The Boas Group (Boas-Yakhin Holding SA and its subsidiaries) is the operator of the websites and is therefore responsible for the collection, processing and use of your personal data. The Boas Group is therefore responsible for the compliance of the data processing with the applicable data protection legislation.
Your trust is important to us, which is why we take data protection very seriously and ensure appropriate security. It goes without saying that we comply with the legal provisions of the Federal Data Protection Act (DPA), the Ordinance on the Federal Data Protection Act (FDPA), the Federal Telecommunications Act (FTA) and other data protection provisions of any applicable Swiss or EU legislation, in particular the General Data Protection Regulations (GDPR).
If you would like to find out what personal data (about you) we collect and for what purposes we use it, please read the information below carefully.
Our data protection department can be reached at the following address: privacy@boas.ch


I. Data processing in connection with our websites


1. Consultation of our websites


When you visit our sites, our servers temporarily record each access in a log file. The following technical data is then recorded, in principle as with any connection to a web server, without any intervention on your part and stored by us until it is automatically deleted after 12 months at the latest:
    - The IP address of the computer accessing the website,
    - the date and time of access,
    - the website from which you accessed our site (original URL) and possibly the search keywords used,
    - the name and URL of the file being viewed,
    - the status indicator (e.g. error message),
    - the name of the country,
    - the browser you are using (type, version and language),
    - the communication protocol used (e.g. HTTP/1.1)
The purpose of collecting and processing this data is to enable the use of our websites (establishment of a connection), to guarantee the long-term security and stability of the system and to enable the optimisation of our online offer, as well as for internal statistical purposes. These processing operations are based on our legitimate interest in accordance with Art. 6 para. 1 let. f GDR.
In addition, the IP address is analysed together with other data for the purposes of recognition and defence in the event of attacks on the network infrastructure or other unauthorised or abusive use of the website, and may be used in legal proceedings for the purpose of identification and civil and criminal action against the user in question. Such processing is based on our legitimate interest under Art. 6 para. 1 let. f GDR.

2. Connection to third party websites


Our websites contain links to third party sites that may be of interest to you. By activating these links, you may leave our sites. The Boas Group has no control over the websites of third parties and cannot be held responsible for the content and operation of these websites. The risk or danger that may arise from the connection to or consultation of third party websites is solely the responsibility of the user.


3. Use of our contact form


You can use a form to contact us. To do so, the following information is mandatory:
    - first name and surname
    - home address
    - email address
    - message
We only use this data, as well as your telephone number (optional fields), in order to be able to respond to your contact request in the best and most personalised way possible. The processing of this data is therefore necessary for the execution of pre-contractual measures in accordance with Art. 6 para. 1 let. b GDR or is based on our legitimate interest in accordance with Art. 6 para. 1 let. f GDR, respectively.


4. Subscribe to our newsletter


You have the possibility, on our sites, to subscribe to our newsletter. To do so, you must register and provide the following data:
    - title
    - first and last name
    - email address
    - language
    - company
The above data are essential for data processing, but only the email address is mandatory (the other fields are optional) . We process this data exclusively in order to personalize the information and offers we send you and to better adapt them to your interests.
By registering, you consent to the processing of the data you have provided in this context, for the purpose of sending the newsletter to the address you have provided on a regular basis, but also for the statistical analysis of your user habits and the optimisation of the newsletter. This consent represents our legal basis for the processing of your email address in accordance with Art. 6 para. 1 let. a GDR. We are entitled to use third parties for the technical implementation of advertising campaigns and are entitled to pass on your data for this purpose (Chapter III section 5 below).
At the end of each newsletter you will find a link to unsubscribe at any time. When you unsubscribe, you can tell us the reason for doing so on a voluntary basis. Your personal data will be deleted after you unsubscribe.

5. Creating a Customer Account


To make reservations on our sites, you can place an order as a visitor or open a customer account. When you register for a customer account, the following data is obligatorily collected:
    - title
    - first and last name
    - home address
    - date of birth
    - contact number
    - email address
    - customer account password.
This data, together with other optional information (e.g. company name), is collected for the purpose of providing you with direct, password-protected access to your master data stored in our system. Here you can view your previous and current bookings or manage or change your personal data.
Your consent in accordance with Art. 6 para. 1 let. a GDR is the legal basis for data processing for this purpose.


6. Booking on the websites, by mail or by telephone


If you make reservations via our sites, by correspondence (email or mail) or by telephone, you will be asked for the following data for the execution of the contract:
    - title
    - first and last name
    - home address
    - date of birth
    - contact number
    - language
    - credit card information
    - email address
    - stay date
    - headcount
We use this data, as well as other optional information you provide (e.g. estimated time of arrival, motor vehicle license plate, preferences, remarks), only for the performance of the contract, unless otherwise stated in this Privacy Policy or you have given your separate consent. We will process this data in particular in order to enter your reservation in accordance with your request, to provide the booked services, to contact you in the event of uncertainties or problems, and to ensure that payment is made correctly.
The fulfilment of a contract in accordance with Art. 6 para. 1 let. b GDR is the legal basis for processing data for this purpose.

7. Cookies


Cookies help in many ways to make your visit to our sites simpler, more enjoyable and more useful. Cookies are files containing information that your web browser automatically saves on your computer's hard drive when you visit our sites. During your first visit to our websites, you will be asked to express yourself by authorising or not authorising cookies, via the banner cookie.
For example, we use cookies to temporarily store your selected services and information entered when you fill out a form on our sites so that you do not have to enter it a second time when you visit a subpage. In addition, cookies can also be used to identify you as a registered user following your registration on our sites. This saves you from having to log in again when you visit another subpage.
In rare cases, we may use cookies for test purposes via the Google Optimize service.
Most web browsers automatically accept cookies. However, you can set your browser to not store any cookies on your computer or to display a message each time you receive a new cookie. On the following pages you will find explanations on how to configure cookie processing for the most commonly used browsers:
    - Microsoft Windows Internet Explorer
    - Microsoft Windows Internet Explorer Mobile
    - Mozilla Firefox
    - Google Chrome for Desktop
    - Google Chrome for mobile
    - Apple Safari for desktop
    - Apple Safari for mobile
Disabling cookies may prevent you from using the full functionality of our sites.


II. Processing of data in connection with your stay


1. Data processing to meet legal obligations to inform


Concerning the Hotel Universe, when you arrive, we need the following information about you and the people accompanying you:
    - first name and surname
    - postal address and canton
    - date of birth
    - place of birth
    - nationality
    - official identity document and number
    - day of arrival and departure
    - room number
We collect this information in order to meet legal obligations to provide information arising in particular from police and hotel legislation. Insofar as we are obliged to do so according to the applicable provisions, we forward this information to the competent police authority.
We have a legitimate interest under Art. 6 para. 1 let. f GDR to fulfil the legal provisions.
Concerning the services related to thermal, fitness and aquarium-vivarium centres, we need the following information, in particular when establishing a subscription:
    - first name and surname
    - postal address and canton
    - date of birth
    - place of birth
    - nationality
    - official identity document and number
    - Photo
We collect this information in order to meet the legal obligations arising from the contract established at the time the subscription is created. This information also makes it possible to modify or block the subscription in the event of loss or theft of the subscriber's card, as well as to formally identify the owner of the subscription in question.
We have a legitimate interest under Art. 6 para. 1 let. f GPRD in complying with the legal provisions.

2. Entry of services provided


If you receive additional services during your stay (e.g. use of the mini bar, etc.), we will record the purpose of the service and the date on which you received it for billing purposes. The processing of this data is necessary for the execution of your contract with us in accordance with Art. 6 para. 1 let. b RGPD.


