Online Privacy Statement of Swisscard AECS GmbH
Last update: March 2024
1. What is this Privacy Statement about?
In this Privacy Policy, Swisscard AECS GmbH ("Swisscard" or "we"), describes how we process your data in connection with the use of
- of our websites, including www.americanexpress.ch, www.swisscard.ch, www.scard.ch and other websites that refer to this Privacy Policy, and
- our apps
(collectively referred to hereinafter as the "Website").
That concerns all users of the Website even if they are not Swisscard customers.
Our further Privacy Statements are provided on our website (www.swisscard.ch/dataprotection). If you have any questions, please do not hesitate to contact us (Section 2).
All references to persons in this document are meant to cover all genders.
2. Who is responsible for processing your data?
Swisscard is the data controller responsible for data processing under this Privacy Policy. This means that it is mainly in charge of the compliance of data protection. If you wish to contact us in this regard, please write to the following address:
Swisscard AECS GmbH
Data Protection Office
Neugasse 18
P.O. Box
8810 Horgen, Switzerland
E-mail: datenschutz@swisscard.ch
3. What data do we process?
We process various data from multiple sources, particularly the following data:
- Technical data: When you use our Website, we collect your IP address and other technical data for technical reasons and to ensure the performance and security of our Website. This also includes logs in which the use of our Website is recorded and data in connection with the devices you use (e.g. information on the device manufacturer and type, the operating system or a device ID). To ensure the proper performance of the Website, we may also assign an individual code to you or your system (e.g. in the form of a cookie, see Section 8). This code is stored for the predetermined time and will often only remain in place for the duration of your visit. The technical data does not in itself allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations or the processing of contracts, the data may be linked to other data categories (and thus possibly to your person).
- Registration data: To use certain offers (e.g. competitions) and services (e.g. rewards shop), you must create a user account or register. To do so, you have to give us certain information about you that is generally personal in nature.
- Communication data: When you contact us by email or by other means of communication, we will collect the information exchanged, your contact details and the peripheral data of the communication (e.g. time).
- Behavioural and preference data: Depending on our relationship with you, we try to get to know you better and to better tailor our products and services to you. To that end, we collect and use data about your behaviour (e.g., your use of the Website). We analyse such behavioural data and may supplement it with other information from us (e.g., where and when you make use of our services) and with information from third parties. On that basis we may, for example, estimate the probability that you will behave in a certain way or have certain interests.
You provide us with much of this data yourself (via forms, communication with us, contracts, or through use of the Website). As a rule, you are not obliged to do so. If you enter into contracts with us or use our services, however, you must provide us with certain data as part of your contractual obligations, in particular contact and registration data. In addition, technical data accumulates during use of our Website.
4. For what purposes do we process your data?
We process the data mentioned in Section 3 for the following and compatible purposes:
- in order to communicate with you and to contact you in the event of queries or for the purpose of making enquiries. For this purpose we will particularly use communication data and registration data. We also store the data in order to be able to document our communications with you, as well as in some cases for training purposes, for quality assurance and for subsequent enquiries;
- for the establishment, administration and processing of contractual relationships, where use of the Website is connected with a contract;
- to comply with laws, directives and recommendations of authorities and internal regulations (compliance);
- for purposes of market research, marketing and relationship management. For example, we will provide you with information, advertising and product offerings from Swisscard and from third parties (e.g. insurance companies), as printed matter, electronically or by telephone. Moreover, like most companies, we personalize the content of our Website (but not of our apps). We therefore collect data on preferences as the basis for these personalisations (see Section 3);
- to improve our services and for product development purposes. For example, we analyse which online offers are used by which groups of people and how.
- to ensure appropriate IT security. Such processing includes, for example, analyses, tests, error checks and backup copies;
- for other purposes such as, for instance, training and education purposes, internal processes and administrative purposes (e.g. management of data, accounting and record-keeping), enforcement of our rights and defence against claims (e.g. by securing evidence, legal assessments and participating in court or administrative proceedings), and preparing and processing purchases and sales of companies and assets as well as safeguarding other legitimate interests.
- To the extent that we ask for your consent for certain types of processing, we will inform you separately of the relevant purposes of the processing. You may revoke your consent at any time with future effect by giving us written notice thereof.
We base the processing of your personal data on the fact that it is necessary for the initiation or execution of a contract, that it is required or permitted by law, that it is necessary for legitimate interests on our part or those of third parties (e.g. processing for administrative and security-related purposes and for purposes of market research, marketing and improvement of our services and product development) or that you have separately consented to the processing (for more information, see Section 8).
You may object to the processing for marketing purposes at any time by notifying us, including for individual communication channels (e.g. only advertising via e-mail) or for individual advertising campaigns or newsletters. This does not apply to automatically generated messages that cannot be individually adjusted. Further information about your rights can be found in Section 11.
5. What are the rules on profiling?
We can process and evaluate your data automatically in accordance with Section 3 for the purposes mentioned in Section 4 and thereby collect further information, such as preference data. For more information, see Section 3. Such evaluations also include what is known as profiling, i.e. automated data evaluations for analytical and forecasting purposes. The most important examples are profiling for risk management, customer care and marketing purposes.
