Data Protection Agreement

The operator of the websites acasasuites.com and restaurantacasa.ch, Consulta GmbH, is responsible for collecting, processing and using your personal data as well as for the compliance of this data processing with the data protection legislation which applies to the relevant websites.

Your trust is important to us, which is why we take data protection seriously and ensure the appropriate level of security. This privacy policy is designed to meet the requirements of the EU General Data Protection Regulation ("GDPR"), the Swiss Data Protection Act ("DPA") and the revised Swiss Data Protection Act ("revDSG"). However, whether and to what extent these laws are applicable depends on the individual case.

Please take note of the following information so that you are aware of the personal data we collect from you and the purposes for which we use it. For questions regarding data protection Ms. Sarah Thoma is at your disposal: welcome@acasasuites.com

1. Processing data in connection with our website

1.1 General

When you visit our website, certain technical protocol files are temporarily collected and stored. The following technical data is recorded automatically at that time, as is usually the case when you connect to any web server:

• Name und URL of the visited website
• IP address of the computer sending the query
• Date and time of access
• Name of the owner of the IP address area (usually your internet provider)
• Website from which access was gained (Referrer URL) with search term used if applicable
• Status-Code (i.e. error-message)
• operating system of your computer and browser used (type, version and language)
• Country, from where you were accessing
• Name of your internet access provider
• Transfer protocol used (i.e.. HTTP/1.1) and
• User name if you registered/logged in

This technical data is recorded automatically and stored until the next automatic erasure after 24 hours after the web statistics have been recorded. This data is collected and processed to allow users to use our websites (to establish a connection), to ensure permanent system security and stability, to enable us to optimise our online offering and for internal statistical purposes.

The IP address is also analysed together with the other data to investigate and prevent attacks on our network infrastructure or other unauthorised use or abuse of the websites and, if applicable, during criminal proceedings for identifying and prosecuting the relevant users under civil and criminal law.

1.2 Newsletter

To register for our newsletter we need the following information from you:

Email address

By registering, you give us your consent to process the data provided to regularly send the newsletter to the address you specified, to statistically analyse your usage behaviour and to optimise the newsletter. We commission third parties with the technical implementation of advertising initiatives and pass on your data for this purpose. The newsletter distribution and the necessary data processing herefor is done by the system Mailjet by Synch AB, Lidhagensgatan 74, Stockholm 11218, Sweden.

At the end of every newsletter, there is a link for you to unsubscribe from the newsletter at any time. When you unsubscribe you can give a reason if you wish. After you have unsubscribed from the newsletter, your personal data will be erased. It will only be processed further in an anonymised form to optimise our newsletter. This data processing is based on our legitimate interest in informing you about our services.

2. Booking on the website, via email correspondence, by calling or personally with us

When you book on our website, by corresponding with us (email, postmail), by calling or personally with us, we require the following data to process the contract:

• First name and surname
• Email address
• Credit card information

This data as well as voluntarily given information (i.e. telephone number, date of birth, postal address, arrival time, preferences, comments etc.) will only be used to process the contract unless otherwise specified in this privacy statement or unless you have given separate consent. In particular, we will process the data to enter your booking as required, to provide the booked services, to contact you in the event of problems and to ensure that the payment is correct. The booking through our website is made with the software travelclick (an Amadeus company) 55 W 46th Street , 27th Floor, New York, NY 10036, USA. The legal basis for processing the data for this purpose is the performance of a contract.

3. Cookies

In order to make your visit to our website more attractive and to enable certain functions, this website uses so called cookies. Cookies are information files that your web browser automatically saves to your computer’s hard drive when you visit our website.

Generally, we use cookies for the analysis of interests in our website as well as to enhance usability. You can use our website without cookies, which may however lead the website to not (fully) function.

By using our website, provided that cookies are accepted according to your browser settings, you agree with the use of cookies on it. Most browsers have activated cookies by default. You do have the option to configure your browser in the way that it shows cookies before storing them or to allow only certain cookies or to reject cookies in general.

We point out that these changes in settings always apply for the used browser. If you use several browsers or if you change the device you need to redo the changes in the settings. You can always delete cookies from your storage medium. Please read the information about the cookie settings, their change and the deletion of cookies in the help function of your web-browser.

