Bestprice Guarantee
Book Now

Data Protection


This Privacy Policy explains to you the type, scope, and purpose of the processing of personal data (hereinafter referred to as "data") on our website and the associated websites, functions and content, as well as external online presences, such as our social media profile (hereinafter jointly referred to as the "online offer"). With regard to the terms used, such as "processing" or "data controller", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Types of data processed:

– Inventory data (e.g., names, addresses).
– Contact data (e.g., email, phone numbers).
– Content data (e.g., text input, photographs, videos).
– Usage data (e.g., websites visited, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses).

Categories of data subjects

Visitors and users of the online offer (data subjects will hereinafter also be referred to as "users").

Purpose of processing

– Provision of the online offer, its functions and content.
– Answering contact enquiries and communication with users.
– Security measures.
– Reach measurement/marketing

Terms used

"Personal data" refers to all information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); a natural person is regarded as identifiable if he can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online identifier (e.g., cookies) or with one or several special features reflecting the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.

"Processing" means any operation carried out with or without the aid of automated procedures or any such series of operations in connection with personal data. The term is broad and covers virtually every aspect of dealing with data.

"Pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or an identifiable natural person.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

"Data controller" refers to the natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.

A "processor " is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.

Applicable legal bases

In accordance with Article 13 GDPR, we are informing you of the legal basis of our data processing. If the legal basis is not mentioned in the Privacy Policy, the following applies: the legal basis for obtaining consent is Article 6 (1) (a) and Article 7 GDPR, the legal basis for processing for the fulfilment of our services and the execution of contractual measures as well as for replying to enquiries is Article 6 (1) (b) GDPR, the legal basis for processing to fulfil our legal obligations is Article 6 (1) (c) GDPR, and the legal basis for processing to protect our legitimate interests is Article 6 (1) (f) GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6 (1) (d) GDPR applies as the legal basis.

Security measures

In accordance with Article 32 GDPR, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account current technology, implementation costs, the nature, scope, context, and purposes of processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling both physical access to the data and associated access, input, transmission, security of availability, and its separation. We have also established procedures that guarantee the exercise of the rights of data subjects, deletion of data, and reaction to risks concerning the data. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data protection-friendly defaults (Article 25 GDPR).

Cooperation with data processors and third parties

If we disclose data to other persons and companies (data processors or third parties) within the scope of our processing, transmit the data to them or otherwise grant them access to the data, this shall only take place on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, in accordance with Article 6 (1) (b) GDPR is required for contract fulfilment), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties with the processing of data on the basis of a so-called "order processing contract", this is done on the basis of Article 28 GDPR.

Transmission to third countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or data disclosure or transfer to third parties, this will only take place to fulfil our (pre)contractual obligations, based on your consent, based on a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the particular requirements of Article 44 ff. GDPR are met. This means, for example, that the processing is carried out on the basis of special guarantees, such as the officially recognised determination of a data protection level equivalent to that of the EU (e.g., through the "Privacy Shield" for the USA) or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").

Rights of the data subjects

You have the right to request confirmation as to whether the data concerned are being processed and to request information about these data as well as further information and a copy of the data in accordance with Article 15 GDPR.

In accordance with Article 16 GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.

In accordance with Article 17 GDPR, you have the right to demand that relevant data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with Article 18 GDPR.

You have the right to request the data concerning you that you have provided to us in accordance with Article 20 GDPR and to request their transmission to other controllers.

In accordance with Article 77 GDPR, you have the further right to lodge a complaint with the responsible supervisory authority.

Right of withdrawal

You have the right to withdraw your consent in accordance with Article 7 (3) GDPR with effect for the future.

Right to object

You can object to the future processing of the data concerning you in accordance with Article 21 GDPR at any time. You can in particular object to processing for the purposes of direct advertising.

Cookies and right of objection to direct advertising

Cookies are small files stored on users' computers. A variety of data can be stored within cookies. A cookie serves primarily to save the data of a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, as well as "session cookies" or "transient cookies", are cookies which are deleted after a user leaves an online offering and closes their browser. For example, the content of a shopping cart in an online shop or a login status can be stored in a cookie of this kind. Cookies are referred to as "permanent" or "persistent" if they remain stored even after the browser has been closed. For example, this allows the login status to be saved if users visit the site again after several days. Likewise, users' interests may be stored in a cookie of this nature and used for measuring reach or marketing purposes. "Third-party cookies" are cookies that are offered by providers other than the data controller who operates the website (if it's only the data controller's cookies, they are referred to as "first-party cookies").

We may use temporary and permanent cookies and clarify this within the framework of our Privacy Policy.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Cookies that are already stored can be deleted in the system settings of the browser at any time. The exclusion of cookies can lead to functional restrictions of this website.

Users can declare a general objection to the use of cookies used for online marketing purposes for a large number of services, and in particular in the case of tracking, via either the US site or the EU site The storage of cookies can also be disabled in the browser settings. Please note that this may prevent the use of all functions of this online offering.

Deletion of data

The data processed by us shall be deleted or their processing restricted in accordance with Article 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data stored by us shall be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory storage obligations. If the data is not deleted because it is required for other legally permissible purposes, the processing of the data will be restricted. This means that the data will be blocked and not processed for any other purposes. This applies, for example, to data which must be retained for commercial or tax reasons.

In particular, pursuant to legal requirements in Germany, storage lasts for 10 years pursuant to §§ 147 (1) AO (Revenue Code), 257 (1) no. 1 and 4, (4) HGB (German Commercial Code) (books, records, management reports, accounting records, trading books, documents relevant for taxation, etc.) and for 6 years in accordance with § 257 (1) nos. 2 and 3, (4) HGB (commercial letters).

In particular, pursuant to legal requirements in Austria, storage lasts for 7 years in accordance with § 132 (1) BAO (Austrian Federal Revenue Code) (accounting documents, receipts/invoices, accounts, receipts, business papers, statement of income and expenditure, etc.), for 22 years in connection with properties, and for 10 years for documents in connection with electronically provided services, telecommunications, radio and television services provided to non-entrepreneurs in EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.


When contacting us (for example, by contact form, email, telephone or via social media), the user's details are processed for the handling of the contact enquiry in accordance with Article 6 (1) (b) GDPR. User information can be stored in a Customer Relationship Management System ("CRM System") or comparable ticket system.

We delete the enquiries if they are no longer necessary. We review as to whether they are required every two years; the legal archiving obligations also apply.

Hosting and sending emails

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services that we use for the purpose of operating this online offering.

In this regard, either we or our hosting provider process the inventory data, contact data, content data, contract data, usage data, as well as the meta and communication data of customers, interested parties and visitors of this online offering based on our legitimate interests in the efficient and secure provision of this website, in accordance with Article 6 (1) (f) GDPR in conjunction with Article 28 GDPR (conclusion of order processing agreement).

Google Analytics

Based on our legitimate interests (i.e., interests in the analysis, optimisation, and economical operation of our website in accordance with Article 6 (1) (f) GDPR), we use Google Analytics, a web analytics service provided by Google LLC ("Google"). Google uses cookies. The information generated by the cookie about the user's use of the website is generally transmitted to and stored on a Google server in the USA.

Google has become subject to the Privacy Shield agreement, thereby offering a guarantee of compliance with European data protection law (

On our behalf, Google will use this information to evaluate the use of our online offering by the user, to compile reports on the activities within this online offering and to provide us with other services related to the use of this online offering and the internet. Pseudonymous usage profiles of users may be created from the data processed.

We only use Google Analytics with IP anonymisation active. This means that users' IP addresses are shortened by Google within EU member states or other countries party to the Agreement on the European Economic Area. Only in exceptional cases will the entire IP address be transmitted to a Google server in the USA and truncated there.

The IP address sent by your browser will not be associated with other data held by Google. The user may refuse the use of cookies by selecting the appropriate settings in their browser; the user can also prevent Google from collecting the data generated by the cookie regarding your use of the contents data and the processing of this data by Google by downloading and installing the browser plugin available via the following link:

Further information on the use of data by Google, as well as options for settings and objections, can be found in Google's privacy policy ( and in the settings for the displaying of ads by Google (

Users' personal data will be deleted or anonymised after 14 months.

Online social media presence

We maintain online presences on social networks and platforms in order to communicate with active customers, interested parties, and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.

Unless otherwise stated in our Privacy Policy, we process the data of users who communicate with us on social networks and platforms, e.g., write posts on our pages or send us messages.

Integration of third-party services and content

On the basis of our legitimate interests (i.e., interest in the analysis, optimisation, and economic operation of our website within the meaning of Article 6 (1) (f) GDPR), we include content or service offerings from third parties so that we can incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content").

This always requires that the third-party providers of this content can see the IP address of users, since without the IP address, they would not be able to send the content to the users' browsers. Your IP address is therefore necessary in order to display this content. We strive to only use content whose respective provider uses the IP address solely for the delivery of content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. "Pixel tags" can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visiting time, and other information about the use of our website. It may also be linked to such information from other sources.


We integrate videos from the platform "YouTube" provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:, Opt out:

Google Fonts

We integrate fonts ("Google Fonts") provided by the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:, Opt out:

Google Maps

We integrate maps from the service "Google Maps" by the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, IP addresses and location data of the users, which, however, are not collected without their consent (as a rule within the framework of the settings of their mobile devices). The data may be processed in the USA. Privacy policy:, Opt out:

Created with by Attorney Dr Thomas Schwenke


Your booking data is also processed as follows: 

  • Your booking data (e.g. title, first name, last name, nationality, language, e-mail address, mobile telephone number, postal address, number of persons, arrival date, departure date, number of nights of stay and any visitor’s tax exemption) are forwarded to Bonfire AG and Zermatt Tourism (either by us or via our electronic booking system).
  • Your booking data is recorded in a central database by Bonfire AG and/or Zermatt Tourism. If accommodation providers take part in Zermatt Tourism e-mail marketing, the guest data is likewise stored with the third-party provider «Salesforce» and used as part of the business relationship between the accommodation provider and the guest.
  • Your booking data is processed exclusively in Switzerland and the EU.
  •  Based on this, Zermatt Tourism settles the visitor's tax owed and collects the corresponding amount from the service partners.
  • Zermatt Tourism also reports information to the Federal Statistical Office.
  • Bonfire AG and Zermatt Tourism grant the police access to the database with booking data so that the police can access relevant booking data for missing persons, for example.
  • Zermatt Tourism uses the booking data to collect statistics (in particular regarding occupancy, length of stay, number of arrivals, etc.).

The legal basis for this data processing is the fulfilment of a legal obligation within the meaning of Art. 6 para. 1 (c) GDPR (billing and collection of visitor's tax/reporting to the Federal Statistical Office) and in the sense of Art. 6 para. 1 (f) GDPR (granting access to the police/collection of statistics). 

Your booking data is only used for direct marketing purposes (e.g. newsletter distribution) if you have given us your consent for this.

More information on the processing of your data by Zermatt Tourism or Bonfire AG can be found in the Zermatt Tourism privacy policy: