Privacy policy

This privacy policy explains which personal data we (Blumer Lehmann (Erlenhof AG, Blumer-Lehmann AG, Blumer-Lehmann S.à r.l, Blumer-Lehmann GmbH and Lehmann Holzwerk AG) collect and process in connection with our activities, including on our website, In particular, we explain for what purpose, how and where we process personal data. We also provide information about the rights of individuals whose data we process. We do not sell personal data to third parties.

1. Data protection officers

If you have any questions about data protection, please send us an email or contact our organisation directly. You can reach us at

Responsible authority within the meaning of data protection laws, in particular the
Ordinance on the Federal Act on Data Protection (OFADP), is:

Erlenhof AG
9200 Gossau SG

Depending on the circumstances (direct contact, orders etc.), one of the following persons is responsible:

Blumer-Lehmann AG
9200 Gossau
T +41 71 388 58 58

Blumer-Lehmann S.à r.l
31, Op der Heckmill
LU-6783 Grevenmacher
T  + 352 2880454-0

Blumer-Lehmann GmbH
Am Wäldle 3
86836 Klosterlechfeld
+49 8232 9597 870

Blumer-Lehmann GmbH
Robert-Koch-Strasse 20
53501 Grafschaft
+49 2225 91130 - 0

Blumer-Lehmann GmbH
Industriestraße 4
36137 Großenlüder
T +49 160 3623069

Lehmann Holzwerk AG
9200 Gossau
T +41 71 388 58 00

In case of doubt as to responsibility, the enquiry may be directed to Blumer Lehmann (Erlenhof AG).

Data protection officer in the EU

Blumer-Lehmann S.à r.l
31, Op der Heckmill
LU-6783 Grevenmacher
T  + 352 2880454-0

2. Definitions and legal bases


Personal data is all information relating to a specific or identifiable person. A data subject is a person about whom personal data is processed.

‘Processing’ includes any handling of personal data, irrespective of the means and procedures used, in particular the storage, disclosure, acquisition, collection, deletion, storage, modification, destruction and use of personal data.

Legal basis
We take the protection of our users' personal data seriously, as we do the duty to provide them with information seriously and strictly adhere to the statutory provisions of the privacy guidelines, according to:

However, whether and to what extent these laws are applicable depends on the individual case.

3. Nature, extent, duration of storage and purpose

General information

We use the personal data we collect primarily for the purpose of concluding and processing our contracts with our customers and business partners, in particular within the scope of the Company’s purpose or the purposes of the individual companies (the purpose of the Company is to operate a business with prefabricated construction, modular construction, timber construction, silo and plant construction incl. technical planning, GC and FSC activities) with our customers and the purchase of products and services from our suppliers and subcontractors, as well as to fulfil our legal obligations in Switzerland and abroad.

Such personal data may in particular fall into the categories of inventory and contact data, browser and device data, content data, (telecommunications) metadata and usage data, location data, sales data and contract and payment data.

We process personal data for the period required for the respective purpose(s) or by law. Personal data, the processing of which is no longer necessary, will be anonymised or deleted.

We may have personal data processed by third parties. We may process personal data together with third parties or transfer it to third parties. Such third parties are, in particular, specialised providers whose services we use. We also guarantee data protection where such third parties are involved.

We process personal data only with the consent of the data subject, unless the processing is permitted for other legal reasons. Processing without consent may, for example, be permissible for the fulfilment of a contract with the data subject and for corresponding pre-contractual measures to safeguard our overriding legitimate interests, because the processing is apparent from the circumstances or after prior notification.

Insofar as permitted, we also extract certain data from publicly available sources (e.g. debt collection registers, land registers, commercial registers, press, internet) or receive such data from other companies within Blumer Lehmann, public authorities and other third parties.

