Data Privacy Policy
Last updated in October 2024
1. Scope
GUURU has issued this privacy statement in accordance with the enactment of GDPR, the European Union’s (EU) new data protection and privacy regulation, and the upcoming revision of the Swiss Data Protection Act (FADP). Where reference is made to articles of the FADP, these are those of the revised version.
2. Data Protection
In the following, we provide an overview of how we process your data and of your rights in accordance with data privacy laws. Details on what data will be processed and which method will be used essentially depend on the services requested or agreed upon.
3. Who is responsible for data processing and how can I contact them?
The responsibility for data processing is GUURU. We can be reached as follows:
GUURU Solutions GmbH
Rothusstrasse 21
6331 Hünenberg
Switzerland
Phone (+41) 41 530 04 64
Email: dataprotection@guuru.com
Web: www.guuru.com
4. What sources and data do we use?
We process personal data that we obtain from USERS, EXPERTS, and CLIENTS within the context of our service offering. We also process – insofar as necessary to provide our services and organize your procurement of services – personal data that we obtain from publicly accessible sources, (e.g. debt registers, commercial and association registers, media, the Internet) or which is legitimately transferred from other third parties.
Furthermore, certain data may be received from Google Analytics integrations on the websites of CLIENTS. See Section 12 below for more information on Google Analytics.
Relevant data is the personal information of contact persons among our CLIENTS and EXPERTS (e.g. name, address, and other contact details, date and place of birth, nationality, profile picture, TIN) as well as USERS of our services. This can also be order data (e.g. payment order), data from the fulfillment of our contractual obligations, marketing, and sales data, documentation data, and other data similar to the categories mentioned.
5. Why do we process your data (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP):
a) For the fulfillment of contractual obligations (Art. 6, Par. 1b of the GDPR).
Data is processed to provide and receive services within the scope of fulfilling our contracts with our CLIENTS and EXPERTS or to carry out pre-contractual measures that occur as part of a request. The purposes of data processing primarily serve compliance with the specific services provided or received. Further details about the purposes of data processing can be found in the relevant contract documents and terms and conditions.
b) In the context of balancing interests (Art. 6, Par. 1f of the GDPR).
When required, we process your data beyond the scope of the actual fulfilment of the contract for the purposes of the legitimate interests pursued by us or a third party.
Examples:
- Consulting and exchanging data with third parties (e.g. debt register to investigate creditworthiness and credit risks)
- Measures for business management and further development of services and products
- Prevention and clarification of crimes
- Guaranteeing our company’s IT security and IT operation
- Asserting legal claims and defense in legal disputes
- Marketing or market and opinion research, unless you have objected to the use of your data
- Risk control within GUURU.
We also obtain personal data from publicly available sources for client acquisition purposes.
c) As a result of your consent (Art. 6, Par. 1a of the GDPR).
If you have granted us consent to process your personal data for certain purposes (e.g. analysis of certain activities for marketing purposes), your consent forms the legal basis for this processing. Consent given can be withdrawn at any time. This also applies to the retraction of consents granted to us before the GDPR came into force, i.e. before May 25, 2018. Withdrawal of consent does not affect the legality of data processed prior to withdrawal.
d) For compliance with a legal obligation (Art. 6 Par. 1c of the GDPR)
For example: We are required by tax law to keep records of certain data and disclose them to the tax authorities upon request.
6. Who receives my data?
Within GUURU, every unit that requires your data to fulfil our contractual and legal obligations will have access to it. Service providers and vicarious agents appointed by us may also receive access to data for the purposes listed if they maintain confidentiality. These are companies in the fields of banking services, IT services, logistics, printing services, telecommunications, collection, advice and consulting, as well as sales and marketing. Data may also be disclosed to (tax) authorities, if GUURU is requested to do so.
7. Will data be transferred to a third country or an international organisation?
Your data may be shared with EXPERTS and/or specialised IT service providers. As such, your data may be transferred to countries outside Switzerland or the European Economic Area (EEA). Personal data is transferred outside the EEA on the basis of declarations of adequacy or other appropriate safeguards, in particular, the standard data protection clauses adopted by the European Commission.
8. Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the varying risk of likelihood and severity for the rights and freedoms of natural persons, we make reasonable efforts to protect personal data against accidental and illegal destruction and loss. We strive to ensure that personal data is used properly and protected from unauthorised access, use, or disclosure. We use a combination of process, technology, and physical security controls to protect personal data from unauthorised access, use, or disclosure.
In addition, access to personal data is restricted to employees, contractors, and agents who need such information to perform their assigned functions and to develop or improve our services.
9. How long will my data be stored for?
We will process and store your personal data for as long as it is necessary in order to fulfil our contractual and statutory obligations. Contractual obligations mean that, in order to investigate possible claims by Guuru or third parties, we process personal data until, according to general life experience, the assertion of claims can no longer be expected. As a rule, this is 2.5 years. In the case of statutory retention obligations, these are mainly retention obligations under commercial or tax law, which can be up to 10 years.
