Data Protection Policy

Zürich Tourism takes data protection very seriously. In this data protection policy, we inform which personal data we process in connection with our activities.

Of course, we comply with the statutory provisions of the Swiss data protection legislation (in particular, the Swiss Federal Act on Data Protection, FADP, and the Ordinance to the Federal Act on Data Protection, OFADP), as well as any other applicable data protection provisions of Swiss and European law (in particular the EU General Data Protection Regulation (GDPR)).

General information

1. Content of this data privacy policy

Zürich Tourismus (hereinafter also referred to as «we») is an association with its headquarters at Gessnerallee 3, 8001 Zurich, Switzerland, and registered in the Commercial Register of the Canton of Zurich under number CHE-105.846.358.

This data protection policy applies to the digital services of Zürich Tourism, which can be accessed under the domain name ➡ www.zuerich.com and its subdomains, and to the iOS and Android application Zürich City Guide App (hereinafter “our websites”).

This data protection policy is an integral component of the General Terms & Conditions, which can be found here

2. Responsible contact

Unless indicated otherwise, such as in other privacy policies, on forms or in contracts, Zürich Tourismus is the controller responsible for the data processing described in this privacy policy. We shall make it clear if a different controller is responsible for processing personal data in a specific case.

If you have any questions about data protection or wish to exercise your data protection rights, please contact our contact person for data protection law by sending an e-mail to:

Zürich Tourismus
Gessnerallee 3
CH - 8001 Zurich
+41 44 215 40 00
datenschutz@zuerich.com

3. Contact person for data protection

You can reach our EU data protection representative at:

MLL EU-GDPR GmbH
Ganghoferstrasse 33
DE – 80339 München

4. Your data, Your rights

If the statutory requirements are met, you have the following rights as a data subject. You can exercise them at any time.

Right of access: You have the right to access your personal data that we store at any time free of charge if we are processing this data. You have the opportunity to check which of your personal data we process and that we comply with the applicable data protection regulations.
Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be notified of the rectification. In this case, we notify the recipients of the data of any changes made, unless this is impossible or would be unreasonably difficult.
Right to erasure: You have the right to erasure of your personal data in certain circumstances. It may not be possible to exercise the right to erasure in certain situations, especially when there are statutory retention periods. In this case, the data may be blocked instead of erased if requirements are met.
Right to restriction of processing: You have the right to request restriction of the processing of your personal data.
Right to data portability: You have the right to receive from us the personal data you have provided to us in a readable format free of charge.
Right to lodge a complaint: You have the right to lodge a complaint with a responsible supervisory authority, about the type or means of processing of your personal data.
Right to withdraw consent: You have the right to withdraw consent at any time. Processing activities based on your past consent are not made unlawful by your revocation.
Right to object: You have the right to object to the processing of your data, in particular those for direct marketing purposes, profiling carried out for direct marketing and other legitimate interests in the processing.

5. Retention period

We only stores personal data as long as is needed to carry out the processing within the limits of our legitimate interest as described in this Data Protection Policy.

Please note that certain data may be subject to special statutory retention periods. We are required to store this data until the end of the retention period. Under these provisions, business correspondence, contracts entered into, and accounting records must be retained for up to 10 years. We block such data in our system and use it exclusively to comply with our legal obligations or to defend and enforce our legal interests. The data is erased as soon as a retention obligation or legitimate interest in retention no longer exists.

6. Data security

We take the appropriate measures to protect your personal data. We take the technical and organizational measures prescribed under Swiss and European data protection law to prevent unauthorized processing. However, it is not possible to guarantee the absolute security of personal data. You should also be aware that data transmitted over an open network such as the internet or an email service may be intercepted and read by unauthorized persons. We cannot guarantee the confidentiality of any messages or content exchanged over these networks.

We also take internal data protection very seriously. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and data protection. Moreover, these persons are only granted access to personal data to the extent necessary for the performance of their tasks.

7. Sharing your data with third parties

Without the support of other companies, we would not be able to provide our products and services in the form desired. In order for us to use the services of these companies, it is necessary for us to share some of your personal data with them. Your information will only be shared with selected third-party service providers to the extent necessary to optimize the provision of our services.

