1. What is the purpose of this privacy policy?

Neurolite AG (hereinafter also "we", "us") collects and processes personal data that concerns you or other persons (so-called "third parties"). We use the term "data" here as synonymous with "personal data" or "personally identifiable information".

In this privacy policy, we describe what we do with your data when you use neurolite.ch, cefaly.ch, flow-neuroscience.neurolite.ch, tms-therapie.ch, or other websites operated by us (hereinafter collectively "website"), access our services or products, otherwise engage with us in connection with a contract, communicate with us, or otherwise interact with us. If applicable, we will inform you through a timely written notification about additional processing activities not mentioned in this privacy policy. We may also inform you separately about the processing of your data, e.g., in consent forms, terms and conditions, additional privacy policies, forms, and notices.

If you provide us with data about other individuals such as family members, colleagues, etc., we assume that you are authorized to do so and that this data is correct. By providing data about third parties, you confirm this. Please also ensure that these third parties have been informed about this privacy policy.

This privacy policy is based on the requirements of the EU General Data Protection Regulation ("GDPR"), the Swiss Data Protection Act ("DPA"), and the revised Swiss Data Protection Act ("revDPA"). Whether and to what extent these laws apply depends on the individual case.

2. Who is responsible for processing your data?

Neurolite AG, based at Hühnerhubelstrasse 79, 3123 Belp, Switzerland, is responsible for the data processing described in this privacy policy, unless otherwise communicated in a specific case.

You can reach us for your privacy concerns and the exercise of your rights under section 11 as follows:

Neurolite AG
Hühnerhubelstrasse 79
CH-3123 Belp

info@neurolite.ch

3. What Data Do We Process?

We process different categories of data about you. The most important categories are as follows:

Technical Data: When you use our website or other electronic services, we collect the IP address of your device and other technical data to ensure the functionality and security of these services. These data also include logs that record the use of our systems. We generally retain technical data for six months. To ensure the functionality of these services, we may also assign you or your device an individual code (e.g., in the form of a cookie, see section 12). In principle, technical data alone do not allow any conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls, or contract processing, they may be linked with other data categories (and thus potentially with your person).

Registration Data: Certain services and offerings (e.g., login areas on our website, newsletter distribution) can only be used with a user account or registration, which can be done directly with us or through our external login providers. In doing so, you must provide us with certain data, and we collect data about the use of the service or offering. If you redeem a voucher with us, we may require certain data from you at the time of redemption. If we issue a voucher for one of our contractual partners, we may transmit certain of your registration data to the respective contractual partner or receive such data from them (see section 7).

Communication Data: If you contact us via contact form, email, phone, chat, letter, or other communication channels, we collect the data exchanged between you and us, including your contact details and the metadata of the communication. If we record or monitor telephone calls or video conferences, e.g., for training and quality assurance purposes, we will specifically inform you of this. Such recordings may only be made and used in accordance with our internal policies. You will be informed whether and when such recordings take place, e.g., by a notice during the respective video conference. If you do not want a recording, please inform us or terminate your participation. If you only do not want a recording of your image, please turn off your camera. If we need to establish your identity, e.g., for a request for information made by you, we collect data to identify you (e.g., a copy of an ID). Emails in personal mailboxes and written correspondence are generally retained for at least ten years.

Master Data: We refer to master data as basic data that we require in addition to contract data (see below) for processing our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details, and information about your role and function, your bank details, your date of birth, customer history, powers of attorney, signature authorizations, and consent declarations. We process your master data if you are a customer or another business contact, or if you act on behalf of such a person (e.g., as a contact person of a business partner) or because we want to contact you for our own purposes or the purposes of a contractual partner (e.g., in the context of marketing and advertising). We receive master data from you directly (e.g., when making a purchase or as part of a registration), from entities you work for, or from third parties such as our contractual partners, associations, and address brokers, as well as from publicly accessible sources such as public registers or the internet. We generally retain these data for ten years from the last exchange with you, at a minimum from the end of the contract. This period may be longer if required for evidence purposes or to comply with legal or contractual requirements or due to technical reasons.

Contract Data: These are data that arise in connection with contract conclusion or execution, such as information about contracts and the services to be provided or provided, as well as data from the pre-contractual phase, the information required for processing, and responses (e.g., complaints or satisfaction information, etc.). We generally collect these data from you, from contractual partners, and from third parties involved in contract execution, as well as from third-party sources (e.g., providers of credit rating data) and publicly accessible sources. We generally retain these data for ten years from the last contract activity, at a minimum from the end of the contract. This period may be longer if required for evidence purposes or to comply with legal or contractual requirements or due to technical reasons.

