Privacy Policy

Data Protection Declaration and Consent to Data Usage on www.kmhaustechnik.ch of K+M Haustechnik AG.

1. What is this privacy policy about?

K+M Haustechnik AG (hereinafter also «we», «us») procures and processes personal data that concern you or other persons (so-called «third parties»). We use the term «data» here interchangeably with «personal data».

In this privacy notice, we describe what we do with your data when you use www.kmhaustechnik.ch, other websites belonging to us, or our apps (hereinafter collectively referred to as the «Website»), obtain our services or products, are otherwise connected with us under a contract, communicate with us, or have dealings with us in any other way. Where applicable, we will inform you via timely written notice about additional processing activities not mentioned in this privacy notice. In addition, we may inform you separately about the processing of your data, e.g. in consent declarations, contractual terms, additional privacy notices, forms, and advisories.

If you provide or disclose data about other individuals, such as family members, work colleagues, etc., we assume you are authorised to do so and that this data is accurate. By submitting data about third parties, you confirm this. Please also ensure that these third parties have been informed of this privacy policy.

This privacy policy is designed to meet the requirements of the EU's General Data Protection Regulation («GDPR»), the Swiss Federal Act on Data Protection («FADP»), and the revised Swiss Federal Act on Data Protection («revFADP»). However, whether and to what extent these laws apply depends on the specific case.

2. Who is responsible for processing your data?

For the data processing described in this privacy policy of www.kmhaustechnik.ch, K+M Haustechnik AG in Silvaplana is responsible under data protection law, unless otherwise communicated in individual cases, e.g. in further privacy policies, on forms or in contracts.

You can reach our data protection officer for your data protection concerns and the exercise of your rights in accordance with Section 11 as follows:

Data Protection Officer in accordance with Art. 37 et seq. GDPR, Art. 10 revDSG, EU pursuant to Art. 27 GDPR, Switzerland pursuant to Art. 14 revDSG, United Kingdom (UK) according to Art. 27 UK GDPR:

K+M Haustechnik AG
Data Protection Officer
Via verso Mulins 40/41
7513 St. Moritz

info@kmhaustechnik.ch

3. What data do we process?

We process various categories of data about you. The main categories are as follows:

Technical data

When you use our website or other electronic services, we collect technical data from your device to ensure the functionality and security of these services. This data also includes logs that record the use of our systems. We typically store technical data for [1-14] months. To ensure the functionality of these services, we may also assign an individual code to you or your device (e.g. in the form of a cookie, see section 12). Technical data in itself generally does not allow conclusions to be drawn about your identity. However, in the context of user accounts, registrations, access controls or the processing of contracts, it may be linked to other data categories (and thus, if applicable, to your person).

Registration details

Certain offers, for example from competitions, and services (e.g. login areas of our website, newsletter dispatch, free Wi-Fi access, etc.) can usually only be used with a user account or registration, which can be done directly with us or via our external login service providers. You will need to provide certain data, and we will collect data on the use of the offer or service. We generally store registration data for [1-14] months after the end of the use of the service or the deletion of the user account. This period may be longer if required for evidence purposes, in compliance with legal or contractual obligations, or for technical reasons. This data is generally retained for at least [10] years.

Communication data

If you contact us via the contact form, email, telephone or chat, by post or by any other means of communication, we will collect the data exchanged between you and us, including your contact details and the metadata of the communication. If we record or listen in on telephone calls or video conferences, for example for training and quality assurance purposes, we will specifically inform you of this. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed whether and when such recordings take place, e.g. by an announcement during the relevant video conference. If you do not wish to have a recording, please inform us or end your participation. If you simply do not want your image recorded, please turn off your camera. If we want or need to establish your identity, e.g. in response to a request for information from you, an application for media access, etc., we will collect data to identify you (e.g. a copy of an ID). We generally store this data for [1-14] months from our last exchange with you. This period may be longer insofar as this is necessary for evidence purposes or to comply with legal or contractual requirements, or is technically necessary. Emails in personal mailboxes and written correspondence are generally kept for at least [10] years.

