Privacy Policy

We are very pleased that you are interested in our company. Data protection is of the utmost importance to Keys Distribution GmbH. In general, you can use the Keys Distribution GmbH website without providing any personal data. However, if a data subject wishes to use specific services offered by our company via our website—in particular, creating a customer account, placing an order, receiving digital products, using the electronic cancellation feature, subscribing to the newsletter, or contacting us—the processing of personal data may be necessary.

This Privacy Policy describes the principles according to which Keys Distribution GmbH processes personal data collected via the website www.keys.express or by other means by Keys Distribution GmbH. In particular, it explains what personal data we collect, for what purposes it is processed, to whom it may be disclosed, how long we retain it, and what rights and options data subjects have regarding the use of their personal data.

Personal data refers to any information relating to an identified or identifiable natural person, such as name, address, email address, online identifier, IP address, or phone number. The processing of personal data is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to Keys Distribution GmbH, as well as, where applicable, other data protection and telecommunications regulations.

As the data controller, Keys Distribution GmbH has implemented technical and organizational measures to ensure the highest possible level of protection for the personal data processed via this website. Nevertheless, internet-based data transmissions may generally involve security vulnerabilities, meaning that absolute protection cannot be guaranteed. For this reason, any data subject is free to provide personal data to us through alternative means, such as by telephone.

Personal data will neither be sold nor disclosed to third parties, except as described in this Privacy Policy or to the extent permitted or required by law.

1. Name and Address of the Data Controller

The controller within the meaning of the General Data Protection Regulation and other data protection regulations is:

Keys Distribution GmbH
Birkenweg 6
9490 Vaduz
Liechtenstein

Phone: +41 77 522 13 71
Email: willkommen@keys.express
Website: www.keys.express

If you have any questions regarding data protection, you can contact us at willkommen@keys.express.

2. Definitions

This Privacy Policy uses the terms defined in the General Data Protection Regulation.

Personal data refers to any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics.

A data subject is any identified or identifiable natural person whose personal data is processed.

Processing means any operation or set of operations performed on personal data, whether or not by automated means, including in particular the collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, making available, alignment, linking, restriction, erasure, or destruction.

Restriction of processing means the marking of stored personal data with the aim of limiting its future processing.

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Pseudonymization is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures.

The controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

A recipient is a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, regardless of whether or not it is a third party.

A third party is a natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and the persons authorized to process personal data under the direct responsibility of the controller or processor.

Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, expressed by a statement or by a clear affirmative action, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

3. Legal Bases for Processing

Article 6(1)(a) of the GDPR serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations necessary for the implementation of pre-contractual measures, such as inquiries regarding our products or services.

If we are subject to a legal obligation that requires the processing of personal data, Article 6(1)(c) of the GDPR serves as the legal basis. This applies in particular to statutory retention, accounting, tax, and documentation requirements.

If the processing is necessary to protect the vital interests of the data subject or another natural person, Article 6(1)(d) of the GDPR may serve as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights, and fundamental freedoms of the data subject do not override those interests, Article 6(1)(f) of the GDPR serves as the legal basis. Legitimate interests include, in particular, the conduct of our business operations, the secure and stable provision of our website, the handling of customer inquiries, contract fulfillment, the improvement of our offerings, direct marketing within the limits permitted by law, preventing fraud and misuse, documenting business transactions, and asserting, exercising, or defending legal claims.

4. Cookies

The Keys Distribution GmbH website uses cookies. Cookies are text files that are placed and stored on a computer system via a web browser. Many cookies contain a so-called cookie ID. This enables websites and servers to recognize the specific web browser in which the cookie was stored.

By using cookies, Keys Distribution GmbH can provide users of this website with more user-friendly services that would not be possible without setting cookies. Cookies allow us to optimize the information and offerings on our website to better serve the user’s needs. In particular, cookies enable us to recognize users and make it easier for them to use our website. For example, a user does not have to re-enter login credentials every time they visit the website if this information is retrieved by the website and the cookie stored on the user’s computer system. Another example is the shopping cart cookie in the online store. The online store uses a cookie to remember the items a customer has placed in the virtual shopping cart.

