infoscore AG ("infoscore", also referred to as "we", "us") collects and processes personal data that concerns you and other persons ("third parties"). We use the term "data" here with the same meaning as "personal data" or "personally identifiable data".
In this data privacy statement, we describe what we do with your data when you are in contact with us in connection with a contract, communicate with us or otherwise interact with us. Where applicable, we will notify you in writing in good time of any additional processing activities not mentioned in this data privacy statement. In addition, we may inform you separately about the processing of your data, e.g. in declarations of consent, contractual conditions, additional data privacy statements, forms and notices.
If you provide us with information about other persons, we assume that you are authorized to do so and that this information is correct. By transmitting data about third parties, you confirm this assumption. Please also ensure that these third parties have been informed of this data privacy statement.

infoscore is responsible for the data processing described in this data privacy statement, unless otherwise communicated in individual cases.
You can reach us to discuss your data protection concerns and exercise your rights under Section 11 as follows:

infoscore AG, Ifangstrasse 8, 8952 Schlieren
Data protection officer
Email: dataprotection@infoscore.ch
Riverty Services Austria GmbH, z.H. Datenschutzbeauftragter,
Karl-Popper-Straße 2/Top 6, 1100 Wien datenschutz.at@riverty.com

We process different categories of data about you. The main categories are as follows:
Technical data: When you use our website or other electronic offerings, we collect the IP address of your end device and other technical data to ensure the functionality and security of these offerings. This data also includes logs that record the use of our systems. We usually store technical data for 12 months. To ensure the functionality of these offerings, we may also assign you or your device a unique code (e.g. in the form of a cookie, see Section 12). The technical data itself does not allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls or the processing of contracts, this data may be linked to other categories of data (and thus potentially to your identity).

Communication data: If you contact us via the contact form, by email, telephone, chat, letter, or any other means of communication, we will collect the data provided, including your contact details and the ancillary information related to the communication. If we record or listen to telephone calls or video conferences, e.g. for training and quality assurance purposes, we will make you aware of this in the particular instance. Such records may only be made and used in accordance with our internal policies. You will be informed whether and when such recordings take place, e.g. by a notice during the respective video conference. If you do not wish to be recorded, please let us know or cease your participation. If you simply do not want your image to be recorded, please switch off your camera. If we want or need to establish your identity, e.g. in the event of an information request from you, an application for media access, a loan application, etc., we will collect data to identify you (e.g. a copy of an ID). We usually keep this data for 24 months from the last interaction with you. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or where this is technically necessary. Emails and written correspondence are generally retained for at least 10 years.

Master data: Master data refers to the fundamental information that we require in addition to the contractual data (see below) for the processing of our contractual and other business relationships, including name, address, email address, landline and mobile phone numbers, as well as related mobile contract information and other contact details, gender, date of birth, nationality, marital status, family relationships, details regarding occupation and workplace, information about related persons, websites, social media profiles, photos and videos, copies of identification documents; furthermore, details about your relationship with us (debtor, customer, supplier, visitor, service recipient, etc.), information regarding your status with us, powers of attorney, signing authorizations, and consent declarations, allocations, classifications and distribution lists, details of our interactions with you (if applicable, a history of these with corresponding entries), reports (e.g. from the media) or official documents (e.g. extracts from the commercial register, permits, etc.) that concern you. For example, we collect your bank details, account number and credit card details as payment information. Consent or blocking notices are also considered master data, along with information about third parties, such as contact persons, recipients of services, advertising recipients or representatives. For contact persons and representatives of our customers, suppliers and partners, we process master data including name and address, details regarding role, function within the company, qualifications and, where applicable, information about supervisors, employees and subordinates, as well as details about interactions with these persons. Master data is not collected comprehensively for all contacts. The specific data we collect depends primarily on the purpose of processing. We receive master data from you, from organisations you work for, or from third parties such as our contractual partners, associations and address brokers, as well as from publicly available sources like public registers or the Internet (websites, social media, etc.). We may also process health data and information about third parties in the context of master data. We typically retain this data for 10 years from the last interaction with you, or at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or where this is technically necessary. For pure marketing and advertising contacts, the period is usually significantly shorter, typically no more than two years since the last contact.

