CONTACT ADDRESS
Hotel Kristall-Saphir AG
Talstrasse 43
3905 Saas-Almagell
Switzerland

COMMERCIAL REGISTER ENTRY
Registered company name: Hotel Kristall-Saphir AG

Number: CHE-113.287.863

 

1. person responsible and content of this privacy policy

We, Hotel Kristall-Saphir AG, Talstrasse 43, 3905 Saas-Almagell, Switzerland, are the operator of the Hotel Kristall-Saphir and the website www.kristall.ch and, unless otherwise stated in this privacy policy, are responsible for the data processing listed in this privacy policy.

So that you know what personal data we collect from you and for what purposes we use it, please take note of the following information. When it comes to data protection, we are primarily guided by the legal requirements of Swiss data protection law, in particular the Federal Act on Data Protection(FADP), as well as the GDPR, the provisions of which may be applicable in individual cases.

Please note that the following information may be reviewed and amended from time to time. We therefore recommend that you consult this privacy policy regularly. Furthermore, other companies are responsible or jointly responsible with us under data protection law for individual data processing operations listed below, so that in these cases the information provided by these providers is also authoritative.

2. contact person for data protection

If you have any questions about data protection or wish to exercise your rights, please contact our data protection contact person by sending an e-mail to the following address: kristall@kristall.ch

You can reach our EU data protection representative at:

Hotel Kristall-Saphir AG, Talstrasse 43, 3905 Saas-Almagell, Switzerland

kristall@kristall.ch

3. scope and purpose of the collection, processing and use of personal data

3.1 Data processing when contacting us

If you contact us via our contact addresses and channels (e.g. by e-mail, telephone or contact form), your personal data will be processed. We process the data that you have provided to us, such as your name, your e-mail address or telephone number and your request. In addition, the time of receipt of the request is documented. Mandatory information is marked with an asterisk (*) in contact forms. We process this data in order to implement your request (e.g. providing information about our hotel, support in contract processing such as questions about your booking, incorporating your feedback into the improvement of our services, etc.).

We use a software application from myls-mylokalesuche, Winkelweg 5, 3422 Rüdtligen-Alchenflüh, Switzerland, to process contact requests via the contact form. Therefore, your data may be stored in a myls database, which may enable myls to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the implementation of your request or, if your request is aimed at the conclusion or execution of a contract, the necessity for the implementation of the necessary measures within the meaning of Art. 6 para. 1 lit. b GDPR.

3.2 Data processing for orders via our online store

On our website you have the opportunity to order products, services and vouchers. We collect the following data for this purpose, whereby mandatory information is marked with an asterisk (*) during the ordering process:

  • Salutation
  • First name
  • Last name
  • Billing and delivery address
  • Phone number
  • e-mail
  • Payment method
  • Shipping method
  • Information on the subscription to marketing e-mails
  • Confirmation of the accuracy of the information provided
  • Confirmation of acknowledgement and approval regarding General terms and conditions and data protection regulations

We use the data to establish your identity before concluding a contract. We need your e-mail address to confirm your order and for future communication with you that is necessary to process the contract. We store your data together with the order details (e.g. name, price and features of the products ordered), payment details (e.g. payment method selected, confirmation of payment and time; see also section 3.7.2) and information on the processing and fulfillment of the contract (e.g. receipt and handling of complaints) in our CRM database (see section 4) so that we can ensure correct order processing and contract fulfillment.

The legal basis for this data processing is the fulfillment of a contract with you in accordance with Art. 6 para. 1 lit. b GDPR.

The provision of data that is not marked as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if necessary with a view to fulfilling the contract or for statistical recording and evaluation to optimize our offers.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by sending us a message.

 

For the provision of the online store, we use a software application from Incert eTourismus GmbH & Co KG, Leonfeldnerstr. 328, 4040 Linz, Austria. Therefore, your data may be stored in a database of Incert, which may allow Incert to access your data if this is necessary for the provision of the Software and for support in the use of the Software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is the fulfillment of a contract with you in accordance with Art. 6 para. 1 lit. b GDPR.

Incert may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Incert is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information on data processing by Incert can be found at https://www.incert.at/datenschutz/.

