TURM KAFFEE PRIVACY POLICY

1. Overview and Scope

This Privacy Policy explains how, and for what purposes, Turm E-Commerce AG, Turm Kaffee GmbH, Turm Kaffee Austria GmbH and Turm Handels AG (also referred to below as “we” or “Turm Kaffee”) process your personal data (referred to below as “you”).

“Personal data” means any information relating to an identified or identifiable natural person.

We process personal data in accordance with the applicable national data protection laws of Switzerland, Austria and Germany (collectively referred to below as the “DSG”) and, where and to the extent applicable, the European Union General Data Protection Regulation (“GDPR”). Where we consider it appropriate, we may provide additional privacy notices supplementing this Privacy Policy.

2. Controller and Contact Point

As a rule, the Turm Kaffee entity responsible for processing your personal data under this Privacy Policy is the entity with which you correspond, or which has referred you to this Privacy Policy in connection with an enquiry, contract or other communication.

For processing in connection with our websites, the entity operating the relevant website is generally responsible. The website www.turm-ecommerce.ch is operated by Turm E-Commerce AG, www.turmkaffee.ch by Turm Handels AG, and www.backup-shop.turmkaffee.ch by Turm Kaffee Austria GmbH.

For processing in connection with our online shops, the controller is the entity operating the respective online shop. The online shop for Switzerland and Liechtenstein, accessible at www.backup-shop.turmkaffee.ch, is operated by Turm E-Commerce AG; the online shop for orders from Austria, accessible at www.backup-shop.turmkaffee.ch, is operated by Turm Kaffee Austria GmbH; and the online shop for orders from the rest of the EU, accessible at www.backup-shop.turmkaffee.ch, is operated by Turm Kaffee GmbH.

Depending on the specific processing activity, Turm Kaffee entities may act as controllers individually or jointly, or as data processors.

Regardless of which Turm Kaffee entity is responsible in the individual case, the central contact point for data protection enquiries is:

Turm Kaffee Austria GmbH
Dr.-Walter-Waizer-Strasse 1a
AT-6130 Schwaz
Tel.: (+43) 0800 1761 1761

EU data protection representative pursuant to Art. 27 GDPR:
[details to be inserted]

Please contact us at the addresses above if you have any questions or concerns regarding data protection.

3. Data Sources and Categories

We primarily process personal data that we receive from or collect in the course of our business activities from customers, prospective customers, website visitors, suppliers, buyers and other business partners. We may also process personal data obtained from publicly accessible sources (e.g. websites or public registers such as the commercial register). In addition, we may receive your personal data from family members, our business partners, public offices and authorities, or other third parties.

Depending on the case, the personal data we process may include, in particular, identification and contact details (e.g. name, address, gender, date of birth, telephone number and email address), delivery address, financial information for payment purposes (e.g. bank account details), data relating to the use of our websites (e.g. IP address), and information of any kind arising from correspondence, contacts and interactions with us.

4. Purposes of Processing and Legal Bases

4.1 General purposes in the course of our business activities

We process your personal data primarily for purposes required in connection with our business activities and the provision of our services. In particular, we may process your personal data for the following purposes:

  • to communicate with you, including to provide information and handle your enquiries. If you contact us by email or via a contact form, you authorise us to respond via the same channel. Please note that unencrypted emails are transmitted over the public internet, meaning they may be accessible to third parties and may be altered. We therefore ask that you do not send confidential information by email. To the extent permitted by law, we exclude any liability, in particular for transmission errors, content manipulation, or network disruptions (interruptions, overload, unlawful interference, blocking);

  • to provide, evaluate and improve our services and websites;

  • to deliver our products to you;

  • to organise and run events;

  • to maintain and manage our business relationship with you (e.g. invoicing);

  • to inform you about new developments or provide other information about our services and products;

  • to use testimonials (e.g. reviews relating to a service, product or offer);

  • to implement IT and building security measures;

  • to assert legal claims and defend ourselves in legal disputes and proceedings, including administrative proceedings;

  • to comply with legal obligations in Switzerland and abroad.

Depending on the situation, we process your personal data on one or more of the following legal bases:

  • processing is necessary for the performance of a contract with you;

  • you have given your consent;

  • processing is necessary for compliance with a legal obligation;

  • processing is necessary to protect vital interests of the data subject or another natural person; and/or

  • we have a legitimate interest in processing.

4.2 Events and courses

We may process personal data that you provide or that we collect in connection with your registration for and participation in an event or course for the following purposes:

  • to organise and run events and courses;

  • to report on our events and courses (e.g. in the form of texts, photos, video and audio recordings);

  • to market additional services, offers and products.

