1. Scope of application privacy policy

This privacy policy at www. trainpub.com applies to the website, webshop and all other services.

Swiss data protection law (DSG) applies. Specific reference is made to any additional applicable law from the European General Data Protection Regulation (GDPR).

2. Processing of personal data; nature, purpose and their use

When visiting the website

When you visit our website, information is temporarily stored in so-called log files on our server. This is information that the browser of your terminal device automatically sends. Namely:

• IP address of the contacting device
• Date and time
• URL of the called page
• Referrer URL
• Browser and other device information
• Data required for transmission reliability, troubleshooting and improvements

The aforementioned data will be processed by us for the following purposes:

• Connection establishment of the website
• Use of our website
• System security and stability

The data processing is carried out in response to your request and is necessary for the aforementioned purposes for the fulfillment of the contract and pre-contractual measures according to Art. 6 para. 1 sentence 1 lit. b DSGVO or you have given your consent to the described data processing according to Art. 6 para. 1 sentence 1 lit. a DSGVO, since you have accessed the website.

When you contact us or enter into a contract or create a profile

When you enter into a contract through the website, the following data is collected:

• Name, first name, address
• Information about orders placed
• Payment information

If you are a provider, the following data will be collected:

• Name, first name, address, date of birth, mobile number
• E-mail address
• Information about offers
• Payment information

If you are a customer, the following data will be collected:

• Name, first name, address
• E-mail address
• Payment information

The data processing is carried out in response to your request and is necessary for the aforementioned purposes for the fulfillment of the contract and pre-contractual measures according to Art. 6 para. 1 sentence 1 lit. b DSGVO or you have given your consent to the described data processing according to Art. 6 para. 1 sentence 1 lit. a DSGVO.

3. Disclosure of data to third parties (incl. joint controllers and commissioned data processors).

We use external service providers (Amazon Web Services). A separate order data processing agreement has been concluded with the service provider to ensure the protection of your personal data. You can find the currently valid form here:

https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

https://aws.amazon.com/de/service-terms/

https://aws.amazon.com/de/agreement/

4. For the execution of the contract

As far as this is legally permissible according to Art. 6 para. 1 sentence 1 lit. b DSGVO and necessary for the processing of contractual relationships with you, your personal data will be passed on to third parties. This includes, in particular, the disclosure of payment data to payment service providers or credit institutions in order to carry out a payment transaction. The data passed on may be used by the third party exclusively for the purposes stated. Payment processing is carried out by the payment provider Stripe, 185 Berry Street, Suite 550, San Francisco, CA 94107. Further information can be found here: https://stripe. com/en-ch/ssa

For various services, e.g. webinars, we work with software from Twilio. If you book such a service, you agree to its use. Further information about Twilio and data protection can be found here: https://www.twilio.com/legal/privacy

5. Cookies

We use cookies (session cookies as well as temporary and permanent cookies) on our website. These are small files that your browser automatically creates and that are stored on your terminal device (laptop, tablet, smartphone, etc.) when you visit our site. A cookie does not mean that we can identify you in every case.

The use of cookies serves on the one hand to log the frequency of use, number of users and behavior patterns on our website, to increase the security of website use and to design our information offering in a user-friendly way. As soon as you leave the website, these cookies are automatically deleted.

In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your end device for a certain fixed period of time. If you visit our site again to use our services, it is automatically recognized that you have already been with us and which entries and settings you have made so that you do not have to enter them again.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. f DSGVO. Our legitimate interest follows from the operation of the website.

You can configure your browser settings so that no cookies are stored on your computer. Complete deactivation of cookies may mean that you cannot use all the functions of our website.

By continuing to use our website and/or agreeing to this privacy policy, you consent to cookies being set by us and thus to personal usage data being collected, stored and used, even beyond the end of the browser session. You can revoke this consent at any time by activating the browser setting to refuse third-party cookies.

