Privacy Notice

Since our platforms offer different services and process various types of data, the full privacy notice contains more comprehensive and detailed information. In particular, it provides further insight into the specific purposes of data processing, the legal bases, your choices, and the involved partner companies and service providers.

If you have a specific question about a particular type of data processing or wish to receive more detailed information, we recommend that you consult the full privacy notice. For further concerns, you can reach out to us at any time via the contact channels listed under section VI.

Under the umbrella of the SMG Group, several companies operate a variety of online services (e.g., Ricardo, Homegate, FinanceScout24, AutoScout24, etc.; we refer to these as our “platforms” or “services“), all of which collect different data about their users (collectively referred to as “users“).

This includes the data needed to provide the services, such as the data we ask you for when you create a user account.

We also process the data you transmit to us directly or via our services—for example, when you communicate with other users through our platforms.

We process technical data that is automatically collected when you use our services. This includes your IP address (a number that identifies your device on the internet), information about the device and browser you use to access our sites (e.g., smartphone or computer, the software used), and the date and time of your visit. This data alone does not allow us to identify you. However, if you have a user account with us, we link this data to your account. This helps us analyze usage, improve our services, maintain functionality and security, and fix issues.We monitor your behavior on our platforms, particularly which pages you visit, which features you use, how long you stay on our platforms, etc.

In addition to providing the functionality of our services, we use this data in particular to:

• Personalize our offerings
• Conduct direct marketing
• Display online ads on our platforms and those of third parties
• Analyze the use of our platforms and improve our services
• Combat misuse

By personalizing our offerings, we mean tailoring certain content based on your past usage and interests. For example, we look at the listings you’ve searched for and show you similar listings that may be relevant to you.

By direct marketing, we mean our own advertising, usually in the form of newsletters. You receive this marketing because you are a customer or have given us your consent. You can unsubscribe from our direct marketing at any time.

Online ads refer to banners and video ads placed by third parties on our platforms or by us on third-party sites. This is done in a personalized way wherever possible and meaningful—and where consent has been given. For personalization using our data on third-party platforms, those third parties must already know you so they can link the data they receive from us with their own.

With usage analysis, we can make informed decisions about how to expand and improve our services.

By combating misuse, we mean protecting our platforms and users from unlawful and malicious activities. We analyze user behavior, and when we detect signs of misuse, we take appropriate action.

User data is shared across various platforms and companies within the SMG Group, particularly so it can be used for the purposes mentioned above.

• We also share data with our service providers who help us operate our platforms (e.g., hosting providers). This usually happens under a contractual agreement, meaning the service providers are not allowed to use the data for their own purposes or share it with third parties.
• In some cases, we share data with third parties outside the SMG Group, as described below. 
• Most of our service providers and third-party partners are located in the EEA. However, some data recipients—especially those involved in online advertising—may be located worldwide.

You can use the forms in section V to get in touch for exercising your right of access and for requesting the deletion of data. Please note that, e.g. for security reasons or to comply with legal obligations, certain data cannot be deleted and will be retained for the necessary period.

If you no longer agree with the way your data is processed, you can contact us via the channels listed in section VI or manage certain consents via the privacy settings link at the bottom of each platform’s page. Please note that in such cases, we may not be able to provide our services fully or at all, or we may be legally required to continue processing your data. Also note that the consents managed via the mentioned link only refer to tracking via cookies and similar technologies that store or read data on your device. Data recorded by our servers when you log in and use our services with your user account are excluded. This server-side tracking is functionally necessary for providing our services and cannot be disabled for technical reasons.

In this Privacy Notice, we, the SMG Group, explain how we collect data relating to you and other natural persons and what we do with it. This information is legally required when such data is collected in a planned manner.

When data relates to a person and those with access to that data can, using reasonable means, determine who the person is, it is referred to as “personal data“. Whenever we do something with personal data—such as collecting, storing, organizing, or enriching it with other data—we refer to this as “processing.”

For each processing activity involving personal data, one or more parties are legally considered responsible. These parties must ensure compliance with data protection regulations and are the contacts you or other affected individuals can approach with questions or concerns (“Controller”).

To deliver the SMG Group’s services, various group companies (and in some cases third parties) work together in sometimes complex ways. With this Privacy Notice, we aim to explain these processes as clearly and transparently as possible. For this reason, we provide a Privacy Notice that covers most of the activities of the SMG Group.

The following applies:

• When you use one of our services, the company listed above as responsible for that service is the data controller for collecting and processing your personal data.
• If a service shares personal data with another SMG Group service or a third party (and it is not merely outsourcing of operational functions like IT or other commissioned processing, where the responsibility remains unchanged), then the company responsible for the other service or the third party becomes the new data controller for that data
• Where multiple services collect personal data together (e.g., during a joint campaign) or several group companies jointly decide how personal data will be processed (e.g., in group-wide projects), these companies may act as joint controllers. In such cases, you may contact any one of the responsible companies—typically the one whose service you are using.
• If an SMG Group service collects your data together with third parties (again, not in the context of commissioned processing), those companies and the third parties may also be joint controllers. This applies, for example, when we offer you integrated services from partner companies, when you make a paid purchase through our payment providers, when advertising partners collect data from visitors through online advertising, or when a company maintains a social media presence.
  In such cases, the collection of personal data is typically governed not by this Privacy Notice, but by the Privacy Notice of those third parties. We will inform you of those separate notices, for example, before you submit a form for one of our integrated partner services or when you set your cookie preferences using our Consent Management Platform (“CMP“), so you can understand what these third parties are doing and whom to contact.
• If you contact us outside of using our services (e.g., through a direct inquiry, a job application, or because you or your employer has a contract with us), the relevant company is also the data controller for the personal data collected in that context. For data processing in HR-related areas (applications, employment), there are separate Privacy Notices.

