Privacy Policy

1. Person responsible and content of this privacy policy

We, Flos Capital Real Estate AG, located at Oberallmendstrasse 18, 6300 Zug, Switzerland, registered in the Commercial Register of the Canton of Zurich under the number CHE-452.284.901, are the operator of the Mein Nest website (www.meinnest.com) and, unless otherwise indicated in this Privacy Policy, are responsible for the data processing activities set out in this Privacy Policy.

So that you know what personal data we collect from you and for what purposes we use it, please take note of the information below. When it comes to data protection, we are guided primarily by the legal requirements of Swiss data protection law, in particular the Swiss Federal Data Protection Act (DSG), as well as the European General Data Protection Regulation (GDPR), the provisions of which may be applicable in individual cases.

Please note that the following information is reviewed and changed from time to time. We therefore recommend that you regularly review this privacy policy. Furthermore, for individual data processing listed below, other companies are responsible under data protection law or jointly responsible with us, so that in these cases the information of these providers is also authoritative.

2. Contact person for data protection

If you have any questions about data protection or wish to exercise your rights, please contact our data protection contact by sending an e-mail to the following address: weare@floscap.com

Clemens Stockhammer Flos Capital Real Estate AG Oberallmendstrasse 18 6300 Zug

3. Scope and purpose of the collection, processing and use of personal data

Data processing when contacting us (telephone & e-mail)

If you contact us by phone or e-mail, your personal data will be processed. We process the data that you have provided to us, such as your name, e-mail address or telephone number and your request. We process this data in order to implement your request (e.g. providing you with information about our products and services, assisting you in the execution of contracts, incorporating your feedback in the improvement of our products and services, etc.).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO in the implementation of your request or, if your request is directed towards the conclusion or performance of a contract, the necessity for the implementation of the required measures within the meaning of Art. 6 para. 1 lit. b DSGVO.

3.2 Data processing when contacting us via contact form

If you contact us via the contact form on our website, your personal data processed. In this case, we collect the following data:

First name
Last name
Phone number
E-mail address
Subject
Message
Privacy policy

The data that you have provided us with in your message is also processed. In addition, the time of receipt of the request is documented. We process this data in order to implement your request (e.g. providing you with information about our products and services, assisting you in the execution of the contract, incorporating your feedback into the improvement of our products and services, etc.).

3.3 Data processing for applications

You have the option of applying to us spontaneously or in response to a specific job advertisement for employment in our company. In doing so, we process the personal data provided by you.

We use the data you provide to review your application and suitability for employment. Application documents of unsuccessful applicants are anonymized after the application process (for statistical purposes), unless you explicitly agree to a longer retention period or we are not legally obligated to retain them for a longer period.

The legal basis for processing your data for this purpose is the execution of a contract (pre-contractual phase) according to Art. 6 para.1 lit. b DSGVO.

4. Central data storage and analysis in the CRM system

We generally collect, process, use, store and secure your personal data in a central electronic data processing system in Switzerland, unless otherwise stated in this Privacy Policy.

Insofar as a clear assignment to your person is possible, we will store and link the data described in this data protection declaration, i.e. in particular your personal details, your contacts, your contract data and your surfing behavior on our websites in a central database. This serves the efficient administration of customer data, allows us to adequately process your requests and enables the efficient provision of the services you have requested and the processing of the associated contracts.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO in the efficient management of user data.

We also evaluate this data in order to further develop our products and services in a needs-oriented manner and to be able to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future orders based on your use of our website.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO in carrying out marketing activities.

5.Disclosure and transmission abroad

Disclosure to and access by third parties

Without the support of other companies, we would not be able to provide our products and services in the desired form. In order for us to be able to use the services of these companies, a transfer of your personal data to these companies is also necessary to a certain extent. A transfer is made to selected third-party service providers and only to the extent necessary for the optimal provision of our services.

Various third-party service providers are already explicitly mentioned in this privacy policy. Incidentally, these are the following service provider in connection with the hosting of our website: www.GoDaddy.com. For more information about data processing in connection with Webkinder, please visit: www.GoDaddy.com. For these transfers, the necessity for the performance of a contract within the meaning of Art. 6 (1) lit. b DSGVO is the legal basis.

Furthermore, we transfer your data to companies affiliated with us. You can find an overview of the companies associated with us here. Insofar as we transfer your data to companies affiliated with us, we act together with these companies affiliated with us as joint controllers.

In addition, your data may be disclosed, in particular to authorities, legal advisors or collection agencies, if we are required to do so by law or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to conduct due diligence or to complete the transaction.

Our legitimate interest within the meaning of Art. 6 (1) f DSGVO in safeguarding our rights and complying with our obligations or the sale of our company or parts thereof forms the legal basis for this data processing.

