Privacy policy of the Hotel Hatillo Management Corporation S.R.L.

Hotel Hatillo Management Corporation S.R.L. attaches great importance to the protection of your personal data. In this privacy policy, we explain how we collect and process personal data. We do not sell your data. This is not an exhaustive description. Further information can be found in our General Terms and Conditions. Personal data refers to all information relating to an identified or identifiable person.

If you provide us with the personal data of other persons (e.g. customers, employees or acquaintances), please ensure that these persons are aware of this privacy policy. Only share their personal data with us if you are permitted to do so and if this personal data is correct.

This privacy policy is based on the Swiss Data Protection Act (DSG) and the EU General Data Protection Regulation (GDPR).

​

1. Who is responsible for data protection in our company? Who is our EU representative?

Dr. Matthias Michlig, Michlig Knutti Partner AG, Seidengasse 15, 8001 Zurich

​

2. How do we collect and process personal data in general?

We primarily process the personal data that we receive from our customers and other business partners as part of our business relationship with them and other persons involved or that we collect from their users when operating our websites and other applications.

Insofar as this is permitted, we also obtain certain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, press, internet) or receive this data from authorities and other third parties (Art. 19 FADP, Art. 14 GDPR). In addition to the data that you provide to us directly, the categories of personal data that we receive about you from third parties include, in particular, information from public registers, information that we obtain in connection with official and court proceedings, information in connection with your professional functions and activities (so that we can, for example, conduct business with your company with your help) and information that we receive from third parties.information about you in correspondence and meetings with third parties, creditworthiness information (insofar as we conduct business with you personally), information about you provided to us by people close to you (family, advisors, legal representatives, etc.) so that we can conclude and process contracts with you.) so that we can conclude or process contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney, information on compliance with legal requirements, such as the fight against money laundering, information from banks, insurance companies, sales and other contractual partners of ours on the use or provision of services by you (e.g. payments made, purchases made).information from the media and the Internet about your person (insofar as this is indicated in the specific case, e.g. in the context of an application, marketing/sales, etc.), your addresses and, if applicable, interests and other socio-demographic data (for marketing), data in connection with the use of the websites.

Our website is hosted by WIX, based in Israel, which also processes the above data as a processor.

What happens when you use our website purely for information purposes?

If you use our website purely for information purposes, i.e. if you do not register as a user or otherwise transmit information, we collect the following data from you: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software. We receive this data via cookies and directly from your browser. The purpose of this processing is to provide our website and for statistical analysis. The legal basis for this is Art. 6 para. 3 FADP, Art. 6 para. 1 sentence 1 lit. f GDPR, according to which the processing of personal data is also possible without the consent of the data subject if the processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, in particular if the data subject is a child. The aforementioned purposes are in our interest. Insofar as we use cookies, we refer to our explanations under point 4.

​

2.1 Integration of third-party services and content

On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 3 DSG, Art. 6 para. 1 lit. f. DSGVO), we use content or service offers from third-party providers within our online offer in order to integrate their content or services, such as videos or map functions. GDPR) content or service offers from third-party providers in order to integrate their content and services, such as videos or map functions. The third-party providers may collect data about you, use cookies, embed additional third-party tracking services and record your interaction with this embedded content, including your interaction with the embedded content if you have an account and are logged in to this website.

​

2.2 What happens when you use our contact fields?

When you communicate with us via our contact fields, we collect the following data:

• Name,

• First name,

• Company name

• E-mail address,

• Subject and content of the message,

which you enter via the contact form.

As far as a specific contractual relationship is concerned, whether in connection with the initiation, execution or termination, the legal basis for the processing is Art. 6 para. 3 FADP, Art. 6 para. 1 lit. b GDPR. In this case, we store the data until the end of the statutory retention period. In all other cases, the legal basis is Art. 6 para. 3 FADP, Art. 6 para. 1 sentence 1 lit. f GDPR, according to which the processing of personal data is also possible without the consent of the data subject if the processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, in particular if the data subject is a child. Communication outside of a contractual relationship is in our mutual interest.

We store your data until the purpose resulting from the legitimate interest has been fulfilled.

