This privacy policy describes how and for what purpose Gletschergarten Luzern processes personal data. It regulates the forwarding of data and the storage or deletion of personal data. The central concern is to protect the privacy of customers, suppliers and employees. In the following, the term "user" is used for all affected groups of persons.

1. FUNDAMENTALS AND PRINCIPLES

The processing of personal data is limited to the data required to provide a functional website and to ensure its operation. We collect, process and use personal data in accordance with the content of these data protection provisions and the applicable data protection regulations, in particular the Swiss Data Protection Act (DPA). When processing data, we take into account the processing principles of lawfulness, proportionality, purpose limitation, data security, transparency and compliance with information obligations. These data protection provisions regulate which personal data we collect and process about our users. We therefore recommend that you read the following information carefully.

2. DESCRIPTION AND SCOPE OF DATA PROCESSING

For the purposes of this Privacy Policy, personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). This includes in particular names, gender, title, e-mail addresses, postal addresses and telephone numbers as well as credit card and account data. In the case of registered merchants, we also record their VAT details.

Personal data also includes information about the use of our website. In this context, we collect personal data as follows: Information about visits to our website, such as the scope of data transfer, the location from which users retrieve data from our website and other connection data and sources that are retrieved. This is usually done through the use of log files and cookies. Further information can be found below.

We do not pass on personal data to third parties. The exceptions are Users have consented to the transfer of data or we are entitled or obliged to transfer data due to legal provisions and/or official or court orders. In particular, this may involve the disclosure of information for the purposes of criminal prosecution, to avert danger or to enforce intellectual property rights. We store personal data for as long as it is needed for the purpose for which it was collected, or for as long as we are obliged to do so under applicable laws, regulations or contractual agreements and for as long as we have an overriding interest in storing it. The data will then be deleted.

3. PURPOSE OF USE

We use personal data for the following purposes:

• - To provide the services requested by customers (information, shopping cart functions).
• - To ensure that our website is presented in the most effective and interesting way possible.
• - To enable participation in interactive offers, if this is requested.
• - To inform you about changes to our services.
• - For statistical surveys and evaluations.
• - To fulfill our contractual and legal obligations.

4. INFORMATION ABOUT SERVER LOG FILES AND COOKIES

• Each time our website is accessed, we collect the IP address of the computer, the browser request and the time of this request. In addition, the status and the amount of data transferred are recorded as part of this request. We also record the website from which our site was accessed. The IP address of your computer is only stored in server log files for the duration of your use of the website and is then immediately deleted or anonymized by shortening it. We use this data for the operation of our website, in particular to detect and eliminate errors on the website, to determine the utilization of the website and to make adjustments or improvements. The data collected also enables a more precise examination in the event of suspected unlawful use of our website.

Our website uses cookies and similar technologies. If the settings of the user's device allow it, we use cookies to provide an optimal browsing experience. Cookies are information files that the user's web browser automatically saves on their computer's hard disk when they visit our website. They help to make your visit to our website easier, more pleasant and more useful. We use cookies to temporarily store selected services and entries when filling out a form on the website so that entries do not have to be repeated when another subpage is called up.

If the use of browser cookies is not desired, you can set your browser so that the storage of cookies is not accepted. Please note that in this case our website can only be used to a limited extent or not at all. If only our own cookies are to be accepted, but not the cookies of our service providers and partners, you can select the "Block third-party cookies" setting in your browser.

5. TECHNOLOGIES & PLUGINS FROM THIRD-PARTY PROVIDERS

Social media channels

We use links to refer to our social media channels such as Facebook, Instagram and YouTube. The purpose and scope of data collection and the processing of personal data by the provider as well as the rights and settings to protect your privacy can be found in the data protection notices of the respective providers.

Pimcore CMS / CRM / CoreShop

Our website and CRM are operated via the Pimcore CMS, which is based on the Symfony framework. Our provider ensures that the latest version of the framework is always used in order to benefit from the latest security improvements.

Our website not only functions as an information platform, but also offers a webshop where you can purchase tickets for museum admission and various events. When ordering, you have the choice of either setting up a customer account or completing the order as a guest by entering your name, e-mail address and billing address. When setting up a customer account, you can voluntarily provide additional information that is not absolutely necessary. This enables us to offer a more personalized service. You can have your user account deleted at any time by contacting us in accordance with the final provisions below.