General Notes:

• This Privacy Notice applies to data processing under both Swiss data protection law and the European General Data Protection Regulation (GDPR). It therefore includes information that is not required under Swiss law or may not align with it—such as the legal basis for processing personal data. These details are included solely for the purpose of GDPR compliance and only apply to processing activities governed by the GDPR.
• If you disclose data about other individuals to us (e.g., family members, colleagues, customers), we assume you are authorized to do so and that the data is accurate. Please ensure those individuals are aware that you are sharing their data with us so they can understand what we do with it.
• We do not wish to collect personal data from minors; our services are exclusively intended for capable adults. Please do not share data of minors with us.
• In some areas, we differentiate between services or companies within the SMG Group because it is legally required or practically necessary. If you have a data protection concern, you can contact us via the communication channels listed in section VI.
• We use automated systems and machine learning technologies (also referred to as artificial intelligence) to analyze data and identify patterns in order to improve the quality, functionality, and security of our services. Such systems may also help us develop new products, optimize internal processes, and enhance user experiences. In some cases, these technologies may be integrated into user-facing features that interact directly with you, for example through chatbots or personalized recommendations, automated responses, or content suggestions.

To properly handle your request (e.g., which service or company it concerns), we may ask you for additional information and reach out to you for that purpose.

• If you would like to get access to the data we have stored about you or want your data deleted, you can do so via the web forms provided in section V.
• If you have any other questions about data protection, you can contact us at [email protected].

If you are located in the EEA and have questions about how your data is processed or wish to exercise your GDPR rights, you may also contact our EEA representative:

ePrivacy GmbH
Burchardstraße 14
20095 Hamburg
Germany
[email protected]

In the latter case, you log into our service at the relevant point using your account credentials from the third-party provider, who then transmits the necessary information from your account to us. We process these data to provide you with the functionalities of the platform and for the purpose of fraud prevention. 

We process in particular the following personal data for creating an account:

• Username, Email address, Password

When managing the User Account, we may process for example the following data: 

• Saved and bookmarked listings
• Draft listings
• Search subscriptions
• Messages and contact with other users

These data are generally provided directly by you.

We retain this data for as long as you have an active customer account with the respective brand and up to 10 years after its closure or deletion, insofar as legal retention obligations require. In special cases (e.g., legal disputes), different retention periods may apply.

We may transmit this data to the alternative login providers mentioned above if you register or log in using their services.

The legal basis (under GDPR) is the performance of a contract and our legitimate interest in preventing and combating misuse of our services. Where data is collected optionally, your voluntary provision of this data is deemed to constitute consent to its processing.

a. Specific Data Required When Creating a Seller Account on Ricardo

• First and last name
• Residential address
• Bank details
• Government-issued identification (ID)
• Telephone number
• Date of birth
• Photo (if applicable)

b. Special data that we collect for the creation of a user account on Tutti: 

• first and last name
• profile type (private / company)
• address of website
• company logo
• phone number
• bookmarked listings

c. Special data that we collect for the creation of a user account on Moneyland (all optional):

• Birthyear
• company
• address
• telephone number

d. Special data that we collect on the FinanceScout24 PartnerHub: 

• End customer contact data verification via SMS/email

e. Special data that we collect for the creation of a tenant profile on Homegate and ImmoScout24 (all optional):

• Name
• Number of people moving with you and how are they related to you
• your employment type, position, and company name
• Same details for a partner, if applicable
• Your rental budget
• Planned move-in date
• Monthly household income
• Equity capital

We process this data so that you can increase your chances of being considered by a landlord. If you create a tenant profile, this will be made accessible to the respective real estate provider via a secure link. The legal basis (under GDPR) is your consent.

f. Special data that we collect for the creation of a Universal Business Manager (UBM) account for SMG Real Estate:

• First and last name
• Salutation
• Field of activity
• Telephone number
• Social media username (if used as login)

g. Special data that we collect for the creation of a customer account on AutoScout24 and MotoScout24: 

• Telephone number for multi-factor authorization (optional)
• Salutation (AutoScout24 Direct)
• First and last name (AutoScout24 Direct)
• Address (AutoScout24 Direct)
• Phone number(s) (AutoScout24 Direct)
• Language preferences (AutoScout24 Direct)

h. Special data that we collect for the creation of a user-account for Flatfox

• First name and surname
• Proof of identity, e.g. copies of official identity documents
• Address (full postal address, zip code, town)
• telephone number
• Date of birth
• Gender
• Information on subscribed newsletters or other advertising
• Language preferences

To this end, we process the following data, which we may link to your user account, where applicable:

• Contact information provided in your user account or directly within the listing (e.g., name, address, email address, phone number)
• Listing content (e.g., description of the object, price, location, photos, videos)
• Technical data (e.g., type of listing, timestamp of listing creation)
• Information on the use of additional services (e.g., promotion options, highlights)

These data are generally provided directly by you when creating and uploading your listing on the platform.

The data is stored for the duration that the listing is active. After the end of your contractual relationship with us, the data will be retained until the expiration of any legal claims according to Swiss Obligation Law (10 years), after which it will be deleted. Technical and usage data that are not relevant to asserting legal claims are typically retained for a shorter period, usually between 6 and 24 months. In special cases (such as legal proceedings), different retention periods may apply.

The data is published on the respective platform and is visible and searchable by other users. Additionally, the data may be shared with service providers we engage for the publication or optimization of listings. Data is shared with third parties only as necessary to provide the agreed services.

The legal basis (under GDPR) is the performance of a contract.

a. Special data that we process when publishing listings on Ricardo

On Ricardo, we additionally process the following data, which we assign to your user account.

• When participating in auctions: Time and amount of bid placement, auction won yes/no
• Time of (instant) purchase
• Ratings from buyer or seller (incl. remarks, comments)
• Questions about the listing that interested parties can ask.

After you have completed a purchase/sale, we forward your contact and payment information to the counterparty of the transaction.

The general statements regarding purpose, origin, retention period, disclosure, and legal basis apply accordingly to these data (also with regard to the comments and ratings that are published as part of the contract with buyers and sellers).

b. Special data we process on AutoScout24 Direct

On AutoScout24 Direct, we additionally process the following data:

• As part of the vehicle evaluation: license plate number (optional – enables a faster evaluation)
• As part of the auction: time and amount of the bid submission or acceptance; whether the auction was successful (yes/no), including the time.

In the case of a successful auction, we share your contact information with the counterparty.

c. Special data we process on Autoscout24 and Motoscout24

On Autoscout24 and Motoscout24, we additionally process the following data:

• As part of the Safe Number service: first and last name, address and phone number.

