Terms of Use and Privacy Policy

General Terms and Conditions of Contract and Travel

General Terms and Conditions of Contract and Travel
The General Terms and Conditions (GTC) shall apply to all future services to be provided by CT for the benefit of legal entities or natural persons ("customer[s]").

• AGB Chur Tourismus

1. Contact Addresses

Responsibility for the processing of personal data:

Chur Tourism
Poststrasse 43
7000 Chur

info@churtourismus.ch

In individual cases, there may be other responsible parties for the processing of personal data or joint responsibility with at least one other responsible party.

1.1 Data Protection Officer or Advisor

We have the following data protection officer or advisor as a contact point for affected individuals and authorities for inquiries related to data protection:

Fabian Maasch
Chur Tourism
Poststrasse 43
7000 Chur

info@churtourismus.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

info@churtourismus.ch

The data protection representation serves affected individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) as an additional contact point for inquiries related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Personal data are all information relating to an identified or identifiable natural person. An affected person is a person about whom we process personal data.

Processing includes any handling of personal data, regardless of the means and procedures used, such as querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, collecting, deleting, revealing, ordering, organizing, storing, altering, distributing, linking, destroying, and using personal data.

The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of particularly sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law, in particular the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

Where applicable, we process personal data in accordance with the General Data Protection Regulation (GDPR) based on at least one of the following legal bases:

• Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data for the performance of a contract with the affected person or to carry out pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect the legitimate interests of us or third parties, provided that the fundamental freedoms and rights and interests of the affected person do not prevail. Legitimate interests are in particular our interest to carry out our activities and operations permanently, user-friendly, secure, and reliable and to communicate about it, ensuring information security, protection against misuse, enforcement of our own legal claims, and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of Member States in the European Economic Area (EEA).
• Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the affected person.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the affected person or another natural person.

3. Type, Scope, and Purpose

We process those personal data that are necessary to carry out our activities and operations in a permanent, user-friendly, secure, and reliable manner. Such personal data can fall into the categories of inventory and contact data, browser and device data, content data, meta or peripheral data, usage data, location data, sales data, as well as contract and payment data.

We process personal data for the duration necessary for the respective purpose or purposes or as required by law. Personal data that is no longer necessary to process is anonymized or deleted.

We may have personal data processed by third parties. We may process personal data together with third parties or transmit it to third parties. These third parties are particularly specialized providers whose services we use. We also ensure data protection with such third parties.

We principally process personal data only with the consent of the affected individuals. To the extent that processing for other legal reasons is permissible, we may forego obtaining consent. For example, we may process personal data without consent in order to fulfill a contract, comply with legal obligations, or safeguard overriding interests.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of carrying out our activities and operations, to the extent that such processing is permissible for legal reasons.

4. Communication

We process personal data in order to communicate with third parties. In this context, we particularly process data transmitted by an affected person when making contact, for example, by postal mail or email. We may store such data in an address book or with similar tools.

Third parties transmitting data about other persons are obliged to ensure data protection towards such affected persons. Among other things, this requires ensuring the accuracy of the transmitted personal data.

We use selected services from suitable providers to better communicate with third parties.

We particularly use:

• Google Forms: Online form service; Provider: Google; Google Forms-specific information on data protection: "Security, Compliance, and Privacy".
• Microsoft Forms: Online form service; Provider: Microsoft; Microsoft Forms-specific information on data protection: "Privacy and Compliance", "Security and Privacy".

5. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we ensure in particular the confidentiality, availability, traceability, and integrity of the processed personal data, although we cannot guarantee absolute data security.

Access to our website and other online presence is secured via transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers indicate transport encryption with a small padlock in the address bar.

Our digital communication is – like essentially all digital communication – subject to mass surveillance without cause and suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the respective processing of personal data by intelligence services, police stations, and other security authorities. We also cannot exclude the possibility that individual affected persons are being monitored specifically.

6. Personal Data Abroad

We principally process personal data in Switzerland and the European Economic Area (EEA). However, we can also export or transmit personal data to other countries, in particular, to process it or have it processed there.

We can export personal data to all states and territories on Earth and elsewhere in the universe, provided that the respective law ensures adequate data protection according to the decision of the Swiss Federal Council and – to the extent that the General Data Protection Regulation (GDPR) is applicable – according to the decision of the European Commission.

We can transmit personal data to countries whose law does not ensure adequate data protection if data protection is guaranteed for other reasons, in particular based on standard data protection clauses or with other suitable guarantees. Exceptionally, we can export personal data to countries without adequate or suitable data protection if the special data protection legal requirements are met, for example, the explicit consent of the affected persons or a direct connection with the conclusion or performance of a contract. We gladly provide affected persons with information about any guarantees upon request or provide a copy of any guarantees.

