General Privacy Policy of Viseca Card Services SA

 

 

Viseca Card Services SA (“Viseca” or “we”) attaches great importance to the responsible and legally compliant handling of personal data. Personal data is processed exclusively on the basis of applicable law. This Privacy Policy informs our customers, participants in the surprize rewards programme, users of one Digital Service and visitors to our websites (“customers” or “you”) about the handling and processing of personal data. This Privacy Policy consists of the following chapters:

  1. Privacy Policy for cards;
  2. Privacy Policy for one Digital Service;
  3. Terms and conditions for visiting our websites;
  4. Cookie Policy.

In addition to these terms and conditions, customers must also take note of the following legal notices in connection with this Privacy Policy:

  • General Terms and Conditions for Payment Cards issued by Viseca Card Services SA Private and Commercial as well as further information concerning our card products www.viseca.ch/en/legal-provisions;
  • one Digital Service (“one”) terms and conditions of use as well as further information concerning the card products which are eligible for use www.viseca.ch/en/terms/one;
  • Terms and conditions of participation for the surprize rewards programme as well as further information about our rewards programme www.viseca.ch/en/legal-provisions.

We process data exclusively on the basis of applicable law. Processing is subject to the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (ODPA). Visits to our websites from abroad may also be subject to foreign data protection laws.

Viseca reserves the right to amend this Privacy Policy at any time. The version published at www.viseca.ch/en/data-protection/viseca is the then-current version.

 

1. Privacy Policy for cards

Viseca processes personal data of customers who are in direct or indirect contact with it. We use the term “data” synonymously with the term “personal data”. Data means information that relates directly to customers or that we can directly associate with a customer. In Section 1.2, Viseca provides information about the categories of data processed in accordance with the information contained in this Privacy Policy. Processing means any handling of data, e.g. obtaining, storing, using, disclosing or erasing.

This Privacy Policy describes how we process data when customers use our services or products, are in contractual relations with us, or communicate with us generally. This Privacy Policy therefore applies to the processing of data that we have already collected or will collect in the future.

We provide information about certain data processing separately, e.g. in further data protection notices, in GTCs, in terms of participation for specific products or services, in product and service descriptions, on our websites, in the one app, as well as in declarations of consent, contracts and forms.

If we receive data on other persons, the sender confirms that he is authorised to disclose such data and that the data is correct. Before notifying us, the sender must ensure that these third parties are informed about our processing of the data.

 

1.1. Who is responsible for the processing of the data?

Viseca Card Services SA is responsible for data processing in accordance with this Privacy Policy and the Controller under data protection law, unless otherwise communicated in individual cases. You may contact us in writing (Viseca Card Services SA, Data Protection, Hagenholzstrasse 56, 8050 Zurich), by email (privacy@viseca.ch) or by telephone on +41 (0)58 958 84 00 in order to exercise rights and to contact us with data protection concerns.

 

1.2. What data are processed?

Depending on the situation and purpose, we process various data from different sources. We primarily collect and receive these data directly from our customers when they use our products and services or as part of general customer communications. We may also obtain data from other sources, e.g. from public registers or other publicly accessible sources, from public authorities and other third parties. Viseca processes various categories of data. The main categories of data are described below:

  • Master data: Master data refers to data relating to the identity as well as personal characteristics and circumstances, e.g. name, address or date of birth. This data may at the same time also relate to third parties (agents) and also include signatory powers, powers of attorney and consent.
  • Contract data: If a contract is concluded with us, in addition to master data, we also process further data, such as information about the purchase and use of products and services. Such data includes information on the processing and enforcement of contracts as well as feedback from our customers on services.
  • Behavioural and preference data: Behavioural data is data about certain actions and interactions between our customers and Viseca. From this and other data, we may derive information about the statistical probability that you will be interested in certain products or services or will act in a certain manner. Viseca generates this data based on available information and links it with other data in order to improve the quality of the analyses.
    Behavioural data provides us with information about certain actions, e.g. logins, use of physical and/or virtual cards, payments, purchase and use of products and services from us or third parties, contacts with our customer service or participation in sweepstakes, competitions and events.
    Preference data gives us information about your needs, which products and services may be of interest, or when and how messages from Viseca are responded to. We gather this information from the analysis of existing data in order to better understand our customers and to tailor and improve offers to them more precisely.
    Behavioural and preference data may either be evaluated on a person-specific basis in order to submit tailor-made offers or to display advertising, or for market research or product development purposes, including non-person-specific purposes. These data may be combined with other data.
  • Communications data: Communications data refers to data in connection with communications with you in written correspondence, by telephone and via electronic channels (e.g. via one, email, SMS and push messages). They also include authentication data (e.g. biometric data) as well as video and audio recordings. When establishing your identity (e.g. in the case of a request for information), we also collect data in order to identify you (e.g. via a copy of an identification document).
  • Technical data: Technical data is data that we collect when you use one or other electronic options. This data also includes the IP address of an end device and the logs in which we record your use of our systems. In order to ensure the functioning of these options, we may assign an individual code to end devices (e.g. in the form of a cookie). Technical data does not allow conclusions to be drawn as to the identity of a person. Together with data from user accounts, registrations, access controls or the processing of contracts, we may under certain circumstances associate other data with specific persons.
    In addition to the IP address and information about the end device, the technical data also includes the date and time, the geographical region and the type of browser or device with which the customer accesses our electronic options. This information helps us to display content in a browser or on an end device. Based on the IP address, we receive information about a telecommunications provider, but as a rule, we cannot infer the user's identity unless customers are logged in to a user account. Technical data are also log files that are generated in our systems. When customers use one, we collect technical data, for example, regarding the installation and opening of the App as well as identifiers associated with the device used.
  • Registration data: Registration data is data about customers that is transmitted during registration or activation in order to use or participate in certain options and services (e.g. newsletters and competitions).
  • Other data: We collect additional data relating to customers in various contexts. For example, data is generated in connection with official or court proceedings (e.g. files, evidence, etc.). We may also collect data for fraud prevention purposes.

