Privacy Policy
1. Introduction and Data Controller
Protecting your privacy is a priority for Télé Leysin Col des Mosses La Lécherette SA (hereinafter “the Company” or “TLML”). This policy explains which data we collect, why we collect it, how we protect it, and which rights you have.
It complies with the revised Swiss Federal Act on Data Protection (FADP), in force since 1 September 2023, and with the European Union’s General Data Protection Regulation (GDPR), applicable to individuals residing in the EU.
Data Controller
| Company | Télé Leysin Col des Mosses La Lécherette SA |
| Address | Route du Belvédère 8, 1854 Leysin, Vaud, Switzerland |
| IDE | CHE‑335.140.293 |
| Data Protection Contact | rgpd@tlml.ch — subject: Data Protection |
| Phone number | +41 24 494 16 35 |
Important Note: By accessing our website, you do not automatically accept all data processing activities. Only processing operations strictly necessary for the functioning of the site occur without prior consent. Analytics and marketing cookies are activated only after your explicit approval via our consent banner.
2. Data Collected
Identity and Contact Data
Collected when creating an account, placing an order or making a booking: first name, last name, email address, phone number, postal address.
Transaction Data
Linked to your purchases: type and amount of ordered products (ski passes, tickets, food services, events), date and time of the transaction, payment method used. Credit card data is processed directly by Adyen (PCI‑DSS certified) and never passes through our servers.
Browsing Data
Automatically collected during your visit: IP address (anonymised), device and browser type, pages visited, visit duration, referral source. These data are processed via Google Analytics 4.
Geolocation Data
Only with your explicit consent, via our mobile apps or your browser, to personalise certain services (real‑time slope conditions, nearby offers).
Marketing Data
Communication preferences, newsletter subscription (managed via Mailchimp), history of interactions with our communications.
Social Media Data
If you interact with our Facebook, Instagram or YouTube pages, or use social plug‑ins on our site, the transmitted data is subject to the privacy policies of the respective platforms.
3. Purposes of Processing
We use your data exclusively for the following purposes:
- Order and booking management — processing online purchases, sending confirmations and electronic tickets
- Customer relations — responding to your requests, handling complaints, support
- Accounting and legal obligations — invoicing, mandatory tax archiving
- Communication and marketing — sending newsletters (subscription‑based only), personalised offers based on your preferences
- Website analysis and improvement — anonymised audience measurement, user experience optimisation
- Targeted advertising — retargeting via Meta Pixel and Google Ads (only with consent)
- Security — fraud prevention, access protection
We collect only the data strictly necessary for these purposes (principle of data minimisation).
4. Legal Bases for Processing
| Purpose | Legal Basis (GDPR / FADP) |
| Order processing | Contract performance (Art. 6.1.b GDPR) |
| Invoicing & archiving | Legal obligation (Art. 6.1.c GDPR / Swiss CO Art. 962) |
| Customer relations & after‑sales service | Legitimate interest (Art. 6.1.f GDPR) |
| Newsletter (subscribers) | Consent (Art. 6.1.a GDPR) |
| Analytics & audience measurement | Consent (Art. 6.1.a GDPR) |
| Targeted advertising & remarketing | Consent (Art. 6.1.a GDPR) |
| Security & fraud prevention | Legitimate interest (Art. 6.1.f GDPR) |
5. Data Sharing and Processors
TLML SA does not sell your personal data to third parties. Your data may be shared only with:
Technical processors (with signed DPA)
| Provider | Role | Country |
| SPOTLIO Inc. | Development, CRM, e‑commerce | USA / EU |
| Infomaniak Network SA | Website and data hosting | Switzerland |
| Google LLC (GA4) | Audience analytics (anonymised) | USA |
| Meta Platforms Inc. | Advertising pixel, social plug‑ins | USA |
| Mailchimp (Intuit Inc.) | Newsletter management | USA |
| Adyen N.V. | Secure payment processing (PCI‑DSS) | Netherlands / EU |
Other recipients
- Legal authorities — when required by Swiss or European judicial or legal obligations
- Magic Pass SA — for Magic Pass ski passes sold through us, strictly within the scope needed to validate the transportation ticket
All our processors are bound by a Data Processing Agreement (DPA) compliant with Article 28 GDPR. They are not allowed to use your data for purposes other than those defined by TLML.
