DATA PROTECTION

Privacy Policy Hotel Alpenrose Table of Contents

1. Controller and Content of this Privacy Policy 2

2. Contact Person for Data Protection 2

3. Scope and Purpose of Collection, Processing, and Use of Personal Data 2 3.1 Data Processing when Contacting Us 2 3.2 Data Processing when Using Our Chat Function 3 3.3 Data Processing for Bookings 4 3.4 Data Processing for Payment Processing 6 3.5 Data Processing for Recording and Billing of Related Services 8 3.6 Data Processing for Email Marketing 8 3.7 Data Processing for Using Our WiFi Network 9 3.8 Data Processing to Fulfill Legal Reporting Obligations 10 3.9 Data Processing for Job Applications 11

4. Central Data Storage and Analysis in the CRM System 11

5. Disclosure and International Transfer 12 5.1 Disclosure to Third Parties and Third-Party Access 12 5.2 Transfer of Personal Data Abroad 13 5.3 Information on Data Transfers to the USA 13

6. Background Data Processing on Our Website 14 6.1 Data Processing when Visiting Our Website (Logfile Data) 14 6.2 Cookies 15 6.3 Google Custom Search Engine 16 6.4 Tracking and Web Analysis Tools 16 6.5 Social Media 18 6.6 Online Advertising and Targeting 20

7. Retention Periods 21

8. Data Security 22

9. Your Rights 22

@internal: Legend: Green Marking: Points required only under the GDPR

1. Controller and Content of this Privacy Policy We, Carole, Michel, and Yasmin von Siebenthal, residing at Dorfstrasse 14, 3778 Schönried, SWITZERLAND, operate the Hotel Alpenrose located at Dorfstrasse 14, 3778 Schönried, SWITZERLAND, as well as the website www.hotelalpenrose.ch. Unless otherwise indicated in this Privacy Policy, we are responsible for the data processing activities listed in this Privacy Policy. To understand what personal data we collect from you and how we use it, please review the following information. In terms of data protection, we primarily adhere to the legal requirements of Swiss data protection laws, especially the Federal Act on Data Protection (DSG), as well as the GDPR, which may be applicable in specific cases. Please note that the information provided below may be reviewed and changed periodically. Therefore, we recommend that you regularly review this Privacy Policy. Additionally, for some of the data processing activities listed below, other companies may be legally responsible or jointly responsible for data protection. In these cases, the information provided by those providers is also relevant.

2. Contact Person for Data Protection If you have questions about data protection or would like to exercise your rights, please contact our data protection contact person by sending an email to the following address: info@hotelalpenrose.ch. You can reach our EU Data Protection Representative at: Yasmin von Siebenthal, Dorfstrasse 14, 3778 Schönried info@hotelalpenrose.ch Will be forwarded to our contact at Damke Rechtsanwälte as needed.

3. Scope and Purpose of Collection, Processing, and Use of Personal Data 3.1 Data Processing when Contacting Us When you get in touch with us through our contact addresses and channels (e.g., email, phone, or contact form), we process your personal data. The processed data includes the information you provide us, such as your name, email address, phone number, and your inquiry. Additionally, the time of receiving the inquiry is documented. Mandatory fields are marked with an asterisk (*). We process this data to address your inquiries (e.g., providing information about our hotel, assisting with contract processing such as booking questions, incorporating your feedback to improve our services, etc.). For processing contact inquiries through the contact form, we use a software application from Wix.com. Therefore, your data might be stored in a database by Wix.com, allowing them access for software provisioning and support. Information about third-party data processing and potential international transfers can be found in Section 5 of this Privacy Policy. The legal basis for these data processing activities is our legitimate interest according to Art. 6(1)(f) GDPR in addressing your inquiries, or if your inquiry relates to the conclusion or performance of a contract, the necessity for the performance of measures prior to entering into a contract according to Art. 6(1)(b) GDPR. Wix.com might want to use some of this data for its own purposes (e.g., sending marketing emails or statistical analysis). Wix.com is the controller for these data processing activities and must ensure compliance with data protection laws in relation to these activities. Information about data processing by Wix.com can be found at https://www.wix.com/about/privacy.

