Data Protection

With this privacy policy we inform you about which personal data we process in connection with our activities and operations, including our www.helloallegra.com website. In particular, we inform you about what, how and where we process which personal data. We also inform you about the rights of people whose data we process. For individual or additional activities and operations, additional privacy policies and other legal documents such as general terms and conditions (GTC), terms of use or conditions of participation may apply.
We are subject to Swiss data protection law and any applicable foreign data protection law, in particular that of the European Union (EU) with the European
General Data Protection Regulation (GDPR). The European Commission recognised in its decision of 26 July 2000 that Swiss data protection law ensures adequate data protection. With a report of
On 15 January 2024, the European Commission confirmed this adequacy decision.


1. Contact addresses
Responsibility for the processing of personal data:
ALLEGRA International 
Via Planet 7, 7504 Pontresina, Switzerland
info@helloallegra.com.
In individual cases, there may be other persons responsible for the processing of personal data or a joint responsibility with at least one other responsible person.

1.1 Data protection officer or data protection consultant
We have the following data protection officer or data protection consultant as a contact point for data subjects and authorities for inquiries related to data protection:
1 Data Protection Officer
Via Planet 7
7504 Pontresina
SWITZERLAND
info@helloallegra.com
1.2 Data protection representation in the European Economic Area (EEA)
We have the following data protection representative in accordance with Art. 27 GDPR:

VGS Data Protection Partner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
info@datenschutzpartner.eu
The data protection representation serves as an additional contact point for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.

2. Terms and legal bases
2.1 Terms
Personal data is all information relating to an identified or identifiable natural person. Personal data that is particularly worthy of protection includes data on trade union, political, religious or ideological views and activities, data on health, privacy or ethnic or racial affiliation, genetic data, biometric data that uniquely identify a natural person, data on criminal and administrative sanctions or persecutions, and data on social assistance measures. Processing includes any handling of personal data, regardless of the means and procedures used, for example querying, comparing, adapting, archiving, storing, reading, disclosing, obtaining, collecting, collecting, deleting, disclosing, organizing,

2 Organizing, storing, modifying, distributing, linking, destroying and using personal data. A data subject is a natural person about whom we process personal data. The European Economic Area (EEA) comprises the member states of the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) describes the processing of personal data as processing of personal data and the processing of particularly sensitive personal data as processing of special categories of personal data (Article 9 GDPR).

2.2 Legal basis
We process personal data in accordance with Swiss data protection law such as
in particular the Federal Data Protection Act (Data Protection Act, DSG) and the Data Protection Ordinance (Data Protection Ordinance, DSV). We process – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data in accordance with at least one of the following legal bases:
• Art. 6 Para. 1 lit. b GDPR for the necessary processing of personal data to fulfill a contract with the data subject and to carry out pre-contractual measures.
• Art. 6 Para. 1 lit. f GDPR for the necessary processing of personal data in order to protect the legitimate interests of us or third parties, unless the fundamental freedoms and fundamental rights and interests of the data subject prevail. Legitimate interests are in particular our interest in being able to carry out our activities and operations in a permanent, user-friendly, secure and reliable manner and to communicate about them, ensuring information security, protecting against misuse, enforcing our own legal claims and complying with Swiss law.
• Art. 6 Para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
• Art. 6 (1) (e) GDPR for the necessary processing of personal data to perform a task in the public interest.
• Art. 6 Para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data in order to carry out vital to protect the interests of the data subject or of another natural person.

3. Nature, scope and purpose
We process the personal data that is necessary to be able to carry out our activities and operations in a permanent, user-friendly, secure and reliable manner. Such personal data can fall into the categories of inventory and contact data, browser and device data, content data, meta or peripheral data and usage data, location data, sales data and contract and payment data. We process personal data for the period that is necessary for the respective purpose(s) or legally required. Personal data that no longer needs to be processed is anonymized or deleted. We can have personal data processed by third parties. We can process personal data jointly with third parties or transmit it to third parties. Such third parties are in particular specialized providers whose services we use. We guarantee
We also respect data protection with such third parties. We only process personal data with the consent of the data subjects. If and to the extent that processing is permitted for other legal reasons, we can refrain from obtaining consent. For example, we can process personal data without consent in order to fulfill a contract, to comply with legal obligations or to protect overriding interests.
We also process personal data that we receive from third parties, obtain from publicly accessible sources or collect in the course of our activities, provided and to the extent that such processing is permitted for legal reasons.

