• 1. what is this privacy policy about?

ecoGroup Swiss AG, Lückenstrasse, 6430 Schwyz, Switzerland (ecoGroup) and its group companies may process personal data concerning you or other persons in different ways and for different purposes. A list of the ecoGroup companies can be found below:

• eco energietech AG, Gersauerstrasse 71, 6440 Brunnen, Switzerland
• ecoGroup Swiss AG, Lückenstrasse, 6430 Schwyz, Switzerland
• ecoenergy systems AG, Gersauerstrasse 71, 6440 Brunnen, Switzerland
• ECOGEN Euthal Genossenschaft, Lattbach 2, 8844 Euthal, Switzerland
• ECOGEN Arth-Goldau Cooperative, Rossbergstrasse 29, 6410 Goldau, Switzerland
• ecocoach AG, Gersauerstrasse 71, 6440 Brunnen, Switzerland
• ecocoach DE GmbH, Neuburger Strasse 57, 85057 Ingolstadt, Germany
• ecovolta AG, Gersauerstrasse 71, 6440 Brunnen, Switzerland

Where we refer to"we" or "us" below, this refers to the Group company that is responsible for data processing (see section 2).

"Personal data" is all information that can be linked to a specific person, and "processing" means any handling of it, e.g. obtaining, using and disclosing it.

This Privacy Policy explains our processing of personal data when

• You visit one of our websites,
• you purchase our services or products,
• you are otherwise in contact with us as part of a contract,
• you contact us by email, letter, on social media, by text message, via a contact form, etc,
• you register for certain offers (e.g. competitions) and our newsletter
• you have dealings with us in the context of all other data processing in connection with our offers.

For ease of reading, this privacy policy does not refer to more than one gender. However, we refer to persons of all genders.

Please take the time to read this privacy policy to find out how and why we process your personal data, how we protect your personal data and what rights you have in this regard. If you have any questions or would like further information about our data processing, please do not hesitate to contact us (section 2).

We have aligned this privacy policy with both the Swiss Data Protection Act (DPA) and the European General Data Protection Regulation (GDPR). When the data protection declaration refers to "personal data", this also includes "personal data" in accordance with the GDPR. However, whether and to what extent the GDPR is applicable at all depends on the individual case.

2 Who is responsible for processing your personal data?

The following company is often the "controller" for data processing under this privacy policy, i.e. the entity primarily responsible under data protection law, unless otherwise communicated in individual cases (e.g. in other privacy policies, on forms or in contracts):

ecoenergy systems AG
Gersauerstrasse 71
6440 Brunnen
Switzerland

If you are in contact with another Group company, e.g. because you or your company receive a service from this company or because you correspond directly with this company, the company in question is the controller. Several companies may also be jointly responsible for certain data processing if they are involved in deciding on the structure or purpose of the data processing in question.

If you have any questions about data protection, you are welcome to contact us at the following address so that we can process your request as quickly as possible:

+41 41 811 41 40, datenschutz@ecogroup.swiss

3 What personal data do we process?

We process different categories of personal data depending on the occasion and purpose. The most important categories are listed below, although this list is not exhaustive.

In the case of contractual partners that are companies, we process less personal databecause the applicable data protection law only covers the personal data of natural persons (i.e. people). However, we process personal data of the contact persons with whom we are in contact, e.g. name, contact details, professional details and details from communication, and details about managers etc. as part of the general information about companies with which we work.

You provide us with much of the personal data mentioned in this section yourself (e.g. via forms, in the context of communication with us, in connection with contracts, when using the website, etc.). You are not obliged to do so, subject to individual cases. If you wish to conclude contracts with us or claim services, you must also provide personal data, in particular master data and contract data, as part of your contractual obligations under the relevant contract.

If you provide us with personal data about other persons, such as information about family members or work colleagues, we assume that you are authorized to do so and that this personal data is correct. By transmitting personal data about third parties, you confirm this. Please also ensure that these third parties have been informed about this privacy policy (e.g. by a reference to this privacy policy).

3.1 Master dataWe define master data as the basic data that we require to process our business relationships or for marketing and advertising purposes and that relates directly to your person and characteristics. For example, we process the following master data:

• Title, surname and first name, gender and date of birth
• Address, contact details such as e-mail address and telephone and mobile number
• nationality
• Other information from identification documents
• Family data (e.g. marital status)
• Information on language preferences
• Information on professional profile and employment (e.g. employment relationship, employer, start of employment) and, if applicable, training
• Information on living situation
• In the case of company contacts, also relationships with the company you work for
• Customer history
• Authorizations to sign and declarations of consent

We generally receive this master data from you yourself, but may also receive it from other persons who work for your company, but may also obtain personal data from third parties, e.g. from bodies for which you work or from third parties such as our contractual partners, associations and address dealers and from publicly accessible sources such as public registers or the Internet (websites, social media, etc.).

