Data protection

We, the work and residential community of Schlosshotel Leuk, operate the Schlosshotel Leuk (Hotel) and the website www.schlosshotel-leuk.ch (Website) and, unless otherwise specified in this privacy policy, are responsible for the data processing listed in this privacy policy.

To ensure that you know which personal data we collect from you and for what purposes we use it, please take note of the following information. We adhere primarily to the legal requirements of Swiss data protection law, particularly the Federal Act on Data Protection (FADP), as well as the GDPR, whose provisions may be applicable in individual cases.

Please note that the following information may be reviewed and amended from time to time. Therefore, we recommend that you regularly review this privacy policy. Furthermore, for some of the data processing listed below, other companies are either independently or jointly responsible for data protection with us, so the information provided by these providers is also relevant in these cases.

If you have any questions about data protection or wish to exercise your rights, please contact our data protection officer by sending an email to the following address: datenschutz@schlosshotel-leuk.ch

3.1 Data Processing When Contacting Us

When you contact us via our contact addresses and channels (e.g., email, phone, or contact form), your personal data will be processed. This includes the data you provide to us, such as your name, email address, phone number, and your inquiry. Additionally, the time of receipt of the request is documented. Mandatory fields in contact forms are marked with an asterisk (*). We process this data to address your concern (e.g., providing information about our hotel, assisting with contract processing such as inquiries about your booking, incorporating your feedback to improve our services, etc.).

To handle contact requests via the contact form, we use a software application from Seekda GmbH, Neubaugasse 10/15, 1070 Vienna, Austria. Therefore, your data may be stored in a Seekda GmbH database, which can give Seekda GmbH access to your data if necessary for providing the software and supporting its use. Information on data processing by third parties and any possible transfer abroad can be found in Section 5 of this privacy policy.

Seekda GmbH may use some of this data for its own purposes (e.g., to send marketing emails or for statistical analyses). Seekda GmbH is responsible for this data processing and must ensure compliance with data protection laws regarding this data processing. Information on data processing by Seekda GmbH can be found at https://www.seekda.com/en/terms-and-conditions.

3.2 Data Processing for Bookings

3.2.1 Booking via Our Website

On our website, you have the opportunity to book an overnight stay. For this, we collect the following data, with mandatory fields marked with an asterisk (*) during the booking process:

  • Salutation
  • First name
  • Last name
  • Billing address
  • Date of birth
  • Company, company address, and VAT number for business customers
  • Phone number
  • Email
  • Payment method
  • Booking details
  • Comments
  • Confirmation of the accuracy of the provided information
  • Confirmation of acknowledgment and agreement with the terms and conditions and privacy policy

We use this data to verify your identity before concluding a contract. We need your email address to confirm your booking and for future communication necessary for contract processing. We store your data along with the booking details (e.g., room category, stay period, service description, price, and features), payment data (e.g., selected payment method, payment confirmation and time; see also Section 3.7.2), and information on contract processing and fulfillment (e.g., receipt and handling of complaints) in our CRM database (see Section 4) to ensure correct booking processing and contract fulfillment.

If necessary for contract fulfillment, we will also share the required information with third-party service providers (e.g., event organizers or transport companies).

Providing data not marked as mandatory is voluntary. We process this data to tailor our offer to your personal needs as best as possible, to facilitate contract processing, to contact you via an alternative communication channel if necessary for contract fulfillment, or for statistical recording and evaluation to optimize our offers.

For booking processing via our website, we use a software application from Seekda GmbH, Neubaugasse 10/15, 1070 Vienna, Austria. Therefore, your data may be stored in a Seekda GmbH database, which can give Seekda GmbH access to your data if necessary for providing the software and supporting its use. Information on data processing by third parties and any possible transfer abroad can be found in Section 5 of this privacy policy.

