Privacy Policy of iqtax AG

1. Data controller and content of this Privacy Policy

We, iqtax AG, Erlenstrasse 4b, 6343 Rotkreuz (the Company), are the operator of the website www.iqtax.ch (the Website) and, unless otherwise specified in this Privacy Policy, are responsible for the data processing activities described in this Privacy Policy.

To help you understand what personal data we collect from you and how we use it, please review the information below. Our data protection practices are primarily based on the legal requirements of Swiss data protection law, in particular the Federal Act on Data Protection (FADP).

Please note that the information below is reviewed and updated from time to time. We therefore recommend that you review this Privacy Policy regularly. Furthermore, for certain data processing activities listed below, other companies are the data controllers or joint data controllers under data protection law; in such cases, the information provided by those providers is also applicable.

2. Data protection officer

If you have any questions about data protection or would like to exercise your rights, please contact our data protection officer by sending an email to the following address: info@iqtax.ch.

3. Scope and purpose of the collection, processing, and use of personal data

3.1 Data processing when you contact us

When you contact us via our contact addresses and channels (e.g., by email, phone, or contact form), your personal data will be processed. We process the data you have provided to us, such as your name, email address, phone number, and the nature of your inquiry. In addition, the time of receipt of the inquiry is documented. Required fields in contact forms are marked with an asterisk (*). We process this data to address your inquiry (e.g., providing information about our products and services, assisting with contract processing, incorporating your feedback into the improvement of our products and services, etc.).

The legal basis for this data processing is our legitimate interest, as defined in Article 6(1)(f) of the GDPR, in addressing your request; or, if your request relates to the conclusion or performance of a contract, the necessity of taking the necessary steps, as defined in Article 6(1)(b) of the GDPR.

3.2 Data processing when using our chat feature

When you contact us via chat, your personal data will be processed. We process the data you have provided to us, such as your company name, your name, your job title, your email address, and the nature of your inquiry. In addition, the time your inquiry was received is recorded. Required fields are marked with an asterisk (*). We process this data exclusively to address your inquiry (e.g., providing information about our products and services, assisting with contract processing, incorporating your feedback into the improvement of our products and services, etc.).

To facilitate communication via the chat function, we use a software application provided by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland, and 55 2nd Street, 4th Floor, San Francisco, CA 94104, USA. Therefore, your data may be stored in a database maintained by Intercom, which may allow Intercom to access your data if necessary for the provision of the software and for support in using the software. Information regarding the processing of data by third parties and any transfer of data abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in the use of modern communication technologies; or, if your inquiry is aimed at entering into or fulfilling a contract, in taking the necessary steps within the meaning of Article 6(1)(b) of the GDPR.

Intercom may wish to use some of this data for its own purposes (e.g., to send marketing emails or for statistical analysis). Intercom is the data controller for these data processing activities and must ensure compliance with data protection laws in connection with them. For more information about Intercom’s data processing activities, please visit https://www.intercom.com/legal/privacy.

3.3 Data processing when opening a customer account

If you create a customer account on our website, we will collect the following information; required fields in the form are marked with an asterisk (*):

• Personal information:  
  
  • Last name,
  • First name
• Login details:  
  
  • Email address
  • Password
• Additional information: 
  
  • Languages

We use your personal information to verify your identity and ensure that you meet the registration requirements. Your email address and password serve as your login credentials, thereby ensuring that the correct person is using the website under the information you provided. We also need your email address to verify and confirm the creation of your account and for future communication with you as required for contract fulfillment.

We also use this data to provide an overview of your orders and services purchased, as well as a convenient way to manage your personal information; to administer our website and contractual relationships; and to establish, define the terms of, process, and modify the contracts we have entered into with you regarding your customer account (e.g., in connection with your order with us).

We process your language preferences to display recommendations on the website that are tailored as closely as possible to your profile and personal needs, to collect and analyze statistics on the products and services you select, and thereby to optimize our service and product recommendations.

