Privacy Policy

Last update on 25.03.2022 // v01.0

Welcome to www.onetwenty.ai (the “Site”) or to the OneTwenty App (the “App”), owned and operated by OneTwenty AG, a company formed under the laws of Switzerland with domicile in Zurich, Switzerland (collectively “AG” or “we”). This Privacy Policy governs the use of the Site and the use of the App, which is sold directly or indirectly via the website, including – unless otherwise stated – as well as any services in connection with these products (the “Services”). We are responsible for data processing under this data privacy notice in connection with the use of our app. If you have any questions regarding this data privacy notice, you can contact us at:

The responsible body within the meaning of the data protection laws, in particular the EU General Data Protection Regulation (GDPR), is

OneTwenty AG
Neunbrunnenstrasse 162
8046 Zürich
E-Mail: hello[at]OneTwenty[dot]ai
Website: www.onetwenty.ai 


General information

With this Privacy Policy we would like to inform you about how we process personal data within the scope of our business activities and inform you about your rights. We are aware of the importance of processing personal data for you as a user and the protection of your privacy is of the utmost importance to us.
Based on Article 13 of the Swiss Federal Constitution and the data protection regulations of the Swiss Confederation (Data Protection Act, DSG), every person is entitled to protection of his or her privacy and to protection against misuse of his or her personal data. We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations and this privacy policy.
As an internationally operating company, we consider the EU General Data Protection Regulation (“GDPR”) important in addition to the Swiss data protection regulations. We have aligned this Privacy Policy with the stricter standard of the GDPR.
In cooperation with our hosting providers, we make every effort to protect the databases as much as possible against unauthorised access, loss, misuse or corruption.
We would like to point out that data transmission over the Internet (e.g. communication by e-mail) can have vulnerabilities. Complete protection of data against access by third parties is not possible.
By using this website, you agree to the collection, processing and use of data in accordance with the following description. In general, this website can be visited without registration. Data such as pages called up or names of files called up, date and time are stored on the server for statistical purposes without these data being directly related to your person. Personal data, in particular name, address or e-mail address are collected as far as possible on a voluntary basis. The data will not be passed on to third parties without your agreement.
This Privacy Policy does not apply to information collected offline or by third parties not affiliated with OneTwenty that the Site may link to (“Third Party Sites”). Please read this Privacy Policy and the Terms of Use (https://OneTwenty.ai/en/terms-of-use/) carefully before using the Site.
BY USING THE SERVICES, YOU AGREE TO THESE TERMS; IF YOU DO NOT AGREE, DO NOT USE THE SERVICES. 


Processing of personal data 

Personal data is all information that relates to an identified or identifiable person. A data subject is a person about whom personal data is processed. Processing includes any handling of personal data, irrespective of the means and procedures used, in particular the storage, disclosure, procurement, deletion, modification, destruction and use of personal data.
We process personal data in accordance with Swiss data protection law. In addition, we process personal data – insofar and to the extent that the EU GDPR is applicable – in accordance with the following legal principles in connection with Art. 6 Para. 1 GDPR:

lit. a) Processing of personal data with the consent of the person concerned.
lit. b) Processing of personal data for the purpose of fulfilling a contract with the data subject and for carrying out appropriate pre-contractual measures.
lit. c) Processing of personal data for the fulfilment of a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR is applicable in whole or in part.
lit. d) Processing of personal data to protect vital interests of the data subject or of another natural person.
lit. f) Processing of personal data to safeguard the legitimate interests of us or of third parties, except where such interests are overridden by fundamental freedoms and rights or by the interests of the data subject. Legitimate interests are in particular our business interest in being able to provide our website, information security, the enforcement of our own legal claims and compliance with Swiss law.

