Privacy policy for the online shop of corporate benefits Vouchers AG

Scope: EU countries, Switzerland

We, corporate benefits Vouchers AG (hereinafter collectively: “the company”, “we” or “us”), take the protection of your personal data seriously and would like to inform you about data protection in our company.

Within the scope of our responsibility under data protection law, the entry into force of the EU General Data Protection Regulation (GDPR; Regulation (EU) 2016/679) and the Swiss Data Protection Act (DSG) have imposed additional obligations on us in order to protect the personal data of the data subject (we also refer to you as the data subject as the “customer”, the “user”, “you” or the “data subject”).

In principle, it is possible to use our website without providing any personal data. However, if you make use of specific services of our company via our website or wish to use certain features, the processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for it (e.g., to fulfill a contract), we will obtain your consent in advance.

Insofar as we decide on the purposes and means of data processing, either alone or together with others, this primarily includes the obligation to transparently inform you about the type, scope, purpose, duration, and legal basis of the processing (see Articles 13 and 14 of the GDPR).

With this declaration (hereinafter referred to as the “Privacy Policy”), we inform you about how we process personal data when you use our website. We would like to give you a transparent overview of our processing operations and, at the same time, comply with our legal obligations, in particular under the GDPR and the DSG.

1. Name and address of the data controller and the data protection officer

The data controller within the meaning of the GDPR and the DSG is

corporate benefits Vouchers AG
Schwanengasse 3
3011 Bern, Switzerland
Phone: +41 31 301 3939
Email: privacy@cbv-ag.ch

Country store Spain (local company):

corporate benefits vouchers Iberica S.L
Castillo de Fuensaldaña, 4-10
128232 Las Rozas, Madrid

For further information on the data controller, reference is made to the imprint of this website (see our imprint).

2. Data protection officers and consultants

Contact details of the data protection officer (EU)

Data protection officer (external)
TÜV Informationstechnik GmbH
TÜV NORD Group
IT Security, Business Security & Privacy
Am TÜV 1
45141 Essen
Phone: 0201 – 8999-461
Fax: 0201 – 8999-666
Email: privacyguard@tuvit.de

Data protection consultant Switzerland (external)

Patrick Degen, Attorney
Troller Hitz Troller
Münstergasse 38
3011 Bern
Switzerland

3. General information on data processing

We only collect and process your personal data to the extent that this is necessary. The purposes of the processing may arise in particular from technical necessities (e.g., for the provision of the website), from the execution of a contractual relationship, from your expressly stated inquiries and requests or legal obligations.

3.1 Legal grounds for personal data processing

Insofar as we obtain your consent for the processing of your personal data, Art. 6 para. 1 (a) GDPR in the case of consent, or Art. 6 Para. 6 in connection with Section 31 Para. 1 DSG applies as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 Para. 1 (b) GDPR / Art. 31 Para. 1, 2 (a) DSG applies as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.

Insofar as processing personal data is necessary to fulfil a legal obligation to which we are subject, Art. 6 Para. 1 (c) GDPR / Art. 31 Para. 1 DSG applies as the legal basis.

If processing is necessary to safeguard our legitimate interest or that of a third party and if your interests, fundamental rights, and freedoms do not outweigh the former, Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG applies as the legal basis for processing.

The Telecommunications and Digital Services Data Protection Act (TDDDG) also applies to processing operations in connection with the use of telemedia and digital services in Germany. The storage of information on the end device of the end user or access to already stored information is only permitted in accordance with § 25 TDDDG if:

the end user has consented on the basis of clear and comprehensive information (§ 25 Para. 1 TDDDG in conjunction with Art. 6 Para. 1 (a) GDPR);
the sole purpose is the transmission of a message via a public telecommunications network (§ 25 Para. 2 No. 1 TDDDG), or
access or storage is absolutely necessary so that we can provide an expressly requested telemedia service (§ 25 Para. 2 No. 2 TDDDG).