The legal basis for processing your data for the aforementioned purpose is your consent pursuant to Article 6(1)(a) of the GDPR. You may withdraw your consent at any time by removing the information from your customer account, deleting your customer account, or requesting that we delete it by notifying us.

To prevent unauthorized access, you should always keep your login credentials confidential, log out after each session, and clear your browser history—especially if you share your device with others.

3.4 Data processing when using customer service

You can take advantage of a wide range of customer service offerings, some of which may require the processing of personal data. In such cases, we collect the following information; required fields in the forms are marked with an asterisk (*):

• Title
• First and Last Name
• Gender
• Date of Birth
• Address
• Phone Number
• Email Address
• Language
• Credit Card Information

We use this data to verify your identity. We need your email address to communicate with you as necessary to provide customer service. We store this data, along with the details, timing, and content of the requested service, in our CRM database (see Section 4) so that we can ensure the proper fulfillment of the requested service. To the extent necessary for the performance of the contract, we will also share the required information with any third-party service providers.

The legal basis for this data processing is our legitimate interest, as defined in Article 6(1)(f) of the EU GDPR, in addressing your request; or, if your request relates to the performance of a contract with you, the necessity of taking the steps necessary to enter into or perform a contract, as defined in Article 6(1)(b) of the EU GDPR.

3.5 Data processing in the preparation of tax returns

On our website, you can prepare and edit your tax returns, track their status, and view the results. The following information is required to prepare your tax return; mandatory fields in the forms are marked with an asterisk (*):

• First Name
• Last Name
• Address
• Gender
• Marital Status
• Family Information
• Financial Information
• Religious Affiliation
• Occupation and Employment Information
• Email Address
• Phone Number
• Date of Birth
• Regulatory Identification Numbers

Based on the plan you have selected, we use AI systems provided by Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, which classify and extract your data to optimize the preparation of tax returns. Therefore, your data may be stored in a database maintained by these companies, which may allow them to access your data if necessary for the provision of the software and for support in using the software. Information regarding the processing of data by third parties and any transfer of data abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in processing your request to prepare tax returns or, if your request is aimed at entering into or performing a contract, in taking the necessary steps within the meaning of Article 6(1)(b) of the GDPR.

3.6 Data processing when scheduling tax consultation appointments

To ensure your documents are prepared correctly, you can schedule a tax consultation with one of our certified experts. These experts will assist and advise you in preparing your tax return. The following information is required to schedule an appointment; required fields are marked with an asterisk (*) on the forms:

• First and last name
• Email address

Certified experts have access to the information you choose to share with them during the consultation.

To organize our tax consulting services, we use a software application provided by Calendly LLC, 115 E Main Street, Suite A1, Buford, GA 30518, USA. As a result, your data may be stored in a Calendly database, which may allow Calendly to access your data if necessary to provide the software and to assist you in using it. Information regarding the processing of data by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in addressing your request for tax advice or, if your inquiry relates to the conclusion or performance of a contract, in taking the necessary steps within the meaning of Article 6(1)(b) of the GDPR.

3.7 Data processing during payment processing

When you purchase products, services, or gift cards using electronic payment methods, the processing of personal data is required. By using the payment terminals, you transmit the information stored in your payment method - such as the cardholder’s name and the card number -to the relevant payment service providers (e.g., payment solution providers, credit card issuers, and credit card acquirers). These parties also receive information that the payment method was used in connection with our company, the amount, and the time of the transaction. Conversely, we only receive confirmation of the payment amount at the relevant time, which we can associate with the corresponding receipt number, or a notification that the transaction was not possible or was canceled. Please always also refer to the information provided by the respective company, in particular its privacy policy and terms and conditions. The legal basis for our data processing is the performance of a contract pursuant to Article 6(1)(b) of the GDPR.