Furthermore, we process personal data about you and other persons, to the extent permitted and deemed appropriate by us, for the following additional purposes in which we (and sometimes also third parties) have a legitimate interest corresponding to the purpose:

  • Offering and developing our products, services and websites, apps and other platforms on which we are present;
  • Communicating with third parties and handling their enquiries (e.g. job applications, media enquiries);
  • Testing and optimising needs analysis processes for direct customer contact and collecting personal data from publicly available sources for customer acquisition;
  • Advertising and marketing (including the holding of events), insofar as you have not objected to the use of your data (if we send you advertising from us as an existing customer, you can object to it at any time, and we will then place you on a blacklist blocking further advertising mail);
  • Market and opinion research, media monitoring;
  • Pursuing legal claims and defence in connection with legal disputes and administrative proceedings;
  • Safeguarding our operations, in particular IT, websites, apps and other platforms;

Video surveillance to protect property rights and other measures for IT, building and asset security and protection of our employees and other persons and assets belonging to or entrusted to us (such as access controls, visitor lists, network and email scanners, telephone records). In this context, we process in particular information that a data subject voluntarily transmits to us when contacting us – for example by letter, email, instant messaging, contact form, social media or telephone – or when registering for a user account. We can store such information, for example, in an address book or with similar tools. If we receive data about other persons, the persons transmitting the data are obliged to guarantee data protection towards those persons and to ensure the accuracy of that personal data. We also process personal data that we receive from third parties, obtain from publicly available sources or collect in the course of carrying out our activities, insofar as such processing is permitted for legal reasons.

Provision of the website and creation of log files

Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data, which enables attribution to a user, is collected:

  • Type and version of browser used
  • Operating system of the user
  • Internet service provider of the user
  • IP address of the user
  • Date and time of access
  • Websites from which the user’s system accesses our website
  • Websites accessed by the user’s system via our website.

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

The storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer; to do so, the user’s IP address must be stored for the duration of the session. In addition, it is stored in log files to ensure the functionality of the website. The data is used to optimise the website and to ensure the security of our information technology systems. These purposes also represent our legitimate interest in data processing. The legal basis is therefore Art. 6(1)(f) GDPR.

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collected in order to provide the website, this is the case when the respective session has ended. In the case of log files, the data is stored in rolling log files, with older entries being automatically deleted. The storage duration is therefore dependent on the circumstances and accordingly cannot be limited in time. In principle, it can be assumed that the data will be deleted after one year at the latest, but that storage for a longer period is possible.

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, the user has no option to object.

4. Communication channels


Our newsletters are sent via Elaine. For this purpose, your email address and other information will be stored for the analysis of the newsletter. Registration for the newsletters can be withdrawn at any time. To measure success and reach, we record anonymously which newsletter emails are opened and which web links are clicked in newsletter emails. Your email address, your title, your surname / first name and the use of the newsletter will be stored by Elaine in Switzerland. For further details, please refer to their Privacy Policy.

Elaine is a product of artegic AG. The software is GDPR-compliant and FADP-compliant according to Swiss law.

Mayoris AG distributes and implements the software and is our point of contact. Application hosting and data hosting are located in the data centre in Switzerland commissioned by Mayoris. For further details, please refer to their Privacy Policy.

Social media

We are present on social media platforms and other online platforms in order to communicate with interested persons and to provide information about our activities and activities. This will be apparent to you in each case (typically via the corresponding symbols). We have configured these elements to be disabled by default. If you activate them (by clicking on them), the operators of the respective social networks can register that you are on our website and where and can use this information for their purposes. In connection with such platforms, personal data may also be processed outside Switzerland.

The General Terms and Conditions (GT&C) and terms of service as well as privacy policies and other provisions of the individual operators of such platforms also apply in each case. In particular, these provisions provide information on the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right of access.

The terms and conditions of the respective social media platform apply.

Facebook: Meta Platforms Ireland Limited, Ireland, Privacy Policy

Instagram: Meta Platforms Ireland Limited, Ireland, Privacy Policy

LinkedIn: LinkedIn Ireland Unlimited Company, USA / Ireland, Privacy Policy

Pinterest: Pinterest Inc., USA, Privacy Policy

TikTok: TikTok Information Technologies UK Limited, Privacy Policy

Vimeo: Inc., USA, Privacy Policy

X: X Corp, USA, Privacy Policy

Xing: New Work SE, Germany Privacy Policy

YouTube: Google Ireland Limited, Ireland, Privacy Policy

Contact form and email contact

A contact form is available on our website, which can be used for electronic contact. If users avail themselves of this option, the data entered in the input mask will be transmitted to us and stored. These data are:

  • First name and surname
  • Address (street, postcode, town, country)
  • E-mail address
  • Telephone number
  • Individual notification
  • Event-specific characteristics (registration, etc.)

Your consent is obtained for the processing of the data as part of the sending process, and reference is made to this privacy policy.

Alternatively, contact can be made via the email address provided. In this case, the personal data of the user transmitted with the email will be stored.

