DATA PROTECTION

1. What is this privacy policy about?

Data protection is a matter of trust, and your trust is important to us. Trust begins with transparency. In this privacy policy, we therefore inform you how and why we collect, process and use your personal data. This privacy policy is based on the European General Data Protection Regulation - GDPR for short - which has established itself internationally as a benchmark for strong, effective data protection.

2. Who are we?

J & A Trading KG, Obere Weinbergstrasse 1, 8570 Weinfelden, Switzerland ("we" or "us") is generally responsible for data processing under this Privacy Policy. If you have any questions about this Privacy Policy or the processing of your personal data, please feel free to contact us as follows: J & A Trading KG, Data Protection, Obere Weinbergstrasse 1, 8570 Weinfelden, info@nohangover.ch

3. For whom is this data protection declaration intended?

Our data processing activities primarily concern our customers, but also other persons whose personal data we process. In this regard, this data protection declaration applies in all of our business areas and regardless of the channel through which you contact us, e.g. in a branch, by telephone, in an online store, on a website, in an app, via a social network, at an event, etc. This privacy policy applies to the processing of both already collected and future personal data. For certain offers and services (e.g. contests), additional data protection provisions may also apply, which are supplementary to this data protection declaration.This data protection declaration is not applicable if another company is responsible for a certain data processing. For example, another company may be responsible for a certain data processing, alone or jointly with us, if you visit our social media presences (e.g. Facebook fan pages) or interact with social plug-ins integrated into our websites (e.g. the Facebook "Like" button), if you visit a third party website linked by us, or if we disclose personal data to third parties such as public authorities (for details on such disclosures, see section 8). In these cases, please consult the privacy policy of the company in question, which you can usually find on their website.

4. What is "personal data" and what does "processing" mean?

Data protection law regulates the processing of personal data. This also applies to this privacy policy. "Personal data" means any information that can be associated with a specific natural person, i.e., a human being. "Processing" means any handling of your personal data. In Switzerland, information that relates to a specific legal entity (e.g., information about a contract with a company) is also considered personal data.

5. Which personal data do we process for which purposes?

Depending on the occasion and purpose, we process different personal data. You will find more details in this section and often also in general terms and conditions, conditions of participation and additional data protection statements.

We generally collect your personal data directly from you, for example, when you send us data or communicate with us. Incidentally, you are generally not obliged to disclose personal data to us, unless disclosure is necessary to fulfill a contractual obligation. However, we are often unable to provide an offer or service without you providing us with the necessary information.

Apart from you, personal data may also be collected from other sources, e.g. from other companies of the J & A Group or from third parties such as credit agencies, media monitoring companies, providers of online services such as providers of Internet analysis services, financial service providers for payments, address traders, from public registers, from the media, from the Internet, etc.

Among other things, we process personal data - including, in some circumstances, sensitive personal data - in the following situations for the following purposes:

Communication: we process personal data when you contact us or when we contact you, for example, when you contact customer service and when you write to us or call us. We usually only need information such as your name and contact details, the time of the relevant communications and their content, which may include third party personal data. We use this information to provide you with information or notices, to process your request and communicate with you, and for quality assurance and training purposes. We also forward communications within the J & A Group to appropriate company departments, for example, if your concern relates to another company.

Purchase of goods and use of services: We also process personal data if you make use of services from us, e.g. if you purchase goods from us or obtain a service. In doing so, we process your personal data, for example, in the context of processing orders and contracts or for delivery and invoicing. For purchases in online stores or when using a bonus or loyalty card, we also collect and process personal data in connection with your creditworthiness and your purchasing and payment behavior. For example, we collect creditworthiness information from third-party providers to decide whether to offer you purchase on account, and we process information about what purchases you make, when and how often in which stores or online stores to derive information about your preferences and affinities for certain products or services. This information helps us to inform you specifically about further offers and to tailor our offering more closely to demand.

Loyalty and bonus programs: We process personal data as part of our loyalty and bonus program. In addition to contact details, we also process personal data about the use of the program by you and, where applicable, members of the same household and other information, e.g. details about your shopping habits, your preferences and your affinities for certain products and services, which help us to inform you specifically about offers and to gear our offer more closely to demand. You will find further details on this in this data protection declaration under "Purchase of goods and use of services" and in the corresponding general terms and conditions or conditions of participation.