Seekda GmbH may use some of this data for its own purposes (e.g., to send marketing emails or for statistical analyses). Seekda GmbH is responsible for this data processing and must ensure compliance with data protection laws regarding this data processing. Information on data processing by Seekda GmbH can be found at https://www.seekda.com/en/terms-and-conditions.

3.2.2 Booking via a Booking Platform

If you make bookings through a third-party platform (e.g., Booking, Hotel, Escapio, Expedia, Holidaycheck, Hotel Tonight, HRS, Kayak, Mr. & Mrs. Smith, Splendia, Tablet Hotels, Tripadvisor, Trivago, Weekend4Two), we receive various personal data related to the booking from the respective platform operator. This usually includes the data listed in Section 3.7.2 of this privacy policy. Additionally, any inquiries regarding your booking may be forwarded to us. We will process this data to record your booking as requested and to provide the booked services.

3.3 Data Processing for Payment Transactions

3.3.1 Payment Processing at the Hotel

When you purchase products, receive services, or pay for your stay at our hotel using electronic payment methods, the processing of personal data is necessary. By using the payment terminals, the information stored in your payment method, such as the cardholder’s name and card number, is transmitted to the involved payment service providers (e.g., payment solution providers, credit card issuers, and credit card acquirers). They also receive information that the payment method was used at our hotel, the amount, and the time of the transaction. Conversely, we only receive the credit for the amount of the successful payment at the respective time, which we can assign to the corresponding receipt number, or information that the transaction was not possible or was canceled. Please also consult the information provided by the respective company, in particular its privacy policy and general terms and conditions.

Concardis nets group may use some of this data for its own purposes (e.g., sending marketing emails or statistical analysis). Concardis nets group is responsible for this data processing and must ensure compliance with data protection laws in connection with this data processing. Information on data processing by Concardis nets group can be found at https://www.concardis.com/ch-de/datenschutz.

3.4 Data Processing for Recording and Billing Services

If you receive services during your stay (e.g., additional overnight stays, wellness, restaurant, activities), in addition to your contract data, the booking data (e.g., time and comments) and the data related to the booked and received service (e.g., service item, price, and time of service receipt) will be recorded and further processed by us for service execution.

3.5 Data Processing When Using Our WiFi Network

In our hotel, you have the option to use the WiFi network operated by Ocom AG, Kantonsstrasse 51, 3902 Brig-Glis, Switzerland, free of charge. To prevent abuse and to sanction illegal behavior, prior registration is required. During this process, you transmit the following data to Ocom AG:

  • Mobile phone number
  • MAC address of the device (automatically)

In addition to the aforementioned data, data on the time and date of use, the network used, and the device are recorded each time the WiFi network is used. The legal basis for this processing is your consent in accordance with Art. 6 (1) (a) GDPR. You can withdraw this consent at any time for the future.

Ocom AG is responsible for this data processing. During registration, you give your consent to Ocom AG and must accept the terms of use and privacy policy of Ocom AG.

Ocom AG must comply with the legal obligations of the Federal Law on the Surveillance of Post and Telecommunications Traffic (BÜPF) and the associated ordinance. If the legal requirements are met, the operator of the WiFi network must monitor the use of the Internet or data traffic at the request of the competent authority. The operator of the WiFi network may also be required to disclose the contact, usage, and marginal data of the hotel guest to the authorized authorities. The contact, usage, and marginal data are stored for 6 months in a personalized manner and then deleted.

3.6 Data Processing to Fulfill Legal Reporting Obligations

Upon arrival at our hotel, we may need the following information from you and your companions, with mandatory fields marked with an asterisk (*) on the respective form:

  • Salutation
  • First and last name
  • Billing address
  • Date of birth
  • Nationality
  • Identity card or passport
  • Arrival and departure day

We collect this information to fulfill legal reporting obligations that arise particularly from hospitality or police laws. If required by applicable regulations, we forward this information to the competent authority.

