Privacy Policy

With this Privacy Policy, we inform about the personal data we process in connection with our activities and operations, including our website. We particularly inform about why, how, and where we process which personal data. We also inform about the rights of individuals whose data we process.

Additional privacy policies as well as other legal documents such as General Terms and Conditions (T&Cs), Terms of Use, or Participation Conditions may apply to specific or additional activities and operations.

We are subject to Swiss data protection law and possibly applicable foreign data protection law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission recognizes that Swiss data protection law ensures adequate data protection.

1. Contact Addresses

Responsibility for the processing of personal data:

Markus Lüdi
CANNAPHARM AG, Burgergasse 50, 3400 Burgdorf

We point out if there are other responsible parties for the processing of personal data in individual cases.

2. Terms and Legal Bases

2.1 Terms

Personal data are all details relating to a specific or identifiable natural person. An affected person is a person whose personal data we process.

Processing includes every handling of personal data, regardless of the means and methods used, for example, querying, matching, adjusting, archiving, storing, reading, disclosing, procuring, recording, collecting, deleting, revealing, sorting, organizing, storing, modifying, distributing, linking, destroying, and using personal data.

The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law, in particular, the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process – provided and as far as the General Data Protection Regulation (GDPR) is applicable – personal data according to at least one of the following legal bases:

  • Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data for the performance of a contract with the affected person and for the implementation of pre-contractual measures.
  • Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect our or third parties' legitimate interests, provided the fundamental freedoms and rights and interests of the affected person do not prevail. Legitimate interests are, in particular, our interest in carrying out our activities and operations permanently, user-friendly, safely, and reliably, and to communicate about them, ensuring information security, protection against misuse, the assertion of our legal claims, and compliance with Swiss law.
  • Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to comply with a legal obligation to which we may be subject according to the applicable law of member states in the European Economic Area (EEA).
  • Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task in the public interest.
  • Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the affected person.
  • Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the affected person or another natural person.

3. Type, Scope, and Purpose

We process those personal data that are required in order to carry out our activities and tasks continuously, user-friendly, safely, and reliably. Such personal data can particularly fall into the categories of inventory and contact data, browser and device data, content data, meta or marginal data, usage data, location data, sales data, as well as contract and payment data.

We process personal data for the duration that is necessary for the respective purpose or purposes or as required by law. Personal data that is no longer necessary for processing is anonymized or deleted.

We may have personal data processed by third parties. We may process personal data together with third parties or transfer it to third parties. Such third parties are primarily specialized providers whose services we use. We also ensure data protection with such third parties.

We only process personal data in principle with the consent of the persons concerned. If and insofar as processing is permitted for other legal reasons, we may waive the need to obtain consent. For example, we may process personal data without consent to fulfill a contract, to comply with legal obligations, or to safeguard overriding interests.

In this context, we particularly process information that an affected person voluntarily transmits to us when making contact - for example, by mail, email, instant messaging, contact form, social media, or telephone. We may store such information, for example, in an address book or with similar tools. If we receive data about other people, the transmitting persons are obliged to ensure data protection towards these people and to ensure the accuracy of this personal data.

We also process personal data that we obtain from third parties, obtain from publicly accessible sources, or collect in the course of our activities and tasks, insofar as and insofar as such processing is permitted for legal reasons.

4. Personal data abroad

We process personal data in principle in Switzerland and in the European Economic Area (EEA). However, we may also export or transmit personal data to other countries, in particular, to process or have it processed there.

We can export personal data to all states and territories on Earth as well as elsewhere in the universe, provided that the local law, according to the decision of the Swiss Federal Council, ensures adequate data protection and - insofar as the General Data Protection Regulation (GDPR) applies - according to the decision of the European Commission, ensures adequate data protection.

We can transfer personal data to countries whose law does not ensure adequate data protection if data protection is guaranteed for other reasons, in particular, based on standard data protection clauses or other suitable guarantees. In exceptional cases, we may export personal data to countries without adequate or suitable data protection if the specific data protection requirements are met, for example, the explicit consent of the persons concerned or a direct connection with the conclusion or execution of a contract. Upon request, we are happy to provide affected persons with information about any guarantees or provide a copy of any guarantees.

