Terms of Use and Privacy Policy

General Terms and Conditions of Contract and Travel

General Terms and Conditions of Contract and Travel
The General Terms and Conditions (GTC) shall apply to all future services to be provided by CT for the benefit of legal entities or natural persons ("customer[s]").

• AGB Chur Tourismus

Privacy Policy

With this Privacy Policy, we inform you about the processing of personal data in connection with our activities and operations, including our chur.graubuenden.ch website. Specifically, we provide information on the purpose, manner, and location of our processing of personal data. We also inform individuals whose data we process about their rights.

Additional privacy policies or information on data protection may apply to individual or additional activities and operations.

We are subject to Swiss data protection law and, where applicable, to foreign data protection laws, particularly the European Union's (EU) General Data Protection Regulation (GDPR).

On July 26, 2000, the European Commission recognized that Swiss data protection law ensures adequate data protection. This adequacy decision was reaffirmed by the European Commission on January 15, 2024.

1. Contact Addresses

The party responsible in terms of data protection law is:

Chur Tourismus
Poststrasse 43
7000 Chur

info@churtourismus.ch

In individual cases, third parties may be responsible for processing personal data, or joint responsibility may exist with third parties. We will gladly inform affected persons upon request about the respective responsibility.

1.1 Data Protection Officer or Advisor

We have appointed the following data protection officer or advisor as a contact point for data subjects and authorities in connection with data protection matters:

Fabian Maasch
Chur Tourismus
Poststrasse 43
7000 Chur

info@churtourismus.ch

1.2 Data Protection Representative in the European Economic Area (EEA)

We have the following data protection representative in accordance with Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

info@churtourismus.ch

The data protection representative serves as an additional contact point for data subjects and authorities within the European Union (EU) and the rest of the European Economic Area (EEA) regarding questions related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Data Subject: A natural person about whom we process personal data.

Personal Data: All information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Data concerning trade union membership, political, religious or philosophical beliefs and activities, data relating to health, intimacy, ethnicity or race, genetic data, biometric data uniquely identifying a natural person, data concerning criminal or administrative sanctions or prosecutions, and data relating to measures of social assistance.

Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, matching, adapting, archiving, storing, retrieving, disclosing, collecting, recording, deleting, organizing, structuring, saving, altering, disseminating, linking, destroying, or otherwise using personal data.

European Economic Area (EEA): Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (OFADP).

Where and to the extent that the European General Data Protection Regulation (GDPR) applies, we process personal data based on at least one of the following legal bases:

• Art. 6(1)(b) GDPR for the necessary processing of personal data to perform a contract with the data subject or to take pre-contractual measures.
• Art. 6(1)(f) GDPR for the necessary processing of personal data to safeguard legitimate interests – including the legitimate interests of third parties – provided that the fundamental freedoms, rights, and interests of the data subject do not prevail. Such interests include, in particular, the continuous, user-friendly, secure, and reliable performance of our activities, ensuring information security, preventing misuse, enforcing our own legal claims, and complying with Swiss law.
• Art. 6(1)(c) GDPR for the necessary processing of personal data to comply with a legal obligation under applicable law of the Member States of the European Economic Area (EEA).
• Art. 6(1)(e) GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
• Art. 6(1)(a) GDPR for the processing of personal data based on the consent of the data subject.
• Art. 6(1)(d) GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
• Art. 9(2) ff. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.

The European General Data Protection Regulation (GDPR) defines the processing of personal data as the processing of identifiable personal data and the processing of special categories of personal data as processing of sensitive personal data (Art. 9 GDPR).

3. Type, Scope and Purpose of Processing Personal Data

We process those personal data that are necessary to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. The processed personal data may, in particular, fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data (including inventory and contact data), location data, transaction data, contract data, and payment data. The personal data processed may also include special categories of personal data.

We also process personal data obtained from third parties, publicly accessible sources, or collected during the course of our activities and operations, where such processing is lawful.

We process personal data as necessary with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to comply with legal obligations or to protect overriding interests. We may also request consent from data subjects even when not legally required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data in accordance with statutory retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may include specialized providers whose services we use.

