Data privacy statement

This privacy policy was created and published by Andermatt Sedrun Disentis Marketing AG, Oberalppass, Berggasthaus Piz Calmot, 6490 Andermatt, Switzerland, registered in the Commercial Register of the Canton of Uri under the number CHE-413.104.183. Andermatt Sedrun Disentis Marketing AG is the marketer of the Andermatt+Sedrun+Disentis destination and its two service providers, Andermatt-Sedrun Sport AG and Bergbahnen Disentis AG. 

Andermatt Sedrun Disentis Marketing AG is legally responsible for the collection, processing, and use of your personal data and for lawful data processing on this website. Personal data includes all information relating to an identified or identifiable natural person. This includes details that allow conclusions to be drawn about your identity (e.g., name, postal address, email address, and telephone numbers).

Your trust is important to us, which is why we take data protection seriously and ensure appropriate security measures. We naturally comply with the legal provisions of the Swiss Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (OFADP), the Telecommunications Act (TCA), and other applicable data protection provisions of Swiss or EU law, in particular the General Data Protection Regulation (GDPR).
To ensure that you know what personal data we collect from you and for what purposes we use it, please read the following information. Please note that the following information may be reviewed and amended from time to time. We therefore recommend that you regularly review this privacy policy. Furthermore, for certain data processing operations listed below, other companies are legally responsible for data protection or jointly responsible with us, so in these cases the information provided by these providers is also decisive.

Contact details of the data controller and the EU representative

If you have questions about data protection or wish to exercise your rights, please contact our data protection officer:

Andermatt Sedrun Disentis Marketing AG, c/o Andermatt-Sedrun Sport AG, Oberalppass, Berggasthaus Piz Calmot, 6490 Andermatt

Phone: +41 58 200 68 68
Email: info@asd-marketing.ch

Our EU representative pursuant to Art. 27 GDPR is:

MLL EU-GDPR GmbH, Ganghoferstrasse 33, DE - 80339 Munich

andermattswissalpsag(at)mll-gdpr.com

A. Data processing on the websites

1. Accessing our websites (including associated microsites)

In order to establish a connection to our websites or any microsites, your browser transmits certain data to the servers of our hosting provider, which temporarily records each access in a log file. The following data is collected automatically without your intervention and stored until automatic deletion:

  • IP address of the requesting device,
  • Name of the owner of the IP address range,
  • Date and time of your request,
  • Type of your operating system,
  • Name and URL of the requested data,
  • The website from which our domain was accessed,
  • Country from which access to our websites occurs,
  • Status code,
  • Browser used,
  • Transmission protocol used

The collection and processing of this data is intended to enable the use of our websites, ensure system security and stability, optimize our online offerings, and for internal statistical purposes.

The IP address is also evaluated together with other data in case of attacks on the network infrastructure or other unauthorized or abusive use of the website for clarification and defense, and may be used in criminal proceedings to identify and take civil and criminal action against the respective users.

For the above-described purposes, our legitimate interest in data processing exists pursuant to Art. 6(1)(f) GDPR.

2. Contact via telephone or email

On various parts of our websites, you have the option to contact us by telephone or email, for example to ask questions about website functionalities, bookings, or services.

We only collect the data that you disclose to us. Consequently, you are responsible for the content of your message and decide which information you provide. We recommend that you do not send sensitive information. To answer your questions, we may ask you to provide additional information (e.g., your address, email address, etc.). We will only collect the data necessary to respond to your inquiries or provide the services you requested.

In processing your inquiry, our legitimate interest exists pursuant to Art. 6(1)(f) GDPR.

3. Opening a customer account

To make bookings on our websites, you can book as a guest or create a customer account. When registering for a customer account, we collect the following data. Mandatory fields are marked with an asterisk (*):

  • Salutation
  • First and last name*
  • Postal address
  • Country
  • Date of birth
  • Phone number
  • Email address*
  • Password*
  • Language

The collection of this data, as well as any additional data you voluntarily provide, is intended to provide you with password-protected access to your stored basic data. You can view past and current bookings or manage and update your personal information. You can also request complete deletion of the customer account.

