01Preamble

This Privacy Policy describes how In a Box Sàrl (hereinafter "easycondom", "we", "us") collects, uses, stores, and protects your personal data when you use the easycondom.ch website.

This policy applies in addition to our Cookie Policy and our General Terms and Conditions of Sale.

The processing of your data is governed by the new Swiss Federal Data Protection Act (nLPD) of 25 September 2020, which came into force on 1^st September 2023, as well as by the European General Data Protection Regulation (GDPR / 2016/679) for visitors residing in the European Union.

02Data Controller

For any questions regarding the processing of your personal data, please write to us at the above address, stating "Data Protection" as the subject.

03Data Collected

We collect and process the following categories of data:

Data provided directly by you

• Identity: surname, first name, title (optional)
• Contact details: email, phone (optional), delivery and billing postal address
• Customer account: identifiers (email + hashed password), preferences, order history
• Payment: We never store your full bank details. The card number is processed directly by the payment provider (Stripe, PostFinance, PayPal, TWINT, Klarna). We only keep a transaction ID and the last 4 digits of the card.
• Communications: content of messages exchanged with our customer service (email, contact form)

Automatically collected data

• Browsing data: IP address (anonymised after 30 days), browser type, operating system, pages visited, visit duration, source of origin
• Cookies: see our Cookie Policy for details
• Analytics: Google Analytics 4 (with anonymised IP), Meta Pixel (only with consent)

Sensitive data

The easycondom.ch website offers products related to sexual health. We do not collect any sensitive health data (sexual orientation, practices, partners, etc.). The mere act of purchasing a condom or an STI test is not considered health data within the meaning of the nLPD or GDPR.

04Purposes & Legal Basis

Your data is processed for the following purposes:

Contract execution (order, delivery, customer service)

• Legal basis: contract execution (Art. 31 nLPD / Art. 6.1.b GDPR)
• Data concerned: identity, contact details, payment, history
• Duration: throughout the customer relationship + 10 years (Swiss accounting obligation, Art. 957 CO)

Marketing communication (newsletter, offers)

• Legal basis: consent (Art. 31 nLPD / Art. 6.1.a GDPR)
• Data concerned: email, first name, purchase history (for personalisation)
• Duration: until consent is withdrawn (unsubscribe link in each email)

Website improvement & analytics

• Legal basis: legitimate interest (Art. 31 nLPD / Art. 6.1.f GDPR)
• Data concerned: anonymised browsing, analytical cookies (with consent)
• Duration: 13 months maximum

Fraud prevention

• Legal basis: legitimate interest + legal obligation
• Data concerned: IP address, transaction data, order behaviour
• Duration: 5 years

Legal obligations (accounting, taxation)

• Legal basis: legal obligation (Art. 957 CO)
• Data concerned: invoices, VAT receipts
• Duration: 10 years

05Recipients & Processors

Your data may be communicated to the following recipients, strictly within the scope of the described purposes:

Technical processors

• Shopify (Ireland / Canada) — e-commerce platform
• Cloudflare (USA) — security & CDN
• Klaviyo (USA) — transactional and marketing emailing
• Judge.me (Hong Kong) — customer review management
• Google (USA / Europe) — Analytics, Cloud services
• Meta (USA / Europe) — Advertising Pixel (only with consent)

Payment providers

• Stripe / Shopify Payments — credit cards
• PostFinance — TWINT, PostFinance Card
• PayPal — PayPal payment

Logistics

• Swiss Post — parcel delivery

Related third parties

• kisskiss.ch (same company In a Box Sàrl) — only with your explicit consent, for cross-brand recommendations

All our processors are bound by a data processing agreement compliant with the nLPD / GDPR. We never sell your data.

06International Transfers

Some of our processors are based outside Switzerland, notably in the USA. For these transfers, we rely on the following safeguards:

• Adequacy decision by the Swiss Federal Council (where applicable)
• Standard Contractual Clauses approved by the Federal Data Protection and Information Commissioner (FDPIC) or the European Commission
• Data Privacy Framework (DPF) certification between Switzerland / EU and the USA

You can obtain a copy of the applicable safeguards by writing to info@easycondom.ch.

07Data Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure:

• TLS 1.3 encryption across the entire site (HTTPS mandatory)
• Passwords stored as hashed values (bcrypt)
• Payment data not stored locally (PCI-DSS via providers)
• Access to data limited to authorised personnel (principle of least privilege)
• Daily encrypted backups
• Periodic security audits and access logs

08Your Rights

In accordance with the nLPD and GDPR, you have the following rights regarding your personal data:

• Right of access — obtain confirmation that your data is being processed and receive a copy
• Right to rectification — correct any inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — request the deletion of your data, unless there's a legal obligation to retain it
• Right to restriction of processing — temporarily freeze the processing of certain data
• Right to data portability — retrieve your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interest
• Right to withdraw your consent at any time (without affecting prior processing)
• Right not to be subject to automated decision-making that has a legal effect on you

To exercise a right, please write to us at info@easycondom.ch, specifying the right you are exercising. We will respond within a maximum of 30 days.

09Cookies & Trackers

The site uses cookies and similar trackers to ensure its proper functioning, measure audience, and personalise certain content.

You can manage your preferences at any time via the consent banner or via the "Cookie Preferences" link in the footer.

For details on the cookies used, please consult our Cookie Policy.

10Data Retention

We retain your data only for the duration necessary for the purposes of processing:

• Customer account: throughout the relationship + 3 years after the last order
• Orders & invoices: 10 years (accounting obligation, Art. 957 CO)
• Marketing data: until consent is withdrawn
• Analytical cookies: 13 months maximum
• Connection logs: 6 months
• IP address: 30 days then anonymisation

Beyond these periods, data is either deleted or irreversibly anonymised for statistical purposes.

11Minors

The easycondom.ch website is intended for individuals aged at least 16 years. We do not knowingly collect data concerning minors under 16. If you are a parent or guardian and you become aware that a minor under 16 has provided personal data, please contact us for deletion: info@easycondom.ch.

12Changes

This Privacy Policy may be amended to reflect legal, technical, or commercial changes. Any substantial changes will be notified to you by email (if you have an account) or via a banner on the website.

The date of the last update is at the top of this document.

13Applicable Law

This Privacy Policy is governed by Swiss law, in particular the nLPD and its implementing ordinance (OPDo). For visitors residing in the European Union, the GDPR applies in addition.

In case of divergence between the nLPD and the GDPR, the provision most protective of your rights will prevail.