Privacy Policy

With this Privacy Policy , we inform you which personal data we process in connection with our activities and operations, including our https://www.mountainflair.ch/ website. In particular, we explain for what purposes, how, and where we process which personal data. We also inform you about the rights of individuals whose data we process. Additional privacy policies and other legal documents such as General Terms and Conditions (GTC), Terms of Use, or Participation Conditions may apply to individual or additional activities and operations. Additional privacy policies and other legal documents such as General Terms and Conditions (GTC), Terms of Use, or Participation Conditions may apply to individual or additional activities and operations. We are subject to Swiss data protection law and, where applicable, foreign data protection law, such as that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission recognizes that Swiss data protection law provides adequate data protection.

1. Contact Addresses

Responsible for processing personal data: Mountain Flair GmbH Via dal Bagn 1 7500 St. Moritz info@mountainflair.ch We will indicate if there are other responsible parties for processing personal data in individual cases.

1.1 Data Protection Officer

We have the following data protection officer as the point of contact for affected persons and authorities regarding inquiries related to data protection: Sven Arquisch Via dal Bagn 1 7500 St. Moritz sven@mountainflair.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation in accordance with Art. 27 GDPR: VGS Datenschutzpartner GmbH Am Kaiserkai 69 20457 Hamburg Germany info@datenschutzpartner.eu
The data protection representation serves as an additional point of contact for affected persons and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.

2. Terms and Legal Basis

2.1 Terms

Personal data includes all information that relates to an identified or identifiable natural person. A data subject is a person whose personal data we process. Processing covers all handling of personal data, regardless of the methods and procedures used, such as querying, matching, adjusting, archiving, storing, reading, disclosing, procuring, recording, collecting, deleting, revealing, arranging, organizing, storing, modifying, disseminating, linking, destroying, and using personal data. The European Economic Area (EEA) includes the member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.

2.2 Legal Basis

We process personal data in accordance with Swiss data protection law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Data Protection Ordinance (Data Protection Ordinance, DPO). If and to the extent that the General Data Protection Regulation (GDPR) applies, we process personal data according to at least one of the following legal bases:

• Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfill a contract with the data subject or to carry out pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data in order to protect the legitimate interests of us or third parties, unless the fundamental freedoms and rights and interests of the data subject prevail. Legitimate interests are, in particular, our interest in being able to carry out our activities and operations in a permanent, user-friendly, secure and reliable manner and to communicate about them, to ensure information security, to protect against misuse, to enforce our own legal claims and to comply with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
• Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data in order to protect the vital interests of the data subject or another natural person.

3. Nature, Extent, and Purpose

We process the personal data that are necessary to carry out our activities and operations on a permanent, user-friendly, secure, and reliable basis. Such personal data may fall into categories such as inventory and contact data, browser and device data, content data, meta or margin data, usage data, location data, sales data, and contract and payment data. We process personal data for the duration required for the respective purpose or as required by law. Personal data that is no longer needed is anonymized or deleted. We may have personal data processed by third parties. We may process personal data together with third parties or transfer it to third parties. These third parties are particularly specialized providers whose services we use. We ensure data protection even with such third parties. We process personal data primarily with the consent of the data subjects. If and to the extent that processing is permitted on other legal grounds, we may dispense with obtaining consent. We may process personal data without consent, for example, to fulfill a contract, comply with legal obligations, or protect overriding interests. In this context, we particularly process information that a data subject voluntarily provides to us when contacting us—e.g., by letter, email, instant messaging, contact form, social media, or telephone—or when registering for a user account. We may store such information in an address book, a Customer Relationship Management System (CRM system), or similar tools. If we receive data about other persons, the persons providing the data must ensure data protection and the accuracy of this personal data. We also process personal data that we obtain from third parties, publicly accessible sources, or in the course of our activities and operations, if and to the extent that such processing is legally permissible.

4. Applications

We process personal data about applicants insofar as it is necessary to assess their suitability for employment or to carry out an employment contract. The required personal data results primarily from the information requested, such as in a job advertisement. We also process personal data that applicants voluntarily disclose or publish, particularly as part of cover letters, CVs, and other application documents, as well as online profiles. If and to the extent that the General Data Protection Regulation (GDPR) applies, we process personal data about applicants according to Art. 9 Abs. 2 lit. b DSGVO .

5. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, particularly for processing there. We may export personal data to all countries and territories on Earth and elsewhere in the universe , provided that the applicable law provides adequate data protection according to a decision by the Swiss Federal Council and, if and to the extent that the GDPR applies, according to a decision by the European Commission. We may transfer personal data to countries whose law does not provide adequate data protection, provided that data protection is ensured for other reasons, particularly based on standard data protection clauses or other suitable guarantees. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the specific data protection requirements are met, such as the explicit consent of the data subjects or a direct connection with the conclusion or fulfillment of a contract. We are happy to provide information on request about any guarantees or supply a copy of any guarantees.

6. Rights of Data Subjects

6.1 Data Protection Claims

We grant data subjects all claims according to applicable data protection law. Data subjects, in particular, have the following rights:

• Access: Data subjects can request information on whether we process personal data about them and, if so, which personal data. Data subjects also receive the information necessary to assert their data protection claims and ensure transparency. This includes the processed personal data as such, but also, among other things, information on the processing purpose, retention period, any disclosure or export of data to other countries, and the origin of the personal data.
• Correction and Restriction: Data subjects can correct incorrect personal data, complete incomplete data, and restrict the processing of their data.
• Deletion and Objection: Data subjects can have personal data deleted (“Right to be Forgotten”) and object to the processing of their data with future effect.
• Data Release and Transfer: Data subjects can request the release of personal data or the transfer of their data to another controller.

We may defer, restrict, or deny the exercise of data subjects’ rights to the extent legally permissible. We may inform data subjects of any conditions that may need to be met to exercise their data protection claims. For example, we may deny access by referring to business secrets or protecting other persons. We may also refuse to delete personal data with reference to legal retention obligations. We may exceptionally charge for the exercise of rights. We will inform data subjects in advance of any costs. We are required to identify data subjects who request information or assert other rights using reasonable measures. Data subjects are obliged to cooperate.

6.2 Right to Complain

Data subjects have the right to enforce their data protection claims in court or file a complaint with a competent data protection supervisory authority. The data protection supervisory authority for private controllers and federal agencies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). If and to the extent that the General Data Protection Regulation (GDPR) applies, data subjects have the right to file a complaint with a competent European data protection supervisory authority.

7. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. However, we cannot guarantee absolute data security. Access to our website is secured with transport encryption (SSL / TLS, particularly with Hypertext Transfer Protocol Secure, abbreviated as HTTPS). Most browsers indicate transport encryption with a padlock in the address bar. Our digital communication is subject to mass surveillance without cause or suspicion, as is generally the case with any digital communication, as well as other surveillance by security authorities in Switzerland, Europe, the United States of America (USA), and other countries. We have no direct influence on the corresponding processing of personal data by intelligence services, police, and other security authorities.

8. Use of the Website

8.1 Cookies

We may use cookies. Cookies—both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies)—are data stored in the browser. Such stored data does not have to be limited to traditional text-based cookies. Cookies can be temporarily stored as “session cookies” in the browser or for a specified period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a specific storage period. Cookies make it possible, among other things, to recognize a browser on the next visit to our website and thus, for example, measure the reach of our website. Permanent cookies can also be used for online marketing. Cookies can be completely or partially disabled and deleted in the browser settings at any time. Without cookies, our website may no longer be fully available. We request active explicit consent to use cookies—at least when required. For cookies used for success and reach measurement or advertising, a general objection (“opt-out”) is possible for many services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices , or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2 Server Log Files

We may collect the following data for each access to our website, provided that these are transmitted from your browser to our server infrastructure or can be determined by our web server: date and time, including time zone, Internet Protocol (IP) address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including the transferred data volume, the last website visited in the same browser window (referer). We store such information, which may also be considered personal data, in server log files. This information is necessary to make our website available permanently, user-friendly, and reliably and to ensure data security, particularly the protection of personal data—also through third parties or with the help of third parties.

