Privacy Policy

1. Scope

In this Privacy Policy, we provide information about the processing of personal data in connection with our activities and operations, including our website at the domain name appenberg.ch. In particular, we explain why, how, and where we process which personal data. We also provide information about the rights of individuals whose data we process.

For specific or additional activities and operations, we may publish further privacy policies or other information regarding data protection.

2. Contact Information

Responsibility for the processing of personal data:

Appenberg AG
Appenbergstrasse 36
3532 Zäziwil
Switzerland

info@appenberg.ch

In certain cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties.

3. Definitions and Legal Basis

3.1 Definitions

Data Subject: A natural person whose personal data we process.

Personal data (data subject): Any information relating to an identified or identifiable natural person.

Personal data requiring special protection: Data regarding trade union, political, religious, or ideological views and activities; data regarding health, privacy, or membership in an ethnic or racial group; genetic data; biometric data that uniquely identifies a natural person; data regarding criminal and administrative sanctions or proceedings, and data regarding social assistance measures.

Processing: Any handling of personal data, regardless of the means and methods used, such as retrieving, comparing, modifying, archiving, storing, reading, disclosing, obtaining, collecting, collection, deletion, disclosure, classification, organization, storage, modification, dissemination, linking, destruction, and use of personal data.

3.2 Legal Basis

We process personal data in accordance with Swiss data protection law, in particular the Federal Data Protection Act (Data Protection Act, DSG) and the Data Protection Regulation (Data Protection Regulation, DPR). To the extent that the European General Data Protection Regulation (GDPR) applies to data processing, the processing of your personal data is based on the legal basis cited in each instance.

4. Nature, Scope, and Purpose of the Processing of Personal Data

We process the personal data necessary to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. The personal data we process falls primarily into the following categories: browser and device data, content data, communication data, metadata, usage data, master data (including inventory and contact information), location data, transaction data, contract data, and payment data.

We also process personal data that we receive from third parties, obtain from publicly available sources, or collect in the course of our activities and operations, to the extent that such processing is permitted by law.

We process personal data, where necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to comply with legal obligations or to protect legitimate interests. We may also ask data subjects for their consent even when it is not required.

We process personal data for as long as is necessary for the respective purpose. We anonymize or delete personal data, in particular, in accordance with statutory retention and statute of limitations periods.

5. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties include, in particular, specialized service providers whose services we use.

We may disclose personal data to banks and other financial service providers, government agencies, educational and research institutions, consultants and attorneys, IT service providers, credit and business credit bureaus, marketing and advertising agencies, organizations and associations, telecommunications companies, and insurance companies.

6. Communication

We process personal data in order to communicate with third parties. In this context, we process, in particular, data that a data subject provides when contacting us, for example by mail or email. We may store such data in an address book or using similar tools.

Third parties who transmit data about other individuals are required to ensure data protection for those individuals. To this end, they must, among other things, ensure the accuracy of the personal data transmitted.

7. Data Security

We implement appropriate technical and organizational measures to ensure data security commensurate with the respective risk. Through these measures, we ensure, in particular, the confidentiality, availability, traceability, and integrity of the personal data we process; however, we cannot guarantee absolute data security.

Access to our website and other online presence is secured using transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers warn users against visiting websites without transport encryption.

Our digital communications—like all digital communications, in principle—are subject to mass surveillance without cause or suspicion by security agencies in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over the processing of personal data by intelligence agencies, police departments, and other security agencies. Nor can we rule out the possibility that a data subject may be specifically monitored.

8. Personal Data Abroad

As a general rule, we process personal data in Switzerland. However, we may also disclose or export personal data to other countries, in particular to process it there or have it processed there.

We may transfer personal data to all Countries on Earth announce, provided that the law of that jurisdiction, in accordance with Resolution of the Swiss Federal Council ensures adequate data protection.

