Mirus NEO Data Protection

GENERAL INFORMATION

General

This privacy policy provides information on the processing of personal data in
connection with the use of the Mirus NEO application and web application.

Responsible:
Fabian Fingerhuth

Mirus Software AG
Tobelmühlestrasse 11
7270 Davos Platz
Switzerland
fabian.fingerhuth(at)mirus.ch

Data Protection Officer:

Marcel Schwizer
Mirus Software AG
Tobelmühlestrasse 11
7270 Davos Platz
Switzerland
datenschutzbeauftragter(at)mirus.ch


This privacy policy applies only to Mirus NEO (application and web application) and not to other services of Mirus Software AG or external interfaces (e.g., websites or other applications). Please check the privacy policies of other websites or applications controlled and operated by third parties, as these are beyond our control and Mirus Software AG is not responsible for their content and data protection measures. This privacy policy is based on the Swiss Data Protection Act (DSG). If persons from the EU/EEA are affected, we also observe the requirements of the EU General Data Protection Regulation (GDPR), as far as applicable.

We hereby inform you about all processing activities of your personal data that we carry out within the scope of this website.

USE OF EXTERNAL IT SERVICE PROVIDERS

For the provision, secure operation, and continuous development of Mirus NEO, we use selected and contractually bound IT service providers. These service providers process personal data exclusively within the scope of our instructions (order processing according to Art. 28 GDPR or Art. 9 DSG), for specific purposes and in compliance with high security and data protection standards.

Specifically, we use the following companies:

  • Microsoft Azure (Frankfurt data center, Germany) – Provision of infrastructure services such as hosting, database operation, push notifications, and BLOB storage.
  • creative BITS OG (Austria) – Responsible for development, maintenance, and 2nd and 3rd level support.

All service providers used have been carefully selected and are contractually obliged to confidentiality, data security, and compliance with applicable data protection regulations according to the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DSG).

PROCESSED PERSONAL DATA

When using Mirus NEO, we process various categories of personal data. These serve in particular for personnel administration, communication, and the fulfillment of contractual and legal obligations. Individual details are mandatory (marked with *), others are optional and can be voluntarily supplemented by you.

The processed data may include:

  • Master data: Username (email address), first name, last name, nickname, date of birth, gender, language (spoken), contact language, place of birth, nationality, profile picture
  • Contact details: Email address, mobile number, primary residence (address), address abroad (including phone number, if available), landline number
  • Employment data: Social security number, residence permit, marital status, health insurance
  • Bank details: IBAN, BIC, bank name
  • Emergency contact details: Emergency address and name of contact person
  • Family member details: First name, last name, gender, date of birth, social security number

DATA PROCESSING ACTIVITIES PERFORMED

  1. Registration and use of the user account

To use Mirus NEO, we require basic information such as your name, email address, and other profile data for setting up and managing your personal user account.

  • Purpose: Provision of the user account and basic functions
  • Legal basis: Overriding interest (Art. 31 para. 2 lit. a DSG or Art. 6 para. 1 lit. b GDPR)
  • Storage period: We process your data until your account is deleted.
  • Recipient: IT service provider

  2. Use of operational functions

While you use the application – for example, to view your duty roster, report absences, or access your payroll documents – we process the necessary work and personnel data.

The operational functions you can use via Mirus NEO include, among others, viewing your personal duty roster and planned working hours, applying for and managing absences (e.g., vacation or sick leave), and accessing personal documents such as monthly statements, payslips, and wage statements. Furthermore, you have insight into your current balances, for example, regarding vacation balance or overtime, and can record your working time within the integrated time tracking. Through task management, you can process organizational tasks such as managing absences, working time control, changes to master data or duty rosters. You also have the option to manage your personal data directly yourself and – for example, in the case of address or bank account changes – share it with your employer.

