Privacy Policy

As of August 2023

A. Principle
This privacy policy informs you about the type, scope, and purpose of the collection and use of personal data on the website www.kartause.ch and provides information about your rights.

The entity responsible for data processing and privacy matters on this website is:
Stiftung Kartause Ittingen
8532 Warth
Switzerland
Email datenschutz@kartause.ch
Phone +41 52 748 44 11

We respect your privacy and protect your personal data in accordance with the legal provisions of the Swiss Federal Act on Data Protection (FADP), its implementing regulations in the Ordinance to the FADP (DPO), and other applicable data protection laws of Swiss or EU law, particularly the General Data Protection Regulation (GDPR).

1. What are personal data?
Personal data are all information relating to an identified or identifiable person. This includes, in addition to contact details such as name, telephone number, address, and email address, as well as other information, potentially also the IP address we record when you visit our website.

2. How do we collect your data?
On the one hand, we collect your data when you provide them to us, for example, when you use our contact form, make a booking/reservation, apply for a job with us, or shop in our store. Other data are automatically collected by our IT systems when you visit the website. These are primarily technical data.

B. Data Processing in Connection with Our Website 
1. Visiting Our Website
When you visit our website, our servers temporarily store each access in a log file. The following technical data are collected automatically, as is generally the case with any connection to a web server, without your intervention and stored until automatic deletion:

  • the IP address of the requesting computer,

  • the name of the owner of the IP address range (usually your internet access provider),

  • the date and time of access,

  • the website from which access occurred (referrer URL), possibly including the search term used,

  • the name and URL of the retrieved file,

  • the status code (e.g., error message),

  • your computer’s operating system,

  • the browser you are using (type, version, and language),

  • the transmission protocol used (e.g., HTTP/1.1), and

  • possibly your username from a registration/authentication.

The collection and processing of this data serve the purpose of enabling the use of our website (establishing a connection), ensuring long-term system security and stability, enabling optimization of our internet offerings, and for internal statistical purposes. This constitutes our legitimate interest in data processing under Art. 6(1)(f) GDPR.

The IP address is also evaluated together with other data in the event of attacks on the network infrastructure or other unauthorized or abusive use of the website for investigation and defense, and may be used in the context of criminal proceedings to identify and pursue civil or criminal action against the relevant users. This constitutes our legitimate interest in data processing under Art. 6(1)(f) GDPR.

2. Use of Our Contact Form
You have the option to use a contact form to get in touch with us. For this, we require the following mandatory information:

  • First and last name

  • Phone number

  • Email address

  • Message

We use this data to respond to your contact request as effectively and personally as possible. Processing this data is therefore necessary under Art. 6(1)(b) GDPR for the performance of pre-contractual measures or falls within our legitimate interest under Art. 6(1)(f) GDPR.

3. Subscription to Our Newsletter
On our website, you have the option to subscribe to our newsletter. Registration is required for this. The following data must be provided during registration:

  • Title

  • First and last name

  • Email address

The above data is necessary for data processing. In addition, you can voluntarily provide further data (company, address, postcode, town). We process this data exclusively to personalise the information and offers sent to you and to better tailor them to your interests.

By registering, you give us your consent to process the data provided for the regular dispatch of the newsletter to the address you have provided and for the statistical evaluation of usage behaviour and the optimisation of the newsletter. This consent constitutes our legal basis for processing your email address within the meaning of Art. 6(1)(a) GDPR. We are entitled to commission third parties with the technical implementation of advertising measures and are entitled to pass on your data for this purpose (see section 13 below).

At the end of each newsletter, there is a link that you can use to unsubscribe from the newsletter at any time. When unsubscribing, you can voluntarily tell us the reason for unsubscribing. After unsubscribing, your personal data will be deleted. Further processing will only take place in anonymised form for the purpose of optimising our newsletter.

4. Hotel bookings
If you make bookings via our website, by correspondence (e-mail or post) or by telephone, we require the following information in order to process the contract:

  • Title

  • First and last name

  • Postal address

  • Country

  • Credit card information

  • Email address

Additional data protection provisions from Hotelnetsolutions can be found at https://hotelnetsolutions.de/datenschutz/.

5. Table reservations

If you make table reservations either via our website, by correspondence (e-mail or post) or by telephone, we require the following information to process your reservation:

  • First and last name

  • Email address

  • Telephone

Your details (verbal or written) regarding individual requests concerning menus, intolerances or personal diets will be recorded by us in the reservation system. If you do not wish this, please let us know when making your reservation.