​

2.3 What data do we process from you when you register as a user on our website?

If you have an account and you log in to this website, we will set a temporary cookie to determine whether your browser accepts cookies. This cookie does not contain any personal data and will be discarded when you close your browser.

When you log in, we will set up some cookies to store your login information and display options. Login cookies expire after two days and cookies for display options after one year. If you select "Stay logged in" when you log in, your login will be maintained for two weeks. When you log out of your account, the login cookies are deleted.

When you edit or publish an article, an additional cookie is stored in your browser. This cookie does not contain any personal data and only refers to the post ID of the article you have just edited. The cookie expires after one day.

For users who register on our website, we also store the personal information they provide in their user profiles. All users can view, change or delete their personal information at any time (the user name cannot be changed). Website administrators can also view and change this information.

​

2.4 How do we use Google Analytics?

1) We may use Google Analytics, a web analytics/tracking service provided by Google LLC ("Google"), on our websites/apps. Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, if IP anonymization is activated on this website, your IP address will be truncated by Google beforehand. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The service provider does not receive any personal data from us (and does not store any IP addresses), but can track your use of the website, combine this information with data from other websites that you have visited and which are also tracked by the service provider, and use these findings for its own purposes (e.g. control of advertising). If you have registered with the service provider yourself, the service provider also knows you. The processing of your personal data by the service provider is then the responsibility of the service provider in accordance with its data protection provisions. The service provider only informs us how our respective website is used (no information about you personally).

The legal basis and revocation option for this data processing is your consent, Art. 6 para. 1 sentence 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. We delete the data after 14 months at the latest.

(2) The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

(3) You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website/apps. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

(4) We use Google Analytics to analyze and regularly improve the use of our website. We can use the statistics obtained to improve our offer and make it more interesting for you as a user. Google LLC also processes your personal data in the USA and has therefore agreed to standard contractual clauses, according to which the transfer to the USA is justified after a risk assessment has been carried out ( Art. 16 para. 2 lit. d FADP, Art. 46 GDPR).

(5) Information from the third-party provider: Google LLC (formerly known as Google Inc.),1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Terms of use: http://www.google.com/analytics/terms/de.html, overview of data protection: https://policies.google.com/?hl=de and the privacy policy: https://policies.google.com/privacy?hl=de .

​

2.5 How do we use social media?

We maintain online presences within social networks and platforms in order to communicate with the customers, interested parties and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.

Unless otherwise stated in our privacy policy, we process the data of
users if they communicate with us within the social networks and platforms, e.g. write posts on our online presences or send us messages

We may also use plug-ins from social networks such as Facebook, Instagram, LinkedIn and WhatsApp on our website www.iguana-libre.com. This is visible to you in each case (typically via corresponding icons). We have configured these elements so that they are deactivated by default. If you activate them (by clicking on them), the operators of the respective social networks can register that you are on our website www.iguana-libre.com and where, and can use this information for their purposes. The processing of your personal data is then the responsibility of this operator in accordance with its data protection provisions. We do not receive any information about you from them.

​

2.6 How do we use Google Maps?

(1) We use the Google Maps service on our website www.iguana-libre.com. This allows us to show you interactive maps directly on the website and enables you to use the map function conveniently.

(2) By visiting our website and using Google Maps via our map link, Google receives the information that you have accessed the corresponding subpage of our website. In addition, the data mentioned under paragraph (3) is transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

(3) Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the provider's privacy policy. There you will also find further information on your rights in this regard and setting options to protect your privacy: https://safety.google/privacy/privacy-controls/ Google LLC also processes your personal data in the USA and has therefore agreed to standard contractual clauses according to which the transfer to the USA is justified after a risk assessment has been carried out (Art. 46 GDPR).

(4) The legal basis is Art. 6 para. 3 FADP, Art. 6 para. 1 sentence 1 lit. f GDPR, according to which the processing of personal data is also possible without the consent of the data subject if the processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, in particular if the data subject is a child. Here we refer to our interest in direct marketing in accordance with recital 47 GDPR. We delete the data as soon as the purpose no longer applies, at the latest if you object to the processing.

