Privacy policy Seehotel Waldstätterhof

We, Hotel Waldstätterhof AG, Waldstätterquai 6, 6440 Brunnen, are the operator of the hotel of the same name and the website www.waldstaetterhof.ch (website) and, unless otherwise stated in this privacy policy, are responsible for the data processing listed in this privacy policy.

Please take note of the following information so that you know what personal data we collect from you and for what purposes we use it. We base our data protection on the legal requirements of Swiss data protection law, in particular the Federal Act on Data Protection(FADP) and the GDPR, the provisions of which may apply in individual cases. We may update this privacy policy at any time. We will provide information about updates in an appropriate form, in particular by publishing the current privacy policy on our website.

If you have any questions about data protection or wish to exercise your rights, please contact our data protection contact person by sending an e-mail to the following address: avr@waldstaetterhof.ch

3.1 Data processing when contacting us

If you contact us via our contact addresses and channels, your personal data will be processed. The data that you have provided to us, such as your name, e-mail address or telephone number and your request, will be processed. In addition, the time of receipt of the request is documented. We process this data in order to implement your request (e.g. providing information about our hotel, support with contract processing such as questions about your booking, etc.).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the implementation of your request or, if your request is aimed at the conclusion or execution of a contract, the necessity for the implementation of the necessary measures within the meaning of Art. 6 para. 1 lit. b GDPR.

3.2 Data processing for bookings

3.2.1 Bookings via our website

You have the option of booking a stay on our website. We collect the following data for this purpose, whereby mandatory information is marked with an asterisk (*) during the booking process:

• First name
• Surname
• Address, postal code, city, country
• Phone number
• e-mail
• Booking details
• Confirmation of acknowledgement and consent regarding GTC and data protection provisions

We use the data to establish your identity before concluding a contract. We need your e-mail address to confirm your booking and for future communication with you that is necessary to process the contract. We store your data together with the peripheral data of the booking (e.g. room category, period of stay as well as name, price and features of the services), the data for payment (e.g. selected payment method, confirmation of payment and time; see also section 4) as well as the information on the processing and fulfillment of the contract (e.g. receipt and handling of complaints) in our CRM database (see section 4) so that we can ensure correct booking processing and contract fulfillment.

Insofar as this is necessary for the fulfillment of the contract, we will also pass on the required information to any third-party service providers (e.g. event organizers or transport companies). 

The legal basis for this data processing is the fulfillment of a contract with you in accordance with Art. 6 para.1 lit. b GDPR.

We use a software application from Vertical Booking, Piazza Pontida 7, Bergamo, Italy, to process bookings via our website. Therefore, your data may be stored in a Vertical Booking database, which may allow Vertical Booking to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is the fulfillment of a contract with you in accordance with Art. 6 para.1 lit. b GDPR.

Vertical Booking may wish to use some of this data for its own purposes (e.g. to send marketing emails or for statistical analysis). Vertical Booking is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information about data processing by Vertical Booking can be found at www.verticalbooking.com/en/privacy-policy/.

3.2.2 Bookings via a booking platform

If you make bookings via a third-party platform (i.e. via Booking, Hotels, Expedia, Holidaycheck, Kayak, Tripadvisor, Trivago, Hyperguest), we receive various personal data from the respective platform operator in connection with the booking made. In addition, we may receive inquiries about your booking. We will process this data by name in order to record your booking as requested and provide the booked services. 

The legal basis for data processing for this purpose is the implementation of pre-contractual measures and the fulfillment of a contract in accordance with Art. 6 para. 1 lit. b GDPR.

Finally, we may exchange personal data with the platform operators in connection with disputes or complaints in connection with a booking, insofar as this is necessary to protect our legitimate interests. This may also include data relating to the booking process on the platform or data relating to the booking or processing of services and the stay with us. We process this data to safeguard our legitimate claims and interests in the processing and maintenance of our contractual relationships with the following platform operators:

• Booking.com B.V., Oosterdokskade 163, 1011 DL, The Netherlands. Further information about data processing in connection with Booking.com B.V. can be found at www.booking.com.
• Hotels.com L.P., 5400 LBJ Freeway, Suite 500, Dallas, Texas 75240, USA. Further information about data processing in connection with Hotel.com L.P. can be found at www.hotels.com.
• Expedia, Inc, 1111 Expedia Group Way West Seattle, WA 98119, USA. Further information about data processing in connection with Expedia can be found at https://www.expedia.ch/lp/b/lg-privacypolicy
• HolidayCheck AG, Bahnweg 8, 8598 Bottighofen. Further information on data processing in connection with Holidaycheck AG can be found at https://www.holidaycheck.de/datenschutz
• Kayak Europe GmbH, Fraumünsterstrasse 16, 8001 Zurich. Further information about data processing in connection with Kayak Europe GmbH can be found at https://www.kayak.ch/privacy
• Tripadvisor Inc, 400^1st Avenue, Needham, MA 02494 USA. Further information about data processing in connection with Tripadvisor Inc. can be found at https://tripadvisor.mediaroom.com/us-privacy-policy
• Trivago N.V., Kesselstrasse 5 - 7, 40221 Düsseldorf. Further information about data processing in connection with Trivago N.V. can be found at https://www.trivago.ch/de/CH/sp/datenschutzerklaerung
• Hyperguest R&D LTD, Menachem Begin 11, Ramat Gan, Israel. Further information on data processing in connection with Hyperguest R&D LTD can be found at www.hyperguest.com/gdpr

Your data is stored in the databases of the platform operators, which enables them to access your data. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for data processing for this purpose is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

3.3 Data processing during payment processing

3.3.1 Payment processing at the hotel

If you purchase products, services or pay for your stay at our hotel using electronic payment methods, the processing of personal data is required. By using the payment terminals, you transmit the information stored in your means of payment, such as the name of the cardholder and the card number, to the payment service providers involved (e.g. providers of payment solutions, credit card issuers and credit card acquirers). They also receive the information that the payment method was used in our hotel, the amount and the time of the transaction. Conversely, we only receive the credit of the amount of the payment made at the relevant time, which we can assign to the relevant receipt number, or information that the transaction was not possible or was canceled. Please always refer to the information provided by the respective company, in particular the privacy policy and the general terms and conditions.

The legal basis for our data processing is the fulfillment of a contract with you in accordance with Art. 6 para.1 lit. b GDPR.

Worldline Schweiz AG may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Worldine Schweiz AG is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information on data processing by Worldine Switzerland can be found at https://worldline.com/de-ch/compliancy/privacy.

3.3.2 Online payment processing

If you make chargeable bookings on our website or order services or products, depending on the product or service and the desired payment method - in addition to the information specified in section 3.3.1- you may be required to provide further data, such as your credit card information or the login for your payment service provider. This information and the fact that you have purchased a service from us at the relevant amount and time will be forwarded to the respective payment service providers (e.g. providers of payment solutions, credit card issuers and credit card acquirers). Please always note the information provided by the respective company, in particular the privacy policy and general terms and conditions.

The legal basis for our data processing is the fulfillment of a contract in accordance with Art. 6 para.1 lit. b GDPR.

We reserve the right to store a copy of the credit card information as security. To avoid payment cases, the necessary data, in particular your personal details, may also be transmitted to a credit agency for an automated assessment of your creditworthiness. In this context, the credit agency can assign you a so-called score value. This is an estimate of the future risk of a payment default, e.g. based on a percentage. The value is calculated using mathematical-statistical procedures and by incorporating data from the credit agency from other sources. We reserve the right, in accordance with the information received, not to offer you the payment method "Invoice".

The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f. GDPR in the avoidance of payment defaults.

Worldline Switzerland may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Worldline Switzerland is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information about data processing by Worldine Switzerland can be found at https://worldline.com/de-ch/compliancy/privacy

3.4 Data processing for the recording and invoicing of purchased services

If you purchase services as part of your stay (e.g. additional overnight stays, wellness, restaurant, activities), we will collect and process - in addition to your contract data - the data relating to the booking (e.g. time and comments) and the data relating to the booked and purchased service (e.g. subject matter of the service, price and time of purchase of the service) in order to process the service, as described in section 3.3.

The legal basis for our data processing is the fulfillment of a contract in accordance with Art. 6 para.1 lit. b GDPR.

