Privacy policy

1. What is this privacy policy about?
2. Who is responsible for processing your data?
3. What data do we process?
4. For what purposes do we process personal data?
5. How do we process data in connection with our website?
6. How do we process data on our social media platforms?
7. How do we process data for newsletters?
8. How do we process data in email communications?
9. How do we use profiling?
10. How do the Planted companies work together?
11. How do we work with service providers, partners, and government agencies?
12. Can we transfer data abroad?
13. What are the legal bases for data processing?
14. How long do we process your personal data?
15. What rights do you have?
16. Changes to this Privacy Policy

1 What is this Privacy Policy about?

Planted Foods AG, Kemptpark 32/34, Building 1244, 8310 Kemptthal (Switzerland) - hereinafter “Planted,” “we,” or “us” - processes personal data from customers, partners, prospects, and other individuals who are in contact with us.
This Privacy Policy explains what data we process, for what purposes, and what rights you have in this regard.

In doing so, we comply with the revised Swiss Data Protection Act (nDSG) and— where applicable—the European General Data Protection Regulation (GDPR).
Whether and to what extent the GDPR applies depends on the specific case, in particular on whether we offer our services to you within the EU or monitor your behavior in the EU.

This Privacy Policy applies to all instances in which you contact us, for example, when you:

• order products or register on our website

• you participate in a contest, promotion, or loyalty program

• communicate with us or use our social media channels

• if you work with us as a supplier, restaurant, or distribution partner

• subscribe to our newsletter or sign up for events

If you provide us with personal data about third parties (e.g., contacts of colleagues or referrals in the referral program), you confirm that these individuals have been informed and that you are authorized to do so.

If you have any questions about data protection, you can contact us at any time—our contact information can be found in Section 2.

2 Who is responsible for processing your data?

Data Controller

The data controller for all processing activities described in this Privacy Policy is

Planted Foods AG
Kemptpark 32/34, Building 1244
8310 Kemptthal, Switzerland
Email: [email protected]

responsible.

If you have any questions about data protection, would like to request access to your data or have it deleted, or wish to exercise your right to object, you can contact us at any time.

Data Protection Officer (nDSG)

Planted Foods AG has appointed an internal contact person for data protection matters
This person ensures that we comply with our data protection obligations, conduct training sessions, and regularly review our data processing activities.
You can reach them via the same contact address—please indicate in the subject line that this is a data protection inquiry.

Representation in the European Union

For inquiries from individuals or supervisory authorities within the EU or the EEA, the

Planted Foods GmbH
Birkenstrasse 22
10559 Berlin, Germany
Email: [email protected]

as our representative pursuant to Article 27 of the GDPR.

3 What data do we process?

Depending on the situation, we process various types of personal data.
Below you will find the most important categories, along with examples. This list is not exhaustive, but it covers all typical situations in which you may come into contact with us.

a) Master data

Information we need to identify you or your business—e.g., :

• First and last name

• Shipping and Billing Address

• Email address, phone number

• Language, preferred form of address

• For business contacts: Position, employer, relationship to Planted

b) Contract and transaction data

Data generated in connection with orders, deliveries, or partnerships, such as:

• Information about orders, subscriptions, or invoices

• Payment information (e.g., selected payment method, status, payment provider)

• Credit checks or risk assessments by payment service providers

• Participation in promotions, contests, or (future) loyalty / referral programs

• Complaints, Returns, Warranty Claims

c) Communication data

All information generated in the course of our communication—for example:

• Emails, contact or support requests, chat or social media messages

• Date, time, and type of communication

• Information you provide to us (e.g., feedback, requests, job applications)

If you submit a request for access or deletion, we may ask you to provide additional information for identification purposes (e.g., a copy of an ID or a verified email address).

d) Technical and usage data

Data that is automatically collected when you use our digital services:

• IP address and device ID

• Information about the device, browser, operating system, and language settings

• Date, time, duration, and frequency of access

• Pages visited, interactions, click path, search terms

• Cookies and similar technologies (see Section 5.2 for details)

We use this data to provide, secure, and improve our systems.

e) Behavioral and preference data

We want to show you content that’s truly relevant to you. To do this, we analyze— where permitted—your behavior and preferences, such as:

• Previous purchases, shopping carts, abandoned orders

• Responses to newsletters or ads (e.g., opens, clicks)

• Participation in surveys or events

• Inferred interests and product preferences

We do not create sensitive personal profiles or make automated decisions with legal consequences.