5.1 Transfer of personal data abroad

We are also entitled to transfer your personal data to third parties abroad, insofar as this is necessary to carry out the data processing mentioned in this data protection declaration. Individual data transfers have been mentioned above in section 3. It goes without saying that the statutory provisions governing the disclosure of personal data to third parties will be complied with. The countries to which data is transferred include those that have an adequate level of data protection according to the decision of the Federal Council and the EU Commission (such as the member states of the EEA or, from the point of view of the EU, also Switzerland), but also those countries (such as the USA, Cyprus) whose level of data protection is not considered adequate (see Annex 1of the Data Protection Ordinance (DPA) and the website of the EU Commission). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies by means of suitable guarantees, unless an exception is specified in individual cases for the individual data processing (cf. Art. 49 DSGVO). Unless otherwise indicated, these are the choice of companies certified under the Privacy Framework agreement or standard contractual clauses within the meaning of Art. 46(2)(c) DSGVO, which are available on the websites of the Swiss Federal . Data Protection and Information Commissioner (FDPIC) and the EU Commission can be accessed. If you have any questions about the measures taken, please contact our contact person for data protection (see section 2).

6. Background data processing on our website

Data processing when visiting our website (log file data)

When you visit our website, the servers of our hosting provider www.GoDaddy.com temporarily store every access in a log file. The following data is collected without your intervention and stored until automated deletion by us:

IP address of the requesting computer;
Date and time of access;
Name and URL of the retrieved file;
Web page from which the access was made;
Operating system of your computer and the browser you use (incl. type, version and language setting);
Device type in case of access by cell phones;
User name from a registration/authentication;
Status code (e.g. error message);
transmission protocol used (e.g. HTTP/1.1);
City or region from which the access was made; and
Name of your Internet access

This data is collected and processed for the purpose of enabling the use of our website (connection establishment), ensuring system security and stability on a permanent basis, error and performance analysis and optimization of our website (see also section 5.4 for the last points).

In the event of an attack on the network infrastructure of the website or a suspicion of other unauthorized or improper use of the website, the IP address and the other data will be evaluated for the purpose of clarification and defense and, if necessary, used in the context of civil or criminal proceedings for identification against the user concerned.

The purposes described above are our legitimate interest within the meaning of Art. 6 (1) f DSGVO and thus the legal basis for data processing.

Finally, when visiting our website, we use cookies as well as applications and tools that are based on the use of cookies. In this context, the data described here may also be processed. You will find more details on this in the other subsequent sections of this data protection declaration, in particular section 5.2 below.

6.1 Cookies

Cookies are information files that your web browser stores on your computer’s hard drive or memory when you visit our website. Cookies are assigned identification numbers that identify your browser and can be used to read information contained in the cookie.

Among other things, cookies help to make your visit to our website easier, more pleasant and more meaningful. We use cookies for various purposes that are necessary, i.e. “technically necessary”, for your desired use of the website. For example, we use cookies to be able to identify you as a registered user after logging in, without you having to log in again each time when navigating the various sub-pages. The provision of the ordering functions is also based on the use of cookies. Furthermore, cookies also perform other technical functions required for the operation of the website, such as so-called load balancing, i.e. the distribution of the performance load of the site to different web servers in order to relieve the servers. Cookies are also used for security purposes, e.g. to prevent the unauthorized posting of content. Finally, we also use cookies as part of the design and programming of our website, e.g. to enable the uploading of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO in providing a user-friendly and up-to-date website.

Most Internet browsers automatically accept cookies. However, when accessing our website, we ask for your consent to the cookies we use that are not technically necessary, especially when using third-party cookies for marketing

purposes. You can use the corresponding buttons in the cookie banner to make your desired settings. Details on the services and data processing associated with the individual cookies can be found within the cookie banner as well as in the following paragraphs of this privacy policy.

You may also be able to configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies in selected browsers.

Disabling cookies may prevent you from using all the features of our website.

6.2 Tracking and web analysis tools

General information on tracking

For the purpose of demand-oriented design and continuous optimization of our website, we use the web analysis services listed below. In this context, pseudonymized usage profiles are created and cookies are used (please also refer to section 6.2). The information generated by the cookie about your use of this website is usually transmitted together with the log file data listed in section 6.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. the USA (cf. in this regard, in particular the lack of an adequate level of data protection and the guarantees provided, sections 5.2 and 5.3).

By processing the data, we obtain, among other things, the following information:

Navigation path that a visitor follows on the site (incl. content viewed and products selected or purchased or services booked);
Dwell time on the website or subpage;
Subpage on which the website is left;
Country, region or city from where an access is made;
End device (type, version, color depth, resolution, width and height of the browser window); and
returning or new

On our behalf, the provider will use this information for the purpose of evaluating the use of the website, in particular to compile website activity and to provide other services relating to website activity and internet usage for the purposes of market research and demand-oriented design of these websites. For these processing operations, we and the providers may be considered joint data controllers up to a certain extent.