3.3 Data processing for bookings

3.3.1 Booking via our website

On our website you have the possibility to book an overnight stay. We collect the following data for this purpose, whereby mandatory information is marked with an asterisk (*) during the booking process:

  • Salutation
  • First name
  • Last name
  • Billing address
  • Birthday
  • Company, company address and VAT no. for corporate clients
  • Phone number
  • e-mail
  • Payment method
  • Booking details
  • Remarks
  • Confirmation of the accuracy of the information provided
  • Confirmation of acknowledgement and approval regarding General terms and conditions and data protection regulations

We use the data to establish your identity before concluding a contract. We need your e-mail address to confirm your booking and for future communication with you that is necessary to process the contract. We store your data together with the peripheral data of the booking (e.g. room category, period of stay as well as description, price and characteristics of the services), the data for payment (e.g. selected payment method, confirmation of payment and time; see also section 3.7.2) as well as the information on the processing and fulfillment of the contract (e.g. receipt and handling of complaints) in our CRM database (see section 4) so that we can ensure correct booking processing and contract fulfillment.

Insofar as this is necessary for the fulfillment of the contract, we will also pass on the required information to any third-party service providers (e.g. event organizers or transport companies).

The legal basis for this data processing is the fulfillment of a contract with you in accordance with Art. 6 para. 1 lit. b GDPR.

The provision of data that is not marked as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if necessary with a view to fulfilling the contract or for statistical recording and evaluation to optimize our offers.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by sending us a message.

We use a software application from Seekda, Neubaugasse 10, 1070 Vienna, Austria, to process bookings via our website. Therefore, your data may be stored in a Seekda database, which may enable Seekda to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is the fulfillment of a contract with you in accordance with Art. 6 para. 1 lit. b GDPR.

Seekda may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Seekda is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information on data processing by Seekda can be found at https://www.seekda.com/cookie-policy.

3.3.2 Booking via a booking platform

If you make bookings via a third-party platform (i.e. via Booking, Hotel, Escapio, Expedia, Holidaycheck, Hotel Tonight, HRS, Kayak, Mr. & Mrs. Smith, Splendia, Tablet Hotels, Tripadvisor, Trivago, Weekend4Two etc.), we receive various personal data from the respective platform operator in connection with the booking made. As a rule, this is the data listed in section 3.7.2 of this privacy policy. In addition, we may receive inquiries about your booking. We will process this data by name in order to record your booking as requested and to provide the booked services.

The legal basis for data processing for this purpose is the implementation of pre-contractual measures and the fulfillment of a contract in accordance with Art. 6 para. 1 lit. b GDPR.

Finally, we may exchange personal data with the platform operators in connection with disputes or complaints in connection with a booking, insofar as this is necessary to protect our legitimate interests. This may also include data relating to the booking process on the platform or data relating to the booking or processing of services and the stay with us. We process this data to safeguard our legitimate claims and interests in the processing and maintenance of our contractual relationships with the following platform operators:

  • Booking Holdings, Expedia Group, Freedreams, SmartBox, Jochen Schweizer, Opari, TUI, keytel, etc.

Your data is stored in the databases of the platform operators, which enables them to access your data. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for data processing for this purpose is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

3.4 Data processing when reserving a table

On our website you have the possibility to reserve a table in a restaurant mentioned on our website. For this purpose, we collect the following data – depending on the respective offer – whereby mandatory information is marked with an asterisk (*) when making a reservation via the website:

  • First name
  • Last name
  • Number of guests
  • E-mail address
  • Phone number
  • Menu or offer type
  • Comment
  • Date and time of reservation

We collect and process the data to process the reservation, in particular to make your reservation request according to your wishes and to contact you in the event of ambiguities or problems. We store your data together with the marginal data of the reservation (e.g. date and time of receipt etc.), the reservation data (e.g. allocated table) and information on the processing and fulfillment of the contract (e.g. receipt and handling of complaints) in our CRM database (see section 4) so that we can guarantee correct reservation processing and contract fulfillment.

We use a software application from Lunchgate AG Reservationssystem & Menümarketing für Restaurants, Badenerstrasse 255, 8003 Zurich, Switzerland, to process table reservations. Therefore, your data may be stored in a Lunchgate database, which may enable Lunchgate to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is the fulfillment of a contract with you in accordance with Art. 6 para. 1 lit. b GDPR.

Lunchgate may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Lunchgate is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information about data processing by Lunchgate can be found at https://www.lunchgate.ch/datenschutz/.

