WELL General Data Protection Statement

1. What is this data protection statement about?

WELL Gesundheit AG, Heinrichstrasse 267a, 8005 Zürich (hereinafter “WELL” or “we”) processes personal information concerning you or other persons in various ways and for various purposes. The term “personal data”, hereinafter also “data”, refers to information that can be linked to a specific person, and “processing” means any operation involving such information, including its collection, storage, use, divulgation and erasure.

This Data Protection Statement describes how and why WELL processes personal data with regard to suppliers and partners or their contact persons, visitors to our website (currently www.well.ch, the “Website”) and other persons, how WELL protects your personal data and what rights you have in this process. Our website is exclusively designed for those having their residence and habitual abode in Switzerland.

Use of the WELL app is covered by a separate data protection statement which can be found at the app.

Should you have questions or seek additional information – for example, concerning our processing of personal data – we are happy to be at your disposal (see Section 2).

If you provide us with data concerning other persons such as family members, we assume that you are entitled to divulge this information and that it is accurate. Please ensure that these individuals are informed concerning this Data Protection Statement.

2. Who is responsible for processing your data?

Unless otherwise stated below or in individual cases, WELL is (“we” are) the “controller” of data processing under this Data Protection Statement – that is, the primary competent authority under data protection law.

Should you have questions regarding data protection, we encourage you to contact the following address:

WELL Gesundheit AG
Heinrichstrasse 267a
8005 Zürich

Email: info@well.ch

3. What data do we process?

Depending upon the purpose, we process various categories of personal data. The most important of these are described below for your guidance, but keep in mind that this list is not exhaustive. You will find information regarding the purposes of our processing in Section 4.

3.1. Master data

We define master data as the information we need to carry out our business relationship or for marketing or promotional purposes and that refers directly to you personally and to your individual characteristics. For example, we process the following master data and any other master data you provide to us:

  • Name
  • Address
  • Email address
  • Landline and mobile telephone numbers
  • Professional information in the case of business contacts
  • In the case of company contact persons, references to the company where you work

3.2. Contractual data

The term ‘contractual data’ relates to information connected with the conclusion or execution of a contract. We conclude contracts primarily with business partners and job applicants but also with other contractual partners such as suppliers. We process the following contractual data:

  • Date, application process, information on the nature, duration and conditions of the specific contract;
  • Contact information and shipping addresses;
  • Information on use of services, outstanding accounts, invoices and payments;
  • Information on customer satisfaction, complaints, feedback, etc.

We receive these data from you as well as from our collaborators.

3.3. Communication data

The term ‘Communication data’ relates to our communication with you occurring, for example, when you contact us via the web form or in other ways. In this process, we collect data derived from the information you exchange with us, including your contact data and marginal data such as the time, nature and location of the communication.
To the extent necessary (when you request information, for example), we also collect data for the purpose of identifying you, such as a copy of an ID document.

3.4. Technical data

Technical data arise in the context of the use of our website. The most common of these include the following:

  • Terminal IP address and device ID
  • Information regarding your device, your terminal’s operating system or language settings
  • Information regarding your Internet provider
  • Accessed content such as protocols in which the use of our system is recorded
  • Date and time of the access of the website as well as your approximate location

We can also assign an individual ID to you or to your terminal (by means of a cookie, for example; see Section 5). This ID is stored for a certain length of time, frequently only for the duration of your access. The technical data themselves do not lead to identification of your identity unless, for example, you register at our website to receive the newsletter. In that case, we are able to link master data with technical data. More information on cookies can be found in Section 5.

3.5. Data on habits and preferences

When you use our website (see Section 5) or read our newsletter (Section 7), we seek to learn more about you and to be better able to orient our services towards you. For this purpose, we gather and use data describing your habits and preferences by assessing your use of our website. Behavioural data can also be collected on the basis of technical data. Such data include, for example, information regarding your use of electronic communications (whether or when you have opened an email message or clicked on a link, especially in the context of newsletters). We combine this information with other data (such as anonymous statistical data from official sources). Preferential data allow us to draw conclusions concerning your probable needs and which of our services may prove interesting to you (for example, when you select certain news articles at our website). To that end, we can combine data on habits and transactions with other data and can evaluate these data on an individual or broader basis. In this way, we can make determinations concerning personal qualities, preferences and likely behaviour.