There are session cookies and permanent cookies. Session cookies are temporary data (i.e. to avoid an additional login after change of site) and are deleted after logout or loose validity as soon as the session has ended. A permanent cookie stores a file during a suggested time period on your computer (i.e. to remember your settings for the next visit). The data processed by cookies are necessary for the above purposes to protect our legitimate interests.

4. Tracking-tools

4.1 General

For the purpose of designing our website to meet our needs and those of our users, and for the ongoing optimisation of the website, we use the Google Analytics web analysis service. The measures allow us to statistically record and evaluate the use of our website. This is a legitimate interest of ours. In this context, pseudonymised user profiles are created and small text files that are stored on your computer (‘cookies’) are used. The information generated by the cookie about your use of this website is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed under 1 above, this may provide us with the following information:

• Navigation path taken by a visitor to the site
• Length of stay on the website or sub-page
• The sub-page on which the website is exited
• The country, region or city from which the site is accessed
• End device (type, version, colour depth, resolution, width and height of the browser window) and returning or new visitor.

The information is used to evaluate the use of the website, to compile reports on website activities and to provide other services associated with website and internet usage for the purpose of market research and tailoring the design of this website to suit our needs and those of users. This information may also be shared with third parties if required by law or if third parties are processing these data on our behalf.

Google Analytics is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (subsequent «Google»), a company of the holding company Alphabet Inc., which is based in the USA. For the Member States of the European Union or for other parties to the Agreement on the European Economic Area, the IP address is truncated before the data is transmitted to the provider due to the activation of IP anonymisation on our website. Google will use this information on our behalf for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google does not associate the anonymised IP address transmitted by your browser for Google Analytics with any other data held by Google.

Visit the Google Analytics website to find out more about the web analytics service we use. You can find instructions on how to prevent your data being processed by the web analytics service here: http://tools.google.com/dlpage/gaoptout?hl=de

For the purpose of designing and continuously optimising our website, we also use the Convert website tool Triptease (Triptease Ltd, 15 Bishopsgate London, UK, EC2N 3AR). This is a legitimate interest of ours. In this context, pseudonymised usage profiles are created and small text files that are stored on your computer ("cookies") are used. The information generated by the cookie about your use of this website is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed under point 1, we may receive the following information as a result:

• Booking information (Refential ID; Total amount; check-in date; check-out date, booking date)
• Anonyme identification (session; browser)
• Browsing activity (visited sites, time stamps)
• Search information (i.e. dates, search criteria)
• Guest information: Name, email, address, phone number (email if this is activated the the clients platform)

The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services associated with the use of the website and the internet for the purposes of market research and demand-oriented design of this website. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf.

4.2 Re-targeting

«Re-targeting» technology may be used on the websites. «Re-targeting» technology may be used on the websites. This technology analyses your user behaviour on our websites to offer you tailor-made advertising on later visits, including to partner websites. Your user behaviour is recorded with a pseudonym. Most re-targeting technology operates using cookies (see no. 3). You can prevent re-targeting at any time by refusing or deactivating the relevant cookies in your web browser’s menu bar.

Our website uses among other technologies Google-AdWords-Remarketing a service by von Google for the placement of advertisements based on the use of previously visited websites. For this purpose, Google uses the DoubleClick cookie, which enables recognition of your browser when you visit other websites. The information generated by the cookie about your visit to these websites (including your IP address) is transmitted to a Google server in the USA and stored there. Google uses the so-called DoubleClick-Cookie, which enables recognition of your browser when you visit other websites. The information generated by the cookie about the visit to our websites (including your IP address) is sent to and stored by Google servers in the USA.

In addition, we use Google Tag Manager to manage the services for usage-based advertising. The Tag Manager tool itself is a cookieless domain and does not collect any personal data. The tool rather ensures the activation of other tags which, for their part, collect data under certain circumstances (see above with respect to this). If you have applied the deactivation setting at the domain or cookie level, this will remain in place for all tracking tags implemented using Google Tag Manager.

