Two Spice AG

1. What is the purpose of this Privacy Policy and what does it tell you?

Data privacy is a priority for us. Therefore, we always process your data with the utmost care and in accordance with the applicable legal requirements. Transparent information is essential for effective data privacy. In this Privacy Policy, we tell you how and for what purposes we process your personal data. In particular, you will learn:

  • which data we process, and for what purpose;
  • who has access to your data and with whom we share your data;
  • how long we keep your data;
  • what rights you have and how you can exercise those rights;
  • which cookies and other tools we use on our websites.

2. When is this Privacy Policy applicable?

This Privacy Policy applies to all processes during which we process your personal data, unless we inform you separately about these. This Privacy Policy applies in particular to the following processes:

  • you visit our websites;
  • you make a purchase in our restaurants, stores or online shops;
  • you use our online offerings or apps;
  • you subscribe to one of our newsletters;
  • you contact us;
  • you receive information or marketing communication from us;
  • you take part in our competitions;
  • you take part in one of our events;
  • you receive market research, opinion or customer surveys from us.

Please note that we may also notify you about data processing in other areas. As such, the applicable General Terms and Conditions may also contain data privacy arrangements (e.g. the GTC of our online shops).

3. Who is responsible for processing personal data?

In accordance with the data privacy rules, the company that stipulates the purpose for which, and the resources with which, the data are processed is responsible for processing personal data. Several companies may be jointly responsible for processing.

Two Spice AG, Industriestrasse 28, 8305 Dietlikon (hereinafter referred to as «Two Spice» or «we») is responsible for data processing in accordance with this Privacy Policy.

4. Whom can you contact with data privacy-related questions?

If you have any questions or concerns about data privacy, please contact:

Two Spice AG
Industriestrasse 28
8305 Dietlikon

Telephone +41 43 577 58 58

5. What are your rights?

5.1. Right to information

You can request information about the personal data we process about you at any time. Please send your request for information, together with proof of your identity, to us (see Clause 4).

We may restrict or refuse the information if this information is contrary to our legal obligations, our own legitimate interests, public interests or the interests of a third party. The same applies if the request for information is an abuse of law. If the effort involved is disproportionate, we may require a contribution towards the costs. In this case, we will inform you in advance.

The processing of your request is subject to the statutory 30-day processing period. However, we may extend this period if we are dealing with a large volume of enquiries, for legal or technical reasons, or because we require more detailed information from you. You will be given plenty of notice of any extension to the period, in text form as a minimum.

5.2. Erasure and rectification

You have the option to request the erasure or rectification of your personal data at any time.
We may refuse the request if statutory provisions require us to retain the data unchanged or for an extended period, or if we have a permission on grounds that override your request.
Please note that the exercise of your rights may conflict with contractual agreements and may impact on contract performance (e.g. early contract termination or cost implications).

5.3. Legal recourse

If you are affected by the processing of personal data you have the option to enforce your rights through a court or to submit a report to the relevant supervisory authority. The relevant supervisory authority in Switzerland is the Swiss Federal Data Protection and Information Commissioner:

6. Which terms do we use in this Privacy Policy?

In this Privacy Policy, we use certain terms that have a legal meaning. We explain the meanings of the key terms below.

6.1. Personal data

The term personal data denotes any information relating to an identified or identifiable natural person, such as name, address, date of birth, email address or telephone number. Data about personal preferences, such as leisure activities or membership, are also personal data.

6.2. Special category personal data

Special category personal data are data on religious, ideological, political or trade union-related views or activities; data on health and any information on administrative or criminal proceedings and sanctions, as well as data on social security measures. Where necessary and appropriate, we may request and process special category personal data. In this case, such data are processed in the strictest confidence.

6.3. Processing of personal data

Processing is any handling of personal data, regardless of the resources and procedures used, in particular the sourcing, storage, retention, use, modification, disclosure, archiving, erasure or destruction of data.

6.4. Anonymization

Anonymization denotes the procedure whereby personal data are modified so that no conclusions can be drawn about the natural person to whom they pertain. Unlike pseudonymization, anonymization cannot be reversed.

