Privacy Policy of
Gstaad Palace 

Table of Contents

1.Controller and Content of this Privacy Policy
2.Contact Person for Data Protection
3. Scope and Purpose of the Collection, Processing, and Use of Personal Data
3.1 Data Processing when contacting us
3.2 Data Processing for Customer Account Registration
3.3 Data Processing for Orders placed on our Online Shop
3.4 Data Processing during Bookings
3.5 Data Processing when Reserving a Table
3.6 Data Processing related to Event Organisation Requests
3.7 Data Processing related to Spa Reservations
3.8 Data Processing related to Internal Guest Management
3.9 Data Processing related to Email Communications
3.10 Data Processing during Payment Processing
3.11 Data Processing related to the Recording and Invoicing of rendered Services
3.12 Data Processing related to Email Marketing
3.13 Data Processing when Submitting Guest Feedback
3.14 Data Processing in connection with Video Surveillance
3.15 Data Processing when Using our Wi-Fi Network
3.16 Data Processing for Fulfilling Legal Reporting Obligations
3.17 Data Processing in Job Applications
4. Central Data Storage and Analysis in the CRM system
5. Disclosure and Cross-Border Transfer
5.1 Disclosure to Third Parties and Third-Party Access
5.2 Transfer of Personal Data to Third Countries
5.3 Information on Data Transfers to the USA
6. Background Data Processing on our Website
6.1 Data Processing when Visiting our Website (Log File Data)
6.2 Cookies
6.3 Google Programmable Search Engine
6.4 Tracking and Web Analytics Tools
6.5 Social Media
6.6 Online Advertising and Targeting
7. Retention Periods
8. Data Security
9. Your rights

1. Controller and Content of this Privacy Policy

We, Royal Hotel, Winter & Gstaad Palace AG, are the operator of Gstaad Palace hotel (Hotel) and the website www.palace.ch (Website). Unless otherwise stated in this Privacy Policy, we are responsible for the data processing described herein.

Please take note of the information below to know what personal data we collect from you and for what purposes we use it. When it comes to data protection, we primarily adhere to the legal requirements of Swiss data protection law, in particular the Federal Act on Data Protection (FADP), as well as the EU General Data Protection Regulation (GDPR), which may be applicable in individual cases.

Please note that the following information may be reviewed and amended from time to time. Therefore, we recommend regularly checking this Privacy Policy for any updates. Furthermore, for certain individual data processing listed below, other companies are responsible under data protection law or jointly responsible with us, so that in these cases, the information provided by those companies is also relevant.

2. Contact Person for Data Protection

If you have any questions regarding data protection or wish to exercise your rights, please contact our data protection contact person by sending an email to the following address:

info@palace.ch.

You can reach our EU data protection representative at:

Gstaad Palace, Palacestrasse 28, 3780 Gstaad, Switzerland

Mrs Valentine Roussel

You can reach our EU data protection representative at:

MLL EU-GDPR GmbH, Ganghoferstrasse 33, DE - 80339 München

gstaadpalace@mll-gdpr.com

3. Scope and Purpose of the Collection, Processing, and Use of Personal Data

3.1 Data Processing when contacting us

If you contact us through our contact addresses and channels (e.g., by email, phone, or contact form), your personal data is processed. We process the data you provide us with, such as your name, email address, phone number, and your request. Additionally, the time of receipt of the request will be documented. Mandatory fields are marked in contact forms with an asterisk (*). We process this data to address your request (e.g., to provide information about our Hotel, assist with contract processing such as answering questions about your booking, incorporate your feedback to improve our services, etc.).

For handling contact requests through a contact form, we use a software application provided by TYPEFORM SL, Carrer de Bac de Roda 163, 08018 Barcelona, Spain (Typeform). Therefore, your data may be stored in a database of Typeform, which may allow Typeform to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfers abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is our legitimate interest under Article 6(1)(f) of the GDPR in addressing your request or, if your request is aimed at the conclusion or performance of a contract, in the implementation of the necessary measures within the meaning of Article 6(1)(b) of the GDPR.

It may be that Typeform wishes to use some of this data for its own purposes (e.g., delivering marketing emails or conducting statistical analysis). For these data processing operations, Typeform is the controller and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Typeform can be found at www.typeform.com.

3.2 Data Processing for Customer Account Registration

Our Website directs to the website of our partner, The Leading Hotels of the World, Ltd., 485 Lexington Avenue, Suite 401, New York, NY 10017, USA (LHW), for the creation of accounts. We receive the following data from LHW, where mandatory fields for the account creation are marked with an asterisk (*):

  • Contact information:
    • Title
    • First name
    • Last name
    • Email address
    • Billing and, if applicable, delivery address
  • Login-data:
    • Username
    • Password
  • Other information:
    • Language
    • Marketing subscription details
    • Confirmation of acceptance of the terms and conditions and the privacy policy

We use the personal data to verify your identity and to check the requirements for registration. The email address and password together serve as login data to ensure that the correct person uses the website based on provided details. We also need your email address to verify and confirm the creation of your account and for future communication with you, which is necessary for the execution of the contract. Additionally, this data is stored in the customer account for future bookings or contract agreements. We also enable you to store additional information in the account (e.g., your preferred payment method).

We also use the data to provide an overview of your bookings and related services (please see Section 4) and facilitate the management of your personal data, administer our Website and contractual relationships, i.e. to establish, define the content of, process and amend the contracts concluded with you through your customer account (e.g., in related to your booking with us).

The language and gender information is processed to display personalised offers on the website based on your profile and personal needs, for statistical analysis and evaluation of selected offers, and to optimise our recommendations and offers.

The legal basis for this data processing is your consent under Article 6(1)(a) of the GDPR. You can withdraw your consent at any time by removing the information from the customer account, deleting your customer account, or having it deleted by notifying us.

To prevent misuse, please always keep your login data confidential, log out after each session and clear your browsing history, especially when using the device together with others.

Your data may be stored in a database of LHW, which may allow LHW to access your data if this is necessary for providing the services and supporting their use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that LHW may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, LHW is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by LHW can be found at www.lhw.com.