The following data is processed in this context:

• Contact data (e.g., name, email address, telephone number)
• Listing details (e.g., property details, price, location, description)
• Information about inquiries (e.g., activities related to the inquiry such as contacts made, viewing appointments, offers; submitted documents)
• Communication history (see also section III.A.8) as well as
• Technical data (e.g., IP address, timestamp of the interaction, device used)

a. Further optional platform-specific data processing related to real estate and listing management as well as lead management on Homegate and ImmoScout24

• Financial data (as optional information in the contact form)

The data originates on the one hand directly from you when you create a user account for the tools in accordance with section III.A.1, and on the other hand from persons who contact you via our platforms or these tools.

The data is used for processing and handling listings and rental/purchase inquiries. It is stored for as long as necessary for the respective purpose or until you object to further processing, unless statutory retention obligations apply.

The data may be shared within the SMG Group and with partner companies or service providers who assist us in managing and processing listings and leads. Disclosure occurs exclusively within the scope of the purposes mentioned above.

The legal basis (under GDPR) is the performance of the contract, as we provide you with the tools for real estate and listing management as well as lead management within the scope of our agreed services.

The following data is processed for this purpose:

• Contact data (e.g., name, email address, telephone number)
• Property information (e.g., property address, type of property, ownership details etc.)

The data is used for processing real estate valuation and analysis inquiries. It is generally stored for 30 days in our database, unless you object to it earlier. Statutory retention obligations remain unaffected.

The data may be shared within the SMG Group and with partner companies or service providers who assist us in valuing and analysing property. Furthermore, the data may be shared with real estate agents for the purpose of enabling them to contact you regarding their services.

The legal basis (under GDPR) is the performance of the contract, as we provide you with the services for real estate valuation and analysis within the scope of our agreed services, and our legitimate interest in lead management.

a. Further optional platform-specific data processing related to real estate analysis and valuation on immoverkauf24

• Assessment data (e.g., visual observations, photographs and notes from on-site inspection by a qualified expert)

For this purpose, we process in particular the following data, which we (if available) associate with your user account:

• Email address
• Details of the search criteria (e.g., category, location, price)
• Device ID when using our apps

The processed data originates from you and is entered directly by you when creating a search alert.

The data is stored for as long as the search alert is active. After deactivation or deletion of the alert, the data is completely deleted or anonymized no later than 24 months thereafter.

The data is shared exclusively within the SMG Group and, where applicable, with service providers required for the operation and provision of the notification function (e.g., email delivery services). There is no disclosure to third parties for other purposes.

The legal basis (under GDPR) is the performance of the contract, as the search alert constitutes a service agreed upon with you. The display of search results with any personal data of third parties is carried out within the framework of contract fulfillment with those third parties (see above).

For this purpose, we process in particular the following data, which we (if available) associate with your user account:

• Contact data (e.g., name, email address, telephone number)
• Information about the financial or insurance products being searched for or applied for (e.g., loan amount, term, type of insurance)
• Information about your vehicle (car insurance/motorcycle insurance) or property (household insurance)
• Creditworthiness data
• Financial data
• Additional personal information (nationality, date of birth, budget, etc.)
• Information on individual preferences or entries in comparison and application forms

The data originates mainly directly from you, provided to us in the course of using the platforms or applying for products. We obtain your creditworthiness data from third parties such as CRIF.

The data is stored for as long as necessary to provide the service. After completing a comparison or application and the expiration of statutory retention periods, the data is deleted, unless there is another legal basis for retention.

The data is shared within the SMG Group and with partner companies involved in providing the services (e.g., banks, insurance companies, or technical service providers). Disclosure only occurs within the scope of processing and handling the services requested by the user.

The legal basis (under GDPR) is the performance of the contract, as the comparison and our activities for you in the context of applying for financial and insurance products constitute agreed services of the platform.

a. Special data that we collect for providing our services to you on FinanceScout24 if you decide to communicate with us via WhatsApp (optional):

• WhatsApp Details (e.g. your phone number and username used by your WhatsApp account)

We can use WhatsApp for specific purposes, including receiving your documents (e.g., ID or financial records for credit applications, to be forwarded to partner banks), enabling two-way communication (e.g., handling inquiries or providing updates via WhatsApp), and sending bulk or automated messages (e.g., appointment reminders, marketing-campaign messages, or follow-ups, with an option to unsubscribe).

The legal basis (under the GDPR) for these activities is consent and the performance of a contract.

These include, for example:

• Real estate agents, if you are looking to sell a property.
• Insurance providers, if you are searching for a rental property or a car.
• Financial service providers, if you are looking to purchase a property.
• Moving companies and internet providers, if you have found a rental property.
• Service providers for credit check extracts, for example when searching for a rental property (e.g., Homegate, ImmoScout24, Flatfox).
• Parcel delivery providers, if you are shipping a sold item via our platform (e.g., Ricardo)
• Payment service providers, if you want to securely pay for a purchased item online (e.g., Adyen, Datatrans)
• Banks, especially when you are a customer of specific financial partners such as Neon Bank (via Financescout24 and request a credit product through our services)

These services are operated independently by our partners.

Data transmission takes place via clearly labeled web forms that you fill out and submit yourself, or we ask you at the relevant point in our services whether you want the transmission within the framework of our integrated partner services. Before submitting the form, you will be explicitly informed about the transfer of your data to our partners.

The data processed includes the information you enter into the web form, typically:

• Contact data (e.g., name, address, telephone number, email address)
• Details regarding your request (e.g., property, vehicle, rental apartment)
• other specific information required for the respective service (e.g., desired insurance coverage, financing details, moving date, ID copy for obtaining the debt collection extract

The data originates directly from you and is transmitted to the corresponding partner companies that provide the requested service. Our partners process this data as independent controllers or, where noted, as joint controllers with us.

The data is stored as long as it is necessary to process your request. After the expiration of any legal retention obligations, the data will be deleted.

The legal basis (under GDPR) is the performance of the contract, specifically the mediation to the partner company as requested by you.

