Privacy Notice

Savify AG, Landhausstrasse 1, 9053 Teufen (AR), Schweiz. E-Mail: [email protected], Telefon: +41 71 490 00 00. Authorized representative: Jörg Weidenfeld. This information is provided in accordance with the transparency obligations of the GDPR and supplementarily under Swiss law.

These privacy notices apply to the website savify.io and its subpages. For terminal device access (e.g., cookies) in relation to users in Germany, the provisions of § 25 TDDDG apply. For the processing of personal data, the provisions of the GDPR apply (in particular Art. 6, 12–14, 15–22, 32, 44–49).

1.1 Data categories: IP address, date/time, accessed URL/file, referrer URL, user agent, status codes. 1.2 Purposes: Technical provision, stability, IT security, abuse prevention. 1.3 Legal basis: Legitimate interest (Art. 6(1)(f) GDPR: secure, stable operation of the website).

2.1 Principle: The storage of information in the terminal device or access to already stored information is only permitted if the user has consented on the basis of clear and comprehensive information; exceptions exist only for the transmission of a message or for technologies that are strictly necessary (§ 25(1), (2) TDDDG). 2.2 Subsequent processing of personal data is generally based on Art. 6(1)(a) GDPR (consent); for purely necessary operations, Art. 6(1)(b)/(f) GDPR may apply. 2.3 Consents must comply with GDPR requirements (voluntary, informed, specific, unambiguous; revocation at any time).

3.1 Purpose: Obtaining, managing, and documenting consents; storing consent decisions (consent cookie). 3.2 Legal bases: § 25(2) TDDDG (necessary terminal device information for the requested service), Art. 6(1)(c) GDPR (accountability/compliance) or Art. 6(1)(f) GDPR (legitimate interest in legally secure consent management).

4.1 Data categories: Usage data (e.g., page views, interactions, possibly truncated IP), device/browser information. 4.2 Purpose: Website optimization, reach measurement. 4.3 Legal bases: § 25(1) TDDDG (consent for terminal device access) and Art. 6(1)(a) GDPR (consent); revocation at any time in the consent tool.

5.1 Technologies used: We currently use Google Analytics 4 for website usage analysis. Detailed information on cookies, storage durations, and third-country transfers can be found in Section X (Cookies and Tracking Technologies). 5.2 Purpose: Web analysis, user experience improvement, optimization of marketing measures. 5.3 Legal bases: § 25(1) TDDDG (consent for terminal device access) and Art. 6(1)(a) GDPR (consent). Consent is obtained via our cookie banner (Cookiebot); no pre-settings; "Decline" is designed equivalently to "Accept". Revocation is possible at any time (see Section X.4).

6.1 Data categories: Contact data (e.g., name, email, phone), communication content, metadata. 6.2 Purpose: Processing inquiries; possibly pre-contractual communication. 6.3 Legal bases: Art. 6(1)(b) GDPR (pre-contractual/contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in efficient communication).

7.1 Procedure: Registration via double opt-in procedure; logging of consent. 7.2 Legal bases: Art. 6(1)(a) GDPR (consent); for any terminal device access (e.g., open/click tracking), additionally § 25(1) TDDDG (opt-in).

8.1 Purpose: Application management. 8.2 Legal bases: Generally Art. 6(1)(b) GDPR; special categories only in accordance with Art. 9(2) GDPR (specific legal bases/protective measures).

Hosting/CDN providers, consent management providers, analytics services, communication service providers, IT support, and comparable processors are used. Processing takes place exclusively on documented instructions and on the basis of appropriate contracts (Art. 28 GDPR); appropriate technical and organizational measures are agreed.

If transfers to third countries (e.g., USA) occur, the requirements of the GDPR are met (adequacy decision, standard contractual clauses, binding corporate rules, etc.). Where applicable, consent is obtained; we inform transparently about risks.

Personal data is only stored for as long as necessary for the purposes or as long as statutory retention obligations exist; afterwards, we delete or anonymize the data. Criteria for determining storage duration include purpose limitation, legal obligations, and limitation periods.

Without certain information (e.g., mandatory fields in the contact form), individual functions cannot be used; mandatory and optional information are marked.

If automated decision-making including profiling occurs, we inform separately about the logic, scope, and intended effects; the requirements of Art. 22 GDPR apply.

Data subjects have rights to access, rectification, erasure, restriction of processing, data portability, objection, and revocation of consents with effect for the future. There is also a right to lodge a complaint with a data protection supervisory authority.

You may object at any time to processing based on Art. 6(1)(e) or (f) GDPR for reasons relating to your particular situation; in the case of direct marketing, there is an unrestricted right to object at any time.

We take appropriate technical and organizational measures to secure processing in order to ensure a level of protection appropriate to the risk (Art. 32 GDPR), e.g., encryption, access restrictions, logging, hardening, and monitoring.

We use Cookiebot (Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark) as a Consent Management Platform to manage your cookie consents. Cookiebot automatically scans our website for cookies and tracking technologies and provides this information in the cookie banner. The following cookies are set: • CookieConsent: Stores your consent status (necessary, storage duration: 1 year) • CookieConsentBulkSetting: Stores bulk settings for multiple domains (storage duration: 1 year) Legal bases: Art. 6(1)(c) GDPR (legal obligation to document consents), § 25(1) TDDDG (terminal device access). Data transfer: Cookiebot processes pseudonymized data in the EU. More information: https://www.cookiebot.com/en/privacy-policy/ Cookiebot ID: 41c55374-aed8-49ce-bd75-c0533cd0b1fe

For website usage analysis, we use Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies and similar technologies to capture user behavior and create statistical evaluations of website usage. Processed data: IP address (anonymized), page views, session duration, referrer URLs, device information, browser type, geographic origin (city/country) Cookies: • _ga: User distinction (storage duration: 2 years) • _ga_<container-id>: Session state storage (storage duration: 2 years) Purpose: Web analysis, user experience improvement, optimization of marketing measures Legal bases: Art. 6(1)(a) GDPR (consent), § 25(1) TDDDG (terminal device access) Data transfer to third countries: Google Analytics may transfer data to the USA. Google is certified under the EU-US Data Privacy Framework. More information: https://policies.google.com/privacy Measurement ID: G-ETSY0RLFBZ Important note: Google Analytics is only activated after you consent in the cookie banner. If declined, no analytics cookies are set.

We use the following cookie categories: • Necessary Cookies: Technically required for website operation (e.g., Cookiebot consent status). These cookies cannot be declined. • Statistics Cookies: For anonymous collection of usage statistics (e.g., Google Analytics). Require your consent. • Marketing Cookies: Currently not in use. You can adjust your consents granularly at any time by recalling the cookie banner or changing your browser settings.

Our cookie banner allows granular selection by cookie categories. You receive complete information about purposes, providers, storage durations, legal bases, and any third-country references. Revocation options: • Cookie Banner: Click on "Cookie Settings" in our website footer • Browser Settings: Delete cookies in your browser settings • Google Analytics Opt-Out: Install the browser add-on to deactivate Google Analytics: https://tools.google.com/dlpage/gaoptout Equivalent design: The "Accept all" and "Decline all" buttons are visually equivalent. Your rejection has no negative impact on the usability of our website. Effect of revocation: Revocation takes immediate effect for the future. Already processed data remains lawful.

If an appointment is made pursuant to Art. 37 GDPR (and possibly national law), the name and contact details will be published here. For Savify AG as a Swiss controller with market presence in the EU, the appointment obligation is primarily based on Art. 37 GDPR and not on German threshold regulations; if appointed, this section will be updated.

We update this notice as needed; the current version is available on this page. We inform transparently about material changes.