3.5 Data processing during payment processing

3.5.1 Payment processing at the hotel

If you purchase products, obtain services or pay for your stay in our hotel using electronic means of payment, the processing of personal data is required. By using the payment terminals, you transmit the information stored in your means of payment, such as the name of the cardholder and the card number, to the payment service providers involved (e.g. payment solution providers, credit card issuers and credit card acquirers). They also receive the information that the means of payment was used in our hotel, the amount and the time of the transaction. Conversely, we only receive a credit note for the amount of the payment made at the relevant time, which we can assign to the relevant voucher number, or information that the transaction was not possible or was canceled. Please always note the information provided by the respective company, in particular the privacy policy and the general terms and conditions.

3.5.2 Online payment processing

If you make chargeable bookings on our website or order services or products, depending on the product or service and the desired payment method – in addition to the information specified in section 3.5.1 – you may be required to provide further data, such as your credit card details or the login for your payment service provider. This information and the fact that you have purchased a service from us at the relevant amount and time will be forwarded to the respective payment service providers (e.g. providers of payment solutions, credit card issuers and credit card acquirers). Please always note the information provided by the respective company, in particular the privacy policy and the general terms and conditions.

The legal basis for our data processing is the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

We reserve the right to store a copy of the credit card information as security. In order to avoid payment cases, the necessary data, in particular your personal details, may also be transmitted to a credit agency for an automated assessment of your creditworthiness. In this context, the credit agency can assign you a so-called score value. This is an estimate of the future risk of a payment default, e.g. based on a percentage. The value is calculated using mathematical-statistical methods and taking into account credit agency data from other sources. We reserve the right, according to the information received, not to offer you the payment method “invoice”.

The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f. GDPR in the avoidance of payment defaults.

The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f. GDPR in the avoidance of payment defaults.

3.6 Data processing for the recording and invoicing of purchased services

If you purchase services as part of your stay (e.g. additional overnight stays, wellness, restaurant, activities), we will collect and process – in addition to your contract data – the data relating to the booking (e.g. time and comments) and the data relating to the booked and purchased service (e.g. subject matter of the service, price and time of purchase of the service) in order to process the service, as described in sections 3.5 and 3.6.

The legal basis for our data processing is the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

3.7 Data processing for email marketing

If you register for our marketing e-mails (e.g. when opening, within your customer account or as part of an order, booking or reservation), the following data will be collected. Mandatory information is marked with an asterisk (*) during registration:

  • E-mail address
  • First and last name

After submitting your registration, you will receive an e-mail from us with a confirmation link. To definitely register for the marketing e-mails, you must click on this link.

By registering, you consent to the processing of this data in order to receive marketing emails from us about our hotel and related information on products and services. These marketing emails may also include invitations to take part in competitions, to provide feedback or to rate our products and services. The collection of the first and last name allows us to assign the registration to a possibly already existing customer account and thus to personalize the content of the marketing e-mails. The link to a customer account allows us to make the offers and content contained in the marketing emails more relevant to you and better tailored to your potential needs.

We will use your data to send you marketing emails until you withdraw your consent. Withdrawal is possible at any time, in particular via the unsubscribe link contained in all marketing e-mails.

Our marketing emails may contain a so-called web beacon, 1×1 pixel (tracking pixel) or similar technical aids. A web beacon is an invisible graphic that is linked to the user ID of the respective subscriber. For each marketing email sent, we receive information on which email addresses it was successfully sent to, which email addresses have not yet received the marketing email and which email addresses failed to receive the email. It also shows which email addresses have opened the marketing email, for how long and which links have been clicked on. Finally, we also receive information about which subscribers have unsubscribed from the mailing list. We use this data for statistical purposes and to optimize the marketing e-mails in terms of frequency and time of sending as well as the structure and content of the marketing e-mails. This allows us to better tailor the information and offers in our marketing emails to the individual interests of the recipients.

The web beacon is deleted when you delete the marketing email. You can prevent the use of web beacons in our marketing e-mails by setting the parameters of your e-mail program so that HTML is not displayed in messages. You can find information on how to configure this setting in the help section of your email software application, e.g. here for Microsoft Outlook.

By subscribing to the marketing e-mails, you also consent to the statistical analysis of user behavior for the purpose of optimizing and adapting the marketing e-mails.

We use a software application from Casablanca Hotelsoftware GmbH to provide marketing e-mails. Therefore, your data may be stored in a Casablanca database, which may allow Casablanca to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

Your consent constitutes the legal basis for the processing of data within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time for the future.

Casablanca may wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Casablanca is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information on data processing by Casablanca can be found at https://www.casablanca.at/datenschutzerklaerung/.

3.8 Data processing when submitting reviews

To help other users with their decision and to support our quality management (in particular when processing negative feedback), you have the opportunity to rate your stay with us on our website. The data that you have made available to us will be processed and published on the website, i.e. in addition to your rating and its time, possibly also a comment that you have added to your rating or the name you have given.

The legal basis for data processing is your consent within the meaning of Art. 6 para. 1 lit a GDPR. You can revoke your consent at any time and request the anonymization of your rating.

We reserve the right to delete unlawful reviews and to contact you in the event of suspicion and ask you to comment.

The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of a lawful and unbiased comment and rating function and the prevention of abuses in its use.

3.9 Data processing when submitting guest feedback

During your stay or afterwards, you have the opportunity to give us feedback (e.g. praise, criticism and suggestions for improvement) using a form. We collect the following data for this – depending on the – whereby mandatory information is marked with an asterisk (*) in the corresponding form:

  • First and last name
  • Age
  • Nationality
  • Duration of stay
  • Feedback

Your data is processed as part of our quality management and thus ultimately for the purpose of better tailoring our services and products to the needs of our guests. Specifically, your data will be processed for the following purposes:

  • Clarification of your concerns, i.e. e.g. obtaining statements from the employees and supervisors addressed or obtaining queries from you, etc;
  • Evaluation and analysis of your data, e.g. creation of satisfaction statistics, comparison of individual services, etc.; or
  • Taking organizational measures in accordance with the findings, e.g. remedying grievances/deficiencies/misconduct, for example by repairing defective equipment, instructing, praising or admonishing employees.

The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time for the future.

3.10 Data processing for video surveillance

To protect our guests and employees as well as our property and to prevent and punish unlawful behavior (in particular theft and damage to property), the entrance area and the publicly accessible areas of our hotel, with the exception of the sanitary facilities, may be monitored by cameras. The image data will only be viewed if there is a suspicion of unlawful conduct. Otherwise, the images will be automatically deleted after 2 years.

For the provision of the video surveillance system, we rely on a service provider Axis Communications, Lund, Sweden. Axis has access to the data insofar as this is necessary for the provision of the system. If the suspicion of unlawful conduct is substantiated, the data may be passed on to the extent necessary for the enforcement of claims or for the filing of charges to consulting firms (in particular to a law firm) and authorities. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy. Further information about data processing in connection with Axis can be found at https://www.axis.com/de-ch/privacy.

The legal basis is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR to protect our guests, our employees and our property and to safeguard and enforce our rights.

3.11 Data processing for the fulfillment of legal reporting obligations

Upon arrival at our hotel or online check-in, we may require the following information from you and your accompanying persons, whereby mandatory information is marked with an asterisk (*) in the corresponding form:

  • Salutation
  • First and last name
  • Billing address
  • Date of birth
  • Nationality
  • Identity card or passport
  • Arrival and departure day

We collect this information to fulfill legal reporting obligations, which arise in particular from hospitality or police law. If we are obliged to do so under the applicable regulations, we will forward this information to the competent authority.

The legal basis for the processing of this data is our legitimate interest within the meaning of Art. 6 para. 1 lit. c GDPR to comply with our legal obligations.

3.12 Data processing for job applications

You have the opportunity to apply for a job in our company spontaneously or in response to a specific job advertisement. In doing so, we process the personal data provided by you.

We use the data you provide to assess your application and suitability for employment. Application documents of unsuccessful applicants will be deleted at the end of the application process, unless you explicitly consent to a longer retention period or we are legally obliged to retain them for a longer period.

The legal basis for processing your data for this purpose is the execution of a contract (pre-contractual phase) in accordance with Art. 6 para. 1 lit. b GDPR.

4. central data storage and analysis in the CRM system

If a clear assignment to your person is possible, we will process the data described in this data protection declaration, i.e. in particular your personal data. store and link your personal data, your contacts, your contract data and your surfing behavior on our websites in a central database. This serves the efficient administration of customer data, allows us to adequately process your requests and enables us to efficiently provide the services you require and process the associated contracts.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR on the efficient management of user data.

We also evaluate this data in order to further develop our offers in line with your needs and to be able to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future orders based on your use of our website.

We use a software application from Casablanca Hotelsoftware GmbH for central data storage and analysis in the CRM system. Therefore, your data may be stored in a Casablanca database, which may allow Casablanca to access your data if this is necessary for the provision of the software and for support in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy. Further information on data processing in connection with Casablanca can be found at https://www.casablanca.at/datenschutzerklaerung/.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the performance of marketing activities.