7. Rights of Affected Persons

7.1 Data Protection Legal Claims

We grant affected individuals all claims according to applicable data protection law. Affected individuals have in particular the following rights:

• Access: Affected individuals can request information on whether we process personal data concerning them, and if so, what personal data. Furthermore, affected individuals receive the information necessary to assert their data protection legal claims and ensure transparency. This includes the processed personal data itself, but also, among others, information on the purpose of processing, the duration of storage, any disclosure or possible export of data to other states, and the source of the personal data.
• Correction and Restriction: Affected individuals can correct inaccurate personal data, complete incomplete data, and restrict the processing of their data.
• Deletion and Objection: Affected individuals can have personal data deleted ("right to be forgotten") and object to the processing of their data with effect for the future.
• Data Release and Data Transfer: Affected individuals can request the release of personal data or the transfer of their data to another controller.

We may postpone, limit, or deny the exercise of rights by affected individuals within the legally permissible framework. We may inform affected individuals about any conditions that must be met for the exercise of their data protection legal claims. For example, we may partially or completely refuse to provide information referring to trade secrets or the protection of other persons. Similarly, we may also partially or completely refuse the deletion of personal data referring to statutory retention obligations.

We may exceptionally charge fees for the exercise of rights. We will inform affected individuals in advance about any possible costs.

We are required to identify affected individuals who request information or assert other rights with appropriate measures. Affected individuals are obliged to cooperate.

7.2 Legal Protection

Affected individuals have the right to enforce their data protection legal claims through legal proceedings or to file a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for complaints by affected individuals against private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities for complaints by affected individuals – to the extent that the General Data Protection Regulation (GDPR) is applicable – are organized as members in the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are federally structured, especially in Germany.

8. Use of the Website

8.1 Cookies

We may use cookies. Cookies – both our own cookies (First-Party Cookies) and cookies from third parties whose services we utilize (Third-Party Cookies) – are data stored in the browser. Such stored data need not be limited to traditional text-form cookies.

Cookies can be stored in the browser temporarily as "Session Cookies" or for a specific period as so-called permanent cookies. "Session Cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies, in particular, enable a browser to be recognized on a subsequent visit to our website and thereby, for example, measure the reach of our website. However, permanent cookies can also be used for online marketing.

Cookies can be deactivated and deleted in the browser settings in whole or in part at any time. Without cookies, our website may no longer be fully available. We request – at least to the extent necessary – active express consent to the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection ("Opt-out") for many services is possible via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2 Logging

We can log at least the following information for each access to our website and other online presences, provided such information is transmitted to our digital infrastructure during such accesses: date and time including timezone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transmitted data volume, last webpage called in the same browser window (referrer).

We log such information, which can also include personal data, in log files. This information is necessary to be able to provide our online presence in a permanent, user-friendly, and reliable manner. The information is also necessary to ensure data security – also by third parties or with the help of third parties.

8.3 Tracking Pixels

We may incorporate tracking pixels into our online presence. Tracking pixels are also referred to as web beacons. Tracking pixels – including those from third parties whose services we utilize – are usually small, invisible images or scripts formulated in JavaScript, which are automatically retrieved when accessing our online presence. Tracking pixels can capture at least the same information as logged in log files.

9. Notifications and Communications

We send notifications and communications via email and other communication channels such as instant messaging or SMS.

9.1 Success and Reach Measurement

Notifications and communications can contain weblinks or tracking pixels that capture whether an individual message was opened and which weblinks were clicked. Such weblinks and tracking pixels can also capture the use of notifications and communications in relation to specific individuals. We require this statistical capture of usage for success and reach measurement, to be able to send notifications and communications effectively and user-friendly based on the needs and reading habits of the recipients, and to ensure they are sent securely and reliably.

9.2 Consent and Objection

You must principally consent to the use of your email address and other contact addresses, unless the use is permitted for other legal reasons. To potentially obtain confirmed consent, we can use the "Double Opt-in" procedure. In this case, you will receive a message with instructions for double confirmation. We may log obtained consents including IP address and timestamp for proof and security reasons.

You can principally object to receiving notifications and communications such as newsletters at any time. With such an objection, you can simultaneously object to the statistical capture of usage for success and reach measurement. This does not affect mandatory notifications and communications related to our activities and operations.