The legal basis for processing this data for this purpose is your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time with future effect.

5. Booking on our websites, via correspondence, or by telephone

If you make bookings via our websites, through correspondence (email or postal mail), or by telephone, we require personal data from you to process the contract. Depending on the order and product, the necessary data may vary. Possible mandatory fields are marked with an asterisk (*):

  • Salutation*
  • First and last name*
  • Date of birth*
  • Postal address*
  • Phone number*
  • Language*
  • Payment method*
  • Email address*
  • Password*

This data, along with any additional information you voluntarily provide (e.g., expected arrival time, vehicle license plate, preferences, remarks), will only be used to process the contract, unless otherwise stated in this privacy policy or unless you have given separate consent. We will process the data by name to record your booking as requested, provide the booked services, contact you in case of issues or questions, and ensure correct payment.

If necessary, personal data may be shared with companies involved in processing this contract, e.g., service providers such as hotels or financial institutions for payment processing.

The legal basis for processing this data for this purpose is the fulfillment of a contract pursuant to Art. 6(1)(b) GDPR.

6. Purchasing products or vouchers

If you purchase products or order vouchers via our websites, we require the following data to process the contract. Mandatory fields are marked with an asterisk (*):

  • Salutation
  • First and last name*
  • Date of birth*
  • Company
  • Postal address*
  • Country
  • Phone number
  • Payment method*
  • Email address*
  • Shipping method*
  • Billing address

This data, along with any additional information you voluntarily provide, will only be used to process the contract, unless otherwise stated in this privacy policy or unless you have given separate consent. We will process the data by name to record your order as requested, deliver the purchased products or vouchers, contact you in case of issues or questions, and ensure correct payment.

If necessary, personal data may be shared with companies involved in processing this contract, e.g., service providers such as hotels or financial institutions for payment processing.

On our websites, we link to a voucher shop operated by E-Guma. E-Guma is operated by Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland. The information you provide when purchasing vouchers is used for contact, execution, and fulfillment of the contractual service, as well as to comply with related legal obligations. Payment service providers assist us in processing purchases.

The legal basis for processing this data for this purpose is the fulfillment of a contract pursuant to Art. 6(1)(b) GDPR.

7. Ticket purchases

If you purchase tickets via our websites (e.g., for events, mountain lifts, etc.), we require the following data to process the contract. Mandatory fields are marked with an asterisk (*):

  • Ticket type*
  • Ticket holder (postal address, email, phone number)*
  • Ticket category*
  • Date of birth*
  • Date*
  • Billing address*
  • Payment method*

This data, along with any additional information you voluntarily provide, will only be used to process the contract, unless otherwise stated in this privacy policy or unless you have given separate consent. We will process the data by name to record your order as requested, deliver the purchased tickets, contact you in case of issues or questions, and ensure correct payment.

If necessary, personal data may be shared with companies involved in processing this contract, e.g., service providers such as hotels or financial institutions for payment processing.

The legal basis for processing this data for this purpose is the fulfillment of a contract pursuant to Art. 6(1)(b) GDPR.

8. Registration of a user account

On our websites, such as www.andermatt-sedrun-disentis.ch, you can create a user account. When registering for a user account, we collect the following data. Mandatory fields are marked with an asterisk (*):

  • First and last name*
  • Email address*
  • Password*
  • I would like to receive regular news
  • I accept the Terms of Use and Privacy Policy*

The collection of this data, as well as any additional data you voluntarily provide, is intended to provide you with password-protected access to your stored basic data. You can view your past and current purchases or manage and update your personal information. You can also request complete deletion of the user account.

The legal basis for processing this data for this purpose is your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time with future effect.