3.2 Contract dataContract data is information that arises in connection with the conclusion or execution of the contract, e.g. information about contracts and the services to be provided or provided, as well as personal data from the run-up to the conclusion of a contract, information about the conclusion of the contract itself (e.g. the date of conclusion and the subject matter of the contract), as well as the information required or used for processing. We process the following contract data, for example:

• Date, application process, information on the type and duration as well as conditions of the contract in question, personal data on the termination of the contract
• Contact details and delivery addresses
• Information on the use of services
• Information on payments and payment methods, invoices, mutual claims, contacts with customer service, complaints, defects, returns, information on customer satisfaction, complaints, feedback, etc.
• For services available online, also access data and logins

We receive this personal data from you, but also from partners with whom we work. Again, this personal data may relate to your company, in which case it is not "personal data", but also to you if you work for a company or if you receive services from us yourself.

3.3 Communication data

Communication data is personal data in connection with our communication with you, e.g. if you contact us via the contact form or other means of communication. Communication data are e.g.

• Name and contact details such as postal address, email address and telephone number
• Content of correspondence (e.g. emails, written correspondence, telephone conversations, chat messages, etc.)
• Responses to customer and satisfaction surveys
• Information on the type, time and possibly place of communication and other peripheral data of the communication.

3.4 Technical dataIn connection with the use of our website, technical personal data is collected. This includes, for example, the following data

• IP address of the end device and device ID
• Information about your device, the operating system of your device or language settings
• Information about your internet provider
• content accessed or logs in which the use of our systems is recorded
• Date and time of access to the website and your approximate location

We may also assign an individual code to you or your end device (e.g. by means of a cookie; see section 5.1). This code is stored for a certain period of time, often only during your visit. As a rule, we cannot deduce who you are from technical personal data unless, for example, you register for the newsletter on our website. In this case, we can link technical personal data with master data - and thus with your person.

3.5 Behavioral dataIn order to tailor our offers and services to you or your company in the best possible way, we try to get to know you better. To do this, we collect and use personal data about your behavior. Behavioral data is, in particular, information about your use of our website. It can also be collected on the basis of technical personal data. This includes, for example, information about your use of electronic communications (e.g. whether and when you have opened an email or clicked on a link, especially when sending newsletters). We may also use your other interactions with us as behavioral data, and we may link behavioral data with other personal data (e.g. with anonymous data from statistical offices) and evaluate this personal data on a personal and non-personal basis.

3.6 Preference dataPreference data provides us with information about your likely needs and which services might be of interest to you or your company (e.g. when selecting topics for the newsletter). We therefore also process personal data relating to your interests and preferences. For this purpose, we can link behavioral data with other personal data and evaluate this personal data on a personal and non-personal basis. This allows us to draw conclusions about characteristics, preferences and expected behavior.

3.7 Energy dataIn connection with the purchase of our services, we may process certain energy data (in particular energy consumption data and billing data on energy consumption).

If you purchase software and/or cloud services from us, we may also process other energy data (data on energy generation and energy consumption) and safety-critical control commands (e.g. resetting functionally relevant system components or switching large consumers and generators on/off) that are generated by the software and/or cloud service and for which a personal reference can be established.

3.8 Other dataWe may also collect personal data from you in other situations. For example, personal data (such as files, evidence, etc.) that may also relate to you may be collected in connection with official or legal proceedings. We may also collect personal data for health protection reasons (e.g. as part of protection concepts). We may receive or produce photos, videos and audio recordings in which you may be recognizable (e.g. at events, through security cameras, etc.). We may also collect personal data about who enters certain buildings or has access rights to them and when (including during access controls, based on registration data or visitor lists, etc.), who takes part in events or campaigns (e.g. competitions) and when, or who uses our infrastructure and systems and when.

