Privacy Notice

This privacy notice is written following EU Regulation 2016/679 (“GDPR”), the Swiss Federal Act on Data Protection (“FADP”) and the UK Data Protection Act 2018 (“UK GDPR”) and it applies to all personal data that Maurice Lacroix collects online, such as through this website www.mauricelacroix.com (“Website”), emails, and other online tools and apps, but not to data collected offline.

1. Controller

Your contact and what is known as the “controller” therefore the entity responsible for processing your personal data when you visit this Website is:

Maurice Lacroix SA, a branch of Medinova AG
Rue des Rangiers 21
2350 Saignelégier, Switzerland
info@mauricelacroix.com

(Hereinafter only “we”, “us”, ourselves” or “Maurice Lacroix”).

2. Data Protection Officer

If you have any questions about data protection in connection with our Website or about its use, please feel free to contact our data protection officer at any time by sending an email to: dataprotection.mauricelacroix@dksh.com.

3. Purposes of processing, legal bases and related retention periods

3.1 WEBSITE USAGE

Every time you visit our website, we collect data automatically transmitted by your browser in order to enable your visit to the website. In particular, this data may include the following:

• Domain name or IP address of the requesting device;
• Client file request (file name and URL);
• http response code;
• Date and duration of visit and request;
• Browser and operating system;
• Online-IDs (e.g. device identifier, Session-IDs);
• Address of accessed website and requesting website.

This data must be processed in order to enable you to visit the website and ensure the uninterrupted functionality and security of our systems.

The legal basis for this data processing is Article 6(1)(b) of the GDPR if the website is accessed in the course of initiating or performing a contract and furthermore Art. 6 (1)(f) GDPR based on our legitimate interest in enabling the website to be accessed as well as the permanent functionality and security of our systems.

The data retention period for this data is 180 days.

3.2 USER ACCOUNT / REGISTRATION

If you register on our website, we will set up a password-protected area where you can access the personal data concerning you that we have saved (customer account). In your customer account, you can view data relating to your completed, pending, and recently sent orders, and correct or modify any subscriptions, your payment data, and your personal data. We have highlighted the data you are required to provide by marking them as mandatory fields. Registration is not possible without this data.

The legal basis for this data processing is Article 6(1)(b) of the GDPR therefore the performance of a contract.

Data retention period: until the user requires de-activation (with no purchase history).

3.3 ORDERS

In the case of an order process, we collect the mandatory information required to finalize a contract with you such as:

• Salutation (Mr/ Ms etc.)
• First and last name
• E-mail address
• Billing and shipping address
• Telephone number
• Credit card token

The legal basis for processing is Art. 6 (1) (b) GDPR therefore the performance of a contract.
Data retention period: 10 years from contract signature (i.e. execution of the order).

3.3.1 PAYMENT DATA

You can choose to pay for your purchases by invoice, prepayment, Paypal, and credit card. We process your payment data, via an external service provider, for the purpose of processing your payment. Depending on how you choose to pay, we will pass on your payment data to the financial institution or a payment service provider handling the payment.

Payment data may be the following:
• billing addresses,
• IBAN, BIC and
• preferred payment method can be transmitted to these service providers.

This also includes data that is directly related to payment processing, such as data that external payment service providers use for identification (e.g. first and last name, address, gender, email address, IP address, telephone number, PayPal ID ), Device information (e.g. IP address, device type, operating system) or data that are required to create an invoice such as number of items, item number, invoice amount and taxes in percent. These payment service providers can also process data on your previous payment behavior as well as probability values for behavior in the future. For the purpose of checking payments, e.g. to approve purchased goods, we also receive corresponding information about payment from the payment service providers. We also receive master and financial information from the payment service providers as part of any legally required identity checks.

The legal basis for this data processing is Article 6(1)(b) of the GDPR, because the processing is necessary for the performance of a contract and the processing of the order.

The legal basis of the data processing carried out by the payment service provider as independent controllers can be found in the data protection information of the respective payment service provider:

• SalesForce Payment using Stripe technologies
• PayPal (Europe) S.a r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxemburg, Luxemburg („PayPal“). You find further information in PayPal’ Privacy Policy.

We would like to point out that data protection queries can most efficiently be submitted to the respective payment service provider, as only these providers have access to the data and can take appropriate measures directly.

3.4 NEWSLETTER

You may subscribe to our newsletter, enabling us to inform you regularly about our latest products and promotions.

You can unsubscribe from the newsletter at any time.

The legal basis for this processing is your consent pursuant to Article 6(1)(a) of the GDPR.

3.5 DIRECT MARKETING

We may also process your personal data for direct marketing purposes such as for sending you generic information or special promotions related to our products.

The legal basis for this processing is your consent pursuant to Article 6(1)(a) of the GDPR.

Data retention period: until consent is revoked.

In order to perform such processing activity, we may employ different service providers such as also social media platforms.

3.6 PROFILED MARKETING

We may also process your personal data for profiled marketing activities therefore for sending you personalized offers or suggestions based on your interests and or purchasing history.

The legal basis for this processing is your consent pursuant to Article 6(1)(a) of the GDPR.

Data retention period: until consent is revoked.

For performing such activity, we employ different tools such as marketing cookies, tag managers or other similar technologies like pixels to collect data along with different services providers such as the most common social medias (e.g. Facebook).

For any further information you are always entitled to enforce your rights described below as per applicable laws.

3.7 REMARKETING/ RETARGETING

We may also use the so called “Remarketing” or “Retargeting” technologies via different tools including but not limited to cookies.

Remarketing is the activity of showing targeted results based on previous browsing activity or purchasing ones using e-commerce or other platforms. In doing so, we expect to show you better advertising more in line with your expectations and desires.

The legal basis for this processing is your consent pursuant to Article 6(1)(a) of the GDPR.

Data retention period: until consent is revoked.

3.8 LEGAL DEFENSE AND CLAIM MANAGEMENT

Personal data stored for website browsing as described in 3.1 above and/or orders processing as described in 3.3 may also be used in case we have to defend ourselves in a court or because of a claim you may raise against us.

The legal basis for this processing is our legitimate interest pursuant to art. 6(1)(f) GDPR.

Data retention period: 180 days.

3.9 LEGAL OBLIGATION

We may also process your personal data to abide by any legal obligations imposed on us by applicable laws including but not limited to

The legal basis for this processing is our legitimate interest pursuant to art. 6(1)(f) GDPR.

Data retention period: 180 days.

3.10 USE OF COOKIES AND SIMILAR TECHNOLOGIES

This website uses cookies and similar technologies (together “tools”) provided either by ourselves or by third parties, for retrieving all information about cookies please visit our web page: www.mauricelacroix.com/cookie-policy.

4. Who do we share your personal information with?

In some cases, we transfer your personal data to third parties. The types of third parties with whom we share personal information are described below:

Other DKSH Group companies

We may share your personal data with other companies belonging to the DKSH Group, including our parent company DKSH Holding, who may use your personal information for purposes and in a manner consistent with the information set out in this privacy statement.

Service providers

We may disclose your personal data to companies that provide services to us and other members of the DKSH Group. Examples of the types of service providers we work with include:

• IT companies that operate the websites on our behalf,
• Delivery companies, such as couriers, that deliver our products to you,
• Direct marketing companies who help us manage our electronic communications with you,
• Customer services companies who operate and manage our call centers,
• Payment service providers who manage our online payments where you purchase products through our Sites, and

Our service providers are required to keep your personal data confidential and are not allowed to use it for any other purpose than to carry out the services they are performing for us.

Third parties where required by law.

We may disclose your personal data to a third party if it is necessary to comply with a legal obligation or the decision of a judicial authority, a public authority or a government body or if disclosure is necessary for national security, law enforcement or other issues of important public interest.

Business partners

We may share your personal data with our business partners for their own purposes if it is necessary for providing products and services to you.

We may also transfer your personal data to third parties for their direct marketing purposes but only where you have given your consent at the time you supply your personal data.

We may also share your user profile data for online advertising purposes with our third-party advertising and analytics partners including organisations which we collaborate with on advertising campaigns and various advertising platforms.

Professional advisors

We may disclose personal data to professional advisors, such as lawyers, auditors and insurers, as necessary in the course of the professional services they provide us with.

Third parties in connection with a business sale

If we make a sale or transfer of assets or are otherwise involved in a merger or business / asset transfer, we may transfer your personal data to one or more third parties as part of that transaction. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy notice.

Other third parties with your consent

We may also share your personal data with other third parties when you consent to such sharing.

5. TRANSFER OF DATA TO THIRD COUNTRIES

Personal data are generally located within the European Union and Switzerland.

If we transfer your personal data outside the EU, Switzerland or your country of residence, as applicable, we will take steps to ensure that your data will receive the same level of protection as if it was being processed within the EU, Switzerland or your country of residence, as applicable. For example, we may include standard contractual clauses adopted by the European Commission in our contracts with third parties or our group companies to ensure there are safeguards in place to protect your personal data.

6. YOUR RIGHTS

You have a right of access to information about how we process your personal data at any time. We will explain our data processing procedures to you and provide you with a summary of the personal data concerning you that we hold.

If data we have stored is incorrect or obsolete, you have the right to have this data rectified (right to rectification).

You may also request the erasure of your data (right to be forgotten). The erasure of your data is generally only possible if certain conditions are met and/or if the data is no longer required, if the processing is not lawful, or in the case of other reasons pursuant to Article 17 of the GDPR. If, in exceptional cases, erasure is not possible due to other legal regulations, the data will be blocked – provided the necessary conditions are met – so that it is only available for this legal purpose. You may also restrict processing of your personal data if, for example, you have doubts about the accuracy of this data (right to restriction).

Under certain conditions, you also have the right to data portability, i.e. on request we will send you a digital copy of the personal data concerning you that you have provided to us.

In order to assert your rights described here, you may contact us at any times using the contact details given above. This also applies should you wish to obtain copies of guarantees to prove an adequate level of data protection.

Your requests regarding your assertion of data protection rights and our replies to these requests will be stored for documentation purposes for a period of two years and, in some cases in relation to the assertion, exercise, or defense of legal claims, for a longer period. The legal basis is Article 6(1)(f) of the GDPR, based on our legitimate interest in defending against possible civil law claims pursuant to Article 82 of the GDPR, the avoidance of administrative fines pursuant to Article 83 of the GDPR, and compliance with our accountability obligations pursuant to Article 5 of the GDPR.

You have the right to withdraw consent once given to us at any time. As a result, we will not continue to process data based on this consent in the future. Withdrawal of consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to withdrawal.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data on grounds relating to your particular situation at any time. Should you object to data processing for direct marketing purposes, you have a general right to object, which we shall comply with even if you do not state any reasons for your objection.

Should you wish to exercise your right to withdraw or object, simply send an informal email to the contact details given above.

Finally, you have the right to file a complaint with the data protection supervisory authority. You may exercise this right before a supervisory authority in the Member State in which you are staying, working, or in the place of the alleged infringement.

Version 2.1

Last amended: November 2023