6. Analysis tools

Google Analytics

Our website uses the web analytics service Google Analytics from Google Inc, USA. Google Analytics uses cookies (see under Cookies). These enable an analysis of the use of our website offer incl. IP addresses by Google in the USA. We would like to point out that on this website Google Analytics has been extended by the code “gat._anonymizeIp();” to ensure anonymized collection of IP addresses (so-called IP masking). If anonymization is active, Google truncates IP addresses within member states of the European Union or in other contracting states to the Agreement on the European Economic Area, which is why no conclusions can be drawn about your identity. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Google uses the information collected to evaluate the use of our websites for us, to compile reports for us in this regard and to provide other related services to us. You can find out more at www.google.com/intl/de/analytics/privacyoverview.html, in particular also regarding the possibility of deactivating Google Analytics at http://tools.google.com/dlpage/gaoptout?hl=en.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Hotjar

We use Hotjar to analyze how our website is used. Hotjar allows us to record the behavior of visitors to our website, for example in relation to movements and clicks with a mouse or other input option. Cookies and other technologies are also used to record user behavior as well as information such as screen size, anonymized Internet Protocol (IP) address and approximate location (country). Hotjar, a service provided by Hotjar Ltd. in Malta, states that it stores the collected data in a pseudonymized user profile.

Hotjar and we do not establish a link to individual visitors to our website. The data collected is neither used to identify individual visitors nor is it merged with other data about individual visitors. Further information about the type, scope and purpose of data processing can be found on the “Privacy by Design” page, on the “Cookie Information” page and in the privacy policy of Hotjar. Furthermore, it is possible to object to the collection by Hotjar.

Google Tag Manager

We use Google Tag Manager to integrate and manage services for analytics or advertising from Google as well as from third parties on our website. This is a service of the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish Google Ireland Limited is responsible. No cookies are used, but cookies may be used as part of the services integrated and managed with it. We provide information about the processing of personal data by such services in this privacy policy.

7. Social media plug-in

We use the social plug-ins listed below on our website to make our company better known. The underlying promotional purpose is to be regarded as a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO. The responsibility for data protection-compliant operation is to be ensured by their respective providers. Data processing in connection with these plug-ins takes place with your consent when you use them.

If you use the services of these social networks independently or in connection with our website, the social networks evaluate your use of the plug-in. In this case, information about the plug-in is forwarded to the social networks. The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Facebook

Our website uses plug-ins of the social network Facebook, which is offered by Facebook Inc. The Facebook plug-ins are marked with a Facebook logo or the addition “Like” or “Share”. An overview of the Facebook plug-ins and their appearance can be found at https://developers.facebook.com/docs/plugins.

When you call up a page of our website that contains such a plug-in, your browser establishes a direct connection to the Facebook servers. The content of the plug-in is transmitted by Facebook directly to your browser and integrated into the page.

Through this integration, Facebook receives the information that your browser has accessed the corresponding page of our website, even if you do not have a Facebook profile or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there.

If you are logged in to Facebook, Facebook can directly assign your visit to our website to your Facebook profile. If you interact with the plug-ins, for example by clicking the “Like” button, this information is also transmitted directly to a Facebook server and stored there. The information is also published on your Facebook profile and displayed to your Facebook friends.

The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, can be found in Facebook’s privacy policy: www.facebook.com/policy.php.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Instagram

Functions of the Instagram service are integrated on our website. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. Instagram has been a subsidiary of Facebook Inc. since 2012 and is one of the Facebook products. Embedding Instagram content on our website is called embedding. This allows us to show you content such as buttons, photos or videos from Instagram directly on our website. When you call up web pages on our website that have an Instagram function integrated, data is transmitted to Instagram, stored and processed. Instagram uses the same systems and technologies as Facebook. Your data can therefore also be processed across other Facebook companies.

