CESA creates this website and the information contained herein with the greatest care. Nevertheless, CESA does not guarantee the correctness of the information. No liability is accepted for the use of the website or the information it contains.

CESA also assumes no liability for the content of other websites to which you may link or from which you may reach this website. These are external offerings over which CESA has no influence and for which CESA bears no responsibility.

The information on this website is for informational purposes only. No contractual relationship between the user and CESA is created by use of the information.

You have a right to understand how your data is used.

In this Privacy Policy we explain in clear language which personal data we process when you use our website, why we do it, and how we protect it. This policy applies to visitors of:
https://cesawater.com and any contact forms or pages linked to it.

Last updated: 26 November 2025

CESA Watertech GmbH
‍Innerer Sonnenweg 3
9000 St. Gallen
Switzerland

Phone: +41 79 452 76 31
Email: sandro.rueegg@cesawater.com
Commercial Register No.: CH-320.4.097.816-7 (Commercial Register Office: Canton of St. Gallen)
VAT No.: CHE-343.409.907 MWST

Responsible person for data processing
Sandro Rüegg
‍CESA Watertech GmbH
Innerer Sonnenweg 3
9000 St. Gallen
Switzerland
Email: sandro.rueegg@cesawater.com

Data protection officer / consultant
Cedric Sonnenberg
‍Kolumbanstrasse 10
9000 St. Gallen
Switzerland
Email: cedric.sonnenberg@cesawater.com
‍
You can contact us at any time if you have questions about privacy or want to exercise your rights.

We are based in Switzerland and operate internationally, in particular in:

- Switzerland
- European Union and EEA countries (including Germany, Austria, France, Italy, Spain, Netherlands, Belgium, Poland, Czech Republic,
- Hungary, Ireland)
- United Kingdom
- Turkey
- Several African countries (including South Africa, Kenya, Nigeria, Egypt, Morocco)
- China

For data protection, we primarily follow the Swiss Federal Act on Data Protection (FADP/DSG).
Where we offer services to, or monitor the behaviour of, people in the EU/EEA or the UK, the EU General Data Protection Regulation (GDPR) and UK GDPR also apply.
For some countries, local laws like POPIA (South Africa) or PIPL (China) may give you additional rights. We take these into account where they apply.

When you visit our website, your browser automatically sends technical information to our servers (operated by our provider Webflow). We store this in server log files.

- We typically process:
- IP address
- Date and time of access
- Pages and files accessed
- Amount of data transferred
- Referrer URL (the page you came from)
- Browser type and version
- Operating system

Why we process this
- To deliver the website to your device
- To maintain stability and security (e.g. detecting attacks)
- To analyse errors and improve our website

Legal basis
‍Our legitimate interest in running a secure and stable website (Art. 6(1)(f) GDPR / Art. 31 FADP).
Log files are usually kept only as long as necessary for these purposes and then deleted or anonymised.

You can get in touch with us via our “Get in Touch” form or by email or phone.
‍
In the contact form we typically collect:
- Name
- Company
- Email address
- Your message
- Optional attachment (file upload up to 10 MB)

Why we process this
- To read and answer your enquiry
- To prepare and carry out projects, proposals and contracts
- To maintain our business relationships
- To document our communication (e.g. for follow-up questions)

We receive your message via Webflow’s form infrastructure and through our email system.
‍
Legal basis
‍Performance of a contract or pre-contractual measures at your request (Art. 6(1)(b) GDPR), where your enquiry is aimed at entering into or carrying out a contract with us.
Our legitimate interest in communicating with business contacts and prospects (Art. 6(1)(f) GDPR / Art. 31 FADP).

Providing the fields marked as mandatory is necessary so that we can reply. Without them we may not be able to process your enquiry.

Retention
We store enquiries and related communication for as long as needed to process your request, meet legal retention obligations or assert or defend legal claims. Afterwards we delete or anonymise the data.

You can upload files as part of your enquiry (e.g. project documents, technical specifications).

