Privacy policy

Last update: July 3, 2026

Thank you for your interest in the information on our website!

With the help of this Privacy Policy we would like to inform the users of our website about the type, scope and purpose of the personal data processed. Personal data in this context is all information that can be used to personally identify you as a user of our website (theoretically in an alternative way or by linking various data), including your IP address. Information that is stored in cookies is generally not or only in exceptional cases personally identifiable; however, cookies are covered by specific regulations that make the permissibility of their use, depending on their purpose, largely dependent on the active consent of the user.

In a general section of this Privacy Policy, we provide you with information on data protection, which generally applies to our processing of data, including data collection on our website. In particular, you as a data subject will be informed about the rights to which you are entitled.

The terms used in our Privacy Policy and our data protection practice are based on the provisions of the EU General Data Protection Regulation ("GDPR") and other relevant national legal provisions.

Controller according to the GDPR

GIS AG
Luzernerstrasse 50
6247 Schötz
Switzerland

Email: tel@gis-ag.ch
Phone: +41 41 984 11 33 

REPRESENTED IN GERMANY BY 

GIS GmbH
Hohe-Flum-Strasse 44
79650 Schopfheim
Germany

Email: mail@gis-gmbh.de
Phone: +49 7622 677 30

Data collection on our website

On the one hand, personal data is collected from you when you expressly communicate such data to us; on the other hand, data, especially technical data, is automatically collected when you visit our website. Some of this data is collected to ensure that our website functions without errors. Other data may be used for analysis purposes. However, you can use our website without needing to provide personal information.

Technologies on our website

Webshop / online orders

Category: General processing activity
Purpose: Execution and processing of orders
Types of data: Order, payment, and address data, technical transaction data
Data subjects: Customers
Recipients: Payment providers, logistics and shipping service providers, internal departments
Technologies: Shop system, order and payment processing
Legal basis: Contract fulfillment (order processing), legitimate interest (documentation & security processes), consent (voluntary additional information)

Our website provides order functions for products or digital services. All data necessary for processing is processed in order to accept orders, assign payments, provide deliveries, and clarify queries. In addition, technical information is processed in order to operate order processes securely and transparently.

The following data in particular is processed:

  • Name and contact details
  • Delivery and billing address
  • Product and order information
  • Price, payment, and billing information
  • Communication and service details
  • Technical metadata such as time of order or IP address

Processing is carried out in order to accept, process, deliver, and invoice orders and to be able to communicate in the event of queries or warranty and service cases. In addition, processing may be carried out for fraud prevention, quality assurance, and internal documentation purposes. The legal basis is the necessity of data processing for the execution of the order and delivery process as well as our legitimate interest in efficient processing and internal organization. Voluntary additional information is processed on the basis of consent.

The data is only stored for as long as is necessary for the processing of the order or as long as there are legal retention obligations. Data will only be passed on to third parties if this is necessary for the execution of the order, for example to delivery services, payment service providers, logistics companies, or technical service providers.

User account / registration

Category: General processing activity
Purpose: Provision and management of personal access
Data types: Login and account data, optional profile information, technical registration and usage data
Data subjects: Registered users
Recipients: Internal departments, technical service providers
Technologies: User account/registration system
Legal basis: Legitimate interest (provision of the account), performance of a contract (if account-related), consent (voluntary additional information)

A user account or registration function is available on our website. When creating an account, the necessary data is processed in order to provide individual access, save settings, and enable user-specific functions. In addition, technical data required for security, administration, and system operation is processed.

In particular, the following data is processed:

  • Email address
  • Login data, password (encrypted)
  • Optional profile and additional information
  • Technical metadata such as time of registration or IP address

The processing is carried out in order to provide access to a personal user area, manage settings, provide functions that require registration, and ensure account security. The legal basis is our legitimate interest in providing and managing a user account and, if registration is required for a contract, the necessity of processing to fulfill this contractual relationship. Voluntary additional information is processed on the basis of consent.

The data is stored for as long as the user account exists. Deletion is possible at any time, provided that there are no legal retention obligations or other reasons preventing immediate deletion. Data is only passed on to third parties if this is necessary for technical operation or the provision of the account and registration function.

Contact

Our website offers various options for contacting us, for example via contact forms or e-mail addresses provided. When contacting us, the personal data provided will be processed exclusively for the purpose of processing and responding to the respective inquiry. The processing takes place insofar as this is necessary to carry out pre-contractual measures or to fulfill a contract, or on the basis of legitimate interests, for example to maintain customer relationships or to document processes.