 

1.3. What is the data used for and how is it processed?

We process data for the following purposes:

  • Establishment, processing and termination of business relationships: We process data for the establishment, registration, processing and termination of business relationships. The type of data processed varies according to the type and scope of the client relationship and may, in particular, include master data, financial and risk data, order and transaction data, as well as registration and communications data. Order and transaction data are also processed graphically as part of transaction automation.
  • Processing the card application: When applying for the card, the applicant transmits data to us. In order to verify the card application (including checks of credit status or creditworthiness), we process in particular contact data, language, gender, date of birth, credit status data as well as data relating to a review for anti-money laundering purposes (e.g. information concerning the profession and the beneficial owner). During the use of the card, we then process transaction data.
    The applicant’s data may also be processed and linked together with other data that we may obtain from other sources or collect ourselves. In particular, we receive and obtain this data from authorities, databases and credit agencies (World Check, CRIF, CreditReform), employers, registers such as local.ch, commercial registers, the media and generally from the internet.
  • Use of the card: When customers use the card, we process data that is communicated to us during the term of the card contract relationship or that we collect ourselves (e.g. name changes, changes in beneficial ownership, proof of assets, data of other persons in the event of an insured event). We may draw far-reaching inferences from the transaction data concerning the customer's behaviour (e.g. place of residence and work, state of health, financial circumstances, leisure behaviour, social behaviour and other information).
  • Chargebacks: As part of a chargeback, we regularly receive detailed information about the transaction from the relevant acceptance point and the acquirers.
  • Contactless payment: We enable our customers to make contactless payments with cards. Near Field Communication (NFC) technology is used to exchange information between the payment terminal and the card or a mobile device. No transaction data (such as data concerning the acceptance point and the time or amount of a transaction) or personal data concerning you (such as e.g. surname, first name or address) is stored on the chip or on the magnetic strip of the card. Both the chip and the magnetic strip of the card contain the card number (Primary Account Number), the expiry date and card verification data that are necessary for processing the transaction and using the card.
    Customers who wish to opt out of this functionality despite the advantages of contactless payment can deactivate it using the online services or request us to deactivate it. You acknowledge and understand that deactivating contactless payment does not reduce the data stored on the chip or magnetic strip. Only the function of contactless payment is technically suspended when the card is used. 
  • Registration of Cards for Mobile Payment: When customers register cards for Mobile Payment solutions, we collect information on the use of Mobile Payment, such as activating or deactivating it, information on the amount of the transaction and the type of verification.
    When using a mobile payment solution from a third-party provider, the third-party provider may also collect and process data about you. When registering the card, customer and device data are exchanged with international card organisations for purposes of card management, verification of identity, combating abuse and fraud, compliance with legal provisions and processing and displaying transactions. For security reasons, the card number (Primary Account Number) is tokenised.
    In connection with the register of cards for Mobile Payment Solutions, we process the data for deciding whether to accept the card, for activating, deactivating and updating it, for preventing misuse and for communicating with any third-party provider of a Mobile Payment Solution.
    In processing data, Viseca and the third-party provider are unrelated and independent controllers. The third-party provider processes the data domestically and abroad for its own purposes in accordance with its terms and conditions of use and its Privacy Policies. We have no influence on the use and protection of personal data by the third-party provider. Complaints must be addressed directly to the third-party provider.
  • When using one and participating in the surprize rewards programme: If customers use one and participate in the surprize rewards programme, we process data that are provided to us via one when the user account is registered, applied for or administered as well as data collected by us or third parties (see Chapter 2 Privacy Policy for one Digital Service).
  • Additional security protocol (3-D Secure) for online payments: When 3-D Secure is used, we collect information about the acceptance point, the transaction and its processing, as well as about the confirmation of the transaction. In addition, information relating to mobile devices and information used for the transaction and the confirmation, as well as information relating to access to the Internet or mobile network, such as IP address, name of the access provider, browser settings and fingerprint (device fingerprint) is collected.
  • Compliance with laws, recommendations from authorities and internal regulations: We also process data in order to comply with laws, directives and recommendations of authorities as well as internal regulations (compliance). The data processed includes, in particular, master data, financial and risk data, communications data, order and transaction data and behavioural data. This includes legally mandated actions to combat money laundering and the financing of terrorism. We are obliged to make certain enquiries or, under certain circumstances, to make a report. In addition, data processing requires the performance of duties of information, notification or reporting, the performance of retention obligations and the prevention, detection and investigation of criminal offences and other violations. This includes receiving and processing complaints and other reports, monitoring communications, internal investigations or disclosing documents to an authority if we are obliged to do so or have a legitimate interest in disclosing them. Customer data may also be processed in the case of external investigations (e.g. by a regulatory or law enforcement authority or an authorised private body) and in the case of internal investigations. This includes the analysis of order and transaction data as well as payment processes to identify unusual transactions.
  • Risk management, fraud prevention and other illegal activities: We process data – in particular master data, order and transaction data, financial and risk data and behavioural data – also for purposes of risk management, to prevent fraud and other unlawful acts and in the context of prudent corporate management, including business organisation and business development.
    In the area of business development, we may sell or acquire businesses, parts of businesses or companies and enter into partnerships, which may also lead to data sharing and processing. Data may also be processed in the context of reviewing and improving internal processes. In order to prevent fraud and other illegal activities, we may conduct internal investigations to detect irregularities.
  • Intermediary sales of products and services: We process master data as well as order and transaction data in connection with the selling of third-party products and services, e.g. insurance and expense management solutions. When we act as intermediaries in the sale of products and services, although they are offered via our infrastructure, they are executed and processed in whole or in part by third parties.
  • Marketing, profile building and customer care: We process data for marketing purposes and customer care in order to provide customers with personalised information and offers concerning products and services of us and third parties (e.g. partners). This can be done in the form of a letter, as part of a newsletter, via one or by email. We may also process data to tailor marketing content to better suit the interests of our customers. For marketing purposes and customer care, we primarily use master, financial and risk data, order and transaction data as well as behavioural and preference data and other information concerning the contractual relationship.
    In particular, you authorise us to create and evaluate customer, consumption and preference profiles in order to develop and evaluate products and services in which you may be interested and to offer or inform such products and services (including those of third parties) and send them to your postal address, email address or telephone number (e.g. SMS). You have the option to revoke authorisation for profiling for marketing purposes by notifying us accordingly in writing (including by email) in the future (block on profiling). The foregoing does not apply to non-marketing messages and automatically generated system and invoicing texts.
    We also process data in connection with competitions, sweepstakes and events. Customer service includes personalised contacts with existing clients. As part of customer care, we operate a Customer Relationship Management System (CRM) in which the data of our customers that is necessary to maintain the relationship is stored. This includes data about contact persons, relationship history (e.g. products and services purchased or delivered as well as interactions), interests or marketing actions.
    You may opt out of receiving information (ad blocking) or by providing written notification (including via email) to Viseca generally withdraw consent previously granted for the processing of data for marketing purposes (general withdrawal). The foregoing does not apply to non-marketing messages and automatically generated system and invoicing texts.
  • Improvement of services, operations and product development: Data is also processed for market research purposes, to improve services and operations as well as for product development. For these purposes, we use master data, behavioural and preference data, as well as information from surveys.
    We continuously develop our own products and services, adapt them to the needs of our customers and determine the level of satisfaction. We analyse which products are used by which groups of people and how new products and services could be designed and used. This gives us an indication of the market acceptance of existing products and services and the market potential of new products and services.
  • Security purposes and access control: Viseca may also process master data, technical data, behavioural data and other data for security purposes and access control purposes. We continually review and improve the security of our IT and infrastructure. However, data security breaches cannot be ruled out with complete certainty. At Viseca, this risk is countered by appropriate technical and organisational measures in accordance with the state of the art. Access controls include not only the control of access to electronic systems, but also physical access control.
  • Communications: We process data in order to communicate with you, to provide you with information or to transmit messages and to be able to process your requests. For this purpose, we use master and communications data. As a rule, we retain this data in order to be able to document the communications made, but also for quality assurance purposes and for subsequent enquiries. If customers contact us by email, we are expressly authorised to reply via the same channel to the sender address or to the address provided. Emails are transmitted in unencrypted form over the open internet and it cannot be ruled out that they may be accessed, viewed and manipulated by third parties. Thus, email communication is not suitable for the transmission of confidential information.
  • Other purposes: Viseca may process data for other purposes, e.g. as part of internal processes and for administrative purposes. Administrative purposes include the management of master data, accounting and data retention, as well as the inspection and management of the IT infrastructure. We further use these data to safeguard and exercise our own rights, e.g. to enforce claims in court, in pre-litigation or extrajudicial contexts as well as before authorities in Switzerland and abroad, to secure evidence, to carry out legal investigations and to participate in court or official proceedings.
    Other purposes include evaluating and improving internal processes and preparing and managing purchases and sales of companies and assets, as well as training and education purposes. It also includes safeguarding other legitimate interests that cannot be definitively identified.