Behavioral and Preference Data: Depending on our relationship with you, we strive to understand you better and tailor our products, services, and offerings to you. To this end, we collect and use data about your behavior and preferences. We do this by analyzing information about your behavior within our environment, and we may supplement this information with data from third parties – including from publicly accessible sources. Based on this, we can, for example, calculate the probability that you will use certain services or behave in a certain way. Some of the data processed for this purpose are already known to us (e.g., when you use our services), or we obtain these data by recording your behavior (e.g., how you navigate our website). We anonymize or delete these data when they are no longer meaningful for the pursued purposes.

Other Data: We also collect data from you in other situations. In connection with administrative or judicial proceedings, for example, data (such as files, evidence, etc.) may be generated that also relate to you. For health protection reasons, we may also collect data (e.g., within the framework of protection concepts). We may receive or create photos, videos, and audio recordings in which you are recognizable (e.g., at events, through security cameras, etc.). We may also collect data about who enters certain buildings at what time or has corresponding access rights (including access controls, based on registration data or visitor lists, etc.), who participates in events or campaigns, or who uses our infrastructure and systems at what time. The retention period for these data depends on the purpose and is limited to what is necessary. This ranges from just a few days to reports on events with images that may be retained for several years or longer.

Many of the data mentioned in this section 3 are provided to us directly by you (e.g., via forms, in communication with us, in connection with contracts, when using the website, etc.). You are not obliged to provide these data, subject to individual cases, e.g., in the context of binding protection concepts (legal obligations). If you wish to conclude contracts with us or use services, you must provide us with data within the scope of your contractual obligations under the relevant contract, particularly master, contract, and registration data. When using our website, the processing of technical data is unavoidable. If you want access to certain systems or buildings, you must provide us with registration data.

Unless prohibited, we also obtain data from publicly accessible sources (e.g., debt collection registers, land registers, commercial registers, media, or the internet, including social media) or receive data from other companies, authorities, and other third parties (such as credit agencies, associations, contractual partners, etc.).

4. For What Purposes Do We Process Your Data?

We process your data for the purposes explained below. Further information for the online sector can be found in sections 12 and 13. These purposes or the underlying objectives represent legitimate interests of ours and, if applicable, those of third parties. You can find further information on the legal bases of our processing in section 5.

We process your data for purposes related to communication with you, in particular to respond to inquiries, to assert your rights (section 11), and to contact you in case of follow-up questions. For this purpose, we mainly use communication data and master data, and in connection with offers and services used by you, also registration data. We retain these data to document our communication with you, for training purposes, quality assurance, and follow-ups.

We process data for the initiation, management, and execution of contractual relationships.

We process data for marketing purposes and relationship management, e.g., to send our customers and other contractual partners personalized advertising for products and services from us and third parties. This can take place, for example, in the form of newsletters and other regular contacts (electronically, by mail, by phone), through other channels for which we have your contact information, but also as part of individual marketing campaigns (e.g., events) and may also include complimentary services (e.g., invitations, vouchers, etc.). You can reject such contacts at any time (see the end of this section 4) or refuse or revoke your consent to being contacted for advertising purposes. With your consent, we may target our online advertising on the internet more specifically to you (see section 12).

We further process your data for market research, to improve our services and operations, and for product development.

We may also process your data for security purposes and access control.

We process personal data to comply with laws, instructions, and recommendations from authorities, as well as internal regulations ("compliance").

We also process data for the purposes of our risk management and as part of prudent corporate governance, including business organization and corporate development.

We may process your data for other purposes as well, e.g., in the context of our internal processes and administration.

5. On What Basis Do We Process Your Data?

If we ask for your consent for certain processing activities (e.g., for processing particularly sensitive personal data and for marketing mailings), we will inform you separately about the relevant purposes of the processing. You can revoke your consent at any time by sending us a written notice (by mail) or, unless otherwise specified or agreed, by email with effect for the future; our contact details can be found in section 2. For revoking your consent regarding online tracking, see section 12. If you have a user account, revocation or contacting us may also be possible via the relevant website or service. Once we receive the notification of your revocation, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. The revocation of your consent does not affect the lawfulness of the processing carried out based on your consent before the revocation.

