Emazing Data Protection Policy
(FADP Compliance)

1. Scope and Legal Framework

1.1 Legal Basis: This policy defines the standards by which Emazing processes personal data, ensuring full compliance with the Federal Act on Data Protection (FADP) (in force since September 1, 2023) and its implementing Ordinance (DPO). The FADP applies to all processing of personal data relating to natural persons in Switzerland, as well as foreign controllers processing data abroad that has a relevant effect in Switzerland.

1.2 Data Controller: Emazing (Contact: Pierre-Emmanual Berthier, route des jeunes 4 1227 Les Acacias).

1.3 Principles: Data processing must be lawful, carried out in good faith, proportionate, and collected only for a specific, recognizable purpose (principle of purpose limitation).

2. Categories of Data Processed (Behavioral Focus)

Emazing’s core business relies on advanced market research methodologies, which involves processing the following categories of data:

  • Registration Data: Basic demographics (age, gender, location, income level, purchase history) required to define the target audience for simulations.
  • Behavioral Data (The Core): Data generated during our simulation methodologies (Behavioral Concept Test, Pricing Test, E-commerce Test, Kiosk RGM). This includes:
    ○ Click patterns, scroll depth, time spent on product pages.
    ○ Product choices, competitor selection, and purchase outcomes in simulated environments.
    ○ Price points inputted by the respondent (in Pricing Tests).
  • Profiling Data: Data resulting from the automated analysis of Behavioral Data to predict an individual's preferences, price sensitivity, and likelihood to purchase a product.

3. Lawful Processing, Transparency, and Purpose

3.1 Purpose Limitation

All data is collected solely for the purpose of market research and product optimization for our clients. Data is not processed in a manner incompatible with these original purposes.

3.2 Transparency (Duty to Inform)

In accordance with Art. 19 FADP, Emazing will inform data subjects of the following prior to or at the time of data collection:

  1. The identity and contact details of Emazing (the Controller).
  2. The processing purpose (e.g., "to test the commercial viability of a new product concept").
  3. The recipients or categories of recipients to whom the personal data is disclosed (i.e., Emazing's clients, under strict confidentiality agreements).

3.3 The Behavioral Basis (Consent and Justification)

The FADP does not require a legal basis for all processing, but rather a "justification" when processing significantly infringes on the data subject's personality.

  • General Processing: Standard behavioral data collected for market research is generally justified by Emazing’s overriding private interest (to conduct research).
  • High-Risk Profiling: Since Emazing utilizes sophisticated profiling methods (Pricing Test, Behavioral Concept Test) to predict sensitive aspects of consumer behavior, any processing deemed to constitute "High-Risk Profiling" by a private person (which poses a high risk to the data subject's personality or fundamental rights) requires the explicit consent of the data subject (Art. 6(7) FADP). Emazing will assess and document all profiling activities to ensure proper classification and consent management.

4. Technical and Organizational Measures (TOMs)

Emazing is committed to implementing appropriate TOMs to prevent data security breaches (accidental or unlawful loss, destruction, or unauthorized access). These measures include:

  • Privacy by Design and Default: Integrating data protection safeguards into the development of all research simulations, ensuring that the necessary data minimization and privacy settings are activated by default.
  • Pseudonymization/Anonymization: Data is analyzed in a pseudonymized state wherever possible. Individual respondent identities are separated from behavioral data for analysis.
  • Access Control: Restricting access to raw data to authorized personnel only (Developers, Data Analysts, Project Managers).

5. Data Subject Rights (FADP)

Data subjects have the right to:

  • Information and Access (Art. 25 FADP): Request information regarding whether personal data concerning them is being processed, and if so, to receive a copy of that data.
  • Correction (Art. 32 FADP): Demand the rectification or correction of inaccurate or incomplete personal data.
  • Object (Art. 30 FADP): Object to the processing of their personal data, particularly in cases of direct marketing or profiling.

6. Data Breach Notification

In the event of a data security breach that is likely to result in a high risk to the personality or fundamental rights of the data subject, Emazing must:

  1. Notify the FDPIC: Report the breach to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible.
  2. Inform Data Subjects: Inform the affected data subjects if necessary for their protection or if requested by the FDPIC.