In particular, we use technically necessary cookies, performance cookies, functional cookies, and advertising cookies. For detailed information on the cookies we use, please refer to the Cookie Policy or the cookie settings on our website.

The data subject can prevent our website from setting cookies at any time by adjusting the settings of the web browser being used and can permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via the web browser or other software programs. This is possible in all common web browsers. If the data subject disables cookies, not all features of our website may be fully usable. This may particularly affect the shopping cart, login, customer account, language settings, and checkout.

5. Collection of General Data and Information When Visiting the Website

The Keys Distribution GmbH website collects a range of general data and information each time a data subject or an automated system accesses the website. This general data and information is stored in the server’s log files.

In particular, the following may be collected: the browser types and versions used, the operating system used by the accessing system, the website from which an accessing system reaches our website, the subpages visited, the date and time of access, the IP address, the Internet service provider of the accessing system, and other similar data and information used for security purposes in the event of attacks on our information technology systems.

When visiting our website, the following data may also be processed: the IP address of the requesting computer, the name of the owner of the IP address range, the referrer URL (including any search terms used), the name and URL of the retrieved file, status codes, browser type, browser version, browser language, operating system, transmission protocol used, and, if applicable, a username from a registration or authentication may be processed.

When using this general data and information, Keys Distribution GmbH does not draw any conclusions about the data subject, unless this is necessary to investigate or defend against attacks, misuse, or unlawful use. The information is required to deliver the content of our website correctly, enable the use of our website, optimize its content and advertising, ensure the long-term functionality of our information technology systems and website technology, safeguard system security and stability, and provide law enforcement agencies with the information necessary for criminal prosecution in the event of a cyberattack.

Keys Distribution GmbH analyzes this data and information—which is evaluated anonymously or separately—for statistical purposes and with the aim of enhancing data protection and data security within our company and ensuring an optimal level of protection for the personal data we process. The anonymous data from the server log files is stored separately from any personal data provided by a data subject. The legal basis is Article 6(1)(f) of the GDPR.

6. Web Hosting

One service provider to whom the personal data collected via the website is disclosed, or who may have access to it, is our web host:

IP-Projects GmbH & Co. KG
Am Vogelherd 14
97295 Waldbrunn
Germany

The website is hosted on servers in Germany. Processing by the web host serves the purposes of technical operation, security, availability, and the provision of our website.

7. Registration on Our Website and Customer Account

The data subject has the option to register on our website by providing personal data and to open a customer account. The personal data transmitted to the data controller in this process is specified in the respective input form. The personal data entered is collected and stored for internal use by the data controller and for its own purposes.

For a customer account, an email address and payment information may be required in particular. Additional information may be processed on a voluntary basis, such as title, first name, last name, date of birth, company name, VAT ID, address, country, and language. The data is used to facilitate the use of the online store and related services, to offer and deliver product keys in the best possible way, to manage orders, to issue invoices, and to provide customer service.

Upon registration, the IP address assigned by the Internet service provider, as well as the date and time of registration, are also stored. This data is stored because it is the only way to prevent misuse of our services, and this data enables us to investigate criminal offenses if necessary. In this respect, the storage of this data is necessary to protect the data controller. This data is generally not disclosed to third parties, unless there is a legal obligation to do so or the disclosure serves the purposes of criminal prosecution.

The purpose of registration is to offer the data subject content or services that, by their very nature, can only be made available to registered users. Registered users may modify the personal data provided during registration at any time or, provided there are no conflicting legal retention obligations, have it deleted.

Upon request, the data controller will provide each data subject with information regarding which personal data has been stored about them. Furthermore, the data controller will correct or delete personal data at the request or upon notification by the data subject, provided that no legal retention obligations prevent this.

8. Social Login

You have the option to purchase product keys directly through our website as a registered customer via your customer account, via a social media account (such as Google Login, LinkedIn Login, or Apple Login), or as a guest without registration.

