Privacy policy

Badrutt’s Palace Hotel AG, Via Serlas 27, 7500 St. Moritz, Switzerland (registered with the Commercial Register of the Canton of Graubünden under the number CHE-105.980.962: "we", "our", etc.) runs the “Townhouse St. Moritz” rental accommodations and is also the operator of the website www.townhouse-stmoritz.com ("website"). Therefore, we are responsible for the collection, processing and use of your personal data and the compliance with the applicable data protection law.

Your trust is important to us, which is why we take the subject of data privacy seriously and ensure a corresponding level of security. Of course, we comply with the legal provisions of the Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (OFADP), the Telecommunications Act (TCA) and any other applicable data privacy provisions in Swiss or EU law, or the EU General Data Protection Regulation (GDPR), where applicable. To be aware of which personal data we collect from you and what purposes we use it for, please take note of the following information. Please note that the following information is reviewed and changed from time to time. We therefore recommend that you regularly review this Privacy Policy. Furthermore, for some of the data processing listed below, other companies are responsible under data protection law or jointly responsible with us, which means that in these cases the information provided by these providers is also relevant.

The address of our data privacy law representative in the EU is: MLL EU-GDPR GmbH, Ganghoferstrasse 33, 80339 Munich, Germany, bph@mll-gdpr.com.

A. DATA PROCESSING ASSOCIATED WITH OUR WEBSITE
1. Accessing our website
In order for you to establish a connection to our websites or to any microsites, your browser sends certain data to the servers of our hosting provider (Solutions Plus s.r.l. located in Str. Prov. Bitonto - Aerop. Palese, 28 - Bari, Italy), which temporarily records each access in a log file. The following data is collected without your intervention and stored until automated deletion by us:

– The IP address of the requesting computer;
– The name of the owner of the IP address (normally your internet access provider);
– The date and time of the access;
– The website from which the access was made (referrer URL), where applicable with the search word used;
– The name and the URL of the accessed file;
– The status code (e.g. error report);
– The operating system of your computer;
– The browser you use (type, version and language);
– The transfer protocol used (e.g. HTTP/1.1) and where applicable your user name from registration/authentication;
– The host header name;
– The number of bytes sent by the server;
– The number of bytes received and processed by the server;
– The duration of access;
– The requested verb or word, such as the GET method (GETlocation);
– The goal of the requested verb or word, e.g. Default.htm.

The collection and processing of this data is done with the purpose of allowing the use of the website (establishing a connection), ensuring permanent system security and stability and optimising the website, as well as for internal statistical purposes. This represents our legitimate interest in data processing in accordance with Art. 6, paragraph 1 f, GDPR.

The IP address is also evaluated together with other data, in the event of attacks on the network infrastructure or other illegal or abusive use of the website to resolve the issue and defend against it, and, if necessary, within the scope of criminal proceedings, for identification purposes and for civil and criminal proceedings against the affected user. This represents our legitimate interest in data processing in accordance with Art. 6, paragraph 1 f, GDPR.

2. Contact by email
At various places on our website, you have the opportunity to contact us by email and ask us, for example, questions about website functionalities, bookings or services.

We only collect data that you disclose to us. Consequently, you are responsible for the content of your communication and have control over what information you submit to us. We recommend that you do not submit sensitive information. To answer your questions, we may ask you to provide us with additional information (e.g., your address, phone number, etc.). We will only collect the information that is necessary to answer your questions or to provide the services you request.

The processing of this data is therefore required in accordance with Art. 6, paragraph 1 b, GDPR to execute pre-contractual measures, or is in our legitimate interest as per Art. 6, paragraph 1 f, GDPR.

3. Booking of rental accommodation on our website
On our website you have the opportunity to reserve a rental accommodation. Reservations for rental accommodations can only be made on our website. We need the following data to process the booking (* mandatory):

– First name*
– Surname*
– Address*
– E-Mail*
– Confirm E-Mail*
– Phone*
– Est. Arrival
– Other request
– I accept general and fare terms and conditions*
– Credit card information*

We only collect and process the data to handle the booking, particularly to compile your booking enquiry according to your request, to make the booking and to contact you in the event of uncertainty or problems.