​

3. Purposes of data processing and legal basis

We primarily use the personal data we collect to conclude and process our contracts with our customers and business partners (Art. 6 para. 7 FADP, Art. 6 para. 1 lit. a GDPR), in particular in the context of initiating and concluding contracts with our customers and in the context of purchasing products and services from our suppliers and subcontractors, as well as to comply with our legal obligations in Switzerland and abroad. If you work for such a customer or business partner, your personal data may of course also be affected in this function.

In addition, we also process personal data of you and other persons for the following purposes, where permitted and where we deem it appropriate, in which we (and sometimes third parties) have a legitimate interest corresponding to the purpose:

• Offering and further developing our products and services, operating our website, app and other platforms on which we are present;

• Communication with third parties and processing their inquiries (e.g. applications, media inquiries);

• Examination and optimization of procedures for needs analysis for the purpose of direct customer contact and collection of personal data from publicly accessible sources for the purpose of customer acquisition;

• Advertising and marketing (including the organization of events), provided you have not objected to the use of your data (if we send you advertising as an existing customer, you can object to this at any time. We will then place you on a blocking list against further advertising mailings);

• Assertion of legal claims and defense in connection with legal disputes and official proceedings;

• Prevention and investigation of criminal offenses and other misconduct (e.g. conducting internal investigations, data analysis to combat fraud);

• guarantees of our operations, in particular IT;

If you have given us your consent to process your personal data for specific purposes, we will process your personal data within the scope of and based on this consent, unless we have another legal basis and require one. Consent that has been granted can be revoked at any time, but this has no effect on data processing that has already taken place.

​

4. Do we use cookies or comparable tracking technologies?

We typically use "cookies" and similar technologies on our website to identify your browser or device. A cookie is a small file that is sent to your computer or automatically stored on your computer or mobile device by the web browser you use when you visit our website or install our app. This enables us to recognize you when you return to this website or use our app, even if we do not know who you are. In addition to cookies that are only used during a session and are deleted after your visit to the website ("session cookies"), cookies can also be used to store user settings and other information for a certain period of time (e.g. two years) ("permanent cookies"). However, you can set your browser so that it rejects cookies, only stores them for one session or otherwise deletes them prematurely. Most browsers are preset to accept cookies. We use permanent cookies to save user settings (e.g. language, autologin) so that we can better understand how you use our offers and content. Some of the cookies are set by us, some are also set by contractual partners with whom we work. If you block cookies, certain functionalities (e.g. forms, login process) may no longer work.

By using our website and consenting to receive newsletters and other marketing e-mails, you agree to the use of these technologies. If you do not want this, you can set your browser or e-mail program accordingly and/or withdraw your consent.

​

5. To whom do we disclose the data and is it transferred abroad

Your personal data will be treated as strictly confidential and will not be sold to third parties. In order to fulfill our contracts or initiate contracts with you, it is sometimes necessary to involve third parties or processors.

As part of our business activities and for the purposes set out in section 3, we also disclose data to third parties or processors to the extent permitted and deemed appropriate, either because they process it for us to fulfill our contracts or because they want to use it for their own purposes ( Art. 9, 19 FADP, Art. 13 No. 1 lit. e GDPR). This applies in particular to the following bodies:

• Service providers of ours (external partners such as tax consultants, auditors, banks, insurance companies), including contract processors (such as IT providers);

• Dealers, suppliers, subcontractors and other business partners;

• domestic and foreign authorities, official bodies or courts (where required by law);

• other parties in potential or actual legal proceedings (where required by law);

all recipients together.

These recipients are partly in Switzerland and partly abroad. Your data may be transferred to the following countries outside Switzerland in which our contractual partners are located, in which we are represented or to foreign authorities or companies in exceptional cases (where required by law):

​

Contractual partner, authority or company                              Country                                                    Guarantee or exception according to DSG

Microsoft Enterprise Service Privacy                                             USA                                                           Standard contractual clauses

Google Ireland Limited (incl. YouTube)                                          Ireland (data transfer: USA)             Standard contractual clauses

Facebook Ireland Ltd. (incl. Instagram)*                                       Ireland (data transfer: USA)            Standard contractual clauses

WhatsApp Ireland Limited                                                                  Ireland (data transfer: USA)            Standard contractual clauses

LinkedIn Ireland Unlimited Company                                              Ireland (data transfer: USA)            Standard contractual clauses

Hosting company WIX                                                                          Israel                                                       Standard contractual clauses

