Privacy policy for the enerjoy app and website

Edition February 2023

Table of contents

1. What is this privacy policy about?

2. Who is responsible for processing your data?

3. What data do we process in connection with the enerjoy offer?

4. For what purposes do we process data?

5. How do we obtain analyses and statistics?

6. How do we process data in connection with advertising?

7. To whom do we disclose your data?

8. Do we disclose personal data abroad?

9. What applies to profiling?

10. How long do we process your data?

11. How do we protect your data?

12. Legal bases

13. What rights do you have?

14. Can this privacy policy be changed?

1. What is this privacy policy about?

enerjoy supports you in reducing your personal CO2 footprint in a targeted manner.

In this privacy policy, you will find information on the processing of your personal data in connection with the enerjoy app and the enerjoy website (enerjoy.sayhello.works). When we refer to the app and the website, we hereinafter refer to the “online offering”.

We have aligned this privacy policy with the Swiss Federal Act on Data Protection (“FADP”) and the European General Data Protection Regulation (“GDPR”). Whether and to what extent the FADP, the GDPR or other data protection legislation, such as the Basel City Act on Information and Data Protection, is applicable depends on the individual case.

The terms “personal data” and “process” also include the terms “personal data” and “process” in accordance with the GDPR.

Personal data” (also “personal data”) refers to data that relates to a specific or identifiable person, i.e. it is possible to draw conclusions about their identity based on the data itself or with corresponding additional data. We use the term “data” in this privacy policy synonymously with “personal data” and “personal information”.

Processing” means any handling of personal data, e.g. obtaining, storing, using, disclosing and deleting.

2. Who is responsible for processing your data?

IWB Industrielle Werke Basel (“IWB” or “we”) is generally responsible for data processing in accordance with this Privacy Policy.

For each data processing operation, there are one or more entities that bear primary responsibility for ensuring that the data processing complies with the requirements of data protection law. This body is called the “controller“. It is responsible, for example, for responding to requests for information or ensuring that personal data is secured and is not used in any other way than we inform you or as permitted by law.

Information on data processing by IWB that does not relate to the enerjoy online offering can be found here.

You can reach us using the following contact details

IWB Industrielle Werke Basel, Margarethenstrasse 40, CH-4002 Basel

+41 61 275 51 11

3. What data do we process in connection with the enerjoy offer?

3.1 Protocol data

When using the online offer, certain data is generated, so-called log data (also “log files”). This data is automatically stored on the server at IWB or at a service provider (hosting partner).

This includes the following data in particular:

  • the browser types and versions used
  • the operating system used by the accessing system
  • the website from which an accessing system accesses the app and website (so-called referrer)
  • the sub-websites that are accessed via an accessing system on our app and website
  • the date and time of access to the app and website
  • the internet protocol address (IP address),
  • the internet service provider of the accessing system and
  • other similar data and information used for security purposes in the event of attacks on our IT systems.

The log data is stored separately from the personal data you disclose to us (see section 3.3).

3.2 Further usage data

We use cookies on our website. These are small text files that are automatically stored on your computer or mobile device when you use the website. This enables us to recognise you on subsequent visits, even if we do not know who you are. In addition to cookies that are only used during a session and are deleted after your website visit (“session cookies”), we use cookies that are necessary to store user settings and other information for a certain period of time (“permanent cookies”).

Cookies record usage data, such as in particular the date and time of access to the online offer and the Internet Protocol address (IP address) or another number of your devices (PC, mobile, etc.). They help us to make your visit to our website more attractive and to enable you to use certain functions. They provide information about which content is visited and from which website or app the online offering is accessed. We can also use cookies to track which topics visitors research and how long they spend on individual pages. Cookies also help us to measure marketing campaigns.