It may be necessary to provide certain data in order to fully process an inquiry. Without this information, it may not be possible to process the request, or only to a limited extent.

Personal data from contact requests may also be stored in a customer or prospective customer database on the basis of legitimate interests in order to optimize communication and support. Use for marketing purposes only takes place if separate consent has been obtained or a legitimate interest exists and there are no overriding interests of the data subject that require protection.

Personal data from contact inquiries will only be stored for as long as is necessary for the processing and handling of the inquiry or for as long as there are statutory retention obligations. After final processing of the inquiry and expiry of any legal deadlines, the data will be deleted or anonymized. As a rule, deletion takes place at the latest after three years without further contact, unless there are longer statutory or contractual retention obligations.

Additional information on the rights of data subjects and the relevant contact details are listed in the general section of this privacy policy.

External payment providers

Category: General processing activity
Purpose: Execution of payments
Types of data: Payment, transaction, address, and communication data, technical processing information
Data subjects: Customers
Recipients: External payment providers, internal departments, technical processing service providers
Technologies: Payment processing and transaction systems
Legal basis: Contract fulfillment (payment execution), legitimate interest (security & proof), consent (voluntary additional data)

External payment providers are used to process payments. If a payment is made via such a provider, the information required for this purpose is transmitted to the respective service provider and processed there. This may include, in particular:

  • Name
  • Billing and delivery address
  • Payment information (e.g., account details, credit card details, wallet details)
  • Transaction amount
  • Time of payment
  • Other payment-related information required by the provider

The processing is carried out for the purpose of executing the payment transaction, assigning the transaction, implementing security and verification mechanisms, and handling any queries or clarifications. The payment providers used are clearly identified in the order process. The specific processing is based on the terms and conditions of the respective payment service provider. The legal basis is the necessity of processing to execute the payment transaction and our legitimate interest in secure and efficient payment processing. Additional data provided voluntarily is processed on the basis of consent.

The data is only stored for as long as is necessary for processing the payment or due to legal requirements. Data is only passed on to other third parties if this is necessary to execute the payment or if there are legal obligations to do so.

A selection of the data protection regulations of the most important payment service providers can be found here:

Cloudflare

Provider: Cloudflare, Inc, 101 Townsend St., San Francisco, CA 94107, USA
Representative in the EU: Cloudflare Portugal Unipessoal Lda, Praça Marquês de Pombal 14 7th floor, 1250-162 Lisboa, Portugal, DSA-legal-representative@cloudflare.com
Purpose: To measure and analyze website performance from the user's perspective
Category: Statistics
Recipient: USA
Processed data: Page load times, response times, web vitals metrics, URL, browser, operating system, country
Data subjects: Website visitors
Technology: JavaScript beacon, cookies (details in the cookie list)
Legal basis: Consent (purpose)
Certifications: EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework
Further information:
https://www.cloudflare.com/de-de/privacypolicy/
https://www.cloudflare.com/de-de/website-terms/

On our website, we use the Cloudflare Web Analytics service to measure and analyze website performance from the perspective of our users. This tool allows us to track and understand key performance metrics such as load times, responsiveness and visual stability of our website.

Cloudflare Web Analytics works by inserting a JavaScript snippet into HTML pages. This beacon collects data about the user experience, including metrics such as page load time, time to first byte and other web vitals. The tool also collects information about the browser used, the operating system and the user's country.

The collected data is updated in real time and is available shortly after a user request. This enables us to continuously monitor and improve the performance of our website. According to the manufacturer, Cloudflare Web Analytics does not use cookies for analysis purposes, but does use them to recognize users (identification cookie).

The data is stored for the duration of the statutory retention obligations and deleted immediately after this period has expired. Additional details can be found in the linked further information. We recommend that you check these links regularly for changes so that you are always informed about the current practices of Cloudflare Web Analytics. 

Additional information on the rights of data subjects and the relevant contact details can be found in the general section of this privacy policy.

Cookies and Local Storage

We use cookies to make our website as user-friendly and functional as possible for you. Some of these cookies are stored on the device you use to access the site. 

Cookies are small packages of data that are exchanged between your browser and our web server whenever you visit our website. They do not cause any damage and are used solely to recognise website visitors. Cookies can only store information provided by your browser, e.g. information that you have entered into your browser or that is available on the website. Cookies cannot execute code and cannot be used to access your terminal device. 

