Privacy policy

This privacy policy applies to Rhaetian Railway Inc (RhB) (hereinafter “RhB” or “we”) with its registered office in Switzerland, Bahnhofstrasse 25, 7001 Chur, registered in the commercial register of the canton of Graubünden under the number CHE-105.956.490.
This privacy policy informs you about what data we process about you, why we need this data and how you can object to the collection of data. 
Public transport companies handle your data confidentially. 

Protecting your identity and privacy is important to us as public transport companies. We guarantee that your personal data will be processed in compliance with the law and in accordance with the applicable provisions of data protection legislation.

Public transport companies set an example for the trustworthy handling of your data by adhering to the following principles:

  • You decide how your personal data will be processed.
    You are within your legal rights to refuse to have your data processed at any time, to revoke your consent or to have your data deleted. You always have the option of travelling anonymously, i.e. without a company collecting your personal data. 
  • We offer you added value when it comes to processing your data.
    Public transport companies use your personal data to offer you added value along the mobility chain (e.g. tailor-made offers and information, support or compensation in the event of a malfunction). Your data will therefore only be used to help us develop, deliver, optimise and evaluate our services or to maintain customer relations. 
  • We will not sell your data.
    Your data will only be disclosed to the carefully selected third parties listed in this privacy statement and only for the purposes explicitly identified. If we commission third parties to process data, they are obliged by contract to comply with our data protection standards. 
  • We guarantee the security and protection of your data.
    Public transport companies guarantee the careful handling of customer data as well as the security and protection of your data. We have put in place appropriate organisational and technical measures to safeguard your data.

Please see below for more detailed information on how we handle your data.

Contents 

  • Who is responsible for data processing? 
  • Why do we collect personal data? 
  • What data is stored and what is it used for? 
  • How long is your data stored? 
  • Where is the data stored? 
  • What data is processed in connection with marketing? 
  • What data is processed for market research purposes? 
  • What rights do you have with regard to your personal data? 
  • What does “joint responsibility” mean? 
  • Will your data be passed on to third parties? 
  • How are tracking tools used?
  • What are cookies and when are they used? 
  • What are social plug-ins and how are they used? 
  • Advertisements on our websites and in our apps 
  • Data security 
  • Changes to this privacy policy 

Who is responsible for data processing? 

RhB is responsible for processing your data. As a public transport company, we are obliged by law to carry out direct services (NDS). To this end, certain data is exchanged among transport service providers (TSP) and public transport associations and with third parties who broker public transport products and is stored centrally in databases jointly operated by all transport service providers and public transport associations. We are therefore responsible for individual data processing together with these transport companies and associations. Further information on individual data processing operations can be found in the section “What does joint responsibility mean in public transport?”.

If you have any questions or suggestions regarding data protection, please do not hesitate to contact us at any time.

Either by post to: 

Rhätische Bahn AG 
Datenschutz 
Bahnhofstrasse 25 
CH-7001 Chur

or by e-mail to:
datenschutz(at)rhb.ch

Customers based in or with a registered office in an EU member state can also contact our EU representative: 

VGS Datenschutzpartner GmbH
Am Kaiserkai 69 
D-20457 Hamburg 
info(at)datenschutzpartner.eu  

Why do we collect personal data? 

We are aware of how important it is to you that your personal data is handled carefully. All data processing takes place only for specific purposes. These may arise, for example, from technical necessity, contractual requirements, statutory regulations, overriding interest, i.e. legitimate reasons, or from your express consent. We collect, store and process personal data where necessary, such as for managing the customer relationship, distributing our products and providing our services, processing orders and contracts, selling and invoicing, responding to questions and concerns, providing information about our products and services and marketing them, providing technical assistance, and evaluating and developing services and products. For more detailed information on which data is processed for which purposes, please read the following sections. 

What data is stored and what is it used for? 

When purchasing services

For contractual reasons, we require personal information when customers order or purchase certain services and products online (for example, a season ticket or a single ticket) in order to provide our services and process the contractual relationship. When personalised services are purchased, we collect the following data – depending on the product or service – with mandatory information marked with an asterisk (*) in the corresponding form:

  • Personal photo 
  • Gender, name, e-mail address of the person buying or travelling 
  • Other information such as postal address, date of birth 
  • Phone number 
  • Means/method of payment 
  • Consent to the General Terms and Conditions 

In order to fulfil contractual obligations, we also collect data on the services you have purchased (“service data”). Depending on the product or service, this includes the following information: 

  • Type of product or service purchased 
  • Price 
  • Place, date and time of purchase 
  • Purchase channel (Internet, ticket machine, counter, etc.) 
  • Travel date/period of validity and departure time 
  • Place of departure and destination 

To ensure that we can always reach you by post, we will compare your address – provided you have agreed to this with Swiss Post – with the post office and update it if necessary.