Why we process this
- To understand and evaluate your request in more detail
- To prepare technical concepts, offers and projects

Please only upload files that are necessary and that you are authorised to share. Avoid including sensitive information about third parties unless they have agreed.
‍
Uploaded files are stored together with your enquiry and deleted in line with the retention rules above, unless longer storage is legally required.

Our website may use cookies and similar technologies (such as local storage or web beacons).
‍
Cookies are small text files stored on your device and read by your browser. We distinguish:

‍Essential cookies
‍Required for basic functionality and security of the website (e.g. to display pages correctly, prevent abuse, or remember form entries during a session).
‍Legal basis: our legitimate interest in operating a functional website.

‍Optional cookies (analytics / performance / marketing)
‍Used to understand how our website is used or to improve our communication. These are only used if you give your consent via the cookie banner.
‍Legal basis: your consent.
‍
If we use analytics tools (for example, a web analytics service), we will:
- Ask for your consent via the cookie banner before analytics cookies are set
- Configure the tool to use as little personal data as possible (e.g. IP anonymisation where available)
- Provide further details (tool name, provider and data processed) in a dedicated Cookies or Analytics section on the website.

You can:
- Manage your cookie preferences via the cookie banner or a “Cookie settings” link on the website, and
- delete cookies at any time in your browser settings.

Our team accesses your personal data only to the extent necessary for their tasks.

Examples:
- Sales and project staff access contact details and messages to answer your enquiries and manage ongoing projects.
- Management may access selected information needed for business planning or contract negotiation.
- IT and admin staff may access limited data to maintain our systems and resolve technical issues.

We do not sell your data to third parties. We will only access or disclose data beyond the normal process if this is required by law, by a court or authority, or to investigate suspected misuse or security incidents.

To operate our website and communication channels, we rely on trusted third-party providers. They may process personal data as our data processors.

We host and manage our public website using:
Webflow, Inc.
398 11th Street, 2nd Floor
San Francisco, CA 94103, USA
‍
Webflow stores and processes:
- Technical data (server logs)
- Form submissions and file uploads
- Content of the website (texts, images, layout)
‍
We have a Data Processing Agreement in place with Webflow which obliges them to handle personal data only according to our instructions and in line with applicable laws. Because Webflow is based in the USA, international data transfers may occur (see Section 6).

We use email and communication providers to send and receive messages. These providers may process:
- Your name and contact details
- The contents of our correspondence
- Metadata such as send/receive time and technical delivery information
‍
Where providers act as processors, we conclude appropriate data processing agreements with them.

If we use web analytics or performance tools in the future, we will:
- Choose providers who offer appropriate contractual and security safeguards
- Only activate optional tools with your consent
- List them transparently in this policy or in a separate cookies/analytics page.

We primarily store data in Switzerland and, where appropriate, in the European Union/EEA.
‍
Because we use global cloud and infrastructure providers (such as Webflow), it is possible that certain technical data or form submissions are processed on servers outside Switzerland or the EU/EEA, in particular in the United States or other countries where our providers or their sub-processors operate.
‍
When we transfer personal data to such “third countries” we take suitable safeguards, for example:
Using countries with an officially recognised adequate level of data protection (e.g. EU/EEA ↔ Switzerland), and/orconcluding standard contractual clauses or equivalent agreements with recipients, and applying additional technical and organisational measures (e.g. encryption, strict access controls).
‍
In some cases, and only where permitted, we may also rely on your explicit consent or on the necessity of the transfer for contract performance.
‍
If you would like to know the specific safeguards for a particular transfer, you can contact us at any time.

We keep personal data only for as long as one of the following applies:
- It is needed to fulfil the purposes described in this policy, or
- we have a legal obligation to keep it (for example, statutory retention periods under commercial or tax law), or
- we have a legitimate interest in keeping it (for example, to assert or defend legal claims).

Afterwards we either delete the data or anonymise it so that it can no longer be linked to you.

Data security is important to us. We use a combination of technical and organisational measures to protect your data, including:
- Encrypted transfer of data via HTTPS/TLS
- Access controls and role-based permissions
- Secure passwords and, where available, multi-factor authentication
- Up-to-date systems, security patches and backupsinternal guidelines and staff training on confidentiality and data protection

Despite these measures, no system is completely secure. If we become aware of a security incident that affects your data, we will act promptly and, where required by law, inform you and the relevant authorities.