6. Whom do we disclose your data to?
We may also disclose your personal data to third parties for the purposes mentioned in Section 4.
This Section 6 explains the most frequent cases of data disclosure, indicating in each case which data may be disclosed. Further information can be found in Sections 3 and 4.
- Service providers: We work with service providers in Switzerland and abroad (e.g. for IT services, including the service providers mentioned in Section 8) and provide them with the data required for their services. These service providers are subject to contractual and/or statutory confidentiality and data protection obligations.
- Other disclosures: Data may also be disclosed to other recipients, e.g. to courts and government agencies in the context of proceedings and statutory duties of disclosure and cooperation, to purchasers of companies and assets, to financing companies in case of securitisations and to debt collection companies.
If data is transmitted via open networks (e.g. Internet or mobile networks), the transmission may involve several participants (e.g. network operators, operators of operating systems) who may create a traffic profile and thus track when you contacted whom. It cannot be ruled out that third parties may access and also use transmitted data unlawfully. Sensitive data such as means of identification (especially card number, expiration date, card security code and PIN) should therefore never be transmitted by e-mail. As a cardholder, please note the due diligence obligations under the general terms and conditions applicable to the card product in question as well as any additional product and service conditions. Moreover, even in the case of encrypted transmission, the names of the sender and recipient remain identifiable for the participants in the transmission. Third parties (in the event that apps and online platforms are used this may, for example, include Google or Apple) may be able to draw conclusions about existing or future business relationships. When using or installing an app or online platform, third parties (e.g. Apple or Google) may infer the existence of a customer relationship with Swisscard and certain content.
The aforementioned disclosures in Switzerland and abroad (see Section 7) are necessary for legal or operational reasons.
7. When do we disclose personal data to foreign countries?
As explained in Section 6, your personal data is processed not only by us but also by other entities, e.g. IT service providers. These may be located outside of Switzerland. Your data may also be transferred abroad and processed worldwide, including outside the EU or the European Economic Area. The laws of many third countries such as the USA do not currently guarantee a level of data protection complying with Swiss law. We therefore take contractual precautions to contractually compensate for the weaker statutory protection, unless disclosure is otherwise permitted by data protection law on a case-by-case basis (e.g. if you have expressly consented to disclosure, if disclosure is directly related to the formation or performance of the contract or is necessary in order to ascertain, exercise or enforce legal claims before a foreign court or foreign authority). These precautions particularly include standard contractual clauses issued or recognised by the European Commission and the Swiss Data Protection and Information Commissioner (FDPIC). For further information and a copy of these clauses, see: https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland.html
Please also note that data exchanged over the Internet is often transmitted via third countries. Your data may therefore be transferred abroad even if the sender and recipient are located in the same country.
8. What online tracking and online advertising techniques do we use?
We use various techniques on our Website (but not currently on our apps) that enable us and third parties brought in by us to recognise certain visitors when they revisit our Website (including over multiple visits). Please refer to this Section for further information.
We want to be able to distinguish between access by you (via your system) and access by other users, and thus ensure the functionality of the Website and be able to carry out analyses and controls. The reason we do so is not to draw conclusions about your identity, not even when we could identify you through a combination with registration data. Even without registration data, however, you are recognised as an individual user each time you access the site, for example by our server (or the servers of third parties) assigning you or your browser a unique identifier (known as a “cookie”).
Cookies and their purpose on our Websites
Cookies are small files that are stored on your device in order to track your visit to the Website and your preferences when you navigate between various pages and sometimes in order to store settings in between your visits. The statistical data collected via cookies help us to make the Website more useful and user-friendly.
In addition to cookies, other techniques may be used to recognise you to a greater or lesser degree (i.e. to distinguish you from other users); one example is "fingerprinting”: by combining information about your IP address, the browser you use and your system settings such as the screen resolution (this information is communicated by your system to any server on request), individual users can be more or less reliably distinguished from other users. In the following, when we only refer to “cookies” we also mean comparable techniques. We use cookies for the following:
- Recording the number and type of visits on the Website and its sub-pages so that we can determine whether and what parts of the Website must be improved;
- Displaying personalised content on this Website (see the personalisation service Adtelligence below);
- Displaying advertisements on third-party websites (remarketing);
- Displaying personalised advertisements and offers;
- Storing of settings in between your visits;
- Collecting statistical data on the number of visitors and their usage habits and to improve the speed and performance of the Website pages.
One of the cookies used primarily essentially serves the purpose of operating parts of the Website and has already been set. Not all parts of this Website will function without this cookie.
Cookies of third parties and partners on our Websites
We use third-party services in order to receive statistical analyses and to improve user experience and our online advertising campaigns. To that purpose, we may integrate components from third-party providers that also use cookies into the Website. But neither such third parties nor Swisscard have access to the data collected by the respective other party through the use of cookies.
We also use cookies for advertisements of Swisscard and its partners when you visit websites of third parties with whom we have a marketing relationship.