We may disclose personal data to countries whose laws do not provide adequate data protection, provided that adequate data protection is ensured for other reasons, in particular on the basis of standard data protection clauses or other appropriate safeguards. In exceptional cases, we may transfer personal data to countries without adequate or appropriate data protection if the specific requirements under data protection law are met, such as the explicit consent of the data subjects or a direct connection to the conclusion or performance of a contract. Upon request, we are happy to provide data subjects with information about any safeguards or to supply a copy of such safeguards.

9. Rights of Data Subjects

9.1 Claims Under Data Protection Law

We grant data subjects all rights provided for under applicable data protection law. In particular, data subjects have the following rights:

Right of Access: Data subjects may request information regarding whether we process personal data about them and, if so, what personal data is involved. Data subjects will also receive the information necessary to assert their data protection rights and to ensure transparency. This includes the personal data being processed as such, but also, among other things, details regarding the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.

Correction and Restriction: Data subjects may correct inaccurate personal data, complete incomplete data, and request that the processing of their data be restricted.

Deletion and Objection: Data subjects may request the deletion of their personal data (“right to be forgotten”) and object to the processing of their data with future effect.

Data Disclosure and Data Transfer: Data subjects may request the disclosure of their personal data or the transfer of their data to another data controller.

We may defer, restrict, or deny the exercise of data subjects’ rights to the extent permitted by law. We may inform data subjects of any prerequisites that must be met in order to exercise their rights under data protection law. For example, we may refuse to provide information in whole or in part, citing confidentiality obligations, overriding interests, or the protection of other individuals. We may also, for example, refuse to delete personal data in whole or in part, particularly by citing statutory retention obligations.

In exceptional cases, we may charge a fee for the exercise of these rights. We will inform the individuals concerned in advance of any such fees.

We are required to take appropriate measures to identify data subjects who request information or exercise other rights. Data subjects are required to cooperate.

9.2 Legal Protection

Data subjects have the right to enforce their data protection rights through legal action or to file a report or complaint with a data protection supervisory authority.

The data protection supervisory authority for private data controllers and federal agencies in Switzerland is the Swiss Federal Data Protection and Information Commissioner (EDÖB).

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies—including our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies)—are data stored in the browser. Such stored data is not necessarily limited to traditional text-based cookies.

Cookies can be stored temporarily in the browser as “session cookies” or for a specific period of time as so-called persistent cookies. “Session cookies” are automatically deleted when the browser is closed. Persistent cookies have a specific retention period. In particular, cookies make it possible to recognize a browser the next time it visits our website and, for example, to measure our website’s reach. However, persistent cookies can also be used for online marketing, for example.

Cookies can be disabled entirely or partially, or deleted, at any time in your browser settings. Without cookies, our website may no longer be fully accessible. We actively seek your explicit consent to the use of cookies—at least to the extent necessary.

For cookies used to measure performance and reach or for advertising, many services offer a general opt-out option via the AdChoices (Digital Advertising Alliance of Canada), which Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

For every visit to our website and other online presence, we may log at least the following information, provided that it is transmitted to our digital infrastructure during such visits: date and time, including time zone, IP address, access status (HTTP status code), operating system, including user interface and version; browser, including language and version; individual subpages of our website that were accessed, including the amount of data transferred; and the last webpage accessed in the same browser window (referrer).

We record such information—which may also constitute personal data—in log files. This information is necessary to ensure that our website remains available, user-friendly, and reliable at all times. This information is also necessary to ensure data security—including through third parties or with the assistance of third parties.

10.3 Counting Pixels

We may incorporate tracking pixels into our website. Tracking pixels are also known as web beacons. Tracking pixels—including those from third parties whose services we use—are typically small, invisible images or JavaScript scripts that are automatically loaded when you access our website. Tracking pixels can collect at least the same information as log files.

11. Notices and Announcements

11.1 Measuring Success and Reach

Notifications and messages may contain web links or tracking pixels that track whether an individual message has been opened and which web links were clicked within it. Such web links and tracking pixels may also track the use of notifications and messages on a personal basis. We require this statistical tracking of usage to measure effectiveness and reach so that we can send notifications and messages in a way that is effective, user-friendly, sustainable, secure, and reliable, based on the needs and reading habits of the recipients.