3.5 Data processing when submitting guest feedback

During your stay or afterwards, you have the opportunity to give us feedback (e.g. praise, criticism and suggestions for improvement) using a form. We collect the following data for this - depending on the - whereby mandatory information is marked with an asterisk (*) in the corresponding form:

• First and last name
• Age
• Nationality
• Duration of stay
• Feedback

Your data is processed as part of our quality management and thus ultimately for the purpose of better tailoring our services and products to the needs of our guests. Specifically, your data is processed for the following purposes:

• Clarification of your concerns, i.e. e.g. obtaining statements from the employees and supervisors addressed or obtaining queries from you, etc;
• Evaluation and analysis of your data, e.g. creation of satisfaction statistics, comparison of individual services, etc.; or
• Taking organizational measures in accordance with the findings, e.g. remedying grievances/deficiencies/misconduct, for example by repairing defective equipment, instructing, praising or admonishing employees.

In connection with guest feedback, we use a software application from TrustYou GmbH. Therefore, your data may be stored in a database of TrustYou GmbH, Steinerstrasse 15, 81369 Munich, Germany, which may allow TrustYou to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy. 

The legal basis for this processing is your consent in accordance with Art. 6 para.1 lit. a GDPR. You can revoke this consent at any time for the future.

TrustYou may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). TrustYou GmbH is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information about data processing by TrustYou can be found atwww.trustyou.com/de/wp-content/uploads/2023/02/Datenschutzerklaerung.pdf.

3.6 Data processing for video surveillance

To protect our guests and employees as well as our property and to prevent and punish unlawful behavior (in particular theft and damage to property), the entrance area and the publicly accessible areas of our hotel, with the exception of the sanitary facilities, may be monitored by cameras. The image data will only be viewed if there is a suspicion of unlawful behavior. Otherwise, the images are automatically deleted after 24 hours.

The legal basis is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the protection of our guests, our employees and our property as well as in the protection and enforcement of our rights.

3.7 Data processing when using our WiFi network

In our hotel you have the opportunity to use our WiFi network free of charge. To prevent misuse and to punish illegal behavior, prior registration is required. You must provide us with the following data:

• Cell phone number 
• MAC address of the end device (automatic)

In addition to the above data, data on the time and date of use and the end device used is recorded each time the WiFi network is used.

The legal basis for this processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.

We work together with Swisscom AG, Alte Tiefenaustrasse 6, CH-3050 Bern, for the provision of our WiFi network. Your data may therefore be stored in a Swisscom database, which may enable Swisscom to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties can be found in section 6 of this Privacy Policy. Further information on data processing by Swisscom can be found at https://www.swisscom.ch/de/privatkunden/rechtliches/datenschutz.html.

Swisscom must comply with the legal obligations of the Federal Act on the Surveillance of Postal and Telecommunications Traffic(BÜPF) and the associated ordinance. If the legal requirements are met, the operator of the WiFi network must monitor the use of the Internet and data traffic on behalf of the competent authority. The operator of the WiFi network may also be obliged to disclose contact, usage and marginal data of the hotel guest to the authorized authorities. The contact, usage and peripheral data will be stored for 6 months and then deleted.

The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of a WiFi network in compliance with the applicable legal regulations.

3.8 Data processing for the fulfillment of legal reporting obligations

Upon arrival at our hotel, we may require the following information from you and your companions, whereby mandatory information is marked with an asterisk (*) in the corresponding form:

• Salutation
• First and last name
• Billing address
• Place and date of birth
• Nationality
• Identity card or passport
• Arrival and departure day
• Number of travelers

We collect this information to fulfill legal reporting obligations, in particular those arising from hospitality or police law. Insofar as we are obliged to do so under the applicable regulations, we forward this information to the competent authority.

The legal basis for processing this data is our legitimate interest within the meaning of Art. 6 para. 1 lit. c GDPR in complying with our legal obligations.

3.9 Data processing for job applications

You have the opportunity to apply for a job in our company either spontaneously or in response to a specific job advertisement. In doing so, we process the personal data provided by you. We use the data you provide to check your application and suitability for employment. Application documents of unsuccessful applicants will be deleted at the end of the application process, unless you explicitly consent to a longer retention period or we are legally obliged to retain them for a longer period.

The legal basis for processing your data for this purpose is the execution of a contract (pre-contractual phase) in accordance with Art. 6 para.1 lit. b GDPR.

