1. What is this Privacy Policy about?
Bluco (hereinafter also referred to as "Bluco", "we", "us") collects and processes personal data concerning you or other persons (so-called "third parties"). We use the term "data" synonymously with "personal data" or "personal information".
- "Personal data" refers to data that relates to a specific or identifiable person, i.e., conclusions about their identity can be drawn from the data itself or with relevant additional data. "Particularly sensitive personal data" is a category of personal data that is especially protected under applicable data protection law. Examples of particularly sensitive personal data include data revealing racial and ethnic origin, health data, information about religious or philosophical beliefs, biometric data for identification purposes, and information about trade union membership. Section 3 provides information on the data we process under this Privacy Policy. "Processing" means any handling of personal data, e.g., collecting, storing, using, adapting, disclosing, and deleting.
This Privacy Policy describes what we do with your data when you visit www.bluco.ai, other websites of ours or use our apps (hereinafter collectively referred to as "Website"), purchase our services or products, are otherwise in a contractual relationship with us, communicate with us, or are involved with us in any other way. We may inform you in writing in advance about additional processing activities not mentioned in this Privacy Policy. Additionally, we may inform you separately about the processing of your data, e.g., in consent declarations, contractual conditions, additional privacy policies, forms, and notices.
If you provide us with data about other people, such as family members, work colleagues, etc., we assume that you are authorized to do so and that these data are accurate. By transmitting data about third parties, you confirm this. Please also ensure that these third parties are informed about this Privacy Policy.
This Privacy Policy is designed to comply with the requirements of the EU General Data Protection Regulation (GDPR). The applicability of these regulations may vary depending on specific circumstances.
2. Who is responsible for the processing of your data?
Bluco, Paris ("Bluco"), is responsible for the data processing described in this Privacy Policy unless otherwise communicated in individual cases, e.g., in further privacy policies, on forms, or in contracts.
- For each data processing activity, one or more entities are responsible for ensuring that the processing complies with data protection laws. This entity is called the "controller". It is responsible, for example, for responding to requests for information (section 11) or ensuring that personal data are secure and not used improperly.
- In the data processing activities described in this Privacy Policy, other entities may also be co-responsible if they co-decide on the purpose or design of the processing. If you wish to obtain information about the individual controllers for a specific data processing activity, you may request such information from us within the scope of the right to information (section 11). Bluco remains your primary contact, even if other co-responsible parties exist.
- In section 3, section 7, and section 12, you will find further information on third parties we cooperate with and who are responsible for their processing activities. If you have questions or wish to exercise your rights against these third parties, please contact them directly.
- A list of third parties to whom we may disclose your data or who may be co-responsible for processing your data can be found here Central IT service providers of Bluco.
You can reach us for your data protection concerns and the exercise of your rights according to section 11 as follows:
Bluco, 5 Parv. Alan Turing, 75013, Paris, hello@bluco.ai
3. What data do we process?
We process various categories of data about you. The most important categories are the following:
- Technical Data: When you use our website or other electronic offers, we collect the IP address of your device and other technical data to ensure the functionality and security of these offers. These data also include logs that record the use of our systems. We usually store technical data for 6 months. To ensure the functionality of these offers, we may also assign an individual code to you or your device (e.g., in the form of a cookie, see section 12). The technical data alone generally do not allow us to draw conclusions about your identity. However, they may be linked to other data categories (and thus possibly to your person) in the context of user accounts, registrations, access controls, or contract processing.
- Technical data include, among others, the IP address and information about the operating system of your device, the date, the region, and the time of use, as well as the type of browser with which you access our electronic offers. This can help us deliver the correct formatting of the website or display a website customised for your region. Based on the IP address, we know which provider you use to access our offers (and thus also the region), but we usually cannot deduce who you are from this. This changes, for example, if you create a user account because then personal data can be linked to technical data (we see, for example, which browser you use to access an account through our website). Examples of technical data also include logs ("logs") that occur in our systems (e.g., the log of user logins on our website).
- Registration Data: Certain offers and services (e.g., login areas of our website, newsletter dispatch, etc.) can only be used with a user account or registration, which can be done directly with us or via our external login providers. In this process, you must provide us with certain data, and we collect data about the use of the offer or service. Access controls for certain facilities may generate registration data; depending on the control system, biometric data may also be involved. We usually store registration data for 12 months after the end of the use of the service or the dissolution of the user account.
- Registration data include, among others, the information you provide when creating an account on our website (e.g., username, password, name, email). Registration data also include the data we may require from you before you can use certain free services. In the context of access controls, we may need to register you with your data (access codes on badges, biometric data for identification) (see the category "other data").
- Communication Data: When you contact us via the contact form, email, phone, chat, mail, or other communication means, we collect the data exchanged between you and us, including your contact details and the peripheral data of the communication. If we record or listen to phone calls or video conferences, for example, for training and quality assurance purposes, we will specifically inform you about this. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed about whether and when such recordings take place, e.g., through a display during the relevant video conference. If you do not wish for a recording, please inform us accordingly or terminate your participation. If you only wish to prevent the recording of your image, please turn off your camera. If we want or need to verify your identity, for example, in the case of a request for information, an application for media access, etc., we collect data to identify you (e.g., a copy of an ID document). We usually store these data for 12 months after the last exchange with you. This period may be longer if required for evidential purposes or to comply with legal or contractual obligations or if technically necessary. Emails in personal mailboxes and written correspondence are usually stored for at least 10 years. Recordings of (video) conferences are usually stored for 24 months.
- Communication data are your name and your contact details, the manner, place, and time of communication and usually also its content (i.e., the content of emails, letters, chats, etc.). These data may also include information about third parties. For identification purposes, we may also process your ID number or a password set by you or your press ID. For secure identification, the following mandatory information must be provided for media inquiries: publishing company, name of the publication, title, first name, last name, postal address, email address, and telephone number of the reporting person.