3.2 Data Processing when Using Our Chat Function When you contact us through our chat function, we process your personal data. The processed data includes the information you provide us, such as your company name, your name, your role, your email address, and your inquiry. Additionally, the time of receiving the inquiry is documented. Mandatory fields are marked with an asterisk (*). We process this data solely to address your inquiries (e.g., providing information about our hotel, assisting with contract processing such as booking questions, incorporating your feedback to improve our services, etc.). For communication through the chat function, we use a software application from wix.com. Therefore, your data might be stored in a database by wix.com, allowing them access for software provisioning and support. Information about third-party data processing and potential international transfers can be found in Section 5 of this Privacy Policy. The legal basis for these data processing activities is our legitimate interest according to Art. 6(1)(f) GDPR in utilizing contemporary communication technologies, or if your inquiry relates to the conclusion or performance of a contract, the necessity for the performance of measures prior to entering into a contract according to Art. 6(1)(b) GDPR. Wix.com might want to use some of this data for its own purposes (e.g., sending marketing emails or statistical analysis). Wix.com is the controller for these data processing activities and must ensure compliance with data protection laws in relation to these activities. Information about data processing by wix.com can be found at https://www.wix.com/about/privacy.

3.3 Data Processing for Bookings 3.3.1 Booking through Our Website On our website, you have the option to make a reservation. For this purpose, we collect the following data, with mandatory fields marked during the booking process with an asterisk (*):

• Title

• First Name

• Last Name

• Billing Address

• Date of Birth

• Company, Company Address, and VAT Number for Business Customers

• Phone Number

• Email

• Payment Method

• Booking Details

• Comments

• Confirmation of the Accuracy of the Provided Information

• Confirmation of Awareness and Agreement regarding Terms and Privacy Policy We use this data to verify your identity before concluding a contract. We require your email address to confirm your booking and for future communication necessary for contract processing. We store your data together with booking details (e.g., room category, stay period

• 3. Data Processing for Booking and Payment Processing

• 3.4 Data Processing for Payment Processing

• 3.4.1 Payment Processing at the Hotel

• When you make purchases, receive services, or pay for your stay at our hotel using electronic payment methods, the processing of personal data is necessary. By using the payment terminals, you transmit information stored in your payment method, such as the cardholder's name and card number, to the involved payment service providers (e.g., payment solution providers, credit card issuers, and credit card acquirers). Additionally, they receive information that the payment method was used at our hotel, along with the transaction amount and time. In return, we only receive confirmation of the payment amount credited at the relevant time, which we can associate with the corresponding receipt number, or information that the transaction was not possible or was canceled. Always refer to the information provided by the respective company, especially the privacy policy and terms and conditions.

• For payment processing using the contact form, we use a software application from Hotelspider. Therefore, your data may be stored in a Hotelspider database, which allows Hotelspider to access your data if necessary for software provision and support. Information about data processing by third parties and possible transfers abroad can be found in Section 5 of this privacy policy.

• The legal basis for our data processing activities is the fulfillment of a contract with you according to Art. 6(1)(b) GDPR.

• Hotelspider may want to use some of this data for its own purposes (e.g., sending marketing emails or conducting statistical analyses). Hotelspider is responsible for these data processing activities and must ensure compliance with data protection laws in relation to these activities. Information about data processing by Hotelspider can be found at https://www.hotel-spider.com/en/privacy-policy.

• 3.4.2 Online Payment Processing

• When you make paid bookings on our website, order services or products, additional data may be required depending on the product, service, and desired payment method. This includes, in addition to the information mentioned in Section 3.3.1, providing additional data such as your credit card information or logging in to your payment service provider. This information, along with the fact that you have purchased a service from us at the relevant amount and time, will be transmitted to the respective payment service providers (e.g., payment solution providers, credit card issuers, and credit card acquirers). Always refer to the information provided by the respective company, especially the privacy policy and terms and conditions.

• The legal basis for our data processing activities is the fulfillment of a contract according to Art. 6(1)(b) GDPR.

• We reserve the right to store a copy of credit card information for security purposes. To prevent payment defaults, it may also be necessary to transmit the necessary data, particularly your personal data, to a credit agency for automated credit assessment. In this context, the credit agency may assign you a so-called score value, an estimated value of the future risk of payment default, expressed as a percentage. This value is determined using mathematical-statistical methods and by incorporating data from the credit agency and other sources. Based on the obtained information, we reserve the right not to offer you the "invoice" payment option.

• The legal basis for this data processing is our legitimate interest according to Art. 6(1)(f) GDPR in preventing payment defaults.