8.3 Tracking Pixels

We may use tracking pixels on our website. Tracking pixels are also known as web beacons. Tracking pixels—also from third parties whose services we use—are small, usually invisible images automatically retrieved when visiting our website. With tracking pixels, the same data can be collected as in server log files.

9. Notifications and Messages

We send notifications and messages via email and other communication channels, such as instant messaging or SMS.

9.1 Success and Reach Measurement

Notifications and messages may contain weblinks or tracking pixels that record whether an individual message was opened and which links were clicked. Such links and tracking pixels can also record the usage of notifications and messages personally. We need this statistical recording of usage for success and reach measurement to send notifications and messages effectively and user-friendly and permanently, securely, and reliably based on recipients’ needs and reading habits.

9.2 Consent and Objection

You generally must explicitly consent to using your email address and other contact addresses unless the use is permitted for other legal reasons. If possible, we use the “double opt-in” procedure for any consent, which means you receive an email with a link that you must click to confirm to prevent misuse by unauthorized third parties. We may record such consent, including the Internet Protocol (IP) address and date and time, for evidence and security reasons. You can generally object to receiving notifications and messages such as newsletters at any time. Such an objection also allows you to object to the statistical recording of usage for success and reach measurement. Required notifications and messages related to our activities and operations remain unaffected.

9.3 Service Providers for Notifications and Messages

We send notifications and messages with the help of specialized service providers. We use in particular:

• Mailchimp: Communication platform; provider: The Rocket Science Group LLC DBA Mailchimp (USA), a subsidiary of Intuit Inc. (USA); Data protection information: Privacy Policy (Intuit) including “Country and Region-Specific Terms,” “Frequently Asked Questions about Mailchimp Privacy” , “Mailchimp and European Data Transfers” , “Security” , Cookie Policy , “Privacy Rights Requests” , “Legal Terms”.

10. Social Media

We are present on social media platforms and other online platforms to communicate with interested parties and inform about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA). The general terms and conditions (GTC), terms of use, privacy policies, and other terms of the respective operators of such platforms apply. These terms inform, in particular, about the rights of data subjects directly against the respective platform, including the right to access. For our social media presence on Facebook, including the so-called page insights, we are—if and to the extent that the General Data Protection Regulation (GDPR) applies—jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including the USA). Page insights provide information about how visitors interact with our Facebook presence. We use page insights to provide our social media presence on Facebook effectively and user-friendly. Further information on the nature, extent, and purpose of data processing, information on the rights of data subjects, and the contact details of Facebook and Facebook’s data protection officer can be found in the Facebook Privacy Policy. We have concluded the so-called “Addendum for Controllers” with Facebook, agreeing that Facebook is responsible for ensuring the rights of data subjects. For page insights, the relevant information is available on the page “Information on Page Insights” including “Information on Page Insights Data”.

11. Third-Party Services

We use services from specialized third parties to carry out our activities and operations on a permanent, user-friendly, secure, and reliable basis. These services enable us to embed functions and content into our website. For such embedding, the services used must collect at least temporarily the Internet Protocol (IP) addresses of users for technical reasons. For necessary security, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in aggregated, anonymized, or pseudonymized form. These are, for example, performance or usage data required to provide the respective service. We use in particular:

• Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; general data protection information: “Privacy and Security Principles”, Privacy Policy, “Google’s Commitment to Complying with Applicable Data Protection Laws”, “Privacy Guide in Google Products”, “How Google Uses Data from Sites or Apps that Use Our Services” (Google Information), “Types of Cookies Used by Google and Other Technologies”, “Personalized Advertising” (Enable / Disable / Settings).

11.1 Digital Infrastructure

We use services from specialized third parties to obtain the necessary digital infrastructure for our activities and operations. This includes, for example, hosting and storage services from selected providers.

11.2 Contact Options

We use services from selected providers to communicate better with third parties, such as potential and existing customers.

11.3 Maps

We use third-party services to embed maps into our website. We use in particular:

• OpenStreetMap (OSM): Map service; provider: OpenStreetMap Foundation (UK); privacy information: Privacy Policy.
• Google Maps: Map service; provider: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; privacy information: Privacy Policy, Google Maps Controller Terms.