On our platforms we jointly operate the following services (non-exhaustive list):

• On AutoScout24: cross-listing functionalities for listings that we (SMG Swiss Marketplace Group AG) share with Tutti / Anibis (both SMG Swiss Marketplace Group AG) and Comparis, Birmensdorferstrasse 108, 8003 Zurich.
• On FinanceScout24: PartnerHub of FinanceScout24 (SMG Swiss Marketplace Group AG with a network of car dealers).
• On ImmoScout24 and Homegate: SMG Real Estate Ecosystem (marketing support on the real estate platforms of SMG Swiss Marketplace Group AG with Skribble AG, Förrlibuckstrasse 190, 8005 Zurich, Switzerland, Realmatch360, Badenerstrasse 16 8004 Zürich, and MyVivenda, Mauritslaan 49, 6129 EL Urmond, Netherlands).

The following data is processed in this context:

• Contact data (e.g., name, email address)
• Usage data (e.g., interactions with the joint offering, log data, IP address)
• Technical data (e.g., device type, browser information)
• Other information necessary for providing the service

The data comes directly from you, either through your use of the joint offering or through interactions with the available features.

The data is used to provide and optimize the jointly operated service. It is stored for as long as you use the joint service and then for up to 10 years.

The data is shared between us and the respective partner company, which is jointly responsible for the data processing with us. The processing by both parties takes place within the framework of the contractually agreed joint responsibility. The essential contents of this agreement are available upon request.

The processing of the data takes place because it is necessary for the use of the jointly offered service, and is also based on our legitimate interest in providing efficient and user-friendly joint services. If consent is required and obtained from you, the processing additionally takes place on the basis of this consent.

This chapter exclusively concerns services jointly operated with other companies. If a service is provided by us whose primary goal is to connect you with our partners, the corresponding rule under Section III.A.7. applies.

 In this context, we process the following data:

• Contact data (e.g., name, email address),
• Communication content (e.g., sent messages, attachments),
• Technical data (e.g., IP address, timestamp of message transmission)
• Interaction metadata (e.g., whether a message was read or responded to)

The data comes directly from you when you communicate with other users through our platforms, as well as from the responses of the respective counterparts.

The data is processed to provide and ensure the messaging functionality and to prevent abuse or fraudulent activities. We temporarily store the messages to ensure delivery, as well as for traceability in case of suspected misuse or security incidents. After deletion of the user account, the data will be deleted or anonymized, unless there are legal retention requirements or legitimate interests justifying longer storage.

The data is shared with technical service providers who provide the infrastructure for message delivery, in addition to the recipient designated by you. No data is shared with other third parties unless required by law.

The legal basis (under the GDPR) is the performance of a contract.

a. Special data that we collect when you use the contact form for a listing on Flatfox, Homegate and Immoscout24 (if applicable):

• Content of contact request
• User ID
• Listing data
• Application data

In certain cases, when you submit a contact request via the contact form of a listing or apply to a listing that uses the messenger function (provided by Flatfox AG), a temporary user profile may be created in the background without login; however, no user account is registered unless you actively choose to do so. The purpose of this process is to mirror the content of the contact request in the messenger, in case you later decide to create a user account to manage your contact requests.

The temporary user profile is retained based on your activity on our platform. If, for example, you have an ongoing message thread or application with a landlord, the temporary user profile will be retained for as long as the listing is online or your application is not rejected. Such temporary user profiles are removed within 24 hours after the listing has been put offline or the application is rejected.

The legal basis (under the GDPR) is the performance of a contract.

In this context, the following data is processed and linked to your user account, if available:

• Payment information (e.g. credit card data)
• Billing address
• Transaction amounts
• Payment timestamp
• Information on refunds or cancellations

The data is provided directly by you when you enter it as part of the payment process on the respective brand.

The data is stored for as long as necessary to process the payment and comply with legal retention requirements. Transaction data is stored in accordance with statutory provisions (e.g. tax and commercial law) for the required duration and then deleted or anonymized.

The data is shared with our payment service providers who handle the technical processing of the payment transaction. Additionally, the data may be transmitted to banks or other financial institutions, if required for processing the payment. The data is not shared with third parties for other purposes.

The legal basis (under the GDPR) is the performance of a contract.

As part of our own sales activities, we process data to inform you about our products and services, conduct contract negotiations, and prepare offers. These activities include in-person meetings, emails, postal correspondence, and phone calls with our sales team – including the potential recording of calls for training and quality assurance purposes – negotiation discussions, the creation of proposals, and the conclusion and execution of contracts.

Once a contract has been established between you and us, we process your personal data to fulfill our obligations toward you (e.g., to pay invoices if we receive services from you), as well as to assert and enforce our own rights (e.g., to invoice you for our services, initiate collection or legal proceedings, etc.), and to maintain records of our services.

The following data may be processed:

• First and last name
• Contact details (address, telephone number, email etc.)
• Company name and contact details
• VAT number and related details
• Contract data including details of contractual services and other content of the contract
• Creditworthiness data
• Financial data
• Bank details
• Documents and other data provided by you

This data generally comes from you. In some cases, we supplement it with data from publicly accessible sources (e.g., debt enforcement registers) or other third parties (e.g., credit agencies).

We generally retain this data for up to 10 years. In special cases (such as legal proceedings), other retention periods may apply.

We may share part of this data with other parties who support us in fulfilling the contract (e.g., service providers or project partners), as well as with other third parties, such as credit agencies (who, as mentioned above, may also provide us with data in return).

The legal basis (under the GDPR) is the performance of the contract concluded with you. For data processing related to the initiation and conclusion of contracts, the legal basis (under the GDPR) is the implementation of pre-contractual measures.

The following data is processed:

• Contact details (e.g., name, salutation, company, address, telephone number, email etc.)
• Information about your user account or contract (if applicable)
• Content and metadata of the communication, including recordings of phone calls and technical data related to phone interactions (e.g., timestamps, inquiry data, phone number)

This data originates from you or, in the case of our responses, from our internal records or investigations.

If you are a journalist and we receive journalistic inquiries from you and recognize an interest in a topic, we may add your contact details to our press distribution list. You could also be invited to a press event.

We generally retain this data for up to 10 years. In special situations (such as legal proceedings), different retention periods may apply.

We may share part of this data with our service providers who technically facilitate our communication with you.