3.3 Data Processing for Orders placed on our Online Shop

On our Website, we link to the website of our partner, Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland, to provide you with the possibility to order vouchers. We receive the following data from Idea Creation GmbH, where mandatory fields are marked with an asterisk (*):

  • Title
  • First name
  • Last name
  • Company
  • Billing and delivery address
  • Phone number
  • Email
  • Payment method
  • Shipping method
  • Marketing subscription details
  • Confirmation of the accuracy of provided information
  • Confirmation of acceptance of the terms and conditions and privacy policy

We use the data to verify your identity before concluding a contract. We need your email address to confirm your order and for future communication necessary for the execution of the contract. We store your data together with the relevant order details (e.g. designation, price, and characteristics of the ordered products), payment information (e.g., selected payment method, payment confirmation, and time of the payment; see also Section 3.10.2) as well as the information regarding the execution and performance of the contract (e.g., receipt and handling of complaints) in our CRM database (see Section 4), so that we can ensure correct order processing and contract performance.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

The provision of data that is not marked as mandatory is voluntary. We process this data to tailor our offerings to your personal needs, to facilitate the execution of contracts, to contact you through alternative means of communication if necessary for the contract performance, or for collection and analysis of statistical information in order to optimise our offerings.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time by notifying us.

Your data may be stored in a database of Idea Creation GmbH, which may allow Idea Creation GmbH to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that Idea Creation GmbH may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Idea Creation GmbH is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by IDEA Creation GmbH can be found at www.e-guma.ch.

3.4 Data Processing during Bookings

3.4.1 Booking through our Website

On our website, you have the possibility to book an overnight stay. For this purpose, we collect the following data, whereby mandatory fields during the booking process are marked with an asterisk (*):

  • First name
  • Last name
  • Phone number
  • Email address
  • Billing address
  • Payment information
  • Booking details
  • Marketing subscription details
  • Confirmation of acceptance of the terms and conditions and privacy policy

We use the data to establish your identity before entering into a contract. We need your email address to confirm your booking and for future communication necessary for the execution of the contract. We store your data together with the relevant booking details (e.g., room category, duration of stay, as well as designation, price, and characteristics of the services), payment information (e.g., selected payment method, payment confirmation, and time of the payment; see also Section 3.10.2) as well as the information regarding the execution and performance of the contract (e.g., receipt and handling of complaints) in our CRM database (see Section 4), so that we can ensure correct booking processing and contract performance.

To the extent necessary for contract performance, we may also disclose the required information to any third-party service providers (e.g., organisers or transport companies).

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

The provision of data that is not marked as mandatory is voluntary. We process this data to tailor our offerings to your personal needs, to facilitate the execution of contracts, to contact you through alternative means of communication if necessary for the contract performance, or for collection and analysis of statistical information in order to optimise our offerings.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time by notifying us.

To process bookings through our Website, we use a software application provided by Sabre GLBL Inc., 3150 Sabre Drive, Southlake, TX 76092, USA. Therefore, your data may be stored in a database of Sabre GLBL Inc., which may allow Sabre GLBL Inc. to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that Sabre GLBL Inc. to may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Sabre GLBL Inc. to is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Sabre GLBL Inc. to can be found at www.sabre.com.

3.4.2 Booking through a booking Platform

If you make bookings through a third-party platform (e.g., Booking, Hotel, Escapio, Expedia, Holidaycheck, Hotel Tonight, HRS, Kayak, Mr. & Mrs. Smith, Splendia, Tablet Hotels, Tripadvisor, Trivago, Weekend4Two, etc.), we receive various personal data related to the booking from the respective platform operator. These usually include the data listed in Section 3.10.2 of this Privacy Policy. Additionally, any inquiries regarding your booking may be forwarded to us. We will process this data by name to accurately record your booking and provide the booked services as requested.

The legal basis for the data processing for this purpose is the implementation of pre-contractual measures and the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.

Finally, we may exchange personal data with the platform operators in connection with disputes or complaints related to a booking, to the extent necessary to protect our legitimate interests. This may also include data relating to the booking process on the platform or data relating to the booking or provision of services and your stay with us. We process this data to protect our legitimate claims and interests in the execution and maintenance of our contractual relationships with the following platform operators:

  • Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, the Netherland. For more information about data processing in connection with Booking.com B.V., see www.booking.com;
  • Expedia, Inc., 1111 Expedia Group Way West, Seattle, WA 98119, USA. For more information about data processing in connection with Expedia, Inc., see https://www.expedia.com;

Your data is stored in the databases of the platform operators, which allows them to access your data. Information regarding the processing of data by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for the described data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR.

3.5 Data Processing when Reserving a Table

On our Website, you have the possibility to make a table reservation in a restaurant indicated on our Website. For this purpose, we collect - depending on the specific offering - the following data, whereby mandatory fields for reservations via the Website are marked with an asterisk (*):

  • Date and time of the reservation
  • Number of guests
  • Gender
  • Title
  • First name
  • Last name
  • Email address
  • Phone number
  • Comment
  • Confirmation of acceptance of the terms and conditions and privacy policy

We collect and process the data for the purpose of handling the reservation, in particular to make your reservation request according to your preferences and to contact you in case of uncertainties or problems. We store your data together with the relevant reservation details (e.g., date and time of the request, etc.), reservation information (e.g., assigned table), as well as information regarding the execution and performance of the contract (e.g., receipt and handling of complaints) in our CRM database (see Section 4), so that we can ensure correct reservation processing and contract performance.

To process table reservations, we use a software application provided by aleno AG, Werdstrasse 21, 8004 Zurich, Switzerland. Therefore, your data may be stored in a database of aleno AG, which may allow aleno AG to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that aleno AG may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, aleno AG is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by aleno AG can be found at www.aleno.me.

3.6 Data Processing related to Event Organisation Requests

On our Website, you have the possibility to submit a request for organising an event in our Hotel. For this purpose, we collect the following data, whereby mandatory fields are marked with an asterisk (*):

  • First name
  • Last name
  • Company name
  • Email address
  • Phone number
  • Number of guests
  • Date and time of the event
  • Event details

We collect and process the data for the purpose of handling the requests for events organisation, in particular to make your event organisation request according to your preferences and to contact you in case of uncertainties or problems. We store your data together with the relevant request details (e.g., date and time of the request, etc.), as well as information regarding the execution and performance of the contract (e.g., receipt and handling of complaints) in our CRM database (see Section 4), so that we can ensure correct processing of your requests and contract performance.

To process event organisation requests, we use a software application provided by TYPEFORM SL, Carrer de Bac de Roda 163, 08018 Barcelona, Spain. Therefore, your data may be stored in a database of TYPEFORM, which may allow TYPEFORM to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that TYPEFORM may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, TYPEFORM is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by TYPEFORM can be found at www.typeform.com.

