Privacy Policy of Soul and Kitchen Saas Fee GmbH Hotel Marmotte

We, Soul & Kitchen GmbH, located at Brunnengasse 5, CH-3906 Saas-Fee, operate the Hotel Marmotte at Hannigstrasse 47 as well as the website www.hotelmarmotte.ch, and unless otherwise stated in this privacy policy, are responsible for the data processing activities listed in this privacy policy. So that you are aware of which personal data we collect from you and for what purposes we use them, please take note of the information below. Our approach to data protection is primarily based on the legal provisions of Swiss data protection law, particularly the Federal Act on Data Protection (DSG), as well as the GDPR, the provisions of which may apply in individual cases. Please note that the following information can be reviewed and changed from time to time. Therefore, we recommend that you regularly review this privacy policy. Furthermore, for some of the data processing activities listed below, other companies may be responsible for data protection or share responsibility with us, so in these cases, the information provided by these providers is also relevant.

 

2. Contact for Data Protection

If you have questions about data protection or would like to exercise your rights, please contact our data protection officer by sending an email to the following address:

info@hotelmarmotte.ch

 

3. Scope and Purpose of the Collection, Processing, and Use of Personal Data

3.1 Data Processing When Contacting Us"

When you get in touch with us through our contact addresses and channels (e.g., via email, telephone, or contact form), your personal data will be processed. The data you have provided to us, such as your name, email address, or phone number, and your request will be processed. In addition, the time of receipt of the request is documented. Mandatory information is marked with an asterisk (*) in contact forms. We process this data to address your request (e.g., providing information about our hotel, assisting with contract processing such as inquiries about your booking, incorporating your feedback into improving our services, etc.). To handle contacts made via the contact form, we use the CMS Contao https://www.contao.org.
Information about the processing of data by third parties and any transmission abroad can be found under item 5 of this privacy policy.
The legal basis for these data processing activities is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR in implementing your request or, if your request is aimed at the conclusion or execution of a contract, the necessity for carrying out the required measures within the meaning of Art. 6 Para. 1 lit. b GDPR.

 

3.2 Data Processing During Bookings

3.2.1 Booking Request via Our Website

On our website, you have the opportunity to request an overnight stay. For this, we collect the following data, where mandatory fields are marked with an asterisk (*) during the booking process:

Salutation
First Name
Last Name
Email
Booking Details
Remarks
Confirmation of acknowledgement and agreement concerning terms and conditions and privacy policies

We use the data to create a booking quote. We need your email address to confirm your booking and for future communication necessary for contract processing with you. We store your data along with the side notes of the booking (e.g., room category, stay period as well as designation, price, and features of the services), as well as the information regarding the handling and fulfillment of the contract (e.g., receipt and handling of complaints) to ensure a proper booking process and contract fulfillment. As far as necessary for contract fulfillment, we will also pass on the required information to possible third-party service providers (e.g., organizers or transport companies).
The provision of data that are not marked as mandatory is voluntary. We process this data to tailor our offer to your personal needs as best as possible, to facilitate contract processing, to contact you via an alternative communication channel if necessary for contract fulfillment, or for statistical recording and evaluation to optimize our offers. The legal basis for this data processing is your consent according to Art. 6 Para. 1 lit. a GDPR. You can revoke your consent at any time by notifying us.
For booking processing via our website, we use the CMS Contao https://www.contao.org
Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy. The legal basis for this data processing is the fulfillment of a contract with you according to Art. 6 Para.1 lit. b GDPR.

3.2.2 Booking via a Booking Platform

If you make bookings via a third-party platform (i.e., via Booking, Hotelcard, Expedia, HRS, etc.), we receive various personal data related to the booking from the respective platform operator. This usually involves the data listed in this privacy policy. In addition, requests concerning your booking may be forwarded to us. We will specifically process this data to record your booking as per your request and to provide the booked services. The legal basis for data processing for this purpose is the implementation of pre-contractual measures and the fulfillment of a contract according to Art. 6 Para. 1 lit. b GDPR. Finally, we may exchange personal data with the platform operators in connection with disputes or complaints related to a booking, as far as necessary to protect our legitimate interests. This may include data on the booking process on the platform or data regarding the booking or processing of services and your stay with us.