4. For what purposes do we process your personal data?

We process personal data especially for the following purposes:

  • We process your data to conclude, execute and implement contracts with you and/or the company where you work. In this effort, we primarily process master data and contractual data.
  • We process your data in the course of our communication with you – for example, to respond to requests and assertions of your rights or to contact you in the event any questions arise. For these purposes, we especially use communication data as well as master data where necessary in addition to sign-up data resulting from your use of technical functions and your response to offers. We retain these data to document our internal communication with you and for training, quality assurance and enquiries.
  • We also process data to conduct market research, achieve marketing objectives and support customers. For example, we can provide you with information, advertising and product offers from WELL and third-party providers. Like most companies, we engage in further tailoring of marketing messages and other communications to enable us to provide you with information and offers that are relevant to you. For these purposes, we make particular use of data on your habits and preferences as well as master data where relevant.
  • To ensure IT security and take preventative measures: We process personal data to ensure IT security, prevent fraud and abuse and collect evidence. One example of such uses is our analysis of log data, the system-related records documenting how our systems are used. We also have an interest in preventing, blocking and resolving security breaches, performing analyses and tests of our networks and IT infrastructure and conducting system and error checks.
  • To comply with official laws, directives and recommendations as well as internal rules (“compliance”). For these purposes, we particularly use your master and contractual data.
  • Where appropriate, we may also process personal data to protect our rights, whether pre-trial, in or out of court or before domestic or international authorities or to defend ourselves against claims. For these purposes, we rely to a large extent on your master, communication and contractual data.

By contacting us, you can contest our processing for marketing purposes and even limit your objection to specific communication channels (for example, email advertising) or specific promotions (see Section 11).

5. On-line tracking and similar technologies

5.1. What is this all about?

We make use of third-party services at our website that enable us to assess and improve the website’s user-friendliness and our on-line promotional campaigns. In these functions, we may integrate third-party components that in turn may deposit cookies. When we track you or employ similar technologies, our core aim is to be able to distinguish your access (via your own system) from access by other users, thus enabling us to ensure the website’s functionality and perform statistical analyses. In doing this, we have no interest in revealing your identity. The techniques we employ are designed to recognise you as an individual each time you access a page – for example, when our server (or the third-party server) assigns you a unique recognition number (known as a “cookie”).

5.2. What are cookies and similar technologies?

Cookies are files automatically stored by your browser onto your terminal when you access our website. Cookies contain a unique code number (ID) that can be used by us to distinguish individual users from one another, generally without discovering their identity. Depending on their use, cookies contain other information – for example, they may identify pages that are accessed and the length of time the user spends on each page. We use two types of cookies: session cookies that are erased when the browser is closed and permanent cookies that continue to be retained for a certain period of time for the purpose of recognising users when they once again access our site.

In addition, we can use similar technologies such as LinkedIn Insight Tags, Facebook Pixel and others to store data in the browser. Pixel Tags refer to tiny, generally invisible images or to a program code downloaded by a server to provide the server’s operator with certain data – for example, whether or when the website was accessed. Fingerprints refer to data collected when you visit our website to identify the configuration of your terminal or browser. These enable us to distinguish your terminal from other devices.

5.3. How and for what purpose do we use cookies and similar technologies?

We use the following types of cookies and similar technologies:

  • Strictly necessary cookies assist us in making our website usable by facilitating page navigation and access to secure areas of the website. Our website cannot function properly without these cookies.
  • Preference cookies enable us – with your permission – to store data already received that affect the website’s appearance or content, such as your preferred language or the region where you are located.
  • Statistical cookies help us to understand how you interact with our website by anonymously collecting and reporting data. These cookies work to simplify and speed up the website and to improve its general user-friendliness.
  • Marketing cookies are helpful to us and to our marketing partners in enabling us to provide you with web-based advertising promoting our products or services or those of third parties that you may find interesting, or in displaying our ads when you engage in further Internet use following your access of our website.

We use cookies for the following purposes:

  • To customise contents,
  • To display individually tailored advertisements and offers,
  • To display advertisements on third-party websites and gauge their success – that is, whether you respond to these displays (remarketing),
  • To store settings for use when you reaccess our website,
  • To determine whether and how we can improve our website,
  • To collect statistical data on the number of users and their habitual usage as well as to improve the website’s speed and performance,
  • For other purposes listed in Section 4.

5.4. How can cookies and similar technologies be deactivated?

When you access our website, you have the option to activate or deactivate certain categories of cookies. You can configure settings in your browser to block certain cookies or similar technologies or to erase existing cookies and other data stored in your browser. You can also enhance your browser with software (“plug-ins”) to block tracking by specific third parties. You can learn more about this feature on your browser’s help page (usually under the term “data protection”). You need to be aware that our website may no longer function to its full capacity for you if you block cookies and similar technologies.

5.5. Partner and third-party cookies on our website

We use third-party services to assess and improve the user-friendliness of our website and on-line advertising campaigns. Third-party providers may be located outside Switzerland and the EU/EEA if such locations provide reasonable protection of your personal data (see Section 10).