Our CRM system enables us to maintain and effectively manage customer relationships. We can collect, analyze and use relevant data to provide you with a better service and provide you with relevant information. We enable customer support, send relevant marketing communications and track interactions with our customers. We also generally use the collected data to improve our services. For this purpose, we collect the following personal data via our CRM system

Name and contact details (e.g. address, telephone number, e-mail address)

Information about interactions (e.g. purchases made, inquiries)

Preferences for marketing communications (e.g. newsletter subscriptions)

We have implemented appropriate security measures to ensure the security of your data in the CRM system. This includes protection against unauthorized access, loss, misuse or disclosure. We only share your data with authorized employees who are entitled to process this data within the scope of their duties.

Our provider: Swiss-Development GmbH, Bahnhofstrasse 7, 5400 Baden.

Use of Google reCAPTCHA

We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our website. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of reCAPTCHA is to check whether the data input on this website (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website by the website visitor or mouse movements made by the user). The data collected during the analysis is forwarded to Google. The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.

Use of Google Maps

Our website uses Google Maps API to display geographical information visually. When Google Maps is used, Google also collects, processes and uses data about the use of the map functions by visitors. Further information about data processing by Google can be found in Google's privacy policy. There you can also adjust your personal data protection settings in the data protection center.

Detailed instructions on managing your own data in connection with Google products can be found here: Link to the Google Privacy Notice.

Please note that by using the Google Maps functions on this website, you consent to the collection, processing and use of data by Google.

We have no direct influence on the data collected or the data processing operations of Google. We only receive statistical evaluations from Google Maps. We cannot rule out the possibility that Google may pass the data on to third parties. It cannot be ruled out that this data will be processed in the USA.

The legal basis for the use of Google Maps is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in optimizing the functionality of our website.

Use of Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies, which are stored on your computer and enable your use of the website to be analyzed. The information generated by the cookies about your use of this website is usually transmitted to a Google server in the USA and stored there.

However, if IP anonymization is activated on this website, your IP address will be shortened by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.

The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

Use of PHP sessions for login

In order to provide you with a secure and user-friendly login to our website, we use PHP sessions. These sessions make it possible to securely manage your login information and ensure that you remain logged in during your visit to the website.

During your session, temporary cookies are stored on your device which are used to store your login information and session data. These cookies are automatically deleted as soon as you log out or end your session.

Credit card payments

Our online store allows you to make purchases conveniently and securely with credit cards. To ensure the security of your payments, we work together with SIX Worldpay.

When processing credit card payments, our payment service provider collects the following information from you

• Name of the cardholder
• Credit card number
• Expiration date of the credit card
• Security code (CVV)
• This information is transmitted in encrypted form and used exclusively for the purpose of processing the payment. We do not store any credit card information on our own servers. Please note that the processing of your credit card data by our payment service provider is subject to the respective data protection regulations and security measures of the service provider.

Newsletter

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. No further data is collected, or only on a voluntary basis.

6. DATA SECURITY

Information that you transmit to us is stored on servers within Switzerland/European Union. Unfortunately, the transmission of information via the Internet is not completely secure, which is why we cannot guarantee the security of data transmitted to our website via the Internet. However, we take technical and organizational measures to protect our website and other systems against loss, destruction, access, modification or dissemination of your data by unauthorized persons. In particular, your personal data is transmitted to us in encrypted form. We use the SSL (Secure Socket Layer) [or TLS (Transport Layer Security)] coding system.

7 YOUR RIGHTS

You have the right to request information about your personal data processed by us. In particular, you may request information about the personal data as such, the purpose of processing, the storage period or, if this is not possible, the criteria for determining this period, the origin of your data if it was not collected from you, the existence of an automated individual decision and, if applicable, the recipients or categories of recipients to whom personal data is disclosed.

You also have the right to withdraw your consent to the use of your personal data at any time. You can assert your rights at any time by contacting us at the address given below.

If you are of the opinion that the processing of your personal data by us is contrary to the applicable data protection provisions, you have the option of lodging a complaint with the Federal Data Protection and Information Commissioner.

8. FINAL PROVISIONS

We are responsible for data processing in accordance with this privacy policy, unless otherwise specified. Inquiries about data protection can be sent to us via the contact form on our website or by post. In the case of questions about a specific person, requests for rectification or requests for erasure, a copy of the ID or passport identifying the user must be enclosed.

Postal address: Gletschergarten Lucerne Andreas Burri Denkmalstrasse 4 6006 Lucerne

We reserve the right to amend these data protection provisions at any time with effect for the future. A current version is always available on the website. Please visit the website regularly and inform yourself about the applicable data protection provisions.

Lucerne, August 30, 2023