Privacy Policy

1) Introduction and controller contact details

**1.1** We are pleased that you visit our website and thank you for your interest. Below, we explain how we process your personal data when you use our website. Personal data means any information by which you can be personally identified.

**1.2** Controller for data processing on this website within the meaning of the GDPR is onboos GmbH, Linerhofstrasse 5, 9032 Engelburg, Switzerland, Phone: +41 71 571 48 90, Email: hallo@onboos.com.

**1.3** The controller has appointed a representative in the European Union: David Tatzl, Linerhofstrasse 5, 9032 Engelburg, Switzerland, +41 79 829 18 95, info@onboos.com.

2) Data collection when visiting our website

**2.1** If you use our website for informational purposes only (without registering or actively submitting information), we collect only data that your browser transmits to our server ("server log files"):

Visited website

Date and time of access

Amount of data transferred

Referrer URL

Browser type

Operating system

IP address (possibly in anonymized form)

Processing is carried out based on Art. 6(1)(f) GDPR (legitimate interest in stability and functionality of the website).

**2.2** For security reasons and to protect transmission of personal data and confidential content, this website uses SSL/TLS encryption.

3) Hosting and content delivery network

**3.1** We use a hosting provider that provides services on servers located within the European Union (directly or via selected subcontractors). All website data is processed on those servers. A data processing agreement has been concluded.

**3.2** Cloudflare

We use Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA, as CDN provider to improve performance and availability. Processing is based on Art. 6(1)(f) GDPR. A data processing agreement is in place.

For US data transfers, the provider participates in the EU-US Data Privacy Framework.

4) Cookies

We use cookies to make our website user-friendly and to enable certain functions.

Session cookies are deleted when the browser is closed.

Persistent cookies remain on your device for a defined period.

Where personal data is processed via cookies, the legal basis may be:

Art. 6(1)(b) GDPR (contract performance),

Art. 6(1)(a) GDPR (consent), or

Art. 6(1)(f) GDPR (legitimate interest).

You can configure your browser to inform you about cookies, accept/reject cookies individually, or generally reject cookies.

5) Contact

**5.1** Own live chat system

We use a live chat system to answer real-time requests. Data processing is based on Art. 6(1)(b) GDPR (contract initiation/performance) or Art. 6(1)(f) GDPR (legitimate interest in efficient support). Data is deleted once the matter is conclusively resolved, unless statutory retention obligations apply.

**5.2** Online appointment booking

We process personal data submitted in appointment forms only for appointment coordination and related communication. Legal basis: Art. 6(1)(b) GDPR, or Art. 6(1)(a) GDPR where consent applies.

**5.3** WhatsApp Business

We offer communication via WhatsApp Business (WhatsApp Ireland Limited). Depending on request type, processing is based on Art. 6(1)(b) or Art. 6(1)(f) GDPR.

Please note that WhatsApp may process metadata and contact data under its own responsibility.

Privacy policy: <https://www.whatsapp.com/legal/?eea=1#privacy-policy>

For US transfers, the provider participates in the EU-US Data Privacy Framework.

**5.4** Contact form and email

When contacting us via form or email, we process your data solely to handle your request and perform technical administration. Legal basis: Art. 6(1)(f) GDPR, or Art. 6(1)(b) GDPR if contract-related.

6) Registration on the website

You can register on our website. We process the data entered in the registration form. Registration uses a double opt-in process.

Mandatory data is required for account setup; additional data is voluntary.

We process account data for contract performance and portal operation (Art. 6(1)(f) and/or Art. 6(1)(b) GDPR).

Publicly posted content may remain visible even after account deletion, where technically required for platform functionality.

7) Use of customer data for direct advertising

**7.1** Newsletter subscription

When subscribing to our newsletter, we process your email address (mandatory) and optional data for personalization. We use double opt-in. Legal basis: Art. 6(1)(a) GDPR.

**7.2** Newsletter to existing customers

If you provided your email as part of a purchase, we may send information about similar services based on legitimate interest (Art. 6(1)(f) GDPR), where legally permitted.

**7.3** Postal advertising

We may process name and postal address for direct postal advertising on the basis of Art. 6(1)(f) GDPR. You can object at any time.

8) Web analytics services

**8.1** Google Analytics 4

Provider: Google Ireland Limited.

Google Analytics 4 helps us analyze website use. IP addresses are shortened before storage where possible. Processing (including cookies) takes place only with your consent under Art. 6(1)(a) GDPR.

Retention period used in this setup: 2 months.

Additional features may include demographic reports, Google Signals, and User-ID, where configured and consented.

**8.2** Google Tag Manager

Provider: Google Ireland Limited.

Google Tag Manager serves as a technical container for tags and services. It does not itself provide full analytics, but may process technical request data such as the IP address. It is used only on the basis of consent (Art. 6(1)(a) GDPR).

For US transfers, Google participates in the EU-US Data Privacy Framework.