4. Communication
We process personal data in order to be able to communicate with third parties. In this context, we process in particular data that a data subject transmits when contacting us, for example by letter or email. We can store such data in an address book or with comparable tools. Third parties who transmit data about other people are obliged to respect data protection towards
such data subjects. To do this, the accuracy of the personal data transmitted must be ensured, among other things. We use selected services from suitable providers in order to be able to communicate better with third parties.
In particular, we use:
• bexio: Customer Relationship Management (CRM); Provider: bexio AG (Switzerland); Data protection information: Privacy Policy, «Cloud and data security», «Data security
– Definition and measures for companies».
• HubSpot: Customer Relationship Management (CRM); Providers: HubSpot Inc. (USA) / HubSpot Ireland Limited (Ireland) for users in the European Economic Area (EEA) and the United Kingdom; Data protection information: Privacy Policy, “Security, Data Protection and Control Mechanisms”, “Trust Center”.

5. Applications
We process personal data about applicants insofar as it is necessary to assess suitability for an employment relationship or for the subsequent implementation of an employment contract. The required personal data arise in particular from the information requested, for example in the context of a job advertisement. We can publish job advertisements with the help of suitable third parties, for example in electronic and print media or on job portals and job platforms. We also process personal data that applicants voluntarily provide or publish, in particular as part of cover letters, CVs and other application documents as well as online profiles. We process – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data about applicants in particular in accordance with Art. 9 Para. 2 lit. b GDPR.

6. Data security
We take suitable technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we guarantee in particular the confidentiality, availability, traceability and integrity of the personal data processed, but cannot guarantee absolute data security. Access to our website and our other online presence is via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated to HTTPS). Most browsers mark transport encryption with a small padlock in the address bar. Our digital communication - like all digital communication in principle - is subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA) and other countries. We have no direct influence on the corresponding processing of personal data by secret services, police departments and other security authorities. Nor can we rule out the possibility that individual data subjects will be specifically monitored.

7. Personal data abroad
We generally process personal data in Switzerland and the European Economic Area (EEA). However, we can also export or transfer personal data to other countries, in particular to process it or have it processed there. We can export personal data to all countries and territories on earth and elsewhere in the universe, provided that the law there ensures adequate data protection in accordance with a decision of the Swiss Federal Council and – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – adequate data protection in accordance with a decision of the European Commission. We can transfer personal data to countries whose law does not ensure adequate data protection, provided that data protection is guaranteed for other reasons, in particular on the basis of standard data protection clauses or with other suitable guarantees. In exceptional cases, we can export personal data to countries without adequate or suitable data protection if the special data protection requirements are met, for example the express consent of the data subjects or a direct connection with the conclusion or execution of a contract. We will be happy to provide data subjects with information about any guarantees or provide a copy of any guarantees upon request.

8. Rights of data subjects
8.1 Data protection claims 
We grant data subjects all rights under applicable data protection law.

