Privacy Policy for SELLTRIC GmbH Website

Introduction to the Privacy Policy for SELLTRIC GmbH Website

SELLTRIC GmbH’s Business and Website

SELLTRIC GmbH operates as an IT and software development consulting firm, offering a range of services including analyses, conceptions, project management, software development, implementation support, and training in the IT sector. This privacy policy specifically governs the collection and processing of personal data through the company’s public website. The nature of SELLTRIC’s core business means that the data collected via its website may extend beyond typical contact information to include more technical details related to inquiries about bespoke software solutions, specific project requirements, or even recruitment for specialized IT roles. The privacy policy is therefore structured to anticipate and address these specific data types and their associated processing purposes, ensuring relevance to the company’s operations.  

Purpose of this Privacy Policy

The overarching purpose of this privacy policy is to provide clear and comprehensive information regarding SELLTRIC GmbH’s data processing activities. This fulfills the legal obligation under both FADP and GDPR to ensure transparency in data handling. Beyond mere legal adherence, a well-articulated and easily understandable privacy policy serves as a critical instrument for cultivating trust with prospective clients and website visitors. In the consulting industry, where relationships are built on confidence, transparent data practices underscore SELLTRIC GmbH’s professionalism and ethical standards, thereby reinforcing its credibility. The policy is crafted to be clear, open, honest, and accessible, avoiding overly technical or vague language to ensure that individuals are truly informed about how their data is handled.  

Relationship with SELLTRIC GmbH’s General Terms and Conditions (GTC)

While SELLTRIC GmbH’s General Terms and Conditions (GTC) primarily govern the contractual relationships established with clients for consulting services , this privacy policy specifically addresses the processing of personal data collected directly via the company’s website. In the context of website interactions, SELLTRIC GmbH acts as a Data Controller, determining the purposes and means of processing personal data from visitors.  

It is important to distinguish this from scenarios where SELLTRIC GmbH processes data on behalf of its clients. As stipulated in Clause 21.2 b of the GTC, SELLTRIC GmbH acts as a Data Processor when handling client data for which the client is the data controller. In such instances, the processing is governed by the detailed provisions of Clause 21 of the GTC and further regulated by separate, mandatory Data Processing Agreements (DPAs). This privacy policy for the website does not supersede or replace those client-specific agreements but complements them by clarifying the company’s data handling practices in its capacity as a controller for its website visitors. This explicit clarification of SELLTRIC GmbH’s dual roles is essential for legal precision and prevents any ambiguity regarding responsibilities, particularly since the GTC primarily focus on the processor role in the context of service delivery.  

III. Detailed Privacy Policy for SELLTRIC GmbH Website

1. Identity and Contact Details of the Data Controller

The data controller responsible for the processing of personal data on this website is:

SELLTRIC GmbH

Email: Inf@selltric.com

For all data protection related inquiries, including the exercise of your rights as a data subject, please contact our dedicated data protection contact person:

Data Protection Contact Person:

Email: info@selltric.com

Even though the FADP recommends but does not always mandate the appointment of a formal Data Protection Officer (DPO) , establishing a clear and accessible point of contact for data protection matters is a best practice under both FADP and GDPR. This proactive measure demonstrates the company’s commitment to accountability and facilitates the efficient handling of data subject requests and inquiries, thereby enhancing transparency and trust.  

2. Scope of Application

This privacy policy applies to all personal data collected through the SELLTRIC GmbH website, including any associated subdomains, online forms, or digital services directly linked to it. The policy’s scope extends to individuals located in Switzerland and the EU/EEA, irrespective of their geographical location at the time of accessing the website, if their data is processed in connection with their interaction with the website. Due to the extraterritorial reach of both the FADP and GDPR, SELLTRIC GmbH cannot practically differentiate its website visitors by jurisdiction. Therefore, this policy is designed to meet the highest common denominator of both regulations for all website users, simplifying compliance and ensuring consistent, robust protection across the board.  

