Privacy Policy
This Privacy Policy explains which personal data is processed when visiting and using this website.
1. Controller
The controller responsible for the processing of personal data on this website is:
STEMMER ASSOCIATES GmbH
Ferdinand-Hodler-Strasse 40
8049 Zurich
Switzerland
Commercial Register: Commercial Registry Office of the Canton of Zurich
Commercial Register No.: CH-020.4.052.144-7
UID: CHE-261.494.773
Authorized managing directors:
Norbert Ferdinand Stemmer
Silvia Torreiter-Graf
Email: contact@stemmerassociates.com
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
2. Overview of Data Processing
| Area | Data processed |
|---|---|
| Website visit | IP address, date and time, pages accessed, browser and device information, referrer and technical log data. |
| Registration and login | Name, alias/username, email address, password hash, customer number, preferred language, license name, consent confirmations, login and security data. |
| Purchases and digital content | Order data, product data, entitlements/activations, online reading access, vouchers, gift access, payment status, currency, price and, where applicable, invoice data. |
| Voluntary support | Payment amount, payment status, currency, time of payment, technical payment data and, where applicable, information from the user account. |
| Contact and newsletter | Type of inquiry, message, contact details, newsletter email address, confirmation and unsubscribe data. |
| Security and bot protection | Technical data used to secure forms, in particular when using Cloudflare Turnstile. |
3. Legal Bases
We process personal data in particular on the basis of the General Data Protection Regulation (GDPR), where applicable, and on the basis of Swiss data protection law, where applicable.
The processing of personal data is carried out in particular on the following legal bases:
- Art. 6(1)(b) GDPR, where processing is necessary for the performance of a contract or for taking steps prior to entering into a contract, for example registration, login, purchases, digital access, vouchers, gift access and support.
- Art. 6(1)(c) GDPR, where legal obligations exist, for example tax, commercial or accounting retention obligations.
- Art. 6(1)(f) GDPR, where we have a legitimate interest in the secure, stable, user-friendly and abuse-free operation of the website.
- Art. 6(1)(a) GDPR, where consent has been given, for example for optional analytics functions, external media or newsletters.
4. Hosting and Server Logs
This website is operated through a hosting provider. When the website is accessed, the server automatically processes technical access data. This may include, in particular, IP address, date and time of access, requested URL, HTTP status code, amount of data transferred, referrer, browser type, operating system and technical device information.
The processing is carried out to provide the website, ensure stability and security, analyze errors and defend against attacks. The legal basis is Art. 6(1)(f) GDPR.
Hosting provider:
Please add the actual hosting provider here, including name, address and
country, for example IONOS, a VPS provider or another technical service
provider.
6. User Account, Registration and Login
When registering and using a user account, we process the data entered, in particular first name, last name, alias/username, email address, password hash, customer number, preferred language, license name and the confirmation of the Terms and Conditions, Privacy Policy and license terms.
Passwords are not stored in plain text, but as a cryptographic hash. Login attempts may be logged and limited for security reasons. The legal basis is Art. 6(1)(b) GDPR for account and contract functions and Art. 6(1)(f) GDPR for security measures.
7. Cloudflare Turnstile
We use Cloudflare Turnstile to protect registration and login forms against abuse, spam and automated attacks. The provider is Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.
Cloudflare Turnstile may process technical information, for example IP address, browser and device information, interaction data with the website and technical verification values. The purpose is to distinguish between human users and automated access and to prevent abusive behavior.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the security of the website, the protection of user accounts and the prevention of abusive registrations and login attempts.
When using Cloudflare, data may also be transferred to the USA. Cloudflare provides information on data protection and GDPR compliance. For productive operation, it should be checked whether a data processing agreement or the required data protection agreement with Cloudflare has been concluded.
8. Purchases, Digital Content, Vouchers and Voluntary Support
If digital content, books, online reading access, vouchers, gift access or voluntary support are used, purchased or booked, we process the data required for this purpose.
This includes, in particular, user account, product, order status, payment status, currency, price, activations, voucher or gift codes and, where applicable, recipient information for gift access.
