Data Protection Policy

Data protection has a high priority at Zürich Tourism. With this privacy policy, we inform you which personal data we process in connection with our activities and operations.

We naturally comply with the legal provisions of the Federal Act on Data Protection ("FADP"), the Data Protection Ordinance ("DPO") and, where applicable, other data protection provisions, in particular the General Data Protection Regulation ("GDPR") of the European Union.

1. Content of this Privacy Policy

Zürich Tourism (hereinafter "we") is an association based in Switzerland, Gessnerallee 3, 8001 Zürich, registered in the Commercial Register of the Canton of Zürich under number CHE-105.846.358.

This privacy policy applies to the digital offerings of Zürich Tourism, which are accessible under the domain name ➡ www.zuerich.com and its subdomains, as well as for the iOS and Android application "Zürich City Guide App" (hereinafter "our websites").

2. Controller

For the data processing described in this privacy policy, Zürich Tourism is the data controller under data protection law. We will indicate if there are other controllers for the processing of personal data in individual cases.

If you have questions about data protection, if you want information or if you want to request the deletion of your personal data, please contact us in writing at the following address:

Zürich Tourism
Gessnerallee 3
CH - 8001 Zürich
+41 44 215 40 00
datenschutz@zuerich.com

3. Data Protection Representative

You can reach our EU Data Protection Representative at:

MLL EU-GDPR GmbH
Ganghoferstrasse 33
DE – 80339 München

4. Your Data - Your Rights

The following rights are available to you with regard to your data, provided the legal requirements are met. You can exercise them at any time.

• Right of access: You have the right to request free access at any time to your personal data stored by us if we process it. This gives you the opportunity to check which personal data we process about you and that we use it in accordance with the applicable data protection regulations.
• Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In this case, we will inform the recipients of the affected data about the adjustments made, unless this is impossible or involves disproportionate effort.
• Right to erasure: You have the right to have your personal data erased, provided this is compatible with other legal obligations. In particular, in the case of legal retention obligations, the right to erasure may be excluded. In this case, the erasure may be replaced by a restriction of processing under certain conditions.
• Right to restriction of processing: Under certain conditions, you have the right to request that the processing of your personal data be restricted.
• Right to data portability: You have the right to receive from us free of charge the personal data you have provided to us in a readable format.
• Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a competent supervisory authority regarding the manner in which your personal data is processed.
• Right to withdraw consent: You generally have the right to withdraw consent given at any time. However, your withdrawal does not make processing activities based on your consent in the past unlawful.
• Right to object: You have the right to object to the processing of your data, in particular for direct marketing purposes, profiling carried out for direct marketing purposes, and other overriding interests in processing.

5. Retention Periods

We store personal data only as long as necessary to carry out the processing explained in this privacy policy as part of our legitimate interest or according to your consent.

Please note that special legal retention periods may apply to certain data. This data must be stored by us until the end of the retention period. According to these regulations, business communications, concluded contracts and accounting documents must be retained for up to 10 years. We block such data in our system and use it exclusively to fulfil our legal obligations or to defend and enforce our legal interests. Deletion of the data takes place as soon as there is no longer any retention obligation or overriding interest in retention.

6. Data Security

We protect your personal data through appropriate security measures. We follow the appropriate technical and organizational measures required by Swiss and European data protection legislation to protect personal data against loss and unlawful processing. Nevertheless, it is not possible to guarantee the absolute security of personal data. In this context, please also note that data transmitted via an open network such as the Internet or an email service can potentially be intercepted and read by unauthorized persons. We cannot guarantee the confidentiality of messages or content shared via these networks.

We also take internal data protection very seriously. Our employees and the service companies we commission are obliged by us to maintain confidentiality and comply with data protection.

7. Disclosure of Data to Third Parties

Without the support of other companies, we could not provide our products and services in the desired form. In order for us to use the services of these companies, it is necessary to a certain extent to disclose your personal data to these companies. Disclosure is made to selected third-party service providers and only to the extent necessary for the optimal provision of our services.

Various third-party service providers are explicitly mentioned in this privacy policy and in our cookie banner in the respective sections, such as regarding chat functions or surveys.

Furthermore, for the use and management of our infrastructure and the exercise of internal functions, recourse to service providers is indispensable, and therefore third parties may have access to your data to the extent necessary for the use of the services, such as software solution providers (e.g., for word processing or email sending), IT service providers (e.g., hosting providers, telecommunications providers such as Internet access services), agencies (e.g., in the field of marketing), or security services. A list of third-party service providers with potential access to certain personal data can be found in Section 10 of this privacy policy. The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in using third-party services.