4 For what purposes do we process your personal data?

We primarily use the personal data we collect to process your orders. If you have subscribed to our newsletter, we will use your e-mail address to send it to you. In addition, we also process your personal data for other purposes in which we (and sometimes third parties) have a legitimate interest corresponding to the purpose, insofar as this is permitted and appears appropriate to us:

• Forcommunication purposes, i.e. to contact you and maintain contact with you. This includes responding to inquiries and contacting you in the event of queries, e.g. by email. In particular, we process your communication and master data for this purpose.
• Forcustomer care and for marketing purposes, in order to inform you specifically about offers according to your personal interests and preferences, e.g. through the newsletter and personalized advertising. For this purpose, we process technical data, master data, communication data and behavioral data in particular.
• We also process data toprovide and improve our services andfor product development. For example, we may process energy data so that users can take advantage of the full functionality of our software (e.g. visualization of energy data to illustrate energy consumption and energy sources), as well as to improve and further develop our services.
• To ensure IT security and for prevention: We process personal data to monitor the performance of our operations, in particular IT, our website, applications and other platforms, for security purposes, to ensure IT security, to prevent theft, fraud and misuse and for evidence purposes. This includes, for example, the evaluation of system-side recordings of the use of our systems (log data), the prevention, defense and clarification of cyber attacks and malware attacks, analyses and tests of our networks and IT infrastructures, system and error checks.
• To safeguard domiciliary rights and other measures for IT, building and facility securityand protection of our employees and other persons and assets belonging to or entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone recordings).
• For legal protection: We may also process personal data in order to enforce claims in court, before or outside of court and before authorities in Switzerland and abroad or to defend ourselves against claims. Master data and communication data may be processed for this purpose.
• To comply with legal requirements: This includes, for example, the processing of complaints and other reports, compliance with orders from a court or authority, measures to detect and clarify abuses and generally measures that we are obliged to take under applicable law, self-regulation or industry standards. In particular, we may process your master data and communication data for this purpose.
• For administrationand support: In order to make our internal processes efficient, we process personal data to the extent necessary for IT administration, accounting or data archiving. In particular, we may process communication and behavioral data as well as technical personal data for this purpose.
• We may also process personal datafor other purposes. These include corporate management, including business organization and corporate development, other internal processes and administrative purposes (e.g. management of master data, accounting and archiving), training and education purposes and the preparation and processing of the purchase and sale of business divisions, companies or parts of companies and other transactions under company law and the associated transfer of personal data, as well as measures for business management and the protection of other legitimate interests.

If we ask for your consent for certain processing, we will inform you separately about the corresponding purposes of the processing. You can withdraw your consent at any time by notifying us in writing.

5 Which online tracking and online advertising techniques do we use?

We use various technologies on our website with which we and third parties engaged by us can recognize you when you use our website and, in some cases, track you over several visits. In this section, we provide basic information about such technologies.

5.1 How and why do we use cookies and similar technologies?

We use third-party services for our website in order to measure and improve theuser-friendliness of the website and online advertising campaigns. For this purpose, we may integrate third-party components on our website, which in turn may use cookies. When we track you or use similar technologies, it is essentially so that we can distinguish access by you (via your system) from access by other users so that we can ensure the functionality of the website and carry out statistical evaluations. We do not want to infer your identity. The technologies used are designed in such a way that you are recognized as an individual visitor each time you access a page, for example by our server (or the servers of third parties) assigning you or your browser a specific identification number (so-called "cookie").

Cookies are files that your browser automatically saves on your end device when you visit our website. Cookies contain a unique identification number (an ID) that enables us to distinguish individual visitors from others, but generally without identifying them. Depending on the purpose of use, cookies contain further information, e.g. about the pages accessed and the duration of the visit to a page. We use session cookies, which are deleted when the browser is closed, and persistent cookies, which remain stored for a certain period of time after the browser is closed and are used to recognize visitors on a subsequent visit (see also section 10 below for the storage period).

We use the following types of cookies and similar technologies:

• Technically necessary cookies: Necessary cookies are required for the functionality of the websites, e.g. so that you can switch between pages without losing information entered in a form.
• Cookies for carrying out analyses and statistics: These cookies collect information about the use of a website and enable analyses, e.g. about the number of visitors and which pages are the most popular. They can simplify the visit to a website and improve user-friendliness. Certain analytics cookies also allow us to target you on our websites and on third-party websites with advertising for products and services that may be of interest to you.
• Social media cookies: Social media cookies allow us and our partners to store your preferences and similar information and in this way improve the relevant services.

We use cookies for the following purposes in particular:

• Personalization of content
• Displaying personalized advertisements and offers
• Displaying advertisements on third-party websites and measuring success, i.e. whether you respond to these advertisements (remarketing)
• Saving settings between your visits
• Determining whether and how we can improve our website
• Collecting statistical personal data on the number of users and their usage habits and to improve the speed and performance of the website
• We may process your contact details to target you with advertising on third-party platforms.

Detailed information on which cookies we use for which purposes can be found in our separatecookie information under section 15 of this privacy policy.