6. International Data Transfers
Some of our service providers are located outside Switzerland or the European Union, particularly in the United States. These transfers are governed by:
- The EU–US Data Privacy Framework (DPF) for certified providers (Google, Meta, Mailchimp)
- Standard Contractual Clauses (SCCs) approved by the European Commission for other providers
- The EU adequacy decision concerning Switzerland
Data hosted in Switzerland — Transaction and billing data are stored on Infomaniak servers in Switzerland and benefit from the protection of the FADP. A complete list of guarantees per provider is available upon request at rgpd@tlml.ch.
7. Data Retention Periods
We retain your data only for as long as is necessary for the purposes for which it was collected:
| Data Category | Duration | Basis |
| Order and billing data | 10 years | Legal obligation (Swiss CO Art. 962) |
| Customer account / user profile | 3 years after last activity | Legitimate interest |
| Analytics cookies (GA4) | 13 months | Consent |
| Newsletter — active subscribers | Until unsubscribed | Consent |
| Remarketing data (Meta, Google) | 90 days | Consent |
| Geolocation data | Session only | Consent |
| Complaints and disputes | 5 years after closure | Legitimate interest / legal obligation |
| Security logs | 12 months | Legitimate interest |
After these periods, data is irreversibly deleted or permanently anonymised.
8. Your Rights
Under the revised FADP and GDPR, you have the following rights:
| Right of access | Obtain confirmation of whether your data is processed and receive a copy. |
| Right to rectification | Correct inaccurate or incomplete personal data. |
| Right to erasure | Request deletion in cases permitted by law. |
| Right to object | Object to the use of your data for direct marketing. |
| Right to portability | Receive your data in a structured, machine‑readable format (JSON, CSV). |
| Right to restriction | Request restriction of processing in certain circumstances. |
How to exercise your rights? Send your request to rgpd@tlml.ch (subject: “Data Protection Rights Request”). Proof of identity may be required. We will respond within 30 days (extendable to 60 days for complex requests, with prior notice).
If you believe your rights are not respected, you may file a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch.
EU residents may contact the supervisory authority of their country of residence.
9. Cookies and Tracking Tools
Our website uses cookies and similar technologies. During your first visit, a banner allows you to accept or refuse each category. You can modify your preferences at any time via the “Manage my cookies” link at the bottom of each page.
No non‑essential cookie is placed without your consent.
| Essential | Site operation: user session, shopping cart, security, language preference. Cannot be disabled. |
| Analytics | Google Analytics 4 — anonymised audience measurement (truncated IP). Duration: 13 months. Requires consent. |
| Advertising | Meta Pixel & Google Ads — retargeting, conversion tracking. Duration: 90 days. Requires consent. |
| Social networks | Facebook, Instagram, YouTube plug‑ins. Set directly by these platforms upon activation. Requires consent. |
10. Data Security
We implement technical and organisational measures to protect your data:
- HTTPS (TLS) encrypted communications
- Restricted data access for authorised employees only
- Confidentiality obligations for all staff and service providers
- Regular review of permissions and access rights
- Payment data processed by Adyen, PCI‑DSS Level 1 certified — we never store full card numbers
In the event of a data breach that may pose a risk to your rights, we commit to notifying the competent authorities and, if necessary, the affected individuals, within the deadlines required by the FADP and GDPR.
11. Changes to This Policy
TLML SA reserves the right to modify this policy at any time, particularly to reflect legal changes or the introduction of new services.
In the event of significant changes, you will be notified by email (if you are a registered customer) or via a visible notification on the website. The update date is indicated at the top of this page.
12. Contact — Data Protection
For any questions regarding this policy or to exercise your rights:
Dedicated Contact
| Email (personal data) | rgpd@tlml.ch — Subject: Data Protection |
| Postal address | TLML SA — Data Protection, Route du Belvédère 8, 1854 Leysin, Switzerland |
| Supervisory authority (CH) |