In particular, data subjects have the following rights:
• Information: Data subjects can request information as to whether we process personal data about them and, if so, which personal data is involved. Data subjects will also receive the information required to assert their data protection claims and to ensure transparency. This includes the personal data processed as such, but also information on the purpose of processing, the duration of storage, any disclosure or export of data to other countries and the origin of the personal data.
• Correction and restriction: Data subjects can correct inaccurate personal data, complete incomplete data and restrict the processing of their data.
• Deletion and objection: Affected persons can have personal data deleted (“right to be forgotten”) and object to the processing of their data with effect for the future.
• Data release and data transfer: Data subjects can request the release of personal data or the transfer of their data to another responsible party. We can postpone, restrict or refuse the exercise of the rights of data subjects within the legally permissible framework. We can inform data subjects of any conditions that must be met in order to exercise their data protection claims. For example, we can refuse to provide information in whole or in part with reference to business secrets or the protection of other persons. For example, we can also refuse to delete personal data in whole or in part with reference to statutory retention periods. In exceptional cases, we can charge costs for exercising rights. We inform data subjects in advance of any costs. We are obliged to take appropriate measures to identify data subjects who request information or assert other rights. Data subjects are obliged to cooperate.

8.2 Legal protection
Affected persons have the right to enforce their data protection claims through legal means or to file a complaint with a competent data protection supervisory authority. The data protection supervisory authority for complaints from affected persons against private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). European data protection supervisory authorities for complaints from affected persons - if and to the extent that the General Data Protection Regulation (GDPR) is applicable - are organized as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are structured on a federal basis, particularly in Germany.


9. Use of the website

9.1 Cookies
We may use cookies. Cookies – our own cookies (first-party cookies) as well as cookies from third parties whose services we use (third-party cookies) – are data that is stored in the browser. Such stored data does not have to be limited to traditional cookies in text form. Cookies can be stored temporarily in the browser as "session cookies" or for a certain period of time as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage period. Cookies make it possible in particular to recognize a browser the next time you visit our website and thus, for example, to measure the reach of our website. Permanent cookies can also be used for online marketing, for example. Cookies can be deactivated or deleted in full or in part in the browser settings at any time. Without cookies, our website may no longer be fully available. We actively request your express consent to the use of cookies – at least if and to the extent necessary. For cookies that are used to measure success and reach or for advertising, a general objection ("opt-out") is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAd-Choices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

9.2 Logging
We can log at least the following information for each access to our website and our other online presence, provided that this is transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-page of our website accessed including the amount of data transferred, last website accessed in the same browser window (referrer). We log such information, which may also represent personal data, in log files. The information is required in order to be able to provide our online presence in a permanent, user-friendly and reliable manner. The information is also required in order to be able to guarantee data security - also by third parties or with the help of third parties.

9.3 Web beacons
We can integrate tracking pixels into our online presence. Tracking pixels are also known as web beacons. Tracking pixels - including those from third parties whose services we use - are usually small, invisible images or scripts formulated in JavaScript that are automatically called up when our online presence is accessed. Tracking pixels can record at least the same information as log files.

10. Notifications and communications
We send notifications and communications via email and other communication channels such as instant messaging or SMS.

10.1 Measuring success and reach
Notifications and messages can contain web links or tracking pixels that record whether an individual message has been opened and which web links have been clicked. Such web links and tracking pixels can also record the use of notifications and messages on a personal basis. We need this statistical recording of usage for success and reach measurement in order to be able to send notifications and messages based on the needs and reading habits of the recipients in an effective and user-friendly manner as well as permanently, securely and reliably.

10.2 Consent and objection
You must always consent to the use of your email address and other contact addresses, unless the use is permitted for other legal reasons. We can use the "double opt-in" procedure to obtain a double-confirmed consent. In this case, you will receive a message with instructions for the double confirmation. We can log consents obtained, including the IP address and time stamp, for evidential and security reasons. You can generally object to receiving notifications and messages such as newsletters at any time. With such an objection, you can also object to the statistical recording of usage for success and reach measurement. Required notifications and messages in connection with our activities and operations remain reserved.

10.3 Notification and communication service providers: We send notifications and communications with the help of specialized service providers.