3.7 Data Processing related to Spa Reservations

In our Hotel, you have the possibility to book spa treatments (e.g., by email, phone, or contact form). If you send us a spa reservation request, we will process the personal data you provide us with, such as your name, email address, phone number, and details of your request. Additionally, the time of receipt of the request will be documented.

To efficiently manage all guest activities at our spa facility, we use spa management software application provided by TAC Informationstechnologie GmbH, Schildbach 211, 8230 Hartberg, Austria (TAC). Therefore, your data may be stored in a database of TAC, which may allow TAC to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that TAC may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, TAC is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by TAC can be found at www.tac.eu.com.

3.8 Data Processing related to Internal Guest Management

We use internal guest management software to manage our daily operations and to optimise your experience with us. For this purpose, we collect the following data, whereby mandatory fields are marked with an asterisk (*):

  • Title
  • First name
  • Last name
  • Email address
  • Phone number
  • Billing address
  • Payment information
  • Booking details
  • Information about reservations

We use the data to ensure efficient internal guest management, in particular to process your booking request and reservations according to your preferences and to contact you in case of uncertainties or problems. We store your data together with the relevant reservation details (e.g., date and time of the request, etc.), reservation information (e.g., assigned table), as well as information regarding the execution and performance of the contract (e.g., receipt and handling of complaints) in our CRM database (see Section 4), so that we can ensure correct reservation processing and contract performance.

To ensure internal guest management, we use a software application provided by Unifocus, LLC, 11 E. John Carpenter Freeway, Suite 410 Irving, TX 75061, USA. Therefore, your data may be stored in a database of Unifocus, LLC, which may allow Unifocus, LLC to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that Unifocus, LLC may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Unifocus, LLC is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Unifocus, LLC can be found at www.unifocus.com.

3.9 Data Processing related to Email Communications

We understand the importance of effective communication with our valued guests and are committed to optimising guest email interactions by enhancing the quality and personalisation of our emails. For this purpose, we collect the following data, whereby mandatory fields are marked with an asterisk (*):

  • Title
  • First name
  • Last name
  • Email address
  • Phone number
  • Booking details
  • Information about reservations

We use the data to send you personalised emails in various scenarios, in particular to welcome you in our hotel and provide essential details about your stay and to confirm reservations. We store your data together with the relevant booking and reservations details (e.g., date and time of the corresponding request, etc.), as well as information regarding the execution and performance of the contract (e.g., receipt and handling of complaints) in our CRM database (see Section 4), so that we can ensure correct processing of your requests and contract performance.

To enhance email communication, we use a software application provided by MP-Network GmbH, Anemonenweg 5, 85586 Poing, Germany. Therefore, your data may be stored in a database of MP-Network GmbH, which may allow MP-Network GmbH to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that MP-Network GmbH may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, MP-Network GmbH is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by MP-Network GmbH can be found at www.hotel-rims.com.

3.10 Data Processing during Payment Processing

3.10.1 Payment Processing at the Hotel

When you purchase products, receive services, or make payments for your stay in our hotel using electronic means of payment, the processing of personal data is required. By using the payment terminals, you transmit the information stored in your payment instrument, such as the cardholder's name and card number, to the respective payment service providers (e.g., providers of payment solutions, credit card issuers, and credit card acquirers). They also receive information that the payment instrument was used in our hotel, including the transaction amount and time. In return, we only receive the credit for the amount of the completed payment at the corresponding time, which we can associate with the respective receipt number, or we receive information that the transaction was not possible or was cancelled. Always consider the information provided by the respective company, especially the privacy policy and terms and conditions.

For processing payment through the contact form, we use a software application provided by Worldline Switzerland Ltd, Hardturmstrasse 201, 8005 Zurich, Switzerland (Wordline). Therefore, your data may be stored in a database of Worldline, which may allow Worldline to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfers abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that Worldline may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Worldline is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Worldline can be found at www.six-payment-services.com.

For processing payment through the contact form, we use a software application of provided by Swisscard AECS GmbH, Neugasse 18, 8810 Horgen, Switzerland (Swisscard). Therefore, your data may be stored in a database of Swisscard, which may allow Swisscard to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfers abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that Swisscard may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Swisscard is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Swisscard can be found at www.swisscard.ch.

3.10.2 Online Payment Processing

If you make chargeable bookings, order services or products on our Website, depending on the product, service, and preferred payment method, in addition to the information mentioned in Section 3.4.1, it may be necessary to provide additional details such as your credit card information or login credentials for your payment service provider. This information, as well as the fact that you have purchased a service from us at the respective amount and time, will be forwarded to the respective payment service providers (e.g., payment solution providers, credit card issuers, or credit card acquirers). In this regard, please always take into account the information provided by the respective company, in particular in the privacy policy and the general terms and conditions.

The legal basis for this data processing is the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.

We reserve the right to retain a copy of the credit card information as a security measure. To avoid payment defaults, it may also be necessary to transmit the required data, particularly your personal data, to a credit agency for automated assessment of your creditworthiness. In this context, the credit agency may assign a so-called score value to you. This is an estimate of the future risk of payment default, e.g., based on a percentage. The value is determined using mathematical-statistical methods and involves data from the credit agency from other sources. Based on the information received, we reserve the right not to offer you the "invoice" payment method.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the prevention of payment defaults.

For the credit check through contact form, we use a software application provided by WorldlineSwitzerland Ltd, Hardturmstrasse 201, 8005 Zurich, Switzerland. Therefore, your data may be stored in a database of Worldline, which may allow Worldline to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfers abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the prevention of payment defaults.

There is a possibility that Worldline may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Worldline is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Worldline can be found at www.six-payment-services.com.

For the credit check through contact form, we use a software application provided by Swisscards AECS GmbH, Neugasse 18, 8810 Horgen, Switzerland. Therefore, your data may be stored in a database of Swisscard, which may allow Swisscard to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfers abroad can be found in Section  5 of this Privacy Policy.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the prevention of payment defaults.

There is a possibility that Swisscard may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Swisscard is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Swisscard can be found at www.swisscard.com.

3.11 Data Processing related to the Recording and Invoicing of rendered Services

If you receive services during your stay (e.g., additional nights, wellness, restaurant, activities), in addition to your contractual data, we will collect and process booking data (e.g., time of booking and comments) as well as data related to the booked and received services (e.g., nature of service, price, and time of service receipt) for the purpose of handling the service, as described in Sections 3.4, 3.5 and 3.6

The legal basis for this data processing is the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.