 

1.4. What applies to profiling and automated decision-making?

For the purposes specified in Section 1.3., we may process and evaluate data (including profiling) through the use of automated and IT-supported processes in order to determine preference data, to identify misuse and security risks, to carry out statistical evaluations or to plan the company’s operations. We may also create profiles for the same purposes. In doing so, we combine behavioural and preference data, master data, order and transaction data, information on the contractual relationship and personalised technical data so that interests and characteristics are better identified.

This also allows us to learn more about our customers and about the products and services that may be of interest or are already being used. For reasons of efficiency and consistency of decision-making processes, Viseca may make automated decisions. If these decisions have a legal effect or adverse effect on customers in any other way, we shall inform them immediately and take the legally required measures.

We will inform customers on a case-by-case basis if an automated decision results in negative legal consequences or significant impairments. If you do not agree with the outcome of the decision, you have the rights set out in Section 1.9. above.

 

1.5. To whom do we disclose data?

We are obliged to preserve confidentiality under the Data Protection Act and other regulatory provisions. Products and services are often developed, delivered and executed in contexts involving a division of labour. Data are therefore processed by different bodies. The parties involved may process data concerning you in each case, but may only do so in accordance with statutory and/or contractual requirements. We transmit data to the following categories of recipients.

  • Viseca-internal persons: Within Viseca, individuals and their business units have access to data to the extent necessary for the purposes set out in this Privacy Policy.
  • Service providers: We work with service providers in Switzerland and abroad. In order to provide their products and services efficiently, safely and cost-effectively, we obtain services from third parties in various areas. These services consist e.g. of IT services, dispatch of information, marketing, distribution, communications, market research or printing services, debt collection, anti-fraud measures, as well as services provided by consulting firms and law firms. We only disclose to service providers such data as is required and necessary in order to provide the services.
  • Employees of contract partners, banks and payment card issuers: Where there are persons who work for a contract partner, a bank or a payment card issuer who are in a contractual relationship with Viseca, we may collect data about such persons. We may disclose the data collected to persons and other entities involved in the performance of the contractual relationship.
  • Mobile Payment: In the case of cards with a mobile payment function, customer and device data as well as data of the mobile payment provider are exchanged between us, the providers and the card networks in order to manage the card, to verify identification, to combat misuse and fraud, to comply with legal provisions and to process and display transactions. The provider may also stipulate in its terms and conditions that the data may be obtained, processed and disclosed for further purposes.
  • surprize partners: We may exchange data with partners of our rewards programme where necessary and with the consent of the participants. By redeeming surprize points, participants expressly consent to the terms and conditions of the surprize partners and acknowledge that data may also be used for marketing purposes. The legal terms and conditions of the surprize partners shall always apply.
  • International card organisations (Mastercard® and Visa®): When the card is used, transaction data is transmitted to us from the POAs. This transmission takes place via the global networks of the international card organisations Mastercard® and Visa®.
    By using the card in Switzerland and abroad, international card organisations and third parties commissioned by the card organisations who are charged with processing the transactions become aware of transaction data (e.g. card number, transaction amount, transaction date, acceptance point). In certain cases (e.g. when purchasing a flight ticket, paying hotel bills or car hire), additional data, such as the name of the cardholder, may be disclosed.
    The data transmitted to or received by the international card organisations may also be processed for its own purposes and in accordance with its own data protection regulations in Switzerland and abroad. Card organisations require card issuers to offer their update services (Visa® Account Updater or Mastercard® Automatic Billing Updater). The purpose of these update services is to automatically update the cards stored by the cardholder with participating acceptance points and service providers (e.g. third-party providers of mobile payment solutions) that are used for making payments (e.g. for online services, subscriptions or ticket apps), specifically the card number and expiry date, in the event of any changes to them. This ensures that, despite changes to card data, the POAs and service providers that support these update services can continue to process card payments smoothly with the cardholder.
    For these update services, we transmit the card number and the card expiry date to the card organisations. For further data processing, reference is made to the data protection provisions of the card organisations.
    Each Customer has the option of preventing disclosure as part of the update services by (a) providing Viseca with notice of termination of the card contract relationship before receiving a replacement card, (b) deleting the card data stored with the POA or the service providers or terminating the contractual relationship with the POAs with which cards are registered, or (c) objecting to the participation in the update services.
  • Partner banks: If customers have ordered the card from one of our partner banks, we are authorised to transmit data (e.g. customer and card data as well as cumulative sales figures) and transaction data to that bank. The bank may use that data for its own purposes in accordance with its own privacy policy for all of its business areas, in particular for risk management and marketing purposes.
    Consent to the disclosure of transaction data may be revoked in writing with future effect at any time without stating reasons, in which case we reserve the right to terminate the credit card relationship.
    The disclosure of your debit transaction data to the Bank is mandatory in order to provide the service. The transmission of debit transaction data may only be revoked by terminating the debit function.