3. Types of Personal Data Collected

SELLTRIC GmbH collects various categories of personal data through its website, strictly adhering to the principles of data minimization and purpose limitation. This means that only data genuinely necessary for the stated purposes, such as responding to inquiries, providing newsletters, or enabling website analytics, is collected. Any data collected beyond this necessary scope would be inconsistent with these core principles and increase potential security risks. The types of data collected may include:  

• Contact Data: This includes your name, email address, phone number, and company name, typically provided when you fill out contact forms, subscribe to newsletters, or engage in direct communication.
• Usage Data: Automatically collected information such as your IP address, browser type, operating system, referring URLs, pages viewed, time spent on the site, and clickstream data. This data is gathered through cookies and other analytics technologies.
• Communication Data: The content of messages you send via contact forms, emails, or chat functions on our website.
• Application Data (if applicable): If the website facilitates job applications, this may include curriculum vitae (CVs), cover letters, professional experience, and educational background. While sensitive personal data (e.g., racial or ethnic origin, health data) is generally not sought through the website, any such data provided voluntarily in application materials would be handled with the utmost care and in accordance with specific legal requirements for sensitive data.  
• Subscription Data: Your preferences for receiving newsletters or other marketing communications.

4. Purposes and Legal Bases of Data Processing

SELLTRIC GmbH processes personal data for specific, explicit, and legitimate purposes, always relying on a valid legal basis as required by FADP and GDPR. The table below provides a clear, structured overview, making it easy for users to understand what data is used for and why its processing is legally permissible. This presentation directly addresses the transparency requirements of both FADP and GDPR.  

Table 1: Data Processing Activities, Purposes, and Legal Bases

In Google Sheets exportieren

Where processing is based on consent, individuals have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.  

5. Data Collection Methods

Personal data is collected by SELLTRIC GmbH through its website via two primary methods:

• Directly from the Data Subject: This occurs when you actively provide information, for instance, by filling out contact forms, subscribing to our newsletter, sending emails to our listed contact addresses, or submitting job applications through the website. In such cases, you are directly providing the information to us.
• Indirectly (Automatically) from the Data Subject: This method involves the automatic collection of data as you interact with our website. This includes usage data (e.g., IP address, browser type, pages visited) gathered through cookies, server logs, and other web analytics technologies. For such indirectly collected data, the source is typically our website analytics tools (e.g., Google Analytics, Matomo) or the user’s browser/device itself. Clearly distinguishing between direct and indirect collection methods, and specifying the source for indirectly collected data, is crucial for transparency and fulfills GDPR Article 14 requirements. This approach helps users understand the full scope of data acquisition.  

6. Data Recipients and Categories of Recipients

Personal data collected through the SELLTRIC GmbH website may be shared with the following categories of recipients:

• Internal Recipients: Relevant departments within SELLTRIC GmbH, such as sales, marketing, human resources (for application data), and IT, access data on a „need-to-know“ basis to fulfill the stated processing purposes.  
• External Service Providers (Processors): We engage third-party service providers who act as data processors on our behalf. These may include cloud hosting providers, website analytics providers, CRM system providers, email marketing services, IT support providers, and, if applicable, payment processors. These external service providers are contractually bound by strict data processing agreements (DPAs) and confidentiality obligations, ensuring they process data only according to our instructions and with adequate security measures.  
• Subcontractors (Sub-processors): In certain instances, our external service providers may engage their own subcontractors (sub-processors) to deliver services that involve processing personal data. As per our GTC, SELLTRIC GmbH remains fully responsible to the client for the performance of engaged third parties. We ensure that any such sub-processors are subject to at least the same data protection and confidentiality obligations as stipulated for SELLTRIC GmbH in this policy and any existing DPAs. This commitment demonstrates a robust accountability framework throughout the data processing chain.  
• Legal and Regulatory Bodies: Personal data may be disclosed to governmental authorities, courts, or other third parties if required by law, regulation, or an enforceable official or judicial order.  

7. International Data Transfers

Personal data collected by SELLTRIC GmbH may be transferred to and processed in countries outside Switzerland or the European Union/European Economic Area (EU/EEA). Such transfers occur only when necessary for the purposes outlined in this policy and are subject to appropriate safeguards to ensure an adequate level of data protection, as required by FADP and GDPR.  

Table 2: International Data Transfer Mechanisms

In Google Sheets exportieren

Where no adequacy decision exists, transfers are typically based on legally approved mechanisms such as EU Standard Contractual Clauses (SCCs). In specific, limited circumstances, transfers may also occur based on your explicit consent. Our GTC also commit to ensuring adequate levels of data protection for international transfers.  