Visiting websites: When you visit our websites, we process personal data depending on the offer and functionality. This includes technical data such as information about the time of access to our website, the duration of the visit, the pages accessed and information about the device used (e.g. tablet, PC or smartphone). We use this data to provide the website, for IT security reasons and to improve the user-friendliness of the website. We also use "cookies" and similar technologies. Cookies are files that are stored on the terminal device when you visit our website. In many cases, they are necessary for the functionality of the website and are automatically deleted after the visit. Other cookies remain stored for a certain duration and are used to personalize the offer or allow us to show you targeted advertising. We also use cookies and technologies from third-party providers in the USA or worldwide, e.g. for analysis services from providers such as Google or additional functions from providers such as Facebook, which may result in the provider in question receiving data about you. If you have a customer account with us, we may associate usage data with your profile, which helps us derive information about your preferences and affinities for certain products or services. You have the option of rejecting or deactivating cookies and thus preventing the processing of data generated by a cookie by configuring your terminal device accordingly or installing a corresponding browser add-on. However, this may result in you not being able to use all the functions of the website. For further details on the personal data processed in connection with our websites, please refer to section 6.

Online offers and apps: If you use online offers from us, we also process personal data for the provision, improvement and further development of these offers. This also applies if you do not purchase any goods or services. Depending on the type of offer, this includes information about a customer account and the use of the same as well as information about the installation and use of mobile apps. We also process personal data to personalize the offer and to provide you with offers tailored to your interests and affinities.

Information and direct marketing: We process personal data to the extent permitted by law for the purpose of sending written or electronic information and advertising messages, unless you have objected to this processing. For example, we process your contact information so that we can send you the appropriate communications. In the case of e-mail newsletters, push messages and other electronic communications, we may also process information about your use of the communications (e.g. whether you have downloaded images embedded in an e-mail, i.e. whether you have opened the e-mail) so that we can get to know you better, tailor our offers more precisely to you and generally improve our offers. You can usually block this processing of usage data in your e-mail program if you do not agree to it.

Contests, sweepstakes and similar events: We occasionally organize contests, sweepstakes and similar events. In these cases, we process your contact data and information about your participation for the implementation of the contests and sweepstakes, if necessary for communication with you in this context and for advertising purposes. You will find further details in each case in the relevant conditions of participation.

Entering our premises: When you enter our premises, we may make video recordings in appropriately designated areas for security and evidentiary purposes. It is further possible that you may be able to use a Wi-Fi offering. In this case, we collect device-specific data when you log in and may ask you to log in by providing your name and email address or cell phone number. We may also process and analyze data about your use of our Wi-Fi offering.

Customer events: When we hold customer events (such as promotional events, sponsorship events, cultural and sporting events), we also process personal data. This includes the name and postal or e-mail address of the participants or interested parties and, depending on the event, further data, e.g. your date of birth. We process this information to carry out the customer events, but also to get in direct contact with you and to get to know you better. You will find further details in the respective conditions of participation.

Market research and media monitoring: We process personal data for market and opinion research. For this purpose, we may use information about your purchasing behavior (for further details, see "Purchase of goods and use of services" above), but also information from customer surveys, polls and studies and other information, e.g. from the media, from social media, from the Internet and from other public sources. We may also use media monitoring services or conduct media monitoring ourselves and process personal data in the process.

Contact with our company as a business partner: We work with various companies and business partners, e.g., suppliers, commercial buyers of goods and services, cooperation partners, and service providers (e.g., IT service providers). In this context, we also process personal data about the contact persons in these companies, e.g. name, function, title and communication with us, in each case for the purpose of initiating and processing contracts, for planning, for accounting purposes and other purposes related to the contract. Depending on the area of activity, we may also be required to examine the company in question and its employees in more detail, e.g. by conducting a security check. In this case, we may collect and process additional information, including from third parties. We may also process personal data to improve our customer orientation, customer satisfaction and customer retention (customer/supplier relationship management).

Administration: We process personal data for our own and the Group's internal administration. For example, we may process personal data as part of the administration of IT or real estate. We also process personal data for accounting and archiving purposes and generally for testing and improving internal processes.