3.12 Data Processing related to Email Marketing

If you register for our marketing emails (e.g., when registering, within your customer account, or as part of an order, booking, or reservation), the following data is collected. Mandatory fields are marked with an asterisk (*):

  • Title
  • First and last name
  • Email address
  • Your interests

To prevent misuse and ensure that the owner of an email address has genuinely given consent to receive marketing emails, we use the so-called double-opt-in during registration. After submitting your registration, you will receive an email from us containing a confirmation link. To finalise your registration for marketing emails, you must click on this link. If you do not confirm your email address by clicking on the confirmation link within the specified timeframe, your data will be deleted, and no marketing emails will be sent to that address.

By registering, you consent to the processing of this data in order to receive marketing emails from us about our hotel and related information on products and services. These marketing emails may also include invitations to participate in contests, to provide feedback, or to rate our products and services. The collection of the salutation, first and last name allows us to associate the registration with any existing customer account and personalise the content of the marketing emails accordingly. Linking it to a customer account allows us to make the offers and content contained in the marketing emails more relevant to you and better tailored to your potential needs.

We will use your data to send marketing emails until you withdraw your consent. You can withdraw your consent at any time, in particular by using the unsubscribe link included in all marketing emails.

Our marketing emails may contain a web beacon, 1x1 pixel (tracking pixel), or similar technical tools. A web beacon is an invisible graphic that is linked to the user ID of the respective subscriber. For each marketing email sent, we receive information about which email addresses it was successfully delivered to, which email addresses have not yet received the marketing email, and which email addresses the delivery has failed for. It is also shown which email addresses have opened the marketing email and for how long, as well as which links have been clicked. Finally, we also receive information about subscribers who have unsubscribed from the mailing list. We use this data for statistical purposes and to optimise the frequency and timing of email delivery, as well as the structure and content of the marketing emails. This allows us to better tailor the information and offers in our marketing emails to the individual interests of the recipients.

The web beacon is deleted when you delete the marketing email. You can prevent the use of web beacons in our marketing emails by adjusting the settings of your email program so that HTML is not displayed in messages. You can find information on how to configure this setting in the help documentation of your email software application, e.g. here for Microsoft Outlook.

By subscribing to the marketing emails, you also consent to the statistical analysis of user behaviour for the purpose of optimising and customising the marketing emails.

For sending marketing emails, we use a software application provided by Intuit Mailchimp, 405 N Angier Ave. NE, Atlanta, GA 3038 EE. UU., USA (Intuit Mailchimp). Therefore, your data may be stored in a database of Intuit Mailchimp which may allow Intuit Mailchimp to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time.

There is a possibility that Intuit Mailchimp may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Intuit Mailchimp is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Intuit Mailchimp can be found at www.mailchimp.com.

3.13 Data Processing when Submitting Guest Feedback

During your stay or afterwards, you have the opportunity to provide us with feedback (e.g., positive feedback, criticism, and suggestions for improvement) using a form. For this purpose, we collect the following data, with mandatory fields are marked with an asterisk (*) in the respective form:

  • First and last name
  • Age
  • Nationality
  • Duration of stay
  • Feedback

The processing of your data is carried out as part of our quality management and ultimately aims to better tailor our services and products to the needs of our guests. Specifically, your data is processed for the following purposes:

  • Clarification of your request, e.g., obtaining input from employees and supervisors or seeking further information from you, etc.;
  • Evaluation and analysis of your information, e.g., compiling satisfaction statistics, comparing individual services, etc.; or
  • Taking organisational measures based on the findings, e.g., addressing shortcomings/deficiencies/misconduct, for example, through repairing defective equipment, providing instructions, as well as giving praise or issuing warnings to employees.

In connection with guest feedback, we use a software application provided by Trustyou GmbH, Steinerstrasse 1, 81369 Munich, Germany (TrustYou). Therefore, your data may be stored in a database of TrustYou , which may allow TrustYou to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfers abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time.

There is a possibility that TrustYou may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, TrustYou is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by TrustYou can be found at www.trustyou.com.

In addition, we also use a software application provided by Revinate LLC, 2345 Yale Street, First Floor, Palo Alto, CA 94306, USA (Revinate). Therefore, your data may be stored in a database of Revinate, which may allow Revinate to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfers abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time.

There is a possibility that Revinate may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, Revinate is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by Revinate can be found at www.revinate.com.

3.14 Data Processing in connection with Video Surveillance

To ensure the safety of our guests, employees, and our property, as well as to prevent and address unlawful behaviour (in particular, theft and property damage), the entrance area and the publicly accessible areas of our hotel, excluding sanitary facilities, may be monitored by cameras. The image data will only be viewed if there is a suspicion of unlawful behaviour. Otherwise, the recorded images will be automatically deleted after a maximum of 192 hours.

To provide the video surveillance system, we rely on a service provider EOTEC AG, Hardstrasse 21, 4132 Muttenz, Switzerland (EOTEC). EOTEC has access to the data insofar as this is necessary for the provision of the system. If suspicions of unlawful behaviour are confirmed, the data may be disclosed to the extent necessary for the enforcement of claims or for reporting to consulting firms (in particular, to a law firm) and authorities. Information about data processing by third parties and any transfer abroad can be found in Section 5 of this Privacy Policy. Further information about data processing by EOTEC can be found at www.eotec.ch.

The legal basis is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in protecting our guests, employees, and property, as well as safeguarding and enforcing our rights.

3.15 Data Processing when Using our Wi-Fi Network

In our hotel you, have the possibility to use our Wi-Fi network free of charge. To prevent misuse and to punish unlawful behaviour, prior registration is required. During the registration process, you will provide us with the following data:

  • Phone number;
  • MAC address of the device (automatically).

In addition to the above data, each time the Wi-Fi network is used, data regarding the time and date of usage, the network used, and the device employed are also collected. The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time.

For the provision of our Wi-Fi network, we collaborate with Swisscom AG, Alte Tiefenaustrasse 6, 3050 Bern, Switzerland (Swisscom). Therefore, your data may be stored in a database of Swisscom, which may allow Swisscom to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties can be found in Section 5 of this Privacy Policy. Further information about data processing by Swisscom can be found at www.swisscom.ch.