We process this data to safeguard our legitimate claims and interests in the handling and maintenance of our contractual relationships with the following platform operators:

* Booking.com, Oosterdokskade 163, 1011 DL, Netherlands. For more information on data processing in connection with Booking.com, visit: https://www.booking.com/content/privacy.en.html
* Hotelcard, Burgstrasse 18, 3600 Thun, Switzerland. For more information on data processing in connection with Hotelcard, visit: https://hotelcard.ch/en/pages/privacy-policy
* HRS, AG Walzmühlestrasse 48, 8504 Frauenfeld, Switzerland. For more information on data processing in connection with HRS, visit: https://www.hrs.com/privacypolicy
* Expedia, Seattle, Washington, United States. For more information on data processing in connection with Expedia, visit: https://www.expedia.ch/lp/b/lg-privacypolicy
Your data will be stored in the databases of the platform operators, which allows them access to your data. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.
The legal basis for data processing for this purpose lies in our legitimate interest according to Art. 6 Para. 1 lit. f GDPR.

3.3 Data Processing When Reserving a Table

On our website, you have the opportunity to request a table reservation at a restaurant mentioned on our website. For this, we collect the following data, where mandatory fields are marked with an asterisk (*) during the reservation via the website:
* First Name
* Last Name
* Number of Guests
* Email Address
* Phone Number
* Comment
* Date and Time of the Reservation
We collect and process the data to handle the reservation, especially to make your reservation request as per your wish and to contact you in case of uncertainties or problems. We store your data along with the marginal data of the reservation (e.g., date and time of entry, etc.), the data concerning the reservation, and details for the handling and fulfillment of the contract (e.g., receipt and handling of complaints) to ensure correct reservation processing and contract fulfillment.
For handling table reservations, we use the CMS Contao https://contao.org


Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy. The legal basis for data processing for this purpose is the fulfillment of a contract with you according to Art. 6 Para. 1 lit. b GDPR.

3.4 Data Processing During Payment Processing
3.4.1 Payment Processing at the Hotel

When you purchase products, avail services, or pay for your stay at our hotel using electronic payment methods, the processing of personal data is necessary. By using the payment terminals, you transmit the information stored in your payment instrument, such as the cardholder's name and card number, to the involved payment service providers (e.g., payment solution providers, credit card issuers, and credit card acquirers). They also receive information that the payment instrument was used at our hotel, the amount, and the time of the transaction. In turn, we only receive the credit of the amount of the payment at the corresponding time, which we can assign to the relevant receipt number, or information that the transaction was not possible or was canceled. Always take note of the information of the respective company, especially the privacy policy and the general terms and conditions. For payment processing, we use a software application from Worldline Switzerland AG, Hardturmstrasse 201, 8005 Zurich, Switzerland. Therefore, your data may be stored in a database of Worldline Switzerland AG, which can allow Worldline Switzerland AG to access your data if necessary for the provision of the software and for assistance in using the software. Information about the processing of data by third parties and any transfer abroad can be found under item 5 of this privacy policy. The legal basis of our data processing lies in the fulfillment of a contract with you according to Art. 6 para. 1 lit. b GDPR.

3.5 Data Processing for Recording and Billing of Availed Services

If you avail services during your stay (e.g., additional nights, wellness, restaurant, activities), in addition to your contract data, the booking data (e.g., time and remarks) and the data regarding the booked and availed service (e.g., subject matter, price, and time of service usage) are recorded and further processed by us to handle the service, as described in items 3.2 and 3.3.
The legal basis of our data processing lies in the fulfillment of a contract according to Art. 6 para. 1 lit. b GDPR.