Contract data: Contract data refers to information that arises prior to the conclusion of a contract and in connection with the contract's formation, as well as its processing and administration. This includes details from the application process, the type and date of the contract’s conclusion, information about the services to be provided or already provided, details related to invoicing, customer service, technical support and the enforcement of contractual claims. This also includes health data and information about third parties. Contract data also includes information about defects, complaints and adjustments to a contract, as well as information on customer satisfaction, which we may collect, for example, by means of surveys. Contract data also encompasses financial information such as details regarding creditworthiness (i.e. information that allows conclusions to be drawn about the likelihood of receivables being settled), reminders and collections, information about income and assets, as well as monthly expenses such as rent and maintenance (alimony), occupation, employer, any credit obligations, and payment experiences related to our services; furthermore, payment information (bank details [IBAN, BIC, account holder], invoicing information), previous purchases, payment history and credit acceptance. We typically collect this data from you, contractual partners and third parties involved in the execution of the contract, as well as from third-party sources (e.g. credit data providers) and publicly available sources. We typically retain this data for 10 years from the last contract activity, but for a minimum of 10 years from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or where this is technically necessary.

Behaviour and preference data: Depending on the relationship we have with you, we try to get to know you and better tailor our products, services and offers to you. For this purpose, we collect and use data about your behaviour and preferences. We do this by evaluating information about your behaviour in our field, and we may also supplement this information with information from third parties – including from publicly accessible sources (credit rating data/internal scoring). Based on this, we can calculate, for example, the likelihood that you will use certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g. when you use our services), or we obtain this data by recording your behaviour. We anonymize or delete this data when it is no longer meaningful for the purposes pursued, which may be between 2-3 weeks and 24 months (for product and service preferences), depending on the type of data. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or where this is technically necessary. How tracking works on our website is described in Section 12.

Other data: We also collect data from you in other situations. In connection with official or judicial proceedings, for example, data is collected (such as files, evidence, etc.) that may also relate to you. For reasons of health protection, we may also collect data (e.g. as part of safety concepts). We may obtain or produce photos, videos and audio recordings in which you may be identifiable. We may also collect data on who enters specific buildings and when they have access rights (including for access controls, based on registration data or visitor lists, etc.), who participates in events or activities (e.g. competitions) and when, or who uses our infrastructure and systems. The retention period of this data is based on the purpose and is limited to the extent that this data is necessary.

Many of the data mentioned in this Section 3 are provided by you directly (e.g. via forms, as part of your communication with us, or in connection with contracts). You are not obliged to do so, with the exception of individual cases, e.g. as part of mandatory safety concepts (legal obligations). If you wish to enter into contracts with us or use services, you must also provide us with data as part of your contractual obligations in accordance with the relevant contract, particularly master data, contract data and registration data. If you wish to gain access to certain systems or buildings, you will need to provide us with registration details. However, in the case of behaviour and preference data, you generally have the option of objecting or not giving consent.

Where legally permissible, we also obtain data from publicly accessible sources (e.g. debt enforcement registers, land registers, commercial registers, media, or the Internet, including social media) or receive data from other companies (debt collection clients and companies within our group), from authorities and from other third parties (such as credit bureaus, address brokers, associations, contractual partners, online analytics services, etc.).

We process your data for the purposes we explain below. These purposes, or the underlying objectives, represent legitimate interests of ours and, where applicable, of third parties. Further information on the legal basis for our data processing can be found in Section 5.

We process your data for purposes related to communication with you, particularly to respond to enquiries and to exercise your rights (Section 11) and to contact you if you have any further questions. In particular, we use communication data and master data for this purpose. We retain this data to document our communication with you, for training purposes, for quality assurance and for enquiries.