The legal basis (under the GDPR) is our legitimate interest in conducting business and other interactions with you and in being able to refer back to them (e.g., if you reach out again later or if we need to review the dialogue for operational, legal, or other purposes).

In the case of call recordings, our legal basis is your consent. If the communication relates to initiating or executing a contract, the legal bases described above under section III.B.1 or below under section III.B.3 apply.

The following data is processed:

• Contact details (e.g., name, email address, phone number)
• Content of your inquiry (e.g., problem description, uploaded files, screenshots)
• Recordings of phone calls and technical data related to phone interactions (e.g., timestamps, inquiry details, phone number)
• Technical data (e.g., IP address, device type, log data)
• Information about your user account or contract

This data comes directly from you – either through your contact with our support team or via the features you use on our platforms (e.g., support forms, chat, or phone).

We generally retain this data for up to 10 years. In special situations (such as legal proceedings), different retention periods may apply.

The data may be shared with external service providers who assist us in handling support cases. These service providers may also be located outside Switzerland, e.g. in Serbia and Romania. Any sharing occurs within the scope of the aforementioned purposes and under a contractual data processing agreement.

Data processing is carried out for the performance of a contract (under the GDPR), as well as on the basis of our legitimate interest in providing you with effective and solution-oriented customer support and in securing evidence, even if no contract exists.

This analysis happens, for example, through cookies or similar technologies (see section III.B.8 below), or in other ways – such as when you use our platform while logged into your customer account. Through cookies or similar technologies, we collect data about your user behavior to personalize the content of our services – but only if you have given us your consent via our Consent Management Platform (CMP; see section III.B.8). Personalization analysis is also based on data collected by our servers during your use of our services (server-side tracking). This applies in particular when you are logged into your customer account and using our platform. This form of tracking operates independently of your CMP settings, as it does not use cookies. This server-side tracking is functionally necessary for the provision of our services, so we are technically unable to disable it.

The following data is processed:

• Contact details (e.g., name, email address)
• Information about user behavior (e.g., search queries, clicked listings, features used, visited categories, visited subpages, etc.)
• Technical data (e.g., IP address, device type)
• Preferences you explicitly specify
• Our own inferences about your preferences based on the collected data

This data is either provided directly by you or automatically collected while using the platforms.

The data will be deleted or anonymized upon request or automatically after 3.5 years of inactivity.

The data may be shared within the SMG Group and with service providers that supply personalized content or systems for the platforms. Such sharing is strictly for the purpose of offering personalized content and a customized user experience.

Where we have requested and received your consent, that consent is the legal basis (under the GDPR). In cases where we do not ask for your consent, the legal basis (under the GDPR) is our legitimate interest in making our services more attractive to users.

To provide you with relevant direct marketing, we first need to form a profile of you. We do this using data you have shared with us, as well as by analyzing data about your use of our services, which we collect through server-side tracking. Based on this data, we tailor our direct marketing content to ensure it is likely to be interesting and relevant to you. If you no longer wish to receive direct marketing, you can unsubscribe from our newsletters (see more details below), disable push notifications on your device, or notify us in another way – ideally using the same channel we used to contact you.

The following data is processed:

• Contact details (e.g., name, email address)
• Information about your usage behavior (e.g., search queries, clicked listings, used features, visited categories, visited subpages, etc.)
• Technical data (e.g., IP address, device type)
• Preferences and settings you have provided (e.g., topics you wish to receive direct marketing about)
• Our own inferences about your preferences, based on the data collected

This data generally comes from you (which includes your usage of our services), and we may create inferences based on it. We may also add data to your profile that we obtain from third parties (e.g., other platforms or other companies within the SMG Group).

Data related to your usage behavior is analyzed for direct marketing purposes for a period of 6 to 24 months.

We generally store this data for as long as you maintain a user account on our platforms, have a business relationship with us, or are subscribed to one of our newsletters. We will then delete the data within a further 24 months at the latest.

Commercial communication and outreach can occur through various channels, such as email, instant messaging services, text messages, or phone calls. We only contact you if you have either created a user account with us, used our services, or consented to receive commercial communication (e.g., by subscribing to our newsletter).

You may opt out of receiving commercial communication at any time (for example, by using the unsubscribe link at the bottom of any newsletter, by contacting us directly, or by adjusting your device settings to block push notifications). Please note that opting out of one communication channel does not automatically apply to all others, unless you explicitly request it. For instance, if you unsubscribe from our newsletter, we may still send you push notifications unless you explicitly prohibit all direct marketing.

If we have your consent (especially if “Cookies for Marketing Purposes” are enabled in your CMP settings), we may share this data with other SMG Group companies and use it for the purposes described here.

We use Enhanced Conversion that may transmit pseudonymised (e.g. hashed) email addresses to third parties such as Google or publishers (e.g. TX Group or Ringier AG) to improve campaign performance and measurement and/or to create audience segments. Personal identification is not possible unless you are logged in with the same email address and associated with an account of these third parties. Your personal data will be processed either jointly with these third parties, in accordance with their respective privacy notices, or independently by SMG as controller.

Where we have asked for and received your consent, that consent serves as our legal basis (under the GDPR). In cases where we do not request your consent, the legal basis (under the GDPR) is our legitimate interest in conducting effective advertising and marketing for our business (e.g., because personalized advertising is more effective).

The following anonymized or pseudonymized data is processed:

• Information about user behavior (e.g., pages visited, content clicked, time spent)
• Technical data (e.g., IP address, device type, browser type, location data)
• Hashed email address, phone number
• Inferences about (presumed) interests or preferences

The data is processed either by us or by third parties acting as independent data controllers. These third parties may include advertising networks, ad tech providers, analytics companies, or social media platforms.

Data processing in the context of online advertising generally involves the use of cookies and comparable technologies. Upon your first visit to our services and afterwards at least once per year, a Consent Management Platform (CMP) is displayed. There, you can set your cookie preferences – i.e., give us consent to use cookies for the specified purposes, or deactivate all non-essential cookies. You can change your settings at any time via the CMP, which is usually accessible through the footer of the website.