8. Data Retention Periods

SELLTRIC GmbH retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by legal or regulatory obligations. This approach reflects a careful balance between business utility and privacy risk. Retaining data longer than necessary increases the risk of breaches and complicates compliance.  

The criteria used to determine retention periods include:

• Purpose Fulfillment: Data is retained as long as it is needed to achieve the specific purpose for which it was collected (e.g., to respond to an inquiry, maintain a newsletter subscription).
• Legal and Regulatory Obligations: Certain types of data are retained for periods mandated by applicable laws, such as tax, commercial, or accounting regulations.
• Dispute Resolution and Agreement Enforcement: Data may be kept for a longer period if necessary to resolve disputes, enforce our agreements, or protect our legal rights.
• Legitimate Business Interests: In some cases, data may be retained for legitimate business interests, such as maintaining business records for auditing purposes, provided these interests are balanced against your data protection rights.

Once personal data is no longer required, it is securely deleted or anonymized to prevent unauthorized access or misuse.  

9. Data Security Measures (Technical and Organizational Measures – TOMs)

SELLTRIC GmbH implements appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, destruction, alteration, or other unlawful processing. This commitment aligns directly with Clause 21.4 of our GTC, which obliges the Contractor to take appropriate TOMs to ensure a level of protection commensurate with the risk.  

Our security measures reflect a proactive security culture, where data protection is embedded from the planning stages of systems and applications, adhering to „privacy by design“ and „privacy by default“ principles. These measures include, but are not limited to:  

• Encryption: Implementing encryption for data both at rest (stored on servers) and in transit (during transmission over networks).
• Access Controls: Employing strict physical and logical access controls to restrict access to personal data only to authorized personnel who have a legitimate need to know.
• Regular Security Audits and Assessments: Conducting periodic security audits, vulnerability assessments, and penetration tests to identify and address potential weaknesses in our systems.
• Firewalls and Network Security: Utilizing robust firewalls and other network security measures to protect against unauthorized intrusions.
• Pseudonymization and Anonymization: Where feasible and appropriate, applying pseudonymization or anonymization techniques to personal data to reduce risks.
• Backup and Recovery Procedures: Maintaining comprehensive backup procedures and disaster recovery plans to ensure the availability and resilience of processing systems and services, and the ability to restore data in a timely manner in the event of an incident.  
• Employee Training: Providing regular data protection and security training to our employees to ensure they are aware of their responsibilities and best practices.

10. Your Rights as a Data Subject

As a data subject, you have specific rights regarding your personal data processed by SELLTRIC GmbH. SELLTRIC GmbH is committed to facilitating the exercise of these rights in accordance with FADP and GDPR.  

Table 3: Data Subject Rights and How to Exercise Them

In Google Sheets exportieren

11. Automated Individual Decision-Making and Profiling

SELLTRIC GmbH does not currently engage in automated individual decision-making or profiling activities on its website that produce legal effects concerning data subjects or similarly significantly affect them. This means that no decisions are made solely based on automated processing, including profiling, which could lead to an exclusion or discrimination against individuals.  

Should SELLTRIC GmbH implement such processes in the future, this privacy policy will be updated to provide meaningful information about the logic involved, the significance, and the envisaged consequences of such processing for the data subject, along with the right to express a point of view and request human review of the decision.  

12. Use of Cookies and Similar Technologies

SELLTRIC GmbH’s website uses cookies, web beacons, and similar tracking technologies to enhance user experience, analyze website usage, and support marketing efforts. These technologies involve storing small data files on your device or accessing information already stored there.

Cookies are categorized as follows:

• Essential Cookies: These are strictly necessary for the website to function correctly (e.g., enabling navigation, remembering login status). They do not require consent and are processed based on our legitimate interest in providing a functional website.
• Analytics Cookies: These cookies collect information about how visitors use our website, such as which pages are visited most often, to help us improve website performance and design.
• Marketing/Targeting Cookies: These cookies are used to deliver advertisements more relevant to you and your interests. They may be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns.

For non-essential cookies (analytics, marketing), your explicit consent is obtained through a cookie consent management platform (CMP). This CMP allows you to manage your cookie preferences, providing granular control over which categories of cookies you accept. You can also manage cookie settings directly through your web browser. Implementing a robust CMP is a practical mechanism to manage user preferences, provide auditable proof of consent, and enhance transparency, directly supporting FADP and GDPR compliance by ensuring that consent is freely given, specific, informed, and unambiguous.  