If you register or log in via a social media account, you do not need to remember usernames and passwords for various online services. Once you have logged in, you can use your social media account to log in to your keys.express account. You can unlink these accounts at any time by either adjusting your privacy settings or your social media profile, or by disconnecting the link to the social media platform via the “My Profile” section on your account page.

When you sign in with a social media account and click the sign-in or login button for your social media account, you will be automatically redirected to the respective social media platform, where you can log in using the username and password for that account. This links your social media profile to our website or our services. Generally, your social media provider will inform you about what information may be shared with Keys Distribution GmbH. Depending on the permissions you’ve granted to the social media provider, this may include, in particular, your email address, age, or profile pictures stored in your user account.

This data is used to set up, provide, and personalize your account. Please note that your social media provider also receives data about our website services, including what you are currently doing. The purpose and scope of data collection, as well as the further processing and use of the data by the social media provider, along with your rights and settings options for protecting your privacy, are set forth in your social media provider’s privacy policy.

9. Ordering Digital Products and Product Keys via the Online Store

You have the option to purchase product keys or digital products directly through our website as a registered customer, via your customer account, via a social media account, or as a guest without registration. For this, we specifically require your email address, password, address, country, and payment information. In addition, we may process voluntary information, such as your company name, additional address details, or coupon and discount codes.

We use this data to provide you with the best possible product keys and, where necessary, to deliver them, process your order, assign payments, generate invoices, provide the digital service, handle inquiries, and offer support. This processing is necessary for the performance of pre-contractual and contractual measures. The legal basis is Article 6(1)(b) of the GDPR. To the extent that order, payment, billing, and shipping data are stored due to statutory retention obligations, the legal basis is Article 6(1)(c) of the GDPR. To the extent that data is processed for system security, to prevent misuse, to prevent fraud, to preserve evidence, or for legal defense, the legal basis is Article 6(1)(f) of the GDPR.

To the extent that the provision of product keys or digital information is technically automated, this processing serves the purpose of contract fulfillment. Such technical delivery does not constitute an automated decision within the meaning of Article 22 of the GDPR, provided that it does not result in a legal or similarly significant assessment of your person.

10. Direct Purchase of Product Keys Outside the Online Store

You have the option to contact us directly, for example via email or phone, to obtain product keys. For this purpose, we process, in particular, your email address or mailing address, as well as payment information. In addition, voluntary information may be processed, such as company name, first and last name, or coupon and discount codes.

We use this data to offer and deliver product keys to you in the best possible way, to process inquiries, to assign payments, and to fulfill the contract. The processing of this data is necessary for the performance of pre-contractual and contractual measures and is also in our legitimate interest to provide comprehensive service.

11. Payment Processing and Payment Providers

On our website, we offer the option to pay via various payment providers or payment methods. To process payments, we collect—depending on the payment method—in particular your name, address, email address, IP address, phone number, cell phone number, order information, payment amount, currency, transaction data, and other data necessary for payment processing, payment administration, fraud prevention, and contract fulfillment.

In connection with payment processing, we work with the following payment methods and providers, as indicated below:

Bank in Switzerland: PostFinance AG, Mingerstrasse 20, 3030 Bern
Purchase on account: self-administered
Credit cards: Mastercard, Visa, and American Express via Payrexx AG
PayPal.Me

When you select a payment option, personal data may be transmitted to the respective payment service provider. The purpose of this transmission is payment administration, payment processing, and, where necessary, fraud prevention. The respective payment provider’s privacy policy also applies to the processing of personal data by that provider.

The legal basis is Article 6(1)(b) of the GDPR, insofar as the processing is necessary for payment processing and the performance of the contract. To the extent that payment data is processed to fulfill tax, accounting, or legal obligations, the legal basis is Article 6(1)(c) of the GDPR. To the extent that data is processed for the purposes of fraud prevention, prevention of misuse, or the enforcement or defense of claims, the legal basis is Article 6(1)(f) of the GDPR.

