City Pop AG, Metallstrasse 4, 6300 Zug, operates the citypop.com website and controls the data collected therein.
City Pop AG is responsible for the collection, processing, and use of user data required to carry out its business activities. Data processing includes the collection, storage, management, use, transfer, disclosure, and eventual deletion of data.
Data processing serves the operational needs of City Pop AG, which are geared towards satisfying user wishes. Data collected will be used to improve the user experience, better meet user needs, develop new, modern services, optimise the booking and ordering processes, and develop communication capabilities.
A – Automatically collected connection details
Accessing the website and making use of its content and features results in the following processes subject to data protection:
- creation of a log file, including the IP address of the device accessing the site, the date and time of access, the location of the device, the name and URL of any files retrieved, the size of data transmitted, the referring website, the operating system and browser used, users’ language settings, and the name of the internet service provider.
The purpose of storing this data is:
- to make information and services available on our website
- to create internal usage statistics for our own commercial purposes, in particular to improve our offers and services
- to identify the language region of the accessing device in order to display the contents of the site in the corresponding language automatically
B – Customer account, data provided by users
A customer account must be opened to order services. All data collected during contract initiation, the opening of the customer account, and fulfilment of the contract is collected and processed according to applicable data protection legislation.
Each time we request personal data from users, for example, in contact or booking forms, we will specify the purpose of the processing or it will be self-evident from the context.
The fields requesting such data will be marked accordingly to indicate whether the data requested is necessary for the transaction or voluntary. If required data is not provided, we will, in general, be unable to achieve the purpose for which we requested the data and not be able to enter into a business relationship with or provide our services to you.
Opening a customer account and ordering services from us will require communication necessary for the business transaction. You will also be given the opportunity to sign up for our newsletter. The newsletter can be cancelled at any time. The content of the newsletter provides information about opportunities of both a commercial (other paid offers) and non-commercial nature (e.g. event notices) related to our services. Contractually required notifications are not made via the newsletter, but instead directly.
C – Data from processing the business relationship
When making a booking, you must electronically provide the documents (identity papers, visas, etc.) necessary for the business relationship. You authorise us to forward this data to government authorities and/or present your query to the same. You also authorise us to check your creditworthiness.
The use of services on site as well as any communications with the operator or service providers will result in a data trail (e.g. security cameras in the entrance area, retrieval of services, automatic logins, etc.). This data is collected and processed to meet our operational and legal requirements. In particular, this data is used to bill for services ordered from the operator or service providers arranged by the operator (suppliers, etc.).
All service providers and suppliers bear their own legal responsibility for their data collection and processing. The operator has no information about the data collected, processed, or managed directly by such service providers or suppliers, due to a lack of access and availability. Requests for information must be addressed directly to the respective service provider or supplier. The operator requires all of its providers and suppliers by contract to comply with applicable data protection legislation. However, due to the lack of access and monitoring options, the operator cannot guarantee that they will be in proper compliance with their data protection obligations at all times.
D – Creation of usage profiles for direct marketing purposes
For advertising and analytics purposes, usage profiles are created. The purpose of such usage profiles is to improve our services. Cookies are also used for marketing purposes (e.g. re-targeting, Google AdWords remarketing, DoubleClick by Google, etc.).
Cookies are primarily used to ensure that our services are provided optimally. Cookies are also used to better understand user needs, which can lead to more personalised offerings. Cookies are bound to specific devices and record the actions of all who have access to the device. Users can delete cookies or prevent their storage by changing their browser settings accordingly. Blocking cookies may prevent use of the website or make it highly difficult; the operator may not be held responsible for this consequence.
Tracking tools (web analytics tools) are used to improve our performance and services. The usually statistical and/or graphical evaluation of user actions is done by external service providers such as Google Analytics and Hubspot on servers at any location in the world that cannot be known in advance. The analytical activities are those that are globally customary. Google Analytics offers users tools to prevent data from being sent to Google. The operator is not responsible for the functionality of such tools.
The operator uses social plug-ins such as those for Facebook, Twitter, and Google+. The current social plug-ins offered can be seen on the site. The provider of the social plug-in can recognise your access of this website. If you are logged into the plug-in provider or log in later, your visit to this site can be assigned to your profile at that social media outlet. The social plug-ins are solely the responsibility of the respective providers. Data protection-relevant questions and technical settings are to be clarified directly with the respective providers.
E – Disclosure of data to third parties in Germany or abroad
Personal data will be passed on to third parties or government authorities as required. Your data may be disclosed to our domestic or foreign contractual partners or government authorities, for example, if we need it:
- to make filings required by law (e.g. to the residents’ registration office)
- for legal action
- to provide services
- for billing
- for debt collection
- to analyse usage behaviour
- for direct marketing purposes.
If we disclose your data to direct contractual partners abroad, we have signed contracts with them to ensure at least the same level of data protection as offered in Switzerland and have placed the same requirements on any further subcontracting. There can be no guarantee, however, that these agreements will have the desired effect. The operator, like all other market participants, lacks the legal, technical, and economically feasible options to ensure effective and error-free compliance with such agreements by foreign contractors.
There is no guarantee that the foreign levels of data protection offered on linked websites and web partners will comply with domestic legal requirements. Each content provider, whether at home or abroad, is independently responsible for the respective compliance with all applicable data protection requirements.
In addition, it must be assumed that the data collection activities of global internet companies take place on an immense scale and that users are essentially unable to prevent such massive data collection. In particular, data which is deliberately or unknowingly transmitted to the United States is not subject to storage and/or processing restrictions comparable to those applicable in Switzerland, regardless of the nature of the data concerned. The operator of the website is not responsible for this situation and therefore disclaims all liability.
F – Data security
Appropriate technological and organisational measures have been implemented to protect sensitive personal data against unauthorised access, processing, use, manipulation, and loss. This level of protection applies only to data once under the control of the operator. If you use an unsecured route to transmit your data, there is no technological or organisational opportunity to secure the data. Internal or external data processors are contractually obliged to keep personal information confidential and to use it for no other purpose.
G – Data retention
The storage of personal data takes place within the context of the purpose disclosed to users when they give their consent as well as according to legal requirements. Obsolete data will be deleted automatically. All data will be deleted after 10 years at the latest, if the statutory retention period has not already expired and the data was previously deleted accordingly. Once deleted, you will no longer be able to review said data.
H – Data subject rights
Users have the right to receive free information about the personal data we have stored about them. Users also have the right to correct or supplement incorrect data (or data which has become obsolete). Furthermore, users have the right to request the deletion of data, if there are no statutory obligations for its continued retention; they also have the right to receive information on the remaining duration of such retention.
Users may request information about the purpose of the data processing, the categories of personal data processed, and about the parties processing, receiving, and/or supplying the data. In addition, users may revoke any or all of their consents previously granted, which will stop any processing of such data and lead to its deletion if the operator is not required to retain it. Any data previously provided may be requested by users.
If the operator becomes aware of a breach of data security within its control, those users affected will be informed in a suitable manner; no further request for information will be necessary.
Enquiries should preferably be made electronically (e.g. email). If there is any doubt as to the identity of the requesting party, the operator may, at its discretion, request appropriate proof of identification or rely on the information provided. The time it takes the operator to process such enquiries or notifications may vary. Information will normally be sent electronically, if possible.
I – Contact options
If there are any ambiguities or questions, users may use the following contact information: [email address]. The operator endeavours to answer enquiries quickly, but cannot be more specific as to its response times. This will, among other things, depend on the current workload at the time of the request.