III. Storage and exchange of data with third parties


1. Monitoring tools


Google Analytics
In order to present our websites in an appropriate manner and to continuously optimise them, we use the Google Analytics audience analysis service. In this way, we create pseudonymised user profiles and use small text files stored on your computer ("cookies"). The information generated by the cookie about your use of these sites is transmitted to the servers of the providers of these services and stored and processed for us. Details of the data collected by the Google Analytics service can be viewed at support.google.com/analytics .
The information is used to analyse the use of the website, to compile reports on website activities and to provide other services relating to the use of the website and the use of the Internet for market research purposes and for the purpose of presenting the website appropriately. This information may also be passed on to third parties insofar as this is prescribed by law or insofar as third parties are commissioned to process this data.

The provider of Google Analytics is Google Inc, a company of the US-based holding company Alphabet Inc. Prior to the transmission of data to the provider, the IP address is abbreviated by activating IP anonymization ("anonymizeIP") on this website within the Member States of the European Union or in other States that have signed the Agreement on the European Economic Area. Google does not combine the anonymized IP address (transmitted by your browser) with other data within the scope of Google Analytics. In exceptional cases, the complete IP address is transmitted to a Google server in the USA and then abbreviated. In this case, we ensure through contractual guarantees that Google Inc. complies with a sufficient level of data protection. According to Google Inc. the IP address will not be combined with any other data concerning the user.
Further information on the web analytics service used can be found on the Google Analytics website. You can find out how you can prevent the processing of your data by the web analytics service at tools.google.com/dlpage/gaoptout.
Evaluation of newsletter usage
We use the email marketing services of third parties to send our newsletter. For this reason, our newsletter may include a web beacon (invisible GIF) or similar technical means. A web beacon is an invisible image called a monopixel (1x1) that is linked to the newsletter subscriber's user ID.
The use of this type of service makes it possible to evaluate whether emails containing our newsletter have been opened. In addition, it also makes it possible to detect and evaluate the clicks made by the newsletter recipient. We use this data for statistical purposes and to optimise the newsletter in terms of content and structure. This enables us to better tailor the information and offers in our newsletter to the interests of the respective recipient. The invisible GIF is deleted when you delete the newsletter.
If you would like more information, please visit https://mailchimp.com/legal/cookies .
To prevent tracking pixels from appearing in our newsletter, please configure your email so that your messages are not displayed in HTML.
Social Media Plug-Ins
The Social Media Plug-Ins described below are used on our websites. The plug-ins are disabled by default on our websites and therefore do not transmit any data. You can activate the plug-ins by clicking on the button of the relevant social network.
When these plug-ins are activated, your browser establishes a direct connection to the servers of the relevant social network as soon as you open one of the pages on our websites. The content of the plug-in is transmitted directly from the social network to your browser and integrated by it into the web page. With a single click you can deactivate the plug-ins again.