In addition, your data may be disclosed, in particular to authorities, legal advisors, or collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to conduct due diligence or to complete the transaction.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in protecting our rights and complying with our obligations or the sale of our company or shares thereof.

It may be that the data recipients mentioned in this privacy policy want to use certain data for their own purposes (e.g., for statistical analyses for product optimization or disclosure to third parties such as authorities based on national legal regulations). For this data processing, these companies are data controllers and must ensure compliance with data protection laws in connection with this data processing. Information about this data processing can be found in their privacy policies.

8. Transfer of Personal Data Abroad

We may transfer your data to third parties located abroad for the purposes of the data processing described in this privacy policy.

Please refer in particular to the respective sections of this privacy policy and the information in our cookie banner. The legal provisions on the disclosure of personal data to third parties are naturally observed. The countries to which data is transferred include those that, according to decisions by the Federal Council and the EU Commission, have an adequate level of data protection (such as the member states of the EEA or, from the EU's perspective, Switzerland), but also those countries (such as the USA) whose level of data protection is not considered adequate (see Annex 1 of the Data Protection Ordinance (DPO) and the EU Commission website (Link: https://commission.europa.eu/law/law-topic/data-protection/internationa…).

If the country in question does not have an adequate level of data protection, we ensure, unless otherwise stated in individual cases or you have separately consented to it, through appropriate guarantees that your data is adequately protected at these companies. These are, unless otherwise stated, the selection of companies certified under the Privacy Framework Agreement (Link: https://www.dataprivacyframework.gov/s/) or standard contractual clauses that can be accessed on the websites of the Federal Data Protection and Information Commissioner (FDPIC) (Link: https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/arbeit_wirtschaft/…) and the EU Commission. If you have questions about the measures taken, please contact our data protection contact person. 

9. Notes on Data Transfers to the USA

Some of the third-party service providers mentioned in this privacy policy are based in the USA. For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland or the EU that surveillance measures by US authorities exist in the USA, which generally enable the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This takes place without differentiation, limitation, or exception based on the pursued objective and without an objective criterion that makes it possible to limit the access of US authorities to the data and their subsequent use to very specific, strictly limited purposes that can justify the interference associated with both the access to this data and its use. Furthermore, we point out that in the USA there are no legal remedies or effective judicial protection for data subjects from Switzerland or the EU against general access rights of US authorities that allow them to obtain access to data concerning them and to obtain their rectification or erasure. We explicitly point out this legal and factual situation to enable you to make an appropriately informed decision to consent to or object to the use of your data.

We also point out to users residing in Switzerland or an EU member state that the USA, from the perspective of the European Union and Switzerland – among other things due to the statements made in this section – does not have a sufficient level of data protection. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure through the selection of companies certified under the Privacy Framework Agreement (➡ Link: https://www.dataprivacyframework.gov/s/) or contractual arrangements with these companies and, if necessary, additional appropriate guarantees that your data is adequately protected at our third-party service providers.

10. Central Storage and xRM Data Processing

We store the personal data covered by and mentioned in these privacy provisions, i.e., in particular your personal details, your contact requests, your contract data, and your browsing behaviour in a central electronic data processing system.

For this purpose, we use the marketing automation system Microsoft Dynamics 365 of Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA), which may enable Microsoft to access your data and an associated transfer of data to the USA if this is necessary for the provision of the software and for support in using the software. Microsoft is certified under the Privacy Framework Agreement (https://www.dataprivacyframework.gov/). Information on the processing of data by third parties and the transfer abroad, especially to the USA, can be found in Sections 7-9 of this privacy policy. Further information on data protection at Microsoft can be found in Microsoft's privacy policy at the link (https://privacy.microsoft.com/de-de/privacystatement).

The use of Microsoft Dynamics 365 serves the efficient management of customer data, allows us to adequately handle your concerns, and enables the efficient provision of the services you desire and the processing of the associated contracts. This processing is based on our legitimate interest within the meaning of Art. 31 Para. 2 FADP for customer-friendly and efficient management of customer data.

We use Microsoft Dynamics 365 to carry out marketing activities, for analytical purposes, and for target group-specific addressing of (potential) customers and to display interest-based content.

We further evaluate this data to develop our products and services according to needs and to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future orders based on your use of our website. Part of these analyses may also be assessed as profiling (with or without high risk).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in conducting marketing activities.

For the setup and operation of our xRM software, we use the services of ORBIS Schweiz AG (https://www.orbisag.ch/), Neuhofstrasse 24, 6340 Baar, Switzerland, which is why ORBIS Schweiz AG may also have access to personal data if this is necessary for the provision of services. Information on the processing of data by third parties and the transfer abroad, especially to the USA, can be found in Sections 7-9 of this privacy policy. Further information on data protection at ORBIS Schweiz AG can be found in the privacy policy of ORBIS Schweiz AG at the link (Link: https://www.orbisag.ch/datenschutz.html).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in using third-party services.