Depending on where you live and which law applies (in particular the Swiss FADP and the EU/UK GDPR), you may have some or all of the following rights:

‍Right of access – to know whether we process your personal data and to receive a copy.
‍Right to rectification – to correct inaccurate or incomplete data.
‍Right to erasure – to request deletion of your data, for example when it is no longer needed, provided no legal obligations or overriding interests prevent this.
‍Right to restriction – to request that we temporarily limit processing of your data.
‍Right to data portability (GDPR) – to receive certain data in a structured, commonly used and machine-readable format or to have it transferred to another controller.
‍Right to object (GDPR) – to object to processing based on our legitimate interests for reasons relating to your particular situation.
‍Right to withdraw consent – where processing is based on your consent, you can withdraw it at any time with effect for the future.
‍Right to complain – you can lodge a complaint with a data protection authority.

If you want to exercise your rights, please contact us using the details in Section 1. We may ask you for proof of identity to ensure we are dealing with the correct person.

Supervisory authorities
Examples of authorities you can contact:
‍Switzerland:Federal Data Protection and Information Commissioner (FDPIC / EDÖB)
‍EU/EEA:Your local data protection authority, e.g. in Germany, Austria, France, etc.
‍UK:Information Commissioner’s Office (ICO)

You remain free to contact the authority of your choice in your country of residence or workplace.

When we process data of individuals in the EU/EEA or UK, the GDPR/UK GDPR applies in addition to Swiss law.

We rely mainly on Art. 6(1)(b) GDPR (contract / pre-contract steps) and Art. 6(1)(f) GDPR (legitimate interests) for contact and website operation, and Art. 6(1)(a) GDPR (consent) for optional cookies and analytics.

Where required by Art. 27 GDPR/UK GDPR, we may appoint a local representative. If so, we will publish their details here.$

For cross-border transfers to countries without an adequacy decision, we use standard contractual clauses or other safeguards as described in Section 6.

For visitors and customers in Switzerland, the revised Federal Act on Data Protection (FADP) applies.

- Our processing is based on the principles of lawfulness, good faith, proportionality and transparency.
- If we carry out profiling with high risk or process sensitive personal data at larger scale, we conduct a data protection impact assessment where required.
- We notify the Federal Data Protection and Information Commissioner in the event of data breaches, where the law requires it.

For individuals in South Africa, we take into account the Protection of Personal Information Act (POPIA):
- When required, we obtain your consent before using optional cookies or direct marketing by electronic means.
- For cross-border transfers, we ensure that the recipient provides an adequate level of protection or we rely on your consent or the necessity for contract performance.
- You may also contact the South African Information Regulator regarding complaints.

For individuals in China, we consider the Personal Information Protection Law (PIPL):
- Where necessary under PIPL, we obtain your separate consent for specific processing, for example for cookies or if personal data is transferred to servers outside China.
- If your enquiry originates from China and is handled in Switzerland or another country, this may involve an overseas transfer. We will take appropriate contractual and security measures and, where required, obtain your explicit consent for such transfers.

In countries like Kenya, Nigeria, Egypt, Morocco or Turkey, local data protection laws modelled after the GDPR may apply. Where this is the case:
- We rely on similar legal bases (consent, contract, legitimate interests, legal obligations),
- We provide transparency through this policy, andwe take appropriate safeguards for international transfers.

If local law in your country provides additional mandatory rights, we will respect these.

We may update this Privacy Policy from time to time, for example if we change our data processing activities or if legal requirements evolve.

The latest version is always available on our website. If we make significant changes, we may inform you separately (e.g. by email or a notice on the website).

This Privacy Policy is intended to provide clear and transparent information about how we process personal data. If any part of this policy is found to be invalid or unenforceable, the remaining provisions remain unaffected.
‍
If you have any questions about how we protect your data, please contact us at any time. We are happy to help.