Terms of Use and Privacy Policy

General Terms and Conditions of Contract and Travel

General Terms and Conditions of Contract and Travel
The General Terms and Conditions (GTC) shall apply to all future services to be provided by CT for the benefit of legal entities or natural persons ("customer[s]").

• AGB Chur Tourismus

Privacy Policy

With this Privacy Policy, we inform you about the processing of personal data in connection with our activities and operations, including our chur.graubuenden.ch website. Specifically, we provide information on the purpose, manner, and location of our processing of personal data. We also inform individuals whose data we process about their rights.

Additional privacy policies or information on data protection may apply to individual or additional activities and operations.

We are subject to Swiss data protection law and, where applicable, to foreign data protection laws, particularly the European Union's (EU) General Data Protection Regulation (GDPR).

On July 26, 2000, the European Commission recognized that Swiss data protection law ensures adequate data protection. This adequacy decision was reaffirmed by the European Commission on January 15, 2024.

1. Contact Addresses

Responsible for the processing of personal data:

Chur Tourism
Poststrasse 43
7000 Chur

info@churtourismus.ch

In some cases, third parties may be responsible for processing personal data, or joint responsibility may exist with third parties.

1.1 Data Protection Officer or Data Protection Advisor

We have the following data protection officer or advisor as a point of contact for affected individuals and authorities for inquiries regarding data protection:

Fabian Maasch
Chur Tourism
Poststrasse 43
7000 Chur

info@churtourismus.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representative according to Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

info@churtourismus.ch

The data protection representative serves as an additional point of contact for affected individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) regarding GDPR inquiries.

2. Terms and Legal Bases

2.1 Terms

Affected Person: A natural person whose personal data we process.

Personal Data: Any information related to an identified or identifiable natural person.

Special Categories of Personal Data: Data concerning trade union membership, political, religious, or philosophical views and activities, health data, private life, ethnic or racial origin, genetic data, biometric data uniquely identifying a natural person, data on criminal or administrative sanctions or prosecutions, and data on social assistance measures.

Processing: Any handling of personal data, regardless of the means and methods used, such as querying, matching, adjusting, archiving, storing, reading, disclosing, acquiring, recording, collecting, deleting, disclosing, organizing, structuring, storing, modifying, distributing, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law, such as the Federal Act on Data Protection (Data Protection Act, DPA) and the Data Protection Ordinance (DPO).

If and to the extent that the European General Data Protection Regulation (GDPR) applies, we process personal data or personally identifiable data under at least one of the following legal bases:

• Art. 6 (1)(b) GDPR for necessary processing of personal data to fulfill a contract with the affected person and to carry out pre-contractual measures.
• Art. 6 (1)(f) GDPR for necessary processing of personal data to safeguard legitimate interests – also the legitimate interests of third parties – unless the fundamental freedoms, rights, and interests of the affected person prevail. Such interests include, in particular, the sustainable, human-friendly, secure, and reliable conduct of our activities and operations, ensuring information security, protection against misuse, enforcement of our legal claims, and compliance with Swiss law.
• Art. 6 (1)(c) GDPR for necessary processing of personal data to fulfill a legal obligation that we are subject to under the laws of the European Economic Area (EEA).
• Art. 6 (1)(e) GDPR for necessary processing of personal data to carry out a task in the public interest.
• Art. 6 (1)(a) GDPR for the processing of personal data with the consent of the affected person.
• Art. 6 (1)(d) GDPR for necessary processing of personal data to protect the vital interests of the affected person or another natural person.
• Art. 9 (2) GDPR for processing special categories of personal data, particularly with the consent of the affected persons.

The European General Data Protection Regulation (GDPR) refers to the processing of personal data as processing of personal data and the processing of special categories of personal data as processing of special categories of personal data (Art. 9 GDPR).

3. Nature, Scope, and Purpose of the Processing of Personal Data

We process the personal data that is necessary to sustainably, humanely, securely, and reliably carry out our activities and operations. The personal data processed may particularly fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data.

We also process personal data that we receive from third parties, obtain from publicly available sources, or collect in the course of carrying out our activities and operations, as long as such processing is legally permissible.