Further information can be found in the respective data protection declarations of Facebook, Twitter and Instagram.
Facebook/Instagram Social Plug-ins
Facebook Social Plug-Ins can be used on our websites to customize the entry page. We use the "LOVE" or "SHARE" button to do this. This is an offer from the American company Facebook Inc. 1601 S. California Ave, Palo Alto, CA 94304, USA.
Thanks to the integration of plug-ins, Facebook receives the information that your browser has accessed the corresponding page on our websites, even if you do not have a Facebook account or are not logged in to Facebook at that time. This information (including your IP address) is transmitted directly from your browser to a Facebook server in the United States for storage.
If you are logged in to Facebook, Facebook can directly associate your visit to our websites with your Facebook account. When you interact with the plug-ins, for example by using the "LOVE" or "SHARE" button, the corresponding information is directly transmitted to a Facebook server for storage. The information is also published on Facebook and visible to your Facebook friends.
Facebook may use this information for advertising, market research and to create appropriate Facebook Pages. For this purpose, usage, interest and relationship profiles are created on Facebook, for example to evaluate your use of our Sites in connection with Facebook advertisements, to inform other Facebook users of your activities on our Sites, and to provide other services related to Facebook usage.
If you do not want Facebook to attribute data collected through our websites to your Facebook account, you should log out of Facebook before visiting our websites.
For more information about the purpose and scope of this data collection, further processing and use of such data by Facebook, as well as your rights and settings options regarding privacy control, please refer to the Facebook Privacy Statement.
Twitter Social Plug-ins
Our websites can integrate plug-ins from the SMS messaging network Twitter Inc, 795 Folsom St., Suite 600, San Francisco, CA 94107, USA.
The Twitter plug-ins (Tweet button) can be recognized by the Twitter logo on our pages. As long as you have activated the Social Plugins, a direct connection is established between your browser and the Twitter server. Twitter thus receives the information that you have visited our sites with your IP address. If you click on Twitter's "Tweet button" while logged into your Twitter account, you can connect the contents of our pages to your Twitter profile. In this way, Twitter can associate the visit to our pages with your user account. We would like to point out that our company, as the provider of the pages concerned, does not receive any information about the content of the data transmitted and its use by Twitter.

You can find further information on this subject in the Twitter data protection declaration.
If you do not want Twitter to be able to link visits to our pages to your account, please log out of your Twitter user account.
Re-Targeting
We potentially use Re-Targeting technologies for our websites. As such, your user habits are analysed so that we can also offer you personalised advertisements on our partners' websites. Your user habits are entered pseudonymously.
The most important re-targeting technologies use cookies.
Our websites may use Google AdWords Remarketing, a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043,USA ("Google") to place ads based on previously visited websites.
Google will use this information to analyse your use of the website and to help it to select the advertisements to be placed, to compile reports on website activity and advertisements for the website owner, and to provide other services relating to your use of the website and your browsing habits. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, Google will under no circumstances associate your IP address with other Google data.
In addition, we use Google Tag Manager to administer the services associated with the placement of ads based on user habits. The Tag Manager itself is a cookie-free domain and does not collect any personal data. Rather, the tool ensures the activation of other tags which in turn collect data in certain circumstances. When you have undertaken a deactivation at the domain or cookie level, this remains valid for all tracking tags implemented with Google Tag Manager.
You can prevent Re-Targeting at any time by refusing or disabling the relevant cookies in the menu bar of your web browser.


2. Reservation Platforms


If you make reservations via a third party platform, the operator of the platform in question sends us various personal information. In principle, this is the data indicated in Chapter I Section 6 of this Privacy Policy. In addition, we may also receive requests concerning your reservation. In particular, we process this data in order to record your booking in accordance with your request and to provide the booked services. The legal basis for processing data for this purpose is the fulfilment of a contract in accordance with Art. 6 para. 1 let. b GDR.
Finally, the operators of the platforms inform us of potential disputes in connection with a booking. They also provide us with data on the booking process, for which a copy of the booking confirmation can be used as proof of the actual closing of the booking. We process this data for the protection and observance of our rights.

For these treatments we rely on our legitimate interest in accordance with Art. 6 para. 1 let. f GPRD.
Please also take note of the privacy policies of the respective providers.


3. Storage and linking of data


We record the data indicated in Chapter I sections 3-6, Chapter II sections 1-2 and Chapter III section 2 in an electronic data processing system. Your data is then systematically collected and combined for the purpose of processing your bookings and the execution of the contractual services. The processing of this data is based on our legitimate interest in accordance with Art. 6 para. 1 let. f GDR.


4. Retention period


We only store personal data for as long as is necessary for the use of the above-mentioned monitoring services and for further processing based on our legitimate interest. We store contract data for a longer period of time if this is prescribed by legal retention obligations. The retention obligations that oblige us to retain data derive from the provisions on the right to notify the authorities, financial accounting and tax law. In accordance with these provisions, business communications, concluded contracts and accounting records must be retained for up to 10 years. Insofar as we no longer need this data for the performance of services, it will be blocked. This means that this data may only be used for accounting and tax purposes.