  • Necessary cookies: Certain cookies are necessary for the function of the online offer. These cookies have an expiry date of up to [24] months.
  • Performance cookies: We use cookies that collect and analyse information about the use of the online offer so that we can improve content and presentation on the basis of anonymous evaluations and tailor them to users (see also section 5). These cookies can also remain stored beyond a visit. Performance cookies have an expiry date of up to [24] months.

A list of the cookies we use can be found at the following link: https://www.enerjoy.ch/cookie-uebersicht/

Before we use performance cookies, we ask for your consent. You can revoke your consent at any time via the settings in the cookie banner. If you do not agree to the use of cookies, you can also configure your browser so that it generally does not accept cookies or any cookies from us. The online offer remains usable, but certain functions may not be available or may only be available to a limited extent.

Other technologies such as “pixels” have a similar purpose to cookies and can also record behaviour on the website.

With “pixels”, invisible image files in a website or email are loaded from a server via a coded link, which records the corresponding call and the data transmitted with the link, among other things so that we can determine whether a user reaches the online offering via a specific advert.

The other usage data in accordance with this section 3.2 is stored separately from the personal data you disclose to us (see section 3.3 below) and therefore remains pseudonymised.

3.3 Personal data that you provide to us

Registration with a valid e-mail address and password is required to use the online service. After registering and verifying the e-mail address you have provided, you will receive a user account.

Your user name, which is visible to other users, can be freely chosen by you in accordance with the terms of use. You can provide and customise further information about yourself (such as gender, personal motivation and goals) and the areas of “Nutrition”, “Mobility”, “Energy” and “Consumption”.

For example, we ask you the following questions in the basic version of the online service:

  • How much fruit & veg do you eat seasonally? How often do you eat milk and egg products? How often do you drink soft drinks?
  • How much do you travel by car each year? How much do you cycle or e-bike per week? How much do you travel by plane this year?
  • What do you use to heat your home? How many people live in your household? What quality of electricity do you use in your household?
  • How much do you spend on clothes and shoes each month? How much do you spend on leisure and culture each month?

You have several possible answers with averages and ranges.

We process your information in order to provide the functions of the online service and, in particular, to calculate your approximate carbon footprint.

The online service currently comprises three main functions:

  • the collection, recording and visualisation of data on your own CO2 footprint in a diary (“tracking”),
  • data-based coaching via the online service and by e-mail with general information and individual tips and recommendations for reducing CO2 emissions in everyday life (“coaching”) and
  • participation in joint activities (especially challenges) of the enerjoy community as an incentive to achieve sustainability goals (“Challenges”).

You can also contact us via the support function. For this purpose, we process the content of the communication, but also log data about the type and time of the communication.

3.4 Data for push notifications

So that we can display notifications on your mobile device, even if you are not currently in the app (so-called “push notifications”), your device is assigned an identification number (so-called “device token”). The push notifications relate to usage recommendations (e.g. depending on your last use of the app), challenges (especially successes and challenge registrations) or news about enerjoy. You can set which push notifications you would like to receive in the app.

If you use an iOS device, we will ask for your consent. Our app only uses push notifications if you have expressly consented to them. You can deactivate push notifications at any time in the settings.

If you are using an Android device, push notifications are automatically permitted as long as you do not deactivate them in your settings.

4. For what purposes do we process data?

We process data for the following purposes in particular. Further information on specific purposes can be found in sections 3 and 5 ff.

Operation of the online offering: Some usage data is collected automatically when the website is used, which is why it is necessary for its operation (see sections 3.1 and 3.2). We also require other data so that certain functions can be offered, e.g. push notifications (see section 3.4).

For example, we can store information about your settings (e.g. language selection) in cookies and read it out on your next visit, and we can temporarily store data entered by you so that it is not lost when you use different parts of the online offering.

Provision of certain content and functions: If you use content and functions of the online offering and disclose data to us in the process, we process the data in accordance with the respective purpose of the function or content.

For example, we use data to calculate and track your approximate carbon footprint and to carry out coaching sessions and challenges (see section 3.3).