We reserve the right to store a copy of your credit card information as a security measure. To prevent payment defaults, we may also transmit the necessary data—in particular your personal information—to a credit bureau for an automated assessment of your creditworthiness. In this context, the credit bureau may assign you a so-called score. This is an estimate of the future risk of default, e.g., expressed as a percentage. The score is calculated using mathematical and statistical methods and incorporates data from other sources provided to the credit bureau.  We reserve the right, based on the information received, not to offer you the “invoice” payment method. The legal basis for this data processing is our legitimate interest under Article 6(1)(f) of the GDPR in preventing payment defaults.

We use a software application from Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, to process payments. As a result, your data may be stored in a Stripe database, which may allow Stripe to access your data if necessary to provide the software and to assist you in using it. Information regarding the processing of data by third parties and any potential transfer of data abroad can be found in Section 5 of this Privacy Policy. The legal basis for our data processing is the performance of a contract with you pursuant to Article 6(1)(b) of the GDPR.

3.8 Data processing in e-mail marketing

When you sign up for our marketing emails (e.g., when visiting our website), the following information is collected. Required fields are marked with an asterisk (*) during registration:

• Email address
• Title
• First and last name

By registering, you consent to the processing of this data so that we may send you marketing emails about our products and services. These marketing emails may also include invitations to participate in contests, provide feedback, or review our products and services. Collecting your title, first name, and last name allows us to link your registration to an existing customer account, if one exists, and thereby personalize the content of the marketing emails. Linking your registration to a customer account allows us to make the offers and content in the marketing emails more relevant to you and better tailored to your potential needs.

We will use your data to send you marketing emails until you withdraw your consent. You may withdraw your consent at any time, in particular by clicking the unsubscribe link included in all marketing emails.

By subscribing to our marketing emails, you also consent to the statistical analysis of user behavior for the purpose of optimizing and tailoring our marketing emails.

3.9 Data processing when submitting reviews

To support our quality management, you have the opportunity to rate our products and services. The data processed in this context is used primarily to optimize our services. This includes evaluating inquiries and complaints, consolidating and analyzing all raw data, and conducting further analyses that help us continuously improve our understanding of the needs of our service recipients. The legal basis for data processing is your consent pursuant to Article 6(1)(a) of the GDPR.

You may withdraw your consent at any time and request that your review be anonymized.

We reserve the right to contact you if we suspect that a review is unlawful and to ask you to provide a statement.

The legal basis for this processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in providing a lawful and authentic comment and review feature and in preventing misuse of these features.

3.10 Data processing related to job applications

You have the option of applying for a position at our company either on an open application basis or in response to a specific job posting. In doing so, we process the personal data you provide.

We use the information you provide to review your application and assess your suitability for the position. Application materials from unsuccessful candidates will be deleted once the application process has concluded, unless you explicitly consent to a longer retention period or we are legally required to retain them for a longer period.

The legal basis for processing your data for this purpose is the performance of a contract (pre-contractual phase) pursuant to Article 6(1)(b) of the GDPR.

4. Centralized data storage and analysis in the CRM system

Provided that the data can be clearly linked to you, we will store and link the data described in this Privacy Policy—specifically, your personal information, your contact details, your contract information, and your browsing activity on our websites—in a central database. This serves to efficiently manage customer data, allows us to appropriately process your requests, and enables us to efficiently provide the services you have requested and fulfill the associated contracts.

The legal basis for this data processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in the efficient management of user data.

We also analyze this data to further develop our products and services in line with your needs and to be able to display and suggest information and offers that are as relevant to you as possible. We also use methods that predict your potential interests and future orders based on your use of our website.

The legal basis for this data processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in conducting marketing activities.

5. Disclosure and transfer abroad

5.1 Disclosure to third parties and third-party access

Without the support of other companies, we would not be able to provide our products and services in the desired form. In order for us to utilize the services of these companies, it is necessary to share your personal data with them to a certain extent. We share your data only with selected third-party service providers and only to the extent necessary to ensure the optimal provision of our services.