f) Application information

If you apply for a job with us or if your profile is recorded in connection with a potential position with us, we process the following information in particular:

• Contact information, resume, proof of education and work experience, employment references and references

• Information regarding previous work experience, qualifications, language skills, and other competencies

• Notes from job interviews, assessments, and evaluations

• Information from reference reports

• Information from publicly available professional sources (e.g., LinkedIn profiles), to the extent that such information is relevant to assessing your suitability

• Information regarding salary expectations, availability, notice periods, and work permits

• where required for the specific position or permitted by law, additional information, e.g., regarding health issues, special needs, criminal records, debt collection proceedings, or other background information

If you provide us with sensitive personal data during the application process or if such data is required for the specific position, we may also process this data to the extent permitted by law.

This data will be used exclusively in connection with the application process, the assessment of your suitability, the preparation of a potential employment relationship, and for related administrative and legal purposes. If you are not hired, the data will be deleted or anonymized upon completion of the process, or retained only to the extent permitted by law or authorized by you.

g) Photos and videos

Photos or videos may be taken during events, promotional activities, or visits to our premises.
We use such recordings only if you have given your consent or if there is a legitimate interest (e.g., to document public events).

h) Other categories

Depending on the context, additional data may be processed, for example in connection with:

• Security and access controls (e.g., visitor logs)

• Supplier and Partner Management

• Legal proceedings or obligations to provide information to government agencies

4 For what purposes do we process personal data?

We process personal data only when there is a legitimate purpose for doing so.
Depending on the situation, this may be a contractual obligation, a legitimate interest, a legal requirement, or your consent.
Below you will find the most important purposes of processing, along with examples.

a) Conclusion and execution of contracts

We process data to prepare, conclude, and fulfill contracts— for example, for orders placed in our online store, deliveries, payments, warranty claims, customer service, or partnerships with restaurants and distribution partners.
This also includes credit checks, the management of customer accounts, as well as inquiries and complaints.

Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR / Art. 31(2) nDSG).

b) Conducting recruitment processes and assessing suitability

If you apply for a position with us or are being considered for a position, we process your data to review your application, assess your suitability for a specific position or, where applicable, other suitable positions within the Planted Group, to conduct interviews, assessments, or reference checks, to document the application process, and to prepare and conclude a potential employment contract.

To this end, we may also process data from reference checks, publicly available professional sources, registries, or background checks, to the extent necessary and permitted by law. If you are currently employed by or have previously been employed by a company within the Planted Group, we may also take into account existing information from that context.

Legal basis: pre-contractual measures, legitimate interest in assessing suitability and conducting an orderly recruitment process, as well as consent or a legal obligation where applicable (Art. 6(1)(b), (f), (a), and (c) of the GDPR; Art. 31(1) and (2) of the nDSG).

c) Communication and Support

When you contact us—via email, phone, chat, contact form, or social media—we use your information to respond to your inquiry, contact you if we have any follow-up questions, and document our correspondence.

Legal basis: Performance of a contract or legitimate interest in efficient communication (Art. 6(1)(f) GDPR / Art. 31(1) nDSG).

d) Marketing, personalization, and market research

We want to show you content and offers that truly interest you.
To do this, we analyze—where permitted—your behavior (e.g., past purchases, clicks in newsletters, website usage) and use this information to create target groups and interest profiles.
You can object to this at any time or withdraw your consent (see Section 15).

Legal basis: Legitimate interest in direct marketing or consent (Art. 6(1)(f) / (a) GDPR; Art. 31(1) nDSG).

e) Improving our products, services, and website

We also analyze data to improve our products, recipes, packaging, and digital offerings, to analyze processes, and to develop new features.
Whenever possible, we use anonymized or aggregated information.

Legal basis: Legitimate interest in improving products and services (Art. 6(1)(f) GDPR / Art. 31(1) nDSG).

f) IT and operational security

To ensure the availability, integrity, and confidentiality of our systems, we store and review technical logs, perform security backups, and prevent misuse, fraud, or unauthorized access.

Legal basis: Legitimate interest in IT security and prevention of misuse (Art. 6(1)(f) GDPR / Art. 31(1) nDSG).

g) Compliance with legal obligations

We process data when required by law—for example, to comply with tax and commercial law retention requirements, to defend against legal claims, or to cooperate with authorities.

Legal basis: Legal obligation (Art. 6(1)(c) GDPR / Art. 31(1) nDSG).

(h) To assert or defend legal claims

If necessary, we use data to assert our claims or to defend ourselves against claims—in court, before government agencies, or out of court.