• 3.5 Data Processing for Recording and Billing of Consumed Services

• If you receive services during your stay with us (e.g., additional nights, wellness, restaurant, activities), in addition to your contractual data, we will collect and process data related to the booking (e.g., timing and remarks) as well as data related to the booked and consumed service (e.g., type of service, price, and timing of service consumption) for the purpose of processing the service, as described in Section 3.3.

• The legal basis for our data processing activities is the fulfillment of a contract with you according to Art. 6(1)(b) GDPR.

• 3.6 Data Processing for Email Marketing

• When you register for our marketing emails (e.g., during registration, within your customer account, or as part of an order, booking, or reservation), the following data will be collected. Mandatory information is marked with an asterisk (*):

• Email address

• Salutation

• First and last name

• To prevent abuse and ensure that the owner of an email address has indeed given their consent to receive marketing emails, we use the double opt-in method during registration. After submitting the registration, you will receive an email from us with a confirmation link. To definitively register for marketing emails, you must activate this link. If you do not confirm your email address by clicking the confirmation link within the specified period, your data will be deleted, and no marketing emails will be sent to that address.

• By registering, you consent to the processing of this data to receive marketing emails about our hotel and related information about products and services. These marketing emails may also include invitations to participate in contests, provide feedback, or rate our products and services. Collecting salutation and first and last name allows us to associate the registration with an existing customer account, enabling us to personalize the content of marketing emails. Linking with a customer account allows us to make the offers and content in marketing emails more relevant to you and better aligned with your potential needs.

• We will use your data for sending marketing emails until you withdraw your consent. Withdrawal is possible at any time, especially through the unsubscribe link included in all marketing emails. 

• Section 3: Data Processing

• 3.1 Data Processing for Reservation and Contract Fulfillment

• When making a reservation, we collect and process the following data:

• Title

• First and last name

• Address

• Email address

• Telephone number

• Credit card information

• The legal basis for this data processing is the fulfillment of a contract with you according to Article 6(1)(b) of the GDPR. Non-mandatory information is provided voluntarily. We process this data to tailor our offerings to your needs, facilitate contract processing, contact you through alternative communication methods if necessary for contract fulfillment, or for statistical analysis to optimize our offerings. The legal basis for this data processing is your consent according to Article 6(1)(a) of the GDPR. You can revoke this consent at any time.

• 3.2 Booking through a Booking Platform

• When booking through third-party platforms, we receive various personal data from the platform operators related to your booking. We process these data to register your booking and provide the booked services. The legal basis for this data processing is the performance of pre-contractual measures and contract fulfillment according to Article 6(1)(b) of the GDPR. We might exchange data with platform operators in case of disputes or complaints to protect our legitimate interests.

• 3.3 Data Processing for Payment Transactions

• We process data for payment transactions when you purchase products, services, or settle your stay using electronic payment methods. This data includes payment details and is processed to fulfill the contract. The legal basis for this data processing is the fulfillment of a contract with you according to Article 6(1)(b) of the GDPR. We might store credit card information for security purposes and assess creditworthiness through automated processes to prevent payment defaults. The legal basis for this processing is our legitimate interest according to Article 6(1)(f) of the GDPR.

• 3.4 Data Processing for Email Marketing

• Our marketing emails may contain web beacons or similar tools. We use these for statistical purposes and optimization of our marketing emails. The legal basis for this data processing is your consent according to Article 6(1)(a) of the GDPR. Our marketing emails may be provided through a software application from Wix, and Wix might use data for its own purposes. More information on this can be found on Wix's privacy page.

• 3.5 Data Processing for WiFi Usage

• To use our WiFi network, registration is required. Data collected for registration includes your mobile phone number and device's MAC address. These data are processed based on your consent. We work with Swisscom for WiFi provision, and Swisscom's legal obligations might require data disclosure.

• 3.6 Data Processing for Legal Reporting

• We collect information from guests upon arrival to fulfill legal reporting requirements, including personal data such as name, address, birthdate, nationality, and more. This processing is based on our legal obligation according to Article 6(1)(c) of the GDPR.

• 3.7 Data Processing for Job Applications

• When applying for a job, we process the provided personal data to assess your suitability for the position. This processing is based on contract fulfillment and the application process according to Article 6(1)(b) of the GDPR.

• 4. Central Data Storage and Analysis in CRM System

• We store and link the mentioned data in a central database for efficient customer data management and to offer relevant information. We analyze this data to develop tailored offers and predict future orders.