B. Data processing outside the websites

1. General

Andermatt Sedrun Disentis Marketing AG also collects personal data from you outside of the website. This may occur, for example, if you contact us via email or telephone independently of the website, and we need to record data to process your inquiries and get in touch with you.

Personal data is also collected by Andermatt Sedrun Disentis Marketing AG when you register on-site for events or book accommodation. The same types of data are generally collected as when booking on the website.

The legal basis for processing this data is the fulfillment of your contact requests, constituting a legitimate interest pursuant to Art. 6(1)(f) GDPR, or the fulfillment of a contract pursuant to Art. 6(1)(b) GDPR.

For third-party services, Andermatt Sedrun Disentis Marketing AG acts solely as an intermediary and makes bookings on behalf of the service providers. Data is forwarded to the selected service providers for booking purposes, who are responsible for further data processing under data protection law. For more information on how these providers handle personal data, please consult the privacy policy of the respective service provider.

2. Data processing to fulfill legal reporting obligations

Upon arrival at our accommodations, we may require the following information from you and your accompanying persons. Mandatory fields are marked with an asterisk (*):

  • First and last name*
  • Postal address*
  • Date of birth*
  • Place of birth / hometown
  • Nationality*
  • Official ID*
  • Check-in and check-out dates*
  • Vehicle license plate
  • Name of accommodation*

This information is collected to comply with legal reporting obligations, particularly arising from hospitality or police regulations. If required by applicable law, we forward this information to the competent police authority.

The processing of this data is based on a legal obligation pursuant to Art. 6(1)(c) GDPR.

3. Recording of used services

If you use additional services during your stay (e.g., wellness, restaurant, activities), the service and the time of use are recorded by us for billing purposes.

The processing of this data is necessary for contract fulfillment with us pursuant to Art. 6(1)(b) GDPR.

4. Storage of your personal data in a central database of Andermatt Sedrun Disentis Marketing AG

The personal data mentioned in this privacy policy is centrally stored and processed by Andermatt Sedrun Disentis Marketing AG. The data is stored in a central electronic data processing system (CRM). Your data is systematically recorded, linked, and analyzed to process inquiries and manage services (e.g., to offer personalized services or product information, to improve products and services, etc.). User profiles may be created based on this data. Data may also be enriched with publicly available information (e.g., from the press or internet). For this, we use the software Azure by Microsoft, South County Business Park, Leopardstown, Dublin 18, Ireland, as well as Braze, 330 West 34th Street, 18th Floor, New York, NY 10001 USA, by Alturos Destinations Lakeside, B03, 9020 Klagenfurt, Austria, and Salesforce, Salesforce UK Limited, Village 9, Floor 26, Salesforce Tower, 110 Bishopsgate, London, UK, EC2N 4AY. The processing of this data through the software is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR in customer-friendly and efficient data management, as well as on contractual measures pursuant to Art. 6(1)(b) GDPR.

If you have consented to the processing of your personal data for advertising purposes, we may also use the collected data for marketing. This consent constitutes the legal basis for processing under Art. 6(1)(a) GDPR. You can withdraw your consent at any time with future effect.

5. Use of our apps

In addition to our online services, we provide a mobile app that you can download to your device. When downloading the MountainAccess app, the necessary information is transmitted to the app store, including username, email address, account number, download time, device IMEI, mobile number (MSISDN), MAC address for Wi-Fi use, and IMSI. We have no influence over this data collection and are not responsible for it. We process this data only to enable app downloads and do not store it further.

If you log in via the app or place orders, we collect the following additional personal data to enable these services. Mandatory fields are marked with an asterisk (*):

  • First and last name
  • Address
  • Phone number (if applicable)
  • Email*
  • Username*
  • Customer number
  • Password*
  • Date of birth

The legal basis for processing this data is the fulfillment of a contract pursuant to Art. 6(1)(b) GDPR or your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with future effect.