Legal basis: Legitimate interest in safeguarding legal claims (Art. 6(1)(f) GDPR / Art. 31(1) nDSG).

(i) Business development, transactions, and internal administration

We may also process data in connection with mergers, acquisitions, or restructuring.
In addition, we process personal data for training, accounting, and administrative purposes, or to improve internal processes .

Legal basis: Legitimate interest in efficient business management (Art. 6(1)(f) GDPR / Art. 31(1) nDSG).

5 How do we process data in connection with our website?

When you visit our website or use our online store, various types of data are automatically collected. Some of this data is technically necessary, while other data—depending on your settings—is used for statistics, marketing, or to improve our services.

5.1 Technical Logs and Website Availability

Every time you visit our website, certain data is automatically collected and stored in log files, for example:

• IP address and device information (device type, operating system, browser)

• Date, time, and duration of the visit

• Pages and content viewed

• the website from which you arrived here (referrer URL)

We use this data

• to provide you with the website

• to ensure system security

• Detecting attacks or abuse

• to technically optimize our offerings.

Legal basis: our legitimate interest in providing a stable and secure website (Art. 6(1)(f) GDPR / Art. 31(1) nDSG).

5.2 Cookies and Similar Technologies

Our website uses cookies and similar technologies (e.g., local storage, pixels, tags).
These are small files or sequences of code that can be stored on or read from your device to enable certain functions or collect information.

In particular, we use the following categories:

Technically necessary cookies
These are required for the website and online store to function (e.g., shopping cart, login, language settings, consent storage). Without them, you will not be able to use our services, or your use will be limited.

Functional cookies
They help us make the site easier to use, for example, by saving your settings or preferences.

Analytics and statistics cookies
We use this to track usage of our website (e.g., which pages are frequently visited, how long visits last, and which devices are used).
The data collected helps us improve our content and features.

Marketing and Tracking Cookies
These cookies and pixels (e.g., from advertising partners or social media platforms) allow us to:

• to show you ads on other websites or platforms that are better suited to your interests

• to measure the effectiveness of our campaigns.

To the extent that we use cookies that are not technically necessary, we do so only if you have given your prior consent (e.g., via our cookie banner or the relevant settings in your browser). You can withdraw or modify your consent at any time with future effect.

5.3 Cookie Settings and Opt-Out

The first time you visit our website, we'll show you a pop-up window (cookie banner) where you can choose:

• whether you allow only necessary cookies or

• enable additional analytics and/or marketing cookies.

You can change your preferences at any time by accessing the cookie settings on our website (link in the footer or in the cookie banner).
You can also configure your browser to block or delete cookies. However, in that case, certain features of our website may no longer be fully available.

5.4 Web Analytics and Audience Measurement

We use web analytics services to understand how our website is used and where we can improve it.
These services collect data such as:

• which pages are visited

• how long a visit lasts

• which links visitors use to find us

• which devices and browsers are used

For this purpose, the providers receive usage data, which they process on our behalf to generate anonymized or pseudonymized statistics.
Depending on the provider, the data may also be transferred to countries outside Switzerland or the EEA (e.g., to the U.S.). In such cases, we ensure that an adequate level of data protection is in place (see Section 11).

Unless these services are necessary for technical operations, we only use them if you have given your consent in the cookie banner.

5.5 Marketing and Social Media Pixels

We may use so-called pixels and similar technologies from third-party providers on our website, such as social media platforms or advertising networks.
These pixels allow us to:

• to display our ads in a way that makes them as relevant as possible to you,

• to track which campaigns lead to orders or sign-ups,

• Create advertising audiences (e.g., "People who have viewed our products ").

This allows third-party providers to recognize that you have visited our website.
If you have an account there and are logged in, the provider may associate this visit with your profile.
Further data processing by the providers is carried out under their own responsibility and in accordance with their privacy policies.

We only use these technologies if you have consented to marketing/tracking cookies in the cookie banner. You can withdraw your consent at any time (see Section 15 and Cookie Settings).

5.6 Links to Other Websites

Our website may contain links to third-party services (e.g., social media platforms, partners, or online stores).
We neither operate nor monitor these websites. We are therefore not responsible for how these third-party providers handle personal data.
Please refer directly to their respective privacy policies.

6 How do we process data on our social media platforms?

We are active on various platforms and social networks, such as Instagram, TikTok, Facebook, YouTube, and LinkedIn (hereinafter collectively referred to as “social media platforms”).
When you visit our pages there or interact with us, data is processed by both us and the respective platform operators.