If a clear assignment to your person is possible, we will store and link the data described in this privacy policy, i.e., in particular, your personal details, your contact information, your contract data, and your browsing behavior on our websites in a central database. This serves the efficient management of customer data, allows us to process your concerns adequately, and enables the efficient provision of the services you desire and the execution of the related contracts.

The legal basis for this data processing is our legitimate interest in accordance with Art. 6 (1) (f) GDPR in the efficient management of user data.

We also evaluate this data to develop our offers in a needs-oriented manner and to be able to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future orders based on your use of our website.

For central data storage and analysis in the CRM system, we use a software application from HS/3 Hotelsoftware GmbH & Co. KG, Leonardo-da-Vinci-Weg 3, 32760 Detmold, Germany. Therefore, your data may be stored in a database of HS/3, which may allow HS/3 to access your data if necessary for providing the software and supporting its use. Information on data processing by third parties and possible transmission abroad can be found in section 5 of this privacy policy. Further information on data processing in connection with HS/3 can be found at https://www.hs3-hotelsoftware.de/datenschutz/.

5.1 Disclosure to Third Parties and Third-Party Access

Without the support of other companies, we would not be able to provide our offers in the desired form. To utilize the services of these companies, the disclosure of your personal data to these companies is necessary to a certain extent. Disclosure is made to selected third-party service providers only to the extent necessary for the optimal provision of our services.

Your data is also disclosed if it is necessary to fulfill the services you requested, e.g., to restaurants or providers of other services for which you made a reservation through us. In these cases, the necessity to fulfill a contract in accordance with Art. 6 (1) (b) GDPR is the legal basis. These third-party service providers are responsible for these data processing operations under data protection law and not us. It is the task of these third-party service providers to inform you about their own data processing operations beyond the data transfer for service provision and to comply with data protection laws.

Furthermore, your data may be disclosed, particularly to authorities, legal advisors, or collection agencies if we are legally obliged to do so or if it is necessary to protect our rights, especially to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof, and such disclosure is necessary for due diligence or for the execution of the transaction.

5.2 Transfer of Personal Data Abroad

We are entitled to transfer your personal data to third parties abroad if it is necessary for the data processing described in this privacy policy. Individual data transfers have been mentioned previously in section 3. We comply with the legal provisions on the disclosure of personal data to third parties. The countries to which data is transferred include those with an adequate level of data protection according to the Federal Council and the EU Commission (e.g., EEA member states or Switzerland from the EU’s perspective) and those with a level of data protection not considered adequate (e.g., the USA). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies through appropriate guarantees unless an exception applies in individual cases (see Art. 49 GDPR). Unless otherwise specified, these are standard contractual clauses in accordance with Art. 46 (2) (c) GDPR, which can be accessed on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please contact our data protection contact person (see section 2).

5.3 Information on Data Transfers to the USA

Some third-party service providers mentioned in this privacy policy are based in the USA. For users residing in Switzerland or the EU, we point out that US authorities may take surveillance measures that generally enable the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without differentiation, limitation, or exception based on the objective pursued and without an objective criterion that allows limiting the access of US authorities to the data and its subsequent use to specific, strictly limited purposes that justify the associated intervention. We also point out that there are no effective legal remedies or effective judicial redress available in the USA for data subjects from Switzerland or the EU that would allow them to access their data, correct it, or delete it.

Users residing in Switzerland or an EU member state are additionally informed that, from the European Union’s and Switzerland’s perspective, the USA does not provide an adequate level of data protection, among other things, due to the explanations made in this section. If we have explained in this privacy policy that data recipients (such as Google) are based in the USA, we will ensure through contractual agreements with these companies and, if necessary, additional appropriate guarantees that your data is adequately protected with our third-party service providers.

