Privacy Policy

With this Privacy Policy we provide information about the processing of personal data in connection with our activities and operations, including our website under the domain name hotelschlossragaz.ch. In particular, we inform you about what personal data we process, for what purposes, how, and where. We also inform you about the rights of persons whose data we process.

For individual or additional activities and operations, we may publish further privacy policies or other information relating to data protection.

We are subject to Swiss law as well as any applicable foreign law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

By decision of 26 July 2000 , the European Commission recognized that Swiss data protection law ensures an adequate level of data protection. With its report of 15 January 2024 , the European Commission confirmed this adequacy decision.

Table of Contents

• 1. Contact Details
• Data Protection Officer or Data Protection Advisor
• 2. Definitions and Legal Bases
• 2.1 Definitions
• 2.2 Legal Bases
• 3. Nature, Scope and Purpose of the Processing of Personal Data
• 4. Disclosure of Personal Data
• 5. Communication
• 6. Applications
• 7. Data Security
• 8. Personal Data Abroad
• 9. Rights of Data Subjects
• 9.1 Data Protection Claims
• 9.2 Legal Remedies
• 10. Use of the Website
• 10.1 Cookies
• 10.2 Logging
• 10.3 Tracking Pixels
• 11. Notifications and Messages
• 11.1 Success and Reach Measurement
• 11.2 Consent and Objection
• 11.3 Service Providers for Notifications and Messages
• 12. Social Media
• 13. Third-Party Services
• 13.1 Digital Infrastructure
• 13.2 Map Material
• 13.3 Fonts
• 13.4 E-Commerce
• 13.5 Payments
• 13.6 Advertising
• 14. Website Extensions
• 15. Success and Reach Measurement
• 16. Video Surveillance
• 17. Final Notes on the Privacy Policy

1. Contact Details

The controller within the meaning of data protection law is:

Hotel Schloss Ragaz AG
Schloss-Strasse 1
7310 Bad Ragaz

info@hotelschlossragaz.ch

In individual cases, third parties may be responsible for the processing of personal data or there may be joint responsibility with third parties. Upon request, we will gladly provide data subjects with information about the respective responsibility.

Data Protection Officer or Data Protection Advisor

We have appointed the following data protection officer or data protection advisor as a point of contact for data subjects and authorities for inquiries related to data protection:

Patrick Zettel
Hotel Schloss Ragaz AG
Schloss-Strasse 1
7310 Bad Ragaz

info@hotelschlossragaz.ch

2. Definitions and Legal Bases

2.1 Definitions

Data Subject: A natural person whose personal data we process.

Personal Data: Any information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Data concerning trade union, political, religious or philosophical views and activities, data concerning health, private life or affiliation with an ethnicity or race, genetic data, biometric data that uniquely identify a natural person, data concerning criminal and administrative sanctions or prosecutions, and data concerning social assistance measures.

Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, comparing, adapting, archiving, storing, retrieving, disclosing, obtaining, recording, collecting, erasing, revealing, arranging, organizing, storing, altering, disseminating, linking, destroying and using personal data.

European Economic Area (EEA): Member States of the European Union  (EU) as well as the Principality of Liechtenstein, Iceland and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

Where and insofar as the European General Data Protection Regulation (GDPR) is applicable, we process personal data on the basis of at least one of the following legal bases:

• Art. 6 para. 1 lit. b GDPR for the processing of personal data necessary for the performance of a contract with the data subject and for the implementation of pre-contractual measures.
• Art. 6 para. 1 lit. c GDPR for the processing of personal data necessary to comply with a legal obligation to which we are subject under applicable law of member states in the European Economic Area (EEA).
• Art. 6 para. 1 lit. e GDPR for the processing of personal data necessary for the performance of a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
• Art. 6 para. 1 lit. d GDPR for the processing of personal data necessary to protect vital interests of the data subject or another natural person.
• Art. 9 para. 2 et seq. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.

The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and to the processing of special categories of personal data as the processing of special categories of personal data (Art. 9 GDPR) .

