«THE OMNIA» DATENSCHUTZERKLÄRUNG

1. What is this privacy policy about?
2. Who is responsible for processing your personal data?
3. How do we process personal data in connection with our products and services?
4. How do we process personal data in connection with advertising?
5. How do we process personal data in connection with our website?
6. How do we process personal data via social media?
7. How do we work with service providers?
8. Who else do we disclose your personal information to?
9. Can we disclose personal data abroad?
10. Are there any other edits?
11. How long do we process personal data?
12. How do we protect your personal data?
13. Are there any other points that need to be considered?
14. What are your rights?
15. Can this privacy policy be changed?

Status: 17.06.2023

1. What is this privacy policy about?

"Personal data" is any information that can be associated with a specific individual, and "process" means any handling of it, such as obtaining, using and disclosing it. We explain in this privacy statement how we do this, primarily in the course of our business activities and in connection with our website https://www.the-omnia.com/. If you would like more information about our data processing, please feel free to contact us (section 2).

We have aligned this privacy policy with Swiss data protection law, to which we are primarily subject. However, it may be that we are also subject to the European General Data Protection Regulation (GDPR) for certain processing operations. In this case, you will find corresponding information in this data protection declaration. However, the applicability of the GDPR can only be assessed on a case-by-case basis. If you have any questions about this, please feel free to contact us.

2. Who is responsible for processing your personal data?

For data processing under this Privacy Policy, the following company is the "responsible party", i.e. the party primarily responsible under data protection law (also "we"):

THE OMNIA AG
Auf dem Fels
3920 Zermatt
Switzerland

If you have any questions about privacy, please feel free to contact us by mail or as follows:

info@the-omnia.com

You may provide us with personal data that also relates to other persons, such as family members or other persons for whom you book our services. We understand this as confirmation that this personal data is correct. Since we often have no direct contact with these third parties, we ask you to inform them about our processing of their personal data (e.g. by referring to this privacy policy).

3. How do we process personal data in connection with our products and services?

When you use our products and services (collectively "Services"), we process personal data for the preparation of the conclusion of the contract and for the performance of the corresponding contract:

• When we are in contact with you with regard to a contract, we process data, e.g. when you book a hotel room, make a reservation for our restaurant, order a voucher, or make use of other services during a stay with us. This mainly concerns data that you provide to us, e.g. name, contact details, date of birth, details of services requested and the date of contact. We also process your personal data if you contact us and this contact does not result in the conclusion of a contract, for example if you send us inquiries by telephone, WhatsApp, e-mail, via our chatbot on our website or via other means of communication. In this case, we also process data that you transmit to us, e.g. name, contact data, information on the content of the communication and the date of contact.
• If we conclude a contract with you, we process the personal data from the run-up to the conclusion of the contract (see above) and information on the conclusion of the contract itself (e.g. the conclusion date and the subject matter of the contract). Booking data for hotel stays are also forwarded to Zermatt Tourism and Bonfire AG (see section 8 below for details).
• We also process personal data during and after the term of the contract. This concerns, for example, data on the purchase of services, but also on payments, contacts with hotel staff, mutual claims, complaints, data on the termination of the contract and - if disputes arise in connection with the contract - also on these and corresponding procedures. We use this personal data because we cannot execute contracts without them. In this context, we may also process particularly sensitive personal data. This concerns in particular health data such as allergies, food intolerances, physical limitations or special medical needs. However, we generally only process particularly sensitive personal data if it is necessary for the provision of a service, you have provided us with this personal data of your own accord or you have consented to the processing.
• We also process the aforementioned personal data for statistical evaluations (e.g. which services are best received, in which regions and at what times the services are most popular, evaluations of customer groups, etc.). Such evaluations support the improvement and development of services and business strategies. We may also use them on a personal basis for marketing purposes; for this purpose, please refer to section 4 for further details. We may also advertise our services, e.g. through newsletters. You can also find more information on this under section 4.

In the case of contractual partners that are companies, we process in particular data of the contact persons with whom we are in contact, e.g. name, contact details, professional details and details from communication, and details of management persons etc. as part of the general information about companies with which we work.

4. How do we process personal data in connection with advertising?

We also process personal data to advertise our services:

• Newsletters: We send electronic newsletters that contain advertising for our services and offers. We ask for your consent beforehand, except when we promote certain offers to existing customers. In this context, in addition to your name and e-mail address, we may also process information about which services you have already used, whether you open our newsletters and which links you click on. For this purpose, our e-mail dispatch service provider provides a function that essentially works with invisible image data that is loaded from a server via a coded link and thereby transmits the relevant information. This is a common method that helps us assess the effect of newsletters and optimize our newsletters. You can avoid this measurement by setting your e-mail program accordingly (e.g. by switching off the automatic loading of image files).
• Market research: We also process personal data to improve services and develop new products, e.g. information about your response to newsletters or information from customer surveys and polls or from social media, media monitoring services and public sources.

5. How do we process personal data in connection with our website?

5.1 General notes

As a rule, you can use our website without disclosing any personal data to us. In this case, we can assign the accruing data to certain visitors, but not to persons known by name. In this sense, the corresponding data is generally not personal. However, if you provide us with your name, an e-mail address or other personal data via our website, we process this personal data and can thus establish a link between you and otherwise non-personal online data. In this case, we may also collect Online Data in connection with your continued use of the Site, and we may combine Online Data with other Personal Data about you in our systems and process it on a personal basis for additional purposes.

5.2 What personal data do we process in connection with our website?

Every time you use our website, certain data is collected for technical reasons and temporarily stored in log files (log data), in particular the IP address of the end device, information about the Internet service provider and about the operating system of your end device, information about the referring URL, information about the browser used, date and time of access, and content accessed when visiting the website. We use this data so that our website can be used, to ensure system security and stability and to optimize our website, and for statistical purposes. Insofar as the GDPR is applicable, the legal basis is Art. 6 para. 1 lit. b and lit. f GDPR (user agreement, legitimate interest).

We collect further data about your behavior in connection with the use of our website. We also use cookies for this purpose. These are small text files that are stored in the browser or end device and are read when the website is accessed again. Cookies usually contain an anonymous identification number, so that we can recognize returning visitors as such, and other information about the visitors' behavior or settings on the website. Depending on the purpose of use, a distinction can be made between necessary cookies, performance cookies and marketing cookies:

• Necessary cookies are necessary for the functioning of the website.
• Performance cookies collect and analyze information about the use of our website so that we can improve content and presentation and tailor it to users.
• Marketing cookies are used by us and advertising contractors to track content viewed and other actions taken within the website.

If you do not agree with the use of cookies, you can configure your browser so that it generally does not accept cookies or no cookies from us. Our website remains usable, but certain functions may not be available or only to a limited extent.

Other technologies have a similar goal as cookies and can also record behavior within the website. "Fingerprinting", for example, combines certain information (such as your IP address and information about the browser, screen resolution or language selection). This combination is more or less unique, so we can associate related behavioral data with individual - but not necessarily named - users. In the case of "pixels," invisible image files are loaded in a website or an e-mail via a coded link from a server that records the corresponding call and the data transmitted with the link. This can also be used to record behavior within the website.

5.3 For what purposes do we process this personal data?

We process online data in particular for the following purposes:

• Operation of the website and its content, including content from third parties (see para. 5.6 for further details).
• Provision of certain content and functions and communication with you (e.g. contact form, registration for newsletter, chatbot).
• Safety and stability.
• Statistics, measurement and improvement of offers (aggregated evaluations of the use of the website. We also use performance and marketing cookies for this purpose; you can find more information on this under para. 5.4)
• Market research and marketing (e.g. newsletters, display of advertising within the website and on third-party sites, also personalization of content; we also use performance and marketing cookies for this purpose; for further details, please refer to para. 5.5).
• Compliance with legal and regulatory requirements.
• Defense and enforcement of claims.

Insofar as the GDPR applies, the legal basis is Art. 6 para. 1 lit. a (consent, in particular for the purposes of marketing and statistical analysis using performance and marketing cookies) and for existing customers Art. 6 para. 1 lit. f GDPR (legitimate interest). You can revoke your consent at any time with effect for the future.

5.4 How do we obtain evaluations and statistics?

We use service providers to analyze the behavior of visitors to our website. They may receive log data and other online data from us and may themselves use cookies and similar technologies to collect online data about our website:

Google Analytics: We use the analysis service "Google Analytics" operated by a company of Google in Ireland ("Google"). In the process, performance cookies (para. 5.2), data about the behavior on our website is recorded (duration and frequency of page views, content accessed, geographical origin of access, etc.), and on this basis Google creates evaluations of the use of our website for us. Google uses Google LLC in the USA as an order processor, whereby IP addresses (this makes it most likely that individual persons can be identified) are shortened before being forwarded to Google LLC. Nevertheless, we cannot rule out the possibility that Google may use the collected online data for its own purposes to draw conclusions about the identity of visitors, create personal profiles and link this data to Google accounts. If you agree to the use of Google Analytics, you expressly consent to such processing, which also includes the transfer of online data to the USA. Information about Google Analytics privacy can be found at https://support.google.com/analytics/answer/6004245, and if you have a Google account, you can find information about Google's processing at https://policies.google.com/technologies/partner-sites?hl=de. You can disable Google Analytics by installing a browser extension at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

5.5 How do we do online marketing?

We and our advertising partners (currently in particular Google Ads and Facebook) have an interest in controlling online advertising for specific target groups, i.e. to show only those people whom we want to address the advertising. For this purpose, we and our advertising contract partners - if you consent - also use cookies that can be used to record the content accessed. This enables us and our advertising partners to display advertising online that we believe will be of interest to you on our website, but also on third-party websites that display advertising from us or our advertising partners.

5.6 How do we integrate third-party content into our website?

We may embed content from third-party providers on our website, e.g. fonts, images, videos, etc. The respective providers can thereby record the IP address of the users, among other things. They may also set their own cookies and use the users' data for their own purposes. This concerns the following providers in particular:

• Google Fonts and Youtube: Fonts and videos from Google, Inc, USA.
  Privacy policy: http://www.google.com/policies/privacy;
  Opt-out: https://www.google.com/settings/ads.
• reCAPTCHA from Google to be able to recognize machine input;
• Google Tag Manager by Google to manage Google Analytics and Google Ads. Usage guidelines: http://www.google.com/intl/de/tagmanager/use-policy.html.
• Facebook Pixel by Meta. Information https://www.facebook.com/policy.php.

6. How do we process personal data via social media?

We operate our own presences on social networks and other platforms (currently a Facebook fan page, an Instagram account and a YouTube channel). If you communicate with us there or comment on or disseminate content, we collect information, which we use primarily for communication with you, for marketing purposes and for statistical evaluations (see para. 5.4). The platforms may collect further online data, e.g. log data (para. 5.2) and other data. On this basis, these platforms can evaluate how you use our online offer (e.g., which content you view, what you comment on, "like" or forward, etc.), and they can combine this behavioral data with other information about you (e.g., information about age or gender) and thereby create profiles about you and statistics about the use of the appearances. The platforms use this information to personalize advertising and content, for market and user research and to provide us and third parties with statistical user information. The respective providers also collect and use online data for their own purposes, possibly together with other data known to them, e.g. for marketing purposes or to personalize content. Insofar as we are jointly responsible with the provider, we enter into a corresponding agreement, about which you can obtain information from the respective provider.

We process the data we receive from the platforms for the purposes described in section 4, especially for communication, marketing purposes and market research. Content published by you (e.g. comments) may be redistributed by us (e.g. in our advertising on the platform or elsewhere), and we and the provider may delete content in accordance with the usage policy.

Further information about the processing of the platform operators (e.g. to which countries personal data is disclosed or which data subject rights you have) can be found in the privacy policy of the respective provider.

7. How do we work with service providers?

We use various services from third parties, especially IT services (examples are providers of hosting and data analysis services, the reservation platform for our restaurant, the booking platform we use for the hotel, the chatbot integrated on our website), logistics services and services from banks, the post office, consultants, etc. In doing so, these service providers may also process personal data to the extent necessary. For service providers for our website, e.g. for statistical purposes, for optimization and personalization of the content and for online marketing, please refer to section 5.

8. Who else do we disclose your personal information to?

We primarily provide data to service providers pursuant to section 7 disclosed. If you book services from partner companies through us (e.g. transport services or tourist services from third parties), we forward the data required for booking to these third parties.

Your booking data will also be processed as follows:

• Your booking data will be forwarded to Bonfire AG and Zermatt Tourism (either by us or via our electronic booking system).
• Your booking data is recorded in a central database by Bonfire AG and/or Zermatt Tourism.
• Based on this, Zermatt Tourism shall settle the tourist tax owed and collect the corresponding amount from the service partners.
• Zermatt Tourism also reports to the Swiss Federal Statistical Office.
• Bonfire AG and Zermatt Tourism grant the police access to the database with booking data so that the police can, for example, retrieve the corresponding booking data in the case of missing persons.
• Zermatt Tourism uses the booking data to collect statistics (in particular regarding occupancy, length of stay, number of arrivals, etc.).

The legal basis for this data processing lies in the fulfillment of a legal obligation within the meaning of Art. 6 para. 1 lit. c GDPR (billing and collection of tourist tax / reporting to the Federal Statistical Office) or in the protection of a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR (granting access to the police / collection of statistics).

We may also otherwise disclose your personal data to authorities and agencies, e.g. in connection with the exercise of rights, the defense of claims and the fulfillment of legal requirements, such as in the context of official, judicial and pre- and extrajudicial proceedings and in the context of legal obligations to provide information and to cooperate.

9. Can we disclose personal data abroad?

Yes. The recipients of personal data are not only located in Switzerland. This applies in particular to certain service providers (e.g. IT service providers). These have locations both within the EU or the EEA, but also in other countries worldwide, such as Google (section 3). We may also transfer personal data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings (see section 10).

Not all of these countries have adequate data protection. We compensate for the lower level of protection through appropriate contracts, especially the so-called standard contractual clauses of the European Commission, which can be accessed here. In certain cases, we may transfer personal data in accordance with data protection requirements even without such contracts, e.g. if you have consented to the corresponding disclosure or if the disclosure is necessary for the performance of the contract, or the establishment, exercise or enforcement of legal claims or for overriding public interests.

10. Are there any other edits?

Yes, because very many processes are not possible without processing personal data, including common and even unavoidable internal processes. This cannot always be precisely determined in advance, nor the extent of the data processed in the process, but you will find details of typical (though not necessarily frequent) cases below:

• Communication: When we are in contact with you (for example, when you write to us or use a contact form or chatbot on our website), we process communication content information about the nature, timing and location of the communication. For your identification, we may also process information about proof of identity.
• Prevention: We process personal data to prevent criminal offenses and other violations, e.g., in the context of fraud prevention or internal investigations.
• Statistics: We process personal data for statistical evaluations to measure and improve offers and processes (not only, but also about the use of our website; for more information, please refer to para. 5.4).
• Legal proceedings: To the extent that we are involved in legal proceedings (e.g., a court or administrative proceedings), we process personal data, e.g., about parties to the proceedings and other persons involved, such as witnesses or respondents, and disclose personal data to such parties, courts and authorities, possibly also abroad.
• IT security: We also process personal data for monitoring, controlling, analyzing, securing and reviewing our IT infrastructure, as well as for backups and archiving data.
• Competition: We process personal data about our competitors and the market environment in general. We may also process personal data about key individuals, in particular name, contact details, role or function and public statements.
• Transactions: If we sell or acquire receivables, other assets, business units or companies, we process personal data to the extent necessary to prepare and execute such transactions, e.g. information about customers or their contact persons or employees, and also disclose corresponding personal data to buyers or sellers.
• Other purposes: We process personal data to the extent necessary for other purposes such as training and education, administration (e.g. contract management, accounting, enforcement and defense of claims, evaluation and improvement of internal processes, preparation of anonymous statistics and evaluations; acquisition or disposal of receivables, businesses, parts of businesses or companies and safeguarding other legitimate interests).

11. How long do we process personal data?

We process your personal data as long as it is necessary for the purpose of processing (in the case of contracts, usually for the duration of the contractual relationship), as long as we have a legitimate interest in storing it (e.g. to enforce legal claims, for archiving and or to ensure IT security) and as long as personal data is subject to a retention obligation. For contractual data, for example, a legal obligation to retain data may apply, e.g. for accounting records (storage period of 10 years). The duration of our processing of personal data therefore depends on legal and internal regulations and on the processing purposes, which also include the protection of our interests, e.g. to enforce or defend claims or for documentation and evidence purposes. After these periods have expired, we delete or anonymize your personal data.

12. How do we protect your data?

We treat personal data confidentially and take appropriate security measures of a technical and organizational nature to maintain the confidentiality, integrity and availability of your personal data, to protect it against unauthorized or unlawful processing and to counteract the risk of loss, unintentional modification, unintentional disclosure or unauthorized access. Our employees and the service providers commissioned by us are obliged to maintain confidentiality.

However, we would like to draw your attention to the fact that despite extensive technical and organizational security precautions, the possibility exists that personal data may be lost or intercepted and/or manipulated by third parties. We accept no liability in the event that a third party modifies, views, adopts, uses or exploits the data entered by you or by us. In particular, you should keep payment information confidential and close the browser window when you have finished communicating with us.

13. Are there any other points to consider?

Depending on the applicable law, data processing is only permitted if the applicable law specifically allows it. This does not apply under the Swiss Data Protection Act, but does apply under the GDPR, for example, insofar as it applies (which can only be determined on a case-by-case basis). In this case, we base the processing of your personal data on the fact that it is necessary for the preparation and execution of contracts (section 3), that it is necessary for legitimate interests of us or third parties, e.g. for statistical evaluations (section 3) or for marketing purposes (section 4), that it is required or permitted by law, or that you have separately consented to the processing. You will find the relevant provisions in Art. 6 and 9 of the GDPR.

14. What are your rights?

To help you control the processing of your personal data, you have various rights in connection with our data processing under applicable law:

• the right to request information from us as to whether and which of your personal data we process;
• the right to have us correct personal data if it is inaccurate;
• the right to object to our processing for specific purposes and to request the restriction or deletion of personal data, unless we are obliged or entitled to continue processing;
• the right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;
• the right to withdraw consent, insofar as our processing is based on your consent.

Applicable data protection law also grants you the right to object to the processing of your personal data under certain circumstances, in particular for direct marketing purposes, profiling used for direct marketing and other legitimate interests.

Please note that certain requirements may need to be met in order to exercise your rights and that exceptions or limitations may apply (e.g., to protect third parties or trade secrets).

If you wish to exercise any rights against us, please contact us in writing (see section 2). In order for us to be able to exclude misuse, we must identify you.

If you do not agree with our handling of your rights or data protection, please let us know at the contact points listed in section 2.

You also have the right to complain about our data processing to the competent supervisory authority, in Switzerland the FDPIC: (http://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/adresse.html).

15. Can this privacy policy be changed?

This privacy policy is not part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.

DISCLAIMER: The English version is a translation of the original in German for information purposes only. In case of a discrepancy, the German original will prevail.