With your consent, third-party providers may also collect information that they use for personalized advertising on their own services, on their own websites, or for other purposes (e.g., to display ads or to enrich data they already have about you). Such third-party providers may also exchange information with us in a protected environment (data clean room) in order to display content and advertisements based on certain user characteristics or user segments without directly disclosing personal data. In these cases, your data is only collected in such a way that these third parties can identify you only if they already recognize you from the same technical device data (e.g., the same IP address, email or phone number) and can associate our data with their existing data about you.

Please note that these third parties may further share your data with other third parties. For more information about this, consult their respective Privacy Notices. In the CMP, you can find the Privacy Notices of these third parties listed under the section “List of IAB Vendors.”

The storage duration of the data depends on the (third-party) provider that sets the cookies and may last up to 10 years.

Where we request your consent and you provide it, this serves as our legal basis (under the GDPR). In cases where we do not ask for your consent, the legal basis (under the GDPR) is our legitimate interest in conducting advertising and marketing for our business and other activities as effectively as possible (e.g., because personalized advertising is more effective) and in allowing third parties to do the same for themselves.

The following data is processed:

• Contact details (e.g., name, address, phone number, email address)
• Participation details (e.g., answers to competition questions, uploaded content, selected voucher options)
• Technical data (e.g., IP address, participation timestamp)
• Any other information required for the specific campaign (e.g., shipping address for prizes or event-related data)

This data is collected directly from you via the relevant forms or as part of your participation in the marketing campaign. Where necessary, we will provide you with additional information about data processing before you participate. In some cases, you may be asked to provide additional consent if required for participation.

The data is primarily used for executing the specific campaign – for example, selecting and notifying winners, issuing vouchers, or organizing events – but may also be used for direct marketing purposes. In such cases, the provisions outlined in section III.B.5 apply. In this context, data may also be shared with partner companies (e.g., logistics providers for prize delivery, event service providers, or social media companies). Typically, these are service providers who assist in executing the campaign. However, it is possible that certain partners – such as social media platforms – process your data as independent data controllers.

At events, photos and videos may be taken on site. Audio or visual recordings will not be edited afterwards. The recordings (photos and videos) will be used exclusively for our own purposes (e.g. publication on our websites, flyers, event recaps on social media, newsletters, emails to participants, etc.).

Data is stored for as long as is necessary to carry out the campaign. Once the campaign concludes and any applicable legal retention periods expire, the data will be deleted. If the data is also used for direct marketing, the retention periods described in section III.B.5 regarding Direct Marketing apply.

The legal basis (under the GDPR) is the performance of a contract, specifically to enable your participation in the campaign. Where additional consent is obtained for certain purposes, the processing is based on your consent. If we contact you for direct marketing after your participation, the legal bases referred to in the corresponding section will apply.

As part of using the CMP, the so-called IAB TCF Consent String is stored. This is an industry-standardized data field that contains information about your consent or rejection of various cookies and processing purposes according to the Transparency and Consent Framework (TCF) of the IAB (Interactive Advertising Bureau). This information is made available to all participating IAB partners (in particular, online advertising partners).

In addition, technical data is stored, such as your IP address, device settings, the timestamp of your selection, and the ID of the CMP version displayed to you.

The data is collected directly from you and processed when you set your cookie preferences via the CMP.

This data is stored for as long as your cookie preferences remain valid. You can change or revoke your preferences at any time by reopening the privacy settings on our platforms.
The stored information is shared with our partners (for example, in the area of online advertising) who are also part of the IAB TCF program, in order to communicate your consents, rejections, and related information for their purposes (as specified in the CMP).

The legal basis (under the GDPR) is compliance with legal requirements related to the use of cookies, as well as our legitimate interest in providing you with a user-friendly way to manage your cookie preferences. If you consent to the use of certain cookies, the processing is also based on your consent. Within the CMP, you can also see for each partner company whether processing is based on consent or on legitimate interest.

The following data is processed:

• Contact details (e.g., name, email address)
• Technical data (e.g., IP address, device type, browser information)
• Interaction data and recordings (e.g., clicking behavior, navigation paths)
• Video recordings of interviews
• Feedback and responses you provide during the tests (e.g., ratings, comments, completed questionnaires)

This data is collected directly from you during your participation in the UX research tests. Participation in such tests is voluntary, and you will be informed about the data processing in advance and asked for your consent.

The data is used solely for the purpose of analyzing and improving our platforms and is not used to identify you outside the context of the tests. After the evaluation is complete, or upon your request, the data will be deleted unless legal retention requirements apply.

The data may be shared with partners or service providers who assist us in conducting and analyzing the tests. However, any sharing is done solely on our behalf and within the scope of the stated purposes.

The legal basis (under the GDPR) is your consent, which you provide before participating in a UX research test.

In order to continuously improve our website and optimize user-friendliness, we also carry out so-called A/B tests. This involves displaying different versions of our website to different user groups in order to evaluate the behavior and preferences of visitors. The data collected is used exclusively for statistical purposes.

The legal basis for data processing (under the GDPR) in connect with A/B testing is our legitimate interest in improving our products.

The methods we use include:

• Surveys and Ratings: We invite users to rate their user experience or to participate in surveys via questionnaires to collect feedback about our services, offerings, and general market developments.
• Interviews and Focus Groups: We conduct in-person or virtual discussions with selected participants to gain detailed insights into their experiences, opinions, and needs.
• Analysis of User Behavior: We analyze data on the usage of our platforms to identify trends, errors and preferences. These analyses are carried out using cookies and similar technologies. For consent and opt-out options, see section III.B.8. 
• Analysis of publicly available data: We also analyze publicly available data and data from third-party providers in order to identify trends and preferences regarding the use of our platforms. These analyses are carried out for non-personal purposes, in particular for planning and statistics, and are deleted after 30 days at the latest.
• Social Media Listening: We analyze publicly available data on social media platforms to understand opinions and discussions around relevant topics.

The following data is processed:

• Contact details (e.g., name, email address), where necessary
• Feedback and responses from surveys or interviews
• Technical data (e.g., IP address, device type, log data)
• Data on user behavior on our platforms
• In the case of social media listening, publicly accessible information from social networks

The data either comes directly from you (e.g., through surveys or interviews) or is collected through the analysis of your interactions with our services or publicly available content.

