Data & Privacy Policy
Privacy Policy
Effective Date: September 6, 2025
This document explains how DITTRICH & PARTNERS GmbH ("we," "us," or "our") processes personal data and uses cookies on our online platforms. It describes the rights you have regarding your data and our online services. If you have any questions about data protection, please contact us using the contact details provided below.
1. Data Controller and Data Protection Officer
Data Controller: DITTRICH & PARTNERS GmbH Kupfergasse 15 4310 Rheinfelden, Switzerland Email:
Data Protection Officer: Andreas Dittrich (Managing Director) Contact:
2. Scope and Application
This Privacy Policy informs you about the nature, scope, and purpose of processing personal data (hereinafter "data") on our website and external online presence (e.g., social media profiles). Processing is carried out in accordance with:
European and Swiss Legislation:
- The European General Data Protection Regulation (GDPR) in its current version
- The Swiss Federal Act on Data Protection (FADP, revised version of September 1, 2023)
- The EU Regulation on Artificial Intelligence (AI Act, Regulation (EU) 2024/1689)
- The EU Data Act (applicable from September 12, 2025)
International Data Protection Laws (where applicable):
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for users from California, USA
- Lei Geral de Proteção de Dados (LGPD) for users from Brazil
- Personal Information Protection and Electronic Documents Act (PIPEDA) for users from Canada
- Privacy Act 1988 for users from Australia
- Personal Data Protection Act (PDPA) for users from Singapore
- UK General Data Protection Regulation (UK GDPR) for users from the United Kingdom
- Other applicable national and regional data protection laws
3. Legal Basis for Data Processing
We process your data on the following legal bases:
- Consent (Art. 6(1)(a) GDPR; Art. 31(1) FADP): For example, when subscribing to our newsletter or using our online forms.
- Contractual Necessity (Art. 6(1)(b) GDPR; Art. 31(2)(a) FADP): For the performance and fulfillment of contracts.
- Legal Obligation (Art. 6(1)(c) GDPR; Art. 31(2)(a) FADP): To comply with legal requirements.
- Legitimate Interests (Art. 6(1)(f) GDPR; Art. 31(2)(b) FADP): To protect our legitimate interests (e.g., service optimization, customer support, fraud prevention), provided your rights and interests do not override these interests.
4. Categories of Personal Data and Processing Purposes
4.1. Contact Data and Customer Relationship
Data Collected:
- Identification data (last name, first name)
- Contact information (email address, postal address, telephone number if provided)
- Communication records (email correspondence, chat logs, conversation notes)
- Contract information (contract type, start/end date, purchased services)
- Billing and payment data (billing address, payment method information)
- Additional information you voluntarily provide
Purpose:
- Responding to inquiries
- Performance and fulfillment of contracts
- Providing customer support
- Managing invoices and payments
- Maintaining our customer relationship
Retention Period: We retain customer data for the duration of the business relationship and for the retention periods required by tax and commercial law (typically 10 years for financial records under Swiss law and 3 years for general correspondence).
4.2. Technical Data from Website Usage
Data Collected:
- IP address (pseudonymized/anonymized where possible)
- Browser type and version
- Operating system
- Device information
- Access times and dates
- Referrer URL
- Log files
- Cookie information (see Cookie Policy section)
Purpose:
- Ensuring smooth operation of our website
- Analysis and optimization of our services
- Maintaining IT security and fraud prevention
- Detecting and preventing technical problems
- Creating anonymous usage statistics
Retention Period: Technical data for security purposes is stored for 30 days. Anonymized usage statistics may be stored indefinitely.
4.3. Online Marketing and Newsletter
Data Collected:
- Email address
- First name
- Registration date and time
- IP address at time of registration
- Opening and click information
- Other voluntarily provided information
Purpose:
- Sending newsletters with information about our services
- Providing advertising content (only with explicit consent)
- Analyzing newsletter effectiveness and optimizing content
Retention Period: Until withdrawal of consent or unsubscription, followed by a 30-day retention period for legal proof of consent.