9.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We particularly use:

• Mailchimp: Communication platform; Provider: The Rocket Science Group LLC DBA Mailchimp (USA) as a subsidiary of Intuit Inc. (USA); Privacy information: Privacy Policy (Intuit) including "Country and Region-Specific Terms", "Frequently Asked Questions about Privacy at Mailchimp", "Mailchimp and European Data Transfers", "Security", Cookie Policy, "Privacy Rights Requests", "Legal Terms".
• MAILINGWORK: Email marketing platform; Provider: Mailingwork GmbH (Germany); Privacy information: Privacy Policy, "Privacy Policy and Newsletter Dispatch – What needs to be considered?".

10. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC), terms of use, privacy policies, and other provisions of the individual operators of these platforms also apply. These provisions specifically inform about the rights of affected individuals directly against the respective platform, which includes, for example, the right to information.

For our social media presence on Facebook including the so-called page insights, we are – to the extent that the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page insights provide information on how visitors interact with our Facebook presence. We use page insights to effectively and user-friendly provide our social media presence on Facebook.

Further information about the type, scope, and purpose of data processing, information about the rights of affected individuals, and the contact details of Facebook as well as Facebook's data protection officer can be found in the Facebook Privacy Policy. We have concluded the so-called "Controller Addendum" with Facebook, thereby agreeing in particular that Facebook is responsible for ensuring the rights of affected individuals. For the so-called page insights, the corresponding information can be found on the page "Information about Page Insights" including "Information about Page Insights Data".

11. Third-Party Services

We use services from specialized third parties to be able to carry out our activities and operations in a permanent, user-friendly, secure, and reliable manner. Among other things, these services allow us to embed functions and content into our website. For technical reasons, when such embedding occurs, the used services at least temporarily capture the IP addresses of users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use can process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This may include performance or usage data, to provide their respective service.

We particularly use:

• Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General privacy information: "Principles of Privacy and Security", Privacy Policy, "Google's commitment to complying with applicable data protection laws", "Privacy Guide for Google Products", "How Google uses data from sites or apps that use our services", "Types of cookies and similar technologies used by Google", "Advertising you can influence" ("Personalized advertising").
• Microsoft Services: Providers: Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), Switzerland, and the United Kingdom / Microsoft Corporation (USA) for users in the rest of the world; General privacy information: "Privacy at Microsoft", "Privacy and data protection", Privacy Policy, "Data and privacy settings".

11.1 Digital Infrastructure

We use services from specialized third parties to access the necessary digital infrastructure related to our activities and operations. This includes, for example, hosting and storage services from selected providers.

We particularly use:

• exigo: Hosting; Provider: exigo ag (Switzerland); Privacy information: Privacy Policy, "Data Protection / Security".

11.2 Appointment Scheduling

We use services from specialized third parties to be able to schedule appointments online, for example, for meetings. In addition to this privacy policy, the conditions of the used services such as terms of use or privacy policies are also applicable.

We particularly use:

• Doodle: Online appointment scheduling; Provider: Doodle AG (Switzerland) as a subsidiary of TX Group AG (Switzerland); Privacy information: Privacy Policy, "General Terms and Conditions of the Processing of Personal Data".

11.3 Audio and Video Conferences

We use specialized services for audio and video conferences to be able to communicate online. This allows us to hold virtual meetings or conduct online teaching and webinars. Participation in audio and video conferences is subject to the legal texts of the individual services, such as privacy policies and terms of use.

We recommend, depending on the situation, to mute the microphone by default and to blur the background or use a virtual background when participating in audio or video conferences.

We particularly use:

• Zoom: Video conferences; Provider: Zoom Video Communications Inc. (USA); Privacy information: Privacy Policy, "Privacy at Zoom", "Legal Compliance Center".

11.4 Online Collaboration

We use third-party services to enable online collaboration. In addition to this privacy policy, the conditions of the used services such as terms of use or privacy policies are also applicable.

We particularly use:

• Asana: Platform for corporate collaboration; Provider: Asana Inc. (USA); Privacy information: "Trust at Asana", Privacy Policy, Bug Bounty Program.
• Slack: Platform for productive collaboration, especially via chat; Providers: Slack Technologies LLC (USA) for users in Canada and the USA / Slack Technologies Limited (Ireland) for users in the rest of the world; Privacy information: Privacy Policy, "Trust Center", "Frequently Asked Questions about Privacy", "Data Management: Transparency and Overview", Cookie Policy.

11.5 Map Material

We use third-party services to embed maps into our website.

We particularly use:

• Outdooractive: Map service; Provider: Outdooractive AG (Germany); Privacy information: Privacy Policy.

11.6 Digital Audio and Video Content

We use services from specialized third parties to enable direct playback of digital audio and video content such as music or podcasts.

We particularly use:

• Vimeo: Video platform; Provider: Vimeo Inc. (USA); Privacy information: Privacy Policy, "Private Video Hosting".
• YouTube: Video platform; Provider: Google; YouTube-specific information: "Privacy and Safety Center", "Your Data in YouTube".