Swisscom is required to comply with the legal requirements of the Federal Act on the Surveillance of Post and Telecommunications (SPTA) and its corresponding ordinance. If the legal requirements are met, the operator of the Wi-Fi network must monitor the use of the Internet or data traffic on behalf of the competent authority. If the legal requirements are met, the operator of the Wi-Fi network must monitor the use of the Internet or data traffic on behalf of the competent authority. The operator of the Wi-Fi network may also be obliged to disclose contact details, usage and access data of the hotel guest to the relevant authorities. The contact details, usage and access data will be stored for 6 months and then deleted.

The legal basis for the processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in providing a Wi-Fi network in compliance with the applicable legal regulations.

3.16 Data Processing for Fulfilling Legal Reporting Obligations

Upon arrival at our hotel, we may require the following information from you and your accompanying persons; mandatory fields are marked in the respective form with an asterisk (*):

  • Title
  • First and last name
  • Billing address
  • Date of birth
  • Nationality
  • Identity card or passport
  • Date of arrival and departure

We collect this information to fulfil legal reporting obligations, which arise in particular from hospitality or police regulations. To the extent required by applicable laws, we forward this information to the competent authority.

The legal basis for the data processing is our legitimate interest within the meaning of Article 6(1)(c) of the GDPR in complying with our legal obligations.

3.17 Data Processing in Job Applications

Our Website directs to the website of our partner, StepStone Deutschland GmbH, Völklingerstrasse 1, 40219 Dusseldorf, Germany (StepStone), to provide you with the possibility to apply for a position in our Hotel. We receive the following data from StepStone:

  • Title
  • First name
  • Last name
  • Email
  • Phone number
  • CV
  • Other application documents
  • Comments

We use the data you provide us with to assess your application and suitability for employment. Application documents from unsuccessful applicants will be deleted at the end of the application process, unless you explicitly agree to a longer retention period or we are legally obliged to retain them for a longer period.

Your data may be stored in a database of StepStone, which may allow StepStone to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any potential transfer abroad can be found in Section 5 of this Privacy Policy.

The legal basis for this data processing is the performance of a contract with you within the meaning of Article 6(1)(b) of the GDPR.

There is a possibility that StepStone may want to use some of this data for its own purposes (e.g., for sending marketing emails or conducting statistical analysis). For these data processing activities, StepStone is the controller and must ensure compliance of these processing activities with data protection laws. Information about data processing by StepStone can be found at https://fr.hotelcareer.ch.

4.Central Data Storage and Analysis in the CRM system

If a clear identification of your person is possible, we will store and link the data described in this Privacy Policy, i.e., your personal information, contact details, contract data, and your browsing behaviour on our Website in a central database. This allows for efficient management of customer data, enables us to adequately process your requests, and facilitates the efficient provision of the services you requested, as well as the performance of the related contracts.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the efficient management of user data.

We also analyse this data to further develop our offerings based on your needs and to provide you with the most relevant information and offers. We also use methods that predict possible interests and future orders based on your use of our Website.

For the central storage and analysis of data in the CRM system, we use a software application provided by Oracle Software (Schweiz) GmbH, The Circle 32, 8058 Zurich, Switzerland (Oracle). Therefore, your data may be stored in a database of Oracle, which may allow Oracle to access your data if this is necessary for providing the software and supporting its use. Information about data processing by third parties and any transfer abroad can be found in Section 5 of this Privacy Policy. Further information about data processing by Oracle can be found at www.oracle.com.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in carrying out marketing activities.

5. Disclosure and Cross-Border Transfer

5.1 Disclosure to Third Parties and Third-Party Access

Without the support of other companies, we would not be able to provide our services in the desired form. To use the services of these companies, it is necessary to share your personal data with these companies to a certain extent. A disclosure of data is limited to selected third-party service providers and only to the extent necessary for the optimal provision of our services. Various third-party service providers are explicitly mentioned in this Privacy Policy. They include the following service providers:

  • Event requests or requests for general information on our Website:
    TYPEFORM SL, Carrer de Bac de Roda 163, 08018 Barcelona, Spain. For more information about data processing in connection with TYPEFORM SL, see www.typeform.com;
  • Hotel reservations:
    The Leading Hotels of the World, Ltd., 485 Lexington Avenue, Suite 401, New York, NY 10017, USA. For more information about data processing in connection with The Leading Hotels of the World, Ltd., see www.lhw.com;
  • Acquiring vouchers:
    Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland. For more information about data processing in connection with Idea Creation GmbH, see www.e-guma.ch;
  • Internal Booking Platform:
    Sabre GLBL Inc., 3150 Sabre Drive, Southlake, TX 76092, USA. For more information about data processing in connection with Sabre GLBL Inc., see www.sabre.com;
  • Restaurant reservations:
    aleno AG, Werdstrasse 21, 8004 Zurich, Switzerland. For more information about data processing in connection with aleno AG, see www.aleno.me;
  • Credit Card Payment provider:
    Worldline Switzerland Ltd, Hardturmstrasse 201, 8005 Zurich, Switzerland. For more information about data processing in connection with Worldline Switzerland Ltd, see www.six-payment-services.com;
  • Credit Card Payment provider:
    Swisscard AECS GmbH, Neugasse 18, 8810 Horgen, Switzerland. For more information about data processing in connection with Swisscard AECS GmbH, see www.swisscard.ch;
  • Newsletter Marketing Platform:
    Intuit Mailchimp, 405 N Angier Ave. NE, Atlanta, GA 3038 EE. UU., USA. For more information about data processing in connection with Intuit Mailchimp, see www.mailchimp.com;
  • Reputation Management:
    Trustyou GmbH, Steinerstrasse 1, 81369 Munich, Germany. For more information about data processing in connection with Trustyou GmbH, see www.trustyou.com;
  • Reputation Management:
    Revinate LLC, 2345 Yale Street, First Floor, Palo Alto, CA 94306, USA. For more information about data processing in connection with Revinate LLC, see www.revinate.com;
  • Video Surveillance:
    EOTEC AG, Hardstrasse 21, 4132 Muttenz, Switzerland. For more information about data processing in connection with EOTEC AG, www.eotec.ch;
  • Internet Provider:
    Swisscom AG, Alte Tiefenaustrasse 6, 3050 Bern, Switzerland. For more information about data processing in connection with Swisscom AG, see www.swisscom.ch;
  • Career Platform:
    StepStone Deutschland GmbH, Völklingerstrasse 1, 40219 Dusseldorf, Germany. For more information about data processing in connection with StepStone Deutschland GmbH, see https://fr.hotelcareer.ch;
  • Internal Guest Management:
    Unifocus, LLC, 11 E. John Carpenter Freeway, Suite 410 Irving, TX 75061, USA. For more information about data processing in connection with Unifocus, LLC, see www.unifocus.com;
  • Property Management System:
    Oracle Software (Schweiz) GmbH, The Circle 32, 8058 Zurich, Switzerland. For more information about data processing in connection with Oracle Software (Schweiz) GmbH, see www.oracle.com;
  • Guest Communication:
    MP-Network GmbH, Anemonenweg 5, 85585 Poing, Germany. For more information about data processing in connection with MP-Network GmbH, see www.hotel-rims.com;
  • Spa Reservation Software:
    TAC Informationstechnologie GmbH, Schildbach 211, 8230 Hartberg, Austria. For more information about data processing in connection with TAC Informationstechnologie GmbH, see www.tac.eu.com.