- Master Data: We refer to the basic data, in addition to contract data (see below), that we need to process our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details, and information about your role and function, your bank account(s), your date of birth, customer history, powers of attorney, signature authorizations, and consent declarations. We process your master data if you are a customer or other business contact, work for such a contact (e.g., as a contact person of the business partner), or because we want to address you for our own purposes or those of a contractual partner (e.g., in the context of marketing and advertising, with invitations to events, vouchers, newsletters, etc.). We receive master data from you (e.g., during a purchase or as part of a registration), from entities for which you work, or from third parties such as our contractual partners, associations, and address traders, and from publicly accessible sources such as public registers or the internet (websites, social media, etc.). We usually store these data for 10 years after the last exchange with you, but at least after the end of the contract. This period may be longer if required for evidential purposes or to comply with legal or contractual obligations or if technically necessary. For pure marketing and advertising contacts, the period is usually much shorter, mostly not more than 2 years since the last contact.
- Master data include, for example, data such as name, address, email address, telephone number, and other contact details, gender, date of birth, nationality, information about connected persons, websites, profiles in social media, photos and videos, copies of ID documents; furthermore, information about your relationship with us (customer, supplier, visitor, recipient of services, etc.), information about your status with us, allocations, classifications, and distribution lists, information about our interactions with you (possibly a history of them with corresponding entries), reports (e.g., from the media) or official documents (e.g., commercial register excerpts, permits, etc.) concerning you. As payment information, we collect, for example, your bank details, account number, and credit card data. Consent or blocking notes are also part of the master data, as are information about third parties, e.g., contact persons, recipients of services, advertising recipients, or representatives.
- Regarding contact persons and representatives of our customers, suppliers, and partners, we process as master data, for example, name and address, information about role, function in the company, qualifications, and possibly information about superiors, employees, and subordinates, and interactions with these persons.
- Master data are not collected comprehensively for all contacts. The data we collect in individual cases depends particularly on the purpose of the processing.
- Contract Data: These are data that arise in connection with the conclusion or execution of a contract, e.g., information about contracts and the services to be provided or provided, as well as data from the preliminary stages of a contract, the necessary or used information for execution, and information about reactions. We usually collect these data from you, from contractual partners, and from third parties involved in the execution of the contract, but also from third-party sources (e.g., providers of credit information) and from publicly accessible sources. We usually store these data for 10 years after the last contract activity, but at least after the end of the contract. This period may be longer if required for evidential purposes or to comply with legal or contractual obligations or if technically necessary.
- Contract data include information about the conclusion of the contract, about your contracts, e.g., the type and date of the contract conclusion, information from the application process (such as an application for our products or services), and information about the respective contract (e.g., its duration) and the execution and management of contracts (e.g., information related to invoicing, customer service, support for technical matters, and the enforcement of contractual claims). Contract data also include information about defects, complaints, and adjustments of a contract, as well as information about customer satisfaction, which we may collect, for example, through surveys. Contract data also include financial data, such as information about creditworthiness (i.e., information that allows conclusions about the likelihood that claims will be settled), reminders, and debt collection. We receive some of these data from you (e.g., when you make payments), but also from credit reporting agencies and collection companies and from publicly accessible sources (e.g., a commercial register).
- Behavioral and Preference Data: Depending on our relationship with you, we try to get to know you better and tailor our products, services, and offers to you more accurately. To do this, we collect and use data about your behavior and preferences. We do this by evaluating information about your behavior in our area, and we may also supplement this information with data from third parties, including publicly accessible sources. Based on this, we can calculate, for example, the likelihood that you will use certain services or behave in a certain way. The data processed for this purpose are already known to us in part (e.g., if you use our services) or we obtain these data by recording your behavior (e.g., how you navigate our website). We anonymize or delete these data when they are no longer meaningful for the pursued purposes, which can be between 2-3 weeks and 24 months (for product and service preferences) depending on the type of data. This period may be longer if required for evidential purposes or to comply with legal or contractual obligations or if technically necessary. How tracking works on our website is described in section 12.
- Behavioral data are information about specific actions, e.g., your reaction to electronic messages (e.g., whether and when you have opened an email) or your location, as well as your interaction with our social media profiles and your participation in sweepstakes, competitions, and similar events. We may, for example, wirelessly capture your location data through unique codes emitted by your mobile phone or when you use our website.
- Preference data give us insight into your needs, which products or services might interest you, or when and how you are likely to respond to messages from us. We obtain this information from analyzing existing data, such as behavioral data, to better understand you, tailor our advice and offers more accurately to you, and generally improve our offers. To improve the quality of our analyses, we may link these data with other data we collect, including data from third parties, such as address traders, government offices, and publicly accessible sources, such as the internet, e.g., information about your household size, income class, purchasing power, shopping behavior, and contact details of relatives, and anonymous data from statistical offices.
- Behavioral and preference data can be evaluated personally (e.g., to show you personalized advertising), but also non-personally (e.g., for market research or product development). Behavioral and preference data can also be combined with other data (e.g., movement data can be used as part of a health protection concept for contact tracing).
- Other Data: We also collect data about you in other situations. For example, data may arise in connection with administrative or judicial proceedings (such as files, evidence, etc.) that may also relate to you. For health protection reasons, we may also collect data (e.g., as part of protection concepts). We may receive or create photos, videos, and audio recordings in which you may be recognizable (e.g., at events, through security cameras, etc.). We may also collect data about when certain buildings are entered or who has corresponding access rights (including access controls, based on registration data or visitor lists, etc.), who participates in events or actions, or who uses our infrastructure and systems. Finally, we collect and process data about our shareholders and other investors; in addition to master data, these include, among others, information for the corresponding registers, regarding the exercise of their rights, and the execution of events (e.g., general meetings). The retention period of these data is based on the purpose and is limited to what is necessary. This ranges from a few days for many security cameras and usually a few weeks for data for contact tracing, to visitor data, which are usually stored for 3 months, to reports about events with images, which can be stored for several years or longer. Data about you as a shareholder or other investor are stored according to corporate law requirements, in any case as long as you are invested.