We process personal data for as long as is necessary for the respective purpose or purposes. In the case of longer-term storage obligations due to legal and other obligations to which we are subject, we restrict processing accordingly.
Use of our offers
Depending on the specific offer that you use via OneTwenty, certain elements of your personal data required for the use of the offer and for the implementation of the contract (including payment processing) will be gathered. In addition, we may process personal data (e.g. on your specific usage patterns) in order to become more familiar with you and inform you of further offers in the future, which we will be able to tailor more closely to your requirements based on the information we have on you already. In certain circumstances, we may also use your personal data for statistical purposes, albeit solely on an anonymous basis, so that your identity cannot be deduced.  
In the above-mentioned situation, for example, we will process the following personal data provided by you during registration or during your use of the app: 
• Personal data (e.g. name, age, gender, contact details, e-mail address, etc.);
• Data about the self-care program that you have chosen;
• Measurement data that you enter in connection with the offer selected or a specific treatment (e.g. your current state of health, general treatment data, information on whether or not you are pregnant, information on your cardiovascular circulation, diabetes, blood pressure, blood sugar levels, etc.);
• Information on your dietary habits (e.g. nutrition plan, recipes selected, products selected, special diets, etc.);
• Information on activities entered via OneTwenty and measurement data connected with them (e.g. jogging activity, fitness training, etc.);
• Information on your behaviour in other areas of life (e.g. sleeping habits, etc.);
• Information as to whether you use the services of our cooperation partners (e.g. pharmacists, insurers);
• Additional information may be gathered depending on the offer;
• Communication: notices regarding technical issues or changes to the Products, some of which you cannot opt out of;
• Product satisfaction data: We collect data on your satisfaction with the Products. Such data will be processed to analyse user satisfaction and to improve our Products. Such data will only be stored for as long as it is necessary for the purpose the data was obtained for.
As a matter of principle, we will process only the personal data which you provide us. You are under no obligation to provide us with any given information; unfortunately, we will often be unable to offer you the full extent of our services unless you disclose certain personal data and allow us to process that data.
If we need to process special categories of personal data that require particular protection, we will ask for your express consent before doing so. 

Compliance with legal requirements
We also process personal data in order to comply with legal provisions. These include regulatory provisions in particular, as well as disclosing documents to a public authority if we have good reason to do so or if we are compelled to do so by law.

Parties to whom your personal data may be disclosed
We may disclose your personal data to third parties if we wish to retain the services of the latter (“order data processors”), for example with regard to IT services (e.g. data hosting services, cloud services, the sending of e-mail newsletters, data analysis and data enhancement, etc.).
We will select our order data processors and conclude suitable contractual agreements to ensure that your personal data is protected for the entire period during which it is processed, including by third parties. Our order data processors are under a duty not to process personal data other than on instruction from and as instructed by us.
We may furthermore disclose your personal data to other third parties (including) for their own purposes. This is done either on an anonymous basis, so that your identity cannot be deduced, or solely with your express consent, for example if you wish to share your personal data with specific recipients, if you are complying with a request for treatment or if you are making use of an offer from one of our cooperation partners (e.g. pharmacists). In these cases, the recipient of your personal data is, where applicable, responsible in its own right for processing that data, and as such sets out its own data protection provisions to define how it processes your personal data. 
We may additionally disclose your personal data to third parties (e.g. authorities in Switzerland and abroad) where required to do so by law. We furthermore reserve the right to process your personal data if so required to comply with a judicial order or to enforce or defend against a legal claim, or if we deem it necessary for any other legal grounds.

Legal basis
To the extent that we need a legal basis on which to process your personal data, we will rely on the following legal bases:
• Your authorization, where required for the specific processing in question; 
• The performance of the contract with you;
• Our justified interests;
• The enforcement, exercise or defence against legal claims.

What are your rights in terms of the processing of your personal data?
You may object to your data being processed at any time and are generally free to revoke your authorization to your data being processed. In particular, you are entitled to object to your data being processed in connection with direct advertising (e.g. against e-mail marketing).
You furthermore have the following rights:
• Right to be informed: You have the right to be informed of how we are processing your personal data and of the rights you have in connection with the processing of your personal data. 
• Right to access: You have the right to access the personal data that we have on record for you, free of charge and at any time, if we process that data. This means that you have the right to check which of your personal data we are processing.
• Right to correct: You have the right to rectify any incorrect or incomplete personal data concerning you. In this case, we will inform the recipients of the data concerned of any corrections that are made, unless this is impossible or would involve disproportionate effort or expense.
• Right to delete: You have the right to have your personal data deleted on request, provided that we are no longer required to store it by law.
• Right to restrict processing: Subject to certain conditions, you have the right to request that the processing of your personal data be limited. 
• Right to have data transferred: You have the right to obtain the personal data that you have provided to us, in a legible format and free of charge, or to have us transfer that data to another responsible party.
• Right to lodge a complaint: You have the right to lodge a complaint with the competent data protection authority against the manner in which your personal data is processed.
• Right to withdraw: As a matter of principle, you have the right to withdraw any given consent at any time. Any data processing activities previously carried out based on your original consent will not however thereby become unlawful.

For how long do we store your personal data?
We store and process your personal data for as long as is necessary for the purpose for which we collected it. As a general rule, we store your personal data for the period for which you have installed the App and your account on your terminal or for which your account with us is active. If you delete your account in the App from your terminal, all information concerning you will be permanently deleted or anonymized, unless we have a justified interest in storing your personal data for a longer period (e.g. for evidentiary or security reasons, to guard against legal claims or to comply with legal obligations).