The data remains accessible to you even after leaving the company, so you continue to have access to relevant information and documents. You retain control over your data at all times – you are and remain “the master of your data”. It is also possible to request the deletion of your own account or a former employer’s account via the application.

  • Purpose: Provision of the necessary functionality for users
  • Legal basis: Fulfillment of the user agreement (Art. 31 para. 2 lit. a DSG or Art. 6 para. 1 lit. b GDPR)
  • Storage period: We process your data until your account is deleted. Please note your employer’s independent deletion periods.
  • Recipient: IT service provider

  3. Data exchange with the employer (synchronization with Mirus HR 3.0/Mirus

When you connect with an employer, your information and recorded data are automatically synchronized with their HR system – e.g., for payroll or personnel administration.

  • Purpose: Synchronization and management of work-related data
  • Legal basis: Fulfillment of the user agreement (Art. 31 para. 2 lit. a DSG or Art. 6 para. 1 lit. b GDPR)
  • Storage period: We process your data until your account is deleted. Please note your employer’s independent deletion periods.
  • Recipient: IT service provider

  4. Analysis of usage and logs to improve data security and functions

For the technical improvement of data security and the functionality of the application, including troubleshooting, we process personal data about the use of the application, including system and error logs, if necessary.

  • Processed data categories: Data about personal use, device information, logs, error reports (anonymized if possible)
  • Purpose: Increase data security, troubleshooting, and technical optimization
  • Legal basis: Fulfillment of the user agreement (Art. 31 para. 2 lit. a DSG or Art. 6 para. 1 lit. b GDPR); legitimate interest in the security and functionality of the application (Art. 31 para. 2 lit. a DSG or Art. 6 para. 1 lit. f GDPR)
  • Storage period: 12 months
  • Recipient: IT service provider

  5. Support and contact inquiries

If you contact us (e.g., with questions or technical problems), we process your message and the contact details contained therein to clarify your concern.

  • Processed data categories: Contact information, message content
  • Purpose: Processing inquiries, technical support
  • Legal basis: Fulfillment of the user agreement according to Art. 31 lit. a DSG or Art. 6 para. 1 lit. f GDPR; fulfillment of legal obligations
  • Storage period: 12 months, unless a longer storage period is necessary due to a law, a contract, or for the defense of legal claims.
  • Recipient: IT service provider

  6. Processing of data subject requests

If you submit a data subject request within the meaning of the DSG or GDPR, we process your personal data to handle the request and for evidentiary purposes vis-à-vis the authority or a court.

  • Processed data categories: All existing personal data; communication history within the data subject request
  • Purpose: Answering the data subject request; proof vis-à-vis the data protection authority or a court
  • Justification: Fulfillment of the user agreement (Art. 31 para. 2 lit. a DSG or Art. 6 para. 1 lit. f GDPR); defense of legal claims and proof vis-à-vis authorities and courts; fulfillment of legal obligations
  • Storage period: 3 years after successful processing of the data subject request
  • Recipient: IT service provider

  7. Other processing

All content that you actively enter into Mirus NEO yourself – e.g., chat messages, comments, tasks, or your own notes – is also processed. These entries are voluntary and are your own responsibility. Please note that such content may contain personal or sensitive information. Therefore, avoid entering confidential data unless it is necessary. Processing is carried out exclusively for the provision of the respective functionalities and in compliance with applicable data protection regulations (GDPR, DSG).

  • Purpose: Provision of user-defined functions
  • Legal basis: Fulfillment of the user agreement (Art. 31 para. 2 lit. a DSG or Art. 6 para. 1 lit. b GDPR); fulfillment of legal obligations
  • Storage period: We process your data until your account is deleted.
  • Recipient: IT service provider

DATA SECURITY

We implement appropriate technical and organizational security measures to protect your personal data from unauthorized access, loss, misuse, or destruction. These include, for example, modern encryption and authentication procedures. Communication between the Mirus NEO application/web application and our servers is encrypted (TLS/SSL), so that no unauthorized third party can read the data en route. Our servers are located in a professionally secured data center (Microsoft Azure, Frankfurt) with strict physical and digital safeguards. Internally, we ensure through access restrictions that only authorized employees have access to personal data – and only to the extent necessary. All employees and involved service providers are obliged to confidentiality and compliance with data protection. Please note: You should also contribute to data security by keeping your access data secret and choosing a strong password. If you suspect that unauthorized third parties have gained knowledge of your access data or that a security incident has occurred, please inform us immediately.

