Data Protection Policy – Mobile devices

Punkt. is committed to protecting and respecting the User’s Privacy Rights.
This document has been drawn up in compliance with the Federal Data Protection Act and art. 13 of EU Regulation 679/2016 (hereinafter "Regulation"), for users (hereinafter "Users" or "User") of products and services owned by Punkt Tronics AG, Vat Id CHE-114.634.022 VAT, Reg. No. CH-501.3.011.937-5, with headquarters in Via Losanna 4, 6900 Lugano, Switzerland, which acts as the Data Controller of personal data (hereinafter “Data Controller”).
The document details how your personal information is managed when you use Punkt. mobile devices (including but not limited to feature phones, smart phones, tablets, laptops, wearables) or any associated applications developed by Punkt. and/or its partners, as well as allowing you to give consent, in the event that it is required, to process your personal data by these applications or other features that require access and interaction.
We would like to remind you that, in the relevant sections of the Punkt. website where your personal data is collected, you will find specific information, pursuant to the Federal Data Protection Act and art. 13 of EU Regulation 2016/679, for your acknowledgment and acceptance, before submitting any data requested.
Any information and personal data provided by you or otherwise acquired in the context of various Punkt. services, included but not limited to the software and service developed by its partners, , namely AphyOS and Apostrophy Services, (altogether the “Software”), will be processed in compliance with the key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.

1. The personal data being processed

Punkt.mobile devices aim to protect privacy and personal information of the user and were designed accordingly, based on the principles of privacy by design and by default.
With Punkt mobile devices users can store, transmit and manage personal data; mobile applications may be installed onto the devices to access information databases or web portals where different categories of personal data could also be available. The personal data in question may thus include names, e-mail addresses, telephone numbers, messages, chats, electronics communications, log files, multimedia contents, calendar and notes, traffic and location data, IP addresses and cookies, IMEI (International Mobiile Equipment Identity) numbers, as long as they can identify a natural person. It should also be noted that the personal data may be processed under any form, such as in an e-mail which contains personal data, and with any technology, including Internet protocols. Even in the simplest case, for example when the device is used only for phone communications and SMS, traffic and contact data of the phone users and their communications partners will be processed. In addition, smart phones and tablets utilize a number of techniques that make it possible to identify and track individuals with regard to their physical location and in relation to how they make use of their device and applications (location-based services available on mobile devices phones and tablets collect location information that allows third parties to identify the precise whereabouts of users; this functions may be enabled on feature phones for emergency calls, if the service is supported by the network provider). Moreover, personal data of third parties may be contained in messages and stored calls, e.g. in a voice mail system.

Punkt. recognises the importance and necessity for users to store data safely and communicate securely. To this end:

• The physical storage medium is encrypted with a strong symmetric encryption algorithm and the decryption key is stored in the chipset of the device itself.  Punkt. has no access to the data stored in the phone, which remains the exclusive property of the owner;
• the Software on the device does not share data with third parties and its implementation follows best practices for the development of secure software and guidelines of recognized standards;
• transmission channels between the device Software and the additional applications and services are also protected by secure protocols encrypted with a digital certificate;

However, for technical reasons relating to the configuration and maintenance of the product’s security, Punkt. may have to process location and usage data which is generated by the device when it interacts with Punkt.’s infrastructure reachable through the network. This is because the Punkt mobile devices to gain connectivity must be associated with a unique address whose transmission is implicit in the use of communication protocols. The information is not collected to be associated with identified interested parties, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data may include IP addresses, IMEI numbers, serial numbers, Device Identifier URI (Uniform Resource Identifier) addresses of the requested resources, Software version number, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the telephone operating system and the user's IT environment. These data are usually used for the sole purpose of obtaining anonymous statistical information on the use of accessible resources and to check their correct functioning, to identify anomalies and/or abuses, and are deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical IT crimes against third parties.
In Punkt.’s case, the data processed are is:

• general billing data, to finalize the sale of the product;
• general contact details, name, surname and email address, to manage any reports or requests for information;
• navigation data (for example the IP ) and, if required by the IT infrastructure, device identifier (for example IMEI number) to optimize, service, monitor the IT infrastructure necessary to guarantee the security of the hardware and software of the product, to provide updates to the operating system and any downloads, updates and maintenance of applications which have been developed.

2. How we use personal information

The Data Controller advises that the data will be processed lawfully pursuant to art. 6 of the Regulation, and with your explicit consent where necessary, exclusively for the following purposes:

• Allow the provision of the requested Services and the carrying out of communications relating to the performance of the established relationship;
• requirements relating to the stipulation of contracts and assignments, their execution and subsequent amendments or variations and for any obligation envisaged for the fulfilment of the same;
• allow the download and update of applications and the operating system;
• respond to requests for assistance or information, which we will receive by email, telephone or through the "Contact Us" page of our website;
• operational, organizational, managerial, fiscal, financial, insurance and accounting requirements relating to the contractual and / or pre-contractual relationship established;
• monitoring needs, including IT, of the methods of provision of services;
• to elaborate studies, research, market statistics;
• for the sole purpose of security and prevention of fraudulent conduct.

3. Legal basis and compulsory or optional nature of consent for provision of data

The Owner processes Personal Data relating to the User if one of the following conditions exists:

• The User has given consent for one or more specific purposes, like in the case of certain types of service requests that require the creation of an account on the website;
• the processing is necessary for contract execution with the User and/or for the execution of pre-contractual measures, as in the case of billing data for the sale of the device or contact for after-sales assistance;
• the processing is necessary to fulfil a legal obligation to which the Data Controller is subject, as in the case of communication to the Competent Authority in the case of computer crimes;
• the processing is necessary for the pursuit of the legitimate interest of the Data Controller or of third parties, as in the case of promotional communications on products or services that are similar and improved with respect to those already purchased (the so-called "soft spam", provided that the interested party does not exercise his right to object, as indicated in this document).