6.1 Data Processing When Visiting our Website (Logfile Data)

When you visit our website, the servers of our hosting provider Novatrend Services GmbH, Bahnhofstrasse 19, 6340 Baar, temporarily store each access in a log file. The following data is collected automatically and stored by us until automated deletion:

  • IP address of the requesting computer;
  • Date and time of access;
  • Name and URL of the accessed file;
  • Website from which access was made, possibly with the search term used;
  • Operating system of your computer and the browser you used (including type, version, and language settings);
  • Device type in the case of mobile phone accesses;
  • City or region from where the access was made; and
  • Name of your Internet access provider.

The collection and processing of this data serve the purpose of enabling the use of our website (establishing a connection), permanently ensuring system security and stability, enabling error and performance analysis, and optimizing our website (see also section 6.4 regarding the latter points).

In the event of an attack on the website’s network infrastructure or suspicion of other unauthorized or abusive use of the website, the IP address and other data will be evaluated for clarification and defense purposes and, if necessary, used to identify the relevant user in civil or criminal proceedings.

Finally, we use cookies and applications and tools based on the use of cookies when visiting our website. In this context, the data described here may also be processed. For more details, please refer to the following sections of this privacy policy, especially section 6.2.

6.2 Cookies

Cookies are information files that your web browser stores on the hard drive or memory of your computer when you visit our website. Cookies are assigned identification numbers through which your browser is identified, and the information contained in the cookie can be read.

Among other things, cookies help to make your visit to our website easier, more pleasant, and more meaningful. We use cookies for various purposes that are necessary for the use of the website as desired by you, i.e., “technically necessary.” For example, we use cookies to identify you as a registered user after login, without requiring you to log in again when navigating through various subpages. The provision of order and booking functions also relies on the use of cookies. Furthermore, cookies perform other technical functions necessary for the operation of the website, such as load balancing, which distributes the load of the page across different web servers to relieve the servers. Cookies are also used for security purposes, for example, to prevent unauthorized posting of content. Finally, we also use cookies in the context of designing and programming our website, for example, to enable the uploading of scripts or codes.

The legal basis for these data processing activities is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in providing a user-friendly and contemporary website.

Most internet browsers accept cookies automatically. However, when accessing our website, we ask for your consent to the use of technically unnecessary cookies that we use, especially when using third-party cookies for marketing purposes. You can make the desired settings via the corresponding buttons in the cookie banner. Details about the services associated with each cookie and their data processing can be found within the cookie banner and in the following sections of this privacy policy.

You may be able to configure your browser to reject all cookies, or to provide a notification when a cookie is set. The following pages provide instructions on how to configure cookie processing for selected browsers:

  • Google Chrome for Desktop
  • Google Chrome for Mobile
  • Apple Safari
  • Microsoft Windows Internet Explorer
  • Microsoft Windows Internet Explorer Mobile
  • Mozilla Firefox

Disabling cookies may prevent you from using all functions of our website.

6.3 Google Custom Search Engine

This website uses the Programmable Search Engine from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google). This allows us to provide an efficient search function on our website.

By pressing the Enter key or clicking the search button, the search function is activated, and the search results from Google are displayed on the search results page using an embedding (iFrame). When retrieving search results, a connection is established with Google’s servers, and your browser may transmit the log file data listed in section 6.1 (including IP address) and the search term you entered to Google. This may also involve the transmission of data to servers abroad, e.g., to the USA (see also, especially regarding the lack of an adequate level of data protection and the intended guarantees, sections 5.2 and 5.3).

The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in providing an efficient website search function.

For further processing of data by Google, please refer to Google’s privacy policy: www.google.com/intl/de_de/policies/privacy.

6.4 Tracking and Web Analytics Tools

6.4.1 General Information on Tracking

For the purpose of needs-based design and continuous optimization of our website, we use the web analytics services listed below. In this context, pseudonymized usage profiles are created, and cookies are used (see also section 6.2). The information generated by the cookie about your use of this website, including the log file data listed in section 6.1, is generally transmitted to a server of the service provider, stored there, and processed. This may also involve a transfer to servers abroad, e.g., to the USA (see also, especially regarding the lack of an adequate level of data protection and the intended guarantees, sections 5.2 and 5.3).

