and on the guarantees provided, section 9). In addition, the following data is included in the selection of the advertising that is potentially most relevant to you:

  • information about you that you provided when registering or using a service from advertising partners (e.g. your gender, age group); and
  • user behaviour (e.g. search queries, interactions with advertising, types of websites visited, products or services viewed and purchased, newsletters subscribed to).

We and our service providers use this data to identify whether you belong to our intended target group and take this into account when selecting advertisements. For example, after you have visited our site, you may be shown ads for the products or services you have consulted when you visit other sites (re-targeting). Depending on the scope of the data, a profile of a user may also be created which is evaluated automatically, i.e. with so-called profiling, whereby the ads are selected according to the information stored in the profile, such as membership of certain demographic segments or potential interests or behaviour. Such ads may be displayed to you on various channels, which include, in addition to our website or app (as part of onsite and in-app marketing), ads served through the online advertising networks we use, such as Google.

The data may then be analysed for the purpose of billing the service provider and assessing the effectiveness of advertising measures to better understand the needs of our users and customers and to improve future campaigns. This may also include information that the taking of an action (e.g. visiting certain sections of our websites or sending information) is due to a particular advertisement. We also receive aggregated reports from service providers of ad activity and information about how users interact with our website and ads.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. Some of the data processing could also be assessed as profiling (with or without high risk), to which your consent also extends. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 8.2). You will also find further options for blocking advertising in the information provided by the respective service provider.

8.4.2. Google Ads

This website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) for online advertising, as explained in section 8.4.1. For this purpose, Google uses cookies (cf. the list here) as well as similar technologies and unique identifiers (e.g. advertising ID), which enable your browser to be recognised when visiting other websites. The information thus generated about your visit to this website (including your IP address) will be transmitted to and stored by Google on servers in the United States (see section 9 for more information, in particular on the lack of an adequate level of data protection and the guarantees provided). Google will process the data by name in order to display personalised advertising to you on Google services (e.g. the search engine). Further information on data protection at Google can be found here.

The legal basis for this data processing is your consent in accordance with Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (see section 8.2). Further options for blocking advertising can be found here.

8.4.3. Microsoft Advertising/ Bing Ads

The website uses services of Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA (Microsoft)) for online advertising, as explained in section 8.4.1. In doing so, Microsoft uses cookies (cf. the list here) and unique identifiers (e.g. advertising ID or the UET tag) which enable your browser to be recognised when you visit other websites. The information thus generated about your visit to these web pages (including your IP address) will be transmitted to and stored by Microsoft on servers in the United States (see section 9, especially regarding the lack of an adequate level of data protection and the guarantees provided). Microsoft will process the data by name in order to display personalised advertising to you on Microsoft services (e.g. the search engine). Further information on data protection at Microsoft can be found here.

The legal basis for this data processing is your consent in accordance with Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 8.2). Further options for blocking advertising can be found here.

8.4.4. Yieldlab

The website uses the services of Virtual Minds GmbH (Ellen-Gottlieb-Str. 16, 79106 Freiburg i. Breisgau, Germany (Yieldlab)) for online advertising, as explained in section 8.4.1. Yieldlab uses cookies and unique identifiers (e.g. Mobile Advertisement ID (MAID)), which make it possible to recognise your browser when you visit other websites. The information thus generated about your visit to these websites (including your IP address) is transmitted to and stored on servers operated by Yieldlab in Germany, among other places, and may also be transmitted to other countries (cf. section 9, in particular on the lack of an adequate level of data protection and the guarantees provided). Yieldlab will process the data by name in order to display personalised advertising to you on websites and services of affiliated companies, namely from the media industry. Further information on data protection at Yieldlab can be found here.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 8.2). Further options for blocking advertising can be found here.

8.4.5. Meta Pixel and Custom Audience

The website uses the advertising services of Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (Meta)) for online advertising, as explained in section 8.4.1. Meta uses technologies such as cookies and the so-called meta pixel, which enable your browser to be recognised when visiting other websites. The information thus generated about your visit to these websites (including your IP address) is transmitted to Meta's servers in the USA, among other places, and stored there (cf. on this, in particular on the lack of an adequate level of data protection and on the guarantees provided, section 9). Meta will process the data by name in order to display personalised advertising to you on Meta services (e.g. Facebook or Instagram). In doing so, we use the targeting functions offered by Meta, namely Website Custom Audiences, which enables us to recognise you on Meta services after you have visited our website and to display targeted advertising to you. Further information on data protection at Meta can be found here and here.