Regarding email marketing, we refer to the following section. Furthermore, when using Microsoft Dynamics 365, cookies are used, which we provide more information about in our cookie banner.

11. Email Marketing

If you register for our email newsletter, various data is collected from you. The mandatory information in the registration form is marked accordingly.

The following data is usually collected:

• First and last name
• Email address
• Language

Additionally, you can voluntarily provide us with the following data:

• Salutation
• Country
• Date of birth
• Interests

By expressly registering for the newsletter, you give us your consent to use the personal data you have provided for advertising purposes and to send you emails with personalized advertising content. The emails may also include invitations to participate in competitions or surveys, to provide feedback, or to rate our products and services. In addition to your email address, we collect further data to link the registration with other data, e.g., from orders, and thereby personalize the content of marketing emails and make content more relevant to you, e.g., to send you the newsletter (where possible) in your language and to provide topics tailored to your country and age.

To prevent abuse and to ensure that the owner of an email address has given consent themselves, we use the so-called double opt-in for registration. After submitting the registration, you will receive an email from us containing a confirmation link. To definitively register for the newsletter, you must click this link. If you do not click on the confirmation link within the specified period, your data will be deleted again, and our newsletter will not be sent to this address.

Your consent constitutes the legal basis for processing the data within the meaning of Art. 31 Para. 1 FADP. You have the option to unsubscribe from the newsletter at any time by clicking the corresponding link in the newsletter and thereby withdraw your consent. After unsubscribing, your personal data will be deleted.

Our marketing emails may contain a so-called web beacon or 1x1 pixel (tracking pixel) or similar technical aids. A web beacon is an invisible graphic linked to the user ID of the respective newsletter subscriber. For each marketing email sent, we receive information about which addresses have not yet received the email, to which addresses it was sent, and for which addresses sending failed. It also shows which addresses opened the email and for how long and which links they clicked on. Finally, we also receive information about which addresses have unsubscribed. We use this data for statistical purposes and to optimize the advertising emails with regard to frequency, timing, structure, and content of the emails. This way, we can better tailor the information and offers in our emails to the individual interests of the recipients.

By registering for the newsletter, you also consent to the statistical evaluation of user behaviour for the purpose of optimizing and adapting the newsletter. This consent constitutes our legal basis for processing the data within the meaning of Art. 31 Para. 1 FADP. The web beacon is deleted when you delete the email. To prevent the use of the web beacon in our marketing emails and thereby withdraw your consent, please set the parameters of your email program so that HTML is not displayed in messages, if this is not already the default setting. In the help sections of your email software, you will find information on how to configure this setting.

For email marketing, we use the software from Microsoft Dynamics 365 for Marketing (see Section 10). Therefore, your data may be stored in a Microsoft database, which may enable Microsoft to access your data if this is necessary for the provision of the software and for support in using the software. Information on the processing of data by third parties and the transfer abroad, especially to the USA, can be found in Sections 7-9 of this privacy policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in using the services of third-party providers.

12. Contact

If you contact us via our contact addresses and channels (e.g., by email, telephone, or contact form), your personal data will be processed. The data you have provided to us will be processed and stored. Which data is collected in the case of a contact form is evident from the respective form, e.g., your message/inquiry (such as event inquiry, publication, first and last name, company, etc.).

We process this data exclusively to implement your request (e.g., providing information, responding to an event inquiry, incorporating your feedback into improving our products and services, etc.).

Please note the following regarding event inquiries: If event inquiries are made for an event at one of our partners, your inquiry will be forwarded directly to the partner and processed further by them.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in implementing your request or, if your inquiry is directed at concluding or processing a contract, the necessity for carrying out the required contractual measures.

You are responsible for the communications and/or content you submit to us. We recommend that you do not submit any confidential data. 

13. Log File Data

When visiting our digital offerings – even without registration and login – our servers temporarily store each access in a log file. The following data is collected without your intervention and stored by us until automated deletion, at the latest after 24 months:

• IP address
• Name of the Internet access provider
• Date and time of access
• Name and URL of the retrieved file
• Page and address of the website from which you were redirected to the websites (referrer) and, if applicable, the search term used
• Country, region, or city from which access occurs
• Operating system and browser used (provider, version, and language)
• Transfer protocol

The collection and processing of this data is carried out for the purpose of enabling the use of our websites (connection establishment), permanently ensuring system security and stability, and optimizing our offering based on statistical evaluations.