We also process data for the establishment, administration and execution of contractual relationships as well as debt collection. In connection with contract conclusion and debt collection, we process data to verify identity and creditworthiness (this may also involve obtaining assessments from third parties, such as credit bureaus), as well as for establishing the customer or collection relationship. Some of this information is checked to ensure compliance with legal requirements. In the context of handling contractual relationships, we process data to manage customer relationships, deliver and request contractual services (which also includes third parties such as logistics companies, security services, advertising agencies, banks, insurance companies and credit bureaus that may in turn provide us with data), as well as for advice and customer support. This also includes the enforcement of legal claims arising from contracts (debt collection, legal proceedings, etc.), along with accounting, contract termination and public communication.

We also process data for marketing purposes and relationship management, e.g. to send our customers and other contractual partners personalized advertising about products and services from us and third parties (e.g. advertising contractual partners). This may take the form of newsletters and other regular communications (electronically, by post or by telephone), through other channels for which we have your contact information, as well as individual marketing campaigns (e.g. events, competitions, etc.), and may also include complimentary services (e.g. invitations, vouchers, etc.). You can decline such contacts at any time (see the end of this Section 4) or refuse or withdraw your consent to be contacted for advertising purposes. With your consent, we can adjust our online advertising more specifically to you (see Section 12).
We also process your data for market research, to improve our services and operations, and for product development.
We may also process your data for financing purposes (sale and assignment of receivables related to corporate loans or other forms of refinancing).
We process personal data to comply with laws, instructions and recommendations from authorities and internal regulations ("compliance").
We also process data for the purposes of our risk management (including fraud prevention) and as part of prudent business management, including business organisation and development. For this purpose, we carry out our own identity and credit checks. For the credit check, we may obtain the necessary information from commissioned partner companies, in particular from the Central Credit Information Office (ZEK), the Consumer Credit Information Office (IKO), from authorities, credit bureaus, credit brokers, employers or other suitable information agencies.

We may process your data for other purposes, e.g. as part of our internal operations, security and administration or for training and quality assurance purposes.

Insofar as we ask you for your consent for certain processing activities (e.g. for the processing of particularly sensitive personal data and for marketing mailings), we will inform you separately about the purposes of such processing activities. You can revoke your consent at any time by sending us written notice (by post) or, unless otherwise specified or agreed, by email; our contact details can be found in Section 2. Once we have received notice of withdrawal of your consent, we will no longer process your data for the purposes for which you originally consented, unless we have another legal basis for doing so. Withdrawal of your consent does not affect the lawfulness of data processing carried out on the basis of your consent up to the time of withdrawal.

Where we do not seek your consent for processing, we base the processing of your personal data on the necessity of such processing for the initiation or performance of a contract with you (or the entity you represent), or on the grounds that we or third parties have a legitimate interest in this, particularly for the purposes and associated objectives described above in Section 4, and to enable us to implement corresponding measures. Our legitimate interests also include compliance with legal requirements. However, it also includes marketing our products and services and our interest in better understanding our markets and managing and developing our business, including operations, safely and efficiently.

If we receive sensitive data (e.g. health data, information regarding political, religious or philosophical beliefs or biometric data for identification purposes), we may also process your data based on other legal grounds, e.g. where necessary in connection with legal disputes, for potential legal action, or the enforcement or defence of legal claims. In individual cases, other legal grounds may apply, which we will communicate to you separately if necessary.

We may assess some of your personal characteristics automatically in connection with the purposes stated in Section 4 on the basis of your data (Section 3) ("profiling") when we wish to evaluate preference data, but also to determine misuse, security or credit risks, perform statistical evaluations or for operational planning purposes. For the same purposes, we may also create profiles, i.e. we may combine behavioural and preference data, as well as master and contract data, along with technical data assigned to you, in order to gain a better understanding of you as an individual with your various interests and other characteristics.

In both cases, we ensure the proportionality and reliability of the results and take measures against misuse of these profiles or the profiling procedure. If these may result in legal consequences or significant disadvantages for you, we generally make provisions for a manual review.

