With this privacy policy, we provide information about the processing of personal data in connection with our activities and operations, including our website under the domain name alpenrose-ai.ch. In particular, we explain for what purposes, how, and where we process which personal data. We also inform about the rights of individuals whose data we process.
For specific or additional activities and operations, we may publish further privacy policies or other data protection information.
We are subject to Swiss data protection law as well as any applicable foreign data protection law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR).
The European Commission recognized in its decision of July 26, 2000 that Swiss data protection law ensures an adequate level of data protection. In its report of January 15, 2024, the European Commission reaffirmed this adequacy decision.
Gasthaus Alpenrose
Schwendetalstrasse 97
9057 Wasserauen
info@alpenrose-ai.ch
In certain cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties.
2. Terms and Legal Basis
2.1 Terms
Data Subject: A natural person whose personal data we process.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data about trade union membership, political, religious or philosophical beliefs and activities, data about health, the intimate sphere, or the belonging to an ethnicity or race, genetic data, biometric data that uniquely identify a natural person, data about criminal and administrative sanctions or prosecutions, and data about social assistance measures.
Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, collecting, capturing, deleting, revealing, arranging, organizing, saving, modifying, spreading, linking, destroying, and using personal data.
European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.
2.2 Legal Basis
We process personal data in accordance with Swiss data protection law, in particular the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
If and to the extent that the European General Data Protection Regulation (GDPR) applies, we process personal data based on at least one of the following legal bases:
- Art. 6 para. 1 lit. b GDPR for the processing of personal data necessary for the performance of a contract with the data subject or for carrying out pre-contractual measures.
- Art. 6 para. 1 lit. f GDPR for the processing of personal data necessary to safeguard legitimate interests – including the legitimate interests of third parties – unless the fundamental rights and freedoms of the data subject outweigh these interests. Such interests include, in particular, the continuous, user-friendly, secure, and reliable operation of our activities, ensuring information security, protection against misuse, enforcement of our own legal claims, and compliance with Swiss law.
- Art. 6 para. 1 lit. c GDPR for the processing of personal data necessary to fulfill a legal obligation to which we are subject under applicable law of a member state in the European Economic Area (EEA).
- Art. 6 para. 1 lit e GDPR for the processing of personal data necessary for performing a task carried out in the public interest.
- Art. 6 para. 1 lit. a GDPR for the processing of personal data with the data subject's consent.
- Art. 6 para. 1 lit. d GDPR for the processing of personal data necessary to protect the vital interests of the data subject or another natural person.
- Art. 9 para. 2 ff. GDPR for the processing of special categories of personal data, in particular with the data subject's consent.
The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of special categories of personal data as the processing of special categories of personal data (Art. 9 GDPR).
3. Type, Scope, and Purpose of Processing Personal Data
We process personal data that is necessary to conduct our activities and operations in a sustainable, user-friendly, secure, and reliable manner. The processed personal data may particularly fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, provided such processing is legally permitted.
We process personal data where necessary with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to fulfill legal obligations or to protect overriding interests. We may also ask data subjects for their consent even if it is not legally required.
We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, particularly in accordance with legal retention and statutory limitation periods.
4. Disclosure of Personal Data
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties primarily include specialized service providers whose services we utilize.
For example, we may disclose personal data to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, and insurance providers.
5. Communication
We process personal data to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we primarily process data provided to us by a data subject when contacting us, for example, by postal mail or email. We may store such data in an address book or similar tools.
Third parties who transmit data about other individuals to us are responsible for ensuring the privacy of those affected. In particular, they must ensure that such data is accurate and may be lawfully transmitted.
6. Data Security
We take appropriate technical and organizational measures to ensure a level of data security appropriate to the respective risk. Our measures particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although absolute data security cannot be guaranteed.
Access to our website and other online services is carried out using transport encryption (SSL / TLS, particularly with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn users before accessing websites without transport encryption.
Our digital communication is subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries – as is generally the case with any digital communication. We have no direct influence over the corresponding processing of personal data by intelligence services, law enforcement agencies, and other security authorities. We also cannot rule out the possibility that a data subject may be specifically monitored.
7. Personal Data Abroad
We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, particularly to process or have it processed there.
We may export personal data to any country on Earth and elsewhere in the universe, provided that the legal framework in that location ensures adequate data protection according to the decision of the Swiss Federal Council and – where applicable under the General Data Protection Regulation (GDPR) – also according to the decision of the European Commission.
We may transfer personal data to countries where the legal framework does not ensure adequate data protection, provided that data protection is guaranteed by other means, particularly through standard data protection clauses or other appropriate safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if specific data protection conditions are met, such as the explicit consent of the data subjects or a direct connection to the conclusion or execution of a contract. Upon request, we are happy to provide affected individuals with information about any guarantees or supply a copy of such guarantees.
8. Rights of Data Subjects
8.1 Data Protection Claims
We grant data subjects all claims in accordance with the applicable data protection law. In particular, data subjects have the following rights:
- Access: Data subjects may request information about whether we process personal data about them and, if so, what personal data is involved. They also receive the necessary information to assert their data protection rights and ensure transparency. This includes the personal data processed, as well as details about the purpose of processing, the retention period, any disclosure or transfer of data to other countries, and the origin of the personal data.