Where we do not ask for your consent for processing, we base the processing of your personal data on the necessity of the processing for the initiation or execution of a contract with you (or the entity you represent) or on the fact that we or third parties have a legitimate interest in doing so. This applies particularly to pursue the purposes described in section 4 and the associated objectives and to implement corresponding measures. Our legitimate interests also include compliance with legal regulations, provided these are not already recognized as a legal basis under applicable data protection laws (e.g., under the GDPR, the law in the EEA and Switzerland). This also includes the marketing of our products and services, the interest in better understanding our markets, and the secure and efficient operation and further development of our company, including its operational business.

If we receive sensitive data (e.g., health data, information on political, religious, or philosophical beliefs, or biometric data for identification), we may also process your data based on other legal grounds, such as in the case of disputes where processing is necessary for potential legal proceedings or the assertion or defense of legal claims. In individual cases, other legal bases may apply, which we will communicate to you separately if required.

6. What applies to profiling and automated individual decisions?

We may assess certain of your personal characteristics for the purposes mentioned in Section 4 based on your data (Section 3) through automated processes ("profiling"), if we want to determine preference data, but also to identify abuse and security risks, perform statistical evaluations, or for operational planning purposes. For the same purposes, we may also create profiles, i.e., we may combine behavioral and preference data, as well as basic and contract data, and the associated technical data, to better understand you as a person with your various interests and other characteristics.

In both cases, we ensure the proportionality and reliability of the results and take measures against the misuse of these profiles or profiling. If these could have legal effects or significant disadvantages for you, we generally provide for a manual review.

7. To whom do we disclose your data?

In connection with our contracts, the website, our services and products, our legal obligations, or otherwise to safeguard our legitimate interests and the other purposes listed in Section 4, we also transfer your personal data to third parties, particularly to the following categories of recipients:

Service providers: We collaborate with service providers in Switzerland and abroad who process data about you on our behalf or jointly with us, or who receive data about you from us for their own purposes (e.g., IT providers, shipping companies, advertising service providers, login service providers, debt collection companies, credit agencies, or address verification services). For the service providers used for the website, see Section 12. Key IT service providers for us are Microsoft and Alphabet, in debt collection, the company Inkassomed, and in security, Barracuda.

In order for us to provide our products and services efficiently and focus on our core competencies, we source services from third parties in numerous areas. These services include, for example, IT services, the sending of information, marketing, sales, communication or printing services, organization and execution of events and receptions, debt collection, credit agencies, address verification (e.g., to update address records in case of moves), fraud prevention measures, and services from consulting firms, lawyers, banks, insurers, and telecommunications companies. We provide these service providers with the data necessary for their services, which may concern you as well. These service providers may also use such data for their own purposes, such as data on outstanding claims and your payment behavior in the case of credit agencies, or anonymized data for service improvement. We also conclude contracts with these service providers that include provisions for data protection, unless this is already provided by law. Our service providers may also process data, such as how their services are used, and other data that arises during the use of their services, as independent controllers for their own legitimate interests (e.g., for statistical evaluations or billing). Service providers inform about their independent data processing in their own privacy statements. More information on how Microsoft processes data can be found here: https://privacy.microsoft.com/en-us/privacystatement.

Contract partners, including customers: This primarily refers to customers (e.g., service recipients) and other contract partners, as this data transfer arises from these contracts. For example, they receive registration data for issued and redeemed vouchers, invitations, etc. If you are active for such a contract partner, we may also transmit data about you to them in this context. Further recipients include contract partners with whom we cooperate. We require these partners to send you advertising or use your data only if you have agreed to it (for the online area, see Section 12). Our online advertising contract partners are listed in Section 12.

Authorities: We may disclose personal data to authorities, courts, and other government agencies in Switzerland and abroad if we are legally obligated or authorized to do so or if it appears necessary to safeguard our interests. These authorities process data about you that they receive from us, under their own responsibility.

Other persons: This refers to other cases where the inclusion of third parties arises from the purposes according to Section 4, e.g., service recipients, media, and associations we are involved with, or if you are part of one of our publications.

Other recipients include delivery addresses or external payment recipients different from you, other third parties also in the context of representation relationships (e.g., if we send your data to your lawyer or bank), or individuals involved in administrative or court procedures. If we cooperate with media and transmit material (e.g., photos), you may also be affected. The same applies to the publication of content (e.g., photos, interviews, quotes, etc.) on the website or in other publications by us. In the context of corporate development, we may sell or acquire businesses, parts of businesses, assets, or companies or enter into partnerships, which may also result in the disclosure of data (including yours, e.g., as a customer or supplier, or as a supplier representative) to the persons involved in these transactions. In our communication with competitors, industry organizations, associations, and other bodies, there may also be an exchange of data that affects you.