The next time you access our website using the same device, the information stored in the cookies can then be sent back either to us (“first-party cookie”) or to a web application of the third party to whom the cookie belongs (“third-party cookie”). The information that is stored and sent back allows each web application to recognise that you have already accessed and visited the website using the browser on your device.

Cookies contain the following information:

  • Cookie name
  • Name of the server from which the cookie originates
  • Cookie ID number
  • An expiry date, after which the cookie will be automatically deleted

We classify cookies in the following categories depending on their purpose and function:  

  • Technically necessary cookies, to ensure the technical operation and basic functions of our website. These types of cookies are used, for example, to maintain your settings while you navigate our website; or they can ensure that important information is retained throughout the session (e.g. login, shopping cart). 
  • Statistics cookies, to understand how visitors interact with our website by collecting and analysing information on an anonymous basis only. In this way we gain valuable insights to optimize both the website and our products and services. 
  • Marketing cookies, to provide targeted promotional and marketing activities for users on our website.
  • Unclassified cookies are cookies that we are trying to classify together with individual cookie providers.

Depending on the storage period, we also divide cookies into session and persistent cookies. Session cookies store information that is used during your current browser session. These cookies are automatically deleted when the browser is closed. No information remains on your device. Persistent cookies store information between two visits to the website. Based on this information, you will be recognized as a returning visitor on your next visit and the website will react accordingly. The lifespan of a persistent cookie is determined by the provider of the cookie.

The legal basis for using technically necessary cookies is our legitimate interest in the technically fault-free operation and smooth functionality of our website. The use of statistics and marketing cookies is subject to your consent. These technologies are only activated after you have provided explicit consent via the cookie banner. You can withdraw your consent for the future use of cookies at any time. Your consent is voluntary. If consent is not given, no disadvantages arise. For more information about the cookies we actually use (specifically, their purpose and lifespan), refer to this Privacy Policy and to the information in our cookie banner about the cookies we use.

You can also set your web browser so that it does not store any cookies in general on your device or so that you will be asked each time you visit the site whether you accept the use of cookies. Cookies that have already been stored can be deleted at any time. Refer to the Help section of your browser to learn how to do this.
 
Please note that a general deactivation of cookies may lead to functional restrictions on our website. 

On our website, we also use so-called local storage functions (also called "local data"). This means that data is stored locally in the cache of your browser, which continues to exist and can be read even after you close the browser - as long as you do not delete the cache or data is stored within the session storage. 

Third parties cannot access the data stored in the local storage. If special plug-ins or tools use the local storage functions, you are informed within the description of the respective plug-in or tool. 

If you do not wish plug-ins or tools to use local storage functions, you can control this in the settings of your respective browser. We would like to point out that this may result in functional restrictions.

Font Awesome

Provider: Fonticons, Inc, 307 S. Main St., Suite 202 Bentonville, AR 72712, USA.
Purpose: Integration of Fonts and Icons, Performance Measurement
Category: Statistics
Recipient: USA
Processed data: IP address, User Data
Data subjects: Users
Technology: JavaScript call
Legal basis: Consent
Website: https://www.fontawesome.com/
Further information: https://fontawesome.com/help https://fontawesome.com/privacy

ATTENTION! Within the scope of this service, data transfer to the U.S. takes place or cannot be excluded. We would like to point out that as of July 10, 2023, the European Commission has issued an adequacy decision pursuant to Art. 45 paragraph 1 GDPR on the EU-US data privacy framework (Data Privacy Framework). Accordingly, organizations or companies (as data importers) in the U.S. that are registered in a public list under the self-certification option of the Data Privacy Framework provide an adequate level of protection for data transfers. Whether the specific provider of this service is already certified can be found here: https://www.dataprivacyframework.gov/s/participant-search

On our website, we use so-called web fonts for the uniform display of fonts or icons, which are provided by Fonticons via the Font Awesome Content Delivery Network (CDN). This ensures that texts, fonts and icons are displayed optimally on every user's terminal device.

When a page is called up, a user's browser loads the required web fonts into the browser cache in order to display texts, fonts and icons correctly. For this purpose, the browser used must connect to Fonticons' servers. In this way, Fonticons obtains knowledge that our website has been accessed via the IP address of a user. At the same time, Fonticons receives information about the popularity of individual fonts and icons.