- Correction and Restriction: Data subjects may correct inaccurate personal data, complete incomplete data, and request the restriction of the processing of their data.
- Deletion and Objection: Data subjects may request the deletion of their personal data ("right to be forgotten") and object to the processing of their data with effect for the future.
- Data Release and Transfer: Data subjects may request the release of personal data or the transfer of their data to another controller.
We may defer, restrict, or deny the exercise of data subjects' rights to the extent permitted by law. We may also inform data subjects of any conditions that need to be met for exercising their data protection rights. For example, we may refuse access to data, in whole or in part, by referring to confidentiality obligations, overriding interests, or the protection of other persons. Likewise, we may refuse to delete personal data, in whole or in part, by referring to legal retention obligations.
We may exceptionally charge fees for the exercise of rights. Data subjects will be informed in advance of any potential costs.
We are obligated to take reasonable measures to verify the identity of data subjects who request access or assert other rights. Data subjects are required to cooperate in this process.
8.2 Legal Remedies
Data subjects have the right to enforce their data protection claims through legal proceedings or to file a report or complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal agencies in Switzerland is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities have a federal structure, especially in Germany.
9. Use of the Website
9.1 Cookies
We may use cookies. Cookies – both first-party cookies and third-party cookies from services we use – are data stored in the browser. Such stored data is not necessarily limited to traditional text-based cookies.
Cookies can be stored in the browser temporarily as "session cookies" or for a specified period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a defined storage duration. Cookies allow, in particular, a browser to be recognized on a subsequent visit to our website, thereby enabling, for example, the measurement of our website’s reach. However, permanent cookies may also be used for online marketing.
Cookies can be deactivated or deleted entirely or partially at any time in the browser settings. Without cookies, our website may not be fully available. At a minimum, where necessary, we actively request explicit consent for the use of cookies.
For cookies used for performance and reach measurement or for advertising, a general opt-out is available for many services through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
9.2 Logging
We may log at least the following information for each access to our website and other online presence, provided that such information is transmitted to our digital infrastructure: date and time, including time zone, IP address, access status (HTTP status code), operating system, including user interface and version, browser, including language and version, accessed subpage of our website, including transferred data volume, and the last webpage accessed in the same browser window (referrer).
We log such data, which may also constitute personal data, in log files. This data is necessary to ensure that our online presence remains permanently available, user-friendly, and reliable. Furthermore, this information is required to ensure data security – also through third parties or with the assistance of third parties.
9.3 Tracking Pixels
We may embed tracking pixels in our online presence. Tracking pixels, also known as web beacons, are typically small, invisible images or JavaScript scripts that are automatically retrieved when accessing our online presence. These tracking pixels – including those from third parties whose services we use – can capture at least the same data as log files.
We are present on social media platforms and other online platforms to communicate with interested individuals and provide information about our activities. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).
The terms and conditions, privacy policies, and other provisions of the respective platform operators also apply. These policies inform users about their rights, such as the right to access their data.
For our social media presence on Facebook, including so-called Page Insights, we – insofar as the General Data Protection Regulation (GDPR) applies – are jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta group of companies (including in the USA). Page Insights provide insights into how visitors interact with our Facebook presence. We use Page Insights to manage our social media presence on Facebook effectively and in a user-friendly manner.
Further details about the type, scope, and purpose of data processing, users' rights, and Facebook’s contact information, including its Data Protection Officer, can be found in the Facebook Privacy Policy. We have concluded the so-called "Controller Addendum" with Facebook, which, among other things, specifies that Facebook is responsible for ensuring the rights of data subjects. Information regarding Page Insights can be found on the "Page Insights Information" page, including "Information about Page Insights Data".
11. Third-Party Services
We use services from specialized third parties to ensure our activities remain permanently available, user-friendly, secure, and reliable. These services allow us to integrate functionalities and content into our website. The services we use may collect the IP addresses of users for technical reasons.
For security, statistical, and technical purposes, third parties whose services we use may process data related to our activities in an aggregated, anonymized, or pseudonymized manner. This includes performance or usage data necessary to provide the respective service.
We particularly use:
Digital Infrastructure
We use services from specialized third parties to obtain the necessary digital infrastructure for our activities. This includes, for example, hosting and storage services from selected providers.
12. Website Extensions
We use extensions on our website to enable additional functionalities. We may use selected services from suitable providers or deploy such extensions on our own digital infrastructure.
We particularly use:
We aim to measure the success and reach of our activities. In this context, we may also assess the impact of third-party referrals or test different versions of our online offerings ("A/B testing"). The insights gained allow us to fix errors, enhance popular content, and implement improvements.
For performance and reach measurement, IP addresses of individual users are typically collected. These IP addresses are generally truncated ("IP masking") to ensure pseudonymization in line with data minimization principles.
Cookies and user profiles may be used in performance and reach measurement. These profiles may include visited pages, viewed content, screen or browser window size, and approximate location. Generally, user profiles are created pseudonymously and are not used for individual identification. However, some third-party services may link online activity to a user account if the user is logged in.
We particularly use:
