🎉 Join our fertility treatments webinar with Dr. Maddalena Masciocchi! Sign up now
Last updated: 26 August 2024
This Privacy Policy explains how and why we collect, process, and use personal data. It provides key information, including:
Under data protection law, the entity that determines whether, for what purposes and how data is processed is responsible for data processing. Generally, one of the companies within the “Cada Group” (“we,” “us”) is responsible for data processing in accordance with this Privacy Policy. The Cada Group provides medical, therapeutic and diagnostic services in the fields of gynaecology, obstetrics and human reproductive medicine and consists of Cada Fertility AG (Neuwiesenstrasse 15, 8400 Winterthur, CHE-321.718.748) and its subsidiaries Cada Clinics AG (Neuwiesenstrasse 15, 8400 Winterthur, CHE-170.209.333), Cada Health AG (Neuwiesenstrasse 15, 8400 Winterthur, CHE-499.863.124) und Cada Lab AG (Neuwiesenstrasse 15, 8400 Winterthur, CHE-289.024.931). Typically, the company that references this Privacy Policy (e.g., when you use its services) is responsible for data processing. However, several companies within the Cada Group may be jointly responsible for specific data processing activities when they collaboratively determine the organization and purpose of the data processing.
This Privacy Policy applies to all individuals (“you”) whose data we process, regardless of how you interact with us (e.g., in a clinic, on a website, in an app, through an online appointment booking tool, by telephone, via social media, at an event, etc.).
Our data processing activities particularly concern the following categories of individuals, where personal data is involved:
Patients in our clinics and practices;
Individuals who use our services or engage with our offerings;
Users of our app;
Visitors to our websites;
Visitors to our premises;
Individuals who contact us by any means (e.g., email, phone);
Recipients of informational and marketing communications;
Participants in market research, opinion polls, patient surveys or competitions;
Contact persons of our suppliers, business partners, organisations and authorities;
Job applicants
This Privacy Policy applies across all business areas of the Cada Group, including Cada practices, clinics and laboratories, as well as all companies within the group. However, individual companies within the Cada Group may provide additional privacy information. Therefore, please also review any supplementary privacy notices provided by the relevant company (typically available on the company's website).
Additionally, please consult any applicable contractual provisions (e.g., General Terms and Conditions (GTC)) for further details on our data processing practices. For information regarding the collection and processing of personal data when using our websites, apps, and social media platforms, particularly concerning cookies and similar technologies, please refer to our Cookie Policy.
“Personal data” refers to any information that relates to an identified or identifiable individual. We process various categories of personal data, with the most significant categories outlined below. However, in certain situations, we may also process additional personal data.
“Master data” consists of basic information about you. We collect master data primarily when you register for our services (e.g., medical examinations or treatments) or create a user account (e.g., in one of our apps). Additionally, we gather master data when you subscribe to a newsletter, participate in a competition or prize draw, access our events or office premises, or interact with us as a contact person or representative of a contractual partner, organization, or authority. In some cases, master data may include health information and details about third parties (e.g., family members).
Examples of master data include:
Title, first name, surname, gender, date of birth, nationality;
Address, email address, telephone number, and other contact details;
Customer and booking numbers (e.g., for online appointment bookings);
Health insurance number and chosen insurance model;
Portrait photo for your customer file;
Payment information (e.g., billing address, bank details);
Username and profile picture for online service accounts;
Information on the use of online services, apps, and subscriptions (e.g., newsletters);
Details of participation in competitions and prize draws;
Information on linked websites and social media profiles;
Preferences and interests, preferred Cada locations, language preferences;
Information about your relationship with us (e.g., patient, visitor, job applicant, supplier);
Information about related third parties (e.g., contact persons, family members);
Official documents in which you appear (e.g., identity documents, vaccination records).
“Contract data” refers to personal data related to the initiation, execution or fulfilment of a contract (e.g., the type and duration of a treatment contract between you and us, or purchase details such as the date, product name, and quantity of a medication). This category may also include health data and information about third parties (e.g., family health history). We enter into contracts primarily with patients, business partners and job applicants. If you utilise our services based on a contract (e.g., by receiving a service), we often collect behavioural and transactional data as well (see section 4.5).
