Data Privacy Policy
Privacy Policy
With this Privacy Policy, we inform you about the personal data we process in connection with our activities and operations, including our aparthotel-davos.ch website. We provide information, in particular, about the purposes, methods, and locations of our data processing activities. We also inform you about the rights of individuals whose data we process.
For specific or additional activities and operations, additional privacy policies, as well as other legal documents such as General Terms and Conditions (GTC), Terms of Use, or Participation Conditions, may apply.
We are subject to Swiss data protection law, as well as potentially applicable foreign data protection law, such as the European Union’s (EU) General Data Protection Regulation (GDPR). The European Commission recognizes that Swiss data protection law ensures adequate data protection.
1. Contact Addresses
Responsible for the processing of personal data:
Muchetta Immo-Invest AG
Aussergasse 18
7494 Davos Wiesen
Switzerland
muchetta@aparthotel-davos.ch
We will inform you if there are other controllers responsible for the processing of personal data in individual cases.
1.1 Data Protection Officer
We have the following data protection officer as a contact person for affected individuals and as a point of contact for supervisory authorities regarding data protection inquiries:
Sylvia Bärtschi
Muchetta Immo-Invest AG
Aussergasse 18
7494 Davos Wiesen
Switzerland
sylvia.baertschi@aparthotel-davos.ch
1.2 Data Protection Representation in the European Economic Area (EEA)
We have the following data protection representative in accordance with Art. 27 GDPR. The data protection representative serves as an additional point of contact for supervisory authorities and individuals in the European Union (EU) and the rest of the European Economic Area (EEA) regarding inquiries related to the General Data Protection Regulation (GDPR):
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
sylvia.baertschi@aparthotel-davos.ch
2. Terms and Legal Basis
2.1 Terms
Personal data refers to any information relating to an identified or identifiable individual. An affected person is an individual about whom personal data is processed.
Processing includes any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction of personal data.
The European Economic Area (EEA) includes the member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.
2.2 Legal Basis
We process personal data in accordance with Swiss data protection law, in particular, the Federal Data Protection Act (FADP) and the Ordinance to the Federal Data Protection Act (FADPO).
If and to the extent the General Data Protection Regulation (GDPR) is applicable, we process personal data based on at least one of the following legal bases:
Article 6(1)(b) GDPR for the necessary processing of personal data for the performance of a contract with the data subject or for the implementation of pre-contractual measures.
Article 6(1)(f) GDPR for the necessary processing of personal data to protect our legitimate interests or the legitimate interests of third parties, provided that the fundamental rights and freedoms of the data subject do not override those interests. Legitimate interests include, in particular, our interest in exercising our activities and operations on a permanent, user-friendly, secure, and reliable basis, as well as communicating about them, ensuring information security, protecting against misuse, enforcing our own legal claims, and complying with Swiss law.
Article 6(1)(c) GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
Article 6(1)(e) GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
Article 6(1)(a) GDPR for the processing of personal data with the data subject’s consent.
Article 6(1)(d) GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
3. Type, Scope, and Purpose
We process personal data that is necessary to conduct our activities and operations on a permanent, user-friendly, secure, and reliable basis. Such personal data may include categories of inventory and contact data, browser and device data, content data, metadata, usage data, location data, sales data, and contract and payment data.
We process personal data for the duration necessary for the respective purpose(s) or as required by law. Personal data that is no longer required will be anonymized or deleted.
We may engage third parties to process personal data on our behalf. We may also process or disclose personal data jointly with third parties. Such third parties are primarily specialized service providers whose services we utilize. We ensure data protection also with regard to such third parties.
We process personal data only with the consent of the data subject, unless processing is permitted for other legal reasons. Processing without consent may be permissible, for example, to fulfill a contract with the data subject and for corresponding pre-contractual measures, to protect our overriding legitimate interests, because processing is evident from the circumstances, or after prior information.
In this context, we particularly process information voluntarily provided by the data subject when contacting us—for example, by postal mail, email, instant messaging, contact forms, social media, or telephone—or when registering for a user account. We may store such information in an address book or using similar tools. When we receive data about other individuals, the transmitting individuals are obliged to ensure data protection and the accuracy of such personal data with respect to those individuals.