6.5. Pseudonymization

The pseudonymization of personal data describes the procedure for making personal data unrecognizable. This involves replacing data that identify a person (e.g. name, date of birth, place of residence) with a pseudonym (e.g. a code). Someone in possession of the crucial information can thus assign the data to a specific person (in a process called reverse pseudonymization or re-identification).

7. Which personal data do we process and where are they obtained?

We process the personal data about you that are necessary in order to fulfil the relevant purposes. More detailed information about the personal data processed can be found under the individual purposes (see Clause 8).

Usually, you share your personal data with us yourself, e.g. by transmitting them to us or when you communicate with us. To use certain services of ours, you must register as a customer in advance.

In certain instances, we collect data about you ourselves or automatically, e.g. when you use our services, shop with us, browse our websites or use our apps. Such data include, in particular, behavioural and transactional data, online identification data, and online tracking and traffic data (see Clause 8.3). In certain instances, we may also derive the data from existing data, for example by analysing transactional or behavioural data (see Clause 13).

We may also receive your personal data from a third party. Some examples of such third parties are:

  • people from your environment (e.g. address for delivery, authorized signatories);
  • banks or other contractual partners (e.g. when making purchases and payments);
  • online service providers (e.g. analysis services);
  • authorities (e.g. in connection with judicial proceedings);
  • public sources (e.g. public registers, media, Internet).

The personal data we receive from third parties may cover the following categories:

  • person master data (name, address, date of birth, etc.);
  • contact details (mobile number, email address, etc.);
  • financial data (e.g. account details);
  • online identification data (e.g. cookie identifier, IP addresses).

8. For what purpose do we process your personal data?

We may process your personal data for various purposes. Primarily, we use them in order to provide you with our services.

8.1. Contract performance

Usually, we have to process your personal data in order to conclude and perform contracts with you. This is the case when, for example, you make a purchase in one of our online shops or in one of our restaurants or stores, reserve a table in one of our restaurants (by telephone or online), make a purchase at one of our self-ordering machines, register for a customer account or loyalty programme, use one of our apps or avail yourself of any of our other online and offline offerings. In particular, contract performance may involve processing the following categories of personal data:

  • person master data (e.g. title, first name, last name, date of birth, gender, customer number, username);
  • contact information (e.g. home address, email address, telephone number, delivery address);
  • financial data (e.g. payment details, credit rating);
  • transactional data (e.g. shopping basket);
  • customer history (e.g. interaction with customer service, information about the handling of faults or complaints).

For the purpose of contract performance, we may undertake all processing necessary in order to initiate and conclude the contract, perform the contract or enforce the contract. In order to deliver an ordered product to you, we may have to share your data with third-party providers (e.g. delivery services). Furthermore, we share data with the relevant payment provider in order to process payment. We may also process your data in connection with enquiries from you about the product, remedying defects, handling complaints, reserving products or reviewing products.

8.2. Communication

In order to communicate with you and respond to your concerns, we have to process your personal data. This may be the case when you use one of our contact forms, contact us by email, post or telephone or another method, when we contact you, or for customer care. To this end, we process the following data in particular:

  • name and contact details (e.g. name, address, email address, telephone number);
  • content of the communication (e.g. letter, email, chat, comments on the website, telephone conversations);
  • communication metadata (e.g. information about the nature, time or, if applicable, location of the communication).

We may undertake all processing necessary in order to communicate with you. In particular, we may answer your enquiries or get in touch with you if we have questions. We may also use the communication data for quality assurance and training purposes. In this case, wherever possible the data will only be used in pseudonymized or anonymized form. Communication in connection with other purposes such as contract performance (Clause 8.1), marketing (Clause 8.3) or market research (Clause 8.4) may also be recorded. More information can be found under each purpose.

8.3. Marketing and information

To enable us to make attractive and suitable offers to you and send you interesting information about products, services, events, etc., we may process your personal data for marketing purposes. This is the case when, for example, you make a purchase in one of our online shops, place an order in one of our restaurants or stores, register for a customer account or our loyalty programme, use one of our apps, take part in a competition, or avail yourself of any of our other online and offline offerings. In particular, we may collect the following data about you for marketing purposes:

  • person master data (e.g. title, first name, last name, date of birth, gender, customer number, username);
  • contact information (e.g. home/delivery address, email address, telephone number);
  • behavioural and transactional data (e.g. shopping basket details, behaviour when shopping, participation in competitions, information about services to which you have subscribed);
  • online identification data (e.g. cookie identifier, IP addresses);
  • online tracking and traffic data (e.g. browsing behaviour, clicking behaviour when receiving newsletters);
  • profile data or data on personal preference (e.g. preferences in regard to products or services).