How do we protect your personal data?
We take appropriate security measures of a technical nature (e.g. encryption, access restriction, data backup, etc.) and of an organisational nature (e.g. instructions to our employees, etc.) to guarantee the security of your personal data, to protect it against unauthorised or unlawful processing and to counteract the risk of loss, unintentional modification, undesired disclosure or unauthorised access. As a general rule, however, security risks cannot be completely excluded; certain residual risks are unavoidable.

Modifications to this data privacy notice
This data privacy notice may be adapted over time, especially if we change our data processing procedures or if new legal provisions come into effect. We will actively inform persons whose contact details are registered with us in the event of any significant changes, where this is possible without disproportionate effort or expenditure. As a general rule, however, the version of the data privacy notice in force when the processing concerned began shall apply.

Cookies
This website uses cookies. These are small text files which make it possible to store specific information relating to the user on the user’s terminal device while he or she is using the website. Cookies make it possible, in particular, to determine the frequency of use and the number of users of the pages, to analyse the behaviour of page use, but also to make our offer more customer-friendly. Cookies remain stored at the end of a browser session and can be retrieved when the user revisits the site. If you do not wish to receive cookies, you should set your Internet browser to reject cookies.

SSL encryption
This website uses SSL encryption for reasons of security and to protect the transmission of confidential content, such as the requests you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of your browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL encryption is activated, the data you send to us cannot be read by third parties.

Newsletter data
If you would like to receive the newsletter offered on this website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data will not be collected. We use these data exclusively for sending the requested information and do not pass them on to third parties.
You can revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example by clicking on the “unsubscribe” link in the newsletter.

Google Firebase
This app uses Firebase. Firebase is a real-time database that can be used to integrate real-time information into our own websites or apps. User data is transmitted to Firebase anonymously. Firebase is a Google subsidiary based in San Francisco (CA), USA. You can find Firebase’s privacy policy at https://www.firebase.com/terms/privacy-policy.html.

Google AdWords
This website uses Google Conversion Tracking. If you have reached our website via an ad placed by Google, Google AdWords will set a cookie on your computer. The conversion tracking cookie is set when a user clicks on an ad served by Google. These cookies expire after 30 days and are not personally identifiable. If the user visits certain pages on our site and the cookie hasn’t expired, we and Google can tell that the user clicked the ad and was redirected to that page. Each Google AdWords customer receives a different cookie. As a result, cookies cannot be tracked across the websites of AdWords customers. The information collected through the conversion cookie is used to compile conversion statistics for advertisers who have opted in to conversion tracking. Customers are told the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
If you do not wish to participate in tracking, you can refuse to accept cookies by changing your browser settings to disable automatic placement of cookies or to set your browser to block cookies from the domain “googleleadservices.com”. Please note that you may not delete the opt-out cookies unless you wish to record measurement data. If you have deleted all your cookies in your browser, you have to set the respective opt-out cookie again.

Google Remarketing
This website uses the remarketing function of Google Inc. to present interest-related advertisements to website visitors within the Google advertising network. A so-called “cookie” is stored in the visitor’s browser, which makes it possible to recognize the visitor when he or she calls up websites that belong to the Google advertising network. On these pages the visitor may be presented with advertisements relating to content that the visitor has previously viewed on websites that use Google’s remarketing function. According to its own statements, Google does not collect any personal data during this process. If you still do not wish to use Google’s remarketing function, you can deactivate it by making the appropriate settings at http://www.google.com/settings/ads. Alternatively, you can disable the use of cookies for interest-based advertising via the advertising network initiative by following the instructions at http://www.networkadvertising.org/managing/opt_out.asp.

Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. To deactivate Google Analytics, Google provides a browser plug-in at https://tools.google.com/dlpage/gaoptout?hl=de. Google Analytics uses cookies. These are small text files which make it possible to store specific information relating to the user on the user’s terminal device. These enable Google to analyse the use of our website offer. The information collected by the cookie about the use of our website (including your IP address) is usually transferred to a Google server in the USA and stored there. We would like to point out that on this website Google Analytics has been extended by the code “gat._anonymizeIp();” in order to ensure an anonymised recording of IP addresses (so-called IP-Masking). If anonymisation is active, Google will shorten IP addresses within member states of the European Union or in other states that are party to the Agreement on the European Economic Area, which means that no conclusions can be drawn about your identity. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Google observes the data protection regulations of the “Privacy Shield” agreement and is registered with the “Privacy Shield” program of the US Department of Commerce and uses the collected information to evaluate the use of our websites, to write reports for us in this regard and to provide other relevant services to us. You can learn more at https://www.google.com/intl/de/analytics/privacyoverview.html.

Facebook
This website uses features from Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA. When you access our pages with Facebook plug-ins, a connection is established between your browser and the Facebook servers. Data is already being transferred to Facebook in the process. If you have a Facebook account, this data can be linked to it. If you do not want this data to be linked to your Facebook account, please log out of Facebook before visiting our site. Interactions, in particular the use of a comment function or clicking a “Like” or “Share” button, are also passed on to Facebook. You can find out more at https://de-de.facebook.com/about/privacy.