In the context of our activities and operations, we may disclose personal data, in particular, to banks and other financial institutions, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance providers, and payment service providers.

5. Communication

We process personal data to communicate with individuals, authorities, organizations, and companies. In particular, we process data provided by a data subject during contact, for example, by postal mail or email. We may store such data in an address book or comparable systems.

Third parties who transmit data to us about other persons are obliged to ensure the data protection of those individuals independently. In particular, they must ensure that such data are accurate and may be lawfully transmitted.

We use selected services from suitable providers to enable and improve communication with individuals and other communication partners. These services may also allow us to manage and process data of affected persons beyond direct communication.

In particular, we use:

• Google Forms: Online form service; Provider: Google; Google Forms-specific privacy information: “Security, compliance, and privacy”.
• Microsoft Forms: Online form service; Provider: Microsoft; Microsoft Forms-specific privacy information: “Privacy and compliance”, “Security and privacy”.
• SurveyMonkey: Online form and survey service; Providers: SurveyMonkey Inc. (USA) / SurveyMonkey Europe UC (Ireland), as well as other SurveyMonkey entities and partners; Privacy information: “SurveyMonkey and privacy”, Privacy Policy, “Region-specific privacy statement”, “Security policies”.

6. Applications

We process personal data of applicants to the extent necessary to assess their suitability for an employment relationship or to implement an employment contract thereafter. The required personal data arise in particular from the requested information, for example, within a job advertisement. We may publish job postings with the help of suitable third parties, for example, in electronic and printed media or on job portals and platforms.

We also process personal data that applicants voluntarily provide or publish, particularly as part of cover letters, CVs, other application materials, or online profiles.

Where and to the extent that the General Data Protection Regulation (GDPR) applies, we process personal data of applicants, in particular, in accordance with Art. 9(2)(b) GDPR.

We use selected third-party services to publish job openings and to manage and facilitate applications through e-recruitment systems.

In particular, we use:

• Ostendis: E-recruitment; Provider: Ostendis AG (Switzerland); Privacy information: Privacy Policy.

7. Data Security

We take appropriate technical and organisational measures to ensure a level of data security appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although absolute data security cannot be guaranteed.

Access to our website and other digital presence is secured using transport encryption (SSL / TLS, in particular via Hypertext Transfer Protocol Secure (HTTPS)). Most browsers warn users before visiting a website without transport encryption.

Our digital communications are subject – as is generally the case with all digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over the corresponding processing of personal data by intelligence services, police, or other security authorities. Nor can we exclude the possibility that an affected individual may be specifically targeted for surveillance.

8. Personal Data Abroad

We generally process personal data in Switzerland and in the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular to process or have them processed there.

We may transfer personal data to all countries of the world and elsewhere in the universe, provided that the local law ensures adequate data protection according to a decision by the Swiss Federal Council and – where and to the extent the General Data Protection Regulation (GDPR) applies – also according to a decision by the European Commission.

We may transfer personal data to countries whose legislation does not guarantee adequate data protection, provided that data protection is ensured for other reasons, particularly based on standard data protection clauses or other appropriate safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if the specific data protection requirements are met, for example, the explicit consent of the data subject or a direct connection with the conclusion or performance of a contract. Upon request, we will gladly inform affected persons about existing guarantees or provide a copy thereof.

9. Rights of Data Subjects

9.1 Data Protection Claims

We grant data subjects all rights to which they are entitled under applicable law. In particular, data subjects have the following rights:

• Access: Data subjects may request information as to whether we process personal data about them, and if so, which personal data. They also receive information necessary to assert their data protection rights and to ensure transparency, including the processed personal data as such, the purpose of processing, retention period, any disclosure or transfer to other countries, and the source of the personal data.
• Rectification and Restriction: Data subjects may have incorrect personal data corrected, incomplete data completed, and the processing of their data restricted.
• Right to be heard and human review: Data subjects may express their point of view and request a human review in decisions based solely on automated processing of personal data that have legal consequences or significantly affect them (automated individual decisions).
• Erasure and Objection: Data subjects may request the deletion of personal data (“right to be forgotten”) and object to the processing of their data with future effect.
• Data Portability: Data subjects may request the release of their personal data or the transfer of their data to another controller.