11.7 Documents

We use third-party services to embed documents into our website. Such documents can include PDF files, presentations, spreadsheets, and text documents. This not only enables viewing but also editing or commenting on such documents.

11.8 E-Commerce

We operate e-commerce and use third-party services to successfully offer services, content, or goods.

We particularly use:

• TOMAS: Booking platform; Provider: my.IRS GmbH (Germany); Privacy information: Privacy Policy.

11.9 Payments

We use specialized service providers to securely and reliably process payments from our customers. The legal texts of each service provider, such as general terms and conditions (GTC) or privacy policies, apply additionally to the processing of payments.

We particularly use:

• Payyo: Payment processing for marketplaces and platforms in the leisure and tourism industry; Provider: TrekkSoft AG (Switzerland); Privacy information: Privacy Policy.
• TWINT: Payment processing in Switzerland; Provider: TWINT AG (Switzerland); Privacy information: Privacy Policy, "Security according to Swiss standards".
• Worldline: Payment processing, especially with mobile payment solutions; Providers: Worldline SA (France), Worldline Switzerland AG (Switzerland), and other Worldline companies worldwide (including in the USA); Privacy information: Privacy Policy, "Responsible Disclosure Program", Cookie Policy.

11.10 Advertising

We utilize the opportunity to display targeted advertising on third-party platforms such as social media platforms and search engines for our activities and operations.

We specifically aim to reach individuals already interested in our activities and operations or those who might be interested (remarketing and targeting). For this purpose, we may transmit corresponding – possibly personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, specifically whether it leads to visits to our website (conversion tracking).

Third parties, where we advertise and where you as a user are registered, may possibly associate the use of our website with your profile there.

We particularly use:

• Facebook Advertising (Facebook Ads): Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Privacy information: Remarketing and targeting particularly with the Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy, "Ad Preferences" (User login required).
• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising based on search queries, using various domain names – particularly doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads, "Advertising" (Google), "Manage ads you see".
• Instagram Ads: Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Privacy information: Remarketing and targeting particularly with Facebook Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy (Instagram), Privacy Policy (Facebook), "Ad Preferences" (Instagram) (User login required), "Ad Preferences" (Facebook) (User login required).

12. Success and Reach Measurement

We attempt to determine how our online offer is used. In this context, for example, we can measure the success and reach of our activities and operations as well as the impact of third-party links on our website. We can also try out and compare how different parts or versions of our online offer are used («A/B testing» method). Based on the results of success and reach measurement, we can especially fix errors, strengthen popular content, or make improvements to our online offer.

For success and reach measurement, the IP addresses of individual users are stored in most cases. In this case, IP addresses are basically shortened ("IP masking") to follow the principle of data minimization through corresponding pseudonymization.

In success and reach measurement, cookies may be used, and user profiles created. Possibly created user profiles include, for example, the visited individual pages or viewed contents on our website, information on the size of the screen or browser window, and the at least approximate location. Basically, any user profiles are created exclusively pseudonymized and not used for identifying individual users. Individual services of third parties, where users are registered, can possibly associate the use of our online offer with the user account or profile at the respective service.

We particularly use:

• Google Analytics: Success and reach measurement; Provider: Google; Google Analytics-specific information: Measurement also across different browsers and devices (cross-device tracking) as well as with pseudonymized IP addresses, which are only exceptionally transmitted in full to Google in the USA, "Privacy", "Browser Add-on for Disabling Google Analytics".
• Google Tag Manager: Integration and management of other services for success and reach measurement as well as other Google and third-party services; Provider: Google; Google Tag Manager-specific information: "Data collected by Google Tag Manager"; further privacy information is available for the individually integrated and managed services.

13. Video Surveillance

We use video surveillance for the prevention of crimes and for evidence in the event of crimes, for exercising, asserting, or defending legal claims, as well as for exercising our property rights. Where the General Data Protection Regulation (GDPR) is applicable, this constitutes a legitimate interest according to Art. 6 Para. 1 lit. f GDPR, with special protection of personal data referred to in Art. 9 Para. 2 lit. f GDPR.

We store recordings from our video surveillance as long as they are necessary for evidence purposes. Typically, the recordings are deleted or overwritten after 24 hours.

We may secure recordings based on legal obligations, to enforce our own legal claims, and in case of suspicion of criminal activities, and transmit them to competent authorities such as courts or law enforcement agencies.

14. Final Provisions

We created this privacy policy using the Data Protection Generator by Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We may adjust and supplement this privacy policy at any time. We will inform about such adjustments and supplements in an appropriate form, especially by publishing the respective current privacy