3.2 Data deletion and storage duration

We comply with our legal obligations to delete personal data even without a special request from our customers. These obligations arise, among other things, from Art. 17 GDPR / Art. 6 Para. 4 DSG; 32 Para. 2 (c) DSG, which regulates the right to deletion (the “right to be forgotten”).

However, some personal data is excluded from this deletion obligation. In certain cases, we are required by other laws to continue to store this data. Such retention obligations arise, for example, from § 257 of the German Commercial Code (HGB) and § 147 of the German Tax Code (AO) and, as far as Switzerland is concerned, from Art. 958f of the Swiss Code of Obligations (OR). In these cases, we store the data exclusively to fulfil the respective legal storage obligations.

After the legally prescribed retention periods have expired, we will delete, destroy or anonymize the data concerned immediately and without further request.

4. Data processing in the provision of the website – log files and fraud prevention

4.1 Description and scope of data processing

When using the website for information purposes, i.e., merely viewing it without registering and without otherwise providing us with information, we process the personal data that your browser transmits to our server. The data described below is technically necessary for us to display our website to you and to guarantee stability and security and must therefore be processed by us:

Operating system
Language and version of the browser software
Internet service provider
IP address of the device
The date and time of access
Time zone difference from Greenwich Mean Time (GMT)
Previously visited page
Names of downloaded files
Amount of data transferred
Access status codes (HTTP status codes)

Server-side log files are processed to protect our website and to ensure technical availability. These log files contain information such as IP addresses, access times, URLs accessed and technical information about the browser and operating system. They serve exclusively to detect and avert attacks (e.g., DDoS attacks) or technical faults and to ensure system security.

The log data is used strictly for a specific purpose and is usually stored for at least seven days, but for a maximum of 30 days. No further storage takes place.

This log data is evaluated exclusively on our servers and without access to the user's end devices.

If you visit our online store as a logged-in user via an employee, club or association portal of one of our partner companies (e.g., by clicking on one of our offers offered there), the partner company will also send us an individual user ID that is assigned to your account.

In order to ensure that only authorized users have access to the platform and that the offers are used exclusively for private purposes, we use a fingerprinting procedure together with a specialized IT service provider for fingerprinting technology (category: order processor, IT security solutions, based in Germany/EU). A fingerprint of your device or browser is processed.

This procedure serves to prevent unauthorized access, to ensure compliance with our terms of use and to prevent misuse of your access data and the platform as a whole. In addition, fingerprinting helps to prevent commercial use of the offers, in particular, the commercial purchase, offering or resale of discounted goods. Likewise, unauthorized disclosure of access data or codes is detected in order to prevent misuse by unauthorized persons.

The legal basis is Art. 6, Para. 1 sentence 1 (f) GDPR (legitimate interest) / Art. 31 Para. 1 DSG, without consent in accordance with § 25 Para. 2 No. 2 TDDDG.

Depending on the offer or claim, identification data, such as date of birth or photo, may also be required.

All other personal information is voluntary.

4.2 Legal basis for data processing

The legal basis for the processing of the data stored in log files, the user ID and the fingerprint data is our legitimate interest in accordance with Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG. This legitimate interest lies in ensuring the functionality and security of the website, preventing abuse and enforcing our terms of use.

Access to information in your end device (e.g., as part of the fingerprinting procedure) only takes place to the extent that this is exceptionally permissible without consent in accordance with § 25 Para. 2 No. 2 TDDDG.

4.3 Purposes of data processing

The temporary storage of the IP address by the system is necessary in order to deliver the website and the corresponding content to your device and to establish a stable connection. In addition, the log files serve to ensure technical functionality and security, as they help to ward off attacks (e.g., DDoS attacks), analyze faults and ensure system security. The processing of the user ID ensures that only authorized users, for example, members of a partner company, have access to our offers. The fingerprinting used also serves to prevent unauthorized multiple uses, to prevent commercial purchases and to detect and prevent misuse by passing on access data or codes. Depending on the offer, additional identification data, such as date of birth or a photo, may also be required to secure access to certain offers or benefits. For these purposes, we have a legitimate interest to process personal data.

