Privacy Policy

With this Privacy Policy We inform you about the processing of personal data in connection with our Activities and activities including our Website under the domain name cm-lodge.com. We provide information about, for what purpose, how, and where we process which personal data. We also provide information about the rights of individuals whose data we process.

We may publish additional privacy statements or other data protection information for individual or additional activities and operations.

We are subject to Swiss data protection law and, where applicable, to applicable foreign data protection law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

The European Commission recognized Decision of 26 July 2000that Swiss data protection law ensures adequate data protection. Report from January 15, 2024 The European Commission confirmed this adequacy decision.

1. Contact addresses

Responsibility for the processing of personal data:

Conrad's Mountain Lodge AG
Via dal Farrer 1
7513 Silvaplana
Switzerland

mail@cm-lodge.com

In individual cases, third parties may be responsible for the processing of personal data or there may be joint responsibility with third parties.

1.1 Data protection officer or data protection advisor

We have the following data protection officer or data protection advisor as a contact point for data subjects and authorities with inquiries related to data protection:

Franca Chiesa
Conrad's Mountain Lodge AG
Via dal Farrer 1
7513 Silvaplana
Switzerland

mail@cm-lodge.com

1.2 Data protection representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:

VGS Data Protection Partner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

mail@cm-lodge.com

The Data Protection Representation serves data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) as additional Contact point for inquiries related to the GDPR.

2. Terms and legal bases

2.1 Terms

Affected person: Natural person about whom we process personal data.

Personal data: All Information relating to an identified or identifiable natural person.

Particularly sensitive personal data: Data concerning trade union, political, religious or ideological views and activities, data concerning health, privacy or ethnic or racial affiliation, genetic data, biometric data that uniquely identify a natural person, data on criminal and administrative sanctions or prosecutions, and data on social assistance measures.

Edit: Everyone Handling of personal data, independent the means and procedures used, such as querying, comparing, adapting, archiving, storing, retrieving, disclosing, obtaining, recording, collecting, deleting, disclosing, arranging, organizing, storing, altering, disseminating, linking, destroying and using personal data.

European Economic Area (EEA): Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland and Norway.

2.2 Legal basis

We process personal data in accordance with Swiss data protection law, in particular the Federal Data Protection Act (Data Protection Act, DSG) and the Data Protection Regulation (Data Protection Regulation, DSV).

We process – if and to the extent that the European General Data Protection Regulation (GDPR) is applicable – personal data or personal data in accordance with at least one of the following legal bases:

• Art. 6 (1) (b) GDPR for the necessary processing of personal data to fulfill a contract with the data subject and to carry out pre-contractual measures.
• Art. 6 (1) (f) GDPR for the necessary processing of personal data to protect legitimate interests – including the legitimate interests of third parties – unless the fundamental freedoms and rights and the interests of the data subject override these interests. Such interests include, in particular, the permanent, humane, secure, and reliable performance of our activities and operations, ensuring information security, protecting against misuse, enforcing our own legal claims, and compliance with Swiss law.
• Art. 6 (1) (c) GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under applicable law of Member States in the European Economic Area (EEA).
• Art. 6 (1) (e) GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
• Art. 6 (1) (a) GDPR for the processing of personal data with the consent of the data subject.
• Art. 6 (1) (d) GDPR for the necessary processing of personal data to protect the vital interests of the data subject or of another natural person.
• Art. 9 para. 2 ff. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.

The European General Data Protection Regulation (GDPR) defines the processing of personal data as processing of personal data and the processing of particularly sensitive personal data as processing of special categories of personal data (Article 9 GDPR).

3. Type, scope and purpose of processing personal data

We process personal data that necessary in order to be able to carry out our activities and operations in a sustainable, humane, secure, and reliable manner. The personal data processed may, in particular, fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources or collect in the course of our activities, provided that such processing is permitted for legal reasons.

Where necessary, we process personal data with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to comply with legal obligations or to protect overriding interests. We may also request the consent of data subjects when their consent is not required.

We process personal data for the Length of timethat is necessary for the respective purpose. We anonymize or delete personal data, particularly depending on statutory retention and limitation periods.

4. Disclosure of personal data

We may process personal data disclose to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties include, in particular, specialized providers whose services we utilize.

We may, for example, disclose personal data to banks and other financial service providers, public authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and credit agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies and insurance companies.

5. Communication

We process personal data in order to communicate with individuals as well as with authorities, organizations, and companies. In particular, we process data that a data subject sends to us when contacting us, for example, by post or email. We may store such data in an address book or using similar tools.