Various third-party service providers are specifically mentioned in this data protection policy and in our cookie banner in the relevant sections, e.g. regarding the chat feature or surveys.

In addition, to use and administer our infrastructure and to perform internal functions, we require the use of service providers. Therefore, third parties may have access to your data to the extent necessary to provide the services. These may include software providers (e.g. for word processing or emailing), IT service providers (e.g. hosting providers, telecommunications service providers, such as internet service providers), agencies (e.g. in the area of marketing) or security service providers. A list of third-party service providers who may have access to certain personal data is provided in section 10 of this data protection policy. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in the use of third-party services.

In addition, your data may be passed on, in particular to authorities, legal advisers or debt collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from the relationship with you. Data may also be disclosed if another company intends to acquire our business or any part of it and such disclosure is necessary to carry out due diligence or to complete the transaction.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in the protection of our rights and the fulfillment of our obligations or the sale of our company or parts thereof.

The data recipients named in this data protection policy may wish to use certain data for their own purposes (e.g. for statistical analysis for product optimization or disclosure to third parties, such as authorities, pursuant to national legal regulations). For the purpose of these data processing operations, these companies are considered controllers under data protection law and must ensure compliance with data protection laws in connection with these data processing operations. Information about these data processing operations can be found in the relevant data protection policies.

8. Transfer of personal data abroad

We may transfer your data to third parties located abroad for the purposes of the data processing described in this data protection policy.

Please refer in particular to the relevant sections of this data protection policy and the information in our cookie banner. The legal provisions governing the disclosure of personal data to third parties are observed in such cases as a matter of course. The countries to which data is transferred include those that the Swiss Federal Council and the European Commission have determined to have an adequate level of data protection (such as the member states of the EEA or, from the EU’s point of view, Switzerland), but also countries (such as the US) whose level of data protection is not considered adequate (see Annex 1 of the Swiss Data Protection Ordinance (DPO) and the website of the European Commission

If the country in question does not provide an adequate level of data protection, we will guarantee through appropriate safeguards that your data is adequately protected at these companies, unless an exception is specified for individual data processing in individual cases (see Art. 49 GDPR). Unless otherwise indicated, this concerns the selection of companies that are certified under the Data Privacy Framework or concerns standard contractual clauses within the meaning of Art. 46 para 2(c) GDPR, which can be found on websites of the Federal Data Protection and Information Commissioner (FDPIC) and the European Commission. If you have any questions about the measures taken, please contact our Data Protection Officer.

9. Information about data transfers to the US

Some of the third-party service providers mentioned in this data protection policy are located in the US. In the interest of completeness, we point out to users based or resident in Switzerland or the EU that monitoring measures in the US by the US authorities generally permit the storage of all personal data of anyone whose data is sent from Switzerland or the EU to the US. This is done without differentiation, restriction or exception on the basis of the pursued objective and without any objective criteria that would restrict access to the data and its subsequent use by the US authorities to very specific and limited purposes that would justify the intervention associated with access and use of this data. We would also like to point out that there are no legal remedies or effective legal protection in the US for data subjects from Switzerland or the EU against general access rights of US authorities that allow them to access, rectify or erase their data. We expressly make you aware of these laws and circumstances, in order that you can make an informed decision about consent or objection to the use of your data.

We additionally make residents of Switzerland and EU member states aware that compared with the European Union and Switzerland, the US does not offer an adequate level of data protection due, inter alia, to the reasons mentioned in this section. To the extent that we have disclosed in this data protection policy that recipients of data (such as Google) are located in the US, we will ensure that your data is adequately protected by our third-party service providers by selecting companies that are certified under the Data Privacy Framework or by entering into contractual arrangements with such companies and, where necessary, by implementing additional appropriate safeguards.

Scope and purpose of the collection, processing and use of personal data

10. Central storage and xRM data processing

We store the personal data affected by and mentioned in this data protection policy, in particular your personal data, your contact with us, your contract data, and your surfing behavior, in a central electronic data processing system.