​

If we transfer data to a country without adequate statutory data protection, we ensure, as required by law, that the data is protected in accordance with a risk analysis and by using appropriate contracts (namely on the basis of the so-called standard contractual clauses of the European Commission, which are available at

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF

and

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001D0497:DE:HTML

or the model contracts of the Federal Data Protection and Information Commissioner at www.edoeb.admin.ch ) or so-called Binding Corporate Rules for an adequate level of protection or rely on the legal exceptions of consent, contract processing, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or because it is necessary to protect the integrity of the data subjects (see Art. 19 para. 4 FADP, Art. 13 no. 1 lit. f GDPR). You can obtain a copy of the aforementioned contractual guarantees at any time from the contact person named under point 1, unless already stated above. However, we reserve the right to redact copies for reasons of data protection or confidentiality or to provide only excerpts.

​

6. How long do we store personal data? (Art. 25 para. 2 FADP, Art. 13 no. 2 lit. a GDPR)

We process and store your personal data for as long as is necessary for the fulfillment of our contractual and legal obligations or otherwise for the purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, execution to the termination of a contract) as well as beyond that in accordance with the statutory retention and documentation obligations (generally 10 years for business books, accounting records and VAT-relevant receipts, 20 years or longer for certain documents). It is possible that personal data may be retained for the period during which claims can be asserted against our company and insofar as we are otherwise legally obliged to do so or legitimate business interests require this (e.g. for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymized as far as possible. For operational data (e.g. system protocols, logs), shorter retention periods of twelve months or less generally apply.

​

7. Do we guarantee sufficient data security?

We take appropriate technical and organizational security precautions to protect your personal data from unauthorized access and misuse, such as IT and network security solutions, access controls and restrictions, storage of data carriers and, if necessary, physical data material under lock and key, and encryption of data carriers and transmissions.

We always endeavor to ensure that no data breaches occur. Should a data breach nevertheless occur, we ensure that we recognize such a data breach at an early stage and, if necessary, report it immediately to you or the responsible supervisory authority (for Switzerland: Federal Data Protection and Information Commissioner), taking into account the respective data categories that are affected.

​

8. Is there an obligation to provide personal data (Art. 19 FADP, Art. 13 no. 2 lit. e GDPR)

As part of our business relationship, you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfillment of the associated contractual obligations (as a rule, you do not have a legal obligation to provide us with data). Without this data, we will generally not be able to conclude or execute a contract with you (or the entity or person you represent). The website can also not be used if certain information to secure data traffic (such as IP address) is not disclosed.

​

9. What rights do you have as a data subject?

You have the right to information, correction, deletion, the right to restrict data processing and otherwise to object to our data processing as well as to the disclosure of certain personal data for the purpose of transfer to another body (so-called data portability) within the framework of the data protection law applicable to you and to the extent provided for therein:

• For persons domiciled or resident in Switzerland: Federal Act on Data Protection pursuant to Art. 25 et seq. DSG;

• For persons domiciled or resident in the EU/EFTA: Art. 13 no. 2 lit. b GDPR .

Please note, however, that we reserve the right to assert the restrictions provided for by law, for example if we are obliged to store or process certain data, have an overriding interest in doing so (insofar as we are entitled to invoke this) or require it for the assertion of claims. If you incur costs, we will inform you in advance. We have already informed you about the possibility of withdrawing your consent in section 3. Please note that exercising these rights may conflict with contractual agreements and may have consequences such as premature termination of the contract or cost consequences. We will inform you in advance if this is not already contractually regulated.

If you wish to invoke your rights, we ask you to submit your request in such a way that we can clearly prove your identity (by providing your personal details and enclosing a copy of your ID or by using alternatives that clearly identify you).

Every data subject also has the right to enforce their claims in court or to lodge a complaint with the competent data protection authority ( Art. 49 FADP, Art. 13 No. 2 lit. d GDPR). The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

​

10. Changes

We may amend this privacy policy at any time without prior notice. The current version published on our website shall apply. If the privacy policy is part of an agreement with you, we will inform you of the change by e-mail or other suitable means in the event of an update.

​

11. Entry into force

This privacy policy comes into force on November 1, 2023.

Zurich, November 1, 2023