We may postpone, restrict, or refuse the exercise of data subject rights within the legally permissible framework. We may also inform data subjects of conditions that must be met to exercise their data protection rights. For example, we may refuse disclosure based on confidentiality obligations, overriding interests, or the protection of other persons. Likewise, we may refuse deletion, particularly where legal retention obligations apply.

We may, in exceptional cases, charge costs for exercising rights. Data subjects will be informed in advance about any possible costs.

We are obliged to identify data subjects requesting information or exercising their rights using appropriate measures. Data subjects are required to cooperate in this identification process.

9.2 Legal Remedies

Data subjects have the right to enforce their data protection rights through legal proceedings or to file a report or complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organised as members of the European Data Protection Board (EDPB). In some Member States of the European Economic Area (EEA), data protection authorities have a federal structure, particularly in Germany.

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies – both our own (first-party cookies) and those from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data are not necessarily limited to traditional text-based cookies.

Cookies may be stored temporarily in the browser as “session cookies” or for a defined period as so-called “persistent cookies.” Session cookies are automatically deleted when the browser is closed. Persistent cookies have a specified retention period. Cookies make it possible, in particular, to recognise a browser upon the next visit to our website and thereby, for example, to measure reach. Persistent cookies can also be used for online marketing.

Cookies can be deactivated, restricted, or deleted at any time, wholly or partly, in the browser settings. Browser settings often also allow automatic deletion or other cookie management. Without cookies, our website may no longer function fully. Where required by applicable law, we actively request explicit consent for the use of cookies.

For cookies used for success and reach measurement or for advertising, a general opt-out is available through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

For each access to our website and other digital presence, we may log at least the following information, provided it is transmitted automatically or determined by our infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual subpages accessed on our website including data volume transmitted, and the previously visited website (referrer).

We record such data, which may also constitute personal data, in log files. This information is necessary to ensure the continuous, user-friendly, and reliable provision of our digital presence and to guarantee data security – including through third parties or with the help of third parties.

10.3 Tracking Pixels

We may integrate tracking pixels into our digital presence. Tracking pixels, also known as web beacons, are typically small, invisible images or JavaScript code snippets that are automatically loaded when accessing our digital presence. Tracking pixels – including those from third parties whose services we use – can collect at least the same information as recorded in log files.

11. Notifications and Communications

11.1 Success and Reach Measurement

Notifications and communications may contain web links or tracking pixels that record whether a message has been opened and which web links were clicked. Such links and pixels may also record the usage of notifications and communications on a personal basis. We use this statistical tracking to measure effectiveness and reach, ensuring our notifications and communications are sent effectively, in a user-friendly, secure, and reliable manner according to the recipients’ needs and reading habits.

11.2 Consent and Objection

You must generally consent to the use of your email address and other contact details, unless such use is permitted for other legal reasons. For obtaining double-confirmed consent, we may use a “double opt-in” procedure. In this case, you will receive a message with instructions for confirmation. We may log collected consents, including IP address and timestamp, for verification and security purposes.

You may generally object at any time to receiving notifications or communications such as newsletters. With such an objection, you may also object to the statistical tracking for success and reach measurement. Mandatory notifications and communications related to our activities and operations remain unaffected.

11.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

12. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and to provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The respective terms of service, usage policies, privacy policies, and other provisions of each platform operator also apply. These provisions provide information, in particular, about the rights of data subjects directly vis-à-vis the respective platform, such as the right of access.

For our Facebook social media presence, including the so-called Page Insights, we – where and to the extent that the General Data Protection Regulation (GDPR) applies – are joint controllers with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (including in the USA). Page Insights provide information about how visitors interact with our Facebook page. We use Page Insights to make our Facebook presence effective and user-friendly.

