// //

Privacy Policy

Section I – Data Controller and Contacts

Art. (1) The data controller responsible for collecting, processing, and storing your personal data is:

Legal Name: Le Rucher d'Evolène SA
Company Number: CHE-436.917.429
Registered Office: 3 Route du Contor, 1983 Evolène, Switzerland
Phone: +41 79 376 49 14
Email: bonjour@rucher.com
Website: https://rucher-evolene.com/ 

(2) For all matters relating to the protection of your personal data, you can contact us using the above contact details. We are committed to responding to your inquiries within 30 days.

(3) As we do not process Personal Data on a large scale, we have not appointed a dedicated Data Protection Officer. All data protection responsibilities are handled by our management team.

Art. 2 (1) If you believe your data protection rights have been violated, you may have the right to lodge a complaint with:

Swiss Federal Data Protection and Information Commissioner (FDPIC)
 (Le Préposé fédéral à la protection des données et à la transparence - PFPDT)
Address: Feldeggweg 1, CH-3003 Berne, Switzerland
Phone: +41 (0)58 462 43 95
Email: info@edoeb.admin.ch
Website: www.edoeb.admin.ch

(2) In addition, you may have the right to lodge a complaint with the supervisory authority in your country of residence. A complete list of EU Data Protection Authorities is available at:
https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

(3) Lodging a complaint with a supervisory authority is free of charge and does not affect your right to seek judicial remedies.

Section II – Definitions and Principles

Art. 3 For the purposes of this Privacy Policy, the following terms have the meanings set out below:

"Data Controller" means the natural or legal person, public authority, agency, or other body which determines the purposes and means of Processing Personal Data. In the context of this Policy, the Data Controller is Le Rucher d'Evolène SA.

"Personal Data" means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or other factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. Examples include: name, email address, phone number, booking details, IP address.

"Processing" means any operation performed on Personal Data, whether automated or not, including collection, recording, organization, storage, adaptation, use, disclosure, transmission, restriction, erasure, or destruction. In our hotel, Processing includes all activities necessary to manage bookings, provide accommodation, and deliver services.

"Data Subject" means any natural person whose personal data is processed by the Data Controller. In this Policy, data subjects include hotel guests (registered and non-registered), prospective guests, and newsletter subscribers.

"Recipient" means any natural or legal person, public authority, agency, or other body to whom personal data is disclosed. Recipients may include courier services, payment processors, accounting firms, and IT service providers who assist us in operating our hotel.

"Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of their personal data. Consent must be given by a clear affirmative action (e.g., ticking a checkbox).

"Processor" means any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller. Processors act only on documented instructions from the Controller and are contractually bound to implement appropriate data protection measures.

Section III – Categories of Data and Legal Bases

Art. 4 (1) The Data Controller processes Personal Data exclusively in connection with the operation of the hotel, including reservation management, provision of accommodation services, guest relationship management, and fulfillment of legal obligations. The scope of data collection is limited to what is strictly necessary to deliver high-quality hospitality services and maintain operational efficiency.

(2) All Processing activities are grounded in one of the lawful bases established by the Swiss Federal Act on Data Protection (revDSG) and the General Data Protection Regulation (GDPR).

(3) In accordance with the principle of data minimization, the Data Controller collects only the minimum amount of Personal Data necessary to achieve the specified and legitimate purposes. This means that the Data Controller refrains from collecting data that is merely convenient or potentially useful in the future, focusing instead on what is genuinely required for the provision of services or compliance with legal obligations.

Art. 5 The table below provides a structured overview of the categories of Personal Data processed by the hotel and the specific purposes for which such data is used.

Data Category Data Collected Purpose of Processing Legal Basis (revDSG / GDPR)
Booking & Accommodation Data Full name, email, phone number, postal address, stay dates, number of guests, special requests Reservation management, communication with guests, provision of accommodation revDSG Art. 6(2)(b) / GDPR Art. 6(1)(b) – performance of a contract
Payment Data Payment method, last four digits of credit card, transaction reference numbers, IBAN, billing address, company details Processing payments, issuing invoices, compliance with accounting and tax obligations Contract: revDSG Art. 6(2)(b) / GDPR Art. 6(1)(b)
Legal obligation: revDSG Art. 6(2)(c) / GDPR Art. 6(1)(c)
Identification Data (Check-In) ID type, number, issuing country, expiry date, nationality Mandatory guest registration, public safety, compliance with Swiss hotel laws revDSG Art. 6(2)(c) / GDPR Art. 6(1)(c) – legal obligation
Marketing & Loyalty Data Booking history, stay preferences, service preferences, communication channel preferences, marketing engagement data (if Consented) Direct marketing, personalized offers, loyalty program management revDSG Art. 6(6) / GDPR Art. 6(1)(a) – explicit consent
Technical & Security Data IP address, device type, operating system, browser version, server logs, referral sources, timestamps Website security, detection of cyber threats, ensuring stability and performance revDSG Art. 6(2)(f) / GDPR Art. 6(1)(f) – legitimate interest
Guest Communication Data Name, contact details, content of emails/messages, logged phone inquiries, communication records linked to bookings Managing inquiries, complaints, service quality, handling pre-contractual requests Contract: revDSG Art. 6(2)(b) / GDPR Art. 6(1)(b)
Legitimate interest: revDSG Art. 6(2)(f) / GDPR Art. 6(1)(f)
Special Categories of Data Health data disclosed voluntarily (allergies, mobility needs, medical dietary requirements) Providing special accommodations and tailored services revDSG Art. 6(7) / GDPR Art. 9(2)(a) – explicit consent
Profiling (non-automated) Booking patterns, preferences, stay frequency, general geographic info Personalized recommendations and offers (no significant effects) Explicit consent of the data subject

Art. 6 (1) The Data Controller does not collect or process special categories of Personal Data unless strictly necessary. The hotel’s systems and procedures are designed to operate without requiring such sensitive information.

(2) Limited health-related data may be processed only when the Data Subject voluntarily provides it to enable specific accommodations (e.g., accessible rooms or dietary requirements).

(3) Such data is processed exclusively on the basis of explicit Consent and only for the stated purpose. Access is strictly limited, the data is encrypted, and it is deleted shortly after Check-out unless required for legal claims.

Art. 7 (1) The Data Controller processes children’s data only as necessary for family reservations, typically limited to name, age, and stay-related requirements.

(2) For children under 16, Processing occurs only with Consent from a parent or legal guardian, confirmed during the booking process. Parents and guardians may exercise all applicable data protection rights on behalf of their children, and verification may be requested to ensure lawful access.

Section IV – Retention Periods

Art. 8  (1) The Data Controller retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. Different categories of data are subject to different retention periods based on their purpose and the legal basis for Processing.

(2) Retention periods are determined based on the legal basis for Processing, statutory retention obligations under Swiss commercial and tax law, limitation periods for legal claims, and the operational needs of the hotel business. The Data Controller maintains internal policies documenting these retention periods and regularly reviews them to ensure continued compliance.

(3) The table below outlines the specific retention periods applicable to each category of Personal Data processed by the Data Controller.

Category of Data Retention Period
Booking and Accommodation Data 10 years
Identification Data 10 years
Payment and Financial Data 10 years
Marketing and Loyalty Data Until consent is withdrawn;
Consent logs retained 3 years after withdrawal
Technical Data and Logs Up to 12 months, longer only for security investigations
Guest Communication Records 3 years from last communication;
10 years if part of contractual or booking documentation
CCTV Recordings 30 days; longer only for legal or insurance purposes

Section V - Data Subject Rights

Art. 9 (1) As a Data Subject whose Personal Data is processed by the Data Controller, the individual has the right to exercise a comprehensive set of rights designed to ensure transparency, enable control over personal information, and provide remedies in case of improper Processing. These rights are established by the Swiss Federal Act on Data Protection and the General Data Protection Regulation and may be exercised at any time.

(2) To exercise any of these rights, the Data Subject should submit a written request to the Data Controller using the contact details provided in Article 1 of this Privacy Policy. Requests may be submitted by email to contact@rucher-evolene.ch, by phone at +41 79 376 49 14, or by postal mail addressed to Le Rucher d'Evolène SA, 3 Route du Contor, 1983 Evolène, Switzerland.

(3) Exercising these rights is free of charge for the Data Subject, except in cases where requests are manifestly unfounded, excessive, or repetitive, in which case the Data Controller may charge a reasonable administrative fee or refuse to act on the request. Before applying any such fee or refusal, the Data Controller will inform the Data Subject and provide an opportunity to withdraw or clarify the request.

(4) Among other things, Data Subjects whose data is processed are entitled under certain prerequisites to the following rights, it may exercise by submitting a written request to the Data Controller using the contact details provided in Article 1 of this Privacy Policy:

  • Right of access: Data Subjects may request confirmation of whether personal data concerning them is being processed. If such Processing takes place, they are entitled to receive access to that data as well as further information regarding the purposes, categories, recipients, retention periods, and other relevant aspects of the Processing.
  • Right to rectification: Data Subjects may request the correction of inaccurate or incomplete personal data concerning them.
  • Right to erasure (“right to be forgotten”): Individuals can request deletion when data is no longer necessary, consent is withdrawn, processing is unlawful, or they have successfully objected. 
  • Right to restrict processing: Individuals can request limitation of processing (without deletion) in specific cases, such as accuracy disputes, unlawful processing where deletion is not desired, or pending legal claims. 
  • Right to data portability: Individuals can obtain personal data they provided in a structured, commonly used, machine-readable format and request its transmission to another controller. 
  • Right to object: Individuals may object at any time to processing, including direct marketing. 
  • Right to withdraw consent: Data Subjects can revoke their consent for data processing at any time, using the same simple methods as when giving Consent (e.g., unsubscribe links in emails, adjusting cookie preferences, emailing, calling, or informing reception staff).
  • Right to lodge a complaint: If a Data Subject believes their data protection rights have been violated, they may file a complaint with the relevant supervisory authority (see Article 2 (1) and (2) above), regardless of other possible remedies or actions taken with the Data Controller. 

Section VI - Data Sharing and Recipients

Art. 10 The Data Controller discloses Personal Data to third parties only when necessary to fulfill the purposes described in Section III of this Privacy Policy or when required by applicable law. All Recipients who receive access to Personal Data are contractually bound to protect that data and to process it only in accordance with the Data Controller's documented instructions and applicable data protection regulations.

Art. 11 (1) The Data Controller engages payment service providers to securely process credit card transactions and other forms of electronic payment. These providers have access to payment information necessary to authorize and complete transactions but do not receive access to other guest data unrelated to the payment process. All payment processors maintain PCI-DSS certification and implement industry-standard security measures to protect financial data.

(2) The Data Controller is legally obligated to share certain Personal Data with Swiss governmental authorities, including the local police for guest registration purposes, tax authorities for verification of financial declarations, and other agencies when legally compelled by court order or statutory requirement. 

(3) External accounting firms and tax advisors receive financial data, including guest names and invoice details, to enable the Data Controller to fulfill its statutory obligations under Swiss commercial and tax law. These professional service providers are bound by legal and contractual confidentiality obligations and process data solely for the purpose of providing accounting, bookkeeping, and tax compliance services.

Art. 12 (1) The Data Controller utilizes Amazon Web Services EMEA SARL, with registered offices at 38 avenue John F. Kennedy, L-1855 Luxembourg, to provide cloud hosting and data storage infrastructure. Data processed through AWS is stored on servers physically located in data centers within France, which is part of the European Economic Area. For compliance with GDPR, AWS implements the European Commission's Standard Contractual Clauses and participates in the EU-US Data Privacy Framework; for compliance with Swiss law, AWS participates in the Swiss-US Data Privacy Framework and benefits from Switzerland's recognition of the European Union as providing adequate data protection.

(2) For website analytics purposes, the Data Controller uses Matomo, operated by InnoCraft Ltd, 7 Waterloo Quay, PO Box 625, 6140 Wellington, New Zealand. Matomo processes aggregated usage statistics and technical data, with servers located in both New Zealand and Germany. The European Commission has issued an adequacy decision recognizing New Zealand as providing adequate data protection, and Switzerland similarly recognizes both New Zealand and the European Union as jurisdictions with sufficient protection, ensuring that data transfers to Matomo comply with both GDPR and Swiss requirements.

(3) The Data Controller engages Yellow Cactus, located at 10 bis rue du Bel Air, 92310 Sèvres, France, for specialized hotel technology services. As Yellow Cactus is established within France, data transfers benefit from Switzerland's recognition that the European Union guarantees an adequate level of protection, and any potential transfers to the United States are covered by the Swiss-US Data Privacy Framework.

Art. 13 (1) While the Data Controller prioritizes Processing Personal Data within Switzerland and the European Economic Area, certain third-party service providers that support hotel operations maintain infrastructure or Processing facilities in countries outside these jurisdictions. 

(2) For transfers to countries that have not received an adequacy decision from the European Commission or recognition from Switzerland, the Data Controller implements Standard Contractual Clauses adopted by the European Commission and approved by the Swiss Federal Data Protection Commissioner. These contractual clauses impose binding obligations on data Recipients to protect Personal Data according to European and Swiss standards, provide Data Subjects with enforceable rights, and establish audit mechanisms to verify compliance.

Art. 14 The Data Controller does not currently participate in any joint controllership arrangements, whereby two or more controllers jointly determine the purposes and means of Processing. 

Section VII - Security Measures

Art. 15 (1) The Data Controller implements appropriate technical and organizational security measures to protect Personal Data against unauthorized access, accidental loss, destruction, alteration, or unlawful disclosure. These measures are implemented in accordance with applicable data protection laws and are regularly reviewed and adapted in line with technological developments.

(2) Access to Personal Data is limited to individuals who require such access to perform their duties and are bound by confidentiality obligations.

(3) The Data Controller has procedures in place to identify, assess and handle data protection incidents in compliance with applicable laws.

Section VIII - Cookies and Online Tracking

Art. 16 (1) Our website uses cookies and similar technologies to ensure essential functionality and to improve the user experience. Essential cookies are necessary for the proper operation of the website and cannot be disabled.

(2) We may also use non-essential cookies (such as analytics or marketing cookies) to better understand how our website is used or to provide personalised content. The use of such cookies is voluntary and requires the Data Subject’s consent where required by applicable law.

(3) Consent for non-essential cookies may be withdrawn at any time by adjusting the browser settings, which allow users to block or delete cookies. Detailed information about all cookies used on the website – including analytics services and third-party providers – is available in our Cookie Policy.

Section IX - Policy Updates 

Art. 17 We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal requirements. The current version is published on our website.

Art. 18 This Privacy Policy enters into force on 17.02.2026 and supersedes all previous privacy notices, policies, or statements issued by the Data Controller.