5. disclosure and transfer abroad

5.1 Disclosure to third parties and access by third parties

Without the support of other companies, we would not be able to provide our services in the desired form. In order for us to be able to use the services of these companies, it is also necessary to pass on your personal data to these companies to a certain extent. Data is passed on to selected third-party service providers and only to the extent necessary for the optimal provision of our services.

The various third-party service providers are already explicitly mentioned in this privacy policy.

In the case of these transfers, the necessity for the fulfillment of a contract within the meaning of Art. 6 para. 1 lit. b GDPR is the legal basis.

Your data will also be passed on if this is necessary to fulfill the services you have requested, e.g. to restaurants or providers of other services for which you have made a reservation through us. In the case of these transfers, the necessity for the fulfillment of a contract within the meaning of Art. 6 para. 1 lit. b GDPR is the legal basis. The third-party service providers are responsible for this data processing within the meaning of the Data Protection Act and not us. It is the responsibility of these third-party service providers to inform you about their own data processing – beyond the transfer of data for the provision of services – and to comply with data protection laws.

In addition, your data may be passed on, in particular to authorities, legal advisors or debt collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to carry out a due diligence review or to complete the transaction.

For this data processing, our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the protection of our rights and compliance with our obligations or the sale of our company or shares thereof.

5.2 Transfer of personal data abroad

We are also entitled to transfer your personal data to third parties abroad if this is necessary to carry out the data processing mentioned in this privacy policy. Individual data transfers are described above in Section. 3 has been mentioned. It goes without saying that the legal regulations on the disclosure of personal data to third parties are complied with. The countries to which data is transferred include those that the Federal Council and the EU Commission have decided have an adequate level of data protection (such as the member states of the EEA or, from the EU’s point of view, Switzerland), but also countries (such as the USA) whose level of data protection is not considered adequate (cf. Annex 1 of the General Data Protection Regulation (GDPR) and the website of the EU Commission). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected by these companies through appropriate guarantees, unless an exception is specified for individual data processing (see Art. 49 GDPR). Unless otherwise stated, these are standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, which are published on the websites of the Eidg. Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please get in touch with our contact person for data protection (see section 2).

5.3 Notes on data transfers to the USA

Some of the third-party service providers mentioned in this privacy policy are based in the USA. For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland or the EU that there are surveillance measures by US authorities in the USA that generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without differentiation, restriction or exception on the basis of the objective pursued and without an objective criterion that makes it possible to restrict the access of the US authorities to the data and their subsequent use to very specific, strictly limited purposes that can justify the interference associated with both access to these data and their use. We would also like to point out that there are no legal remedies or effective legal protection in the USA for data subjects from Switzerland or the EU against general access rights of US authorities that would allow them to gain access to the data concerning them and to obtain its correction or deletion. We explicitly draw your attention to this legal and factual situation in order to enable you to make an appropriately informed decision to consent to the use of your data.

We would also like to point out to users residing in Switzerland or a member state of the EU that the USA does not have an adequate level of data protection from the perspective of the European Union and Switzerland – partly due to the statements made in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is adequately protected by our third-party service providers through contractual arrangements with these companies and any additional appropriate guarantees that may be required.

6. background data processing on our website

6.1 Data processing when visiting our website (log file data)

When you visit our website, the servers of our hosting provider myls – mylokalesuche, Winkelweg 5, 3422 Rüdtlingen-Alchenflüh, Switzerland, temporarily store every access in alog file. The following data is collected without any action on your part and stored by us until it is automatically deleted:

  • IP address of the requesting computer;
  • Date and time of access;
  • Name and URL of the retrieved file;
  • Website from which the access was made, with the search term used;
  • Your computer’s operating system and the browser you are using (incl. type, version and language setting);
  • Device type in the event of access by cell phones;
  • the city or region from which the access was made; and
  • Name of your Internet access provider.

This data is collected and processed for the purpose of enabling the use of our website (connection establishment), ensuring system security and stability in the long term, enabling error and performance analysis and optimization of our website (see also section 6.4 for the last points).

In the event of an attack on the network infrastructure of the website or in the event of suspicion of other unauthorized or improper use of the website, the IP address and other data will be evaluated for clarification and defense purposes and, if necessary, used to identify the user concerned in the context of civil or criminal proceedings.

The purposes described above constitute our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR and thus the legal basis for data processing.

Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. The data described here may also be processed in this context. You will find more detailed information on this in the following sections of this privacy policy, in particular section 6.2 below.

6.2 Cookies

Cookies are information files that your web browser stores on your computer’s hard disk or memory when you visit our website. Cookies are assigned identification numbers that identify your browser and allow the information contained in the cookie to be read.

Among other things, cookies help to make your visit to our website easier, more pleasant and more meaningful. We use cookies for various purposes that are necessary, i.e. “technically necessary”, for your desired use of the website. For example, we use cookies to identify you as a registered user after you have logged in, without you having to log in again each time you navigate the various subpages. The provision of the ordering and booking functions is also based on the use of cookies. Cookies also perform other technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the performance load of the site to different web servers in order to reduce the load on the servers. Cookies are also used for security purposes, e.g. to prevent the unauthorized posting of content. Finally, we also use cookies as part of the design and programming of our website, e.g. to enable the uploading of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of a user-friendly and up-to-date website.

Most Internet browsers accept cookies automatically. However, when accessing our website, we ask for your consent to the cookies we use that are not technically necessary, in particular when using third-party cookies for marketing purposes. You can make your desired settings using the corresponding buttons in the cookie banner. Details on the services and data processing associated with the individual cookies can be found within the cookie banner and in the following sections of this privacy policy.

You may also be able to configure your browser so that no cookies are stored on your computer or so that a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies in selected browsers.

If you deactivate cookies, you may not be able to use all the functions of our website.

6.3 Google Custom Search Engine

This website uses the Programmable Search Engine of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA(Google). This enables us to provide you with an efficient search function on our website.

By pressing the enter key or clicking on the search button, the search function is activated and the search results from Google are displayed on the search results page by means of an embedding(iFrame). When the search results are retrieved, a connection is established with Google’s servers and your browser may send the log file data listed in section 6.1 (including IP address) and the search term you entered to Google. This may also result in data being transferred to servers abroad, e.g. in the USA (see sections 5.2 and 5.3, in particular on the lack of an adequate level of data protection and the guarantees provided).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the provision of an efficient website search function.

For further processing of data by Google, please refer to Google’s privacy policy: www.google.com/intl/de_de/policies/privacy.

6.4 Tracking and web analysis tools

6.4.1 General information on tracking

We use the web analysis services listed below for the purpose of designing and continuously optimizing our website to meet your needs. In this context, pseudonymized user profiles are created and cookies are used (please also refer to section 6.2). The information generated by the cookie about your use of this website is usually transmitted to a server of the service provider together with the log file data listed under section 6.1, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. the USA (see, in particular, the lack of an adequate level of data protection and the guarantees provided, sections 5.2 and 5.3).

By processing the data, we obtain the following information, among other things:

  • Navigation path that a visitor takes on the site (incl. content viewed and products selected or purchased or services booked);
  • Time spent on the website or subpage;
  • Subpage on which the website is left;
  • Country, region or city from where access is made;
  • terminal device (type, version, color depth, resolution, width and height of the browser window); and
  • returning or new visitors.

On our behalf, the provider will use this information to evaluate the use of the website, in particular to compile website activities and to provide further services associated with the use of the website and the Internet for the purposes of market research and the needs-based design of these websites. For these processing operations, we and the providers can be regarded as joint controllers under data protection law up to a certain extent.

The legal basis for this data processing with the following services is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent or refuse processing at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 6.2) or by making use of the service-specific options described below.

For the further processing of the data by the respective provider as the (sole) controller under data protection law, in particular any disclosure of this information to third parties, e.g. to authorities due to national legal regulations, please refer to the respective data protection information of the provider.

6.4.2 Google Analytics

We use the web analysis service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA(Google).

Contrary to the description in section 6.4.1, IP addresses are not logged or stored in Google Analytics (in the “Google Analytics 4” version used here). For access originating from the EU, IP address data is only used to derive location data and then deleted immediately. When collecting measurement data in Google Analytics, all IP searches are carried out on EU-based servers before the traffic is forwarded to Analytics servers for processing. Regional data centers are used in Google Analytics. If a connection to the nearest available Google data center is established in Google Analytics, the measurement data is sent to Analytics via an encrypted HTTPS connection. In these centers, the data is further encrypted before it is forwarded to the Analytics processing servers and made available on the platform. The IP addresses are used to determine the most suitable local data center. This may also result in data being transferred to servers abroad, e.g. in the USA (see Section 5.2, in particular on the lack of an adequate level of data protection and the guarantees provided).