Further information on the nature, scope, and purpose of data processing, on the rights of data subjects, and on Facebook’s contact details, including its data protection officer, can be found in the Facebook Privacy Policy. We have entered into the “Controller Addendum” with Facebook, which defines, among other things, that Facebook is responsible for ensuring the rights of data subjects. For the so-called Page Insights, corresponding information can be found on the page “Information about Page Insights”, including “Information about Page Insights Data”.

13. Third-Party Services

We use services provided by specialized third parties to conduct our activities and operations on a sustainable, user-friendly, secure, and reliable basis. Such services may allow us to embed functions and content into our website. In doing so, these services must, for technical reasons, at least temporarily record the IP addresses of users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in aggregated, anonymized, or pseudonymized form. Such data typically include performance or usage information required to operate the respective service.

In particular, we use:

• Google services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland), partly for users in the European Economic Area (EEA) and Switzerland; General privacy information: “Privacy and security principles”, “Learn more about how Google uses personal data”, Privacy Policy, “Google’s commitment to data protection laws”, “Privacy Guide for Google Products”, “How we use data from sites or apps that use our services”, Cookie Policy, “Ads you control” (settings for personalised ads).
• Microsoft services: Providers: Microsoft Ireland Operations Limited (Ireland) for users in the EEA, Switzerland, and the United Kingdom / Microsoft Corporation (USA) for users elsewhere; General privacy information: Privacy Statement, “Privacy and trust center”, “Data and privacy settings”.

13.1 Digital Infrastructure

We use services provided by specialized third parties to access the necessary digital infrastructure for our activities and operations. These include, for example, hosting and storage services provided by selected suppliers.

In particular, we use:

• exigo: Hosting; Provider: exigo ag (Switzerland); Privacy information: Privacy Policy, “Privacy / Security”.

13.2 Appointment Scheduling

We use services provided by specialized third parties to arrange appointments online, for example, for meetings. In addition to this privacy policy, the visible terms and conditions or privacy policies of the respective services apply.

In particular, we use:

• Doodle: Online appointment scheduling; Provider: Doodle AG (Switzerland), a subsidiary of TX Group AG (Switzerland); Privacy information: Privacy Policy, “General Terms and Conditions for Data Processing”.

13.3 Online Collaboration

We use third-party services to enable online collaboration. In addition to this privacy policy, the respective usage terms or privacy policies of these services also apply.

In particular, we use:

• Microsoft Teams: Platform for productive collaboration, particularly for audio and video conferences; Provider: Microsoft; Teams-specific information: “Security and Compliance in Microsoft Teams,” especially “Privacy”.
• Slack: Platform for collaborative communication, especially via chat; Providers: Slack Technologies LLC (USA) for users in Canada and the USA / Slack Technologies Limited (Ireland) for users elsewhere; Privacy information: Privacy Policy, “Trust Center”, “Privacy FAQ”, “Data Management: Transparency and Clarity”, Cookie Policy.

13.4 Maps

We use third-party services to embed maps into our website.

In particular, we use:

• Google Maps including Google Maps Platform: Mapping service; Provider: Google; Google Maps-specific information: “How Google uses location information”.
• Outdooractive: Mapping service; Provider: Outdooractive AG (Germany); Privacy information: Privacy Policy.

13.5 Digital Content

We use services provided by specialized third parties to embed digital content into our website. Digital content includes, in particular, images and videos, music, and podcasts.

In particular, we use:

• Vimeo: Video platform; Provider: Vimeo Inc. (USA); Privacy information: Privacy Policy, “Private Video Hosting”.
• YouTube: Video platform; Provider: Google; YouTube-specific information: “Privacy and Safety Center”, “My Data on YouTube”.

13.6 Documents

We use third-party services to embed documents into our website. Such documents may include PDF files, presentations, spreadsheets, and text documents. We may also allow not only viewing but editing or commenting on these documents.

In particular, we use:

• Canva: Digital documents; Provider: Canva Pty Ltd (Australia); Privacy information: Privacy Policy, “Trust”, “Security at Canva”, Cookie Policy.