If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram. For more information, please see the privacy policy of Instagram: https://instagram.com/about/legal/privacy/.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Youtube

So-called social plugins (“plugins”) from YouTube are integrated on our website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them free of charge. YouTube allows the publication of all types of videos, which is why complete film and television programs as well as music videos, trailers and videos created by users themselves can be accessed via the Internet portal.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA (“YouTube”). YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Each time one of the individual pages of this website operated by the controller is called up, on which a YouTube component (YouTube video) has been integrated, the Internet browser on the information technology system of the data subject is automatically caused by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information on YouTube can be found at https://www.youtube.com/yt/about/de/. Within the scope of this technical procedure, YouTube and Google receive knowledge of which specific subpage of our website is visited by the data subject.

If the data subject is logged in to YouTube at the same time, YouTube recognizes which specific subpage of our website the data subject is visiting when a subpage containing a YouTube video is called up. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.

YouTube and Google always receive information via the YouTube component that the data subject has visited our website if the data subject is logged into YouTube at the same time as calling up our website; this takes place regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want this information to be transmitted to YouTube and Google, he or she can prevent the transmission by logging out of his or her YouTube account before accessing our website.

The privacy policy published by YouTube, which is available at https://www.google.de/intl/de/policies/privacy, provides information about the collection, processing and use of personal data by YouTube and Google.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Twitter

Plug-ins of the short message network Twitter Inc. are integrated on our website. You can recognize the Twitter plug-ins (“Twitter” button) by the Twitter logo and the addition “Twitter”. When you call up a page of our website that contains such a plug-in, a direct connection is established between your browser and the Twitter server. Twitter thereby receives the information that you have visited our site with your IP address. If you click the Twitter button while you are logged into your Twitter account, you can link the content of our pages on your Twitter profile. This allows Twitter to associate the visit to our pages with your user account.

We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Twitter. You can find more information about this here: http://twitter.com/privacy. The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

LinkedIn

Plug-ins of the social network LinkedIn Corporation, USA, are installed on our website. You can recognize the LinkedIn plug-in (“LinkedIn Recommended” button) by the LinkedIn logo. If you call up a page of our website that contains such a plug-in, a direct connection is established between your browser and the LinkedIn server. LinkedIn thereby receives the information that you have visited our site with your IP address. If you click the LinkedIn button while you are logged into your LinkedIn account, you can link the content of our pages on your LinkedIn profile. This allows LinkedIn to associate the visit to our pages with your user account. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by LinkedIn. For more information, please visit: www.linkedin.com/legal/privacy-policy. The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

XING

Plug-ins of the social network XING SE, are installed on our website. You can recognize the LinkedIn plug-in (“XING” button) by the XING logo. When you call up a page of our website that contains such a plug-in, a direct connection is established between your browser and the XING server. LinkedIn thereby receives the information that you have visited our site with your IP address. If you click the XING button while logged into your XING account, you can link the content of our pages on your XING profile. This allows XING to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by XING. For more information, please visit: www.xing.com/app/share?op=data_protection.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Google Maps

Google Maps services are used on our website (e.g. in-screen or via interfaces/API). Google LLC, USA, may therefore process information about your actual location. Google uses various technologies such as IP addresses, GPS and other sensors to determine your location, which provide Google with information about nearby devices, WLAN access points or mobile phone masts, for example.

For the purpose and scope of the data collection and the further processing and use of the data by Google, as well as your rights in this regard and setting options for protecting your privacy, please refer to Google’s privacy policy at https://policies.google.com/privacy?hl=de&gl=de.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Google AdWords

Our website uses Google AdWords. AdWords is an online advertising program of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”).

Within the framework of Google AdWords, we use the so-called conversion tracking. When you click on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the internet browser stores on the user’s computer. These cookies lose their validity after 30 days and do not serve to personally identify the user. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user has clicked on the ad and was redirected to this page.

Each Google AdWords customer receives a different cookie. The cookies cannot be tracked via the websites of AdWords customers. The information obtained using the conversion cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. The customers learn the total number of user:s who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users. If you do not wish to participate in the tracking, you can object to this use by easily deactivating the Google conversion tracking cookie via your internet browser under user settings. You will then not be included in the conversion tracking statistics.