Examples of contract data include:
Information on contract initiation and conclusion (e.g., type and duration of treatment contract, contract date, purchase date, product name and quantity);
Details related to contract processing and administration (e.g., contact details, payment information, billing items and other invoices);
Records of our interactions with you, including relevant history;
Information about claims, entitlements, and benefits (e.g., winning a competition);
Details of products and services purchased;
Information about defects, complaints and contract amendments;
Financial data (e.g., creditworthiness assessments, reminders, debt collection and claim enforcement);
Application-related information (e.g., CV, references, qualifications, certificates).
“Health data” encompasses all information that reveals insights into an individual’s physical, mental or psychological health. Given the nature of our medical, therapeutic and diagnostic services, we regularly process health data. For details on how we handle this particularly sensitive data, please refer to section 10.
Examples of health data include:
Medical histories or patient files;
Medical findings (e.g., results from medical, laboratory, and diagnostic tests);
Medical certificates (e.g., prescriptions, certificates of incapacity for work);
Information from third parties (e.g., discharge and referral reports).
When you communicate with us, or we communicate with you (e.g., when you contact a practice, send us a message or call us), we process the content of the communication as well as details about the type, timing and location of the interaction. In certain situations, we may also request proof of identity or your health insurance number for verification purposes.
Examples of communication data include:
First name, surname and contact details (e.g., postal address, telephone number, email address);
Content of emails, written correspondence, chat messages, social media interactions, comments on websites, telephone conversations and video conferences;
Information about the type, time and location of communication;
Proof of identity (e.g., copies of official ID cards, health insurance number);
Metadata related to the communication (e.g., date and time of a call, email or chat communication).
Please note that telephone and video conference calls with us may be recorded. If recording occurs, you will be informed at the beginning of the conversation and given the opportunity to opt out.
When you use our services or access our infrastructure, we often collect data related to your usage and behaviour. This includes activities such as booking appointments online or using our websites and apps.
Examples of behavioural and transactional data include:
Information about your behaviour on websites;
Participation details in competitions and prize draws;
Data on the installation and usage of apps;
Information about the use of electronic communications (e.g., whether and when you opened an email or clicked on a link).
To personalize our offers and services to better suit your needs, we process data about your interests and preferences. We may combine behavioural and transactional data with other information and analyse it either personally or anonymously (excluding medical histories or patient dossiers). This analysis helps us identify characteristics, preferences, and predict future behaviour.
When you use our websites, apps, Wi-Fi networks or other electronic services, we collect certain technical data, such as your IP address and device ID. Technical data also includes system logs that record the usage of our systems. In some cases, we assign unique identification numbers (IDs) to devices (e.g., laptops, tablets, smartphones) to recognize them, often through cookies or similar technologies. More information on this can be found in our Cookie Policy.
Technical data may also be linked to behavioural data (see section 4.5). While technical data alone usually does not identify you, it can be associated with other data categories (e.g., master data) in the context of user accounts, registrations or contract processing.
Examples of technical data include:
IP address and other device IDs (e.g., MAC address);
Identification numbers assigned to devices via cookies or similar technologies (e.g., pixel tags);
Information about the device and its configuration (e.g., operating system, language settings);
Browser information and configuration details;
Data on movements and actions on our websites and in our apps;
Information about your internet provider;
Approximate location data at the time of usage;
System logs of accesses and other processes (log data).
In certain situations, we may collect data for health protection purposes (e.g., as part of safety protocols). Additionally, data may be gathered and processed in connection with legal or judicial proceedings (e.g., files, evidence). We also collect and process information related to our shareholders and other investors.
We may create photos, videos, and/or sound recordings in which you may be identifiable (e.g., during visits to our clinics or practices). These recordings may be taken as part of medical examinations and treatments, such as to document your medical history, evaluate symptoms or determine appropriate treatment measures.
Examples of image and sound recordings include:
Photos and X-rays taken during medical examinations and therapeutic treatments;
Recordings of telephone and video conference calls;
Photos, videos and audio recordings from customer events and public occasions.
Much of the personal data we collect is provided directly by you, such as when you share information with us or communicate with us. This typically includes master data, contract data and communication data as well as preference data.