13. Contact Form, Email, Telephone, and Other Communication

You have the option to contact us and communicate with us via the contact form, email, telephone, or other means. In doing so, we process, in particular, the data you provide. This may include your first name, last name, email address, phone number, country, message, or comment, as well as your company name, address, order number, customer number, product details, attachments, and other content related to your inquiry.

We use this data to respond to your contact request in the best possible and personalized manner, to communicate with you, to process your request, and to provide professional and comprehensive service. If the inquiry relates to a contract or pre-contractual measures, the legal basis is Article 6(1)(b) of the GDPR. In all other cases, the legal basis is Article 6(1)(f) of the GDPR. This personal data will not be disclosed to third parties unless it is necessary to process the inquiry, there is a legal obligation to do so, or another legal basis applies.

14. Electronic Cancellation Function

If you use our electronic cancellation function, we process the data you enter, in particular your name, email address, order number, customer number, order details, and the content of your cancellation notice.

The processing is carried out for the purpose of receiving, reviewing, processing, and documenting your cancellation, as well as to fulfill legal obligations related to consumer rights and contract fulfillment.

The legal basis is Article 6(1)(c) of the GDPR, to the extent that processing is necessary to fulfill legal obligations, and Article 6(1)(b) of the GDPR, to the extent that processing is necessary for the performance of the contractual relationship. To the extent that further documentation is required for the defense of legal claims, processing is based on Article 6(1)(f) of the GDPR.

The data will be stored only for as long as is necessary to process the revocation, to comply with statutory retention obligations, or to assert, exercise, or defend legal claims.

15. Advertising and Direct Marketing

We use data that is made publicly available on the Internet or that we have otherwise lawfully obtained to make existing customers and potential new business customers aware of our offerings. For this purpose, we process, in particular, email addresses (if available), business addresses, and publicly available business data. Such information may contain personal data.

We use this data, as well as additional business data available on the Internet, to conduct direct marketing for our products. Unless we have a customer’s consent to receive direct marketing, we use only publicly available information about the company. The processing of publicly available information about companies and the personal data contained therein is in our legitimate interest to conduct direct marketing. The legal basis is Article 6(1)(f) of the GDPR.

As a data subject, you may object to such processing at any time, free of charge, by sending an email to willkommen@keys.express. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

16. Newsletter

You can subscribe to our newsletter on our website. We use the newsletter exclusively to send you the information, offers, and news you have subscribed to via email. For this purpose, we require, in particular, a valid email address. The specific personal data transmitted to the data controller when subscribing to the newsletter is determined by the input form used for this purpose.

In general, the newsletter can only be received if the data subject has a valid email address and registers to receive the newsletter. For legal reasons, a confirmation email is sent to the email address provided upon initial registration for the newsletter using the double-opt-in procedure. This confirmation email serves to verify that the owner of the email address has authorized receipt of the newsletter.

When you subscribe to the newsletter, we also store the IP address assigned by the Internet service provider to the computer system used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary to be able to trace any potential misuse of the email address at a later date and serves to provide legal protection for the controller.

The personal data collected as part of the newsletter subscription process is used exclusively for sending our newsletter. Subscribers may be notified by email if this is necessary for the operation of the newsletter service or for related registration purposes, such as changes to the newsletter content or technical updates. Personal data collected as part of the newsletter service will not be disclosed to third parties unless there is a legal obligation to do so or another legal basis exists.

The data subject may cancel the newsletter subscription at any time. Consent to the storage of personal data for the purpose of sending the newsletter may be revoked at any time. A link for this purpose is included in every newsletter. Furthermore, it is possible to unsubscribe from the newsletter directly on the website or by other means. The legal basis is Art. 6(1)(a) of the GDPR.

17. Subscription to Blog Comments

Where a blog with a comment function is offered on our website, comments posted there may generally be subscribed to by third parties. In particular, a commenter may subscribe to comments posted in response to their own comment on a specific blog post.

If a data subject chooses to subscribe to comments, the controller sends an automatic confirmation email to verify, via a double opt-in procedure, that the owner of the provided email address has indeed selected this option. The option to subscribe to comments can be canceled at any time.