Please note that some of the services bookable via our website are not provided by us. For example, if you book an overnight stay, the corresponding service will be provided by the relevant service provider, which is one of our contractual partners. In order to process the order, we forward the personal data you entered on the order form to the relevant service provider for processing the booking.

We use the following third-party booking systems on our website:

  • TrekkSoft AG, 3800 Interlaken
  • Alturos Destinations AG, 8808 Pfäffikon
  • E-GUMA, Idea Creation GmbH, 8006 Zurich

Various displayed offers can be booked using the booking systems listed above. When booking via one of the above booking systems, the personal data you provide as per the input mask will be passed on to the relevant booking platform for the purpose of processing the booking.

Data generated when purchasing services is stored in a central database (see the section on joint responsibility in public transport) and processed for other purposes, including marketing and market research purposes (for more information, please refer to the relevant sections of this privacy policy). In addition, the data is used as part of ticket inspection to identify the holder of a personalised ticket and to prevent misuse (for more information, please refer to the section “When checking services” and the section on joint responsibility in public transport). The data is also used to provide our after-sales service in order to identify and support you in the event of concerns or difficulties and to process any claims for compensation. The data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and associations of the National Direct Service.

Finally, we evaluate your data anonymously in order to be able to further develop the overall public transport system in line with needs. Insofar as the EU GDPR is applicable, our legitimate interest and the necessity to perform the contract form the legal basis for this processing of personal data. 

When checking services 
Customer and travelcard data is required and processed for the purposes of securing revenue (checking the validity of tickets or discount passes, collection, countering misuse). The transport companies and associations are therefore entitled to process all data (ticket and control data and possibly particularly sensitive data in connection with all types of travel without a valid ticket, such as passengers with a partially valid ticket, passengers with an invalid ticket or passengers with forgotten tickets and discounts and any misuse) of the passengers or contract partners for the entire inspection and debt collection process, and to store it for the periods defined by data protection law and share it with other transport companies and associations (also cross-border in the case of international tickets or discounted tickets). 

The following provisions apply to individual services or data media: 

SwissPass card
No control data is stored when the SwissPass card is used as a data medium (see SwissPass Mobile for an exception). 

SwissPass Mobile 
When using the SwissPass Mobile application, the provisions that are taken into account when activating SwissPass Mobile apply (see separate privacy policy). The following data is processed in this regard: Registration, activation and control data generated when using SwissPass Mobile. As soon as SwissPass Mobile is used, this data is also collected from the SwissPass card. The storage period for registration data is up to 18 months after deactivation of SwissPass Mobile or after expiry of the SwissPass card. The activation and control data for SwissPass Mobile and the SwissPass card is stored on inspection devices for one day and in the control database for 30 days. If there is evidence of misuse, the maximum retention period for activation and control data is 90 days. Passengers who misuse SwissPass Mobile will be banned from using the app for 12 months. Users will be able to access SwissPass Mobile again after this time. The passenger file containing details of this ban will be deleted after a further 12 months. 

Electronic tickets
When using electronic tickets (e-tickets), control data is stored in the central control data server at SBB. This data is stored for 360 days in order to combat misuse and to take measures to prevent misuse and fraudulent refunds. Insofar as the EU GDPR is applicable, our legitimate interest and the necessity to perform the contract form the legal basis for this processing of personal data.

In the event of misuse 
In the event of travel without a valid ticket, the data is stored in a separate database and in a jointly operated register. The passenger or contractual partner acknowledges that if any misuse or falsifications are discovered, the transport service providers are authorised to provide all internal departments affected by the misuse and other transport service providers with the relevant personal data so that misuse can be ruled out or confirmed and further misuse prevented. According to the Federal Act on Passenger Transport (PBG), different time limits apply to the processing of the aforementioned data. The data is deleted as soon as it is established that the data subject has not caused any loss of income, and after two years if the data subject has paid the supplements and has not demonstrably travelled without a valid ticket during this period. The data may be retained for a maximum of ten years if it is necessary for the enforcement of claims against that person. 
Insofar as the EU GDPR is applicable, Art. 20a of the Federal Act on Passenger Transport (PBG) and Art. 58a of the Ordinance on Passenger Transport (VPB) form the legal basis for this processing of personal data. 

When using the website www.rhb.ch 
When you visit our website, the servers of our hosting provider temporarily store each access in a log file. The following technical data is collected: 

  • IP address of the requesting computer
  • Date and time of access 
  • Website from which access was made, possibly with the search word used 
  • Name and URL of the retrieved file 
  • Performed searches (timetable, general search function on website, products, etc.) 
  • The operating system of your computer (provided by the user agent) 
  • The browser you are using (provided by the user agent) 
  • Device type in the case of mobile phone access 
  • Transmission protocol used 

This data is collected and processed for the security and stability of the system and for error and performance analysis as well as for internal statistical purposes and enables us to optimise our website. In addition, this allows us to design our website to be target-group-specific, i.e. to provide targeted content or information that may be of interest to you. The aforementioned information is not linked to or stored with personal data. The IP address is also used to preset the language of the website. In addition, it is evaluated, together with other data, in the event of attacks on the network infrastructure or other unauthorised or improper use of the website for clarification and defence purposes, and, where necessary, is used in criminal proceedings to identify the perpetrators and in civil and criminal proceedings against the users concerned. 

Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. For more information, please refer to the sections on cookies, tracking tools, advertisements and social plug-ins in this privacy policy. Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data. In the case of third-party websites that are linked to our website, no liability is assumed for compliance with data protection regulations.

When using a contact form
You have the option of using a contact form to get in touch with us. The following personal data must be entered: 

  • Title 
  • First name* 
  • Last name* 
  • Street 
  • Postcode 
  • Town/city 
  • Country 
  • Telephone 
  • E-mail address* 
  • Topic* 
  • Subject* 
  • Your opinion / requests / questions / suggestions* 

We use this and other data entered voluntarily (such as title, address and telephone number) only in order to be able to respond to your enquiries in the best possible way and in a personalised manner. Any voluntary information about how you became aware of our offer will also be used for statistical purposes internally. Insofar as the EU GDPR is applicable, our legitimate interest and the necessity to perform the contract form the legal basis for this processing of personal data. 

When using our online shop for merchandise items

We operate an online shop for our merchandise items (https://www.rhb-shop.ch/en/). For this purpose, we use an external service provider, PANDINAVIA AG, Industriestrasse 30, 8302 Kloten, Switzerland. They process your data on our behalf or receive user data from us as a separate controller. The handling of your personal data is governed by a data processing agreement (DPA). Further information can be found in the privacy policy at https://www.pandinavia.ch/de/datenschutzerklarung/

Service providers are used to process payments. These process the user data as part of the ordering processes in the online shop in order to enable users to select and order the desired products and services, as well as to pay for and have the products delivered or the services performed. The processed data includes master data (inventory data), communication data, contract data and payment data. The persons affected by the processing include customers, interested parties and other business partners. In this context, we use session cookies, e.g. to store the contents of the shopping cart, and permanent cookies, e.g. to store the login status.

Credit card payments made via the website are processed via Saferpay (Worldline AG) and are encrypted using SSL technology. Worldline processes the user data on behalf of and in connection with the payments made by the user. The user data is only used to process the user’s payment instructions and will not be made available to any third party other than the financial institutions responsible for the respective payment method. The user is likely to see “Worldline” or “Saferpay” on their credit card or account statement in connection with their order.

Payment transactions are subject to the terms and conditions and privacy policy of the respective payment service providers. These can be accessed on the respective website or in transaction applications. We also refer to these terms and conditions as well as the privacy policy for the purpose of further information and to assert the rights of revocation, information and other rights of data subjects. Further information can be found in the Saferpay/Worldline Privacy Notice (https://worldline.com/en/compliancy/privacy)

In the context of the fulfilment of contracts, we use payment service providers on the basis of the Swiss Data Protection Ordinance and, where necessary, Art. 6 (1) (b) EU GDPR. We also use external payment service providers on the basis of our legitimate interests in accordance with the Swiss Data Protection Ordinance and, where necessary, in accordance with Art. 6 (1) (f) of the EU GDPR in order to offer our users effective and secure payment options.

When creating a SwissPass login/customer account at www.swisspass.ch 
You can create a customer account at swisspass.ch. We require the following data from you: 

  • Last name and first name 
  • Date of birth 
  • Address (street, postcode, town/city and country)
  • Customer number (if you already have a public transport travelcard) 
  • E-mail address and password (login data) 

Registering enables you to use your login details (SwissPass login) to access the numerous online services (web shops and apps) of public transport service providers and associations and to obtain services from them without having to complete the entire registration process again. Services that you purchase using the SwissPass login (in particular public transport tickets/season tickets/travelcards) are recorded in your customer account and in a central database (“NDS database”). This data processing is necessary for the performance of the contract on the use of the SwissPass and therefore has this as its legal basis. You can find more information about this in the sections on joint responsibility in public transport and on disclosure to third parties in this privacy policy and in the privacy policy at swisspass.ch

E-Recruiting

By submitting your personal data, you agree to the processing and storage of this data in accordance with the conditions set out below. Your data will only be disclosed to third parties with your express permission. Our company accepts no liability for damages arising from data transmission via the Internet.
Within the scope of e-recruiting, we use smahrt consulting AG’s “Talentsoft” tool/applicant portal. Smahrt consulting AG is a company based in Zurich.