For example, we use analytical services to evaluate how you use our website so that we can optimise and customise it. Third-party cookies and similar third-party technologies make it possible for us to gauge the effectiveness of the customised advertising displays on our own website as well as on other websites and on social networks that also collaborate with these (for example, they indicate whether you have accessed an ad on our website and what action you next engaged in at our website).

In this process, third-party providers can log the usage of the specific website. These indications can be linked by each provider to similar information from other websites. The habits of certain users can in this way be displayed across multiple websites and multiple terminals. The provider can frequently also use the data for its own purposes. If a user logs onto a provider’s site, the provider can associate that person with the usage data. In this case, processing of such personal data is carried out by and under the responsibility of the provider and in accordance with that provider’s own data protection policies.

We currently feature offers by various service providers and contracted advertising partners. Described below are the most noteworthy offers and service providers we use. Other providers generally process personal and other data in a similar fashion:

  • Google Analytics, an analytical service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA, U.S.) and Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland; jointly “Google”, whereby Google Ireland Ltd. is responsible for processing personal data). Google uses cookies and similar technologies to collect specific data regarding the behavior of individual users in accessing the specific website as well as the terminal used to achieve such access (tablet, PC, smartphone etc.). Google acquires information regarding the user’s presence on the website and the terminal being used and sends us assessments based on this information. It also processes certain data for its own purposes, however. We have configured Google Analytics in a manner that anonymises users’ IP addresses prior to their transmission to the United States. You can learn more about Google Analytics data protection policies here. You can deactivate Google Analytics by installing the appropriate browser add-on.
  • Meta-Pixel, an analytical tool of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We are able to use this tool to control displays by Meta and its partners to be shown only to users likely to be interested in them. We are also able to measure the effectiveness of such displays for statistical purposes and market research. We and Meta are jointly responsible for the exchange through which Meta receives the data, the display of customised ads, the improvement of advertisement delivery and the customising of contents. These data are stored on servers in the EU/EEC and in the U.S. Users can send information requests and other enquiries directly to Facebook. Further information regarding data protection policies at Meta and corresponding setting options can be obtained here.
  • LinkedIn Insight Tag, an analytical tool of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Through LinkedIn Tag, we receive information that you have accessed our Internet pages; in the process, your IP address is also obtained. In addition, time stamps and events such as page views are also stored. This enables us to conduct a statistical evaluation of your use of our website as part of our continuing effort to improve the site. For example, we learn which LinkedIn advertisements or interactions you used to access our website. In this way, we achieve better management of how our advertising is employed. The data are stored on servers in the EU/EEC and in the U.S. We have configured LinkedIn Insight Tag in a manner that truncates or hashes users’ IP addresses prior to their transmission to the U.S. Please note that LinkedIn can store the data in a way that associates it with a particular user file and that LinkedIn can use the data for its own advertising purposes. You can find more information concerning data protection policies and corresponding setting options here.
  • Freshdesk, a help desk and ticketing software package for efficient customer service design. The company providing this service is Freshworks Inc., 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States. The software enables us to store, track and respond to user requests and to manage these in a variety of ways. The data are stored on servers in Frankfurt am Main (EU/EEC). Further information regarding data protection policies at Freshworks and corresponding setting options can be obtained here.

6. How do we process data gathered from social media entries?

We can maintain our own presence on third-party platforms (such as social networks) – on Facebook fanpages, for example. Whenever you communicate with us or comment on content at such sites, we collect and process the corresponding data. When you access our social media presence, data can be directly sent to the respective provider and retained there (for example, data on your user behaviour), and the provider can process these data together with other data to which it has access. Where we bear joint responsibility together with the provider for certain processing functions, we reach a common agreement regarding the essential content you can communicate to the provider. Additional information regarding social network provider data processing can be found in the data protection declarations of each social network.

7. How do we process data for newsletters?

When you complete the contact form at our website to sign up for the newsletter, you grant us permission to send you electronic newsletters, invitations to events and marketing offers from WELL or third parties (partners). You can cancel your subscription at any time via a link found in each email.

In our use of newsletters, we assess whether and when you open the newsletter and which contents you click on. In this way, we are able to orient the newsletter towards topics that interest you. More information on this subject is found in Section 3.5.

