Hotel Vorab

Privacy Policy

With this Privacy Policy, we inform you about the personal data we process in connection with our activities and operations, including our website. We especially inform about why, how, and where we process which personal data. We also inform about the rights of individuals whose data we process.

For individual or additional activities and operations, other privacy policies and other legal documents such as Terms and Conditions (T&C), Terms of Use or Participation Terms may apply.

We are subject to Swiss data protection law and, if applicable, foreign data protection law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that Swiss data protection law ensures adequate data protection.

1. Contact Addresses

Responsible for the processing of personal data:

Hotel Vorab AG
Via Nova 38
7017 Flims Dorf

We point out if there are other parties responsible for the processing of personal data in individual cases.

1.1 Data Protection Officer or Data Protection Consultant

We have the following data protection officer or the following data protection consultant as a contact point for affected persons and authorities with inquiries related to data protection:

Gian-Reto Meiler
Hotel Vorab AG
Via Nova 38
7017 Flims Dorf

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:

VGS Datenschutz­partner GmbH
Am Kaiserkai 69
20457 Hamburg

The data protection representation serves affected persons and authorities in the European Union (EU) and in the rest of the European Economic Area (EEA) as an additional contact point for inquiries related to the GDPR.

2. Definitions and Legal Bases

2.1 Definitions

Personal data refers to all information relating to an identified or identifiable natural person. A data subject is a person whose personal data we process.

Processing encompasses every handling of personal data, irrespective of the means and methods used, for example querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, recording, collecting, deleting, revealing, arranging, organizing, storing, altering, disseminating, linking, destroying, and using personal data.

The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law, particularly the Federal Act on Data Protection (Data Protection Act, DSG) and the Ordinance on Data Protection (Data Protection Ordinance, DSV).

If and to the extent that the General Data Protection Regulation (GDPR) applies, we process personal data based on at least one of the following legal bases:

  • Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data for the performance of a contract with the data subject and for taking pre-contractual measures.
  • Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard our or a third party’s legitimate interests, provided the fundamental freedoms and rights and interests of the data subject do not prevail. Legitimate interests particularly include our interest in being able to carry out our activities and operations permanently, user-friendly, securely, and reliably, ensuring information security, protection against misuse, enforcing our own legal claims, and complying with Swiss law.
  • Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
  • Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
  • Art. 6 para. 1 lit. a GDPR for processing personal data with the consent of the data subject.
  • Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.

3. Type, Scope and Purpose

We process those personal data that are necessary to carry out our activities and operations consistently, user-friendly, safely, and reliably. Such personal data can particularly fall into categories such as inventory and contact data, browser and device data, content data, meta or marginal data, usage data, location data, sales data, and contract and payment data.

We process personal data for the duration necessary for the respective purpose or purposes or as required by law. Personal data whose processing is no longer necessary are anonymized or deleted.

We can have personal data processed by third parties. We can process personal data together with third parties or transfer it to third parties. These third parties, in particular, are specialized providers whose services we use. We also ensure data protection with such third parties.

We process personal data primarily with the consent of the affected individuals. If and insofar as processing is permissible for other legal reasons, we may waive obtaining consent. For example, we can process personal data without consent to fulfill a contract, to meet legal obligations, or to safeguard predominant interests.

In this context, we particularly process data that an affected person voluntarily submits to us when making contact – for example, by mail, email, instant messaging, contact form, social media, or telephone – or when registering for a user account. We can store such data, for instance, in an address book, a Customer Relationship Management System (CRM system), or using similar tools. If we receive data about other persons, the transmitting persons are obliged to ensure data protection towards these persons and to ensure the accuracy of this personal data.

We also process personal data that we obtain from third parties, procure from publicly accessible sources, or collect when carrying out our activities and operations, as long as such processing is legally permissible.

4. Personal Data Abroad

We process personal data primarily in Switzerland and in the European Economic Area (EEA). However, we can also export or transfer personal data to other states, especially to have them processed there or be processed by others.

We can export personal data to all countries and territories on Earth and elsewhere in the Universe, provided the local law, according to the decision of the Swiss Federal Council, ensures adequate data protection and, if and as far as the General Data Protection Regulation (GDPR) applies, in accordance with the decision of the European Commission, guarantees adequate data protection.

We can transfer personal data to states whose law does not ensure adequate data protection if data protection is guaranteed for other reasons, particularly based on standard data protection clauses or with other suitable guarantees. Exceptionally, we can export personal data to states without adequate or suitable data protection if the special data protection legal prerequisites are met, for instance, the express consent of the affected persons or a direct connection with the conclusion or handling of a contract. We gladly provide affected persons with information about any guarantees upon request or deliver a copy of any guarantees.

