This privacy policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online offer and its associated websites, features, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer"). Regarding the terminology used, such as "processing" or "controller," we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Types of data processed:

- Inventory data (e.g., names, addresses)
- Contact data (e.g., email, phone numbers)
- Content data (e.g., text entries, photographs, videos)
- Usage data (e.g., visited websites, interest in content, access times)
- Meta/communication data (e.g., device information, IP addresses)

Categories of affected persons:

Visitors and users of the online offer (hereinafter we refer to the affected persons collectively as "users").

Purpose of processing:

- Provision of the online offer, its functions, and content
- Responding to contact requests and communication with users
- Security measures
- Reach measurement/marketing

Terminology used:

- Personal data refers to all information that relates to an identified or identifiable natural person (hereinafter "data subject"); a natural person is considered identifiable if they can be identified directly or indirectly, particularly by association with a name, identification number, location data, or online identifier (e.g., cookie) or one or more specific characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.

- Processing refers to any operation or set of operations carried out with or without the aid of automated procedures in connection with personal data. The term is broad and covers practically every handling of data.

- Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data is not attributed to an identified or identifiable natural person.

- Profiling refers to any type of automated processing of personal data involving the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects related to the individual's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

- Controller refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

- Processor refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Legal basis for processing:

In accordance with Art. 13 GDPR, we inform you about the legal basis of our data processing activities. If the legal basis is not mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR; the legal basis for processing to fulfill our services and perform contractual measures, as well as responding to inquiries, is Art. 6(1)(b) GDPR; the legal basis for processing to comply with our legal obligations is Art. 6(1)(c) GDPR; and the legal basis for processing to safeguard our legitimate interests is Art. 6(1)(f) GDPR. If the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, Art. 6(1)(d) GDPR serves as the legal basis.

Security measures:

We take appropriate technical and organizational measures in accordance with Art. 32 GDPR, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access to, input into, transfer of, securing availability of, and separation of the data. We have also established procedures to ensure the exercise of data subject rights, data deletion, and responses to data compromise. Furthermore, we consider the protection of personal data in the development, or selection, of hardware, software, and procedures, in accordance with the principle of data protection through technology design and privacy-friendly default settings (Art. 25 GDPR).

Collaboration with processors and third parties:

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them, or otherwise grant them access to the data, this is done only on the basis of legal permission (e.g., if a transfer of data to third parties, such as payment service providers, is necessary for the performance of the contract in accordance with Art. 6(1)(b) GDPR), you have given your consent, a legal obligation provides for this, or based on our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties to process data based on a so-called "data processing agreement," this is done based on Art. 28 GDPR.

The company Schönegg Zermatt AG is authorized to transmit personal data of the client, especially reservation data (e.g., title, first name, last name, date of birth, nationality, language, email address, mobile number, arrival and departure dates, number of people, nights, and potential exemption from tourist tax) to Zermatt Tourism. This personal data is stored and centrally recorded by Zermatt Tourism (and/or persons responsible for data processing on behalf of Zermatt Tourism). In this context, information and/or newsletters may be sent directly by Zermatt Tourism and/or Schönegg Zermatt AG to the client. It is also possible that such information is technically generated by Zermatt Tourism (and/or persons responsible for data processing on behalf of Zermatt Tourism) in the name of Schönegg Zermatt AG. This includes pre-stay and post-stay emails. More information on how Zermatt Tourism and Bonfire AG handle your data can be found in the Zermatt Tourism Privacy Policy: https://www.zermatt.ch/en/Media/Privacy-Policy-of-Zermatt-Tourism.

Transfers to third countries:

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure, or transmission of data to third parties, this is done only if it is necessary to fulfill our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or allow data to be processed in a third country only under the special conditions of Art. 44 et seq. GDPR. This means that the processing takes place based on special guarantees, such as the officially recognized level of data protection corresponding to the EU (e.g., for the USA through the "Privacy Shield") or compliance with officially recognized specific contractual obligations (so-called "standard contractual clauses").

‍