Master data

We refer to master data as the basic data, alongside contract data (see below), that we require for the processing of our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information about your role and function, your bank details, your date of birth, customer history, powers of attorney, signing authorities and declarations of consent. We process your master data if you are a customer or other business contact, or act on behalf of one (e.g. as a contact person for a business partner), or because we wish to approach you for our own purposes or for the purposes of a contractual partner (e.g. in the context of marketing and advertising, with invitations to events, with vouchers, with newsletters, etc.). We obtain master data from you yourself (e.g. during a purchase or as part of a registration), from bodies for which you work, or from third parties such as our contractual partners, associations and address dealers, and from publicly accessible sources such as public registers or the internet (websites, social media, etc.). As part of master data, we may also process health data and information about third parties. We may also collect master data from our shareholders and investors. We generally store this data for [10] years from the last exchange with you, but at least from the end of the contract. This period may be longer if required for evidentiary reasons or to comply with legal or contractual requirements, or if technically necessary. For purely marketing and advertising contacts, the period is normally considerably shorter, usually not more than [2] years since the last contact.

Contract data

This is data that arises in connection with the conclusion or processing of a contract, e.g. details about contracts and the services to be provided or that have been provided, as well as data from the period before a contract is concluded, which are necessary or used for processing, and details about reactions (e.g. complaints or details about satisfaction, etc.). We usually collect this data from you, from contractual partners and from third parties involved in the processing of the contract, but also from third-party sources (e.g. credit data providers) and from publicly accessible sources. We generally store this data for [10] years from the last contract activity, but at least from the end of the contract. This period may be longer if this is necessary for evidential reasons or to comply with legal or contractual requirements, or if it is technically necessary.

Behavioural and preference data

Depending on our relationship with you, we try to get to know you and tailor our products, services, and offers to you more effectively. To do this, we collect and use data about your behaviour and preferences. We do this by evaluating information about your behaviour within our domain, and we can also supplement this information with data from third parties, including publicly accessible sources. Based on this, we can, for example, calculate the probability that you will use certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g. if you use our services), or we obtain this data by recording your behaviour (e.g. how you navigate our website or our social media platforms). We anonymise or delete this data when it is no longer meaningful for the purposes pursued, which can be the case depending on the type of data, ranging from [2-3] weeks to [24] months (for product and service preferences). This period may be longer, insofar as this is necessary for evidential reasons, to comply with legal or contractual requirements, or is technically determined. We describe how tracking works on our website in Section 12.

Other data

We also collect data from you in other situations. For example, in the context of administrative or legal proceedings, data may be generated (such as files, evidence, etc.) that may also relate to you. We may also collect data for health and safety reasons (e.g. as part of health and safety protocols). We may receive or produce photographs, videos and audio recordings in which you may be recognisable (e.g. at events, via security cameras, etc.). We may also collect data on who enters certain buildings and when, or who has the relevant access rights (including at access controls, based on registration data or visitor lists, etc.), who participates in events or activities (e.g. competitions) and when, or who uses our infrastructure and systems and when. Finally, we collect and process data on our shareholders and other investors; in addition to master data, this includes, amongst other things, information for the relevant registers, regarding the exercise of their rights and the organisation of events (e.g. general meetings). The retention period for this data depends on the purpose and is limited to what is necessary. This ranges from a few days for many of the security cameras and, as a rule, a few weeks for contact tracing data, through visitor data, which is generally retained for [3] months, to reports on events with images, which may be retained for several years or longer.

Much of the data mentioned in this Section 3 is provided by you voluntarily (e.g., via forms, in the course of communication with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, subject to individual cases, e.g., in the context of binding protection concepts (legal obligations). If you wish to conclude contracts with us or claim services, you must also provide us with data within the scope of your contractual obligation according to the relevant contract, in particular master, contract, and registration data. When using our website, the processing of technical data is unavoidable. If you wish to gain access to certain systems or buildings, you must provide us with registration data.

