PERSONAL DATA PROTECTION STATEMENT

This Personal Data Protection Statement applies to all users of VisionCompliance services, insofar as personal data is processed within the framework of its services. This includes Customers who have purchased training products from VisionCompliance, persons who use the "arketiks" applications developed by VisionCompliance and any visitor to the websites: visioncompliance.ch and arketiks.com.

For the sake of simplicity, all persons concerned by the processing of data are hereinafter referred to as "Customers".

IN GENERAL

VisionCompliance attaches great importance to the respectful treatment of its Customers’ data. For this reason, VisionCompliance only processes the data necessary for the operation of its business. Furthermore, VisionCompliance does not process any behavioural data and does not market any personal data of its Customers.

VisionCompliance attaches great importance to the security of its Customers’ data and takes the necessary security measures. VisionCompliance is constantly improving its security measures and adapting them to the current state of the art.

If you have any questions about the processing of your personal data, you can contact us by e-mail at: client@visioncompliance.ch

DECLARATION

This personal data protection directive applies to all persons whose data VisionCompliance processes.

VisionCompliance deals with the following categories of people:

• Visitors to its two websites (visioncompliance.ch and arketiks.com)
• Holders of a customer account following the purchase of a licensed training product or on its online shop
• Users of its arketiks applications (learn, vision, comply, diploma, exam, quiz, motion)
• Recipients of information and marketing communications
• The contact persons of its suppliers, customers and other business partners, as well as organisations and authorities.

Basic data

The basic data are the fundamental data concerning the Customers. This basic data is collected when the Customer creates an account with VisionCompliance. We also collect basic data relating to contact persons and representatives of contractual partners, organisations and authorities.

Basic data may include:

• First name, surname, gender
• Professional e-mail address

Product data

Product data is linked to the use of a specific service, whether it be a purchase or the use of an arketiks application. The table in the appendix lists the different data processed depending on the arketiks application used.

Product data may include:

• Date of birth
• A photo or video
• A copy of the identity document
• Professional and/or personal e-mail address
• Business and/or private telephone number
• Title, function
• Employer
• And so on.

Contract data

Contract data are personal data collected in connection with the conclusion and performance of contracts.

Contract data include:

• Contract conclusion dates
• Information on the contracts concerned (e.g. duration, product)
• Data relating to the performance and management of the contract (e.g. billing address, delivery address, list of purchases)
• Customer contact details (surname, first name, business e-mail address, business telephone number)
• Interactions with Customers and contact persons or representatives of commercial partners

Communication data

Communication data are data from written exchanges between the Customer and VisionCompliance concerning a VisionCompliance service or product. We process the content of the communications exchanged and information on the type, time and place of the communication.

Technical data

When the Customer uses our website or our arketiks applications, VisionCompliance may collect certain technical data:

• Connection IP addresses
• Information relating to the Customer's device and its configuration, for example the operating system and language settings.
• Log files, identification data
• Connection history
• Information relating to the browser with which the Customer accesses the offer and its configuration
• Approximate location and time of use.

VisionCompliance minimises the data collected from its Customers and does not analyse personal data. VisionCompliance does not collect data that are:

• sensitive
• behavioural
• biometric
• by preference

Furthermore, VisionCompliance does not carry out profiling and does not make automated individual decisions.

Data supplied

It is the Customer who provides its own personal data or that of its employees. The Customer provides its data when:

• It creates a customer account
• It makes a purchase from our online shop
• It registers employees for an arketiks application
• It subscribes to our newsletter

With the exception of newsletter subscriptions, the processing of this personal data is necessary for the processing of the contractual relationship with the Customer and for the fulfilment of the obligations associated therewith or prescribed by law, for example mandatory contractual data. Without this data, VisionCompliance cannot conclude or continue to execute the contracts concerned.

If the Customer transmits data concerning other persons (e.g. employees), VisionCompliance assumes that the Customer is authorised to do so and that these data are correct. The Customer shall ensure that these other persons are informed of this data protection declaration.

VisionCompliance uses cookies to facilitate access to its services, to analyse traffic and usage and to identify malfunctions in the site and its services. This also makes it possible to improve the visitor experience and the design and content of the site.

VisionCompliance uses the following types of cookies:

• Technical and functional cookies: cookies required to ensure the optimal operation of its websites. In particular, they are used for session management, security, ergonomics, language selection and saving in the shopping basket. They are always activated.
• Analysis cookies: cookies used to gain a better understanding of site usage and performance, to compile statistics and to improve our services. These statistics may be used by partners or by us to optimise the visitor's browsing experience. VisionCompliance uses web analysis services such as Google Analytics.

The information generated by the cookie about use of the website is generally transmitted to and stored by Google on servers in the United States.

Performance of contracts

VisionCompliance processes personal data in connection with the establishment, management and performance of contracts with its Customers. VisionCompliance uses master data, product data and contract data for this purpose.

