Privacy Policy
Badrutt’s Palace Hotel AG, Via Serlas 27, 7500 St. Moritz, Switzerland (registered with the Commercial Register of the Canton of Graubünden under the number CHE-105.980.962; “we”, “our”, etc.) runs the restaurant “Paradiso Mountain Club”, and is also the operator of the website www.paradiso-stmoritz.com (“website”). Therefore, we are responsible for the collection, processing and use of your personal data and the compli-ance with the applicable data protection law.
Your trust is important to us, which is why we take the subject of data privacy seriously and ensure a corresponding level of security. Of course, we comply with the legal provi-sions of the Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (OFADP), the Telecommunications Act (TCA) and any other applicable data privacy provisions under Swiss or EU law, particularly the EU General Data Protec-tion Regulation (GDPR), where applicable. To be aware on which personal data we col-lect from you and what purposes we use it for, please acknowledge the following infor-mation. Please note that the following information is reviewed and changed from time to time. We therefore recommend that you regularly review this Privacy Policy. Further-more, for some of the data processing listed below, other companies are responsible under data protection law or jointly responsible with us, which means that in these cases the information provided by these providers is also relevant.
The address of our representative in the EU is: MLL Bruxelles SPRL, 222 Avenue Louise, 1050 Bruxelles, Belgien ([email protected]).
A. Data processing associated with our website
1. Accessing our website
In order for you to establish a connection to our websites or to any microsites, your browser sends certain data to the servers of our hosting provider (WP Engine located in Irongate House, 22-30 Duke’s Place, London, EC3A 7LP United Kingdom), which tem-porarily records each access in a log file. The following data is collected without your intervention and stored until automated deletion by us:
– The IP address of the requesting computer;
– The name of the owner of the IP address (normally your internet access provider);
– The date and time of the access;
– The website from which the access was made (referrer URL), where ap-plicable with the search word used;
– The name and the URL of the accessed file;
– The status code (e.g. error report);
– The operating system of your computer;
– The browser you use (type, version and language);
– The transfer log used (e.g. HTTP/1.1); and where applicable your user name from registration/authentication;
– The host header name;
– The number of bytes sent by the server;
– The number of bytes received and processed by the server;
– The duration of access;
– The requested verb or word, such as the GET method (GETlocation);
– The goal of the requested verb or word, e.g. Default.htm.
The collection and processing of this data is done with the purpose of allowing the use of the website (establishing a connection), ensuring permanent system security and stability and optimising the website, as well as for internal statistical purposes. This represents our legitimate interest in data processing in accordance with Art. 6, paragraph 1 f, GDPR.
The IP address is also evaluated together with other data, in the event of attacks on the network infrastructure or other illegal or abusive use of the website to resolve the issue and defend against it, and, if necessary, within the scope of criminal proceedings, for identification purposes and for civil and criminal proceedings against the affected user. This represents our legitimate interest in data processing in accordance with Art. 6, para-graph 1 f, GDPR.
2. Contact by phone or e-mail
At various places on our website, you have the opportunity to contact us by phone or e-mail and ask us, for example, questions about website functionalities, reservations or services.
We only collect data that you disclose to us. Consequently, you are responsible for the content of your communication and have control over what information you submit to us. We recommend that you do not submit sensitive information. To answer your questions, we may ask you to provide us with additional information (e.g., your address, email ad-dress, etc.). We will only collect the information that is necessary to answer your ques-tions or to provide the services you request.
This processing of this data is therefore required in accordance with Art. 6, paragraph 1 b, GDPR to execute pre-contractual measures, or is in our legitimate interest as per Art. 6, paragraph 1 f, GDPR.
3. Reserving a table
On our website you have the opportunity to reserve a table at Paradiso Mountain Club. We require the following details for the reservation (* mandatory):
– First name and surname of the person making the reservation*
– Number of guests*
– E-mail address*
– Telephone number*
– The choice of area (“Mountain Club” or “Music Deck”)*
– Date and time of the reservation*
– Comment
– I accept Terms & Conditions*
– Sign up for our newsletter
We only collect and process the data to handle the reservation, particularly to compile your reservation enquiry according to your request, to make the reservation and to contact you in the event of uncertainty or problems.
