Book now

Privacy Policy

With this Privacy Policy, we inform about the personal data we process in connection with our activities and operations, including our website. We particularly inform about the purposes, methods, and locations of the personal data processing. Additionally, we provide information about the rights of individuals whose data we process.

For individual or additional activities and operations, additional privacy policies as well as other legal documents such as General Terms and Conditions (GTC), Terms of Use, or Participation Conditions may apply.

We are subject to Swiss data protection law as well as, where applicable, foreign data protection law, especially that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that Swiss data protection law ensures adequate data protection.

1. Contact Details

Responsibility for the processing of personal data:

Conda SA
Plaz 2
7524 Zuoz

In individual cases, there may be other responsible parties for the processing of personal data or joint responsibility with at least one other controller.

1.1 Data Protection Officers or Advisors

We have the following data protection officer or advisor as a contact person for data subjects and authorities regarding data protection inquiries:

Rita Klarer
Conda SA
Plaz 2
7524 Zuoz

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:

VGS Datenschutz­partner GmbH
Am Kaiserkai 69
20457 Hamburg

The data protection representation serves as an additional point of contact for inquiries related to the GDPR for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA).

2.1 Definitions

Personal data refers to any information relating to an identified or identifiable natural person. A data subject is a person about whom we process personal data.

Processing includes any operation or set of operations performed on personal data, regardless of the means or methods used, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

The European Economic Area (EEA) comprises the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as processing of personal data.

We process personal data in accordance with Swiss data protection law, including in particular the Federal Act on Data Protection (Datenschutzgesetz, DSG) and the Ordinance to the Federal Act on Data Protection (Datenschutzverordnung, DSV).

Where and to the extent the General Data Protection Regulation (GDPR) applies, we process personal data according to at least one of the following legal bases:

  • Art. 6(1)(b) GDPR for the necessary processing of personal data for the performance of a contract with the data subject or for the implementation of pre-contractual measures.
  • Art. 6(1)(f) GDPR for the necessary processing of personal data to protect our legitimate interests or those of third parties, unless the fundamental rights and freedoms of the data subject override those interests. Legitimate interests include, in particular, our interest in exercising our activities and operations permanently, user-friendly, safely, and reliably, as well as communicating about them, ensuring information security, protecting against misuse, enforcing our own legal claims, and complying with Swiss law.
  • Art. 6(1)(c) GDPR for the necessary processing of personal data to comply with a legal obligation to which we are subject under any applicable law of a Member State of the European Economic Area (EEA).
  • Art. 6(1)(e) GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
  • Art. 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.
  • Art. 6(1)(d) GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.

3. Nature, Scope, and Purpose

We process those personal data that are necessary to permanently, user-friendly, safely, and reliably conduct our activities and operations. Such personal data may include, in particular, categories of inventory and contact data, browser and device data, content data, meta or marginal data, and usage data, location data, sales data, as well as contract and payment data.

We process personal data for the duration necessary for the respective purpose(s) or as required by law. Personal data no longer needed for processing will be anonymized or deleted.

We may have personal data processed by third parties. We may process personal data jointly with third parties or disclose them to third parties. Such third parties are particularly specialized providers whose services we use. We also ensure data protection with such third parties.

We generally process personal data only with the consent of the data subjects. To the extent that processing is permissible for other legal reasons, we may waive obtaining consent. For example, we may process personal data without consent to fulfill a contract, to comply with legal obligations, or to safeguard overriding interests.

We also process personal data that we receive from third parties, obtain from publicly available sources, or collect in the course of our activities and operations, to the extent that such processing is permissible for legal reasons.

4. Communication

We process personal data to be able to communicate with third parties. In this context, we process in particular data that a data subject transmits when contacting us, for example, by postal mail or email. We may store such data in an address book or similar tools.

Third parties transmitting data about other individuals are obligated to ensure data protection for such affected individuals. This includes, among other things, ensuring the accuracy of the transmitted personal data.

5. Data Security

We implement appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we ensure in particular the confidentiality, availability, traceability, and integrity of the processed personal data, but we cannot guarantee absolute data security.

Access to our website and other online presence is via transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a small padlock icon in the address bar.

Our digital communication is subject – like all digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the corresponding processing of personal data by intelligence services, police authorities, and other security authorities. Nor can we rule out that individual affected individuals are monitored.

6. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other states, particularly to process them there or have them processed.

We may export personal data to all countries and territories on Earth and elsewhere in the Universe, provided that the local law ensures adequate data protection according to a decision of the Swiss Federal Council and – where and to the extent the General Data Protection Regulation (GDPR) applies – according to a decision of the European Commission.