Applying for a job vacancy / speculative application
By applying for a job vacancy or submitting a speculative application, you consent to us collecting your personal data and using it for application/recruitment purposes. We collect and process the following data: title, first name and surname, postal address, mobile number, e-mail address, date of birth (hereinafter referred to as “data”). The data transmitted to us during the job application process will be permanently deleted as soon as it is clear that the position advertised has been filled. The data transmitted to us upon submitting a speculative application will be stored for a period of six months. At the end of this period, you will receive an e-mail requesting you to confirm your data. If you do not respond to this request within ten days, your data will be permanently deleted.

Job subscription
By registering for the job subscription, you consent to us storing your e-mail address and using it to send you regular notifications.
At the end of every job subscription notification, you will find a link for unsubscribing at any time. Once unsubscribed, your personal data will be permanently deleted.

Processing customer details
We also collect customer data outside our website environment, e.g. when you make a purchase at one of our sales desks. The following data, in particular, is collected:

  • Title
  • First name
  • Last name
  • Date of birth
  • Address
  • Postal code
  • Town/city
  • Country
  • Telephone
  • E-mail
  • Details in connection with the payment (depending on the chosen payment method).

The legal basis for processing the data in the above case is the performance of a contract pursuant to Art. 6 para. 1 lit. b of the GDPR. 

How long is your data stored?

We only store personal data for as long as it is necessary:

  • to provide services that you have requested or to which you have given your consent to the extent specified in this privacy policy. 
  • to use the tracking services referred to in this privacy policy within the scope of our legitimate interest. 

We store contractual data for as long as required by statutory retention obligations. Requirements obliging us to retain data arise from accounting and tax regulations. 

To the list of database storage durations in public transport.

Where is the data stored? 

Your data is generally stored in databases within Switzerland. However, in some of the cases listed in this privacy policy, the data will also be passed on to third parties who have their registered office outside Switzerland. If the country in question does not have an adequate level of data protection, we ensure by contractual arrangements with these companies that your data is adequately protected by those companies.

To the list of database storage durations in public transport.

Transfer of personal data abroad

We are permitted to forward your data to third-party companies abroad if this is necessary in connection with the processing of your requests, to provide services and for marketing campaigns. These third-party companies are obliged to respect user privacy to the same extent as we do ourselves. If, in a certain country, the level of data protection is deemed inappropriate by Swiss standards or according to the provisions of the EU General Data Protection Regulation (GDPR), we will ensure by contractual means that your personal data is protected at all times in accordance with Swiss guidelines and/or the GDPR.

Various third-party service providers and the addresses of their head offices have already been mentioned in the section above (“Forwarding of data to third parties”). Some of the third-party service providers mentioned in this privacy policy are based in the USA (see “Tracking tools”, “Re-targeting”). Further details on the transfer of data to the USA can be found in the section “Tracking tools”.

What data is processed in connection with marketing? 

If you agree, we use your customer data (name, gender, date of birth, address, customer number, e-mail address), your service data (data about purchased services such as season tickets/travelcards or single tickets) and your click behaviour on our websites or in e-mails you have received from us for marketing purposes. With regard to evaluating click behaviour, please also refer to the section on tracking tools. 

We evaluate this data in order to further develop our services according to your needs and to send or display the most relevant information and offers to you (via e-mail, letter, text message, push messages in the app and personalised teasers on the web, in person at the counter). For this purpose, we only use the data that we can clearly assign to you, for example because you have logged in or identified yourself on our website with your SwissPass login and purchased a ticket. We also use methods that predict possible future buying behaviour based on your current buying behaviour. The legal basis for this processing is our legitimate interest. In certain cases, SBB or another company involved in direct transport may also contact you under strict conditions. Please note the information in the section on joint responsibility in public transport. 

You can refuse to be contacted by SBB (e.g. in connection with your GA travelcard or Half-Fare travelcard) or other public transport companies at any time. The following options are available: 

  • Every e-mail you receive from us or other public transport companies contains an unsubscribe link that allows you to unsubscribe from further messages. 
  • If you have a SwissPass login, you can log in at www.swisspass.ch and manage your settings for receiving messages in your user account at any time. 
  • You can also subscribe or unsubscribe at any counter or by telephone or e-mail.

Please also note the information on the right to object with regard to the evaluation of click behaviour in the section on tracking tools. 

What data is processed for market research purposes? 

In order to continuously improve the quality of our services and offers, we conduct regular market research. If you agree, we may use your contact details for customer surveys (e.g. online surveys). If you do not wish to be invited to take part in such surveys, you have the following options: 

  • Every e-mail you receive from us or other public transport companies contains an unsubscribe link that allows you to unsubscribe from further messages. 
  • If you have a SwissPass login, you can log in at www.swisspass.ch and manage your settings for receiving messages in your user account at any time. 
  • You can also subscribe or unsubscribe at any counter or by telephone or e-mail. 

