Privacy Policy

With this Privacy Policy, we inform you about the personal data we process in connection with our activities and operations including our hotelvorab.ch-website. We specifically inform about the purposes, methods, and locations of how and where we process personal data. We also inform about the rights of individuals whose data we process.

Additional privacy policies and other legal documents such as Terms and Conditions (T&Cs), Terms of Use, or Participation Terms may apply to specific or additional activities and operations.

We are subject to Swiss data protection law and, where applicable, foreign data protection law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

The European Commission recognized with its decision of July 26, 2000, that Swiss data protection law ensures adequate protection. With its report of January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

Responsibility for the processing of personal data:

Hotel Vorab AG
Via Nova 38
7017 Flims Dorf
Switzerland

info@hotelvorab.ch

In individual cases, there may be other responsible parties for the processing of personal data or joint responsibility with at least one other responsible party.

1.1 Data Protection Officer or Advisor

We have the following data protection officer or advisor as a contact point for affected individuals and authorities regarding data protection inquiries:

Gian-Reto Meiler
Hotel Vorab AG
Via Nova 38
7017 Flims Dorf
Switzerland

info@hotelvorab.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:

VGS Datenschutz­partner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

info@hotelvorab.ch

The data protection representation serves as an additional point of contact for affected individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Personal data are all information relating to an identified or identifiable natural person.

Particularly sensitive personal data are data concerning union, political, religious, or philosophical views and activities, data on health, intimate life, or membership of an ethnicity or race, genetic data, biometric data that uniquely identifies a natural person, data on criminal and administrative penalties or prosecutions, and data on social assistance measures.

Processing includes any handling of personal data, irrespective of the means and methods used, such as querying, matching, adjusting, archiving, storing, retrieving, disclosing, procuring, collecting, raising, deleting, revealing, sorting, organizing, storing, modifying, spreading, linking, destroying, and using personal data.

An affected person is a natural person whose personal data we process.

The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

The General Data Protection Regulation (GDPR) refers to the processing of personal data as processing of personal data and the processing of particularly sensitive personal data as processing of special categories of personal data (Art. 9 GDPR).

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law such as the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

When and as far as the General Data Protection Regulation (GDPR) is applicable, we process personal data based on at least one of the following legal bases:

• Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data for the performance of a contract with the affected person as well as for carrying out pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect the legitimate interests of us or third parties, unless the fundamental freedoms and fundamental rights and interests of the affected person prevail. Legitimate interests are in particular our interest to carry out our activities and operations sustainably, user-friendly, securely, and reliably, as well as to communicate about it, ensuring information security, protection against misuse, enforcement of our own legal claims, and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject according to possibly applicable law of member states in the European Economic Area (EEA).
• Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the affected person.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the affected person or another natural person.

3. Type, Scope, and Purpose

We process those personal data that are necessary to carry out our activities and operations sustainably, user-friendly, securely, and reliably. Such personal data can particularly fall into categories of inventory and contact data, browser and device data, content data, metadata or ancillary data, and usage data, location data, sales data, as well as contract and payment data.

We process personal data for the duration that is necessary for the respective purpose or purposes or required by law. Personal data whose processing is no longer necessary are anonymized or deleted.

We may have personal data processed by third parties. We may process personal data jointly with third parties or transmit them to third parties. Such third parties are in particular specialized providers whose services we use. We also ensure data protection with such third parties.

We generally process personal data only with the consent of the affected persons. If and insofar as processing is permissible for other legal reasons, we may refrain from seeking consent. We may, for example, process personal data without consent in order to fulfill a contract, to comply with legal obligations, or to protect overriding interests.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, if and insofar as such processing is permissible for legal reasons.

4. Communication

We process personal data to be able to communicate with third parties. In this context, we specifically process data that an affected person transmits when making contact, for example via postal mail or email. We may store such data in an address book or with similar tools.

Third parties who transmit data concerning other persons are obligated to ensure the protection of the privacy of such affected persons. Among other things, this includes ensuring the accuracy of the transmitted personal data.