9) Retargeting / remarketing and conversion tracking

**9.1** Meta Pixel

Provider: Meta Platforms Ireland Limited.

Used for conversion tracking and audience building. Processing and cookie use only with consent (Art. 6(1)(a) GDPR).

For US transfers, Meta participates in the EU-US Data Privacy Framework.

**9.2** Google Ads Remarketing

Provider: Google Ireland Limited.

Used for interest-based advertising and remarketing. Processing only with consent (Art. 6(1)(a) GDPR).

For US transfers, Google participates in the EU-US Data Privacy Framework.

**9.3** LinkedIn Insight

Provider: LinkedIn Ireland Unlimited Company.

Used for retargeting and campaign optimization based on cookie-supported behavior analysis. Processing only with consent (Art. 6(1)(a) GDPR).

**9.4** LinkedIn Marketing Solutions

Provider: LinkedIn Ireland Unlimited Company.

Used for audience targeting and personalized ad delivery. Processing only with consent (Art. 6(1)(a) GDPR).

10) Page functionalities

**10.1** Vimeo

Plugins for displaying videos (Vimeo.com, Inc., USA). Video playback may trigger cookie use and provider-side analytics. Processing only with consent (Art. 6(1)(a) GDPR).

**10.2** YouTube

Video plugins from Google Ireland Limited (possible transfer to Google LLC, USA). Processing only with consent (Art. 6(1)(a) GDPR).

**10.3** Google Maps

Map service by Google Ireland Limited. Depending on setup, data such as IP address may be transmitted to Google servers. Processing may be based on consent and/or legitimate interest.

**10.4** Google Web Fonts

Web fonts by Google Ireland Limited for consistent typography. Browser requests may transmit technical data such as the IP address. Use only with consent where required.

**10.5** Google reCAPTCHA

Protection against abuse/spam. Depending on implementation, cookies and technical identifiers are processed. Legal basis: consent (Art. 6(1)(a) GDPR) and/or legitimate interest (Art. 6(1)(f) GDPR).

**10.6** Google Customer Reviews

Invitation to review purchases via Google, based on your consent (Art. 6(1)(a) GDPR).

**10.7** Microsoft Teams

Used for online meetings and webinars (Microsoft Corporation, USA). Depending on meeting use, account data, metadata, audio/video, and chat data may be processed. Legal basis: Art. 6(1)(b), Art. 6(1)(a), or Art. 6(1)(f) GDPR.

**10.8** Microsoft Forms

Used for surveys and online forms. Form data and technical metadata may be processed. Legal basis: Art. 6(1)(b) and/or Art. 6(1)(a) GDPR.

**10.9** Wufoo / SurveyMonkey

Used for forms and surveys (SurveyMonkey Europe UC, Ireland). Processing scope and legal basis correspond to form processing under Art. 6(1)(b) and/or Art. 6(1)(a) GDPR.

**10.10** Job applications via email

When applying via email, we process your application data solely for candidate evaluation and communication. If no hiring takes place, data is generally deleted after 6 months unless statutory obligations apply.

11) Tools and miscellaneous

**11.1** Cookie consent tool

We use a consent management tool to collect and document user choices for consent-based cookies/services. This tool sets technically required cookies to store your preferences.

**11.2** bexio

Cloud accounting software for finance processing and bookkeeping operations. Processing is based on Art. 6(1)(f) GDPR (efficient business operations).

**11.3** Cloudflare security services

Cloudflare is used to protect infrastructure against attacks and abuse (e.g. bot traffic, malicious requests). Processing is based on Art. 6(1)(f) GDPR.

**11.4** Adobe Acrobat Sign

Used for digital signatures of documents. Processing is based on Art. 6(1)(f) GDPR.

**11.5** Odoo (appointments, ticketing & CRM)

Used for appointment management, support ticketing, CRM and business workflows. Depending on context, legal basis is Art. 6(1)(b) and/or Art. 6(1)(f) GDPR.

12) Rights of data subjects

You have the following rights under applicable data protection law:

Right of access (Art. 15 GDPR)

Right to rectification (Art. 16 GDPR)

Right to erasure (Art. 17 GDPR)

Right to restriction of processing (Art. 18 GDPR)

Right to be informed (Art. 19 GDPR)

Right to data portability (Art. 20 GDPR)

Right to withdraw consent (Art. 7(3) GDPR)

Right to lodge a complaint (Art. 77 GDPR)

**Right to object:** If processing is based on legitimate interests (Art. 6(1)(f) GDPR), you may object at any time for reasons related to your particular situation. You may also object at any time to direct marketing.

13) Retention period of personal data

Data retention depends on legal basis, processing purpose, and statutory retention obligations.

Consent-based data is retained until you withdraw consent.

Contract-related data is retained as long as necessary for contract performance and legal retention obligations.

Legitimate-interest data is retained until a valid objection applies, unless overriding legitimate grounds exist.

Unless otherwise specified in this policy, personal data is deleted when it is no longer required for its original purpose.

Last updated: April 2026