We process personal data where necessary with the consent of the affected individuals. In many cases, we can process personal data without consent, such as to fulfill legal obligations or safeguard overriding interests. We may also seek consent from affected individuals even when consent is not required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, particularly depending on statutory retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties include specialized providers whose services we use.

We may, for example, disclose personal data to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, and insurers.

5. Communication

We process personal data to communicate with third parties. In this context, we particularly process data provided by an affected individual when contacting us, for example, by postal mail or email. We may store such data in an address book or similar tools.

Third parties who transmit data about other individuals are required to ensure data protection for such affected persons. Among other things, this includes ensuring the accuracy of the transmitted personal data.

We use selected services from appropriate providers to communicate better with third parties.

We particularly use:

• Google Forms: Online form service; provider: Google; Google Forms-specific privacy information: “Security, Compliance, and Privacy”.
• Microsoft Forms: Online form service; provider: Microsoft; Microsoft Forms-specific privacy information: “Privacy and Compliance”, “Security and Privacy”.
• SurveyMonkey: Online service for forms and surveys; providers: SurveyMonkey Inc. (USA) / SurveyMonkey Europe UC (Ireland) and other SurveyMonkey companies and partners; privacy information: “SurveyMonkey and Privacy”, Privacy Policy, “Region-Specific Privacy Statement”, “Security Policies”.

6. Data Security

We take appropriate technical and organizational measures to ensure data security that is commensurate with the respective risks. With our measures, we ensure in particular the confidentiality, availability, traceability, and integrity of the processed personal data, although we cannot guarantee absolute data security.

Access to our website and our other online presence is made using transport encryption (SSL / TLS, particularly with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting websites without transport encryption.

Our digital communication is generally subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence on the corresponding processing of personal data by intelligence agencies, police, or other security authorities. We also cannot exclude that a specific affected person is monitored.

7. Personal Data Abroad

We process personal data primarily in Switzerland and the European Economic Area (EEA). However, we may export or transfer personal data to other countries, particularly for processing there or having it processed.

We can export personal data to all countries on Earth and elsewhere in the universe, provided that the law there ensures adequate data protection according to a decision by the Swiss Federal Council and – if and to the extent that the GDPR applies – also according to a decision by the European Commission.

We can transfer personal data to countries whose law does not ensure adequate data protection, provided that data protection is guaranteed for other reasons, particularly based on standard data protection clauses or other appropriate safeguards. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the special data protection legal requirements are met, such as the explicit consent of the affected individuals or a direct connection to the conclusion or execution of a contract. We are happy to provide information about any guarantees or provide copies of any guarantees upon request.

8. Rights of Affected Individuals

8.1 Data Protection Rights

We grant affected individuals all rights under applicable data protection law. Affected individuals have, in particular, the following rights:

• Access: Affected individuals may request information on whether we process personal data about them and, if so, what personal data is involved. Affected individuals also receive the information necessary to assert their data protection rights and ensure transparency. This includes the personal data processed as such, but also information about the processing purpose, the retention period, any disclosure or transfer of data to other countries, and the source of the personal data.
• Correction and Restriction: Affected individuals may correct incorrect personal data, complete incomplete data, and restrict the processing of their data.
• Deletion and Objection: Affected individuals may request the deletion of personal data (“Right to be Forgotten”) and object to the processing of their data with effect for the future.
• Data Delivery and Data Transfer: Affected individuals may request the delivery of personal data or the transfer of their data to another responsible party.

We may defer, restrict, or deny the exercise of affected individuals' rights to the extent legally permissible. We may inform affected individuals of any conditions that must be met to exercise their data protection rights. For example, we may deny access, citing confidentiality obligations, overriding interests, or the protection of others. We may also deny the deletion of personal data, citing, for instance, statutory retention obligations.

In exceptional cases, we may charge for the exercise of rights. We will inform affected individuals of any costs in advance.

We are required to take reasonable measures to identify affected individuals requesting information or exercising other rights. Affected individuals are required to cooperate in this process.

8.2 Legal Protection

Affected individuals have the right to assert their data protection rights through legal action or file complaints with a data protection supervisory authority.