By processing the data, we obtain, among other things, the following information:

  • Navigation path taken by a visitor on the site (including viewed content and selected or purchased products or booked services);
  • Duration of stay on the website or subpage;
  • Subpage where the website is left;
  • Country, region, or city from which access is made;
  • Device (type, version, color depth, resolution, width, and height of the browser window); and
  • Returning or new visitor.

On our behalf, the provider will use this information to evaluate the use of the website, in particular to compile website activity reports and to provide other services associated with website use and internet use for purposes of market research and needs-based design of these websites. For these processing activities, we and the providers may be considered joint controllers to a certain extent under data protection law.

The legal basis for these data processing activities with the following services is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time or refuse processing by rejecting or disabling the relevant cookies in your web browser settings (see section 6.2) or by using service-specific options described below.

For further processing of data by the respective provider as the data protection (sole) controller, including any disclosure of this information to third parties, such as authorities based on national legal regulations, please refer to the respective privacy policies of the provider.

6.4.2 Google Analytics

We use the Google Analytics web analytics service provided by Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

In deviation from the description in section 6.4.1, in Google Analytics (in the version used here “Google Analytics 4”), IP addresses are not logged or stored. For accesses originating from the EU, IP address data is only used to derive location data and is immediately deleted thereafter. When collecting measurement data in Google Analytics, all IP lookups are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing. Regional data centers are used in Google Analytics. When a connection is established to Google’s nearest available data center, the measurement data is sent to Analytics via an encrypted HTTPS connection. In these centers, the data is further encrypted before being forwarded to Analytics processing servers and made available on the platform. The most suitable local data center is determined based on IP addresses. This may also involve a transfer of data to servers abroad, e.g., to the USA (see also, especially regarding the lack of an adequate level of data protection and the intended guarantees, section 5.2).

We also use the technical extension “Google Signals,” which enables cross-device tracking in Google Analytics. This allows for the association of a single website visitor with different devices. However, this only happens if the visitor has logged into a Google service during website visits and has also activated the “personalized advertising” option in their Google account settings. Even then, no personal data or user profiles are accessible to us; they remain anonymous to us. If you do not wish to use “Google Signals,” you can deactivate the “personalized advertising” option in your Google account settings.

Users can prevent Google from collecting the data generated by the cookie and related to their use of the website (including IP address), and from processing this data, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

Alternatively, users can click this link to prevent future collection by Google Analytics on the website. An opt-out cookie will be stored on the user’s device. If users delete cookies (see section 6 Cookies), the link must be clicked again.

6.5 Online Advertising and Targeting

6.5.1 In General

We use services from various companies to present online offers that are of interest to you. Your user behavior on our website and websites of other providers is analyzed to subsequently display online advertising tailored to you individually.

Most tracking technologies for tracking your user behavior (tracking) and for targeted advertising display (targeting) work with cookies (see also section 6.2), which enable your internet browser to be recognized. Here, too, personal data is usually not collected directly; rather, it is stored under a pseudonym. This data is not merged with other personal data about you without your explicit consent.

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time or refuse processing by rejecting or disabling the relevant cookies in your web browser settings (see section 6.2) or by using service-specific options described below.

For further processing of data by the respective provider as the data protection (sole) controller, including any disclosure of this information to third parties, such as authorities based on national legal regulations, please refer to the respective privacy policies of the provider.

6.5.2 Google Ads

We use the Google Ads service of Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

When you click on one of our ads, Google sets a cookie on your computer. The cookie enables the measurement of conversions. These cookies generally expire after 30 days and are not used for personal identification. If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognize that you clicked on the ad and were directed to that page. Each Google Ads customer receives a different cookie. Cookies cannot therefore be tracked through the websites of Ads customers. The information collected through the conversion cookie is used to generate conversion statistics for Ads customers who have opted in to conversion tracking. This tells us the total number of users who clicked on our ad and were directed to a page tagged with a conversion tracking tag.