5. Rights of Affected Persons

5.1 Data Protection Rights

We grant affected individuals all rights according to the applicable data protection law. Affected individuals, in particular, have the following rights:

  • Information: Affected individuals can request information about whether we process personal data about them and, if so, which personal data is involved. They also receive the information required to assert their data protection rights and ensure transparency. This includes the processed personal data as such, but also, among other things, details about the processing purpose, the duration of storage, any disclosure or potential export of data to other countries, and the origin of the personal data.
  • Correction and Restriction: Affected individuals can correct incorrect personal data, complete incomplete data, and have their data processing restricted.
  • Deletion and Objection: Affected individuals can have personal data deleted (“right to be forgotten”) and object to the processing of their data with future effect.
  • Data Release and Data Transfer: Affected individuals can request the release of personal data or the transfer of their data to another responsible party.

We may postpone, limit, or deny the exercise of the rights of affected individuals within the legally permissible framework. We may inform affected individuals about any prerequisites that may need to be met for the exercise of their data protection rights. For example, we can partially or wholly refuse to provide information citing business secrets or the protection of other individuals. We can also partially or wholly refuse the deletion of personal data, citing statutory retention obligations.

We may exceptionally set charges for exercising the rights. We will inform affected individuals in advance about any possible costs.

We are obligated to identify affected individuals who request information or assert other rights using appropriate measures. Affected individuals are obligated to cooperate.

5.2 Right to Complain

Affected individuals have the right to enforce their data protection rights through legal means or to file a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for private responsible parties and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

Affected individuals have – if and insofar as the General Data Protection Regulation (GDPR) applies – the right to file a complaint with a competent European data protection supervisory authority.

6. Data Security

We implement suitable technical and organizational measures to ensure data security commensurate with the respective risk. However, we cannot guarantee absolute data security.

Access to our website is secured using transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock in the address bar.

Our digital communication is – as is fundamentally the case with any digital communication – subject to mass surveillance without cause or suspicion, as well as other monitoring by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over the respective processing of personal data by intelligence services, police stations, and other security agencies.

7. Use of the Website

7.1 Cookies

We may use cookies. Cookies – both our own cookies (First-Party-Cookies) and cookies from third parties whose services we use (Third-Party-Cookies) – are data stored in the browser. Stored data does not necessarily have to be traditional text cookies.

Cookies can be stored temporarily in the browser as “session cookies” or for a specified period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies particularly allow recognizing a browser during its next visit to our website and, for example, measuring the reach of our website. However, permanent cookies can also be used for online marketing.

Cookies can be deactivated or deleted entirely or partially in browser settings at any time. Without cookies, our website might not be fully accessible. We request – at least if and insofar as required – active explicit consent for the use of cookies.

For cookies used for success and reach measurement or advertising, a general objection (“opt-out”) is possible for numerous services through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

7.2 Server Log Files

We may collect the following information for each access to our website, provided it is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including timezone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, specific sub-page of our website accessed including transferred data volume, the last webpage visited in the same browser window (referer or referrer).

We store such information, which can also represent personal data, in server log files. This data is essential to provide our website permanently, user-friendly, and reliably, and to ensure data security, particularly protecting personal data – either by third parties or with the help of third parties.

7.3 Tracking Pixels

We may use tracking pixels on our website. Tracking pixels are also referred to as web beacons. Tracking pixels – including those from third parties whose services we use – are small, typically invisible images that are automatically fetched when visiting our website. With tracking pixels, the same information can be captured as in server log files.

8. Notifications and Communications

We send notifications and communications via email and through other communication channels, such as instant messaging or SMS.

8.1 Success and Reach Measurement

Notifications and communications can contain web links or tracking pixels that record whether an individual message was opened and which web links were clicked on. Such web links and tracking pixels can also capture the use of notifications and communications on a personal level. We require this statistical recording of usage for success and reach measurement, to send notifications and communications effectively and user-friendly based on the needs and reading habits of the recipients, and to do so consistently, securely, and reliably.

8.2 Consent and Objection

You must generally expressly consent to the use of your email address and your other contact addresses, unless the use is permitted for other legal reasons. Whenever possible, we use the “double opt-in” procedure for obtaining consent, which means you receive an email with a web link that you must click to confirm, ensuring there’s no misuse by unauthorized third parties. We can log such consents, including the IP address, date, and time, for evidence and security reasons.

You can generally object to receiving notifications and communications, such as newsletters, at any time. With such an objection, you can simultaneously object to the statistical recording of usage for success and reach measurement. This does not affect required notifications and communications related to our activities and operations.