3. Nature, Scope and Purpose of the Processing of Personal Data

We process personal data that are necessary to perform our activities and operations on a permanent, user-friendly, secure and reliable basis. The personal data processed may in particular fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data and payment data. The personal data may also constitute special categories of personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources or collect in the course of our activities and operations, insofar as such processing is permissible.

We process personal data, where required, with the consent of the data subjects. In many cases, we may process personal data without consent, for example to comply with legal obligations or to safeguard overriding interests. We may also ask data subjects for their consent even if consent is not required.

We process personal data for the duration required for the respective purpose. In particular, we anonymize or delete personal data depending on statutory retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have personal data processed by third parties, or process personal data jointly with third parties. Such third parties may include, for example, specialized providers whose services we use.

In the course of our activities and operations, we may disclose personal data in particular to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies and payment service providers.

5. Communication

We process personal data in order to communicate with individuals as well as with authorities, organizations and companies. In doing so, we process in particular data that a data subject transmits to us when making contact, for example by postal mail or e-mail. We may store such data in an address book or with comparable tools.

Third parties who transmit data to us about other persons are obliged to independently ensure the data protection of such data subjects. In particular, they must ensure that such data are accurate and may be transmitted.

We use selected services from suitable providers to enable and improve communication with individuals and other communication partners. With such services, we may also manage and otherwise process the data of data subjects beyond direct communication.

6. Applications

We process personal data of applicants insofar as they are necessary to assess suitability for an employment relationship or for the subsequent performance of an employment contract. The required personal data result in particular from the requested information, for example in the context of a job advertisement. We may publish job advertisements with the assistance of suitable third parties, for example in electronic and printed media or on job portals and recruitment platforms.

We also process personal data that applicants voluntarily provide or publish, in particular as part of cover letters, curricula vitae and other application documents as well as online profiles.

Where and insofar as the General Data Protection Regulation (GDPR) is applicable, we process personal data of applicants in particular in accordance with Art. 9 para. 2 lit. b GDPR .

7. Data Security

We take appropriate technical and organizational measures to ensure a level of data security appropriate to the respective risk. With our measures, we ensure in particular the confidentiality, availability, traceability and integrity of the processed personal data, without being able to guarantee absolute data security.

Access to our website and our other digital presence is carried out using transport encryption SSL/TLS , in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS ) .Most browsers warn against visiting a website without transport encryption.

Our digital communication is subject – like generally any digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, in the rest of Europe, in the United States of America (USA) and in other countries. We have no direct influence on the corresponding processing of personal data by intelligence services, police authorities and other security authorities. We also cannot rule out that a data subject may be subject to targeted surveillance.

8. Personal Data Abroad

We process personal data primarily in Switzerland and in the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular in order to process it there or have it processed there.

We may export personal data to all countries of the world and elsewhere in the universe , provided that the law applicable there ensures an adequate level of data protection in accordance with the decision of the Swiss Federal Council and – insofar as and to the extent that the General Data Protection Regulation (GDPR) is applicable – also in accordance with the decision of the European Commission .

We may transfer personal data to countries whose laws do not provide an adequate level of data protection, provided that data protection is ensured for other reasons, in particular on the basis of standard data protection clauses or with other appropriate safeguards. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the special data protection requirements are met, for example the explicit consent of the data subjects or a direct connection with the conclusion or performance of a contract. Upon request, we will gladly provide data subjects with information about any safeguards or provide a copy of such safeguards.

9. Rights of Data Subjects

9.1 Data Protection Claims

We grant data subjects all rights in accordance with applicable law. In particular, data subjects have the following rights:

• Right of access: Data subjects may request information as to whether we process personal data concerning them and, if so, which personal data. Data subjects also receive the information necessary to assert their data protection claims and to ensure transparency. This includes the personal data processed as such, but also, among other things, information on the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.
• Rectification and restriction: Data subjects may have inaccurate personal data corrected, incomplete data completed, and the processing of their data restricted.
• Right to express one’s own point of view and to human review: In the case of decisions that are based exclusively on automated processing of personal data and that entail legal consequences for data subjects or significantly affect them (automated individual decisions), data subjects may express their own point of view and request a review by a human.
• Erasure and objection: Data subjects may have personal data erased (“right to be forgotten”) and may object to the processing of their data with effect for the future.
• Data disclosure and data portability: Data subjects may request the disclosure of personal data or the transfer of their data to another controller.

