Data privacy

surpriseBOX GmbH in Kirchdorf operates the website as well as the services offered on it; it is therefore responsible for the collection, processing and use of your personal data and the compatibility of data processing with applicable data protection law. 
Your trust is important to us, which is why we take protecting your data seriously and ensure the due level of security. Of course, we comply with the provisions of the Federal Law on the Protection of Data (DSG), the Ordinance to the Federal Law on the Protection of Data (VDSG), the Communications Act (FMG) and other applicable provisions of Swiss or EU data protection law, in particular the General Data Protection Regulation (DSGVO).
In order for you to be aware which personal data we collect from you and for which purposes we use it, please take note of the following information.

1. Accessing our website

When you visit our website, our servers temporarily save every access operation to a log file. As is generally the case with every connection to a web server, the following technical data is collected in the process without any action on your part and saved until we automatically delete it after 3 months at the latest:
the IP address of the querying computer,
the name of the owner of the IP address range (generally your Internet access provider),
the date and time of access,
the website, from which access occurred (referrer URL), if applicable including the search term that was used,
the name of the URL of the file accessed,
the status code (e.g. error message),
the operating system of your computer, 
the browser you used (type, version and language),
the transmission protocol you used (e.g. HTTP/1.1) and
if applicable, your user name from registration/authentication.
This data is collected and processed in order to enable the use of our website (establishing the connection), to permanently ensure system security and stability, to enable the optimisation of our website, and for internal statistical purposes. We have a legitimate interest in this data processing in the sense of Art. 6 para. 1 lit. f DSGVO.

2. Creation of a customer account

To place an order in the online shop, you can order as a guest or create a customer account. We collect the following data in connection with registration for a customer account:
First and last name
Billing/shipping addresses
Date of birth
Phone number
E-mail address
The data is collected in order to provide the customer with direct, password-protected access to their basic data stored with us. There, the customer can view orders placed or outstanding orders, or manage and/or change their personal data.
The consent you grant in accordance with Art. 6 para. 1 lit. a EU-DSGVO forms the legal basis for the processing of the data.

3. Making a purchase in the online shop

If you would like to place orders in our online shop, we will need the following data to process the contract:
First and last name
Billing address (and the shipping address if different)
Data in connection with the payment (depending on the selected payment method)
Date of birth
Telephone number
Login data, that is, e-mail address and password (for registered customers)
If not otherwise provided for in this privacy statement and/or if you have not separately consented to this, we will only use the aforementioned data to execute the contract, that is, to process your orders, to deliver the products ordered and ensure correct payment.
The legal basis for data processing for this purpose lies in the fulfilment of a contract in accordance with Art. 6 para. 1 lit. a EU-DSGVO.

4. Forwarding of data to third parties

We only pass on your personal data if you have expressly consented to this, if there is a statutory obligation to do so or this is required in order to assert our claims resulting out of the contractual relationship. 

We will also pass your data on to third parties to the extent this is necessary in connection with the use of the website and the execution of the contract (also outside of the website), that is, the processing of your bookings. This includes the respective transport service provider assigned with shipping the ordered merchandise. One service provider to whom the personal data collected via the website is passed on, or who has or can have access to it, is our web host cyon GmbH in Basel. The website is hosted on servers in Switzerland. Data is passed on for the purpose of providing and maintaining the functionality (functions) of our website. We have a legitimate interest in this in the sense of Art. 6 para. 1 lit. f EU-DSGVO.

If we provide advance performance, e.g. in the case of a purchase on account, we can also obtain a credit rating on the basis of mathematical and statistical methods to uphold our legitimate interests. To do so, we transfer the personal data required for a credit assessment to the MF Group credit agency in St. Gallen and use the information received regarding the statistical probability of payment default to make an informed decision regarding the establishment, execution or end of the contractual relationship. The credit rating may contain scores that were calculated using mathematical and statistical methods and whose calculation includes, among other things, address data. Your legitimate interests are considered in accordance with legal provisions. We have a legitimate interest in data processing in the sense of Art. 6 para. 1 lit. f EU-DSGVO in connection with the purposes discussed above.