  • Third Parties: Third parties are persons or companies that process data about you for their own purposes. Third parties are not contracted service providers of Viseca. In connection with the card, we generally do not disclose any data to third parties for their own purposes; this applies in particular to transaction data or customer, consumption and preference profiles. This principle does not apply to the disclosure of data expressly requested by customers or to which they have expressly consented.
  • Authorities and other official bodies: We may disclose data to offices, courts and other authorities or official bodies if we are legally obliged or entitled to disclose it or if we are doing so to enforce our own rights and legitimate interests.
  • Other persons: Within the scope of our statutory obligations, we also pass on data to the Consumer Credit Information Office (IKO). In addition, in accordance with the relevant regulations, we report to the Central Office for Credit Information (ZEK), particularly in the case of cards with a partial payment option and where a block has been placed on a card. Viseca is a member of this association, the purpose of which is, inter alia, to manage a data centre on parties seeking credit, leasing and credit cards as well as on the obligations and credit standing of borrowers, lessees and cardholders. The ZEK may make these data available to its members for credit, leasing or other agreements.
  • Electronic data transmission: In the event of electronic data transmission, data may be transmitted to third parties in Switzerland and abroad even without our involvement. In particular, manufacturers of devices or software (such as Apple or Google) may receive data when the App and/or mobile devices are used. These third parties may process and also disclose such data in accordance with their own terms and conditions of use or data protection notices. This may result in these third parties being able to infer that there is a relationship between the customer, Viseca and the card issuer.

 

1.6. Do we disclose data abroad?

As explained in Section 1.5., not only do we process the data of our customers, but it is also possible that other bodies may do so where necessary. These data are not only located in Switzerland. Data can therefore be processed worldwide, including outside the EU or the European Economic Area (so-called third countries). If data recipients are located in a country lacking adequate statutory data protection, Viseca undertakes to contractually oblige them to comply with data protection, generally by entering into recognised standard contractual clauses. We may dispense with this if data recipients are already subject to a set of rules to ensure data protection that are recognised in Europe or if we can rely on an exception. The latter may be the case, in particular, in legal proceedings abroad, in cases of overriding public interests or where the performance of the contract requires such disclosure, if we have obtained our consent or if the data in question is made publicly available by customers. It should be noted that data exchanged over the Internet is often sent via third countries. Data may therefore also be transferred abroad even if the sender and recipient are located in the same country.  

 

1.7. How long does Viseca store the data and when does Viseca erase it?

We store data for as long as required by the applicable legal requirements or the purpose of the processing. The retention period is therefore governed by statutory and internal regulations. In its storage of data, Viseca also takes into account retention obligations and processing purposes and the need to safeguard its own interests (e.g. in order to enforce or defend against claims and to guarantee IT security). If these purposes have been achieved or no longer apply, Viseca will therefore delete or anonymise these data as part of its usual processes. This can be more than ten years, depending on the legal basis.

Documentation and evidentiary purposes include Viseca’s interest in documenting processes, interactions and other facts in the event of legal claims and irregularities, for IT and infrastructure security purposes as well as to demonstrate good corporate governance and compliance. Retention may be technically necessary because certain data cannot be separated from other data and these data must continue to be stored together with them (e.g. in the case of a backup or document management system).

 

1.8. How does Viseca protect the data?

Viseca takes appropriate staff-related, technical and organisational security measures to maintain the security of the data, to adequately protect it against unauthorised or unlawful processing and to counteract the risk of loss, accidental alteration, unwanted disclosure or unauthorised access.

These security measures include encryption and pseudonymisation of data, logs, access restrictions, storage of backup copies, instructions to employees, confidentiality agreements and controls. In addition, Viseca also requires any third parties involved to take appropriate state-of-the-art security measures. However, security risks cannot generally be completely ruled out. Residual risks are unavoidable.

 

1.9. What rights do customers have in connection with their data?

Customers have the right to request certain information about data and the processing by us (right to information). Customers also have various rights that help to control the processing of data by us. Customers may request that we correct or supplement incorrect data or incomplete data (rectification). Customers may also request that we erase certain data. When we provide information about an automated decision, customers have the right to present their position and request that the decision be reviewed by an individual.

When exercising their rights, customers must contact Viseca with a signed letter and a clearly legible copy of their identification document. A withdrawal of consent may be made in another manner, provided that we offer that option. It should be noted that these rights are subject to statutory requirements and limitations and therefore cannot be exercised in full under all circumstances. We will inform you if exceptions apply. These rights may also be exercised vis-à-vis other entities that work under their own responsibility with Viseca. Provided that the requirements of applicable law are met, customers and other data subjects thus have the following rights:

  • the right to obtain information about their own data;
  • the right to demand rectification of incorrect or incomplete data;
  • the right to demand erasure of Users' own data;
  • the right to demand the restriction of data processing of the User's own data;
  • the right to file a complaint against the manner in which the data is processed.

