1. general information

In this Privacy Notice, GDMD by Michel Yao (hereinafter also referred to as "GDMD", "GDMD Studio", "we" or "us") explains how we process your personal data in connection with the provision of our website https://gdmd.ch (the "website"). This is not an exhaustive description; other privacy policies, general terms and conditions and similar documents may govern specific matters.

We use the term "data" here interchangeably with "personal data".

If you transmit or disclose data to us about persons other than yourself, we assume that you are authorized to do so and that this data is correct. By transmitting data about third parties, you confirm this. Please also ensure that these third parties have been informed about this Privacy Notice.

2. controller

Unless we tell you otherwise in an individual case, the person responsible for processing your data under this Privacy Notice ("Controller") for the purposes of data protection law is:

GDMD by Michel Yao

Switzerland

You can contact us regarding data protection matters and to exercise your rights at: gdmd.studio@wesign.ch.

3. collection and processing of data

We collect data when you visit our websites and use the functionalities or services available on the websites. The processing of your data is limited to data that is necessary for the operation of a functional website and the provision of our content available on it. The processing of your data is based on the purposes agreed or on a legal basis. The specific data we process about you depends on the reason for and purpose of the processing. We only collect data that is necessary for the implementation and processing of our products and services or that you provide to us voluntarily. As far as it is not unlawful, we also collect data from public sources (e.g. debt collection registers, land registers, commercial registers, the media, or the Internet including social media) or receive data from public authorities and from other third parties (such as credit agencies, address brokers, associations, contractual partners, Internet analysis services, etc.).

The categories of data that you have provided to us directly and the categories of data that we receive about you from third parties include, but are not limited to:

• Technical DataIP address; information about the operating system of your terminal device; cookies; name and URL of any websites visited; amount of data transferred; region, date and time of access; websites accessed via our websites; websites from which any access takes place; type of browser; name of the internet provider; protocols; etc.;

• Master DataName; salutation/title, address; email address; telephone number; gender; date of birth; nationality; details of the employer or company on whose behalf you are contacting us; role and function; details of your relationship with us; details of interactions with you; consent forms (e.g. newsletter or online contact form); social media profiles; photos and videos; copies of ID; payment information etc.;

• Communication DataData transmitted via contact form, email, telephone, letter or other means of communication; name; contact details; type, manner, place and time of communication and, as a rule, its content (i.e. the content of e-mails, letters etc.); details of your request if you use an online contact form; order number; returned items etc.;

• Contract and Service DataInformation when using our online services and/or with regard to a possible conclusion of a contract; information about your contracts (e.g. type and date of conclusion); information about the products and the services provided or to be provided; information about feedback (e.g. complaints, feedback on satisfaction, etc.); information required for the execution and administration of the contracts (e.g. information in connection with billing, customer service, technical support and the enforcement of contractual claims), etc.;

• Registration DataName; address; email address; telephone number; date of birth; credit card information; bank account details, etc.;

• Behavioral and Preference DataInformation about user behavior on our websites; information about the use of our products and services; information about your response to electronic communications; information about your location, e.g. if you search for a store at a desired location via the websites using Google Maps; information from input fields (e.g. search function), etc.;

• Other DataWe may also collect data from you in other situations. For example, data may be collected in connection with official or legal proceedings (e.g. files, evidence, etc.). As part of the events we offer, we may collect data about who participates in events and when, and we may create photos, videos and sound recordings in which you can be recognized.

As part of our business relationship, it is necessary for you to provide us with data that is required for the establishment and fulfillment of the contractual relationship. In general, there is no legal obligation to provide us with this data. However, without this data, we may not be able to enter into or continue the contract with you or the organization/person you represent. In addition, certain information must be disclosed to enable data traffic on the websites, e.g. an IP address.

4. Purposes of the Processing

The data collected is mainly used for the conclusion and processing of contracts with you and business partners, in particular in connection with the products and services offered on our websites. We also process the data in order to fulfill our legal obligations, both domestically and internationally.

In addition, in accordance with applicable law and where appropriate, we may process data for the following purposes, which are in our legitimate interest or in the legitimate interest of third parties:

• Product/Service Development and InnovationWe process your data in order to further develop our products, services, websites and other platforms on which we operate and to expand our products and services.

• CommunicationWe process your data for the purpose of communicating with you, in particular to respond to your enquiries, when you exercise your rights and to contact you in the event of queries.

• SecurityWe process your data to protect our operations, our IT and other infrastructure as well as our websites and other platforms.

• MarketingWe process your data for market, media and opinion research, optimization of advertisements in order to show you advertisements and offers that are genuinely tailored to your interests and for sending newsletters if and insofar as you give us your consent, provided this is required by applicable law.

• Relationship ManagementWe may use a Customer Relationship Management System ("CRM") to store and process your data as described.

• Risk Management, Corporate Governance and Business DevelopmentWe process your data as part of our risk management and corporate governance in order to protect us from criminal or abusive activities. As part of our business development, we might sell businesses, parts of businesses or companies to others or acquire them from others or enter into partnerships, which might result in the exchange and processing of data based on your consent.

• LitigationWe process your data for the enforcement of legal claims and for defense in legal disputes and official proceedings.

• Compliance with LawWe process your data to comply with legal requirements (e.g. prevention and investigation of criminal offenses and other misconduct; conducting internal investigations, data analysis to combat fraud).

5. Legal Basis for the Processing

Where we have asked for your consent for certain processing (e.g. for receiving newsletters), we process your data based on such consent. You may withdraw your consent at any time with effect for the future by providing us written notice (email sufficient). If you like to withdraw your consent to online tracking, please refer to para. 8. Withdrawal of your consent does not affect the lawfulness of the processing that we have carried out prior to your withdrawal, nor does it affect the processing of your data based on other processing grounds.

Where we have not asked for your consent, we process your data for other legal reasons, such as a contractual obligation, a legal obligation, a vital interest of the data subject or of another natural person, to perform a public task or a legitimate interest, which includes compliance with applicable law and the marketing of our products and services, the interest to better understand our markets and in managing and further developing our company, including its operations, safely and efficiently.

6. Profiling and Automated Decision Taking

We might automatically evaluate certain of your personal characteristics for the above-mentioned purposes using your data ("profiling") if we want to determine preference data, but also to identify risks of misuse and security, to carry out statistical analyses or for operational planning purposes. For the same purposes, we can also create profiles, i.e. we can combine behavioral and preference data, but also master and contract data and technical data assigned to you in order to better understand you as a person with your different interests and other characteristics. We may also use profiling to assess your creditworthiness. We do not use profiling that can produce legal effects concerning you or similarly significantly affect you without human review.

In certain situations, for reasons of efficiency and consistency of decision-making processes, it may be necessary for us to automate discretionary decisions with legal effects or potentially significant disadvantages for you ("automated individual decisions"). In this case, we will inform you accordingly and take the measures required by applicable law.

7. Disclosure of Data to Third Parties

In order to perform our contracts, fulfill our legal obligations, protect our legitimate interest and fulfill the other purposes and legal grounds mentioned above, we may disclose your data to third parties, in particular to the following categories of recipients:

• Service providersWe work with service providers in Switzerland and abroad who process data about you on our behalf or under joint responsibility with us or who receive data about you from us under their own responsibility (e.g. IT providers, banks, insurance companies, telecommunications companies, credit information agencies, address verification providers, payment service providers, lawyers) or who we engage to process data for any of the purposes listed above on our behalf and in accordance with our instructions only.

• Contractual partnersIf it is required under the respective contract, we share your data to other contractual partners, merchants, subcontractors, etc.

• Legal AuthoritiesWe may disclose personal data to government offices, courts and other authorities in Switzerland or abroad if we are legally obliged or authorized to do so or if this appears necessary to protect our interests. The legal authorities process data about you that they receive from us under their own responsibility.

9. Newsletter

If you subscribe to one of our newsletters, you can cancel the subscription at any time by using the unsubscribe option contained in the newsletter.

In connection with our newsletter and on the basis of your consent, we use the data specified in Section 12 mentioned tools to collect your data when you sign up for our newsletter or other updates and to ensure that you only receive newsletters and updates that match your actual or perceived interests.

10. Cookies

We use cookies on our websites that allow us to identify your browser or device and that may allow certain third parties to do so as well. Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our websites.

Some cookies are necessary for the functioning of our websites or for certain features. These cookies are only temporary ("session cookies") and are deleted after you have visited our websites. Other cookies are necessary to store user configurations and other information beyond a session ("persistent cookies"). Irrespective of this, you have the option of setting your browser to reject cookies, to save them for a single session only or to delete them before their usual expiry date.

Most of the cookies we use are so-called session cookies. We only use pesistent cookies to save user settings (e.g. language etc.) and to understand how you use our services and content. Some cookies are sent to you by us, others by business partners we work with. If you choose to block cookies, you may not be able to use certain features (e.g. language settings, etc.).

By using our websites and agreeing to other marketing emails, you consent to the use of such techniques. However, depending on the purpose of these cookies, we may ask for your explicit consent beforehand. You can accept or decline consent via the cookie banner on our websites.

11. social plug-ins

We partly use social plug-ins from YouTube and Instagram on our websites. This is recognizable to you in each case (usually by corresponding symbols). We have configured these elements so that they are deactivated by default. If you activate them (by clicking on them), the providers of the respective social networks can register that and where you are on our websites and use this information for their purposes. The processing of your data is then the responsibility of the respective provider in accordance with their data protection regulations. We do not receive any information about you.

12. Our Appearance on Social Networks

We have various appearances on social media platforms. We operate these pages with the following providers: Facebook, LinkedIn, Instagram, Pinterest, TikTok, YouTube, Twitter/X and Snapchat.

We receive data from you and the platforms when you come into contact with us via our online presence. At the same time, the platforms evaluate your use of our online presence and link this data with other data about you known to the platforms. They also process this data for their own purposes under their own responsibility, in particular for marketing and market research purposes and to manage their platforms.

We would like to point out that you use our presence on social media platforms and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). For details about the collection and storage of your data and about the type, scope and purpose of its use by the social media provider, please refer to the privacy policy of the respective social media provider.

13. tools

• YouTube

We use services form YouTube on our websites. This allows us to play videos directly on the websites and enables you to conveniently use the video feature.

YouTube is part of Google; Google Ireland (based in Ireland) is the provider of the service YouTube and acts as our processor. Google Ireland relies on Google LLC (based in the USA) as its processor (both "Google").

Normally, when you access a page with embedded videos, your IP address is sent to YouTube and cookies are installed on your computer. However, we have embedded our YouTube videos with the extended data protection mode (in this case, YouTube still contacts Google's Double Click service, but according to Google's privacy policy, personal data is not analyzed). This means that YouTube no longer stores any information about visitors unless they watch the video. If you click on the video, your IP address is transmitted to YouTube and YouTube knows that you have watched the video. If you are logged in to YouTube, this information will also be assigned to your user account (you can prevent this by logging out of YouTube before watching the video).

We have no knowledge of and no influence on the possible collection and use of your data by YouTube. Further information can be found in YouTube's privacy policy.

• Chatra

We use functions of the live chat service Chatra on our websites, which is offered by Roger Wilco LCC based in the USA. We have concluded an agreement with Roger Wilco LCC for commissioned data processing and fully implement the strict requirements of the GDPR when using Chatra. You can find more information on the handling of personal data at Chatra in Chatra's privacy policy: https://chatra.com/privacy-policy/.

• Klaviyo

On our websites, we use functions of the email marketing service Klaviyo, which is offered by Klaviyo in the USA. We have concluded an agreement with Klaviyo for commissioned data processing and fully implement the strict requirements of the GDPR when using Klaviyo. You can find more information on the handling of personal data at Klaviyo in Klaviyo's privacy policy: https://www.klaviyo.com/legal/data-processing-agreement.

• Pushowl

On our websites, we use functions of the notification service Pushowl, which offers browser notification marketing and is operated by Pushowl in India. We have concluded an agreement with Pushowl for commissioned data processing and fully implement the strict requirements of the GDPR when using Pushowl. You can find more information on how Pushowl handles personal data in Yotpo's privacy policy: https://pushowl.com/privacy.

• Microsoft Ads

On our websites, we use functions of the search engine advertising service Microsoft Ads, which is offered by Microsoft in the USA. We have concluded an agreement with Microsoft for commissioned data processing and fully implement the strict requirements of the GDPR when using Microsoft Ads. You can find more information on the handling of personal data with Microsoft Ads in Microsoft's legal provisions on data protection and security: https://about.ads.microsoft.com/de-de/policies/legal-privacy-and-security.

• Amazon Web Services

We use functions of the cloud infrastructure provider Amazon Web Services (AWS) on our websites, via which the tool Innkeepr runs. Amazon Web Services is based in the USA. We have concluded an agreement with Amazon Web Services for commissioned data processing. Further information on the handling of personal data at Amazon Web Services can be found in AWS's privacy policy: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice_German_2023-08-11.pdf.

• Shopify

We use functions of the e-commerce platform Shopify on our websites, which is used by the GDMD web store. Shopify Inc. is based in Canada. We have concluded an agreement with Shopify Inc. for commissioned data processing and fully implement the strict requirements of the GDPR when using Shopify. Further information on the handling of personal data at Shopify can be found in Shopify's privacy policy: https://www.shopify.com/de/legal/datenschutz.

• Matrixify

We use functions of the data processing service Matrixify on our websites, which enables the import/export of data and the analysis of data collected by Shopify. Matrixify is operated by Matrixify, based in Lithuania. We have concluded an agreement with Matrixify for commissioned data processing and fully implement the strict requirements of the GDPR when using Matrixify. Further information on the handling of personal data at Matrixify can be found in Matrixify's privacy policy: https://matrixify.app/privacy-notice/.

• Analyzify

We use the functions of the data analysis app Analyzify on our websites, which takes care of all data collection and tracking requirements of our customers for the Shopify store. The Analyzify app is owned by Solverhood OÜ, which is based in Estonia. We have concluded an agreement with Solverhood OÜ for commissioned data processing and fully implement the strict requirements of the GDPR when using Analyzify. Further information on the handling of personal data at Solverhood OÜ can be found in Analyzify's privacy policy: https://analyzify.com/privacy-policy.

• Google

We use functions from Google on our websites. Google Ireland (based in Ireland) is the provider of the service "Google Analytics" and acts as our processor. Google Ireland relies on Google LLC (based in the USA) as its processor (both "Google"). Google uses performance cookies to track the behavior of visitors to our websites (duration, frequency of pages accessed, geographical origin of access, etc.) and compiles reports for us on the use of our websites on this basis. We have concluded an agreement with Google Ireland for commissioned data processing and fully implement the strict requirements of the GDPR when using Google. Further information on the handling of personal data at Google can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245.F

• Weglot

We use the website translation solution Weglot on our websites. Weglot is based in France. We have concluded an agreement with Weglot for commissioned data processing and fully implement the strict requirements of the GDPR when using Weglot. Further information on the handling of personal data at Weglot can be found in Weglot's privacy policy: https://www.weglot.com/privacy.

• AfterSell

We use the product recommendation solution AfterSell on our websites. AfterSell is based in Canada. We have concluded an agreement with AfterSell for commissioned data processing and fully implement the strict requirements of the GDPR when using AfterSell. Further information on the handling of personal data at AfterSell can be found in AfterSell's privacy policy: https://start.aftersell.app/privacy

• Twitter

We may use functions of Twitter and/or other services offered by X Corp. in the USA on our websites to optimize advertising and other social media activities. We have concluded an agreement with X Corp. for commissioned data processing and fully implement the strict requirements of the GDPR when using these services. You can find more information on the handling of personal data by Twitter and X Corp. in their privacy policy, which you can view here: https://twitter.com/de/privacy.

• LinkedIn

We use functions of the business social media platform Linkedin on our websites, which is offered by Linkedin Corporation in the USA. We have concluded an agreement with Linkedin Corporation for commissioned data processing and fully implement the strict requirements of the GDPR when using Linkedin. You can find more information on the handling of personal data on Linkedin in Linkedin's privacy policy, which you can view here: https://www.linkedin.com/legal/l/dpa.

• Facebook/Meta

We use Facebook Pixel on our websites to optimize advertising. Facebook is operated by Meta Inc. in the USA. We have concluded an agreement with Meta Inc. for commissioned data processing and fully implement the strict requirements of the GDPR when using Facebook/Meta. You can find more information on the handling of personal data by Facebook/Meta in their privacy policy, which you can view here: https://de-de.facebook.com/business/gdpr.

• Youtube

We use YouTube to integrate videos on our websites and probably also to optimize advertising through YouTube. YouTube is operated by Google LLC in the USA. We have concluded an agreement with Google LLC for commissioned data processing and fully implement the strict requirements of the GDPR when using YouTube. You can find more information on the handling of personal data by YouTube in their privacy policy, which you can view here: https://youtube.com/t/terms_dataprocessing.

• Pinterest

We use functions of Pinterest Inc. on our websites, an image sharing and social media platform. Pinterest Inc. is based in the USA. We have concluded an agreement with Pinterest Inc. for commissioned data processing and fully implement the strict requirements of the GDPR when using Pinterest. You can find more information on the handling of personal data by Pinterest in their privacy policy, which you can view here: https://policy.pinterest.com/en/privacy-policy.

• Snapchat Ads / Snap Inc.

We probably use functions from Snap Inc. on our websites, the company behind the multimedia instant messaging app Snapchat. Snap Inc. is based in the USA. We have concluded an agreement with Snap Inc. for commissioned data processing and fully implement the strict requirements of the GDPR when using Snap Inc. You can find more information on the handling of personal data by Snap Inc. in their privacy policy, which you can view here: https://snap.com/en-US/terms/data-processing-agreement.

• TikTok

We are likely to use functions on our websites provided by ByteDance Ltd, the company behind the short-form video hosting service TikTok. ByteDance Ltd. is based in the UK, the Cayman Islands and China, which can be complex. However, we have concluded an agreement with ByteDance Ltd. for commissioned data processing and fully implement the strict requirements of the GDPR when using ByteDance Ltd. More information on the handling of personal data by ByteDance Ltd. can be found in their official article on data processing, which you can view here: https://ads.tiktok.com/i18n/official/article?aid=893639991572679936

14. transfer of data abroad

As we have explained in the Sections above, we also disclose data to other parties. Not all of them are located in Switzerland. Your data may therefore be processed in Europe as well as in the USA, Hong Kong, Ireland, India, Canada, Lithuania, Denmark, Germany, Estonia, Israel, the UK, Latvia and France; in exceptional cases, however, in any other country in the world.

We only transfer data to countries without an adequate level of data protection if this is necessary for the performance of a contract or for the exercise or defense of legal claims, or if such a transfer is based on your explicit consent or is subject to safeguards that assure the protection of your data, such as the standard contractual clauses approved by the European Commission (adapted to Switzerland, if applicable).

15. Retention Periods for the Data

We will only process your data for as long as it is necessary to fulfill the purposes we collected it for, including for the purposes of complying with legal retention requirements and where required to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. Upon expiry of the applicable retention period, we will securely destroy your data in accordance with applicable laws and regulations.

16. Data Security

We take appropriate security measures to protect the confidentiality, integrity and availability of your data, to protect it against unauthorized or unlawful processing and to counter the risks of loss, unintentional alteration, unwanted disclosure or unauthorized access. However, we and your data can still become victims of cyber-attacks, cybercrime, brute force, hacking and further fraudulent and malicious activities, including but not limited to viruses, forgeries, malfunctions and interruptions, which are out of our control and responsibility. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

17. your rights

You have various rights in relation with our processing of your personal data, depending on the applicable data protection law: right of access, right to rectification, right to erasure, right to restriction, right to data portability, right to withdraw consent, right to lodge complaints and right to object.

Please note that we reserve the right to assert legal restrictions if necessary, e.g. if we are obliged to store or process certain data, have an overriding interest (insofar as we can invoke such interests) or need the data to assert claims. If the exercise of certain rights involves costs for you, we will inform you in advance. We have already referred to the possibility of withdrawing consent in Section 8 above. It is important to note that exercising these rights may conflict with your contractual obligations and could have consequences such as premature termination of the contract or associated costs. Should this occur, we will inform you in advance, unless this has already been contractually agreed.

If you like to exercise the above-mentioned rights, please contact the persons listed in Section 2 unless otherwise stated or agreed. Please note that we need to identify you to prevent misuse, e.g. by means of a copy of your ID card or passport, unless identification is possible otherwise.

In addition, every data subject has the option of asserting their rights in court or lodging a complaint with the competent data protection authority. In Switzerland, the competent data protection authority is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

18. Updating and Amending this Privacy Notice

Due to the continuous development of our websites and their content, as well as changes in law or regulatory requirements, we may need to amend this Privacy Notice from time to time. The version published on the websites is the current version.

Last updated: 15.7.2024.