• 5. Sharing and Transfer Abroad

• We share data with selected third-party service providers to offer our services. These third parties include platforms like Booking.com and Expedia. Data transfer is based on the performance of a contract.

• "To inform about data processing beyond the transmission of data for service provision and to comply with data protection laws. In addition, your data may be disclosed to authorities, legal advisors, or debt collection agencies if we are legally obligated to do so or if it is necessary to protect our rights, especially to enforce claims arising from the relationship with you. Data may also be disclosed when another company intends to acquire our company or parts thereof, and such disclosure is necessary for conducting a due diligence examination or for completing the transaction. The legal basis for these data processing activities is our legitimate interest pursuant to Art. 6(1)(f) of the General Data Protection Regulation (GDPR) in protecting our rights and fulfilling our obligations, or in the sale of our company or parts thereof.

• 1.1 Transfer of Personal Data Abroad We are entitled to transfer your personal data to third parties abroad if this is necessary for the data processing activities mentioned in this privacy policy. Specific data transfers have been mentioned in section 3 above. The legal regulations for disclosing personal data to third parties are naturally complied with. The states to which data is transferred include those that, according to a decision by the Federal Council and the EU Commission, have an adequate level of data protection (such as EEA member states or, from the EU's perspective, Switzerland), but also states (such as the USA) whose data protection level is not considered adequate (see Annex 1 of the Data Protection Ordinance (DSV) and the EU Commission's website). If the respective country does not have an adequate level of data protection, we will ensure, unless an exception is indicated in individual data processing cases (see Art. 49 GDPR), that your data is adequately protected at these companies through suitable guarantees. These guarantees, unless otherwise indicated, are standard contractual clauses within the meaning of Art. 46(2)(c) of the GDPR, which can be accessed on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have questions about the measures taken, please contact our data protection contact (see section 2).

• 1.2 Information on Data Transfers to the USA Some of the third-party service providers mentioned in this privacy policy are located in the USA. For users residing in Switzerland or the EU, we would like to inform you for the sake of completeness that surveillance measures by US authorities exist in the USA, which generally enable the storage of all personal data of individuals whose data has been transferred from Switzerland or the EU to the USA. This happens without differentiation, restriction, or exception based on the pursued goal and without an objective criterion that would allow access by US authorities to the data and their subsequent use to be limited to very specific, strictly limited purposes that could justify the intrusion associated with accessing and using the data. Furthermore, we point out that there are no legal remedies or effective judicial protection for affected individuals from Switzerland or the EU against general access rights of US authorities, which would allow them to access the data concerning them and to request their correction or deletion. We explicitly inform you of this legal and factual situation in order to enable you to make an informed decision regarding your consent to the use of your data. For users residing in Switzerland or an EU member state, we also point out that the USA, from the perspective of the European Union and Switzerland, does not have an adequate level of data protection. To the extent that we have explained in this privacy policy that data recipients (such as Google) are based in the USA, we will ensure through contractual arrangements with these companies, as well as any additional necessary appropriate safeguards, that your data is adequately protected at our third-party service providers.

• Background Data Processing on Our Website 2.1 Data Processing when Visiting Our Website (Logfile Data) When you visit our website, the servers of our hosting provider wix.com temporarily record every access in a log file (logfile). The following data is recorded without your intervention and stored by us until it is automatically deleted:

• IP address of the requesting computer;

• Date and time of access;

• Name and URL of the accessed file;

• Website from which access was made, if applicable with the used search word;

• Operating system of your computer and the browser you used (including type, version, and language settings);

• Device type in the case of access via mobile phones;

• City or region from which access was made; and

• Name of your internet access provider. The collection and processing of this data serve the purpose of enabling the use of our website (establishing a connection), ensuring the long-term security and stability of the system, enabling error and performance analysis, and optimizing our website (see also sections 6.4 regarding the latter points). In the event of an attack on the website's network infrastructure or in case of suspicion of other unauthorized or abusive use of the website, the IP address as well as the other data will be evaluated for investigation and defense purposes, and if necessary, used in the context of civil or criminal proceedings for identification of the respective user. The legitimate interest for the purposes described above constitutes the legal basis for data processing pursuant to Art. 6(1)(f) of the GDPR.

• Finally, we use cookies and applications/tools based on the use of cookies when visitors access our website. In this context, the data described here can also be processed. More detailed information on this can be found in the subsequent sections of this privacy policy, particularly section 6.2.