You have the right to ask the Data Controller to clarify the concrete legal basis of all data in which one is involved.

The provision of personal data by the User is always optional, but it is essential to conclude a purchase agreement or to guarantee access to additional services such as the management of your customer service requests following updates to the Software or applications. Any refusal, albeit legitimate, to provide all or part of the requested data, may make it impossible for Punkt. and its partners to carry out the regular provision of the requested services.

4. Who is your Data is processed by?

Your Personal Data that will be processed by staff specifically trained by Punkt. pursuant to art. 29 GDPR. Your personal data may also be transmitted to third parties that have been appropriately selected and are certified as GDPR-compliant for the sole purposes stated in the previous art. 3.

These third parties have been appointed as data controllers and carry out their activities according to the instructions issued by Punkt. and under its control.
More specifically, the Personal Data of Users may be disclosed to third parties for the following purposes, strictly necessary for the provision of the requested services:

• Storage, hosting, management and maintenance of the back-end infrastructure, related to the production and development of Punkt mobile devices and applications;
• Additional security features and real-time monitoring of the integrity of the Punkt mobile devices ' hardware and software components;
• accounting management.

The list of external managers is available upon written request to our email address: info@punkt.ch

5. Where your data is stored

The Data is processed at the operational headquarters of the Data Controller and in any other place where the parties involved in the processing are located. For the most part (and to the greatest extent possible) data are processed in Switzerland. For more information, contact the Data Controller at the following email address info@punkt.ch.

6. Extra-EU Data Transfer

Personal Data, collected exclusively for technical purposes related to the execution of specific activities aimed at the correct functioning of the Punkt mobile devices and for related assistance services, could be transferred to non-EU countries, is stored in compliance with Chapter V of the GDPR.
The personal data that could be transferred are:

• billing data, provided when the device is purchased;
• contact details, name, surname and email address, provided in the context of user notification or requests to our customer service department for information or assistance;
• navigation data (e.g., IP address) and, if required by the IT infrastructure, device identifier (for example IMEI number) to optimize, maintain, monitor the IT infrastructure necessary to ensure the security of hardware and software of the product and to distribute software updates.

In order for the transfer to third countries to be carried out, Punkt. verifies the presence of adequate safeguards such as:

• an adequacy decision;
• revised European Commission’s standard contractual clauses, which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?.
• or other documentation that appropriately justifies the existence of requirements of "substantial equivalence" of protection.

The lack of an adequate decision or a situation of presumed substantial equivalence generates risks for the interested party, who may not enjoy, the same protection of his personal data in the third country (e.g., due to the absence of supervisory authorities or due to the greater interference of the public authority that could request its transmission). You should be mindful of these residual risks, even if their likelihood in a specific instance is low, as we actively implement additional safeguards, such as requiring service providers to commit to measures like data pseudonymization or challenging governmental access legally requested, in order to mitigate them further.

In these cases, if the transfer is absolutely necessary for technical purposes of updating the System Software, Punkt. will request the explicit consent of the interested party, pursuant to art. 49 paragraph 1, letter a) of the GDPR.
It is not possible, in fact, to waive the transfer of the IP address , as it is implicitly necessary for the operation of the internet transport protocols to uniquely identify the communication actors (in this case the device to be updated and the server that must distribute the update); however, the interested party is granted the possibility of not giving consent to the transfer, or to revoke it at any time, yet still being able to use the Punkt mobile device without updates.
Further information is available from the Data Controller.

7. Processing methods and security measures

The processing of Personal Data is carried out using IT and / or telematic tools, using organizational methods and with logic strictly related to the purposes indicated, without profiling characteristics.
The processing is carried out according to methods and with suitable tools to ensure the security and confidentiality of the data in accordance with the provisions of art. 32 of the 2016/679 European Regulation.
In carrying out the processing operations, all technical, IT, organizational, logistical, and procedural security measures will always be adopted so that the adequate level of data protection required by law is guaranteed.

8. How long is your data retained?

The Data Controller will process Personal Billing Data for the time necessary to fulfil the purposes related to the execution of a contract between the Data Controller and the User and, in any case, not longer than 10 years from the termination of the relationship with the User.
Device usage and navigation data, related to resources and support services for system software updates and application functionalities (download, update, maintenance) and related log data will be kept for 60 months.
Personal Data collected for the pursuit of a legitimate interest of the Data Controller, the Personal Data will be retained until such interest is satisfied.
Personal Data may be kept for a longer period if necessary to comply with a legal obligation or by order of an authority.
All Personal Data will be deleted upon expiry of the retention period. At the end of this term, the right of access, cancellation, rectification, and the right to data portability can no longer be exercised.

9. Your rights

Users can exercise certain rights at any time with reference to the specific processing of personal data by Punkt.:

• You have the right to revoke your consent at any time;
• you have the right to object to the processing of your personal data at any time;
• you have the right to access your data. (Article 15 of the GDPR);
• You have the right to request that your data be corrected or modified; (Article 16 GDPR);
• request that the processing of your personal data be temporarily limited. (Article 18 of the GDPR);
• You may request the cancellation of your personal data in the cases provided for by current legislation. (Article 17 GDPR);
• You may request to receive your data, or have it transferred directly to a third party that you indicate. (Article 20 GDPR);
• You may lodge a complaint to the supervisory authority for the protection of personal data and/or take legal action.

To exercise your rights as described above, you can contact us by writing to us at info@punkt.ch. Requests are made free of charge and processed by the Data Controller as soon as possible, in any case within 30 days.
Last updated: November 14th, 2023