13.7 E-Commerce

We operate e-commerce and use third-party services to successfully offer services, content, or goods.

In particular, we use:

• Holidu Smart Destination: Booking platform; Provider: Holidu GmbH (Germany); Privacy information: Privacy Policy.

13.8 Payments

We use specialized service providers to process payments securely and reliably. The legal documents of each provider, such as terms of service or privacy policies, also apply to payment processing.

In particular, we use:

• Payyo: Payment processing for marketplaces and platforms in the leisure and tourism industry; Provider: TrekkSoft AG (Switzerland); Privacy information: Privacy Policy.
• PostFinance: Payment processing; Provider: PostFinance AG (Switzerland); Privacy information: “Legal Notice and Accessibility”, “Data Protection” (including privacy statements).
• SumUp: Card payment processing; Providers: SumUp Payments Limited (United Kingdom) / SumUp Limited (Ireland) / SumUp EU Payments UAB (Lithuania); Privacy information: Privacy Policy, Cookie Policy, “Security & Privacy”.
• TWINT: Payment processing in Switzerland; Provider: TWINT AG (Switzerland); Privacy information: Privacy Policy, “Security according to Swiss Standards”.
• Worldline: Payment processing, particularly via mobile payment solutions; Providers: Worldline SA (France), Worldline Switzerland AG (Switzerland), and other Worldline entities worldwide (including in the USA); Privacy information: Privacy Policy, “Responsible Disclosure Program”, Cookie Policy.

13.9 Advertising

We use the option to display targeted advertising by third parties, such as on social media platforms and search engines, to promote our activities and operations.

Through such advertising, we aim to reach individuals who are already interested in or might be interested in our activities and operations (remarketing and targeting). For this purpose, we may transmit relevant – in some cases personal – data to third parties that enable such advertising. We may also determine whether our advertising is successful, i.e. whether it leads to visits to our website (conversion tracking).

Third parties with whom we advertise and with whom you are registered as a user may potentially associate the use of our website with your respective profile.

In particular, we use:

• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: advertising based on search queries, using domains such as doubleclick.net, googleadservices.com, and googlesyndication.com; Advertising Privacy Policy, “Manage ads directly via Ad Settings”.
• Meta Ads: Social media advertising on Facebook and Instagram; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Privacy information: Targeting, including retargeting, with the Meta Pixel and Custom Audiences, including Lookalike Audiences; Privacy Policy, “Ad Preferences” (user login required).

14. Success and Reach Measurement

We measure the success and reach of our activities and operations. In this context, we may also evaluate the impact of third-party references or test how different parts or versions of our digital presence are used (“A/B testing”). Based on these results, we can correct errors, strengthen popular content, or make improvements.

For success and reach measurement, the IP addresses of individual users are typically recorded. IP addresses are generally truncated (“IP masking”) to follow the principle of data minimization through pseudonymization.

Cookies may be used, and user profiles may be created for success and reach measurement. Such user profiles may include, for example, visited subpages or viewed content, information about the size of the screen or browser window, and the – at least approximate – location. As a rule, user profiles are created exclusively in pseudonymized form and not used to identify individual users. Certain third-party services where users are logged in may link the use of our online offering to the respective account or profile.

In particular, we use:

• Google Marketing Platform: Success and reach measurement, particularly with Google Analytics; Provider: Google; Platform-specific details: measurement across browsers and devices (cross-device tracking) using pseudonymized IP addresses, which are transmitted in full to Google in the USA only in exceptional cases; Privacy Policy for Google Analytics, “Browser Add-on to Disable Google Analytics”.
• Google Tag Manager: Integration and management of Google and third-party services, particularly for success and reach measurement; Provider: Google; Specific details: Privacy Policy for Google Tag Manager; further privacy information is available from the integrated and managed services.

15. Final Notes on the Privacy Policy

This privacy policy was created using the Privacy Policy Generator by Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We may update this privacy policy at any time. We will provide information about updates in an appropriate manner, particularly by publishing the current version on our website.