Only in the event of an attack on the network infrastructure of the website or app or in case of suspicion of other unauthorized or abusive website/app use will the IP address be evaluated for clarification and defence and, if necessary, used within the framework of criminal proceedings to identify and take civil and criminal action against the relevant users.

In the purposes described above lies our legitimate interest in data processing within the meaning of Art. 31 Para. 2 FADP and thus the legal basis for data processing.

For the operation of our website, we rely on the services of our hosting provider: Platform.sh GmbH, Koblenzer Str. 11, 50968 Cologne, Germany, and Content Delivery Network (CDN) provider: Fastly, Inc., PO Box 78266, San Francisco, CA 94107, USA. While Platform.sh provides us with web servers and makes our website available for retrieval, Fastly ensures that the retrieval of our website, especially larger content, is optimally distributed across various servers ("performance optimization"). Both result in the aforementioned data being transmitted to the two providers.

Therefore, your data may be stored in a database of Platform.sh or Fastly, which may enable Platform.sh or Fastly to access your data if this is necessary for the provision of the software and for support in using the software.

Information on the processing of data by third parties and any transfer abroad can be found in Sections 7 and 8 of this privacy policy. Further information on data processing in connection with Platform.sh can be found at https://platform.sh/ and with Fastly at https://www.fastly.com/de/. The legal basis for this processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in using the services of third-party providers.

14. Cookies

Cookies are information files that your web browser stores on the hard drive or memory of your computer when you visit our website. Cookies are assigned identification numbers through which your browser is identified and the information contained in the cookie can be read.

Cookies help, among other things, to make your visit to our website easier, more pleasant, and more meaningful. We use cookies for various purposes that are necessary for your desired use of the website, i.e., "technically necessary." For example, we use cookies to provide website elements such as the ordering function, so that your entries when filling out a form on the website are temporarily saved so that you do not have to repeat the entry when calling up another subpage. Furthermore, cookies also take over other technical functions necessary for the operation of the website, such as so-called load balancing, i.e., the distribution of the performance load of the page across different web servers to relieve the servers. Cookies are also used for security purposes, e.g., to prevent the unauthorized posting of content. Finally, we also use cookies in the design and programming of our website, e.g., to enable the uploading of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in providing a user-friendly and contemporary website.

When accessing our digital offerings, we ask for your consent to the technically non-essential cookies we use, especially when using cookies from third-party providers for marketing purposes. The legal basis for this data processing is your consent within the meaning of Art. 31 Para. 1 FADP. Via the corresponding buttons in the cookie banner or via the link in the footer, you can make the desired settings, adjust them at any time, and withdraw your consent.

When using cookies, data may be transferred to third-party providers in potentially all countries of the world, especially in countries without adequate data protection such as the USA. In addition to the information in the cookie banner, please also note the sections on the processing of data by third parties and the transfer abroad in Sections 7-9 of this privacy policy.

You can also configure your browser so that no cookies are stored on your computer or a notice always appears when you receive a new cookie. However, the deletion or blocking of cookies may restrict the usability of the website.

Information on managing cookies can be found in the help functions of your respective browser.

15. Tracking and Web Analysis Tools

For the purpose of needs-based design and continuous optimization of our website, we use web analytics services. In this context, pseudonymized usage profiles are created and cookies are used. Details on the processed data and providers are contained in our cookie banner. Please also note the section on cookies (Section 14) in this privacy policy. The providers will evaluate the use of the website for us to compile reports on website activities and to provide other services related to website use and Internet use for market research purposes and needs-based website design. Part of the data processing may also be assessed as profiling (with or without high risk), which is also covered by your consent. For this processing, we and the providers may be considered jointly responsible controllers under data protection law to a certain extent.

16. Online Advertising and Targeting

We use services from various companies to present you with interesting offers online. In doing so, your user behaviour on our website and websites of other providers is analysed, possibly across devices, in order to subsequently display online advertising individually tailored to you. Details on the processed data and providers are contained in our cookie banner. Please also note the section on cookies (Section 14) in this privacy policy. We and our service providers use the data to identify whether you belong to the target group we are addressing and take this into account when selecting the advertisements. For example, after you have visited our site, when you visit other sites, you may be shown advertisements for the products or services you consulted ("re-targeting"). Depending on the scope of the data, a user profile may also be created that is automatically evaluated, and the advertisements are selected according to the information stored in the profile, such as membership in certain demographic segments or potential interests or behaviours. Such advertisements can be presented to you on various channels, which in addition to our website or apps also include advertisements mediated via the online advertising networks we use, such as Google.

