Privacy Policy

With this Privacy Policy, we inform you about the processing of personal data in connection with our activities and operations, including our website at the domain name tattup.shop. In particular, we explain for what purposes, how, and where we process personal data. We also inform you about the rights of individuals whose data we process.

For specific or additional activities and operations, we may publish further privacy statements or other information on data protection.

We are subject to Swiss law and, where applicable, foreign law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

The European Commission recognised in its decision of 26 July 2000 that Swiss data‑protection law ensures an adequate level of data protection. In its report of 15 January 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

The party responsible in terms of data‑protection law is:

7Cloud AG
Bahnhofstrasse 19
9100 Herisau
Switzerland

help@tattup.shop

In individual cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties. Upon request, we will gladly inform data subjects about the respective responsibilities.

1.1 Data‑Protection Officer / Data‑Protection Adviser

We have appointed the following data‑protection officer / adviser as a point of contact for data subjects and authorities regarding data‑protection inquiries:

7Cloud AG
Bahnhofstrasse 19
9100 Herisau
Switzerland

help@tattup.shop

1.2 Data‑Protection Representative in the European Economic Area (EEA)

We have appointed the following data‑protection representative pursuant to Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

info@datenschutzpartner.eu

The data‑protection representative serves data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) as an additional point of contact for GDPR inquiries.

2. Terms and Legal Bases

2.1 Terms

Data Subject: A natural person about whom we process personal data.

Personal Data: All information relating to an identified or identifiable natural person.

Sensitive Personal Data: Data concerning trade‑union, political, religious or philosophical views and activities; health data; intimate sphere; ethnic or racial origin; genetic data; biometric data uniquely identifying a natural person; data on criminal and administrative sanctions or prosecutions; and data on social‑assistance measures.

Processing: Any handling of personal data, regardless of the means and procedures used—for example, querying, comparing, adjusting, archiving, storing, reading, disclosing, acquiring, recording, collecting, deleting, making available, organising, linking, destroying, or using personal data.

European Economic Area (EEA): Member States of the European Union and the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (FADP) and the Data Protection Ordinance (DPO).

Where and insofar as the European General Data Protection Regulation (GDPR) applies, we process personal data on the basis of at least one of the following legal bases:

  • Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfil a contract with the data subject and to carry out pre‑contractual measures.
  • Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect legitimate interests—ours or those of third parties—provided that the fundamental freedoms and rights as well as interests of the data subject do not prevail. Such interests include, in particular, the permanent, user‑friendly, secure, and reliable performance of our activities and operations, ensuring information security, protection against misuse, enforcement of our own legal claims, and compliance with Swiss law.
  • Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to comply with a legal obligation to which we are subject under the law of an EEA Member State.
  • Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data in the public interest.
  • Art. 6 para. 1 lit. a GDPR for processing personal data with the consent of the data subject.
  • Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.
  • Art. 9 para. 2 et seq. GDPR for processing special categories of personal data, particularly with the consent of the data subject.

The GDPR refers to the processing of personal data as the processing of personal data and to the processing of sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).

3. Nature, Scope and Purpose of Processing Personal Data

We process the personal data that are necessary to perform our activities and operations in a permanent, user‑friendly, secure, and reliable manner. The processed personal‑data categories may include, in particular, browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. Personal data may also include sensitive personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of performing our activities and operations, insofar as such processing is permissible.

We process personal data where necessary with the consent of the data subjects. We may process personal data in many cases without consent—for example, to fulfil legal obligations or to safeguard overriding interests. We may also ask the data subjects for consent even if consent is not required.

We process personal data for the duration necessary for the respective purpose. We anonymise or delete personal data in particular in accordance with statutory retention and limitation periods.

4. Automation and Artificial Intelligence (AI)

We may process personal data automatically or use artificial intelligence to process personal data.

We may employ profiling to automatically evaluate certain personal aspects relating to data subjects—for example, to analyse or predict interests, behaviour, or personal preferences.

We will inform data subjects on a case‑by‑case basis about decisions that are based solely on automated processing of personal data and that have legal effects on them or significantly affect them (automated individual decisions).

5. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties are in particular specialised providers whose services we use.

We may disclose personal data—for example, to banks and other financial‑service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business‑information agencies, logistics and shipping companies, marketing and advertising agencies, media, organisations and associations, social institutions, telecommunications companies, insurance companies, and payment‑service providers.