Instagram
Functions of the Instagram service are integrated on our pages. These functions are offered by Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged in to your Instagram account, you can link the contents of our pages to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to our sites with your account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram. For more information, please refer to Instagram’s privacy policy: http://instagram.com/about/legal/privacy/.

LinkedIn
This website uses functions of the LinkedIn network. The provider is the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Each time you access one of our pages that contains LinkedIn features, a connection to LinkedIn’s servers is established. LinkedIn will be notified that you have visited our sites using your IP address. If you click on LinkedIn’s “Recommend Button” and are logged into your LinkedIn account, LinkedIn is able to attribute your visit to our site to you and your account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by LinkedIn. For more information, please refer to the LinkedIn privacy policy at: https://www.linkedin.com/legal/privacy-policy.

Pinterest
On this website we use social plugins from the social network Pinterest, which is operated by Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103-490, USA (“Pinterest”). When you call up a page that contains such a plugin, your browser establishes a direct connection to Pinterest’s servers. The plugin transmits protocol data to the Pinterest server in the USA. This log data may include your IP address, the address of the websites you visit that also contain Pinterest functions, the type and settings of your browser, the date and time of your request, your use of Pinterest and cookies.
For more information on the purpose, scope and further processing and use of the data by Pinterest, as well as your rights and options for protecting your privacy, please refer to Pinterest’s Privacy Policy: https://about.pinterest.com/de/privacy-policy.

External payment service providers
This website uses external payment service providers, through whose platforms the users and we can carry out payment transactions. For example via
• PostFinance (https://www.postfinance.ch/de/detail/rechtliches-barrierefreiheit.html)
• Visa (https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html)
• Mastercard (https://www.mastercard.ch/de-ch/datenschutz.html)
• American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html)
• Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full)
• Bexio AG (https://www.bexio.com/de-CH/datenschutz)
• Payrexx AG (https://www.payrexx.ch/site/assets/files/2592/datenschutzerklaerung.pdf)
• Apple Pay (https://support.apple.com/de-ch/ht203027)
• Google Pay (https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de) 
• Stripe (https://stripe.com/ch/privacy)
• Klarna (https://www.klarna.com/de/datenschutz/)
• Skrill (https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/)
• Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/) etc.
Within the framework of the performance of contracts, we appoint payment service providers on the basis of the Swiss Data Protection Ordinance and, where necessary, Art. 6 para. 1 lit. b EU-GDPR. Furthermore, we use external payment service providers on the basis of our legitimate interests in accordance with the Swiss Data Protection Ordinance and, where necessary, Art. 6 para. 1 lit. f EU-GDPR in order to offer our users effective and secure payment options.
The data processed by the payment service providers include inventory data, such as name and address, bank data, such as account or credit card numbers, passwords, TANs and checksums, as well as contract, sum and recipient related data. These details are required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored by them. We as the operator do not receive any information about (bank) account or credit card, but only information to confirm (accept) or reject the payment. Under certain circumstances, the payment service providers may transfer the data to credit agencies. The purpose of this transmission is to check identity and creditworthiness. In this regard we refer to the general terms and conditions and data protection information of the payment service providers.
The terms and conditions and data protection information of the respective payment service providers, which can be accessed within the respective website or transaction applications, apply to the payment transactions. We also refer to these for further information and the assertion of rights of revocation, information and other rights of affected persons.

YouTube
This website uses plugins from the YouTube site operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit one of our sites equipped with a YouTube plugin, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged in to your YouTube account, you allow YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account. For more information on how user data is handled, please refer to the YouTube privacy policy at: https://www.google.de/intl/de/policies/privacy.

Vimeo
On this website, plugins of the video portal Vimeo of Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA are integrated. Each time you access a page that offers one or more Vimeo video clips, a direct connection is established between your browser and a Vimeo server in the USA. Information about your visit and your IP address is stored there. Through interaction with the Vimeo plug-ins (e.g. clicking the start button), this information is also transmitted to Vimeo and stored there. More detailed information about the collection and use of your data by Vimeo can be found in the Vimeo privacy policy.
If you have a Vimeo user account and do not want Vimeo to collect information about you through this web site and link it to your membership information stored at Vimeo, you must log out of Vimeo before visiting this web site.
In addition, Vimeo calls up the tracker Google Analytics via an iFrame in which the video is viewed. This is Vimeo’s own tracking system to which we have no access. You can prevent tracking by Google Analytics by using the deactivation tools that Google offers for some Internet browsers. In addition, you can prevent the collection of data generated by Google Analytics and related to your use of the website (including your IP address) to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.