We may transfer personal data to states whose law does not ensure adequate data protection if data protection is ensured for other reasons, especially based on standard data protection clauses or other suitable safeguards. Exceptionally, we may export personal data to states without adequate or suitable data protection if the special data protection requirements are met, for example, the explicit consent of the data subjects or a direct connection with the conclusion or performance of a contract. Upon request, we will gladly provide affected individuals with information about any guarantees or provide a copy of any guarantees.

7. Rights of Data Subjects

7.1 Data Protection Claims

We grant data subjects all rights under applicable data protection law. Data subjects particularly have the following rights:

  • Information: Data subjects can request information about whether we process personal data about them and, if so, what personal data is involved. Data subjects also receive the necessary information to assert their data protection rights and ensure transparency. This includes the processed personal data as such, but also, among other things, information about the processing purpose, the duration of storage, any disclosure or export of data to other states, and the origin of the personal data.
  • Correction and Restriction: Data subjects can correct inaccurate personal data, complete incomplete data, and have the processing of their data restricted.
  • Deletion and Objection: Data subjects can have personal data deleted (“right to be forgotten”) and object to the processing of their data with effect for the future.
  • Data Disclosure and Data Portability: Data subjects can request the disclosure of personal data or the transfer of their data to another controller.

We may postpone, restrict, or refuse the exercise of data subjects’ rights within the legally permissible framework. We may inform data subjects about any requirements they need to fulfill to exercise their data protection rights. For example, we may refuse information with reference to business secrets or the protection of other persons, in whole or in part. For example, we may also refuse the deletion of personal data with reference to legal retention obligations, in whole or in part.

We may exceptionally impose costs for exercising rights. We will inform data subjects in advance of any costs.

We are obligated to identify data subjects who request information or exercise other rights with appropriate measures. Data subjects are obliged to cooperate.

Data subjects have the right to enforce their data protection claims through legal channels or to file a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for complaints by data subjects against private controllers and federal agencies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities for complaints by data subjects – where and to the extent the General Data Protection Regulation (GDPR) applies – are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities are federally structured, especially in Germany.

8. Use of the Website

8.1 Cookies

We may use cookies. With cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – data is stored in the browser. Such stored data does not necessarily have to be limited to traditional text cookies.

Cookies can be stored in the browser temporarily as “session cookies” or for a specific period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a specific storage period. Cookies allow, in particular, to recognize a browser on the next visit to our website and thus, for example, to measure the reach of our website. Permanent cookies can also be used, for example, for online marketing purposes.

Cookies can be deactivated or deleted entirely or partially in the browser settings at any time. Without cookies, our website may not be fully available. We request – at least if and to the extent necessary – active consent to the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection (“opt-out”) is possible for numerous services via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2 Logging

We may log at least the following information for each access to our website and our other online presence, provided that this information is transmitted to our digital infrastructure during such accesses: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-page of our website accessed including the amount of data transferred, last visited website in the same browser window (referer).

We log such information, which may also constitute personal data, in log files. The information is necessary to be able to provide our online presence permanently, user-friendly, and reliably. The information is also necessary to ensure data security – also by third parties or with the help of third parties.

8.3 Tracking Pixels

We may integrate tracking pixels into our online presence. Tracking pixels are also called web beacons. With tracking pixels – also from third parties whose services we use – it usually involves small, invisible images or scripts formulated in JavaScript, which are automatically retrieved when accessing our online presence. Tracking pixels can capture at least the same information as in log files.

9. Notifications and Messages

We send notifications and messages by email and through other communication channels such as instant messaging or SMS.

9.1 Success and Reach Measurement

Notifications and messages may contain web links or tracking pixels that record whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels can also capture the use of notifications and messages on a personal basis. We need this statistical recording of usage for success and reach measurement in order to be able to send notifications and messages effectively and user-friendly, as well as permanently, securely, and reliably based on the needs and reading habits of the recipients.

As a rule, you must consent to the use of your email address and other contact addresses, unless the use is permitted for other legal reasons. For the possible obtaining of a double-confirmed consent, we can use the “double opt-in” procedure. In this case, you will receive a notification with instructions for double confirmation. In this case, we may log obtained consents, including IP address and timestamp, for evidence and security reasons.

As a rule, you can object to the receipt of notifications and messages such as newsletters at any time. With such an objection, you can also object to the statistical recording of usage for success and reach measurement. Necessary notifications and messages in connection with our activities and operations remain reserved.

10. Social Media

We are present on social media platforms and other online platforms in order to communicate with interested individuals and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the individual operators of such platforms also apply. These provisions provide information in particular about the rights of affected individuals directly against the respective platform, including the right to information, for example.