Security and stability: In order to improve the security and stability of the online offering, we require log data in particular (see section 3.1). If we can assign this data to you personally, we can use it for these purposes, e.g. to provide the information necessary for prosecution in the event of cyber attacks. You can also log in with the login of a third-party provider (e.g. Apple, Google or Facebook). In this case, we receive access to certain data stored with the provider in question, e.g. your user name, profile picture, date of birth, gender and other information, the scope of which you can usually determine yourself. You can find information on this in the privacy policy of the provider in question.

Statistics: We use data for statistical purposes, i.e. for analyses with the aim of obtaining certain information, e.g. information about fluctuations in the use of the online offering. The analyses are aggregated, i.e. no longer personalised. You can find more information on this under point 5.

Improvement of the offers: We use data to continuously improve the online offering (e.g. by responding to different uses or adapting or developing new content). Among other things, we use performance cookies for this purpose (see section 3.2).

Marketing: We use data for marketing purposes, e.g. to send newsletters or to display adverts within our online offering and on third-party sites and offerings (e.g. Facebook and other Meta offerings such as Instagram and Google). We can also personalise the relevant content. We use advertising cookies for this purpose. You can find more information on this under point 6.

Product development: We also process data in order to improve our online offering and develop new products.

Communication: We use data to communicate with you, e.g. if you have contacted us via the support function. For this purpose, we process the content of the communication, but also log data about the type and time of the communication.

Compliance with legal and regulatory requirements: We may process data in order to comply with laws, directives and recommendations from authorities and internal regulations. This includes the prevention, detection and clarification of criminal offences and other violations, internal and external investigations and the disclosure of data to authorities.

Defence and enforcement of claims: We may use data for civil and criminal proceedings or defence in such proceedings. In the context of such proceedings, your IP address or device identifier and other data may also be used for identification by the competent authorities, even if they are not initially personally identifiable to us.

5. How do we obtain analyses and statistics?

We use service providers to analyse the behaviour of users of our online offering. They may receive log data (see section 3.1) and other usage data (see section 3.2) from us and use technologies themselves to collect usage data.

Our service providers for analyses and statistics include, for example, Google, Firebase, Segment, Amplitude and customer.io. Other service providers generally process data in a similar way:

  • Google Analytics (for Firebase): We use the analysis service “Google Analytics” and “Google Analytics for Firebase” operated by a Google company in Ireland (“Google”). This involves recording data about the behaviour of the online offering (duration and frequency of visits, content accessed, geographical origin of access, etc.), and on this basis Google compiles analyses of usage for us. Google uses Google LLC in the USA as a processor, whereby IP addresses (which is the easiest way to identify individual persons) are shortened before being forwarded to Google LLC. Nevertheless, we cannot rule out the possibility that Google may use the data collected for its own purposes to draw conclusions about the identity of visitors, create personal profiles and link this data to Google accounts]. If you agree to the use of Google Analytics, you expressly consent to such processing, which also includes the transfer of data to the USA. You can find information on data protection by Google for Firebase at https://firebase.google.com/support/privacy, for Google Analytics at https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find information on processing by Google at https://policies.google.com/technologies/partner-sites?hl=de.
  • Firebase Crashlytics: We use “Firebase Crashlytics”, another Google service. This allows us to collect anonymised crash reports that we need to improve the stability and reliability of the app. If the app crashes, anonymous information is transmitted to Google in the USA for this purpose (state of the app when it crashes, installation identification number, details of the end device and other details).
  • Segment, Amplitude and customer.io: We also use “Segment”, an analysis service from Twilio Germany GmbH, Munich, together with “Amplitude”, an analysis service from Amplitude, Inc., San Francisco, and with “customer.io”, an e-mail dispatch service from Peaberry Software Inc., New York. Segment receives usage data from us for these purposes, which is pseudonymised and made available to Amplitude for evaluation, and for forwarding to customer.io e-mail addresses of our users, which we can use to communicate with you. You can read customer.io’s privacy policy here, and you can find more information about Amplitude here.
  • Hotjar: Another example of a service for statistically analysing the needs of our users is Hotjar, a service provided by Hotjar Ltd (Malta). We use Hotjar to better understand the needs of our users and to optimise the offer on the app. This helps us to better customise the app for our users. Hotjar works with cookies and other technologies to collect data about user behaviour and the end devices used, in particular the IP address of the device (which is only recorded and stored in anonymised form during website use), screen size, device type, information about the browser used, location (country only) and preferred language for displaying the website. Hotjar stores this information on our behalf in a pseudonymised user profile. You can find more information in the “about Hotjar” section on Hotjar’s help page.