For this purpose, we use the Microsoft Dynamics 365 marketing automation system of Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, United States), which may enable Microsoft to access your data and the associated transfer of data to the US if this is necessary for the provision of the software and for support with the use of the software. Microsoft is certified under the Data Privacy Framework. Information about the processing of data by third parties and the transfer of data abroad, in particular to the US, can be found in section 7-9 of this data protection policy. You can find more information about data protection at Microsoft in the Microsoft privacy statement at the following link

The use of Microsoft Dynamics 365 enables efficient management of customer data, allows us to competently process your requests, and enables efficient provision of your requested services and processing of the associated contracts. This processing is based on our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in the customer-friendly and efficient management of customer data.

We use Microsoft Dynamics 365 to conduct marketing activities, for analytics purposes and to target (potential) customers and display interest-based content.

We also analyze this data to continue refining our products and services based on your needs and to display and recommend to you the most relevant information and offers. We also use methods that predict possible interests and future orders based on your use of our website. Some of these analyses may be considered profiling (with or without high risk).

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in carrying out marketing activities.

For the development and operation of our xRM software, we use the services of Ambit Group AG, Motorenstrasse 35, 8620 Wetzikon, Switzerland. As such, Ambit AG may also have access to personal data if this is necessary to provide the services. Information about the processing of data by third parties and the transfer of data abroad, in particular to the US, can be found in section 7-9 of this data protection policy. You can find more information about data protection at Microsoft in the Ambit AG privacy policy at the following link

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in the use of third-party services.

With regard to email marketing, please see the following section. In addition, cookies are employed when using Microsoft Dynamics 365, which we explain in more detail in our cookie banner.

11. Email marketing

If you sign up for our email newsletter, we collect a variety of data from you. Required information is marked as such in the registration form.

Typically, the following data is collected:

First name, last name
Email address
Language

You also have the option of sending us the following additional details:

Title
Country
Date of birth
Interests

By explicitly subscribing to the newsletter, you consent to our use of the personal data you have provided for marketing purposes and to send you emails with personalized marketing content. The emails may also include invitations to participate in competitions or surveys, to provide feedback or to rate our products and services. In addition to the email address, we collect further data to associate the registration with other data, such as from orders, and thus to personalize the content of the marketing emails and make it more relevant to you, such as sending the newsletter in your language (where possible) and providing topics tailored to your country and age.

To prevent abuse and to ensure that the owner of an email address has actually consented, we use a “double opt-in” for subscribing. After sending the subscription request, you will receive an email from us containing a confirmation link. You must click the link to subscribe to the newsletter. If you do not click the confirmation link within the stated time period, your data will be erased and our newsletter will not be sent to that address.

This consent constitutes the lawful basis for processing of the data within the meaning of Art. 6 para 1(a) GDPR. You have the option to unsubscribe from the newsletter at any time by clicking on the corresponding link in the newsletter. After you have unsubscribed, your personal data will be erased.

Our marketing emails may contain a web beacon or 1×1 pixel (tracking pixel) or similar technology. A web beacon is an invisible graphic that is linked to the user ID of the newsletter subscriber. For each marketing email sent, we receive information about which addresses have not yet received the email, which addresses it was sent to and which addresses failed to receive it. We also see which addresses have opened the email, for how long and which links they have clicked on. Finally, we also receive information about which addresses have unsubscribed. We use this data for statistical purposes and to optimize the advertising emails in terms of frequency, timing, structure, and content. This allows us to better align the information and offers in our emails with the individual interests of recipients.

By subscribing to our newsletter, you also consent to the statistical analysis of user behavior for purposes of optimizing and customizing the newsletter. This consent constitutes the lawful basis for processing of the data within the meaning of Art. 6 para 1(a) GDPR. The web beacon is deleted when you delete the email. To prevent the use of the web beacon in our marketing emails, thereby revoking your consent, please set the parameters of your email program not to display HTML in messages if this is not already the case by default. You can find information on how to configure this setting in the help sections of your email software.

We use software from Microsoft Dynamics 365 for Marketing for email marketing (see section 9). Your data may therefore be stored in a Microsoft database, which may enable Microsoft to access your data if this is necessary for the provision of the software and for support with the use of the software. Information about the processing of data by third parties and the transfer of data abroad, in particular to the US, can be found in section 7-9 of this data protection policy. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para 1(f) EU GDPR in using the services of third-party providers.