The data is used exclusively for the stated market research purposes and is anonymized or pseudonymized wherever possible. It is retained only for as long as necessary to conduct and evaluate the research projects. Once analysis is complete—or upon your request—the data is deleted or anonymized. In special situations (e.g., legal proceedings), different retention periods may apply.

The data may be shared with service providers who support us in conducting and analyzing market research. Any sharing is strictly within the scope of market research and in compliance with applicable data protection laws.

The legal basis (under the GDPR) is our legitimate interest in improving and understanding how we can do so. If we obtain your consent for surveys, interviews, or similar market research activities – or for analyzing your user behavior – this consent forms the legal basis for the processing (under the GDPR).

For this purpose, we primarily process technical data, such as your IP address, information about your device (mobile phone, tablet, notebook), as well as the region and time of your visit. These technical data are generally not personal data, as they do not allow any direct conclusions about your identity. However, we may link these technical data with other data about you, for example, your registration data if you log into your user account, thereby identifying you.

This data typically comes from you or your device.

We generally retain this data for as long as you have a user account with our services or use our services. In special situations (such as legal cases), different retention periods may apply.

We share part of this data with service providers who support us in providing and further developing our services.

The legal basis (under the GDPR) is our legitimate interest in operating, securing, and improving our platforms and services.

The following data is processed:

• Your contact details (e.g. name, email address, phone number)
• Technical delivery data (e.g. timestamp, IP address of the recipient system)

This data is collected directly from you when you use our services or request certain features.

The data is used solely for sending the respective system messages. Your contact details are stored for as long as you use our services (e.g., by maintaining a user account with us) or as long as legal retention obligations apply.

System messages are sent either directly by us or via service providers who support us in the delivery of technical messages (e.g., email service providers or push notification platforms). Data is only shared for the purpose of message delivery and within the scope of a data processing agreement.

The legal basis (under the GDPR) is the performance of a contract, as the sending of system messages is necessary to provide you with the requested services or essential information related to them.

The following data is processed in this context:

• Information about your interactions with our offerings (e.g., pages visited, click behavior)
• Technical data (e.g., IP address, browser information, device information)
• Pseudonymized data that can provide insights into your interests

The data is collected directly through the use of the social media plugin and transmitted to the respective social networks, which process this data as independent data controllers. In some cases, data processing is carried out jointly with us, for example, in the context of analyzing the effectiveness of our advertising campaigns. Currently, social media plugins from the following platforms are integrated into our offerings:

• Linkedin https://www.linkedin.com/legal/privacy-policy
• X https://x.com/en/privacy
• Instagram https://privacycenter.instagram.com/policy
• Facebook https://www.facebook.com/privacy/policy/
• Youtube https://policies.google.com/privacy?hl=en-US
• Tiktok https://www.tiktok.com/legal/page/us/privacy-policy/en
• Pinterest https://help.pinterest.com/en/topics/privacy-safety-and-legal
• Snapchat https://values.snap.com/privacy/privacy-policy

The data is stored for as long as necessary for the stated purposes or until you object to its use. The processing of data by the social networks is governed by their own privacy notices.

You have the option to object to the use of social media pixels within the cookie settings. When you first visit our platforms, you will be informed via a Consent Management Platform (CMP), where you can set your preferences for social media plugins or reject their use. You can change these settings at any time.

The legal basis (under the GDPR) is our legitimate interest in conducting advertising and marketing for our business and other activities as effectively as possible (e.g., because personalized advertising is more effective).

We do this in order to communicate with you—whether you are a customer or someone interested in our services or products, or in another capacity—to understand what you and others are interested in, and to use the posts for marketing purposes and for business and product development. The providers of these social media platforms also collect and process your personal data for their own purposes, such as their own marketing or market research purposes. If you would like to know more about this, you can read the respective providers’ privacy notices. We currently use the following platforms:

• Linkedin https://www.linkedin.com/legal/privacy-policy
• X https://x.com/en/privacy
• Instagram https://privacycenter.instagram.com/policy
• Facebook https://www.facebook.com/privacy/policy/
• Youtube https://policies.google.com/privacy?hl=en-US
• TikTok https://www.tiktok.com/legal/page/eea/privacy-policy/de

In particular, we process the following personal data (if used by you)

• Social media usernames, first and last names, and possibly your profile picture
• Function, employer, professional background or education
• Contact information
• Content and metadata of communications
• Behavioral data, comments, and other content

This data generally originates from you (partly via the providers of these platforms). However, we may also receive other data from the platform providers, such as statistics about user behavior on our profiles. These are usually aggregated data that do not refer to you individually, although we may be jointly responsible with the platform providers for generating these statistics.

We generally retain this data for as long as they are visible on the platforms. In special situations (such as legal cases), different retention periods may apply.

Some of this data is shared with service providers who support us in managing our social media presence.

The legal basis (under the GDPR) is the initiation and execution of a contract (where communication with you takes place in such a context), the ability to communicate with you, and our legitimate interest in understanding and making use of what you write and do on these platforms.

For these purposes, we process the following personal data in particular:

• First and last names
• Access logs
• Image and video recordings
• Registration data
• E-mail address

We generally collect this data directly from you.

We typically retain image and video recording for 60 days and further data only for as long as necessary for the purposes for which it is processed. In special situations (such as legal cases), different retention periods may apply.

Some of this data is shared with service providers who support us in maintaining a secure infrastructure.

The legal basis (under the GDPR) is our legitimate interest in ensuring the safety and security of ourselves and others.

The following data is processed:

• Contact details (e.g., name, phone number, email address)
• Technical data (e.g., IP address, device data, browser data, log data)
• Payment data (e.g., IBAN)
• Information about your activities on our platforms (e.g., usage history)
• Additional information related to suspicious behavior, if applicable

This data is collected directly from you or automatically during your use of the platforms (e.g., through activity logging or system event monitoring).

The data is stored for as long as necessary to detect, investigate, and prevent security risks, to pursue cases of fraud and abuse (including legal proceedings), and to meet legal obligations. After the relevant measures or investigations are completed, the data is deleted unless further purposes or legal retention obligations apply.

The data may be shared with law enforcement authorities or other relevant bodies when necessary to prevent or investigate illegal activities or to enforce claims. Sharing occurs in accordance with legal requirements or legitimate interests.