In certain situations, for reasons of efficiency and consistency in decision-making processes, it may be necessary for us to automate discretionary decisions that affect you, which may have legal consequences or potentially significant disadvantages ("automated individual decisions"). We will inform you accordingly and make provisions for the measures required by applicable law.

We will inform you in each individual case if an automated decision has taken place and this results in negative legal consequences or a comparable significant disadvantage for you. If you do not agree with the outcome of such a decision, you will be able to communicate with someone who will review the decision.

In connection with our contracts, our services, our legal obligations or otherwise to safeguard our legitimate interests and the other purposes listed in Section 4, we also share your personal data with third parties, particularly with the following categories of recipients:

Group companies: A list of our group companies can be found here https://www.riverty.com/de/datenschutz/riverty-unternehmensgruppe/. The group companies may use the data in accordance with this data privacy statement for the same purposes as us (see Section 4). We may also disclose health data to our group companies. Information transmitted by mobile phone network providers is excluded from this information sharing.
Service providers: We work with service providers domestically and abroad who process data about you on our behalf or under our joint responsibility or receive data about you from us under our own responsibility (e.g. IT providers, shipping companies, advertising service providers, login service providers, cleaning companies, security companies, banks, insurance companies, debt collection companies, credit bureaus, address verifiers and mobile phone providers). This may also include health data.
In the area of credit information and credit checks, we cooperate with various credit bureaus, in particular CRIF AG. We provide CRIF AG with payment experience information, particularly concerning undisputed and overdue receivables, as well as, where applicable, debt collection information and address data for legitimate use as a credit bureau. CRIF AG will use the data to check your identity and creditworthiness and disclose it to authorized third parties. More information can be found at: www.mycrifdata.ch/#/dsg

Contractual partners: This primarily refers to our customers (e.g. service recipients) and other contractual partners, as this data transfer results from these contracts. If you work for such a contractual partner yourself, we may also transfer data about you to this party in this context. This may also include health data. Recipients also include contractual partners with whom we cooperate.

Authorities: We may disclose personal data to government agencies, courts and other authorities domestically and abroad if we are legally obliged or entitled to do so or if this appears necessary to protect our interests and enforce our rights as well as to protect other customers. This may also include health data. When authorities process data about you which they receive from us, they do so at their own responsibility.

Other parties: This refers to other cases where the involvement of third parties arises based on the purposes outlined in Section 4.

All of these categories of recipients may, in turn, involve third parties; this means your data may also be accessible to such third parties. We may limit processing by certain third parties (e.g. IT providers), but we cannot do so for other third parties (e.g. authorities, banks, etc.).

We reserve the right to disclose such information even if it relates to secret data (provided that we have not expressly agreed with you that we will not disclose such information to certain third parties, unless we are required to do so by law). Notwithstanding this, your data will continue to be subject to adequate data protection even after disclosure in Switzerland and the rest of Europe. In the case of disclosure to other countries, the provisions of Section 8 apply. If you do not want certain data to be passed on, please let us know so that we can check whether and to what extent we can accommodate your request (Section 2).

As outlined in Section 7, we also disclose data to other parties. These are not only located in Switzerland. Your data may therefore be processed both in Europe and outside Europe, and in exceptional cases in any country in the world.

If a recipient is located in a country without adequate legal data protection, we contractually require the recipient to comply with the applicable data protection regulations (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?), unless they are already subject to a legally recognised framework for ensuring data protection and we cannot rely on an exception provision. An exception may apply, particularly in the context of legal proceedings abroad, as well as in cases of overriding public interest, or if such disclosure is necessary for the performance of a contract, if you have consented to it, or if it pertains to data that you have made publicly available and to which you have not objected regarding its processing.

Please also note that data exchanged over the Internet is often routed through third countries. Your data may therefore also be sent abroad if the sender and recipient are located in the same country.

We process your data for as long as required by our purposes of processing, the statutory retention periods and our legitimate interests in processing for documentation and evidence purposes, or where storage is technically necessary. Further details regarding the respective storage and processing durations can be found for each data category in Section 3. Unless contradicted by legal or contractual obligations, we delete or anonymize your data after the end of the storage or processing period as part of our usual processes.