To process your reservation, we work with a tool of the company aleno AG, Aeger-tenstrasse 6, 8003 Zürich, Switzerland. The reservation data is stored on servers at the
following location: [technical application of Aleno AG, Steinackerweg 18, 8047 Zürich, Switzerland, to process the reservation. Your data is therefore also forwarded to Aleno AG, Steinackerweg 18, 8047 Zürich, Switzerland. Further information about the transfer and processing of data by third parties can be found, on the one hand, in point D.3. of this privacy policy, and on the other hand on the website of aleno AG in its privacy policy. Furthermore, we will require you to provide your credit card information. This infor-mation will only be needed in case of a no-show to charge you with the respective fee. In this case, we forward your credit card information to your credit card issuer and the credit card acquirer. If you decide to make a payment by credit card, you will be requested to enter all the mandatory information. To process the payment, we work with a the compa-ny Datatrans AG, Kreuzbühlstrasse 26, 8008 Zürich, Switzerland. Regarding the pro-cessing of your credit card information by these third parties, we request that you also read the general terms and conditions and the data privacy statement of your credit card issuer.
The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
4. Registering for our newsletter
If you register for our email newsletter, the following data will be collected. Mandatory data is marked with an asterisk (*) in the registration form:
– Email-address*
– Name*
– Sign up to our newsletter*
By registering, you consent to the processing of this data in order to receive messages from us about us, our offers and related products and services. The collection of name allows us to verify the association of the registration with a possibly already existing cus-tomer account and to personalise the content of the mails. The link to a customer account helps us to make the offers and content contained in the newsletter that more relevant to you and better tailored to your potential needs.
We will use your data until you revoke your consent. Revocation is possible at any time, in particular via the unsubscribe link in all our marketing emails.
Our marketing emails may contain a so-called web beacon or 1×1 pixel (tracking pixel) or similar technical tools. A web beacon is an invisible graphic that is linked to the user ID of the respective newsletter subscriber. For each marketing email sent, we receive infor-mation on which addresses have not yet received the email, to which addresses it was sent and for which addresses the sending failed. We also see which addresses have opened the email, for how long and which links they have clicked on. Finally, we also receive infor-mation about which addresses have unsubscribed. We use this data for statistical purposes and to optimise the promotional emails in terms of frequency, timing, structure and con-tent. This allows us to better tailor the information and offers in our emails to the individ-ual interests of the recipients.
The web beacon is deleted when you delete the email. To prevent the use of the web bea-con in our marketing emails, please set the parameters of your email program so that HTML is not displayed in messages if this is not already the case by default. In the help
sections of your email software you will find information on how to configure this set-ting, e.g. here for Microsoft Outlook.
By subscribing to the newsletter, you also consent to the statistical evaluation of user behaviour for the purpose of optimising and adapting the newsletter. This consent consti-tutes our legal basis for the processing of the data within the meaning of Art. 6, paragraph 1 a, GDPR.
We use the email marketing software Cendyn, 980 N Federal Hwy Ste 200, Boca Raton, FL 33432 US or marketing emails. Therefore, your data will be stored in a database of Cendyn, which allows Cendyn to access your data if this is necessary for the provision of the software and for support in the use of the software. The legal basis for this processing is our legitimate interest within the meaning of Art. 6, paragraph 1 f, GDPR in the use of third-party services.
5. Cookies
Along with many other things, cookies help us to make your visit to our website easier, more pleasant and effective. Cookies are information files which your web browser au-tomatically saves on the hard drive of your computer, when you visit our website.
We use cookies, for example, to temporarily save the selected services and details when completing a form on the website, so that you do not have to repeat the input when visit-ing another sub-page. Cookies are also used, where applicable, to be able to identify you as a registered user after you have registered on the website, without having to log in again when visiting another sub-page.
Most internet browsers accept cookies automatically. You can, however, configure your browser so that no cookies are saved on your computer, or a warning is always shown when you receive a new cookie. On the following pages you can find explanations of how to configure the handling of cookies with the most popular browsers:
– Microsofts Edge
– Microsofts Edge for mobile
– Mozilla Firefox
– Google Chrome for Desktop
– Google Chrome for Mobile
– Apple Safari for Desktop
– Apple Safari for Mobile
The deactivation of cookies may, however, mean that you are not able to use all of the functions of our website.