Marketing purposes cover all processing that enables us to inform you about our offerings in a suitable manner. We may send you written and electronic information or offers. This includes, for example, the electronic mailing of newsletters, emails, push notifications in apps or other electronic notifications as well as the postal mailing of advertising brochures, magazines or other printed material. It also includes digital advertising such as search, display, video or social ads. We may also send you vouchers or invite you to events or competitions. We may also show you recommendations for products or services on our websites and apps.

Furthermore, we may personalize the relevant offers and information based on the data we have available about you so that, as far as possible, you only receive information and offers that are relevant and of interest to you. To this end, we may undertake appropriate analyses and build profiles (see Clause 13). In addition, we measure the effectiveness of our advertising measures and evaluate them.

We may also instruct third-party providers to run advertising measures and advertising campaigns, measure conversions and perform the relevant evaluations (e.g. with the use of third party cookies, see also Clauses 18.2, 18.3).

You may unsubscribe at any time from marketing communication received. Each email communication contains a link to unsubscribe. Information on how to prevent marketing cookies (which, for example, result in personalized ads) can be found in the provisions on cookies (Clause 18.2).

8.4. Other purposes

We may also process your personal data for purposes other than those mentioned above. These include:

  • Market and opinion research: We may process your personal data to enable us to continually develop and improve our offerings. For example, we carry out customer surveys or questionnaires after you have ordered a product from us or made use of a service. For this purpose, we normally use only pseudonymized or anonymized data. We may evaluate and use the information in order to send you personalized offers (see Clauses 8.3 and 13).
  • Asserting legal claims: We may have to process your personal data in order that we can assert legal claims or defend against unjustified claims. This may involve various categories of personal data, depending on the situation.
  • Fulfilment of legal requirements and prevention and clarification of crimes or other misconduct: We may be under an obligation to verify fulfilment of legal requirements and to cooperate with the authorities in the event of violations of the law. Personal data may have to be processed for these purposes. All relevant personal data may be affected. This is the case, for example, for the enforcement of regulatory requirements (e.g. youth protection), when divulging information or documents to authorities if we are legally obliged to do so, or when cooperating with an official investigation (e.g. criminal prosecution or supervisory authority) if we are under a legal obligation to do so.
  • Security: We may have to process your personal data in order to guarantee your safety and the security of our business. This may involve any of your personal data. One specific example is the use of video surveillance in our sales outlets to safeguard products for sale and to detect thefts or assaults. The video surveillance systems are location-specific and are duly marked.
  • Other purposes: We may process your personal data for other purposes, such as in the context of our internal processes and administration. Some examples of other purposes are administrative purposes (such as the administration of master data, bookkeeping, data archiving and the inspection, management and continuous improvement of IT infrastructure) and the evaluation and improvement of internal processes. Analysing usage behaviour on our apps and websites in order to optimize them (see also Clause 18.3) and safeguarding other legitimate interests are also among the other purposes. This list of other purposes is non-exhaustive.

9. On what legal bases do we collect and process your personal data?

The legal basis for collecting and processing your personal data depends on the respective purpose of the processing in each individual case. The following principles apply:

We process your data in good faith and in accordance with the purposes stated in this Privacy Policy (see Clause 8). We seek to ensure transparent and proportionate processing.

If it is necessary, we rely on a justification when processing. Specifically, the following constitute justification:

  • your consent;
  • the execution of a contract or pre-contractual measures;
  • the fulfilment of legal provisions;
  • our legitimate interests, provided that your interests do not override them.

You can withdraw any consent you have granted at any time. You can write an email to us or, if available, use a corresponding link to unsubscribe. The legality of data processing already done remains unaffected by this.

Specifically, the following reasons constitute legitimate interests:

  • the offering and the development of our offerings, services, websites, apps and other platforms on which we are present;
  • communication with third parties and processing their enquiries (e.g. to deliver products and services to third parties);
  • reviewing and optimizing procedures for analysing customer needs, in order to directly target customers;
  • undertaking advertising and marketing activities and conducting market and opinion research;
  • combating fraud and complying with legal provisions.

10. To whom do we pass on your personal data?

10.1. To third parties

We may also pass on your personal data to third parties (e.g. to the company entrusted with delivering the goods or the credit institution that processes the payment) if this is necessary for contract execution or other purposes (Clause 8) or in order to make use of the required technical or organizational services. Such third parties are also bound by the data protection regulations and must ensure the security of your personal data by means of technical and organizational measures. Specifically, service providers in the following areas may be asked to process your personal data in this manner:

  • shipping and delivery (e.g. for food orders);
  • advertising and marketing (e.g. to send communications such as mailings, postcards, newsletters, display advertising; processing competitions, surveys and market research);
  • organization and staging of events and receptions;
  • business management and fiduciary arrangements;
  • payment services;
  • collection services;
  • IT services;
  • consultancy services and other services.

Our service providers may also process data on how their services are used, as well as other data involved in the use of their service, in the capacity of independent data controllers and for their own legitimate interests (e.g. for statistical analysis or billing). Service providers provide information about independent data processing in their respective privacy policies.

We may also pass your personal data on to other third parties for independent processing, in particular contractual partners with whom we are required under the respective contracts to share data.

We may also pass personal data on to authorities in Switzerland and abroad if we are legally obliged to do so, or legally justified in doing so, or if this is necessary to protect our legitimate interests. The authorities process the data they have received from us under their own responsibility.

11. Do we transfer your personal data abroad?

Wherever possible, we process your personal data in Switzerland or in the European Economic Area (EEA). Your personal data may be transferred to service providers abroad for contract processing (see Clause 10.2). Such transfer may be to anywhere in the world.

Data will be transferred to a third country which does not afford an adequate level of data protection only if the processor has put in place guarantees which the legislator deems fit to safeguard data protection (e.g. the EU’s standard contractual clauses). No transfer based on standard contractual clauses will take place without a prior risk assessment. If the risk assessment shows that the processor is unable to comply with the standard contractual clauses, we will ensure that additional technical measures are taken to safeguard the integrity and confidentiality of the transferred personal data.

12. Do we process special category personal data?

We process special category personal data (see Clause 6.2) only when absolutely necessary in order to provide a service and you have made the relevant data available to us or have consented to their processing.

13. How do we employ profiling?

Profiling involves automatically processing people’s purchase and behavioural data and amalgamating the data to form profiles which can reflect your interests and preferences. These profiles form the basis for us to show you products that interest you and are relevant to you. For this purpose, personal data such as person master data (see Clause 8.1), contract data (see Clause 8.1), communication data (see Clause 8.2), behavioural and transactional data, online identification data or online tracking and traffic data (see Clause 8.3) are evaluated.

We use such evaluations especially in order to be able to inform and advise you about certain services or products in a targeted way. Profiling enables us to continuously improve our offerings and adapt them to individual needs, share information and offers that meet your needs, or provide you with better customer support. Profiling also enables us to ensure that, where possible, you only receive information and offers that are actually relevant to you. For example, you receive discounts, see individual content in newsletters, apps and online shops (e.g. the products and discounts are shown in a sequence tailored to you) and only see advertising that is of interest to you.

14. Do we use automated decision-making?

Automated decision-making is when decisions that have legal consequences for the person concerned or otherwise significantly affect that person are made in a completely automated manner, i.e. without human influence.

We do not normally use automated decision-making. If we do, you will be separately informed.

15. How long do we keep your data?

We only store personal data for as long as necessary to fulfil the individual purposes for which the data were collected, or if we are legally obliged to retain them for longer.

In particular, we have to keep business communication, concluded contracts and accounting records for up to 10 years (see esp. Art. 958f of the Swiss Code of Obligations [CO]). Provided that we no longer require your data to perform the services, those data will be blocked. We will then only use the data for the purposes of financial accounting and taxes.

16. How do we protect your data?

We keep your personal data securely and take suitable technical and organizational measures to protect your personal data against loss, access, misuse, or modification. Our contractual partners and employees who have access to your personal data are obliged to comply with data protection provisions.