13. Changes to this Privacy Policy

This privacy policy may be updated periodically to reflect changes in our data processing practices, legal requirements, or technological advancements. This acknowledges the dynamic nature of compliance and demonstrates an ongoing commitment to transparency.

We will inform you of any significant changes by posting a prominent notice on our website or, where appropriate, by direct communication (e.g., email notification). We encourage you to review this policy regularly to stay informed about how we are protecting your personal data.

14. Contact Information

For any questions regarding this privacy policy, your personal data, or to exercise your data subject rights, please do not hesitate to contact SELLTRIC GmbH. Providing multiple, easily accessible contact methods is crucial for enabling data subjects to exercise their rights effectively, moving beyond mere legal requirement to practical usability.

You can reach us via:

• Email:info@selltric.com
• Postal Address: SELLTRIC GmbH, Seckistrasse 9, 6318 Walchwil (ZUG)

1. Legal Analysis and Implementation Guidance
2. Alignment with SELLTRIC GmbH’s GTC (especially Clause 21 Data Protection and Clause 20 Confidentiality)

The website privacy policy is not a standalone document but an integral component of SELLTRIC GmbH’s holistic data protection compliance framework. It operationalizes the broader data protection principles and commitments established in the company’s General Terms and Conditions (GTC) for the specific context of website interactions.

• Clause 21 (Data Protection): This clause in the GTC is central to the alignment. The privacy policy explicitly differentiates SELLTRIC GmbH’s role as a controller for data collected directly from website visitors from its role as a processor when handling client data under contractual agreements, as defined in GTC Clause 21.2. The policy clarifies that it primarily covers the former. For client-specific data processing, the GTC mandate a separate Data Processing Agreement (DPA), which remains a distinct and mandatory requirement not replaced by this website privacy policy. Furthermore, the technical and organizational measures (TOMs) detailed in Section III.9 of this privacy policy directly align with SELLTRIC GmbH’s commitment in GTC Clause 21.4 to implement appropriate security measures. The GTC’s provisions regarding the use of sub-processors (Clause 21.5) extend to website operations, ensuring that any third-party service providers engaged are contractually bound to equivalent data protection standards. Finally, the GTC’s commitment to adequate safeguards for international data transfers (Clause 21.7) is reflected and elaborated upon in Section III.7 of this privacy policy, demonstrating consistency in cross-border data handling.  
• Clause 20 (Confidentiality Obligation): The general confidentiality obligations outlined in GTC Clause 20, which apply to all information exchanged between parties , underpin the data security and privacy commitments made in this website policy. This foundational commitment to confidentiality reinforces trust and ensures that personal data collected via the website is treated with the same high level of discretion as client-specific confidential information.  

2. Compliance with Swiss Federal Act on Data Protection (FADP)

This privacy policy is designed to fully comply with the requirements of the revised Swiss Federal Act on Data Protection (FADP), which came into effect on September 1, 2023. While the policy largely adopts the higher standards of the GDPR, it explicitly addresses and confirms adherence to FADP’s specific provisions:  

• Transparency and Duty to Inform: The policy fulfills the FADP’s duty to inform by clearly providing the identity of the data controller, the purposes of data processing, categories of recipients, and details on international data transfers.  
• Core Principles: It reflects adherence to FADP’s core principles, including data minimization (collecting only necessary data), purpose limitation, appropriate data retention periods, and robust data security measures (TOMs).  
• Data Subject Rights: All FADP-mandated data subject rights, such as the right to access, correction, and deletion of data, are clearly articulated and mechanisms for their exercise are provided.  
• Automated Decisions: The policy addresses the specific FADP requirements concerning automated individual decisions, including the right to express a point of view and request human review, should such processing occur.  
• Extraterritoriality: The policy acknowledges FADP’s expanded territorial scope, affirming its applicability to organizations processing data of Swiss individuals regardless of location.  
• Consent: It specifies when consent is required under FADP, particularly for sensitive personal data, high-risk profiling by private persons, and international data transfers without an adequacy agreement.  
• Data Breach Notification: While not explicitly detailed in the policy text, SELLTRIC GmbH acknowledges the FADP’s requirement for timely notification of data breaches to the Federal Data Protection and Information Commissioner (FDPIC) if they are likely to result in a high risk to data subjects. It is important to note that FADP opts for criminal sanctions for intentional violations, which applies to responsible individuals, including C-level executives, and can result in fines up to CHF 250,000.  