At the beginning of app use, the apps request the following access rights for the purposes indicated:

  • Location data (via GPS and anonymized IP address): To receive personalized location-based messages
  • Camera: To scan barcodes for reserving services/items or obtaining related information
  • Photos/Media/Files: Related to the use of the camera for barcode scanning
  • Device ID and call information: Used by app stores for statistics
  • Fingerprint/Biometric information: For convenient login and purchase via fingerprint or facial recognition
  • App history

If you deny this, the app will not use these data, but the corresponding functions cannot be used. You can grant or revoke access later in the app settings. Data is transmitted to our servers only as necessary to provide functionality and is treated confidentially and deleted when no longer required or legal retention obligations do not exist.

This consent constitutes the legal basis for processing under Art. 6(1)(a) GDPR and can be revoked at any time with future effect.

If necessary, personal data may be shared with companies involved in providing services, e.g., service providers such as hotels or credit card institutions for payment processing.

6. Push notifications

If you have consented, Andermatt Sedrun Disentis Marketing AG can send notifications to your device (e.g., smartphone, tablet). The MountainAccess app uses push notifications to inform you about topics related to the Andermatt+Sedrun+Disentis destination (e.g., products, promotions, contests) and partner offers. Your data is not shared with these partners.

If enabled, we also use location data from your device. Location information is used to track movements and send notifications. Within a defined "Geo Fence" near the destination, push notifications alert you to current offers.

You can configure push notification settings at any time via your operating system or within the MountainAccess app under "Settings."

This consent constitutes the legal basis for processing under Art. 6(1)(a) GDPR and can be revoked at any time with future effect.

7. Booking platforms

If you make bookings through third-party platforms, we receive various personal information from the platform operator, generally including the data listed in this privacy policy related to the booking. Additionally, inquiries regarding your booking may be forwarded to us. This data is processed to record your booking as requested and provide the booked services. The legal basis for this processing is the fulfillment of a contract pursuant to Art. 6(1)(b) GDPR.

We may also receive information from platform operators regarding disputes related to bookings. This may include booking-related data, such as a copy of the booking confirmation. We process this data to protect and enforce our rights, constituting a legitimate interest pursuant to Art. 6(1)(f) GDPR.

Please also review the privacy information of the respective booking platform.

C. Tools and tracking technologies

1. Cookies

Cookies help make your visit to our website easier, more enjoyable, and more meaningful in many ways. Cookies are information files automatically stored on your device's hard drive by your web browser when you visit our website.

We use cookies, for example, to temporarily save your selected services and entries when filling out a form on the website, so that you do not have to repeat the input when navigating to another page. Cookies may also be used to identify you as a registered user after registration without requiring you to log in again on another page.

Most internet browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a notification appears whenever a new cookie is received. The following links provide instructions on how to manage cookie processing in the most common browsers:

Disabling cookies may prevent you from using all functions of our website.

2. Tracking tools

a. Google Analytics

We use Google Analytics, a web analytics service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA ("Google"). Google Analytics uses methods that allow an analysis of website usage, such as cookies. Information generated by the cookie about your use of our website, such as

  • Navigation path taken by a visitor on the website,
  • Time spent on the website or individual pages,
  • The page from which the website is exited,
  • Country, region, or city of access,
  • Device (type, version, color depth, resolution, browser window size),
  • Returning or new visitor,
  • Browser type/version,
  • Operating system used,
  • Referrer URL (previously visited website),
  • Hostname of the accessing computer (IP address), and
  • Time of the server request,

is generally transmitted to a Google server in the USA and stored there. IP anonymization ("anonymizeIP") is enabled on this website to shorten the IP address before transmission within the EU or other states of the European Economic Area or Switzerland. The masked IP address transmitted by your browser to Google is not combined with other data from Google. Only in exceptional cases is the full IP address transmitted to a Google server in the USA, where it is shortened. In these cases, we ensure through contractual guarantees that Google maintains an adequate level of data protection.