18. Google Analytics and Tracking Tools

To ensure our website is tailored to user needs and continuously optimized, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

Google Analytics is a web analytics service. Web analytics involves the collection, gathering, and evaluation of data regarding the behavior of website visitors. Among other things, a web analytics service collects data on which website a data subject came from to access a website, which subpages were accessed, how often and for how long a subpage was viewed, and how visitors navigate the website. Web analytics is primarily used to optimize a website and to perform cost-benefit analyses of online advertising.

Cookies may be used in this context. The information generated by cookies regarding the use of this website is transmitted to the servers of the providers of these services, stored there, and processed on our behalf. In addition to access data, this may also involve processing information about navigation paths, the duration of visits to the website or a specific subpage, the exit page, the country, region, or city of access, device, version, color depth, resolution, width, and height of the browser window, as well as whether the visitor is a returning or new visitor.

Google Analytics is used with the anonymization feature enabled. The IP address is truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server and truncated there. The IP address transmitted by the browser as part of Google Analytics is not merged with other Google data, provided that this is permitted by the settings and technical capabilities.

On behalf of the website operator, Google uses the information collected to evaluate the use of the website, compile reports on website activity, and provide other services related to website and internet usage to the website operator. The legitimate interest in such data processing lies in optimizing this website, analyzing website usage, and tailoring its content. To the extent that consent is required, Article 6(1)(a) of the GDPR serves as the legal basis.

You can prevent data collection by Google Analytics by adjusting the cookie settings for this website. You may also object at any time, with future effect, to the collection and storage of your IP address and the data generated by cookies. In addition, you can install a browser add-on provided by Google to disable Google Analytics. Cookies that have already been set can be deleted via your browser. Further information can be found in Google’s privacy policy.

19. Google reCAPTCHA

To protect our forms from misuse, spam, and automated access, we use Google reCAPTCHA. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

reCAPTCHA checks whether an entry on our website is made by a human or by an automated program. In particular, IP addresses, browser and device information, duration of visit, mouse movements, interactions with the website, and other technical usage data may be transmitted to Google and processed there.

The purpose of this check is to distinguish whether the input is being made by a human or, in an abusive manner, through automated, machine-based processing. It is used to protect our website and our forms from misuse. The legal basis, depending on the technical implementation, is Article 6(1)(f) of the GDPR or consent pursuant to Article 6(1)(a) of the GDPR in conjunction with the applicable regulations governing access to end-device information. Our legitimate interest lies in protecting against spam, misuse, automated attacks, and security risks. For more information on data processing by Google, please see Google’s Privacy Policy.

20. Links and Social Media Plug-ins

We have included links on our website to partner websites and other relevant websites. If you access such links from our website, data may be transferred to the operator of the website you are accessing. We have no influence over the data processing carried out by the operators of such websites.

In addition, our website may use social media plug-ins or components from Facebook, Instagram, Twitter, LinkedIn, and YouTube. When you visit our website, these plug-ins may establish a direct connection between your browser and the server of the respective social media provider. This informs the provider that you have visited our site using your IP address. If you do not want a provider to be able to associate your visit to our site with your user account, please log out of your user account before visiting.

We have no influence over the data processing activities of these social media platforms. The purpose and scope of data collection, further processing and use by the providers, as well as your rights and settings options, are set forth in the privacy policies of the respective providers.

21. Facebook

To the extent that components of Facebook are integrated into this website, Facebook may process personal data. Facebook is a social network. A social network is a social gathering place operated on the Internet—an online community that enables users to communicate with one another and interact in a virtual space.

In the preceding text, Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, was named as the operating company. If a data subject resides outside the United States or Canada, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is designated as the controller responsible for the processing of personal data.

Each time a user visits a page on this website that includes a Facebook component, the user’s web browser may be prompted by that Facebook component to download a representation of the component from Facebook. As part of this technical process, Facebook may learn which specific subpage of our website is being visited.

If the data subject is logged into Facebook at the same time, Facebook can identify which specific subpage is being visited each time our website is accessed and for the duration of the visit to our website. This information may be collected by Facebook and associated with the data subject’s respective Facebook account. If the data subject clicks a Facebook button or posts a comment, Facebook can associate this information with the data subject’s personal Facebook account and store it.

If such transmission to Facebook is not desired, the data subject can prevent it by logging out of their Facebook account before visiting our website.

22. Instagram

To the extent that components of the Instagram service are integrated into this website, Instagram may process personal data. Instagram is a service that, as an audiovisual platform, enables the sharing of photos and videos as well as the redistribution of such data on other social networks.

In the preceding text, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, was named as the operator of Instagram’s services.

Each time a user visits a page on this website that includes an Instagram component, the user’s web browser may be prompted by the respective Instagram component to download a representation of the Instagram component. As part of this technical process, Instagram may learn which specific subpage of our website is being visited.

If the data subject is logged into Instagram at the same time, Instagram can determine which specific subpage is being visited each time our website is accessed and for the duration of the visit to our website. This information may be collected by Instagram and associated with the data subject’s respective Instagram account. If such transmission to Instagram is not desired, the data subject can prevent it by logging out of their Instagram account before visiting our website.

23. Twitter

To the extent that Twitter components are integrated into this website, Twitter may process personal data. Twitter is a publicly accessible microblogging service through which users can publish and share short messages.

In the preceding text, the operating company was identified as Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

Each time a user visits a page on this website that includes a Twitter component, the user’s web browser may be prompted by the respective Twitter component to download a representation of the Twitter component. As part of this technical process, Twitter may learn which specific subpage of our website is being visited.

If the data subject is logged into Twitter at the same time, Twitter can determine which specific subpage is being visited each time our website is accessed and for the duration of the visit to our website. This information may be collected by Twitter and associated with the data subject’s respective Twitter account. If such transmission to Twitter is not desired, the data subject can prevent it by logging out of their Twitter account before visiting our website.

24. YouTube

To the extent that YouTube components are integrated into this website, YouTube may process personal data. YouTube is an online video portal that enables video publishers to upload video clips and allows other users to view, rate, and comment on them.

YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

Each time a single page of this website on which a YouTube component is integrated is accessed, the respective YouTube component may prompt the web browser to download a representation of the YouTube component. As part of this technical process, YouTube and Google may learn which specific subpage of our website is being visited.

If the data subject is logged into YouTube at the same time, YouTube can determine which specific subpage of our website is being visited when a subpage containing a YouTube video is accessed. This information may be collected by YouTube and Google and associated with the data subject’s respective YouTube account. If such transmission to YouTube and Google is not desired, the data subject can prevent this by logging out of their YouTube account before visiting our website.

25. Job Applications and the Application Process

The data controller collects and processes personal data from applicants for the purpose of conducting the application process. Processing may also take place electronically, particularly when an applicant submits application materials via email or through a web form on the website.

If the data controller enters into an employment contract with an applicant, the submitted data will be stored for the purpose of managing the employment relationship in accordance with legal requirements. If no employment contract is concluded, the application documents will be deleted two months after notification of the rejection decision, provided that no other legitimate interests of the data controller preclude such deletion. An example of such a legitimate interest could be a burden of proof in legal proceedings.

26. Recipients and Disclosure of Personal Data

We take the necessary measures to ensure that only authorized personnel and authorized agents who possess the necessary knowledge are granted access to personal data on a need-to-know basis, to the extent necessary to fulfill the purposes for which the personal data was collected.

We disclose personal data to third parties only if the data subject has expressly consented, there is a legal obligation to do so, it is necessary to enforce our rights—in particular, to enforce claims arising from the contractual relationship—or it is necessary in connection with the use of the website and the fulfillment of the contract, in particular the processing of orders.

We carefully select our partners and data processors and only do so if they provide sufficient guarantees that they have appropriate technical and organizational measures in place in accordance with legal requirements. Our data processors may process personal data only upon our documented instructions. They are subject to confidentiality requirements and may use personal data only to the extent necessary to fulfill the purpose for which the personal data was collected, unless otherwise required by law.