11.4 Digital Audio and Video Content

We use specialized third-party services to enable the direct playback of digital audio and video content, such as music or podcasts.

11.5 Documents

We use third-party services to embed documents into our website. Such documents may include forms, PDF files, presentations, spreadsheets, and text documents. We may allow not only viewing but also editing or commenting on such documents.

11.6 Payments

We use specialized service providers to handle payments from our customers securely and reliably. For the processing of payments, the legal texts of the respective service providers, such as general terms and conditions (GTC) or privacy policies, apply additionally. We use in particular:

• Stripe: Payment processing; provider: Stripe, Inc. (USA); privacy information:: Privacy Center.

11.7 Advertising

We use the opportunity to display targeted advertising for our activities and operations on third-party platforms, such as social media platforms and search engines. We aim to reach people who are already interested in or might be interested in our activities and operations (Remarketing and Targeting). To this end, we may transmit corresponding—possibly also personal—information to third parties that enable such advertising. We can also determine whether our advertising is successful, meaning whether it leads to visits to our website (Conversion Tracking). Third parties where we advertise, and where you are logged in as a user, may link the use of our website to your profile there. We use in particular:

• Google Ads: Search engine advertising; provider: Google; specific information about Google Ads: advertising, including based on search queries, using various domain names—particularly doubleclick.net, googleadservices.com, and googlesyndication.com—for Google Ads, , “Advertising” (Google), “Why am I seeing a particular ad?”.

11.8 Consent management platform (Usercentrics)

We use the Consent Management Platform (CMP) Usercentrics to obtain and manage the necessary consents for the processing of personal data on our website through the use of cookies or comparable technologies. With the help of Usercentrics, you can manage your consent to the use of cookies and other technologies that involve the processing of personal data and change or revoke it at any time.

Your data is processed on the basis of Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. f GDPR (legitimate interest). Consent is stored as proof of the obligation to give consent in accordance with Art. 7 para. 1 GDPR. The use of CMP ensures that cookies are only set if the respective consent has been given.

Further information about data protection at Usercentrics can be found in their privacy policy.

We have integrated Usercentrics on our website as follows:

• Responsible party: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany
• Processing purposes: Management of cookie consents
• Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation) and Art. 6 para. 1 lit. f GDPR (legitimate interest)
• Data storage: Storage of cookie consents until revoked by the user.
• Data concerned: Consent data (IP address, time stamp, user data)

11.8.1 Functionalities of Usercentrics

The CMP from Usercentrics allows you to make detailed settings for the use of cookies and tracking tools on our website. This allows you to decide whether and what data is collected from you when you use our website. The cookie settings can be adjusted at any time in the cookie banner.

12. Success and Reach Measurement

We attempt to determine how our online offering is used. In this context, we can measure, for example, the success and reach of our activities and operations and the impact of third-party links on our website. We can also test and compare how different parts or versions of our online offering are used (“A/B testing” method). Based on the results of success and reach measurement, we can fix errors, strengthen popular content, or make improvements to our online offering. For success and reach measurement, the Internet Protocol (IP) addresses of individual users are usually stored. IP addresses are generally shortened (“IP masking”) in this case to follow the principle of data minimization through the corresponding pseudonymization. Cookies can be used in success and reach measurement, and user profiles can be created. Any created user profiles may include, for example, the individual pages visited or viewed content on our website, information on the size of the screen or browser window, and the—at least approximate—location. Generally, any created user profiles are exclusively pseudonymized and not used to identify individual users. Individual services of third parties where users are logged in may link the use of our online offering to the user account or profile with the respective service. We use in particular:

• Google Analytics: Success and reach measurement; provider: Google; specific information about Google Analytics: measurement also across different browsers and devices (Cross-Device Tracking) and with pseudonymized Internet Protocol (IP) addresses that are only exceptionally fully transmitted to Google in the USA, “Privacy”, “Browser Add-on to Deactivate Google Analytics”.

13. Final Provisions

We have created this privacy policy using the Privacy Policy Generator from Data Protection Partner. We may adapt and supplement this privacy policy at any time. We will inform about such changes and additions in an appropriate form, particularly by publishing the current privacy policy on our website.