Illustrative translation only. The authoritative version of this document is the German original. This English translation is provided for convenience only and has no independent legal force. In the event of any conflict or inconsistency between the German version and this English translation, the German version shall prevail.

Privacy Notice

16 April 2026

1. Who We Are

NDRCL AG ("we", "us", "our") is the controller for the purposes of data protection law in respect of personal data collected via the website chlor-clean.com.

CHLOR-CLEAN, HAZ-TAB and Guest Medical are trademarks of NDRCL AG or one of its group companies. These trademarks may be used by various group companies within the group. The use of a trademark, including the name Guest Medical, on a product label does not mean that Guest Medical Limited is the manufacturer of the product in question.

Contact:
NDRCL AG
UID: CHE-304.913.384
Stutzstrasse 44
8834 Schindellegi, Switzerland
E-mail: info@ndrcl.com

The registered office of the company is in Feusisberg, Canton of Schwyz. The company name is currently being changed to "NDRCL AG". At the time of publication of this Privacy Notice, it is not known whether the name change has already been entered in the commercial register of the Canton of Schwyz. The company may therefore still be listed in the commercial register under its former name. The Company Identification Number (UID) CHE-304.913.384 is the unique and legally binding identifier pursuant to the Federal Act on the Company Identification Number (UIDG). We apologise for any inconvenience this may cause.

NDRCL AG is not obliged under nDSG Art. 10 to appoint a data protection adviser and has not done so voluntarily. Data protection enquiries should be directed to: info@ndrcl.com.

2. What Data We Collect

When you submit an enquiry via our form, we collect the following data:

  • Organisation or company name - to identify your business context
  • First name and last name - to address you personally and to create the Brevo contact record
  • Job title (optional) - to route your enquiry to the appropriate person
  • E-mail address - to respond to you and to send product information
  • Telephone number (optional) and WhatsApp number (optional) - both in E.164 format. The telephone number is used for telephone follow-up; the WhatsApp number (stored in the WhatsApp Business field in Brevo) is used for transactional follow-up. There is no SMS marketing, no automated calls and no WhatsApp marketing campaigns
  • IANA time zone reported by the browser (e.g. "Europe/London") - via the JavaScript API Intl.DateTimeFormat, for scheduling newsletter e-mails
  • Mandatory consent record (Boolean + consent text + Terms/Privacy version + UTC timestamp + IP)
  • Newsletter subscription preference (Boolean)

Providing contact data is voluntary. However, without these details we cannot respond to your enquiry. Job title, telephone number and WhatsApp number are each independently optional. Telephone and WhatsApp numbers must be provided in E.164 format (e.g. "+44 20 7946 0958"). Ticking the mandatory consent checkbox is required to submit the form. Newsletter sign-up does not affect the handling of your enquiry. There is no legal or contractual obligation to provide data.

Server logs: IP address, user agent, timestamp and pages visited (security, rate limiting).

Cookies/tracking: See Section 8 below.

Honeypot field: A hidden field for bot detection. No personal data is collected from genuine users.

3. How We Use Your Data

Purpose Legal basis (nDSG/GDPR)
Processing your enquiry, preparing and sending product and pricing information nDSG Art. 6 para. 6 - your express consent via the mandatory form checkbox
Responding to your enquiry and preparing a supply analysis nDSG Art. 31 para. 1 - processing in the context of pre-contractual measures at your request
Follow-up by e-mail, telephone and/or WhatsApp (if you have provided a WhatsApp number) nDSG Art. 31 para. 1 - pre-contractual measures; overriding legitimate interest in responding to business enquiries
Website analytics and performance monitoring nDSG Art. 6 para. 6 - your consent (via cookie banner)
Transactional and related-content e-mails regarding products, supply and regulatory developments Overriding legitimate interest in B2B communication with business contacts; UWG Art. 3 lit. o
Maintaining a CRM contact record in Brevo for pipeline tracking, duplicate detection and follow-up nDSG Art. 31 para. 1 - pre-contractual measures; overriding legitimate interest in business CRM
Setting the NEWSLETTER_OPT_IN flag and including in newsletter campaigns (only if the optional checkbox is ticked) nDSG Art. 6 para. 6 - your express consent via the optional newsletter checkbox
Server-side logging (IP, user agent, request data) for security and rate limiting Overriding legitimate interest in website security
Bot detection via Google reCAPTCHA v3 Overriding legitimate interest in protecting the form against bot abuse

4. Consent Record (Enquiry Form)

To submit the form, you must tick the mandatory consent checkbox. By doing so, you confirm that you have read the Terms of Use and the Privacy Notice and understand that product and pricing information is illustrative only.

Legal basis: nDSG Art. 6 para. 6 (consent).

Retention of the consent record: The consent text, Terms/Privacy version, UTC timestamp and IP address are retained.

The consent record is distinct from the newsletter consent.

Withdrawal of consent: Send an e-mail to info@ndrcl.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5. Google reCAPTCHA v3 (Bot Detection)

We use reCAPTCHA v3 by Google LLC (Mountain View, CA, USA). reCAPTCHA v3 is invisible: no puzzle is displayed; the check takes place in the background.