5. Tools and Services Used
Our online services use various external providers. For each provider, we have implemented appropriate safeguards in accordance with data protection regulations:
5.1. Email and Calendar
- Provider: Google
- Purpose: Email communication and calendar management
- Data Categories: Email addresses, calendar data, communication content
- Location: Servers in Europe
- Privacy Policy: Google Privacy Policy
5.2. Video Conferencing
- Provider: Zoom
- Purpose: Virtual meetings and online sessions
- Data Categories: Name, email, profile picture (if provided), meeting metadata
- Location: Servers in Europe
- Privacy Policy: Zoom Privacy Policy
5.3. Appointment Scheduling
- Provider: ZEEG.me
- Purpose: Online appointment booking and scheduling
- Data Categories: Name, email, appointment preferences, calendar data
- Location: Servers in Europe
- Privacy Policy: ZEEG.me Privacy Policy
5.4. Online Academy & Email Marketing
- Provider: New Zenler, Google
- Purpose: Providing educational content and email marketing
- Data Categories: Name, email, course progress, interaction data
- Location: United Kingdom, Europe
- Safeguards: For UK: Adequacy decision
- Privacy Policy: New Zenler Privacy Policy
5.5. Payment Processing
- Provider: Stripe
- Purpose: Processing payments for our services
- Data Categories: Payment information, billing address, transaction data
- Location: USA
- Safeguards: Standard Contractual Clauses (SCCs), additional technical and organizational measures
- Privacy Policy: Stripe Privacy Policy
5.6. Website Hosting and Management
- Provider: Hostpoint (Hosting), Joomla (CMS)
- Purpose: Website hosting and content management
- Data Categories: Website content, user data from forms
- Location: Switzerland
- Privacy Policy: Hostpoint Privacy Policy
5.7. Website Tracking
Our website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses "cookies," which are text files placed on your device to help analyze how you use the website.
We use Google Analytics exclusively with IP anonymization. This means your IP address will be truncated by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. Only in exceptional cases will the complete IP address be transmitted to a Google server in the USA and truncated there.
You can prevent the storage of cookies by adjusting your browser software settings accordingly. Furthermore, you can prevent Google's collection and processing of data generated by the cookie and related to your use of the website (including your IP address) by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout
5.8. Social Media Presence
- Providers: LinkedIn, Instagram, Facebook
- Purpose: Professional networking, brand presence, and community engagement
- Data Categories: Profile information, interaction data (likes, comments, shares), usage statistics
- Location: Servers in the USA
- Safeguards: Standard Contractual Clauses (SCCs), additional technical and organizational measures
Privacy Policies:
When you interact with our social media profiles, the respective platform providers may collect and process your data. Please note that we have limited influence on how these platforms process your data. Detailed information can be found in the privacy policies of the respective platforms.
5.9. Data Processing Agreements
We have concluded data processing agreements in accordance with Art. 28 GDPR and Art. 9 FADP with all service providers who process personal data on our behalf. These agreements ensure that our service providers maintain the same data protection standards as we do.
6. Use of Artificial Intelligence (AI)
6.1. AI Systems and Their Use
We use AI systems to improve our services and provide you with better service. This may include the following areas:
- Customer service and support optimization
- Data analysis for service optimization
- Automated processing of inquiries
6.2. Transparency and Rights Regarding AI Use
In accordance with the EU Regulation on Artificial Intelligence (AI Act), we transparently inform you about the use of AI systems:
- You have the right to know when your data is processed by AI systems
- For automated decisions, you have the right to human review
- We ensure that our employees have sufficient AI literacy (Art. 4 AI Act)
6.3. No Prohibited AI Practices
We do not use AI systems for:
- Subliminal manipulation or exploitation of vulnerability
- Biometric categorization in sensitive areas
- Social scoring or discriminatory evaluations
- Emotion recognition in the workplace
7. Your Rights as a Data Subject
Under the GDPR and Swiss FADP, you have the following rights regarding your personal data:
7.1. Right to Information and Access (Art. 15 GDPR; Art. 25 FADP)
You have the right to request confirmation as to whether personal data concerning you is being processed and, if so, what data for what purposes.
7.2. Right to Rectification (Art. 16 GDPR; Art. 32 FADP)
You have the right to request the rectification of inaccurate personal data concerning you without undue delay.