• 2.2 Cookies Cookies are information files that your web browser stores on the hard drive or in the memory of your computer when you visit our website. Cookies are assigned identification numbers through which your browser is identified, and the information contained in the cookie can be read. Cookies help make your visit to our website easier, more pleasant, and more meaningful. We use cookies for various purposes that are necessary for the desired use of the website, i.e., 'technically necessary.' For example, we use cookies to identify you as a registered user after logging in, without needing to log in again as you navigate through different subpages. The provision of order and booking functions is also based on the use of cookies. Furthermore, cookies are used for other necessary technical functions of the website's operation, such as load balancing, which distributes the performance load of the page to various web servers to relieve the servers. Cookies are also used for security purposes, such as preventing unauthorized posting of content. Finally, we also use cookies in the design and programming of our website, for example, to enable the uploading of scripts or codes. The legal basis for these data processing activities is our legitimate interest pursuant to Art. 6(1)(f) of the GDPR in providing a user-friendly and contemporary website. Most internet browsers automatically accept cookies. However, when you access our website, we ask for your consent to the use of technically unnecessary cookies we employ, especially in the case of third-party cookies used for marketing purposes. You can make the desired settings through the corresponding buttons in the cookie banner. Details about the services associated with each cookie and data processing can be found within the cookie banner and in the subsequent sections of this privacy policy. You may also be able to configure your browser to prevent cookies from being stored on your computer or to receive a notification whenever you receive a new cookie. Instructions on how to configure the processing of cookies in selected browsers can be found on the following pages:

• Google Chrome for Desktop

• Google Chrome for Mobile

• Apple Safari

• 6.4 Web Analytics and Online Advertising 6.4.1 Web Analytics We use the services of various providers to analyze the use of our website. For this purpose, the providers use various technologies that collect and store data about the behavior of visitors to our website. These data include:

• Subpage from which the website is exited;

• Country, region, or city from which an access is made;

• End device (type, version, color depth, resolution, width, and height of the browser window); and

• Returning or new visitor.

• On our behalf, the provider will use this information to evaluate the use of the website, especially to compile website activities and to provide further services related to website usage and internet usage for market research and the customized design of these websites. For these processing activities, we and the providers can be considered as joint controllers to a certain extent.

• The legal basis for these data processing activities with the following services is your consent within the meaning of Art. 6 (1) lit. a GDPR. You can withdraw your consent at any time or reject the processing by rejecting or deactivating the relevant cookies in your web browser settings (see section 6.2) or by using the service-specific options described below.

• For further processing of the data by the respective provider as the data protection (sole) controller, including a possible transfer of this information to third parties, such as authorities due to national legal regulations, please refer to the respective privacy policies of the provider.

• 6.4.2 Google Analytics We use the web analytics service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

• Contrary to the description in section 6.4.1, IP addresses are not logged or stored in Google Analytics (using the version "Google Analytics 4" as mentioned here). For access from the EU, IP address data is only used to derive location data and is immediately deleted thereafter. When collecting measurement data in Google Analytics, all IP lookups are done on EU-based servers before the traffic is forwarded to Analytics servers for processing. Google Analytics uses regional data centers. When connecting to the nearest available Google data center in Google Analytics, measurement data is sent to Analytics via an encrypted HTTPS connection. The data is further encrypted in these centers before being transmitted to Analytics processing servers and made available on the platform. IP addresses are used to determine the most suitable local data center. This may also involve the transfer of data to servers abroad, such as in the USA (see section 5.2 regarding the absence of an adequate level of data protection and the intended safeguards).

• We also use the technical extension "Google Signals," which enables cross-device tracking. This means that a single website visitor can be associated with different devices. However, this only happens if the visitor is logged into a Google service during website visits and has also enabled the "personalized advertising" option in their Google account settings. Even then, no personal data or user profiles become accessible to us; they remain anonymous. If you do not wish to use "Google Signals," you can deactivate the "personalized advertising" option in your Google account settings.

• Users can prevent Google from collecting the data generated by the cookie and related to their website use (including the IP address) as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

• In addition to the browser plugin, users can click this link to prevent future data collection by Google Analytics on the website. An opt-out cookie will be stored on the user's device. If users delete cookies (see section 6 on cookies), they need to click the link again.

• 6.4.3 Wix.com We use the web analytics service Wix.com. The described data about the use of the website can be transmitted to Wix.com's servers in the EU for the stated processing purposes (see section 5).

