Privacy Information

1. Controller and data protection officer

This Privacy Information explains how personal data is collected and processed by us in connection with our services relating to bob credit.

"We" or "bob Finance" refers to bob Finance, a branch office of Valora Schweiz AG. The head office of Valora Schweiz AG is located at Hofackerstrasse 40, 4132 Muttenz. Accordingly, we are responsible for the collection, processing and use of your personal data in accordance with the law.

Your trust is important to us, which is why we take the issue of data protection seriously and ensure appropriate security. We are committed to handling your personal data responsibly. Consequently, we consider it a matter of course to comply with the legal requirements of the Swiss Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (FADP), the Telecommunications Act (TCA) and other provisions of Swiss law.

You can reach our company data protection officer by e-mail at dataprivacy@valora.com or alternatively by letter post to the address given above.

2. Types of data and purposes of processing

Data in connection with bob credit: When you send us a request for credit under our bob credit offer (with or without credit insurance), we will collect data from you.

This includes, on the one hand, personal master data (title, surname, first name, date of birth) and contact data (e-mail address, address and mobile number) of you and, under certain circumstances, also of your spouse or registered partner ("partner"), as well as other data relevant to the granting of credit (e.g. copy of ID, employer, contact person at the employer, monthly income, wage statements, bank statements, existing loans and debt collection, existence of a guardianship). We need this data to create your customer account, to contact you if necessary, to carry out the creditworthiness check required by law and to prepare the contract or to process the contract properly.

If a credit contract is concluded, we may send you invoices and payment reminders by SMS, e-mail or by letter post.

For more information on how we transfer your data to third parties or what information we obtain from third parties, please refer to section 3 "Transfer of your personal data".

Direct marketing: if you give us your consent for this, we will use your e-mail address, as well as certain demographic data (age, gender, postal code, language) and your contract master data to send you attractive offers and relevant information about our products and/or (depending on the consent you have given) about the products of our cooperation partners.

Website Log Data: When you visit our website, our web server automatically records details about your visit, for example, your IP address, the website from which you visit us, the type of browser software you use and certain information regarding your website usage, including the date and duration of your visit, as well as information about which products you viewed on our website and which you added to your shopping cart. We use tracking technologies, as well as cookies and third-party analytics services, to collect log and analytics data. You can learn more about this topic in our Cookie Notice.

3. Disclosure of your personal data

• Disclosure to employees and affiliates: Where necessary for the processing purposes set out above, we may disclose your personal data to our own employees as well as to our affiliates (regularly within, and only exceptionally outside, Switzerland, see Section 5).
• Disclosure to third parties:
  • Credit reporting agencies: If you apply for a loan, we will transfer your personal data (name, address, date of birth, copy of ID, loan amount and modalities) to credit reporting agencies (e.g. ZEK, CRIF, IKO). In the course of the creditworthiness check, we will also check your data against our internal customer and contract databases. In addition, we may report any qualifying delinquencies or abuses to the aforementioned entities. Based on the information we receive back from the credit reporting agencies, we will perform a creditworthiness check to determine whether we can offer you a credit. If you have provided information about your partner, the corresponding data may also be transmitted to the above-mentioned credit agencies in order to obtain information about your partner's creditworthiness. In addition, we may verify the information provided by means of direct inquiry with your partner.
  • Other public agencies: As part of the creditworthiness check, we also obtain information from public bodies in order to comply with legal requirements. This may include obtaining an extract from the debt collection register from the relevant debt collection office. The data from the debt collection extract is used directly in the creditworthiness check to decide whether we can offer you a loan. In addition, we can verify your place of residence with the competent residents' registration office and/or, if there is a reasonable suspicion of a guardianship, check the existence of such a guardianship with the competent adult protection authorities.
  • Employer: Only in the event of justified doubts regarding the authenticity of submitted wage statements/supporting documents will we verify this information with the employer. The verification will be carried out via the employer you have indicated. In this process, the salary and the status of the employment relationship will be verified. The employer will not be informed about our services, their scope or any other information about you. The data from the verification flows directly into the credit check to decide whether we can offer you a loan.
  • Credit intermediary: certain application and contract data is shared with your credit intermediary for the purpose of tracking outstanding applications and current contracts, and for the purpose of commission accounting.
  • Insurance provider: if you take out insurance for your loan through us, related data will be shared with the insurance provider for the purpose of preparing and executing the insurance contract (including for the settlement of insurance claims) and for the purpose of commission settlement.
  • Note: We have no influence on the data processing by the above-mentioned third parties. Information on the processing of your personal data by the third parties can be requested directly from them or can be found in their privacy policy.

• Transfer to processors: We have engaged a processor to store your personal data in a secure database. We have entered into a data processing agreement with our data processor to ensure that your personal data is adequately protected at all times and is processed only as we would be permitted to do.
• Disclosure in connection with financial transactions: If we are involved in a business combination (merger), joint venture, acquisition or sale of shares in a company or assets, we may disclose your data to any transaction partner who also complies with the applicable legal basis, in particular with respect to your data protection rights.
• Disclosure in connection with criminal proceedings: To the extent permitted by law, we may disclose information the disclosure of which is necessary or helpful to investigate or prevent an actual or suspected criminal offense or other violation of our rights or the rights of a third party.