If a browser does not support web fonts, a standard font is used by the respective end device.

hCaptcha

Provider: Intuition Machines, Inc, 1065 SW 8th St #704, Miami, FL 33130 (USA)
Purpose: Protection against misuse
Category: external service
Recipient country: Third country (USA)
Data processed: IP address, details of the website visit, online-related data
Data subjects: Website visitors
Technology: JavaScript call, cookies
Legal basis: legitimate interest (see purpose), certification according to EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UK Extension to the EU-U.S. DPF
Website: https://www.hcaptcha.com/, https://www.imachines.com/
Further information:
https://www.hcaptcha.com/privacy/
https://www.hcaptcha.com/terms/
https://www.imachines.com/privacy/

The hCaptcha service is used on our website to protect against misuse by non-human visitors (bots) and to prevent spam.

The purpose of hCaptcha is to check whether data is entered on our website by a human or by an automated program. For this purpose, hCaptcha analyzes the behavior of visitors to our website based on various characteristics. This analysis starts automatically as soon as our website is visited. For the analysis, hCaptcha evaluates various pieces of information such as IP address, time spent by the visitor on the website or mouse movements. The data collected during the analysis is forwarded to the provider (data transfer to the US). The hCaptcha analysis in "invisible mode" can take place entirely in the background. 

The provider acts as a data processor or service provider for us.

jQuery Content Delivery Network

Provider: Fastly Inc, 475 Brannan St. Suite 300 San Francisco, CA 94107, USA
Purpose: Optimization of the loading speed of the website
Category: technically required
Recipient country: USA (third country)
Processed data: IP address
Data subjects: Website visitors
Technology: JavaScript libraries, Content Delivery Network (CDN)
Legal basis: legitimate interest (improvement of the website), US Data Privacy Framework certification.
Website: https://www.fastly.com/
Further information:
https://www.fastly.com/privacy/
https://www.fastly.com/data-processing/
https://www.fastly.com/terms/
https://www.fastly.com/acceptable-use/

We use the JavaScript library jQuery on our website. jQuery is provided via a Content Delivery Network (CDN). This service enables our website to load much faster, especially for users from abroad, as our website can be delivered from a server nearby.

The jQuery library primarily enables a modern design of our websites.

The developer of the jQuery JavaScript library is the jQuery team of the OpenJS Foundation: https://jquery.org/team/, https://js.foundation/contact. To increase the loading speed of our website, we use the provider's CDN (Content Delivery Network) to load the jQuery library. Even if your browser already has a copy of the jQuery library in its cache, a connection to the jQuery server is established and your IP address is transmitted to the service provider.

The provider has distributed servers in various countries and a user's data can therefore be stored both in the USA and within the EU. The provider stores personal data on our behalf for as long as is necessary for the provision of our services and to fulfill our legal obligations.

SSL Encryption

During your visit to our website, we use the widespread SSL procedure (Secure Sockets Layer) in conjunction with the highest level of encryption supported by your browser. You can tell whether an individual page of our website is transmitted in encrypted form by the closed representation of the key or lock symbol in the lower status bar of your browser. We use this encryption procedure on the basis of our justified interest in the use of suitable encryption techniques.

We also make use of suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments and kept state-of-the-art.

UNPKG

Provider: Npm, Inc, 1999 Harrison Street #1150, Oakland, CA 94612, USA, privacy@npmjs.com
Purpose: Content Delivery Networks (CDN) for JavaScript libraries and other resources
Category: external service
Recipient: USA, worldwide (as the CDN is distributed globally and Cloudflare in particular is integrated as a service provider based in the USA)
Processed data: IP address, browser type, operating system, reference URL, time of request, possibly other technical details such as user agent, server logs (temporary for provision and security)
Data subjects: Users of the website
Technology: JavaScript, server logs, (optional) cookies, (optional) caching in the browser (e.g. LocalStorage, if used by the operator)
Legal basis: legitimate interest
Website: https://unpkg.com
Further information:
https://www.npmjs.com/policies/privacy (Privacy Policy)
https://www.npmjs.com/policies/terms (Terms of use)
https://www.cloudflare.com/privacypolicy (privacy policy of Cloudflare, as technical CDN operator)
https://unpkg.com (project page)

ATTENTION! In the context of this service, data is transferred to the USA or such a transfer cannot be ruled out. We would like to point out that on 10 July 2023 the European Commission issued an adequacy decision on the EU-US data protection framework (Data Privacy Framework). Accordingly, organisations or companies (as data importers) in the USA that are registered in a public list as part of the self-certification option of the Data Privacy Framework offer an adequate level of protection for data transfers. You can find out whether the specific provider of this service is already certified here: https://www.dataprivacyframework.gov/s/participant-search.