The information is used to evaluate website usage, compile reports about website activities, and provide additional services related to website usage and internet usage for market research and optimal website design. The data may also be transmitted to third parties if required by law or processed by third parties on our behalf.

The legal basis for processing this data is your consent pursuant to Art. 6(1)(a) GDPR, which you may revoke at any time with future effect.

Users can prevent the collection of data generated by the cookie and related to their website usage (including the IP address) by Google and the processing of these data by installing the browser plugin available at: tools.google.com/dlpage/gaoptout

Further information about Google and how Google processes data can be found here.

b. Google Tag Manager

We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA ("Google"). Google Tag Manager allows marketers to manage website tags via an interface. Tag Manager itself is a cookie-free domain and does not collect personal data. It triggers other tags that may collect personal data, but Google Tag Manager does not access this data. Any deactivation at domain or cookie level persists for all tracking tags implemented via Google Tag Manager. You can prevent tag placement at any time.

The legal basis for processing these data is our legitimate interest pursuant to Art. 6(1)(f) GDPR.

c. Google Ads Remarketing

We use Google Ads Remarketing, an online advertising program by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA ("Google"). Using the remarketing function, we can display interest-based ads to website users via cookies. User interactions on our website are analyzed to show targeted ads on other sites based on interests. Cookies uniquely identify a web browser but not a person. According to Google, no personal data is stored.

The legal basis for processing this data is your consent pursuant to Art. 6(1)(a) GDPR, which can be revoked at any time with future effect.

You can disable Google cookies via the following link and download the provided plugin: tools.google.com/dlpage/gaoptout.

Further information about Google and how Google processes data can be found here.

d. Google Ads Conversion Tracking

We use Google Ads from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA ("Google"). Google Ads allows advertisers to display ads in Google search results and across the Google advertising network. Ads are triggered based on predefined keywords to show relevant results. Conversion cookies track whether specific pages on our site were visited and whether revenue was generated. These cookies expire after 30 days and do not identify individuals.

The legal basis for processing this data is your consent pursuant to Art. 6(1)(a) GDPR, which can be revoked at any time with future effect.

You can disable Google cookies via the following link and download the provided plugin: tools.google.com/dlpage/gaoptout.

Further information about Google and how Google processes data can be found here.

e. Facebook Pixel

We use the "Facebook Pixel" from Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, or Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. The Facebook Pixel allows Facebook to identify website visitors as target audiences for ads ("Facebook Ads"). We use it to show ads only to users who have shown interest in our website or match certain characteristics (e.g., interests in topics/products inferred from visited pages) transferred to Facebook ("Custom Audiences").

The pixel also ensures that ads match potential user interests and are not intrusive. It allows tracking ad effectiveness for statistical and market research purposes (conversion tracking). Data collected by Facebook is anonymized for us, but Facebook may link it to user profiles for its own purposes.

If data is transmitted to Facebook for matching purposes, it is encrypted in the browser and sent via secure HTTPS connection to Facebook.

We also use the "Advanced Matching" feature to create target groups (Custom Audiences or Lookalike Audiences) using encrypted data.

Data processing by Facebook follows Facebook's privacy policy. More details on the Facebook Pixel can be found in Facebook's help section.

You can opt out of Facebook Pixel tracking and use of your data for Facebook Ads. Settings for interest-based ads can be configured via Facebook. Cookie-based ad tracking can also be disabled via: www.aboutads.info/choices and www.youronlinechoices.com/uk/your-ad-choices/.

The legal basis for this data processing is your consent under Art. 6(1)(a) GDPR, which can be revoked at any time with future effect.

f. Tracking with fusedeck

This Website uses “fusedeck”, a tracking solution provided by cptr AG (hereinafter referred to as “cptr”). cptr is a Swiss company having its registered office in Zurich which, on behalf of its customers, measures website usage in the context of engagements and events. Tracking is anonymous so that it is impossible to attribute any information gained to any identified or identifiable persons.

