Privacy Policy

With this Privacy Policy, we inform you about the personal data we process in connection with our activities and services, including our glacierbiketour.ch-website. We particularly inform about the purposes, methods, and locations of processing personal data. We also inform about the rights of individuals whose data we process.

For individual or additional activities and services, further privacy policies as well as other legal documents such as General Terms and Conditions (GTC), Terms of Use, or Participation Conditions may apply.

We are subject to Swiss data protection law and any applicable foreign data protection law, especially that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission recognizes that Swiss data protection law ensures adequate data protection.

1. Contact Addresses

Responsibility for the processing of personal data:

Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland

contact@graubuenden.ch

In individual cases, there may be other responsible parties for the processing of personal data or joint responsibility with at least one other responsible party.

1.1 Data Protection Officer or Data Protection Advisor

We have appointed the following data protection officer or advisor as the contact point for affected individuals and authorities for inquiries related to data protection:

Manuela Ruinatscha
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland

manuela.ruinatscha@graubuenden.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have appointed the following data protection representation according to Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

datenschutz@graubuenden.ch

The data protection representation serves as an additional contact point for individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Personal data are all information relating to an identified or identifiable natural person. An affected person is a person about whom we process personal data.

Processing includes any handling of personal data, regardless of the means and procedures used, such as querying, matching, adjusting, archiving, storing, retrieving, disclosing, obtaining, recording, collecting, deleting, making available, arranging, organizing, preserving, altering, distributing, linking, destroying, and using personal data.

The European Economic Area (EEA) comprises the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law, in particular the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process – insofar and as long as the General Data Protection Regulation (GDPR) is applicable – personal data according to at least one of the following legal bases:

• Art. 6 (1) lit. b GDPR for processing personal data necessary for the performance of a contract with the data subject or to take steps at the request of the data subject prior to entering into a contract.

• Art. 6 (1) lit. f GDPR for processing personal data necessary to protect the legitimate interests of us or a third party, unless the fundamental freedoms and rights and interests of the data subject prevail. Legitimate interests include, in particular, our interest in carrying out our activities and services permanently, user-friendly, securely, and reliably, as well as being able to communicate about them, ensuring information security, protection against misuse, enforcement of our own legal claims, and compliance with Swiss law.

• Art. 6 (1) lit. c GDPR for processing personal data necessary for compliance with a legal obligation to which we are subject under the law of member states in the European Economic Area (EEA).

• Art. 6 (1) lit. e GDPR for processing personal data necessary for the performance of a task carried out in the public interest.

• Art. 6 (1) lit. a GDPR for processing personal data with the consent of the data subject.

• Art. 6 (1) lit. d GDPR for processing personal data necessary to protect the vital interests of the data subject or of another natural person.

3. Type, Scope, and Purpose

We process the personal data that is necessary to be able to carry out our activities and services permanently, user-friendly, securely, and reliably. Such personal data may fall into the categories of inventory and contact data, browser and device data, content data, meta/communication data, usage data, location data, sales data, as well as contract and payment data.

We process personal data for the duration necessary for the respective purpose or purposes or as required by law. Personal data that is no longer necessary to be processed will be anonymized or deleted.

We may have personal data processed by third parties. We may process personal data together with third parties or transfer personal data to third parties. These third parties are particularly specialized providers whose services we use. We also ensure data protection with such third parties.

We generally process personal data only with the consent of the data subjects. To the extent and as long as the processing is permitted for other legal reasons, we may refrain from obtaining consent. For example, we may process personal data without consent to fulfill a contract, comply with legal obligations, or protect overriding interests.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the exercise of our activities and services, to the extent and as long as such processing is permitted for legal reasons.

4. Communication

We process personal data to be able to communicate with third parties. In this context, we particularly process data transmitted by a data subject when making contact, for example, by mail or email. We may store such data in an address book or with similar tools.

Third parties transmitting data about other persons are obliged to ensure data protection towards such data subjects. Among other things, this includes ensuring the accuracy of the transmitted personal data.

5. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we ensure in particular the confidentiality, availability, traceability, and integrity of processed personal data, but cannot guarantee absolute data security.

Access to our website and other online presence is secured through transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a small padlock in the address bar.

Our digital communication is subject – like basically all digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the respective processing of personal data by intelligence agencies, police stations, and other security authorities. We also cannot exclude the possibility that individual affected persons are being monitored specifically.

6. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transmit personal data to other countries, in particular to process it or have it processed there.

We may export personal data to all countries and territories on Earth as well as elsewhere in the universe, provided that the law there ensures adequate data protection according to the decision of the Swiss Federal Council and – as far as the General Data Protection Regulation (GDPR) is applicable – according to the decision of the European Commission.

We may transmit personal data to countries whose law does not ensure adequate data protection, provided that data protection is guaranteed for other reasons, in particular based on standard data protection clauses or with other suitable guarantees. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the special data protection requirements are met, for example, the explicit consent of the affected persons or a direct connection with the conclusion or processing of a contract. We are happy to provide affected persons with information about any guarantees on request or deliver a copy of any guarantees.

7. Rights of Affected Persons

7.1 Data Protection Claims

We grant all claims according to the applicable data protection law to affected persons. Affected persons have, in particular, the following rights:

• Right to information: Affected persons can request information about whether we process personal data about them, and if so, what personal data. Furthermore, affected persons receive the necessary information to assert their data protection claims and ensure transparency. This includes the processed personal data itself, but also, among other things, information on the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.

• Correction and Restriction: Affected persons can correct inaccurate personal data, complete incomplete data, and request the restriction of the processing of their data.

• Deletion and Objection: Affected persons can have personal data deleted ("right to be forgotten") and object to the processing of their data with effect for the future.

