Privacy Policy – Create your sticker
This Privacy Policy refers exclusively to the processing of personal data of the users (hereinafter “Data Subject(s)”) who voluntarily fill in the form accessible through the website www.irondames.ch (hereinafter, “Website”), under section “Create Your Sticker”. It is to be considered as policy provided in accordance with the Switzerland Federal Act on Data Protection (hereinafter “FADP”) and the European Regulation on Data Protection [Regulation (EU) 2016/679, hereinafter “GDPR”] (hereinafter, collectively, the “Applicable Law”).
1. Data Controller and contact details
The Data Controller is DC Racing Solutions S.A., with registered office in Baarerstrasse 80, 6300 Zug (Switzerland), VAT no. CHE-296 968 866 MWST (hereinafter, “Data Controller” or just “Controller”). For any clarification, information, or exercise of the rights listed in this Privacy Policy, the Data Subject can contact the Data Controller at the following contact details: e-mail compliance@irondames.ch.
2. Personal data subject to processing
The personal data processed by the Controller are name, last name, nickname, e-mail address, and Instagram username (the latter, only if voluntarily and freely provided by the Data Subject).
The Data Controller shall process personal data in compliance with the Applicable Law, assuming that they refer to the Data Subjects or to third parties who have expressly authorised the Data Subjects to provide them or whose personal data the Data Subjects was entitled to provide. With respect to these assumptions, the Data Subjects undertake to indemnify and hold harmless the Data Controller from any dispute, claim or request for compensation for damage caused by the processing of personal data that may be received from such third parties.
3. Purposes and legal basis of the processing
Personal data will be processed for the following purposes, as also stated in the General Terms and Conditions of Services, which the Data Subject must accept to generate the stickers:
PURPOSES | LEGAL BASIS |
---|---|
Collect, evaluate and select the stickers that will be stuck to the livery of the Iron Dames car which will take part in the races indicated in the Website and possibly displayed in the box and/or the stores on track set up by the Controller, as well as on the Controller’s website and social media, in accordance with General Terms and Conditions of Services. | Performing the contract (General Terms and Conditions of Services) to which the Data Subject is party [Article 30 and Article 31, par. 2, lett. a) of the FADP and Article 6, par. 1, lett. b), of the GDPR]. |
Once the form to create the sticker is correctly filled out by the Data Subject, send to the Data Subject’s e-mail address the request for confirmation of the sticker creation, as well as the confirmation link of the Data Subject’s e-mail address, in accordance with General Terms and Conditions of Services. | Performing the contract (General Terms and Conditions of Services) to which the Data Subject is party [Article 30 and Article 31, par. 2, lett. a) of the FADP and Article 6, par. 1, lett. b), of the GDPR]. |
Announce the name and/or nickname of the Data Subjects related to the selected stickers by means of a live broadcast on the Data Controller’s social media Instagram, prior to each race indicated on the Website, in accordance with General Terms and Conditions of Services. | Performing the contract (General Terms and Conditions of Services) to which the Data Subject is party [Article 30 and Article 31, par. 2, lett. a) of the FADP and Article 6, par. 1, lett. b), of the GDPR]. |
Tagging the Data Subject/Mentioning the Instagram username of the Data Subject, voluntarily and freely provided by the latter, in relation to the selected stickers, in the description of any posts published on the Data Controller’s social media Instagram, and having the selected stickers as their subject matter and/or the “STICK WITH US” initiative. | The Data Subject’s consent given by voluntarily and freely providing his/her Instagram username in the form to be filled in for participation in the “STICK WITH US” initiative [Article 30 and Article 31, par. 1 of the FADP and Article 6, par. 1, lett. a) of the GDPR]. |
Ascertain, exercise, or defend a right of the Data Controller in administrative, jurisdictional or extrajudicial proceedings or whenever administrative or jurisdictional authorities exercise their functions. | The legitimate interest of the Data Controller to ascertain, exercise, or defend a right or whenever administrative or jurisdictional authorities exercise their functions [Article 30 and Article 31, par. 1 of the FADP and Article 6, par. 1, lett. f), of the GDPR]. |
Send the newsletter for marketing purposes by filling in the form named “STAY UPDATED – SUBSCRIBE TO OUR NEWSLETTER”. | The Data Subject’s consent given by selecting the newsletter subscription checkbox at the bottom of the form [Article 30 and Article 31, par. 1 of the FADP and Article 13 of the Directive 2002/58/EC (so called “Directive on privacy and electronic communications”)]. |
Complying with legal obligations to which the Data Controller is bound, including responding to any requests to exercise the Data Subject’s rights under the Applicable Law. | The compliance with legal obligations to which the Data Controller is bound [Article 30 and Article 31, par. 1 of the FADP and Article 6, par. 1, lett. c) of the GDPR]. |
Providing feedback to any requests for information and/or for clarification received from the Data Subject in relation to the services referred to in the General Terms and Conditions of Services. | The implementation of pre-contractual measures taken at the request of the Data Subject or performing the contract (General Terms and Conditions of Services) to which the Data Subject is party [Article 30 and Article 31, par. 1 and par. 2, lett. a) of the FADP and Article 6 par. 1, lett. b), of the GDPR]. |
4. Nature of provision of personal data and consequences of failure to provide them
The provision of personal data is optional and totally voluntary; however, the provision of personal data is necessary to execute the General Terms and Conditions of Services to which the Data Subject adhered and to see the selected sticker stuck and/or displayed under the terms described therein.
