Privacy Policy Matterhorn App

1. Scope

This Data Protection Statement applies to use of the Matterhorn App (hereafter the “App”).

The App is operated by Zermatt Tourism, Bahnhofplatz 5, 3920 Zermatt, Switzerland, represented by Herr Daniel Luggen, Director. Zermatt Tourism is responsible for collecting, processing and using your personal data. Zermatt Tourism is therefore also responsible for all data processing taking place in accordance with applicable law.  

Protection of your personal data is very important to us. We take the subject of data protection seriously and pay attention to your data’s security. We observe all the applicable statutory regulations, in particular the Swiss Data Protection Act (DSG) and the Ordinance to this Act (VDSG), as well as the provisions of the Swiss Telecommunications Act (FMG). Insofar as applicable, we also comply with the provision of the European Union General Data Protection Regulation (GDPR).

We want you to know which personal data we collect from you, how we do this, how this data is processed and for what purposes. By using this App, you are consenting to all this data processing within the terms of Art. 6 (1a) GDPR. Please read the following information carefully.

 

2. Which data do we process when you use the App?

The interactive Matterhorn App is your customised mobile companion for experiencing a perfect summer and winter in Zermatt. The following data supplied by you may be processed when using the App: customer address details, contact information, payment method, transaction data and transaction history when purchasing tickets and items, or making reservations, as well as location data. Your data will be linked to your profile. You will be stored in the App database and deleted in the event of profile deletion, which you can request us to perform at any time. The legal basis for this processing of data lies in fulfilment of a contract (Art. 6 (1b) GDPR).

If you wish to avoid location data being transmitted, please deactivate your device’s GPS function, either by rejecting use of the function when you first install the App, or later by adjusting your device and App settings.

When you use the App, further information will be collected every time you open it. This concerns information about the App version, device, device network, operating system, screen information, location (only if GPS function is activated) and IP address. This information is used to make our service more user friendly, more effective and safer. If personal data is processed in this regard, this is necessary to uphold our overriding legitimate interests (Art. 6 (1f) GDPR).

 

3. Which external service providers are used to operate the App?

We work with miscellaneous external service providers for specific purposes such as analytics, contacting customers, registration and authentication, payments processing, infrastructure monitoring, creating and managing back-up copies, hosting and back-end infrastructure, tag management, location-related interactions, user database management and performance testing of content and functions. Below please find an overview of these service providers:

 

App evaluation/analysis/monitoring

We collaborate with “AppFigures” ((AppFigures, Inc., 133 Chrystie St. 3rd Fl., New York, NY 10002) for evaluation, analysis and monitoring of our App. Store accounts are linked to AppFigures. AppFigures provides us, as the App Owner, with statistics from Apple, Google and other app stores, to allow us to better evaluate the success of our App. Further information can be found at https://appfigures.com/.

If personal data is processed in this regard, this is necessary to uphold our overriding legitimate interests (Art. 6 (1f) GDPR).

 

Advertising and information campaigns

"Braze" (Braze Inc., 318 West 39th Street, 5th Floor, New York, New York 10018; formerly Appboy Inc.) is an analysis tool that processes personal data and user activity, so that we can provide you with personalised advertising and information campaigns. Data is processed in the USA, so Braze Inc. is certified under what is known as the “Privacy Shield” (www.privacyshield.gov). Further information can be found at www.braze.com/legal/.

If personal data is processed in this regard, this is necessary to uphold our overriding legitimate interests (Art. 6 (1f) GDPR).

Opt out: If you do not want to receive push notifications in the Android or iOS App, you can block them in your smartphone’s system settings. 

 

Infrastructure monitoring

The App uses the “Crashlytics” error diagnosis service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. If the App crashes during use, or if unexpected errors occurs, specific information (device type, operating system version, error date and time, country from which the request came and operating system language setting) is sent to Crashlytics.  Crashlytics is used without recording your IP address. Data is processed in the USA, so Google is certified under what is known as the “Privacy Shield” (www.privacyshield.gov). Further information can be found at https://try.crashlytics.com/.

Processing takes place in order to record and analyse errors. The information obtained is used to maintain and improve our App. If personal data is processed in this regard, this is necessary to uphold our overriding legitimate interests (Art. 6 (1f) GDPR).

You can refuse data processing by Crashlytics by switching off collection and transmission of usage information and diagnosis data by Crashlytics in the App’s settings. This option is activated when the App is supplied. The analysis data processed and stored using Crashlytics is automatically erased after a specific period of time.

 

Registration and authentication

We use the "Auth0” authentication service (10900 NE 8th Street Suite 700, Bellevue, Washington 98004), to which we transmit images, cookies, e-mail, surname, password and IP address. The service ensures that the right person accesses your account. Data is processed in the USA, so Auth0 is certified under what is known as the “Privacy Shield” (www.privacyshield.gov). Further information can be found at https://auth0.com/privacy/.

If personal data is processed in this regard, this is necessary to uphold our overriding legitimate interests (Art. 6 (1f) GDPR).

 

Facebook authentication

You also have the option of logging in to the App via your Facebook account. By linking the App to your Facebook account, it is no longer necessary to input separate login data; this then takes place using your Facebook user data. In return, however, Facebook receives information about your use of the App.

In the process your browser establishes a connection to the respective social network, so data about your use of our website is shared with Facebook and stored on the corresponding servers. Facebook can publish data about your use of our site (e.g. share it with your friends, followers, etc.) and/or use this data for advertising purposes (targeted advertising, market research, etc.). Please therefore consult carefully Facebook’s data privacy policy that describes in greater detail the extent of the data processing that takes place. If you want to prevent this data being processed, we recommend that you do not log on to our site using a social network account.