In addition to the legal bases listed under section 4.1, we may rely (depending on the situation) on the following legal bases:

  • processing is necessary for the performance of a contract with you;

  • you have consented to the processing; and/or

  • we have a legitimate interest, in particular in providing our services, evaluating and improving our courses and events, and promoting them. Depending on the case, other legitimate interests may also apply.

4.3 Visiting our websites

You can visit our websites without actively providing personal data. However, each time you access a website, the server automatically records certain user information which is temporarily stored in server log files. This information includes, among other things, the IP address, date and time of access, time zone difference to GMT, the name and URL of the retrieved file, the referring website, the browser used, and the operating system.

This information is not attributed to a specific individual. Collecting this data is technically necessary to display our websites and to ensure their stability and security. We also collect this information to improve the websites and analyse their use. The legal basis for temporary storage of this information and the log files is our legitimate interest in providing high-quality websites and continuously improving them.

4.4 Contact forms

You can contact us via the contact forms provided on our websites. To use a contact form, you must provide your name, your email address and your message. We store the personal data you submit and process it to handle your enquiry. The legal bases are your consent and our legitimate interest in responding to your enquiry.

4.5 Contact via email and telephone

You can contact us electronically or by telephone using the email addresses and telephone numbers provided on our websites. In this case, we store the personal data you provide and process it to handle your enquiry. The legal bases are your consent and our legitimate interest in responding to your enquiry.

4.6 Registration

Customers can register in our online shops and create a customer account. During registration, customers provide certain personal data, in particular their name and email address.

In addition to the purposes set out in section 4.1, we use this data in particular to verify and create your customer account and to handle any enquiries you submit in connection with your account.

The legal bases are the performance of a contract with you, your consent, and our legitimate interests.

4.7 Online shop

If you order products via our online shops, we may process your personal data, in addition to the purposes in section 4.1, for the following purposes:

  • to process your order (including invoicing and payment processing);

  • to handle complaints, claims and defects;

  • for statistical analyses;

  • to operate, manage and promote our online shop;

  • to report on our events (e.g. texts, photos, video and audio recordings);

  • to market additional services, offers and products.

In addition to the legal bases listed under section 4.1, we rely (depending on the situation) on the following legal bases:

  • processing is necessary for the performance of a contract with you; and/or

  • we have a legitimate interest in processing the personal data we collect, in particular to evaluate, operate, improve and promote our online shops.

4.8 Cookies and tools

Our websites use cookies or other technologies/tools such as pixels, tags or external services (collectively referred to below as “cookies” or “tools”). Cookies may be text files stored by your browser on your device, or image files such as pixels. Cookies contain a characteristic string that enables your browser or device to be uniquely identified when you revisit the website or app.

Cookies serve, first, to enable and facilitate use of our websites. Certain functions (so-called strictly necessary cookies) cannot be provided without cookies. Second, we use cookies/tools to analyse user behaviour on our websites (in particular for reach measurement) and for marketing purposes.

4.8.1 Strictly necessary cookies

Strictly necessary cookies are required for our websites to function and cannot be switched off in our systems. They generally record key actions, such as the number of requests made, managing your privacy settings, or completing forms. You can block these cookies in your browser, but parts of our website may then no longer function.

4.8.2 Analytics cookies and marketing cookies

Analytics cookies allow us to analyse visitor behaviour and traffic sources, measure the performance of our websites and improve the user experience. They help us understand which pages are most popular and how visitors move around our websites.

Marketing cookies allow us to provide advertising that is relevant to you. These cookies may record that you have visited our websites and may share this information with other companies, including other advertisers.

We use the following analytics and marketing tools in particular:

You can object to the use of cookies by (i) selecting the appropriate settings in your browser, (ii) using cookie-blocking software (e.g. Ghostery), or (iii) in the case of Google cookies, downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout?hl=de

Further information about third-party tools is provided in the description of the tools used in this Privacy Policy.

4.9 Google Tag Manager

We may use Google Tag Manager on our websites. Google Tag Manager is a solution that enables website tags to be managed via an interface. According to Google, the tool itself is a cookie-free domain and does not collect personal data. It triggers other tags which may, in turn, collect personal data. Google Tag Manager does not access this data. If deactivation has been implemented at domain or cookie level, it remains in place for all tracking tags implemented via Google Tag Manager. You can prevent the setting of tags at any time.

The legal bases are your consent and our legitimate interests.

4.10 YouTube videos

We may embed YouTube videos on our websites so that they can be played directly from our pages. All YouTube videos are embedded in “enhanced privacy mode”, meaning no data is transmitted to YouTube unless you play the videos. Only when you play a video is data transmitted.