On our website, we use the UNPKG service to provide JavaScript libraries and other resources published on npm quickly and reliably. The technical purpose of UNPKG is to act as a global CDN (Content Delivery Network) to deliver the requested files from server locations that are as close as possible. This reduces loading times and ensures that the libraries delivered are up to date.

Technically, UNPKG works in such a way that when a website that integrates resources via UNPKG is called up (e.g. via a `<script>` tag), the user's browser establishes a connection to the UNPKG servers. These servers are operated by Cloudflare, a global CDN provider based in the USA. Technical data such as the IP address, browser type, operating system, reference URL and the time of the request are recorded and stored in server logs each time a request is made. This data is required to deliver the requested files, monitor performance and prevent security threats.

UNPKG itself does not set cookies; however, individual libraries integrated via UNPKG can in turn use cookies or other storage technologies (e.g. LocalStorage). The use of such technologies depends on the respective integrated packages and is therefore optional. All details (name, purpose, storage duration) of the cookies can be found in our specific list of cookies used.

The data collected is only stored for as long as is necessary to fulfill the purpose. If there is no specific information on the storage period, the statutory retention obligations apply; the data will be deleted immediately after this period has expired. Additional details can be found in the linked further information. We recommend that users regularly check these links for changes, especially in connection with UNPKG. Further information on rights and contact details can be found in the general section of this privacy policy.

Webcare

Provider: DataReporter GmbH, Zeileisstraße 6, 4600 Wels, Austria.
Purpose: Consent Management
Category: technically required
Recipient: EU, AT
Data processed: IP Address, Consent Data
Data subjects: Users
Technology: JavaScript call, Cookies, Swarmcrawler
Legal basis: Legitimate interest, consent (swarmcrawler to evaluate search results)
Website: https://www.datareporter.eu/
Further information: https://www.datareporter.eu/company/info

On our website, we use the Webcare tool for consent management. Webcare records and stores the decision of each user of our website. Our Consent Banner ensures that statistical and marketing technologies such as cookies or external tools are only set or started if the user has expressly consented to their use.

We store information on the extent to which the user has confirmed the use of cookies. The user's decision can be revoked at any time by accessing the cookie setting and managing the declaration of consent. Existing cookies are deleted after revocation of consent. For the storage of information about the status of the consent of the user, a cookie is also set, which is referred to in the cookie details. Furthermore, the IP address of the respective user is transmitted to DataReporter's servers when this service is called up. The IP address is neither stored nor associated with any other data of the user; it is only used for the correct execution of the service.

With the help of Webcare, our website is regularly checked for technologies relevant to data protection. This investigation is only carried out for those users who have expressly given their consent (for statistical or marketing purposes). The search results of the users are evaluated by Webcare in an anonymous form and only in relation to technologies and used for the fulfillment of our information obligations. To start the Swarmcrawler technology, a request is sent to our servers and the IP address of the user is transmitted for the purpose of data transfer. Servers are selected which are geographically close to the respective location of the user. It can be assumed that for users within the EU, a server with a location within the EU will also be selected. The IP address of the user is not stored and is removed immediately after the end of the communication.

External resources

Category: General processing activity
Purpose: Presentation, functionality, and technical provision
Data types: Technical data
Data subjects: Visitors to the online offering
Recipients: Providers of the integrated resources
Technologies: External scripts, fonts, or frameworks
Legal basis: Legitimate interest (presentation & function)

External resources from third-party providers are integrated for the presentation and functionality of our online offering. When this content is loaded, a connection to the servers of the respective provider is established. Technical information may be transferred and processed, including:

  • IP address
  • Date and time of access
  • Resource accessed
  • Browser type and browser version
  • Operating system used
  • Referrer URL

The integration of such external resources serves to ensure a uniform presentation of the website, an improved user experience, and the technical and functional provision of our online offering. The legal basis for the processing is our legitimate interest in a user-friendly, secure, and efficient presentation of the website.

The data is processed by the respective provider of the integrated resource. Where possible, we integrate external content in a data-efficient manner or use alternatives that reduce data transmission.