11. Social-Media
We are present on social media platforms and other online platforms in order to communicate with interested parties and to inform them about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

10 The general terms and conditions (GTC) and terms of use as well as data protection declarations and other provisions of the individual operators of such platforms also apply. These provisions provide information in particular about the rights of data subjects directly vis-à-vis the respective platform, which includes, for example, the right to information. We are jointly responsible with Meta Platforms Ireland Limited (Ireland) for our social media presence on Facebook, including the so-called page insights, if and to the extent that the General Data Protection Regulation (GDPR) is applicable. Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). The page insights provide information about how visitors interact with our Facebook presence. We use page insights to be able to provide our social media presence on Facebook in an effective and user-friendly manner. Further information about the type, scope and purpose of data processing, information about the rights of data subjects and the contact details of Facebook and the Facebook data protection officer can be found in Facebook's privacy policy. We have concluded the so-called "Addendum for Responsible Persons" with Facebook and have thereby agreed in particular that Facebook is responsible for ensuring the rights of data subjects. The relevant information for the so-called Page Insights can be found on the "Information on Page Insights" page, including "Information on Page Insights data".

12. Third Party Services
We use services from specialized third parties to be able to carry out our activities and operations in a permanent, user-friendly, secure and reliable manner. With such services, we can, among other things, embed functions and content in our website. When embedding in this way, the services used record the IP addresses of the users at least temporarily for technically necessary reasons. For necessary security-related, statistical and technical purposes, third parties whose services we use can process data in connection with our activities and operations in an aggregated, anonymized or pseudonymized manner. This includes, for example, performance or usage data in order to be able to offer the respective service.
In particular, we use:
• Google services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General information on data protection: «Privacy and security principles», Privacy Policy, «Google is committed to complying with applicable data protection laws», «Guide to data protection in Google products», «How we use data from websites or apps on or in which our services are used» (information from Google), «Types of cookies and similar technologies that Google uses», «Advertising that you have control over» («Personalised advertising»).
• Microsoft services: Providers: Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), Switzerland and the United Kingdom / Microsoft Corporation (USA) for users in the rest of the world; General information on data protection: “Data protection at Microsoft”, “Data protection and privacy”, Data protection declaration, “Data and data protection settings”.

12.1 Digital infrastructure
We use services from specialized third parties to provide the digital infrastructure required in connection with our activities. This includes, for example, hosting and storage services from selected providers.
In particular, we use:
• WordPress.com: blog hosting and website builder; providers: Automattic Inc. (USA) / Aut O'Mattic A8C Ireland Ltd. (Ireland) for users in Europe, among others; data protection information: privacy policy, cookie policy.

12.2 Audio and video conferences
We use specialised services for audio and video conferences to communicate online. For example, we can use them to hold virtual meetings or conduct online lessons and webinars. When participating in audio and video conferences, the legal texts of the individual services, such as data protection declarations and terms of use, also apply. Depending on your life situation, we recommend muting the microphone by default when participating in audio or video conferences and blurring the background or displaying a virtual background.
In particular, we use:

• TeamViewer Meeting: video conferences; provider: TeamViewer Germany GmbH (Germany); data protection information: privacy policy, “First-class data protection”.

12.3 Online collaboration
We use third-party services to enable online collaboration. In addition to this privacy policy, any directly visible terms and conditions of the services used, such as terms of use or privacy policies, also apply.
In particular, we use:
• Miro: whiteboard platform; provider: RealtimeBoard Inc. (USA); data protection information: privacy policy, “Trust in Miro” (“Miro Trust Center”).
• Microsoft Teams: Platform for productive collaboration, especially with audio and video conferences; Provider: Microsoft; Teams-specific information: “Data protection and Microsoft Teams”.

12.4 Social media functions and social media content
We use third-party services and plug-ins to embed features and content from social media platforms and to enable sharing of content on social media platforms and in other ways.
In particular, we use:
• Facebook (social plugins): Embedding Facebook functions and Facebook content, for example “Like” or “Share”; providers: Meta Platforms Ireland Limited (Ireland) and other meta companies (including in the USA); data protection information: privacy policy.
• Instagram platform: Embedding Instagram content; providers: Meta Platforms Ireland Limited (Ireland) and other meta companies (including in the USA); data protection information: privacy policy (Instagram), privacy policy (Facebook).
• LinkedIn Consumer Solutions Platform: Embedding LinkedIn functions and content, for example with plugins such as the “Share Plugin”; provider: Microsoft; LinkedIn-specific information: “Privacy”, privacy policy, cookie policy, cookie management/objection to email and SMS communication from LinkedIn, objection to interest-based advertising.