The legal basis for processing is your consent. Further information on Google’s processing of personal data in connection with YouTube is available at: https://policies.google.com/privacy?hl=de&gl=de

4.11 Newsletter

If you subscribe to our newsletter, we use your email address and other contact details to send it to you. By subscribing, you consent to the processing of your personal data for this purpose. Providing your email address is mandatory for receiving the newsletter, and we store it after your subscription.

The legal basis for processing your data in connection with the newsletter is your consent. You may withdraw your consent at any time and unsubscribe. You can do so by clicking the link provided in each newsletter email, by emailing info@turmkaffee.at, or by sending a message to the contact details listed in the legal notice (Impressum).

We use Klaviyo to send our newsletter, a service provided by Klaviyo Inc., 125 Summer Street, Floor 6, Boston, MA 02110, USA (“Klaviyo”).

The data submitted when you sign up for the newsletter is stored on Klaviyo’s servers in the USA. Klaviyo uses this information to send and analyse the newsletters on our behalf. For more information on Klaviyo’s data processing, please refer to its privacy policy: https://www.klaviyo.com/legal/privacy-policy

4.12 Applications

You can submit job applications by post or via the email addresses provided on our websites. Application documents and all personal data you provide are treated confidentially, are not shared with third parties, and are processed solely for the purpose of handling your application. Unless you instruct us otherwise, your application file will be returned to you or deleted/destroyed after completion of the recruitment process, unless we are required to retain it by law.

The legal bases are your consent, performance of a contract with you, and our legitimate interests.

5. Disclosure of Personal Data to Recipients and Abroad

5.1 Disclosure to recipients

In addition to the disclosures explicitly mentioned in this Privacy Policy, we may disclose personal data—where permitted and necessary—to the following categories of recipients:

  • other companies within the Turm Kaffee group;

  • service providers to whom we outsource certain services (e.g. IT and hosting providers, shipping providers, payment service providers, banks, insurers, etc.);

  • distributors, suppliers, subcontractors and other business partners;

  • auditors, fiduciaries and other external professional advisers of Turm Kaffee;

  • transport service providers;

  • Swiss and foreign authorities, public bodies or courts.

5.2 Disclosure of personal data abroad

As a rule, we process your personal data in Switzerland, Austria and Germany. In certain cases (e.g. when using specific service providers or software applications), personal data may also be transferred to other member states of the European Union, EFTA states, or other countries worldwide.

Where we transfer data to a country without an adequate level of statutory data protection, we ensure an appropriate level of protection as required by law by using suitable safeguards (in particular agreements based on the European Commission’s Standard Contractual Clauses) or we rely on statutory exemptions (e.g. consent, performance of a contract, establishment, exercise or enforcement of legal claims, overriding public interests, publicly disclosed personal data, or where the transfer is necessary to protect the integrity of the data subjects).

6. Retention Period

Subject to legal obligations (e.g. statutory retention periods) or overriding interests on our part, we retain your personal data only for as long as necessary for the relevant processing purpose.

Personal data held due to a contractual relationship with you is retained at least for the duration of the contractual relationship and for as long as limitation periods for potential claims are running or contractual retention obligations apply. Once your personal data is no longer required for the purposes set out above, it will generally be deleted, anonymised, or at least restricted from further active processing, where possible.

7. Your Rights

Under the data protection law applicable to you, and to the extent provided for therein, you have the right to access, rectify and erase your personal data, the right to restrict processing, and otherwise to object to our processing. You may also have the right to receive certain personal data for the purpose of transferring it to another controller (data portability). Please note that we reserve the right to assert statutory limitations, for example where we are required to retain or process certain data, have an overriding interest in doing so (where we are entitled to rely on such interest), or need the data to assert legal claims. If costs are incurred, we will inform you in advance.

Where processing is based on your consent, you may withdraw your consent at any time with effect for the future. This does not affect the lawfulness of processing carried out on the basis of your consent up to the time of withdrawal.

Exercising these rights generally requires clear proof of identity (e.g. a copy of an ID document where your identity is otherwise unclear or cannot be verified). To exercise your rights, please contact us at the address listed in section 2 of this Privacy Policy.

You also have the right to enforce your claims in court or to lodge a complaint with the competent data protection authority. The competent authority may vary depending on your place of residence or the location where the alleged breach of data protection law occurred.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, misuse, loss and destruction. In particular, we use firewalls, implement authorisation concepts, conduct regular training, and apply additional safeguards to ensure the most comprehensive protection of personal data possible.

9. Updates to this Privacy Policy

We expressly reserve the right to amend this Privacy Policy at any time. Any updates will be published promptly on our websites. The version published on our websites is the applicable version.

March 2024