Privacy policy
The controller within the meaning of data protection legislation, in particular the EU General Data Protection Regulation (GDPR), is:
ofinto ag
Jonas Romer
Bischofszellerstrasse 53
9200 Gossau SG
Email: info@ofinto.ch
Website: www.ofinto.ch
Your rights as a data subject
You can exercise the following rights at any time using the contact details provided:
- Information about your data stored by us and its processing (Art. 15 GDPR),
- Correction of incorrect personal data (Art. 16 GDPR),
- Deletion of your data stored by us (Art. 17 GDPR),
- Restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 GDPR),
- Objection to the processing of your data by us (Art. 21 GDPR) and
- Data portability, provided that you have consented to the data processing or have concluded a contract with us (Art. 20 GDPR).
If you have given us your consent, you can revoke it at any time with effect for the future.
You can lodge a complaint with a supervisory authority at any time, e.g. with the competent supervisory authority in the federal state of your place of residence or with the authority responsible for us as the controller (for Switzerland: the Federal Data Protection and Information Commissioner, FDPIC).
A list of German supervisory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
General information on data processing
Based on Article 13 of the Swiss Federal Constitution and the data protection provisions of the Swiss Confederation (Data Protection Act, DSG), every person is entitled to protection of their privacy and protection against misuse of their personal data. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
We would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.
By using this website, you consent to the collection, processing and use of data in accordance with the following description. This website can generally be visited without registration. Data such as pages called up or the name of the file called up, date and time are stored on the server for statistical purposes without this data being directly related to your person. Personal data, in particular name, address or e-mail address, are collected on a voluntary basis as far as possible. The data will not be passed on to third parties without your consent, unless this is necessary for the fulfillment of the contract.
Processing of personal data and legal bases
Personal data is any information relating to an identified or identifiable person. Processing includes any handling of personal data, regardless of the means and procedures used. We process personal data in accordance with Swiss data protection law. In addition, we process personal data in accordance with the following legal bases in connection with Art. 6 para. 1 GDPR, insofar as the EU GDPR is applicable:
- lit. a) Consent of the data subject.
- lit. b) Fulfillment of a contract with the data subject and implementation of corresponding pre-contractual measures.
- lit. c) Fulfillment of a legal obligation.
- lit. f) Safeguarding the legitimate interests of us or third parties, unless the interests of the data subject prevail.
We process personal data for the duration required for the respective purpose or purposes. In the case of longer-term retention obligations, we restrict processing accordingly.
Cookies and consent management
This website uses cookies. These are small text files that make it possible to store specific user-related information on the user's device. Some cookies are technically necessary for the operation of the site (essential cookies), while others help us to improve our offer and display advertising (functional, statistical and marketing cookies).
We use Cookiebot's Consent Manager (provider: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark) to manage the cookies used and the consents you have given. When you enter our website, a connection is established to Cookiebot's servers in order to obtain your consent and other declarations regarding cookie use. Cookiebot then stores a cookie in your browser in order to be able to assign the consents you have given or revoke them. The data collected in this way will be stored until you ask us to delete it, delete the Cookiebot cookie yourself or the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected. Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.
SSL/TLS encryption
This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as the requests you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Server log files
The provider of this website automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are Browser type and browser version, operating system used, referrer URL, host name of the accessing computer, time of the server request. This data cannot be assigned to specific persons. This data is not merged with other data sources. We reserve the right to check this data retrospectively if we become aware of specific indications of unlawful use.
Data transfer to third countries
As part of our business activities and the operation of our website, we use various services from third-party providers, some of which are based in countries outside Switzerland and the EU, in particular in the USA. If these services are active, your personal data may be transmitted to the respective providers.
For data transfers to the USA, there is an adequacy decision by the European Commission ("EU-U.S. Data Privacy Framework") and the Swiss Federal Council ("Swiss-U.S. Data Privacy Framework"). We ensure that our service providers are certified under this framework or that we have agreed suitable guarantees, such as standard contractual clauses (SCC) approved by the EU Commission, to ensure an adequate level of data protection.
Contract fulfillment and customer account
We process the personal data necessary for the purchase of products via our online store and the processing of your order. This includes your first name, surname, billing, company and delivery address as well as your e-mail address. Voluntary information such as your telephone number will also be processed if you provide it. This data is passed on to our internal systems (ERP, ordering systems) and to external partners such as deliverers and subcontractors in order to fulfill your order. The legal basis for this processing is the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
We pass this data on to the following service providers who support us in processing the contract:
- Our ERP system, Orderdesk (Order Desk, Inc., USA)
- Our store system, BigCommerce (BigCommerce, Inc., USA)
- Our fulfillment partners WKS Druckholding GmbH (Germany) and Sieber Transport AG (Switzerland)
The storage of this data is necessary for the fulfillment of the contract. Even after the contract has been concluded, personal data remains stored in order to comply with statutory retention obligations. Premature deletion is only possible if there are no contractual or legal obligations to the contrary.