How it works: reCAPTCHA loads a JavaScript library, observes browser signals (IP address, user agent, mouse movements, scroll behaviour, keystrokes, time spent on the page) and returns a risk score from 0.0 to 1.0.

Data transmitted to Google: The signals described above are transmitted to Google servers (primarily in the USA). Google may use this data in accordance with its own Privacy Policy. We receive only the risk score, the action label, the hostname and the timestamp.

Cookies/storage: reCAPTCHA may set cookies and use localStorage, sessionStorage and IndexedDB. These are treated as technically necessary for form security.

Legal basis: Overriding legitimate interest in protecting the form against bot abuse (nDSG Art. 31 para. 1).

International transfer: Google LLC is headquartered in the USA. The transfer is protected by the Swiss-US Data Privacy Framework and/or Standard Contractual Clauses pursuant to nDSG Art. 16-17.

Your rights: Google's Privacy Policy is available at policies.google.com/privacy.

Visibility: The badge is hidden in accordance with Google's guidelines. An attribution notice is displayed below the form submit button.

6. CRM Contact Record and Newsletter

On each successful form submission, a CRM contact record is created or updated in Brevo.

CRM record contents: First name, last name, e-mail, job title, organisation, telephone/WhatsApp (E.164), time zone, NEWSLETTER_OPT_IN flag, lead source, timestamp, IP address.

Legal basis for the CRM record (always created): nDSG Art. 31 para. 1 (pre-contractual measures); overriding legitimate interest in business CRM.

NEWSLETTER_OPT_IN flag: Set to "Yes" only if you tick the optional checkbox. Legal basis: nDSG Art. 6 para. 6 (express consent).

Newsletter campaigns: Sent exclusively to the filtered segment where the flag is set to "Yes".

Unsubscribe: Via the unsubscribe link in the e-mail, by replying UNSUBSCRIBE, or by e-mail to info@ndrcl.com. Unsubscribing does not delete the CRM record.

Full deletion of the CRM record: By e-mail to info@ndrcl.com.

Retention: The CRM record is retained until a deletion request is made. The unsubscribe suppression record is retained indefinitely.

Data processor: Sendinblue SAS (trading as Brevo), 106 Boulevard Haussmann, 75008 Paris, France. Established in the EU. Written data processing agreement pursuant to nDSG Art. 9.

7. Marketing Communications and Unsubscribe

Following receipt of your enquiry, we may send you transactional and related-content e-mails regarding products, supply and regulatory developments.

Legal basis: Overriding legitimate interest in B2B marketing; UWG Art. 3 lit. o.

Unsubscribe: Via the unsubscribe link in the e-mail, by replying UNSUBSCRIBE, or by e-mail to info@ndrcl.com.

Unsubscribing from marketing communications does not affect transactional communications or the newsletter (if separately subscribed to).

8. Cookies and Similar Tracking Technologies

Cookies are small text files stored by your browser on your device. We distinguish between first-party cookies (set by chlor-clean.com) and third-party cookies (set by service providers). This section also covers localStorage, web beacons and fingerprinting technologies in addition to cookies.

Non-essential cookies are activated only after you have given your consent via the cookie banner.

Essential - CSRF Token (always active)

A first-party cookie to protect the form against cross-site request forgery. No personal data. Retention: session.

Essential - HTML5 Local Storage (always active)

Your cookie consent decision is stored under the key cookie_consent. Not transmitted to the server.

Essential - Google reCAPTCHA v3 (always active when using the form)

May set cookies and storage for fraud detection. Technically necessary for form security. See Section 5 above.

Analytics - Google Analytics 4

Page views, scroll behaviour, clicks, form submissions. Google LLC (USA). Cookies: _ga, _ga_*, _gid. Retention: 14 months.

Analytics - Microsoft Clarity

Anonymised session recordings and heatmaps. Microsoft Corporation (USA). Cookies: _clck, _clsk, CLID. Retention: 12 months.

Analytics - Mixpanel (EU data storage, with session recording)

Product analytics and session recording. Captures:

  • Anonymous usage events and random device ID
  • Autocapture of clicks (visible text, CSS classes)
  • Session recording (mouse, scroll behaviour, clicks) - 100% of consented sessions
  • Pseudonymous conversion event on form submission: on successful submission, Mixpanel EU (api-eu.mixpanel.com) receives only a pseudonymous event (sector, country code, number of selected interests, request format, language). Name, email, phone and WhatsApp numbers are never transmitted to Mixpanel.

Privacy measures: EU data storage, IP geolocation disabled, input field masking in recordings, localStorage persistence, no advertising/retargeting.

Mixpanel Inc. (USA with EU data centre). Storage: localStorage. Retention: 12 months.

Change cookie settings: Via the "Cookie Settings" link in the footer.

Browser cookie management: You may also manage cookies via your browser. Instructions are available in the help pages of Chrome, Firefox, Safari and Edge.

Rejecting non-essential cookies: The Website will continue to function, but no analytics or marketing data will be collected.