Where this is not impermissible, we also obtain data from publicly accessible sources (e.g. debt enforcement registers, land registers, commercial registers, media or the internet, including social media) or receive data from other companies within our group, from authorities and from other third parties (such as credit reporting agencies, address brokers, associations, contractual partners, internet analysis services, etc.).

4. For what purposes do we process your data?

We process your data for the purposes explained below. Further information for the online area can be found in sections 12 and 13. These purposes or the objectives underlying them represent legitimate interests of ours and, where applicable, of third parties. You will find further details on the legal bases for our processing in section 5.

We process your data for purposes related to communicating with you, particularly for responding to enquiries and asserting your rights (point 11), and to contact you if we have further questions. To this end, we use communication data and master data in particular, and in connection with the offers and services you use, also registration data. We retain this data to document our communication with you, for training purposes, for quality assurance, and for follow-up. We process data for the establishment, administration, and execution of contractual relationships.

We process data for marketing purposes and for customer relationship management, e.g. to send our customers and other contractual partners personalised advertising for products and services from us and from third parties (e.g. from advertising contractual partners). This can be done, for example, in the form of newsletters and other regular contacts (electronic, by post, by telephone), via other channels for which we have contact information from you, but also as part of individual marketing campaigns (e.g. events, competitions, etc.) and may also include free services (e.g. invitations, vouchers, etc.). You can reject such contacts at any time (see the end of this section 4) or refuse or withdraw your consent to be contacted for advertising purposes. With your consent, we can target our online advertising on the internet more precisely at you (see section 12). We further process your data for market research, to improve our services and our operations, and for product development. We may also process your data for security purposes and for access control. We process personal data to comply with laws, instructions and recommendations from authorities and internal regulations («Compliance»). We also process data for our risk management purposes and as part of prudent corporate governance, including business organisation and corporate development.

5. On what basis do we process your data?

Where we ask for your consent for specific processing, we will inform you separately about the respective purposes of the processing. You can revoke your consent at any time by written notification (by post) or, if not otherwise stated or agreed, by email to us at any time with effect for the future; our contact details can be found in Sec. 2. For the revocation of your consent for online tracking, see Sec. 12. Where you have a user account, a revocation or contact with us may also be carried out via the relevant website or other service. As soon as we have received the notification of the revocation of your consent, we will no longer process your data for the purposes to which you originally consented, unless we have another legal basis for doing so. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of revocation.

Where we do not ask for your consent to processing, we base the processing of your personal data on the fact that processing is necessary for the initiation or performance of a contract with you (or the entity you represent), or that we or third parties have a legitimate interest in doing so, in particular to pursue the purposes and related objectives described in Section 4 above and to be able to carry out corresponding measures. Our legitimate interests also include compliance with legal regulations, insofar as these are not already recognised as a legal basis by the applicable data protection law (e.g., for the GDPR, the law in the EEA and Switzerland).

If we receive sensitive data, we may also process your data on other legal grounds, for example, in the event of disputes due to the necessity of processing for any potential legal proceedings or the assertion or defence of legal claims. In individual cases, other legal grounds may apply, which we will communicate to you separately if necessary.

6. What applies to profiling and automated individual decisions?

We can automatically assess certain of your personal characteristics for the purposes mentioned in section 4 using your data (section 3) («profiling»), but also to identify abuse and security risks, to perform statistical analyses, or for operational planning purposes. For the same purposes, we can also create profiles, i.e. we can combine behavioural and preference data, as well as master and contract data and technical data assigned to you, in order to better understand you as an individual with your different interests and other characteristics.

If you are a customer, we can use «profiling» based on your purchases to determine which other products are likely to interest you. We can also use this to check your creditworthiness before offering you payment on account. Automated data analysis can also check, for your protection, the probability that a specific transaction was fraudulent. This allows us to stop the transaction for clarification. This is to be distinguished from «profiles». This refers to the linking of different data in order to gain hints about essential aspects of your personality (e.g. what you like or how you behave in certain situations) from the entirety of this data. Profiles can also be used for marketing, for example, but also for security purposes.