3.6 Data Processing During the Use of Our WiFi Network

In our hotel, you have the opportunity to use our WiFi network free of charge. To prevent abuse and to penalize unlawful behaviors, prior registration is required. You transmit the following data to us:
* Mobile phone number
* MAC address of the device (automatically)

In addition to the aforementioned data, data on the time and date of use as well as the used device are recorded every time the WiFi network is used. The legal basis for these processing is your consent according to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future. For the provision of our WiFi network, we work with
Swisscom, Alte Tiefenaustrasse 6, 3048 Ittigen, Switzerland. Therefore, your data may be stored in a Swisscom database, which can allow Swisscom access to your data if necessary for the provision of the software and for assistance in using the software. Information about the processing of data by third parties can be found under item 5 of this privacy policy. Further information about data processing by Swisscom can be found at https://www.swisscom.ch/en/residential/legal-information.html

3.7 Data Processing for Fulfilling Legal Reporting Obligations

Upon arrival at our hotel, we may need the following information from you and your accompanying persons, where mandatory information is marked with an asterisk (*) on the respective form:
* Salutation
* First and last name
* Billing address
* Date of birth
* Nationality
* Arrival and departure day
We collect this information to fulfill legal reporting obligations, which arise particularly from the hospitality or police law. As far as we are obligated by the applicable regulations, we forward this information to the responsible authority.
The legal basis for the processing of this data lies in our legitimate interest according to Art. 6 para. 1 lit. c GDPR in complying with our legal obligations.

3.8 Data Processing for Applications

You have the opportunity to apply to us spontaneously or for a specific job vacancy for employment in our company. We process the personal data you provide.
We use the data you provide to review your application and suitability for employment.
The data is only stored as an email. The legal basis for processing your data for this purpose lies in the handling of a contract (pre-contractual phase) according to Art. 6 para.1 lit. b GDPR.

 

4. Central data storage in the CRM system Fidelio reservation system


In cases where a clear association with your person is possible, we will store the data described in this privacy policy, i.e., particularly your personal details, your contacts, and your contract data in the database of the reservation system. This serves the efficient management of customer data, allows us to adequately process your concerns, and facilitates the efficient provision of the services you desire and the handling of the associated contracts. The legal basis for this data processing is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR for the efficient management of user data. We further evaluate this data in order to continuously develop our offers based on your needs and to be able to show and suggest to you the most relevant information and offers. For central data storage in the CRM system, we use the micros Fidelio Suite V8 software application. The data will also be stored in the reservation system even after the fulfillment of the contract. The legal basis for these data processing actions is our legitimate interest under Art. 6 para. 1 lit. f GDPR in conducting marketing activities.

 

5. Disclosure and Transfer Abroad

 

5.1 Disclosure to Third Parties and Third Party Access


Without the support of other companies, we could not provide our services in the desired manner. In order to utilize the services of these companies, to a certain extent, the sharing of your personal data with these companies is necessary. Information is only shared with selected third-party service providers and only to the extent required for the optimal provision of our services. Various third-party service providers are explicitly mentioned in this privacy policy. Moreover, these service providers are:

* Booking.com, Oosterdokskade 163, 1011 DL, Netherlands. For further information about data processing in connection with Booking.com, please visit: https://www.booking.com/content/privacy.de.html
* HRS, AG Walzmühlestrasse 48, 8504 Frauenfeld, Switzerland. For further information about data processing in connection with HRS, please visit: https://www.hrs.de/privacypolicy
* Expedia, Seattle, Washington, United States. For further information about data processing in connection with Expedia, please visit: https://www.expedia.ch/lp/b/lg-privacypolicy

In these instances, the legal basis is the necessity of fulfilling a contract in the sense of Art. 6 para. 1 lit. b GDPR. Your data will also be shared wherever it is necessary to fulfill the services you requested, i.e., for instance, with restaurants or providers of other services for which you have made a reservation through us. The legal basis here is also the necessity of fulfilling a contract according to Art. 6 para. 1 lit. b GDPR. For these data processes, the third-party service providers are the responsible parties in the sense of the data protection laws, not us. It is the duty of these third-party service providers to inform you about their own data processing activities, which go beyond sharing data for the provision of services, and to comply with data protection laws.