We use selected services from suitable providers to better communicate with third parties.

5. Data Security

We implement appropriate technical and organizational measures to ensure data security appropriate to the respective risk. Our measures particularly ensure the confidentiality, availability, verifiability, and integrity of the processed personal data, though we cannot guarantee absolute data security.

Access to our website and other online presence is secured with transport encryption (SSL/TLS, especially with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a small padlock in the address bar.

Our digital communication is — like essentially all digital communication — subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the corresponding processing of personal data by intelligence agencies, police departments, and other security authorities. We also cannot rule out the possibility that individual affected persons are monitored specifically.

6. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transmit personal data to other states, in particular to process it or have it processed there.

We may export personal data to all states and territories on Earth as well as elsewhere in the universe, provided that the local law according to the decision of the Swiss Federal Council ensures adequate data protection and — if and as far as the General Data Protection Regulation (GDPR) is applicable — according to the decision of the European Commission ensures adequate data protection.

We may transmit personal data to states whose law does not ensure adequate data protection, provided that data protection is ensured for other reasons, in particular on the basis of standard data protection clauses or with other suitable guarantees. Exceptionally, we may export personal data to states without adequate or suitable data protection if the special data protection legal requirements are met, such as the explicit consent of the affected persons or a direct connection with the conclusion or execution of a contract. We are happy to provide affected persons with information on any guarantees upon request or deliver a copy of any guarantees.

7. Rights of Affected Persons

7.1 Data Protection Legal Claims

We grant affected persons all claims according to applicable data protection law. In particular, affected persons have the following rights:

• Access: Affected persons can request information about whether we process personal data concerning them and, if so, what personal data is involved. Affected persons also receive the necessary information to assert their data protection claims and ensure transparency. This includes the processed personal data itself, but also information about the purpose of the processing, the duration of storage, any disclosure or export of data to other states, and the origin of the personal data.
• Correction and Restriction: Affected persons can correct inaccurate personal data, complete incomplete data, and restrict the processing of their data.
• Deletion and Objection: Affected persons can have personal data deleted (“right to be forgotten”) and object to the processing of their data with effect for the future.
• Data Release and Transfer: Affected persons can request the release of personal data or the transfer of their data to another controller.

We may delay, restrict, or deny the exercise of the rights of affected persons within the legally permissible framework. We may inform affected persons about any requirements to be met for exercising their data protection claims. For example, we may refuse access with reference to trade secrets or the protection of other persons either in whole or in part. We may also refuse the deletion of personal data with reference to legal retention obligations either in whole or in part.

We may exceptionally impose costs for exercising the rights. We inform affected persons in advance about any potential costs.

We are obliged to identify affected persons who request information or assert other rights with appropriate measures. Affected persons are required to cooperate.

7.2 Legal Protection

Affected persons have the right to enforce their data protection claims through legal proceedings or to file a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for complaints from affected persons against private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities for complaints from affected persons — as far and as long as the General Data Protection Regulation (GDPR) is applicable — are organized as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are federally structured, particularly in Germany.

8. Use of the Website

8.1 Cookies

We may use cookies. Cookies — both our own cookies (first-party cookies) and those of third parties whose services we use (third-party cookies) — are data stored in the browser. Such stored data need not be limited to traditional cookies in text form.

Cookies can be stored temporarily as “session cookies” in the browser or for a specific period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies, in particular, allow a browser to be recognized on a subsequent visit to our website and thereby measure, for example, the reach of our website. However, permanent cookies can also be used for online marketing.

Cookies can be disabled and deleted in browser settings in whole or in part at any time. Without cookies, our website may not be fully available. We ask for — at least as far and as long as necessary — explicit consent to the use of cookies.

For cookies used for performance and reach measurement or for advertising, a general objection (“opt-out”) is possible for many services via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2 Logging

We may log at least the following information for each access to our website and other online presence, if such information is transmitted to our digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transmitted data volume, last website called in the same browser window (referrer).