We may disclose personal data to the following categories of recipients in accordance with the described purposes and legal bases, to the extent necessary for the intended data processing: other companies within the group, trusted processors—in particular IT service providers, payment service providers, and financial institutions—consultants and other business partners, the public and the media, including our social media pages, administrative authorities, courts, and other competent authorities, as well as other parties in potential or actual legal proceedings.

In connection with web hosting and payment processing, we work in particular with the aforementioned web host and the aforementioned payment providers.

27. Transfer of Personal Data Abroad

We are authorized to transfer personal data to third-party companies, contracted service providers, and other business partners located abroad for the purposes of data processing described in this Privacy Policy. These parties are bound by the same data protection obligations as we are.

If the level of data protection in a country does not correspond to that of Switzerland or the European Union, we ensure—through contractual guarantees, for example based on EU Standard Contractual Clauses, as well as through technical and organizational measures—that the protection of personal data is equivalent to that in Switzerland or the EU. Furthermore, personal data may be transferred abroad with explicit consent, for the conclusion or performance of a contract, or in connection with the establishment, exercise, or enforcement of legal claims.

To the extent that this Privacy Policy states that data recipients are based in the United States or another third country, we ensure, through the legally prescribed safeguards, that personal data is adequately protected by our partners, unless an adequacy decision or another legal basis for the transfer exists.

28. Duration of Storage, Deletion, and Blocking

The data controller processes and stores personal data only for the period necessary to achieve the respective purpose of storage or to the extent required by law. If the purpose of storage no longer applies or a prescribed retention period expires, personal data is routinely blocked or deleted in accordance with legal requirements.

We store personal data only for as long as is necessary to carry out the processing activities described above, to comply with legal or regulatory requirements, or to safeguard overriding interests. Overriding interests may include, in particular, the need to provide evidence to establish, exercise, or defend actual or potential legal claims, investigations, or similar proceedings.

Contract data is retained for a longer period to the extent required by statutory retention obligations. Such obligations arise, in particular, from provisions governing accounting, civil law, and tax law. According to current guidelines, business communications, concluded contracts, and accounting documents must be retained for up to 10 years. To the extent that this data is no longer required for the performance of services, it is blocked and used only for accounting and tax purposes.

We store operational data that may contain personal data—such as logs and records—for a period of 3 to 6 months, according to current guidelines, unless longer retention is necessary to investigate attacks, disruptions, misuse, or security incidents.

Personal data collected and generated in connection with a user account—such as order history, discounts, orders, and invoices, are generally retained until the data subject requests deletion or revokes consent to storage, provided that no legal retention obligations, contractual requirements, or legitimate interests preclude this.

Newsletter data is stored until the data subject unsubscribes or revokes their consent. After unsubscribing, records of registration, consent, and revocation may be stored for a reasonable period of time, provided this is necessary for legal protection.

Data related to the electronic revocation function is stored only for as long as necessary to process the revocation, to comply with statutory retention obligations, or to assert, exercise, or defend legal claims.

29. Data Security

We have implemented various technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized use, disclosure, or access—particularly when processing involves the transmission of data over a network—as well as against other unlawful forms of processing and misuse.

For security reasons and to protect the transmission of confidential content—such as the inquiries you send to us—this website uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the browser’s address bar changes from “http://” to “https://” and by the padlock icon in your browser’s address bar. When SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.

Keys Distribution GmbH may engage third parties as data processors to collect and process personal data. The data processors we engage process personal data only in accordance with our instructions and are obligated to take appropriate security measures when handling personal data.

Unfortunately, the transmission of information over the Internet is not completely secure. Although we do our utmost to protect personal data, we cannot absolutely guarantee the security of the data transmitted to our website. Any transmission is at your own risk. Upon receipt of the information, we implement appropriate technical and organizational measures to prevent unauthorized access.

30. Rights of the Data Subject

Every data subject has the right to request confirmation from the controller as to whether personal data concerning them is being processed. If a data subject wishes to exercise this right to confirmation, they may contact us at any time.