We may defer, restrict or refuse the exercise of the rights of data subjects within the legally permissible framework. We may inform data subjects of any requirements that must be met in order to exercise their data protection claims. For example, we may wholly or partially refuse to provide information by reference to confidentiality obligations, overriding interests or the protection of other persons. We may also, for example, wholly or partially refuse the erasure of personal data, in particular by reference to statutory retention obligations.

We may exceptionally provide for costs for the exercise of rights. We will inform data subjects in advance of any such costs.

We are obliged to identify data subjects who request information or assert other rights using appropriate measures. Data subjects are obliged to cooperate.

9.2 Legal Remedies

Data subjects have the right to enforce their data protection claims through legal proceedings or to lodge a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC) .

European data protection supervisory authorities are organised as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities are structured federally, in particular in Germany .

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data is not limited to traditional text-based cookies.

Cookies may be stored in the browser temporarily as “session cookies” or for a specific period as so-called persistent cookies. “Session cookies” are automatically deleted when the browser is closed. Persistent cookies have a defined storage period. Cookies make it possible, in particular, to recognise a browser on the next visit to our website and thus, for example, to measure the reach of our website. Persistent cookies may also be used, for example, for online marketing.

Cookies can be disabled, restricted or deleted at any time in whole or in part via the browser settings. Browser settings often also allow automated deletion and other management of cookies. Without cookies, our website may no longer be fully available. We actively request explicit consent to the use of cookies – at least insofar as and to the extent required by applicable law.

For cookies that are used for performance and reach measurement or for advertising, a general objection (“opt-out”) is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

For each access to our website and our other digital presence, we may log at least the following information, insofar as this information is determined or transmitted to our digital infrastructure as standard during such access: date and time including time zone, IP Adresse , access status (HTTP status code) , operating system including user interface and version, browser including language and version, individual sub-page of our website accessed including amount of data transferred, previously visited web page in the same browser window (referer or referrer) .

We log such information, which may also constitute personal data, in log files. This information is required in order to be able to provide our digital presence on a permanent, user-friendly and reliable basis. The information is also required in order to ensure data security – including by or with the assistance of third parties.

10.3 Tracking Pixels

We may integrate tracking pixels into our digital presence. Tracking pixels are also referred to as web beacons. Tracking pixels – including those from third parties whose services we use – are usually small, invisible images or scripts written in JavaScript that are automatically retrieved when our digital presence is accessed. Tracking pixels can be used to collect at least the same information as is collected when logging in log files.

11. Notifications and Communications

11.1 Performance and Reach Measurement

Notifications and communications may contain web links or tracking pixels that record whether an individual communication has been opened and which web links were clicked. Such web links and tracking pixels may also record the use of notifications and communications on a personal basis. We require this statistical recording of use for performance and reach measurement in order to be able to send notifications and communications effectively and in a user-friendly manner, as well as on a permanent, secure and reliable basis, based on the needs and reading habits of recipients.

11.2 Consent and Objection

You must generally consent to the use of your email address and your other contact details, unless the use is permitted for other legal reasons. For the possible collection of double-confirmed consent, we may use the “double opt-in” procedure. In this case, you will receive a notification with instructions for double confirmation. We may log collected consents, including IP Adresse and timestamp , for evidentiary and security reasons.

You may generally object to receiving notifications and communications such as newsletters at any time. With such an objection, you may simultaneously object to the statistical recording of use for performance and reach measurement. Required notifications and communications in connection with our activities and operations remain reserved.

11.3 Service Providers for Notifications and Communications

We send notifications and communications with the assistance of specialised service providers.