Third parties who transmit data about other individuals to us are obligated to independently ensure the data protection of these data subjects. In particular, they must ensure that such data is correct and permitted to be transmitted.

We use selected services from suitable providers to enable and improve communication with individuals and other communication partners. With such services, we can also manage and otherwise process the data of data subjects beyond direct communication.

6. Applications

We process personal data about applicants to the extent necessary to assess their suitability for an employment relationship or for the subsequent execution of an employment contract. The required personal data arises, in particular, from the information requested, for example, in the context of a job advertisement. We may publish job advertisements with the assistance of suitable third parties, for example, in electronic and print media or on job portals and platforms.

We also process the personal data that applicants voluntarily communicate or publish, in particular as part of cover letters, CVs and other application documents as well as online profiles.

We process – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data about applicants, in particular in accordance with Art. 9 (2) (b) GDPR.

We may enable applicants to submit their information in our Talent pool to be considered for future vacancies. We may also use such information to maintain contact and provide updates. If we believe that an applicant is suitable for a vacant position based on the information provided, we may inform the applicant accordingly.

7. Data security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. These measures specifically ensure the confidentiality, availability, traceability, and integrity of the personal data processed, but cannot guarantee absolute data security.

Access to our website and our other online presence is via transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting websites without transport encryption.

Our digital communication is subject to – as basically Any digital communication – subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the corresponding processing of personal data by intelligence agencies, police departments, and other security authorities. We also cannot rule out the possibility that a data subject may be subject to targeted surveillance.

8. Personal data abroad

We process personal data basically in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular to process it or have it processed there.

We may transfer personal data to any States on Earth and elsewhere in universe export, provided that the law there allows Decision of the Swiss Federal Council and – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – also in accordance with Decision of the European Commission ensures adequate data protection.

We may transfer personal data to countries whose laws do not guarantee adequate data protection, provided that data protection is guaranteed for other reasons, in particular on the basis of standard data protection clauses or other appropriate safeguards. Exceptionally, we may export personal data to countries without adequate or suitable data protection if the specific data protection requirements are met, for example, the express consent of the data subjects or a direct connection with the conclusion or performance of a contract. Upon request, we will be happy to provide data subjects with information about any safeguards or a copy of any safeguards.

9. Rights of data subjects

9.1 Data protection claims

We grant data subjects all rights under applicable data protection law. Data subjects have, in particular, the following rights:

• Information: Data subjects can request information about whether we process personal data about them and, if so, what personal data is involved. Data subjects will also receive the information necessary to assert their data protection rights and ensure transparency. This includes the personal data processed as such, but also, among other things, information about the purpose of processing, the retention period, any disclosure or export of data to other countries, and the origin of the personal data.
• Correction and restriction: Data subjects can correct inaccurate personal data, complete incomplete data and have the processing of their data restricted.
• Deletion and objection: Data subjects can have their personal data deleted (“right to be forgotten”) and object to the processing of their data with effect for the future.
• Data release and data transfer: Data subjects may request the disclosure of personal data or the transfer of their data to another controller.

We may postpone, restrict, or refuse the exercise of data subjects' rights within the legally permissible framework. We may inform data subjects of any conditions that may need to be met to exercise their data protection rights. For example, we may refuse to provide information in whole or in part, citing confidentiality obligations, overriding interests, or the protection of other persons. We may also refuse to delete personal data in whole or in part, particularly with reference to statutory retention periods.

We may exercise your rights exceptionally We will inform data subjects in advance of any costs.

We are obligated to take appropriate measures to identify data subjects who request information or assert other rights. Data subjects are obligated to cooperate.

9.2 Legal protection

Data subjects have the right to enforce their data protection claims through legal action or to file a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection authorities are Members of the European Data Protection Board (EDPB). In some Member States in the European Economic Area (EEA), the data protection supervisory authorities are federally structured, especially in Germany.

10. Use of the website

10.1 Cookies

We may use cookies. Cookies—both our own cookies (first-party cookies) and cookies from third-party services we use (third-party cookies)—are data stored in your browser. Such stored data need not be limited to traditional text cookies.

Cookies can be stored temporarily in the browser as "session cookies" or for a specific period of time as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage period. In particular, cookies make it possible to recognize a browser the next time you visit our website and thus, for example, to measure the reach of our website. Permanent cookies can also be used for online marketing, for example.