The data on user behaviour also reaches those involved in the advertising networks, especially their operators. In certain campaigns, the data is also transmitted to our partner companies. The data can then be evaluated for the purpose of billing with the service provider as well as for assessing the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. This may also include the information that the performance of an action (e.g., visiting certain sections of our website or submitting information) is attributable to a specific advertisement. Furthermore, we receive aggregated reports from service providers on advertising activities and information about how users interact with our website and our advertisements. Part of the data processing may also be assessed as profiling (with or without high risk), which is also covered by your consent.

17. Social Media Plugins

We use social media plugins to make it easier for you to share content from our website. The social media plugins help us increase the visibility of our content in social networks and thus contribute to better marketing. Details on the processed data and providers are contained in our cookie banner. Please also note the section on cookies (Section 14) in this privacy policy. If you give us your consent via the banner or by clicking the buttons of the plugins, the content of the plugin is transmitted directly from the social network to your browser and integrated into the website by it. We have no influence on the scope of data that the provider collects with the plugin, although we may be considered jointly responsible with the providers under data protection law to a certain extent. They may publish your data (e.g., that you like a product or service from us) on the social network and possibly make it available to other users of the social network. The provider of the social network may use this information to display advertising and design its offering according to needs. Part of the data processing may also be assessed as profiling (with or without high risk), which is also covered by your consent. If you do not want the provider of the social network to associate the data collected via our web presence with your user account, you must log out of the social network before activating the plugins.

18. Links to Our Social Media Presence

On our websites, we have set up links to our social media presence on the following social networks:

If you click on the corresponding symbols of the social networks, you will be automatically redirected to our profile on the corresponding social network. To use the functions of the respective network there, you must partially log in to your user account for the respective network.

If you open a link to one of our social media profiles, a direct connection is established between your browser and the server of the relevant social network. As a result, the network receives, in particular, the data described in the section on log files (Section 13), i.e., especially the information that you visited our website with your IP address and accessed the link. If you access a link to a network while you are logged into your account on the relevant network, the content of our page can be linked to your network profile, i.e., the network can directly link your visit to our website with your user account. The respective provider is the data controller for the associated data processing. Please therefore note the privacy notices on the network's website.

The legal basis for data processing that may be attributed to us is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in using and promoting our social media profiles.

If you want to prevent this, you should log out before clicking on the corresponding links. An association occurs in any case if you log into the relevant network after clicking the link.

We currently use the following social media management software:

• Hootsuite: The data made available to us by the social media networks is processed at our end in the social media management software "Hootsuite" from Hootsuite Inc., 5 East 8th Avenue, Vancouver, V5T 1R6, Canada.
• Crowdriff: We use Crowdriff, a service of CrowdRiff Inc, 116 Spadina Ave., Suite 600 Toronto, ON M5V 1V6, Canada.
• Iconosquare: The data made available to us by the social media networks is processed in the social media analysis and management software "Iconosquare" from ICONOSQUARE GmbH, Skalitzer Str. 104, 10997 Berlin, Germany.
• influData: We use influData, an influencer marketing and analysis service from weCreate Data GmbH, Obere Augartenstrasse 2/24, 1020 Vienna, Austria. This involves processing data from social media networks.

19. Use of Artificial Intelligence

We use artificial intelligence (AI) in certain areas to support our digital offerings and make processes more efficient.

The use of AI can be associated with particular risks and uncertainties. Therefore, we have internal guidelines as well as technical and organizational measures to ensure legally, ethically, and data protection-compliant handling of AI. If an AI we deploy interacts directly with users, we indicate this transparently.

19.1 Chat Function: AI-Concierge from Goodguys GmbH

To provide a modern chat function, we use the AI-Concierge from Goodguys GmbH (Moeringgasse 20/1, Door 2, 1150 Vienna). This is an artificial intelligence (AI) from Austria that finds answers to your questions from the content of our websites together with publicly available content.

Personal data arising in the context of the chats is processed exclusively on servers of the Austrian data processor of Goodguys GmbH. This data includes the data transmitted by users, users' IP addresses, and a session ID to distinguish the chat history of different users. This data is deleted at the end of the chat session and can then no longer be assigned to individual users. Inquiry content is stored and can be used for function control and further development of chat functions. Furthermore, when using the chat function, cookies are used, which we provide more information about in our cookie banner.

To formulate the answers of the AI-Concierge, parts of the inquiries are also forwarded to servers of Google and OpenAI. The data transmitted to these providers do not contain any parameters that would enable Google or OpenAI to identify individual persons. This is therefore anonymous data. The assignment of answers to users is done exclusively by the IT systems of Goodguys GmbH.