We process the personal data from the input mask solely for the purpose of processing the contact. In the case of contact by email, this also constitutes the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems. Depending on the circumstances, data processing takes place on the basis of the user’s consent, the implementation of pre-contractual measures, the fulfilment of a contract and/or to safeguard our legitimate interests. Accordingly, the legal basis for data processing is Art. 6(1)(a),(b) and/or (f) GDPR.

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and that sent by email, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the matter in question has been dealt with conclusively.

The user has the option of revoking their consent to the processing of personal data at any time. If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. In this case, all personal data stored in the course of contacting us will be deleted, unless the storage is necessary to comply with contractual or legal obligations.

You can fundamentally object to receiving notifications and communications such as newsletters at any time. With such an objection, you can simultaneously object to the statistical recording of the use for measuring success and reach. We reserve all necessary notifications and communications in connection with our activities and activities.

5. Job applications

We process personal data about job applicants insofar as it is necessary for the assessment of suitability for an employment relationship or for the subsequent implementation of an employment contract. The required personal data are derived in particular from the information requested, for example in the context of a job advertisement. We also process personal data that applicants voluntarily disclose or publish, in particular as part of cover letters, CVs and other application documents as well as online profiles. If all the process steps of an application have been completed and a rejection or no acceptance or rejection has been given, the candidate's file will be automatically anonymised after 6 months.

We use third-party services to advertise vacancies via e-recruitment and to enable and manage job applications.

We use:

Dualoo: E-recruiting (‘The simple applicant tracking system’); Provider: Dualoo AG (Switzerland); Privacy Policy.

6. Personal data abroad

In principle, we process personal data in Switzerland. However, we may also disclose or export personal data to other countries, in particular in order to process or have it processed there.

We may disclose personal data to all states and territories if the law there guarantees adequate data protection in the assessment of the Federal Data Protection and Information Commissioner (FDPIC) or in accordance with a decision of the Federal Council.

We may disclose personal data in countries, the laws of which do not provide adequate data protection, provided that appropriate data protection is ensured for other reasons, such as through appropriate contractual arrangements, on the basis of standard data protection clauses, or with other appropriate safeguards. Exceptionally, we may export personal data to countries without adequate or suitable data protection if the special requirements of data protection law are met, for example the express consent of the data subjects or a direct connection with the conclusion or execution of a contract.

7. Rights of data subjects

Data subjects about whom we process personal data, have the rights specified under Swiss data protection law (FADP) and, in some cases, the GDPR. This includes the right to information as well as the right to rectification, deletion or blocking of the processed personal data.

Data subjects about whom we process personal data have the right to lodge a complaint with a competent supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

Please note, however, that we reserve the right to invoke the restrictions provided by law, for example if we are obliged to store or process certain data, have an overriding interest in it (as far as we are entitled to rely on it) or need it for the assertion of claims. If you incur any costs, we will inform you in advance.

The exercise of such rights usually requires that you clearly prove your identity (e.g. with a copy of your ID, where your identity is otherwise unclear or cannot be verified). To assert your rights, you can contact us at the address indicated in Section 1.

8. Data security

We take appropriate technical and organisational measures to ensure data security appropriate to the respective risk. However, we cannot guarantee absolute data security.

Our website is accessed by means of transport encryption (SSL/TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock in the address bar.

Like all digital communications, our digital communications are subject to mass surveillance without cause or suspicion and other surveillance by security authorities in Switzerland, the rest of Europe, the United States of America (USA) and other countries. We cannot directly influence the processing of personal data by intelligence services, police services and other security authorities.

9. Use of the website


Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string that enables the browser to be unambiguously identified when the website is accessed again.

Essential cookies: The user data collected by essential cookies will not be used to create user profiles. The purpose of using essential cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For those functions, it is necessary for the browser to be recognised even after a page change.

Other cookies: We also use cookies on our website that enable users to analyse their browsing behaviour. This is a consequence of the use of Google’s services (see below).

Duration of storage, possibility of objection and disposal: Cookies are stored on the user’s computer.  Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

Regarding non-essential cookies, please also refer to the explanations below.

Details on the cookies used

Benefits and analysis

Cookies enable us to carry out certain analyses of our websites, in particular to determine the frequency of use or the number of users of the pages or to analyse the behaviour of page use.

Cookies serve in particular to make our websites, content and offers more customer-friendly. The use of cookies also allows you to use options you have selected or decisions you have made as settings to make your visit to our website more convenient. We may also use cookies to identify you for subsequent visits.

