Privacy Policy

By means of this privacy policy, we inform you about the personal data (hereinafter referred to as “Personal Data”) processing when using the ARTEL App. Personal data means information that relates to an identified or identifiable person. This includes, above all, information that allows direct conclusions to be drawn about your identity, for example your name or your e-mail address. However, certain identifiers such as your IP address or the Firebase installation ID, trough which you may only indirectly be identified, are also personal data. As regards data protection, we are primarily guided by the legal requirements of Swiss data protection law, in particular the Federal Act on Data Protection (“FADP”), and the EU General Data Protection Regulation (“GDPR”), the provisions of which may be applicable in individual cases.

Content of this Privacy Policy

1. Controller, Contact Person and Data Protection Officer
2. Contact
3. Data Processing before and during Use of the App
3.1 App installation
3.2 Connection data
3.3 App permissions
3.4 Registration for use and login to the App
3.5 Logfiles
3.6 Bookings
3.7 Image upload for The Frame
3.8 Stripe
3.9 Hetzner Online GmbH
3.10 Seven communications
3.11 Glutz
4. Disclosure of Data
5. Data Transfer to Third Countries
6. Storage Period
7. Your Rights, in particular Withdrawal and Objection
8. Changes to the Privacy Policy

1. Controller, Contact Person and Data Protection Officer

When using this App within the meaning of the General Data Protection Regulation (GDPR), the contact person, and so-called controller for the processing (hereinafter referred to as “Processing”) of your personal data, is:
‍ARTEL AG
‍Dolderstrasse 107
CH-8001 Zurich
Switzerland
If you have any questions or suggestions on the subject of data protection, please do not hesitate to contact us. You are welcome to send your data protection concerns by e-mail to datenschutz@artel.travel. You may also find our full contact details in our legal notice under:

2. Contact

You have the possibility to get in contact with us. In this regard, we process your data exclusively for the purpose of communicating with you. The legal basis for processing is Article 6(1)(f) GDPR. Our legitimate interest is for you to contact us and for us to be able to respond to your enquiry.

3. Data Processing before and during Use of the App

3.1 App installation

In order to download and install our App from an app store, you shall first register with the provider of the respective app store (e.g. Apple App Store or Google Play) with an account and conclude a corresponding user agreement. We have no influence on this, in particular we are not a party to such a user agreement.
When downloading and installing the App, the necessary information is transmitted to the respective app store, in particular your name, your e-mail address and the number of your account, the time of the download, payment information and the individual device identifier.
‍
We have no influence on this data collection and we are not responsible for it. We only process this provided data insofar as this is necessary for downloading and installing the App on your mobile end-device (e.g. smartphone, tablet). Beyond that, this data is not stored any further.
‍
The legal basis for data processing in our area of responsibility is Article 6(1)(f) GDPR. Our legitimate interest is to enable the provision of the App. For data processing, which is the sole responsibility of the app store operator, we refer to their privacy policies:

Our App may be found in the app stores at the following addresses:

Google Play:
Apple App Store:

3.2 Connection data

When you use the App, we process connection data that your App automatically transmits to enable you to use it. This connection data comprises the so-called HTTP header information, including the user agent, and includes in particular:

IP address of the requesting end-device;
method (e.g. GET, POST), as well as date and time of the request;
address and path of the requested files;
previously accessed addresses (HTTP referrers), if applicable;
information about the operating system (designation and version, e.g. “Android 11” or “iOS 15”);
information of the app (name, version, app ID);
version of the HTTP protocol, HTTP status code, size of the delivered file;
request information such as language, type of content, encoding of content, character sets.

The processing of this access data is absolutely necessary in order to technically enable the functions of the App, to ensure the long-term functionality, availability and security of our systems, as well as for the general administrative maintenance of our App.
‍
The connection data is also stored in internal server log files for the purposes described above, temporarily and limited to the most necessary content, in order to find the cause of and take action against repeated or criminal intentions that may endanger the stability and security of our App or our internal systems and servers.
‍
In addition, log files are sometimes automatically created on your device by your mobile end-device, which may contain various information of a technical nature (such as the type of message, date and time of the message, trigger of the message (e.g. an error, an app call), app used, indication of the content of the message). This is necessary for technical reasons so that the App works properly and you are able to use the services you want.
‍
The legal basis is Article 6(1)(f) GDPR. Our legitimate interest is to enable the provision and functions of the App and to ensure the long-term functionality and security of our systems.

3.3 App permissions

When installing or using our App, permissions of the end-device may be requested on a technical level. This includes in particular the following App permissions:

Retrieving data from the internet (e.g. for loading profile data and, if applicable, profile pictures of you and other participants);

Basically, these App permissions are necessary to provide our App. Access to and storage of information in the end-device is absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 2 TTDSG [German Telecommunications-Telemedia Data Protection Act]. The legal basis for the processing of personal data is then Article 6(1)(f) GDPR. Our legitimate interests are to enable the provision and basic functions of the App.
‍
These permissions are not a consent in the sense of data protection law. Insofar as, on the basis of the permissions granted, information is stored or read out in the end-device, which is not absolutely necessary for the provision of the App, or personal data is processed even if processing is not based on our legitimate interests, we shall obtain your consent separately. This is done on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 1 TTDSG, or for the processing of personal data according to Article 6(1)(a) GDPR.

3.4 Registration for use and login to the App

Use of the App is voluntary. After registering for an event, you will receive an e-mail with a personalised link to register for using the App. You may then log in to the App with your account after installation. We have highlighted the data that you are required to enter by marking them as mandatory fields. Registration is not possible without this data. The following data may be processed in the course of registration:

Title;
First and last name;
E-mail address;
Password.

The legal basis for the data processing described is Article 6(1)(b) GDPR. Registration is a required pre-contractual measure for booking ARTELs.

3.5 Logfiles

Each time you use our App, we collect access data that our App automatically transmits to enable you to use it. The access data includes in particular:

Time (date and time) of the API request;
Agent Info (e.g. browser name or app);
Header information (app version, app platform, app language);
Request method (GET, POST, PUT, etc.);
Request URL of the resource;
Reply HTTP status code.

The data processing of this access data is absolutely necessary to enable the use of our App, to ensure the long-term functionality and security of our systems as well as for the general administrative maintenance of our App. The aforementioned data is also automatically stored temporarily in internal log files for the purposes described above, for example in order to find the cause of and take action against repeated or criminal intentions that may endanger the stability and security of our App. The log files are stored for 30 days and then deleted.
‍
Exceptionally, individual log files and IP addresses are retained longer in order to prevent further attacks from this IP address in the event of cyber attacks and/or to take action against the attackers by way of criminal prosecution.
‍
With Flutter Apps (Android / iOS), log files are automatically created on your device, which may contain various information of a technical nature (such as the type of message, date and time of the message, trigger of the message (e.g. an error, an app call), app used, indication of the message content). This is necessary for technical reasons so that the App works properly and you are able to use the services you want. These log files are evaluated exclusively for the detection and treatment of possible errors or crashes, provided that the device is physically available to the developers.
‍
The legal basis is Article 6(1), sentence 1(b) GDPR, if the App is used in the course of initiating or performing a contract, and otherwise Article 6(1), sentence 1(f) GDPR due to our legitimate interest in enabling the use of the App as well as the long-term functionality and security of our systems.

3.6 Bookings

Our website uses the services of Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, Germany for the administration and booking of ARTELs. Smoobu is a software for landlords of holiday homes. The ARTELs on offer may be reserved and paid for via Smoobu’s booking function.
‍
Within the booking process, cookies may be set by Smoobu, e.g. to analyse user behaviour and to make the offer more user-friendly and effective. The cookies used include so-called “session cookies”, which are automatically deleted after the end of your visit. You may deselect or delete other cookies via the settings in your browser.
‍
The personal data collected when booking is necessary to enable the booking process.
‍
During the booking process, we collect the mandatory data required for the processing of the contract:

First and last name;
Date of birth;
E-mail address;
Billing and shipping address;
Payment information;
Period of stay;
Number of guests;
Selected ARTEL;
Booking date and time.

The indication of the telephone number is optional, so that we may contact you in case of further inquiries also on this way. The legal basis of the processing is Article 6(1)(b) GDPR.
‍
The legal basis for processing is Article 6(1)(b) GDPR, as the booking process is a pre-contractual measure.

3.7 Image upload for The Frame

When you upload an image via the App to be displayed via The Frame, processing of that image takes place on our servers.
‍
As soon as the booking period of your stay begins, the images shall be displayed on The Frame via our system. After your booking period has expired, the images will no longer be available on The Frame. Your images remain on our servers as long as you have not deleted the images via our App.
‍
The legal basis for the data processing is Article 6(1)(b) GDPR, as the processing of the image in our IT infrastructure is necessary for the performance of the contract.

3.8 Stripe

Stripe is an external payment service provider whose services we use to receive and process payments made to us, on our behalf. We do not retain personally identifiable information or financial information such as credit card numbers. Instead, the payment data (in particular contact and transaction data such as credit card details or bank account details) is passed through directly to Stripe.
‍
Stripe also processes the data to detect and prevent abusive financial transactions, to implement legal requirements in the financial sector and to analyse, develop and improve its products. This processing of your personal data by Stripe is governed by their privacy policy: https://stripe.com/privacy.
‍
The data processed includes, in particular, communication data (IP address, device identifier, operating system details).
‍
The legal basis is Article 6(1)(b) GDPR, in order to fulfil the payment within the framework of a contract with you, and otherwise Article 6(1)(f) GDPR, whereby the use of an external payment service provider is based on our legitimate interest in being able to offer you an additional payment option with Stripe.
‍
The data processing by Stripe partly takes place on servers in the USA. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with Stripe in accordance with Article 46(2)(c) GDPR.
‍
For further information and guidance on data processing under Stripe’s own responsibility or for Stripe’s own purposes, please refer to Stripe’s privacy policy: https://stripe.com/privacy.

3.9 Hetzner Online GmbH

The App is made available on the server of Hetzner Online GmbH,
Industriestr. 25, 91710 Gunzenhausen, Germany.
‍
Hetzner Online GmbH processes technical connection data of the server access to monitor the technical function and to increase the operational security of our web server, delivery and provision of the ARTEL App and anonymisation and creation of statistics.
‍
The legal basis for this processing is Article 6(1)(b) GDPR, as the hosting is a pre-contractual measure.

3.10 Seven communications

We use the seven.io service provided by seven communications GmbH & Co. KG (hereinafter referred to as “seven.io”), Willestr. 4-6, 24103 Kiel, Germany.

Via seven.io, we may send you emails and/or text messages relating to the use of your ARTEL app user account, including for the purpose of activating or deleting the user account, resetting the password or communicating access codes.

For this purpose, we process your first and last name as well as the phone number and e-mail address that you have entered in the ARTEL app.

The legal basis for this data processing is Article 6(1)(b) GDPR, since contact by email and SMS is necessary for the performance of the contract.

seven.io acts exclusively as a service provider and does not process any personal data for its own purposes. Information on data protection at seven.io can be found at: https://www.seven.io/de/unternehmen/datenschutz/.

3.11 Glutz

We use a digital locking system from Glutz AG, Segetzstrasse 13, 4502 Solothurn, Switzerland to open and lock our ARTELs. The digital locking system used allows the door to be opened by means of a digital key via Near Field Communication, which is provided for your end-device, or alternatively via a six-digit PIN code. Both digital key and PIN code are only valid for the booking period. Log files are created when using digital key or PIN code. These log files record which digital key or PIN code was used. These log files are stored in the cloud at Glutz.
‍
The legal basis is Article 6(1)(b) GDPR, since the use of the locking system serves the fulfilment of the contract.

4. Disclosure of Data

The data we collect shall only be passed on if there is a legal basis for this under data protection law in the specific case, in particular if:

according to Article 6(1)(a) GDPR, you have given your express consent to this,
the transfer is necessary according to Article 6(1)(f) GDPR for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
we are legally obliged to disclose data according to Article 6(1)(c) GDPR, in particular if this is necessary for legal prosecution or enforcement due to official requests, court decisions and legal proceedings, or
this is legally permissible and required in accordance with Article 6(1)(b) GDPR for the processing of contractual relationships with you or for taking steps prior to entering into a contract, that take place at your request.

Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include, in particular, data centres that store our App and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting companies. Should we disclose data to our service providers, they may use the data solely for the fulfilment of their tasks. The service providers were carefully selected and commissioned by us. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects, and are regularly monitored by us.

5. Data Transfer to Third Countries

As explained in this privacy policy, we also use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision for these countries (Article 45 GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the European Union’s standard contractual clauses and binding data protection corporate rules.
‍
Where this is not possible, we base the data transfer on exceptions of Article 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for taking steps prior to entering into a contract.
‍
Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the relevant third country (e.g. intelligence services) may gain access to the transferred data to collect and analyse it and that enforceability of your data subject rights may not be guaranteed. You shall also be informed of this when your consent is obtained.
‍
Switzerland is one of the countries for which the EU Commission has determined that they have an adequate level of data protection (Adequacy Decision).
‍
For Switzerland: Some of the recipients to whom we disclose personal data may be located abroad. Insofar as this is the case and no exception applies, including in particular your consent or the necessity of the disclosure for the fulfilment of the contract and that Federal Council has not determined that adequate protection is guaranteed for these countries, we have taken appropriate precautionary measures to ensure appropriate data protection for any data disclosures abroad. These include standard data protection clauses that have been approved, issued or recognised in advance by the Federal Data Protection and Information Commissioner or binding internal company data protection regulations that have been approved.

6. Storage Period

In principle, we only store personal data for as long as is necessary to fulfil the purposes for which we collected data. We then erase the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes regarding claims under civil law, due to statutory retention obligations or unless there is another legal basis under data protection law for the continued processing of your data in the specific individual case.
‍
For evidence purposes, we shall retain in particular contract data for three years from the end of the year in which the business relationship with you ends. Any claims shall become statute-barred at the earliest on this date in accordance with the standard statutory limitation period.
‍
Even after that, we still shall store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The time limits specified there for the retention of documents are two to ten years.

7. Your Rights, in particular Withdrawal and Objection

You are entitled, at any time and subject to the respective legal requirements, to the rights set out in Article 7(3), Articles 15-21 and Article 77 of GDPR:

Right to withdraw your consent (Article 7(3) GDPR);
Right to object against the processing of your personal data (Article 21 GDPR);
Right to information about your personal data processed by us (Article 15 GDPR);
Right to rectification of your personal data stored by us that is incorrect (Article 16 GDPR);
Right to erasure of your personal data (Article 17 GDPR);
Right to restriction of your personal data processing (Article 18 GDPR);
Right to data portability of your personal data (Article 20 GDPR);
Right to lodge a complaint with a supervisory authority (Article 77 GDPR).

In order to assert your rights described here, you may contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees demonstrating an adequate level of data protection. Provided that the respective legal requirements are met, we shall comply with your data protection request.
‍
Your enquiries regarding the assertion of data protection rights and our responses to them shall be stored for documentation purposes for a period of up to three years and, on a case-by-case basis, for longer should legal claims be asserted, exercised or defended. The legal basis is Article 6(1)(f) GDPR, based on our interest in defending against any civil claims under Article 82 GDPR, avoiding fines under Article 83 GDPR and fulfilling our accountability obligations under Article 5(2) GDPR.

You have the right to withdraw consent once given to us at any time. This lead to the consequence that we shall no longer continue the data processing based on this consent for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
‍
Where we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your specific situation. If you object to the processing of data for direct marketing purposes, you have a general right to object, which will also be implemented by us without giving reasons.
‍
If you wish to exercise your right of withdrawal or objection, it is sufficient to send an informal message to the above contact details.

Finally, you have the right to complain to a data protection supervisory authority. You may exercise this right, for example, with a supervisory authority in the Member State of your residence, workplace or the place of the alleged infringement. In Zurich, where our registered office is located, the competent supervisory authority is the Federal Data Protection and Information Commissioner FDPIC, Feldeggweg 1, CH - 3003 Bern, Switzerland.

8. Changes to the Privacy Policy

We occasionally update this privacy policy, for example, when we adapt our App or when legal or regulatory requirements change.

Version: 1.0 / As of: August 2023