Many of the data mentioned in this section 3 are disclosed by you (e.g., via forms, in communication with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, except in individual cases, e.g., as part of mandatory protection concepts (legal obligations). If you want to enter into contracts with us or claim services, you must also provide us with data within the scope of your contractual obligation according to the relevant contract, in particular master, contract, and registration data. The processing of technical data is inevitable when using our website. If you want to gain access to certain systems or buildings, you must provide us with registration data.
- Certain services are only available to you if you transmit registration data to us because we or our contractual partners want to know who is using our services or has accepted an invitation to an event, because it is technically necessary, or because we want to communicate with you. If you or a person you represent (e.g., your employer) want to conclude or fulfill a contract with us, we must collect the corresponding master, contract, and communication data from you, and we process technical data if you want to use our website or other electronic offers. If you do not provide us with the data necessary for the conclusion and execution of the contract, you must expect that we will refuse to conclude the contract, you will commit a breach of contract, or we will not fulfill the contract. Likewise, we can only send you a response to a request from you if we process the corresponding communication data and – if you communicate with us online – possibly also technical data. The use of our website is also not possible without receiving technical data.
Where not prohibited, we also obtain data from publicly accessible sources (e.g., debt enforcement registers, land registers, commercial registers, media, or the internet including social media) or receive data from authorities and other third parties (such as credit reporting agencies, address traders, associations, contractual partners, internet analysis services, etc.).
- The categories of personal data that we receive from third parties about you particularly include information from public registers, information that we learn in connection with official and judicial proceedings, information related to your professional functions and activities (so that we can, for example, complete and process transactions with your employer with your help), information about you in correspondence and meetings with third parties, credit reports (insofar as we conduct personal business with you), information about you provided by people in your environment (family, advisors, legal representatives, etc.) so that we can conclude or process contracts with you or involving you (e.g., references, your address for deliveries, powers of attorney, information to comply with legal requirements such as fraud, money laundering, and terrorism prevention, and export restrictions, information from banks, insurance companies, and sales and other contractual partners of ours for availing or providing services by you (e.g., payments, purchases, etc.), information from the media and the internet about you (insofar as it is indicated in the specific case), your address and possibly interests and further sociodemographic data (especially for marketing and research) and data related to the use of third-party websites and online offers, where this use can be attributed to you.
4. For what purposes do we process your data?
We process your data for the purposes explained below. Additional information for the online area can be found in sections 12 and 13. These purposes, or the objectives underlying them, represent legitimate interests of ours and possibly of third parties. You can find further details on the legal basis of our processing in section 5.
Primarily, we process data to provide our website and offer the associated services. This includes – but is not limited to – the processing (receipt, storage, forwarding, etc.) of data in connection with applications (e.g., names, date of birth, salary expectations, former or current employers, education, etc.).
Additionally, we process your data for the following purposes:
We process your data for purposes related to communicating with you, especially for responding to inquiries and asserting your rights (section 11) and to contact you in case of follow-up questions. For this purpose, we particularly use communication data and basic data and, in connection with offers and services you use, also registration data. We store this data to document our communication with you, for training purposes, quality assurance, and for inquiries.
- This concerns all purposes related to communication between you and us, whether in customer service or consulting, for authentication in case of using the website, or for training and quality assurance (e.g., in the area of customer service). We further process communication data so we can communicate with you via email and telephone, as well as messenger services, chat, social media, letters, and fax. Communication with you mostly occurs in connection with other processing purposes, e.g., to provide services or respond to an information request. Our data processing also serves to prove the communication and its content.
We process data for the initiation, management, and handling of contractual relationships.
- We enter into contracts of various kinds with our business and private customers, suppliers, subcontractors, or other contractual partners such as project partners or parties in legal disputes. In this context, we particularly process basic data, contract data, and communication data, and depending on the circumstances, also registration data of the customer or of persons to whom the customer provides a service.
- In the course of initiating business, personal data – particularly basic data, contract data, and communication data – of potential customers or other contractual partners (e.g., in an order form or contract) are collected or arise from communication. Also, in connection with concluding a contract, we process data for credit checks and for opening customer accounts. Some of this information is verified to comply with legal requirements.
- In the course of handling contractual relationships, we process data for managing customer relationships, for the provision and enforcement of contractual services (which also includes involving third parties such as logistics companies, security services, advertising service providers, banks, insurance companies, or credit reporting agencies, which can then in turn provide us with data), for consulting and customer support. Also, enforcing legal claims from contracts (collections, court proceedings, etc.), as well as accounting, terminating contracts, and public communication are part of the handling process.
We process data for marketing purposes and relationship management, e.g., to send our customers and other contractual partners personalized advertising for products and services from us and from third parties (e.g., advertising partners). This can occur in the form of newsletters and other regular contacts (electronically, by mail, by phone), through other channels for which we have your contact information, but also as part of individual marketing actions (e.g., events, competitions, etc.) and may also include free services (e.g., invitations, vouchers, etc.). You can refuse such contacts at any time (see at the end of this section 4) or deny or revoke consent for being contacted for advertising purposes. With your consent, we can target our online advertising on the internet more specifically to you (refer to section 12). Finally, we also want to enable our contractual partners to approach our customers and other contractual partners for advertising purposes (refer to section 7).
