Privacy Policy explanation of Guggach AG

(translated from german version, relevant is the german version)

Guggach AG (Guggach Apartments or Guggach Apartôtel), Hofwiesenstrasse 135, 8057 Zurich (hereinafter referred to as "we" or "us") operates a house with furnished serviced apartments in Zurich. In addition, we rent out apartments and commercial premises in other properties. Guggach AG is the operator of the website www.guggach.com. Therefore we are responsible for the collection and processing of personal data.

Your trust is important to us. That is why we take the issue of data protection seriously and ensure the appropriate treatment and security of your data. Of course, we comply with the legal provisions of the revised Data Protection Act of Switzerland (revDSG of 1.9.2023) and where applicable additionally to the European Data Protection Regulation DSGVO.

This declaration is intended to make our data processing and its purpose transparent to you and to inform you accordingly. Furthermore, the data processing and your rights are listed:

1. What data processing takes place?

1.1 Use of the website

1.1.1 Log data on web server

The use of most websites is possible for anyone worldwide without login or registration. This data includes the IP address and the operating system of your device, the data, the access time, the type of browser and the browser request including the origin of the request (referrer). These are automatically deleted after 6 months.

The data is used internally for forensic investigations in the event of hack attacks or for other security-related analyses. In this way, we guarantee the security of your data on our systems and ensure that in cases of suspicion, countermeasures are quickly taken to protect your data. At the same time, anonymous page usage statistics are created from this data.

The lawfulness of this processing results from Art. 6 para. 1 lit. f DSGVO.

1.1.2. Cookies, Google Analytics, Google Maps

a) Cookies:

Our web system creates its own session cookie. This is technically necessary, for example, to send the correct filter result or form back to your browser. This session cookie is automatically deleted after a short time.

b) Google Analytics

We use Google Analytics to analyze website usage. The data obtained from this is used to optimize our website as well as advertising measures.

Google Analytics is provided to us by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google processes website usage data on our behalf and is contractually committed to measures to ensure the security and confidentiality of the data processed.

  • Pages accessed
  • The achievement of "website goals" (for example, contact inquiries or bookings)
  • Your behavior on the pages (for example, dwell time, clicks,)
  • Your approximate location (country and city)
  • Your IP address (in shortened form, so that no clear assignment is possible)
  • Technical information such as browser, Internet provider, terminal device and screen resolution
  • Source of origin of your visit (i.e. via which website or advertising medium you came to us)

Personal data such as name, address or contact details are never transferred to Google Analytics.

This data is transferred to Google servers in the USA. We would like to point out that the same level of data protection cannot be guaranteed in the USA as within the EU.

Google Analytics stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID with which you can be recognized during future website visits.

The information transfer to Google only takes place if you as a user agree to the cookie banner and consent to the action. We thank you if you allow Google Analytics and thus help to improve the site structure.

The legal basis for processing the data for this purpose is your consent in accordance with Art. 6 para. 1 lit. a DSGVO. The consent can be revoked at any time with effect for the future.

c) Google Maps

We use Google Maps API (Application Programming Interface, "Google Maps") from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on our website for the visual display of geographical information (location maps). By using Google Maps, information about the use of our website, including your IP address, is transmitted to a Google server in the USA and stored there.

The legal basis for processing the data for this purpose is our legitimate interest according to Art. 6 para. 1 lit. f DSGVO.

d) Google Ads Remarketing

We use Google Ads Remarketing on our website. Google Ads Remarketing is an online advertising program of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). In this context, we use the remarketing function. This allows us to use cookies to present users of our website with advertisements based on their interests. For this purpose, the user's interaction on our website is analyzed, e.g. which offers the user was interested in, in order to be able to display targeted advertising to users on other pages even after they have visited our website. The cookies used serve to uniquely identify a web browser on a specific computer and not to identify a person. According to Google, no personal data is stored.

The legal basis for processing the data for this purpose lies in your consent according to Art. 6 para. 1 lit. a DSGVO. The consent can be revoked at any time with effect for the future.

1.1.3 Use contact form

You can communicate with us via a contact form your request on the website. The form contains the following information (* = mandatory): Reason for contact, title*, surname*, first name, street, postcode/city*, email address*, telephone number, message*. The form will be sent to us by e-mail.

We use the data only to be able to give you the best possible answer. The processing of this data is therefore necessary within the meaning of Art. 6 para. 1 lit. b DSGVO for the implementation of pre-contractual measures or is in our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO.

1.1.4. Booking on our website

For booking we need the same information as for the contact form plus additionally the move-in and move-out date, date of birth, nationality, language and name of additional persons in the apartment. In addition, the indication that the terms and conditions have been read and that you agree with the data processing.

The purpose of the data is the preparation of the accommodation contract and the preparation of the invoice. The legal basis is the fulfillment of the contract according to Art. 6 para. 1 lit. b DSGVO.

1.2 Contact / booking by correspondence, by phone or in person on site

You have the option to contact us by phone, letter or in person and ask us questions about bookings or services or book directly.

We collect only those personal data that you disclose to us. Consequently, you are responsible for the content of your communication and it is up to you what information you provide to us. We recommend that you do not submit sensitive information. In order to answer your questions, we may ask you to provide us with additional information (e.g., your address, email address, etc.). We will only collect the personal data from you that is necessary to answer your questions or to provide the services you have requested.

If you wish to make a booking in this way, we require the data according to point 3 Data in connection with your stay.

In the processing of your telephone inquiry is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.

1.3. Data processing related to your stay in an apartment

a) Data processing for the fulfillment of legal registration obligations

At the latest upon arrival at our apartment house, we require the following data from you and your accompanying persons: First name, last name, current domicile address, date of birth, place of birth, nationality, e-mail address, telephone number, official identification card with number, motor vehicle number if applicable, credit card number if applicable. In addition, we must ask and record whether you register as a domicile with the city of Zurich.

In addition, we process contractual data such as apartment number, arrival and departure dates, additional services, prices.

We collect this information in order to fulfill legal reporting obligations, which arise in particular from police law (cantonal hotel control) and the personal registration office of the city of Zurich and to provide you with the desired service.

The processing of this data is based on a legal obligation within the meaning of Art. 6 Para. 1 lit. b/c DSGVO.

b) Recording of purchased services

If you obtain additional services as part of your stay (e.g. fitness room, Internet access), we will record the subject of the service and the time at which it was obtained for billing purposes.

c) Credit card transaction

The card payment can be made at the terminal with the physical card or online on the processor's infrastructure. In our company, only the date, time, transaction number, card provider, the last 4 digits of the card and the amount are recorded and kept on the paper receipts.

The processing of this data is necessary in the sense of Art. 6 para. 1 lit. b and c DSGVO to process the contract with us.

1.4. Application for long-term renting of a rented apartment

For long-term living under the stricter rental law, applications must be carefully selected. For this process we need more data: the same information as in point 1.3 "Data related to your stay in an apartment" serves as a basis. In addition, we need a debt collection statement, source of income, approximate annual income, occupation, name of employer, marital status, family relationship, number of people in the household, contact details of previous landlord or management, current rent, reason for moving, facts causing noise.

These data are treated confidentially and are only used for decision making. In case of a negative decision, all data will be professionally deleted or shredded.

If a contract is signed, the data is used for the creation and support of the contractual relationship. The family relationship is important because the ZGB differentiates between family housing or normal shared housing. In this case, all data is archived until 10 years after the end of the tenancy (GeBüV).

1.5 Physical visit to Guggach House, Guggach Parking Garage

Surveillance cameras are installed in the underground car park, at the entrances and in the reception. These record in the event of movements.

The purpose of the camera recordings is preventive protection against damage to property and persons. In the event of an incident, the recordings are handed over to the police and judicial authorities. This knowledge increases the feeling of security among our guests. The recordings are automatically deleted between 48 and 72 hours, depending on the camera. The duration has to do with the weekends, because damage is often only detected afterwards.

2. Storage and exchange of data with third parties

2.1 Booking via booking platforms

If you make bookings via a third-party platform (booking.com, HRS, Immoscout24, Homegate, etc.), we receive various personal information from the respective platform operator in connection with the booking or rental application made. This is usually the data listed in sections 1.4 or 4 of these data protection declarations. In addition, inquiries about your booking may be forwarded to us. We will process this data by name in order to record your booking as requested and to provide the booked services. The legal basis of data processing for this purpose lies in the implementation of pre-contractual measures and the fulfillment of a contract in accordance with Art. 6 para. 1 lit. b DSGVO.

Finally, we may be informed by the platform operators about disputes in connection with a booking. In the process, we may also receive data about the booking process, which may include a copy of the booking confirmation as proof of the actual booking completion. We process this data to protect and enforce our claims. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.

Please also note the privacy policy of the respective booking platform.

2.2 Cloud storage and email

Part of the dossiers and all e-mail traffic are outsourced to Microsoft Ireland Operations Ltd, D18 P521 Dublin. All data is stored on servers at European locations (Amsterdam, Ireland). These are encrypted both in transit and at rest. Microsoft is ISO 27001 certified for data security. The access protection is done by the current state of the art.

2.3 Provider Website Hosting

A service provider to whom the personal data collected via the website is transferred or who has or may have access to it is our web hoster (Hoststar Multimedia Networks AG, 3312 Fraubrunnen). The website is hosted on servers in Switzerland. The data is transferred for the purpose of providing and maintaining the functionalities of our website.

The legal basis for processing the data for this purpose is our legitimate interest according to Art. 6 para. 1 lit. f DSGVO

2.4 Credit card transaction providers and acquirers

Payments at the terminal on site as well as online card payments are processed via our data provider Wallee Group AG in Winterthur. The acquirers (settlement towards merchants) are Postfinance, Concardis Schweiz AG and Worldline Schweiz AG. All have received the PCI DSS certificate from the card issuers.

3. Retention period

Unless otherwise mentioned in previous chapters, we store personal data only as long as it is necessary to use the tracking services mentioned above as well as the further processing within the scope of our legitimate interest.

Retention obligations that require us to retain data arise from regulations on reporting, on accounting, from tax law and from the Swiss Business Records Ordinance (GeBüV). According to these regulations, business correspondence, communication, concluded contracts and accounting vouchers must be retained for up to 10 years.

4. Data security

We use appropriate technical and organizational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

We also take internal data protection very seriously. Our employees and the service companies commissioned by us have been obligated by us to maintain confidentiality and to comply with the provisions of data protection law.

5. Your rights

You may object to data processing at any time, unless there are legal barriers or the request is disproportionate or vexatious. You can exercise the rights in writing, by email or in person. We are required to identify you by means of official identification. You also have the following rights:

  1. Right of access: you have the right to request access to your personal data held by us when we process it. This gives you the opportunity to check what personal data we are processing about you and that we are using it in accordance with applicable data protection regulations.
  2. Right to rectification: you have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In this case, we will inform the recipients of the data concerned of the adjustments made, unless this is impossible (e.g. prohibited by law) or would involve disproportionate effort.
  3. Right to erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, the right to deletion may be excluded, especially if other legal provisions preclude it.
  4. Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority against the way in which your personal data is processed.

6. Note: data transfer to the USA

Some of the third-party service providers mentioned in this privacy policy are based in the USA. For the sake of completeness, we would like to point out for users who are resident or domiciled in Switzerland or the EU that there are monitoring measures in place in the USA by US authorities which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the US authorities to the data and their subsequent use to very specific, strictly limited purposes that are capable of justifying the intrusion associated both with the access to these data and with their use. Furthermore, we would like to point out that in the U.S. there are no legal remedies available to data subjects from Switzerland or the EU that would allow them to obtain access to the data concerning them and to have it corrected or deleted, or that there is no effective judicial legal protection against general access rights of U.S. authorities. We explicitly draw the attention of data subjects to this legal and factual situation in order to make an appropriately informed decision to consent to the use of their data.

The US Cloud Act of 2018 obliges US providers to hand over data to government institutions, even if the data itself is stored on European servers. As recently as July 2020, the European Court of Justice (ECJ) ruled that the access possibilities of US authorities and intelligence services meant that data protection requirements were not guaranteed when personal data was transferred to third countries such as the US. In November 2020, Microsoft committed itself under the title "Defending your Data" to defend itself against unrestricted access by the U.S. authorities by implementing technical encryption on the one hand and taking legal action against it on the other. The affected customers will be informed transparently. (see how MS is dealing with the Cloud Act).

7. Contact

Responsible for data protection and data processing is

Guggach AG
Enrica Ruedin
044 363 32 10

datenschutz@guggach.com

Alternatively, you can use the contact form.

If you have any data protection concerns, you can contact the person mentioned.

8. Can this privacy policy be changed?

This privacy policy is not part of any contract with you. We can adapt it at any time. The version published on the website is always the current version.

Last updated: July 3, 2023