6. Tracking tools and re-targeting
a. Google Analytics
To allow us to design our website to meet your needs and to continually optimise our website, we use the web analysis service of Google Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland respectively Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA (“Google”). Consequently, pseudonymised usage profiles are created and cookies are used (see above). The information generated by the cookie about your use of this website is transferred to a server of Google in the USA and processed there. In addition to the data listed under point 1, we also may receive the following information:
– The navigation path which the website visitor took,
– The time spent on the website or sub-page,
– The sub-page on which the website was exited,
– The country, region or city in which access was made,
– The end user device (type, version, colour depth, resolution, width and height of the browser window) and whether it was a repeat or new visitor.
Before being transferred to Google, the IP address is abbreviated by activating the IP anonymising function (“anonymizeIP”) on this website within a Member State of the European Union or in another EEC state respectively Switzerland. The masked IP address transferred by your browser due to Google Analytics is not compiled with other data from Google. Only in exceptions the full IP address is transferred to a server of Google in the USA and abbreviated there. In these cases we ensure, by undertaking contractual guaran-tees, that Google maintains an adequate level of data protection.
The information is used to evaluate the use of the website, to compile reports about web- site activities and to provide other services associated with the use of the website and the internet, for the purpose of market research and designing this website to meet your needs. This information is also transferred to third parties if necessary, if this is specified by law or if third parties process this data on our behalf.
The legal basis for processing data for these purposes is your consent in accordance with Art. 6, paragraph 1 a, GDPR. The consent can be revoked at any time with effect for the future.
Users can prevent the collection of data generated by the cookie and related to the website usage by the respective user (incl. the IP address) to Google as well as the processing of such data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en
Further information about the web analysis service can be found on the website of Google Analytics.
b. Google Tag Manager
We use Google Tag Manager by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland respectively Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA (“Google”) on our website. Google Tag Manager is a solution that allows marketers to manage website tags through one interface. The Tag Manager tool is a cookie-less domain and does not collect any personal data. The tool takes care of trig-gering other tags, which in turn collect personal data. Google Tag Manager does not ac-cess this data, according to Google. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager. You can prevent the setting of tags at any time.
The legal basis for processing the data for this purpose is our legitimate interest according to Art. 6, paragraph 1 f, GDPR.
c. Soundcloud Widget
On our website, we use the widget from Soundcloud by Soundcloud Global Limited & Co. KG, Rheinsberger Str. 76/77, 10115 Berlin, Germany, for the purpose of making our content interactive. When you visit a page on our website that contains such a widget, your browser will connect directly to Soundcloud servers. The content of the widget is transmitted by Soundcloud directly to your browser and integrated into the page. By inte-grating the widget, Soundcloud receives the information that your browser has called up the corresponding page of our website, even if you do not have a profile or are not logged in at the moment. This information (including your IP address) is transmitted by your browser directly to a server of Soundcloud and stored there.
If you are logged in with your Soundcloud profile, Soundcloud can directly assign the visit to our website to your profile. When you interact with the widget, for example when you play content, the corresponding information is also transmitted directly to a server of Soundcloud and stored there. The information can also be published in Soundcloud and displayed to your contacts.
The legal basis for processing data for these purposes is your consent in accordance with Art. 6, paragraph 1 a, GDPR. The consent can be revoked at any time with effect for the future.
The purpose and scope of data collection and the further processing and use of data by Soundcloud, as well as a contact option and your rights and settings options for the pro-tection of your privacy, can be found in the privacy policy of Soundcloud.
d. Adobe Typekit
For uniform representation of fonts, our website uses web fonts provided by Adobe Inc., 345 Park Avenue San Jose, CA 95110, USA. When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. For this purpose your browser has to establish a direct connection to Adobes servers. Adobe thus becomes aware that our website was accessed with your IP address. The use of Ado-be Web fonts is done in the interest of a uniform and attractive presentation of our web-site. If your browser does not support web fonts, a standard font will be used by your computer.
The legal basis for processing the data for this purpose is our legitimate interest according to Art. 6, paragraph 1 f, GDPR.
Further information about handling user data, can be found in the Adobe Typekit privacy policy.
e. Facebook Custom Audience
We use a communication tool called Facebook Custom Audience. In general, a non-reversible and non-personal related test value (fingerprint) is generated from your usage data by Custom Audience, which can be sent to Facebook for analysis and marketing purposes (using a so-called Facebook cookie).