Communication and customer inquiries
Contact form, live chat and CRM
We use the CRM system Reamaze (provider: Lantirn, Inc., USA) to process customer inquiries in order to be able to process your inquiries more quickly and efficiently. This constitutes a legitimate interest pursuant to Art. 6 para. 1 lit. f. GDPR. Inquiries to our email addresses, our live chat and via our Facebook page are processed with Reamaze. Lantirn Inc. is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework. Further information can be found in Reamaze's privacy policy: https://www.reamaze.com/privacy.
Appointment booking via Calendly
We use the Calendly service (Calendly LLC, USA) to book appointments (e.g. for our showroom or consultations). The data you enter (name, e-mail, telephone number if applicable, company) is processed to organize the appointment. The processing is necessary for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b GDPR). Calendly is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework.
B2B customer management via Salesmate
We use the CRM system Salesmate (Salesmate, Inc., USA) to maintain our customer relationships in the B2B sector. We process our customers' data (e.g. name, address, email, order data, communication history) in order to initiate and fulfill contracts. The legal basis is the fulfillment of the contract (Art. 6 para. 1 lit. b GDPR) as well as our legitimate interest in efficient customer management (Art. 6 para. 1 lit. f GDPR). Salesmate is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework.
E-mail communication via Klaviyo
We use the service provider Klaviyo (Klaviyo, Inc., USA) for various types of e-mail communication. Klaviyo is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework, which ensures an adequate level of data protection for data transmission.
The use of Klaviyo is based on different legal bases:
- Fulfillment of the contract (Art. 6 para. 1 lit. b GDPR): For transactional emails that are necessary to process your purchase, such as shipping confirmations or emails with assembly instructions after purchase.
- Legitimate interest (Art. 6 para. 1 lit. f GDPR): For emails in connection with an abandoned shopping cart to remind you of your potential purchase. You can object to this type of communication at any time.
- Consent (Art. 6 para. 1 lit. a GDPR): For sending our marketing newsletter. Registration for this takes place via a double opt-in procedure. The newsletters contain tracking pixels (web beacons) that help us to understand if and when emails are opened and which links are clicked. This performance measurement is also only carried out on the basis of your consent.
You can revoke your consent to receive the marketing newsletter and the associated performance measurement at any time by using the "unsubscribe" link at the end of each newsletter. Further information can be found in Klaviyo's privacy policy: https://www.klaviyo.com/legal/privacy-policy.
Payment processing
For the provision of chargeable services, we request additional data, such as payment details, in order to process your order. We store this data in our systems until the statutory retention periods have expired.
External payment service providers
We use external payment service providers via whose platforms users and we can carry out payment transactions. Payments are processed via the payment service provider Adyen (Adyen N.V., Netherlands). We have concluded an order processing agreement with Adyen. We transmit your IP address to Adyen for the purpose of preventing and detecting fraud. We do not collect or store the complete payment data.
The data processed by the payment service providers includes inventory data (e.g. name, address), bank data (e.g. account numbers, credit card numbers, passwords, TANs) as well as contract, sum and recipient-related data. The information is required to carry out the transactions. The data entered is only processed by the payment service providers and stored by them. We only receive information to confirm (accept) or reject the payment.
The terms and conditions and data protection information of the respective payment service providers apply to payment transactions. We use the service providers on the basis of Art. 6 para. 1 lit. b GDPR (fulfillment of contract) and in the interest of a smooth, convenient and secure payment process (Art. 6 para. 1 lit. f GDPR).
Purchase on account through CembraPay AG
If you select the payment method CembraPay (CembraPay AG, Switzerland), your data will be transmitted to CembraPay for identity and credit checks. CembraPay also uses your data for its own marketing purposes. Details can be found in CembraPay's privacy policy: https://cembrapay.ch/de/privacy.
Web analytics and marketing
Google services
We use various services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google") on our website. For data transfers to the USA, Google LLC is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework.
Google Analytics
We use Google Analytics to analyze website usage. This is done on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in improving our offer. We have activated IP anonymization so that your IP address is shortened by Google within the EU/EEA or Switzerland before being transmitted to the USA. You can prevent Google Analytics from collecting data by installing the browser plugin at the following link: Deactivate Google Analytics.
Google Ads and conversion tracking
We use Google Ads to draw attention to our offers. The associated conversion tracking helps us to measure the success of our advertising measures. This processing only takes place on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can find further information at: https://policies.google.com/privacy.
Google Tag Manager
We use Google Tag Manager to manage website tags via an interface. The Tag Manager itself does not process any personal user data.
Other services and tools used
Website design and optimization
Shogun Pagebuilder
We use Shogun Pagebuilder (Shogun Labs, Inc., USA) to design individual pages of our website. Shogun processes aggregated usage statistics on our behalf in order to analyze the performance of the pages. This serves our legitimate interest in optimizing our website (Art. 6 para. 1 lit. f GDPR). If personalization functions based on user data are used, this is only done on the basis of your consent (Art. 6 para. 1 lit. a GDPR). Shogun is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework.