We also use the technical extension “Google Signals”, which enables cross-device tracking. This allows an individual website visitor to be assigned to different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and has also activated the “personalized advertising” option in their Google account settings. Even then, however, no personal data or user profiles become accessible to us; they remain anonymous to us. If you do not wish to use “Google Signals”, you can deactivate the “personalized advertising” option in your Google account settings.

Users can prevent Google from collecting the data generated by the cookie and relating to the use of the website by the user concerned (including the IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

As an alternative to the browser plugin, users can click this link to prevent Google Analytics from collecting data on this website in the future. An opt-out cookie is stored on the user’s device. If users delete cookies (see section 6 Cookies), the link must be clicked again.

Provider.

6.4.3 Etracker

The provider of this website uses the services of etracker GmbH from Hamburg, Germany(www.etracker.com) to analyze usage data. We do not use cookies for web analysis by default. If we use analysis and optimization cookies, we will obtain your explicit consent separately in advance. If this is the case and you agree, cookies are used to enable a statistical analysis of the reach of this website, to measure the success of our online marketing measures and test procedures, e.g. to test and optimize different versions of our online offer or its components. Cookies are small text files that are stored by the Internet browser on the user’s end device. etracker cookies do not contain any information that enables a user to be identified.

The data generated with etracker is processed and stored by etracker on behalf of the provider of this website exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards. etracker has been independently tested, certified and awarded the ePrivacyseal data protection seal of approval.

Data processing is carried out on the basis of the legal provisions of Art. 6 para. 1 lit. f (legitimate interest) of the General Data Protection Regulation (GDPR). Our concern within the meaning of the GDPR (legitimate interest) is the optimization of our online offer and our website. Since the privacy of our visitors is important to us, the data that may allow a reference to an individual person, such as the IP address, login or device identifiers, are anonymized or pseudonymized as soon as possible. No other use, merging with other data or forwarding to third parties takes place.

You can object to the data processing described above at any time. The objection has no negative consequences.

Further information on data protection at etracker can be found here.

6.5 Social media

6.5.1 Social media profiles

We have included links to our profiles in the social networks of the following providers on our website:

  • Meta Platforms Inc, 1601 S California Ave, Palo Alto, CA 94304, USA, privacy policy;
  • Twitter Inc. with registered office at 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, Privacy Policy;
  • LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Policy.

If you click on the social network icons, you will be automatically redirected to our profile in the respective network. This establishes a direct connection between your browser and the server of the respective social network. This provides the network with the information that you have visited our website with your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g. in the USA (see sections 5.2 and 5.3, in particular on the lack of an adequate level of data protection and the guarantees provided).

If you click on a link to a network while you are logged into your user account with the network in question, the content of our website can be linked to your profile so that the network can assign your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account always takes place when you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Please therefore note the data protection information on the network’s website.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR to the use and advertising of our social media profiles.

6.5.2 Social media plugins

You can use social media plugins from the providers listed below on our website:

  • Meta Platforms Inc, 1601 S California Ave, Palo Alto, CA 94304, USA, privacy policy;
  • Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, privacy policy;
  • LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Policy.

We use social media plugins to make it easier for you to share content from our website. The social media plugins help us to increase the visibility of our content in social networks and thus contribute to better marketing.

The plugins are deactivated on our websites by default and therefore do not send any data to the social networks when you simply visit our website. To increase data protection, we have integrated the plugins in such a way that a connection is not automatically established with the servers of the networks. Your browser only establishes a direct connection to the servers of the respective social network when you activate the plugins by clicking on them and thus give your consent to data transmission and further processing by the providers of the social networks.

The content of the plugin is transmitted directly from the social network to your browser, which integrates it into the website. As a result, the respective provider receives the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted by your browser directly to a server of the provider (usually in the USA) and stored there (see, in particular, the lack of an adequate level of data protection and the guarantees provided, sections 5.2 and 5.3). We have no influence on the scope of the data that the provider collects with the plugin, although we can be considered jointly responsible with the providers to a certain extent from a data protection perspective.

If you are logged in to the social network, it can assign your visit to our website directly to your user account. If you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g. that you like a product or service from us) may also be published on the social network and may be displayed to other users of the social network. The provider of the social network may use this information for the purpose of placing advertisements and tailoring the respective offer. For this purpose, usage, interest and relationship profiles may be created, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network. The purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks as well as your rights in this regard and setting options to protect your privacy can be found directly in the data protection information of the respective provider.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins. For the data processing described, your consent within the meaning of Art. 6 para. 1 lit. a GDPR is the legal basis. You can revoke your consent at any time by declaring your revocation to the provider of the plugin in accordance with the information in its data protection information.