12. Contact Us

If you contact us via our contact addresses and channels (e.g. by email, phone or contact form), your personal data will be processed. The data that will be processed and stored will be that which you have made available to us. The data collected via a contact form can be seen in the form in question, e.g. your message/request (such as event request, publication, first and last name, company, etc.).

We process this information only to fulfill your request (e.g. providing information, responding to an event request, incorporating your feedback to improve our products and services, etc.).

Please note the following for event requests: If the event request is about an event held by one of our partners, your request is forwarded directly to the partner and processed by them.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in the implementation of your request or, if your request is aimed at the conclusion or execution of a contract, the necessity for the implementation of the necessary contractual measures within the meaning of Art. 6 para 1(b) GDPR.

You are responsible for the communication and/or content that you send to us. We advise you not to communicate any confidential data.

13. Log File Date

When you visit our digital services – even without registering or logging in – our servers temporarily store each access in a log file. The following data is collected without any action on your part and stored by us until it is automatically deleted, at the latest after 24 months:

IP address
name of your Internet service provider
date and time of access
name and URL of the accessed file
website from which the access originated («referrer URL»), including any keywords used
country, region or city from which the access originated
operating system of the browser you are using (including type, version and language setting)
transmission control protocol

This data is collected and processed for the purpose of enabling the use of our websites and apps (establishing a connection), ensuring ongoing system security and stability, optimizing our offer, and for internal statistical purposes.

Only in the event of an attack on the website/app’s network infrastructure, or if it is suspected that the website/app is being misused or otherwise used unlawfully, will the IP address be analyzed for clarification and defense purposes, and if necessary used to identify or take civil or legal action against the user concerned.

The purposes described above constitute our legitimate interest in the processing of data within the meaning of Art. 6 para 1(f) GDPR and therefore the legal basis for data processing.

To operate our website, we use the services of our hosting provider: Platform.sh GmbH, Koblenzer Str. 11, 50968 Cologne, Germany, and of our content delivery network (CDN) provider: Fastly, Inc., PO Box 78266, San Francisco, CA 94107, United States. While Platform.sh provides us with web servers and makes our website available for access, Fastly ensures that the access to our website, especially to larger content, is distributed as optimally as possible across different servers (“performance optimization”). As a result, the above data is transferred to both providers.

Your data may therefore be stored in a database of Platform.sh or Fastly, which may allow Platform.sh or Fastly to access your data if this is necessary for the provision of the software and support with the use of the software.

Information on the processing of data by third parties and any transfer abroad can be found in sections 7 and 8 of this data protection policy. Further information on data processing in connection with Platform.sh can be found at the following link and in connection with Fastly at the following link. The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para 1(f) EU GDPR in using the services of third-party providers.

14. Cookies

Cookies are information files your web browser stores on the hard drive or in the RAM of your computer when you visit our website. Cookies are assigned identification numbers that allow your browser to be recognized and allow information contained in the cookie to be read out.

Cookies allow us to make your visits to our website easier, more comfortable, and more useful. We use cookies for various purposes that are necessary for your desired use of the website, i.e. “technically necessary.” For example, we use cookies to provide website features such as the ordering feature, so that when you fill out a form on the site, your information is temporarily stored so that you do not have to enter it again when you visit another subpage. Furthermore, cookies also perform other technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the page’s load among different web servers to relieve pressure on individual servers. Cookies are also used for security purposes, such as to prevent unauthorized posting of content. Finally, we also use cookies in the design and programming of our website, for example to enable upload of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in providing a user-friendly and modern website.

When you access our digital services, we ask you for your consent to the cookies we use that are not technically necessary, especially to the use of cookies of third-party providers for marketing purposes. The legal basis for this data processing is your consent within the meaning of Art. 6 para 1(a) GDPR. You can use the buttons in the cookie banner or the link in the footer to set your preferences, change them at any time, and revoke your consent.