Additional data protection provisions from Aleno can be found at https://www.aleno.me/de/policy#Dataprivacy.

6. Shop

All offers are only valid in Switzerland and the Principality of Liechtenstein.
If you make purchases via our website, by correspondence (e-mail or post) or by telephone, we require the following information in order to process the contract:

Billing address with

  • Title

  • First name and surname

  • Postal address

  • Credit card information

  • Email address

Delivery address with

  • Title

  • First and last name

  • Postal address

Additional data protection provisions from Shopify can be found at https://www.shopify.com/de/legal/datenschutz.

7. Vouchers

If you purchase vouchers either via our website, by correspondence (e-mail or post) or by telephone, we require the following data to process the contract:

  • Title

  • First and last name

  • Postal address

  • Country

  • Credit card information or billing address

  • Email address

Additional data protection provisions from E-Guma can be found at https://shop.e-guma.ch/kartause-ittingen/de/privacypolicy.

8. Ticketing

If you purchase tickets either via our website, by correspondence (e-mail or post) or by telephone, we require the following data to process the contract:

  • Title

  • First and last name

  • Postal address

  • Country

  • Credit card information

  • Email address

Additional data protection provisions from E-Guma can be found at https://shop.e-guma.ch/kartause-ittingen/de/privacypolicy.

9. Donations

If you make a donation to us either via our website, by correspondence (e-mail or post) or by telephone, we require the following information to process your donation:

  • Title

  • First and last name

  • Postal address

  • Credit card information

  • Email address

We will only use the data for hotel bookings, table reservations, shop, vouchers, ticketing and donations, as well as other information you have voluntarily provided, for the purpose of processing the contract, unless otherwise stated in this privacy policy or you have given your separate consent. We will process the data by name in order to record your booking as requested, to provide the booked services, to contact you in case of uncertainties or problems, and to ensure correct payment.

The legal basis for data processing for this purpose is the fulfilment of a contract in accordance with Art. 6 (1) (b) GDPR.

10. Jobs - job applications

If you apply for a job, you do so via our job portal. Please refer to the special privacy policy for this. For correspondence in connection with job vacancies or applications (e-mail or letter) or by telephone call, we require the following data for processing:

  • First and last name

  • Postal address

  • Telephone number

  • Email address

We would like to point out that data transmission via email may have security gaps. It is not possible to completely protect data from access by third parties via email.

11. Cookies

Cookies help in many ways to make your visit to our website easier, more enjoyable and more meaningful. Cookies are information files that your web browser automatically stores on your computer's hard drive when you visit our website.

We use cookies, for example, to temporarily store your selected services and entries when filling out a form on the website so that you do not have to repeat the entry when calling up another subpage. Cookies may also be used to identify you as a registered user after you have registered on the website, so that you do not have to log in again when calling up another subpage.

Most internet browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears when you receive a new cookie. Deactivating cookies may mean that you cannot use all the functions of our website.

12. Tracking tools

a. General information

We use the web analysis service provided by Google Analytics for the purpose of designing our website in line with user requirements and continuously optimising it. In this context, pseudonymised usage profiles are created and small text files stored on your computer (‘cookies’) are used. The information generated by the cookie about your use of this website is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed in section 1, we may also receive the following information:

  • Navigation path taken by a visitor on the site,

  • length of stay on the website or subpage,

  • the subpage from which the website is left,

  • the country, region or city from which access is made,

  • terminal device (type, version, colour depth, resolution, width and height of the browser window) and

  • returning or new visitor.

The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage for the purposes of market research and the design of this website in line with requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the website operator.

b. Google Analytics

Google Analytics is provided by Google Inc., a company belonging to the holding company Alphabet Inc, based in the USA. Before the data is transmitted to the provider, the IP address is truncated by activating IP anonymisation (‘anonymizeIP’) on this website within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area. The anonymised IP address transmitted by your browser within the scope of Google Analytics is not merged with other Google data. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. In these cases, we ensure through contractual guarantees that Google Inc. maintains a sufficient level of data protection. According to Google Inc., the IP address will never be associated with other data relating to the user.