You may prevent or deactivate the retargeting at any time by adjusting the settings in the cookie settings on our websites, or by modifying or turning off the relevant cookies in the menu bar of your web browser (also see section 6 below). In addition, you may request an opt-out for the other named advertising and retargeting tools through the website of Digital Advertising Alliance at optout.aboutads.info

5. Processsing data in connection with your stay

5.1 Processing data to comply with statutory notification

When you arrive at our hotels, we may require the following information from you and the people accompanying you:

• First name and surname
• Postal address and canton/state
• Date of birth
• Place of birth
• Nationality
• Official form of identification and number
• Arrival and departure day
• Room number

We collect this information to comply with statutory notification obligations arising from hotel and catering industry and police legislation in particular. Insofar as we are obliged to do so by the applicable provisions, we will forward this information to the relevant police authority. The basis for data processing is the fulfilment of legal obligations in connection with a contract with you.

5.2 Recording services received

If you receive additional services during your stay (e.g. Restaurant, wellness treatment), the service and the time it was received will be recorded and processed by us for billing purposes and to provide the booked service. The processing of this data is necessary for processing the contract with us.

6. Social media

We have included links to our social media profiles on our websites. The links may lead to the following networks:

• Facebook Inc., 1601 S California Ave, Palo Alto, CA 94304,USA
• Instagram Inc., 1601 Willow Road, Meno Park, CA 94025, USA
• Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA
• LinkedIn Irleand Unlimited Company, Dublin 2, Ireland

If you click on the relevant symbols of the social networks, you will automatically be redirected to our profiles on the respective networks. The responsibility for data protection-compliant operation lies with the respective providers. Data is only transferred to the providers mentioned if you are logged in with your profile on the corresponding platform. We have neither influence nor access to cookies that are set by social network providers. For this reason, we refer you to the respective data protection declarations of the corresponding providers.

7. Storing and exchanging data with third parties

7.1 Booking platforms

If you book via a third-party platform, we receive various personal information from the relevant platform operator. This is generally the data listed in no. 2 of this privacy statement. Any requests concerning your booking are also forwarded to us. In particular, we will process the data to enter your booking as required and to provide the booked services. The legal basis for processing the data for this purpose is the performance of a contract.

Finally, we may be informed by the platform operators about disputes in connection with a booking. If so, we may also receive data concerning the booking process in some cases, which may include a copy of the booking confirmation to serve as evidence of the booking actually being completed. We process this data to safeguard and enforce our claims. This is our legitimate interest.

Please also observe the privacy information of the relevant provider.

7.2 Hotel bookings and guest management

The data submitted for hotel bookings are stored in a central electronic data processing system. Your personal data is systematically recorded and combined to process your bookings and perform the contractual services. We use the software StayNtouch (Netherlands Headquarters Turfstekerstraat 6, 1431 GD Aalsmeer), a software by MCR Hotels Marketing Group.

7.3 Restaurant reservations and guest management

For restaurant reservations (online, per telephone or email) the following personal data are collected:

• Title
• First name and family name
• Email address
• Phone number

The processing of date for restaurant reservations is done by the system The Fork, a Tripadvisor Company, La Fourchette Suisse SA, Rue du Lac 10, 1207 Genf, Schweiz. The processing of reservation data via our software application partners is based on our justified interest in customer-friendly and efficient customer data management.

7.4 HR management

For personnel administration and payroll accounting, we work with the company Mirus Software AG, Tobelmühlestrasse 11, 7270 Davos Platz, Switzerland. All personal data of our employees required for personnel and payroll administration are processed in the corresponding software (first and last name, date of birth, entry date, exit date, salary data, addresses, telephone numbers, AHV numbers, ID/passport dataas well as other information such as bank account information, PF, etc.). All personal data that we receive in the course of recruitment is stored in a protected manner and is destroyed in accordance with the law after the recruitment period has expired.

7.5 Retention period

We only store personal data for as long as is necessary to use the tracking services mentioned above and to make use of the further processing for our legitimate interests. Contract data is stored by us for longer as this is required by statutory retention obligations. Retention obligations that oblige us to retain data arise from provisions regarding notification legislation and accounting and from tax legislation. In accordance with these provisions, business communications, contracts concluded and booking documents must be retained for up to 10 years. If we no longer require this data to perform services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.

7.6 Passing data on to third parties

We only pass on your personal data if you have explicitly given your consent, if there is a statutory obligation to do so or if it is necessary to enforce our rights, in particular to enforce claims arising from the contractual relation. We also pass your data on to third parties if it is required for using the website and processing the contract, such as to process your booking or to analyse your user behaviour. Third parties include service providers such as booking partners, IT-providers, agencies as well as authorities and law enforcement bodies.