The legal basis for this data processing is your consent in accordance with Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 8.2). Further options for blocking advertising can be found here.

8.5.1 Social Media Profile

We have included links to our profiles on the social networks of the following providers on our website:

  • Meta Platforms Ireland Limited (Facebook and Instagram), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Notice;
  • LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Notice;
  • Google Ireland Limited (YouTube), Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, Privacy Notice.

When you click on the icons of the social networks, you are automatically redirected to our profile in the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives in particular the data described in the section on log files (section 8.1), namely the information that you have visited our website with your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g. the USA (cf. section 9, in particular on the lack of an appropriate level of data protection and the guarantees provided).

If you click on a link to a network while you are logged into your user account with the network in question, the content of our website may be linked to your profile so that the network can assign your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. In any case, a connection between your access to our website and your user account is established when you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Please therefore note the data protection information on the website of the network.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the use and promotion of our social media profiles.

8.5.2 Social Media Plugins

On our website you can use social media plugins from the providers listed below:

  • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy

We use social media plugins to make it easier for you to share content from our website. The social media plugins help us to increase the visibility of our content in social networks and thus contribute to better marketing.

By default, the plugins are deactivated on our websites, and they do not send any data to social networks when you simply visit our website. To increase data protection, we have integrated the plugins in such a way that a connection is not automatically established with the networks' servers. Only when you activate the plugins by clicking on them and thus give your consent to the transmission and processing of data by the providers of the social networks, does your browser establish a direct connection to the servers of the respective social network.

The content of the plugin is transmitted directly to your browser by the social network and integrated into the website. This provides the respective provider with the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address and the other log file data (section 8.1)) is transmitted by your browser directly to a server of the provider (usually in the USA) and stored there (cf. section 9, in particular on the lack of an appropriate level of data protection and the guarantees provided). We have no influence on the scope of the data that the provider collects with the plugin, although from a data protection perspective we can be considered jointly responsible with the providers to a certain extent.

If you are logged into the social network, it can assign your visit to our website directly to your user account. If you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g. that you like a product or service from us) may also be published on the social network and possibly displayed to other users of the social network. The provider of the social network may use this information for the purpose of placing advertisements and tailoring the respective offer to your needs. For this purpose, usage, interest and relationship profiles could be created, e.g. in order to automatically evaluate your use of our website with regard to the advertisements displayed to you on the social network (in particular by means of profiling), to inform other users about your activities on our website and to provide other services associated with the use of the social network. The purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks as well as your rights in this regard and setting options for protecting your privacy can be found directly in the data protection information of the respective provider.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins. Your consent within the meaning of Art. 6 (1) a GDPR forms the legal basis for the data processing described above. Some of the data processing could also be assessed as profiling (with or without high risk), to which your consent also extends. You can revoke your consent at any time by declaring your revocation to the provider of the plugin in accordance with the information in their privacy policy.

9.1 Disclosure to and access by third parties

Without the support of other companies, we would not be able to provide our products and services in the desired manner. In order for us to be able to use the services of these companies, it is also necessary to pass on your personal data to these companies to a certain extent. We share your personal data with selected third-party service providers only to the extent necessary to provide you with the best possible service.

Various third-party service providers are already explicitly mentioned in this data protection declaration. Your data will also be passed on if this is necessary to process the contractual relationship, e.g. to removal companies or providers of document shredding services. The legal basis for these disclosures is the necessity for the fulfilment of a contract within the meaning of Art. 6 Para. 1 lit. b GDPR. These third-party service providers, and not we, are responsible for this data processing within the meaning of the Data Protection Act. It is the responsibility of these third-party service providers to inform you about their own data processing, which goes beyond the transfer of data for the provision of services, and to comply with data protection laws. In addition, we may transfer personal data to third-party providers of shipping, printing, security, IT support, data management, data backup, cloud and storage services if this is necessary for the use of the third-party services. Our legitimate interest within the meaning of Art. 6 (1) f GDPR in using third-party services forms the legal basis for this data processing.