What rights do you have with regard to your personal data? 

With regard to your personal data, you have the following rights: 

  • You can request information about the personal data stored about you. 
  • You may request that your personal data be corrected, supplemented, blocked or deleted. The deletion shall be replaced by blocking if there are legal obstacles to the deletion (e.g. statutory retention obligations). 
  • If you have set up a customer account, you can delete it or have it deleted. 
  • You may object to the use of your data for marketing purposes. 
  • You may revoke your consent at any time with effect for the future. 
  • You may request the transmission of your data. 

In order to exercise your rights, you can contact us in writing: 

Either by post to: 

Rhätische Bahn AG 
Datenschutz 
Bahnhofstrasse 25 
CH-7001 Chur

or by e-mail to:
datenschutz(at)rhb.ch

If you would like to request data protection information or the deletion of your personal data on the entire public transport system, you can contact SBB in writing. Requests for information and/or deletion must be made to the following address: SBB AG, Recht & Compliance, Fachstelle Datenschutz, Hilfikerstrasse 1, CH-3000 Bern 65. 

Furthermore, you have the right to lodge a complaint with a data protection authority at any time. 

What does “joint responsibility in public transport” mean? 

RhB is responsible for processing your data. As a public transport company, we are obliged by law to provide transport services together with other transport companies and associations (“Direct Service”, Art. 16 and 17 of the Federal Act on Passenger Transport). To make this possible, for example, data that comes from contacting you or from your purchased services is passed on nationally within the National Direct Service (NDS), an association of more than 240 transport service providers (TSP) and public transport associations. The individual transport service providers and associations are listed in German, French and Italian at https://www.allianceswisspass.ch/de/informationen-ov-nutzende/Datenschutz.

The data is stored in the central database NOVA, which is managed by SBB on behalf of the NDS and for which we are responsible together with the other service providers and associations of the NDS. NOVA is a technical platform for the distribution of public transport services. It contains all the key elements for the sale of public transport services, such as the customer database. The scope of access to the common databases by the individual transport service providers and associations is governed by a joint agreement. The forwarding of the data and its processing by the transport service providers and associations that takes place with the central storage is limited to the following purposes:

Provision of the transport service
To ensure that your journey runs smoothly, your travel and purchase data is forwarded within the NDS. 

Contract performance
We process this data in order to draft, manage and perform the contract. 

Customer relations management and support
We process your data for the purposes of communicating with you, in particular to answer enquiries and assert your rights, to identify you across public transport in the event of concerns or difficulties and to provide you with the best possible support, as well as to process any claims for compensation. 

Ticket inspection and revenue protection
Customer and travelcard data is required and processed for the purposes of securing revenue (checking the validity of tickets or discount passes, collection, countering misuse). 
Incidents of trips without a valid ticket or with a ticket which is only partially valid can be recorded via the national register. 

Distribution of revenue
The office of the Alliance SwissPass, managed by ch-integral, fulfils the statutory mandate defined in the Swiss Federal Act on Passenger Transport to collect travel data for the correct distribution of revenue. The office acts as the mandate holder for the distribution of revenue in the National Direct Service on behalf of the companies that are members of the NDS. 

Identification as part of the authentication of the SwissPass login (SSO) 
For services that you purchase using the SwissPass login, the data is then stored in the central customer database (NOVA). In order to enable you to use single sign-on (SSO) (one login for all applications that offer the use of their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central SwissPass login infrastructure and us as part of the authentication process. 

Joint marketing and market research activities 
In addition, the data collected when purchasing public transport services may also be processed for marketing purposes in some cases. If your consent has been obtained and your data has been processed or you have been contacted for this purpose, this will only be carried out by the transport company or the association from which you purchased the corresponding public transport service. The other transport service providers and associations associated with the NDS will only process your data or contact you in exceptional circumstances and under strict conditions, and only if an analysis of the data shows that a particular public transport service would be beneficial for you as a customer. Contact and processing by SBB is an exception to this rule. SBB undertakes the marketing for NDS services (such as GA and Half-Fare travelcards) on behalf of NDS and may contact you at regular intervals in connection with these services. We also process your data for market research, to improve our services and for product development. 

Further development of public transport systems with anonymous data
We evaluate your data anonymously in order to be able to further develop the overall public transport system in line with needs.

Will your data be passed on to third parties? 

Your data will not be resold by us. Your personal data will then only be passed on to selected service providers and only to the extent necessary for the provision of the service. These include IT support service providers, issuers of season tickets/travelcards, shipping service providers (such as Swiss Post), service providers who are tasked with allocating traffic revenues to the transport service providers involved (in particular in the course of creating distribution keys within the meaning of the Swiss Federal Act on Passenger Transport), our hosting provider (see “Using the website”) and the providers mentioned in the sections on tracking tools, social plug-ins and advertisements. With regard to service providers based abroad, please also note the information in the section “Where is the data stored?”. 

