Version October 2022
In this privacy statement, we, BR Meditech (from now on referred to as we), explain how we collect and process personal data on the website BRMEDITECH.COM. Personal data means any information relating to an identified or identifiable individual.
BR Meditech is responsible for the data processing activities described here unless otherwise stated in the individual case. If you have any data protection concerns, you can send them to us at the following contact address:
Our representative in the EEA under Article 27 of the GDPR (if required) is BR Meditech.
2. collection and processing of personal data
We primarily process the personal data we receive from our customers and other business partners during our business relationship with them and other persons involved or that we collect from the user:s when operating our websites. This may include in particular:
Date of birth
As a matter of principle, we only process personal data by the data protection laws applicable to us if the person concerned has given their consent or if there is another legal basis for doing so. The processing is carried out to the extent necessary for the respective purpose. Data processing includes the acquisition, storage, use, reprocessing, transmission, archiving and destruction of collected personal data.
In addition to the data from you that you give us directly, the categories of personal data include, in particular, your booked treatments and other data related to the use of the website (e.g. IP address, MAC address of the smartphone or computer, information about your device and settings, cookies, date and time of visit, pages and content accessed, functions used, referring website, location information).
3. obligation to provide personal data
In our business relationship, you must provide the personal data necessary to establish and implement a business relationship and fulfil the associated contractual obligations (you usually do not have a legal obligation to provide us with data). For example, without this data, we will generally be unable to conclude a contract with you or process it. Also, the website cannot be used if certain information to ensure data traffic (such as IP address) is not disclosed.
4. purposes of data processing
We use the personal data we collect primarily to enter into and process our contracts with our customers and business partners, in particular with our customers in connection with the services offered on lysbrb.com and the purchase of products and services from our suppliers and subcontractors, and to comply with our legal obligations at home and abroad.
In addition, where permitted and deemed appropriate, we also process personal data from you for the following purposes, in which we (and sometimes third parties) have a legitimate interest commensurate with the goal:
Provision of our website and other platforms;
Offering and further developing our offers, services and websites on which we are present;
Testing and optimizing procedures for needs analysis for direct customer contact, as well as collecting personal data from publicly available sources for customer acquisition;
Advertising and marketing;
Market and opinion research, media monitoring;
Assertion of legal claims and defence in connection with legal disputes and official proceedings;
Prevention and investigation of criminal offences and other misconduct (e.g., conducting internal studies and data analysis to combat fraud);
Guarantees of our operations, in particular IT, our websites, apps and other platforms;
Purchase and sale of business units, companies or parts of companies and other transactions under company law and the associated transfer of personal data as well as measures for business management and as far as to comply with legal and regulatory obligations of BRMEDITECH.COM.
Insofar as you have given us consent to process your data for specific purposes (for example, when you register to receive newsletters), we process your data within the scope of and based on this consent insofar as we have no other legal basis. We require such a basis based on the data protection legislation applicable to us. Consent given can be revoked at any time in the future, but this does not affect data processing that has already taken place.
5 Data processing by third parties
5.1 Making appointments
5.2 Implementation of Cosmetic Services l Processing by Franchisees
We do not only perform our cosmetic services ourselves. Our franchisees also provide them, who have their legal entities and run their studios as franchisees. For this purpose, we transmit to them the data collected via the external appointment scheduler of Belbo Business Software GmbH (see 5.1 Appointment scheduling). Only the data required for the processing of the appointment, the execution of the booked treatment and the payment will be passed on to the specific franchisee. An overview of the franchisees can be found on our website under the heading “Locations”.
5.3 Cookies/tracking and other technologies in connection with the use of our website
We typically use “cookies” and similar technologies on our websites to identify your browser or device. A cookie is a small file sent to your computer or automatically stored on your computer or mobile device by the web browser you use when you visit our website. This allows us to recognize you when you return to this website, even if we do not know who you are. In addition to cookies that are only used during a session and deleted after your website visit (“session cookies”), cookies can also be used to store user settings and other information for a certain period (e.g. two years) (“permanent cookies”). However, you can set your browser to reject cookies, store them for one session, or delete them early. Most browsers are preset to accept cookies. We use persistent cookies to remember user preferences (e.g., language, autologin), to help us better understand how you use our offerings and content, and to show you offers and advertisements tailored to you (which may also happen on other companies’ websites; however, they will not learn from us who you are, if we even know, because they will only see that the same user is on their website which was on a particular page with us). Sure set certain of the cookies, which are also established by contractors with whom we work. If you block cookies, certain functionalities (such as language selection, shopping cart, and ordering processes) may no longer work.
We also include visible and invisible image elements in our newsletters and other marketing emails in part and to the extent permitted; by retrieving them from our servers, we can determine whether and when you have opened the email so that we can measure and better understand how you use our offers and tailor them to you here as well. You can block this in your email program; most are preset to do so.
By using our websites and agreeing to receive newsletters and other marketing emails, you consent to use these techniques. If you do not want this, you must set your browser or email program accordingly.
For example, we use Google Analytics or similar services on our websites. This third-party service may be located in any country on the planet. Namely, we use the following cookie and tracking tools:
Google Analytics and Google Search Engine: this allows us to measure and evaluate the use of the website (non-personal). Permanent cookies from Google LLC or Alphabet Inc. are also used for this purpose and are set by the service provider Google. By selecting these cookies, we can provide our website users with targeted advertising on Google platforms such as YouTube or the Google Search Engine if they exhibit specific user behaviour. An example of such behaviour would be if you inquired about a service but did not make an appointment.