In addition, your data may be passed on, in particular to authorities, legal advisors or collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to conduct due diligence or to complete the transaction. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in the protection of our rights and compliance with our obligations or the sale of our company or parts thereof.

9.2 Transfer of personal data abroad

We are authorized to transfer your personal data to third parties abroad if this is necessary to carry out the data processing mentioned in this data protection declaration. Individual data transfers have already been mentioned in the preceding sections (see in particular section 8). It goes without saying that we comply with the statutory provisions on the disclosure of personal data to third parties. The countries to which data is transferred include those that have an adequate level of data protection according to the decision of the Federal Council and the EU Commission (such as the member states of the EEA or, from the EU's perspective, Switzerland), but also countries (such as the USA) whose level of data protection is not considered adequate (see Annex 1 of the Data Protection Ordinance (DPA) and the EU Commission's website). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies by means of suitable guarantees, unless an exception is specified in the individual case for the data processing (cf. Art. 49 GDPR). Unless otherwise stated, these guarantees consist of choosing companies certified under the Privacy Framework Agreement or of standard contractual clauses within the meaning of Art. 46 (2) (c) of the GDPR, which can be accessed on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please contact our contact person for data protection (see point 2).

9.3 Information on data transfers to the USA

Some of the third-party service providers mentioned in this data protection declaration are based in the USA. For the sake of completeness, we would like to point out for users residing or having their registered office in Switzerland or the EU that there are monitoring measures in place in the USA by US authorities which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the US authorities to the data and their subsequent use to very specific, strictly limited purposes that can justify the intrusion associated with both the access to and the use of these data. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies or effective legal protection against general access rights of US authorities that would allow them to obtain access to the data concerning them and to obtain their correction or deletion. We explicitly draw your attention to this legal and factual situation in order to enable you to make an appropriately informed decision to consent to or object to the use of your data.

We would also like to point out to users residing in Switzerland or a member state of the EU that, from the point of view of the European Union and Switzerland, the USA does not have an adequate level of data protection, partly because of the statements made in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is adequately protected with our third-party service providers by choosing companies that are certified under the Privacy Framework Agreement or contractual arrangements with these companies, as well as any additional appropriate guarantees that may be required.

We only store personal data for as long as is necessary to carry out the processing operations explained in this data protection declaration within the scope of our legitimate interest. In the case of contractual data, storage is required by statutory retention obligations. Requirements that oblige us to retain data result from the provisions on accounting and from tax law regulations. According to these regulations, business communication, concluded contracts and accounting vouchers must be stored for up to 10 years. As soon as we no longer need this data to perform services for you, the data will be blocked. This means that the data may then only be used if this is necessary to fulfil the retention obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer any obligation to retain the data and no longer any legitimate interest in retaining it. 

We use appropriate technical and organisational security measures to protect your personal data stored with us against loss and unlawful processing, namely unauthorised access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and data protection. Furthermore, these persons are only granted access to personal data to the extent necessary to fulfil their tasks.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot therefore provide an absolute guarantee for the security of information transmitted in this way.

Provided that the legal requirements are met, you have the following rights as a person affected by data processing:

Right of access: You have the right to request access to your personal data stored by us at any time, free of charge, if we process it. This gives you the opportunity to check what personal data we process about you and whether we process it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to erasure may be excluded. In this case, the deletion may be replaced by a blocking of the data if the conditions are met.

Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.

Right to data transfer: You have the right to receive from us, free of charge, the personal data you have provided to us in a readable format.

Right to review: In the case of automated individual decisions, you have the right to express your point of view and request a review of the decision by a natural person.

Right to object: You can object to data processing at any time, especially in the case of data processing in connection with direct marketing (e.g. marketing e-mails).

Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your withdrawal.

To exercise these rights, please send us an e-mail to the following address: datenschutz@zebrabox.com 

Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way in which your personal data is processed.