Privacy Policy

Last updated: May 2026

With this privacy policy, we inform you about the processing of personal data when you visit our website, use our online services (newsletter, bookings, voucher purchases, ticketing) and when you contact us. This policy is based on the revised Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and – where applicable to you – on the EU General Data Protection Regulation (GDPR).

1. Data Controller

The controller responsible for data processing within the meaning of Art. 5 lit. j revFADP and Art. 4 no. 7 GDPR is:

KriSTALL Guttannen
c/o Hotel Bären Guttannen
CH-3864 Guttannen
Switzerland

Email: post@kristall-guttannen.ch 
UID: CHE-305.952.808

For data protection inquiries, please contact: post@kristall-guttannen.ch 

We are not required to appoint a data protection officer or advisor. Data protection inquiries are handled by the contact point listed above.

2. Definitions and Legal Bases

Personal data means any information relating to an identified or identifiable natural person.

We process personal data on the following legal bases:

  • Consent (Art. 6 para. 6 and 7 revFADP; Art. 6 para. 1 lit. a GDPR) – e.g. for non-essential cookies, the newsletter, marketing tracking.
  • Performance of a contract (Art. 31 para. 2 lit. a revFADP; Art. 6 para. 1 lit. b GDPR) – e.g. to process bookings, voucher and ticket purchases.
  • Legal obligation (Art. 31 para. 1 revFADP; Art. 6 para. 1 lit. c GDPR) – e.g. retention obligations under the Swiss Code of Obligations.
  • Overriding legitimate interest (Art. 31 para. 2 revFADP; Art. 6 para. 1 lit. f GDPR) – e.g. to ensure the operation of our website, for fraud prevention, or for direct customer communication.

3. Your Rights

You have the following rights regarding your personal data:

  • Right of access to the data concerning you
  • Rectification of inaccurate data
  • Erasure or restriction of processing
  • Objection to certain processing activities
  • Data release / portability in a commonly used electronic format
  • Withdrawal of consent given, with effect for the future
  • Lodging a complaint with the competent supervisory authority

To exercise your rights, an informal notification to the contact point named in section 1 is sufficient. We may request appropriate evidence to verify your identity.

Supervisory authorities:

4. Data Collection When Visiting Our Website

4.1 Server Log Files

When you access our website, the hosting provider automatically records technical data in so-called server log files:

  • IP address (truncated or anonymised)
  • Date and time of the request
  • Page/file accessed
  • Volume of data transferred
  • Browser type, operating system, referrer URL

This data is used exclusively to ensure smooth operation and to defend against attacks. The legal basis is our overriding legitimate interest. The logs are generally deleted automatically after 14 days, unless a specific security incident requires longer retention.

4.2 SSL/TLS Encryption

For security reasons, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the “https://” in the address bar and the padlock symbol displayed by your browser.

4.3 Cookies and Consent Management (Complianz)

Our website uses cookies and similar technologies (LocalStorage, pixels, etc.). Cookies are small text files stored on your device.

We distinguish between:

  • Strictly necessary cookies, without which the website cannot function (e.g. language setting, shopping cart, consent storage). These are set without consent.
  • Statistics, marketing, and convenience cookies, which are only set with your explicit consent.

We obtain your consent via the Complianz consent management tool. When you first visit our website, a banner appears in which you can make your selection. Your settings are stored in a strictly necessary cookie. You can revoke or change your consent at any time via the “Cookie Settings” link in the footer.

A detailed list of the cookies used, including provider, purpose and storage period, can be found here.

5. Contact Form and Email Communication

On our website, we use Gravity Forms (self-hosted on our server at cyon) for contact and inquiry forms. The data you enter (e.g. name, email address, message) is used exclusively to process your inquiry and is not passed on to third parties without your consent.

When you communicate with us by email, we process the data you provide (sender address, content) in order to respond to your inquiry.

Legal basis: Performance of a contract or pre-contractual measures, or our overriding legitimate interest in responding to your inquiry.

Storage period: Until your inquiry has been handled, then in accordance with statutory retention periods (generally 10 years for business-relevant correspondence under the Swiss Code of Obligations).

Google reCAPTCHA

To protect our forms from automated input (spam bots), we use Google reCAPTCHA from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), parent company: Google LLC, USA. reCAPTCHA checks whether input is made by a human or by an automated program. In doing so, IP address, time spent on the page, mouse movements and similar data are transmitted to Google.

Legal basis: Overriding legitimate interest in protection against misuse; where consent is required, on that basis. Further information: policies.google.com/privacy and policies.google.com/terms.

6. Newsletter (rapidmail)

For the dispatch of our newsletter, we use the service rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg im Breisgau, Germany.

Registration is carried out using a double opt-in procedure: after your registration, you will receive a confirmation email in which you must confirm the dispatch of the newsletter. This ensures that only you can register your own email address for the newsletter.