The data protection supervisory authority for private data controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), the data protection supervisory authorities are federally structured, particularly in Germany.

9. Website Use

9.1 Cookies

We may use cookies. Cookies – both first-party cookies and third-party cookies whose services we use – are data stored in the browser. Such stored data does not necessarily have to be limited to traditional text-based cookies.

Cookies may be stored temporarily in the browser as "Session Cookies" or for a specified period as so-called persistent cookies. "Session Cookies" are automatically deleted when the browser is closed. Persistent cookies have a set storage period. Cookies make it possible, for example, to recognize a browser upon the next visit to our website and thereby, for example, measure the reach of our website. Persistent cookies can also be used for online marketing.

Cookies can be disabled or deleted at any time in the browser settings. Without cookies, our website may not be fully functional. We request active and explicit consent to the use of cookies where necessary.

For cookies used for success and reach measurement or advertising, a general objection ("opt-out") is possible for numerous services via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

9.2 Logging

We may log the following information for each access to our website and other online presence, provided such information is transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual subpage of our website accessed including data volume transmitted, and the last website accessed in the same browser window (referrer).

We log such information, which may also constitute personal data, in log files. The information is necessary to ensure our online presence is provided sustainably, humanely, and reliably. The information is also required to ensure data security – either by us or with the help of third parties.

9.3 Tracking Pixels

We may integrate tracking pixels into our online presence. Tracking pixels, also known as web beacons, are typically small, invisible images or JavaScript scripts that are automatically retrieved when accessing our online presence. Tracking pixels can capture at least the same information as log files.

10. Notifications and Communications

10.1 Success and Reach Measurement

Notifications and communications may contain web links or tracking pixels that capture whether an individual message has been opened and which web links were clicked. Such web links and tracking pixels may also track the use of notifications and communications on a personal basis. We need this statistical tracking of usage for success and reach measurement to send notifications and communications effectively and humanely and to do so sustainably, securely, and reliably according to the recipients' needs and reading habits.

10.2 Consent and Objection

You must generally consent to the use of your email address and other contact addresses unless their use is permitted for other legal reasons. For obtaining double-confirmed consent, we may use the "double opt-in" procedure. In this case, you will receive a message with instructions for the double confirmation. We may log obtained consents, including the IP address and timestamp, for evidence and security reasons.

You may generally object to receiving notifications and communications, such as newsletters, at any time. Such an objection may also be combined with an objection to the statistical tracking of usage for success and reach measurement. Required notifications and communications related to our activities and operations remain reserved.

10.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We particularly use:

• Mailchimp: Communication platform; provider: The Rocket Science Group LLC DBA Mailchimp (USA) as a subsidiary of Intuit Inc. (USA); privacy information: Privacy Policy (Intuit) including "Country and Region-Specific Terms", "Mailchimp Intuit Privacy FAQ", "Security", Cookie Policy, "Privacy Rights Requests", "Legal Terms".

11. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (T&Cs), usage conditions, privacy policies, and other provisions of the respective platform operators apply. These provisions inform affected individuals about their rights directly from the respective platform, including, for example, the right of access.

For our social media presence on Facebook, including so-called page insights, we are – to the extent that the GDPR applies – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page insights provide insights into how visitors interact with our Facebook presence. We use page insights to ensure the effective and human-friendly provision of our social media presence on Facebook.

Further information on the nature, scope, and purpose of data processing, information on the rights of affected individuals, as well as contact information for Facebook and Facebook's data protection officer, can be found in the Facebook Privacy Policy. We have entered into the so-called "Addendum for Controllers" with Facebook and, in particular, agreed that Facebook is responsible for ensuring the rights of affected individuals. For so-called page insights, the corresponding information is available on the page "Information about Page Insights" including "Information about Page Insights Data".

12. Third-Party Services

We use services from specialized third parties to carry out our activities and operations sustainably, humanely, securely, and reliably. With such services, we can embed features and content into our website. For such embedding, the services used may collect at least temporarily the IP addresses of users for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data in connection with our activities and operations in an aggregated, anonymized, or pseudonymized form. These may include performance or usage data required to provide the respective service.