In particular, we use:

• Mailchimp: Communication platform; provider: The Rocket Science Group LLC DBA Mailchimp (USA) as a subsidiary of Intuit Inc. (USA); information on data protection: Privacy Statement (Intuit) including “Country and Region-Specific Terms”, “Mailchimp Privacy FAQs” , “Mailchimp and European Data Transfers” , “Security” , Cookie Policy , “Privacy Rights Requests” , “Legal” .

12. Social Media

We are present on social media platforms and other online platforms in order to communicate with interested persons and to provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC), terms of use, privacy policies and other provisions of the respective operators of such platforms also apply. These provisions provide information in particular about the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right of access.

For our social media presence on Facebook, including so-called Page Insights, we are – insofar as and to the extent that the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights in order to be able to provide our social media presence on Facebook effectively and in a user-friendly manner.

Further information on the nature, scope and purpose of data processing, information on the rights of data subjects as well as the contact details of Facebook and Facebook’s data protection officer can be found in the Facebook Privacy Policy . We have concluded the so-called“Controller Addendum” with Facebook, thereby agreeing in particular that Facebook is responsible for ensuring the rights of data subjects. Information on Page Insights can be found on the page“Information about Page Insights” ,including“Information about Page Insights Data” .

13. Third-Party Services

We use services provided by specialised third parties in order to be able to carry out our activities and operations on a permanent, user-friendly, secure and reliable basis. With such services, we may, among other things, embed functions and content into our website. When such embedding takes place, the services used technically require the temporary collection of at least the IP addresses IP addresses

For necessary security-related, statistical and technical purposes, third parties whose services we use may process data in connection with our activities and operations in aggregated, anonymised or pseudonymised form. This may include, for example, performance or usage data in order to provide the respective service.

In particular, we use:

• Services from Google: Google LLC (USA) / Google Ireland Limited (Ireland), in part for users in the European Economic Area (EEA) and in Switzerland; general information on data protection: “Privacy & Security Principles” , “How Google uses personal data” , Privacy Policy , “Google’s compliance with applicable data protection laws” , “Privacy guide for Google products” , “How we use data from sites or apps that use our services” , Cookie Policy , “Ads you can control” (settings for personalised advertising).

13.1 Digital Infrastructure

We use services from specialised third parties in order to make use of required digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

In particular, we use:

• Cyon: Hosting; provider: cyon GmbH (Switzerland); data protection information: “Data Protection” , Privacy Policy .
• WordPress.com: Blog hosting and website builder; providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users, among others, in Europe; data protection information:Privacy Policy , Cookie Policy .

13.2 Maps

We use third-party services in order to embed maps into our website.

In particular, we use:

• Google Maps including the Google Maps Platform:  map service; provider: Google; Google Maps-specific information:“How Google uses location information” .
• Outdooractive: Map service; provider: Outdooractive AG (Germany); data protection information:Privacy Policy .

13.3 Fonts

We use services from third parties in order to embed selected fonts as well as icons, logos and symbols into our website.

In particular, we use:

• Google Fonts: Fonts; provider: Google; Google Fonts-specific information: “Your Privacy and Google Fonts” ,  “Privacy and data collection” (Google Fonts) .

13.4 E-Commerce

We operate e-commerce and use third-party services in order to successfully offer services, content or goods.

In particular, we use:

• Holidu Smart Destination: Booking platform; provider: Holidu GmbH (Germany); data protection information: Privacy Policy .

13.5 Payments

We use specialised service providers in order to process payments securely and reliably. For the processing of payments, the legal texts of the respective service providers also apply, such as general terms and conditions (GTC) or privacy policies.

In particular, we use:

• PostFinance: Payment processing; provider: PostFinance AG (Switzerland); data protection information: “Legal information and accessibility” ,  “Data Protection” (including privacy policies).
• TWINT: Payment processing in Switzerland; provider: TWINT AG (Switzerland); data protection information: Privacy Policy ,  “Security according to Swiss standards” .
• Worldline: Payment processing, in particular with mobile payment solutions; providers: Worldline SA (France), Worldline Switzerland AG (Switzerland) and other Worldline companies worldwide (including in the USA); data protection information: Privacy Policy , “Responsible Disclosure Program” ,  Cookie Policy .