We use anonymous movement profiles in a non-personal way, for example to give our contract partners recommendations for avoiding peak times. For personalised movement profiles, we use personal data, for example, to point out interesting offers and products near you, to deduce your interests from the location data (duration of stay), and to inform you which products and services other contract partners with similar interests have used.

In both cases, we ensure the proportionality and reliability of the results and take measures against the misuse of these profiles or profiling. If these could have legal effects or significant disadvantages for you, we generally provide for a manual review.

7. Who will your data be disclosed to?

In connection with our contracts, website, services and products, our legal obligations or otherwise to protect our legitimate interests and for the other purposes listed in Section 4, we also transfer your personal data to third parties, in particular to the following categories of recipients:

Service provider

We work with service providers, both domestically and abroad, who process data about you on our behalf or in joint responsibility with us, or who receive data about you from us in their own responsibility.

In order to provide our products and services efficiently and to enable us to concentrate on our core competencies, we obtain services from third parties in numerous areas. These services include, for example, IT services, information dispatch, marketing, sales, communication or printing services, building management, security and cleaning, organisation and execution of events and receptions, debt collection, credit agencies, address checkers (e.g. for updating address databases in case of moves), fraud prevention measures, and services from consulting firms, lawyers, banks, insurers and telecommunications companies. We disclose to these service providers the data required for their services, which may also concern you. These service providers may also use such data for their own purposes, e.g. details of outstanding claims and your payment behaviour in the case of credit agencies or anonymised data for the improvement of services. Furthermore, we enter into contracts with these service providers that include provisions for data protection, insofar as such protection is not mandated by law. Our service providers may, under certain circumstances, process data such as how their services are used and other data arising from the use of their services, as independent controllers for their own legitimate interests (e.g. for statistical analyses or billing). Service providers provide information on their independent data processing in their own privacy policies.

Contracting parties including customers

This initially refers to customers (e.g. beneficiaries of services) and other contractual partners of ours, as this data transfer arises from these contracts. For example, they receive registration data for vouchers issued and redeemed, invitations, etc. If you work for such a contractual partner yourself, we may also transfer data about you to them in this context.

Authorities

We may pass on personal data to offices, courts and other authorities, both in the UK and abroad, if we are legally obliged or entitled to do so, or if it appears necessary to protect our interests. The authorities will process data about you that they receive from us, under their own responsibility.

More people

This refers to other cases where the involvement of third parties arises from the purposes set out in point 4.

All these categories of recipients can, in turn, involve third parties, meaning that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).

8. Will your personal data be transferred abroad?

As explained in Section 7, we also disclose data to other parties. These are not only located in Switzerland. Your data may therefore be processed in Europe; in exceptional cases, however, in any country in the world.

Where a recipient is located in a country that does not have adequate data protection laws, we contractually oblige the recipient to comply with applicable data protection laws (for this purpose, we use the revised Standard Contractual Clauses of the European Commission, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless they are already subject to a legally recognised framework for ensuring data protection and we cannot rely on an exemption. An exemption may notably apply in the case of foreign legal proceedings, but also in cases of overriding public interests or if a contract's performance requires such disclosure, if you have consented or if it concerns data that you have made generally accessible and have not objected to its processing.

Please also note that data exchanged over the internet is often routed through third countries. Therefore, your data may be transferred abroad even if the sender and recipient are in the same country.

9. How long do we process your data?

We process your data for as long as our processing purposes, statutory retention periods, and our legitimate interests in processing for documentation and evidence purposes require, or for as long as the storage is technically necessary. Further details on the respective storage and processing duration can be found under the individual data categories in Section 3 or under the cookie categories in Section 12. Unless legal or contractual obligations prevent it, we will delete or anonymise your data after the storage or processing period has expired as part of our usual processes.

For documentation and evidential purposes, we are interested in documenting processes, interactions, and other facts in the event of legal claims, disputes, IT and infrastructure security purposes, and to demonstrate good corporate governance and compliance. Due to technical reasons, retention may be necessary if certain data cannot be separated from other data and we therefore have to retain it with them (e.g., in the case of backups or document management systems).