6.1 Data Processing by Planted

When you follow us on a social media platform, comment on posts, like content, or send us a message, we process the relevant information, such as:

• your username and publicly visible profile information

• The content of your messages, comments, or posts

• Reactions to our posts (likes, shares, mentions)

• Participation in contests, promotions, or surveys that we conduct there

We use this data to communicate with you, respond to inquiries, gather feedback, manage our community, and improve our content.

Legal basis: legitimate interest in public presence and communication (Art. 6(1)(f) GDPR / Art. 31(1) nDSG).

6.2 Data Processing by Platform Operators

Social media platforms themselves collect and analyze your usage behavior—often regardless of whether you have an account on the respective platform or are logged in.
This may include, in particular, the following:

• Usage and interaction data (e.g., which pages and profiles you visit, which posts you view, like, or comment on)

• Technical specifications for your device and browser

• Location data, if you have shared it

The platform operators use this information at their own discretion, for example, to build user profiles, display personalized ads, or improve their services.
We have no control over this.

You can find details about how platform operators process data in their own privacy policies. There, you can also adjust your settings for privacy and advertising.

6.3 Joint responsibility (e.g., for website statistics)

For certain analyses—in particular so-called page or “Insights” statistics regarding our profiles—we are considered joint data controllers under data protection law together with the respective platform operator.

These statistics help us understand which content is performing well (e.g., reach, demographic data, and engagement metrics in aggregated form).

The legally required agreement on joint liability is provided by the respective platform operator. In particular, it stipulates:

• which categories of data are used for statistical purposes

• what obligations the platform assumes (e.g., disclosure obligations, data security)

• who you can contact to exercise your rights as a data subject

Generally, you can contact either us or the platform directly at
. We will forward any inquiries that fall under the platform’s responsibility accordingly.

6.4 Direct Messages and Support via Social Media

If you contact us via direct message on a social media platform, we use the information you provide to process your request and to ask follow-up questions if necessary.
Depending on the nature of the request, this information may be transferred to our internal systems (e.g., CRM or ticket system) so that we can process it more efficiently.

Legal basis: Performance of a contract or legitimate interest in efficient communication (Art. 6(1)(b) / (f) GDPR / Art. 31 (1) nDSG).

6.5 Visibility of Your Activities

Please note that posts, comments, or other content you publish on our social media pages may also be visible to other users, depending on the platform settings.
Please do not share any sensitive information there (e.g., health data, payment details, or detailed personal information) that should not be made public.

For confidential matters, we recommend that you contact us directly by email (see section 2 for contact information).

7 How do we process data for newsletters?

You can subscribe to our newsletter to receive information about products, promotions, events, and other topics related to Planted.

7.1 Registration and Deregistration

When you sign up for our newsletter, we typically collect the following information:

• your email address

• Depending on the form: name, preferred language, and country (if applicable)

• the date and time of your registration and the confirmation (e.g., double opt-in)

We use this information to send you the newsletter and to verify your subscription.

You can unsubscribe at any time by clicking the unsubscribe link in the newsletter or by sending us a message (see section 2).

Once you unsubscribe, we will no longer send you newsletters. We may continue to retain certain data related to subscription and unsubscription in order to meet our accountability requirements.

Legal basis: your consent or our legitimate interest in direct marketing to existing customers, to the extent permitted by law (Art. 6(1)(a) and (f) of the GDPR / Art. 31(1) of the nDSG).

7.2 Content of the newsletters

Our newsletters may include the following in particular:

• Information about our products, new arrivals, and promotions

• Information about contests, events, and partnerships

• Recommendations and content tailored to your past behavior (e.g., product recommendations)

Occasionally, newsletters may also include offers from partner companies with whom we collaborate. In such cases, Planted remains your point of contact; we do not share your contact information with these partners without a valid legal basis.

7.3 Shipping Providers

We may use specialized service providers to send our newsletters (e.g., email marketing platforms).
These service providers process your data on our behalf and are not permitted to use it for their own purposes. They are contractually obligated to implement appropriate technical and organizational security measures.

Depending on the provider, data may also be transferred to countries outside Switzerland or the EEA. In such cases, we ensure an adequate level of data protection (see Section 11).

7.4 Performance Measurement and Personalization

Our newsletters may contain so-called web beacons or similar technologies .
When you open the email or click on a link:

• technically tracks whether and when the newsletter was opened

• which links were clicked

• what type of device was used to access the email

This information helps us understand what content interests our subscribers and allows us to improve or personalize our newsletters.