7.3. Right to Erasure (Art. 17 GDPR; Art. 32 FADP)
You have the right to request the erasure of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
7.4. Right to Restriction of Processing (Art. 18 GDPR; Art. 32 FADP)
You have the right to request the restriction of processing of your personal data under certain conditions.
7.5. Right to Data Portability (Art. 20 GDPR; Art. 28 FADP)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit this data to another controller.
7.6. Right to Object (Art. 21 GDPR; Art. 30 FADP)
You have the right to object at any time to the processing of your personal data for direct marketing purposes. You also have the right to object to processing based on legitimate interests.
7.7. Rights Related to Automated Decision-Making (Art. 22 GDPR; Art. 21 FADP)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
7.8. Right to Withdraw Consent (Art. 7(3) GDPR; Art. 6(6) FADP)
If processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
7.9. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
- For residents of Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern
- For residents of the EU: Your national data protection authority. A list of authorities can be found here.
7.10. Additional Rights for International Users
For Users from California (USA) - CCPA/CPRA:
- Right to know about categories of data collected
- Right to delete
- Right to opt-out of the sale of personal data
- Right to non-discrimination when exercising your rights
For Users from Brazil - LGPD:
- Right to confirmation and access to data
- Right to anonymization, blocking, or deletion
- Right to data portability
- Right to information about third parties with whom data is shared
For Users from Canada - PIPEDA:
- Right to access your information
- Right to challenge accuracy
- Right to know the purposes of use
For Users from Australia - Privacy Act:
- Right to access personal information
- Right to correct inaccurate information
- Right to anonymous transactions where possible
For Users from Singapore - PDPA:
- Right to access and correction
- Right to withdraw consent
- Right to data portability
For Users from the United Kingdom - UK GDPR:
- Same rights as under EU GDPR
- Additional complaint option with the UK Information Commissioner's Office (ICO)
7.11. Exercising Your Rights
To exercise any of these rights, please contact us via:
- Email:
- Contact form on our website
- Postal mail to our address
- Toll-free number for US users: [If available]
Response Times:
- EU/Switzerland: Within 30 days (extendable by 2 months for complex requests)
- California (CCPA): Within 45 days (extendable by another 45 days)
- Brazil (LGPD): Within 15 days
- Other regions: According to local legal requirements
We will inform you of any extensions and their reasons.
8. Automated Decision-Making and Profiling
We do not use fully automated decision-making processes or high-risk profiling that have legal effects on you or similarly significantly affect you. When partial automation is used to improve our services, this is always done under human supervision and review.
9. Data Transfer to Third Countries
As we operate globally, your data may be transferred to countries outside Switzerland and the European Economic Area (EEA). When transferring your data to these countries, we ensure that appropriate safeguards are in place:
9.1. Transfer Mechanisms
For countries with an adequate level of protection:
- Adequacy decisions: For countries with an adequacy decision from the European Commission or the Swiss Federal Council (e.g., Canada, Japan, New Zealand, South Korea, United Kingdom)
For countries without an adequate level of protection:
- Standard Contractual Clauses (SCCs): For countries without an adequacy decision, especially for data transfers to the USA, China, India, and other third countries
- Binding Corporate Rules (BCRs): Where applicable
- Certifications: Recognition of data protection certifications (e.g., APEC Cross-Border Privacy Rules for Asia-Pacific region)
- Explicit consent: In specific cases with your explicit informed consent
9.2. Country-Specific Safeguards
USA:
- Use of EU Standard Contractual Clauses
- Additional technical safeguards (encryption)
- Careful vetting of recipients
China:
- Strict data localization requirements observed
- Minimal data transfer
- Encryption and pseudonymization
Other Regions:
- Individual risk assessment for each country
- Adaptation of safeguards to local conditions
9.3. Supplementary Measures
Following the Schrems II decision and the current international legal situation, we implement additional technical and organizational measures:
- End-to-end encryption for sensitive data
- Pseudonymization or anonymization where possible
- Contractual guarantees regarding government access requests
- Regular review of our Transfer Impact Assessments
- Local data storage where legally required
10. Data Security Measures
We implement appropriate technical and organizational measures in accordance with Art. 32 GDPR and Art. 8 FADP to ensure a level of security appropriate to the risk:
10.1. Technical Measures
- SSL/TLS encryption for all website communications