The Data Subject is free to provide his/her Instagram username in order for it to be mentioned in relation to the selected stickers in the description of any posts published on the Data Controller’s social media Instagram, and having the selected stickers as their subject matter and/or the “Stick with us” initiative and no consequences will arise on the conclusion and execution of the General Terms and Conditions of Services in the event that he or she decides not to provide his or her Instagram username or to withdraw the consent initially given for this purpose.
The Data Subject is free to provide his/her consent for the reception of the newsletter and no consequences will arise on the conclusion and execution of the General Terms and Conditions of Services in the event that he or she decides not to give his or her consent or to withdraw the consent initially given to the reception of the newsletter.
5. Methods of personal data processing
Personal data are processed with manual and computer-based instruments, in any case in such a way as to guarantee their security and confidentiality. To this end, the Data Controller has adopted and implements security measures, both technical and organisational, appropriate to the level of risk related to the processing of personal data carried out. In particular, the Website functionality is provided solely on HTTPS encrypted connection and personal data are collected, filed and stored on secure servers, protected by firewalls and physically located within the European Economic Area.
6. Recipients or categories of recipients of personal data
The personal data provided by the Data Subjects may be shared, for the purposes set out in paragraph 3 above, with:
- employees or other types of collaborators authorized by the Data Controller in accordance with Article 29 of the GDPR to process personal data and who have received specific instructions on how to process the personal data in accordance with the Applicable Law;
- Leo Burnett Company S.r.l., acting as data processor (Article 9 of the FADP and Article 28 of the GDPR), with registered office in Viale Jenner, 19 – 20159 Milano (Italy), VAT n. 08812990151, for the management of the section of the Website dedicated to the “Create Your Sticker” project;
- Rocket Science Group LLC d/b/a Mailchimp, acting as data processor (Article 9 of the FADP and Article 28 of the GDPR), as provider of the newsletter management service;
- companies, consultants or professionals entrusted with the maintenance and updating of the Website (i.e. web agencies) and, in general, management of the Data Controller’s hardware and software, including the hosting provider and cloud computing services providers who typically act as data processors pursuant to and for the purposes of Article 9 of the FADP and Article 28 of the GDPR;
- companies, consultants or professionals entrusted with marketing and communication activities, who act as data processors pursuant to and for the purposes of Article 9 of the FADP and Article 28 of the GDPR;
- persons, entities or authorities to whom, in their capacity as autonomous data controllers, it is mandatory to communicate personal data by virtue of legal provisions or orders of the authorities or to prevent and/or ascertain any fraudulent activity or abuse in the use of the Website and the services offered by the Controller;
- law firms, associated firms, consultants or professionals (e.g., legal, administrative and/or tax consultancies) who may be appointed to support the Data Controller in order to ensure the correct fulfilment of the legal obligations with which it is required to comply; the ascertainment, exercise or defence of a right in jurisdictional or extrajudicial proceedings or whenever administrative or jurisdictional authorities exercise their functions.
Some of the personal data will be shared on the Data Controller’s social media Instagram, as described in paragraph 3 of the present Privacy Policy and in the General Terms and Conditions of Services.
7. Data transfers to countries outside Switzerland and/or EEA and/or international organisations
The Controller’s hosting provider’s servers are located within the European Economic Area. However, some of the Data Controller’s suppliers or the servers of such suppliers may be located in countries outside Switzerland and/or the EEA.
In particular, one of the Data Controller’s suppliers is Rocket Science Group LLC d/b/a Mailchimp, which is located in the United States of America. Rocket Science Group LLC d/b/a Mailchimp is an active participant in both the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework. The rights and freedoms of the Data Subjects are assessed as adequately protected when transfers take place within both the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework.
Another of the Data Controller’s suppliers is a UK marketing and communication agency. The personal data transfers take place on the basis of the adequacy decision of European Commission (EU) 2021/1772 of 28 June 2021, and/or on the basis of the Annex 1 of the Ordinance of 31 August 2022 on Data Protection entered into force on 1 September 2023. For more information, the Data Subjects can contact the Data Controller at the following e-mail address: compliance@irondames.ch.
8. Period of retention of personal data
The personal data of the Data Subjects will be retained for a period not exceeding the fulfilment of the above-mentioned purposes for which they are processed.
In particular, the personal data will be retained for a maximum period of 12 months, except for processing for marketing purposes, in which case data will be retained for a maximum period of 24 months from the date of subscription to the newsletter and/or from the renewal of the consent given to receive the newsletter, without prejudice to the right to withdraw, at any time, the consent given.
The personal data processed in connection with sending the request for confirmation of the sticker creation, as well as the confirmation link of the Data Subject’s e-mail address, will be kept for a minimum period of 24 hours. If, after 24 hours, the Data Subject does not confirm his/her e-mail address by clicking on the link received in his/her e-mail address, the relevant data will be deleted.
This maximum retention period may be extended, where the conditions are met, in order to allow the Data Subject to exercise and defend a right in court or whenever the judicial authority exercises its functions and/or at the request of the latter. In any case, after expiry of the retention period, the data will be deleted or anonymised.
9. Rights of the Data Subjects
The Data Subjects have the rights:
- to receive confirmation as to whether or not their personal data are being processed and, if so, to obtain access to them and to a range of relevant information, including, by way of example, information relating to: a) the purposes of the processing; b) the categories of personal data that are subject to processing; c) the entities or categories of entities to whom or which the personal data have been or will be communicated; d) the storage period of the data or, if that is not possible, the criteria used to determine that period; e) the source of the personal data, if they have not been provided by the Data Subjects;
- to request and obtain the updating of personal data, the rectification of inaccurate data or, when needed, the integration of incomplete data;
- to request and obtain the erasure of personal data if: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the Data Subjects object to the processing carried out on the basis of a legitimate interest of the Controller and there is no overriding legitimate reason to continue the processing; c) the personal data have been processed unlawfully; d) the personal data must be erased by the Controller in compliance with a legal obligation;
- to request and obtain the restriction of processing in the event of: a) contestation of the accuracy of their personal data for the time necessary for the Data Controller to carry out the requested verifications; b) unlawful processing of data by the Data Controller, if the Data Subjects object to the deletion of the data and instead request the restriction of their use; c) ascertainment, exercise or defence of a right of the Data Subjects in court, although the Data Controller no longer needs the data for the purposes of processing; d) awaiting the outcome of the verification as to whether the Data Controller’s legitimate reasons prevail over those of the Data Subjects;
- in cases where the processing of personal data is based on a contract and is carried out by automated means, to request and receive in a structured, commonly used and machine-readable format their personal data and, if technically feasible, to obtain the direct transmission of them by the Controller to another controller;
- to object, in whole or in part, on legitimate grounds relating to their particular situation, to the processing of personal data concerning the Data Subjects, even though they are relevant to the purpose of collection;
- in cases where the processing of personal data is based on the Data Subjects’ consent, to withdraw, at any time, the given consent; the withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal;
- to file a complaint with the competent Data Protection Authorities.
The Data Controller shall inform each of the recipients to whom the personal data of the Data Subjects have been transmitted of any rectification, cancellation and/or restriction of processing carried out, except when this proves impossible or involves a disproportionate effort.
10. Ways of exercising rights of Data Subjects
Data Subjects may exercise the above-mentioned rights at any time by sending an e-mail to the Data Controller to the following e-mail address: compliance@irondames.ch.
If the Data Subjects wish to lodge a complaint, they may use, if available, the forms on the website of the competent Data Protection Authorities. The Data Protection Authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
11. Changes to this Privacy Policy
This Privacy Policy may be amended and/or integrated and/or updated periodically, also as a consequence of the updating of the Applicable Law.
In this case, the Data Controller shall inform the Data Subjects of any amendments and/or additions and/or updates to this Privacy Policy by publishing the updated version of this Privacy Policy on the Website.
Last Update: 29/04/2025