For security reasons and to protect transmissions of confidential information (e.g. your orders or queries), our website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line in the browser changes from “http://” to “https://” and by the lock icon on the address line. All the main payment methods (e.g. Visa/Mastercard, etc.) use only encrypted SSL or TLS connections for payments.

Because we cannot guarantee full data security for communication by email, we recommend sending confidential information through a secure means of transmission.

17. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time, e.g. if the types of processing or the legal situation change. You will be notified separately if there are significant changes insofar as this is reasonably practicable.

18. Website and cookie information

The information below explains how we process personal and other data in connection with our websites or apps. In particular, processing relies on cookies or similar technologies. The provisions below apply both to our websites and to apps, even if only one website is mentioned.

18.1. Provision of the website and creation of log files

What information do we receive and how do we use it?
When you visit our website, certain data are automatically stored on our servers or on servers of services and products which we have sourced and/or installed. This is done for the purposes of system administration, safeguarding, tracking, or statistical analyses. The data involved are:

  • the name of your Internet service provider;
  • (sometimes) your IP address;
  • the version of your browser software;
  • the operating system of the device used to access our website;
  • the date and time of access;
  • the website you previously visited;
  • the search terms you used to find our website;
  • browser type;
  • host name of the device;
  • type of access;
  • login status.

How can you prevent data being gathered?
The data are only stored for as long as is necessary to fulfil the purpose of their collection. Accordingly, the data are usually deleted after each session. Log files have to be stored in order for the website to function. Therefore, you do not have the option to object to these.

18.2. Cookies

How do cookies work and what are they for?
Cookies are text files that are stored in your device’s operating system via your browser whenever you visit a website. Cookies contain a unique identifier (ID) that enables us to distinguish individual visitors from others. However, you will not usually be identified. Cookies do not cause any harm on your device and do not contain any viruses. They are also used to significantly improve user interaction, so that certain settings remain stored for you, and they are essential for some technical features (e.g. session or shopping basket management).

What types of cookie are there?
Most of the cookies we use are what are known as “session cookies”, which are automatically deleted after the end of your visit.

Other cookies remain on your system until you delete them (usually, however, they are deleted after a maximum of 2 years). The purpose of these cookies is to store your preferences (e.g. language and location settings), quickly provide and attractively display the website content (e.g. by using fonts and content delivery networks), analyse the use of that website for statistical evaluation and for continuous improvements, and marketing purposes (usually by means of third-party cookies, see more below).

We may also use similar technologies such as pixel tags, fingerprint or other technologies to store data on the browser. Pixel tags enable certain information (e.g. whether and when a website was visited) to be transmitted to the server operator, in the form of small and normally invisible images or program codes that are loaded by a server. Fingerprints are used to collect information about the configuration of your system or browser when you visit a website, to distinguish your system from other devices. Most browsers also support additional technologies (such as web storage), which we may also use.

Which cookies or similar technologies do we use?
We may use the following types of cookies or similar technologies:

  • Essential cookies: These are cookies that are necessary in order for a website and its functions to be used. Among other things, these cookies ensure that form data already entered are not deleted when switching to another page and that shopping basket contents are not lost.
  • Performance cookies: We use performance cookies to perform analyses by collecting information about how a website is used. They show us, for instance, how visitors move around a website. We may also measure loading times or the behaviour of the website on different types of browser. Performance cookies enable us to keep improving our websites and the user experience.
  • Functional cookies: With these cookies, we can store certain data that you enter on our websites so that you don’t have to re-enter them (e.g. location, language, form data, etc.). This enables us to make our websites more user-friendly.
  • Marketing cookies: Marketing cookies allow us (or our marketing partners) to display ads to you on our websites (or third-party websites) that are adapted to your browsing behaviour and are of interest to you.

Do we use third-party cookies?
We may also use third-party cookies. In this case, the cookies will not be stored by us when you visit the website, but by the third-party provider. Such providers may also be based outside the European Economic Area (EEA), in which case data protection will be safeguarded by adequate measures (see Clause 11).