12.5 Maps
We use third-party services to embed maps into our website.
In particular, we use:
• Google Maps including Google Maps Platform: map service; provider: Google; Google Maps-specific information: “How Google uses location information”.

12.6 Digital audio and video content
We use services from specialized third parties to enable the direct playback of digital audio and video content such as music or podcasts.
In particular, we use:
• YouTube: video platform; provider: Google; YouTube-specific information: “Privacy and Security Center”, “My data on YouTube”.

12.7 Fonts
We use third-party services to embed selected fonts as well as icons, logos and symbols into our website. In particular, we use:
• Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: “Your Privacy and Google Fonts”, “Privacy and Data Collection”.

12.8 Advertising:
We use the option of displaying targeted advertising for our activities on third parties such as social media platforms and search engines. With such advertising, we particularly want to reach people who are already interested in our activities or who could be interested in them (remarketing and targeting). To do this, we can transmit relevant information - possibly also personal information - to third parties who enable such advertising. We can also determine whether our advertising is successful, in particular whether it leads to visits to our website (conversion tracking). Third parties with whom we advertise and with whom you are registered as a user may be able to assign the use of our website to your profile there.
In particular, we use:
• Facebook advertising (Facebook Ads): social media advertising; providers: Meta Platforms Ireland Limited (Ireland) and other meta companies (including in the USA); data protection information: remarketing and targeting, in particular with the Facebook pixel and custom audiences including lookalike audiences, data protection declaration, “advertising preferences” (registration as a user required).
• Google Ads: search engine advertising; provider: Google; Google Ads-specific information: advertising based on search queries, among other things, whereby various domain names - in particular doubleclick.net, googleadservices.com and googlesyndication.com - are used for Google Ads, "Advertising" (Google), "Manage displayed advertising directly via ads".

13. Extensions for the website
We use extensions for our website to provide additional functionality. We may use selected services from suitable providers or use such extensions on our own digital infrastructure.

14. Measuring success and reach
We try to determine how our online offering is used. In this context, we can, for example, measure the success and reach of our activities and the effect of third-party links to our website. We can also, for example, test and compare how different parts or versions of our online offering are used («A/B test» method). Based on the results of the success and reach measurement, we can in particular correct errors, strengthen popular content or make improvements to our online offering. In most cases, the IP addresses of individual users are stored for success and reach measurement. In this case, IP addresses are generally shortened («IP masking») in order to follow the principle of data economy through the appropriate pseudonymization. Cookies can be used and user profiles can be created when measuring success and reach. Any user profiles created include, for example, the individual pages visited or content viewed on our website, information on the size of the screen or browser window and the - at least approximate - location. In principle, any user profiles are created exclusively in pseudonymous form and are not used to identify individual users. Individual third-party services with which users are registered can at most assign the use of our online offering to the user account or user profile on the respective service.
In particular, we use:
• Google Analytics: success and reach measurement; provider: Google; Google Analytics-specific information: measurement also across different browsers and devices (cross-device tracking) as well as with pseudonymized IP addresses, which are only exceptionally transferred in full to Google in the USA, “Data protection”, “Browser add-on for deactivating Google Analytics”.
• Google Tag Manager: Integration and management of other services for measuring success and reach as well as other services from Google and third parties; provider: Google; Google Tag Manager-specific information: “Data collected with Google Tag Manager”; further information on data protection can be found in the individual integrated and managed services.

15. Final provisions
We have created this privacy policy with the data protection generator from Datenschutzpartner.

16
We may adapt and supplement this privacy policy at any time. We will inform you about such adaptations and additions in an appropriate manner, in particular by publishing the current privacy policy on our website.