For registration, we collect your email address as well as the date, time and IP address of the registration and confirmation (proof of consent). Optionally, we collect salutation and name for personalised addressing.

We evaluate the open and click rates of our newsletters in order to improve their quality and relevance for you. rapidmail prepares the corresponding statistical analyses.

You can unsubscribe from the newsletter at any time, either via the unsubscribe link in each newsletter or by notifying us. Upon unsubscription, your consent lapses.

Legal basis: Your consent.
Data processing on our behalf: A data processing agreement is in place with rapidmail. Data is processed on servers in Germany.
rapidmail privacy policy

7. Analytics Tools and Advertising

For statistics, reach measurement and online advertising, we use the following services. All non-essential tools are activated only after your consent via our consent banner.

7.1 Google Tag Manager

We use Google Tag Manager from Google Ireland Limited for the centralised management of the tracking and analytics tools used on our website. The Tag Manager itself does not create user profiles and does not store cookies, but it loads – after your consent – the tools listed below.

7.2 Google Analytics 4 (GA4)

We use Google Analytics 4 to analyse user behaviour on our website. GA4 is event-based and uses IP anonymisation (IP truncation is performed by default by Google). This provides us with aggregated statistics on page views, time spent, device and location information (at country/region level).

Legal basis: Your consent.

7.3 Google Ads and Conversion Tracking

Our website includes Google Ads conversion tracking from Google Ireland Limited. If you reach our website via one of our Google ads, Google sets a cookie that enables us to measure the success and reach of our advertising campaigns (e.g. whether a purchase, booking or newsletter sign-up has occurred via an ad).

We only receive aggregated, non-personal statistics from Google. We cannot identify individual users.

Legal basis: Your consent.

7.4 Meta Pixel (Facebook/Instagram)

We use the Meta Pixel from Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). The pixel enables us to measure the effectiveness of our advertising on Facebook and Instagram and to reach visitors to our website for so-called custom audience marketing.

Joint Controllership: For the collection of data via the pixel and its transmission to Meta, we are jointly responsible together with Meta (Art. 26 GDPR). The essential contents of the corresponding agreement can be found at: www.facebook.com/legal/controller_addendum. The further processing of the data is then carried out by Meta alone.

Legal basis: Your consent.

Meta privacy policy: www.facebook.com/privacy/policy

8. Embedded Third-Party Content

8.1 Vimeo

We embed videos from Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA, on our website. When you access a page with an embedded video, a connection is established with Vimeo’s servers. Vimeo then learns which page you have accessed and may set a cookie on your device.

We use Vimeo videos – where technically available – in the extended data protection mode (“Do Not Track”), which according to Vimeo restricts the evaluation of your behaviour for advertising purposes.

Legal basis: Your consent via our consent banner.
Vimeo privacy policy: vimeo.com/privacy

8.2 SBB Timetable Widget

To display current connection information, we embed the timetable widget of Swiss Federal Railways SBB (Hilfikerstrasse 1, 3000 Bern 65, Switzerland). When accessed, technical data (IP address, browser information) is transmitted to SBB. Processing is carried out under Swiss law.

Legal basis: Overriding legitimate interest in providing practical travel information; where consent is required, on that basis.
SBB privacy policy: www.sbb.ch/en/data-protection

8.3 Links to Google Maps

We do not actively embed Google Maps on our website; we only link to Google’s map or route planning pages. Data is only transmitted to Google when you click such a link. Google’s data protection terms then apply: policies.google.com/privacy

9. Booking, Voucher and Ticketing System (e-guma)

For the online sale of vouchers and tickets, as well as for processing bookings, we use the platform of e-guma AG, Industriestrasse 25, 3178 Bösingen, Switzerland.

When making a booking or purchase, the data required for contract performance (name, contact details, order details, payment data) is processed on e-guma’s servers in Switzerland. The e-guma privacy policy also applies to data processing within the e-guma system: www.e-guma.ch/datenschutz

Legal basis: Performance of a contract as well as statutory retention obligations.
Storage period: Booking and invoice data is retained within the framework of legal obligations (10 years under the Swiss Code of Obligations).

10. Payment Processing (Worldline)

Card payment processing on-site and in online sales is handled by Worldline Schweiz AG, Hardturmstrasse 201, 8005 Zurich, Switzerland. Worldline is independently responsible for the processing of payment data as a separate data controller.

We only receive the information necessary for our accounting (e.g. transaction confirmation, last four digits of the card number). Complete card data is not stored on our systems.

Legal basis: Performance of a contract and legal obligations.
Worldline privacy policy

11. Application Data

We welcome applications for advertised positions as well as unsolicited applications, in particular from individuals who can imagine guiding tours with us or contributing in another way.