We take reasonable security measures to maintain the confidentiality, integrity and availability of your personal data to protect it from unauthorized or unlawful processing and to counteract the risks of loss, accidental alteration, unintentional disclosure or unauthorized access.

Applicable data protection law grants you the right, under certain circumstances, to object to the processing of your data and to any further legitimate interests in that processing.
In order to make it easier for you to control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection law:
The right to request information from us as to whether and what data we process about you;
the right to have data corrected if it is inaccurate;
the right to request the erasure of data;
the right to withdraw consent to the extent that our processing is based on your consent;
the right to request further information necessary for the exercise of these rights;
the right, in the case of automated individual decisions (Section 6) to state your position and to request that the decision be reviewed by a natural person.

If you wish to exercise the above-mentioned rights against us (or against one of our group companies), please contact us in writing, at our location or, unless otherwise specified or agreed, by email; our contact details can be found in Section 2. In order to rule out misuse, we must identify you (e.g. with a copy of your ID, unless this is possible by other means).

You also have these rights in relation to other entities that work with us independently – please contact them directly if you wish to exercise your rights regarding their processing activities. Details about our key cooperation partners and service providers can be found in Section 7, with further information available in Section 12.

Please note that these rights are subject to conditions, exceptions or restrictions under applicable data protection law (e.g. to protect third parties or trade secrets). We will inform you accordingly if necessary.

In particular, we may need to further process and store your personal data in order to fulfil a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent permitted by law, particularly to protect the rights and freedoms of other data subjects and to uphold legitimate interests, we may therefore reject a data subject's request in whole or in part (for example, by redacting certain content that pertains to third parties or our trade secrets).

If you do not agree with how we handle your rights or data protection, please let us know (Section 2). In particular, if you are located in the EEA, the United Kingdom or Switzerland, you also have the right to lodge a complaint with the data protection supervisory authority of your country. A list of the authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_en. You can contact the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can contact the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/de/home/deredoeb/kontakt.html.

The following information explains how we process personal data or other types of data in connection with our websites or apps. In particular, this involves cookies or similar technologies. The following provisions apply to both our websites and apps, even if they only refer to a website in any particular instance.

What information do we receive and how do we use it?
When you visit our website, certain data is automatically stored on our servers or on the servers of services and products that we purchase and/or have installed. This is done for system administration, backup, tracking or statistical evaluation purposes. This includes the following data:
(i)    the name of your internet service provider;
(ii)    your IP address (if applicable);
(iii)    the version of your browser software;
(iv)    the operating system of the computer used to access our website;
(v)    the date and time of access;
(vi)    the website you have previously visited;
(vii)    the keywords you used to find our website;
(viii)    browser type;
(ix)    host name of the computer;
(x)    access type;
(xi)    login status.
How can you prevent data collection?
The data is only stored for as long as necessary to achieve the purpose for which it was collected. Accordingly, the data is normally deleted after the end of each session. The storage of log files is absolutely necessary for the operation of the website. You therefore have no possibility to object to this.