• Users can prevent Wix.com from collecting the data generated by the cookie and related to their website use (including the IP address) as well as the processing of this data by Wix.com by clicking the following link and following the instructions: https://www.wix.com/about/privacy

• 6.5 Social Media 6.5.1 Social Media Profiles On our website, we have included links to our profiles on the social networks of the following providers:

• Meta Platforms Inc., 1601 S California Ave, Palo Alto, CA 94304, USA, Privacy Policy;

• When you click on the icons of the social networks, you will be automatically redirected to our profile on the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives information that you have visited our website with your IP address and clicked on the link. This may also involve the transfer of data to servers abroad, such as in the USA (see sections 5.2 and 5.3 regarding the absence of an adequate level of data protection and the intended safeguards).

• If you click on a link to a network while logged into your user account on the respective network, the content of our website can be linked to your profile, allowing the network to directly associate your visit to our website with your account. If you want to prevent this, you should log out before clicking on the corresponding links. A connection between your access to our website and your user account always occurs if you log in to the network after clicking the link. The respective provider is responsible for the data processing associated with this and thus the data protection controller. Therefore, please refer to the privacy policies on the network's website.

• The legal basis for any data processing that may be attributed to us is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in the use and promotion of our social media profiles.

• 6.5.2 Social Media Plugins On our website, you can use social media plugins from the following providers:

• Meta Platforms Inc., 1601 S California Ave, Palo Alto, CA 94304, USA, Privacy Policy;

• We use social media plugins to facilitate the sharing of content from our website. These plugins help increase the visibility of our content in social networks and thus contribute to better marketing.

• The plugins are deactivated by default on our websites and therefore do not send data to the social networks when you simply visit our website. To increase data protection, we have integrated the plugins in such a way that a connection to the servers of the networks is not automatically established. Only when you activate the plugins by clicking on them and thus give your consent for data transmission and processing by the providers of the social networks, your browser establishes a direct connection to the servers of the respective social network.

• - Subpage on which the website is exited;
  - Country, region, or city from which access is made;
  - End device (type, version, color depth, resolution, width, and height of the browser window); and
  - Returning or new visitor.

• In our mandate, the provider will use this information to evaluate the use of the website, especially to compile website activities and provide other services related to website usage and internet usage for market research and customized design of these websites. For these processing activities, we and the providers may be considered joint controllers to some extent in terms of data protection.

• The legal basis for these data processing activities with the following services is your consent within the meaning of Art. 6(1)(a) of the GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in your web browser settings (see Section 6.2) or by using the service-specific options described below.

• For the further processing of data by the respective provider as the data controller under data protection law, including the possible transmission of this information to third parties, such as authorities under national regulations, please refer to the respective data protection notices of the provider.

• 6.4.2 Google Analytics

• We use the web analytics service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

• Contrary to the description in Section 6.4.1, IP addresses are not logged or stored in Google Analytics (in the version used here "Google Analytics 4"). For accesses from the EU, IP address data is only used to derive location data and is immediately deleted. When collecting measurement data in Google Analytics, all IP address lookups are performed on EU-based servers before the traffic is transferred to the analytics servers for processing. Google Analytics uses regional data centers. When a connection is established to the nearest available Google data center in Google Analytics, measurement data is sent to Analytics via an encrypted HTTPS connection. In these centers, the data is encrypted again before being transferred to the Analytics processing servers and made available on the platform. IP addresses determine the most suitable local data center. This can also result in data being transmitted to servers abroad, such as the United States (especially given the lack of an adequate data protection level and the guarantees provided, Section 5.2).

• In this context, we also use the technical extension "Google Signals," which allows for cross-device tracking, meaning tracking across multiple devices. This only occurs if the visitor is logged into a Google service during visits to websites and has enabled the "personalized advertising" option in their Google account settings. However, we do not have access to personal data or user profiles; they remain anonymous to us. If you do not want to use "Google Signals," you can disable the "personalized advertising" option in your Google account settings.

• Users can prevent Google from collecting data generated by the cookie and related to the use of the website by the user (including the IP address) as well as the processing of this data by Google by downloading and installing the browser add-on available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

• As an alternative to the browser add-on, users can click this link to prevent Google Analytics from collecting data on the website in the future. An opt-out cookie is stored on the user's device. If users delete cookies (see Section 6.2), the link must be clicked again.

• 6.4.3 Wix.com

• We use the web analytics service from Wix.com. The data described about website usage may be transmitted to Wix.com servers within the EU for processing purposes (see Section 5).