Various third-party service providers are already explicitly mentioned in this privacy policy. The other service providers are as follows:

• CookieYes Limited, 3 Warren Yard, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom. For more information about data processing in connection with CookieYes, please visit https://www.cookieyes.com/privacy-policy
• Brevo (Sendinblue GmbH), Köpenicker Strasse 126, 10179 Berlin, Germany. For more information about data processing, please visit https://www.brevo.com/de/legal/privacypolicy/

The legal basis for these disclosures is the necessity for the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.

Your data will also be disclosed to the extent necessary to fulfill the contractual relationship. The legal basis for such disclosures is the necessity to fulfill a contract within the meaning of Article 6(1)(b) of the GDPR. For this data processing, the third-party service providers are the controllers within the meaning of the Data Protection Act, not us. It is the responsibility of these third-party service providers to inform you about their own data processing activities—which go beyond the transfer of data for the provision of services—and to comply with data protection laws.

In addition, your data may be disclosed, in particular to government authorities, legal advisors, or debt collection agencies, if we are legally required to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof, and such disclosure is necessary to conduct a due diligence review or to complete the transaction.

The legal basis for this data processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in safeguarding our rights and fulfilling our obligations, or in the sale of our company or shares thereof.

5.2 Transfer of personal data abroad

We are authorized to transfer your personal data to third parties abroad if this is necessary to carry out the data processing activities described in this Privacy Policy. Specific data transfers have been mentioned above in section 3. In doing so, we naturally comply with the legal requirements regarding the disclosure of personal data to third parties. Zu den Staaten, in welche Daten übermittelt werden, gehören solche, die gemäss Beschluss des Bundesrats und der EU-Kommission über ein angemessenes Datenschutzniveau verfügen (wie z.B. die Mitgliedstaaten des EWR oder aus Sicht der EU auch die Schweiz), aber auch solche Staaten (wie z.B. die USA), deren Datenschutzniveau nicht als angemessen betrachtet wird (vgl. dazu Anhang 1 der Datenschutzverordnung (DSV) sowie die EU Commission website). If the country concerned does not have an adequate level of data protection, unless an exception is specified in individual data processing (see Art. 49 GDPR), we ensure that your data is adequately protected by these companies through appropriate guarantees. Unless otherwise stated, this is the choice of companies operating under the Privacy framework agreement are certified or to standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, which are on the websites of Swiss Data Protection and Information Officer (EDÖB) and the EU Commission can be retrieved. If you have any questions about the measures taken, please contact our contact person for data protection (see section 2).

5.2 Information on data transfers to the United States

Some of the third-party service providers mentioned in this Privacy Policy are based in the United States. For the sake of completeness, we would like to point out to users residing or based in Switzerland or the EU that surveillance measures by U.S. authorities exist in the United States that generally allow for the storage of all personal data of any individuals whose data has been transferred from Switzerland or the EU to the United States. This occurs without differentiation, restriction, or exception based on the intended purpose and without an objective criterion that would allow the US authorities’ access to the data and its subsequent use to be limited to very specific, strictly defined purposes capable of justifying the intrusion associated with both access to and use of this data. Furthermore, we would like to point out that in the United States, data subjects from Switzerland or the EU have no legal remedies or effective judicial protection against the general access rights of U.S. authorities, which allow them to access data concerning them and to obtain its correction or deletion. We explicitly draw your attention to this legal and factual situation to enable you to make an informed decision regarding whether to consent to or object to the use of your data.

We also wish to inform users residing in Switzerland or an EU member state that, from the perspective of the European Union and Switzerland - based, among other things, on the explanations provided in this section - the United States does not provide an adequate level of data protection. Where we have explained in this Privacy Policy that recipients of data (such as Google) are based in the United States, we will ensure that your data is adequately protected by our third-party service providers by selecting companies certified under the Privacy Shield Framework, entering into contractual arrangements with these companies, and, where necessary, providing additional appropriate safeguards.