How do cookies work and what do they do?
Cookies are text files that are placed on your device's operating system by the browser when you visit a website. Cookies contain a unique identifier (ID) that allows us to distinguish individual visitors from others. However, you are usually not identified. Cookies do not cause any damage to your computer and do not contain any viruses. They are also used to significantly improve user interaction so that certain settings are saved for you, and they are crucial for some technical controls (e.g. session or shopping basket management).
What types of cookies are there?
Most of the cookies we use are "session cookies", which are automatically deleted at the end of your visit.
Other cookies remain stored on your end device until you delete them (normally, however, they are deleted after two years at the latest). The purpose of these cookies is to store your preferences (e.g. language and location settings), to facilitate the quick provision and attractive presentation of website content (e.g. by using fonts and content delivery networks), to analyse the use of this website for statistical evaluation as well as for continuous improvement and marketing purposes (generally, by means of third-party cookies; see below).
In addition, we may also use similar technologies such as pixel tags, fingerprints or other technologies to store data in the browser. Pixel tags can be used to transmit certain information to the server operator by means of small, normally invisible images or program codes loaded from a server (e.g. whether and when a website was visited). Fingerprints are used to collect information about the configuration of your end device or browser during your visit to the website in order to distinguish your end device from other devices. Most browsers also support additional technologies (e.g. web storage), which we can also use.
Which cookies or similar technologies do we use?
We may use the following types of cookies or similar technologies:
(i) Necessary cookies: These include cookies that are necessary for the use of a website and its functions. These cookies ensure, for example, that when switching between pages, already entered form data is not deleted and shopping basket contents are not lost.
(ii) Performance cookies: We can use performance cookies to carry out analyses by collecting information about how a website is used. This enables us to see how visitors move around a website, for example. We may also measure the loading times or behaviour of the website on different types of browsers. Performance cookies make it possible for us to continuously improve our websites and user experience.
(iii) Functional cookies: These cookies allow us to store certain data that you enter on our websites so that you do not have to enter it again (e.g. location, language, form data, etc.). This means we can improve the user-friendliness of our websites.
(iv) Marketing cookies: Marketing cookies allow us (or our marketing partners) to show you advertisements on our websites (or third-party websites) that are tailored to your browsing behaviour and may be of interest to you.
Do we use third party cookies?
We may also use third-party cookies. In this case, the cookies are not placed by us when you visit the website, but by the third-party provider. Such providers may also be located outside the European Economic Area (EEA); in this case, appropriate measures are taken to ensure data protection (cf. Section 8).
Cookies from third-party providers may include analysis services as well as tracking and re-targeting measures. These allow us to target you with advertisements on our websites or on third party websites and to measure the effectiveness of these advertisements. The third-party providers may record your use of our websites and, where applicable, combine data collected on other websites. The respective provider may also use this data for its own purposes, such as for personalized advertising on its own websites or other websites for which it provides advertising. If the provider can identify you (e.g. because you have a customer account), they can assign the user data to you. The corresponding processing takes place in accordance with the data protection provisions of the third-party provider. The most important third-party providers are Google and Facebook. Below you can find a description of the most important tools we use (cf. Section 12.3).
How can you prevent data collection via cookies?
The cookies are stored on your computer. You therefore have full control over the use of cookies. You can delete them completely or deactivate or restrict transmission by changing the browser settings. You can also block tracking by certain third parties using a browser extension. For more information about the use of cookies, please refer to the help pages of your browser. After deactivating cookies, you may no longer be able to use all the functions of the website to their full extent.
Below you can find instructions for the most common browsers:
Google Chrome:
Safari (Apple)
Microsoft Edge
Mozilla Firefox 
In the case of cookies used for success and reach measurement or advertising, a general opt-out is generally possible for many services via the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
What other methods of online advertising do we use?
In addition to third-party marketing and cookies, we use other techniques to manage online advertising on other websites and thereby prevent scatter losses. For example, we may pass on the email addresses of our users in pseudonymized form (hashing) to third-party companies. By cross-referencing the database, the advertising company (typically a social media provider) identifies the contact information already present in its own database and can display advertisements tailored to your interests (see, for example, the cookies used under Section 12.3). The third-party companies do not receive personal email addresses of persons who are not already known. You can prevent the display of personalized advertising by configuring the appropriate cookies (see above).   
May we include offers from third parties on our website?
We may integrate other third-party offers on our websites, in particular from social media providers. These offers are disabled by default. As soon as you activate them (e.g. by clicking on a button), the respective providers can conclude that you are on our website. If you have an account with this social media provider, it can associate this information with you and thus track your use of online offers. The social media providers process this data at their own responsibility.

This Privacy Policy does not form part of any contract with you. We may amend this Privacy Policy at any time. The version published on this website is the current version.
Date of last revision: 16 August 2023