Privacy Policy

Last updated: 8 June 2026. This privacy policy describes how Alpenroute Editorial AG ("we", "us", "the desk") collects, stores, uses and discloses personal data in connection with the website kunshauses.sbs and the editorial services described on it. It applies to all visitors, whether based in Switzerland, the European Union or elsewhere.

We take data protection seriously. Our operating model — reader-funded, commission-free, independent — means we have no commercial incentive to profile you or sell your data to advertisers. The following sections explain exactly what data we touch and why.

1. Who we are (the data controller)

The data controller is:

For data-protection enquiries you may write to the postal address above, clearly marked "Data Protection", or use the email address [email protected] with subject line "Privacy enquiry".

2. Legal framework

Our primary legal framework is the Swiss Federal Act on Data Protection (revFADP / nFADP), which came into force on 1 September 2023. Because we receive visitors and enquiries from the European Union and European Economic Area, we additionally comply with the EU General Data Protection Regulation (GDPR, Regulation EU 2016/679) where it applies to EU data subjects. References to "applicable law" in this policy cover both instruments.

Switzerland is recognised by the EU as a country providing an adequate level of data protection for the purposes of Article 45 GDPR, meaning no special transfer mechanism is required for data flows between the two.

3. What personal data we collect and how

We collect personal data in the following ways:

3.1 Contact and enquiry form

When you complete the contact form on the contact page, we collect: your full name; your email address; the plan tier you selected; the Swiss region you indicated; and the text of your message. This data is submitted via an encrypted HTTPS POST request and stored in our internal correspondence log. We do not collect your IP address in connection with form submissions.

3.2 Direct email

If you email us directly at [email protected], we receive your email address, any name or contact details you include, and the content of your message. Email is stored on our hosted mail server in a Swiss data centre.

3.3 Paid plan subscriptions

If you purchase a Route Plan or Full Itinerary subscription, we collect billing name, email address and payment confirmation data. We do not store credit card numbers or payment credentials ourselves; payment processing is handled by our payment provider, which operates under its own privacy policy. We receive only a transaction reference and the plan tier purchased.

3.4 Server access logs

Our web server maintains standard access logs that record the IP address, requested URL, HTTP status code, timestamp and user-agent string for each request. These logs are retained for 30 days for the purpose of diagnosing technical errors and detecting abuse. They are not used for profiling, advertising or behavioural analysis, and are not shared with third parties except as required by law.

3.5 Cookies and tracking

This website does not deploy advertising cookies, tracking pixels, analytics cookies or third-party profiling scripts of any kind. We do not use Google Analytics, Facebook Pixel, Google Tag Manager, or any similar service. The only cookies that may be set are strictly essential session cookies created by the web server. These are temporary, contain no personal identifiers, and are deleted when you close your browser. You do not need to accept or decline a cookie banner to use this site normally, because no consent-requiring cookies are placed.

4. How we use your data

We use the data we collect for the following purposes and no others:

• Responding to your enquiry and delivering the travel guidance you requested;
• Administering your subscription plan, including delivery of itinerary documents;
• Issuing invoices and processing refunds where applicable;
• Diagnosing and correcting technical problems with the website;
• Detecting and preventing fraudulent or abusive access.

We do not use your data for automated decision-making, profiling, or marketing communications. We do not send newsletters or promotional emails. If you enquire about a specific itinerary, we may send one follow-up email if we need additional information to complete your request. We will not contact you after your enquiry has been resolved unless you write to us again.

5. Legal bases for processing

Under the GDPR (for EU residents), our legal bases for processing are:

• Contract performance (Article 6(1)(b) GDPR): for processing your name, email and plan details to deliver the service you paid for or requested;
• Legitimate interests (Article 6(1)(f) GDPR): for server access logs used solely for technical security and error diagnosis, where this does not override your fundamental rights;
• Consent (Article 6(1)(a) GDPR): when you tick the consent checkbox on the contact form, you consent to us storing your enquiry details for the purpose of responding.

Under the Swiss nFADP, our legal bases are the same in substance: contractual necessity, overriding legitimate interests, and your explicit consent as applicable.

6. Retention periods

We keep data only for as long as necessary for the purpose for which it was collected:

• Enquiry correspondence: retained for 24 months from the date of the last message in the thread, then deleted;
• Subscription and billing records: retained for 10 years to comply with Swiss accounting and VAT record-keeping obligations (OR Art. 958f; MWSTG Art. 70);
• Server access logs: deleted automatically after 30 days;
• Abandoned draft forms: not stored — form data is only processed on submission.

7. Third parties and data sharing

We do not sell, rent, or trade your personal data to any third party under any circumstances. We share data with third parties only in the following limited cases:

• Payment processor: to process subscription payments, we pass billing name, email and plan amount to our payment provider. This provider is contractually bound to process your data only for the transaction and may not use it for its own marketing purposes;
• Hosting provider: our web server and mail server are operated by a Swiss data-centre provider acting as a data processor under a data-processing agreement. They access server infrastructure but do not access the content of your messages;
• Legal requirement: we will disclose data if required to do so by a valid Swiss court order, a lawful request from a Swiss authority with jurisdiction, or equivalent EU/EEA legal process applicable to us. We will notify you of any such request unless prohibited by law from doing so.

We do not use any third-party analytics, advertising networks, social media pixels, or content delivery networks that set cookies or transmit personal data to their servers.

8. International data transfers

Our web server and mail server are located in Switzerland. Subscription billing data is processed by our payment provider, which may be headquartered or have data centres in another country. Any transfer outside Switzerland and the EEA is conducted under appropriate safeguards: either the recipient country has been recognised as adequate by the Swiss Federal Council and/or the EU Commission, or we rely on Standard Contractual Clauses approved for use under GDPR and/or the Swiss equivalent approved by the Federal Data Protection and Information Commissioner (FDPIC).

9. Your rights

Depending on your country of residence, you have the following rights in relation to your personal data. Swiss residents' rights derive from nFADP; EU/EEA residents' rights derive from the GDPR. In practice we honour all of the following regardless of your location:

• Right of access: you may request a copy of the personal data we hold about you and information about how it is used;
• Right to rectification: you may ask us to correct inaccurate personal data or complete incomplete data;
• Right to erasure: you may ask us to delete your personal data when there is no longer a legal basis for retaining it. Note that billing records must be kept for 10 years under Swiss commercial law — we cannot delete these even upon request, but we can restrict processing beyond accounting purposes;
• Right to restriction of processing: you may ask us to pause active processing of your data while a dispute about accuracy or legal basis is resolved;
• Right to object: where processing is based on legitimate interests, you may object and we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests;
• Right to data portability: where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of the data you provided;
• Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing that took place before withdrawal;
• Right to lodge a complaint: you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch, or with the supervisory authority of your EU member state if you are an EU resident.

To exercise any of these rights, contact us at [email protected] with the subject line "Data rights request". We will respond within 30 days, which may be extended to 60 days in complex cases with prior notice to you. We will not charge a fee for reasonable requests.

10. Data security

We implement technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or alteration. Specific measures include: HTTPS encryption for all data in transit; encrypted storage at rest on the hosting server; access to correspondence logs restricted to staff members who need it to respond to enquiries; password-protected and two-factor-authenticated administrative access. No system is perfectly secure; if we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify the FDPIC within 72 hours of becoming aware of it and, where required by law, will inform affected individuals directly.

11. Children's data

This website and its services are directed at adults planning personal or family travel. We do not knowingly collect personal data from children under the age of 16 without verifiable parental consent. If you believe a child has submitted personal data to us, please contact us at [email protected] and we will delete it promptly. For family travel enquiries, the parent or guardian completing the form is the data subject, not the child.

12. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. The date at the top of the policy reflects the most recent revision. We will not retroactively reduce your rights under any version of this policy that was in force when you provided your data. If we make material changes, we will note them clearly at the top of this page for a period of at least 30 days. We encourage you to review this page periodically. Continued use of the website after a revision constitutes acceptance of the updated policy.

13. How to contact the data controller

For any privacy-related question, concern or rights request, contact us using any of the details below. Please mark your communication clearly as a data-protection matter so it is routed to the right person without delay.

You also have the right to escalate unresolved concerns to the Swiss Federal Data Protection and Information Commissioner (FDPIC) at Feldeggweg 1, 3003 Bern, Switzerland, or at www.edoeb.admin.ch.