8. To whom do we divulge your personal data?

Consistent with the purposes we identified in Section 4, we send your personal data to third parties, especially recipients in the following categories:

  • Service providers: We use various third-party services, notably IT services (examples include providers of hosting services), services involved in the dissemination of our newsletters and the operation of our website, other dissemination and logistics services, banking and mail services, consultants, etc. You can find additional information regarding the providers of website services at our website in Section 5. To the extent required, these services can also include the processing of personal information.
  • Authorities: We can share your personal data with official agencies, courts and other domestic and international authorities when we are obligated or entitled by law to do so or when it appears to be necessary to share such information to protect our interests. These authorities process the data they receive from us under their own responsibility.
  • Other recipients: In the course of our corporate development, we may sell, acquire or partner with businesses or business units, assets or companies, and such actions could result in data being divulged to persons involved in these transactions. When we participate in proceedings, we may also divulge personal data to other participants in the proceedings (such as counterparties).

9. Do we divulge personal data abroad?

As indicated in Sections 5, 6 and 7, your personal data are processed not only by us but also by service providers and other recipients who may be located outside Switzerland and the EU/EEC, especially in the United States. Laws in these countries do not always protect data to an extent equivalent to that assured under Swiss law. For this reason, we draw up contractual provisions to bring the weaker legal protection up to Swiss levels, provided that individual data protection measures have not been legally established for other reasons (for example, if you have granted permission for certain data to be divulged or if the dissemination is necessary for the conclusion of a contract or the determination, assertion or implementation of a legal claim, or if a particular standard is in the prevailing public interest). These conditions particularly include the standard contractual clauses issued or recognised by the European Commission and the Swiss Federal Data Protection and Information Commissioner (FDPIC).

10. What else should you know about this subject?

10.1. For how long do we process your personal data?

We store and process your personal data for the duration required to accomplish the purpose of the processing, for as long as we have a justified interest in the storage (for example, to assert legal claims, for archiving purposes or to ensure IT security) and until retention of the data is no longer legally mandated. Once legal or contractual obligations have expired and the storage or processing period has ended, we destroy or anonymise your data in the course of our normal operations.
The retention period for technical data generally varies from 30 days (Freshworks) to 14 months (Google). Where data are used for marketing and promotion, this period usually extends to no more than two years from our last contact. The period can be longer if retention is required for evidentiary purposes, to comply with legal or contractual provisions or for technical reasons.

10.2. How do we protect your data?

We engage in reasonable security measures to ensure the confidentiality, integrity and availability of your personal data, to protect it against unauthorised or illegal processing and to counteract the risk of loss, unintentional modification, involuntary disclosure or unauthorised access. Despite these actions, security risks cannot generally be eliminated, and residual risks are unavoidable.
Beyond security measures of a technical or organisational nature, we take other steps such as data encryption and pseudonymisation, log maintenance, restricted access, creation of backup copies, directives to our employees, confidentiality agreements and monitoring. We use our own encryption mechanisms to protect your data during transmission via the website. We can only secure areas under our control, however. We also require our processors to take reasonable steps to safeguard data.

11. What are your rights?

To facilitate your review of the processing of your personal data, you have the following rights related to our data processing:

  • Information: You have the right to demand information regarding our processing of your personal data and a copy of the personal data.
  • Rectification: You can demand that we correct or supplement inaccurate or incomplete data – for example, when these data are incorrect.
  • Erasure: You have the right to demand the erasure or anonymisation of your data.
  • Objection and revocation: You can object to our processing for specific purposes (for example, processing intended for marketing). You have the right to revoke your consent with future effect if processing is based on consent. Please note that we are entitled to continue to process your personal data to the extent allowed under the law even after you have revoked your consent.
  • Portability: You have the right to receive the personal data you have made available to us in a structured, commonly used and machine-readable format or to have these data transmitted to a third party, provided that the data processing in question is based on your permission or is required for the fulfilment of a contract.

Please bear in mind that these rights are subject to legal requirements and restrictions and may not therefore be fully applicable to you in every case. In particular, we may be required to continue to process and store your personal data to fulfil the terms of a contract with you, to safeguard interests that may be worthy of protection such as assertion, exercise or defence against claims, or to comply with legal obligations. To the extent legally permissible, therefore, especially in order to protect the rights and freedoms of other affected persons and to safeguard interests worthy of protection, we are entitled to refuse a request by an affected party either fully or in part (for example, by blacking out certain contents affecting third parties or our own business secrets).

If you wish to assert your rights towards us, please send us a written communication. Our contact information is found in Section 2. We are generally required to check your identity (through provision of a copy of an identity document, for example). We need to identify you to exclude the possibility of abuse (for example, with a copy of an identity document to the extent that this is not possible in some other way).

You may also elect to lodge a complaint with a supervisory authority if you have misgivings as to whether the processing of your personal data is legally justified. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

 

Data Protection Statement version: 01 April 2022