Facebook processes data in the USA, so Facebook is certified under what is known as the “Privacy Shield” (www.privacyshield.gov). Further information can be found at https://www.facebook.com/privacy/explanation.

 

Hosting and backend infrastructure

We collaborate with Amazon Web Services (AWS) and mLab (Amazon.com, Inc.,2021 Seventh Ave, Seattle, Washington 98121) for hosting and backend infrastructure. These services provide a secure platform for cloud services and offer processing and database storage, and provide content and other functions. Amazon may process data in the USA, so Amazon is certified under what is known as the “Privacy Shield” (www.privacyshield.gov). Further information can be found at https://aws.amazon.com/privacy/.

If personal data is processed in this regard, this is necessary to uphold our overriding legitimate interests (Art. 6 (1f) GDPR).

 

Creation and management of backup copies

We collaborate with Amazon Glacier (Amazon.com, Inc.,2021 Seventh Ave, Seattle, Washington 98121) for creation and management of backup copies. Amazon Glacier is a Cloud storage service for long-term security and archiving of data. Amazon may process data in the USA, so Amazon is certified under what is known as the “Privacy Shield” (www.privacyshield.gov). Further information can be found at https://aws.amazon.com/privacy/.

If personal data is processed in this regard, this is necessary to uphold our overriding legitimate interests (Art. 6 (1f) GDPR).

 

Handling and processing payments

Our App gives you the option of making bookings. For this purpose your data is also supplied to our payments service provider. Payment is possible only via the stated online payments process. Our credit card payments are processed by Concardis GmbH, whose registered office is at Helfmann-Park 7, 65760 Eschborn, Germany. Please refer to www.concardis.com for further information. If personal data is processed in this regard, this is necessary for performance of a contract (Art. 6 (1a) GDPR).

 

4. Is data passed to other third parties?

We only pass your personal data to additional third parties if you have expressly consented to this, there is a statutory obligation, or it is necessary in order to assert our rights, in particular to enforce claims arising from a contract. Furthermore, we pass your data on to third parties if necessary, within the scope of use of the App, to provide the services you require, and to analyse your user behaviour as described above.

In this regard we would like to draw it to your attention that we use software solutions from "Salesforce" (see www.salesforce.com) within the scope of data processing. Salesforce provides online tools which its customers use to operate certain areas of their businesses. These include customer relationship management tools, customer service, participation in social networks, development of communities, data analysis, management of employees and platforms for creation of online applications. By providing these tools, Salesforce processes data transmitted to its services and/or processes this data on its customers’ instructions and in their name. We use Salesforce’s services, for example, to combine data collected by the App with other data collected by Zermatt Tourism and/or Zermatt Bergbahnen AG and to store them in a standardised database. Detailed information about Salesforce’s data privacy can be found under the following link: https://www.salesforce.com/company/privacy/

 

5. www.matterhornparadise.ch and www.zermatt.ch websites

For the sake of completeness, we would like to draw it to your attention that personal data may also be processed when you visit www.matterhornparadise.ch and www.zermatt.ch. We would therefore be grateful if you would also read carefully the data privacy policies on these websites.

 

6. For how long do we store data?

If you register on the Matterhorn App, we store your data for as long as your account exists and in accordance with our legal obligations. In principle, we do not permanently store purely technical data on App use. It is only stored for longer if we detect attacks on our website and/or the App and have to take appropriate action.

In the process, generally we store personal data only for as long as is necessary

  • to use the stated tracking and analysis services within the scope of our legitimate interests,
  • in order to implement services that you require, or to which you have given your consent, to the abovementioned extent;
  • in order to fulfil our statutory obligations.

We store data in connection with conclusion or fulfilment of a contract for longer, as prescribed by the statutory duties of retention, for example in invoicing and tax law regulations.  According to these regulations, commercial communications, completed contracts and journal vouchers must be retained for up to 10 years. Fundamentally this data is blocked if we no longer need it to provide you with the services. This means that the data must then be used only for accounting and tax purposes.

 

7. Data security and confidentiality

We make use of appropriate technical and organisation security measures to protect your personal data that we store against manipulation, partial or complete loss, and against unauthorised third-party access. Our security measures are continually upgraded to the latest standards.

It is important that you always treat your payment information (especially credit card details) as confidential. We recommend closing your browser window if you have finished communicating with us, especially if use of a computer is shared with other people.

We also take internal company data protection very seriously. We oblige our employees and the service companies that we instruct to maintain confidentiality and comply with data protection law.

 

8. What are your rights?

You have the right to obtain free access to the personal data that we store about you on request. In addition, you have the right to rectification of inaccurate data and the right to erasure of your personal data, unless precluded by statutory duties of retention, or a legal justification that allows us to process the data. In accordance with Articles 18 and 21 GDPR, you also have the right to request restriction of data processing and to object to data processing. Furthermore, you have the right to request from us the data that you have furnished us (right to data portability). We will also forward the data to a third party of your choice on request. You have the right to receive the data in a commonly used format.

If data processing is based on your consent you can withdraw this consent at any time.

You can contact us for the abovementioned purposes at datenschutz@zermatt.swiss. You can also inform us what should happen to your data after your death, by giving us appropriate instructions. At our discretion we may request proof of identity in order to process your requests. If you contact us, we will endeavour to reply to you as quickly as possible and to take the desired steps.

If you are domiciled in an EU State, you have the right to lodge a complaint with a supervisory authority at any time.

 

Status: 07.12.2018