 

1.10. Do customers have a right to withdraw consent?

Customers have the right to withdraw consent they have previously given at any time with future effect. In certain cases, customers may also object to the processing of personal data (for instance, where your data is processed in connection with advertising). However, processing activities carried out in the past on the basis of consent do not become unlawful as a result of the client’s withdrawal of consent.

In cases where data processing is absolutely necessary in order to provide the service or to perform the card contract (e.g. data processing for risk purposes), withdrawal of consent is not possible. In such cases, such data processing may only be ended by terminating the card contract relationship.

 

1.11. Is data portability possible?

Viseca does not currently offer any specific measures for data portability.

 

2. Privacy Policy for one Digital Service

The Privacy Policy for one Digital Service informs users and visitors to the one website (“Users” or “you”) about the processing of data in connection with their use of one. Section 2.1. provides information as to which data is processed in accordance with the information contained in this Privacy Policy.

 

2.1. What data are processed?

2.1.1 What data are disclosed by Users?

When registering and logging in to one and in the course of managing their User account, Users may be requested to provide Viseca, among other things, with their home address, date of birth, email address, mobile phone number, card number and activation code.

2.1.2 What data are collected automatically?
  • Data relating to the use of mobile devices, such as e.g. manufacturer, device type, operating system with version number, device ID and IP address;
  • Data concerning the use of computers and browsers and for accessing the Internet, such as device type, operating system and IP address;
  • Data concerning the settings desired by Users, such as storage of user name or login;
  • Data concerning the use of the User's account, such as the number of logins with date and time, changes to the user account, acceptance of the terms of use and Privacy Policies;
  • Data relating to visits and manner of usage of the website, such as e.g. data relating to the estimation of aggregate traffic and usage figures, data exchange volume, identifying content that may be of particular interest to Users, as well as the general improvement, further development and availability of one;
  • Data generated when using the App, such as manner of usage, updates or device information.
2.1.3 What information is collected when registering with one?
  • Information regarding Users and cards registered with one which are stored in the User's account;
  • Information on the activation of 3-D Secure for the card registered with one, including the corresponding confirmations in the App or by entering an SMS code during use.
2.1.4 What data are collected at the merchant's location (Point of Sale)?
  • Merchant and location data (when using 3-D Secure), such as merchant name, location, country and sector;
  • Automated periodic Google query to specify the merchant's location.
2.1.5 What data are collected when using Mobile Payment?
  • Information concerning the use of Mobile Payment, such as activating or deactivating the card and further use for Mobile Payment;
  • Information about the amount (such as currency), the time of the transaction and the type of verification.
2.1.6 What information is collected when using 3-D Secure?
  • Information about the merchant, the transaction and the processing thereof as well as confirmation of the transaction with 3-D Secure;
  • Information related to the devices used for the transaction and confirmation;
  • Information related to access to the Internet or mobile network, such as IP address and name of the access provider.

 

2.2. What is the data used for and how is it processed?

2.2.1 Provision of one Services
  • Enabling registration, login and use of one;
  • Authentication of Users when performing actions. The App and/or mobile devices used are clearly assigned to the Users when registering with one. In this way, Viseca can ensure that the confirmation actions are carried out in the App or with the registered mobile devices;
  • Communications with users and transmission of information in connection with fraud warnings and fraud monitoring, on behalf of the card issuer and as operator of one (e.g. provision of invoices) via one and the mobile device;
  • Receipt of messages from Users, e.g. via the contact form;
  • Display of transactions and invoices on behalf of the card issuer;
  • Transmitting confirmation requests, e.g. for confirmation of online payments by push notification or SMS code;
  • Processing of the one contractual relationship
  • Establishing a secure connection between one and Users' mobile devices;
  • Operation of the surprize rewards shop and point accounting;
  • Operation of 3-D Secure web transactions.
2.2.2 Mobile Payment
  • Checking to verify that a card is eligible for Mobile Payment;
  • To activate, deactivate and update cards for Mobile Payment;
  • Prevention of misuse of registered cards.
2.2.3 surprize bonus programme
  • Viseca is authorised to use the data processed in connection with surprize for marketing purposes and to create and evaluate customer, consumption and preference profiles.
  • Profiling the data enables Viseca to offer surprize rewards to Users who may be interested in them. Information about such products and services is transmitted to participants in the surprize rewards programme via individual communications channels (e.g. post, email, SMS) or one Digital Service.
  • Users may object to processing for marketing purposes in relation to surprize rewards in connection with the surprize rewards programme at any time by notifying Viseca.
2.2.4 Marketing
  • To connect the one data with data already available at Viseca (including data from third-party sources); to create individual customer, consumption and preference profiles that enable products and services (including those of third parties) to be developed and offered to Users;
  • Transmission of information via one to Users concerning existing or new products and services (including those of third parties);
  • Users may withdraw their consent to the processing of data for marketing purposes at any time by notifying Viseca.
2.2.5 Click to Pay
  • Viseca uses the personal and device data of Users when registering the card for the Click to Pay Service in order to register or de-register for this solution and to allow Users to utilise it.
  • Users acknowledge that data (such as e-mail and delivery address) will be transferred to the card organisations when they register the card for Click to Pay. 
2.2.6 Market research and service improvement
  • Viseca also processes User data for market research purposes and to improve the services. For this purpose, Viseca uses master data, behavioural data and preference data, in particular.
  • Viseca analyses which services are used by which user groups and how in order to identify indications of market acceptance of existing products and services and the market potential of new products and services.
2.2.7 Security purposes and access control
  • Viseca also uses User data – in particular master data, technical data, behavioural data and other data – for security purposes and for access control.
  • This also includes controlling access to one (e.g. log data and user accounts).
2.2.8 Communications
  • Communications with Users and third parties in order to be able to provide information or send messages. For this purpose, Viseca uses master and communications data and generally stores these data in order to document communications with Users.
  • Insofar as Users contact Viseca by email – whether by using a published e-mail address or a contact form – Users expressly authorise Viseca to reply via the same channel to the sender address or to the address provided.
2.2.9 Further processing purposes
  • Furnishing proof of actions and defending against claims lodged against Viseca;
  • Complying with statutory and regulatory requirements;
  • Training and education purposes;
  • Administrative purposes, such as the management of master data, accounting and data retention, as well as the management of the IT infrastructure.