When cookies are used, data may be transferred to third parties in potentially any country in the world, including countries without adequate data protection, such as the US. In addition to the information in the cookie banner, please refer to the sections on data processing by third parties and data transfers abroad in sections 7–9 of this data protection policy.

You can also configure your browser so that no cookies are stored on your computer or a notification appears whenever you receive a new cookie. However, deleting or blocking cookies may restrict the functionality of the website.

On the following pages, you can find explanations of how to configure the handling of cookies in most common browsers:

15. Tracking and web analysis tools

For the purpose of demand-oriented design and continuous optimization of our website, we use the web analysis services listed below. In this context, pseudonymous user profiles are created and cookies are used. Details on the data processed and the providers can be found in our cookie banner. Please also refer to the section on cookies (section 14) in this data protection policy. The providers will analyze the use of the website on our behalf in order to compile reports on website activities and to provide other services associated with the use of the website and the internet for the purposes of market research and needs-based website design. Some of the data processing operations may be considered profiling (with or without high risk), to which your consent also applies. For these processing operations, we and the providers may to some extent be considered joint controllers under data protection law.

16. Online advertising and targeting

We use services of various companies to provide you with interesting offers online. This involves analyzing your use of our website and other providers’ websites, possibly across different devices, in order to subsequently provide you with online advertising that is tailored to you. Details on the data processed and the providers can be found in our cookie banner. Please also refer to the section on cookies (section 14) in this data protection policy. We and our service providers use the data to determine whether you are a member of our target audience and to take this into account when selecting ads. For example, after visiting our site, you may be shown ads for the products or services you have viewed when you visit other sites (“re-targeting”). Depending on the scope of the data, a user profile may also be created, which is automatically evaluated and the ads selected according to the information stored in the profile, such as membership in certain demographic segments or potential interests or behaviors. Such ads may be displayed to you through a variety of channels, including our website, apps, and ads served through the online advertising networks we use, such as Google.

The user behavior data will also be shared with the parties involved in the advertising networks, in particular their operators. For certain campaigns, the data is also transferred to our partner companies. The data may then be analyzed for the purpose of billing the service provider and to assess the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve campaigns. This may also include information that attributes the performance of an action (e.g. visiting certain sections of our website or sending information) to a specific ad. We also receive aggregated reports from the service providers on ad activities and information about how users interact with our website and our ads. Some of the data processing operations may be considered profiling (with or without high risk), to which your consent also applies.

17. Social media plugins

We use social media plugins to make it easier for you to share content from our website. These social media plugins help us to increase the visibility of our content on social networks and thus contribute to better marketing. Details on the data processed and the providers can be found in our cookie banner. Please also refer to the section on cookies (section 14) in this data protection policy. If you give us your consent via banners or by clicking on the plugin buttons, the content of the plugin is transferred directly from the social network to your browser and integrated by your browser into the website. We have no influence on the scope of the data that the provider collects with the plugin, although we and the providers may to some extent be considered joint controllers under data protection law. They may post your data (e.g. that you like one of our products or services) on the social network and may make it available to other users of the social network. The social network provider may use this information to place ads and tailor the relevant service to your needs. Some of the data processing operations may be considered profiling (with or without high risk), to which your consent also applies. If you do not want the social network provider to associate the data collected through our site with your user account, you must log out of the social network before activating the plugins.

18. Links to our social media profiles

Our websites contain links to our social media profiles. The links lead to the following networks:

Facebook Meta Platforms Inc. (USA) / Meta Platforms Ireland Ltd. (Ireland):	Data protection policy
Instagram Meta Platforms Inc. (USA) / Meta Platforms Ireland Ltd. (Ireland):	Data protection policy
WhatsApp Meta Platforms Inc. (USA) / Meta Platforms Ireland Ltd. (Ireland):	Data protection policy
LinkedIn LinkedIn Corporation (USA) / LinkedIn Ireland Unlimited Company (Ireland):	Data protection policy
X (former name Twitter) X Corporation (USA) / Twitter International Unlimited Company (Ireland):	Data protection policy
TikTok TikTok Technology Limited (USA) / TikTok Technology Limited(Ireland) and Tiktok Information Technologies UK Limited (United Kingdom):	Data protection policy
Pinterest Pinterest Inc. (USA) / Pinterest Europe Limited (Ireland):	Data protection policy
Crowdriff CrowdRiff Inc (Canada):	Data protection policy
Threads Meta Platforms Inc. (USA) / Meta Platforms Ireland Ltd. (Ireland):	Data protection policy
Flickr Flickr, Inc. (USA):	Data protection policy
YouTube Google Limited (Ireland):	Data protection policy
Vimeo Vimeo.com, Inc. (USA):	Data protection policy
Komoot komoot Ltd. (Germany):	Data protection policy
Tripadvisor Tripadvisor Inc. (USA):	Data protection policy