The legal basis for this data processing is the performance of a contract within the meaning of Article 6(1)(b) of the GDPR.

Your data will also be disclosed as necessary to fulfil the services you have requested, for example, to restaurants or other service providers for whom you have made a reservation through us. The legal basis for these disclosures is the necessity for the performance of a contract within the meaning of Article 6(1)(b) of the GDPR. For these data processing activities, the third-party service providers are considered data controllers under the data protection laws, and not us. It is the responsibility of these third-party service providers to inform you about their own data processing, which may extend beyond the mere sharing of data for the provision of services, and to comply with data protection laws.

Furthermore, your data may be disclosed, especially to authorities, legal advisors, or debt collection agencies, if we are legally obliged to do so or if it is necessary to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof, and such disclosure is necessary to conduct a due diligence or to complete the transaction.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in protecting our rights and fulfilling our obligations, as well as in the sale of our company or parts thereof.

5.2 Transfer of Personal Data to Third Countries

We have the right to transfer your personal data to third parties located abroad if it is necessary to carry out the data processing described in this Privacy Policy. Specific data transfers have been mentioned in Section 3. When making such transfers, we will ensure compliance with the applicable legal requirements for disclosing personal data to third parties. The countries to which data is transmitted include those that, according to the decision of the Federal Council and the European Commission, have an adequate level of data protection (such as the member states of the EEA or, from the EU's perspective, Switzerland), as well as those countries (such as the USA) whose level of data protection is not considered adequate (see Annex 1 of the Data Protection Ordinance (DPO) and the website of the European Commission). If the country in question does not provide an adequate level of data protection, we ensure that your data is adequately protected by these companies by means of appropriate safeguards, unless an exception is specified on a case-by-case basis for the individual data processing (see Article 49 of the GDPR). Unless otherwise specified, this refers to the choice of companies certified under the Privacy Framework agreement or standard contractual clauses as referred to in Article 46(2)(c) of the GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions regarding the implemented measures, please reach out to our data protection contact person (see Section 2).

5.3 Information on Data Transfers to the USA

Some of the third-party service providers mentioned in this Privacy Policy are based in the USA. For the sake of completeness, we would like to inform users residing or based in Switzerland or the EU that certain third-party service providers mentioned in this privacy statement are located in the USA. It is important to note that there are surveillance measures by US authorities in place that generally allow for the storage of all personal data of individuals whose data has been transmitted from Switzerland or the EU to the United States. This occurs without differentiation, limitation, or exception based on the purpose for which the data is being collected and without an objective criterion that would restrict US authorities' access to the data and its subsequent use to specific, strictly limited purposes that can justify the interference associated with accessing and using the data. Furthermore, we would like to point out that affected individuals from Switzerland or the EU do not have legal remedies or effective judicial protection against general access rights of US authorities, which would allow them to access the data concerning them and to rectify or delete it. We explicitly highlight this legal and factual situation to enable you to make an informed decision regarding your consent or opposition to the use of your data.

For users residing in Switzerland or a member state of the EU, we also want to inform you that, from the perspective of the European Union and Switzerland, the United States does not provide an adequate level of data protection, among other reasons, as explained in this paragraph. In cases where we have mentioned in this privacy statement that data recipients (such as Google) are located in the United States, we will ensure through the choice of companies certified under the Privacy Framework agreement or through contractual arrangements with these companies and, if necessary, additional appropriate safeguards, that your data is adequately protected at our third-party service providers.

6. Background Data Processing on our Website

6.1 Data Processing when Visiting our Website (Log File Data)

When you visit our Website, the servers of our hosting provider POSITIONER SA, Via Stazione 32, 6592 S. Antonino, Switzerland temporarily store every access in a log file. The following data is collected without your intervention and stored by us until automatically deleted:

  • IP address of the requesting computer;
  • date and time of access;
  • name and URL of the accessed file;
  • website from which the access was made, if applicable, with the search word used;
  • operating system of your computer and the browser you are using (including type, version, and language setting);
  • device type in case of access from mobile phones;
  • city or region from which the access was made; and
  • name of your internet service provider.

The collection and processing of this data is carried out for the purpose of enabling the use of our Website (establishing a connection), ensuring the long-term security and stability of the system, and enabling error and performance analysis and optimisation of our Website (see also Section 6.4 regarding the latter points).

In case of an attack on the network infrastructure of the Website or suspicion of other unauthorised or improper use of the Website, the IP address and other data will be analysed for clarification and defence purposes; if necessary, they may be used in civil or criminal proceedings for the identification of the respective user.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the purposes described above.

Finally, when you visit our Website, we use cookies, as well as other applications and tools that rely on the use of cookies. In this context, the data described here may also be processed. For more information, please refer to the subsequent sections of this Privacy Policy, in particular to Section 6.2.

6.2 Cookies

Cookies are information files that your web browser stores on the hard drive or in the memory of your computer when you visit our Website. Cookies are assigned identification numbers that enable your browser to be identified, and allow the information contained in the cookie to be read.

Cookies are used to make your visit to our website easier, more enjoyable, and more meaningful. We use cookies for various purposes that are necessary for the desired use of the website, i.e., "technically necessary." For example, we use cookies to identify you as a registered user after logging in, so you don't have to log in again when navigating to different subpages. The provision of ordering and booking functions also relies on the use of cookies. Furthermore, cookies perform other technical functions necessary for the operation of the website, such as load balancing, which distributes the workload of the site across various web servers to relieve the servers. Cookies are also used for security purposes, such as preventing the unauthorised posting of content. Finally, we use cookies in the design and programming of our website, for example, to enable the uploading of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in providing a user-friendly and up-to-date website.