We log such information, which can also be personal data, in log files. The information is necessary to provide our online presence permanently, user-friendly, and reliably. The information is also necessary to ensure data security — also by or with the help of third parties.

8.3 Counting Pixels

We may incorporate counting pixels into our online presence. Counting pixels are also known as web beacons. Counting pixels — including those from third parties whose services we use — are typically small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our online presence. Counting pixels can capture at least the same information as logged in log files.

9. Notifications and Communications

We send notifications and communications via email and through other communication channels such as instant messaging or SMS.

9.1 Success and Reach Measurement

Notifications and communications may contain web links or counting pixels that capture whether a single message was opened and which web links were clicked. Such web links and counting pixels can also capture the use of notifications and communications on a personal basis. We need this statistical capture of usage for success and reach measurement, to be able to send notifications and communications effectively and user-friendly based on the needs and reading habits of the recipients and ensure they are sent sustainably, securely, and reliably.

9.2 Consent and Objection

You must generally consent to the use of your email address and other contact addresses unless the use is permissible for other legal reasons. For obtaining confirmed consent, we may use the “Double Opt-in” process. In this case, you will receive a message with instructions for double confirmation. We may log obtained consents including IP address and timestamp for evidence and security reasons.

You can generally object to the receipt of notifications and communications such as newsletters at any time. With such an objection, you can simultaneously object to the statistical capture of usage for success and reach measurement. Exceptions remain necessary notifications and communications related to our activities and operations.

9.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We particularly use:

• MAILINGWORK: Email marketing platform; Provider: Mailingwork GmbH (Germany); Information on data protection: Privacy Policy, “Privacy Policy and Newsletter Dispatch – What needs to be considered?”.

10. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The General Terms and Conditions (T&C), Terms of Use, Privacy Policies, and other provisions of the individual operators of such platforms also apply. These provisions specifically inform about the rights of affected individuals directly against the respective platform, which includes, for example, the right to access.

For our Social Media presence on Facebook including the so-called Page Insights, we are — as far and as long as the General Data Protection Regulation (GDPR) is applicable — jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (including in the USA). Page Insights provide information on how visitors interact with our Facebook presence. We use Page Insights to provide our social media presence on Facebook effectively and user-friendly.

Further details about the nature, scope, and purpose of data processing, information about the rights of affected individuals, and the contact details of Facebook as well as the Facebook Data Protection Officer can be found in the Facebook Privacy Policy. We have entered into the so-called “Controller Addendum” with Facebook and agreed in particular that Facebook is responsible for ensuring the rights of affected individuals. The relevant information for the so-called Page Insights can be found on the page “Information about Page Insights” including “Information about Page Insights Data”.

11. Third-Party Services

We use services from specialized third parties to be able to carry out our activities and operations permanently, user-friendly, safely, and reliably. With such services, we can embed functions and content into our website. For technical reasons, the services used necessarily capture at least temporarily the IP addresses of users during such embedding.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations aggregated, anonymized, or pseudonymized. These may include performance or usage data necessary to offer the respective service.

We particularly use:

• Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General information on data protection: “Principles on privacy and safety”, Privacy Policy, “Google is committed to complying with applicable privacy laws”, “Guide to privacy in Google products”, “How Google uses data from sites or apps that use our services” (Information from Google), “Types of cookies and other technologies used by Google”, “Advertising you can control” (“Personalized advertising”).

11.1 Digital Infrastructure

We use services from specialized third parties to be able to utilize necessary digital infrastructure in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.

We particularly use:

• Cyon: Hosting; Provider: cyon GmbH (Switzerland); Information on data protection: “Privacy”, Privacy Policy.
• WordPress.com: Blog hosting and website builder; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users among others in Europe; Information on data protection: Privacy Policy, Cookie Policy.

11.2 Map Services

We use third-party services to embed maps into our website.

We particularly use:

• Google Maps including Google Maps Platform: Map service; Provider: Google; Specific information for Google Maps: “How Google uses location information”.