If you click on the symbols of the social networks, you will be connected to the social network to perform the selected function. However, you must log into your user account for this purpose if you are not already logged in.

If you choose one of the available functions and click the symbol of the social network, a direct connection is established between your browser and the server of the social network. As a result, the network receives, in particular, the data described in the section on log files (section 13), i.e. the information that you have visited our website with your IP address and accessed the link. If you access a link to a network while logged into your account for that network, the content of our site may be linked to your profile on the network, i.e. the network can directly associate your visit to our website with your user account. The provider in question is the controller under data protection law for the associated data processing. Therefore, please read the data protection information on the network’s website.

The legal basis for the data processing attributed to us is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in the use and promotion of our social media profiles.

If you wish to prevent this, you should log out before clicking on any such links. Your visit will definitely be associated with your user account if you log into the network after clicking on the link.

We are currently using the following social media management software:

Hootsuite: We process the data social media networks provided to us in the social media management software “Hootsuite” of Hootsuite Inc., 5 East 8th Avenue, Vancouver, V5T 1R6, Canada.
Crowdriff: We use Crowdriff, a service provided by CrowdRiff Inc, 116 Spadina Ave., Suite 600, Toronto, ON M5V 1V6, Canada.

19. Chat feature

We use AI-Concierge from Goodguys GmbH (Moeringgasse 20/1, Tür 2, 1150 Vienna, Austria) to provide a modern chat feature. This is an artificial intelligence (AI) solution from Austria that finds answers to your questions based on the content of our websites, together with publicly available content.

The personal data collected in the chats is processed exclusively on the servers of the Austrian processor Goodguys GmbH. This data includes the data transmitted by the users, the IP address of the users and a session ID to distinguish between the chat histories of different users. This data is deleted at the end of the chat session and can then no longer be assigned to individual users. The content of requests is stored and may be used to test functionality and further develop chat features. In addition, cookies are employed when using the chat feature, which we explain in more detail in our cookie banner.

In order to formulate AI-Concierge’s responses, portions of the requests are also sent to Google and OpenAI servers. The data sent to these providers does not contain any parameters that would allow Google or OpenAI to identify individuals. It is therefore anonymous data. Answers are assigned to users solely by the IT systems of Goodguys GmbH.

However, it is not technically possible to filter out identifiable content based on the data entered by the user. Therefore, when using the chat, please ensure that you do not enter any personal data such as your name, email address, phone number, etc. in the chat window.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para 1(f) GDPR in providing a modern online presence. You can find more information about AI-Concierge and Goodguys GmbH in the data protection declaration of Goodguys GmbH. Please also note the information about the processing of data by third parties and the transfer of data abroad, in particular to the US, which can be found in section 7-9 of this data protection policy.

20. Registration for a customer account

If you open a customer account on our digital channels, we collect various data from you:

Title
First name, last name
Organization/Company
Job title
Country
Language
E-Mail

While using the customer account, you can store further optional information in your account to create a simplified and personalized user experience, e.g.

Date of birth
Travelling dates
Type of journey
Travelling companions
Interests / preferences
Payment information

Mandatory information is indicated in the form.

We require the aforementioned data for the processing and administration of our website, for checking the plausibility of the data entered, i.e. to establish, draft the content of, process and amend the contractual relationships concluded with you via your user account. Your email address and password together form your login data. Your data in the customer account can be viewed and changed at any time.