However, it is not possible with technical means to filter out content that makes identification possible based on the data entered by the user themselves. Therefore, please be sure not to enter any information about yourself such as your name, email address, phone number, etc. in the chat window when using the chat.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in providing a contemporary online presence. When processing particularly sensitive personal data, we obtain your express consent.

Further information on AI-Concierge or Goodguys GmbH can be found in the privacy policy of Goodguys GmbH (Link: ➡ https://goodguys.ai/DSGVO-DSE-goodguys-v230.pdf). Please also note the information on the processing of data by third parties and the transfer abroad, especially to the USA, which can be found in Sections 7-9 of this privacy policy.

19.2 Chat Function: AI-based Local Guides (Joaia / Holoai AG)

To provide a modern chat function, we use the AI-Concierge from Goodguys GmbH (Moeringgasse 20/1, Door 2, 1150 Vienna). This is an artificial intelligence (AI) from Austria that finds answers to your questions from the content of our websites together with publicly available content.

Personal data arising in the context of the chats is processed exclusively on servers of the Austrian

To provide a modern chat function, we use AI-based Local Guides from Holoai AG (Schumacherstrasse 1, 6037 Root, Switzerland). This is an artificial intelligence that generates answers to tourism-relevant questions from the content we provide as well as other curated and controlled information sources.

Personal data arising in the context of the chats is processed exclusively on servers of Holoai AG in the EU region. This data includes the data transmitted by users, users' IP addresses, as well as a session ID or a user ID generated via cookies to distinguish the chat history of different users. Inquiry content is stored and can be used for function control, analysis, and further development of the chat function. Furthermore, when using the chat function, cookies are used, which we provide more information about in our cookie banner. If users expressly consent to location processing, location data may also be processed.

The assignment of answers to users is done exclusively via the IT systems of Holoai AG. Personal data is not sold. Data may be processed by commissioned service providers as data processors insofar as this is necessary for the operation, monitoring, or optimization of the chat function. All service providers process the data exclusively in the EU region.

It is not technically possible to filter out content that enables identification based on the data entered by users themselves. Therefore, please be sure not to enter any information about yourself such as your name, email address, or phone number in the chat window when using the chat function.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in providing a contemporary online presence. When processing particularly sensitive personal data, we obtain your express consent.

Further information on AI-based Local Guides from Holoai AG can be found in the privacy policy of Holoai AG (https://www.joaia.app/privacy-policy). Please also note the information on the processing of data by third parties and the transfer abroad, especially to the USA, which can be found in Sections 7-9 of this privacy policy.

20. Registration for a Customer Account

If you open a customer account on our digital channels, we collect the following data:

• Salutation
• First and last name
• Company
• Position
• Country
• Language
• Email address

In the course of using the customer account, you can store additional optional information in your account for a simplified and personalized user experience, e.g.:

• Date of birth
• Travel dates
• Type of travel
• Fellow traveller
• Interests / preferences
• Payment information

The mandatory information is marked in the corresponding form.

We need the mentioned data for the processing and administration of our website, to check the entered data for plausibility, i.e., to establish, substantively design, process, and modify the contractual relationships concluded with you via your user account. The email address and password together form the login credentials. Your data in the customer account can be viewed and changed at any time.

To prevent abuse, you must always treat your login credentials confidentially and should close the browser window when you have finished communicating with us, especially if you share the computer with others.

The legal basis for processing your data for the aforementioned purpose is your consent pursuant to Art. 31 Para. 1 FADP. You can withdraw your consent at any time by removing the information from the customer account or deleting your customer account or by notifying us to have it deleted.

21. Bookings or Reservations on the Website and Apps

On our website, there are various options to make bookings or reservations or to request other services. The respective services are each provided by third parties.

Those entries that are necessary for the smooth booking process are marked accordingly as mandatory entries. Entering other information is optional and has no impact on the use of our websites and apps or on the booking you have made.

The following data is usually collected:

• Salutation
• First and last name
• Date of birth
• Address
• Countr
• Language
• Email address
• Phone number
• Travel dates
• Payment information

In the app, you also have the option to record additional travellers with their first and last name as well as date of birth for the booking. If you are logged in, this data is stored in your profile (discover.swiss). Alternatively, the storage is done locally at Zürich Tourism.

The data you have entered is – depending on the type of service booked – either collected directly by the relevant provider or forwarded to them by us for certain offers. In the case of forwarding, the privacy policies of the respective provider apply.