The storage of “conversion cookies” is based on Art. 6 (1) lit. f DSGVO. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website and its advertising.

For more information on Google AdWords and Google Conversion Tracking, please see Google’s privacy policy: https://www.google.de/policies/privacy.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. When deactivating cookies, the functionality of this website may be limited.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

Google reCAPTCHA

We use Google reCAPTCHA (hereinafter “reCAPTCHA”) on our website. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

The purpose of reCAPTCHA is to check whether data entry on our websites (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place. The data processing is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in protecting its web offers from abusive automated spying and from SPAM.

For more information about Google reCAPTCHA and Google’s privacy policy, please see the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. a and f DSGVO.

8. Newsletter

This website uses Sendinblue to send newsletters. The provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.

Sendinblue is a service with which, among other things, the dispatch of newsletters can be organized and analyzed. The data you enter for the purpose of receiving the newsletter is stored on Sendinblue’s servers in Germany.

If you do not want Sendinblue to analyze your data, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in each newsletter message.

Data analysis by Sendinblue

With the help of Sendinblue, it is possible for us to analyze our newsletter campaigns. For example, we can see whether a newsletter message was opened and which links, if any, were clicked. In this way, we can determine, among other things, which links were clicked on particularly often.

Sendinblue also allows us to subdivide (“cluster”) newsletter recipients based on various categories. In doing so, the newsletter recipients can be subdivided according to the selection of the desired newsletters. In this way, the newsletters can be better adapted to the respective target groups.

Legal basis

The processing of the data entered in the newsletter registration form is based exclusively on your consent (§ 6 para. 1 lit. b KDG). You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the “unsubscribe” link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.

Storage period

The data you provide us with for the purpose of receiving the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data that has been stored by us for other purposes remains unaffected by this.

After you have unsubscribed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of § 6 para. 1 lit. g KDG). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.

For more details, please refer to the data protection provisions of Sendinblue at: https://de.sendinblue.com/datenschutz-uebersicht/?rtype=n2go.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. a DSGVO.

9. Cross-border disclosure to third countries without adequate level of data protection

Insofar as data transfers are made to a recipient outside the EEA, an adequate level of data protection for the foreign transfer is ensured by appropriate security measures. If you have any questions about such data protection contracts based on the EU standard contractual clauses or if you would like more information about further security mechanisms and security measures for data transfers to third countries, please feel free to contact our data protection officer.

10. Your rights

You have the right:

• You may request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details (Art. 15 DSGVO). In case of a disproportionate effort, we reserve the right to request an identification card from you and the payment of the effective costs in advance.
• Request the correction of inaccurate or incomplete personal data stored by us without delay (Art. 16 DSGVO).
• Request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims (Art. 17 DSGVO).
• Request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing pursuant to Art. 21 DSGVO (Art. 18 DSGVO).
• Receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or request the transfer to another controller (Art. 20 DSGVO).
• You may revoke your consent at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future (Art. 7 para. 3 DSGVO).
• You have the right to lodge a complaint with a supervisory authority (see below) (Art. 77 GDPR).

11. Right of objection

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Art. 21 DSGVO, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.

12. Data security

Your data is protected by means of SSL encryption and organizational measures within the company.

13. Retention period

Your data will be processed confidentially, responsibly, as described in this Privacy Policy and in accordance with applicable data protection law. We store the data only as long and to the extent necessary for the purposes described or for legal reasons.

14. Contact details

This privacy policy applies to data processing by:

Responsible: Trainpub AG, Talstrasse 46, 7270 Davos Platz

Phone: +41 78 781 29 59

Email: hello@trainpub.ch

Supervisory authority: Federal Public Information and Data Protection Commissioner, FDPIC, Feldeggweg 1, 3003 Bern, Switzerland.

14. Up-to-dateness and modification of this privacy policy

We may change or adapt this privacy policy at any time. The current privacy policy can be found at www. homepage.ch.

Davos, March 2022