The legal basis for this data processing with the following services is your consent within the meaning of Art. 6 (1) a DSGVO. You can revoke your consent or refuse processing at any time by rejecting or deactivating the relevant cookies in your web browser settings (see section 6.2) or by making use of the service-specific options described below.

For the further processing of the data by the respective provider as the (sole) responsible party under data protection law, in particular also any forwarding of this information to third parties, such as to authorities on the basis of national statutory provisions, please refer to the respective data protection information of the provider.

Google Analytics

We use the web analysis service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

In deviation from the description in Section 6.4.1, Google Analytics (in the “Google Analytics 4” version used here) does not log or store IP addresses. For accesses originating from the EU, IP address data is only used to derive location data and then deleted immediately. When collecting measurement data in Google Analytics, all IP searches take place on EU-based servers before the traffic is forwarded to Analytics servers for processing. Regional data centers are used in Google Analytics. If a connection is established in Google Analytics to the nearest available Google data center, the measurement data is sent to Analytics via an encrypted HTTPS connection. At these centers, the data is further encrypted before being forwarded to Analytics’ processing servers and made available on the platform. The most appropriate local data center is determined based on the IP addresses. This may also result in data being

transferred to servers abroad, e.g. the USA (cf. on this, in particular on the lack of an adequate level of data protection and on the guarantees provided, section 5.2).

Users can prevent the collection of the data generated by the cookie and related to the website usage by the respective user (including the IP address) to Google as well as the processing of this data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

As an alternative to the browser plugin, users can click this link to prevent Google Analytics from collecting data on the website in the future. In doing so, an opt-out cookie is stored on the user’s terminal device. If users delete cookies (see section 6.2 Cookies), the link must be clicked again.

Google Maps

We use the web analysis service Google Maps from Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. (Google Maps). In the process, the data described about the use of the website may be transmitted to Google’s servers in the USA for the processing purposes explained (see item 6).

Users can prevent the collection of the data generated by the cookie and related to the website usage by the respective user (incl. the IP address) to Google as well as the processing of this data by Google by clicking on the following link and following the instructions: https://policies.google.com/privacy?hl=de&gl=de.

Vimeo

We use Vimeo.com Inc., 330 West 34th Street, New York 10001, USA (Vimeo) on our website to display videos. With the help of a plug-in, we can thus show you interesting video material directly on our website. By embedding Vimeo videos, your browser connects to the servers of Vimeo. In the process, data from you is transferred to Vimeo. This includes your IP address, technical information about your browser type, your operating system and other basic device information. It is also transmitted which of our Internet pages you have visited and what actions you have taken.

If you are logged in to Vimeo as a registered member, more data may be collected because more cookies may have already been set in your browser. In addition, your actions on our website are directly linked to your Vimeo account. To prevent this, you must log out of Vimeo while visiting our website.

For the use of your data associated with the playing of a video, we refer you to the provider’s privacy policy. Further information on data processing and privacy notices by Vimeo can be found at https://vimeo.com/privacy.

6.3 Social media

Social media profiles

On our website we have included links to our profiles in the social networks of the following providers:

If you click on the icons of the social networks, you will automatically be redirected to our profile in the respective network. This establishes a direct connection between your browser and the server of the respective social network. This provides the network with the information that you have visited our website with your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g. in the USA (cf. on this, in particular on the lack of an appropriate level of data protection and on the guarantees provided, sections 5.2 and 5.3).

If you click on a link to a network while you are logged into your user account with the network in question, the content of our website may be linked to your profile so that the network can assign your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account takes place in any case when you log in to the respective network after

clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Please therefore refer to the data protection information on the website of the network.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO in the use and promotion of our social media profiles.

Social media plugins

On our website, you can use social media plugins from the providers listed below:

We use the social media plugins to make it easier for you to share content from our website. The social media plugins help us to increase the visibility of our content on social networks and in this respect contribute to better marketing.

The plugins are deactivated by default on our websites and therefore do not send any data to the social networks when you simply call up our website. To increase data protection, we have integrated the plugins in such a way that a connection is not automatically established with the networks’ servers. Only when you activate the plugins by clicking on them and thus give your consent to the transmission and further processing of data by the providers of the social networks, your browser establishes a direct connection to the servers of the respective social network.

The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by it. This provides the respective provider with the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted by your browser directly to a server of the provider (usually in the USA) and stored there (cf. on this, in particular on the lack of an adequate level of data protection and on the guarantees provided, sections 5.2 and 5.3). We have no influence on the scope of the data that the provider collects with the plugin, although from a data protection perspective we can be considered jointly responsible with the providers up to a certain extent.