If the data is no longer required to fulfil contractual or statutory obligations, it is deleted, unless the further processing thereof is required – for a limited time – for the purpose of fulfilling record storage obligations as stipulated by commercial and tax law.
10. What are my data privacy rights?
Every data subject has the right to access their data according to Article 15 GDPR (Article 25 FADP), the right to rectification according to Article 16 GDPR (Article 6 FADP), the right to deletion according to Article 17 GDPR (Article 6 FADP), the right to restrict processing according to Article 18 GDPR (Articles 30 31, 23 FADP), the right of objection according to Article 21 GDPR (Article 6 FADP), and if applicable – the right to data portability according to Article 20 GDPR (Article 28 FADP). Furthermore, if applicable, you are entitled to lodge a complaint with a relevant data privacy regulatory authority (Article 77 GDPR).
For personal reasons, you have the right to object at any time to processing of your personal data, based on Article 6, Par.1 f of the GDPR (data processing based on balancing interests). If you submit an objection, we will no longer process your personal data unless we can provide evidence of mandatory, legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or if the processing serves the enforcement, exercise, or defence of interests. Please note that in such cases we may not be able to continue to provide services or maintain a business relationship with you.
You can retract the consent granted to us for the processing of personal data at any time. This also applies to the retraction of consents granted us before the GDPR came into force, i.e. before May 25, 2018. Please note that the retraction only applies to the future. Processing that was carried out before the retraction is not affected by it.
While no particular form is required for the objection or retraction, it should ideally be addressed to the contact details listed above.
11. To what extent does automated decision-making or profiling occur?
In establishing and carrying out a business relationship, we generally do not use any automated decision-making or profiling pursuant to Article 22 GDPR. Should we use this procedure in individual cases, we will inform you of this separately, if this is legally required.
12. Data protection provisions about the application and use of Google Analytics (with anonymization function)
For our service offering, we receive data from our CLIENTS’ integration of components of Google Analytics (with the anonymization function) on their websites. We receive such data via Google. Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data about the behaviour of visitors to websites. A web analysis service collects, inter alia, data about the website from which a person has come (the so-called referrer), which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and to carry out a cost-benefit analysis of Internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
For web analytics through Google Analytics, the controller uses the application “_gat. _anonymizeIp”. Through this application, the IP address of the Internet connection of the data subject is abridged by Google and anonymized when accessing our websites from a Member State of the European Union or another contracting state to the Agreement on the European Economic Area. The purpose of the Google Analytics component is to analyze the traffic on our website. Google uses the collected data and information, inter alia, to evaluate the use of our website and to provide online reports showing activity on our websites, and to provide us with other services concerning the use of our website.
Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies is explained above. By placing the cookie, Google is able to analyse the use of our website. With each call-up of an individual page of this website, which is operated by the controller and upon which a Google Analytics component was integrated, the Internet browser on the information technology system of the data subject will automatically submit data through the Google Analytics component for the purpose of online advertising and the settlement of commissions to Google. During the course of this technical procedure, the company Google gains knowledge of personal information, such as the data subject’s IP address, which helps Google, inter alia, recognise the origin of visitors and clicks, and to subsequently generate commission settlements.
The cookie is used to store personal information, such as the access time, the location from which the access was made, and the frequency of visits to our website by the data subject. With each visit to our website, such personal data, including the IP address of the Internet access used by the data subject, will be transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may pass these personal data collected through the technical procedure to third parties.
The data subject may, as stated above, prevent the placing of cookies by our website at any time through settings to the web browser used and to thereby permanently deny the placing of cookies. Such settings to the Internet browser used would also prevent Google Analytics from placing a cookie on the data subject’s information technology system. In addition, cookies already in use by Google Analytics may be deleted at any time via a web browser or other software programs.
The data subject can also object to the collection of data generated by Google Analytics which is related to the use of this website, as well as the processing of this data by Google and has the option of precluding the same. For this purpose, the data subject must download and install a browser add-on under the link https://tools.google.com/dlpage/gaoptout. This browser add-on tells Google Analytics through a JavaScript that any data and information about the visits of Internet pages may not be transmitted to Google Analytics. The installation of browser add-ons is considered an objection by Google. If the information technology system of the data subject is later deleted, formatted, or newly installed, then the data subject must reinstall the browser add-ons to disable Google Analytics. If the browser add-on was uninstalled by the data subject or any other person who is attributable to their sphere of competence, or is disabled, it is possible to execute the reinstallation or reactivation of the browser add-ons.
Further information and the applicable data protection provisions of Google may be accessed at https://www.google.com/intl/en/policies/privacy/ and at https://www.google.com/analytics/terms/us.html. Google Analytics is explained in greater detail at https://www.google.com/analytics/.