The booking platforms are operated by the following companies, or we engage them for service processing:

• Switzerland Travel Center, Binzstrasse 38, 8045 Zürich, Schweiz. The privacy policy can be found at the following link.
  ➡ https://switzerlandtravelcentre.com/en-ch/privacy-policy
• TouristDataShop AG, Rue du Midi 3, 1860 Aigle, Schweiz. The privacy policy can be found at the following link.
  ➡ https://touristdatashop.ch/de/imprint.html
• Genossenschaft discover.swiss, Schaffhauserstrasse 14, 8006 Zürich, Schweiz. The privacy policy can be found at the following link.
  ➡ https://discover.swiss
• Liip AG, Limmatstrasse 183, 8005 Zürich, Schweiz. The privacy policy can be found at the following link.
  ➡ https://www.liip.ch/en/privacy-policy
• Binarium GmbH, Erlachstrasse 22, 8003 Zürich, Schweiz. The privacy policy can be found at the following link.
  ➡ https://www.binarium.ch/imprint
• Idea Creation GmbH, Walchestrasse 15, 8006 Zürich, Schweiz. The privacy policy can be found at the following link.
  ➡ https://www.e-guma.ch/en/data-privacy/

Unless stated otherwise in this privacy policy or you have not separately consented to it, we will use and in particular forward the aforementioned data to deliver the services you desire and provide the desired functionalities, process your orders, and ensure correct payment. Regarding the processing of your credit card information and its disclosure, please see Section 22 below.

The legal basis for data processing is therefore the performance of a contract pursuant to Art. 31 Para. 2 lit. a FADP.

22. Digital Payment Solution

If you make paid bookings on our website, depending on the service and desired payment method, the provision of further data is required, such as your credit card information or login at your payment service provider. This information as well as the fact that you have purchased a service from us for the relevant amount and time are forwarded to the respective payment service providers (e.g., providers of payment solutions, credit card issuers, and credit card acquirers). The legal basis for this transmission is the performance of a contract pursuant to Art. 31 Para. 2 lit. a FADP.

We only use payment service providers where adequate data protection is guaranteed. We use the following payment service providers:

• Stripe, 185 Berry Street, Suite 550, San Francisco, CA 94107, USA. The privacy policy can be found at the following link.
  ➡ https://stripe.com/gb/privacy
• Datatrans, Kreuzbühlstrasse 26, 8008 Zürich, Schweiz. The privacy policy can be found at the following link.
  ➡ https://datatrans.weareplanet.com/

For the further processing of data, please note the information of the respective company, in particular the privacy policy and the general terms and conditions. Please also note the information on the processing of data by third parties and the transfer abroad, especially to the USA, which can be found in Sections 7-9 of this privacy policy.

23. Contractual Services

We process the data of our contractual partners and clients to provide them with our contractual or pre-contractual services. The data processed, the type, scope, and purpose, and the necessity of their processing are determined by the underlying contractual relationship.

The data processed includes personal details, contact, contract, and payment data. We use your personal details to establish your identity before concluding a contract. We need your contact details to confirm your order and for future communication with you necessary for contract processing. We store your data together with the peripheral data of the order (e.g., time, order number, etc.), the data on the ordered services (e.g., description, price, and characteristics of the product; product data), the payment data (e.g., selected payment method, confirmation of payment and time; see also Section 22), as well as information on the processing and fulfillment of the contract (e.g., return of products, use of service or warranty services, etc.) in our xRM database (see Section 10) so that we can ensure correct order processing and contract fulfillment.

The legal basis for processing your data for this purpose is the performance of a contract pursuant to Art. 31 Para. 2 lit. a FADP.

24. Events

If we organize events (e.g., conferences or study trips), we process personal data. The data you have provided to us is processed.

The following data is usually collected:

• Salutation
• First and last name
• Company
• Position
• Address
• Country
• Language
• Email address
• Phone number

We process this information for the preparation, execution, and follow-up of events. Data relevant to the execution may also be passed on to third parties (e.g., hotels).

The legal basis for data processing is your consent within the meaning of Art. 31 Para. 1 FADP. Participants can withdraw their consent at any time by notifying us. Upon withdrawal, you are no longer entitled to participate in the event.

25. Event-App „Grip“ (Networking and Event Platform)

For conducting individual events, we use the event app "Grip" from Intros.at Ltd (Treviot House, 186–192 High Road, Ilford, Essex, England, IG1 1LR; hereinafter "Grip"). This is a mobile application that supports the organization, information, and networking of participants.

Personal data arising in the context of using Grip is processed by Grip and, if applicable, their commissioned service providers. This data includes in particular the data transmitted by users (e.g., first and last name, email address, company, position, photo, interests), technical data (e.g., device information, operating system, browser type, time zone setting), as well as usage and log data (e.g., interactions in the app, contact requests). If you link social media accounts in Grip, data from these accounts may also be processed.