Further information about the web analysis service used can be found on the Google Analytics website. Instructions on how to prevent the web analysis service from processing your data can be found at http://tools.google.com/dlpage/gaoptout?hl=de.

c. Facebook plugins (Like button)

Plugins from the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA, are integrated into our pages. You can recognise the Facebook plugins by the Facebook logo or the ‘Like’ button on our page. An overview of the Facebook plugins can be found here: https://developers.facebook.com/docs/plugins. When you visit our pages, the plugin establishes a direct connection between your browser and the Facebook server. This tells Facebook that you have visited our site with your IP address. If you click the Facebook ‘Like’ button while you are logged into your Facebook account, you can link the content of our pages to your Facebook profile. This allows Facebook to associate your visit to our pages with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by Facebook. For more information, please see Facebook's privacy policy at https://www.facebook.com/about/privacy. If you do not want Facebook to be able to assign your visit to our pages to your Facebook user account, please log out of your Facebook user account.

d. Instagram plugins

Our pages incorporate functions of the Instagram service. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate your visit to our pages with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by Instagram. For more information, please see Instagram's privacy policy: http://instagram.com/about/legal/privacy/.

e. Use of the Meta Pixel (Facebook Pixel)

We place advertisements on Facebook and Instagram. In this context, we have integrated the ‘Meta Pixel’ into our website.

The Meta Pixel enables us to:

  • Measure the success of Facebook advertising campaigns.

  • Reach visitors to our website again with advertisements on Facebook and Instagram.

  • Personalise the advertisements to the previously viewed pages or products.

The Meta Pixel is provided to us by Meta Platforms Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).

During your visit to our website, the following data, among other things, is transmitted to Meta:

  • Pages or URLs accessed

  • The achievement of ‘website goals’

  • Your internet connection data (IP address)

  • Technical information such as browser, device and screen resolution

  • A randomly generated user ID

  • A randomly generated ad click ID if you arrived at our website via an advertisement.

This data may also be transferred to Meta servers in the United States. Meta stores cookies in your web browser for a period of one year from your last visit. These cookies contain a randomly generated user ID that can be used to recognise you on future visits to the website. If you are logged into Meta platforms such as Facebook/Instagram, Meta can also associate your visit with your Facebook/Instagram account.

If you do not agree to this collection, you can prevent it by installing a tracking blocker add-on in your browser or by rejecting cookies via our cookie settings dialogue.

C. Data processing in connection with your stay

1. Data processing for the fulfilment of statutory reporting obligations

Upon arrival at our hotel, we may require the following information from you and your companions:

  • First and last name

  • Postal address and county

  • Date of birth

  • Nationality

  • Official identification document and number

  • Arrival and departure dates

Room number

We collect this information to comply with legal reporting requirements, which arise in particular from hospitality or police law. Insofar as we are obliged to do so under the applicable regulations, we forward this information to the competent police authority.

In fulfilling the legal requirements, we have a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.

2. Recording of services purchased

If you purchase additional services during your stay (e.g. from the mini bar, restaurant consumption, etc.), we will record the service and the time of purchase for billing purposes. The processing of this data is necessary for the performance of the contract with us within the meaning of Art. 6 (1) (b) GDPR.

D. Storage and exchange of data with third parties

3. Booking platforms

If you make bookings via a third-party platform, we receive various personal information from the respective platform operator. This usually includes the data listed in section 5 of this privacy policy. In addition, enquiries regarding your booking may be forwarded to us. We will process this data by name in order to record your booking as requested and to provide the booked services. The legal basis for data processing for this purpose is the fulfilment of a contract in accordance with Art. 6 para. 1 lit. b GDPR.

Finally, we may be informed by the platform operators about disputes in connection with a booking. In this context, we may also receive data relating to the booking process, which may include a copy of the booking confirmation as proof of the actual booking. We process this data to protect and enforce our claims. This constitutes our legitimate interest within the meaning of Art. 6(1)(f) GDPR.

Please also note the data protection information provided by the respective provider.

4. Central storage and linking of data

We store the data specified in sections 2-10 and 13-15 in a central electronic data processing system. The data relating to you is systematically collected and linked for the purpose of processing your bookings and handling the contractual services. The processing of this data within the software is based on our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in customer-friendly and efficient customer data management.

5. Retention period

We only store personal data for as long as is necessary to use the above-mentioned tracking services and for further processing within the scope of our legitimate interest. We store contract data for longer, as this is required by statutory retention obligations. Retention obligations that require us to store data arise from regulations on reporting rights, accounting and tax law. According to these regulations, business communications, concluded contracts and accounting documents must be stored for up to 10 years. If we no longer need this data to perform services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.