10. How do we protect your data?

We take appropriate security measures to protect the confidentiality, integrity, and availability of your personal data, to protect it from unauthorised or unlawful processing, and to counteract the risks of loss, accidental alteration, unintentional disclosure, or unauthorised access.

Technical and organisational security measures may include, for example, encryption (e.g. SSL, TLS) and pseudonymisation of data, logging, access restrictions, data backups, instructions for our employees, confidentiality agreements, and audits. We protect your data transmitted via our website during transit using appropriate encryption mechanisms. However, we can only secure areas that we control. We also require our processors to implement appropriate security measures. However, security risks cannot generally be entirely excluded; residual risks are unavoidable.

11. What rights do you have?

The applicable data protection law grants you the right to object to the processing of your data under certain circumstances, particularly for direct marketing purposes, profiling carried out for direct advertising, and other legitimate interests in processing.

To make it easier for you to control the processing of your personal data, you may also have the following rights in connection with our data processing, depending on applicable data protection law:

The right to request information from us as to whether and what data we process about you;
the right to have inaccurate data corrected;
the right to request the deletion of data;
the right to request that we hand over certain personal data in a commonly used electronic format or transfer it to another controller;
the right to withdraw consent where our processing is based on your consent;
the right to request further information necessary for the exercise of these rights;
the right to state your point of view in relation to automated individual decisions (point 6) and to request that the decision be reviewed by a natural person.

If you wish to exercise the aforementioned rights in relation to us, please contact us in writing, in person, or, unless otherwise stated or agreed, by e-mail; our contact details can be found in Section 2. To rule out misuse, we need to identify you (e.g. with a copy of your ID, if this is not otherwise possible).

Please note that Voraussetzungen, exceptions or restrictions may apply to these rights under applicable data protection law (e.g. to protect third parties or trade secrets). We will inform you accordingly where appropriate.

If you disagree with our handling of your rights or the protection of your data, please let us know or inform our data protection officers (section 2). In particular, if you are located in the EEA, the United Kingdom or Switzerland, you also have the right to lodge a complaint with the data protection supervisory authority in your country.

12. Do we use online tracking and online advertising techniques?

On our website, we use various technologies that allow us and third parties engaged by us to recognise you in your use and potentially track you across multiple visits. In this section, we will inform you about this.

At its core, it’s about being able to distinguish your access (via your system) from that of other users, so that we can ensure the functionality of the website and carry out analyses and personalisations. We do not wish to infer your identity, even if we can do so by combining information with registration data, either ourselves or by third parties engaged by us. Even without registration data, however, the techniques employed are designed so that you are recognised as an individual visitor on each page view, for example, by our server (or those of third parties) assigning a specific identification number to you or your browser (a so-called «cookie»).

Cookies are individual codes (e.g., a serial number) that our server or the server of our service providers or advertising partners transmits to your system when you connect to our website, and which your system (browser, mobile) accepts and stores until the programmed expiry date. With every subsequent access, your system transmits these codes back to our server or the server of the third party. This way, you are recognised again, even if your identity is unknown.

Other techniques can also be used, with which you can be recognised (i.e. differentiated from other users) with a greater or lesser probability, e.g. «fingerprinting». Fingerprinting combines the browser you use, screen resolution, language settings and other information that your system sends to every server, resulting in a more or less unique fingerprint. This way, cookies can be dispensed with.

So, whenever you access a server (for example, when using a website, an app or because an image is integrated visibly or invisibly in an email), your visits can be «tracked». If we integrate offers from an advertising contract partner or a provider of an analysis tool on our website, they can track you in the same way, even if you cannot be identified in individual cases.

We use such technologies on our website and allow certain third parties to do so as well.

You can program your browser to block, spoof, or delete specific cookies or alternative techniques. You can also extend your browser with software that blocks tracking by specific third parties. Further information on this can be found on your browser's help pages (usually under the keyword «Privacy») or on the websites of the third parties listed below.