- For example, with your consent, we transmit to you information, advertising, and product offers from us and third parties (e.g., advertising partners), in print, electronically, or by phone. For this purpose, we primarily process communication and registration data. Like most companies, we personalize communications so that we can provide you with individual information and offers that match your needs and interests. To do this, we link data that we process about you and determine preference data and use this data as the basis for personalization (refer to section 3). We also process data in connection with competitions, sweepstakes, and similar events.
- Relationship management also includes addressing existing customers and their contacts – possibly personalized based on behavior and preference data. As part of relationship management, we may also operate a Customer Relationship Management system (CRM) in which we store the necessary data for maintaining relationships with customers, suppliers, and other business partners, e.g., about contact persons, relationship history (e.g., about products and services purchased or supplied, interactions, etc.), interests, desires, marketing measures (newsletters, invitations to events, etc.), and other information.
- All these processes are important not only for advertising our offers as effectively as possible but also for making our relationships with customers and other third parties more personal and positive, focusing on the most important relationships, and using our resources as efficiently as possible.
We continue to process your data for market research, to improve our services and operations, and for product development.
- We strive to continuously improve our products and services (including our website) and to respond quickly to changing needs. For example, we analyze how you navigate through our website or how products are used by different groups of people in various ways and how new products and services can be designed (for more details, see section 12). This gives us insights into the market acceptance of existing products and the market potential of new products and services. For this purpose, we particularly process basic data, behavioral and preference data, as well as communication data and information from customer surveys, polls, and studies, and further information, e.g., from the media, social media, the internet, and other public sources. Where possible, we use pseudonymized or anonymized data for these purposes. We may also engage media monitoring services or conduct media monitoring ourselves, processing personal data to perform media work or to understand and respond to current developments and trends.
- With your consent, we use non-anonymized location data to point out interesting offers and products nearby based on your location, infer your interests from location data (duration of stay), and inform you which products and services other contractual partners with similar interests have used.
We may also process your data for security purposes and access control.
- We continuously review and improve the appropriate security of our IT and other infrastructure (e.g., buildings). Like all companies, we cannot completely rule out data security breaches, but we do our utmost to reduce the risks. Therefore, we process data, for example, for monitoring, controls, analyses, and tests of our networks and IT infrastructures, for system and error checks, for documentation purposes, and in the context of security backups. Access controls include the control of access to electronic systems (e.g., logging into user accounts) as well as physical access control (e.g., building access). For security purposes (preventively and for investigating incidents), we also keep entry logs or visitor lists and use monitoring systems (e.g., security cameras).
We process personal data to comply with laws, directives, and recommendations from authorities and internal regulations («Compliance»).
- This includes, for example, the implementation of health and safety concepts or the legally regulated fight against money laundering and terrorist financing. In certain cases, we may be obliged to carry out specific investigations on customers ("Know Your Customer") or to report to authorities. Also, fulfilling disclosure, information, or reporting obligations, for example, in connection with supervisory and tax obligations, presupposes or involves data processing, e.g., fulfilling archiving obligations and preventing, detecting, and clarifying crimes and other offenses. This also includes receiving and processing complaints and other reports, monitoring communication, internal investigations, or disclosing documents to an authority if we have a sufficient reason or are legally obliged to do so. In external investigations, e.g., by a law enforcement or supervisory authority or a commissioned private entity, your personal data may also be processed. Furthermore, we process data for the support of our shareholders and other investors and fulfill our related obligations. For all these purposes, we particularly process your basic data, your contract data, and communication data, but possibly also behavioral data and data from the category of other data. The legal obligations may involve Swiss law, but also foreign provisions to which we are subject, as well as self-regulations, industry standards, our own "corporate governance," and authority instructions and requests.
We also process data for the purposes of our risk management and as part of prudent corporate governance, including operational organization and corporate development.
- For these purposes, we particularly process basic data, contract data, registration data, and technical data, as well as behavioral and communication data. For example, as part of our financial management, we need to monitor our debtors and creditors, and we must prevent becoming victims of offenses and abuses, which may require the analysis of data for corresponding patterns. For these purposes, and for your and our protection against criminal or abusive activities, we may also perform profiling and create and process profiles (see also section 6). In planning our resources and organizing our operations, we must evaluate and process data on the use of our services and other offerings, or share such information with others (e.g., outsourcing partners), which may include your data. The same applies to services provided to us by third parties. As part of corporate development, we may sell business units or companies to others or acquire them from others or enter into partnerships, which can also lead to the exchange and processing of data (including yours, e.g., as a customer or supplier or as a supplier's representative).
We may process your data for additional purposes, e.g., as part of our internal processes and administration or for training and quality assurance purposes.
- These additional purposes include, for example, training and educational purposes, administrative purposes (such as the management of basic data, accounting, data archiving, and the testing, management, and ongoing improvement of IT infrastructure), the protection of our rights (e.g., to enforce claims in court, pre-litigation or out-of-court, and before authorities domestically and abroad, or to defend against claims, for example, through evidence collection, legal clarifications, and participation in judicial or administrative proceedings), and the evaluation and improvement of internal processes. We may use recordings of (video) conferences for training and quality assurance purposes. Also, the protection of further legitimate interests is among the additional purposes, which cannot be exhaustively listed.
5. On what basis do we process your data?
Where we ask for your consent for specific processing activities, we will inform you separately about the respective purposes of the processing. Consents can be revoked at any time by written notice (by post) or, unless otherwise specified or agreed, by email to us at any time with effect for the future; our contact details can be found in section 2. For withdrawing your consent for online tracking, see section 12. Where you have a user account, a withdrawal or contact with us may also be made through the respective website or other service. As soon as we receive the notification of the withdrawal of your consent, we will no longer process your data for the purposes to which you originally agreed, unless we have another legal basis for doing so. The revocation of your consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
Where we do not ask for your consent for processing, we base the processing of your personal data on the fact that the processing is necessary for the initiation or execution of a contract with you (or the entity you represent) or that we or third parties have a legitimate interest in doing so, in particular to pursue the purposes and associated objectives described above in section 4 and to be able to implement corresponding measures. Our legitimate interests also include compliance with legal regulations, to the extent that these are not already recognized as a legal basis by the applicable data protection law (e.g., GDPR rights in the EEA and in Switzerland). This also includes the marketing of our products and services, the interest in better understanding our markets, and managing and further developing our company, including its operational business, securely and efficiently.