We particularly use:

• Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; general privacy information: "Privacy and Security Principles", "How Google Uses Personal Data", Privacy Policy, "Google is Committed to Compliance with Applicable Privacy Laws", "Guide to Privacy in Google Products", "How We Use Data from Sites or Apps that Use Our Services", "Types of Cookies and Similar Technologies Used by Google", "Ads You Can Influence".
• Microsoft Services: Providers: Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), Switzerland, and the United Kingdom / Microsoft Corporation (USA) for users in the rest of the world; general privacy information: "Microsoft Privacy", "Privacy and Trust", Privacy Statement, "Data and Privacy Settings".

12.1 Digital Infrastructure

We use services from specialized third parties to access the required digital infrastructure in connection with our activities and operations. These may include hosting and storage services from selected providers.

We particularly use:

• exigo: Hosting; provider: exigo ag (Switzerland); privacy information: Privacy Policy, "Data Protection / Security".

12.2 Appointment Scheduling

We use services from specialized third parties to schedule appointments online, for example, for meetings. In addition to this Privacy Policy, any directly visible terms of the services used, such as usage terms or privacy policies, also apply.

We particularly use:

• Doodle: Online appointment scheduling; provider: Doodle AG (Switzerland) as a subsidiary of TX Group AG (Switzerland); privacy information: Privacy Policy, "General Terms and Conditions of the Processing of Personal Data".

12.3 Audio and Video Conferences

We use specialized services for audio and video conferences to communicate online. This allows us, for example, to hold virtual meetings or provide online classes and webinars. Participation in audio and video conferences is subject to the legal texts of the individual services, such as privacy policies and usage terms.

Depending on your life situation, we recommend that you mute the microphone by default and blur the background or use a virtual background when participating in audio or video conferences.

We particularly use:

• Zoom: Platform for collaborative work, especially with video conferences; provider: Zoom Video Communications Inc. (USA); privacy information: "Zoom Privacy", Privacy Policy, "Legal Compliance".

12.4 Online Collaboration

We use services from third parties to enable online collaboration. In addition to this Privacy Policy, any directly visible terms of the services used, such as usage terms or privacy policies, also apply.

We particularly use:

• Asana: Collaboration platform for businesses; provider: Asana Inc. (USA); privacy information: "Trust at Asana", Privacy Policy, Bug Bounty Program.
• Microsoft Teams: Platform for productive collaboration, particularly with audio and video conferences; provider: Microsoft; Teams-specific information: "Security and Compliance in Microsoft Teams," particularly "Privacy".
• Slack: Platform for productive collaboration, particularly via chat; providers: Slack Technologies LLC (USA) for users in Canada and the USA / Slack Technologies Limited (Ireland) for users in the rest of the world; privacy information: Privacy Policy, "Trust Center", "Privacy FAQ", "Data Management: Transparency and Clarity", Cookie Policy.

12.5 Map Material

We use services from third parties to embed maps into our website.

We particularly use:

• Google Maps including Google Maps Platform: Map service; provider: Google; Google Maps-specific information: "How Google Uses Location Information".
• Outdooractive: Map service; provider: Outdooractive AG (Germany); privacy information: Privacy Policy.

12.6 Digital Content

We use services from specialized third parties to embed digital content into our website. Digital content includes, in particular, images, videos, music, and podcasts.

We particularly use:

• Vimeo: Video platform; provider: Vimeo Inc. (USA); privacy information: Privacy Policy, "Private Video Hosting".
• YouTube: Video platform; provider: Google; YouTube-specific information: "Privacy and Safety Center", "My Data on YouTube".

12.7 Documents

We use services from third parties to embed documents into our website. Such documents may include PDF files, presentations, spreadsheets, and text documents. This allows not only viewing but also editing or commenting on such documents.

12.8 E-Commerce

We operate e-commerce and use services from third parties to successfully offer services, content, or goods.

We particularly use:

• TOMAS: Booking platform; provider: my.IRS GmbH (Germany); privacy information: Privacy Policy.

