Privacy notice

1. Controller and contact

This Privacy Policy explains how CMSA Management Ltd and its affiliated companies (“CMSA”, “we”, “us”) process personal data when you visit our websites, contact us, or interact with our services.

Controller
CMSA Management Ltd
Bözingenstrasse 122
2501 Biel/Bienne, Switzerland

Contact us

Affiliated CMSA companies may support specific processing activities as processors or joint controllers where necessary. CMSA Management Ltd remains the primary point of contact for all privacy matters.

2. Personal data we process

We process the following categories of personal data depending on how you use our website:

2.1. Data you provide directly

  • Contact details (name, email, phone number, company)
  • Information submitted through contact forms or email
  • Newsletter subscription information
  • Job application interest (via external link to Umantis; see section 12)

2.2. Data collected automatically

  • IP address (shortened or anonymized where possible)
  • Device and browser information
  • Date, time, and duration of visits
  • Pages viewed and referring URLs
  • Error logs and security logs

2.3. Cookies and tracking technologies

Via Cookieyes, we use:

  • strictly necessary cookies
  • preference cookies
  • statistical/analytics cookies
  • marketing/advertising cookies

More details are provided in section 5.

3. Purposes of processing

We process your personal data for the following purposes:

  • operating and securing the website
  • responding to inquiries
  • providing information about CMSA products and services
  • newsletter distribution
  • improving website performance and user experience
  • audience measurement and analytics
  • marketing performance measurement (e.g., LinkedIn Insight Tag)
  • compliance with legal obligations and regulatory requirements
  • preventing misuse, fraud, and security incidents

4.1. Under the Swiss Federal Act on Data Protection (FADP)

We process data based on:

  • your consent (e.g., for non-essential cookies, newsletters)
  • our legitimate interests in operating, securing, and improving our website
  • the necessity to communicate with you or respond to your inquiries
  • legal obligations applicable to CMSA

4.2. Under the GDPR (for EU/EEA visitors)

Where applicable, processing is based on:

  • consent (e.g., analytics, marketing cookies, newsletter)
  • legitimate interests (website operation, security, analytics with anonymization)
  • performance of a contract or pre-contractual steps
  • compliance with legal obligations

5. Cookies, analytics, and tracking technologies

We use CookieYes to manage cookie consent on our website.

When you first visit the website, the CookieYes banner allows you to:

  • accept all cookies
  • reject non-essential cookies
  • select specific cookie categories
  • withdraw or modify your consent at any time

Your current consent status can be reviewed or changed at any moment through the CookieYes widget or link in the website footer.

5.2. Categories of cookies used

CookieYes manages the following categories:

  • Necessary cookies: essential for website operation and security
  • Preferences cookies: store user settings and display preferences
  • Statistics cookies: help us understand how the website is used
  • Marketing cookies: measure the effectiveness of our marketing activities, such as LinkedIn Insight Tag

CookieYes automatically generates and displays the full cookie list, including purpose, provider, duration, and category.

(All remaining subsections about GA4, LinkedIn, YouTube remain unchanged.)

5.3. Google Analytics 4 (GA4)

We use GA4 to analyse website performance.
GA4 may collect:

  • truncated IP addresses (IP anonymization active)
  • device and interaction data
  • page views and navigation patterns

GA4 data is stored in the EU unless otherwise configured.
You can disable GA4 via the cookie banner.

5.4. LinkedIn insight tag

We use LinkedIn’s analytics pixel to measure campaign effectiveness.
This may include:

  • browser metadata
  • LinkedIn IDs (if logged in)
  • interactions with our pages

LinkedIn may use this data to show targeted content on its platform.
You can disable it via cookie settings or LinkedIn privacy controls.

5.5. Youtube

Embedded Youtube videos may set cookies when played.
We can enable “privacy-enhanced mode” where feasible.
You can disable these cookies through Cookiebot.

6. Newsletter

If you subscribe to our newsletter, we process:

  • your email address
  • optional contact details
  • confirmation timestamps (double opt-in)

We use Brevo as our email distribution provider.

You may unsubscribe at any time using the link included in each email.
Brevo stores newsletter data in the EU.

7. Disclosure to third parties

We share personal data only where necessary and only with:

  • service providers (hosting, maintenance, analytics, newsletter)
  • CMSA affiliates supporting operations
  • authorities where legally required

We do not sell personal data.

All service providers are bound by contractual confidentiality and security obligations.

8. Storage location and international transfers

We process personal data primarily in Switzerland and the European Union.
If exceptionally data is transferred outside these regions, such transfers occur only:

  • with your consent, or
  • with adequate safeguards (e.g., Standard Contractual Clauses)

As of today, no systematic cross-border transfer is performed.

9. Retention periods

We retain personal data only as long as necessary for the purposes listed above.

Typical periods include:

  • contact form submissions: usually 12 months
  • newsletter data: until you unsubscribe
  • server logs: typically 7–30 days unless needed for security or evidence
  • cookie consent logs: as required by law (up to 12 months)

When data is no longer required, it is securely deleted or anonymized.

10. Security of personal data

We implement appropriate technical and organizational measures to protect your data, including:

  • encrypted transmission (HTTPS)
  • controlled access to systems
  • secure hosting environments
  • regular monitoring and maintenance
  • measures to prevent unauthorized access, loss, or misuse

No system can guarantee absolute security, but CMSA continuously improves its controls.

11. Your rights

Under the FADP, you may request:

  • information about your personal data
  • correction or deletion
  • restriction of processing
  • objection to processing
  • data portability (where applicable)

Under the GDPR (if applicable), you additionally have:

  • the right to withdraw consent
  • the right to lodge a complaint with an EU supervisory authority

To exercise your rights, contact us here

Requests will be handled in accordance with applicable law.

Our website may link to third-party platforms outside CMSA’s control (e.g., YouTube, LinkedIn, Umantis).
When accessing these services, their own privacy policies apply.

For job applications, CMSA redirects you to Umantis, where their privacy terms govern the handling of applicant data.

13. Updates to this privacy policy

We may update this Privacy Policy to reflect technological or regulatory changes.
The date of the latest update is shown at the bottom of the page.

Material changes will be highlighted where appropriate.