11.3 Fonts

We use third-party services to embed selected fonts as well as icons, logos, and symbols into our website.

We particularly use:

• Google Fonts: Font services; Provider: Google; Specific information about Google Fonts: “Your Privacy and Google Fonts”, “Privacy and Data Collection”.

11.4 E-Commerce

We operate e-commerce and use third-party services to successfully offer services, content, or goods.

11.5 Payments

We use specialized service providers to securely and reliably handle payments from our customers. The legal texts of individual service providers such as General Terms and Conditions (T&C) or Privacy Policies also apply to payment processing.

We particularly use:

• PostFinance: Payment processing; Provider: PostFinance AG (Switzerland); Information on data protection: “Legal Notices and Accessibility”, “Data Protection” (including Privacy Policies).
• Worldline: Payment processing, particularly with mobile payment solutions; Providers: Worldline SA (France), Worldline Switzerland AG (Switzerland) and other Worldline companies worldwide (including in the USA); Information on data protection: Privacy Policy, “Responsible Disclosure Program”, Cookie Policy.

11.6 Advertising

We utilize the option to display targeted advertising on third-party platforms such as social media platforms and search engines for our activities and operations.

We aim with such advertising especially to reach individuals who are already interested in our activities and operations or might be interested (Remarketing and Targeting). For this, we may transmit corresponding — possibly also personal — information to third parties that enable such advertising. We can also determine whether our advertising is successful, specifically whether it leads to visits to our website (Conversion Tracking).

Third parties where we advertise and where you as a user are registered may be able to associate the use of our website with your profile there.

We particularly use:

• Facebook Advertising (Facebook Ads): Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Information on data protection: Remarketing and targeting particularly with Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy, “Advertising Preferences” (registration as a user required).
• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising among other things based on search queries, with various domain names – particularly doubleclick.net, googleadservices.com, and googlesyndication.com – used for Google Ads, “Advertising” (Google), “Manage ads displayed to you directly through ads”.
• Instagram Ads: Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Information on data protection: Remarketing and targeting particularly with Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy (Instagram), Privacy Policy (Facebook), “Advertising Preferences” (Instagram) (registration as a user required), “Advertising Preferences” (Facebook) (registration as a user required).

12. Success and Reach Measurement

We strive to determine how our online offerings are used. In this context, for example, we can measure the success and reach of our activities and operations as well as the impact of third-party links to our website. We can also test and compare how different parts or versions of our online offering are used (“A/B testing” method). Based on the results of success and reach measurements, we can fix errors, strengthen popular content, or make improvements to our online offerings.

For success and reach measurement, the IP addresses of individual users are usually stored. In this case, IP addresses are generally anonymized (“IP masking”) to adhere to the principle of data minimization through the corresponding pseudonymization.

In success and reach measurement, cookies may be used and user profiles created. Potential user profiles may include, for example, the individual pages visited or content viewed on our website, information about the size of the screen or browser window, and the— at least approximate— location. Generally, any user profiles are created exclusively pseudonymized and not used for identifying individual users. Individual services from third parties, where users are registered, may associate the use of our online offerings with the user account or user profile at the respective service.

We particularly use:

• Google Analytics: Success and reach measurement; Provider: Google; Specific information about Google Analytics: Measurement across different browsers and devices (Cross-Device Tracking) and with pseudonymized IP addresses, which are only exceptionally transmitted in full to Google in the USA, “Privacy”, “Browser Add-on for Disabling Google Analytics”.
• Google Tag Manager: Integration and management of other services for success and reach measurement as well as other services from Google and third parties; Provider: Google; Specific information about Google Tag Manager: “Data collected by Google Tag Manager”; additional privacy information is available for each integrated and managed service.

13. Final Provisions

We created this Privacy Policy using the Privacy Policy Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We may adjust and supplement this Privacy Policy at any time. We will inform about such adjustments and supplements in an appropriate manner, especially by publishing the current Privacy Policy on our website.