To process your booking, we work with the tool Kross of the company Solutions Plus s.r.l., located in Str. Prov. le Bitonto - Aeroporto Palese, 28 - 70128 Bari-Palese, Italy. The booking data is stored on servers at the following location: Italy. Further information about the transfer and processing of data by third parties can be found, on the one hand, in point C.4. of this privacy policy, and on the other hand on the website of Solutions Plus s.r.l. in its privacy policy. Furthermore, we will require you to provide your credit card information upon online booking in order to process payment of any contractually agreed fee. In this case, we forward your credit card information to your credit card issuer and the credit card acquirer. To process the payment, we work with the company Worldline Switzerland Ltd., Hardturmstrasse 201, CH-8021 Zürich. Regarding the processing of your credit card information by these third parties, we request that you also read the general terms and conditions and the data privacy statement of your credit card issuer.

The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.

4. Cookies
Along with many other things, cookies help us to make your visit to our website easier, more pleasant and effective. Cookies are information files which your web browser automatically saves on the hard drive of your computer, when you visit our website.

We use cookies, for example, to temporarily save the selected services and details when completing a form on the website, so that you do not have to repeat the input when visiting another sub-page. We only use cookies that are essential to provide you with an optimal website experience. We use cookies for statistical purposes (Google), for malicious traffic prevention (Cloudflare), and to provide UI elements (FontAwesome). We do not use any marketing cookies.

Most internet browsers accept cookies automatically. You can, however, configure your browser so that no cookies are saved on your computer, or a warning is always shown when you receive a new cookie. On the following pages you can find explanations of how to configure the handling of cookies with the most popular browsers:

Microsoft Windows Internet Explorer
Microsoft Windows Internet Explorer Mobile
Mozilla Firefox
Google Chrome for Desktop
Google Chrome for Mobile
Apple Safari for Desktop
Apple Safari for Mobile

The deactivation of cookies may, however, mean that you are not able to use all of the functions of our website.

5. Tracking tools and re-targeting
a. Google Analytics

To allow us to design our website to meet your needs and to continually optimise our website, we use the web analysis service of Google Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland respectively Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA ("Google"). Consequently, pseudonymised usage profiles are created and cookies are used (see above). The information generated by the cookie about your use of this website is transferred to a server of Google in the USA and processed there. In addition to the data listed under point 1, we also may receive the following information:

– The navigation path which the website visitor took,
– The time spent on the website or sub-page,
– The sub-page on which the website was exited,
– The country, region or city in which access was made,
– The end user device (type, version, colour depth, resolution, width and height of the browser window) and whether it was a repeat or new visitor.

Before being transferred to Google, the IP address is abbreviated by activating the IP anonymising function (“anonymizeIP”) on this website within a Member State of the European Union or in another EEC state respectively Switzerland. The masked IP address transferred by your browser due to Google Analytics is not compiled with other data from Google. Only in exceptional cases is the full IP address transferred to a server of Google in the USA and abbreviated there. In these cases we ensure, by undertaking contractual guarantees, that Google maintains an adequate level of data protection.

The information is used to evaluate the use of the website, to compile reports about website activities and to provide other services associated with the use of the website and the internet, for the purpose of market research and designing this website to meet your needs. This information is also transferred to third parties if necessary, if this is specified by law or if third parties process this data on our behalf.

The legal basis for processing data for these purposes is your consent in accordance with Art. 6, paragraph 1 a, GDPR. The consent can be revoked at any time with effect for the future.

Users can prevent the collection of data generated by the cookie and related to the website usage by the respective user (incl. the IP address) to Google as well as the processing of such data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Further information about the web analysis service can be found on the website of Google Analytics.

b. Google Tag Manager

We use Google Tag Manager by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland respectively Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA ("Google") on our website. Google Tag Manager is a solution that allows marketers to manage website tags through one interface. The Tag Manager tool is a cookie-less domain and does not collect any personal data. The tool takes care of triggering other tags, which in turn collect personal data. Google Tag Manager does not access this data, according to Google. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager. You can prevent the setting of tags at any time.

The legal basis for processing the data for this purpose is our legitimate interest according to Art. 6, paragraph 1 f, GDPR.

c. Cloudflare

On our website we use Cloudflare by the company Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) to enhance its speed and security. For this, Cloudflare uses cookies and processes user data. Cloudflare, Inc. is a US company that offers a content delivery network and various security services. These services take place between the user and our hosting provider.

Cloudflare is a content delivery network (CDN), a network of servers that are connected to each other. Cloudflare has deployed servers around the world, which ensure websites can appear on your screen faster. Cloudflare makes copies of our website and places them on its own servers. Thus, when you visit our website, a load distribution system ensures that the main part of our website is delivered by a server that can display our website to you as quickly as possible. The CDN significantly shortens the route of the transmitted data to your browser. Thus, Cloudflare does not only deliver our website’s content from our hosting server, but from servers from all over the world. Cloudflare is particularly helpful for users from abroad, since pages can be delivered from a nearby server. In addition to the fast delivery of websites, Cloudflare also offers various security services, such as DDoS protection, or the web application firewall.

Cloudflare generally only transmits data that is controlled by website operators. Therefore, Cloudflare does not determine the content, but the website operator themselves does. Additionally, Cloudflare may collect certain information about the use of our website and may process data we send or data which Cloudflare has received certain instructions for. Mostly, Cloudflare receives data such as IP addresses, contacts and protocol information, security fingerprints and websites’ performance data. Log data for example helps Cloudflare identify new threats. That way, Cloudflare can ensure a high level of security for our website.

Furthermore, Cloudflare uses a cookie for security reasons. The cookie (__cfduid) is used to identify individual users behind a shared IP address, and to apply security settings for each individual user. The cookie is useful if, for example, you use our website from a restaurant where several infected computers are located. However, if your computer is trustworthy, we can recognise that with the cookie. Hence, you will be able to surf our website freely and without worry, despite the infected PCs in your area. The cookie is essential for Cloudflare’s security functions and cannot be deactivated.

The legal basis for processing the data for this purpose is our legitimate interest according to Art. 6, paragraph 1 f, GDPR.

d. Fontawesome

On our website we use Fontawesome of Fonticons, Inc., 6 Porter Road, Apartment 3R, Cambridge, MA 02140, USA, in order to provide the fonts which the web browser needs to display the website. For this purpose we process connection data and browser data. This data is processed only for the time needed to select and transfer the fonts.

The legal basis for processing the data for this purpose is our legitimate interest according to Art. 6, paragraph 1 f, GDPR.

6. Links to our social media channels
On our website we have links to our social media profiles. The links lead to the following networks:

– Facebook of Meta Platforms Inc., One Hacker Way Menlo Park, CA 94025, USA or, if you are a resident in the EU, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; and
– Instagram of Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.

If you click on symbols of the social networks, you are automatically forwarded to our profile page on the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives the information that you have visited our website with your IP address and clicked on the link.

If you click on a link to a network while you are logged into your user account with the respective network, the content of our website may be linked to your profile, so that the network can assign your visit to our website directly to your account. If you want to prevent that, you should log out before clicking on the corresponding links. A connection between your access to our website and your user account takes place in any case if you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Please therefore note the information on the website of the network.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6, paragraph 1 f, GDPR in the use and promotion of our social media profiles.

7. Social media plugins
On our website, you can use social plugins from the providers listed below:

– Facebook of Meta Platforms Inc., One Hacker Way Menlo Park, CA 94025, USA or, if you are a resident in the EU, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; and
– Instagram of Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.

We use the social plugins to make it easier for you to share content from our website. The social plugins help us to increase the visibility of our content on social networks and thus contribute to better promotion of our offerings.

The plugins are deactivated by default on our websites and therefore do not send any data to the social networks when you simply call up our website. To increase data protection, we have integrated the plugins in such a way that a connection is not automatically established with the network’s servers. Only when you activate the plugins and thus give your consent to the transmission and further processing of data by the providers of the social networks, does your browser establish a direct connection to the servers of the respective social network.

The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by it. This provides the respective provider with the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted from your browser directly to a server of the provider (usually in the USA) and stored there. We have no influence on the scope of the data that the provider collects with the plugin, although from a data protection perspective we can to a certain extent be considered jointly responsible with the relevant social network provider.

If you are logged in to the social network, it can assign your visit to our website directly to your user account. If you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g. that you like a product of ours) may also be published on the social network and possibly displayed to other users of the social network. The provider of the social network may use this information for the purpose of placing advertisements and designing a respective offering according to your interests. For this purpose, usage, interest and relationship profiles could be created, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network. The purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks, as well as your rights in this regard and options for changing your settings to protect your privacy can be found directly in the data protection information of the respective provider.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins. Your consent within the meaning of Art. 6, paragraph 1 a, GDPR forms the legal basis for the data processing described. You can revoke your consent at any time by declaring your revocation to the provider of the plugin in accordance with the information in their data protection notice.

B. DATA PROCESSING ASSOCIATED WITH YOUR VISIT
1. Data processing to meet legal reporting obligations
A check-in email will be sent to you a few days prior to the arrival. The check-in process can only be done online. We require the following details from you and the people travelling with you (* mandatory):

– First name and surname*
– Full residential address*
– Nationality*
– Scan of the official ID from all guests*
– Date of arrival and departure

We collect these details to meet our legal reporting obligations, based in particular on the hospitality and police laws. If we are obliged to do so by the applicable regulations, we forward this information to the responsible police authorities.

The legal basis for the processing of these data is the fulfilment of legal provisions as per Art. 6, paragraph 1 c, GDPR.

2. Data processing to execute booked services in general
For your stay we may process and collect the following details from you and the other people travelling with you (* mandatory):

– First name and surname*
– Full residential address*
– Nationality*
– Scan of the official ID from all guests*
– Selfie of the main guest*
– Date of birth
– Date of arrival and departure
– Room number
– Preferences and habits

We collect these details not only to fulfil our contractual and pre-contractual obligations to you, but also to be able to offer you the best-possible service.

The legal basis for this data processing lies in the fulfilment of a contract according to Art. 6, paragraph 1 b, GDPR.

3. Data processing to perform other services
Your name and surname, the number of your rental accommodation, and your date of arrival and departure will be provided to our Housekeeping department, who will provide you with housekeeping services.

Finally, if you use extra services during your visit (e.g. parking) the subject of the service and the time of the service are recorded by us for invoicing purposes.

The processing of these data is therefore required for us to execute the contract in accordance with Art. 6, paragraph 1 b, GDPR.

C. FURTHER INFORMATION
1. Central saving and linking of data
We may store the data specified in this privacy policy in a central electronic data processing system (so-called CRM/ PMS). The data relating to you is systematically recorded and linked for the purpose of processing and handling the contractual services. Within the framework of data protection regulations, we may also enrich the data with data from publicly accessible sources (e.g. press or Internet). For this purpose, we use software from Kross Booking, Solutions Plus s.r.l. in Str. Prov. Le Bitonto – Aeroporto Palese, 28 – 70128 Bari-Palese, Italy.

The processing of this data as part of the CRM/PMS is based on our legitimate interest within the meaning of Art. 6, paragraph 1 f, GDPR in a customer-friendly and efficient customer data management.

2. Duration of storage
The maximum storage time for personal data is as long as a business relationship is maintained, in order to use the afore-mentioned tracking services as well as the further processing within the scope of our legitimate interest. Contract data is stored by us for a longer period of time, if this is specified by legal storage obligations. Such obligations, which oblige us to store data, arise from the provisions concerning bookkeeping, invoicing and the tax law. According to these provisions, business communication, concluded contracts and accounting documents have to be stored for up to 10 years. If we no longer require this data to provide the services for you, the data is blocked. This means that the data can only be used for invoicing and tax purposes.

3. Forwarding of data to third parties
We only forward your personal data if you have explicitly agreed to it, if there is a legal obligation to do so, or if this is necessary to assert our rights, in particular to assert claims from the contractual relationship. Furthermore, we forward your data to third parties if this is necessary within the scope of the use of the website and the processing of the contract (also outside of the website), namely the processing of your bookings.