• Data Provision and Data Portability: Affected persons can request the provision of personal data or the transfer of their data to another controller.

We may delay, limit, or deny the exercise of rights of affected persons within the legally permissible framework. We may point out to affected persons the conditions that must be met to exercise their data protection rights. For example, we may partially or completely refuse information with reference to trade secrets or the protection of other persons. For example, we may also partially or completely refuse the deletion of personal data with reference to statutory retention obligations.

We may exceptionally impose costs for exercising rights. We inform affected persons in advance about any costs.

We are obligated to identify affected persons who request information or assert other rights with reasonable measures. Affected persons are required to cooperate.

7.2 Legal Protection

Affected persons have the right to enforce their data protection claims through legal proceedings or to file a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for complaints from affected persons against private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities for complaints from affected persons – as far as the General Data Protection Regulation (GDPR) is applicable – are organized as members in the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are structured federally, particularly in Germany.

8. Use of the Website

8.1 Cookies

We may use cookies. Cookies – both our own cookies (First-Party Cookies) and those of third parties whose services we use (Third-Party Cookies) – are data stored in the browser. Such stored data need not be limited to traditional text-based cookies.

Cookies can be stored in the browser temporarily as "Session Cookies" or for a certain period as so-called permanent cookies. "Session Cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies, in particular, allow a browser to be recognized on the next visit to our website and thereby, for example, measure the reach of our website. However, permanent cookies can also be used for online marketing, for example.

Cookies can be deactivated and deleted in the browser settings at any time, either completely or partially. Without cookies, our website may not be fully available. We request – at least as far as necessary – explicit consent for the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection ("Opt-out") is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2 Logging

We can log at least the following information for each access to our website and other online presence, as far as these are transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, called individual sub-page of our website including transferred amount of data, last page called in the same browser window (referrer).

We log such information, which can also represent personal data, in log files. The information is necessary to be able to provide our online presence permanently, user-friendly, and reliably. The information is also necessary to ensure data security – also by third parties or with the help of third parties.

8.3 Tracking Pixels

We can integrate tracking pixels into our online presence. Tracking pixels are also known as web beacons. Tracking pixels – also from third parties whose services we use – are usually small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our online presence. Tracking pixels can collect at least the same information as is recorded in log files.

9. Services from Third Parties

We use services from specialized third parties to be able to carry out our activities and services permanently, user-friendly, secure, and reliably. With such services, we can, among other things, embed functions and content into our website. For such embedding, the services used technically necessarily capture at least temporarily the IP addresses of users for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and services in an aggregated, anonymized, or pseudonymized manner. This refers, for example, to performance or usage data to provide the respective service.

We particularly use:

• Services from Google: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General information on data protection: "Principles of Privacy and Security", Privacy Policy, "Google is committed to complying with applicable data protection laws", "Privacy Guide for Google Products", "How we use data from websites or apps that use our services" (Information from Google), "Types of cookies and similar technologies used by Google", "Advertising you can control" ("Personalized Advertising").

9.1 Digital Infrastructure

We use services from specialized third parties to be able to use the required digital infrastructure in connection with our activities and services. This includes, for example, hosting and storage services from selected providers.

We particularly use:

• exigo: Hosting; Provider: exigo ag (Switzerland); Data protection information: Privacy Policy, "Data Protection / Security".

9.2 Map Material

We use services from third parties to be able to embed maps into our website.

9.3 Digital Audio and Video Content

We use services from specialized third parties to enable the direct playback of digital audio and video content such as music or podcasts.

We particularly use:

• YouTube: Video platform; Provider: Google; YouTube-specific information: "Privacy and Security Center", "My Data on YouTube".

9.4 Fonts

We use services from third parties to be able to embed selected fonts as well as icons, logos, and symbols into our website.

We particularly use:

• MyFonts (by Monotype): Fonts; Providers: Monotype Imaging Holdings Inc. (USA) / MyFonts Inc. (USA); Data protection information: "Your Privacy", Privacy Policy, "Privacy Policy for Web Font Tracking".

10. Success and Reach Measurement

We try to determine how our online offer is used. In this context, for example, we can measure the success and reach of our activities and services as well as the impact of third-party links on our website. We can also try and compare how different parts or versions of our online offer are used ("A/B testing" method). Based on the results of success and reach measurement, we can, in particular, fix errors, strengthen popular content, or make improvements to our online offer.

For success and reach measurement, the IP addresses of individual users are mostly stored. In this case, IP addresses are generally shortened ("IP masking") to follow the principle of data minimization through the corresponding pseudonymization.

For success and reach measurement, cookies may be used, and user profiles created. Potential user profiles may include, for example, the visited individual pages or viewed content on our website, information about the size of the screen or browser window, and the – at least approximate – location. Generally, any user profiles are created exclusively in a pseudonymized form and not used for identifying individual users. Individual services from third parties, where users are logged in, can possibly assign the use of our online offer to the user account or profile with the respective service.

We particularly use:

• Google Analytics: Success and reach measurement; Provider: Google; Google Analytics-specific information: Measurement across different browsers and devices (Cross-Device Tracking) as well as with pseudonymized IP addresses, which are only exceptionally transmitted completely to Google in the USA, "Privacy", "Browser Add-on to Disable Google Analytics".

• Google Tag Manager: Integration and management of other services for success and reach measurement as well as other services from Google and third parties; Provider: Google; Google Tag Manager-specific information: "Data collected by Google Tag Manager"; further data protection information can be found in the individual integrated and managed services.

11. Final Provisions

We have created this privacy policy with the Privacy Policy Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We may adjust and supplement this privacy policy at any time. We will inform about such adjustments and supplements in a suitable manner, in particular by publishing the respective current privacy policy on our website.