If we receive sensitive data (e.g., health data, information on political, religious, or philosophical beliefs, or biometric data for identification purposes), we may also process your data based on other legal grounds, e.g., in the case of disputes due to the necessity of processing for a possible legal proceeding or for the assertion or defense of legal claims. In individual cases, other legal reasons may apply, which we will communicate to you as necessary separately.
6. What applies to profiling and automated individual decision-making?
We may automatically assess certain personal characteristics of yours for the purposes mentioned in section 4 based on your data (section 3) («Profiling»), whether we want to determine preference data, identify abuse and security risks, conduct statistical analyses, or for operational planning purposes. For the same purposes, we can also create profiles, i.e., we can combine behavioral and preference data, as well as basic and contract data and technical data associated with you, to better understand you as a person with your various interests and other characteristics.
- If you are a customer of ours, for example, we can use «Profiling» based on your purchases to determine which additional products you are likely interested in. However, we can also use it to check your creditworthiness before offering you purchase on account. An automated evaluation of data can also check, for your protection, the probability of a certain transaction being fraudulent. This allows us to stop the transaction for clarification. «Profiles» are different; they involve linking various data to gain insights into significant aspects of your personality from the totality of this data (e.g., what you like or how you behave in certain situations). Profiles can also be used for marketing or security purposes.
In both cases, we ensure the proportionality and reliability of the results and take measures against the abusive use of these profiles or profiling. If such actions can lead to legal effects or significant disadvantages for you, we generally provide for a manual review.In certain situations, for the sake of efficiency and consistency of decision-making processes, it may be necessary to automate discretionary decisions concerning you with legal effects or possibly significant disadvantages («automated individual decisions»). In this case, we will inform you accordingly and provide the measures required by applicable law.
- An example of an automated individual decision is the automatic acceptance of an order by an online shop. Pure if-then decisions are not meant (e.g., when the computer lets you access your user account after checking your password), but discretionary decisions (e.g., the decision to enter into a contract). We will inform you in each case if an automated decision leads to negative legal consequences or a comparable significant impairment for you. If you disagree with the outcome of such a decision, you will be able to communicate with a human who will review the decision.
7. To whom do we disclose your data?
In connection with our contracts, website, services, and products, our legal obligations, or otherwise to protect our legitimate interests and the additional purposes listed in section 4, we also disclose your personal data to third parties, especially to the following categories of recipients:
- Service providers: We collaborate with service providers both domestically and internationally, who process data about you on our behalf or in joint responsibility with us, or who independently receive data about you from us (e.g., IT providers, shipping companies, advertising service providers, login service providers, cleaning companies, security services, banks, insurance companies, collection agencies, credit reporting agencies, or address verification services). This may include health data. For service providers involved with the website, see section 12. Central IT service providers are listed at the following link Central IT Service Providers of Bluco.
- To efficiently provide our products and services and focus on our core competencies, we involve third-party services in numerous areas. These services include IT services, information dispatch, marketing, sales, communication or printing services, facility management, security and cleaning, organization and execution of events and receptions, debt collection, credit reporting agencies, address verification (e.g., to update address records during relocations), fraud prevention measures, and services from consulting firms, lawyers, banks, insurers, and telecom companies. We disclose to these service providers the necessary data related to their services, which may include your data. These providers may also use such data for their purposes, e.g., anonymized data to improve their services. Moreover, we enter into contracts with these service providers that include data protection provisions, unless such protection arises from the law. Our service providers may process data on how their services are used and other data that arise during the use of their service as independent controllers for their legitimate interests (e.g., for statistical evaluations or billing). Service providers inform about their independent data processing in their privacy policies Central IT Service Providers of Bluco.
- Contractual partners including customers: Primarily, this means customers (e.g., service recipients) and other contractual partners of ours, as this data transfer results from these contracts. If you are acting for such a contractual partner, we may also disclose data about you in this context. This may include health data. Additionally, recipients include contractual partners with whom we cooperate or who advertise for us, to whom we therefore disclose data about you for analysis and marketing purposes (this can again be service recipients, but also sponsors and online advertising providers). We require these partners to only send you advertising or display ads based on your data if you have consented to it (for online areas, see section 12).
- If you act as an employee for a company with which we have entered into a contract, the processing of this contract may lead to us informing the company, for example, about how you have used our service. Cooperation and advertising contractual partners receive selected basic, contract, behavioral, and preference data from us so they can perform non-personal analyses in their area (e.g., about the number of our customers who have seen their advertising) and use data for advertising purposes (including targeted outreach to you). For instance, advertising partners should be able to communicate with and send advertisements to suitable other customers of ours.
- Authorities: We may disclose personal data to offices, courts, and other authorities domestically and internationally if we are legally obligated or authorized to do so or if it seems necessary to protect our interests. This may include health data. The authorities process data about you, which they receive from us, under their responsibility.
- Cases include criminal investigations, police measures (e.g., health protection schemes, violence prevention, etc.), regulatory requirements and investigations, judicial proceedings, reporting obligations, pre-litigation and out-of-court proceedings, as well as legal information and cooperation duties. Data disclosure can also occur when we seek information from public entities, e.g., to justify an information interest or because we need to state whom we need information about (e.g., from a register).