Google Ireland relies on Google LLC, based in the USA, as an order processor. These are each subsidiaries of Alphabet Inc, also found in the USA. We have configured the service so that the IP addresses of visitors to Google in Europe are shortened before being forwarded to the USA and thus cannot be tracked. In addition, we have turned off the “Data Forwarding” and “Signals” settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google can draw conclusions about the identity of visitors from this data for its purposes, create personal profiles and link this data to the Google accounts of these individuals. As you have registered with the service provider, the service provider also knows you. The processing of your data by the service provider then takes place under the service provider’s responsibility through its data protection provisions. The service provider only tells us how our respective website is used (no information about you personally).
Facebook Pixel: This uses permanent cookies from Meta Platforms Ireland Ltd (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland). This is a subsidiary of Meta Platforms Inc., which is based in the USA. This allows us to learn how users access our website via Meta’s platforms, such as Facebook, Instagram and WhatsApp, analyze their behaviour and target them with advertising depending on their user behaviour.
Meta’s Facebook and Instagram data is also forwarded to the USA. The processing of your data by the service provider then takes place under the service provider’s responsibility through its data protection provisions. The service provider only informs us how our respective website is used (no information about you personally).
SEO All in One: By setting a permanent cookie, this plug-in collects non-identifying personal data to analyze user behaviour and optimize the website’s ranking in search engines. This does not process any data that identifies or makes you identifiable.
We also use so-called plug-ins from social networks such as Facebook, Twitter, YouTube or Instagram on our websites. This is apparent to you in each case (typically via corresponding icons). We have configured these elements so that they are deactivated by default. If you activate them (by clicking on them), the operators of the respective social networks can register that you are on our website and where and can use this information for their purposes. The processing of your data is then the responsibility of this operator according to its data protection regulations. We do not receive any information about you from him.
5.4 Data transfer and data transmission abroad
In the course of our business activities and for the purposes set out in section 3, we also disclose personal data to third parties insofar as this is permitted and appears to us to be appropriate, either because they process it for us or because they want to use it for their purposes (franchisees). In particular, this concerns the following entities:
Service providers of us (within the BRMEDITECH.COM group as well as externally, such as banks and insurance companies), including order processors (such as IT providers);
Dealers, suppliers, subcontractors and other business partners; franchisees: inside of BRMEDITECH.COM;
domestic and foreign authorities, government agencies or courts;
Acquirers or parties interested in acquiring business units, companies or other parts of the BRMEDITECH.COM group;
Other companies of the BRMEDITECH.COM group;
All joint recipients.
These recipients are partly domestic but may be anywhere in the world. In particular, you should expect your information to be transferred to all countries where BRMEDITECH.COM is represented by group companies, branches, franchises or other locations and to other countries in Europe and the United States where the service providers we use are located.
If a recipient is located in a country without adequate legal data protection, we contractually obligate the recipient to comply with the applicable data protection laws unless the recipient is already subject to a legally recognized set of rules to ensure data protection. We cannot rely on an exemption provision. An exception may apply in particular in the case of legal proceedings abroad but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have given your consent or if the data in question has generally been made accessible by you. You have not objected to its processing.
Many countries outside Switzerland or the EU and EEA do not currently have laws that guarantee an adequate level of data protection from the perspective of the DPA. The contractual arrangements can partially compensate for this weaker or missing legal protection. However, contractual agreements cannot eliminate all risks (namely government access abroad). Therefore, you should be aware of these residual risks, even though the risk may be low in individual cases.
6 Duration of storage of personal data
We process and store your data as long as it is necessary for the fulfilment of our contractual and legal obligations or otherwise the purposes pursued with the processing, i.e., for example, for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) as well as beyond that by the legal storage and documentation obligations. In this context, personal data may be retained during which claims can be asserted against our company and insofar as we are otherwise legally obligated to do so, or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your data is no longer necessary for the purposes mentioned above, it will be deleted or anonymized as a matter of principle and to the extent possible.
7. Data security
We take appropriate technical and organizational security precautions to protect your data from unauthorized access and misuse. However, we can only secure areas that we control. We also oblige our order processors to take appropriate security measures. However, security risks cannot be completely ruled out; residual risks are unavoidable.
We process your data in part automatically to evaluate certain personal aspects (profiling). In particular, we use profiling to provide targeted information and advice about products. In addition, we use evaluation tools to provide needs-based communication and advertising, including market and opinion research. This is done via the third-party provider’s Google and Meta as part of our advertising campaigns, without us being able to see which specific persons are involved (see above 5.3 Cookies / Tracking).
We generally do not use fully automated automatic decision-making to establish and implement the business relationship. However, if we use such procedures in individual cases, we will inform you separately about this, provided that this is required by law and tell you about the associated rights.
9. Rights of the data subject
Within the framework of the data protection law applicable to you and insofar as provided therein, you have the right to information, correction, deletion, the right to restrict data processing and otherwise to object to our data processing, in particular, that for direct marketing, profiling for direct advertising and other legitimate interests in processing, as well as to the release of specific personal data for transfer to another body (so-called data portability). Please note, however, that we reserve the right to enforce the restrictions provided for by law, for example, if we are obliged to retain or process specific data, have an overriding interest in doing so (insofar as we are entitled to rely on this) or require it for the assertion of claims. If you incur costs, we will inform you in advance. In addition, we have already told you about the possibility of revoking your consent in section 3.
The exercise of such rights usually requires that you prove your identity (e.g. by a copy of your ID card, where your identity is otherwise unclear or cannot be verified). To exercise your rights, contact us at the address in section 1.
Data subjects can enforce their claims in court or file a complaint with the competent data protection authority. Switzerland’s competent data protection authority is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).