In addition, your data may be passed on if we are legally obliged to do so or if this is necessary to safeguard our rights, in particular to enforce claims arising from the relationship with you. If you book cross-border journeys, the data will also be forwarded to the respective foreign providers. However, this only takes place to the extent necessary to check the validity of the tickets and to prevent misuse. Our legitimate interest forms the legal basis for the data processing mentioned here. 

Your personal data will not be disclosed to other third parties outside of public transport. The only exceptions are SwissPass partners (to the extent described below) and companies approved by the public transport companies for the purpose of arranging public transport services on the basis of a contractual agreement. These intermediaries will only have access to your personal data if you wish to obtain a public transport service from them and have given them your consent for access. Even so, they will only have access to your data to the extent necessary to determine whether you already have tickets or season tickets for the planned travel period that are relevant to your trip and the third-party service you have requested. Your consent forms the legal basis for this data processing. You may revoke your consent at any time with effect for the future (see above). 

If you use offers from a SwissPass partner while using your SwissPass, data about any services you may have purchased from us (e.g. a GA travelcard, Half-Fare travelcard or point-to-point travelcard) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for GA travelcard holders). The relevant partner will be informed in the event of loss, theft, misuse, forgery or replacement of a card after the purchase of a service. This data processing is necessary for the performance of the contract on the use of the SwissPass and therefore has this as its legal basis. Further information can be found in the privacy policy at swisspass.ch and in the privacy policy of the respective SwissPass partner. 

A service provider to whom personal data collected on the website is forwarded, or who has or could have access to personal data, is our website hosting company Unic AG Zürich, Baslerstrasse 60, CH-8048 Zurich. The website is hosted on servers in Switzerland. The data is shared for the purpose of providing and maintaining the functions of our website. This constitutes our legitimate interest within the meaning of Art. 6 para. 1 lit. f of the GDPR.

How are tracking tools used? 

We use the following web analytics services for the purpose of tailoring and continuously optimising our websites, apps and e-mails. Our legitimate interest forms the legal basis for the data processing described below. 

Tracking on websites 
In connection with our websites, pseudonymised user profiles are created and small text files (“cookies”) stored on your computer are used (see below “What are cookies and when are they used?”). The information generated by cookies about your use of this website is transmitted to the servers of the providers of these services, stored there and prepared for us. In addition to the data listed above (see “What data is processed when you use our website?”), we receive the following information: 

  • Navigation path taken by a visitor to the website 
  • Time spent on the website or subsite 
  • Subsite from which the website is left 
  • Country, region or city from which access is made 
  • Device (type, version, colour depth, resolution, width and height of the browser window) 
  • Recurring or new visitor 
  • Browser type/version 
  • Operating system used 
  • Referrer URL (previous page visited) 
  • Host name of the accessing computer (IP address) 
  • Time of the server request 

The information is used to evaluate the use of the website.

E-mail marketing
On our website, we give you the opportunity to subscribe to our newsletter. To do this, you will need to register and provide us with the following details:

  • E-mail address
  • First name and last name

This data is needed for data processing purposes. We process this data for the sole purpose of personalising the information and offers we send out and to better tailor the information to your individual interests. Furthermore, we are authorised to entrust the technical development of marketing campaigns to third parties and are thus entitled to share your personal data with third parties to that end. We use the e-mail marketing service Braze, 330 West 34th Street, 18th Floor, New York, NY 10001, USA, to send our newsletters.

When sending e-mails, we use e-mail marketing services from third parties. Our e-mails may therefore contain a web beacon (tracking pixel) or similar technical means. A web beacon is an invisible 1x1-pixel graphic image that is associated with the user ID of the respective e-mail subscriber. 

For each newsletter sent, we collect information on the address file used, the subject and the number of newsletters sent so far. In addition, we can see which addresses have not yet received a newsletter, to which address the newsletter was sent, and for which addresses the dispatch failed. It is usually also possible to ascertain the opening rate, including information on which addresses have opened the newsletter and which addresses have unsubscribed from the newsletter mailing list. 

The use of corresponding services enables the evaluation of the information listed above. Furthermore, click behaviour can also be recorded and evaluated. We use this data for statistical purposes and to optimise the content of our messages. This enables us to better tailor the information and offers in our e-mails to the individual interests of the respective recipient. The tracking pixel is deleted when you delete the e-mail. 

If you wish to prevent the use of the web beacon in our e-mails, please set your e-mail program so that no HTML is displayed in messages – if this is not already the case by default. For example, you can find instructions on how to do this here.