Every data subject has the right to receive, free of charge, information about the personal data stored regarding them and to receive a copy of this information. The information provided includes, in particular, the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom personal data have been or will be disclosed, particularly in the case of recipients in third countries or international organizations; to the extent possible, the planned retention period or the criteria for determining it; the existence of a right to rectification, erasure, restriction of processing, or objection; the existence of a right to lodge a complaint with a supervisory authority; all available information regarding the origin of the data, if it was not collected from the data subject, as well as the existence of automated decision-making, including profiling, pursuant to Article 22 of the GDPR, and meaningful information regarding the logic involved, as well as the scope and intended effects of such processing.

Every data subject has the right to request the rectification of inaccurate personal data without delay. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

Every data subject has the right to request the erasure of personal data concerning them, provided that one of the legal grounds applies and provided that the processing is not necessary. A right to erasure may exist, in particular, if personal data is no longer necessary for the purposes for which it was collected or processed, if the data subject withdraws their consent and there is no other legal basis, if the data subject objects and there are no overriding legitimate grounds for the processing, if personal data has been processed unlawfully, or if erasure is necessary to comply with a legal obligation.

Every data subject has the right to request the restriction of processing if a legal requirement is met. This is particularly the case if the accuracy of personal data is disputed, the processing is unlawful and the data subject requests restriction instead of erasure, the controller no longer needs the data for the purposes of processing but the data subject requires it to assert, exercise, or defend legal claims, or if an objection to the processing has been raised and it has not yet been determined whether the controller’s legitimate grounds override those of the data subject.

Every data subject has the right to receive the personal data concerning them that they have provided to a data controller in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent or a contract and is carried out by automated means, provided that this does not infringe upon the rights and freedoms of others.

Every data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR. This also applies to profiling based on these provisions. In the event of an objection, we will no longer process personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for such marketing purposes. If the data subject objects to processing for direct marketing purposes, we will no longer process personal data for these purposes.

Every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, unless a statutory exception applies.

Every data subject has the right to withdraw consent to the processing of personal data at any time. The withdrawal takes effect for the future. The lawfulness of the processing carried out prior to the withdrawal remains unaffected.

To exercise your rights, you can contact us at willkommen@keys.express. We may require proof of identity to process your requests, if necessary.

31. Right to File a Complaint with a Supervisory Authority

Data subjects have the right to lodge a complaint with a competent data protection supervisory authority if they have concerns about how we process personal data. For users based in Switzerland, the Federal Data Protection and Information Commissioner was previously mentioned in the text. For Liechtenstein, the Liechtenstein Data Protection Authority is specifically responsible.

32. Legal or Contractual Obligation to Provide Personal Data

The provision of personal data may in some cases be required by law—for example, by tax regulations—or may result from contractual provisions, such as information regarding the contracting party. In order to conclude a contract, it may be necessary for a data subject to provide personal data that we must subsequently process. If the provision of required personal data is refused, this may result in a contract not being concluded or a service not being provided.

33. Use of Automated Decision-Making

As a responsible company, we do not engage in automated decision-making or profiling, unless expressly stated otherwise in this Privacy Policy. The technical or semi-automated provision of product keys and digital information serves the purpose of fulfilling the contract and does not constitute automated decision-making regarding the data subject within the meaning of Article 22 of the GDPR, provided that this does not result in a legal or similarly significant assessment of the individual.

34. Governing Law and Jurisdiction

This Privacy Policy and the contracts concluded based on or in connection with this Privacy Policy are governed by Liechtenstein law, unless the law of another country is mandatorily applicable. The place of jurisdiction is the registered office of Keys Distribution GmbH in Vaduz, unless another place of jurisdiction is mandatorily prescribed.

35. Questions Regarding Data Protection

If you have any questions or comments regarding this Privacy Policy or data protection, please contact us at willkommen@keys.express.

36. Changes to This Privacy Policy

This Privacy Policy may be amended from time to time without prior notice. All changes to this Privacy Policy take effect when they are published on the website. The most recent version published on the website shall apply.