Hosting

In the context of hosting our website, all data that arises in connection with the operation and use of the website is processed. This includes, in particular, content data, usage data, communication data, and technical data that are necessary for providing and securely operating the website.

The storage and processing of this data is necessary to enable access to the website, ensure the stability and security of the online offering, and to technically optimize the website.

To provide our online presence, we use the services of external web hosting providers. In this context, the data generated during the operation of the website is transmitted to these service providers or processed by them on our behalf. Processing is carried out exclusively in accordance with legal requirements and based on contractual agreements for data processing on our behalf.

Further information on the handling of personal data in connection with hosting can be found in the privacy policy of this website.

Server log files

Category: General processing activity
Purpose: Technical security, stability, and error analysis
Data types: Technical connection data and access data
Data subjects: Visitors to the online offering
Recipients: Hosting providers or technical service providers
Technologies: Server logs
Legal basis: Legitimate interest (technical operation & security)

When you visit our website, so-called server log files are automatically created. These log files contain the following data, which is automatically transmitted by the browser:

  • IP address
  • Date and time of access
  • File or page accessed
  • Amount of data transferred
  • Notification of successful retrieval
  • Browser type and version used
  • Operating system used
  • Referrer URL (previously visited page)
  • Host name of the accessing device

This data is processed to ensure the functionality, security, and stability of our website, in particular to defend against or track attacks (e.g., DDoS attacks), for error analysis, and for the technical provision of the website. The legal basis for this is a legitimate interest in the secure and error-free provision of the website.

The log file data is automatically deleted after a standard technical period – after 12 weeks at the latest – once it is no longer required for the aforementioned purposes. Longer storage may occur in individual cases if data is required for evidence purposes (e.g., to investigate security-related incidents). This data is not merged with other data sources.

Shopify Analytics

Provider: Shopify Commerce Ireland Limited, 25-28 North Wall Quay, Dublin 1, D01 H104, Ireland, privacy@shopify.com
Parent company: Shopify Inc., 151 O’Connor Street, Ground Floor, Ottawa, ON K2P 2L8, Canada
Representative (EU): Shopify Commerce Ireland Limited, 25-28 North Wall Quay, Dublin 1, D01 H104, Ireland, privacy@shopify.com
Purpose: Web analytics, e-commerce statistics, and reporting
Category: Statistics
Recipients: Canada, USA, Ireland
Processed data: IP address, HTTP referrer, user agent, browser type, device type, visit duration, page views, interaction events (shopping cart, purchase)
Technology: Cookies (_shopify_s, _shopify_y, _y, _s), JavaScript, Web Pixels API, Local Storage
Legal basis: Consent
Legal basis for data transfer: Adequacy decision for Canada; EU-US Data Privacy Framework certification for Shopify Inc.
Website: https://www.shopify.com
Further information: https://www.shopify.com/legal/privacy, https://www.shopify.com/legal/impressum, https://www.shopify.com/legal/cookies, https://www.shopify.com/legal/terms, https://shopify.dev/docs/api/pixels, https://help.shopify.com/de/manual/reports-and-analytics/shopify-reports, https://www.shopify.com/legal/dpa

On our website, we use the Shopify Analytics service for web analytics, e-commerce statistics, and reporting. The service provides insights into customer behavior, analyzes sales trends, and helps optimize the shopping experience. Technically, this is achieved through client-side tracking using JavaScript snippets and cookies to identify sessions and visitors, as well as through server-side logging of shop interactions. This may involve processing IP addresses, HTTP referrers, user agents, browser types, device types, visit duration, page views, and interaction events such as shopping cart activity and purchases. The following are used: cookies (_shopify_s, _shopify_y, _y, _s), JavaScript, Web Pixels API, and local storage. The specific cookies used with this service, along with detailed information, can be found in our cookie list. Session cookies expire after 30 minutes; persistent analytics cookies, for example for visitor identification, have a duration of up to 1 year.

Additional details can be found in the linked further information. We recommend checking these links regularly for changes, particularly regarding Shopify Analytics. Further information on rights and contact details can be found in the general section of this privacy policy.

General information on data protection

The following provisions apply in principle not only to the data collection on our website, but also in general to other processing of personal data.

Personal data

Personal data is information that can be assigned to you individually. Examples include your address, your name as well as your postal address, email address or telephone number. Information such as the number of users who visit a website is not personal data because it is not assigned to a person.