- Other parties: This refers to other cases where involving third parties arises from the purposes according to section 4.
- Other recipients include, for example, delivery addresses or payment recipients specified by you, other third parties within the context of representation (e.g., if we send your data to your lawyer or bank) or persons involved in administrative or court proceedings. If we collaborate with media and transfer material to them (e.g., photos), you may also be affected. The same applies to the publication of content (e.g., photos, interviews, quotes, etc.) on our website or in other publications of ours. In the course of corporate development, we may sell or acquire businesses, business units, assets, or companies or enter into partnerships, which can also result in the disclosure of data (including yours, e.g., as a customer or supplier or as a supplier representative) to persons involved in these transactions. In the course of communication with our competitors, industry organizations, associations, and other bodies, there may also be data exchange affecting you.
All these categories of recipients may in turn involve third parties, so your data may also become accessible to them. We can restrict processing by certain third parties (e.g., IT providers), but not by others (e.g., authorities, banks, etc.).
We reserve the right to disclose this data, including confidential data, unless we have explicitly agreed with you that we will not disclose this data to certain third parties, unless we are legally obligated to do so. Nonetheless, your data will continue to be subject to appropriate data protection in Switzerland and the rest of Europe after disclosure. For disclosure to other countries, the provisions of section 8 apply. If you prefer that certain data not be disclosed, please inform us so that we can consider whether and to what extent we can accommodate your request (section 2).
- In many cases, disclosing also confidential data is necessary to process contracts or provide other services. Confidentiality agreements usually do not exclude such data disclosures, nor does disclosure to service providers. According to the sensitivity of the data and other circumstances, we ensure that these third parties handle the data appropriately. We cannot accommodate your objection to data disclosure if the respective data disclosures are necessary for our activities.
We also allow certain third parties to collect personal data about you on our website and at our events (e.g., media photographers, providers of tools that we have integrated into our website, etc.). To the extent we are not significantly involved in these data collections, these third parties are solely responsible. For concerns and to assert your data protection rights, please contact these third parties directly. See section 12 for the website.
8. Do your personal data also go abroad?
As explained in section 7, we also disclose data to other entities. These are not only located in France. Your data can also be processed in Europe as well as in Liechtenstein; in exceptional cases, however, in any country in the world.If a recipient is located in a country without adequate legal data protection, we contractually oblige the recipient to comply with the applicable data protection (for this purpose, we use the revised standard contractual clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless they are already subject to a legally recognized framework to ensure data protection, and we cannot rely on an exception provision. An exception may apply in particular in legal proceedings abroad, but also in cases of overriding public interest or when the execution of a contract requires such disclosure, if you have consented, or if it concerns data you have made publicly available and whose processing you have not objected to.
- Many countries outside of France, the EU, and the EEA currently do not have laws that, from the perspective of the DPA or GDPR, ensure an adequate level of data protection. The aforementioned contractual arrangements can partly compensate for this weaker or missing legal protection. However, contractual arrangements cannot eliminate all risks (notably from state access abroad). You should be aware of these residual risks, even if the risk in individual cases may be low and we take further measures (e.g., pseudonymization or anonymization) to minimize it.
Please also note that data exchanged over the internet often pass through third countries. Therefore, your data may also reach foreign countries even if the sender and recipient are in the same country.
9. How long do we process your data?
We process your data as long as our processing purposes, legal retention periods, and our legitimate interests in processing for documentation and evidence purposes require, or as long as storage is technically necessary. Further information on the respective storage and processing duration can be found for each category of data in section 3 and for cookie categories in section 12. Unless legal or contractual obligations prevent it, we delete or anonymize your data after the storage or processing period has expired as part of our standard procedures.
- Documentation and evidence purposes include our interest in documenting processes, interactions, and other facts in case of legal claims, disputes, purposes of IT and infrastructure security, and proof of good corporate governance and compliance. Technical necessity for storage may occur when certain data cannot be separated from other data, and we must therefore store them together (e.g., in the case of backups or document management systems).
10. How do we protect your data?
We take appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data, to protect it against unauthorized or unlawful processing, and to mitigate the risks of loss, accidental alteration, unwanted disclosure, or unauthorized access.
- Security measures of a technical and organizational nature may include, for example, encryption and pseudonymization of data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, and controls. We protect your data transmitted via our website in transit through suitable encryption mechanisms. However, we can only secure areas that we control. We also require our processors to take appropriate security measures. However, security risks cannot be completely eliminated; residual risks are unavoidable.
11. What rights do you have?
The applicable data protection law grants you, under certain circumstances, the right to object to the processing of your data, especially for purposes of direct marketing, profiling conducted for direct advertising, and other legitimate interests in processing.
To facilitate your control over the processing of your personal data, depending on the applicable data protection law, you also have the following rights in connection with our data processing:
- The right to request information from us about whether and what data we process about you;
- The right to request the correction of data if they are inaccurate;
- The right to request the deletion of data;
- The right to request from us the release of certain personal data in a common electronic format or their transfer to another controller;
- The right to revoke consent if our processing is based on your consent;
- The right to request further information necessary for exercising these rights;
- The right to present your viewpoint in case of automated individual decisions (section 6) and to request that the decision be reviewed by a natural person.
If you wish to exercise the above-mentioned rights against us, please contact us in writing, on-site, or, unless otherwise specified or agreed, by email; our contact details can be found in section 2. To prevent misuse, we must identify you (e.g., with a copy of an ID, if not possible otherwise).
You also have these rights towards other entities that work with us independently – please contact them directly if you want to exercise rights in connection with their processing. Information about our major partners and service providers can be found in section 7, additional information in section 12.
Please note that these rights may be subject to conditions, exceptions, or restrictions according to applicable data protection law (e.g., to protect third parties or trade secrets). We will inform you accordingly if necessary.
- In particular, we may need to continue processing and storing your personal data to fulfill a contract with you, protect our own legitimate interests, such as asserting, exercising, or defending legal claims, or comply with legal obligations. Where legally permissible, especially to protect the rights and freedoms of other affected persons and to safeguard legitimate interests, we may therefore fully or partially reject a data subject request (e.g., by redacting certain content that affects third parties or our trade secrets).
If you disagree with how we handle your rights or with data protection, please let us know (section 2). Especially if you are located in the EU, EEA, the United Kingdom, or France, you also have the right to complain to the data protection authority of your country.
A list of the authorities in the EEA can be found here:https://edpb.europa.eu/about-edpb/board/members_en.
The supervisory authority of the United Kingdom can be reached here:https://ico.org.uk/global/contact-us/.
12. Do we use online tracking and online advertising techniques?
On our website, we employ various techniques that allow us and third parties involved by us to recognize you during your usage and possibly track you across multiple visits. In this section, we inform you about these practices.The core purpose is to differentiate your access (via your system) from that of other users, enabling us to ensure the functionality of the website and to perform evaluations and personalizations. We do not intend to infer your identity, even if we or third parties involved by us can identify you by combining this with registration data. Even without registration data, the employed techniques are designed so that you are recognized as an individual visitor on each page call, for example, by assigning a specific identification number to you or your browser (known as a «cookie»).
- Cookies are individual codes (e.g., a serial number) that our server or a server of our service providers or advertising partners transmits to your system during the connection with our website, which your system (browser, mobile) receives and stores until the programmed expiration date. On each subsequent access, your system transmits these codes back to our server or the third party's server. This way, you are recognized again, even if your identity is unknown.
- Whenever you access a server (e.g., when using a website or an app or because an image is integrated in an email, visibly or invisibly), your visits can thus be «tracked» (followed). When we integrate offers from an advertising partner or an analytics tool provider on our website, this provider can track you in the same way, even if you cannot be identified in individual cases.
We use such techniques on our website and allow certain third parties to do the same. Depending on the purpose of these techniques, we ask for your consent before they are deployed. You can program your browser to block certain cookies or alternative techniques, to deceive or to delete existing cookies. You can also extend your browser with software that blocks tracking by certain third parties. More information can be found on your browser's help pages (usually under "Privacy") or on the websites of the third parties we list below.
The following cookies are distinguished (techniques with functionalities similar to fingerprinting are included here):
- Necessary Cookies: Some cookies are essential for the functioning of the website or certain features. They ensure, for example, that you can navigate between pages without losing data entered in a form. They also ensure that you remain logged in. These cookies exist only temporarily («Session Cookies»). If you block them, the website may not function properly. Other cookies are necessary so that the server can store decisions or inputs made by you beyond a session (e.g., chosen language, given consent, the function for automatic login, etc.). These cookies have an expiration date of up to 24 months.
- Performance Cookies: To optimize our website and corresponding offers and to better align them with users' needs, we use cookies to record and analyze the usage of our website, possibly beyond the session. We do this through the use of third-party analytics services. We have listed these below. Before we deploy such cookies, we ask for your consent. Performance cookies also have an expiration date of up to 24 months. Details can be found on the websites of the third-party providers.
- Marketing Cookies: We and our advertising partners are interested in directing advertising to specific target groups, i.e., showing it primarily to those we want to reach. We have listed our advertising partners below. For this purpose, we and our advertising partners – if you consent – also use cookies that can capture the content accessed or contracts concluded. This enables us and our advertising partners to display advertising that we assume interests you, on our website as well as on other websites that show advertising from us or our advertising partners. These cookies have an expiration duration of a few days to 12 months, depending on the situation. If you consent to the use of these cookies, you will be shown corresponding advertising. If you do not consent to these cookies, you will not see less advertising, but rather different advertising.
We may also integrate additional third-party offers on our website, particularly from social media providers. These offers are by default deactivated. As soon as you activate them (e.g., by clicking a button), the respective providers can detect that you are on our website. If you have an account with the social media provider, they can assign this information to you and thus track your use of online offers. These social media providers process this data under their responsibility.
Currently, we use offers from the following service providers and advertising partners (insofar as they use data from you or cookies set by you for advertising control):
- Hubspot: Hubspot Germany GmbH (based in Germany) acts as our processor, tracking visitor behavior on our website (duration, frequency of pages accessed, geographical origin of access, etc.) through performance cookies (see above) and creating reports on website usage for us.
- Posthog: Posthog Inc. (based in the USA) acts as our processor, tracking visitor behavior on our website (duration, frequency of pages accessed, geographical origin of access, etc.) through performance cookies (see above) and creating reports on website usage for us. The service is hosted on servers in Germany, and the associated data is stored on servers in Germany.
- Cookiebot by Usercentrics: Usercentrics A/S (based in Denmark) is the provider of the "Cookiebot" service and acts as our processor, storing preferences of users regarding the use of cookies in general through necessary cookies (see above).
- SalesViewer: SalesViewer GmbH (based in Germany) offers the "SalesViewer" service and collects data for marketing, market research, and optimization purposes based on the legitimate interests of the website operator (Art. 6 (1) lit.f GDPR). A JavaScript-based code is used for this purpose to collect business-related data and corresponding usage. The data collected with this technology is encrypted using a one-way hashing function that cannot be reversed. The data is immediately pseudonymized and not used to personally identify the visitor to this website. The data stored by SalesViewer will be deleted as soon as it is no longer needed for its intended purpose and there are no legal storage obligations to the contrary. Data collection and storage can be objected to at any time with effect for the future by clicking this link to prevent SalesViewer from collecting data within this website in the future. An opt-out cookie for this website will be placed on your device. If you delete your cookies in this browser, you must click this link again.