Moreover, your data might be shared, especially with authorities, legal advisors or debt collection agencies, if we are legally obliged to do so, or if this is necessary to protect our rights, particularly to enforce claims arising from the relationship with you. Data can also be shared if another company intends to acquire our company or parts of it, and such sharing is necessary to conduct a due diligence review or to execute the transaction. For these data processes, our legitimate interest in the sense of Art. 6 para. 1 lit. f GDPR in protecting our rights and fulfilling our duties or selling our company or parts thereof forms the legal basis.

 

5.2 Transfer of Personal Data Abroad

We are authorized to transfer your personal data to third parties abroad if this is necessary for the data processing mentioned in this privacy policy. Individual data transfers have been mentioned previously in clause 3. The legal provisions for disclosing personal data to third parties are, of course, observed. The states to which data is transferred include those that, according to decisions by the Federal Council and the EU Commission, have an adequate level of data protection (such as the EEA member states or Switzerland from the EU's perspective) but also those states (such as the USA) whose level of data protection is not considered to be adequate (see Annex 1 of the Data Protection Ordinance (DSV) and the website of the EU Commission). If the concerned country does not have an adequate level of data protection, we ensure, unless an exception (see Art. 49 GDPR) is indicated in individual cases, through appropriate guarantees that your data are adequately protected at these companies. Unless otherwise stated, these are standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, which can be accessed on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please contact our data protection contact person (see clause 2).

5.3 Notes on Data Transfers to the USA

Some of the third-party service providers mentioned in this privacy policy are based in the USA. For the sake of completeness, we point out to users residing or based in Switzerland or the EU that in the USA, surveillance measures exist by US authorities that generally allow the storage of all personal data of all individuals whose data has been transferred from Switzerland or the EU to the USA. This is done without differentiation, limitation, or exception based on the pursued goal and without an objective criterion that would limit the access of US authorities to the data and their subsequent use to very specific, strictly limited purposes that could justify both the access to this data and its use. Furthermore, we point out that in the USA, there are no legal remedies or effective judicial protection against general access rights of US authorities for the affected individuals from Switzerland or the EU, which would allow them to gain access to their data and seek its correction or deletion. We explicitly draw your attention to this legal and factual situation to enable you to make an informed decision to consent to the use of your data. We also inform users residing in Switzerland or an EU member state that, from the perspective of the European Union and Switzerland – among other things due to the explanations made in this clause – the USA does not have an adequate level of data protection. As far as we have explained in this privacy policy that recipients of data (e.g., Google) are based in the USA, we will ensure through contractual arrangements with these companies and possibly additional necessary suitable guarantees that your data are adequately protected at our third-party service providers.

6. Background Data Processing on our Website

6.1 Data Processing During Your Visit to Our Website (Log File Data)
When you visit our website, the servers of our hosting provider LTC Logic Tide GmbH, Haltenstrasse 27, 3906 Saas-Fee, Switzerland, temporarily store every access in a log file (logfile). The following data is recorded without your intervention and stored by us until automated deletion:

- IP address of the requesting computer;
- Date and time of access;
- Name and URL of the retrieved file;
- Website from which access was made, possibly with the used search term;
- Possibly the operating system of your computer and the browser you used (including type, version, and language settings);
- Device type in case of access through mobile phones;
- City or region from where access took place;

The collection and processing of this data serves the purpose of enabling the use of our website (establishing a connection), ensuring the system security and stability permanently, facilitating the error and performance analysis, and optimizing our website (see also section 6.4 on the last points).
In the event of an attack on the network infrastructure of the website or suspicion of other unauthorized or abusive use of the website, the IP address and other data are evaluated to clarify and fend off the situation, and possibly used in civil or criminal proceedings to identify against the respective user. In the previously described purposes, our legitimate interest lies in accordance with Art. 6 para. 1 lit. f GDPR, which constitutes the legal basis for data processing.
Lastly, when visiting our website, we use cookies as well as applications and tools based on the use of cookies. In this context, the data described here can also be processed. You can find more detailed information on this in the following sections of this privacy policy, especially in the subsequent section 6.2.