6. Background data processing on our website

6.1 Data processing when visiting our website (log file data)

When you visit our website, the servers of our hosting provider, Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, temporarily store each visit in a log file. Log file data is stored and processed on Google Cloud servers in Zurich (Switzerland). The following data is collected automatically and stored by us until it is automatically deleted:

• IP address of the requesting computer;
• Date and time of access;
• Name and URL of the file accessed;
• Website from which the access originated, including any search terms used; operating system of your computer and the browser you are using (including type, version, and language settings);
• Device type in the case of access via mobile phones;
• City or region from which the access occurred; and
• Name of your Internet service provider.

This data is collected and processed for the purpose of enabling the use of our website (establishing a connection), ensuring the long-term security and stability of the system, and enabling error and performance analysis as well as the optimization of our website (see also Section 6.4 regarding the latter points).

In the event of an attack on the website’s network infrastructure or if there is suspicion of any other unauthorized or abusive use of the website, the IP address and other data will be analyzed for investigative and defensive purposes and, if necessary, used to identify the user in question in the context of civil or criminal proceedings.

For the purposes described above, our legitimate interest within the meaning of Article 6(1)(f) of the GDPR constitutes the legal basis for the processing of personal data.

Finally, when you visit our website, we use cookies as well as applications and tools that rely on cookies. In this context, the data described here may also be processed. For more details, please refer to the subsequent sections of this Privacy Policy, in particular Section 6.2 below.

6.2 Cookies

Cookies are small text files that your web browser stores on your computer’s hard drive or in its memory when you visit our website. Cookies are assigned identification numbers that allow your browser to be identified and the information contained in the cookie to be read.

Among other things, cookies help make your visit to our website easier, more enjoyable, and more meaningful. We use cookies for various purposes that are necessary for the use of the website you desire, i.e., they are “technically necessary.” For example, we use cookies to identify you as a registered user after you log in, so that you do not have to log in again each time you navigate to different subpages. The provision of ordering functions is also based on the use of cookies. Furthermore, cookies perform other technical functions necessary for the operation of the website, such as load balancing—that is, distributing the site’s traffic load across different web servers to reduce the load on individual servers. Cookies are also used for security purposes, for example, to prevent the unauthorized posting of content. Finally, we also use cookies in the context of the design and programming of our website, e.g., to enable the uploading of scripts or code.

The legal basis for this data processing is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in providing a user-friendly and modern website.

Most web browsers automatically accept cookies. However, when you access our website, we ask for your consent to the use of non-essential cookies, particularly third-party cookies used for marketing purposes. You can select your preferred settings using the buttons in the cookie banner. Details regarding the services and data processing associated with each cookie can be found within the cookie banner as well as in the following sections of this Privacy Policy.

You may also be able to configure your browser so that cookies are not stored on your computer or so that a notification always appears when you receive a new cookie. On the following pages, you will find instructions on how to configure cookie settings in selected browsers.

• Google Chrome for desktop
• Google Chrome for mobile
• Apple Safari
• Microsoft Windows Internet Explorer
• Microsoft Windows Internet Explorer Mobile
• Mozilla Firefox

Disabling cookies may prevent you from using all the features of our website.

6.3 Tracking and web analytics tools

6.3.1 General information about tracking

We use the web analytics services listed below to design our website in a way that meets user needs and to continuously optimize it. In this context, pseudonymized user profiles are created and cookies are used (please also refer to Section 6.2). The information generated by the cookie regarding your use of this website is generally transmitted together with the log file data listed in Section 6.1 to a server operated by the service provider, where it is stored and processed. This may also involve a transfer to servers abroad, e.g., in the U.S. (see, in particular, sections 5.2 and 5.3 regarding the lack of an adequate level of data protection and the safeguards provided).