For more information on data protection and the rights which data subjects have in connection with “fusedeck”, including their right to “opt out” (right to object), please refer to the Privacy Policy and the Information on the Right to Object.

D. Additional information

1. Retention period

We store personal data only as long as necessary to perform the processing described in this privacy statement within the scope of our legitimate interest. Contract-related data is stored according to legal retention requirements, which include accounting and tax regulations. Business communication, concluded contracts, and booking records must be kept for up to 10 years. Once these data are no longer needed for providing our services, they are blocked, meaning they may only be used for compliance with retention obligations or the enforcement of legal interests. Data is deleted when no retention obligation or legitimate interest remains.

2. Disclosure of data to third parties

We only share your personal data if you have explicitly consented, if required by law, or if necessary to enforce our rights, particularly under contractual claims. We may also transmit your data to affiliated companies (see above). Data may be shared with third parties as required for website, app, or service use, contractual processing, or by law (e.g., law enforcement requests) or to enforce claims under contractual relationships (e.g., debt collection). Third-party use is strictly limited to the stated purposes.

Several third-party providers are explicitly mentioned in this privacy statement. Another provider with access to personal data is the website host, Alturos Destinations Lakeside B03, 9020 Klagenfurt, Austria. The servers are located in: [Switzerland]. The legal basis for this processing is our legitimate interest under Art. 6(1)(f) GDPR.

Credit card information is transmitted to your card issuer and the acquiring bank during payment on the website. Mandatory information will be requested for credit card payments. The legal basis for sharing data is the performance of a contract under Art. 6(1)(b) GDPR.

4. Transfer of personal data abroad

We are authorized to transfer personal data to third-party companies abroad, including group companies, if necessary for processing purposes. Legal requirements for transferring personal data to third parties are observed, and these parties are bound to comply with data protection obligations. If the data protection level in a country does not meet Swiss or EU standards, we ensure contractual safeguards to maintain equivalent protection.

5. Note on data transfer to the USA

Some third-party providers mentioned in this privacy statement are based in the USA. For users in Switzerland, it is noted that U.S. authorities may monitor data stored in the USA, including personal data transferred from Switzerland or the EU, without differentiation, restriction, or limitation. No legal remedies in the USA allow access, correction, or deletion of these data for EU/Swiss users. We highlight this so users can make informed consent decisions. Transfers to U.S. recipients like Google are secured by contractual and additional safeguards to ensure adequate data protection.

6. Data security

We use appropriate technical and organizational measures to protect personal data from manipulation, partial or complete loss, and unauthorized access. Security measures are continuously updated according to technological developments.

You should keep your access credentials confidential and close the browser window after communication, especially when sharing a computer with others.

Internal data protection is taken seriously. Our employees and service providers are bound to confidentiality and compliance with data protection regulations.

7. Your rights

You may object to data processing at any time. You also have the following rights:

  • Right of access: You may request free access to your personal data that we process, allowing you to verify which personal data we hold about you and ensure it is used according to data protection laws.
  • Right to correction: You have the right to correct inaccurate or incomplete personal data and to be informed about the correction. We will inform recipients of the corrected data unless impossible or disproportionate.
  • Right to deletion: You may request deletion of personal data under certain circumstances. This right may be excluded in specific cases.
  • Right to restrict processing: Under certain conditions, you may request limitation of the processing of your personal data.
  • Right to data portability: Users outside Switzerland may request their personal data in a readable format free of charge.
  • Right to complain: You may file a complaint with a competent supervisory authority regarding data processing.
  • Right to withdraw consent: You may withdraw consent at any time for future processing. Past processing based on consent remains lawful.

You can exercise your rights via email at info@asd-marketing.ch. We may request proof of identity at our discretion.

8. Minors

We do not intend to collect personal data from minors, but we cannot always verify the age of users accessing our websites/apps. If a minor provides data without parental consent, we request parents/guardians to contact us to delete the data and prevent future marketing material from being sent.

As of August 2022