Corporate Transactions: We may also process Personal Data for the preparation and processing of corporate acquisitions and sales and asset purchases or sales. In this regard, the subject matter and scope of the data collected or transferred will depend on the stage and subject matter of the transaction.

Job applications: We also process personal data if you apply for a job with us. For this purpose, we usually require the usual information and documents mentioned in a job advertisement, which may also contain personal data of third parties.

Compliance with legal requirements: We process personal data to comply with legal requirements and to prevent and detect violations. This includes, for example, receiving and processing complaints and other reports, conducting internal investigations, or disclosing records to an authority when we have good cause or are legally required to do so. In each case, we may also process personal data of third parties.

Legal protection: We process personal data in various constellations in order to protect our rights, e.g. to enforce claims in court, before or out of court and before authorities in Switzerland and abroad, or to defend ourselves against claims. In doing so, we may process your personal data and personal data of third parties or disclose personal data to third parties in Germany and abroad to the extent necessary and permissible.

How do we process personal data when you visit our websites?

What personal data do we process?

Technical data (log files): When you visit our websites, we process personal data depending on the offer and functionality. This includes data automatically collected for technical reasons and stored in log files, so-called log files. This includes, for example, the IP address and device-specific information such as the MAC address and the operating system of the end device (tablet, PC, smartphone, etc.), information about your Internet service provider, information about content accessed and the date and time of the visit to the website or information about logins.

Cookies and similar technologies: depending on the functionality, we also use cookies. Cookies are small files that our website automatically creates in your browser and that are stored on your terminal device. Cookies contain a unique number (an ID) that we can assign to a specific Internet user, but usually without knowing the user's name, and, depending on the intended use, other information, for example, about pages accessed and the duration of the visit to a page.

On the one hand, we use session cookies in which, among other things, information about the origin and storage period of the cookie is stored. These cookies are deleted after each visit to our website. We use such cookies, for example, to store a shopping cart over several page views of the user.

On the other hand, we use permanent cookies that remain stored for a certain period of time even after the end of the respective browser session. Such cookies are used to recognize a visitor on a subsequent visit, e.g. to save language settings over several browser sessions or to display content on the website tailored to your interests. For example, we collect information about your visits, the pages viewed, articles viewed and your shopping cart. After the programmed duration has expired (usually between one month and two years), such cookies are automatically deactivated.

We also use similar technologies such as pixel tags (small image files that are loaded from a server and thereby transmit certain information to the operator of the server) or fingerprints (information about the configuration of a device or about a browser). Some cookies or similar technologies originate from other companies of the J & A Group or from third parties. This is the case, for example, when we use third-party functions on our website. It also concerns evaluation services that also work with cookies and similar technologies; you will find further information on this below. This enables our partners to address you with individualized advertising on our websites or on websites of third parties as well as on social networks and to measure their effect.

User behavior data: We use Google Analytics on our website, an analysis service provided by Google LLC in the USA. Google uses cookies for this purpose, which enable an analysis of the use of the website. As a result, Google collects information about your behavior on our website and the terminal device used for this purpose (tablet, PC, smartphone, etc.). This is usage data such as the type and version of the browser, the address (URL) of the website from which you accessed our website, the name of your provider, the IP address of the terminal device, the date and time of access to our website, as well as pages visited and length of stay. This information is stored on a Google server in the USA. However, your IP address will be shortened beforehand in the EU or EEA. Only in exceptional cases will the full IP address be transferred to the USA. Google is bound by the US Privacy Shield program in the USA. Based on this information, we receive evaluations from Google. Google Analytics also makes it possible to assign data, sessions and interactions across multiple end devices to a pseudonymous user ID and thus to analyze the activities of a user who is not known by name across devices. For more information, please see Google's Terms of Use or Privacy Policy (https://policies.google.com).

We use similar services of other providers with locations worldwide. These providers may record the user's use of the relevant website, for example, through the use of cookies and similar technologies. These records may be combined with similar information from other websites. The behavior of a particular user can thus be recorded across multiple websites and across multiple end devices. The respective provider may also use this data for its own purposes, e.g. for personalized advertising on its own website and on other websites that it supplies with advertising. If a user is registered with the provider, the provider can assign the usage data to this person. For this purpose, he will usually obtain the consent of the person concerned and enable him to revoke this consent in accordance with his instructions. The processing of such personal data is carried out here by the provider under its responsibility and in accordance with its own data protection provisions.

Social plug-ins: Our websites use social plug-ins, e.g. from Facebook, YouTube, Twitter or Instagram. This displays buttons of the respective providers, e.g. the "Like" button of Facebook, or content of the respective provider is integrated on the website. When you call up a website that uses such a social plug-in, your browser establishes a connection with the provider in question. The content of the social plug-in is transmitted by the relevant provider to your browser and integrated by it into the relevant website. Through this process, the relevant provider receives the following data in particular: the information that your browser has called up the relevant website; the IP address of the device used, even if you do not have an account with the provider. If you are logged in to the provider in question at the same time, the provider can assign the visit to your personal profile. If you interact with a social plug-in - e.g. press a "Like" button or post a comment - the corresponding information is transmitted from your browser to the provider concerned and stored there. It may also be published on your profile with the relevant provider and displayed to your contacts. Also, if you visit our social media sites (e.g. Facebook fan pages) or interact with social plug-ins integrated into our websites (e.g. the Facebook "Like" button), personal data may be transmitted directly to the relevant provider or collected and stored by it. The provider of the social network in question is primarily responsible for processing this data. Insofar as we are jointly responsible with the provider concerned, we shall enter into a corresponding agreement with him, the main content of which you can find out from the provider. Further information on data processing by social network providers can be found in the privacy statements of the relevant social networks (e.g. Facebook, YouTube, Twitter, Instagram).

For what purposes do we process this personal data?Provision of the website: The recording of certain log files and use of certain cookies is necessarily associated with the provision of the website and its functions for technical reasons. Other cookies and similar technologies help us to provide and ensure the various functions and offers of our website and to make our website more attractive;

Website administration: the storage and processing of log files and cookies helps us in maintenance and troubleshooting, in ensuring the security of our website and in combating fraud;

Personalization of the website: we adapt certain areas and content of our website to your needs and interests, for example, by storing your choice of language or personalized display of content;

User behavior analysis: we use web analytics services to better understand how our websites are used and to improve their content, functionality and discoverability.

Advertising: We may target you with interest-based advertising on our websites or on third-party websites, or display our advertisements to you after you visit our websites as you continue to use the Internet;

Cookies and similar technologies from third parties enable the companies concerned to provide services for us or to target you with advertising that may be of particular interest to you.

If you have a customer account with us, we can also evaluate this personal data and link it with other personal data, for example with non-personal statistical information and with other personal data that we have collected about you, in order to derive information about your preferences and affinities for certain products or services. Even if you are not logged in at the time of visiting our website, this data may be assigned to your profile.

How can you prevent this processing?

You can configure your end device so that a message appears before a new cookie is created. This also allows you to reject cookies. In addition, you can delete cookies from your end device. You also have the option to prevent the collection of data generated by the cookie (including your IP address) and the processing of this data by downloading and installing an appropriate browser add-on. However, rejecting or deactivating cookies may mean that you cannot use all the functions of the website.

You can prevent the use of Google Analytics by installing an add-on for your browser, a so-called browser add-on. You also have the option to revoke any consent you may have given to the respective providers or to object to their processing, for Google, for example, via https://adssettings.google.com.

If you do not want a social network provider to collect data about you via our website, you must log out of the provider in question before visiting our website. Even when logged out, the providers collect anonymized data via the social plug-ins. If you log in to the provider in question at a later time, this data can be assigned to your profile. In these cases, the provider in question processes personal data in each case under its own responsibility and in accordance with its own data protection provisions. If you wish to prevent the provider from assigning data to your profile, you must delete the relevant cookies. You can also completely prevent the loading of the social plug-ins with add-ons for your browser, e.g. with NoScript.

7. On what legal basis do we process personal data?

Depending on the purpose of the data processing, our processing of personal data is based on different legal bases. In particular, we may process personal data if the processing is necessary either: for the performance of a contract with the data subject or for pre-contractual measures at his or her request (e.g., the review of his or her contract application);

is necessary for the exercise of legitimate interests; is based on effective consent that has not been revoked; or is necessary for compliance with legal provisions.

As a rule, we only process personal data requiring special protection on the basis of explicit consent, unless the data concerned has obviously been disclosed to the public by the person concerned or the processing is necessary to uphold the law or comply with legal provisions.

Data will only be transferred abroad under the conditions set out in sections 8 and 9.

8. To whom do we pass on your personal data?

Your personal information will only be passed on to other companies to the extent described below. Under no circumstances do we sell your personal data to third parties. We do not trade in personal data.

We may pass on your personal data to other companies of J & A Trading. The J & A includes the noHangover Shop and the regional J & A as well as their respective subsidiaries. The transfer of personal data to other group companies is often for internal group administration purposes. In certain cases, individual J & A companies may also process your personal data in their own interest for the processing purposes set out in this Privacy Policy. Your personal data may then also be linked and processed with personal data originating from other companies of the J & A Group for the respective purposes.

We can then pass on your personal data to companies if we use their services. These may also be companies outside the J & A Group. We ensure through the selection of such data processors and appropriate contractual agreements that data protection is also ensured throughout the processing of your personal data by data processors. Our commissioned data processors are obliged to process the personal data exclusively on our behalf and in accordance with our instructions, and to take suitable technical and organizational measures for data security. This concerns in particular services in the area of credit assessment, e.g. if you wish to make a purchase on account, and IT services, e.g. services in the areas of data storage (hosting), cloud services, sending e-mail newsletters, data analysis and refinement, etc.

In individual cases, it is also possible that we pass on personal data to recipients outside the J & A Group also for their own purposes, e.g. if we consider this to be legally required or necessary to protect our interests. In these cases, the recipient is a separate data controller under data protection law. This applies in particular to the following cases:We may disclose your personal data to third parties (e.g. courts and authorities in Switzerland and abroad) if this is required by law or by the authorities. We also reserve the right to process your personal data in order to comply with a court order or to assert or defend legal claims or we consider it necessary for other legal reasons. In doing so, we may also disclose personal data to other parties to the proceedings;

When we transfer claims against you to other companies such as collection agencies;

When we are considering or carrying out transactions such as business combinations or the acquisition or sale of individual parts of a company or its assets, or become the subject of a transaction ourselves.

9. When do we disclose your personal data abroad?

The recipients of your personal data may in each case be located abroad - including outside the EU or EEA. The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or in the EU or EEA. If we transfer your personal data to such a country, we will ensure the protection of your personal data in an appropriate manner. One means of doing so is by entering into data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. These include contracts that have been approved, issued or recognized by the European Commission and the Federal Data Protection and Information Commissioner, so-called standard contractual clauses. Likewise, transfers to recipients that are subject to the US Privacy Shield program are permitted. An example of the data transfer agreements we typically use can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_de. Please contact us if you would like more information about the data transfer agreements we have in place or other appropriate safeguards we apply to transfers abroad. In exceptional cases, transfers to countries without adequate safeguards may also be permitted in other cases, e.g. based on explicit consent or for the assertion, exercise or defense of legal claims.

10. Do we perform profiling?

By "profiling" we mean a process in which personal data is processed automatically in order to analyze or predict personal aspects. We often perform profiling. For example, we analyze shopping behavior, use of our websites and apps, and other transactional and behavioral data and make assumptions about your personal interests, preferences, affinities, and habits based on that information. Profiling helps us to better tailor our offering to your individual needs and, as far as possible, only present you with advertising and offers that are actually relevant to you. In order to improve the quality of our analyses, we may also link personal data that originates from different sources, e.g. data collected offline and online as well as data collected via various of our services or that we receive from other companies of the J & A Group. To the extent that such profiling is related to direct marketing, you have the right to object to it as described in Section 15.

11. Do we carry out automated individual decisions?

As a rule, we do not carry out automated individual decisions. We will inform you separately should we use automated individual case decisions in individual cases. An "automated individual case decision" is a decision that is fully automated, i.e. without relevant human influence, and that has negative legal effects on you or other similarly negative effects.