• Users can prevent the collection of data generated by the cookie and related to the use of the website by the user (including the IP address) as well as the processing of this data by Wix.com by clicking on the following link and following the instructions: https://www.wix.com/about/privacy.

• 6.5 Social Media

• 6.5.1 Social Media Profiles

• On our website, we have integrated links to our profiles on the social media networks of the following providers:

• - Meta Platforms Inc., 1601 S California Ave, Palo Alto, CA 94304, USA, Privacy Notice.
  When you click on the social media icons, you will be automatically redirected to our respective profile on the social network. This establishes a direct connection between your browser and the corresponding social network server. The network then receives information that you have visited our website with your IP address and that you have clicked the link. This can also result in data being transmitted to servers abroad, such as the United States (see Sections 5.2 and 5.3).

• If you click on a link to a social network while being logged into your user account on the corresponding social network, the content of our website can be associated with your profile, allowing the network to attribute your visit to our website directly to your account. If you want to avoid this, you must log out before clicking on the corresponding links. A connection between your access to our website and your user account takes place in any case if you log into the network after clicking on the link. The network provider is responsible for data protection for the associated data processing. Therefore, please refer to the respective privacy notices of the corresponding network.

• The legal basis for any processing that may be attributed to us is our legitimate interest within the meaning of Art. 6(1)(f) of the GDPR in the use and promotion of our social media profiles.

• 6.5.2 Social Media Plugins

• On our website, you can use social media plugins from the following providers:

• - Meta Platforms Inc., 1601 S California Ave, Palo Alto, CA 94304, USA, Privacy Notice.
  We use social media plugins to facilitate the sharing of content from our website. Social media plugins help us increase the visibility of our content on social networks and thereby contribute to better marketing.

• The plugins are deactivated by default on our websites and therefore do not send data to social networks when you simply visit our website. To increase data protection, we have integrated the plugins in a way that does not automatically establish a connection to the servers of the networks. Only when you activate the plugins by clicking on them and thereby give your consent for data transmission and processing by the providers of the social networks does your browser establish a direct connection to the servers of the respective social network.

• The content of the plugin is transmitted directly from the social network to your browser and integrated into the website. As a result, the respective provider receives information that your browser has accessed the corresponding page of our website, even if you do not have an account on that social network or are not currently logged into it. This information (including your IP address) is sent directly to a server of the provider (usually in the USA) by your browser and stored there (see Sections 5.2 and 5.3). We do not have control over the extent of data that the provider collects with the plugin. From a data protection perspective, we may be considered joint controllers with the providers up to a certain extent.

• If you are logged into the social network, it can associate your visit to our website directly with your user account. When you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g., that you like a product or service from us) may also be published on the social network and may be shown to other users of the social network. The provider of the social network may use this information for the purpose of displaying advertisements and customizing the respective offer. For this purpose, usage, interest, and relationship profiles could be created, e.g., to evaluate your use of our website in relation to the ads displayed to you on the social network, inform other users about your activities on our website, and provide other services related to the use of the social network. You can find out about the purpose and scope of data collection and further processing and use of data by the providers of the social networks, as well as your rights and options for protecting your privacy, in the privacy notices of the respective providers.

• If you do not want the provider of the social network to associate the data collected from our website with your user account, you must log out of the social network before activating the plugins. Your consent is the legal basis for the processing activities described (Art. 6(1)(a) of the GDPR). You can revoke your consent at any time by informing the plugin provider in accordance with their privacy notices.

• 6.6 Online Advertising and Targeting

• 6.6.1 In General

• We use services from various companies to present you with interesting online offers. Your user behavior on our website and websites of other providers is analyzed in order to subsequently display online advertising that is tailored to you.

• Most tracking and targeting technologies work with cookies (see Section 6.2) that allow your browser to be recognized across various websites. Depending on the service provider, it is also possible for you to be recognized online when using different devices (e.g., laptop and smartphone). This may occur, for example, if you have registered for a service that you use with multiple devices.

• In addition to the data already mentioned that arises when websites are accessed (log file data, see Section 6.1) and when cookies are used (Section 6.2) and which can be transferred to the companies participating in the advertising networks, the following data, in particular, flow into the selection of potentially the most relevant advertising for you:

• - Personal information that you have provided when registering for or using a service from advertising partners (e.g., gender, age group); and
  - User behavior (e.g., search queries, interactions with advertising, types of visited websites, viewed and purchased products or services, subscribed newsletters).