 

2.3. What applies to profiling and automated decision-making?

Viseca may process the User’s data in order to create profiles from them, e.g. for analyses, evaluations and decisions. Such processing is used by Viseca in particular for risk management purposes, the further development of one and to ensure information and data security.

In addition, Viseca may process user data automatically, i.e. on an IT-supported basis, for the purposes specified in Section 2.2., and evaluate personal aspects in the process, in particular for reasons of efficiency and uniformity of decision-making processes. Viseca may also create profiles for the same purposes. If these decisions have legal effects or impairments on Users, Viseca will inform them and take the legally required measures.  

 

2.4. To whom do we disclose data?

2.4.1 Viseca-internal persons

Within Viseca, individuals and corporate units have access to user data insofar as this is necessary for the purposes set out in this Privacy Policy and for the performance of the contract with one.

2.4.2 Service providers

In order to provide the services and data processing indicated in this Privacy Policy, Viseca cooperates with service providers and sub-contracted auxiliaries (so-called processors) in Switzerland and abroad (e.g. for calculating surprize points, sending surprize rewards, categorising merchant data, consulting, software and maintenance work, customer services, IT services, dispatch of information, marketing, sales, market research or printing services, collection, fraud prevention and services of consultancy firms and law firms). In this process, data is transferred (to the extent necessary) to service providers and processors. By selecting processors and by means of suitable contractual agreements, Viseca ensures that data protection is maintained during the processing of data by service providers and processors.

2.4.3 Mobile Payment Providers

When using Mobile Payment, customer and device data as well as data of mobile payment providers are exchanged between Viseca, providers and card organisations for card management, verification of identification, combating abuse and fraud, compliance with legal provisions and for processing and displaying transactions. The relevant provider may also stipulate in its terms and conditions that it may obtain, process and disclose the aforementioned data for further purposes.

2.4.4 surprize partners

Viseca may exchange data with partners of the rewards programme to the extent necessary and with the consent of the participants. By redeeming surprize points, participants expressly consent to the terms and conditions of the surprize partners and acknowledge that data may also be used for marketing purposes. The legal terms and conditions of the surprize partners shall always apply.

2.4.5 Third Parties

Third parties are persons or companies that process User data for their own purposes. Third parties are not contracted service providers of Viseca. Viseca generally does not disclose any data to third parties for their own purposes in connection with one. This applies in particular to transaction data or customer, consumption and preference profiles. This principle does not apply to the transfer of one data that users expressly request or to which they have expressly consented.

2.4.6 Authorities and other official bodies

Viseca may disclose data to public offices, courts and other authorities or official bodies if Viseca is legally obliged or entitled to disclose data or in order to safeguard its own rights and legitimate interests.

2.4.7 Electronic data transmission

User data may be transmitted electronically to third parties in Switzerland and abroad even without the involvement of Viseca. In particular, manufacturers of devices or software (such as Apple or Google) may receive data when the App and/or mobile devices are used.  These data may be processed and passed on to third parties in accordance with their own terms and conditions of use or privacy policies. This may result in these third parties being able to infer that there is a relationship between Users, Viseca and the card issuer.

 

2.5. What data is disclosed to other recipients?

The transmission of information between Viseca and the App and/or mobile devices of Users is encrypted, with the exception of sending SMS messages. However, communication with Users takes place via public communications networks. These data are generally accessible to third parties and may be lost or intercepted by unauthorised third parties during transmission. It therefore cannot be ruled out that third parties, despite all security measures taken, can gain access to the communications with Users when one is used.

When using the Internet, data may also be transmitted to third countries even if the Users are located in Switzerland. Such third countries may not offer the same level of data protection as Switzerland.

 

2.6. Do we disclose data abroad?

The recipients of data mentioned in this Privacy Policy may be located abroad – including outside the EU or the European Economic Area. These third countries may not have laws in place to protect data to the same extent as in Switzerland or in the EU/EEA. In this case, Viseca ensures data protection through data transfer agreements.

 

2.7. How long does Viseca store data and when does Viseca erase it?

Viseca stores data only for as long as necessary for the purpose for which it was collected. In addition, Viseca stores data if there is a legitimate interest in storage, e.g. if Viseca requires data in order to enforce or defend against claims in order to ensure IT security or if limitation periods apply. Finally, Viseca stores data in order to comply with regulatory and statutory obligations.

If Users stops using one for two years, Viseca will assume that the App has been deleted. In this case, Viseca will delete all data that does not have to be retained based on statutory retention obligations or contractual obligations.

Data for which no statutory basis for processing or retention applies may be further processed in anonymised form. Data that must be retained longer due to statutory retention obligations is excluded from erasure or anonymisation.

 

2.8. How does Viseca protect the data in one?

By using state-of-the-art security software, Viseca’s IT infrastructure meets international security standards. In addition, Viseca takes additional security measures for providing access to User accounts over the internet as well as technical and organisational measures to protect the data against loss, unauthorised access or misuse.

Irrespective of the measures taken, when using the Internet as a means of transmission via a computer, smartphone or other end device, it cannot be ruled out that third parties may gain access to Users' data.

All liability whatsoever for direct or indirect losses arising in connection with the use of one is fully disclaimed by Viseca. This also applies to damage caused by viruses and targeted hacker attacks.

 

2.9. What rights do Users have in connection with their data?

Provided that the requirements of applicable law have been met, Users have the following rights:

  • the right to demand information about Users' own data, how Viseca processes it, as well as copies thereof;
  • the right to demand rectification of incorrect or incomplete data;
  • the right to demand erasure of Users' own data;
  • the right to demand the restriction of the processing of Users' own data;
  • the right to lodge a complaint against the form of the data processing with a competent data protection authority;
  • the right to withdraw consent to data processing previously given; in the event of withdrawal of consent, the data may continue to be processed by Viseca to the extent permitted by law.

If Viseca informs Users about an automatic decision, they have the right to lodge a complaint and have the decision reviewed by a natural person. In order to exercise these rights, users must assert their claims in writing with a copy of their identification document enclosed. Withdrawal of consent may be made in another manner, provided Viseca provides this option (e.g. in one). These rights may be subject to statutory requirements and restrictions, which is why they may not always be exercised to the fullest extent. Thus, there are, for instance, statutory retention obligations.