Custom Audience is a service of Facebook Inc., 1601 S California Ave, Palo Alto, CA 94304, USA or, if you are a resident in the EU, Facebook Ireland Ltd., 4 Grand Canal
Square, Grand Canal Harbour, Dublin 2, Ireland. Further information about the re- target-ing tool used can be found on the website of Facebook.
f. Links to our social media channels
On our website we have links to our social media profiles. The links lead to the following networks:
– Facebook of Meta Platforms Inc., One Hacker Way Menlo Park, CA 94025, USA or, if you are a resident in the EU, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland: and
– Instagram of Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.
If you click on symbols of the social networks, you are automatically forwarded to our profile page on the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives the information that you have visited our website with your IP address and clicked on the link.
If you click on a link to a network while you are logged into your user account with the respective network, the content of our website may be linked to your profile, so that the network can assign your visit to our website directly to your account. If you want to pre-vent that, you should log out before clicking on the corresponding links. A connection between your access to our website and your user account takes place in any case if you log in to the respective network after clicking on the link. The respective provider is re-sponsible under data protection law for the associated data processing. Please therefore note the information on the website of the network.
The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6, paragraph 1 f, GDPR in the use and promotion of our social media profiles.
g. Gravity Forms
On our website we use a plugin called Gravity Forms by Rocketgenius, Inc., 1620 Cen-terville Turnpike, Suite 102, Virginia Beach VA 23464-6500,USA, to power any forms seen on our website. Data captured through Gravity Forms will be used to contact you to respond to your enquiry. A backup of your data will also be stored in the database of our website, but will be automatically deleted after 30 days. Only authorised individuals will be able to access your data, and it will not be disclosed to third parties.
This processing of this data is therefore required in accordance with Art. 6, paragraph 1 b, GDPR to execute pre-contractual measures, or is in our legitimate interest as per Art. 6, paragraph 1 f, GDPR.
Further information about handling user data, can be found in the privacy policy for Gravity Forms.
h. Yoast SEO
On our website we use a plugin called Yoast SEO by Yoast BV, Don Emanuelstraat 3, 6602 GX Wijchen, The Netherlands. The Yoast SEO plugin is responsible for the entire technical optimisation of our websites for search engines. It also plays a role in the devel-opment of content.
The legal basis for any data processing attributed to us is our legitimate interest with-in the meaning of Art. 6, paragraph 1 f, GDPR in the optimization of our website for search engines to ensure that our customers can better find us online.
Further information about handling user data, can be found in the privacy policy for Yoast SEO.
B. Data processing associated with your visit
1. Data processing to perform other services
If you use extra services during your visit (e.g. buy items) the subject of the service and the time of the service are recorded by us for invoicing purposes. This processing of this data is therefore required for us to execute the contract in accordance with Art. 6, para-graph 1 b, GDPR.
C. Further information
1. Central saving and linking of data
We store the data specified in this privacy policy in a central electronic data processing system (so-called CRM). The data relating to you is systematically recorded and linked for the purpose of processing and handling the contractual services. Within the frame-work of data protection regulations, we also enrich the data with data from publicly ac-cessible sources (e.g. press or Internet). For this purpose, we use software from Cendyn, 980 N Federal Hwy Ste 200, Boca Raton, FL 33432 US.
The processing of this data as part of the CRM is based on our legitimate interest within the meaning of Art. 6, (1) f DSGVO in a customer-friendly and efficient customer data management.
2. Duration of storage
The maximum storage time for personal data is as long as a business relationship is main-tained, in order to use the afore-mentioned tracking services as well as the further pro-cessing within the scope of our legitimate interest. Contract data is stored for us for a longer period of time, if this is specified by legal obligations. Such obligations which oblige us to store data, arise from the provisions concerning bookkeeping, invoicing and tax law. According to these provisions, business communication, concluded contracts and accounting documents have to be stored for up to 10 years. If we no longer require this data to provide the services for you, data is blocked. This means that data can only be used for invoicing and tax purposes.
3. Forwarding of data to third parties
We only forward your personal data if you have explicitly agreed to it, if there is a legal obligation to do so, or if this is necessary to assert our rights, in particular to assert claims from the contractual relationship. Furthermore, we forward your data to third parties if this is necessary within the scope of the use of the website and the processing of the con- tract (also outside of the website), namely the processing of your reservations.