By processing the data, we obtain the following information, among other things:

• The navigation path a visitor takes on the site (including content viewed and products selected or purchased, or services booked);
• Time spent on the website or subpage; subpage from which the website is exited;
• Country, region, or city from which access occurs;
• Device (type, version, color depth, resolution, width, and height of the browser window); and
• Whether the visitor is a returning or new visitor.

On our behalf, the provider will use this information to analyze website usage, in particular to compile statistics on website activity and to provide additional services related to website and internet usage for the purposes of market research and to tailor the design of these websites to user needs. For these processing activities, we and the provider may, to a certain extent, be considered joint controllers under data protection law.

The legal basis for this data processing in connection with the following services is your consent within the meaning of Article 6(1)(a) of the GDPR. You may revoke your consent at any time or object to the processing by rejecting or disabling the relevant cookies in your web browser settings (see Section 6.2) or by making use of the service-specific options described below.

For further processing of the data by the respective provider as the (sole) data controller under data protection law, including, in particular, any disclosure of this information to third parties - such as government agencies - pursuant to national legal requirements, please refer to the provider’s respective privacy policy.

6.3.2 Google Analytics

We use the web analytics service Google Analytics provided by Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

Contrary to the description in Section 6.4.1, IP addresses are not logged or stored in Google Analytics (in the version used here, “Google Analytics 4”). For access originating from the EU, IP address data is used only to derive location data and is deleted immediately thereafter. When collecting measurement data in Google Analytics, all IP lookups are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing. Google Analytics uses regional data centers. When a connection is established in Google Analytics to the nearest available Google data center, the measurement data is sent to Analytics via an encrypted HTTPS connection. In these centers, the data is further encrypted before being forwarded to the Analytics processing servers and made available on the platform. The most suitable local data center is determined based on IP addresses. This may also result in data being transferred to servers abroad, e.g., in the United States (see, in particular, section 5.2 regarding the lack of an adequate level of data protection and the safeguards provided).

We also use the “Google Signals” technical extension, which enables cross-device tracking. This allows us to associate a single website visitor with different devices. However, this only occurs if the visitor is logged into a Google service while visiting the website and has also enabled the “personalized ads” option in their Google Account settings. Even then, however, we do not have access to any personal data or user profiles; they remain anonymous to us. If you do not wish to use “Google Signals,” you can disable the “personalized ads” option in your Google Account settings.

Users can prevent Google from collecting the data generated by the cookie and related to the user’s use of the website (including the IP address), as well as from processing this data, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

As an alternative to the browser plugin, users can click this link to prevent Google Analytics from tracking their activity on the website in the future. Doing so will place an opt-out cookie on the user’s device. If users delete cookies (see Section 6.2 Cookies), they must click the link again.

6.4 Social media profile

On our website, we have included links to our profiles on the social media platforms of the following providers:

• Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Data protection notices;
• Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland, Data protection notices;
• LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland Data protection notices.
• TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom, Data protection notices.

When you click on the social media icons, you will be automatically redirected to our profile on the respective social media platform. This establishes a direct connection between your browser and the server of the respective social media platform. As a result, the platform receives the information that you have visited our website using your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g., in the U.S. (see, in particular, sections 5.2 and 5.3 regarding the lack of an adequate level of data protection and the safeguards provided).

If you click on a link to a social network while logged into your account on that network, the content of our website may be linked to your profile, allowing the network to associate your visit to our website directly with your account. If you wish to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account will occur in any case if you log in to the respective network after clicking the link. The respective provider is the data controller for the associated data processing under data protection law. Please therefore refer to the privacy policy on the network’s website.

The legal basis for any data processing attributed to us is our legitimate interest, within the meaning of Article 6(1)(f) of the GDPR, in the use and promotion of our social media profiles.

6.5 Online advertising and targeting

6.5.1 In general

We use services provided by various companies to present you with interesting offers online. This involves analyzing your user behavior on our website and on other providers’ websites so that we can subsequently display online advertisements tailored specifically to you.

