Privacy Policy
1. Controller
The controller responsible for data processing on this website is:
Swiss Travel System AG
Lagerstrasse 33
CH-8004 Zürich
travelswitzerland.com
Email: info(at)travelswitzerland.com
If you have any questions about this Privacy Policy or the processing of your personal data, please contact us using the details above.
Data Protection Officer:
Swiss Travel System AG
Datenschutz
Lagerstrasse 33
CH-8004 Zürich
Email: services(at)travelswitzerland.com
2. Scope
This Privacy Policy explains how we process personal data when you visit our website, use our online services, submit forms, subscribe to our newsletter, or otherwise interact with us online.
This website is primarily intended for business partners and industry users in the travel sector. However, this Privacy Policy also applies to private individuals who access the website.
3. Categories of personal data
Depending on how you use our website, we may process the following categories of personal data:
Technical and access data: IP address, browser type and version, device type and operating system, language settings, referrer URL, date and time of access, pages visited, and server log data.
Usage and behavior data: Page views, clicks, scroll behavior, session duration, heat maps, screen recordings, and approximate geolocation derived from IP-based tools.
Communication data: Information you provide when submitting a sponsorship inquiry or otherwise contacting us.
Newsletter data: Email address, subscription status, time of registration, double opt-in confirmation, and interaction data (e.g. opens and clicks).
Consent and preference data: Whether and when you have given or withdrawn consent via our consent management platform, and your preferences regarding cookies and tracking.
Bot protection data: Technical data processed to verify that an interaction is performed by a human user.
4. Purposes and legal bases
4.1 Website delivery and security
We process technical data and server log information to operate the website, ensure its stability, prevent misuse, and resolve technical issues.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in the secure and reliable operation of the website.
4.2 Consent management
We use a consent management platform (OneTrust) to record and manage your consent preferences and to document consent for accountability purposes.
Legal basis: Article 6(1)(c) GDPR for compliance obligations; Article 6(1)(f) GDPR for managing consent records.
4.3 Analytics and website optimization
Subject to your consent, we process usage data to understand how visitors interact with our website, improve content and usability, and optimize our services.
Legal basis: Article 6(1)(a) GDPR — consent.
4.4 Marketing and reach measurement
Subject to your consent, we process data using marketing measurement tools to analyze the effectiveness of campaigns and better understand our reach.
Legal basis: Article 6(1)(a) GDPR — consent.
4.5 Contact and sponsorship requests
When you submit a sponsorship inquiry, we process the data you provide to handle your request and communicate with you.
Legal basis: Article 6(1)(b) GDPR where the inquiry relates to pre-contractual measures; otherwise Article 6(1)(f) GDPR — legitimate interest in handling business inquiries.
4.6 Newsletter
When you subscribe to our newsletter, we process your email address and subscription data to send you newsletters and measure performance.
If you subscribe to our newsletter, we use a double opt-in process. You will receive a confirmation email containing a link you must click to verify your subscription. We retain a record of the registration and confirmation as evidence of valid consent.
You may unsubscribe at any time using the unsubscribe link at the bottom of any newsletter. The lawfulness of processing before withdrawal remains unaffected.
Legal basis: Article 6(1)(a) GDPR — consent. You may withdraw your consent at any time using the unsubscribe link in any newsletter.
4.7 Video content (YouTube)
Our website embeds videos from YouTube (operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). We use a two-click solution: no connection to YouTube's servers is made when you first load a page. Only when you actively click on the video player is a connection to YouTube established and data — including your IP address and information about the page you are viewing — transmitted to Google/YouTube.
Please note: Even though no data is transmitted on page load, you should be aware that activating the video player constitutes a transfer of data to Google, which may include servers in the United States.
Legal basis: Article 6(1)(a) GDPR — consent.
For more information on how Google processes personal data, please refer to Google's Privacy Policy: https://policies.google.com/privacy
5. Cookies and similar technologies
We use cookies and similar technologies on our website. Some are technically necessary for the operation of the website, while others are used for analytics, marketing, or preference management.
Non-essential cookies and similar technologies are only placed or activated if you have given your prior consent through our consent management platform (OneTrust).
You can view, adjust, or withdraw your consent at any time via the cookie settings available on this website.
6. Services and recipients
6.1 Hosting and infrastructure
Netlify, Inc.
Website hosting and deployment.
Hostpoint AG
Hosting of certain supporting services, including form handling and video delivery. Hostpoint's data centers are located in Switzerland.
Cloudflare, Inc.
Content delivery network (CDN) and DNS services. For this website, Cloudflare is used without reverse proxying, meaning visitor IP addresses are not masked by Cloudflare on the origin server.
6.2 Consent management
OneTrust LLC
We use OneTrust to manage cookie and tracking consent, store user preferences, and document consent records.
6.3 Bot protection
Friendly Captcha GmbH
We use Friendly Captcha to protect our website forms from automated abuse and spam. Friendly Captcha is a privacy-friendly alternative to traditional CAPTCHA services and does not use behavioral tracking or require the user to solve visual puzzles.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in protecting our services from misuse.
6.4 Analytics tools
The following analytics tools are used subject to your consent. They are loaded via Google Tag Manager only after the relevant consent has been granted.
Google Analytics (Google Ireland Limited)
Web analytics service for measuring website usage, traffic sources, and user behavior.
Microsoft Clarity (Microsoft Ireland Operations Limited)
Behavioral analytics including heatmaps and session recordings.