If a clear assignment to your person is possible, we will store and link the data described in this privacy policy, i.e. in particular your personal details, your contacts and your contract data, in a central database. This serves the efficient administration of customer data, allows us to adequately process your requests and enables us to efficiently provide the services you require and process the associated contracts.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the efficient management of user data.

We also evaluate this data in order to further develop our offers in line with your needs and to be able to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future orders based on your use of our website (Section 9 of this Privacy Policy).

For central data storage and analysis in the CRM system, we use software products from Infor (Deutschland) GmbH, Zollhof 13, 40221 Düsseldorf; Hoxell SA, Via Tomaso Rodari 2, CH-6900 Lugano and Lunchgate AG, Badenerstrasse 255, CH-8003 Zurich. Your data may therefore be stored in a database of the aforementioned companies, which may enable these companies to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy. Further information on data processing in connection with Infor can be found at https://www.infor.com/de-de/about/privacy. Information on data processing in connection with Hoxell SA can be found at https://www.iubenda.com/privacy-policy/62293890, information on data processing in relation to Lunchgate AG can be found at www.lunchgate.com.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in carrying out marketing activities.

5.1 Disclosure to third parties and third-party access options

Without the support of other companies, we would not be able to provide our services in the desired form. In order for us to be able to use the services of these companies, it is also necessary to pass on your personal data to these companies to a certain extent. Data is only passed on to selected third-party service providers to the extent necessary for the optimal provision of our services and insofar as this has been explicitly agreed with you, be it to florists, photographers, transport companies, etc. 

The legal basis for these transfers is the necessity to fulfill a contract within the meaning of Art. 6 para. 1 lit. b GDPR.

Your data will also be passed on if this is necessary to fulfill the services you have requested, e.g. to restaurants or providers of other services for which you have made a reservation through us. The legal basis for these transfers is the need to fulfill a contract within the meaning of Art. 6 para. 1 lit. b GDPR. The third-party service providers are responsible for this data processing within the meaning of the Data Protection Act and not us. It is the responsibility of these third-party service providers to inform you about their own data processing - beyond the transfer of data for the provision of services - and to comply with data protection laws.

In addition, your data may be passed on, in particular to authorities, legal advisors or debt collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to carry out a due diligence review or to complete the transaction. 

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the protection of our rights and compliance with our obligations or the sale of our company or parts thereof.

5.2 Transfer of personal data abroad

We are also entitled to transfer your personal data to third parties abroad if this is necessary to carry out the data processing mentioned in this privacy policy. It goes without saying that the statutory provisions on the disclosure of personal data to third parties will be complied with. The countries to which data is transferred include those that the Federal Council and the EU Commission have decided have an adequate level of data protection (such as the member states of the EEA or, from the EU 's point of view, Switzerland), but also countries (such as the USA) whose level of data protection is not considered adequate (see Annex 1 of the General Data Protection Regulation(GDPR) and the EU Commission's website). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected by these companies by means of suitable guarantees, unless an exception is specified for individual data processing (see Art. 49 GDPR). Unless otherwise stated, these are standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. 

5.3 Information on data transfers to the USA

Some of the third-party service providers mentioned in this privacy policy are based in the USA. For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland or the EU that surveillance measures are in place in the USA by US authorities, which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without differentiation, restriction or exception based on the objective pursued and without an objective criterion that makes it possible to restrict the US authorities' access to the data and its subsequent use to very specific, strictly limited purposes that are capable of justifying the interference associated with both access to this data and its use. In addition, we would like to point out that in the USA there are no legal remedies or effective legal protection for data subjects from Switzerland or the EU against general access rights of US authorities that would allow them to obtain access to the data concerning them and to obtain its correction or deletion. We explicitly draw your attention to this legal and factual situation in order to enable you to make an appropriately informed decision to consent to the use of your data.

We would also like to point out to users residing in Switzerland or a member state of the EU that the USA does not have an adequate level of data protection from the perspective of the European Union and Switzerland - partly due to the statements made in this section. 

We use services from specialized third parties in order to be able to carry out our activities and operations in a sustainable, people-friendly, secure and reliable manner. We can use such services to embed our functions and content in our website. In the case of such embedding, the services used collect the IP addresses of users at least temporarily for technically compelling reasons.