You can set your browser to block cookies from googleadservices.com, but this will prevent your use of conversion tracking. For more information about Google’s use of cookies and how to disable them, please visit https://policies.google.com/technologies/ads.

6.6 Social Media Plugins

We use social media plugins on our website from the providers listed below. You can recognize the plugins by the respective logo.

If you use our website and activate such a plugin (by clicking the button), a direct connection to the provider’s server (Facebook, Twitter, etc.) is established. The content of the plugin is transmitted directly from the provider to your browser and integrated into the website. By integrating the plugins, the provider receives the information that your browser has accessed the corresponding page of our website, even if you do not have a profile with the respective provider or are not currently logged in. This information (including your IP address) is transmitted directly from your browser to a server of the respective provider (possibly in the USA) and stored there. If you are logged in to one of the social networks, the providers can directly associate your visit to our website with your profile on Facebook, Twitter, etc. If you interact with the plugins, for example, by clicking the “Like” or “Share” button, the corresponding information is also transmitted directly to a server of the provider and stored there. The information is also published on the social network or on your Twitter account and shown to your contacts.

The purpose and scope of the data collection and the further processing and use of the data by the provider as well as your rights and setting options to protect your privacy can be found in the data protection information of the providers.

The legal basis for data processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in maintaining social media presence to promote and disseminate our products and services.

We only store personal data for as long as necessary to carry out the processing described in this privacy policy within the scope of our legitimate interests. For contract data, storage is mandated by legal retention obligations. Requirements obligating us to retain data arise from accounting regulations and tax laws. According to these regulations, business communications, completed contracts, and booking documents must be retained for up to 10 years. Once we no longer need this data to provide services to you, the data will be blocked. This means the data may only be used if necessary to fulfill retention obligations or to defend and enforce our legal interests. Data will be deleted as soon as no retention obligation or legitimate interest in retention exists anymore.

We employ suitable technical and organizational security measures to protect your stored personal data from loss and unauthorized processing, including unauthorized access by third parties. Our employees and the service providers commissioned by us are obligated to maintain confidentiality and protect data privacy. Furthermore, access to personal data is only granted to these individuals to the extent necessary to fulfill their duties.

Our security measures are continuously adjusted in line with technological developments. However, transmitting information over the internet and electronic communication means always involves certain security risks, and therefore, we cannot provide an absolute guarantee for the security of information transmitted in this way.

If the legal prerequisites are met, you, as a data subject, have the following rights concerning data processing:

Right to Information:
You have the right to obtain information about your personal data stored by us at any time, free of charge, if we process this data. This gives you the opportunity to verify which personal data we process about you and whether we process it in accordance with applicable data protection regulations.

Right to Rectification:
You have the right to have incorrect or incomplete personal data corrected and to be informed about the correction. In this case, we will also inform recipients of the affected data about the adjustments made by us, unless this is impossible or involves disproportionate effort.

Right to Erasure:
Under certain circumstances, you have the right to request the deletion of your personal data. In individual cases, especially regarding legal retention obligations, the right to erasure may be excluded. In such cases, data may be blocked instead of deleted if the prerequisites are met.

Right to Restriction of Processing:
You have the right to request that the processing of your personal data be restricted.

Right to Data Portability:
You have the right to receive the personal data that you have provided to us in a readable format free of charge.

Right to Object:
You can object to data processing at any time, especially regarding data processing related to direct marketing (e.g., marketing emails).

Revocation Right:
In principle, you have the right to withdraw any consent given at any time. However, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise these rights, please send us an email to the following address: datenschutz@schlosshotel-leuk.ch

Right to Lodge a Complaint:
You have the right to lodge a complaint with a supervisory authority, for example, regarding the manner in which your personal data is processed.