Most technologies used to track your user behavior and to display targeted advertising rely on cookies (see also Section 6.2), which allow your browser to be recognized across different websites. Depending on the service provider, it may also be possible for you to be recognized online even when using different devices (e.g., a laptop and a smartphone). This may be the case, for example, if you have registered for a service that you use on multiple devices.

In addition to the data already mentioned, which is generated when you visit websites (Log file data, see section 6.1) and when cookies are used (section 6.2) and which can reach the companies participating in the advertising networks, the following data in particular is included in the selection of the advertising that is potentially most relevant to you:

• Information about yourself that you provided when registering or using an advertising partner service (e.g. your gender, age group); and
• User behavior (e.g. search queries, interactions with advertising, types of websites visited, products or services viewed and purchased, subscribed newsletters).

We and our service providers use this data to identify whether you belong to the target group we are targeting and take this into account when selecting advertisements. For example, after you have visited our site, you may see ads of the products or services you have consulted when you visit other pages (Re-targeting). Depending on the scope of the data, a user profile can also be created, which is automatically evaluated, with the ads being selected in accordance with the information stored in the profile, such as membership of specific demographic segments or potential interests or behaviours. Such ads can be shown to you on various channels, including, in addition to our website or app (as part of onsite and in-app marketing), advertisements that are delivered via the online advertising networks we use.

As part of retargeting and banner advertising, we work with third parties who set cookies on our website. The third parties mentioned are the following companies:

• Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland Privacy statement;
• Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Data protection notices.
• TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom, Data protection notices.

The data can then be evaluated for the purpose of billing with the service provider and to assess the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. This may also include information that the performance of an action (e.g. visiting certain sections of our websites or sending information) is due to a specific advertising ad. We also receive aggregated reports from service providers of ad activity and information about how users interact with our website and ads.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time by rejecting or switching off the relevant cookies in your web browser settings (see section 6.2). Further options for blocking advertising can also be found in the information provided by the respective service provider.

7. Retention periods

We only store personal data for as long as is necessary to carry out the processing described in this privacy policy within the framework of our legitimate interest. In the case of contract data, storage is required by legal storage obligations. Requirements that oblige us to store data result from accounting and tax regulations. According to these regulations, in particular, business communication, concluded contracts and accounting documents must be kept for up to 10 years. If we no longer need this data to perform the services for you, the data will be blocked. This means that the data may only be used if this is necessary to fulfill storage obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer a storage obligation and there is no longer a legitimate interest in storing it.

8. Data security

We use appropriate technical and organizational security measures to protect your personal data stored by us against loss and unlawful processing, in particular unauthorized access by third parties. Our employees and the service providers commissioned by us are obliged by us to maintain confidentiality and to protect data protection. In addition, these persons are only granted access to personal data to the extent necessary to perform their duties.

Our security measures are constantly being adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot therefore guarantee the security of information transmitted in this way.

9. Your rights

If the legal requirements are met, you have the following rights as a person affected by data processing:

Right to information: You have the right to request access to your personal data stored by us at any time and free of charge when we process it. This gives you the opportunity to check which personal data we process about you and whether we process it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to have incorrect or incomplete personal data corrected and to be informed of the correction. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.

Right to delete: You have the right to have your personal data deleted under certain circumstances. In individual cases, in particular in the case of legal storage obligations, the right to deletion may be excluded. In this case, if the conditions are met, deletion may be replaced by blocking the data.

Right to restrict processing: You have the right to request that the processing of your personal data be restricted.

Right to data transfer: You have the right to receive from us the personal data that you have provided to us free of charge in a readable format.

Right to object: You can object to data processing at any time, in particular when processing data in connection with direct marketing (e.g. marketing emails).

Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not be unlawful as a result of your withdrawal.

To exercise these rights, please send us an email to the following address: info@iqtax.ch

Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way your personal data is processed.