We also process personal data obtained from third parties, publicly accessible sources, or collected during the exercise of our activities and operations, provided that such processing is permitted under legal grounds.
4. Personal Data Abroad
We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may export or transmit personal data to other countries, especially for the purpose of processing them there.
We may export personal data to all countries and territories on Earth as well as elsewhere in the Universe, provided that the local law ensures adequate data protection based on the assessment of the Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB) or based on a decision by the Swiss Federal Council, and, if applicable, ensures adequate data protection according to a decision by the European Commission (Commission).
We may transfer personal data to countries where the local law does not provide adequate data protection, provided that data protection is ensured for other reasons, in particular based on standard data protection clauses or other appropriate safeguards. In exceptional cases, we may export personal data to countries without adequate or suitable data protection if the specific data protection requirements are met, such as obtaining the explicit consent of the data subjects or a direct connection to the conclusion or performance of a contract. Upon request, we will gladly provide data subjects with information about any safeguards or provide a copy of the safeguards.
5. Rights of Data Subjects
Data subjects whose personal data we process have rights under Swiss data protection law. These rights include the right to information as well as the right to correction, deletion, or blocking of the processed personal data.
Data subjects whose personal data we process may, if and to the extent the General Data Protection Regulation (GDPR) applies, request confirmation free of charge as to whether we are processing personal data concerning them. In this case, data subjects may request information about the processing of their personal data, restrict the processing of their personal data, exercise their right to data portability, and have their personal data corrected, deleted (“right to be forgotten”), blocked, or completed.
Data subjects whose personal data we process may, if and to the extent the GDPR applies, revoke their consent given to us at any time with effect for the future and object at any time to the processing of their personal data.
Data subjects whose personal data we process have the right to lodge a complaint with a competent supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (EDÖB).
6. Data Security
We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. However, we cannot guarantee absolute data security.
Access to our website is secured using transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers indicate transport encryption with a padlock icon in the address bar.
Our digital communication is subject to mass surveillance without cause or suspicion, as well as other surveillance by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries, as is the case with digital communication in general. We have no direct influence on the corresponding processing of personal data by intelligence agencies, police authorities, and other security authorities.
7. Use of the Website
7.1 Cookies
We may use cookies. Cookies, both first-party cookies (cookies set by the website itself) and third-party cookies (cookies set by third-party services we use), are data stored in the browser. Such stored data is not limited to traditional text-based cookies.
Cookies can be stored in the browser temporarily as “session cookies” or for a specific period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies, in particular, allow recognizing a browser on the next visit to our website, thus enabling, for example, the measurement of our website’s reach. However, permanent cookies can also be used for online marketing purposes.
Cookies can be disabled or deleted completely or partially in the browser settings at any time. Without cookies, our website may not be fully available. We request the explicit consent for the use of cookies, at least if and to the extent required.
For cookies used for success and reach measurement or for advertising, many services provide a general opt-out option through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
7.2 Server Log Files
We may collect the following information for each access to our website, provided it is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transferred data volume, and the last visited website in the same browser window (referrer).
We store such information, which may also constitute personal data, in server log files. The information is necessary to permanently, user-friendly, and reliably provide our website, ensure data security, and especially protect personal data – also by third parties or with the assistance of third parties.
7.3 Tracking Pixels
We may use tracking pixels on our website, also known as web beacons. Tracking pixels, including those from third parties whose services we use, are small, usually invisible images that are automatically retrieved when visiting our website. Tracking pixels can collect the same information as server log files.
8. Notifications and Messages
We send notifications and messages via email and other communication channels such as instant messaging or SMS.
8.1 Success and Reach Measurement
Notifications and messages may contain web links or tracking pixels that record whether an individual message has been opened and which web links have been clicked. Such web links and tracking pixels can also record the use of notifications and messages on a personal level. We require this statistical tracking of usage for success and reach measurement in order to effectively and user-friendly send notifications and messages based on the needs and reading habits of the recipients, as well as to provide them permanently, securely, and reliably.