• We and our service providers use this data to determine whether you belong to the target group we are addressing and take this into account when selecting advertisements. For example, after visiting our site, when you visit other sites, you may be shown ads for products or services that you have consulted (re-targeting). Depending on the extent of the data, a user profile may also be created, which is automatically evaluated, with ads selected based on the information stored in the profile, such as affiliation with specific demographic segments or potential interests or behaviors. Such ads can be shown to you on various channels, including our website or app (as part of on-site and in-app marketing) as well as advertisements mediated by online advertising networks we use, such as Google.

• The data can then be evaluated for the purpose of settlement with the service provider and to assess the effectiveness of advertising measures, thus better understanding the needs of our users and customers and improving future campaigns. This may also include information that the performance of an action (e.g., visiting specific sections of our website or submitting information) can be attributed to a specific advertising display. Furthermore, we receive aggregated reports of advertising activities and information about how users interact with our website and ads from service providers.

• Your consent is the legal basis for these data processing activities (Art. 6(1)(a) of the GDPR). You can revoke your consent at any time by rejecting or deactivating the relevant cookies in your web browser settings (see Section 6.2). Further options for blocking advertising are also available in the information provided by the respective service provider, such as Google.

• 6.6.2 Google Ads

• This website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google), for online advertising as explained in Section 6.6.1. Google uses cookies (see the list here) to recognize your browser when you visit other websites. The information generated by the cookies about your visit to these websites (including your IP address) is transferred to a Google server in the USA and stored there (see Sections 5.2 and 5.3). Further information about data protection at Google can be found here.

• Your consent is the legal basis for these data processing activities (Art. 6(1)(a) of the GDPR). You can revoke your consent at any time by rejecting or deactivating the relevant cookies in your web browser settings (see Section 6.2). Further options for blocking advertising are also available here.

• 7. Retention Periods

• We store personal data only as long as necessary to carry out the processing activities explained in this privacy policy within the scope of our legitimate interest. For contract-related data, storage is required by legal retention obligations. Requirements that obligate us to retain data result from provisions on accounting and tax regulations. In accordance with these regulations, business communications, completed contracts, and booking documents must be retained for up to 10 years. If we no longer need this data to perform services for you, the data will be blocked. This means that the data may only be used if it is necessary to fulfill the retention obligations or to defend and enforce our legal interests. Deletion of the data will occur as soon as no retention obligation and no legitimate interest in retention exist.

• 8. Data Security

• We use appropriate technical and organizational security measures to protect your stored personal data from loss and unauthorized processing, especially unauthorized access by third parties. Our employees and the service providers commissioned by us are obliged by us to maintain confidentiality and to comply with data protection. Furthermore, these individuals are granted access to personal data only to the extent necessary to fulfill their tasks.

• Our security measures are continuously adjusted in accordance with technological developments. However, the transmission of information over the Internet and electronic communication means always involves certain security risks, and therefore we cannot guarantee the absolute security of information transmitted in this way.

• 9. Your Rights

• As an affected individual by data processing, you have the following rights if the legal requirements are met:

• - Right of access: You have the right to request free access to your personal data stored by us, if we process such data. This gives you the opportunity to review the personal data we process about you and whether we process it in accordance with applicable data protection regulations.
  - Right to rectification: You have the right to have incorrect or incomplete personal data corrected and to be informed about the correction. In this case, we also inform recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.
  - Right to erasure: You have the right for your personal data to be deleted under certain circumstances. In individual cases, especially in the case of legal retention obligations, the right to erasure may be excluded. In this case, data blocking may take place instead of erasure.
  - Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.
  - Right to data portability: You have the right to receive the personal data you have provided to us in a readable format, free of charge.
  - Right to object: You can object to data processing at any time, particularly for data processing related to direct marketing (e.g., marketing emails).
  - Right to withdraw consent: You generally have the right to withdraw consent you have given at any time. However, processing activities that were based on your consent in the past will not become unlawful due to your withdrawal.

• To exercise these rights, please send us an email to the following address: info@hotelalpenrose.ch.

• Right to Lodge a Complaint: You have the right to lodge a complaint with a competent supervisory authority, for example, concerning the manner in which your personal data is processed.

• Please note that this translation is based on the provided text and might not capture all legal nuances. If you have any legal concerns, it's advisable to consult with a legal professional.