12.9 Payments

We use specialized service providers to process payments from our customers securely and reliably. The terms of the individual service providers, such as general terms and conditions (T&Cs) or privacy policies, apply in addition to our Privacy Policy.

We particularly use:

• Payyo: Payment processing for marketplaces and platforms in the leisure and tourism industry; provider: TrekkSoft AG (Switzerland); privacy information: Privacy Policy.
• TWINT: Payment processing in Switzerland; provider: TWINT AG (Switzerland); privacy information: Privacy Policy, "Security According to Swiss Standards".
• Worldline: Payment processing, particularly with mobile payment solutions; providers: Worldline SA (France), Worldline Switzerland AG (Switzerland), and other Worldline companies worldwide (including the USA); privacy information: Privacy Policy, "Responsible Data Use Program", Cookie Policy.

12.10 Advertising

We use the possibility of displaying advertising on third-party platforms, such as social media platforms and search engines, to promote our activities and operations.

We aim to reach individuals who are already interested in our activities and operations or who may be interested in them (remarketing and targeting). For this purpose, we may transmit relevant – possibly personally identifiable – data to third parties who enable such advertising. We may also determine whether our advertising is successful, i.e., whether it leads to visits to our website (conversion tracking).

Third parties where we advertise, and where you are registered as a user, may link the use of our website to your profile there.

We particularly use:

• Google Ads: Search engine advertising; provider: Google; Google Ads-specific information: advertising based on search queries, using various domain names – particularly doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads, Privacy Policy for Advertising, "Manage Ads Directly Through Ad Settings".
• Meta Ads: Social media advertising on Facebook and Instagram; providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); privacy information: targeting, including retargeting, particularly with the Meta Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy, "Ad Preferences" (login required).

13. Success and Reach Measurement

We strive to measure the success and reach of our activities and operations. In this context, we may also measure the effectiveness of third-party referrals or test how different parts or versions of our online offerings are used ("A/B test" method). Based on the results of success and reach measurement, we can fix errors, strengthen popular content, or make improvements.

For success and reach measurement, the IP addresses of individual users are usually captured. In this case, IP addresses are generally truncated ("IP masking") to follow the principle of data minimization through corresponding pseudonymization.

In success and reach measurement, cookies may be used, and user profiles may be created. Any user profiles created may include, for example, the specific pages visited or content viewed on our website, information about the screen size or browser window, and the – at least approximate – location. Generally, any user profiles are created exclusively pseudonymized and not used to identify individual users. Certain services of third parties, where users are registered, may link the use of our online offerings to the user account or user profile with the respective service.

We particularly use:

• Google Marketing Platform: Success and reach measurement, particularly with Google Analytics; provider: Google; Google Marketing Platform-specific information: measurement also across browsers and devices (cross-device tracking) with pseudonymized IP addresses, which are only in exceptional cases fully transferred to Google in the USA, Privacy Policy for Google Analytics, "Browser Add-on to Disable Google Analytics".
• Google Tag Manager: Embedding and management of Google services and third parties, particularly for success and reach measurement; provider: Google; Google Tag Manager-specific information: Privacy Policy for Google Tag Manager; further privacy information can be found with the individual embedded and managed services.

14. Video Surveillance

We use video surveillance to prevent crimes, secure evidence in the event of crimes, exercise and assert our legal rights, defend against legal claims, and enforce our house rules. This constitutes – to the extent that the GDPR applies – overriding legitimate interests according to Art. 6 (1)(f) GDPR, in the case of special categories of personal data with reference to Art. 9 (2)(f) GDPR.

We store recordings from our video surveillance as long as necessary for evidence or other purposes. Typically, the recordings are deleted or overwritten after 24 hours.

We may secure recordings from our video surveillance and transmit them to competent authorities, such as courts or law enforcement authorities, if such transmission is necessary for a stated purpose, in our legitimate overriding interest, or based on legal obligations.

15. Final Provisions

We have created this Privacy Policy using the Privacy Policy Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We may adjust and supplement this Privacy Policy at any time. We will inform about such adjustments and supplements in an appropriate form, particularly by publishing the current version of the Privacy Policy on our website.