Which Data We Process

In the course of the application procedure, we process the data you voluntarily provide, in particular:

  • Basic personal details (last name, first name, address, date of birth where applicable)
  • Contact details (email, telephone number)
  • Application documents (cover letter, curriculum vitae, certificates, diplomas, references, work samples)
  • Information on qualifications, language skills and professional experience
  • Photo, if you include one
  • Other information voluntarily provided by you

If your application voluntarily contains sensitive personal data (e.g. health information, religious or philosophical beliefs, trade union membership), we process this exclusively in connection with your application. We ask you to provide such information only to the extent that it is relevant to the activity in question.

Purpose and Legal Basis

We process your application data to assess your suitability for the advertised position or – in the case of unsolicited applications – for any future positions that may be suitable, as well as to conduct the application procedure.

Legal basis: Pre-contractual measures (Art. 31 para. 2 lit. a revFADP; Art. 6 para. 1 lit. b GDPR); for sensitive data, additionally your implied consent through submitting the application (Art. 6 para. 7 revFADP; Art. 9 para. 2 lit. a GDPR).

Transmission Channel

You can send us your applications by email. Please note that unencrypted email transmission is not consistently secured end-to-end. For sensitive content, we recommend that you contact us beforehand so that we can suggest a protected transmission channel.

Recipients of the Data

Within KriSTALL Guttannen, only those persons involved in the selection and decision-making process have access to your application data. Data is not passed on to third parties unless you have expressly consented to this.

Storage Period

In the case of a successful application, the data is transferred to your personnel file and stored for the duration of the employment or contractual relationship as well as in accordance with statutory retention obligations thereafter.

In the case of rejection or withdrawal of the application, we delete or destroy the documents no later than 6 months after conclusion of the procedure, unless you expressly consent to longer storage (e.g. for inclusion in a talent pool).

For unsolicited applications, we retain the documents for a maximum of 12 months in order to be able to contact you on suitable occasions. You may object to further storage at any time by informal notification; we will then delete the data without delay.

Your Rights

The rights listed in section 3 (in particular access, rectification, erasure, objection and withdrawal) apply in full to application data as well.

12. Data Processors / Overview of Service Providers Used

The following service providers process personal data on our behalf. Where required, a data processing agreement (DPA) has been concluded with each of them:

  • cyon GmbH, Brunngässlein 12, 4052 Basel | Web hosting, email | Switzerland
  • rapidmail GmbH, Freiburg i.Br. | Newsletter dispatch | Germany (EU)
  • e-guma AG, Bösingen | Booking, voucher and ticketing platform | Switzerland
  • Worldline Schweiz AG, Zurich | Payment processing | Switzerland / EU
  • Microsoft Corporation (Microsoft 365) | Internal office communication, email | EU/EEA (with possible access from the USA)
  • Google Ireland Limited / Google LLC | Tag Manager, Analytics, Ads, reCAPTCHA | EU / USA
  • Meta Platforms Ireland Ltd. | Facebook/Instagram pixel | EU / USA
  • Vimeo, Inc. | Embedded videos | USA

For Gravity Forms (self-hosted WordPress plugin), no data is transmitted to third parties; the data remains on our hosting at cyon.

13. International Data Transfers

Where we transfer personal data to service providers outside Switzerland or the EEA (in particular to the USA: Google, Meta, Vimeo, and where applicable Microsoft), this takes place on one of the following bases:

  • Adequacy decision for the USA (EU-US Data Privacy Framework as well as the Swiss-US Data Privacy Framework recognised by the Swiss Federal Council, in force since 15 September 2024) for certified recipients;
  • Standard Contractual Clauses of the European Commission, supplemented by Swiss adaptations, where no adequacy decision applies;
  • Your explicit consent as part of our consent banner.

We point out that, in particular for data transfers to the USA, US authorities may under certain conditions demand access to data, and that the enforcement of rights may be difficult for data subjects.

14. Storage Period

We process personal data only for as long as is necessary for the respective purpose or required by statutory retention obligations. In particular:

  • Accounting and business records: 10 years (Art. 958f Swiss Code of Obligations)
  • Server log files: 14 days
  • Newsletter data: until withdrawal of consent
  • Inquiries via contact form / email: until completion, then in accordance with statutory periods
  • Cookies: according to the individual cookie lifetime (see consent banner)

15. Data Security

We take appropriate technical and organisational measures to protect your data against unauthorised access, loss, misuse or destruction. This includes in particular SSL/TLS encryption, access controls, regular backups, and the use of current software versions. However, absolute security of data transmission over the internet cannot be guaranteed.

16. No Automated Individual Decision-Making

We do not use automated procedures for individual decision-making that produce legal effects concerning you or significantly affect you.

17. Changes to This Privacy Policy

We reserve the right to amend this privacy policy in order to adapt it to changes in the legal situation or to changes in our services. The applicable version is always the one published on this website.