Various third-party service providers have been mentioned explicitly in this privacy poli-cy (e.g. aleno AG, Google etc.) and the purpose of the transfer of data has been men-tioned. Another service provider to whom personal data is forwarded or who has or could have access, is our web hosting company WP Engine located in Irongate House, 22-30 Duke’s Place, London, EC3A 7LP United Kingdom. The transfer of data is done with the purpose of providing and maintaining the functions of our website. The legal basis for processing data for this purpose is our legitimate interest according to Art. 6, paragraph 1 f, GDPR.
Finally, for payments by credit card made on our website, we forward your credit card information to your credit card issuer and the credit card acquirer. We use the software of the company Datatrans AG, Kreuzbühlstrasse 26, 8008 Zürich, Switzerland. If you decide to make a payment by credit card, you will be requested to enter all the mandatory infor-mation. The legal basis for the transfer of data is the fulfilment of a contract according to Art. 6, paragraph 1 b, GDPR. With regards to the processing of your credit card infor-mation by these third parties, we request that you also read the general terms and condi-tions and the data privacy statement of your credit card issuer.
4. Transfer of personal data abroad
We are permitted to also transfer your personal data to third-party companies (commis-sioned service providers) for the purpose of data processing described in this privacy policy. They are obliged to maintain the same level of data protection as we have. If the level of data protection in a particular country does not correspond to the Swiss or Euro-pean level, we will ensure by means of a contract (incl. additional adequate measures), that the protection of your personal data meets the level of protection in Switzerland or the EU at all times.
5. Note on the transfer of data to the USA
Some of the third-party service providers mentioned in this privacy policy have their reg-istered office in the USA. For the sake of completeness, we would like to point out for users who are resident or domiciled in Switzerland or the EU that monitoring measures are in place in the USA carried out by US authorities, which generally enable the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the USA authorities to the data and their subsequent use to very specif-ic, strictly limited purposes that are capable of justifying the interference associated both with the access to these data and with their use. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies that would allow them to obtain access to the data relating to them and to have it correct-ed or deleted, nor is there any effective legal protection against general access rights of US authorities. We explicitly draw the attention of the data subjects to this legal and fac-
tual situation in order to enable them to make an appropriately informed decision regard-ing consent to the use of their data.
We would like to point out to users who are resident in Switzerland or a member state of the EU that, from the perspective of the European Union and Switzerland, the USA does not have a sufficient level of data protection – among other things, due to the issues men-tioned in this section. To the extent that we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is protected at an appropriate level with our partners through contractual arrangements with these companies as well as any additional appropriate safeguards required to protect the rights of persons whose personal data is transferred to a third country.
6. Your rights
Provided that the legal requirements are met, you have the following rights as a data sub-ject:
Right of access: You have the right to request access to your personal data stored by us at any time and free of charge when we process it. This gives you the opportunity to check what personal data we process about you and that we use it in accordance with applicable data protection regulations.
Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed of the rectification. In this case, we will inform the recipients of the data concerned of the rectifications made, unless this is impossible or involves disproportionate effort.
Right to erasure: You have the right to have your personal data erased under certain circumstances. In individual cases, especially in the case of legal retention obligations, the right to deletion may be excluded. In this case, the deletion may be replaced by a blocking of the data if the conditions are met.
Right to restrict processing: You have the right to request that the processing of your personal data be restricted.
Right to data transmission: You have the right to obtain from us, free of charge, the personal data you have provided to us in a readable format.
Right to object: You can object to data processing at any time, in particular for data pro-cessing in connection with direct advertising (e.g. advertising emails).
Right of withdrawal: In principle, you have the right to withdraw your consent at any time. However, processing activities based on your consent in the past do not become unlawful because of your revocation.
To exercise these rights, please send us an email to the following address:
[email protected]
Right of complaint: You have the right to lodge a complaint with a competent superviso-ry authority, e.g. against the way your personal data is processed.
7. Data security
We take appropriate technical and organisational security measures, to protect your per-sonal data we have saved from manipulation, full or partial loss and unauthorised third-party access. Our safety measures are continually adapted in line with the development of technology.
We also take the protection of data in our own company very seriously. Our employees and the service providers commissioned by us have been obliged to confidentiality and to comply with the legal provisions concerning data protection.
8. Contact
If you have any questions regarding data protection on our website, would like to request more information or would like to have your data deleted, please contact us by sending an email to [email protected]
Please send your request by letter to the following address:
Badrutt’s Palace Hotel AG Data Protection Via Serlas 27 7500 St. Moritz Switzerland
Updated: August 2022