To prevent misuse, you should always keep your login information confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.

The legal basis for the processing of your data for the aforementioned purpose is your consent pursuant to Art. 6 para 1(a) GDPR. You can revoke your consent at any time by removing the data from your customer account or by deleting your customer account or having it deleted by sending us a message.

21. Bookings or reservations on the website and the apps

Our website offers various options for making bookings or reservations or requesting other services. These services are provided by third parties.

The details necessary to complete a booking are marked with as mandatory. The provision of other information is optional and will not affect the use of our websites and apps or your booking.

Typically, the following data is collected:

Title
First name, last name
Date of birth
Addresses
Country
Language
E-Mail
Phone number
Travelling dates
Payment information

In the app, you can also enter the first names, last names, and dates of birth of additional travelers for the booking. If you are logged in, this data is stored in your profile (discover.swiss). Alternatively, it may be stored locally by Zürich Tourism.

Depending on the type of service booked, the details entered by you will either be collected directly from the provider in question or forwarded to the provider by us. In the latter case, the data protection policy of the provider will apply.

The booking platforms are operated by the following companies and/or we rely on these companies for service processing:

Switzerland Travel Center, Binzstrasse 38, 8045 Zurich, Switzerland. Its data protection policy can be found via the following link
TouristDataShop AG, Rue du Midi 3, 1860 Aigle, Switzerland. Its data protection policy can be found via the following link
Cooperative Society discover.swiss, Schaffhauserstrasse 14, 8006 Zurich, Switzerland. Its data protection policy can be found via the following link
Liip Ltd, Limmatstrasse 183, 8005 Zurich, Switzerland. Its data protection policy can be found via the following link
Binarium GmbH, Erlachstrasse 22, 8003 Zurich, Switzerland. Its data protection policy can be found via the following link
Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland. Its data protection policy can be found via the following link

Unless specified otherwise in this data protection policy, or where you have not specifically provided consent, we will use and, in particular, share the data in order to supply the requested services, provide the desired functionality, process your order, and ensure correct payment. For details of how your credit card information is processed and shared, see section 23 below.

The performance of a contract pursuant to Art. 6 para 1(b) GDPR therefore forms the legal basis for processing of the data.

22. Digital payment solution

If you make a payable booking on our website, you may need to provide additional data, such as your credit card information or the login for your payment service provider, depending on the service and the payment method requested. This information and the fact that you have purchased a service from us for the relevant amount and at the relevant time will be passed to the relevant payment service providers (e.g. payment solution providers, credit card issuers, and credit card acquirers). The performance of a contract pursuant to Art. 6 para 1(b) GDPR therefore forms the legal basis for this transfer.

We only use payment service providers that guarantee an adequate level of data protection. We use the following payment service providers:

Stripe, 185 Berry Street, Suite 550, San Francisco, CA 94107, United States. Its data protection policy can be found via the following link
Datatrans, Kreuzbühlstrasse 26, 8008 Zurich, Switzerland. Its data protection policy can be found via the following link

For further data processing, please refer to the information provided by the respective company, in particular the data protection policy and the general terms and conditions. Please also note the information about the processing of data by third parties and the transfer of data abroad, in particular to the US, which can be found in section 7-9 of this data protection policy.

23. Contractual services

We process the data of our contractual partners and other clients, in order to provide them with our contractual or pre-contractual services. The data processed in this context, the nature, scope and purpose and the necessity of their processing, are determined by the underlying contractual relationship.

The data processed includes personal data, contact data, contract data, and payment data. We use the personal data to verify your identity before entering into a contract. We use your contact data to confirm your order and for future communications with you that are necessary to process the contract. We store your data together with the peripheral data of the order (e.g. time, order number, etc.), the data on the services ordered (e.g. name, price, and features of the product; product data), the payment data (e.g. selected payment method, confirmation of payment and time; see also section 10), and the data relating to the processing and performance of the contract (e.g. return of products, use of support or warranty services, etc.) in our xRM database (see section 10) so that we can ensure correct order processing and performance of the contract.

The legal basis for processing your data for this purpose is the fulfillment of a contract according to Art. 6 para.1 lit. b GDPR.