If you provide us with data about other individuals (e.g., family members), we assume that you have the necessary authorization to do so and that the information is accurate. Please ensure these individuals are informed about this Privacy Policy.
We store your personal data only for as long as and to the extent necessary for the purposes described or for legal reasons. For legal reasons, data related to analyses and treatments (patient records) is retained for 20 years. Health data in deactivated app accounts is archived accordingly.
We also collect personal data about you ourselves, often automatically, particularly when you use our services or engage with our offerings. This typically involves gathering behavioural, transactional and technical data.
In some cases, we may derive additional personal data from existing information, such as by analysing behavioural patterns or transaction history. This derived data often includes preference data or, in the context of medical examinations, may contribute to master data.
Our specialists may also generate additional personal data through the analysis of your examination results (e.g., laboratory values, diagnoses).
We may receive personal data about you from other companies within the Cada Group (see section 8) or from third parties, including:
Medical practices;
Coordination partners;
Service providers (e.g., medical laboratories analysing samples);
Employers and colleagues, in the context of job applications and previous professional roles (e.g., references);
Individuals involved in correspondence or discussions concerning you;
Family members or legal representatives;
Credit agencies (e.g., for creditworthiness information);
Swiss Post and address dealers (e.g., for address updates);
Banks, insurance companies, vendors, and other contractual partners involved in purchases and payments;
Providers of online services (e.g., internet analytics providers);
Authorities, legal parties, and other entities involved in official or legal proceedings;
Public registers (e.g., debt collection, commercial, and criminal registers), public authorities (e.g., Federal Statistical Office), media sources, or information available on the Internet.
We process personal data to facilitate communication with you. This includes using communication and master data, and, where the communication involves a contract, contract data as well. We may personalize the content and timing of messages based on behavioural, transactional and preference data, along with other information.
The purposes of communication may include:
Scheduling appointments;
Responding to inquiries;
Contacting you with questions;
Authenticating your identity;
Any other processing purposes where communication with you is necessary (e.g., contract execution, direct marketing).
We process personal data in connection with initiating, managing and executing contractual relationships (e.g., to provide medical, therapeutic, or diagnostic services, or to organize a competition or prize draw). Contract execution also includes any agreed personalization of services. For these purposes, we primarily use master data, contract data, communication data, behavioural and transactional data as well as preference data.
The purposes of contract execution include everything necessary or appropriate for concluding, performing, and enforcing a contract. This may also involve engaging other companies within the Cada Group and/or third parties (e.g., delivery services, medical laboratories, medical practices).
Examples of contract execution purposes include:
Providing services;
Fulfilling contractual obligations;
Deciding whether and how (e.g., with which payment options) to enter into a contract with you (including credit checks);
Obtaining cost approvals (e.g., from health insurance providers);
Billing for services (and possibly creating reimbursement records for health insurance) and general accounting;
Evaluating job applicants and potentially entering into employment contracts;
Preparing and executing corporate transactions (e.g., mergers, acquisitions, sales);
Managing and maintaining IT infrastructures and other resources;
Enforcing legal claims arising from contracts (e.g., debt collection, legal proceedings);
Fulfilling retention obligations;
Terminating and concluding contracts.
We process personal data for relationship management and marketing purposes (e.g., sending written and electronic communications and offers, conducting marketing campaigns). These may involve our own offers, offers from other Cada Group companies, or those of advertising partners. Communications and offers may also be personalized to deliver only the information most relevant to you. For these purposes, we primarily use master data, contract data, communication data, behavioural and transactional data as well as preference data.
Examples of information and marketing purposes include:
Newsletters, promotional emails, in-app messages and other electronic communications;
Online ads and social media marketing;
Advertising brochures, magazines and other print materials;
Displaying articles likely to be relevant to you;
Invitations to events, competitions, and prize draws.
You can opt-out of marketing communications at any time (see section 15). For newsletters and other electronic communications, you can usually unsubscribe through a link in the message.
Personalizing our communications allows us to tailor information to your individual needs and interests, providing you with relevant offers. For example, we may display online content specifically curated for you.