Matomo (self-hosted, on-premise)
Open-source web analytics software hosted on our own servers. No data is shared with Matomo.org or third parties. Because Matomo is self-hosted, personal data processed by this service remains within our infrastructure.
Hotjar Ltd.
Behavioral analytics, heatmaps, and session recordings.
6.5 Tag management
Google Tag Manager (Google Ireland Limited)
We use Google Tag Manager to manage and deploy scripts and tracking tags on our website. Google Tag Manager itself does not set cookies or collect personal data for its own purposes, but it activates other services that may do so. Non-essential tags are only fired after the relevant consent has been granted.
6.6 Marketing measurement
LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company)
Subject to your consent, we use the LinkedIn Insight Tag to measure the reach and effectiveness of LinkedIn campaigns and to analyze website interactions.
6.7 Newsletter
CleverReach GmbH & Co. KG
We use CleverReach to manage newsletter subscriptions and send newsletters. When you subscribe, your email address and related data are transmitted to and processed by CleverReach.
6.8 Video content
YouTube (Google Ireland Limited)
Our website embeds videos from YouTube using a two-click solution. No data is transmitted to YouTube until you actively click the video player. Upon activation, your IP address and technical request data are transmitted to Google/YouTube servers, which may include servers outside the European Economic Area.
6.9 Digital publications
Yumpu (i-magazine AG)
We embed digital publications (e.g. brochures, magazines) on our website using the Yumpu platform, operated by i-magazine AG, Gewerbestrasse 3, 9444 Diepoldsau, Switzerland.
When you access a page containing a Yumpu reader, a connection to Yumpu's servers is established. Yumpu may process technical data including your IP address, browser information, and usage data in order to display the publication.
Yumpu is headquartered in Switzerland. Switzerland has been recognized by the European Commission as a country providing an adequate level of data protection pursuant to Article 45 GDPR. No additional transfer mechanism is therefore required.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in providing accessible digital publications; or Article 6(1)(a) GDPR — consent, if Yumpu is loaded via the consent management platform.
7. International data transfers
Some of the service providers listed in this Privacy Policy are based in the United States or process personal data on servers located in the United States or other third countries outside the European Economic Area.
Where personal data is transferred to a third country, we ensure that appropriate safeguards are in place as required by Chapter V GDPR, in particular:
an adequacy decision by the European Commission, where applicable;
EU Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR;
or the EU-US Data Privacy Framework (DPF), where the recipient is certified.
The relevant transfer mechanism for each provider is documented in the respective Data Processing Agreement. You can request further information by contacting us as described in Section 1.
8. Forms and communication
Our sponsorship inquiry form transmits the data you enter to our hosting infrastructure (Hostpoint), where it is processed and forwarded by email to the responsible team. Form submissions are not stored in a dedicated website database.
Please note that email communication may not always be fully secure. We recommend that you do not transmit sensitive personal data via the contact form unless necessary.
9. Log data and retention
When you access our website, our hosting providers (Netlify, Hostpoint) automatically collect server log data, including IP addresses, access times, requested URLs, referrer information, status codes, and browser data.
This data is used to ensure technical operation, detect errors, and maintain security. It is not combined with other personal data for identification purposes, unless this is required in the context of a specific security incident.
Log data is retained for the default retention periods of the respective hosting provider, unless a longer retention period is required for security or legal reasons.
10. Retention periods
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law:
Consent records are retained for the duration of the consent relationship and for as long as necessary to fulfill accountability obligations.
Newsletter subscription data is retained until you unsubscribe or withdraw consent, unless statutory retention requirements apply.
Sponsorship inquiry data is retained for the duration of the communication and any follow-up, and thereafter for the statutory retention period applicable to business correspondence.
Analytics and marketing data is retained in accordance with the settings of the respective service and your consent choices.
Log data is retained for the default periods of the hosting providers.
11. Your rights
If the GDPR applies to the processing of your personal data, you have the following rights:
Right of access (Article 15 GDPR)
Right to rectification (Article 16 GDPR)
Right to erasure (Article 17 GDPR)
Right to restriction of processing (Article 18 GDPR)
Right to data portability (Article 20 GDPR)
Right to object (Article 21 GDPR)
Right to withdraw consent at any time with effect for the future (Article 7(3) GDPR)
Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
To exercise your rights, please contact us using the details provided in Section 1.
Supervisory authority: You may lodge a complaint with any EU data protection supervisory authority. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch
12. Right to object
Where we process your personal data based on legitimate interests under Article 6(1)(f) GDPR, you have the right to object at any time on grounds relating to your particular situation.
If personal data is processed for direct marketing purposes, you may object at any time without giving reasons.
13. Automated decision-making and profiling
We do not use automated decision-making within the meaning of Article 22(1) GDPR that produces legal effects or similarly significant effects on you.
Certain analytics tools may process behavioral data in an aggregated or pseudonymized way for statistical purposes. This does not constitute automated decision-making in the sense of Article 22 GDPR.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, our services, or our data processing practices. The current version of this Privacy Policy is always available on this page. We recommend that you review this page periodically to stay informed about how we protect your data.
The date of the most recent update is indicated at the top of this Privacy Policy.
Sign up for our Trade Newsletter
Our regular newsletter for the travel trade industry contains the latest sales and product updates regarding Swiss public transport. Sign up and receive our newsletter four times a year.