Last updated: October 2025
1. Controller
The controller within the meaning of the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP) is:
Vision Consulting AG
Compliance
Bächausstrasse 61
CH-8806 Bäch SZ
Switzerland
Email: dataprotection@vision.ch
Phone: +41 44 560 94 30
Website: www.canvarto.ch
Note: Vision Consulting AG has not appointed a data protection officer as there is no legal obligation to do so.
2. Applicable Data Protection Laws
This Privacy Policy takes into account both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR), as we serve customers in both Switzerland and the EU/EEA.
For customers residing in Switzerland, the provisions of the Swiss Federal Act on Data Protection primarily apply. For customers residing in the EU/EEA, the provisions of the GDPR apply.
3. General Information on Data Processing
3.1 Scope of Processing of Personal Data
We generally process personal data of our users only to the extent necessary to provide a functional website as well as our content and services. The processing of personal data regularly takes place only with the user's consent. An exception applies in cases where prior obtaining of consent is not possible for factual reasons and the processing of data is permitted by law.
3.2 Legal Basis for Processing
For customers in the EU/EEA (GDPR):
Insofar as we obtain consent from the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.
If processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override that first interest, Article 6(1)(f) GDPR serves as the legal basis for processing.
For customers in Switzerland (FADP):
The processing of personal data is based on:
- Consent of the data subject
- Contractual necessity for the performance of a contract
- Legal obligation under Swiss law
- Overriding interest of our company, provided no overriding interests or fundamental rights of the data subject conflict
3.2a Data Processing Agreement
We engage external service providers to deliver our services (e.g., Shopify, Google Analytics, payment service providers, shipping service providers). We have concluded contracts pursuant to Article 28 GDPR or corresponding agreements pursuant to the Swiss FADP with all processors that process personal data on our behalf. These contracts ensure that processing only takes place according to our instructions and that an adequate level of protection is guaranteed.
3.3 Data Deletion and Storage Duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also occur if this has been provided for by European or Swiss legislators in regulations, laws or other provisions to which the controller is subject. Blocking or deletion of data also takes place when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.
4. Provision of the Website and Creation of Log Files
4.1 Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:
- Information about the browser type and version used
- The user's operating system
- The user's Internet service provider
- The user's IP address
- Date and time of access
- Websites from which the user's system reaches our website (referrer URL)
- Websites accessed by the user's system via our website
- Amount of data transmitted
- Notification of successful retrieval
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
4.2 Legal Basis and Purpose of Data Processing
EU/EEA: The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
Switzerland: The legal basis is the legitimate interest in providing and securing our website.
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. Storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
4.3 Storage Duration
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. In the case of data collection for providing the website, this is the case when the respective session has ended. In the case of storing data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the users' IP addresses are deleted or anonymized so that assignment of the accessing client is no longer possible.
4.4 Right to Object and Removal
The collection of data for providing the website and storing data in log files is essential for operating the website. Consequently, there is no possibility of objection on the part of the user.
5. Use of Cookies
5.1 Description and Scope of Data Processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that enables unique identification of the browser when the website is accessed again.
We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.
5.2 Cookie Categories
We use the following categories of cookies on our website:
Necessary Cookies (Technically Required)
- Purpose: Basic website functionality, session management, shopping cart, checkout
- Legal basis: Article 6(1)(f) GDPR (legitimate interest) / legitimate interest (FADP)
- Storage duration: Session cookies (deleted after closing the browser) or up to 30 days
Preference Cookies
- Purpose: Storage of user settings (language, region)
- Legal basis: Article 6(1)(a) GDPR (consent) / consent (FADP)
- Storage duration: Up to 12 months
Statistics Cookies
- Purpose: Analysis of user behavior, website optimization
- Legal basis: Article 6(1)(a) GDPR (consent) / consent (FADP)
- Storage duration: Up to 24 months
Marketing Cookies
- Purpose: Display of personalized advertising, tracking across multiple websites
- Legal basis: Article 6(1)(a) GDPR (consent) / consent (FADP)
- Storage duration: Up to 24 months
5.3 Specific Cookie List
The following cookies are used on our website:
Shopify Cookies (necessary):
- _shopify_s: Session ID, 1 day
- _shopify_y: Persistent shop ID, 1 year
- cart: Shopping cart information, 14 days
- cart_sig: Shopping cart signature, 14 days
- secure_customer_sig: Customer login signature, 20 years
- storefront_digest: Shop authentication, 2 years
Google Analytics Cookies (statistics, only with consent):
- _ga: Client ID to distinguish users, 2 years
- _gid: Client ID to distinguish users, 24 hours
- _gat: Request rate throttling, 1 minute
Facebook Cookies (marketing, only with consent):
- _fbp: Facebook pixel tracking, 3 months
- fr: Facebook advertising ID, 3 months
Google Ads Cookies (marketing, only with consent):
- _gcl_au: Google Ads conversion tracking, 90 days
- IDE: Google DoubleClick, for ad targeting and remarketing, 13 months
- test_cookie: Tests cookie support of the browser, 15 minutes
- Conversion cookie: Specific cookie for each conversion action, 30 days
5.4 Legal Basis and Purpose of Data Processing
The legal basis for processing personal data using technically necessary cookies is legitimate interest (Article 6(1)(f) GDPR or FADP). The legal basis for processing personal data using cookies for analytical purposes is consent of the user (Article 6(1)(a) GDPR or FADP) when such consent has been given.
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change.
User data collected through technically necessary cookies is not used to create user profiles. Analysis cookies are used to improve the quality of our website and its content. Through analysis cookies, we learn how the website is used and can thus continuously optimize our offering.
5.5 Storage Duration, Right to Object and Removal
Cookies are stored on the user's computer and transmitted from there to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, it may no longer be possible to use all functions of the website fully.
You can adjust your cookie settings at any time via our cookie banner.
6. Google Analytics
6.1 Scope of Processing Personal Data
We use Google Analytics on our website, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies that enable analysis of your use of the website.
The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. We have activated IP anonymization on this website. This means that Google shortens your IP address beforehand within member states of the European Union, in other contracting states of the Agreement on the European Economic Area, and in Switzerland.
Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website usage and Internet usage to the website operator.
6.2 Legal Basis for Processing Personal Data
The legal basis for using Google Analytics is your consent (Article 6(1)(a) GDPR or FADP). Use only occurs if you have previously given your consent via our cookie banner.
6.3 Purpose of Data Processing
The use of Google Analytics serves to analyze our website and optimize our Internet presence.
6.4 Storage Duration
Data we send that is linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.
6.5 Right to Object and Removal
You can prevent the storage of cookies by adjusting your browser software accordingly. You can also prevent Google from collecting data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout
As an alternative to the browser plugin, you can revoke your consent via our cookie banner or click this link to prevent future collection by Google Analytics within this website (the opt-out only works in this browser and only for this domain). An opt-out cookie will be placed on your device. If you delete your cookies in this browser, you must click this link again.
6.6 Data Transfer to the USA
Google processes your data in the USA. The USA has an adequacy decision from the European Commission (EU-US Data Privacy Framework). Switzerland also recognizes the USA as a country with an adequate level of data protection under the Swiss-US Data Privacy Framework. Google LLC is certified under both frameworks.
Further information can be found at:
- EU-US Data Privacy Framework: https://www.dataprivacyframework.gov/
- Swiss-US Data Privacy Framework: https://www.dataprivacyframework.gov/s/participant-search
Further information on data protection at Google Analytics can be found at: https://support.google.com/analytics/answer/6004245
7. Social Media Plugins
7.1 Facebook Social Plugins
Our website uses so-called social plugins ("plugins") of the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook").
The plugins are marked with a Facebook logo (white "f" on blue tile or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin".
When you access a page of our website that contains such a plugin, your browser establishes a direct connection to Facebook's servers. The content of the plugin is transmitted directly from Facebook to your browser and integrated into the website.
Through the integration of plugins, Facebook receives the information that you have accessed the corresponding page of our website. If you are logged into Facebook, Facebook can assign the visit to your Facebook account. If you interact with the plugins, for example by clicking the "Like" button or leaving a comment, the corresponding information is transmitted directly from your browser to Facebook and stored there.
Legal basis: Consent via cookie banner (Article 6(1)(a) GDPR or FADP)
Purpose: Integration of social network functions, enabling content sharing
Data transfer: Facebook processes data partly in the USA. Meta Platforms is certified under the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework.
Objection: If you do not want Facebook to collect data about you via our website, you must log out of Facebook before visiting our website. You can also completely block Facebook plugins with add-ons for your browser.
Further information on the purpose and scope of data collection and its processing by Facebook can be found in Facebook's privacy policy: https://www.facebook.com/about/privacy/
7.3 Google Tag Manager
We use Google Tag Manager, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
Description and scope: Google Tag Manager is a tag management solution that allows us to manage so-called website tags via an interface. Tags are small code elements on our website used, among other things, to measure traffic and visitor behavior, to capture the impact of online advertising and social channels, to use remarketing and target groups, and to test and optimize websites.
Google Tag Manager itself (which implements the tags) is a cookieless domain and does not collect personal data. The Tag Manager triggers other tags, which in turn may collect data. This collection is performed by the tools integrated via the Tag Manager (e.g., Google Analytics, Facebook Pixel).
Legal basis:
- EU/EEA: Article 6(1)(f) GDPR (legitimate interest in efficient management and optimization of our marketing tools)
- Switzerland: Legitimate interest under FADP
Purpose: Central management and implementation of analytics and marketing tags without direct code changes
Data transfer: The Tag Manager can transfer technical information (IP address, browser, device) to Google servers in the USA. Google is certified under the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework.
Objection: You cannot directly disable the Tag Manager, but you can disable the individual services integrated via the Tag Manager (e.g., Google Analytics, Facebook Pixel) via our cookie banner.
Further information on Google Tag Manager: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/
7a. Meta Pixel (Facebook Pixel)
We use the "Meta Pixel" (formerly "Facebook Pixel") on our website, a service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta").
7a.1 Description and Scope of Data Processing
The Meta Pixel is a code snippet integrated into our website that captures various actions by visitors. The following data is collected and transmitted to Meta:
- Technical information: IP address, browser type, operating system, device type
- URLs visited and timestamps
- Interactions on the website (page views, clicks, products added to cart, purchases)
- HTTP referrer (previous website)
- Cookie data and device IDs
- For logged-in Facebook users: Assignment to your Facebook profile
The Meta Pixel sets cookies (see Section 5.3: _fbp, fr) that enable recognition of your browser on subsequent visits.
7a.2 Uses of the Meta Pixel
We use the Meta Pixel for the following purposes:
Conversion tracking: Measuring the effectiveness of our Facebook and Instagram advertising campaigns by capturing conversions (e.g., purchases, registrations)
Custom Audiences: Creating audiences based on website visitors for targeted advertising on Facebook and Instagram
Remarketing: Displaying personalized advertising to people who have already visited our website
Lookalike Audiences: Creating audiences similar to our existing customers
Optimization of advertising campaigns: Automatic optimization of ad delivery to people most likely to perform the desired action
7a.3 Legal Basis
For customers in the EU/EEA: The legal basis is Article 6(1)(a) GDPR (consent). Processing only occurs if you have given your consent via our cookie banner.
For customers in Switzerland: The legal basis is consent under Swiss FADP.
7a.4 Data Transfer to Third Countries
Meta also processes the collected data on servers in the USA. Meta Platforms is certified under the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework. Further information: https://www.dataprivacyframework.gov/
Additionally, we have concluded standard contractual clauses with Meta pursuant to Article 46 GDPR.
7a.5 Storage Duration
Meta stores the data collected via the pixel for varying periods:
- Event data (e.g., page views, purchases): 90 days
- Custom Audiences: Up to 180 days after last activity or until deleted by us
- Cookies: Up to 90 days (cookie _fbp)
7a.6 Right to Object and Opt-Out Options
You have several options to prevent data collection by the Meta Pixel:
1. Cookie banner: Reject marketing cookies in our cookie banner or revoke your consent.
2. Facebook settings: If you have a Facebook account, you can disable personalized advertising in your ad settings:
- Facebook: https://www.facebook.com/settings?tab=ads
- Instagram: Via the app under Settings → Ads
3. Browser settings: Block cookies from Meta in your browser settings or use browser add-ons like "Facebook Container" (Firefox).
4. Log out of Facebook: Log out of Facebook before visiting our website to prevent direct assignment to your profile.
Further information on the Meta Pixel and data protection:
- Meta Privacy Policy: https://www.facebook.com/privacy/explanation
- Meta Pixel Data Use: https://www.facebook.com/business/help/742478679120153
- Meta Cookie Policy: https://www.facebook.com/policies/cookies/
7b. Google Ads Conversion Tracking
We use Google Ads conversion tracking, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), to measure the effectiveness of our Google Ads advertising campaigns.
7b.1 Description and Scope of Data Processing
When you click on one of our Google ads, a conversion tracking cookie is stored on your device. These cookies expire after 30 days and are not used for personal identification.
If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognize that you clicked on the ad and were redirected to this page.
Data collected:
- Cookie ID
- Timestamp of click on the ad
- Pages visited on our website
- Actions performed (e.g., purchases, registrations)
- IP address (shortened)
- Technical information (browser, device, operating system)
Each Google Ads customer receives a different cookie. Cookies therefore cannot be tracked across the websites of Google Ads customers.
7b.2 Purpose of Use
The information obtained using the conversion cookie is used to:
- Create conversion statistics (e.g., how many users make a purchase after clicking an ad)
- Measure the success of our advertising campaigns
- Optimize our advertising campaigns
- Calculate cost per conversion
7b.3 Legal Basis
For customers in the EU/EEA: The legal basis is Article 6(1)(a) GDPR (consent). Processing only occurs if you have given your consent via our cookie banner.
For customers in Switzerland: The legal basis is consent under Swiss FADP.
7b.4 Data Transfer to Third Countries
Google also processes your data on servers in the USA. Google LLC is certified under the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework. Further information: https://www.dataprivacyframework.gov/
7b.5 Storage Duration
Conversion cookies have a storage duration of 30 days. Conversion statistics are stored by Google for varying periods, typically 90 days.
7b.6 Right to Object and Opt-Out Options
You can prevent participation in conversion tracking in various ways:
1. Cookie banner: Reject marketing cookies in our cookie banner or revoke your consent.
2. Browser settings: Set your browser to block cookies from the domain "googleadservices.com".
3. Google Ads settings: Disable personalized advertising in your Google account settings: https://adssettings.google.com/
4. Browser plugin: Install the Google Analytics Opt-out Browser Add-on: http://tools.google.com/dlpage/gaoptout
5. Additional opt-out options:
- Digital Advertising Alliance: http://www.aboutads.info/choices/
- Network Advertising Initiative: http://www.networkadvertising.org/choices/
Further information on Google Ads and data protection:
- Google Ads Privacy Policy: https://policies.google.com/privacy
- Google Ads Conversion Tracking: https://support.google.com/google-ads/answer/1722022
8. Shopify E-Commerce Platform
Our website is hosted on the Shopify e-commerce platform. The provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (or if you are resident in North America, Shopify Inc., 151 O'Connor Street, Ground floor, Ottawa, Ontario, K2P 2L8, Canada).
8.1 Scope of Data Processing
Shopify processes the following data to provide the e-commerce infrastructure:
- Order data (products, quantities, prices)
- Customer data (name, address, email, phone number)
- Payment information (however, not permanently stored by us)
- Technical data (IP address, browser, device)
- Usage behavior (pages visited, clicks, time spent)
8.2 Legal Basis and Purpose
Legal basis: Performance of contract (Article 6(1)(b) GDPR or contractual necessity under FADP) and legitimate interest (Article 6(1)(f) GDPR or legitimate interest under FADP) in reliable hosting and e-commerce infrastructure
Purpose: Provision of the online shop, processing of orders, payment processing, shipping processing, customer support
8.3 Shopify Analytics
Shopify automatically collects analytics data about the use of our shop:
- Number of visitors and page views
- Time spent and bounce rates
- Conversions and cart abandonments
- Product views and purchases
- Geographic origin of visitors
This data is used to optimize our shop offerings and improve user experience.
Legal basis: Legitimate interest in shop optimization (Article 6(1)(f) GDPR or FADP)
8.4 Storage Duration
Shopify stores your data as long as you have a customer account with us or we are legally obligated to retain it (e.g., tax retention periods of up to 10 years).
8.5 Data Transfer Abroad
Shopify processes data on servers in Canada and the USA. Shopify is certified under the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework and has concluded standard contractual clauses with us.
Further information on data protection at Shopify can be found at: https://www.shopify.com/legal/privacy
9. Payment Service Providers
9.1 PayPal
On our website, we offer payment via PayPal. The provider is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
If you pay with PayPal, your entered payment data is transmitted to PayPal. The data transfer to PayPal is based on contractual necessity (Article 6(1)(b) GDPR or FADP) and only to the extent necessary for payment processing.
PayPal may also transfer data to the USA. PayPal is certified under the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework.
Further information on data processing by PayPal can be found in PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
9.2 Shopify Payments
We use Shopify Payments as an additional payment service provider. Shopify Payments is provided by Shopify International Limited or Shopify Inc. and works with various payment service providers (e.g., Stripe).
When paying via Shopify Payments, your payment data is transmitted encrypted via a secure connection. We do not store credit card data ourselves. Payment data is transmitted directly to the payment service providers and processed there.
Legal basis: Performance of contract (Article 6(1)(b) GDPR or contractual necessity under FADP)
Purpose: Secure processing of online payments
Data transfer: Shopify Payments may transfer data to the USA and Canada. Shopify is certified under the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework.
Further information: https://www.shopify.com/legal/privacy
10. Shipping Service Providers
To process shipping, we pass your data on to the following shipping service providers:
10.1 DHL (Deutsche Post DHL Group)
Provider: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany
Data transmitted: Name, delivery address, phone number (optional), email address (for shipment tracking), package contents (product description)
Legal basis: Performance of contract (Article 6(1)(b) GDPR or FADP)
Purpose: Delivery of ordered goods
Storage duration: According to statutory retention periods in transport law
Privacy notices: https://www.dhl.de/de/privatkunden/information/datenschutz.html
10.2 DPD (DPD Deutschland GmbH)
Provider: DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany
Data transmitted: Name, delivery address, phone number (optional), email address (for shipment tracking)
Legal basis: Performance of contract (Article 6(1)(b) GDPR or FADP)
Purpose: Delivery of ordered goods
Privacy notices: https://www.dpd.com/de/de/datenschutzerklaerung/
10.3 Swiss Post
Provider: Swiss Post Ltd, Wankdorfallee 4, 3030 Bern, Switzerland
Data transmitted: Name, delivery address, phone number (optional), email address (optional)
Legal basis: Performance of contract (Article 6(1)(b) GDPR or FADP)
Purpose: Delivery of ordered goods
Privacy notices: https://www.post.ch/de/pages/footer/datenschutz
11. Newsletter
11.1 Description and Scope of Data Processing
You have the option to subscribe to our newsletter via our website. The newsletter is sent via Shopify. For this purpose, the following data is transmitted to us during registration:
- Email address (mandatory)
- IP address of the accessing computer
- Date and time of registration
During the registration process, your consent to process the data is obtained and reference is made to this Privacy Policy.
After registration, you will receive an email to confirm your registration (double opt-in procedure). Only after confirmation by clicking the link in this email will you be added to the newsletter distribution list.
11.2 Legal Basis and Purpose of Data Processing
The legal basis for processing data after newsletter registration by the user is consent (Article 6(1)(a) GDPR or FADP) when consent has been given.
The collection of the email address serves to deliver the newsletter. The collection of the IP address and time of registration serves to be able to trace possible misuse of a data subject's email address at a later date and serves as evidence of the consent given.
11.3 Storage Duration
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. The user's email address is therefore stored as long as the newsletter subscription is active.
11.4 Right to Object and Removal
The newsletter subscription can be canceled by the affected user at any time. For this purpose, there is a corresponding link in each newsletter. This also enables revocation of consent to storage of personal data collected during the registration process.
12. Identity and Credit Check for Payment Method Invoice
12.1 CRIF AG in Zurich (for customers residing in Switzerland)
During the order process, you will be asked to consent to the transmission of data necessary for processing payment and conducting an identity and credit check to CRIF AG in Zurich. If you give your consent, your data (first and last name, street, house number, postal code, city, date of birth, phone number) will be transmitted to CRIF AG in Zurich.
We point out that payment experiences, particularly regarding undisputed and unpaid claims after the due date, as well as debt collection information and address data may be transmitted to CRIF AG in Zurich for lawful use as a credit reference agency.
CRIF will use the data to verify your identity and creditworthiness and disclose it to authorized third parties. Payment experiences may be analyzed by CRIF based on mathematical-statistical calculation methods for automated decision-making, particularly for assessing a person's creditworthiness.
Legal basis: The transmission is based on consent (Article 6(1)(a) GDPR or FADP), contractual necessity (Article 6(1)(b) GDPR or FADP), and legitimate interest (Article 6(1)(f) GDPR or FADP) in avoiding payment defaults.
12.2 Automated Decision-Making and Your Rights
The decision on granting the payment method "purchase on invoice" is partly based on automated individual decision-making pursuant to Article 22 GDPR. This automated decision is based on a scoring procedure conducted by CRIF, in which your credit data is evaluated using mathematical-statistical methods.
Criteria of automated decision: The scoring includes, among other things:
- Previous payment experiences (timely or late payments)
- Outstanding or unpaid claims
- Negative entries at credit agencies and debt collection registers
- Address stability and residence history
- Age and completeness of provided data
Legal basis of automated decision: The automated decision is permissible pursuant to Article 22(2)(a) GDPR as it is necessary for entering into the contract for the payment method "purchase on invoice". Additionally, we obtain your express consent pursuant to Article 22(2)(c) GDPR.
Your special rights in case of automated decisions pursuant to Article 22(3) GDPR:
- Right to obtain human intervention: You have the right to request manual review of the automated decision by an employee.
- Right to express your point of view: You can communicate your perspective and additional information to us that should be considered in the re-examination.
- Right to contest the decision: You can contest the automated decision and request a re-evaluation.
How to exercise these rights: If you are affected by an automated rejection of purchase on invoice and wish manual review, please contact us at:
Email: dataprotection@vision.ch
Phone: +41 44 560 94 30
We will manually review your case within 14 days and inform you of the result. You may submit additional information about your creditworthiness (e.g., proof of income, bank statements).
12.3 Further Information
More detailed information can be found at: www.mycrifdata.ch/#/dsg
Right to object: You can object to data transmission to CRIF at any time. In this case, however, the payment method "purchase on invoice" will not be available to you.
13. Registration and Customer Account
13.1 Description and Scope of Data Processing
You have the option to register on our website and create a customer account. The following data is collected:
- Email address (mandatory)
- Password (stored encrypted)
- Title, first and last name
- Address (billing address, optional delivery address)
- Phone number (optional)
- Date of birth (optional, for credit check)
- IP address and time of registration
During the registration process, your consent to process this data is obtained.
13.2 Legal Basis and Purpose of Data Processing
Where consent has been given, the legal basis for processing the data is consent (Article 6(1)(a) GDPR or FADP). If registration serves to fulfill a contract or carry out pre-contractual measures, an additional legal basis is contractual necessity (Article 6(1)(b) GDPR or FADP).
Registration is necessary for providing certain content and services on our website. A customer account enables you in particular to:
- Place orders without re-entering your data
- View your order history
- Manage your address data
- Save your settings
13.3 Storage Duration
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. This is the case when you delete your customer account. Storage beyond this may occur if we are legally obligated to retain the data (e.g., commercial or tax retention periods of up to 10 years for order data).
13.4 Right to Object and Removal
You have the option at any time to delete your customer account. Contact us at the provided contact details or use the account deletion function in your customer area.
13a. Order Processing and Contract Performance
13a.1 Description and Scope of Data Processing
When purchasing products in our online shop, the following personal data is collected and processed as part of order processing:
Mandatory information:
- Title, first and last name
- Billing address (street, house number, postal code, city, country)
- Email address
- Order data (ordered products, quantities, prices, order number, order date)
Optional information:
- Different delivery address
- Phone number
- Date of birth (when choosing payment method "purchase on invoice" for credit check)
- Company data (for commercial orders)
Automatically captured data:
- IP address
- Date and time of order
- Payment information (however, not permanently stored by us but transmitted directly to payment service providers)
The data is required to process your purchase contract. Without this data, we cannot process and execute your order.
13a.2 Legal Basis of Data Processing
For customers in the EU/EEA: The legal basis for processing data as part of order processing is Article 6(1)(b) GDPR (performance of contract).
For customers in Switzerland: The legal basis is contractual necessity under Swiss FADP.
For processing data for credit checks, legitimate interest in avoiding payment defaults as well as your consent serve as additional legal bases.
13a.3 Data Disclosure
Your order data is passed on to the following recipients insofar as this is necessary for contract performance:
- Shipping service providers (DHL, DPD, Swiss Post): Name, delivery address, phone number (optional), email address (for shipment tracking)
- Payment service providers (PayPal, Shopify Payments): Name, billing address, email address, payment information
- Credit agencies (CRIF): When choosing payment method "purchase on invoice", your data is transmitted for credit check (see Section 12)
- Shopify (e-commerce platform): All order data for technical processing (see Section 8)
Disclosure to other third parties does not occur unless we are legally obligated to do so (e.g., to tax authorities) or you have expressly consented.
13a.4 Storage Duration
Your order data is stored for the duration of contract processing. After completion of the contract, the data is stored for the duration of statutory retention periods:
Swiss law:
- Code of Obligations (CO) Article 958f: 10 years for account books and accounting documents
- VAT Act (VATA) Article 70: 10 years for tax-relevant documents
For sales to the EU/Germany/Austria additionally:
- Commercial and tax retention obligations of 7-10 years depending on the country
After expiry of these periods, the data is deleted unless you have consented to storage beyond this or we are obligated to longer storage for legal reasons.
13a.5 Right to Object and Removal
The collection and processing of data is mandatory for fulfilling the purchase contract. Without this data, we cannot process your order. An objection to data processing as part of contract performance is therefore not possible as long as the contractual relationship exists.
After expiry of statutory retention periods, you can request deletion of your order data at any time.
14. Contact Form and Email Contact
14.1 Description and Scope of Data Processing
A contact form is available on our website that can be used for electronic contact. If a user makes use of this option, the data entered in the input mask is transmitted to us and stored. This data typically includes:
- Name
- Email address
- Subject
- Message
- IP address and time of submission
Alternatively, contact is possible via the provided email address. In this case, the user's personal data transmitted with the email is stored.
In this context, no disclosure of data to third parties takes place. The data is used exclusively for processing the conversation.
14.2 Legal Basis and Purpose of Data Processing
Where consent has been given, the legal basis for processing the data is consent (Article 6(1)(a) GDPR or FADP). The legal basis for processing data transmitted in the course of sending an email is legitimate interest (Article 6(1)(f) GDPR or FADP). If the email contact aims at concluding a contract, an additional legal basis is contractual necessity (Article 6(1)(b) GDPR or FADP).
We process the personal data solely to handle the contact. In the case of contact via email, this also constitutes the necessary legitimate interest in processing the data.
14.3 Storage Duration
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. For personal data from the contact form input mask and that sent via email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
Storage beyond this may occur if statutory retention periods exist.
14.4 Right to Object and Removal
The user has the option at any time to revoke consent to process personal data. If the user contacts us via email, they can object to storage of their personal data at any time. In such a case, the conversation cannot continue. Please contact us at the provided contact details.
All personal data stored in connection with making contact will be deleted in this case, provided no statutory retention periods prevent this.
15. Product Reviews
If you submit a product review on our website, the following data is stored:
- Your name or pseudonym (as provided by you)
- Email address (not published)
- Review text
- Star rating
- Date of review
- IP address (for abuse prevention)
Legal basis: Consent (Article 6(1)(a) GDPR or FADP) and legitimate interest (Article 6(1)(f) GDPR or FADP) in genuine customer reviews
Purpose: Publication of customer opinions, improvement of product quality, building trust
Storage duration: Reviews are stored permanently until you request deletion or we must remove the review for legal reasons.
15a. IMPORTANT: Your Right to Object
You have the right to object to the processing of your personal data at any time!
For customers in the EU/EEA pursuant to Article 21 GDPR:
- Objection to direct marketing: If your data is processed for advertising purposes, you can object at any time without giving reasons. After your objection, we will no longer use your data for advertising purposes.
- Objection to processing based on legitimate interest: If processing is based on Article 6(1)(f) GDPR (legitimate interest), you can object for reasons arising from your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds.
For customers in Switzerland pursuant to Swiss FADP:
You have the right to object to processing of your data, particularly if it is based on an overriding interest. We will comply with your objection unless overriding legitimate grounds or legal obligations require continued processing.
How to object:
Email: dataprotection@vision.ch
Phone: +41 44 560 94 30
In writing: Vision Consulting AG, Compliance, Bächausstrasse 61, CH-8806 Bäch SZ, Switzerland
To object to newsletters: Click the unsubscribe link in each newsletter.
To object to cookies and tracking: Adjust your settings in the cookie banner or use browser settings.
16. Rights of the Data Subject
If your personal data is processed, you have the following rights:
16.1 Right of Access
You can request confirmation from us as to whether personal data concerning you is being processed by us. If such processing is taking place, you can request information from us about the following:
- the purposes for which the personal data is processed
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed
- the planned duration of storage of personal data concerning you
- the existence of a right to rectification or erasure of personal data concerning you
- the existence of a right to restriction of processing or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- all available information about the origin of the data if the personal data is not collected from the data subject
- the existence of automated decision-making including profiling and meaningful information about the logic involved as well as the significance and intended consequences of such processing for the data subject
16.2 Right to Rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is inaccurate or incomplete.
16.3 Right to Restriction of Processing
Under certain conditions, you can request restriction of processing of personal data concerning you.
16.4 Right to Erasure
You can request the controller to erase personal data concerning you without undue delay if one of the statutory grounds applies and insofar as processing is not necessary.
16.5 Right to Notification
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate this rectification or erasure of data or restriction of processing to all recipients to whom personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort.
16.6 Right to Data Portability
You have the right to receive personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance, provided processing is based on consent or a contract and is carried out by automated means.
16.7 Right to Object
You have the right to object at any time, for reasons arising from your particular situation, to processing of personal data concerning you that is based on legitimate interest.
The controller will no longer process personal data concerning you unless they can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for the purpose of such advertising.
16.8 Right to Withdraw Consent
You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
16.9 Right to Lodge a Complaint with a Supervisory Authority
For customers in the EU/EEA:
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that processing of personal data concerning you infringes the GDPR.
For customers in Switzerland:
You have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC):
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern
Switzerland
Phone: +41 58 462 43 95
Email: info@edoeb.admin.ch
Website: https://www.edoeb.admin.ch/
17. Data Security
We use the widespread SSL (Secure Sockets Layer) procedure in conjunction with the highest level of encryption supported by your browser when you visit our website. Typically, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can recognize whether an individual page of our website is transmitted in encrypted form by the closed key or lock symbol displayed in the lower status bar of your browser.
We also employ suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in accordance with technological developments.
18. Currency and Amendment of this Privacy Policy
This Privacy Policy is currently valid and dated October 2025.
Due to the further development of our website and offerings thereon or due to changed legal or regulatory requirements, it may become necessary to amend this Privacy Policy. The current Privacy Policy can be accessed and printed by you at any time on the website at https://www.canvarto.ch/pages/privacy.