- Facebook Pixel: Facebook Ireland Ltd. (based in Ireland) acts as our processor. By using Facebook Pixel, performance cookies (see above) are used to track visitor behavior on our website (duration, frequency of pages accessed, geographical origin of access, etc.) and to create reports on website usage for us. Data collection and storage can be objected to at any time with effect for the future by clicking here and making the corresponding settings in your Facebook account.
- TikTok Pixel: TikTok Technology Limited (based in Ireland) acts as our processor. By using TikTok Pixel, performance cookies (see above) are used to track visitor behavior on our website (duration, frequency of pages accessed, geographical origin of access, etc.) and to create reports on website usage for us. Data collection and storage can be objected to at any time with effect for the future by clicking here and making the corresponding settings in your TikTok account.
- Google Analytics: Google Ireland Limited (based in Ireland) acts as our processor. By using Google Analytics, performance cookies (see above) are used to track visitor behavior on our website (duration, frequency of pages accessed, geographical origin of access, etc.) and to create reports on website usage for us. Data collection and storage can be objected to at any time with effect for the future by clicking here and downloading and installing the Google Analytics Opt-out Browser Add-on.
- Webflow: Webflow Inc. (based in the USA) serves as our hosting service provider for the website (www.bluco.ai; not our applications or recruiter portal). The hosting service and the storage of all associated data take place in the USA. These locations ensure global distribution and availability of content through a content delivery network.
Some of the emails we send you may contain a "web beacon pixel" (clear GIFs) or tracked links. This allows us to determine when you have opened the email and which links in the email you have accessed. We use this information to determine which parts of our emails are of greatest interest to you. You can delete the pixel by deleting the email. If you do not want the pixel to be downloaded to your computer or another device, you can ensure this by choosing to receive emails from us in plain text format rather than HTML format or by not opening any images in your email.
13. What data do we process on our social network pages?
We may operate pages and other online presences («Fanpages», «Channels», «Profiles», etc.) on social networks and platforms operated by third parties and collect data about you as described in section 3 and below. We receive this data from you and the platforms when you interact with our online presence (e.g., when you communicate with us, comment on our content, or visit our presence). At the same time, the platforms evaluate your use of our online presences and link this data with other information about you known to the platforms (e.g., about your behavior and preferences). They also process this data for their own purposes under their own responsibility, especially for marketing and market research purposes (e.g., to personalize advertising) and to manage their platforms (e.g., what content they show you).
- We receive data about you when you communicate with us via online presences or view our content on the respective platforms, visit our online presences, or are active in them (e.g., publishing content, commenting). These platforms also collect technical data, registration data, communication data, behavioral and preference data from or about you (for terms, see section 3). Regularly, these platforms statistically evaluate how you interact with us, how you use our online presences, our content, or other parts of the platform (what you view, comment, "like", share, etc.) and link this data with further information about you (e.g., age, gender, and other demographic information). This way, they also create profiles about you and statistics on the use of our online presences. They use this data and profiles to show you our or other advertisements and content on the platform personalized to you, and to manage the platform's behavior, but also for market and user research, and to provide us and other entities with information about you and the use of our online presence. We can partly control the evaluations that these platforms create regarding the use of our online presences.
We process this data for the purposes described in section 4, especially for communication, marketing purposes (including advertising on these platforms, see section 12), and market research. You can find information on the relevant legal bases in section 5. Content published by you (e.g., comments on an announcement) can be further disseminated by us (e.g., in our advertising on the platform or elsewhere). We or the operators of the platforms can also delete or restrict content about or from you according to the usage policies (e.g., inappropriate comments).
For more information on the processing by the operators of the platforms, please refer to the privacy notices of the platforms. There, you will also learn in which countries they process your data, what rights you have regarding access, deletion, and other data subject rights, and how you can exercise them or obtain further information.
- We currently use the following platforms:
- Facebook: The responsible entity for the operation of the platform for users in Europe is Facebook Ireland Ltd., Dublin, Ireland. Their privacy policy can be accessed at www.facebook.com/policy. Some of your data is transferred to the USA. You can object to advertising here: www.facebook.com/settings?tab=ads. Regarding the data collected and processed during the visit of our page for the creation of «Page Insights», we are jointly responsible with Facebook Ireland Ltd., Dublin, Ireland. Page Insights generate statistics about what visitors do on our page (comment on posts, share content, etc.). This is described at www.facebook.com/legal/terms/information_about_page_insights_data. It helps us understand how our page is used and how we can improve it. We only receive anonymous, aggregated data. Our responsibilities regarding data protection are regulated according to the information at www.facebook.com/legal/terms/page_controller_addendum.
- WhatsApp: Responsible for the operation of the entire WhatsApp platform within Europe is WhatsApp Ireland Limited, Dublin, Ireland, or WhatsApp LLC, Menlo Park, California for the rest of the world. Their privacy notices are available at https://www.whatsapp.com/legal/privacy-policy-eea (Europe) or https://www.whatsapp.com/legal/privacy-policy/?lang=en (Rest of the World).
- Instagram: The responsible entity for the operation of the platform for users within Europe is Meta Platforms Ireland Limited, Dublin, Ireland. The privacy policy for Instagram can be accessed at https://privacycenter.instagram.com/policy.
- LinkedIn: Responsible for the operation of the platform within Europe is LinkedIn Ireland, Dublin, Ireland. Their privacy policy can be accessed at https://www.linkedin.com/legal/privacy-policy.
- Twitter: Responsible for the operation of the platform within Europe is Twitter International Unlimited Company, Dublin, Ireland. Their privacy policy can be accessed at https://twitter.com/privacy.
14. Can this Privacy Policy be changed?
This Privacy Policy is not part of a contract with you. We can adjust this Privacy Policy at any time. The version published on this website is the current version.
Last update: June 2, 2024