6. Disclosure of data to third parties

We will only disclose your personal data if you have expressly consented to this, if there is a legal obligation to do so, or if this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship. In addition, we pass on your data to third parties to the extent necessary for the use of the website and the execution of contracts (including outside the website), namely the processing of your bookings.

One service provider to whom the personal data collected via the website is passed on or who has or may have access to it is our web host BOLD AG Kommunikationsagentur, Konsumstrasse 20, 3007 Bern, Switzerland. The data is passed on for the purpose of providing and maintaining the functionalities of our website. This constitutes our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

Finally, when you pay by credit card on the website, we forward your credit card information to your credit card issuer and the credit card acquirer. If you choose to pay by credit card, you will be asked to enter all the necessary information. The legal basis for the transfer of data is the fulfilment of a contract in accordance with Art. 6(1)(b) GDPR. With regard to the processing of your credit card information by these third parties, we ask that you also read the general terms and conditions and the privacy policy of your credit card issuer.

Please also note the information in sections 12-13 and 15-16 regarding the transfer of data to third parties.

7. Transfer of personal data abroad

We are also entitled to transfer your personal data to third-party companies (contracted service providers) abroad for the purposes of data processing as described in this privacy policy. These companies are subject to the same data protection obligations as we are. If the level of data protection in a country does not correspond to that in Switzerland or the EU, we will ensure by contract that the protection of your personal data corresponds to that in Switzerland or the EU at all times.

E. Further information

8. Right to information, correction, deletion and restriction of processing; right to data portability

You have the following rights with regard to your data, provided that we have been able to duly verify your identity:

  • Right to information

  • Right to rectification and erasure

  • Right to restriction of processing

  • Right to object to processing

  • Right to notification

  • Right to data portability

You also have the right to assert your claims in court and to complain to a data protection supervisory authority about our processing of your data.

We will comply with your request for deletion, provided that it does not violate any obligation to retain data or that we do not need the data to assert, exercise or defend our legal claims.

You can revoke your consent to the processing of your data at any time for the future. Such revocation does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

If we base the processing of your data on our legitimate interests or those of a third party after weighing up the interests, you can object to such processing. In such a case, we will review your objection and either stop or adjust the data processing or show you our compelling, legitimate interests that justify our desire to continue processing. These must outweigh your interests, rights and freedoms, or the processing must serve to assert, exercise or defend legal claims.

You are not obliged to provide us with your data. However, it is possible that certain functions of our online offering may not be available or may only be available to a limited extent if you do not provide any data. Furthermore, it is possible that we will not be able to enter into an employment relationship with you without the relevant data.

If you have any questions about data protection or if you wish to exercise your rights, revoke your consent or object to data processing, please contact: datenschutz@kartause.ch.

9. Data security

We use appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

In cooperation with our hosting providers, we endeavour to protect the databases as well as possible against unauthorised access, loss, misuse or falsification. We would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.

You should always treat your access data as confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.

We also take internal data protection very seriously. Our employees and the service providers we commission are bound by us to maintain confidentiality and comply with data protection regulations.

10. Note on data transfers to the USA

For the sake of completeness, we would like to point out to users residing or based in Switzerland that US authorities have surveillance measures in place that generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland to the USA. This is done without differentiation, restriction or exception based on the objective pursued and without an objective criterion that would allow access by US authorities to the data and its subsequent use to be limited to very specific, strictly limited purposes that would justify the interference associated with both access to and use of this data.

We would also like to point out that in the USA, affected persons from Switzerland have no legal remedies that allow them to access data concerning them and to have it corrected or deleted, nor is there any effective legal protection against general access rights of US authorities. We explicitly draw the attention of the persons concerned to this legal and factual situation so that they can make an informed decision about consenting to the use of their data.

We would like to point out to users residing in an EU member state that, from the perspective of the European Union, the USA does not have an adequate level of data protection, among other things due to the issues mentioned in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the United States, we will ensure that your data is protected at an appropriate level by our partners, either through contractual arrangements with these companies or by ensuring that these companies are certified under the EU-US Privacy Shield or Swiss-US Privacy Shield.

11. Right to lodge a complaint with a data protection supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority such as the Federal Data Protection and Information Commissioner (FDPIC) at any time.

As of August 2023