Finally, when making a credit card payment on the website, we forward credit card information to your credit card issuer as well as the credit card acquirer. If you decide to pay by credit card, you will be asked to enter all required information. The legal basis for forwarding the data lies in the fulfilment of a contract in accordance with Art. 6 para. 1 lit. a EU-DSGVO. With respect to the processing of your credit card information by these third parties, we ask that you also read the General Business Terms and Conditions as well as the privacy statement of your credit card issuer.

All e-mail correspondence will be handled via Zendesk Inc. with headquarters in the USA. In the event of inquiries via our contact form or via e-mail, the content as well as the sender will be saved with Zendesk. This allows us to guarantee prompt and secure processing of all inquiries.

5. Transfer of data abroad

We are entitled to also transfer your personal data abroad to the third-party companies (commissioned service providers) described in this privacy statement for the purpose of data processing. They are obligated to ensure data protection to the same extent we are. If the level of data protection in a country does not correspond to the level in Switzerland or Europe, we will ensure contractually that the protection of your personal data corresponds to that of Switzerland or the EU at all times.

6. Cookies

Cookies help in many ways to make your visit to our website simpler, more pleasant and more useful. Cookies are information files which your web browser automatically saves to your hard drive when you visit our website.

We use cookies e.g. in order to offer you the shopping basket function on multiple pages and in order to temporarily save your entries when filling out a form on the website so that you do not have to enter it again when you access another subpage. Cookies are also used, if applicable, to identify you as a registered user after registering on the website without you having to log in again when you access another subpage.

Most Internet browsers automatically accept cookies. You can, however, configure your browser to not save cookies on your computer or to issue a notice every time you receive a new cookie. On the following pages, you will find explanations as to how to configure cookies with the most common browsers:
Microsoft Windows Internet Explorer
Microsoft Windows Internet Explorer Mobile
Mozilla Firefox
Google Chrome for Desktop
Apple Safari for Mobile
Deactivating cookies may result in you not being able to use all functions on our website. 

7. Tracking tools

a. General information

For the needs-based design and ongoing optimisation of our website, we use the web analytical service of Google Analytics. In this context, pseudonymised usage profiles are created and small text files that are saved on your computer ("Cookies") are used. The information regarding your use of this website that is generated by the cookie is transferred to the servers of the providers of these services, saved there and processed on our behalf. In addition to the data listed under 1, we also obtain the following information as a result:
navigation path of a user on the site,
length of visit to the website or subpage,
the subpage from which the website was left, 
the country, region or city via which access occurs, 
device (type, version, colour depth, resolution, width and height of the browser window) and 
recurrent or new visitor.
The information is used to analyse the use of the website, to compile reports on website activities and to provide other services in connection with use of the website and Internet for the purpose of market research and needs-based design of this website. If applicable, this information is also transferred to third parties if this is required by law or to the extent third parties perform contract processing of this data.

b. Google Analytics 

The provider of Google Analytics is Google Inc., a company owned by the Alphabet Inc holding company with headquarters in the USA. Before transferring the data to the provider, the IP address is shortened by activating IP anonymisation ("anonymizeIP") on this website within the member states of the European Union or in other states party to the Agreement on the European Economic Area. The anonymised IP address transferred by your browser in connection with Google Analytics is not combined with other data from Google. Only in exceptional cases is the complete IP address transferred to a server of Google in the USA and shortened there. In these cases, we will ensure by means of contractual guarantees that Google Inc. adheres to a sufficient level of data protection. According to Google Inc., the IP address will not in any case be combined with other data concerning the user. 