8.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We use, in particular:

9. Social Media

We have a presence on social media platforms and other online platforms to communicate with interested individuals and to inform about our activities and operations. In the context of such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC), terms of use, privacy policies, and other provisions of the individual operators of such platforms also apply. These provisions provide information about the rights of affected individuals, including, for example, the right to access.

For our Facebook social media presence, including the so-called page insights, we are jointly responsible with Meta Platforms Ireland Limited (Ireland) – as far as the General Data Protection Regulation (GDPR) is applicable. The Meta Platforms Ireland Limited is part of the Meta companies (among others in the USA). The page insights provide insights into how visitors interact with our Facebook presence. We use page insights to effectively and user-friendly design our Facebook presence.

Further information about the nature, extent, and purpose of data processing, information about the rights of affected persons, and the contact details of Facebook as well as the data protection officer of Facebook can be found in the Facebook Privacy Policy. We have concluded the so-called “Addendum for Controllers” with Facebook and have agreed that Facebook is responsible for ensuring the rights of affected individuals. For the so-called page insights, the relevant information can be found on the page “Information on Page Insights” including “Information on Page Insights Data”.

10. Third-Party Services

We use services of specialized third parties to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. With such services, we can, among other things, embed functions and content into our website. In such an embedding, for technical reasons, the services used capture the IP addresses of users at least temporarily.

For required security-related, statistical, and technical purposes, third parties, whose services we use, can process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data to offer the respective service.

We particularly use:

10.1 Digital Infrastructure

We use services from specialized third parties to obtain the necessary digital infrastructure related to our activities and operations. This includes, for example, hosting and storage services from selected providers.

We particularly use:

10.2 Contact Options

We use services from selected providers to better communicate with third parties such as potential and existing customers.

10.3 Audio and Video Conferences

We use specialized services for audio and video conferences to communicate online. This allows us, for example, to hold virtual meetings or conduct online lessons and webinars. Participation in audio and video conferences is subject to the legal texts of each service, such as privacy policies and terms of use.

We recommend, depending on the situation, to mute the microphone by default when participating in audio or video conferences, to blur the background or to display a virtual background.

We particularly use:

10.4 Maps

We use third-party services to embed maps into our website.

We particularly use:

10.5 Fonts

We use third-party services to embed selected fonts as well as icons, logos, and symbols into our website.

We particularly use:

10.6 E-Commerce

We operate in e-commerce and use third-party services to successfully offer services, content, or goods.

10.7 Payments

We use specialized service providers to securely and reliably process payments from our customers. For payment processing, the legal texts of each provider, such as Terms and Conditions (T&C) or privacy policies, apply additionally.

We especially use:

10.8 Advertising

We utilize the opportunity to display advertisements for our activities and operations specifically to third parties, such as social media platforms and search engines.

With such advertising, we aim to reach individuals who are already interested in our activities and operations or could be interested (Remarketing and Targeting). For this purpose, we may transmit corresponding – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, i.e., in particular, whether it leads to visits to our website (Conversion Tracking).

Third parties, on which we advertise and where you are registered as a user, may possibly assign the use of our online offer to your profile there.

We especially use:

  • Google Ads: Search engine advertising; Provider: Google; Google Ads-specific details: Advertising based on search queries, with different domain names – especially,, and – used for Google Ads, «Advertising» (Google)«Why do I see this ad?».

11. Measurement of Success and Reach

We aim to determine how our online offering is utilized. Within this framework, we can measure the success and reach of our activities and operations, for instance, the impact of third-party links on our website. Additionally, we can experiment with and compare how different parts or versions of our online offering are used (using the “A/B test” method). Based on the results of these measurements, we can fix errors, enhance popular content, or make improvements to our online offer.

For the purpose of success and reach measurement, the IP addresses of individual users are often stored. In this case, IP addresses are generally shortened (“IP-Masking”) to follow the principle of data economy through pseudonymization.

In measuring success and reach, cookies can be used, and user profiles may be created. Possible user profiles might include details like the individual pages visited or content viewed on our website, screen or browser window size, and the — at least approximate — location. Generally, any user profiles are exclusively pseudonymized and are not used to identify individual users. Some third-party services, where users might be logged in, could possibly associate the use of our online offer with the user’s account or profile with that service.


We especially use:

12. Final Provisions

We created this privacy statement with the Data Protection Generator by Data Protection Partner.

We can adjust and amend this privacy statement at any time. We will inform about such adjustments and additions in an appropriate manner, especially by publishing the updated privacy statement on our website.