5. Passing on data to third parties


We only pass on your personal data if you have expressly consented to this, if we are under a legal obligation to do so or if this is necessary to enforce our rights, in particular to enforce our rights arising from the contractual relationship. Furthermore, we pass on your data to third parties insofar as this is necessary for the use of the websites and the execution of the contract (including outside the websites), in particular for the processing of your bookings.
Our web host, Infomaniak, is a service provider who has access or may have access to personal data collected via the websites. The websites are hosted on servers in Switzerland. The purpose of data transmission is to provide and maintain the functionalities of our sites. This processing is based on our legitimate interest in accordance with Art. 6 para. 1 let. f GDR.
Finally, we transmit your credit card information to the issuer and acquirer of your credit card when you pay by credit card on our sites. If you choose to pay by credit card, you must enter all the necessary information. The legal basis for the transmission of data is the fulfilment of a contract in accordance with Art. 6 para. 1 let. b GDSG. Regarding the processing of your credit card information by these third parties, please also read the general terms and conditions as well as the privacy policy of your credit card issuer.

Please also note the information in Chapter II, Section 1 and Chapter III, Sections 1-3 regarding the transfer of data to third parties.


6. Transmission of personal data abroad


We are also entitled to pass on your personal data to third party companies (commissioned service providers) abroad for the data processing specified in this privacy policy. These companies are subject to the same level of data protection as we are. If the level of data protection in a given country does not correspond to the Swiss or European level, we ensure by contract that the protection of your personal data corresponds to that of Switzerland or the EU.


IV. Further information


1. Right to information, rectification, erasure and restriction of processing; right to portability of data.


You have the right to obtain, on request, information about the personal data we store about you. Furthermore, you have the right to correct incorrect data and to have your personal data deleted, provided that there is no legal obligation to retain the data or no legal basis for us to process the data.
You also have the right to demand the return of the data that you have transmitted to us (right to data portability). On request, we will also pass on the data to a third party of your choice. You have the right to obtain the data in a standard format.
You can contact us for the above-mentioned purposes at the following email address privacy@boas.ch. We may ask you for proof of identity in order to process your requests.


2. Data security


We use appropriate technical and organisational security measures to protect the personal data we store about you against manipulation, partial or total loss and against unauthorised access by third parties. Our security measures are constantly improved in line with technological progress.
You should always keep your access data confidential and close the browser window when you have finished communicating with us, especially if you are not the only person using the computer.
We also take data protection within our company very seriously. Our employees and the service providers we commission are subject to secrecy and to compliance with the legal provisions on data protection.


3. Note on data transfers to the USA


For the sake of completeness, we would like to inform users whose domicile or registered office is in Switzerland that the United States is subject to surveillance measures by the US authorities. These generally allow the recording of all personal data of persons whose data has been transmitted from Switzerland to the USA. This is done without any differentiation, limitation or exception based on the purpose and without any objective criteria to limit the access of the US authorities to the data and their further use. Furthermore, we would like to inform you that in the United States there is no legal recourse for data subjects from Switzerland to access, correct or delete your data, nor is there effective judicial protection against general access rights of the US authorities. We explicitly draw the data subject's attention to this legal and factual situation so that he or she can make an informed decision about consenting to the use of such data.

Users domiciled in an EU Member State are informed that, according to the EU, the US - in particular due to the issues discussed in this section - does not have a sufficient level of data protection. Insofar as we have explained in this privacy policy that certain data recipients (e.g. Google) are based in the USA, we will ensure either by means of contractual arrangements with these companies or by means of their certification according to the EU-US or Swiss-US Privacy Shield that your data are afforded a reasonable level of protection by our partners.


Last update: 23.05.2018