Unless this is already covered by a legitimate interest, such analysis is conducted only with your consent.
You can prevent this tracking by disabling the automatic loading of images in your email program or by unsubscribing from the newsletter.

8 How do we process data in email communications?

When you communicate with us via email, we process the personal data collected in order to respond to your inquiry, stay in touch with you, and manage our business relationship.

8.1 What data do we process in this context?

In our email communications, we process the following information in particular:

• your email address

• Names and other contact information that you provide to us

• the content of your message and any attachments

• Communication metadata (e.g., date, time, sender, recipient)

8.2 For what purposes do we process email data?

In particular, we process this data:

• to process inquiries, orders, complaints, or support requests

• for communicating with customers, business partners, job applicants, or other contacts

• for internal documentation and to ensure the traceability of communication

• to comply with legal obligations or to protect our legitimate interests (e.g., for evidentiary purposes)

Legal basis: performance of a contract, legitimate interest or legal obligation (see Section 13).

8.3 Storage and Access

Emails are stored in our email systems.
Access is restricted to only those employees who need it to perform their duties.

To ensure operational reliability, security, and support, email systems may be operated or maintained by external IT service providers. These process data exclusively on our behalf and in accordance with our instructions (see Section 10).

8.4 Retention Period

We retain emails for as long as necessary for the respective purpose or as required by legal retention obligations.
Emails that are no longer needed are deleted or anonymized in accordance with our internal policies.

8.5 Confidentiality Guidelines

Please note that email is generally not a completely secure means of communication.
Therefore, please do not send us any particularly sensitive information (e.g., detailed health data or payment information) unless it is expressly required or we have asked you to do so.

9 How do we use profiling?

"Profiling" refers to the automated processing of personal data to analyze or predict certain personal characteristics—such as interests, preferences, or the likelihood that someone will purchase a specific product.

We use profiling within a limited scope, primarily in connection with marketing, personalization, and the further development of our services.

9.1 What We Mean by Profiling

In particular, we can automatically analyze the following data:

• Previous purchases and shopping carts

• Newsletter engagement (opens, clicks)

• Use of Our Website and Online Store

• Participation in promotions, contests, or (future) loyalty / referral programs

From this, we can deduce, for example,

• which products might interest you,

• what content we show you in the newsletter,

• which target groups we identify for advertising campaigns

9.2 How we use profiling

Profiling helps us, in particular, to

• to tailor our content and offerings more effectively,

• to show you only relevant ads and recommendations,

• to improve our products, campaigns, and website,

• to divide our customers into target groups (segments), e.g., based on purchasing behavior or interests

If cookies or tracking technologies are used for this purpose, this is done only if you have given your consent in the cookie banner (see sections 5 and 7).

9.3 No high-risk profiling / no automated individual decisions

We do not engage in high-risk profiling as defined by the revised Swiss Data Protection Act.
In particular:

• We do not process special categories of personal data (e.g., health data) for profiling purposes,

• We do not make automated decisions that have legal consequences for you or similarly significantly affect you (e.g., no fully automated rejection of contracts based solely on a score).

If we were to use methods in the future that could have such an effect, we would inform you transparently and—where necessary —obtain your explicit consent.

9.4 How can you prevent or limit profiling?

You can limit or prevent profiling in various areas:

Newsletter & Direct Marketing:
You can unsubscribe from the newsletter at any time or let us know that you no longer wish to receive personalized advertising (see sections 7 and 15).

Cookies & Tracking:
You can use the cookie banner to refuse or withdraw your consent to analytics and marketing cookies. You can also delete cookies in your browser or restrict the use of cookies (see Section 5).

Account & Loyalty / Promotions:
You can take advantage of many of our offers even without a user account. If you do not wish to be profiled through your customer account, you can make purchases—where possible—without logging in or linking to a loyalty ID.

Regardless of this, you have the right to object at any time to the processing of your data for direct marketing and related profiling (see Section 15).

10 How do the Planted companies work together?

Planted has subsidiaries in several countries.
The Planted Group currently includes, in particular:

• Planted Foods AG, Kemptthal, Switzerland (Headquarters)

• Planted Foods GmbH, Berlin, Germany

• Planted Foods Production GmbH, Memmingen, Germany

• Planted Foods France SAS, Paris, France

• Planted Foods Austria GmbH, Vienna, Austria

• Planted Foods Italia S.r.l. Società Benefit (Planted Foods Italia S.r.l. SB), Milan, Italy

(Additional companies or branches may be added; in that case, this list will be updated accordingly.)