Furthermore, Users acknowledge in accordance with Section 2.4. that data may also be held with other controllers. In order to safeguard their rights as data subjects under data protection law, Users must contact them directly.

 

2.10. How are business communications handled?

By using one, users expressly agree that Viseca may contact them for business communications via the registered and verified email address.

 

3. Terms and Conditions for Visits to Websites

By accessing Viseca's websites, you consent to these Terms and Conditions and agree to the contents thereof.

The information published on our websites does not constitute a recommendation to carry out transactions, other legal transactions or offers. Third-party products and services presented may not be purchased by residents of certain countries. If problems arise in a contractual relationship between you and third parties, you, as the injured party, must pursue remedies against the third party. We shall not be liable for any damages arising from contractual relationships with third parties.

Although we take every care to ensure that the information published on our websites is accurate at the time of publication, the accuracy, reliability, timeliness or completeness of the information cannot be guaranteed, either expressly or by implication.

We assume no responsibility and make no representation that the functions will be available continuously or that the relevant server is free of viruses or other harmful components.

Viseca shall not be liable for direct or indirect damages and losses of any kind which may arise for the following reasons, even in the event of negligence:

  • based on access to services;
  • based on the inability to access or use services;
  • based on linking or accessing links to other websites of third parties;
  • as a result of unauthorised persons' manipulation of the internet User’s IT systems;
  • based on contact with Viseca via the internet or email.

Viseca Websites are not intended for visitors who are subject to any jurisdiction that prohibits or otherwise restricts access to or disseminate, publish, provide or use of the information contained on them. Persons subject to such restrictions are not granted permission to access the Websites and they are requested to refrain from accessing them.

 

4. Cookie Policy

This Cookie Policy describes the purpose and use of the information processed when using or visiting our Websites through the use of cookies, similar technologies or social media appearances. In addition, we provide information about security measures that serve to ensure the confidentiality of the transmitted data and the protection of privacy. In the text below, the term "Websites" refers to all Viseca pages and subpages as well as the services and options offered, such as information offers, advertisements, contests, sweepstakes, surveys and communications channels. However, this cookie policy does not apply to third party websites.

 

4.1. What does Viseca use cookies and similar technologies for?

We collect and process data primarily in order to enable the use of the Website and to ensure its operation (operation of the Website). Data is also processed to ensure the functionality, stability and security of the Website and the technical systems. In particular, technical data and behavioural data are processed for this purpose.

We also want to measure and optimise the attractiveness of the Website’s content (statistics and analysis) in order to show you information, products and services that are tailored to your interests. On Websites, including those of third parties, through newsletters and other individual communications, we may approach you with advertising for our products or services and those of third parties (personalised marketing). This may relate to cards and other products. For this purpose, we process technical data as well as behavioural and preference data, in particular, which may also be collected by cookies and similar technologies.

If you are in contact with us – based, for example, on your interest in a service – and submit a request for a product or a service or order documents, we will process the corresponding data for communications purposes (e.g. to provide information or to issue communications or to process customer requests). We also process data for the purposes of  preparing and concluding contracts, examining applications and entering into contracts and executing orders. We may also address applicants again in a targeted manner, even where they have completed only a portion of the application sections.

If you participate in competitions or sweepstakes, we process data to verify compliance with the Terms of Use and for correspondence or to conduct the event.

 

4.2. How can the use of cookies be controlled?

You can avoid cookies at any time by adjusting the privacy settings on the Website during a visit or by following the information on how to avoid cookies in your respective web browser. Generally, web browsers accept cookies automatically, but offer options to block or delete them. Instructions on how to manage cookies on web browsers are usually found under the help functions or in the user manual of the mobile end device.

We use cookies in order to better understand you, to tailor content to your interests and needs and to improve offers. For this purpose, we classify the cookies used and similar technologies into the following categories:

  • Functional cookies: These are required in order to guarantee the basic functionality of the Websites. In doing so, we store browser settings or the language selection. This means that you do not have to reset these basic settings.
  • Analytical cookies: These are the prerequisites for web analysis. With the information we collect about user behaviour, we continuously optimise our Websites and content.
  • Marketing Cookies: These increase the relevance of our actions and campaigns. We use such information to tailor displayed advertising to your interests. For this purpose, we may also disclose this information to third parties who process this information on behalf of us as service providers. 

 

4.3. How is the data stored?

The IP data of the subscriber is stored by the Website operator when the one Websites are visited. Data such as your name and address or other personal information may also be collected. We store data only for as long as required by the applicable legal requirements or the purpose of the processing. The retention period is governed by legal and internal regulations. If there is no longer any retention obligation, we will erase or anonymise the data in accordance with our usual processes.

 

4.4. Which online tracking techniques are used?

If we integrate a provider of an analysis tool on the Website, the provider may also collect relevant information. Cookies are codes (e.g. a serial number) that our servers or the servers of another provider send to your browser or end device when a connection to our Websites is established, and stores them until the programmed expiry date. At the further access events, these codes can be read. This means that your individual profile is recognised each time you access the Website and you are identified each time you log in.

We use session cookies in which, among other things, information about the origin and storage period of the cookie are stored. These cookies are erased when the browser is closed. On the other hand, we use permanent cookies, which are used to recognise you when you visit us later. These cookies therefore remain stored for a certain period of time even after the browser has been closed. Once the programmed duration has expired, these cookies are automatically deactivated. We only use cookies and similar technologies for analysis and marketing purposes if the corresponding settings in the Viseca cookie banner are actively confirmed.

We also use cookies or similar technologies from third-party companies, e.g. in order to use third-party functions such as analytical services and services for optimisation and personalisation on websites. Cookies and similar technologies of third-party providers also enable these third-party providers to approach you with individualised advertising on our Websites or other websites, as well as on social networks that also collaborate with this third party, and to measure the effectiveness of ads.