For necessary security, statistical and technical purposes, third parties whose services we use may process data in connection with our activities and operations in aggregated, anonymized or pseudonymized form. This is, for example, performance or usage data in order to be able to offer the respective service. 

We use in particular: 

Services from Google providers: Google LLC(USA) and Google Ireland Limited (Ireland), partly for users in the European Economic Area(EEA) and Switzerland; General information on data protection: "Privacy and security principles", "Information on how Google uses personal data", Privacy policy, "Google is committed to complying with applicable data protection laws", "Guide to data protection in Google products", "How we use data from websites or apps on or in which our services are used", "Types of cookies and similar technologies used by Google", "Advertising" ("Personalized advertising"). where our services are used", "Types of cookies and similar technologies Google uses", "Advertising you can control" ("Personalized advertising"). 

Meta Conversation Tracking, partly for users in the European Economic Area(EEA) and Switzerland.

LinkedIn Insight Tag, partly for users in the European Economic Area(EEA) and Switzerland. 

Digital infrastructure:

We use the services of specialized third parties in order to be able to use the necessary digital infrastructure in connection with our activities and operations. These include, for example, hosting and storage services from selected providers. 

We use in particular:

Cyon: Hosting; Service provider: cyonGmbH (Switzerland); Information on data protection: "Data protection", Privacy Policy (https://www.cyon.ch/legal/datenschutzerklaerung).

We may log at least the following information for each access to our website and our other online presence, provided that this information is transmitted to our digital infrastructure during such accesses: Date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-pages of our website accessed including the amount of data transferred, last website accessed in the same browser window (referrer or referrer).

We record such information, which may also constitute personal data, in log files. The information is required to provide our online presence in a permanent, user-friendly and reliable manner. The information is also required to ensure data security, including by third parties or with the help of third parties.

We can integrate tracking pixels into our online presence. Tracking pixels are also known as web beacons. Tracking pixels, including those from third parties whose services we use, are usually small, invisible images or scripts written in JavaScript that are automatically retrieved when our online presence is accessed. Tracking pixels can be used to collect at least the same information as log files.

We try to measure the success and reach of our activities and operations. In this context, we can also measure the effect of third-party references or check how different parts or versions of our online offering are used ("A/B test" method). Based on the results of the success and reach measurement, we can in particular correct errors, strengthen popular content or make improvements.

In most cases, the IP addresses of individual users are recorded to measure success and reach. In this case, IP addresses are generally shortened ("IP masking") in order to comply with the principle of data minimization through the corresponding pseudonymization. 

Cookies may be used to measure success and reach and user profiles may be created. Any user profiles created include, for example, the individual pages visited or content viewed on our website, information on the size of the screen or browser window and the at least approximate location. In principle, any user profiles are created exclusively in pseudonymized form and are not used to identify individual users. Individual third-party services with which users are registered may be able to assign the use of our online offering to the user account or user profile of the respective service.

We use in particular:

Google Marketing Platform: Performance and reach measurement, in particular with Google Analytics; Service provider: Google; Google Marketing Platform-specific information: Measurement also across different browsers and devices (cross-device tracking) with pseudonymized IP addresses, which are only transmitted in full to Google in the USA in exceptional cases, privacy policy for Google Analytics, "Browser add- on to deactivate Google Analytics".

Goolge Tag Manager: Integration and management of services from Google and third parties, in particular for measuring success and reach; Provider: Google; Google Tag Manager-specific information: Privacy policy for Google Tag Manager; further information on data protection can be found in the individual integrated and managed services.

We only store personal data for as long as is necessary to carry out the processing described in this privacy policy within the scope of our legitimate interest. In the case of contractual data, storage is prescribed by statutory retention obligations. Requirements that oblige us to store data result from accounting and tax regulations. According to these regulations, business communication, concluded contracts and accounting documents must be stored for up to 10 years. If we no longer need this data to perform the services for you, the data will be blocked. This means that the data may then only be used if this is necessary to fulfill retention obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer an obligation to retain it and there is no longer a legitimate interest in retaining it.

We use suitable technical and organizational security measures to protect your personal data stored by us against loss and unlawful processing, in particular unauthorized access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and to comply with data protection regulations. Furthermore, these persons are only granted access to personal data to the extent necessary to fulfill their tasks.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we can therefore provide no absolute guarantee for the security of information transmitted in this way.