A/B testing with Ablyft
We use the service Ablyft (ABlyft GmbH, Germany) to test different versions of our website. According to the provider, no personal data such as IP addresses are stored. Cookies may be set to make the tests technically possible. Ablyft is used exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR).
Address completion with Woosmap
In the checkout process, we offer automatic address completion by the Woosmap service (Web Geo Services, France). As you enter your address, the address fragments are transmitted to Woosmap to make suggestions to you. This serves our legitimate interest in user-friendly and error-free order processing (Art. 6 para. 1 lit. f GDPR).
Location detection with Geotargetly
To show you the correct version of our website for your country, we use the service Geotargetly (USA). This service uses your IP address to determine your approximate location. According to the provider, the IP address is not stored. This processing is based on our legitimate interest in offering you a localized shopping experience (Art. 6 para. 1 lit. f GDPR).
Marketing and partner programs
Performance marketing with Criteo
We use the services of Criteo SA (France) to show you interest-based advertising on partner websites (retargeting). Criteo uses cookies for this purpose, which record your surfing behavior. This processing only takes place if you have given us your express consent via our consent management tool (Art. 6 para. 1 lit. a GDPR).
Affiliate marketing with Affiliatly and Awin
We use affiliate networks to remunerate the referral of sales by partners. For this purpose, we use the services of Affiliatly (USA) and Awin (AWIN AG, Germany). If you reach our site via an affiliate link, a cookie is set to track the successful referral. Pseudonymized data (e.g. order ID, value of goods) is transmitted. These cookies are only set on the basis of your consent (Art. 6 para. 1 lit. a GDPR).
Microsoft Bing Ads
We use conversion tracking from Microsoft Corporation (USA). A cookie is stored on your computer if you have reached our website via a Microsoft Bing ad. This allows us to measure the success of our ads. This is done on the basis of your consent (Art. 6 para. 1 lit. a GDPR). Microsoft is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework. You can declare your objection here: https://account.microsoft.com/privacy/ad-settings/signedout?lang=de-DE.
Customer feedback and reviews
Customer ratings with Judge.me
We use the rating platform Judge.me (Judge.me Ltd, UK). After a purchase you have the opportunity to rate our products. You will receive an e-mail from us for this purpose. The processing of your data (order details, e-mail address) is carried out to protect our legitimate interests in improving our customer service (Art. 6 para. 1 lit. f GDPR). There is an adequacy decision by the EU Commission for the transfer of data to the UK. You can find details at: https://judge.me/privacy.
Customer surveys with LoudHippo
After completing your order, we will show you a survey from the provider LoudHippo (USA) on the confirmation page. This serves our legitimate interest in improving our service (Art. 6 para. 1 lit. f GDPR). If you participate, your answers will be stored by LoudHippo together with your order data and your e-mail address. Participation is voluntary. LoudHippo is certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework.
Social media plugins
We integrate plugins from various social networks on our website. When you visit a page that contains such a plugin, your browser establishes a direct connection with the servers of the respective network. If you have an account there and are logged in, the visit can be assigned to your profile. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by the providers.
- Facebook: Facebook Ireland Ltd, Ireland. Privacy policy: https://de-de.facebook.com/about/privacy.
- Instagram: Facebook Ireland Ltd, Ireland. Privacy policy: http://instagram.com/about/legal/privacy/.
- LinkedIn: LinkedIn Ireland Unlimited Company, Ireland. Privacy policy: https://www.linkedin.com/legal/privacy-policy.
- Twitter / X: Twitter International Unlimited Company, Ireland. Privacy policy: https://twitter.com/privacy.
- Pinterest: Pinterest Europe Ltd, Ireland. Privacy policy: https://policy.pinterest.com/de/privacy-policy.
- YouTube: Google Ireland Limited, Ireland. Privacy policy: https://policies.google.com/privacy.
Copyrights
The copyright and all other rights to content, images, photos or other files on the website belong exclusively to the operator of this website or the specifically named rights holders. The written consent of the copyright holder must be obtained in advance for the reproduction of all files.
General disclaimer
All information on our website has been carefully checked. We make every effort to ensure that the information we provide is up-to-date, correct and complete. Nevertheless, the occurrence of errors cannot be completely ruled out. Liability claims arising from material or immaterial damage caused by the use of the information provided are excluded, unless there is evidence of wilful intent or gross negligence.
Changes
We may amend this privacy policy at any time without prior notice. The current version published on our website shall apply. If the privacy policy is part of an agreement with you, we will inform you of the change by e-mail or other suitable means in the event of an update.
Questions for the data protection officer
If you have any questions about data protection, please send us an e-mail or contact the person responsible for data protection in our organization listed at the beginning of this privacy policy.
Gossau SG, 31.07.2025