5. Rights of Affected Individuals

5.1 Data Protection Claims

We grant all claims to affected individuals according to applicable data protection law. In particular, affected individuals have the following rights:

  • Information: Affected individuals can request information on whether we process personal data about them and, if so, which personal data is involved. Affected individuals also receive the information necessary to assert their data protection claims and ensure transparency. This includes the processed personal data as such, but also information about the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.
  • Correction and Restriction: Affected individuals can correct inaccurate personal data, complete incomplete data, and request the restriction of their data processing.
  • Deletion and Objection: Affected individuals can request the deletion of personal data ("right to be forgotten") and object to the processing of their data with effect for the future.
  • Data Release and Data Transfer: Affected individuals can request the release of personal data or the transfer of their data to another responsible party.

We can postpone, limit, or deny the exercise of the rights of affected individuals within the legally permissible framework. We can inform affected individuals about any conditions that may need to be met to exercise their data protection claims. For example, we can refuse information, citing trade secrets or the protection of other individuals. We can also refuse the deletion of personal data, citing legal storage obligations.

We may, in exceptional cases, charge for the exercise of rights. We inform affected individuals in advance about any potential costs.

We are obliged to identify affected individuals who request information or assert other rights using appropriate measures. Affected individuals are obliged to cooperate.

5.2 Right to Complain

Affected individuals have the right to enforce their data protection claims through legal action or to file a complaint with a competent data protection supervisory authority.

The supervisory authority for private responsible parties and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

Affected individuals have – if and to the extent that the General Data Protection Regulation (GDPR) applies – the right to lodge a complaint with a competent European data protection supervisory authority.

6. Data Security

We take appropriate technical and organizational measures to ensure data security that is appropriate to the respective risk. However, we cannot guarantee absolute data security.

Access to our website is via transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock in the address bar.

Our digital communication is subject – as is essentially any digital communication – to mass surveillance without cause or suspicion and other surveillance by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the corresponding processing of personal data by intelligence agencies, police stations, and other security authorities.

7. Use of the Website

7.1 Cookies

We may use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data need not be limited to traditional text cookies.

Cookies can be temporarily stored in the browser as "session cookies" or for a specific period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies, in particular, allow a browser to be recognized on the next visit to our website and, for example, to measure the reach of our website. However, permanent cookies can also be used for online marketing.

Cookies can be completely or partially deactivated and deleted in the browser settings at any time. Without cookies, our website may not be fully available. We ask – at least as far and as necessary – for explicit consent to the use of cookies.

7.2 Server Log Files

For every access to our website, we can record the following information if it is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-page of our website including the amount of data transferred, the last webpage accessed in the same browser window (referer or referrer).

We store such information, which can also represent personal data, in server log files. This information is necessary to provide our website permanently, user-friendly, and reliably and to ensure data security and thereby especially protect personal data – also by third parties or with the help of third parties.

7.3 Counting Pixels

We may use counting pixels on our website. Counting pixels are also called web beacons. Counting pixels – also from third parties whose services we use – are small, usually invisible images that are automatically retrieved when visiting our website. Counting pixels can capture the same information as server log files.

8. Social Media

We are present on social media platforms and other online platforms to communicate with interested parties and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use as well as privacy statements and other provisions of the individual operators of such platforms also apply. These provisions inform in particular about the rights of affected persons directly towards the respective platform, including, for example, the right to information.

9. Third-party services

We use services from specialized third parties to be able to carry out our activities and operations permanently, user-friendly, securely and reliably. With such services, we can, among other things, embed functions and content into our website. For technical reasons, when such content is embedded, the used services temporarily capture at least the Internet Protocol (IP) addresses of the users.

For necessary security-relevant, statistical, and technical purposes, third parties whose services we use can process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data to offer the respective service.

We use in particular:

9.1 Digital Infrastructure

We use services from specialized third parties to utilize the required digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We use in particular:

9.2 Appointment scheduling

We use services from specialized third parties to make appointments online, for example for meetings. In addition to this privacy policy, the directly visible terms of the used services also apply, such as terms of use or privacy statements.

9.3 Audio and video conferences

We use specialized services for audio and video conferences to communicate online. We can use them, for example, to hold virtual meetings or conduct online classes and webinars. The legal texts of the individual services, such as privacy statements and terms of use, also apply to participation in audio and video conferences.

We recommend muting the microphone by default during participation in audio or video conferences depending on the life situation and blurring the background or displaying a virtual background.

We use in particular:

9.4 Fonts

We use services from third parties to embed selected fonts as well as icons, logos, and symbols into our website.

We use in particular:

10. Extensions for the website

We use extensions for our website to utilize additional functions.

11. Final provisions

We created this privacy statement with the We can adjust and supplement this privacy statement at any time. We will inform about such adjustments and supplements in a suitable form, in particular by publishing the current privacy statement on our website.