The legal basis (under the GDPR) is our legitimate interest in ensuring the security of our platforms and users, preventing or limiting the consequences of misuse, and enforcing violations.

These obligations may arise under Swiss law or under foreign law that applies to us or that we choose to comply with. Please review also the next section.

For this purpose, we process the following personal data in particular:

• First and last names
• Contract data
• Contact details
• Data about your use of our platforms (e.g., uploaded content, message history, etc.)

This data generally originates from you.

We generally retain this data for as long as you use our platforms (e.g., have an active user account) and for 10 years thereafter. In special situations (such as legal proceedings), different retention periods may apply.

This data is shared with the competent authorities as required.

The legal basis (under the GDPR) is the law (where EEA law is concerned) and our legitimate interest in complying with or going beyond other applicable laws where appropriate, and in cooperating with authorities.

In this context, the following data may be shared with the relevant authorities:

• Contact details (e.g., name, address, email address, telephone number),
• Information about the affected listings or activities (e.g., descriptions, timestamps, content),
• Technical data (e.g., IP address, device information, log data)
• any other information that may be relevant to an investigation

This data is collected directly from you and is mostly gathered automatically during your use of our platforms (e.g., via activity or system event logging).

Data is shared with law enforcement agencies, courts, or other competent public authorities in the course of investigations. Such sharing only occurs based on a legal obligation or within the scope of our legitimate interest in ensuring the security of our platforms and their users.

The legal basis (under the GDPR) is the law (where EEA law applies) and our legitimate interest in complying with or going beyond other applicable laws where appropriate, cooperating with authorities, and protecting ourselves, our platforms, employees, and users (including you).

The following data is processed:

• User data (e.g., account information, customer history, activity logs), typically in pseudonymized form for seekers,
• Technical data (e.g., IP address, device type, log data),
• Data on the use of platform functions (e.g., listings, search behavior, search alerts etc.)

This data is either provided directly by you or collected automatically during your use of the platform.

Depending on the type of data, it is stored for 6 months or for the duration of service provision, in line with applicable retention periods and legal requirements. After the relevant period expires, the data is deleted or anonymized.

The data may be shared within the SMG Group as well as with technical service providers who support us in organizing and providing the data. Data may also be shared with advisors, experts, authorities, auditing firms, and other parties involved in corporate and capital market transactions who may process the data under their own responsibility and (except for authorities) are typically bound by confidentiality obligations, unless already legally required to do so. Data sharing occurs exclusively for the purposes stated above.

The legal basis (under the GDPR) is our legitimate interest in understanding and improving our platforms and other services and operations, such as continuously enhancing data quality, platform performance, and operational efficiency.

When we share data with other companies for the purposes of online advertising and the use of third-party tools on our websites and apps (e.g., for playing videos or tracking), you should assume that these may be located anywhere in the world, particularly in the United States. You can find more detailed information on this in the privacy settings of the respective offer. You will find the link in the respective offer at the bottom of the page.

If the recipient to whom we transfer your data is located in a country that, from the perspective of Switzerland or the EU, does not provide an adequate level of data protection (the adequacy of a country is determined by the Federal Council, or, if the GDPR is applicable, by the European Commission), we will enter into specific contracts with this recipient (notably the Standard Contractual Clauses of the European Commission, which can be found here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?). We may waive the conclusion of these contracts if the recipient is subject to certain official frameworks (including the EU-U.S. Data Privacy Framework or the Swiss-U.S. Data Privacy Framework) or if the law provides for an exception.

Such exceptions, where we may disclose your personal data to countries without adequate data protection without having to conclude the Standard Contractual Clauses, are (and may occur with us):

• You have consented to the disclosure;
• The disclosure is necessary to protect your life or physical integrity or that of third parties, and we cannot obtain your consent in time;
• The disclosure is related to the conclusion or execution of a contract between you and us or a contract that is in your interest;
• The disclosure is necessary for the protection of a public interest;
• The disclosure is necessary for a legal proceeding abroad;
• It concerns data that you have made publicly available and whose processing you have not objected to.

• Right of Access: You have the right to request information about whether and which personal data we process about you, for what purpose, and depending on the applicable data protection law, a number of additional details. You can do this via the below form.
• Right to Deletion (Right to be Forgotten): You can request the deletion of your personal data, for example, if the data is no longer needed for the purposes for which it was collected, or if you withdraw your consent to data processing. Please note that you may no longer be able to use our offers afterward.

You can request access and deletion via the respective form:

Acheter-Louer	Anibis	AutoScout24 + MotoScout24
Homegate	Ricardo	FinanceScout24
ImmoScout24	Tutti	Moneyland
Immoverkauf24
Flatfox

• Right to Rectification: If your personal data stored with us is incorrect or incomplete, you can request its correction.
• Right to Restriction of Processing: You have the right to request the restriction of the processing of your personal data, for example, if you dispute the accuracy of the data or object to the processing.
• Right to Data Portability: You have the right to receive your personal data, which you may have provided to us, in a structured, commonly used, and machine-readable format, and to transmit this data to another controller.
• Right to Object: You may object to the processing of your personal data, under the GDPR, for example, if the processing is based on legitimate interests.
• Right to Withdraw Consent: If we have asked for your consent to process your personal data, you can withdraw that consent under the GDPR, for example, at any time with effect for the future.
• Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us. In Switzerland, this is the Federal Data Protection and Information Commissioner (Eidg. Datenschutz- und Öffentlichkeitsbeauftragte), reachable at: https://www.edoeb.admin.ch. For the EU, you can find the contact details of the data protection supervisory authorities here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

However, data protection law provides that these rights do not apply unconditionally. There are various reasons why, for example, we may not disclose all data in response to an access request or why we may not comply with an objection. The aforementioned rights may also be restricted by other legal provisions.

You can usually exercise these rights free of charge. However, we must ensure in an appropriate manner that it is truly you making the request.

To assert your rights, please contact us. The contact details can be found in Section VI of this privacy statement. The consents for the possible transfer of your data for analysis, marketing, and advertising purposes to third parties are managed through an online platform, where you can directly manage your consents. You can access this through the privacy settings of the respective offer. The link is located at the bottom of each page.