Legal basis for the processing of personal data

Unless more specific information is provided in this Privacy Policy (e.g. in the case of the technologies used), we may process personal data from you on the basis of the following legal principles:

  • Consent in accordance with Art. 6 paragraph 1 lit. a of the GDPR - The data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes.
  • Fulfillment of a contract and pre-contractual measures pursuant to Art. 6 paragraph 1 lit. b of the GDPR - Processing is necessary for the fulfillment of a contract to which the data subject is a party or for the implementation of pre-contractual measures.
  • Legal obligation pursuant to Art. 6 paragraph 1 lit. c of the GDPR - Processing is necessary for the performance of a legal obligation.
  • Protection of vital interests pursuant to Art. 6 paragraph 1 lit. d of the GDPR - Processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Legitimate interests pursuant to Art. 6 paragraph 1 lit. f of the GDPR - The processing is necessary to protect the legitimate interests of the controller or of a third party unless the interests or fundamental rights and freedoms of the data subject prevail.

Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our home country.

Transfer of personal data

Your personal data will not be transferred to third parties for purposes other than those listed in this Privacy Policy.

We will only transfer your personal data to third parties if:

  • you have given your express consent in accordance with Art. 6 paragraph 1 lit. a of the GDPR,
  • the transfer pursuant to Art. 6 paragraph 1 lit. f of the GDPR is necessary to safeguard legitimate interests, as well as to assert, exercise or defend legal claims and there is no reason to assume that you have a prevailing interest worthy of protection in not disclosing your data,
  • there is a legal obligation to transfer the data in accordance with Art. 6 paragraph 1 lit. c of the GDPR, and this is legally permissible, and/or
  • it is required according to Art. 6 paragraph 1 lit. b of the GDPR for the processing of contractual relationships with you.

Cooperation with processors

We carefully select our service providers who process personal data on our behalf. If we commission third parties to process personal data on the basis of a data processing agreement, this is done in accordance with Art. 28 of the GDPR.

Transfer to third countries

If we process data in a third country or if this is done in the context of using the services of third parties or disclosure or transfer of data to other persons or companies, this is only done on the legal basis described above for the transfer of data.

Subject to express consent or contractual necessity, we process or allow data to be processed only in third countries in accordance with Art. 44 - 49 of the GDPR with a recognized level of data protection or on the basis of special guarantees, such as contractual obligations through so-called standard contractual clauses of the EU Commission, the existence of certifications or binding corporate rules.

Data transfer to the U.S.

We would like to explicitly point out that as of July 10, 2023, the EU Commission has issued an adequacy decision on the EU-US data protection framework (Data Privacy Framework) pursuant to Art. 45 paragraph 1 GDPR. Accordingly, organizations or companies (as data importers) in the US that are registered in a public list as part of the self-certification of the Data Privacy Framework provide an adequate level of protection for data transfers. Whether the specific provider of a service is already certified can be found here: https://www.dataprivacyframework.gov/s/participant-search

The Data Privacy Framework provides a valid legal basis for the transfer of personal data to the USA. This creates binding guarantees to comply with all ECJ requirements; for example, it provides that access by U.S. intelligence services to EU data is limited to a necessary and proportionate level and that a data protection review court is created to which individuals in the EU also have access.

If a transfer of data by us to the US takes place at all or if a service provider based in the US is used by us, we refer to this explicitly in this Privacy Policy (see in particular the description of the technologies used on our website).

It should be noted that aside from significant improvements, the Data Privacy Framework is only partial and only applies to data transfers to those data importers in the U.S. that appear on the public list of certified organizations/companies.

What can the transfer of personal data to the US mean for you as a user and what risks are involved?

As far as data importers in the USA that are not covered by the Data Privacy Framework are concerned, the risks for you as a user are in any case the powers of the US secret services and the legal situation in the U.S., which, according to the European Court of Justice, currently no longer ensure an adequate level of data protection. Among others, these are the following:

  • Section 702 of the Foreign Intelligence Surveillance Act (FISA) does not provide for any restrictions on the surveillance measures of the secret services or guarantees for non-US citizens.
  • Presidential Policy Directive 28 (PPD-28) does not provide effective remedies for those affected against actions by U.S. authorities and does not set limits that ensure measures are proportionate.
  • The ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive; he cannot issue binding orders to the U.S. secret services.