The following cookies (techniques with comparable functions to fingerprinting are also included) are distinguished:

Essential Cookies

Some cookies are essential for the website to function as such or for certain features. For example, they ensure that you can switch between pages without losing information entered in a form. They also ensure that you remain logged in. These cookies are only temporary («session cookies»). If you block them, the website may not function. Other cookies are necessary for the server to store decisions or entries made by you beyond a session (i.e., a visit to the website), if you use this function (e.g., selected language, granted consent, the function for automatic login, etc.). These cookies have an expiry date of up to [24] months.

Performance Cookies

To optimise our website and related offerings and to better tailor them to user needs, we use cookies to record and analyse website usage, potentially beyond the session. We do this using third-party analytics services, which are listed below. Performance cookies also have an expiry date of up to [24] months. For details, please see the third-party websites.

Marketing Cookies

We and our advertising partners have an interest in targeting advertising precisely, meaning we want to show it only to those we wish to address. Our advertising partners are listed below. For this purpose, we and our advertising partners also use cookies that can record the content viewed or contracts concluded. This enables us and our advertising partners to display advertisements that we believe will be of interest to you, both on our website and on other websites that display advertising from us or our advertising partners. Depending on the situation, these cookies have an expiry date of a few days up to [12] months.

In addition to marketing cookies, we use other techniques to control online advertising on other websites, thereby reducing wasted reach. For example, we may transmit the email addresses of our users, customers, and other individuals to whom we wish to show advertisements to operators of advertising platforms (e.g. social media). If these individuals are registered there with the same email address (which the advertising platforms determine through a matching process), the operators will show the advertisements placed by us specifically to these individuals. The operators do not receive personally identifiable email addresses of individuals who are not already known to us. However, for known email addresses, they learn that these individuals are connected to us and which content they have viewed.

We can also integrate further third-party offers on our website, particularly from social media providers. If you have an account with the social media provider, they can attribute this information to you and thus track your use of online services. These social media providers process this data under their own responsibility.

We currently use services from the following service providers and advertising partners:

Google Analytics

Google Ireland (based in Ireland) is the provider of the service and acts as our processor. Google Ireland relies on Google LLC (based in the USA) as its processor (both «Google»). For information on data protection, please see here [https://policies.google.com/].

Google Ads

Google Fonts

Google reCaptcha

Google Maps

Google Tag Manager

Which data do we process on our social media pages?

We may operate pages and other online presences (e.g. «fan pages», «channels», «profiles») on social networks and other third-party platforms and collect data about you there as described in section 3 and below. We receive this data from you and the platforms when you interact with us via our online presence (e.g. when you communicate with us, comment on our content or visit our presence). At the same time, the platforms analyse your use of our online presences and link this data with further data they know about you (e.g. about your behaviour and preferences). They also process this data for their own purposes and under their own responsibility, in particular for marketing and market research purposes (e.g. to personalise advertising) and to manage their platforms (e.g. which content they show you).

We process this data for the purposes described in Section 4, particularly for communication, marketing purposes (including advertising on these platforms; see Section 12), and market research. You can find information on the relevant legal bases in Section 5. We may further distribute content that you publish yourself (e.g., comments on an announcement) (e.g., in our advertising on the platform or elsewhere). We or the platform operators may also delete or restrict content from or about you in accordance with the usage guidelines (e.g., inappropriate comments).

Further details regarding the processing carried out by the platform operators can be found in the platform's privacy policy. There you will also find out in which countries they process your data, what rights you have to information, deletion, and other rights as a data subject, and how you can exercise these rights or obtain further information.

We are currently using the following platforms:

Facebook

We operate the site www.facebook.com/profile.php?id=100075987431730 here. The organisation responsible for operating the platform for users from Europe is Meta Ireland Ltd., Dublin, Ireland. Their privacy policy can be found at www.facebook.com/policy.

Instagram

We operate the website www.instagram.com/kmhaustechnikag/ here. The responsible body for operating the platform for users from Europe is Meta Ireland Ltd., Dublin, Ireland. Their privacy policy can be accessed at https://privacycenter.instagram.com/policy.

14. Can this privacy policy be changed?

This Privacy Policy does not form part of a contract with you. We may amend this Privacy Policy at any time. The version published on this website is the current version at all times.

Last updated: February 2026