Find out more about our tracking tools below: 

Google Analytics
Our website uses Google Analytics, a web analysis service provided by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA and Google Ireland Limited, Gordon House Barrow St, Dublin 4, Ireland. Google Analytics uses methods that enable an analysis of the use of the website, such as cookies (see below “What are cookies and when are they used?”). The information generated by a cookie about your use of this website, as described above, is transmitted to and stored on servers operated by Google, a company of the holding company Alphabet Inc., in the USA. Before this data is transmitted to locations within the member states of the European Union or other states that are party to the agreement on the European Economic Area and Switzerland, the IP address is truncated through this website’s IP anonymisation process (“anonymizeIP”). Google will not associate the anonymised IP address transmitted by your browser through Google Analytics with any other data held by Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. In cases such as these, we use contractual guarantees to ensure that Google Inc. maintains an adequate level of data privacy. 

The information is used to analyse the use of the website, to compile reports on the activities on the website and to provide other services related to the use of the website and the use of the Internet for the purposes of market research and tailored design of the website. This information may also be forwarded to third parties where required by law or if third parties have been commissioned to process this data. Under the terms of Google, under no circumstances will the IP address be used in connection with other data relating to the user. 

Users can prevent Google from collecting and processing the data generated by the cookie relating to their use of the website (including their IP address) by downloading and installing the browser plug-in from the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB 

Capture Media
The tracking solution fusedeck from Capture Media AG, Löwenstrasse 3, CH-8001 Zurich (hereinafter referred to as “Capture”) is integrated into our websites. Capture Media is a Swiss company having its registered office in Zurich which, on behalf of its customers, measures website usage in the context of engagements and events. Tracking is anonymous so that it is impossible to attribute any information gained to any identified or identifiable persons. Capture’s tracking script measures and analyses anonymous user interactions on the website. These user interactions include sessions, visit durations, clicks, hovers, scroll depths, element visibilities and other engagements. The integration of Capture meets the economic interest of optimising the website and media purchasing in advertising campaigns. Capture stores all interaction data anonymously. This means that Capture cannot assign the collected data to a specific person.

The data collected by Capture is stored on the servers of Amazon Web Services Ireland Limited, One Burlington Plaza, Burlington Road, Dublin 4, Ireland. Further information on data protection and the rights of data subjects in connection with fusedeck, including the “opt-out” option (objection option), can be found in the privacy policy and objection policy. This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

Facebook Pixel
On our website we use the Facebook pixel provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). This allows us to monitor a user's actions after the user has clicked on or viewed a Facebook promotion or advertisement. The bounce rate and the duration of the visit, for example, are measured. This allows us to assess the effectiveness of Facebook publicity for statistical and marketing purposes. The data gathered is anonymous to us, so we cannot link the data to an individual user. However, we do point out that Facebook does save and process the data. Facebook can associate this data with your Facebook account and use it for its own publicity purposes in accordance with the Facebook privacy policy. The data can permit Facebook and its partners to activate marketing communications both within and outside of Facebook. Furthermore, a cookie may be saved on your computer for these purposes. You can prevent this tracking at any time by blocking or deactivating the relevant cookies in the menu bar of your web browser (see section 1.3 above). This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

Google Retargeting 
We use retargeting technologies on our website. Your user behaviour on our website is analysed to enable partner websites to offer you advertising individually tailored to your preferences. Your user behaviour will be recorded under a pseudonym.  Most retargeting technologies use cookies (see section 1.3 above). This website uses Doubleclick by Google, services provided by Google Inc. (“Google”) to display ads based on your use of previously visited websites. For this purpose, Google uses the so-called double-click cookie, which allows your browser to be recognised when you visit other websites. The information generated by the cookie about your visit to these websites (including your IP address) is transmitted to a Google server in the United States and stored there (more information on transfers of personal data to the USA can be found in section 1.4.1 above). Google will use this information for the purpose of evaluating your use of the website in terms of the advertisements to be displayed, to compile reports for the website operator on website activities and ads, and to perform other services associated with website and Internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, Google will never associate your IP address with other Google data. You can prevent this retargeting at any time by rejecting or deactivating the relevant cookies in the menu bar of your web browser (see section 1.3 above). This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

Google Tag Manager
We also use Google Tag Manager to manage the usage-based advertising services. The tool Tag Manager itself is a cookie-less domain and does not collect any personal data. Instead, the tool is responsible for triggering other tags that may themselves collect data in some circumstances. If you have opted out at the domain or cookie level, it will remain in effect for all tracking tags implemented with Google Tag Manager.