The processing is carried out for the performance of the contract, the provision of purchased or activated content, the processing of voluntary support, fraud prevention and compliance with statutory retention obligations. The legal bases are Art. 6(1)(b), Art. 6(1)(c) and Art. 6(1)(f) GDPR.
Voluntary support is not a prerequisite for the use of free content, unless expressly stated otherwise in the respective support process.
9. Payment Processing via Stripe
We use Stripe for payment processing. Depending on the contractual relationship, the provider is in particular Stripe Payments Europe, Limited, The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland, or an affiliated company of the Stripe group.
If you make a purchase or provide voluntary support, payment data may be processed directly by Stripe. This may include, in particular, name, email address, billing data, payment amount, currency, payment status, transaction data, technical data and information for fraud prevention.
We generally do not receive complete credit card data ourselves. Payment processing is carried out via Stripe’s technical infrastructure. The legal basis for processing in connection with purchases and payments is Art. 6(1)(b) GDPR. Where processing is necessary for fraud prevention, security or legal enforcement, it is carried out on the basis of Art. 6(1)(f) GDPR.
Stripe’s privacy policy and terms of use additionally apply to processing by Stripe.
10. Contact Form and Inquiries
If you contact us via the contact form or by email, we process the information you provide, in particular name, email address, subject, message and time of the inquiry.
The processing is carried out to handle the inquiry. The legal basis is Art. 6(1)(b) GDPR if the inquiry is related to a contract or pre-contractual measures; otherwise, the legal basis is Art. 6(1)(f) GDPR.
12. External Media and Embedded Content
External media or embedded content may be used on the website, for example audio, video, map or social media content. Such content is loaded only after consent has been given, unless it is technically necessary.
When external content is loaded, personal data, in particular IP address and technical browser data, may be transmitted to the respective provider. Consent can be changed or withdrawn via the privacy settings.
13. Data Transfers to Third Countries
STEMMER ASSOCIATES GmbH is based in Switzerland. From the perspective of the European Union, Switzerland provides an adequate level of data protection.
Where we use service providers that process personal data outside Switzerland, the European Union or the European Economic Area, this is done only where a suitable legal basis exists. This may include, in particular, adequacy decisions, standard contractual clauses or other appropriate safeguards.
14. Retention Period
We store personal data only for as long as this is necessary for the respective purposes or as long as statutory retention obligations exist. User account data is generally stored until the account is deleted, unless statutory retention obligations or legitimate interests prevent deletion.
- Server logs: generally only for a limited period, unless security-related retention is required.
- Contact inquiries: until final processing and thereafter in accordance with statutory or legitimate retention periods.
- Order and invoice data: in accordance with statutory tax, commercial and accounting retention obligations.
- Newsletter data: until consent is withdrawn or the subscription is cancelled; proof data may be stored for longer where applicable.
- Data relating to digital activations and licenses: for as long as this is necessary to prove lawful use, provide purchased content or enforce legal claims.
15. Rights of Data Subjects
Under the GDPR, where applicable, you have in particular the following rights:
- Right of access under Art. 15 GDPR
- Right to rectification under Art. 16 GDPR
- Right to erasure under Art. 17 GDPR
- Right to restriction of processing under Art. 18 GDPR
- Right to data portability under Art. 20 GDPR
- Right to object under Art. 21 GDPR
- Right to withdraw consent given with effect for the future under Art. 7(3) GDPR
To exercise your rights, you can contact us using the contact details provided above.
Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.
Where Swiss data protection law is applicable, you may also contact the Swiss Federal Data Protection and Information Commissioner (FDPIC).
16. Security
We take technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration or disclosure. These include, in particular, access restrictions, password hashing, CSRF protection, rate limiting, bot protection and encrypted transmission, where supported by the hosting provider.
17. Changes to this Privacy Policy
We may amend this Privacy Policy if the functions of the website, the services used or legal requirements change. The version published on this page at any given time applies.
This Privacy Policy has been prepared for the current technical implementation of the website and should be checked against the actual service providers, contracts and technical functions used before productive operation.