6. How do we process data in connection with advertising?

We also process personal data in order to advertise our services and those of third parties. We send out electronic newsletters that also contain advertising for our offers, but also for offers from other companies with whom we work. We ask for your consent beforehand, except when we advertise certain offers to existing customers. In this context, in addition to your name and email address, we also process information about which services you have already used, whether you open our newsletters and which links you click on. For this purpose, our e-mail dispatch service provider provides a function that essentially works with invisible image data that is loaded from a server via a coded link and thus transmits the corresponding information. This is a common procedure that helps us to assess the effect of newsletters and optimise our newsletters. You can avoid this measurement by setting your email programme accordingly (e.g. by switching off the automatic loading of image files).

7. To whom do we disclose your data?

Below you will find an overview of the categories of recipients to whom we may disclose personal data.

Service providers: We work with service providers in Switzerland and abroad who process data about you on our behalf or under joint responsibility with us or who receive data about you from us under their own responsibility. For example, we obtain IT services such as hosting and support from service providers. These service providers are subject to contractual and/or statutory confidentiality and data protection obligations. They may also use such data for their own purposes in exceptional and justified cases, e.g. anonymised data to improve services.

Further information on service providers in the area of analysis and statistics can be found in section 5.

Authorities and offices: In connection with the exercise of rights, the defence of claims and the fulfilment of legal requirements, we may pass on data to authorities, offices, courts and other public bodies, e.g. in the context of official, judicial and pre- and extrajudicial proceedings and in the context of statutory information and cooperation obligations.

8. Do we disclose personal data abroad?

As explained above, not only we process data, but also third parties and service providers. Your data may also be transferred abroad, e.g. when it is transmitted to service providers. Your data may therefore be processed worldwide, including outside the EU or the European Economic Area (i.e. also in so-called third countries such as the USA). Many third countries do not currently have laws that guarantee a level of data protection equivalent to Swiss and European law. We therefore take contractual precautions to contractually compensate for the weaker legal protection.

To this end, we generally use the EU standard contractual clauses, which are also recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC) with certain adjustments and can be accessed here. Further information can be found at www.edoeb.admin.ch. In exceptional cases, we may also transfer personal data abroad without such contractual precautions on the basis of the Swiss Data Protection Act. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the fulfilment of a contract requires such disclosure, if you have given your consent or if the data in question has been made generally accessible by you and you have not objected to its processing.

The contractual precautions mentioned above can partially compensate for this weaker or lack of legal protection, but they cannot eliminate all risks (in particular of state access abroad). You should be aware of the residual risks, even if they are low in individual cases and we take measures such as pseudonymisation or anonymisation.

9. What applies to profiling?

We process data for the purposes specified in section 4 and analyse it automatically for this purpose. This also includes “profiling”, i.e. the automated processing of data for analysis and forecasting purposes. Profiling is primarily used for marketing and security purposes. We pay attention to the proportionality and reliability of the results and take measures to prevent misuse of these profiles or profiling.

10. How long do we process your data?

We store data for as long as required for our processing purposes, any retention periods and our legitimate interests in processing for documentation and evidence purposes or if storage is technically necessary. The duration of our processing of data is therefore based on legal and internal regulations and on the processing purposes (see section 4), which also include the protection of our interests, e.g. for the enforcement or defence of claims or for documentation and evidence purposes. You can find more information on the lifespan of cookies in section 3.2.