4. Automated decisions

When you submit an application for a loan, an automated preliminary check of your creditworthiness (based purely on our internal specifications and a credit check with an external credit agency) is carried out on the basis of the information you provide in the application form. Only when this preliminary check has been passed will we make you a non-binding offer and ask you to submit further documents (e.g. payslips, copy of ID). Further verification of your documents is always done manually by our staff. If you receive a rejection as a result of the automated preliminary check, you have the right to contact us in this regard and to comment on the decision.

5. Place of processing and transfer to third countries

Your data will be processed in Switzerland and in the member states of the European Union. We are also entitled to transfer your personal data to third companies abroad, in particular subsidiaries, if this is necessary within the scope of the processing purpose. In doing so, the legal regulations regarding the transfer of personal data to third parties are, of course, complied with. These are obligated to the same extent as we are to data protection. If the level of data protection in a country does not correspond to Swiss data protection law, we will contractually ensure that the protection of your personal data corresponds to that in Switzerland at all times. To this end, we will either conclude the recognized standard contractual clauses with the recipient or implement other additional suitable guarantees.

Individual third-party service providers may be based in the USA. For the sake of completeness, we would like to point out to users who are resident or domiciled in Switzerland that there are monitoring measures in place in the USA by US authorities, which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the U.S. authorities to the data and their subsequent use to very specific, strictly limited purposes that are capable of justifying the intrusion associated both with the access to these data and with their use. In addition, we would like to point out that there are no legal remedies available in the USA for data subjects from Switzerland to obtain access to the data concerning them and to obtain their correction or deletion, or that there is no effective judicial legal protection against general access rights of US authorities.

We would like to point out to users residing in Switzerland or in a member state of the EU that, from the perspective of Switzerland and the European Union, the USA does not have an adequate level of data protection - among other things due to the issues mentioned in this section. Insofar as recipients of data are based in the USA, we will ensure that your data is protected at an appropriate level with our partners by means of contractual arrangements with these companies and, if necessary, additional required appropriate safeguards that protect the rights of individuals whose personal data is transferred to a third country.

6. Own social media presences

On our website you will find links to social media networks. These are not plugins provided by the social media network, which, without user influence, already transmit data to the provider when the page is loaded. Behind the buttons to the social media networks is merely a link to our presence on the social media network. No user data is transmitted from our website to the social media network.

The links lead to our appearances on the following networks:

- Facebook by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland,

- Instagram by Instagram Inc, 1601 Willow Road, Menlo Park, CA 94025, USA,

- LinkedIn operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA,

- YouTube operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and

- Kununu operated by New Work SE, Dammtorstrase 30, 20354 Hamburg.

When you open a link to one of our social media profiles, a direct connection is established between your browser and the server of the social network in question. This provides the network with the information that you have visited our website with your IP address and that you opened the link. If you open a link to a network while you are logged into your account with the network in question, the content of our site can be linked to your profile with the network, which means that the network can assign your visit to our website directly to your user account. If you want to prevent this, you should log out before activating corresponding links. An assignment will take place in any case if you log in to the relevant network after activating the link.

We have not checked third-party websites linked on our website and do not assume any responsibility for how the above-mentioned social media networks process personal data. We recommend that you read the privacy statements of third-party websites in advance.

7. Data security

We use appropriate and reasonable technical and organizational security measures to protect your personal data stored by us against manipulation, partial or complete loss and unauthorized access by third parties. Our security measures are continuously reviewed, adapted and improved in line with technological developments.

You should always treat your access data confidentially and close the browser window when you have finished communicating with us, especially if you share the terminal device with others.

Our employees and the service companies commissioned by us have been obligated by us to maintain confidentiality and to comply with the provisions of data protection law.

8. Processing duration

We process your personal data only as long as it is necessary for the respective processing purpose or until the legal or contractual retention period for your personal data has expired.

• We store personal master data, contact data, data related to the performance of the contract and data related to the performance of the creditworthiness check (including the relevant supporting documents) for a period of 10 years after the credit agreement has been terminated. If you submit a credit application and no credit agreement has been concluded, your data will be deleted after 24 months at the latest.
• We store electronic correspondence for a maximum period of 5 years, unless the correspondence is required as part of a legal dispute.
• If you have agreed to receive attractive offers and information about our products from us, we will use your e-mail address for this purpose until you revoke your consent, for example by clicking the "Unsubscribe" link in our e-mail.

9. Your rights

You have the following rights in connection with your personal data:

• Withdrawal of consent: For those data processing operations to which you have given your consent, you have the right to revoke it at any time.
• Right of access: You also have the right to find out from us what data we process about you, on what legal basis and for what purposes, as well as to request a free copy of your personal data.
• Right to rectification: If your data is incomplete or incorrect, you have the right to request rectification of your personal data. Some information you can do on your own in your customer account.
• Right to erasure: You can request that your personal data be deleted, especially if it is no longer needed for the purposes described.
• Right to restriction: You can request the restriction of the processing and/or disclosure of your personal data.
• Automated decisions: Where, in the context of this website, decisions are based exclusively on automated processing, you may request a manual review of the decision.

If you wish to exercise your rights, please direct your request to our company data protection officer (contact information in section 1).

Right to complain: If you have reason to believe that bob Finance is not processing your personal data in accordance with applicable laws and regulations and/or if you do not agree with the response to your request to grant your rights, you may file a complaint with the competent supervisory authority.

Last updated on: May 17, 2021