You can find further information regarding the use of the web analytical service on the website of Google Analytics. You can find instructions as to how to prevent processing of your data by the web analytical service under

8. Network marketing

We advertise this website via Facebook, a service of Facebook Inc., with headquarters in the USA. For this, a cookie from Facebook is deposited when you visit our website in order to enable advertising that caters to your interests based on the pages you visit. As a Facebook member, you can deactivate it using this link.

9. Notice regarding data transfers to the USA 

For reasons of completeness, we wish to point out for users domiciled or based in Switzerland that monitoring measures on the part of US authorities are in place in the USA, which generally permit the storage of all personal data of all persons whose data was transferred from Switzerland to the USA. This occurs without any differentiation, restriction or exception based on the pursued goal and without an objective criterion that makes it possible to restrict access to the data on the part of the US authorities and subsequently use it for certain strictly limited purposes, which may justify access associated both with access to this data and its use. We also wish to point out that in the USA there are no legal remedies for data subjects from Switzerland to gain access to the data concerning them and to bring about its rectification or erasure and/or no effective judicial relief against general access rights on the part of the US authorities. We expressly advise the concerned party of this legal and material situation so that they can make a corresponding informed decision regarding consent to the use of their data.

We wish to advise users domiciled in a member state of the EU that the USA, in the view of the European Union - among other things, on the basis of the topics described in this section - does not provide a sufficient level of data protection. To the extent we have explained in this privacy statement that recipients of data (such as e.g. Google) have headquarters in the USA, we will ensure, either by means of contractual provisions with these companies or by seeing to the certification of these companies under the EU-US and/or Swiss-US Privacy Shield, that your data is adequately protected at our partners' locations.

10. Vouchers and special offers

As a token of gratitude for orders, we grant you access to vouchers and special offers for purchasing and the use of other services from other providers on the Internet through Profity, which is offered by our partner adfocus GmbH with headquarters in Zug, Switzerland. In order to grant you such access, we integrate a corresponding notice from adfocus on our website via an encrypted connection, as a result of which data, in particular your Internet protocol (IP) address, which may represent personal data, is exchanged with adfocus. Any personal data which is exchanged in this respect serves solely to allow Profity to provide its offering in a continuous, secure and reliable manner (legal bases in accordance with DSGVO insofar and to the extent applicable: Art. 6 para. 1 lit. b and f DSGVO). You can find more information regarding the nature, scope and purpose of data processing in Profity's privacy statement.

11. The right to information, rectification, erasure and restriction of processing; right to data portability

You have the right to obtain information regarding the personal data concerning your person that we have saved. You also have the right to the rectification of incorrect data and the right to the erasure of your personal data to the extent this is not contradicted by a legal duty of storage or permission grounds that allow us to process the data.

You also have the right to demand the return of the data you have provided to us (right to data portability). On request, we also pass the data on to a third party of your choice. You have the right to receive data in a standard file format.

You can reach us for the aforementioned purposes via the e-mail address To process your requests, we may, at our discretion, demand proof of identification. 

12. Data security

We use suitable technical and organisational security measures to protect your personal data that is saved at our location against manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are continually improved in accordance with technological advancement.

You should always handle your access data in a confidential manner when you have finished communicating with us, especially if you use the computer together with others.

We also take data protection within the company very seriously. Our employees and the service companies we engage are required to maintain confidentiality and comply with the provisions of data protection law.

13. Storage of data 

We only save personal data as long as is necessary in order to use so-called tracking and analytical services as well as for further processing in connection with our legitimate interest. We store contractual data for a prolonged period as this is required on the basis of our legal retention duties. Retention duties, which require us to store data, arise out of the provisions of accounting and the provisions of tax law. In accordance with these provisions, business communication, contracts that have been concluded and posting documents must be stored for up to 10 years. To the extent we do not require this data for the provision of services for you, the data will be blocked. This means that the data may only be used for accounting and tax-related purposes.

14. Right to lodge a complaint with a data protection supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority at any time.

As of: 24 May 2018