13.6 Advertising

We use the option of displaying targeted advertising with third parties, such as social media platforms and search engines, for our activities and operations.

With such advertising, we aim in particular to reach persons who are already interested in our activities and operations or who may be interested in them ( remarketing and targeting). For this purpose, we may transmit corresponding – possibly also personal – information to third parties that enable such advertising. We may also determine whether our advertising is successful, meaning in particular whether it leads to visits to our website (conversion tracking).

Third parties with whom we advertise and with whom you are registered as a user may possibly associate the use of our website with your profile there.

In particular, we use:

• Google Ads: Search engine advertising; provider: Google; Google Ads-specific information: advertising based, among other things, on search queries, whereby various domain names – in particular doubleclick.net, googleadservices.com and googlesyndication.com – are used for Google Ads, Advertising Privacy Policy ,  “Manage ads directly from ads” .
• Meta Ads: Social media advertising on Facebook and Instagram; providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); data protection information: targeting, including retargeting, in particular with the Meta-Pixel  and with  Custom Audiences , including Lookalike Audiences ,  Privacy Policy ,  “Ad Preferences” (login as a user required).

14. Website Extensions

We use extensions for our website in order to be able to use additional functions. We may use selected services from suitable providers or operate such extensions on our own digital infrastructure.

In particular, we use:

• Google reCAPTCHA: Spam protection (distinguishing desired content from humans from unwanted content from bots and spam); provider: Google; Google reCAPTCHA-specific information:“What is reCAPTCHA?” .

15. Performance and Reach Measurement

We seek to measure the performance and reach of our activities and operations. In this context, we may also measure the effectiveness of third-party references or test how different parts or versions of our digital presence are used (“A/B testing”). Based on the results of performance and reach measurement, we may in particular correct errors, strengthen popular content or make improvements.

For performance and reach measurement, the IP addresses of individual users are recorded in most cases. In this case, IP addresses are generally shortened (“IP masking”) in order to comply with the principle of data minimisation through corresponding pseudonymisation.

Cookies may be used for performance and reach measurement and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our digital presence, information on screen size or browser window size and the – at least approximate – location. Generally, any user profiles are created exclusively in pseudonymised form and are not used to identify individual users. Individual third-party services with which users are logged in may possibly associate the use of our online offering with the user account or user profile of the respective service.

In particular, we use:

• Google Marketing Platform: Performance and reach measurement, in particular with Google Analytics ; ; provider: Google; Google Marketing Platform-specific information: measurement across different browsers and devices (cross-device tracking) with pseudonymised IP addresses, which are only exceptionally transmitted in full to Google in the USA, Google Analytics Privacy Policy , “Browser add-on to opt out of Google Analytics” .
• Google Tag Manager: Integration and management of services from Google and third parties, in particular for performance and reach measurement; provider: Google; Google Tag Manager-specific information:Google Tag Manager Privacy Policy ; further data protection information can be found for the individual integrated and managed services.

16. Video Surveillance

We use video surveillance for the prevention of criminal offences, for securing evidence in the event of criminal offences, for exercising and asserting our own legal claims, for defending against third-party legal claims and for exercising our house rights. Insofar as and to the extent that the General Data Protection Regulation (GDPR) is applicable, this constitutes overriding legitimate interests pursuant to  Art. 6(1)(f) GDPR , and in the case of particularly sensitive personal data with reference to Art. 9(2)(f) GDPR .

We store recordings from our video surveillance for as long as they are required for evidentiary purposes or another stated purpose.

We may secure recordings from our video surveillance and transmit them to competent authorities, in particular courts or law enforcement authorities, provided that such transmission is required for a stated purpose, in our other overriding legitimate interests or due to statutory obligations.

17. Final Notes on the Privacy Policy

We have prepared this privacy policy using the Privacy Policy Generator of Datenschutzpartner . The present privacy policy is an unofficial translation from the original German version.

We may update this privacy policy at any time. We will inform you of updates in an appropriate manner, in particular by publishing the current version of the privacy policy on our website.