In doing so, third-party providers may record the use of the relevant Website. These records may be linked to similar information from other websites. This enables your behaviour to be recorded across multiple websites and multiple end devices. Frequently, the relevant provider may also use these data for its own purposes, e.g. for personalised advertising on its own website and on other websites to which it supplies advertising. If you are registered with such providers, providers may associate the usage data to you. The processing of such data is carried out by the providers on their own responsibility and in accordance with their own privacy policies. To the extent these third-party providers process data, they act as processors for us or as separate controllers, depending on the type of service and data processing. We are currently working with the following providers for the above-mentioned purposes:

  • Cookiebot: With Cookiebot and the “CookieConsent” cookie, we manage and store consent status on the Websites. The “cookietest” cookie is also used to determine whether you have accepted the cookie settings box in our cookie banner. These cookies are categorised as functional cookies and cannot be deactivated via the cookie settings. However, information collected and stored through the use of these cookies is stored for no longer than one year and is not processed outside Switzerland or the European Union. We do not provide Cookiebot with any information that Cookiebot may associate with you. Cookiebot provides us with reports and evaluations based on the data collected and is therefore a contracted data processor.
  • Hotjar: On our Websites, we use Hotjar of the company Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) (“Hotjar”) in order to statistically evaluate visitor data. Hotjar is a service that analyses your behaviour and feedback on websites using a combination of analysis and feedback tools. Hotjar-based websites have incorporated a tracking code into websites. This tracking code contacts Hotjar’s servers and sends a script to your computer or end device when you access the Hotjar-based websites. The script collects certain data relating to the interaction with the relevant website. These data are then sent to the Hotjar server for processing. Further details concerning the Privacy Policy as well as the data that are collected by Hotjar and how this is done can be found at www.hotjar.com/legal/policies/privacy.
  • Facebook: Our Websites also use the so-called “Facebook Pixel” and similar technologies from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). We use these technologies in order to display the Facebook ads placed at Facebook and at the partners cooperating with Facebook (so-called “Audience Network”; www.facebook.com/audiencenetwork) to visitors who have shown an interest in us or whose characteristics correspond to those we have transmitted to Facebook for this purpose (e.g. interest in certain topics or products that can be seen on the websites visited; “Custom Audiences”). These technologies also enable us to understand the effectiveness of Facebook ads for statistical purposes and market research by recognising whether you were redirected to our Websites after clicking on a Facebook advert.
  • Google Services: With Google Analytics, we create reports on the use of Websites by enabling Google to track the behaviour of visitors to our Websites (e.g. duration, frequency of pages visited, geographical origin of access). We also use Google Audience, another web analysis service from Google. This service collects and stores data from which user profiles are created in pseudonymised form. This technology enables you to display targeted advertising from us on other external sites of the Google Partner Network. Google Audience receives access to the cookies created in connection with the use of Google Analytics. In the course of use, data, such as in particular the IP address and activities, may be transferred to a Google LLC server and stored there. Google LLC may transfer this information to third parties where required by law or where such data are processed by third parties.
    The provider of Google Analytics is Google LLC, Google Ireland Ltd is the controller for data protection law purposes. We have configured Google Analytics in such a way that IP addresses are truncated before they are forwarded to the USA so that they cannot be traced back. Nor do we transmit to Google any data that can be associated with you. Google provides us with reports and evaluations based on the collected user data and is therefore our data processor. Google also processes the data collected to improve its products and services. Information on the privacy of Google Analytics can be found at https://support.google.com/analytics. If you wish to prevent the use of Google Analytics, the following action may be taken: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
  • Teads Pixel: After obtaining your consent, our Website may use a pixel operated by Teads in order to optimise our advertising campaigns. These pixels only collect information about the URL address, the type of device, the browser and the operating system you are using. For more information, please refer to Teads' Privacy Policy. Please also note that you have the right to access the information held about you by Teads and to request that your information be corrected, erased or transmitted. You also have the right to object to particular processing or to request restriction of processing by Teads by sending your request to dpo@teads.com.

 

4.5. How does Viseca use social media pages?

We may operate our own pages on social media networks and similar third party platforms. If you communicate with us about such social media pages or comment on or disseminate content, we collect the corresponding information and process it primarily for communications and marketing purposes. We have the right, but not the obligation, to review content before or after it is published and to delete content without notice (e.g. in the event of unacceptable behaviour), to the extent technically possible, or to report it to the provider of the respective platform. In the event of a violation of the rules of decency and conduct, we may also report the relevant user account to the provider of the platform for blocking or deletion.

When visiting social media sites, data (e.g. visitor behaviour) may also be transmitted directly to the provider in question, or collected by it and processed together with other data already known to it (e.g. for marketing and market research purposes). Further information on data processing by the providers of social networks can be found in the privacy policy of the relevant social networks. We currently use the following social media plugins:

  • Instagram plugin: Instagram plugins are integrated into our Website. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. If you are logged into your Instagram account, you can link the content of our web pages to your Instagram profile by clicking on the Instagram button. This enables Instagram to associate the visit to our web pages with your user account. Viseca has no knowledge of the content of the transmitted data or their use by Instagram.
    Further information can be found in Instagram’s privacy policy at https://instagram.com/about/legal/privacy/.
  • Facebook plugin: Facebook plugins are integrated into our Website. The provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You can recognise the Facebook plugins by the Facebook logo or the “Like” button on our Website. An overview of the Facebook plugins can be found at https://developers.facebook.com/docs/plugins/.
    When you visit our Website, a direct connection between your browser and the Facebook server is established via the plugin. Facebook receives the information that you have visited our Website with your IP address. If you click on the Facebook "Like" button while logged into your Facebook account, you may link our Website's content to your Facebook profile. This enables Facebook to associate your visit to our Website with your user account. Viseca has no knowledge of the content of the transmitted data or their use by Facebook.
    Further information can be found in Facebook’s privacy policy at https://www.facebook.com/policy.php. If you do not wish Facebook to be able to associate your visit to our Website with your Facebook user account, please log out of your Facebook user account.
  • Twitter plugin: Plugins from Twitter are integrated into our Website. The provider is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the “re-tweet” function, your visit to our Website is linked to your Twitter account and disclosed to other users. Data are also transferred to Twitter in the process. Viseca has no knowledge of the content of the transmitted data or their use by Twitter. You can change your Twitter privacy settings in the account settings at https://twitter.com/account/settings.
    For more information, please refer to Twitter’s privacy policy at https://twitter.com/privacy.

 

 

 

Version May 2022

Viseca Card Services SA, Hagenholzstrasse 56, P.O. Box 7007, 8050 Zurich, Phone +41 (0)58 958 84 00