11.2 Consent and Objection

You must generally consent to the use of your email address and other contact information, unless such use is permitted for other legal reasons. To obtain double-confirmed consent, if necessary, we may use the “double opt-in” procedure. In this case, you will receive a message with instructions for double confirmation. We may use the consent obtained, including IP address and Timestamp Record this for evidentiary and security reasons.

You may, in principle, opt out of receiving notifications and communications—such as newsletters—at any time. By opting out, you may also object to the collection of usage data for the purpose of measuring performance and reach. This does not apply to necessary notifications and communications related to our activities and operations.

11.3 Service Provider for Notifications and Announcements

We send out notifications and announcements through specialized service providers.

In particular, we use:

Mailchimp: Communication platform; Provider: The Rocket Science Group LLC, doing business as Mailchimp (U.S.), as Subsidiary Intuit Inc. (U.S.); Privacy Policy: Privacy Policy (Intuit) including “Country and Region-Specific Terms,” "Frequently Asked Questions About Data Protection at Mailchimp", "Mailchimp and European Data Transfers", "Security", Cookie Policy, "Privacy Rights Requests", "Legal Provisions".

12. Social Media

We maintain a presence on social media and other online platforms to communicate with interested individuals and provide information about our activities and operations. In connection with these platforms, personal data may also be processed outside of Switzerland.

The General Terms and Conditions (GTC), Terms of Use, privacy policies, and other provisions of the individual operators of such platforms also apply in each case. These provisions provide information, in particular, about the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right of access.

13. Third-Party Services

We use services provided by specialized third parties to ensure that we can carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. These services allow us, among other things, to embed features and content on our website. When content is embedded in this way, the services used collect—at least temporarily, for technical reasons—the IP addresses users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized form. This includes, for example, performance or usage data necessary to provide the respective service.

In particular, we use:

Google Services: Providers: Google LLC (U.S.) / Google Ireland Limited (Ireland), in part for users in the European Economic Area (EEA) and Switzerland; General Information on Data Protection: "Principles of Data Protection and Security", "Information on how Google uses personal data", Privacy Policy, "Google is committed to complying with applicable data protection laws", "Guide to Data Protection in Google Products", "How we use data from websites or apps on or within which our services are used", "Types of Cookies and Similar Technologies Used by Google", "Advertising You Can Control" ("Personalized Advertising").

13.1 Digital Infrastructure

We use services provided by specialized third parties to access the digital infrastructure we need in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.

In particular, we use:

Dato CMS: Website builder; Provider: Dato SRL (Italy); Privacy policy: Privacy Policy.

Cyon: Web hosting; Provider: Cyon AG (Basel); Privacy policy: Privacy Policy.

13.2 Social Media Features and Social Media Content

We use third-party services and plugins to embed features and content from social media platforms and to enable users to share content on social media platforms and through other channels.

In particular, we use:

Meta Platform (Instagram and Facebook): Embedding Instagram and Facebook content; Providers: Meta Platforms Ireland Limited (Ireland) and Other Meta companies (including the U.S.); Information on data protection: Privacy Policy (Instagram), Privacy Policy (Facebook).

LinkedIn platform: Embedding LinkedIn Content; Provider: LinkedIn Ireland Unlimited Company (Ireland); Privacy Policy: Privacy Policy (LinkedIn)

13.3 Fonts

We use third-party services to embed selected fonts, icons, logos, and symbols on our website.

In particular, we use:

Adobe Fonts: Fonts; Providers: Adobe Inc. (U.S.) for users in North America / Adobe Systems Software Ireland Limited (Ireland) for users in the rest of the world; Privacy information: "Adobe Privacy Center", Privacy Policy (Adobe Fonts), Privacy Policy (Adobe), "Questions about data protection?", "Adobe Privacy Settings".

Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: "Your Privacy and Google Fonts", "Data Protection and Data Collection" (on Google Fonts).

Good Type Foundry: Fonts; Provider: Good Type Foundry; Good Type Foundry-specific information: "User License Agreement"

14. Website Extensions

We use extensions on our website to provide additional functionality. We may use selected services from appropriate providers or implement such extensions on our own digital infrastructure.

In particular, we use:

Google reCAPTCHA: Spam protection (distinguishing between desired content from humans and unwanted content from bots and spam); Provider: Google; Google reCAPTCHA-specific information: "What is reCAPTCHA?".

15. Measuring Success and Reach

We strive to measure the success and reach of our activities and operations. Within this framework, we can also measure the impact of third-party links or test how different parts or versions of our online platform are used (the “A/B testing” method). Based on the results of these success and reach measurements, we can, in particular, fix errors, enhance popular content, or make improvements.

In most cases, the following are used to measure success and reach: IP addresses collected from individual users. In this case, IP addresses are always truncated (“IP masking”) in order to comply with the principle of data minimization through the corresponding pseudonymization.

Cookies may be used to measure success and reach, and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our website, information about the size of the screen or browser window, and the user’s location (at least approximately). As a general rule, any user profiles created are exclusively pseudonymized and are not used to identify individual users. Certain third-party services with which users are registered may, in some cases, associate the use of our online service with the user’s account or profile on the respective service.

In particular, we use:

Google Analytics by Google Ireland Limited, located at Gordon House, Barrow Street, Dublin 4, Ireland, or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

16. Note on Data Transfers to the United States

For the sake of completeness, we would like to point out to users residing or having their registered office in Switzerland that U.S. authorities have surveillance measures in place that generally allow for the storage of all personal data of any individuals whose data has been transferred from Switzerland to the United States. This occurs without differentiation, restriction, or exception based on the intended purpose and without an objective criterion that would allow the U.S. authorities’ access to the data and its subsequent use to be limited to very specific, strictly limited purposes that could justify the intrusion associated with both access to and use of this data. Furthermore, we note that in the United States, there are no legal remedies available to data subjects from Switzerland that would allow them to obtain access to the data concerning them and to have it corrected or deleted, nor is there any effective judicial protection against the general access rights of U.S. authorities. We explicitly draw the data subject’s attention to this legal and factual situation so that they may make a fully informed decision regarding consent to the use of their data.

We would like to inform users residing in an EU member state that, from the European Union’s perspective—based, among other things, on the issues mentioned in this section—the United States does not provide an adequate level of data protection. To the extent that we have explained in this Privacy Policy that recipients of data (such as Google) are based in the United States, we will ensure—either through contractual arrangements with these companies or by verifying their certification under the EU-U.S. or Swiss-U.S. Privacy Shield—that your data is protected to an adequate standard by our partners.

17. Scope and Purpose of the Collection, Processing, and Use of Personal Data

17.1 Data Processing When Booking an Overnight Stay Through Our Website

You can book a room on our website. To do so, we collect the following information; required fields are marked with an asterisk (*) during the booking process:

Salutation
First Name
Last Name
Birthday
Place of Birth
Phone number
Email
Country or Nationality
Payment Method
Card number, verification number, name on the card
Booking Details
Special Requests
Confirmation of Marketing Email
Confirmation of Acknowledgment and Consent Regarding the Terms and Conditions and Privacy Policy

We use this information to verify your identity before entering into a contract. We need your email address to confirm your reservation and for future communication with you—as required for contract fulfillment. We store your data along with the booking details (e.g., room category, length of stay, and the description, price, and features of the services), payment information (e.g., selected payment method, payment confirmation, and date and time) as well as information regarding the processing and fulfillment of the contract (e.g., receipt of and handling of complaints) in our PMS so that we can ensure proper booking processing and contract fulfillment.

To the extent necessary for the performance of the contract, we will also share the required information with any third-party service providers (e.g., event organizers or transportation companies).