6. Communication

We process personal data to communicate with individuals as well as with authorities, organisations, and companies. In doing so, we process, in particular, data that a data subject transmits to us when contacting us—e.g., by post or email. We may store such data in an address book or comparable tools.

Third parties who transmit data about other persons to us are obliged to ensure the data protection of the data subjects independently. They must, in particular, guarantee that such data are correct and may be transmitted.

We use selected services from suitable providers to enable and improve communication with individuals and other communication partners. We may manage and otherwise process the data of data subjects beyond the direct communication with such services.

We use in particular:

7. Data Security

We take appropriate technical and organisational measures to ensure data security commensurate with the respective risk. In particular, our measures ensure the confidentiality, availability, traceability, and integrity of the processed personal data—without guaranteeing absolute data security.

Access to our website and our other digital presence is made using transport encryption (SSL / TLS, especially via HTTPS). Most browsers warn against visiting a website without transport encryption.

Our digital communication is—like any digital communication—subject to mass surveillance without cause or suspicion by security authorities in Switzerland, elsewhere in Europe, the United States of America (USA), and other countries. We have no direct influence on the corresponding processing of personal data by intelligence services, police authorities, and other security authorities. Nor can we rule out the possibility that a data subject may be specifically monitored.

8. Personal Data Abroad

As a rule, we process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other states—particularly to process it there or have it processed there.

We may export personal data to any state on earth and elsewhere in the universe, provided that the local law ensures adequate data protection according to the decision of the Swiss Federal Council and—where and insofar as GDPR applies—also according to an adequacy decision of the European Commission.

We may transfer personal data to states whose laws do not guarantee adequate data protection, provided that data protection is ensured for other reasons—particularly on the basis of standard contractual clauses or with other suitable safeguards. In exceptional cases, we may export personal data to states without adequate or appropriate data protection if the special requirements of data‑protection law are met—for example, the explicit consent of the data subjects or an immediate connection with the conclusion or performance of a contract. Upon request, we will gladly inform data subjects about any safeguards or provide a copy of any safeguards.

9. Rights of Data Subjects

9.1 Data‑Protection Claims

We grant data subjects all rights under applicable law. Data subjects have, in particular, the following rights:

  • Access: Data subjects can request information on whether we process personal data about them and, if so, which personal data are involved. Data subjects also receive the information necessary to assert their data‑protection claims and to ensure transparency. This includes the processed personal data as such, but also, among other things, details of the processing purpose, the retention period, any disclosure or export of data to other states, and the origin of the personal data.
  • Rectification and Restriction: Data subjects can correct inaccurate personal data, complete incomplete data, and have the processing of their data restricted.
  • Position and Human Review: In decisions based solely on automated processing of personal data that have legal effects on them or significantly affect them (automated individual decisions), data subjects can present their own position and request human review.
  • Deletion and Objection: Data subjects can have personal data deleted ("right to be forgotten") and object to the processing of their data with effect for the future.
  • Data Provision and Transfer: Data subjects can request the provision of personal data or the transfer of their data to another controller.

We may defer, restrict, or refuse the exercise of data‑subject rights within the legally permissible framework. We may point out to data subjects any conditions that may need to be met for the exercise of their data‑protection claims. For example, we may refuse disclosure with reference to confidentiality obligations, overriding interests, or the protection of other persons. Likewise, we may refuse to delete personal data—particularly with reference to statutory retention obligations—in whole or in part.

We may provide for exceptional costs for the exercise of data‑subject rights. We will inform data subjects of any costs in advance.

We are obliged to identify data subjects who request information or assert other rights with appropriate measures. Data subjects are obliged to cooperate.

9.2 Legal Protection

Data subjects have the right to enforce their data‑protection claims in court or to submit a report or complaint to a data‑protection supervisory authority.

The data‑protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data‑protection supervisory authorities are organised as members of the European Data Protection Board (EDPB). In some EEA Member States, the data‑protection supervisory authorities are federally structured, in particular in Germany.

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies—our own (first‑party cookies) and those of third parties whose services we use (third‑party cookies)—are data stored in the browser. Such stored data are not necessarily limited to traditional text‑format cookies.