If you are logged in to the social network, it can assign your visit to our website directly to your user account. If you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g., that you like a product or service of ours) may also be published on the social network and possibly displayed to other users of the social network. The provider of the social network may use this information for the purpose of placing advertisements and tailoring the respective offer to your needs. For this purpose, usage, interest and relationship profiles could be created, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network. The purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks, as well as your rights in this regard and settings options for protecting your privacy, can be found directly in the privacy notices of the respective provider.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins. For the data processing described above, your consent within the meaning of Art. 6 (1) lit. a DSGVO forms the legal basis. You can revoke your consent at any time by declaring your revocation to the provider of the plugin in accordance with the information in its privacy policy.

6.4 Online advertising and targeting

In general

We use services of various companies to provide you with interesting offers online. In the process, your user behavior on our website and websites of other providers is analyzed in order to subsequently display online advertising tailored to your individual needs.

Most technologies for tracking your user behavior and for the targeted display of advertising (targeting) work with cookies (see also Section 6.2), which can be used to recognize your browser across different websites. Depending on the service provider, it may also be possible for you to be recognized online even when using different end devices (e.g. laptop and smartphone). This may be the case, for example, if you have registered with a service that you use with multiple devices.

In addition to the data already mentioned, which is generated when websites are called up (log file data, see Section 6.1) and when cookies are used (Section

5.2) and which may reach the companies involved in the advertising networks, the following data in particular is used to select the advertising that is potentially most relevant to you:

Information about you that you provided when registering or using a service from advertising partners (e.g., your gender, age group); and
User behavior (e.g., search queries, interactions with advertisements, types of websites visited, products or services viewed and purchased, newsletters subscribed to).

We and our service providers use this data to identify whether you belong to the target group we address and take this into account when selecting advertisements. For example, after you have visited our site, you may be shown ads of the products or services you consulted when you visit other sites (re- targeting). Depending on the scope of the data, a user’s profile may also be created and automatically analyzed, with ads selected according to the information stored in the profile, such as membership in certain demographic segments or potential interests or behaviors. Such ads may be displayed to you on various channels, which, in addition to our website or app (as part of onsite and in-app marketing), also include ads served through the online advertising networks we use, such as Google.

The data may then be analyzed for the purpose of billing the service provider and assessing the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. This may also include the information that the performance of an action (e.g., visiting certain sections of our websites or sending information) is due to a certain advertising ad. We also receive aggregated reports from service providers of ad activity and information about how users interact with our website and ads.

The legal basis for this data processing is your consent within the meaning of Art. 6 (1) a DSGVO. You can revoke your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (see section 6.2). You can also find further options for blocking advertising in the information provided by the respective service provider, such as Google.

7. Retention periods

We store personal data only for as long as is necessary to carry out the processing operations explained in this privacy policy within the scope of our legitimate interest. In the case of contractual data, storage is required bystatutory retention obligations. Requirements that oblige us to retain data arise from the provisions on accounting and from tax law regulations. According to these regulations, business communication, concluded contracts and accounting vouchers must be stored for up to 10 years. As soon as we no longer need this data to perform services for you, the data will be blocked. This means that the data may then only be used if this is necessary to fulfill the retention obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer any obligation to retain the data and no longer any legitimate interest in retaining it.

8. Data security

We use appropriate technical and organizational security measures to protect your personal data stored by us against loss and unlawful processing, namely unauthorized access by third parties. Our employees and the service companies commissioned by us are obligated by us to maintain confidentiality and data protection. Furthermore, these persons are only granted access to personal data to the extent necessary for the performance of their duties.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we can therefore not provide an absolute guarantee for the security of information transmitted in this way.

9. Your rights

Provided that the legal requirements are met, you have the following rights as a person affected by data processing:

Right of access: You have the right to request access to your personal data stored by us at any time and free of charge if we process it. This gives you the opportunity to check what personal data we process about you and whether we process it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be informed about the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.

Right to deletion: You have the right to have your personal data deleted under certain circumstances. In individual cases, especially in the case of legal

retention obligations, the right to deletion may be excluded. In this case, the deletion may be replaced by a blocking of the data if the conditions are met.

Right to restrict processing: You have the right to request that the processing of your personal data be restricted.

Right to data transfer: You have the right to obtain from us, free of charge, the personal data you have provided to us in a readable format.

Right of objection: You can object to data processing at any time, especially in the case of data processing in connection with direct marketing (e.g. marketing e-mails).

Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your revocation.

To exercise these rights, please send us an e-mail to the following address: weare@floscap.com.

Right of complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way your personal data is processed.

Status: August 2023