Cookies can be fully or partially deactivated or deleted at any time in your browser settings. Without cookies, our website may no longer be fully available. We actively request your express consent to the use of cookies – at least where and to the extent necessary.

For cookies used for success and reach measurement or for advertising, a general objection («opt-out») is possible for numerous services via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA) is possible.

We use the consent tool "Real Cookie Banner" to manage the cookies and similar technologies used (tracking pixels, web beacons, etc.) and related consents. Details on how "Real Cookie Banner" works can be found at https://devowl.io/rcb/data-processing/.

The legal basis for the processing of personal data in this context is Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR. Our legitimate interest is the management of the cookies and similar technologies used and the related consents.

Providing personal data is neither contractually required nor necessary for entering into a contract. You are not obligated to provide personal data. If you do not provide personal data, we cannot manage your consent.

10.2 Logging

We may log at least the following information for each access to our website and our other online presence, provided that this information is transmitted to our digital infrastructure during such access: Date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-page of our website accessed including amount of data transferred, last website accessed in the same browser window (referrer).

We log such information, which may also constitute personal data, in log files. This information is necessary to provide our online presence in a permanent, user-friendly, and reliable manner. Furthermore, this information is required to ensure data security – including through or with the assistance of third parties.

10.3 Web beacons

We may integrate tracking pixels into our online presence. Tracking pixels are also known as web beacons. Tracking pixels – including those of third parties whose services we use – are typically small, invisible images or JavaScript scripts that are automatically retrieved when you access our online presence. Tracking pixels can collect at least the same amount of information as log files.

11. Notifications and communications

11.1 Success and reach measurement

Notifications and messages may contain web links or tracking pixels that record whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels can also record the use of notifications and messages on a personal basis. We need this statistical recording of usage for success and reach measurement in order to be able to send notifications and messages effectively and humanely, as well as permanently, securely, and reliably, based on the needs and reading habits of the recipients.

11.2 Consent and objection

You must basically consent to the use of your email address and other contact details, unless the use is permitted for other legal reasons. We may use the "double opt-in" procedure to obtain double-confirmed consent. In this case, you will receive a notification with instructions for double confirmation. We may use consent obtained, including IP address and Timestamp recorded for evidential and security reasons.

You can basically You can object to receiving notifications and communications, such as newsletters, at any time. By objecting, you can also object to the statistical recording of usage for performance and reach measurement purposes. This does not apply to necessary notifications and communications related to our activities.

11.3 Service providers for notifications and communications

We send notifications and messages with the help of specialized service providers.

In particular, we use:

• Mailchimp: Communication platform; provider: The Rocket Science Group LLC DBA Mailchimp (USA) as subsidiary of Intuit Inc. (USA); Data protection information: Privacy Policy (Intuit) including «Country and Region-Specific Terms», Frequently Asked Questions about Mailchimp Privacy Policy (Mailchimp Privacy FAQs), “Mailchimp and European Data Transfers”, "Security", Cookie Policy, «Inquiries about data protection rights», «Legal provisions».
• Microsoft 365: Collaboration platform, productivity apps, email, scheduling, video meetings, chat, and corporate security for communicating with our customers; Provider: Microsoft Corporation
  One Microsoft Way Redmond, WA 98052-6399 USA; Privacy Policy: Privacy Policy

12. Social Media

We maintain a presence on social media platforms and other online platforms to communicate with interested parties and provide information about our activities. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use, as well as privacy policies and other provisions of the individual operators of such platforms, also apply. These provisions provide information, in particular, about the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right to information.

For our Social media presence on Facebook including the so-called Page Insights, we are – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of Meta-company (including in the USA). Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to provide our social media presence on Facebook in an effective and user-friendly manner.

Further information about the type, scope and purpose of data processing, information on the rights of data subjects as well as the contact details of Facebook and Facebook’s data protection officer can be found in the Facebook's privacy policyWe have partnered with Facebook to create the so-called «Addition for responsible persons» and thereby agreed in particular that Facebook is responsible for ensuring the rights of data subjects. For the so-called Page Insights, the relevant information can be found on the page «Information about Page Insights» including «Information about Page Insights data».

