Users confirm that they have read and understood this privacy policy and expressly grant their consent to the collection and processing of their data as described.

City Pop AG, Metallstrasse 4, 6300 Zug, operates the website and controls the data collected therein.

City Pop AG is responsible for the collection, processing, and use of user data required to carry out its business activities. Data processing includes the collection, storage, management, use, transfer, disclosure, and eventual deletion of data.

Data processing serves the operational needs of City Pop AG, which are geared towards satisfying user wishes. Data collected will be used to improve the user experience, better meet user needs, develop new, modern services, optimise the booking and ordering processes, and develop communication capabilities.

A – Automatically collected connection details


Accessing the website and making use of its content and features results in the following processes subject to data protection:

  • creation of a log file, including the IP address of the device accessing the site, the date and time of access, the location of the device, the name and URL of any files retrieved, the size of data transmitted, the referring website, the operating system and browser used, users’ language settings, and the name of the internet service provider.

The purpose of storing this data is:

to make information and services available on our website

  • to create internal usage statistics for our own commercial purposes, in particular to improve our offers and services
  • to identify the language region of the accessing device in order to display the contents of the site in the corresponding language automatically
  • to use cookies and trackers to facilitate the display of personalised content of both a commercial and non-commercial nature.

B – Customer account, data provided by users


A customer account must be opened to order services. All data collected during contract initiation, the opening of the customer account, and fulfilment of the contract is collected and processed according to applicable data protection legislation.

Each time we request personal data from users, for example, in contact or booking forms, we will specify the purpose of the processing or it will be self-evident from the context.

The fields requesting such data will be marked accordingly to indicate whether the data requested is necessary for the transaction or voluntary. If required data is not provided, we will, in general, be unable to achieve the purpose for which we requested the data and not be able to enter into a business relationship with or provide our services to you.

Opening a customer account and ordering services from us will require communication necessary for the business transaction. You will also be given the opportunity to sign up for our newsletter. The newsletter can be cancelled at any time. The content of the newsletter provides information about opportunities of both a commercial (other paid offers) and non-commercial nature (e.g. event notices) related to our services. Contractually required notifications are not made via the newsletter, but instead directly.

C – Data from processing the business relationship


When making a booking, you must electronically provide the documents (identity papers, visas, etc.) necessary for the business relationship. You authorise us to forward this data to government authorities and/or present your query to the same. You also authorise us to check your creditworthiness.

The use of services on site as well as any communications with the operator or service providers will result in a data trail (e.g. security cameras in the entrance area, retrieval of services, automatic logins, etc.). This data is collected and processed to meet our operational and legal requirements. In particular, this data is used to bill for services ordered from the operator or service providers arranged by the operator (suppliers, etc.).

All service providers and suppliers bear their own legal responsibility for their data collection and processing. The operator has no information about the data collected, processed, or managed directly by such service providers or suppliers, due to a lack of access and availability. Requests for information must be addressed directly to the respective service provider or supplier. The operator requires all of its providers and suppliers by contract to comply with applicable data protection legislation. However, due to the lack of access and monitoring options, the operator cannot guarantee that they will be in proper compliance with their data protection obligations at all times.

D – Creation of usage profiles for direct marketing purposes


For advertising and analytics purposes, usage profiles are created. The purpose of such usage profiles is to improve our services. Cookies are also used for marketing purposes (e.g. re-targeting, Google AdWords remarketing, double-click by Google, etc.).

Cookies are primarily used to ensure that our services are provided optimally. Cookies are also used to better understand user needs, which can lead to more personalised offerings. Cookies are bound to specific devices and record the actions of all who have access to the device. Users can delete cookies or prevent their storage by changing their browser settings accordingly. Blocking cookies may prevent or make use of the website highly difficult; the operator may not be held responsible for this consequence.

Tracking tools (web analytics tools) are used to improve our performance and services. The usually statistical and/or graphical evaluation of user actions is done by external service providers such as Google Analytics and Hubspot on servers at any location in the world that cannot be known in advance. The analytical activities are those that are globally customary. Google Analytics offers users tools to prevent data from being sent to Google. The operator is not responsible for the functionality of such tools.

The operator uses social plug-ins such as those for Facebook, Twitter, and Google+. The current social plug-ins offered can be seen on the site. The provider of the social plug-in can recognise your access of this website. If you are logged into the plug-in provider or log in later, your visit to this site can be assigned to your profile at that social media outlet. The social plug-ins are solely the responsibility of the respective providers. Data protection-relevant questions and technical settings are to be clarified directly externally with the respective providers.

E – Disclosure of data to third parties in Germany or abroad


Personal data will be passed on to third parties or government authorities as required. Your data may be disclosed to our domestic or foreign contractual partners or government authorities, for example, if we need it:

  • to make filings required by law (e.g. to the residents’ registration office)
  • for legal action
  • to provide services
  • for billing
  • for debt collection
  • to analyse usage behaviour
  • for direct marketing purposes.

If we disclose your data to direct contractual partners abroad, we have signed contracts with them to ensure at least the same level of data protection as offered in Switzerland and have placed the same requirements on any further subcontracting. There can be no guarantee, however, that these agreements will have the desired effect. The operator, like all other market participants, lacks the legal, technical, and economically feasible options to ensure effective and error-free compliance with such agreements by foreign contractors.

There is no guarantee that the foreign levels of data protection offered on linked websites and web partners will comply with domestic legal requirements. Each content provider, whether at home or abroad, is independently responsible for the respective compliance with all applicable data protection requirements.

In addition, it must be assumed that the data collection activities of global internet companies takes place on an immense scale and that users are essentially unable to prevent such massive data collection. In particular, data which is deliberately or unknowingly transmitted to the United States is not subject to storage and/or processing restrictions comparable to those applicable in Switzerland, regardless of the nature of the data concerned. The operator of the website is not responsible for this situation and therefore disclaims all liability.

F – Data security


Appropriate technological and organisational measures have been implemented to protect sensitive personal data against unauthorised access, processing, use, manipulation, and loss. This level of protection applies only to data once under the control of the operator. If you use an unsecured route to transmit your data, there is no technological nor organisational opportunity to secure the data. Internal or external data processors are contractually obliged to keep personal information confidential and to use it for no other purpose.

G – Data retention


 The storage of personal data takes place within the context of the purpose disclosed to users when they give their consent as well as according to legal requirements. Obsolete data will be deleted automatically. All data will be deleted after 10 years at the latest, if the statutory retention period has not already expired and the data was previously deleted accordingly. Once deleted, you will no longer be able to review said data.

H – Data subject rights


Users have the right to receive free information about the personal data we have stored about them. Users also have the right to correct or supplement incorrect data (or data which has become obsolete). Furthermore, users have the right to request the deletion of data, if there are no statutory obligations for its continued retention; they also have the right to receive information on the remaining duration of such retention.

Users may request information about the purpose of the data processing, the categories of personal data processed, and about the parties processing, receiving, and/or supplying the data. In addition, users may revoke any or all of their consents previously granted, which will stop any processing of such data and lead to its deletion if the operator is not required to retain it. Any data previously provided may be requested by users.

If the operator becomes aware of a breach of data security within its control, those users affected will be informed in a suitable manner; no further request for information will be necessary.

Enquiries should preferably be made electronically (e.g. email). If there is any doubt as to the identity of the requesting party, the operator may, at its discretion, claim appropriate proof of identification or rely on the information provided. The time it takes the operator to process such enquiries or notifications may vary. Information will normally be sent electronically, if possible.

I – Contact options

If there are any ambiguities or questions, users may use the following contact information: [email address]. The operator endeavours to answer enquiries quickly, but cannot be more specific as to its response times. This will, among other things, depend on the current workload at the time of the request.

City Pop AG controls the way your personal data are collected and the purposes for which your data are used. City Pop AG respects and complies with the General Data Protection Regulation (GDPR), with the purpose of the protection of persons regarding the processing of personal data.

By downloading, browsing, accessing or using the mobile application of City Pop or even when browsing the Website of City Pop, you agree to be bound by these Terms of Service. If you disagree with this Privacy Policy, you must interrupt the use of the mobile application or the website immediately. By continuing with the use of the mobile application or the Website, you accept our Privacy Policy.

Personal data that we collect

When speaking about data, we mean your personal information that you are providing to us during a visit to our mobile application, our Website or during a booking process. For example, to complete a booking you need to create your own account (or you also have the possibility to access directly with your Google, Facebook and Apple accounts).

The main reason why we need to collect your data is to provide you, as our guest, with our service. If you decide to not provide us with this personal data, we might not be able to provide you with the service as our guest. We collect data for explicit and specified purposes only, so that you know which data you are providing us. We only collect data that we are allowed to collect according to the law and especially that we may legitimately use, in order to ensure that you have a living space in our buildings and to deliver the service you are asking for. 

Depending on if you are a guest or a visitor, City Pop may collect the following data about you (only if provided by you): name, email address, telephone number, address, payment information (payment method details), your profession, your nationality, passport/ID, in case you book a parking place we might also ask you about your car and plate’s number.

Why we collect your data

We will mainly use your data for the purpose of our business operations; for example, we use your email address to communicate with you about your booking, about the services you have booked, or from time to time, for informing you about our events and special offers.

  • Specifically, we process your data for the following purposes:

    • Normal business purposes according to our day-to-day business activity, for example:
      • supporting you by asking questions about our service or your (potential) booking,
      • supporting you during your stay,
      • informing you about your check-in and check-out,
      • planning,
      • financial reporting,
      • marketing materials (such as survey, contest, etc.),
      • informing you about the events that we organise,
      • informing you about maintenance works in your apartment or in the common areas,
      • news about our service (new services, etc.).
    • We will use your personal data to improve your experience at City Pop, sending you tailored notifications through the mobile application or analysing your response to our survey about our services, furniture, etc.
    • If you are applying for a job, you will provide us with your information including your CV, diplomas, references, photographs.
    • We collect data to ensure security within our buildings. We are required to collect personal data to be compliant with the legal enforcement specific to the location of the City Pop building.
    • If you choose to click on a link of a business partner that cooperates with City Pop, you are aware that you are browsing a page outside City Pop.

     How we protect your data

    The confidentiality of the data we collect is a fundamental aspect for us. When you provide us with your personal data through our mobile application or our Website, we process them respecting high-security standards.

    Your personal data are stored and held in our secured systems, and we do not disclose your data to third parties.

    We are extremely precise when processing data, and we respect the following principles while doing it:

    • Lawfulness, fairness and transparency;
    • We respect the purpose of limitation, meaning that we process data for legitimate purposes, and these are specified to you as well;
    • Data minimization: only the data necessary for a specific purpose are processed – nothing more;
    • We do not forward your data to third parties, the purpose is only internal to City Pop AG or the Group;
    • The collection of data is accurate and up to date;
    • Integrity and confidentiality in processing data.


    Through our Website or mobile application, we provide links to third parties’ websites. These Websites are not controlled by City Pop and are subject to different Privacy Policies from this Policy presented by City Pop. For more information about the Privacy Policies of these third parties we invite you to visit their Policy on Privacy.


    In addition, in some instances, we are obliged to share some personal data of our customers (see point “Sharing personal data”) with a third party, such as for example the authority of the City where City Pop is located, and we have limited information and access according to how data are protected and processed by these parties.


    Your rights about data protection:

    The GDPR or further data protection laws provide you with specific rights, to help you to have control of your personal data. We also would like to support you by exercising your rights. The Customer Care of City Pop is the point of contact for all your questions regarding the processing of your personal data. Please consider that to support you in exercising your rights we need to identify you. Among your rights, there are:

    • Right to request which data we collect about you:
      • The personal data that we collected about you,
      • The purposes for which we are collecting your data.
    • Right to request that we delete, modify or restrict the use of your data:
      • If you wish us to delete your data we will do so as soon as we do not need them any more to fulfil our purposes mentioned in this policy and when there is a legal obligation to do so.
        • If you believe that the data we have about you are incorrect or not complete, you can request that we modify some information about you.
        • If you wish us to store your data but we do not use it. In some instances, you might ask City Pop to keep your data for your own legal purposes.
        • If you wish, you can unsubscribe from our newsletter and ask City Pop not to use your data any more.
        • If you do not want to appear in some video or pictures about an official event of City Pop in which you took part, please let us know.
        • We give below some hints for you to protect your data:
          • When creating an account for City Pop, we suggest you set a strong and secure password, only used for this account and do not share your password with anyone. If you suspect that someone else knows your password, make sure that you change it immediately.
          • If you are suspicious about an email that you received but you are not sure if this is coming from City Pop – for example referring to your booking number or your stay, please inform us as soon as possible. In addition, do not answer the email and do not provide any personal data.
          • When informing you about our special offers or about our events, we will always communicate with you through our official communication channels (email account, notification in the mobile application, social media) and we will never ask you about your personal data in such emails.
          • If you have doubts about a communication, a post on the social media or a notification you have seen, you can verify the authenticity of this information on our Website, or you can easily send an email to the Customer Care of City Pop.


        Sharing personal data

        As previously mentioned in this Policy, we do not forward or share your data with third parties outside the Group. We might share your data within our Group but for business purposes only.


        In some cases, we might have to share your personal data for different reasons; for example, by completing some business process (payments, execution of services, etc.), for security reasons or because they have been requested by competent public authorities:

        • Disclose your name, your previous address, the period of your stay at City Pop (meaning check-in date and check-out date), and number of your Pop.
        • We are supported by external operators to complete the payments between you (by means of your credit card) and City Pop. The external operators might know the information you provide about your credit card. In addition, we are also supported by external parties for the supply of specific services (e.g. laundry service).

         Updates to our Privacy Policy

        From time to time, to ensure that our Policy is always correct and up to date, we reserve the right to modify it when there is a change in the way we process data. Any new version will be available on our Website or mobile application and shall take effect from the date of such posting.


        If you have questions, feedback or any question regarding this Policy, you can contact us through the following email:

         Applicable law and jurisdiction

        Exclusively the law of the country where the City Pop building operates is applicable and will apply to all matters according to use of the mobile App or Website of City Pop.

        Exclusive and sole place of jurisdiction worldwide are the courts of the City in which the City Pop building operates. If proceedings are brought in other jurisdictions, no defence will be offered. Arbitration tribunals and other alternative litigation procedures are expressly excluded.

        Should City Pop incur costs as a result of unauthorised claims by the guest at other places of jurisdiction, at arbitration tribunals or other alternative litigation, the guest is obliged to fully pay all costs incurred in connection therewith, regardless of the cost regulation provisions of the other, inadmissible procedure.