8.2 Consent and Objection
In principle, you must expressly consent to the use of your email address and other contact addresses unless the use is permitted for other legal reasons. Whenever possible, we use the “double opt-in” procedure for obtaining consent, which means you will receive an email with a web link that you must click to confirm your consent, thereby preventing misuse by unauthorized third parties. We may log such consent, including the Internet Protocol (IP) address, date, and time, for evidentiary and security purposes.
In principle, you can object to receiving notifications and messages, such as newsletters, at any time. By objecting, you can also object to the statistical tracking of usage for success and reach measurement. Necessary notifications and messages related to our activities and operations remain reserved.
8.3 Service Providers for Notifications and Messages
We send notifications and messages with the help of specialized service providers.
In particular, we use:
Mailchimp: Communication platform; Provider: The Rocket Science Group LLC DBA Mailchimp (USA), a subsidiary of Intuit Inc. (USA); Privacy information: Privacy Statement (Intuit) including “Country and Region-Specific Terms”, “Mailchimp Intuit Privacy FAQ”, “Mailchimp and European Data Transfers”, “Security”, Cookie Policy, “Privacy Rights Requests”, “Legal Terms”.
9. Social Media
We have a presence on social media platforms and other online platforms to communicate with interested individuals and provide information about our activities and operations. In connection with such platforms, personal data may be processed outside of Switzerland and the European Economic Area (EEA).
The terms and conditions (T&Cs) and privacy policies of the respective platform operators also apply. These provisions provide information, in particular, about the rights of data subjects directly with respect to the respective platform, including the right to access information.
For our Facebook social media presence, including the so-called Page Insights, we are jointly responsible – to the extent the General Data Protection Regulation (GDPR) applies – with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). The Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to effectively and user-friendly provide our social media presence on Facebook.
Further information about the nature, scope, and purpose of data processing, information about the rights of data subjects, as well as contact details for Facebook and the Facebook Data Protection Officer can be found in the Facebook Privacy Policy. We have concluded the so-called “Controller Addendum” with Facebook, thereby agreeing, among other things, that Facebook is responsible for ensuring the rights of data subjects. The corresponding information for Page Insights can be found on the “Information about Page Insights” page, including “Information about Page Insights Data”.
10. Third-Party Services
We use services from specialized third parties to perform our activities and operations permanently, user-friendly, securely, and reliably. With such services, we can embed functions and content into our website. In the case of such embedding, the used services, for technical reasons, temporarily record the Internet Protocol (IP) addresses of the users.
For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized form. This includes performance or usage data to provide the respective service.
In particular, we use:
Google services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General information about data protection: “Privacy and Security Principles”, Privacy Policy, “Google is committed to complying with applicable data protection laws”, “Privacy in Google Products Guide”, “How Google uses information from sites or apps that use our services” (Google’s information), “Types of cookies and other technologies used by Google”, “Personalized Advertising” (Activation / Deactivation / Settings).
Microsoft services: Providers: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), the United Kingdom, and Switzerland; General information about data protection: “Privacy at Microsoft”, “Privacy (Trust Center)”, Privacy Statement.
10.1 Digital Infrastructure
We use services from specialized third parties to be able to use the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.
In particular, we use:
exigo: Hosting; Provider: exigo ag (Switzerland); Information on data protection: Privacy Policy, “Data Protection / Security”.
WordPress.com: Blog hosting and website builder; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users in Europe among others; Information on data protection: Privacy Policy, Cookie Policy.
10.2 Audio and Video Conferencing
We use specialized services for audio and video conferencing to communicate online. This allows us to hold virtual meetings, conduct online classes, and webinars. The participation in audio and video conferences is subject to the terms and conditions and privacy policies of the respective services.
Depending on your situation, we recommend muting the microphone by default and blurring the background or using a virtual background during audio and video conferences.
We use the following services in particular:
Facebook Messenger: Video conferencing; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Data privacy information: “Communicate with Confidence”, “Privacy and Security in Messenger”, “Privacy Center” (Meta), Privacy Policy (Meta).