We process personal data for the purposes of quality assurance, market research and product development. This involves using master data, health data, behavioural data, transactional data and preference data as well as communication data and information from patient surveys, studies and other sources (e.g., media, the internet and public sources). Wherever possible, we use pseudonymized or anonymized data for these purposes.
Examples of quality assurance, market research and product development purposes include:
Analysing pseudonymized or anonymized health data (i.e., without identifying individuals);
Conducting patient surveys, studies and research;
Developing our services (e.g., location selection, pricing strategies);
Optimizing and improving the user experience on our websites and apps;
Developing and testing new offerings;
Reviewing and improving internal processes;
Training and educating our staff;
Conducting statistical analyses (e.g., to assess patient interactions on a non-personalized basis);
Assessing market conditions and competitor behaviour;
Monitoring the market to understand and respond to trends and developments.
We process personal data for security purposes, to ensure IT security, to prevent theft, fraud and abuse, and for evidentiary purposes. This can involve all categories of personal data mentioned in section 4, especially behavioural and transactional data, as well as image and sound recordings. We may collect, evaluate and store this data for the aforementioned purposes.
Examples of security and prevention purposes include:
Creating and analysing (manually or automatically) video recordings to detect and pursue criminal activities;
Issuing and managing bans and maintaining lists of banned individuals;
Analysing behavioural and transactional data to identify suspicious patterns and fraudulent activities;
Evaluating system logs of our systems (log data);
Preventing, defending against, and investigating cyberattacks and malware;
Conducting analyses and tests of our networks and IT infrastructure, as well as system and error checks;
Monitoring access to electronic systems (e.g., user account logins);
Conducting physical access controls (e.g., building access);
Documenting and creating backups for security purposes.
We process personal data to comply with legal obligations and to prevent and detect violations. This includes receiving and handling complaints and reports, complying with court or regulatory orders and taking measures to uncover and investigate abuses. This can involve all categories of personal data mentioned in section 4.
Examples of purposes for complying with legal requirements include:
Managing and retaining medical records or patient files;
Providing personal education (diagnostic, progress, risk, and economic information) about medical treatments and remedies;
Making legally required reports to authorities (e.g., reporting certain diseases, reproductive procedures);
Implementing health and safety protocols;
Conducting due diligence on business partners;
Receiving and handling complaints and other reports;
Conducting internal investigations;
Ensuring compliance and risk management;
Disclosing information and documents to authorities (where legally required or permitted);
Participating in external investigations (e.g., by law enforcement or regulatory agencies);
Ensuring legally mandated data security;
Managing our obligations to shareholders and other investors;
Fulfilling disclosure, information or reporting obligations (e.g., related to regulatory, medical, tax or criminal requirements).
In all cases, this may involve Swiss law, foreign regulations to which we are subject, as well as self-regulations, industry standards, our own corporate governance or official directives.
We process personal data to protect our legal interests (e.g., to assert claims in court, pre-trial, or out-of-court, and before authorities in Switzerland and abroad, or to defend against claims). Depending on the situation, we process different categories of personal data, such as contact data and information about events that led or could lead to a dispute.
Examples of purposes for legal protection include:
Investigating and asserting our claims (including those of associated companies and business partners);
Defending against claims made against us, our employees, associated companies, and business partners;
Assessing litigation prospects and other legal, economic, or related matters;
Participating in legal proceedings before courts and authorities in Switzerland and abroad.
We process personal data for internal group administration purposes. This primarily involves processing master data, contract data and technical data as well as behavioural, transactional and communication data.
We may also share personal data with other companies in the Cada Group to support their processing activities according to this Privacy Policy and in the overall interest of the Cada Group (see section 8).
Examples of internal group administration purposes include:
Managing IT infrastructure;
Accounting;
Archiving data and managing archives;
Centrally storing and managing data used by multiple Cada Group companies;
Reviewing and conducting corporate transactions (e.g., mergers, acquisitions, sales);
Forwarding inquiries to the appropriate department (e.g., if you contact one Cada company about a matter involving another Cada company);
Selling receivables, which may involve transferring information about the reason and amount of the receivable and possibly the creditworthiness and behaviour of the debtor;
Reviewing and improving internal processes.