3. Compliance with EU General Data Protection Regulation (GDPR)

The privacy policy is developed to meet the comprehensive requirements of the EU General Data Protection Regulation (GDPR), which, due to its extraterritorial reach, often functions as a de facto global standard for privacy policy content for websites with international accessibility. Adhering to GDPR’s detailed requirements ensures a high level of compliance that generally satisfies other regulations like FADP, even if FADP might have slightly less stringent disclosure requirements in certain areas.  

• Seven Principles: The policy is structured to reflect GDPR’s seven core data protection principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.  
• Information Requirements (Articles 13 & 14): The policy includes all mandatory elements for both direct (Article 13) and indirect (Article 14) data collection, such as the identity of the controller, purposes and legal bases of processing, recipients, international transfer details, retention periods, and data subject rights. This comprehensive approach addresses the explicit detailing of information requirements in GDPR, which is more extensive than what FADP might strictly require in some instances.  
• Data Subject Rights: The policy details the comprehensive list of GDPR rights, including the right to access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent, along with clear instructions on how to exercise them.  
• International Data Transfers: It reiterates GDPR’s strict requirements for transfers of personal data outside the EU/EEA and specifies the safeguards used, such as Standard Contractual Clauses or adequacy decisions.  
• Data Breach Notification: SELLTRIC GmbH acknowledges the GDPR’s requirement to notify the relevant supervisory authority of a data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, particularly if the breach is likely to result in a high risk to individuals‘ rights and freedoms.  
• Privacy by Design/Default: The policy implicitly and explicitly supports the integration of „privacy by design“ and „privacy by default“ principles into data handling, ensuring that data protection considerations are embedded into the planning and design stages of website features and systems.  

4. Practical Implementation Considerations

An effective privacy policy extends beyond its written text; its efficacy hinges on practical implementation and operationalization. Compliance is an ongoing process that requires continuous effort and the integration of technical tools and internal procedures.

• Accessibility: The privacy policy must be readily accessible from all pages of the website, typically via a prominent link in the footer. This ensures users can easily find and review the policy at any time.  
• Readability: The language used in the policy must be clear, concise, and easily understandable, avoiding legal jargon or vague statements. This commitment to clear communication builds trust and ensures that individuals are genuinely informed.  
• Consent Mechanisms: For non-essential cookies and any other processing activities requiring explicit consent, implementing a robust cookie consent management platform (CMP) is strongly advised. A CMP not only facilitates the collection of valid consent but also allows users to manage their preferences and provides an auditable record of consent, directly supporting compliance and enhancing transparency.  
• Data Mapping and Inventory: Regular data mapping exercises and the creation of a detailed inventory of all personal data processed are crucial. This ensures that the privacy policy accurately reflects current data processing activities, including data sources, purposes, and retention periods, and helps visualize data flow within and outside the organization.  
• Internal Processes: Establishing clear internal processes is essential for handling data subject requests (e.g., access, rectification, erasure), managing data breaches, and conducting regular reviews and updates of the privacy policy. This demonstrates accountability and operational readiness.
• Privacy by Design and Default: Data protection principles should be embedded into the design and development of all website features, services, and applications. This proactive approach ensures that data protection is considered from the outset, rather than as an afterthought.  

5. Important Legal Disclaimer

It is imperative to reiterate the „Important Note on the Use of these GTC“ as provided in the source material. This privacy policy has been meticulously developed and tailored to the specific business model, operational context, and legal jurisdiction (Swiss law, registered office in Zug) of SELLTRIC GmbH.  

The direct adoption or unadapted reuse of this privacy policy by any other entity, particularly one operating in a different industry, legal jurisdiction, or offering distinct services, is associated with considerable risks and is strongly discouraged. Data protection compliance is highly contextual and requires expert tailoring to a company’s unique circumstances. Therefore, it is strongly advised that any organization seeking to implement a privacy policy consult with qualified legal counsel to ensure it is appropriately adapted to their specific needs and complies with all applicable laws. This disclaimer serves to manage expectations and mitigate potential liability arising from the generic application of a highly specific legal document.