24. Events

When we hold events and study trips, we also process personal data. The data processed will be that which you have provided to us.

Typically, the following data is collected:

Title
First name, last name
Organization/Company
Job title
Address
Country
Language
E-mail
Phone number

We process this information for the preparation, implementation and follow-up of the events. Data relevant to the implementation of the event may also be passed on to third parties (e.g. hotels, host destination).

The legal basis for processing your data for this purpose is the fulfillment of a contract according to Art. 6 para.1 lit. b GDPR. Participants may revoke their consent at any time by notifying us. Upon revocation, you are no longer entitled to participate in the event.

25. Sweepstakes and contests

On our website and in our apps, you have the option of taking part in competitions. If you take part in competitions and contests, we collect the personal data that is required to carry out the competition or contest. The data processed will be that which you have provided to us.

Typically, the following data is collected:

Title
First name, last name
Address
Country
Language
E-mail
Phone number

We use your data to establish your identity and to check the requirements for participation. The data is also recorded in a central database together with the name and validity period of the competition and details of the time of your participation (see section 0). This data is used to process the competition, to contact you in connection with the competition, in particular to clarify information required for participation, to inform you whether or not you have won, and to send you your prize. Registration for our email newsletter and consent to the associated processing (including profiling with or without high risk) may be required for participation (see section Error! Reference source not found.). We may pass on your personal data to our competition and contest partners, e.g. to send you your prize.

The legal basis for data processing is your consent within the meaning of Art. 6 para 1(a) GDPR. You can withdraw your consent at any time with effect for the future by notifying us and thus forgo participation in the competition. Please also note the information in the individual terms and conditions of the competition.

26. Surveys and polls

We conduct surveys and polls to collect information for the respective communicated survey or poll purpose. If you participate in surveys, we collect the data necessary to conduct and evaluate the surveys, particularly answers, session ID and user ID in the URL, time of response, duration of response, device information, and IP address. We store the data in a central database (see section ) and evaluate the data in order to improve our services (e.g. tours, guided tours, advice from our partners and guests) and our channels (website, app, email newsletter) in terms of information quality and user-friendliness. The legal basis for data processing is your consent within the meaning of Art. 6 para 1 GDPR. You may withdraw your consent at any time with effect for the future by notifying us.

We use the following survey tools to conduct surveys:

Customer Voice: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Its data protection policy can be found via the following link
Qualtrics: Qualtrics LLC, 333 W River Park Drive, Provo, Utah 84604, USA. Its data protection policy can be found via the following link

Your data may therefore be stored in a database maintained by these providers, which may provide them with access to your data if this is necessary for the provision of the software and support with the use of the software. Both companies are certified under the Data Privacy Framework. Information about the processing of data by third parties and the transfer of data abroad, in particular to the US, can be found in section 7-9 of this data protection policy. In addition, cookies are employed when using surveys, which we explain in more detail in our cookie banner.

The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para 1(f) EU GDPR in using the services of third-party providers.

27. Applications for job advertisements

On our website, you have the option of applying for job vacancies. For this purpose, we collect a variety of data from you (e.g. your first and last name, date of birth, address, email address, documents and certificates you submit). We use this and other data you voluntarily provide to review your application, i.e. to correctly identify you and assess your suitability for the position, and to contact you regarding the application process, e.g. to invite you to an interview or to send you a rejection.

We reserve the right to store application documents for a maximum of 2 years after completion of the application process so that we can contact applicants again when other interesting positions become vacant. If applicants do not consent to this practice, they are requested to inform us accordingly.

We work with the tool CVdropper, provided by Ostendis AG, Seetalstrasse 35, 5706 Boniswil AG, Switzerland, to process your online application. Datawire AG stores the data on a server in Switzerland. Both companies may therefore have access to your data if this is necessary for the provision of the software and support with the use of the software. Information about the processing of data by third parties can be found in section 7 of this data protection policy. In addition, cookies are employed when using the services, which we explain in more detail in our cookie banner.

28. Adaptation of the data privacy policy

We reserve the right to adapt this statement at any time. The version published on this website shall apply.

Last updated in July 2024.