6.2 Cookies
Cookies are information files that your web browser stores on your computer's hard drive or memory when you visit our website. Cookies are assigned identification numbers through which your browser is identified, and the information contained in the cookie can be read.
Cookies help to make your visit to our website simpler, more pleasant, and more meaningful, among other things. We use cookies for various purposes that are necessary for the desired use of the website, i.e., "technically necessary". For example, we use cookies to identify you as a registered user after a login without you having to log in again when navigating the various sub-pages. The provision of the order and booking functions is also based on the use of cookies. Furthermore, cookies also take over other technical functions necessary for the operation of the website, such as so-called load balancing, i.e., the distribution of the page's performance load on different web servers to relieve the servers. Cookies are also used for security purposes, e.g., to prevent unauthorized posting of content. Finally, we use cookies in the design and programming of our website, e.g., to enable the uploading of scripts or codes.
The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in providing a user-friendly and modern website. Most internet browsers accept cookies automatically. However, when accessing our website, we ask for your consent for the technically unnecessary cookies we use, especially when using third-party cookies for marketing purposes. You can make the desired settings using the corresponding buttons in the cookie banner. You can find details on the services and data processing associated with individual cookies within the cookie banner and in the following sections of this privacy policy.
You can possibly also configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. The following pages provide explanations on how to configure the processing of cookies for selected browsers:

- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox

Disabling cookies may result in you not being able to use all the functions of our website.

 

6.3 Google Custom Search Engine

On this website, we use the Programmable Search Engine from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). This enables us to provide you with an efficient search function on our website.
By pressing the enter key or clicking the search button, the search function is activated, and the search results from Google are displayed on the search results page via an embedding (iFrame). When retrieving the search results, a connection is established with Google's servers, and your browser may transmit the log file data listed in section 6.1 (including IP address) and the search term you entered to Google. This may also involve data transfer to servers abroad, e.g., the USA (see in this regard, especially regarding the lack of an adequate level of data protection and the intended guarantees, sections 5.2 and 5.3). The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in providing an efficient website search function. For the further processing of data by Google, please note Google's privacy policy: www.google.com/intl/de_de/policies/privacy.

6.4 Web Analysis Tools
We currently do not use any web analysis service.

6.5 Social Media Profiles

On our website, we have embedded links to our profiles on the social networks of the following providers:
- Meta Platforms Inc., 1601 S California Ave, Palo Alto, CA 94304, USA, Privacy Notice; https://www.meta.com/de-de/help/quest/articles/accounts/privacy-information-and-settings/meta-privacy-policies/
When you click on the icons of the social networks, you are automatically redirected to our profile on the respective network. This establishes a direct connection between your browser and the server of the respective social network. Consequently, the network receives information that you have visited our website with your IP address and clicked on the link. This may also involve data transfer to servers abroad, e.g., the USA (see in this respect, especially regarding the lack of an adequate level of data protection and the intended guarantees, sections 5.2 and 5.3).
If you click on a link to a network while logged into your user account on that network, the content of our website can be linked to your profile, allowing the network to directly associate your visit to our website with your account. If you want to prevent this, you should log out before clicking the respective links. A connection between your access to our website and your user account takes place in any case when you log in to the respective network after clicking the link. The respective provider is responsible for the associated data processing according to data protection laws. Please, therefore, observe the privacy notices on the network's website.
The legal basis for any data processing attributed to us is our legitimate interest under Art. 6 para. 1 lit. f GDPR in utilizing and promoting our social media profiles.