We only grant access to your personal data to our employees when it is necessary for their specific roles. This access may also include employees from other departments, locations or support areas (e.g., IT, HR). All our employees are required to maintain confidentiality regarding your personal data.
We may share personal data that we receive from you or third parties with other companies within the Cada Group. This is based on the internal organization of the Cada Group and allows us to ensure consistent and high-quality care for patients, provide coverage in case of absences and maintain centralized functions across the group.
As is the case with any corporate group, the Cada Group has an overall interest in the successful operation of its affiliated companies and these companies have their own interests in their activities and purposes (see section 6). To support these activities and purposes, the necessary personal data may be disclosed to other group companies, and these companies may supplement, match or link this data with existing personal data.
Examples of such data sharing include:
All categories of personal data listed in section 4 for the management and processing of contractual relationships (e.g., adding relevant information from other practices or clinics to a centrally maintained medical record or patient file). This ensures that your medical history or patient file, created at one of our practices, is immediately available if you seek treatment at another practice or clinic;
Master data, contract data, health data, communication data, behavioural and transaction data, as well as preference data and insights from patient surveys, studies and image and audio recordings for product development and market research, to the extent that these data are necessary;
Master data, contract data, communication data, technical data, behavioural and transaction data, preference data, as well as image and audio recordings for the delivery and personalization of offers, communication, and marketing activities;
Master data, contract data, communication data, technical data, behavioural and transaction data, and preference data for fraud and abuse prevention, as well as for credit checks (e.g., in connection with services provided on account);
Master data, contract data, communication data, technical data, behavioural and transaction data, and image and audio recordings for theft prevention and evidence purposes;
Security-relevant information for security purposes and compliance with legal requirements;
Information to support legal protection.
We may also share your personal data with companies outside the Cada Group if we use their services. Typically, these service providers process personal data on our behalf as “contract processors.” Certain service providers may also be jointly responsible with us or act independently (e.g., debt collection agencies). We ensure that data protection is maintained throughout the processing of your personal data by carefully selecting service providers and establishing appropriate contractual agreements.
Examples of such services include:
Medical services (e.g., laboratory results, device-based medical analyses);
Advertising and marketing services (e.g., sending communications);
Corporate administration (e.g., accounting and asset management);
Payment services;
Shipping and logistics;
Credit information;
Debt collection services;
IT services (e.g., hosting, cloud services, email newsletter distribution);
Consulting services (e.g., tax advisors, lawyers, business consultants).
In certain cases, we may also share personal data with other third parties for their own purposes, such as when you have given us your consent or when we are legally required or permitted to do so. In these cases, the recipients of the data act as independent data controllers.
Examples of such situations include:
Referrals to hospitals or other specialists;
Sharing information about your health condition with your relatives (subject to medical confidentiality);
Providing information to health insurance companies (e.g., for cost approvals);
Sharing anonymized or pseudonymized health data with educational institutions for use in scientific studies;
Transferring claims to other companies (e.g., debt collection agencies);
Reviewing and carrying out corporate transactions (e.g., company acquisitions, sales, mergers);
Disclosing personal data to courts and authorities in Switzerland and abroad (e.g., law enforcement agencies);
Processing personal data to comply with court orders or to assert or defend legal claims. In such cases, we may also disclose personal data to other parties involved in the proceedings.
Please also refer to our Cookie Policy regarding independent data collection by third-party providers whose tools are embedded in our websites and apps.
We always comply with the rules of medical confidentiality, where applicable. In such cases, we only share the relevant data (e.g., your health data) in accordance with the requirements of medical confidentiality.
If you intend to entrust us with information about yourself or others that should be treated differently from what is outlined in this section, or if the information requires special confidentiality beyond medical confidentiality, please inform us in advance so that we can review the request and, if necessary, take appropriate security measures.
The recipients of your personal data mentioned in section 7 may sometimes be located abroad, typically within the European Economic Area (EEA), but in exceptional cases, they could be in any country worldwide. These countries may not have laws that protect your personal data to the same extent as in Switzerland or the EEA. If we transfer your personal data to such a country, we will ensure that your personal data is adequately protected.