Facebook Custom Audience
To promote interest-based advertisements to visitors to our website while visiting Facebook, we use “Custom Audiences Pixel” provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). We have implemented a Facebook pixel on our website, which connects directly to the Facebook servers when you visit our website. The information that you have visited our website is transmitted to the Facebook server and Facebook assigns this information to your personal Facebook user account. For more information on the collection and use of data by Facebook, your rights in this regard and how you can protect your privacy, please see Facebook’s privacy policy here. If you wish to reject the connection with Facebook described above, simply block or deactivate the relevant pixels in your browser (see section 1.3 above). This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

Campaign-related pixels and cookies
In some marketing campaigns, which each run for a few weeks only, we use pixels or cookies of various providers such as Adello or Tradedoubler. We use these pixels or cookies for retargeting purposes, i.e. we install a cookie that helps us to display on your computer advertising communications on the respective campaign on partner websites. You can prevent this retargeting at any time by deactivating the relevant pixels and cookies (see section 1.3 above). This data processing constitutes a legitimate interest on our part within the meaning of Art. 6 para. 1 lit. f of the GDPR. Your options for opting out were explained above.

What are cookies and when are they used? 

Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. Cookies store certain settings via your browser and data about the exchange with the website via your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and uses the information contained in the cookie. You can define a setting in your browser so that a warning appears on the screen before a cookie is stored. You can also opt out of the advantages of personal cookies. Certain services cannot be used in this case. 

We use cookies to evaluate general user behaviour. The aim is to optimise our digital presence, which should be made easier to use and the content more intuitive to find. The digital presence should be able to be set up and structured in a more comprehensible way. It is important to us to make our digital presence user-friendly according to your needs. This allows us to optimise the website with targeted content or information on the website that may be of interest to you. 

Most web browsers accept cookies automatically. However, you can configure your browser to block cookies or issue a warning message whenever a new cookie arrives. The following sites explain how to configure the processing of cookies: 

Deactivating cookies may mean that some of the functions on our website will not work properly. Our legitimate interest forms the legal basis for the data processing described above. 

What are social plug-ins and how are they used? 

You can use the following social plug-ins on our website: 

  • Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA 
  • Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA 
  • Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA 
  • YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA 

If the plug-ins are activated, your browser establishes a direct connection to the servers of the respective social network as soon as you visit our website. The content of the plug-in is transmitted by the social network directly to your browser and integrated into the website. 

The integration of the plug-ins results in the respective provider receiving the information that your browser has accessed the corresponding page of our website, even if you do not have an account on this social network or are not currently logged in to it. This information (including your IP address) is transmitted by your browser directly to a server of the provider (usually in the USA) and stored there. We therefore have no influence on the scope of the data that the provider collects with the plug-in. 

If you are logged in to the social network, it can directly associate your visit to our website with your user account. If you interact with the plug-ins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information may also be published on the social network and may be displayed to other users of the social network. 

The provider of the social network may use this information for the purposes of advertising, market research and tailored design of the respective offer. Usage, interest and relationship profiles may be created for this purpose, for example to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network.  The purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks as well as your rights in this regard and settings options to protect your privacy can be found directly in the privacy policy of the respective provider. If you do not want the provider of the social network to associate the data collected via our website with your user account, you must log out of the social network before activating the plug-ins. Our legitimate interest forms the legal basis for the data processing described above.

Yawave Share Buttons 

We have integrated social media share buttons provided by yawave, Sälihügel 1, CH-6005 Lucerne in our website. You will recognise the button in the form of a Facebook, Twitter, WhatsApp or e-mail icon. When you click on one of the corresponding buttons, an input mask will appear in which you can enter a message. The moment you click on the “Share” button, you will be relayed to the login page of the corresponding social media platform (Facebook and Twitter). You will then need to log in to your account in order to share your message. You can prevent this flow of information to the relevant social media network by not logging in (and not clicking on “Share”). If you visit our website while already logged in to a social media account, the data will be exchanged the moment you click on “Share”. The personal data you enter will be processed by yawave. You will find more information on this subject here. Data processing for the above purpose is founded on the consent – within the meaning of Art. 6 para. 1 lit. a of the GDPR – you give us when you click on the button, enter your message in the mask, and log in to your social media account after clicking on “Share”.

Please note that sharing information by e-mail and WhatsApp is permissible only if you have received the consent of the message recipient to process his/her e-mail address or WhatsApp identification number for this purpose. By entering the e-mail address or sharing via WhatsApp, you ensure that this is the case.

Data security

We use suitable technical and organisational security measures to protect your personal data stored by us against manipulation, partial or complete loss, and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments. We also take internal company data protection very seriously. Our employees and the external service providers commissioned by us have undertaken to maintain confidentiality and to comply with data protection regulations. We take reasonable precautions to protect your data. However, the transmission of information via the Internet and other electronic means always entails certain security risks and we cannot guarantee the security of information transmitted in this way. 

Applicable law and place of jurisdiction 

All and any disputes that might arise between visitors/users of the website and Rhaetian Railway Inc with respect to the use of the website shall be subject to the exclusive jurisdiction of the courts of law of the registered place of business of Rhaetian Railway Inc in Chur, Switzerland. The laws of Switzerland shall apply exclusively. 

© Rhaetian Railway Inc, May 2024