This applies, for example, to treatments:

• For the provision of the contractually agreed service
• For invoicing services and general accounting purposes
• For data back-up in the context of retention obligations

Information and marketing

VisionCompliance processes personal data for relationship management and marketing purposes, e.g. to send its Customers written communications and offers and to conduct marketing campaigns. VisionCompliance uses master and contract data for this purpose.

These may include:

• Newsletters
• Advertising e-mails
• Advertising brochures

The Customer may at any time refuse to be contacted for marketing purposes. In the case of electronic communications, the Customer may unsubscribe via an unsubscribe link included in the communication.

Compliance with legal requirements and preservation of rights

VisionCompliance also processes personal data in order to comply with legal requirements, prevent infringements or enforce its rights.

This includes:

• Providing information and documents to the authorities if there is an objective reason (e.g. because VisionCompliance is the injured party) or if it is legally obliged to do so.
• Compliance with archiving obligations
• Participation in judicial and administrative proceedings in Switzerland by handing over documents containing personal data to an authority.

VisionCompliance may transmit personal data to companies when the company uses the services of these companies (subcontractors) or when it has entered into training partnerships with third-party companies.

Subcontractors

VisionCompliance authorises subcontractors to process its Customers’ data. VisionCompliance chooses reputable subcontractors and ensures that they have rules guaranteeing respect for personal data in accordance with the DPA, and that they have an adequate security policy.

These services may include:

• Transport and logistics, for example for shipping goods
• Advertising and marketing services, e.g. sending newsletters by e-mail
• Business management, e.g. accounting
• IT services, e.g. data storage (hosting), cloud services, e-mail newsletters, etc.
• Credit/debit card payment providers.

Training partners

When VisionCompliance carries out digital training in collaboration with an expert company, the latter regularly receives a list of sales from its online shop. In this context, the following personal data are transmitted to the partner:

• Customer first name and surname
• Product(s) purchased
• Date of purchase
• Possible discount

The partner receiving the data is responsible for protecting it in accordance with the Data Protection Act.

VisionCompliance takes appropriate technical and organisational security measures to guarantee the security of personal data, to protect its Customers against unjustified and unlawful processing, and to act against the risk of loss, accidental alteration, unwanted disclosure or unauthorised access. VisionCompliance cannot, however, exclude with certainty all data protection breaches; certain residual risks being unavoidable.

All data are stored on servers in Switzerland, except for subcontractors who may be located outside Switzerland. User data are encrypted on servers in Switzerland. Our staff are trained in IT security and our organisation has implemented access restrictions.

VisionCompliance processes and records personal data:

• for as long as necessary to achieve the purpose of the processing, i.e. generally for the duration of the contractual relationship
• as long as VisionCompliance has a legitimate interest in recording them. This may in particular be the case when the company needs them to assert rights, defend itself against claims, etc.
• as long as required by law. A legal retention period of ten years applies to certain data, for example.

VisionCompliance applies the following retention periods, which the company may waive on a case-by-case basis:

• Customer account on the website: basic and product data are kept for as long as the Customer account exists. If deletion of the Customer account is requested, the data will be deleted immediately.
• arketiks applications: database and product data are deleted within 4 months of the end of the contract with the Customer.
• Contracts: contract and communication data are kept for ten years from the last contractual activity or the end of the contract. However, this period may be longer if necessary for evidential purposes, due to legal or contractual provisions or for technical reasons. Transaction data relating to contracts are generally kept for ten years.
• Websites: technical data relating to the Customer remain stored for 30 days.

Provided the applicable conditions are met and no legal exceptions apply, Customers have the following rights:

• the right to request access to data stored at VisionCompliance
• the right to have inaccurate or incomplete personal data corrected
• the right to demand the deletion and destruction of personal data
• the right to request restrictions on the processing of personal data
• the right to receive the Customer's personal data processed by VisionCompliance, in a structured, commonly used and machine-readable format
• the right to withdraw consent with effect for the future, insofar as processing is based on consent.

These rights may be limited or excluded in particular cases, for example if there are doubts about identity or if this is necessary to protect other people, to safeguard interests worthy of protection or to comply with legal obligations.

Persons holding a Customer account may correct the basic data stored there at any time. They may also request the deactivation of their Customer account or the complete deletion of their personal data. Customers may also unsubscribe from newsletters and other advertising e-mails by clicking on the corresponding link at the end of the e-mail.

VisionCompliance may refuse to respond to requests for the transmission of personal data if the company finds that the request is unfounded, for example, an unnecessary request, repeated requests with the aim of causing harm, a request that does not serve to assert its rights in terms of data protection.

If you have any questions about this data protection declaration or the processing of your personal data, you can contact VisionCompliance at the following address:

VisionCompliance SA
Rue de Contamines 16
1206 Geneva

Or by e-mail to: client@visioncompliance.ch

This data protection declaration may be amended at any time, in particular if VisionCompliance modifies the processing of data or if new legal provisions come into force. Where changes are significant, VisionCompliance will actively inform Customers who have licence agreements for the use of arketiks applications: learn, motion, quiz. Other Customers will find the latest updated version of the personal data protection directive on the VisionCompliance and arketiks websites.

Data processed according to the arketiks application used