For our Facebook social media presence, including so-called page insights, we are – if and to the extent the General Data Protection Regulation (GDPR) applies – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). The page insights provide information on how visitors interact with our Facebook presence. We use page insights to effectively and user-friendly provide our social media presence on Facebook.

Further information on the type, scope, and purpose of data processing, information on the rights of affected individuals, as well as contact details of Facebook as well as the data protection officer of Facebook can be found in the Facebook Privacy Policy. We have concluded the so-called “Addendum for Controllers” with Facebook, thereby agreeing in particular that Facebook is responsible for ensuring the rights of affected individuals. For the so-called page insights, the corresponding information can be found on the page “Information on Page Insights” including “Information about Page Insights Data”.

11. Third-Party Services

We use services from specialized third parties in order to be able to exercise our activities and operations permanently, user-friendly, securely, and reliably. With such services, we can embed functions and content into our website. In the case of such embedding, the services used capture the IP addresses of the users at least temporarily for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data in connection with our activities and operations in an aggregated, anonymized, or pseudonymized form. This includes, for example, performance or usage data in order to be able to offer the respective service.

We use in particular:

11.1 Digital Infrastructure

We use services from specialized third parties in order to be able to use the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We use in particular:

11.2 Social Media Features and Content

We use services and plugins from third parties in order to embed features and content from social media platforms and to enable the sharing of content on social media platforms and in other ways.

We use in particular:

11.3 Map Material

We use services from third parties in order to be able to embed maps into our website.

We use in particular:

11.4 Fonts

We use services from third parties in order to be able to embed selected fonts as well as icons, logos, and symbols into our website.

We use in particular:

11.5 E-Commerce

We operate e-commerce and use services from third parties in order to be able to offer services, content, or goods successfully.

11.6 Payments

We use specialized service providers to process payments from our customers securely and reliably. For the processing of payments, the legal texts of the individual service providers such as General Terms and Conditions (GTC) or Privacy Policies also apply.

We use in particular:

11.7 Advertising

We utilize the opportunity to display targeted advertisements with third parties, such as social media platforms and search engines, for our activities and operations.

With such advertising, we aim to reach individuals who are already interested in or may be interested in our activities and operations (remarketing and targeting). For this purpose, we may transmit corresponding – possibly also personal – information to third parties that enable such advertising. Additionally, we may ascertain whether our advertising is successful, particularly whether it leads to visits to our website (conversion tracking).

Third parties with whom we advertise and with whom you, as a user, are logged in may potentially associate the use of our website with your profile there.

We use in particular:

12. Website Extensions

We use extensions for our website to access additional features. We may use selected services from suitable providers or use such extensions on our own server infrastructure.

We use in particular:

  • Google reCAPTCHA: Spam protection (distinguishing between desired content from humans and unwanted content from bots and spam); Provider: Google; Google reCAPTCHA-specific information: “What is reCAPTCHA?”.

13. Success and Reach Measurement

We try to determine how our online offering is used. In this context, we can, for example, measure the success and reach of our activities and operations as well as the impact of third-party links on our website. However, we may also experiment with and compare how different parts or versions of our online offering are used (“A/B test” method). Based on the results of success and reach measurement, we can particularly fix errors, strengthen popular content, or make improvements to our online offering.

For success and reach measurement, the IP addresses of individual users are usually stored. In this case, IP addresses are basically shortened (“IP masking”) to follow the principle of data minimization through the corresponding pseudonymization.

Cookies may be used for success and reach measurement, and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our website, information about screen size or browser window, and the – at least approximate – location. Basically, any user profiles created are exclusively pseudonymized and not used to identify individual users. Individual services from third parties, where users are logged in, may potentially associate the use of our online offering with the user account or profile with the respective service.

We use in particular:

  • Google Analytics: Success and reach measurement; Provider: Google; Google Analytics-specific information: Measurement across different browsers and devices (Cross-Device Tracking) as well as with pseudonymized IP addresses, which are only exceptionally fully transmitted to Google in the USA, “Privacy”, “Browser Add-on to Disable Google Analytics”.
  • Google Tag Manager: Integration and management of other services for success and reach measurement as well as other services from Google as well as from third parties; Provider: Google; Google Tag Manager-specific information: “Data Collected with Google Tag Manager”; further information on data protection can be found with the individual integrated and managed services.

14. Final Provisions

We have created this privacy policy with the Privacy Policy Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We reserve the right to adjust and supplement this privacy policy at any time. We will inform about such adjustments and supplements in an appropriate manner, particularly by publishing the respective current privacy policy on our website.