6.6 Online advertising and targeting

6.6.1 In general

We use the services of various companies to provide you with interesting offers online. Your user behavior on our website and websites of other providers is analyzed in order to be able to display online advertising tailored to you.

Most technologies fortracking your user behavior(tracking) and for the targeted display of advertising(targeting) work with cookies (see also section 6.2), with which your browser can be recognized via various websites. Depending on the service provider, it is also possible for you to be recognized online even when using different end devices (e.g. laptop and smartphone). This may be the case, for example, if you have registered with a service that you use with several devices.

In addition to the data already mentioned, which is generated when websites are accessed(log file data, see section 6.1) and when cookies are used (section 6.2) and which may be passed on to the companies involved in the advertising networks, the following data in particular is used to select the advertising that is potentially most relevant to you:

  • information about you that you have provided when registering or using a service from advertising partners (e.g. your gender, your age group); and
  • User behavior (e.g. search queries, interactions with advertising, types of websites visited, products or services viewed and purchased, newsletters subscribed to).

We and our service providers use this data to recognize whether you belong to the target group we are addressing and take this into account when selecting advertisements. For example, after you have visited our site, you may be shown advertisements for the products or services you have consulted when you visit other sites(re-targeting). Depending on the scope of the data, a user’s profile may also be created, which is automatically evaluated, with the ads being selected according to the information stored in the profile, such as membership of certain demographic segments or potential interests or behaviors. Such ads may be displayed to you on various channels, including our website or app (as part of on-site and in-app marketing) as well as ads placed via the online advertising networks we use, such as Google.

The data can then be analyzed for the purpose of billing the service provider and to assess the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. This may also include the information that the performance of an action (e.g. visiting certain sections of our websites or sending information) is attributable to a specific advertisement. We also receive aggregated reports from the service providers on advertising activities and information on how users interact with our website and our advertisements.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 6.2). Further options for blocking advertising can also be found in the information provided by the respective service provider, e.g. Google.

6.6.2 Google Ads

This website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA(Google) for online advertising, as explained in Section 6.6.1. Google uses cookies for this purpose (see the list here), which enable your browser to be recognized when you visit other websites. The information generated by the cookies about your visit to this website (including your IP address) is transmitted to a Google server in the USA and stored there (see, in particular, the lack of an adequate level of data protection and the guarantees provided, sections 5.2 and 5.3). Further information on data protection at Google can be found here.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time by rejecting or deactivating the relevant cookies in the settings of your web browser (see section 6.2). You can find further options for blocking advertising here.

7. retention periods

We only store personal data for as long as is necessary to carry out the processing described in this privacy policy within the scope of our legitimate interest. In the case of contract data, storage is prescribed by statutory retention obligations. Requirements that oblige us to store data result from accounting and tax regulations. According to these regulations, business communications, concluded contracts and accounting documents must be stored for up to 10 years. If we no longer need this data to perform the services for you, the data will be blocked. This means that the data may then only be used if this is necessary for the fulfillment of retention obligations or for the defense and enforcement of our legal interests. The data will be deleted as soon as there is no longer an obligation to retain it and there is no longer a legitimate interest in retaining it.

8. data security

We use suitable technical and organizational security measures to protect your personal data stored by us against loss and unlawful processing, in particular unauthorized access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and data protection. Furthermore, these persons are only granted access to personal data to the extent necessary to fulfill their tasks.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we can therefore not provide an absolute guarantee for the security of information transmitted in this way.

9. your rights

If the legal requirements are met, you have the following rights as a person affected by data processing:

Right to information: You have the right to request access to your personal data stored by us at any time free of charge if we process it. This gives you the opportunity to check what personal data we process about you and whether we process it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data erased under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to erasure may be excluded. In this case, the data may be blocked instead of deleted if the conditions are met.

Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.

Right to data portability: You have the right to receive from us, free of charge, the personal data that you have provided to us in a readable format.

Right to object: You can object to data processing at any time, particularly in the case of data processing in connection with direct marketing (e.g. marketing e-mails).

Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your withdrawal.

To exercise these rights, please send us an e-mail to the following address: kristall@kristall.ch

Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way in which we process your personal data.