Skype: Audio and video conferencing; Skype-specific providers: Skype Communications SARL (Luxembourg) / Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), the United Kingdom, and Switzerland; Data privacy information: “Legal Information about Skype”, “Privacy and Security”.
10.3 Map Data
We use third-party services to embed maps into our website.
In particular, we use:
Google Maps including Google Maps Platform: Mapping service; Provider: Google; Google Maps-specific information: “How Google uses location information”.
Outdooractive: Mapping service; Provider: Outdooractive AG (Germany); Data privacy information: Privacy Policy.
10.4 Fonts
We use third-party services to embed selected fonts as well as icons, logos, and symbols into our website.
In particular, we use:
Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: “Privacy and Google Fonts”, “Privacy and Data Collection”.
10.5 Advertising
We utilize the opportunity to display targeted advertisements for our activities and services on third-party platforms such as social media platforms and search engines.
Our goal with such advertising is to reach individuals who are already interested in or might be interested in our activities and services (remarketing and targeting). To achieve this, we may transmit relevant – possibly including personal – information to third parties that enable such advertising. We may also determine the success of our advertising, particularly whether it leads to visits on our website (conversion tracking).
Third parties on which we advertise and where you are logged in as a user may associate the usage of our online offerings with your respective profile.
We primarily use the following:
Facebook Advertising (Facebook Ads): Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Data privacy information: Remarketing and targeting, in particular with Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy, “Ad Preferences” (user login required).
Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising based on search queries, using various domain names – especially doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads, “Advertising” (Google), “Why am I seeing this ad?”.
Instagram Ads: Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Data privacy information: Remarketing and targeting, in particular with Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy (Instagram), Privacy Policy (Facebook), “Ad Preferences” (Instagram) (user login required), “Ad Preferences” (Facebook) (user login required).
11. Website Extensions
We use extensions for our website to enable additional functionality.
In particular, we use:
Google reCAPTCHA: Spam protection (distinguishing between desired comments from humans and undesired comments from bots and spam); Provider: Google; Google reCAPTCHA-specific information: “What is reCAPTCHA?”.
jQuery (Google Hosted Libraries): Free JavaScript library; Provider: Google; Google Hosted Libraries-specific information: “What does using Google Hosted Libraries mean for the privacy of my users?”.
12. Success and Reach Measurement
We utilize services and programs to determine how our online offerings are used. Within this framework, we can measure the success and reach of our activities and services, as well as the impact of third-party links to our website. Additionally, we may experiment with and compare how different versions or parts of our online offerings are used (using the “A/B test” method). Based on the results of success and reach measurement, we can address errors, strengthen popular content, and make improvements to our online offerings.
When using services and programs for success and reach measurement, individual user Internet Protocol (IP) addresses must be stored. IP addresses are generally truncated (“IP masking”) to follow the principle of data minimization through pseudonymization, thereby improving user data privacy.
When using services and programs for success and reach measurement, cookies may be employed, and user profiles may be created. User profiles may include, for example, visited pages or viewed content on our website, information about screen size or browser windows, and at least approximate location. Generally, user profiles are created solely in a pseudonymized manner. We do not use user profiles to identify individual users. However, certain third-party services may associate the usage of our online offerings with the user’s account or profile on their respective platforms.
We primarily use the following:
Google Analytics: Success and reach measurement; Provider: Google; Google Analytics-specific information: Measurement across different browsers and devices (cross-device tracking), pseudonymized Internet Protocol (IP) addresses, which are transmitted to Google in the USA only exceptionally and in a complete form, “Data Privacy”, “Browser Add-on for disabling Google Analytics”.
Google Tag Manager: Integration and management of other services for success and reach measurement, as well as additional services from Google and third parties; Provider: Google; Google Tag Manager-specific information: “Data collected with Google Tag Manager”; further information regarding data privacy can be found with each integrated and managed service.
13. Final Provisions
We have created this data privacy policy using the Data Privacy Generator from Datenschutzpartner.
We reserve the right to modify and supplement this data privacy policy at any time. We will inform about such modifications and supplements in an appropriate manner, particularly by publishing the respective updated data privacy policy on our website.