"Do Not Track": There is no unified industry standard for "Do Not Track". We rely on the cookie banner.

Children and cookies: This Website is not directed at persons under 16 years of age.

9. With Whom We Share Your Data

Group companies: Within the NDRCL AG group. We may share data to respond to your enquiry, for administration and to provide products and services. Companies in Switzerland, the United Kingdom, the EU and Mexico.

Service providers:

  • Brevo (Sendinblue SAS, Paris) - e-mail, CRM, newsletter. Established in the EU. Data processing agreement pursuant to nDSG Art. 9.
  • Google LLC - analytics (with consent); reCAPTCHA (always, legitimate interest). Established in the USA. Swiss-US Data Privacy Framework.
  • Microsoft Corporation - session recording (with consent). Established in the USA. Swiss-US Data Privacy Framework.
  • Mixpanel Inc. - product analytics (with consent), EU data centre. Established in the USA. Swiss-US Data Privacy Framework + Standard Contractual Clauses.

We do not sell your personal data.

Social share buttons (user-initiated): On certain pages you will find buttons to share this page on social networks or messengers (LinkedIn, X, Facebook, Microsoft Teams, WhatsApp, Telegram, email) or to copy the page link. These buttons are plain links: they set no cookies, load no external scripts and transmit no data without your action. Only when you actively click a button does your browser open a link to the chosen platform. At that point your IP address, user agent and the shared URL are transmitted to that platform and processed under its own privacy policy. We do not learn whether you actually posted the share.

Self-hosted assets: Fonts (Inter, Noto Sans Arabic, Material Symbols), country flags and the phone-number validation library are served from our own servers. Your IP address is therefore not transmitted to third-party CDNs (for example Google Fonts, flagcdn.com) when the page loads. External resources are loaded only for Google reCAPTCHA v3 (technically necessary for form security), Google Analytics 4, Microsoft Clarity and Mixpanel. The latter three load only after your consent via the cookie banner.

10. How Long We Retain Your Data

  • Enquiry data (name, e-mail, telephone, WhatsApp, job title, organisation, time zone): 24 months or until a deletion request is made
  • Consent record: 24 months, retained as evidence
  • CRM contact record in Brevo (including NEWSLETTER_OPT_IN flag): until a deletion request is made. Unsubscribing changes the flag but does not delete the record
  • Analytics: 14 months (GA4), 12 months (Clarity), 12 months (Mixpanel)

11. Your Rights

Under the Swiss Federal Act on Data Protection (nDSG/revDSG), you have the following rights:

  • Right of access (Art. 25 nDSG) - request a copy of your personal data
  • Rectification - request correction of inaccurate data
  • Erasure - request deletion of your data
  • Restriction - request restriction of processing
  • Objection - object to processing
  • Withdrawal of consent - withdraw your consent to cookie-based processing via the cookie settings
  • Data portability (Art. 28 nDSG) - request your data in a structured, machine-readable format

To exercise your rights, send an e-mail to info@ndrcl.com. Response within 30 days.

If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch.

For data subjects in the EEA: You may also contact your competent national supervisory authority under the EU General Data Protection Regulation (GDPR).

12. International Data Transfers

Your data may be transferred to countries outside Switzerland:

  • European Union - group companies, service providers. Covered by the Swiss Federal Council's adequacy list (nDSG Art. 16 para. 1)
  • United Kingdom - group companies, service providers. Covered by the Swiss Federal Council's adequacy list
  • Mexico - group companies, service providers. Not on the Swiss adequacy list. Transfers protected by Standard Contractual Clauses pursuant to nDSG Art. 16 para. 2
  • United States - service providers (Google, Microsoft, Mixpanel). Swiss-US Data Privacy Framework and/or Standard Contractual Clauses pursuant to nDSG Art. 16 para. 2

All transfers are subject to appropriate safeguards under nDSG, EU GDPR (as applicable to EEA data subjects) and LFPDPPP (as applicable to Mexican data subjects).

13. Data Relating to Minors

This Website is directed at professionals: facility managers, procurement officers, infection prevention leads, distributors and other persons acting in a professional capacity.

The Website is not directed at children. We do not knowingly collect data from persons under 16 years of age.

If you become aware that a child has submitted data to us, please contact info@ndrcl.com. We will delete the data without undue delay.

14. Legal Framework

This Privacy Notice complies with:

  • Swiss Federal Act on Data Protection (nDSG/revDSG, in force since 1 September 2023) and Data Protection Ordinance (DSV)
  • EU General Data Protection Regulation (GDPR, Regulation 2016/679) - as applicable to EEA data subjects
  • UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 - as applicable to UK data subjects
  • Privacy and Electronic Communications Regulations 2003 (PECR) - for cookies and electronic marketing in the United Kingdom
  • Swiss Federal Act against Unfair Competition (UWG) - for electronic advertising
  • Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) - as applicable to Mexican data subjects

15. Changes to This Notice

We may update this Privacy Notice from time to time. The "Last Updated" date at the top indicates the current version.