Cookies may be stored in the browser temporarily as "session cookies" or for a specified period as so‑called persistent cookies. "Session cookies" are automatically deleted when the browser is closed. Persistent cookies have a specific retention period. Cookies make it possible, in particular, to recognise a browser on the next visit to our website and thus, for example, to measure the reach of our website. Persistent cookies can also be used, for instance, for online marketing.

Cookies can be deactivated, limited, or deleted entirely or partially in the browser settings at any time. Browser settings often also allow for automated deletion and other management of cookies. Without cookies, our website may no longer be fully available. We actively request—at least if and insofar as required under applicable law—explicit consent to the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection ("opt‑out") is possible for many services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

For each access to our website and our other digital presence, we may log at least the following information—if transmitted to our digital infrastructure during such access: date and time including time zone, IP address, HTTP status code, operating system including user interface and version, browser including language and version, the specific sub‑page of our website accessed including transferred data amount, and the referrer.

We log such information—which may also constitute personal data—in log files. The information is necessary to provide our digital presence in a permanent, user‑friendly, and reliable manner. The information is also required to ensure data security—including by third parties or with the help of third parties.

10.3 Tracking Pixels

We may incorporate tracking pixels into our digital presence. Tracking pixels are also known as web beacons. Tracking pixels—also from third parties whose services we use—are usually small, invisible images or JavaScript scripts that are automatically retrieved when our digital presence is accessed. At least the same information as logged in log files can be captured with tracking pixels.

11. Notifications and Messages

11.1 Success and Reach Measurement

Notifications and messages may contain web links or tracking pixels that record whether a notification was opened and which web links were clicked. Such web links and tracking pixels can also capture usage of notifications and messages on a personal basis. We require this statistical recording of usage for success and reach measurement in order to send notifications and messages in an effective, user‑friendly, permanent, secure, and reliable manner, based on the needs and reading habits of recipients.

11.2 Consent and Objection

You must generally consent to the use of your email address and other contact addresses unless the use is permitted for other legal reasons. We may use the "double opt‑in" procedure to obtain any required double‑confirmed consent. In this case, you will receive a message with instructions for double confirmation. We may log consents obtained—including the IP address and timestamp—for evidentiary and security reasons.

You can generally object to receiving notifications and messages—such as newsletters—at any time. Such an objection can also include the statistical recording of usage for success and reach measurement. Required notifications and messages concerning our activities and operations remain reserved.

11.3 Service Providers for Notifications and Messages

We send notifications and messages with the help of specialised service providers.

12. Social Media

We maintain a presence on social‑media platforms and other online platforms to communicate with interested parties and inform them about our activities and operations. Personal data may also be processed outside Switzerland and the EEA in connection with such platforms.

The terms and conditions and data‑protection statements or other provisions of the individual platform operators apply. These provisions inform, in particular, about the rights of data subjects directly vis‑à‑vis the respective platform, including the right of access.

For our social‑media presence on Facebook, including the so‑called page insights, we are—where and insofar as GDPR applies—jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (among others in the USA). Page insights provide information on how visitors interact with our Facebook presence. We use page insights to provide our social‑media presence on Facebook in an effective and user‑friendly manner.

Further information on the nature, scope, and purpose of data processing, information on the rights of data subjects, and the contact details of Facebook and Facebook's data‑protection officer can be found in the Facebook Privacy Policy. We have concluded the "Controller Addendum" with Facebook and thereby agreed, in particular, that Facebook is responsible for ensuring the rights of data subjects. For page insights, corresponding information can be found on the page "Information about Page Insights", including the "Information about Page Insights Data".

Users of social‑media platforms can log in to or register for our online offering using their respective user account ("social login"). The terms and conditions of the respective social‑media platforms apply.

13. Third‑Party Services

We use services of specialised third parties to perform our activities and operations in a permanent, user‑friendly, secure, and reliable manner. With such services, we can, among other things, embed functions and content into our website. For technical reasons, the services used must at least temporarily capture the IP addresses of users when embedding.

For necessary security‑related, statistical, and technical purposes, the third parties whose services we use may process data related to our activities and operations in an aggregated, anonymised, or pseudonymised manner. For example, this concerns performance or usage data required to provide the respective service.

We use in particular:

16. Final Notes on the Privacy Policy

We created this Privacy Policy with the help of the Privacy‑Policy Generator from Datenschutzpartner.

We may update this Privacy Policy at any time. We will inform about updates in an appropriate manner—in particular, by publishing the current Privacy Policy on our website.