As a rule, cookies remain stored at the end of a browser session and can be retrieved again on your next visit. If you do not wish that to happen, you can set the internet browser you are using in such a way that it refuses to accept cookies or deletes them when you finish. However, this may mean that you may not be able to use all the features of our websites.

For cookies used for measuring success and reach or for advertising, a general opt-out is possible for many services via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

Tracking pixels

We may use tracking pixels on our websites. Tracking pixels are also known as web beacons. Tracking pixels – including those of third parties whose services we use – are small, usually invisible images that are automatically retrieved when you visit our websites. Tracking pixels can collect the following information: Date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-pages of our websites accessed including amount of data transmitted, last website accessed in the same browser window (referer or referrer).

Meta-pixels and target group formation (Custom Audiences)

With the help of the Meta pixel (or similar functions, for transmitting event data or contact information via interfaces in apps), Meta is able to identify the visitors to our online offer as a target group for displaying ads (so-called ‘Meta ads’). Accordingly, we use the Meta pixel to display the Meta ads placed by us only to those users on Meta’s platforms and within the services of partners cooperating with Meta (so-called ‘Audience Network’ who have also shown an interest in our online content or who have certain characteristics (e.g. interest in certain topics or products that can be seen from the websites visited) that we transmit to Meta (so-called ‘custom audiences’). With the help of the Meta pixel, we also want to make sure that our Meta ads correspond to the potential interest of users and are not annoying. The Meta pixel also allows us to track the effectiveness of Meta ads for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on a Meta ad (so-called ‘conversion measurement’).

Service providers: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(1)(a) GDPR). Website: https://www.facebook.comPrivacy Policy:

LinkedIn Pixel

A LinkedIn pixel is an HTML code that is loaded when a user visits a website. When a user visits our online offer, the pixel is triggered and tracks the user’s behaviour and conversions (possible uses: measurement of campaign performance, optimisation of ad delivery, creation of user-defined and similar audiences);

Service providers: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(1)(a) (GDPR); 
Website:; Privacy Policy:

TikTok Pixel

A TikTok pixel is an HTML code that is loaded when a user visits a website. When a user visits our online services, the pixel is triggered and tracks the user’s behaviour and conversions (possible uses: measurement of campaign performance, optimisation of ad delivery, creation of user-defined and similar audiences). 

Service providers: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: consent (Art. 6(1)(1)(a) GDPR); 
Privacy Policy:

10. Services of third parties

We use the services of specialised third parties in order to be able to carry out our activities and activities permanently, in a user-friendly, safe and reliable manner. With such services, we can, among other things, embed functions and content on our websites. In the case of such embedding, the services used record, at least temporarily, the Internet Protocol (IP) addresses of the users for overriding technical reasons. For necessary security, statistical and technical purposes, third parties whose services we use may aggregate, anonymise or pseudonymise data relating to our activities and activities. This includes, for example, performance or usage data in order to be able to offer the respective service.

In particular, we use:

Services from Google: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General information on data protection: ’Privacy and Security Principles’Privacy Policy‘Google is obligated to comply with applicable data protection laws’‘Guide to data protection in Google products,’ ‘How we collect data from websites or use apps on/in which our services are used’ (information provided by Google), ‘Types of cookies and other technologies used by Google’‘Personalised advertising’ (activation/deactivation/settings)

Services from Microsoft: Providers: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), the United Kingdom and Switzerland; general information on data protection: ’Data Protection at Microsoft’‘Data Protection (Trust Center)’Privacy Policy

Digital Infrastructure

We use the services of specialised third parties to provide the necessary digital infrastructure in connection with our activities and activities. This includes, for example, hosting and storage services from selected providers.

We use: MiroNet: Hosting;
Provider: MiroNet AG (Switzerland), Privacy Policy

Audio and video conferencing

We use specialised services for audio and video conferencing to communicate online. For example, we can hold virtual meetings or conduct online lessons and webinars. Participation in audio and video conferences is additionally subject to the legal texts of the individual services, such as privacy policies and terms of service. Depending on your living situation, we recommend that the microphone be muted by default and that the background be blurred or a virtual background be displayed when participating in audio or video conferences.

We use: Microsoft Teams: Platform, inter alia, for audio and video conferencing; Provider: Microsoft (USA), Privacy Policy


We use third-party services to embed maps into our websites.