One way to ensure adequate data protection is by entering into data transfer agreements with the recipients of your personal data in third countries that guarantee the required level of data protection. These agreements include contracts approved, issued, or recognized by the European Commission and the Swiss Federal Data Protection and Information Commissioner, known as Standard Contractual Clauses. Please note that such contractual measures can partly compensate for weaker or absent legal protections, but they cannot completely eliminate all risks (e.g., from government access abroad). In exceptional cases, the transfer to countries without adequate protection may also be permitted in other instances, particularly based on consent, in connection with a legal proceeding abroad, or when the transfer is necessary for the execution of a contract.
For the processing and storage of health data, we only use IT service providers with data locations within the EEA.
We take appropriate technical and organizational security measures to safeguard your personal data, protect it against unauthorized or unlawful processing, and mitigate the risk of loss, accidental alteration, unintended disclosure or unauthorized access. Technical security measures include, for example, data encryption and pseudonymization, logging, access restrictions and storing backups. Organizational security measures include, for example, instructions to our employees, confidentiality agreements and monitoring. We also require our contract processors to implement appropriate technical and organizational security measures.
Like all companies, however, we cannot entirely exclude data security breaches; some residual risks are unavoidable.
We process and store your personal data as long as:
It is necessary for the purpose of the processing, typically at least for the duration of the contractual relationship;
We have a legitimate interest in processing/storage, which may be the case if we need personal data to assert or defend claims, for archiving purposes, or to ensure IT security;
It is subject to a legal retention obligation.
In certain cases, we may ask for your consent if we wish to store personal data for a longer period (e.g., for pending job applications).
After the specified periods, we delete or anonymize your personal data.
We generally adhere to the following retention periods, although we may deviate from them in individual cases:
Master and contract data: We usually retain master and contract data for ten (10) years from the last contract activity or contract termination. This period may be longer if necessary for evidentiary reasons, due to legal or contractual requirements, or for technical reasons. Transaction data related to contracts is typically retained for ten (10) years.
Health data: Health data (e.g., medical records) is retained for twenty (20) years from the last medical, therapeutic, or diagnostic service or the end of treatment.
Technical data: Log data is typically retained for six (6) months. The storage duration of cookies usually ranges from a few days to two (2) years, unless they are deleted immediately after the session ends.
Communication data: Emails, messages via contact forms, and written correspondence are typically retained for ten (10) years.
Image and audio recordings: The retention period varies depending on the purpose. This ranges from a few days for security camera recordings to several years for event reports with images.
Job applications: Application data is typically deleted within six (6) months after the application process is completed. With your consent, we may keep your application on file for a potential future job.
Applicable data protection laws grant you, under certain circumstances, the right to object to the processing of your data, particularly for direct marketing purposes (e.g., promotional emails).
Provided the applicable conditions are met and no legal exceptions apply, you also have the following rights:
The right to request information about whether and which data we process about you;
The right to have incorrect personal data corrected;
The right to request the deletion of your personal data;
The right to request the release of certain personal data in a common electronic format or its transfer to other data controllers;
The right to withdraw consent with future effect, to the extent that the processing is based on consent;
The right to request additional information helpful for exercising these rights.
Please note that these rights may be limited or excluded in individual cases (e.g., if there are doubts about identity or if necessary to protect other individuals, safeguard legitimate interests or comply with legal obligations).
You can contact us as per section 12 if you wish to exercise any of your rights or have questions about processing your personal data.
You are also free to lodge a complaint with the relevant supervisory authority if you have concerns about the legality of processing your personal data. However, we request that you contact us first so we can try to resolve your concern directly.
The relevant supervisory authority in Switzerland is the Swiss Federal Data Protection and Information Commissioner (Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte, EDÖB).
The relevant supervisory authority in the Principality of Liechtenstein is the Data Protection Office of the Principality of Liechtenstein (Datenschutzstelle des Fürstentums Liechtenstein).
If you have any questions about this Privacy Policy or processing your personal data, you can contact the responsible company using the contact information provided on its website.
You can also reach us as follows:
Cada Fertility AG
Neuwiesenstrasse 15
CH-8400 Winterthur
We may change this Privacy Policy at any time. New versions will take effect for you once we notify you by publishing them on our website. Generally, the current version of the Privacy Policy applies to data processing.