We also use in particular:

• TripAdvisor: The Tripadvisor platform allows our guests to rate our services. Provider: Tripadvisor Inc., 400 1st Avenue, Needham, MA 02494 USA; Privacy Policy: Privacy Policy

13. Third-party services

We use services from specialized third parties to be able to carry out our activities in a sustainable, human-friendly, secure, and reliable manner. With such services, we can, among other things, embed functions and content into our website. With such embedding, the services used, for technically necessary reasons, at least temporarily record the IP addresses of the users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities in an aggregated, anonymized, or pseudonymized form. This includes, for example, performance or usage data in order to be able to provide the respective service.

In particular, we use:

• Google services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) partly for users in the European Economic Area (EEA) and Switzerland; General information on data protection: «Privacy and Security Principles», «More information about how Google uses personal data», Privacy Policy, “Google is committed to complying with applicable data protection laws”, «Guide to privacy in Google products», “How we use data from websites or apps where our services are used”, «Types of cookies and similar technologies Google uses», “Advertising you can influence” (“Personalised advertising”).

13.1 Digital infrastructure

We use services from specialized third parties to access the digital infrastructure required for our activities. This includes, for example, hosting and storage services from selected providers.

In particular, we use:

• Cyon: Hosting; Provider: cyon GmbH (Switzerland); Data protection information: «Data protection», Privacy Policy.
• WordPress.com: Blog hosting and website builder; providers: Automattic Inc. (USA) / Aut O'Mattic A8C Ireland Ltd. (Ireland) for users in Europe, among others; data protection information: Privacy Policy, Cookie Policy.

13.2 Maps

We use third-party services to embed maps into our website.

In particular, we use:

• Google Maps including Google Maps Platform: Map service; provider: Google; Google Maps-specific information: «How Google uses location information».

13.3 Fonts

We use third-party services to embed selected fonts as well as icons, logos and symbols into our website.

In particular, we use:

• Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: «Your Privacy and Google Fonts», «Privacy and Data Collection» (Google Fonts).

13.4 E-commerce

We operate e-commerce and use third-party services to successfully offer services, content or goods.

• resmio: Reservation tool. Integrated into the website, the reservation tool allows guests to check availability and make reservations online. All table reservations are entered directly into a digital reservation book. Provider: resmio GmbH, headquarters: Katzwanger Straße 150, 90461 Nuremberg, branch: Gneisenaustraße 66-67, 10961 Berlin; Privacy policy: Privacy Policy.

13.5 Payments

We use specialized service providers to process payments securely and reliably. Payment processing is also subject to the legal texts of the individual service providers, such as general terms and conditions (GTC) or privacy policies.

In particular, we use:

• TWINT: Processing of payments in Switzerland; Provider: TWINT AG (Switzerland); Data protection information: Privacy Policy, «Security according to Swiss standards».
• Worldline: Processing of payments, in particular with mobile payment solutions; providers: Worldline SA (France), Worldline Schweiz AG (Switzerland) and other Worldline companies worldwide (including in the USA); data protection information: Privacy Policy, «Program for the responsible use of data», Cookie Policy.

14. Success and reach measurement

We attempt to measure the success and reach of our activities. In this context, we may also measure the impact of third-party feedback or examine how different parts or versions of our online offering are used ("A/B testing"). Based on the results of the success and reach measurements, we may, in particular, correct errors, strengthen popular content, or make improvements.

In most cases, the success and reach measurement is based on IP addresses from individual users. In this case, IP addresses are basically shortened (“IP masking”) in order to comply with the principle of data economy through the corresponding pseudonymization.

Cookies may be used to measure success and reach, and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our website, information about the size of the screen or browser window, and the—at least approximate—location. Basically Any user profiles are created exclusively in pseudonymous form and are not used to identify individual users. Individual third-party services with which users are registered may, at most, assign the use of our online offering to the user account or user profile on the respective service.

In particular, we use:

• Google Marketing Platform: Success and reach measurement, especially with Google Analytics; Provider: Google; Google Marketing Platform-specific information: Measurement also across different browsers and devices (Cross-Device Tracking) with pseudonymized IP addresses that only exceptionally be transferred entirely to Google in the USA, Privacy Policy for Google Analytics, «Browser Add-on to deactivate Google Analytics».
• Google Tag Manager: Integration and management of Google and third-party services, particularly for performance and reach measurement; Provider: Google; Google Tag Manager-specific information: Privacy Policy for Google Tag ManagerFurther information on data protection can be found in the individual integrated and managed services.

15. Final notes on the data protection declaration

We have compiled this privacy statement with the Data protection generator from Data protection partner created.

We may update this privacy policy at any time. We will inform you about updates in an appropriate manner, in particular by publishing the latest privacy policy on our website.
.