Various third-party service providers have been mentioned explicitly in this privacy policy (e.g. Google, etc.) and the purpose of the transfer of data has been mentioned. Another service provider to whom personal data is forwarded or who has or could have access, is our web hosting company Solutions Plus s.r.l. located in Str. Prov. Bitonto - Aerop. Palese, 28 - Bari, Italy. The website is hosted on servers in Italy. The transfer of data is done with the purpose of providing and maintaining the functions of our website. The legal basis for processing data for this purpose is our legitimate interest according to Art. 6, paragraph 1 f, GDPR.

Finally, for payments by credit card made on our website, we forward your credit card information to your credit card issuer and the credit card acquirer. We use the software of the company Worldline Switzerland Ltd., Hardturmstrasse 201, CH-8021 Zürich. When you make a payment by credit card, you will be requested to enter all the mandatory information. The legal basis for the transfer of data is the fulfilment of a contract according to Art. 6, paragraph 1 b, GDPR. With regards to the processing of your credit card information by these third parties, we request that you also read the general terms and conditions and the data privacy statement of your credit card issuer.

4. Transfer of personal data abroad
We are permitted to also transfer your personal data to third-party companies (commissioned service providers) for the purpose of data processing described in this privacy policy. They are obliged to maintain the same level of data protection as we have. If the level of data protection in a particular country does not correspond to the Swiss or European level, we will ensure by means of a contract (incl. additional adequate measures), that the protection of your personal data meets the level of protection in Switzerland or the EU at all times.

5. Note on the transfer of data to the USA
Some of the third-party service providers mentioned in this privacy policy have their registered office in the USA. For the sake of completeness, we would like to point out for users who are resident or domiciled in Switzerland or the EU that monitoring measures are in place in the USA carried out by US authorities, which generally enable the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the USA authorities to the data and their subsequent use to very specific, strictly limited purposes that are capable of justifying the interference associated both with the access to these data and with their use. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies that would allow them to obtain access to the data relating to them and to have it corrected or deleted, nor is there any effective legal protection against general access rights of US authorities. We explicitly draw the attention of the data subjects to this legal and factual situation in order to enable them to make an appropriately informed decision regarding consent to the use of their data.

We would like to point out to users who are resident in Switzerland or a member state of the EU that, from the perspective of the European Union and Switzerland, the USA does not have a sufficient level of data protection – among other things, due to the issues mentioned in this section. To the extent that we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is protected at an appropriate level with our partners through contractual arrangements with these companies as well as any additional appropriate safeguards required to protect the rights of persons whose personal data is transferred to a third country.

6. Your rights
Provided that the legal requirements are met, you have the following rights as a data subject:

Right of access: You have the right to request access to your personal data stored by us at any time and free of charge when we process it. This gives you the opportunity to check what personal data we process about you and that we use it in accordance with applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we will inform the recipients of the data concerned of the rectifications made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data erased under certain circumstances. In individual cases, especially in the case of legal retention obligations, the right to deletion may be excluded. In this case, the deletion may be replaced by a blocking of the data if the conditions are met.

Right to restrict processing: You have the right to request that the processing of your personal data be restricted.

Right to data portability: You have the right to obtain from us, free of charge, the personal data you have provided to us in a readable format.

Right to object: You can object to data processing at any time, in particular for data processing in connection with direct advertising (e.g. advertising emails).

Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past do not become unlawful because of your revocation.

To exercise these rights, please send us an email to the following address:
dataprotection@badruttspalace.com

Right of complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way your personal data is processed.

7. Data security
We take appropriate technical and organisational security measures to protect the personal data we have saved from manipulation, full or partial loss and unauthorised third-party access. Our safety measures are continually adapted in line with the development of technology.

You should always treat your access data as confidential and close the browser window once you have finished communication with us, in particular if you share the computer with other people.

We also take the protection of data in our own company very seriously. Our employees and the service providers commissioned by us have been obliged to confidentiality and to comply with the legal provisions concerning data protection.

8. Contact
If you have any questions regarding data protection on our website, would like to request more information or would like to have your data deleted, please contact us by sending an email to dataprotection@badruttspalace.com.

Please send your request by letter to the following address:
Badrutt’s Palace Hotel AG
Data Protection Townhouse St. Moritz
Via Serlas 27
7500 St. Moritz
Switzerland

Updated: April 2022