Most internet browsers accept cookies automatically. However, when accessing our website, we ask for your consent to the use of non-essential cookies, especially for the use of cookies from third parties for marketing purposes. You can adjust your preferences for cookies by using the corresponding buttons in the cookie banner. Details regarding the services and data processing associated with each cookie can be found within the cookie banner and in the following sections of this privacy policy.

You may also be able to configure your browser to prevent cookies from being stored on your computer or receive a notification whenever a new cookie is being sent. On the following pages, you will find instructions on how to configure cookie settings for selected browsers.

Disabling cookies may prevent you from using all the features of our Website.

6.3 Google Programmable Search Engine

This website uses the Programmable Search Engine of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). This allows us to provide you with an efficient search function on our Website.

By pressing the Enter key or clicking on the search button, the search function is activated, and the search results from Google are displayed on the search results page through embedding (iFrame). When retrieving the search results, a connection is established with Google's servers and your browser may potentially transmit the Log File Data (including IP address) listed in Section 6.1, as well as the search term you entered to Google. This may also result in a transfer of data to servers abroad, e.g., the USA (for information on the absence of an adequate level of data protection and the proposed safeguards, see Sections 5.2 and 5.3).

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in providing an efficient website search function.

Regarding the further processing of data by Google, please refer to Google's privacy policy: https://policies.google.com/privacy?hl=en.

6.4 Tracking and Web Analytics Tools

6.4.1 General Information about Tracking

For the purpose of customising and continuously optimising our Website, we use the web analytics services listed below. In this context, pseudonymised usage profiles are created, and cookies are used (please also see Section 6.2). The information generated by the cookie regarding your use of our Website is usually transmitted to a server of the service provider, where it is stored and processed, together with the Log File Data mentioned in Section 6.1. This may also result in a transfer to servers abroad, e.g., the USA (for information on the absence of an adequate level of data protection and the proposed safeguards, see Sections 5.2 and 5.3).

Through the data processing, we obtain, among others, the following information:

  • navigation path followed by a visitor on the site (including content viewed, products selected or purchased, or services booked);
  • time spent on the Website or specific page;
  • the specific page from which the Website is left;
  • the country, region, or city from where an access is made;
  • end device (type, version, colour depth, resolution, width, and height of the browser window); and
  • returning or new visitor.

The provider, on our behalf, will use this information to evaluate the use of the Website, in particular to compile Website activity reports and provide further services related to Website usage and internet usage for the purposes of market research and the customisation of the Website. For these processing activities, we and the providers may be considered joint controllers in terms of data protection to a certain extent.

The legal basis for this data processing with the following services is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent or oppose to processing at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see Section 6.2) or by using the service-specific options described below.

Regarding the further processing of the data by the respective provider as the (sole) controller, including any potential disclosure of this information to third parties, such as authorities due to national legal regulations, please refer to the respective privacy policy of the provider.

6.4.2 Google Analytics

We use the web analytics service Google Analytics provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

Contrary to the description in Section 6.4.1, IP addresses are not logged or stored in Google Analytics (in the version used here, "Google Analytics 4"). For accesses originating from the EU, IP address data is only used to derive location data and is immediately deleted thereafter. When collecting measurement data in Google Analytics, all IP searches take place on EU-based servers before the traffic is forwarded to Analytics servers for processing. Google Analytics utilises regional data centres. When connecting to the nearest available Google data centre in Google Analytics, the measurement data is sent to Analytics via an encrypted HTTPS connection. In these centres, the data is further encrypted before being forwarded to Analytics' processing servers and made available on the platform. The most suitable local data centre is determined based on the IP addresses. This may also result in a transfer of data to servers abroad, eg., the USA (for information on the absence of an adequate level of data protection and the proposed safeguards, see Sections 5.2 and 5.3).

We also use the technical extension called "Google Signals", which enables cross-device tracking. This makes it possible to associate a single website visitor with different devices. However, this only happens if the visitor is logged into a Google service during the website visits and has activated the "personalised advertising" option in their Google account settings. Even in such cases, we do not have access to any personal data or user profiles; they remain anonymous to us. If you do not wish to use "Google Signals," you can deactivate the "personalised advertising" option in your Google account settings.

Users can prevent the collection of data related to their Website usage (including IP address) generated by the cookie as well as the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.

As an alternative to the browser plugin, users can click on this link to prevent Google Analytics from collecting data on the website in the future. This will place an opt-out cookie on the user's device. If users delete cookies (see Section 6.2 on Cookies), they will need to click the link again.

In our partnership with Google Analytics, we commissioned 80 DAYS, Charlotte House, 2 S Charlotte Street, Edinburgh EH2 4 AW, Scotland (80 DAYS) with their web analytics services to execute our Digital Marketing strategies. Thereby, the described data about the use of the Website may be transmitted to the servers of 80 DAYS for the specified processing purposes (see Section 5). Purpose of this is to ensure we can create a customized online marketing strategy towards our international clientele.

Users can prevent the collection of data related to their Website usage (including IP address) generated by the cookie as well as the processing of this data by 80 DAYS by clicking on the following link and following the provided instructions: www.eighty-days.com.

6.5 Social Media

6.5.1 Social Media Profile

Our Website contains links to our profiles on the social networks of the following providers:

  • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy;
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Privacy Policy;
  • Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland and Pinterest, Inc., 651 Brannan St., San Francisco, CA 94107, USA, Privacy Policy;
  • Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland, Privacy Policy;
  • LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Policy.

If you click on the icons of the social networks, you will be automatically redirected to our profile on the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the social network receives information that you have visited our Website with your IP address and clicked on the link. This may also involve the transfer of data to servers abroad, e.g., in the USA (for information on the absence of an adequate level of data protection and the proposed safeguards, see Sections 5.2 and 5.3).

If you click on a link to a social network while you are logged into your user account on that social network, the content of our website can be associated with your profile, allowing the social network to directly link your visit to our website to your account. If you want to prevent this, please log out of your account before clicking on the respective links. A connection between your access to our website and your user account will always be established if you log in to the respective social network after clicking on the link. The data processing associated with this is the responsibility of the respective provider in terms of data protection. Therefore, please refer to the privacy notices on the social network's website.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the use and promotion of our social media profiles.

6.5.2 Social Media Plugins

On our website, you can use social media plugins from the following providers:

  • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy;
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Privacy Policy;
  • Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland and Pinterest, Inc., 651 Brannan St., San Francisco, CA 94107, USA, Privacy Policy;
  • Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland, Privacy Policy;
  • LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Policy.

