Privacy policy
Somaha Foundation privacy policy
This Privacy Policy provides information about the processing of personal data in connection with our activities and operations, including our website under the domain name
For specific or additional activities and operations, we may publish further privacy policies or other information relating to data protection.
1. Contact Information
The controller responsible for data processing within the meaning of data protection law is:
Somaha Foundation
Weinbergstrasse 102
8006 Zürich
Switzerland
In specific cases, third parties may be responsible for the processing of personal data, or there may be joint responsibility with third parties. Upon request, we will gladly provide information regarding the respective responsibility.
2. Terms and Legal Basis
2.1 Definitions
Data subject: A natural person whose personal data we process.
Personal data: Any information relating to an identified or identifiable natural person.
Sensitive personal data: Data relating to trade union, political, religious or philosophical views or activities, health data, data concerning intimate matters or racial or ethnic origin, genetic data, biometric data uniquely identifying a natural person, data relating to criminal or administrative sanctions or proceedings, and data relating to social assistance measures.
Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, comparing, adapting, archiving, storing, reading, disclosing, obtaining, recording, collecting, deleting, revealing, organizing, saving, modifying, disseminating, linking, destroying, and using personal data.
2.2 Legal Basis
We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
3. Nature, Scope, and Purpose of Personal Data Processing
We process personal data that is necessary to conduct our activities and operations on a sustainable, user-friendly, secure, and reliable basis. The personal data processed may include, in particular, browser and device data, content data, communication data, metadata, usage data, master data (including inventory and contact data), location data, transaction data, contract data, and payment data. Personal data may also include sensitive personal data.
We also process personal data that we receive from third parties, obtain from publicly available sources, or collect in the course of our activities and operations, to the extent that such processing is permitted.
We process personal data, where necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example to comply with legal obligations or to protect overriding interests. We may also request consent from data subjects even where it is not required.
We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, in particular in accordance with statutory retention and limitation periods.
4. Automation and Artificial Intelligence (AI)
We may process personal data automatically or use artificial intelligence to process personal data.
We may use profiling to automatically evaluate certain personal aspects relating to data subjects. Profiling serves, for example, to analyze or predict interests, behaviors, or personal preferences.
We will inform you on a case-by-case basis about decisions that are based exclusively on the automated processing of personal data and that have legal consequences for the data subjects or significantly affect them (automated individual decisions).
5. Disclosure of Personal Data
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may include, for example, specialized service providers whose services we use. These third parties may, in turn, disclose personal data to other third parties.
In the course of our activities and operations, we may disclose personal data in particular to banks and other financial service providers, government agencies, educational and research institutions, consultants and attorneys, accounting and fiduciary service providers, debt collection agencies, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.
6. Communication
We process personal data in order to communicate with individuals as well as with government agencies, organizations, and companies. In doing so, we process in particular data that a data subject provides to us when contacting us, for example by mail or email. We may store such data in an address book or with comparable tools.
Third parties who provide us with data about other individuals are legally obligated to independently ensure the data protection of those data subjects. In particular, they must ensure that they are authorized to provide such data, and they must also guarantee the accuracy of the data provided.
7. Applications
We process personal data of applicants insofar as it is necessary to assess their suitability for employment or for the subsequent performance of an employment contract. The required personal data is derived in particular from the information requested, for example in connection with a job posting. We may publish job postings with the assistance of suitable third parties, for example in electronic and print media or on job portals and recruitment platforms.
We also process personal data that applicants voluntarily provide or publish, particularly as part of cover letters, resumes, and other application materials, as well as through online profiles.
We may allow applicants to store their information in our talent pool so that we can consider them for future job openings. We may also use such information to maintain contact and provide updates. If we believe that an applicant is a suitable candidate for an open position based on the information provided, we may inform the applicant accordingly.
8. Data Security
We implement appropriate technical and organizational measures to ensure data security commensurate with the respective risk. Through these measures, we ensure in particular the confidentiality, availability, traceability, and integrity of the personal data we process; we cannot, however, guarantee absolute data security.
Access to our website and our other digital presence is secured via transport encryption (SSL / TLS, in particular using the Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers warn users before visiting a website without transport encryption.
Our digital communications – like all digital communications in general – are subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over the corresponding processing of personal data by intelligence agencies, police departments, and other security authorities. Nor can we rule out the possibility that a data subject may be specifically monitored.
9. International Data Transfers
We generally process personal data in Switzerland. However, we may also disclose or export personal data to other countries, in particular to process it there or have it processed there.
We may disclose personal data to any country on Earth and elsewhere in the universe, provided that the legal framework in the respective country ensures an adequate level of data protection as determined by a decision of the Swiss Federal Council.
We may disclose personal data to countries whose legal systems do not provide an adequate level of data protection, provided that appropriate safeguards are in place for other reasons, in particular on the basis of standard data protection clauses or other suitable guarantees. In exceptional cases, we may transfer personal data to countries without adequate or appropriate data protection if the specific legal requirements are met, for example the explicit consent of the data subjects or a direct connection with the conclusion or performance of a contract. Upon request, we will gladly provide data subjects with information on any safeguards in place or provide a copy of such safeguards.
10. Rights of Data Subjects
10.1 Data Protection Rights
We grant data subjects all rights in accordance with applicable law. Data subjects have in particular the following rights:
- Right of access: Data subjects may request information as to whether we process personal data about them and, if so, what personal data is involved. They also receive the information necessary to assert their data protection rights and to ensure transparency. This includes the personal data itself, but also, among other things, information on the purpose of processing, the retention period, any disclosure or transfer of data to other countries, and the origin of the personal data.