10.1 Data Exchange Within the Group

The companies within the Planted Group support one another, for example in:

• Operation and further development of IT and logistics systems

• Accounting, Controlling, and Group-Wide Reporting

• Marketing and communication activities in the respective countries

• Customer service and support for retail, foodservice, and distribution partners

• Production, Storage, and Distribution of Our Products

To this end, personal data may be shared within the group to the extent that this is necessary for the purposes described in this Privacy Policy (e.g., processing orders, providing customer service to business customers, conducting campaigns).

Each Planted company may use the data received from another Planted company only for the purposes for which it was originally collected or for purposes consistent with those.

10.2 Joint Responsibility

In certain situations, multiple Planted companies jointly decide on the purposes and means of data processing—for example:

• for centrally managed CRM or marketing systems,

• in cross-border campaigns,

• with a consistent online presence across the group

In such cases, these companies are joint controllers under data protection law.

We have established internal agreements that, among other things, stipulate the following:

• which company fulfills which obligations under data protection law (e.g., informing data subjects, data security)

• how requests from data subjects are coordinated within the group

• how we ensure that your rights are protected across the entire group

Regardless of these internal agreements, you can exercise your rights at any time with respect to any Planted company.
The easiest way is to contact the point of contact listed in Section 2; we will coordinate your request internally.

10.3 Liability of Individual Companies

Which Planted company is responsible in a particular case depends in particular on:

• which channel you use to interact with us (e.g., national website, online store, social media presence)

• the company named in the relevant documents (e.g., in the legal notice, on the packaging as the “responsible business operator,” or as the contracting party in the terms and conditions or contracts)

• regardless of which country you reside in or in which market we offer you our services

Examples:

• Planted Foods France SAS is generally responsible for activities in the French market.

• For operations in the Austrian market Planted Foods Austria GmbH.

• For operations in the Italian market Planted Foods Italia S.r.l. SB.

If you have any questions, you can always contact Planted Foods AG or use the central contact address listed in Section 2; we will ensure internally that your inquiry is answered by the appropriate company.

11 How do we work with service providers, partners, and government agencies?

We will only share your personal data if it is necessary for the purposes described in this Privacy Policy, if there is a legal basis for doing so, and if it is permitted under applicable law.

11.1 Data Processors (Service Providers)

We work with selected service providers who process personal data on our behalf (so-called data processors).
These include, in particular, providers in the following areas:

• Hosting, operation, and maintenance of IT systems and databases

• E-commerce platforms and payment processing

• Newsletter and Email Distribution

• Web analytics, audience measurement, and marketing technologies

• Logistics, Warehousing, and Shipping

• Support, ticketing, and CRM systems

• Consulting (e.g., IT, security, or marketing consultants)

These service providers are contractually obligated to,

• to process personal data only in accordance with our instructions,

• to implement appropriate technical and organizational security measures, ,

• Do not use personal data for your own purposes

We carefully select our service providers and review them regularly.

11.2 Independent data controllers (e.g., sales partners, payment service providers)

In other cases, we work with companies that process personal data on their own behalf.
This may include:

• Payment service providers (e.g., credit card companies, Twint, PayPal, etc.)

• Retailers, restaurants, and online marketplaces where you can purchase our products

• Social media platforms (e.g., Instagram, TikTok, Facebook, LinkedIn, YouTube)

• Trustees, tax advisors, legal advisors, or other professional service providers

If you provide your personal data directly to such third parties (e.g., on their website or in their app, at the checkout, or when making a reservation), these third parties are themselves responsible for the processing of that data.
In such cases, the respective privacy policies of the providers apply.

11.3 Government agencies, courts, and other recipients

To the extent that we are legally required to do so or that it is necessary to protect our legitimate interests, we may also disclose personal data to the following recipients:

• Courts, law enforcement agencies, or administrative authorities

• Legal representatives and external consultants

• Third parties in the context of legal proceedings or in the enforcement of claims

• Buyers or prospective buyers in connection with the sale or restructuring of business units

In such cases, we only disclose the data that is necessary for the specific purpose.

11.4 No Sale of Personal Data

We do not sell your personal data.

When we work with advertising or analytics partners, we do so within the scope of the purposes and legal bases described in this Privacy Policy (in particular, based on your consent for marketing cookies or our legitimate interest in measuring reach).