Provided that it is required for the purposes specified above, disclosure may also be sent to a foreign country. If the websites contain links to websites of third parties, once such links are clicked, we no longer have any control over the collection, processing, storage or use of personal data by the third parties, and do not accept any responsibility in this regard.

Service providers to which the personal data collected via the website is passed on respectively which may have access to the personal data, are our web hosting provider cyon GmbH, Brunngässlein 12, 4052 Basel, Schweiz as well as our web agency Media Motion AG, Arbonstrasse 6, 9300 Wittenbach, Schweiz. The website is hosted on servers in Switzerland. The data is passed on for the purpose of providing and maintaining our website’s functions. This is our legitimate interest.

Finally, we forward your credit card information to your credit card issuer and the credit card acquirer when you pay by credit card on the website. If you choose to pay by credit card, you will be asked to enter all the necessary information each time. The legal basis for passing on the data is the performance of a contract. For information about the processing of your credit card information by these third parties, please also read the general terms and conditions and privacy statement of your credit card issuer.

7.7 Transmitting personal data to another country

We are entitled to transmit your personal data, including to external companies (commissioned service providers) in another country, for the data processing described in this privacy statement. These companies are subject to the same data protection obligations as we are. If the level of data protection in a country is not equivalent to that of Switzerland or Europe, we ensure by means of a contract that the protection of your personal data is equivalent to the protection provided in Switzerland and/or in the EU.

8. FURTHER INFORMATION

8.1 Right to access, rectification, erasure and restriction of processing; right to data portability

You have the right to receive access to the personal data that we store about you on request. You also have the right to rectification of incorrect data and the right to erasure of your personal data if this is not precluded by any statutory retention obligation or permission which allows us to process the data.

In certain cases provided for by law, you also have the right to ask us to return the data you have submitted to us. We will potentially also pass the data on to a third party of your choice on request. You have the right to receive the data in a commonly used file format.

You can contact us using the email address welcome@acasasuites.com for the purposes specified above. We reserve the right to ask for proof of your identity to process your requests.

8.2 Data security

We implement technical and organisational security measures that are suitable for us to protect your personal data that we store from manipulation, partial or total loss and unauthorised access by third parties. Our security measures are improved on an ongoing basis in line with technological development.

You should always keep your login details confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.

We also take data protection within the company very seriously. Our employees and the service providers commissioned by us are subject to confidentiality obligations and are obliged to comply with data protection provisions.

8.3 Consent to data processing

Data processing based on obtained declarations of content are only carried out based on these declarations subsidiarily and only to the extent of the obtained consents if there is not another (primary) legal bases mentioned in the data protection agreement for this.

8.4 Note on transmitting data to the USA

For the sake of completeness, we wish to point out that, in the USA, US authorities carry out monitoring activities which allow all personal data belonging to all persons whose data has been transmitted from Switzerland to the USA to be stored as a general rule. These activities are carried out without differentiation, restriction or exception based on the aim pursued and with no objective criterion that makes it possible to restrict the US authorities’ access to the data and its subsequent use to specifically defined, strictly limited purposes which are able to justify the intrusion associated with both access to this data and to its use. We also wish to point out that, in the USA, there are no legal remedies available to the data subjects from Switzerland that enable them to receive access to the data concerning them and to have it rectified or erased, and no effective judicial protection from the general access rights of US authorities. We explicitly make data subjects aware of these facts and the legal situation so that they can make a suitably informed decision about giving their consent to the use of their data.

We wish to point out that, from the perspective of Switzerland and the European Union, the USA does not have an adequate level of data. Insofar as we have specified in this privacy statement that data recipients (e.g. Google) are based in the USA, we will ensure adequate protection of your personal data by requiring recipients to comply with binding contractual obligations in accordance with applicable standards approved by the relevant supervisory authorities or by relying on other safeguards approved by the relevant supervisory authorities, such as self-certification. You may contact us to obtain a copy of the contractual and other safeguards.

9. Right to lodge a complaint with a data protection authority

You have the right to lodge a complaint with a data protection authority at any time.

Responsible for data processing is Consulta GmbH, Hammergut 9, 6330 Cham.