The main reason why City Pop collects User data is to promote, organise and provide its services to Guests. This page presents the User and Guests who use the City Pop services, including the use of the app of the same name and browsing on the “Website” (www.citypop.com), with the information necessary to enable us to process users’ personal data in full transparency.
1. Who is the Data Controller?
City Pop AG, based in Bernerstrasse Süd 169 CH-8048 Zurich, controls the ways in which users’ personal data are collected, and establishes the purposes and means for which such data are used. The Data Controller has organised its services to the User by committing to process their personal data in compliance with the data protection principles established by Swiss (“SDPA”) and European Union legislation (“General Data Protection Regulation” or “GDPR”).
2. What personal data does City Pop collect?
The Data Controller collects personal data of Users, Guests and Visitors, during the use of the City Pop app, with the browsing of and interaction with the websites, as well as during the registration, booking and use of the City Pop services.
City Pop only collects the data that it can legitimately use, which it is authorised to collect, which are necessary for the purposes described below, and always within the limits thereof.
2.1 Is it mandatory to provide data?
City Pop has organised the activity by limiting the collection of personal data according to a principle of minimisation and strict necessity. However, for most of the purposes described below (e.g. filling in forms), failure to provide the data indicated as necessary may make it impossible to access the City Pop services, and/or conclude the requested operations.
The acquisition of contact data does not imply automatic consent to carry out marketing activities, which shall be carried out as indicated in point 3.5. In particular, any consent given for the performance of marketing activities can be withdrawn at any time in the app settings. The user may also revoke the authorisations granted or express their right of opposition through the links in the footer of the emails sent by City Pop AG.
3. Purpose of data collection
The User’s data may be processed for the following purposes, in compliance with what is indicated in the descriptions.
3.1 Browsing data
The browsing data relating to the activities carried out by the User in the use of the site and the app are collected and processed through the use of specific tracking tools (e.g. pixels, cookies) for technical, statistical, functional and marketing purposes. All operations are carried out to the extent permitted by the User. For more details, you can consult the Cookie Policy at the following link: https://citypop.com/cookie-policy-eu/
3.2 Creation and management of accounts
To complete a reservation or start using the City Pop services, you must create your account on the platform, or register it through authentication with a Google, Facebook or Apple profile.
Legal basis: Contract (request to use the City Pop services)
Retention period: The data relating to the registered account shall be kept until the request for deletion by the user, through the “Delete account” function accessible in the app settings and preferences, in the “Security & Privacy” section. Following the request to delete the account, the Data Controller may keep some data relating to the User where necessary or mandatory for different purposes (e.g. storage of administrative and accounting data).
3.3 Management of reservations and City Pop services
The data of registered users shall be processed in the management, provision and maintenance of City Pop services in accordance with the provisions of the Terms and Conditions (https://citypop.com/terms-conditions/), mainly for the performance of front-office activities (e.g. providing support to the user during their stay, providing information on check-in and check-out, responding to requests for information), back-office (e.g. administrative and accounting management, activity planning), for sending communications for purely organisational and service purposes (e.g. app updates, computer security, privacy, maintenance work of flats or common areas) or to enable the use of technologies and services made available during their stay in a City Pop property.
Legal basis: Contract (Terms and conditions)
Retention period: The data shall be stored for these purposes up to a maximum of 10 years after the termination of use of the services. To avoid any inconvenience, at the end of the stay, Guests are always invited to disconnect their profiles from any interactive services (e.g. smart TV) used during their stay in a City Pop property.
3.4 Security and legal obligations
- Safety management and transmission of personal data to the competent Authorities
The personal and sensitive data of the Guests may be processed in the performance of operations aimed at guaranteeing security within the property or for the prevention, management and documentation of offences or accidents/injuries. City Pop is also required to collect personal data to comply with the specific legal requirements of the location of the City Pop property.
Legal basis: Legal obligations.
Retention period: For the times necessary and sufficient to document compliance with the law.
- Video surveillance
The images of the Guests and Visitors taken by the video surveillance systems installed at the City Pop facilities shall be processed for the protection of the spaces and assets of City Pop and in order to protect the physical safety of the Guests.
Legal basis: Legitimate interest of the Data Controller.
Retention period: Up to 96 hours from registration, except for special needs related to the management of offences.
3.5 Marketing
- Direct marketing
The contact data of the Users shall be used to send messages relating to reminders, promotions and suggestions, through communications by email or through push notifications containing, for example, invitations to participate in surveys and competitions, information on events organised by City Pop, news about new services and initiatives, occasions and promotions also referring to third party services.
Legal basis: Consent to “marketing”, which can be granted or revoked at any time by accessing the app settings.
Retention period: Until withdrawal of consent.
- Analysis of preferences
Subject to the User’s specific consent, the data relating to the analysis carried out through the app and during the stay shall be processed and analysed to recognise the User’s tastes and preferences and adapt the offers and promotions sent through the direct marketing channels.
Legal basis: Consent to the “analysis of preferences”, which can be granted or revoked at any time by accessing the app settings.
Retention period: Until withdrawal of consent or after two years from the opening of the last email.
- Soft spam
The contact data of Users who have interacted with the interactive services of City Pop, for example by making reservations, requesting specific services and information through the channels and websites of City Pop AG, entries in waiting lists, downloading catalogues, etc., may be used for the execution of occasional marketing activities, at low frequency, and strictly referring to the services with which the User has interacted (so-called “Soft spam”).
Legal basis: Legitimate interest of the Data Controller – activity organised with a logic and method that does not cause interference or prejudice to the fundamental rights of the User.
Retention period: Until request for opposition.
- Involvement in communication projects
Participation in gatherings, events, contests or other initiatives organised by City Pop may involve the collection of images and videos of participants. With the involvement and consent of the participants in these initiatives, and without prejudice to the right of opposition of the data subjects, the multimedia material produced may be destined for publication on the web and through social media channels.
Legal basis: Consent (e.g. video interviews), contract (e.g. participation in a contest) or legitimate interest (e.g. organised events), depending on the type of project.
Retention period: Until request for opposition.
3.6 Data transmission to third parties
Subject to the User’s specific consent, their personal data may be shared with professionals, companies or entities with which City Pop AG has entered into commercial agreements and/or conventions (belonging to the following categories: communication and marketing, legal, financial, insurance, art and culture, tourism, education and training, IT/technology, socio-humanitarian, property, entertainment, television and film production, and health and personal services), in order to enable the start of their direct marketing purposes through automated tools.
Legal basis: Consent to “Data sharing”, which can be granted or revoked at any time by accessing the app settings.
Retention period: Until withdrawal of consent or after two years from the opening of the last email.
3.7 Monitoring and reporting
The data of Users and Guests, including personal information and payment information for the services used, shall be collected and processed with adequate protection measures for monitoring and reporting purposes, through statistical analysis, and in aggregate form. These analyses may be shared with the other companies of the City Pop group and partners (e.g. investment funds) for the monitoring of the City Pop services, strategic planning and continuous improvement of City Pop services.
Legal basis: Legitimate interest of the Data Controller – data processed mainly in aggregate form, with methods and logic not aimed at identifying the individual person.
Retention period: Up to 10 years from the end of the use of City Pop services.
3.8 Applications and start of collaborations
In the event of submission of one’s application or proposals for collaboration for a job position, the data contained in the candidate’s curriculum vitae, diplomas, references, and photos shall be processed for the management of the selection processes.
Legal basis: Pre-contractual measures.
Retention period: Up to a maximum of 2 years.
3.9 Pursuit of justice and legal defence purposes
The personal data collected in the pursuit of the other purposes may be processed by City Pop AG to ascertain, exercise or defend its legitimate right.
Legal basis: Legitimate interest of the data controller.
Retention period: Up to a maximum of 10 years from their collection or from the achievement of the purpose for which they were originally collected.
3.10 AI Assistant – Customer service
In order to improve the user experience, City Pop provides a virtual assistant (chatbot) based on artificial intelligence on specific pages of the website or app. The chatbot provides real-time assistance on City Pop services, based on the contents of the service documentation (e.g. FAQs, brochures, Terms and Conditions). If necessary, it will direct the user to more detailed instructions and all necessary contact information. Although it is configured to provide accurate and useful answers, there may be instances where the answers provided are incomplete, inaccurate or out of date. Users are advised to check the information in the linked official sources and use caution and discretion when interpreting and acting on the chatbot’s answers. The service does not require authentication and conversation data will not be used for training the artificial intelligence model. The conversations may be recorded and reviewed by our team in order to improve the quality of the answers provided and to identify and close any gaps in the operation of the service.
Legal basis: Legitimate interest of the owner – the user is always free to use alternative support channels . In particular, the user can always open a support ticket at the appropriate section in the App or can contact customer service at [email protected].
The use of the chatbot does not entail any automated decisions with legal effects or significantly affecting users within the meaning of Art. 22 GDPR. The chatbot acts solely as a support tool and, in case of unresolved requests, the handling is transferred to the human support team.
Retention period: Conversations are retained for a maximum period of 12 months for quality and security monitoring of the service. After this period, the data is anonymised or deleted.
4. How is the data processed?
All data collected for the aforementioned purposes are processed through computer and electronic systems, supports and infrastructures, taking into account suitable and secure tools that enable organization strictly related to the processing purposes set out above. The operations carried out by City Pop may provide for the use of automated processes, always within the limits and with reference only to the purposes described above (in particular, for administrative management operations, carrying out marketing operations, and for the provision of the services provided for by the Terms and Conditions). Data subjects always maintain the right to request the support and intervention of competent personnel – in any case bound by compliance with precise confidentiality obligations and instructed in this regard.
5. Where is the data processed and stored?
The data shall be stored and processed at the physical offices and IT infrastructures of the Data Controller or its authorised suppliers, in Swiss territory, within the EU and in the USA (to subjects who have adhered to the “Data Privacy Framework”), within the scope of their respective authorisations and in compliance with the constraints on Data Processors pursuant to Article 28 GDPR, and implementing only safe and lawful transfer operations.
Except for specific initiatives based on the User’s authorisation (e.g. participation in a contest, involvement in communication projects with multimedia material and personal images of the Guest, etc.), no information dissemination or distribution operations are envisaged.
6. With whom is the data shared?
City Pop AG may share user data with external parties, limited to:
- Professionals, companies and undertakings providing services in support of City Pop’s activities (e.g. data centres, IT platforms, messaging and mailing systems, consultancy companies in the field of computer security or hardware and software maintenance, service providers strictly connected to the stay in City Pop – e.g. laundry, cleaning and maintenance companies), in their role as Data Processor pursuant to Article 28 GDPR;
- other Group companies solely for purely organisational and/or administrative purposes;
- owners of the building where a Pop is booked, to enable them to fulfil regulatory obligations, including registering guests with the competent authorities, complying with tax and security management regulations;
- payment service operators, who may become aware of the information relating to the credit cards and payment systems used, processing the data as independent Data Controllers and as indicated in the respective information notices.
As part of its marketing communications, City Pop may share links to third-party websites. These websites are not controlled by City Pop and may be subject to privacy policies other than those described in this City Pop Policy. For further information on the privacy policies of these third parties, the user is invited to consult the relevant privacy policies.
In certain cases, City Pop is also obliged to share Guest data with public authorities for security purposes and as required by law (e.g. the Municipality of the specific location of the City Pop property in which you reside), and has limited information and access in relation to the methods of data protection and processing implemented by these third parties.
7. User rights in relation to data protection
The rules on the protection of personal data guarantee the User specific rights that enable them to control their personal data. City Pop also wishes to support the user in the exercise of their rights. City Pop customer support is the point of contact for all questions regarding the processing of personal data. City Pop must identify the user in order to support them in the exercise of their rights. User rights include:
- Right to be informed about what data is collected:
- The user’s personal data collected by City Pop,
- The purposes for which such data is collected.
- Right to request that their data be deleted or modified or that their use be limited:
- If the user expresses their will in this regard, City Pop shall delete the data as soon as it is no longer necessary to fulfil the purposes indicated in this Policy and when there is a legal obligation to do so.
- If the user considers their personal data to be incorrect or incomplete, they may request the modification of some of the information.
- Where the user wishes their data to be stored but not used. In certain cases, the user may request that City Pop retain the data for the legal purposes of the former.
- If desired, the user can unsubscribe from the newsletter and ask City Pop to no longer use their data.
- If the user does not wish to appear in videos or photos of official City Pop events in which the same has taken part, the user is invited to notify City Pop.
- Right to lodge a complaint with the competent Data Protection Authority. You can always contact your local supervisory authority. However, we encourage you to contact us first so we can directly assist you.
- Here are some tips to protect your data:
- When creating an account for City Pop, set a strong and secure password, which should be used exclusively for that account and not be shared with anyone. If you suspect that someone else knows the password, be sure to change it immediately.
- If you receive a suspicious email and are not sure that it has come from City Pop, for example in reference to the reservation number or stay, the user is invited to promptly notify City Pop. It is recommended not to reply to the email and not to provide personal data.
- City Pop’s communications relating to special offers or events will always take place through the official channels (email account, notification on the mobile app, social media) and in such emails no personal data will ever be requested from the user.
- In case of any doubt relating to a communication, a social media post or a notification received, it is possible to verify its authenticity on the City Pop website or send an email to City Pop customer support.
8. Contacts and support
The user may contact the Data Controller by writing to the email: [email protected].
City Pop AG has also appointed its own Data Protection Officer (“DPO”) – pursuant to the GDPR and SDPA. The DPO supports the Data Controller in compliance with regulations and in the protection of users’ data protection rights. They may be contacted to request information, support and clarification on issues relating to privacy and data management, by writing to the email: [email protected].
Finally, we inform you that, for their respective activities and skills, City Pop AG and the DPO regularly interface with the designated EU Representative, contactable by all users and Guests in EU territory at [email protected].
9. Updates to the privacy policy
To ensure that the Policy is always correct and up-to-date, City Pop AG reserves the right to make the necessary changes to adapt it to any changes in the methods of data processing. Each new version shall be available on the City Pop website or mobile app and shall take effect from the date of publication.
This policy was updated on 20 March 2025. You can keep track of all substantial updates to our data processing policies at this page: [https://www.citypop.com/privacy-policy-update].