6.5.1 Social Media Links

On our website, you can use social media plugins from the following listed providers:
- Meta Platforms Inc., 1601 S California Ave, Palo Alto, CA 94304, USA, Privacy Notice; https://www.meta.com/de-de/help/quest/articles/accounts/privacy-information-and-settings/meta-privacy-policies/
We use the social media links to facilitate the sharing of content from our website. The social media links help us increase the visibility of our content on social networks and thus contribute to better marketing.
The links are deactivated by default on our websites and therefore do not send data to the social networks when simply accessing our website. To enhance privacy, we have integrated the links in such a way that a connection to the network servers is not automatically established. Only when you activate the links by clicking on them and thereby give your consent for data transmission and further processing by the providers of the social networks, does your browser establish a direct connection to the servers of the respective social network. The content of the link is transmitted directly to your browser by the social network. This way, the respective provider receives information that your browser has accessed the respective page of our web presence, even if you do not have an account on this social network or are not currently logged into it. This information (including your IP address) is transmitted directly from your browser to a server of the provider (usually in the USA) and stored there (see in this respect, especially regarding the lack of an adequate level of data protection and the intended guarantees, sections 5.2 and 5.3). We have no control over the extent of data collected by the provider using the link, although we may be considered jointly responsible with the providers to a certain extent from a data protection perspective. If you are logged into the social network, it can directly associate your visit to our website with your user account. If you interact with the link, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g., that you like a product or service of ours) may also be published on the social network and possibly shown to other users of the social network. The provider of the social network may use this information for the purpose of placing ads and tailoring the respective offer to your needs. This could involve creating usage, interest, and relationship profiles, for example, to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website, and to provide other services associated with the use of the social network. The purpose and scope of data collection and further processing and use of data by the providers of the social networks, as well as your rights in this regard and setting options for protecting your privacy, can be taken directly from the privacy notices of the respective provider.
If you do not want the provider of the social network to associate the data collected via our web presence with your user account, you must log out of the social network before activating the links. In the described data processing, your consent under Art. 6 para. 1 lit. a GDPR forms the legal basis. You can revoke your consent at any time by declaring your revocation to the link provider according to the information in its privacy notices.

7. Retention Periods

We store personal data only as long as necessary to perform the processing explained in this privacy policy within the scope of our legitimate interest. The storage of contract data is prescribed by legal retention obligations. Obligations requiring us to retain data arise from accounting provisions and tax regulations. According to these regulations, business communications, completed contracts, and booking receipts must be retained for up to 10 years. As soon as we no longer need this data to provide services for you, the data will be blocked. This means that the data may then only be used if this is necessary to fulfill the retention obligations or to defend and enforce our legal interests. Data deletion will take place as soon as there are no retention obligations and no legitimate interest in retaining the data anymore.

8. Datasecurity


We employ appropriate technical and organizational security measures to protect your personal data stored with us against loss and unlawful processing, specifically unauthorized access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and to adhere to data protection regulations. Furthermore, these individuals are only granted access to personal data to the extent necessary to fulfill their duties.
Our security measures are continuously adapted according to technological developments. However, the transmission of information over the internet and electronic communication methods always entails certain security risks, and we can therefore not provide an absolute guarantee for the security of information transmitted in this manner.

9. Your rights

 

If the legal requirements are met, you as a person affected by data processing have the following rights:

Right to Information: You have the right to request access at any time to the personal data we store and process about you, free of charge. This allows you to check what personal data we are processing about you and whether we are processing it in accordance with applicable data protection regulations.

Right to Rectification: You have the right to have incorrect or incomplete personal data corrected and to be informed about the correction. In this case, we also inform the recipients of the affected data about the adjustments we have made, unless this is impossible or involves disproportionate effort.

Right to Erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to erasure may be excluded. In this case, under certain conditions, a block on the data can be imposed instead of deletion.

Right to Restriction of Processing: You have the right to request that the processing of your personal data be restricted.

Right to Data Portability: You have the right to receive the personal data that you have provided to us, free of charge, in a readable format.

Right to Object: You can object to data processing at any time, especially in cases of data processing associated with direct marketing (e.g., marketing emails).

Right to Withdraw Consent: You generally have the right to withdraw consent at any time. However, processing activities based on your consent in the past are not made unlawful by your withdrawal.

To exercise these rights, please send us an email at the following address:
info@hotelmarmotte.ch

Right to Lodge a Complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g., against the manner of the processing of your personal data.