12 Can we transfer data abroad?

Yes. Like many other companies, we use services and infrastructure that are located not only in Switzerland or the EEA.
Recipients of your personal data may therefore be located in other countries — particularly in countries where our service providers offer IT services, cloud solutions, marketing, or support services.

In doing so, we ensure that an appropriate level of data protection is always in place or that a legally permissible exception applies.

12.1 Recipients abroad

Data may be transferred abroad, in particular to:

• Companies of the Planted Group (see Note 10)

• Service providers (data processors) in the areas of cloud/hosting, e-commerce, newsletter distribution, web analytics, marketing technologies, support, etc. (see Section 11.1)

• independent data controllers such as payment service providers, platform operators or professional consultants (see Section 11.2)

• Government agencies and courts in the context of legal proceedings (see Section 11.3)

12.2 Countries with a recognized level of data protection

When we transfer personal data to countries whose data protection standards are recognized as adequate by Switzerland or the EU (e.g., EEA countries), the transfer is based on the relevant adequacy decisions.
In these cases, no additional protective measures are required.

12.3 Other countries (e.g., the United States) and appropriate safeguards

If a recipient is located in a country without a recognized adequate level of data protection (e.g., in certain cases, the United States or other countries), we ensure that additional appropriate safeguards are in place before transferring data.
These include, in particular:

• Standard Contractual Clauses (SCC) of the European Commission, where applicable, supplemented by additional measures, or

• other safeguards provided for under applicable data protection law.

These agreements require the recipient to maintain a level of data protection that is equivalent to that in Switzerland or the EEA.

12.4 Exceptions

In certain situations, personal data may be transferred abroad even without an adequacy decision or standard contractual clauses, for example, if:

• the transfer is necessary for the performance of a contract with you or in your interest (e.g., delivery to another country, use of a foreign specialized service provider)

• you have expressly consented after we informed you of the risks ;

• the disclosure is necessary for the assertion, exercise, or defense of legal claims

• there is an overriding public interest

In such cases, we limit the transfer of data to the absolute minimum.

12.5 Access from abroad

Even if data is stored in Switzerland or the EEA, it is possible that support or maintenance services may be provided from there by companies in other countries.

However, from a technical standpoint, access to personal data cannot be ruled out (e.g., during remote support provided by a software vendor). In such cases, we ensure, both contractually and technically, that access occurs only within the scope of legal requirements and that appropriate safeguards are in place.

13 What is the legal basis for data processing?

Depending on the situation, our processing of personal data is based on various legal grounds. These include, in particular:

Contract performance and pre-contractual measures
when processing is necessary to fulfill a contract with you or your company, or to take action at your request prior to entering into a contract (e.g., orders, deliveries, complaints, job applications).

Legitimate Interests
when we have a legitimate interest in processing your data that is not overridden by your conflicting interests or rights.
This includes, for example:

• Operation and Security of Our Systems

• Customer Service and Communication

• Product and Service Improvement

• Direct Marketing and Market Research

• Enforcement or defense of legal claims

• internal administrative purposes and group organization

Legal obligations
when we need to process data to comply with legal requirements (e.g., commercial and tax retention obligations, obligations to provide information and cooperate with authorities).

Consent
if you have expressly consented to a specific processing activity, such as receiving newsletters or the use of certain cookies and tracking technologies.
You may withdraw your consent at any time with future effect (see Section 15).

To the extent that the GDPR applies, we rely in particular on the legal bases set forth in Articles 6 and 9 of the GDPR.

To the extent that Swiss data protection law (nDSG) applies, processing is permitted if it is carried out in accordance with the legal principles (in particular lawfulness, proportionality, purpose limitation, and data security).

For processing activities carried out by Planted companies in EU/EEA countries or in the United Kingdom, the applicable national data protection laws (e.g., the UK GDPR) also apply, which are largely consistent with the GDPR in substance.

14 How long do we retain your personal data?

We process and store personal data only for as long as is necessary for the purposes described in this Privacy Policy—or for as long as we have a legitimate interest in retaining it or are subject to legal obligations.

The exact duration depends, for example, on:

• for the duration of our contractual relationship or any ongoing proceedings

• legal retention requirements (e.g., generally 10 years for certain business records under Swiss law)

• Statutes of limitations during which we can assert or defend against claims

• whether you have objected to the processing, withdrawn your consent, or requested deletion

Different or more specific retention periods may apply to certain categories of data, particularly in connection with job applications, legal proceedings, compliance matters, or security incidents.