All these categories of recipients may themselves involve third parties, so your data may also become accessible to them. We can restrict the processing by certain third parties (e.g., IT providers), but not by others (e.g., authorities, banks, etc.).

We also allow certain third parties to collect personal data about you on our website and at events we host (e.g., media photographers, providers of tools we have integrated into our website, etc.). If we are not significantly involved in these data collections, these third parties are solely responsible for them. For concerns and the assertion of your data protection rights, please contact these third parties directly. See Section 12 for the website.

8. Do your personal data also reach abroad?

As explained in Section 7, we also disclose data to other entities. These are not only located in Switzerland. Therefore, your data may also be processed in Europe, and in exceptional cases, in any country worldwide.

If a recipient is in a country without adequate legal data protection, we contractually obligate the recipient to comply with the applicable data protection standards, unless they are already subject to a legally recognized framework to ensure data protection and we cannot rely on an exemption. An exception may apply, for example, in legal proceedings abroad, or if overriding public interests require such disclosure, if contract performance necessitates it, if you have consented, or if the data is made publicly available by you and you have not objected to its processing.

Please also note that data exchanged over the Internet is often routed through third countries. Therefore, your data may also reach abroad even if the sender and recipient are in the same country.

9. How long do we process your data?

We process your data as long as it is necessary for our processing purposes, the legal retention periods, and our legitimate interests in processing for documentation and proof purposes, or as long as storage is technically required. Further information on the specific storage and processing duration can be found in Section 3 for the individual data categories or in Section 12 for the cookie categories. If no legal or contractual obligations oppose it, we delete or anonymize your data after the storage or processing duration expires within our usual procedures.

10. How do we protect your data?

We take appropriate security measures to maintain the confidentiality, integrity, and availability of your personal data, to protect it against unauthorized or unlawful processing, and to prevent risks such as loss, accidental alteration, unintended disclosure, or unauthorized access.

11. What rights do you have?

The applicable data protection law grants you the right, under certain circumstances, to object to the processing of your data, especially for direct marketing purposes, profiling for direct advertising, and other legitimate interests in processing. To facilitate your control over the processing of your personal data, you have the following rights in connection with our data processing, depending on the applicable data protection law:

-The right to request information from us on whether and which data we process about you; – The right to have us correct data if it is incorrect;

-The right to request the deletion of data;

-The right to request the release of certain personal data in a commonly used electronic format or its transfer to another controller;

-The right to withdraw consent, if our processing is based on your consent;

-Te right to receive additional information required to exercise these rights;

If you wish to exercise the above rights against us, please contact us in writing, on-site, or by email unless otherwise indicated or agreed; our contact details can be found in Section 2. To prevent abuse, we must verify your identity (e.g., with a copy of your ID if not possible otherwise). You also have these rights with other entities that cooperate with us independently – please contact them directly if you want to exercise rights regarding their processing. Details about our important cooperation partners and service providers can be found in Section 7, further details in Section 12. Please note that there are conditions, exceptions, or restrictions for these rights under the applicable data protection law (e.g., for the protection of third parties or business secrets). We will inform you accordingly if necessary. If you disagree with our handling of your rights or data protection, please let us know (Section 2). Particularly if you are in the EEA or Switzerland, you also have the right to lodge a complaint with the data protection authority of your country. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de. The UK supervisory authority can be reached here: https://ico.org.uk/global/contact-us/. The Swiss supervisory authority can be reached here: https://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/adresse.html.

12. Do we use online tracking and online advertising techniques?

On our website, we use various techniques with which we and third parties we involve can recognize you during your use and potentially track you across multiple visits. In this section, we inform you about this. The core idea is that we can distinguish your accesses (via your system) from accesses by other users to ensure the functionality of the website and to perform evaluations and personalizations. We do not intend to infer your identity, although we can do so if we or third parties involved can identify you by combining with registration data. Even without registration data, the techniques we use are designed to recognize you as an individual visitor with each page view, for example, by assigning a specific recognition number to you or your browser (so-called "cookies"). We use such techniques on our website and allow certain third parties to do so as well. Depending on the purpose of these techniques, we will ask for your consent before they are used. You can configure your browser to block specific cookies or alternative techniques, deceive them, or delete existing cookies. You can also extend your browser with software that blocks tracking by certain third parties. Further information can be found on the help pages of your browser (usually under the term "privacy") or on the websites of the third parties we list below. The following cookies (techniques with similar functionalities, such as fingerprinting, are included here) are distinguished:

-Necessary cookies: Some cookies are necessary for the website to function or for certain functions. They ensure, for example, that you can switch between pages without losing information entered in a form. They also ensure that you remain logged in. These cookies are temporary ("session cookies"). If you block them, the website may not function properly. Other cookies are necessary so that the server can store decisions or inputs you made beyond a session (i.e., a visit to the website), if you request this functionality (e.g., selected language, granted consent, automatic login function, etc.). These cookies have an expiration date of up to 24 months.

-Performance cookies: To optimize our website and offerings and better align them with the needs of users, we use cookies to record and analyze the use of our website, possibly even beyond the session. We do this through the use of third-party analytics services. Listed below. Performance Cookies also have an expiration date of up to 24 months. Details can be found on the third-party websites.

-Marketing Cookies: We and our advertising partners have an interest in targeting ads to specific audiences, meaning we want to show them only to those we aim to reach. Our advertising partners are listed below. For this purpose, we and our advertising partners – with your consent – also use cookies that allow us to track the viewed content or completed contracts. This enables us and our advertising partners to display ads that we believe will interest you, on our website, but also on other websites that show ads from us or our advertising partners. These cookies have an expiration date ranging from a few days to 24 months, depending on the situation. If you consent to the use of these cookies, corresponding ads will be displayed to you. If you do not consent to these cookies, you will not see less advertising, just different advertising.

We may also integrate other third-party services on our website, particularly from social media providers. The respective providers may determine that you are on our website. If you have an account with the social media provider, they may link this information to your account and track your usage of online services. These social media providers process this data independently.

Currently, we use services from the following providers and advertising partners (as far as they use data from you or cookies set by you for advertising purposes):

-Google Analytics: Google Ireland (based in Ireland) is the provider of the "Google Analytics" service and acts as our processor. Google Ireland relies on Google LLC (based in the USA) as its processor (both "Google"). Google tracks visitor behavior on our website (duration, frequency of visited pages, geographical origin of access, etc.) through performance cookies (see above) and creates reports for us based on this. Although we assume that the information we share with Google is not personal data for Google, it is possible that Google may infer the identity of visitors from this data, create personal profiles, and link this data with Google accounts of these individuals. If you consent to the use of Google Analytics, you explicitly consent to such processing, including the transfer of personal data (especially usage data related to the website and app, device information, and individual IDs) to the USA and other countries. You can find information about Google Analytics' data protection here: https://support.google.com/analytics/answer/6004245, and if you have a Google account, further details on Google's processing can be found here: https://policies.google.com/technologies/partner-sites?hl=en.

13. What data do we process on our social media pages?

We may operate pages and other online presences on social networks and other third-party platforms ("Fanpages", "Channels", "Profiles", etc.) and collect the data about you as described in Section 3 and below. We receive this data from you and the platforms when you interact with us through our online presence (e.g., when you communicate with us, comment on our content, or visit our presence). At the same time, the platforms analyze your use of our online presences and link this data with other data known to the platforms about you (e.g., your behavior and preferences). They also process this data for their own purposes under their own responsibility, particularly for marketing and market research purposes (e.g., to personalize ads) and to manage their platforms (e.g., determining which content to show you).

We process this data for the purposes described in Section 4, particularly for communication, marketing purposes (including advertising on these platforms, see Section 12), and market research. The corresponding legal bases can be found in Section 5. Content you publish yourself (e.g., comments on an announcement) may be further disseminated by us (e.g., in our advertising on the platform or elsewhere). We or the platform operators may delete or restrict content from or about you in accordance with the platform’s terms of use (e.g., inappropriate comments).

For further details on the processing by the platform operators, please refer to the privacy policies of the platforms. There you will also find information about in which countries they process your data, what rights you have regarding access, deletion, and other data subject rights, and how you can exercise them or obtain more information. Currently, we use the following platforms:

-LinkedIn, YouTube, Facebook, Instagram

14. Can this privacy policy be changed?

This privacy policy is not part of a contract with you. We can adapt this privacy policy at any time. The version published on this website is the current version.

Last update: January 31, 2025.