We process this information for the preparation, execution, and follow-up of events as well as to provide contemporary, user-friendly event organization and communication. Grip may also use this data to provide app functionalities (especially personalization and networking suggestions) as well as for analysis and optimization purposes. The data processing by Grip is based on a data processing agreement pursuant to Art. 9 FADP.

When using Grip, your profile may – depending on the respective event settings and your app settings – be displayed to other participants and interactions (e.g., contact requests) between participants may be enabled. You can adjust your profile visibility in the app settings at any time.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in the efficient execution of our events and the provision of a contemporary event service as well as – where necessary – the performance of contractual measures within the meaning of Art. 31 Para. 2 FADP in connection with your event participation. When processing particularly sensitive personal data, we obtain your express consent.

Information on the processing of data by third parties and the transfer abroad, especially to the USA, can be found in Sections 7–9 of this privacy policy. The privacy policy can be found at the following link: https://www.grip.events/utility-pages/privacy-policy).                                                    

26. Contests and Competitions

On our website and in our apps, you have the option to participate in contests and competitions. If you participate in contests and competitions, we collect the personal data necessary to conduct the contest or competition. The data you have provided to us is processed.

The following data is usually collected:

• Salutation
• First and last name
• Address
• Country
• Language
• Email address
• Phone number

We use your data to establish your identity and verify the requirements for participation. The data is also recorded together with the name and validity period of the contest as well as information on the time of your participation in a central database (see Section 10). This data is used to process the contest, to contact you in the context of the contest, in particular to clarify information necessary for participation, to inform you about winning or not winning, and to transmit the prize. For participation, registration for our email newsletter and consent to the associated processing (including profiling with or without high risk) may be required (see Section 11). We may pass on your personal data to our contest and competition partners, e.g., to provide you with the prize.

The legal basis for data processing is your consent within the meaning of Art. 31 Para. 1 FADP. You can withdraw your consent at any time by notifying us with effect for the future and thereby waive participation in the contest. Please also note the information in the individual terms of participation for the contest.

27. Surveys and Questionnaires

We conduct surveys and questionnaires to collect information for the respective communicated survey or questionnaire purpose. If you participate in surveys, we collect the data necessary to conduct and evaluate the surveys, in particular answers, session ID and user identification in URL, time of response, duration of response, device information, and IP address. We store the data in a central database (see Section 10) and evaluate the data to improve our services (e.g., tours, tours, consulting services of our partners and guests) as well as our channels (website, app, email newsletter) with regard to information quality and user-friendliness. The legal basis for data processing is your consent within the meaning of Art. 31 Para. 1 FADP. You can withdraw your consent at any time by notifying us with effect for the future.

For conducting surveys, we use the following survey tools:

• Customer Voice: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. The privacy policy can be found at the following link.
  ➡ https://www.microsoft.com/en-us/privacy/privacystatement#page-top
• Qualtrics: Qualtrics LLC, 333 W River Park Drive, Provo, Utah 84604, USA. The privacy policy can be found at the following link.
  ➡ https://www.qualtrics.com/privacy-statement/

Therefore, your data may be stored in a database of these providers, which may enable them to access your data if this is necessary for the provision of the software and for support in using the software. Both companies are certified under the Privacy Framework Agreement. Information on the processing of data by third parties and the transfer abroad, especially to the USA, can be found in Sections 7-9 of this privacy policy. Furthermore, when conducting surveys, cookies are used, which we provide more information about in our cookie banner.

The legal basis for this processing is our legitimate interest within the meaning of Art. 31 Para. 2 FADP in using the services of third-party providers.

28. Application for an Open Position

On our website, you have the option to apply for open positions. For this purpose, we collect various data from you (e.g., your first and last name, your date of birth, your address, your email address, your submitted documents and certificates). We use this and other data you voluntarily provide to review your application, i.e., to correctly identify you and assess your suitability for the position, and to contact you with regard to the application process, i.e., for example, to invite you to an interview or to send a rejection.

We reserve the right to keep application documents even after completion of the application process with us for a maximum of 2 years so that we can contact applicants for filling further interesting positions. If applicants do not agree with this practice, we ask for corresponding notification.

In connection with your online application, we work with the tool CVdropper from Ostendis AG, Seetalstrasse 35, 5706 Boniswil AG, Switzerland. The data is stored by Datawire AG on a server in Switzerland. The two companies may therefore have access to your data if this is necessary for the provision of the software and for support in using the software. Information on the processing of data by third parties can be found in Section 7 of this privacy policy. Furthermore, when using the services, cookies are used, which we provide more information about in our cookie banner.

29. Amendment of the Privacy Policy

We reserve the right to adjust this policy at any time. The version published on this website applies in each case.

Last updated in January 2026.