Legally compliant transfer of data to the U.S. on the basis of the standard contractual clauses for data importers not covered by the Data Privacy Framework?

In June 2021, the European Commission adopted new Standard Contractual Clauses (SCC) in Decision 2021/914/EU. These create a new legal basis for data transfers where the level of data protection is not the same as in the EU.

Legally compliant transfer of data to the U.S. based on consent?

If a data transfer to a service provider based in the U.S. takes place that is not covered by the Data Privacy Framework and this data transfer is based on explicit consent, we provide explicit information about this in this privacy policy, in particular in the description of the technologies used on our website.

What measures do we take to ensure that data transfers to the U.S. are legally compliant?

Where US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Union and that access by US authorities is not possible.

Storage periods in general

If no explicit storage period is specified during the collection of data (e.g. in the context of a declaration of consent), we are obliged to delete personal data in accordance with Art. 5 paragraph 1 lit. e of the GDPR as soon as the purpose for processing has been fulfilled. In this context, we would like to point out that legal storage obligations represent a legitimate purpose for the further processing of affected personal data.

Personal data will in principle be stored and retained by us until the termination of a business relationship or until the expiry of any applicable guarantee, warranty or limitation periods; in addition, until the end of any legal disputes in which the data is required as evidence; or in any event until the expiry of the third year following the last contact with a business partner.

Storage periods in particular

As part of the description of individual technologies on our website, there are specific references to the storage period of data. In our cookie table, you will be informed about the storage period of individual cookies. In addition, you always have the possibility to ask us directly about the specific storage period of data. To do so, please use the contact data listed in this Privacy Policy.

Rights of data subjects

Data subjects have the right:

  • (i) in accordance with Art. 15 of the GDPR, to request information about your personal data processed by us. In particular, you may request information on the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned duration of storage, the existence of a right of rectification, deletion, restriction of processing or opposition, the existence of a right of appeal, the origin of your data, if not collected by us, as well as the existence of automated decision making including profiling and, where applicable, meaningful information on the details thereof;
  • (ii) in accordance with Art. 16 of the GDPR, to demand without delay the correction of incorrect or incomplete personal data stored by us;
  • (iii) in accordance with Art. 17 of the GDPR, under specific circumstances to demand the deletion of your personal data stored with us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
  • (iv) in accordance with Art. 18 of the GDPR, to demand the (temporary) restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to delete it and we no longer require the data, but you require it for the assertion, exercise or defense of legal claims or you have lodged an objection to the processing in accordance with Art. 21 of the GDPR;
  • (v) in accordance with Art. 20 of the GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller; however, this only covers those of your personal data that we process with the help of automated processes after your consent or on the basis of a contract with you;
  • (vi) in accordance with Art. 21 of the GDPR, if your personal data are processed on the basis of our legitimate interest, to object to the processing of your personal data for reasons arising from your specific situation or if the objection is directed against direct advertising. In the latter case, you have a general right of objection, which we will implement without indicating a specific situation.
  • (vii) in accordance with Art. 7 paragraph 3 of the GDPR, you may at any time revoke your consent to us. As a result, we may no longer continue the data processing based on this consent in the future. Among other things, you have the option of revoking your consent to the use of cookies on our website with effect for the future by calling up our Cookie Settings.
  • (viii) in accordance with Art. 77 of the GDPR to complain to a data protection authority regarding the illegal processing of your data by us. As a rule, you can contact the data protection authority at your usual place of residence or workplace or at the headquarters of our company.

The responsible data protection authority for GIS AG is:

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
Feldeggweg 1, 3003 Bern, Switzerland
Tel.: +41 (0) 58 462 43 95

The responsible data protection authority for GIS GmbH is:

Der Landesbeauftragte für Datenschutz in Baden-Württemberg
Königstraße 10 a, 70173 Stuttgart, Germany
Tel.: +49 711 615541-0, poststelle@lfdi.bwl.de

Assertion of rights of data subjects

You yourself decide on the use of your personal data. Should you therefore wish to exercise one of your above-mentioned rights towards us, you are welcome to contact us by email at tel@gis-ag.ch or by post, as well as by telephone.

Please assist us in specifying your request by answering questions from our responsible employees regarding the specific processing of your personal data. If there are reasonable doubts about your identity, we may request a copy of your identification.

For questions regarding data protection, you can reach us at tel@gis-ag.ch or at the other contact details stated in this Privacy Policy.

Schötz, on July 3, 2026