Third parties may collect anonymised information regarding your use of our and other websites and make such anonymised data available to us, including geographical details, your user behaviour on a website or the names of websites on which you were shown advertisements.
We use this information in order to display more relevant and useful advertisements and to improve the effectiveness of our advertising measures.
Deleting cookies
You can decide against using cookies at any time by deleting the cookies that were set by the Website and by blocking any other cookies. This is possible using the settings in your Internet browser. However, not all parts of this Website will function without cookies.
Analysis technologies on our Websites
On this Website, we use IP anonymisation in order to capture only anonymised IP addresses (“IP masking”).
Piano Analytics
This Website uses Piano Analytics, a service of the Piano Software Group headquartered in Amsterdam. With Piano Analytics, we collect data about your visit and use of the Website. Piano Analytics uses "fingerprinting" (for more information, see above).
Matomo
For tracking and control of tag management of the visitor actions, we use the open-source software Matomo (formerly “Piwik”). Adtelligence also uses Matomo; please find further information on this below.
Marketing services on our Websites
Google DoubleClick
This Website uses DoubleClick Digital Marketing Platform, a web analysis service from Google. DoubleClick sets cookies when you look at an advertisement or click on an advertising banner from Us that is located on a partner website. This allows us to display more relevant banners. We can also use cookies to record data about how your browser interacts with a banner. It also records whether you have looked at an advertisement, clicked on it, and whether this resulted in registration with Us. These data are collected and stored in anonymized form. If you do not wish for this information to be collected, you can disable their use in the Privacy settings of this Website.
Google Adwords
To improve the Website and its advertising activities, this Website uses Google's online advertising program "Google Adwords” and, in that environment, conversion tracking. The cookie for conversion tracking is set when a user clicks on an advertisement placed by Google. Such cookies are not used for personal identification. If the user visits certain pages of this Website, we and Google can detect that the user has clicked on the advertisement and was forwarded to the page in question. Each Google AdWords customer receives a different cookie. Therefore, cookies cannot be tracked across the websites of AdWords customers. We can use the data collected through conversion cookies to create conversion statistics for AdWords customers. However, these customers do not receive any information that allows the user to be personally identified.
Facebook Pixel
This Website uses the Facebook-Pixel of Facebook for statistical purposes. This lets us understand how our marketing measures are received on Facebook and how they can be improved. You can disable this function in the Website’s Privacy settings.
Marketing services customise Privacy settings
Personalisation Service
On our Website we use the software Adtelligence from ADTELLIGENCE GmbH, www.adtelligence.com. This allows us to personalise our Website to specific target groups. To do so, the data of Website visitors is collected and assigned to specific target groups by means of cookies and tracking-pixel. The target-group-specific characteristics are recorded by Adtelligence and transmitted to the system in anonymised form and stored in Germany. On this basis, pages or content displayed to you are managed so as to show you personalised, relevant website content.
9. How do we appear on social networks?
We have our own presence on social networks and other platforms (e.g. on Facebook, Instagram, LinkedIn, Pinterest and YouTube). When you communicate with us there or share or comment on content, we collect related information, particularly your User ID, communication content and information about the communication. The platforms may collect further data, e.g. log data, information about your use of our presences (e.g. what content you display, what you comment on, “like” or share, etc.), information about your age and gender and other information, such as location data. What data that is specifically depends on the design of the platform and information that you make known through your own user account and your use of the platform. On that basis, such platforms can create profiles and statistics on the user of the presences. The platforms use such information to personalize advertising and content, for market and user research, and to provide us and third parties with statistical user data. They also collect and use corresponding data for their own purposes, in some cases together with further data known to them, e.g. for marketing purposes or personalization of their own content.
We process the data that we receive via our presences on platforms for the purposes described in Section 4, especially for communications, for marketing purposes and for market research. Content posted by you (e.g., comments on public profiles and contributions) may be shared by us (e.g., in our advertising on the platform or elsewhere), and we and the provider may delete content for justifiable reasons.
Further information about processing by the platform operators (e.g., the countries in which the data will be disclosed or what rights you have as a data subject) may be found in the privacy policies of the providers.
10. How long do we store your data?
We store your data for as long as required by applicable statutory requirements or by the purpose of its processing. The duration of storage is therefore based on statutory retention obligations and the processing purposes (see Section 4), which also include safeguarding our legitimate interests.
11. What are your rights?
Data protection law gives you specific rights to monitor and control your personal data:
- You have the right to request certain information about your personal data and our processing of your personal data and to demand a copy of that personal data (right of access).
- You have various other rights that help you control the processing of your personal data by us. In particular, you may require us to correct or supplement inaccurate or incomplete data, to restrict processing for specific purposes (e.g. by objecting to marketing or by revoking a specific consent, whereby the legality of the processing performed on the basis of the consent until revocation will not be affected) or to delete such data. In the case of certain data, you also have the right to require us to make such data available in machine-readable format.
Please note that these rights are subject to statutory requirements and limitations and are therefore not available in their entirety in every case.
If you wish to exercise any rights against us, please contact us in writing (by letter post, see Section 2) and attach a legible copy of your identification document.