We may also use similar technologies, e.g. pixel tags or fingerprints, to store personal data in the browser. Pixel tags are small, usually invisible images or program code that are loaded by a server and thereby transmit certain information to the server operator, e.g. whether and when the website was visited. Fingerprints are information that is collected when you visit our website via the configuration of your end device or your browser and that make your end device distinguishable from other devices.

5.2 How can cookies and similar technologies be deactivated?

When you visit our website for the first time, a cookie banner with an integrated consent management tool is displayed. You then have the option of activating or deactivating certain categories of cookies via the Consent Management Tool.

You can also change your consent at a later date by clicking on "Change consent" in thecookie information under point 15 of this privacy policy and then adjusting your consent in the Consent Management Tool.

You can also configure your browser settings so that it blocks certain cookies or similar technologies or deletes existing cookies and other personal data stored in the browser. You can also add software (so-called "plug-ins") to your browser that blocks tracking by certain third parties. You can find out more about this in the help pages of your browser (usually under the heading "Data protection"). Please note that if you block cookies and similar technologies, our website may no longer function to its full extent.

5.3 Further information on cookies

Detailed information on which cookies we use for which purposes can be found in thecookie information in section 15 of this privacy policy.

6 What applies to profiling and automated decisions?

We may process and evaluate your personal data automatically in accordance with section 3. This also includes so-called profiling, i.e. automated evaluations of personal data for analysis and forecasting purposes, to determine preference data (section 3.6), but also to identify misuse and security risks. The most important examples are profiling to combat money laundering and terrorist financing, to prevent fraud, for credit checks and risk management, for customer care and for marketing purposes.

In order to ensure the efficiency and consistency of our decision-making processes, we make certain decisions with the help of computers according to certain rules and, if necessary, without a review by one of our employees. These include, in particular, credit checks, limit adjustments during the course of the contractual relationship and the automatic blocking of certain transactions in the event of anomalies. If decisions are made exclusively by automated means and lead to a negative legal consequence for you or otherwise significantly affect you ("automated individual decisions"), we will inform you accordingly. In this case, you can explain your point of view and request that a natural person reviews the relevant decision.

7 How do we process personal data in connection with social media?

On our website, we offer you the option of using "social media plugins" from Meta / Facebook and LinkedIn to integrate functions from these providers into our websites. These plugins are deactivated by default. As soon as you activate them (e.g. by clicking on the button), the relevant providers can detect that you are on our website. If you have a corresponding account with the social media provider, they can assign this information to you and thus track your use of online services.

We are generally jointly responsible with the relevant providers for the exchange of data that this provider collects via plugins or comparable functions (but not for the further processing of a provider). Where possible, we have concluded a correspondingadditional agreement with the provider. You can address requests for information and other requests from data subjects in connection with joint responsibility directly to the provider concerned.

8 How do we process personal data in connection with our app?

As part of our offering, we also provide an application for installation on mobile devices ("app"). During installation, the operator of the respective app store (e.g. Apple or Google) processes certain data under its own responsibility and in accordance with its own data protection provisions.

When you use the app, we process data that you provide to us or that is collected when you use the app. This may involve the following data described in section 3:

• Master data such as name or e-mail address;
• Technical data such as the ID of the mobile device, your IP address, other device information such as the operating system;
• Behavioral data such as functions used, duration of use;
• Preference data such as app language settings, notification settings;
• Energy data (data on energy generation and energy consumption) and control commands.

We process the aforementioned personal data for the purposes stated in section 4, in particular to provide and improve our services (e.g. authentication, login procedures) and for product development, to ensure IT security and prevention, to comply with legal requirements and to administer and support our business processes.

The processing of technical data essentially corresponds to the information mentioned above in section 5.1, although the technologies used may differ. You can view and change your data protection settings in the app under "More", then "Terms & Privacy". Under "More", then "Account", you can also change your personal data or have your account deleted.

9. to whom do we disclose your personal data?

In connection with our processing, we also disclose your personal data to other recipients.

In particular, we may disclose personal data that we receive from you or from third-party sources to other ecoGroup companies (see section 2). Data may be passed on for internal group administration or to support thegroup companies concerned and their own processing purposes, e.g. for the processing of contracts based on the division of labour, the personalization of marketing activities or the development and improvement of services.

We then disclose the personal data required for their servicesto service providers. This applies in particular to IT service providers, but also to consulting companies, analysis service providers, debt collection service providers, credit agencies, marketing service providers, etc. Insofar as service providers process personal data as processors, they are obliged to process personal data exclusively in accordance with our instructions and to take measures to ensure data security.

Data may also be disclosed toother recipients, e.g. to courts and authorities as part of proceedings and statutory duties to provide information and cooperate, to buyers of companies and assets, to financing companies in the case of securitizations and to debt collection agencies.