Some examples of third-party cookies are analytics services, tracking and retargeting measures, etc. These enable us to target you with ads on our websites or on third-party websites and measure the effectiveness of those adverts. The third-party providers may record your use of our websites and, if applicable, combine data collected on other websites. Said provider may also use these data for its own purposes, e.g. for personalized advertising on its own websites or other websites for which it supplies ads. If the provider can identify you (e.g. because you have a customer account), it can assign the user data to you. The associated processing is undertaken in accordance with the third-party provider’s data privacy provisions. The main third-party providers are Google and Facebook. The main tools we use are described below (see Clause 18.3).

How can you prevent data being gathered via cookies?
The cookies are stored on your device. You therefore have full control over the use of the cookies. You can delete them entirely or disable or restrict their transmission by altering your browser settings. You can also block tracking by certain third parties by means of a browser add-on. More information about the use of cookies can be found on the help pages of your browser. Once you have disabled cookies, you may no longer be able to enjoy the website’s full functionality.
Instructions for the main browsers are below:

In the case of cookies that are used to measure success and reach or for advertising, for many services there is usually a general opt-out option, provided by the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

Do we include third-party offerings on our website?
We may incorporate other third-party offerings on our websites, particularly from social media providers. These offerings are disabled by default. Once you enable them (e.g. by clicking a button), the providers concerned can determine that you are on our website. If you have an account with that social media provider, it can assign this information to you and thus track your use of online offerings. Social media providers process these data under their own responsibility.

18.3. Tracking Tools

We may use tracking tools on our websites and apps with the aid of which we analyse use of our online offerings and can target marketing measures at visitors. The main tracking tools we use are listed and explained below.

a. Google Analytics
How does Google Analytics work?
Our website uses Google Analytics, a service by Google Ireland Ltd. (Google Building Gordon House, Barrow St, Dublin 4, Ireland). Google uses cookies that are stored on your device to analyse your website usage. The information about your use of the website obtained via the cookie is usually transmitted to a Google server in the USA and stored there. We have added the «anonymizeIP» code to Google Analytics. This ensures that all data are collected anonymously. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and then truncated there.

Why do we use Google Analytics?
Google analyses the data collected on our behalf, so that we can build a picture of visits and user behaviour on our websites. We can then improve our services, the website content and its layout.

Which additional functions do we use?
We also use cookies for remarketing campaigns. This allows the advertising target groups created by Google Analytics Remarketing to be linked to the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising tailored to you based on your previous usage and browsing behaviour on one device (e.g. smartphone) can be displayed on one of your other devices (e.g. tablet or PC). If you have given Google the respective consent, Google links your web and app browser history to your Google account. In this way, the same personalized advertising can be displayed on every device from which you log into your Google account. To assist this function, Google Analytics collects the Google-authenticated IDs of the users who are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising.

How can you prevent your data being collected via Google Analytics?
You can prevent cookies being stored by changing the appropriate settings in your browser (see Clause 18.2). You can disable Google Analytics by downloading and installing the Google browser add-on.

18.4. Which data do we process on our pages in social networks?

We may maintain pages and other online presences on social networks and other platforms operated by third parties (“fan pages”, “channels”, “profiles”, etc.), where we collect the data described in Clause 7 and below. We obtain these data from you and the platforms when you contact us via one of our online presences (e.g. when you communicate with us, comment on our content or visit our presence). At the same time, the platforms analyse your use of our online presences and link these data with other known data which the platforms have about you (e.g. about your behaviour and your preferences). The platforms also process these data for their own purposes, under their own responsibility, in particular for marketing and market research purposes (e.g. in order to personalize advertising) and in order to manage their platforms (e.g. which content they show you).

We process these data for the purposes described in Clause 8, in particular for communication, for marketing purposes (including advertising on these platforms, see also Clause 18.2) and for market research. We may disseminate content (e.g. in our advertising on the platform, or elsewhere) that you publish yourself (e.g. comments on a post). We or the operators of the platforms may also delete or restrict content by or about you in accordance with the usage guidelines (e.g. inappropriate comments).

For more information about processing by the platform operators, please refer to the respective platform’s data privacy notice, where you can also find out in which countries they process your data, what information, erasure and other rights you have as a data subject, and how you can exercise those rights or obtain further information.

Last update: September 2023