We use the social media plugins to make it easier for you to share content from our Website. The social media plugins help us to increase the visibility of our content on social networks, thereby contributing to better marketing.

The plugins are deactivated by default on our Website, and therefore, no data is sent to the social networks when you simply access our Website. To enhance data protection, we have integrated the plugins in such a way that a connection is not automatically established with the servers of the social networks. Only when you activate the plugins by clicking on them, and thus give your consent to the transmission and further processing of data by the providers of the social networks, your browser establishes a direct connection to the servers of the respective social network.

The content of the plugin is transmitted directly from the social network to your browser and integrated into the Website. As a result, the respective provider receives information that your browser has accessed the corresponding page of our Website, even if you do not have an account with that social network or are not currently logged in to it. This information (including your IP address) is transmitted from your browser directly to a server of the provider (usually located in the USA) and stored there (for information on the absence of an adequate level of data protection and the proposed safeguards, see Sections 5.2 and 5.3). We have no influence on the scope of data collected by the provider through the plugin, although from a data protection perspective, we may be considered joint controllers with the providers up to a certain extent.

If you are logged into the social network, it can assign your visit to our Website directly to your user account. If you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g., that you like a product or service from us) may also be published on the social network and displayed to other users of the social network. The provider of the social network may use this information for the purpose of displaying advertisements and tailoring the respective offering to your needs. For this purpose, usage, interest, and relationship profiles may be created, e.g., to evaluate your use of our Website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our Website, and to provide other services associated with the use of the social network. The purpose and scope of the data collection, further processing and use of the data by the providers of the social networks, as well as your rights in this regard and options for protecting your privacy can be found directly in the privacy policies of the respective providers.

If you do not want the provider of the social network to associate the data collected through our Website with your user account, you must log out of the social network before activating the plugins. The legal basis for the described data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time by notifying the plugin provider in accordance with the instructions provided in its privacy policy.

6.6 Online Advertising and Targeting

6.6.1 In general

We use services of various companies to provide you with interesting offers online. In the process of doing this, your user behaviour on our website and websites of other providers is analysed in order to subsequently be able to show you online advertising that is individually tailored to you.

Most technologies for tracking your user behaviour (Tracking) and displaying targeted advertising (Targeting) utilise cookies (see also Section 6.2), which allow your browser to be recognised across different websites. Depending on the service provider, it may also be possible for you to be recognised online even when using different end devices (e.g., laptop and smartphone). This may be the case, for example, if you have registered for a service that you use with several devices.

In addition to the data already mentioned, which is collected when visiting websites (Log File Data, see Section 6.1) and through the use of cookies (Section 6.2) and which may be transmitted to the companies involved in the advertising networks, the following data, in particular, is used to select the advertising that is potentially most relevant to you:

  • information about you that you provided when registering or using a service from advertising partners (e.g., your gender, age group); and
  • user behaviour (e.g., search queries, interactions with advertisements, types of websites visited, products or services viewed and purchased, newsletters subscribed to).

We and our service providers use this data to determine whether you belong to the target audience we address and take this into account when selecting advertisements. For example, after visiting our Website, you may see advertisements for the products or services you have viewed when you visit other sites (Re-targeting). Depending on the amount of data, a user profile may also be created, which is automatically analysed; the advertisements are then selected based on the information stored in the profile, such as belonging to certain demographic segments or potential interests or behaviours. These advertisements may be displayed to you on various channels, including our website or app (as part of on- and in-app marketing), as well as advertising placements provided through the online advertising networks we use, such as Google.

The data may then be analysed for the purpose of settlement with the service provider, as well as for evaluating the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. This may also include information that the performance of an action (e.g., visiting certain sections of our Website or submitting information) can be attributed to a specific advertising. We also receive from service providers aggregated reports of advertisement activity and information on how users interact with our Website and advertisements.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see Section 6.2). Further options for blocking advertising can also be found in the information provided by the respective service provider, such as Google.

6.6.2 Google Ads

As explained in Section 6.6.1, this website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) for online advertising. Google uses cookies (see the list here), which allow your browser to be recognised when you visit other websites. The information generated by the cookies about your visit to these websites (including your IP address) is transmitted to and stored by Google on servers in the United States (for information on the absence of an adequate level of data protection and the proposed safeguards, see Sections 5.2 and 5.3). Further information on data protection at Google can be found here.

The legal basis for this data processing is your consent within the meaning of Article 6(1)(a) of the GDPR. You can withdraw your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see Section 6.2). Further options for blocking advertising can be found here.

7. Retention Periods

We only store personal data for as long as it is necessary to carry out the processing described in this privacy policy within the scope of our legitimate interests. For contractual data, the storage is stipulated by statutory retention obligations. Requirements that oblige us to retain data arise from the accounting and tax law regulations. According to these regulations, business communication, concluded contracts, and accounting documents must be retained for up to 10 years. If we no longer need this data to provide services for you, the data will be blocked. This means that the data may then only be used if this is necessary to fulfil the retention obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer any legal obligation to retain it and no legitimate interest in its retention exists.

8. Data Security

We use appropriate technical and organisational security measures to protect your personal data stored with us against loss and unlawful processing, in particular unauthorised access by third parties. Our employees and the service companies mandated by us are obliged to maintain confidentiality and uphold data protection. Furthermore, these persons are only granted access to personal data to the extent necessary for the performance of their tasks.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot, therefore, provide any absolute guarantee for the security of information transmitted in this way.

9. Your rights

If the legal requirements are met, as a data subject, you have the following rights with respect to data processing:

Right of access: You have the right to request access to your personal data stored by us at any time and free of charge if we process such data. This gives you the opportunity to check what personal data concerning you we process and whether we process it in accordance with applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In this case, we will also inform the recipients of the data concerned about the adaptations we have made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to obtain the erasure of your personal data under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to erasure may be excluded. In this case, the erasure may be replaced by a blocking of the data if the requirements are met.

Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.

Right to data portability: You have the right to receive from us, free of charge, the personal data you have provided to us in a readable format.

Right to object: You have the right to object at any time to data processing, especially with regard to data processing related to direct marketing (e.g., marketing emails).

Right to withdraw consent: You have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlawful due to your withdrawal.

To exercise these rights, please send us an e-mail to the following address: info@palace.ch.

Right of complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g., against the manner in which your personal data is processed.