For example, you can customise and delete your data in your user account at any time. If you delete your user account or if IWB permanently blocks your user account, your personal data will be deleted after 30 calendar days at the latest, unless it is required as evidence to assert claims in connection with the use of enerjoy beyond this period.

11. How do we protect your data?

We treat data confidentially and implement appropriate technical and organizational security measures to maintain the confidentiality, integrity, and availability of your personal data. This is done to protect them against unauthorized or unlawful processing and to guard against the risk of loss, unintentional alteration, unintended disclosure, or unauthorized access.

For the transmission of your data, we use modern standard encryption techniques. However, communication via email is not encrypted. If you contact us through the support function via email, you do so at your own risk and agree that we will respond to the sender’s address via the same channel. If you send us emails over the internet without encryption, they may be accessible, viewable, and manipulable by third parties.

We want to make you aware that despite extensive technical and organizational security measures, there is still a possibility that data may be lost or intercepted and/or manipulated by third parties.

12. Legal bases

Depending on the applicable law, data processing is only permitted if the applicable law specifically permits it. This does not apply under the Swiss Data Protection Act, but does apply under the GDPR, for example, insofar as it is applicable (which can only be determined on a case-by-case basis). In this case, we base the processing of your personal data on the fact:

  • that it is necessary for the preparation and execution of contracts – in particular the General Terms and Conditions of Contract for the use of “enerjoy”.

This includes processing for the purposes of operating the app, providing information and the associated purpose of communication, unless we have asked for your consent separately, e.g. for the use of push notifications.

  • that it is necessary for the legitimate interests of us or third parties.

This includes:

  • processing for the purposes of website operation, security and stability, compliance with Swiss and foreign legal and regulatory requirements and defense and enforcement of claims.
  • processing for the purposes of statistics, improvement of offers, market research and marketing, unless we have asked for your consent, e.g. for the use of performance and advertising cookies.
  • that it is required or permitted by law or
  • that you have consented to the processing separately, e.g. to receive the newsletter, the use of performance and advertising cookies on the website or to receive push notifications on your iOS device.

You will find the relevant provisions in Art. 6 and 9 of the GDPR.

Incidentally, you are not obliged to disclose data to us, subject to individual cases (e.g. you can only use the app in accordance with the contractual terms and conditions if you register). However, we must process data for legal and other reasons when we conclude and execute contracts. The use of our website is also not possible without data processing.

13. What rights do you have?

Under certain circumstances, applicable data protection law grants you the right to object to the processing of your data, in particular for the purposes of direct marketing, profiling for direct marketing and other legitimate interests.

To make it easier for you to control the processing of your personal data, you have various rights in connection with our data processing under the applicable law: 

  • the right to request information from us as to whether and which of your data we are processing;
  • the right to have us correct data if it is incorrect;
  • the right to object to our processing for certain purposes and to request the restriction or deletion of data, unless we are obliged or entitled to continue processing it;
  • the right to request that we hand over certain personal data in a commonly used electronic format or transfer it to another controller
  • the right to withdraw consent where our processing is based on your consent.

Please note that certain conditions must be met in order to exercise these rights and that exceptions or restrictions may apply (e.g. to protect third parties or trade secrets). We will inform you accordingly if necessary.

In particular, we may need to further process and store your personal data in order to fulfill a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent permitted by law, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may therefore also refuse a data subject request in whole or in part (e.g. by blacking out certain content that concerns third parties or our business secrets).

If you wish to exercise rights against us, please contact us in writing (see section 2). So that we can rule out misuse, we must identify you (e.g. with a copy of your ID, if this is not otherwise possible).

Please let us know if you do not agree with our handling of your rights or data protection.

14. Can this privacy policy be changed?

This privacy policy is not part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.