INTERNATIONAL DATA TRANSFER

In principle, we process your data in Switzerland or the EU. As described above, all Mirus NEO data, for example, is stored on servers in Germany. A transfer to other countries only takes place within the scope of using specific services (e.g., if a subcontractor in another country receives technical information). Should we transfer personal data to a country that does not offer an adequate level of data protection from the perspective of Switzerland or the EU (e.g., the USA), we will agree on contractual guarantees (such as standard data protection clauses) or take other protective measures to ensure an equivalent level of protection for your data. If necessary, we will also obtain your consent before such transfers take place. We point out to users residing in Switzerland that data transferred to the USA may be subject to other laws there (e.g., US authorities could access data under certain circumstances without the same legal remedies being available to data subjects as in Switzerland). However, we take all possible precautions according to the current state of the art to protect your data as best as possible and select our service providers carefully. If you have any questions about our data transfers abroad, you can contact us at any time.

RIGHTS OF THE DATA SUBJECTS

You can assert the following rights regarding data processing:

Right to information: You can request confirmation as to whether and to what extent personal data about you is being processed.

Right to rectification: If we process incomplete or incorrect personal data about you, you can request its rectification or completion at any time.

Right to erasure: You can request the erasure of your personal data if the purpose for which it was collected has ceased to exist, there is unlawful processing, the processing disproportionately interferes with your legitimate protection interests, or the data processing is based on your consent and you have withdrawn it. It should be noted that there may be other reasons that may prevent immediate erasure of your data, e.g., legally regulated retention obligations, pending proceedings, assertion, exercise or defense of legal claims, etc.

Right to restriction of processing: You have the right to request a restriction of the processing of your data if:

  • you dispute the accuracy of your data, for a period that allows us to verify the accuracy of the data,
  • the processing of your data is unlawful, but you refuse erasure and instead request a restriction of data use,
  • we no longer need the data for the intended purpose, but you still need this data for the assertion, exercise or defense of legal claims, or
  • you have objected to the processing of the data.

Right to data portability: You can request that we provide you with your data that you have provided to us in a structured, common and machine-readable format, provided that we process the data based on your given consent or for the fulfillment of a contract between us and the processing is carried out using automated procedures.

Right to object: If we process your data to perform tasks that are in the public interest, to exercise official authority, or if we rely on the necessity of processing to protect our legitimate interest, you can object to this data processing if there is an overriding protection interest in your data. You can object to the sending of advertising at any time without giving reasons.

Right to withdraw: All declarations of consent given by you can be withdrawn independently at any time. A withdrawal means that from this point on, we will no longer process your data for the purposes stated in the declaration of consent, and thus the corresponding rights and benefits can no longer be claimed.

These rights can be asserted at any time by sending a message via the contact form or to the email address info(at)mirus.ch. In case of doubt, we may request additional information to confirm your identity. This serves to protect your rights and your privacy.

Complaints and Supervisory Authority

We hope that we can answer all your data protection concerns to your satisfaction. Should you nevertheless be of the opinion that we have violated applicable data protection law or infringed your data protection rights when processing your personal data, you can contact us at any time (please send data protection inquiries to info(at)mirus.ch). We take your complaint seriously and will investigate it.

Regardless, you are also free to contact the competent data protection supervisory authority. For Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).

The contact address is:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH-3003 Bern
Web: https://www.edoeb.admin.ch