- Rectification and restriction: Data subjects may request the correction of inaccurate personal data, the completion of incomplete data, and the restriction of processing of their data.
- Right to express their point of view and request human review: Data subjects may, in the case of decisions based solely on automated processing of personal data that produce legal effects concerning them or significantly affect them (automated individual decisions), present their own point of view and request a review by a human.
- Deletion and objection: Data subjects may request the deletion of their personal data («right to be forgotten») and object to the processing of their data with effect for the future.
- Data disclosure and data portability: Data subjects may request the disclosure of their personal data or the transfer of their data to another controller.
We may defer, restrict, or deny the exercise of data subjects’ rights within the limits permitted by law. We may inform data subjects of any prerequisites that must be met in order to exercise their data protection rights. For example, we may refuse to provide information in whole or in part, citing confidentiality obligations, overriding interests, or the protection of other individuals. We may also refuse to delete personal data in whole or in part, in particular citing statutory retention obligations.
In exceptional cases, we may charge a fee for the exercise of these rights. We will inform data subjects in advance of any such costs.
We are obligated to identify data subjects who request information or assert other rights through appropriate measures. Data subjects are required to cooperate.
10.2 Legal Protection
Data subjects have the right to enforce their data protection rights through legal channels or to file a complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
11. Use of the Website
11.1 Cookies
We may use cookies. Cookies – including our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data is not necessarily limited to traditional text-based cookies.
Cookies may be stored temporarily in the browser as «session cookies» or for a specific period as so-called permanent cookies. «Session cookies» are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies enable, in particular, the recognition of a browser upon the next visit to our website and thereby, for example, the measurement of our website’s reach. Permanent cookies may also be used for online marketing.
Cookies can be fully or partially deactivated, restricted, or deleted at any time in the browser settings. Browser settings often also allow for automated deletion and other management of cookies. Without cookies, our website may no longer be fully available. We actively seek – at least to the extent required by applicable law – your express consent to the use of cookies.
11.2 Logging
For every access to our website and our other digital presence, we may log at least the following data, provided that this information is automatically collected or transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual subpages of our website accessed including the amount of data transferred, the last webpage accessed in the same browser window (referrer).
We log such information, which may also constitute personal data, in log files. The information is necessary to make our digital presence available on a permanent, user-friendly, and reliable basis. The information is also necessary to ensure data security – including through third parties or with the assistance of third parties.
11.3 Tracking Pixels
We may incorporate tracking pixels into our digital presence. Tracking pixels are also known as web beacons. Tracking pixels – including from third parties whose services we use – are typically small, invisible images or scripts written in JavaScript that are automatically loaded when our digital presence is accessed. Tracking pixels can collect at least the same information as is recorded in log files.
12. Notifications and Communications
12.1 Performance and Reach Measurement
Notifications and communications may contain web links or tracking pixels that record whether a specific message has been opened and which web links were clicked. Such web links and tracking pixels may also record the use of notifications and communications on a personal basis. We require this statistical recording of usage for performance and reach measurement in order to send notifications and communications effectively and in a user-friendly manner, as well as on a sustainable, secure, and reliable basis, based on the needs and reading habits of the recipients.
12.2 Consent and Objection
You must generally consent to the use of your email address and other contact information, unless such use is permitted on other legal grounds. To obtain any double-confirmed consent, we may use the «double opt-in» procedure. In this case, you will receive a message with instructions for the double confirmation. We may log obtained consents, including IP address and timestamp, for evidentiary and security purposes.
You may generally object to receiving notifications and communications, such as newsletters, at any time. With such an objection, you may simultaneously object to the statistical recording of usage for performance and reach measurement. This does not apply to necessary notifications and communications related to our activities and operations.
12.3 Service Providers for Notifications and Communications
We send notifications and communications with the help of specialized service providers.
In particular, we use:
- Mailchimp: Communication platform; provider: The Rocket Science Group LLC DBA Mailchimp (USA) as a subsidiary of Intuit Inc. (USA); data protection information: data privacy policy (Intuit) including «Country and Region-Specific Terms», «Mailchimp Privacy FAQs», «Mailchimp and European Data Transfers», «Security», cookie policy, «Requests regarding Data Protection Rights», «Legal Terms».
13. Social Media
We maintain a presence on social media platforms and other online platforms to communicate with interested individuals and provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland.
The General Terms and Conditions (GTC) and Terms of Use, as well as privacy policies and other provisions of the respective operators of such platforms, also apply in each case. These provisions provide information in particular about the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right of access.
14. Third-Party Services
We use services from specialized third parties to enable us to carry out our activities and operations on a sustainable, user-friendly, secure, and reliable basis. With such services, we can, among other things, embed functions and content into our website. With such embedding, the services used collect users’ IP addresses for technically mandatory reasons, at least temporarily.
For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in aggregated, anonymized, or pseudonymized form. This includes, for example, performance or usage data required to provide the respective service.
Digital Infrastructure
We use services from specialized third parties to access the digital infrastructure required for our activities and operations. These include, for example, hosting and storage services from selected providers.
In particular, we use:
- Cyon: hosting; provider: cyon AG (Switzerland); data protection information: «Data Protection», data privacy policy.
15. Final Notes on the Privacy Policy
We may update this Privacy Policy at any time. We will inform you of updates in an appropriate manner, in particular by publishing the current version of the Privacy Policy on our website.