In individual cases, we may also disclose personal data to other third parties for their own purposes, e.g. if you have given us your consent to do so or if we are legally obliged or entitled to do so.

10. do we disclose personal data abroad?

Recipients of personal data are not only located in Switzerland. This applies in particular to group companies and certain service providers. These may be located inside and outside the European Economic Area (EEA) and Switzerland (in particular in Germany and the USA), but also in other countries around the world. For example, we may transfer personal data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings. Not all of these countries currently guarantee a level of data protection equivalent to Swiss law. We compensate for the lower level of protection through appropriate contracts, in particular the standard contractual clauses issued by the European Commission and recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC). Further information and a copy of these clauses can be found athttps://www.edoeb.admin.ch/de/bekanntgabe-von-personendaten-ins-ausland.

In certain cases, we may also transfer personal data without such contracts in accordance with data protection regulations, e.g. if you have consented to the corresponding disclosure or if the disclosure is necessary for the execution of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests.

11 How long do we process personal data?

We store and process your personal data for as long as is necessary for the purpose of processing (in the case of contracts, generally for the duration of the contractual relationship), for as long as we have a legitimate interest in storing it (e.g. to enforce legal claims, for archiving and/or to ensure IT security) and for as long as personal data is subject to a statutory retention obligation (e.g. a ten-year retention period applies to certain personal data). If there are no legal or contractual obligations to the contrary, we destroy or anonymize your personal data at the end of the storage or processing period as part of our normal processes.

Energy data that we can process as part of our software and/or cloud services will be processed on a personal basis during the term of the services, insofar as this is necessary for the above-mentioned processing purposes. At the end of the term of the software and/or cloud services, the energy data may be processed further in anonymized form.

With regard to cookies, you can find information on the duration of storage in ourcookie information in section 15 of this privacy policy.

12 What is the legal basis for data processing?

Under certain circumstances, data processing is only permitted if the applicable law specifically allows it. This does not apply under the Swiss Data Protection Act, but does apply under the GDPR, for example, insofar as it is applicable. In this case, we base the processing of your personal data on the following legal bases

• on your consent (Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR);
• that the processing is necessary for the performance of a contract or pre-contractual measures (e.g. the examination of a contract application; Art. 6 para. 1 lit. b GDPR);
• that the processing is necessary for the establishment, exercise or defense of legal claims or civil proceedings (Art. 6 para. 1 lit. f and Art. 9 para. 2 lit. f GDPR);
• that the processing is necessary for compliance with domestic or foreign legal provisions (Art. 6 para. 1 lit. c and lit. f; Art. 9 para. 2 lit. g GDPR);
• that the processing is necessary for a legitimate interest in data processing, in particular the interests mentioned in section 4 (Art. 6 para. 1 lit. f GDPR).

13. how do we protect your personal data?

We take appropriate security measures to protect the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to counteract the risks of loss, unintentional alteration, unwanted disclosure or unauthorized access. However, security risks cannot generally be completely ruled out; residual risks are unavoidable.

14 What rights do you have in connection with your personal data?

You have certain rights under the applicable data protection law so that you can obtain further information about our data processing and influence it. These are the following rights in particular:

• Right to information: You can request further information about our data processing. We will be happy to provide you with this information. You can also submit a request for information if you would like further information and a copy of your personal data.
• Objection and deletion: You can object to our data processing and also request that we delete your personal data at any time if we are not obliged to continue to process or store this personal data and if it is not necessary to process the contractual relationship.
• Correction: You can correct or complete incorrect or incomplete personal data or have it supplemented by a note of dispute.
• Transfer: You also have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format or to have it transferred to a third party, provided that the corresponding data processing is based on your consent or is necessary for the performance of the contract.
• Revocation: If we process personal data on the basis of your consent, you can revoke your consent at any time. The revocation is only valid for the future, and we reserve the right to continue processing personal data on another basis in the event of revocation.

Please note that these rights are subject to legal requirements and restrictions and are therefore not always fully available. In particular, we may have to continue to process and store your personal data in order to fulfill a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent permitted by law, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may therefore also refuse a data subject request in whole or in part (e.g. by blacking out certain content that concerns third parties or our business secrets).

If you wish to exercise your rights against us, please contact us in writing. You will find our contact details in section 2. We will usually have to verify your identity (e.g. by means of a copy of your ID). You are also free to lodge a complaint with the competent supervisory authority against our processing of your personal data. The competent supervisory authority in Switzerland is theFederal Data Protection and Information Commissioner (FDPIC).

15. cookie policy