12. How do we protect your personal data?

We take appropriate security measures of a technical nature (e.g., encryption, pseudonymization, logging, access restriction, data backup, etc.) and of an organizational nature (e.g., instructions to our employees, confidentiality agreements, audits, etc.) to maintain the security of your personal data, to protect it against unauthorized or unlawful processing, and to address the risk of loss, unintentional alteration, unauthorized disclosure or access. However, security risks can generally not be completely excluded; certain residual risks are usually unavoidable.

How long do we store your personal data?

We store your personal data in personal form for as long as it is necessary for the specific purpose for which we collected it, in the case of contracts usually at least for the duration of the contractual relationship. We also store personal data if we have a legitimate interest in storing it. This may be the case in particular if we need personal data to enforce or defend claims, for archiving purposes and to ensure IT security. We also store your personal data for as long as they are subject to a statutory retention obligation. For certain data, for example, a ten-year retention period applies. For other data, short retention periods apply in each case, e.g. for recordings from video surveillance or for recordings of certain processes on the Internet (log data). In certain cases, we also ask for your consent if we want to store personal data for longer (e.g. in the case of job applications that we want to keep pending). After expiry of the above-mentioned periods, we delete or anonymize your personal data.

14. How do we process personal data of children?

The processing of personal data of children is generally not part of our business activity. If we nevertheless process personal data of children, we take special care to protect children, and if we process personal data of children based on consent, we ask the parents or legal representatives for their consent. If consent was given to a child by its parents or legal representatives, the adult is free to revoke this consent at a later date.

15. What rights do you have in connection with the processing of your personal data?

You have the right to object to data processing if we process your personal data on the basis of a legitimate interest. You can also object at any time to data processing in connection with direct advertising (e.g. advertising e-mails). This also applies to profiling, insofar as it is connected with such direct advertising.

To the extent that the applicable conditions are met in each case and no statutory exceptions apply, you also have the following rights:

Right to information: you have the right to be informed in a transparent, clearly understandable and comprehensive manner about how we process your personal data and what rights you have in connection with the processing of your personal data. With this privacy policy, we are fulfilling this obligation. If you would like further information, please feel free to contact us.

Right to information: You have the right to request information about your personal data stored by us free of charge at any time. This gives you the opportunity to check what personal data we are processing about you. In individual cases, the right to information may be restricted or excluded, in particular if there are doubts about your identity or if this is necessary to protect other persons.

Right to rectification: You have the right to have incorrect or incomplete personal data corrected or completed and to be informed about the correction.

Right to erasure: You have the right to request the erasure of your personal data if the personal data is no longer required for the purposes pursued, you have effectively revoked your consent or effectively objected to the processing, or the personal data is being processed unlawfully. In individual cases, the right to deletion may be excluded, in particular if the processing is necessary for the exercise of freedom of expression or for the exercise of legal claims.

Right to restrict processing: Under certain circumstances, you have the right to request that the processing of your personal data be restricted. This may mean, for example, that personal data is (temporarily) not further processed or that published personal data is (temporarily) removed from a website.

Right to data transfer: You have the right to receive from us the personal data that you have provided to us in a structured, common and machine-readable format, provided that the specific data processing is based on your consent or is necessary for the performance of the contract, and the processing is carried out with the help of automated procedures.

Right of revocation: Insofar as we process your personal data on the basis of consent, you have the right to revoke your consent at any time. The revocation applies only for the future; however, processing activities based on your consent in the past will not become unlawful as a result of your revocation.

You are also free to lodge a complaint with a competent supervisory authority about the way in which your personal data is processed if you believe that the data processing violates applicable law. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

16. How can you contact us?

If you wish to exercise any of the above rights or otherwise have questions or concerns about this Privacy Policy or the processing of your personal data, you are welcome to contact us as indicated in Section 2. This is the best way for us to address your concerns.

You are then also free to contact our data protection officer or our representative in the European Union or the European Economic Area using the contact information below.

17. Changes to this Privacy Policy

This Privacy Policy may be amended over time, in particular if we change our data processing practices or if new legislation becomes applicable. We will actively inform persons whose contact details are registered with us of any significant changes if this can be done without disproportionate effort. In general, the data protection statement in the version current at the start of the processing in question applies to data processing in each case.