In particular, we use: Google Maps including Google Maps Platform: Card service; Provider: Google (USA); Google Maps specific information: ‘How does Google use location information?’

Digital Audio and Video Content

We use specialised third-party services to enable direct playback of digital audio and video content such as music or podcasts.

In particular, we use:
YouTube: Video platform; provider: Google (USA); YouTube-specific information: Privacy and Safety Center’‘Your Data in YouTube’.
Vimeo: Video platform; provider: Inc., USA, Privacy Policy

Digital advertisements on third-party websites

Google Ads: Online advertising platform from Google, for web ads. Terms for Google Advertising Products for Order Data Processing.

Digital advertisements on social media platforms

Facebook: Placing advertisements within the Facebook platform and evaluating the ad results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Privacy policy: for third-country transfer: EU-US Data Privacy Framework (DPF)

InstagramPlacing advertisements within the Instagram platform and evaluating the ad results; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(1)(a) GDPR); Data protection declaration: for third-country transfer: EU-US Data Privacy Framework (DPF)

TikTok: Placing advertisements within the TikTok platform and evaluating the advertisement results; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP; Legal basis: Consent (Art. 6(1)(1)(a) GDPR); Privacy Policy:

LinkedIn: Placing advertisements within the LinkedIn platform and evaluating the advertisement results; Service providers: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal basis: Consent (Art. 6(1)(1)(a) (GDPR); 
Privacy Policy:

Web optimisation

Our website uses the free JavaScript library ‘jQuery’ to display various elements. This is provided by Google via Google Hosted Libraries. When a page is called up, the user’s browser establishes a connection to Google’s servers, thereby informing Google that the data subject is visiting our website.

The use of Google Hosted Libraries is in the interest of an appealing presentation and a short loading time of our online offerings. We also ensure that a patched version of jQuery is always included, which increases security. This is our legitimate interest within the meaning of Art. 6(1)(f) GDPR.

Further information on Google Hosted Libraries can be found at and in the Google Privacy Policy at

11. Performance and reach measurement

Notifications and messages may include web links or tracking pixels that record whether an individual message has been opened and which web links have been clicked. Such web links and tracking pixels may also record the use of notifications and communications by individuals. We need this statistical recording of usage for measuring success and reach in order to be able to send notifications and messages based on the needs and reading habits of the recipients in a manner that is effective and user-friendly, as well as permanent, secure and reliable.

We use services and programmes to determine how our online offering is used. In this context, we can, for example, measure the success and reach of our activities and activities as well as the impact of third-party-links to our website. For example, we can also test and compare how different versions of our online offering or parts of our online offering are used (‘A/B test’ method). Based on the results of the success and reach measurement, we can, in particular, correct errors, strengthen popular content or make improvements to our online offering.

When using services and programmes for measuring success and reach, the Internet Protocol (IP) addresses of individual users must be stored. IP addresses are generally shortened (‘IP masking’) in order to follow the principle of data economy through the corresponding pseudonymisation and thus improve the data protection of users.

When using services and programs for measuring success and reach, cookies may be used and user profiles may be created. User profiles include, for example, the pages visited or the content viewed on our websites, information on the size of the screen or browser window and the – at least approximate – location. User profiles are created exclusively in pseudonymous form. We do not use user profiles to identify individual users. Individual third-party services with which users are registered may, at most, attribute the use of our online offering to the user account or user profile of the respective service.

In particular, we use:

Google Analytics: Performance and reach measurement; supplier: Google (USA); Google Analytics-specific information: Measurement also across different browsers and devices (cross-device tracking) and with pseudonymised Internet Protocol (IP) addresses, which are only transmitted in full to Google in the USA in exceptional cases, ‘Safeguarding your data,’ ‘Browser add-on to deactivate Google Analytics’.

Google Tag Manager: Integration and management of other services to measure success and reach as well as other services provided by Google and third parties; Provider: Google (USA); Google Tag Manager-specific information: ’Data collected with Google Tag Manager’; further information on data protection can be found on the individual integrated and managed services.

Looker Studio: A tool for data visualisation using dashboards to merge the platforms Google Analytics, Google Ads, YouTube that are relevant to us. Terms of service – Looker Studio.

12. Final provisions

We may modify and supplement this privacy policy at any time. We will provide information about such adjustments and additions in an appropriate form, in particular by publishing the up-to-date privacy policy on our website