Unless there are any longer-term legal or contractual obligations, we generally delete or anonymize your personal data:

• Customer data: after the business relationship has ended and the statutory retention periods have expired

• Newsletter data: after you unsubscribe; certain records regarding consent and unsubscription may be retained for a longer period of time

• Application data: after the application process is completed, provided that you are not hired and there are no legal or legitimate reasons for retention that prevent this. If you consent to longer-term retention, we may retain your application data for a reasonable period of time in order to consider you again for suitable positions in the future. In addition, we may retain certain minimum application details for a longer period in a reduced form, to the extent that this is necessary for documentation, evidence, or the protection of our rights

• Log and technical data: after a short, specific period, provided they are no longer needed for security, audit, or analysis purposes

Whenever possible, we process data in an anonymized or aggregated form once we no longer need it in a personally identifiable form.

15 What are your rights?

Under applicable data protection laws, you have various rights that allow you to better understand and influence the processing of your personal data.

15.1 Information

You may request information from us regarding whether we process personal data about you.
If so, you may obtain information regarding, in particular:

• What data we process

• for what purposes

• what sources they come from

• to which recipients they are transmitted

• how long they are expected to be stored

15.2 Correction

If your personal data is incorrect or incomplete, you may request that we correct or complete it.

15.3 Erasure and Restriction of Processing

Under certain conditions, you may request that we delete or anonymize personal data—for example, if it is no longer necessary for the purposes for which it was collected or if you have effectively objected to its processing.

Instead of erasure, in certain cases you may also request that we restrict the processing of your data, e.g., if the accuracy of the data is disputed.

15.4 Right to Object

To the extent that we process your data based on a legitimate interest, you have the right to object to this processing on grounds relating to your particular situation.

You may object to the processing of your data for direct marketing purposes (including profiling for direct marketing) at any time.
In that case, we will no longer use your data for these purposes.

15.5 Withdrawal of Consent

If the processing is based on your consent, you may withdraw this consent at any time with future effect.
The withdrawal does not affect the lawfulness of the processing carried out prior to the withdrawal.

Examples:

• Unsubscribe from the newsletter using the link provided

• Adjusting your cookie settings on our website

15.6 Data Portability

Where applicable, you have the right to receive certain personal data that you have provided to us in a structured, commonly used, and machine-readable format, or—where technically feasible—to request that such data be transferred to another controller.

15.7 Right to review automated individual decisions (Art. 22 GDPR)

To the extent that the GDPR applies, you have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you.

This right does not apply if the automated decision:

• is necessary for the conclusion or performance of a contract between you and us

• is permitted by law, or

• with your express consent.

In cases where such automated decision-making is permitted, you have the right to request human intervention, to present your own point of view, and to challenge the decision.

As explained in Section 9, we currently do not make any fully automated decisions that have legal or similarly significant consequences. Should we implement such procedures in the future, we will inform you transparently about them and—where necessary—obtain your explicit consent.

15.8 Right to File a Complaint with a Supervisory Authority

If you believe that the processing of your personal data violates applicable data protection laws, you have the right to file a complaint with a competent supervisory authority.

In Switzerland, this is specifically:

Federal Data Protection and Information Commissioner (FDPIC)

Where the GDPR applies, you may, in particular, contact the competent data protection authority in an EU or EEA country where you live or work, or where an alleged violation has occurred.

To the extent that UK data protection law (UK GDPR) applies, you may contact, in particular, the Information Commissioner's Office (ICO) or another competent supervisory authority in the United Kingdom.

Regardless, we would appreciate it if you would contact us directly first (see section 2) so that we can review your request and—if possible— work together to find a solution.

15.9 How can you exercise your rights?

You can contact us at any time to exercise your rights:

• by email to [email protected]

• by mail to the address listed in paragraph 2

To help us prevent misuse and protect your data, we may ask you to provide appropriate proof of identity (e.g., a copy of your ID or confirmation that your email address has been verified).

We review each request individually and respond within the statutory time limits.
In certain cases, statutory exceptions or overriding interests (e.g., of third parties or our own) may result in us having to reject a request in whole or in part. In such cases, we will notify you accordingly.

16 Changes to this Privacy Policy

We may update this Privacy Policy at any time if our data processing practices, the technologies we use, or the legal framework change.

The current version is published on our website and includes a revision date.
In the event of significant changes, we will notify you through appropriate channels (e.g., on our website, in our online store, or via email, as appropriate).

Date of this Privacy Policy: March 2026