4.4 Duration of storage

We only store personal data that is processed when you visit our website for as long as necessary to achieve the respective processing purposes, unless there are legal storage obligations to the contrary. The IP address is stored for the duration of the session in order to enable the delivery of the website to your end device. Log files collected for system security and error analysis are typically stored for a minimum of seven days and a maximum of 30 days. The user ID transmitted when using our platform via partner portals is only stored for the duration of the session in order to check the access authorization. Fingerprint data that we collect to protect against unauthorized use, misuse, and to enforce the terms of use is stored for the duration of the respective usage relationship and then deleted, unless legitimate interests such as the prevention of future misuse or the assertion of legal claims justify longer storage. In these cases, the data will only be stored until the expiry of the statutory limitation periods provided for this purpose and exclusively for this purpose. After the respective purpose has ceased to exist or these periods have expired, the data will be deleted or anonymized.

5. Email and telephone contact

5.1 Description and scope of data processing

You have the option of contacting us via the email addresses provided on our website or the telephone numbers indicated. In this context, we process the personal data that you voluntarily provide to us in the context of communication. This includes, in particular, your email address, your name, your telephone number, your request and, if applicable, other information you have provided. If you contact us by phone, we may also create notes of the conversation, which contain relevant content of your request as well as automatically transmitted information (e.g., your telephone number).

5.2 Legal basis for data processing

The legal basis for processing the data transmitted in the course of contacting us by email or telephone is Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG. If the contact is aimed at concluding or implementing a contract, the additional legal basis is Art. 6 Para. 1 (b) GDPR / Art. 31 Para. 1, 2 (a) DSG.

5.3 Purposes of data processing

The processing of personal data serves exclusively to process your request and to facilitate contact with you. If the contact is aimed at concluding or implementing a contract, the processing is also carried out to implement pre-contractual measures or to fulfill a contractual relationship. In addition, processing may be necessary for documentation and verification purposes, for example, to defend against or assert claims. For these purposes, we have a legitimate interest to process personal data.

5.4 Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data transmitted via email or contact form, this applies when the respective conversation with the user has been completed. The conversation is considered to have ended when it is evident from the circumstances that the matter at hand has been conclusively resolved.

If data arises in the course of communication that we are required to store due to legal regulations (e.g., tax, commercial, or other regulations), further storage will take place in accordance with the applicable legal deadlines. Additionally, data may be stored for the duration of the respective statutory limitation periods to safeguard our legitimate interests, particularly to assert or defend against claims or to demonstrate proper processing.

6. Orders in our online store

6.1 Description and scope of data processing

If you access our online store via an employee, club or association portal of a partner company (e.g., by clicking on an offer displayed there), you will be forwarded via a referrer link. In this context, the partner company transmits a user ID that is assigned to your account with the partner. On this basis, we can recognize you as an authorized user, display your order history and pre-fill already stored inventory data in form fields.

If you order vouchers in our online store, we process the data that you transmit to us in the context of the respective order. This data can be seen from the requested form fields and includes, in particular:

Name, delivery and billing address (inventory data), payment method and information about which vouchers were purchased at what price.

To process the payments, the payment data (e.g., amount, reference number, payment description, payer) is transmitted to the responsible payment service providers.

For us, this is:

Mollie HQ, Keizersgracht 126, 1015CW Amsterdam, Netherlands (see Section 8 of this Privacy Policy)

In addition, we store the following data, insofar as this is provided by you:

First name
Surname
Organization (only if you are a customer as an organization and not as a private individual)
Street and building number
Zip code
City
Region
Country

For deliveries, we also store the corresponding delivery addresses, in particular:

First name
Surname
Street and building number
Zip code
City
Region
Country
Phone number

When generating a voucher code, we store the following personal data to protect against misuse (e.g., commercial resale):

Voucher code
Offer
Company portal where the voucher code is offered
First name
Surname
Email address
Time of purchase (date and time)
User's IP address

6.2 Legal basis for data processing

The legal basis for processing is your consent under Art. 6 Para. 1 (b) GDPR / Art. 31 Para. 1, 2 (a) DSG, insofar as the processing is necessary for the execution of the order and for the processing of the contract. In addition, the processing is carried out to safeguard our legitimate interests in accordance with Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG, in particular, to prevent abuse, to improve user-friendliness and to provide evidence.

Insofar as information on your end device is accessed or such information is stored, this is done without consent, insofar as this is permissible in accordance with § 25 Para. 2 No. 2 TDDDG in order to be able to offer you the offers exclusively as agreed.

6.3 Purpose of data processing and duration of storage

We use the transmitted and specified data to process and invoice your order. We also store the user ID, your inventory data and the content of your orders in order to be able to display your order history and to make it easier for you to fill in the form fields again for future orders.

In addition, the storage of certain data serves to prevent abuse (e.g., protection against commercial resale of vouchers), to provide evidence and to assert, exercise or defend against legal claims. For these purposes, we have a legitimate interest to process personal data.

6.4 Duration of storage

We store the data on your order and your order history in our online store until the end of the third calendar year following your last order. This period is based on the regular civil statute of limitations (e.g., according to § 195 BGB) in order to be able to process or defend against any claims arising from your orders. Thereafter, the data in our online store will be deleted, unless other storage obligations (e.g., according to the German Commercial Code (HGB) or the German Tax Code (AO) and, as far as Switzerland is concerned, the Swiss Code of Obligations (OR) prevent deletion.

In this sense, the data on individual orders will also be deleted at the end of the third calendar year following the respective order.

The data that we store for the prevention of abuse and for the assertion, exercise or defense of legal claims is stored for the duration of the respective statutory limitation periods or until the conclusion of corresponding proceedings.

After execution, billing and payment of an order, we also store the data in our accounting systems as long as we are obliged to do so based on tax, commercial or other legal regulations. Only then will the final deletion take place.

7. Cookies

We use cookies on our website. Cookies are small text files that are automatically stored on your end device and contain information that enables your device to be recognized.

The cookies we use are exclusively “session cookies”, which are automatically deleted after the browser session, i.e., after you close your browser. These cookies are technically necessary to provide certain functions of our website, in particular to ensure that you are continuously recognized as an authorized user during your visit. In addition, these cookies serve to prevent fraud and to maintain the exclusivity of our offers. These are also the purposes of this data processing.

The legal basis for the use of these technically necessary cookies is Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG, as they serve to safeguard our legitimate interests in the secure, exclusive and user-friendly provision of our online store.

Insofar as information is stored or read on your end device, this is done without consent in accordance with § 25 Para. 2 No. 2 TDDDG, as this is absolutely necessary in order to be able to make our online store available to you as agreed.

You can disable cookies in your browser. However, this may impair the functionality of our website.

8. Categories of recipient of personal data

For the provision of our website, the proper execution of the online store, the payment processing, as well as the contact possibilities, we use carefully selected and contractually obligated service providers (order processors). They process personal data exclusively based on our instructions and on our behalf in accordance with Art. 28 GDPR / Art. 9 DSG.

Examples of such processors include, in particular, service providers for hosting, email dispatch, IT support, web analysis and for the administration of order and merchandise management systems. These include, for example:

MPEX GmbH (hosting provider, ISO/IEC 27001 certified). Privacy policy: Privacy policy MPEX
Matomo (web analytics, anonymized). Privacy policy: Privacy policy Matomo
Reybex (ERP and merchandise management system). Privacy policy: Privacy policy Reybex

For payment processing, the data required for this purpose is passed on to the respective integrated payment service providers, in particular:

Mollie HQ (payment processing). Privacy policy: Privacy policy Mollie

Processing by these service providers takes place exclusively within the EU.

In addition, personal data may be passed on to other recipients insofar as this is necessary for the execution of the contract (Art. 6 Para. 1 (b) GDPR / Art. 31 Para. 1, 2 (a) DSG), we are legally obliged to do so (Art. 6 Para. 1 (c) GDPR / Art. 31 Para. 1 DSG), or we have a legitimate interest in the transfer (Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG).

Such recipients can be, for example:

Tax consultants or auditors (e.g., in the context of audits)
Legal advisors or courts (e.g., to assert or defend against claims)
Authorities or investigative bodies (e.g., in case of suspected fraud or abuse)
RiskIdent GmbH, Am Sandtorkai 50, 20457 Hamburg, for fraud prevention and risk assessment. Privacy/Imprint: Imprint & privacy RiskIdent

Furthermore, your data may be shared with other companies within our group, to the extent necessary for internal administrative purposes, central IT provision, billing, or support purposes, or to safeguard legitimate interests. This processing is carried out on the basis of our legitimate interest in accordance with Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG.

In principle, data is not transferred to third countries outside the EU/EEA. Should such a transfer be necessary in individual cases, we ensure that either an adequacy decision of the EU Commission is in place or that suitable guarantees, such as in particular EU standard contractual clauses (SCCs) in conjunction with additional protective measures and a Transfer Impact Assessment (TIA), are concluded and implemented to ensure an adequate level of data protection.

9. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and (if applicable) the Swiss Data Protection Act (DSG). You have the following rights with respect to the data controller under the legal requirements:

Right to information in accordance with Art. 15 GDPR or Art. 25 DSG.
Right to rectification in accordance with Art. 16 GDPR or Art. 6 Para. 5 DSG; 32 Para. 1 DSG.
Right to deletion (“right to be forgotten”) in accordance with Art. 17 GDPR or Art. 6 Para. 4 DSG; 32 Para. 2 (c) DSG, insofar as no statutory retention periods or other statutory rights or obligations prevent deletion.
Right to restrict processing in accordance with Art. 18 GDPR or Art. 30 Para. 2 (b); 32 Para. 2 (a), (b) DSG.
Right to data portability in accordance with Art. 20 GDPR / Art. 28 DSG.
Right to object in accordance with Art. 21 GDPR / Art. 30 Para. 2 (b); 32 Para. 2 (a), (b) DSG.
Right to revoke consent in accordance with Art. 7 Para. 3 GDPR or Art. 30 Para. 2 (b) GDPR.
Right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR / Art. 49 Para. 1 DSG.

The right to deletion does not exist if statutory retention obligations or other legally overriding rights prevent deletion.

To exercise these rights, you can contact us at any time, for example, by email to privacyguard@tuvit.de or privacy@cbv-ag.ch (for more details, see Section 2 of this Privacy Policy). You can also send a request for information about your personal data stored with us to these addresses.

If you have any questions about data security, please do not hesitate to contact security@cb-gmbh.com.

10. Data security

We take appropriate technical and organizational security measures to protect your personal data from accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. In doing so, we take into account the state of the art, the implementation costs as well as the type, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and severity of the risks associated with the processing for the rights and freedoms of the data subjects. Our security measures are improved continuously, according to technological developments.

We will be happy to provide you with further information on request. Please contact our data protection officer (Section 2 of this Privacy Policy) or security@cb-gmbh.com.

11. No automated decision-making (including profiling)

We do not process your personal data in the context of automated decision-making (including profiling) in accordance with Art. 22 GDPR / Art. 21 DSG.

12. Change of purpose

Your personal data will only be processed for purposes other than those described if a legal provision allows this or you have consented to the changed purpose of the processing.

Should we further process your personal data for purposes other than those for which it was originally collected, we will inform you of these other purposes before the start of further processing and provide you with all relevant additional information.

13. Right to object

Insofar as we use your personal data to safeguard our overriding legitimate interests in accordance with Art. 6 Para. 1 (f) GDPR / Art. 31 Para. 1 DSG, you have the right to object to this processing at any time with effect for the future for reasons arising from your particular situation.

If you object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If your personal data is processed for direct marketing purposes, you can object to this processing at any time without giving reasons. After your objection, your personal data will no longer be processed for these purposes.

To exercise your right to object, a letter to the contact points mentioned in Section 2 of this Privacy Policy, either by post or by email to privacyguard@tuvit.de or privacy@cbv-ag.ch, is sufficient.

Last updated: July 2025
corporate benefits Vouchers AG