- Secure server infrastructure with regular security updates
- Firewalls and intrusion detection systems
- Regular security audits and vulnerability scans
- Pseudonymization and encryption of personal data where appropriate
- Regular backups with secure storage
- Multi-factor authentication for access to critical systems
10.2. Organizational Measures
- Data protection training for all employees, including AI literacy training per AI Act
- Access controls and need-to-know principles
- Confidentiality agreements
- Documentation of processing activities (processing register)
- Internal data protection policies and procedures
- Regular review and updating of security measures
- Data protection impact assessments for high-risk processing
Despite these measures, please note that no method of Internet transmission or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority without undue delay and, where possible, within 72 hours of becoming aware of the breach (Art. 33 GDPR / Art. 24 FADP)
- Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including facts, effects, and remedial action taken
12. Data Retention Periods
We store personal data only as long as necessary to fulfill the purposes set out in this policy or as required by applicable law:
- Contract-related data: For the duration of the contract plus mandatory retention periods (typically 10 years for financial records under Swiss Code of Obligations)
- Marketing data: Until withdrawal of consent or objection
- Communication data: Typically 3 years after last contact
- Technical data: Up to 30 days for security purposes
- Anonymous data: May be retained indefinitely
Specific retention periods for different data categories are regularly reviewed, and data no longer needed is deleted or anonymized.
13. Cookie Policy
13.1. What Are Cookies?
Cookies are small text files that are stored on your device when you visit our website. They help us save your preferences and improve website functionality.
13.2. Types of Cookies
We use the following types of cookies:
- Essential cookies: Required for website operation
- Functional cookies: Store your preferences
- Analytical cookies: Help us understand how visitors use our website
- Marketing cookies: Used to display relevant advertising (only with your consent)
13.3. Cookie Management
You can manage or reject cookies through your browser settings. However, please note that rejecting cookies may affect the functionality of our website.
14. Special Notice for Minors
Our services are not directed at persons under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected data from minors, we will delete it immediately.
15. Privacy by Design and Privacy by Default
In accordance with Art. 25 GDPR and Art. 7 FADP, we implement the principles of data protection by design and data protection by default:
- Data minimization: We only collect data necessary for the respective purpose
- Only necessary data is processed by default
- Data protection is integrated into all new processes and systems from the beginning
16. Changes to the Privacy Policy
We reserve the right to modify this Privacy Policy to reflect legal changes, regulatory requirements, or changes to our services. The current version is always available on our website, with the effective date clearly indicated.
In case of material changes, we will notify you by email or through a notice on our website. We recommend that you review this Privacy Policy regularly.
17. Important Notice for Users Outside EU/Switzerland
Sale of Personal Data: We do not sell your personal data to third parties in the normal course of business. This applies particularly to users from California (CCPA/CPRA) and other jurisdictions with similar provisions.
Exception for Business Transactions: In the event of a merger, acquisition, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, personal data may be among the transferred assets. In such a case, we will:
- Inform you in advance about the planned transfer
- Ensure that the acquirer commits to complying with this Privacy Policy
- Give you the opportunity to object to the transfer or have your data deleted, to the extent legally permissible
Sensitive Data: We process particularly sensitive data only with your explicit consent or when legally required.
Minors: We do not knowingly sell or share personal data of persons under 16 years of age (or under 13 years for US users under COPPA).
Do Not Track: Our website does not currently respond to "Do Not Track" signals from browsers. However, we only use essential cookies and those you have approved.
18. Local Representatives
For certain regions, we have appointed or can appoint local data protection representatives upon request:
- EU: Representative pursuant to Art. 27 GDPR [if needed]
- UK: Representative pursuant to UK GDPR [if needed]
- Brazil: Data Protection Officer pursuant to LGPD [if needed]
19. Contact
For questions about this Privacy Policy or the processing of your personal data, please contact us:
DITTRICH & PARTNERS GmbH Kupfergasse 15 4310 Rheinfelden, Switzerland Email:
For specific regional inquiries:
- EU/EEA/Switzerland:
- All other regions: