Privacy Policy di GR Engadin SA

pursuant to the Swiss Federal Act on Data Protection (nFADP) and Regulation (EU) 2016/679 (GDPR)

  1. Data Controller
    The Data Controller is:
    GR Engadin SA
    Registered office: Via Farrer 16 – Silvaplana
    Email: governance@gr-mountain.ch
    Phone: +41 81 834 30 55

Where applicable, the Controller also acts as a controller under Regulation (EU) 2016/679 for users located within the European Economic Area.
No Data Protection Officer (DPO) has been appointed, as the legal requirements for such appointment are not met.
Competent supervisory authority in Switzerland: Federal Data Protection and Information Commissioner (FDPIC).

  1. Scope of Application
    This Privacy Policy applies exclusively to personal data relating to natural persons, in accordance with the nFADP and, where applicable, the GDPR. It does not apply to data relating to legal entities.
  2. Categories of Data Processed
    The Controller may process the following categories of personal data:
    • identification data (first name, last name);
    • contact data (email, phone number, address);
    • booking and service-related data (date, time, type of activity, preferences);
    • payment and billing data (payment method, amount, tax data – without storing full card details);
    • technical and usage data (IP address, log files, browser, device);
    • any information voluntarily provided by the user via forms or communications.

Any data relating to sporting level or physical conditions is processed only when necessary for the provision of the service and in accordance with applicable law.

  1. Methods of Data Collection
    Data is provided directly by the user or collected automatically during website navigation.
    Providing data marked as mandatory is required for the provision of services; failure to provide such data may prevent the services from being delivered.
  2. Purposes of Processing
    Personal data is processed for the following purposes:
    • management and execution of bookings and requested services;
    • contractual and pre-contractual obligations;
    • accounting, tax, and legal obligations;
    • operational communications relating to the services;
    • management of requests via contact forms;
    • anonymous statistical analyses;
    • promotional and marketing activities, subject to the user’s explicit consent;
    • protection of the Controller’s rights in legal proceedings.
  3. Legal Basis for Processing
    Processing is carried out in accordance with the principles of lawfulness, proportionality, and purpose limitation under the nFADP and – where applicable – the GDPR, based on the following legal grounds:
    • consent of the data subject;
    • performance of a contract;
    • legal obligation;
    • legitimate interests of the Controller;
    • fulfilment of pre-contractual requests.
  4. Processing Methods
    Processing is carried out using IT and electronic tools with appropriate technical and organisational measures to ensure data security and confidentiality.

Access to data may be granted to authorised personnel or external service providers acting as processors, such as:
• IT and hosting providers;
• payment service providers;
• legal and tax consultants;
• marketing service providers.

An updated list of processors is available upon request from the Controller.

  1. Data Retention Period
    Personal data is retained for as long as necessary for the purposes for which it was collected, in particular:
    • contractual and tax-related data: 10 years;
    • marketing data: until consent is withdrawn;
    • technical and log data: up to 12 months;
    • contact requests: up to 24 months.

After these periods, data will be deleted or anonymised.

  1. Data Recipients
    Data may be disclosed to:
    • technology service providers;
    • banks and payment processors;
    • authorised professionals;
    • public authorities where required by law.
  2. Data Transfers Abroad
    Data may be transferred to EU/EEA countries or third countries.
    For transfers to countries without an adequacy decision, the Controller implements Standard Contractual Clauses or other appropriate safeguards pursuant to the nFADP.
  3. Cookies
    This website uses technical cookies and – with the user’s consent – profiling cookies. For more information, please refer to the dedicated Cookie Policy.
  4. Rights of the Data Subject
    Users may exercise the following rights at any time:
    • right of access;
    • right to rectification;
    • right to deletion;
    • right to restriction of processing;
    • right to object;
    • right to data portability;
    • right to withdraw consent;
    • right to lodge a complaint with the FDPIC or the competent EU supervisory authority.

Requests may be sent to: governance@gr-mountain.ch.
A response will be provided within 30 days.

  1. Data Security
    The Controller implements appropriate technical and organisational measures to prevent unauthorised access, loss, or misuse of data.
  2. Legal Defence
    Data may be used to protect the Controller’s rights in legal proceedings.
  3. Amendments to this Privacy Policy
    The Controller reserves the right to amend this Privacy Policy.
    Any changes will be published on this page along with the date of the update.

Last updated: 24 November 2025