Data privacy

We are aware that conscientious handling of your personal data is important to you. All data processing is only carried out for specific purposes. This could result from, for example, technical necessity, contractual requirements, legal provisions, prevailing interests, i.e. legitimate reasons, or your express consent. We collect, store and process personal data where this is necessary, for example, for initiating, managing and handling the customer relationship, communication with you, marketing purposes and relationship management, as well as for market research and the further development of services and products.

That way, some of your personal characteristics can be automatically evaluated for the purposes mentioned above ("profiling"), if we want to determine preference data, but also to identify misuse and security risks, perform statistical evaluations, or for operational planning purposes. We can also create profiles for the same purposes. This means we can combine behavioural and preference data but also master and contract data and technical data assigned to you to better understand you as a person with your various interests and other characteristics. However, we can also create anonymous mobility profiles for you and – with your consent – personalised mobility profiles. 

In certain situations, for reasons of efficiency and the uniformity of decision-making processes, it may be necessary that we automate discretionary decisions that affect you and have legal implications or possibly significant disadvantages ("automated individual decisions," such as the automatic acceptance of orders by our web store). In this case, we will inform you accordingly and ensure compliance with measures required by the applicable law.

For detailed information on which data are processed for which purposes, please read the following sections.

We will pass on your personal data to third parties in Switzerland and abroad in connection with our contracts, the website, our products and services, our legal obligations or for the protection of our legitimate interests and the other listed purposes. The third parties include the following categories of recipients in particular:
 

• Group companies: You can find a list of group companies here. Group companies may use the data in accordance with this privacy policy for the same purposes as we do.
   
• Service providers: We work with service providers in Switzerland and abroad who process data about you on our behalf or in joint responsibility with us, or who receive data about you from us for which they are solely responsible (e.g. IT providers, shipping companies (such as Swiss Post), address management service providers, marketing service providers, including providers of tracking tools and web store providers, social plug-ins and advertising, as well as market research service providers, security companies, banks, insurers). Our central IT and customer management service providers, including for ticket sales and reservations, are Microsoft Ireland Operation Limited and Zendesk, Inc., San Francisco, US. 
   
• Integrated subcontractors in our "cariboo" web store: cariboo is an open digital ecosystem that links to third-party systems via interfaces. At the front end, cariboo is a "one-stop shop", for all the tourism services of a destination, with a booking process, a shopping basket and a payment process. The following subcontractors are deployed within the cariboo digital ecosystem for BLS Schifffahrt AG:
   
  • We use the services of Digital Ocean (101 Sixth Ave, New York, NY 10013, United States). DigitalOcean is used to host the cariboo backend including the databases of orders and users. Data is stored on EU servers (in Frankfurt).
  • Auth0 is a service provided by Okta Inc. 100 First Street, 6th Floor San Francisco, CA 94105, USA. It is used to authenticate users (by email and password or via social login). Data is stored on EU servers.
  • Cloudinary is a service operated by Cloudinary Inc., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA. It is a CDN (Content Delivery Network) for images, which is used for images that are uploaded directly to cariboo. Data is stored on EU servers.
  • Sendgrid is a subsidiary of Twilio, 1801 California St Ste 500, Denver, CO 80202, United States. Sendgrid is a service that is used to send emails from cariboo (e.g. booking confirmations). Certain data for sending emails (e.g. booking confirmations) is stored in the USA.
  • Sentry is a service provided by Functional Software Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. The Sentry monitoring tool is used to recognise any errors in the system in good time and thus ensure the secure operation of the SaaS solution. The IP address is stored in the USA.
  • Cloudflare: Cloudflare 101 Townsend St, San Francisco, CA 94107, USA, is used to protect cariboo from DDOS attacks. Data is stored on EU servers.
     
• Transport companies and associations (public transport sector): See Section C. 
   
• Contracting partners: Recipients also include contracting partners with whom we cooperate in the following areas and to whom we consequently pass on data about you:
   
  • If you use offers with a Swisspass partner using your Swisspass, data on any benefits you may have acquired from us (e.g. a GA, half-fare or regional point-to-point travelcard) may be transmitted to the Swisspass partners in order to check whether you can benefit from a specific offer from the Swisspass partner (e.g. discount for GA travelcard holders). In the event of loss, theft, misuse or forgery, or card replacement after the purchase of a service, the partner concerned will be informed. This data processing is necessary for the execution of the contract for the use of the Swisspass and therefore stems from this legal basis. You can find more information in the data privacy statement at swisspass.ch.
  • Leisure partners in connection with the use of joint offers
  • Service providers in connection with the arrangement of travel. If your journey involves foreign transport companies, the data will also be passed on to the respective foreign providers/transport companies. However, this will only be to the extent necessary to check the validity of the tickets and to prevent misuse.
  • Third-party systems connected to cariboo (our web store): We use various third-party systems connected to cariboo to generate online bookings and have direct contracts with the following third-party systems:
    • BiLL GmbH, Sonnenbodenstrasse 7a, CH-3076 Worb, Switzerland, offers distribution systems for public transport. Booking data for booked tickets is transmitted to BiLL.
    • Trekksoft AG, Hauptstrasse 15, 3800 Matten bei Interlaken, Switzerland, offers a platform for booking management in the tourism sector and specialises in outdoor activities. Booking data for booked experiences is transmitted to Trekksoft.
    • BpEvent is a software solution from Bankettprofi GmbH, Johannesstrasse 13, 67346 Speyer, Germany, for the organisation of business events and conferences. Booking data for table reservations is transmitted to BpEvent.
    • e-guma is a platform from Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland, for the sale of vouchers and gift cards for companies in various sectors. Booking data is transmitted to e-guma when vouchers or experiences are purchased.
       
• Authorities: We may forward personal data to government departments, courts or other authorities in Switzerland and abroad if we are legally obliged or authorised to do so or if we deem this necessary in the protection of our legitimate interests. The authorities are solely responsible for any processing of the data about you that they receive from us.
   
• Your personal data will not be disclosed to other third parties outside the public transport sector. The only exceptions are Swisspass partners (to the extent described below) and companies that have been authorised by the public transport companies, on the basis of a contractual agreement, to act as intermediaries for public transport services. These intermediaries only receive access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they will only have access to your data to the extent necessary to determine whether you already have tickets or travel cards for the planned travel period that are relevant to your journey or the service you want from the third party. The legal basis for this data processing is therefore your consent. You can withdraw your consent at any time with effect for the future.

As explained in Clause 3, we also disclose your data to other organisations. These organisations are not exclusively based in Switzerland. Consequently, your data may be processed in both Europe and in a third country, for example the USA.

If a recipient is situated in a country without appropriate legal data protection, we contractually require the recipient to adhere to applicable data protection standards (to this end we use the revised standard contractual clauses of the European Commission, which can be viewed here), insofar as the recipient is not already subject to a legally recognised set of regulations for ensuring data protection and we cannot rely on an exemption clause. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the processing of a contract requires such disclosure, if you have consented to the disclosure, or if it is a matter of data that you have made generally accessible and to the processing of which you have not objected. 

We use cookies in certain cases. Cookies are small files that are stored on your computer or mobile device when you visit or use one of our websites. Cookies store certain settings about your browser and data about exchanges with the website through your browser. When a cookie is activated, it can be assigned an identification number that identifies your browser and allows the information contained in the cookie to be used. You can configure your browser to display a warning on the screen before saving a cookie. You can also choose not to take advantage of personal cookies. Certain services cannot be used in this case.

We use cookies to evaluate general user behaviour. The aim is to optimise the digital presences. These are to be made easier to use and the content more intuitive to find. The aim is to structure them in a more comprehensible way. It is important to us to make the digital presences user-friendly according to your needs. This allows us to optimise the website by providing targeted content or information on the website that may be of interest to you.

You can configure your cookies using the following consent management tools: 

Piwik PRO GmbH, Kurfürstendamm 21, 10719 Berlin

Disabling cookies may result in you not being able to use all the functions of our website. 

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data.

On our website, we link to the following social networks or our corresponding profiles on the sites:
 

• Facebook: Facebook is operated at www.facebook.com by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and at www.facebook.de by Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland ("Facebook"). You can find an overview of the Facebook plugins and their appearance here. You can find information on data protection at Facebook here.
• Google+ and YouTube: Google+ is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). You can find an overview of the Google+ plugins and their appearance here and information on data protection at Google+ here.
• Instagram: Instagram is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). You can find an overview of the Instagram plugins and their appearance here; information on data protection at Instagram is available here.
• LinkedIn: For users based in Europe, the responsible entity for operating the platform is LinkedIn Ireland Unlimited Company, Dublin, Ireland. Their privacy policy can be found here.

Either the plugins are only displayed as graphics or with a link on our website, or the plugins are deactivated on our websites and therefore do not send any data to the social networks. When you click on the graphic or the plugin, you will be forwarded to the respective social media platform and the aforementioned provisions of the respective provider apply (see bullet points). Or you can activate all plugins by clicking on the "Activate plugins" button (so-called two-click solution). The plugins can, of course, be deactivated again with one click.

If the plugins are activated, your browser will establish a direct connection with the servers of the respective social network as soon as you access our website. The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by it.

By integrating the plugins, the respective provider receives the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted from your browser directly to a server of the provider (usually in the USA) and stored there. We therefore have no influence on the scope of the data that the provider collects with the plug-in.

If you are logged in to the social network, it can assign the visit to our website directly to your user account. If you interact with the plug-ins, the corresponding information will also be transmitted directly to a server of the provider and stored there. The information can also be published on the social network and, under certain circumstances, may be displayed to other users of the social network.

The provider of the social network may use this information for the purposes of advertising, market research, and to customise the design of the respective offering. For this purpose, usage, interest and relationship profiles could be created, for example, to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network.

The purpose and scope of the data collection and further processing and use of data by the providers of the social networks and the relevant rights and settings to protect your privacy can be found in the data protection information of the relevant providers.

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins.

Insofar as the EU GDPR is applicable, our legitimate interest forms the legal basis for this processing of personal data. 

We do not use third-party providers (ad servers) to place and use personalised adverts on our website bls-schiff.ch.

With regard to your personal data, you have the following rights:

• You can request information about your stored personal data.
• You can request a correction, completion, restriction of use, or deletion of your personal data. The use of data will be restricted rather than deleting the data outright if there are legal obstacles to deletion (for example, legal obligations to retain data).
• You may request that we provide certain personal data in a commonly used electronic format or transfer it to another controller.
• If you have set up a customer account, you can delete this or request that it be deleted.
• You can decline the use of your data for marketing and market research purposes.
• You can withdraw your consent at any time with effect for the future.
• In the case of automated, individual decisions, you have the right to express your point of view and request that the decision in question be reviewed by a natural person.

If you wish to exercise the above-mentioned rights against us or one of our group companies, please contact us in writing or send us an email; our contact information can be found in Section B. In order for us to rule out any potential misuse, we must identify you (e.g. with a copy of your ID, if this is not possible via any other method).

If you wish to request information or deletion of the data stored about you in the entire public transport system, you can do so in writing and with a copy of your ID card to SBB (SBB AG, Recht & Compliance, Fachstelle Datenschutz, Hilfikerstrasse 1, CH-3000 Bern 65). You can find further details of the information and deletion process within Public Transport Switzerland here.

Requests for information from the information system on travellers without a valid ticket in accordance with Art. 20a of the Swiss Federal Law on Passenger Transport (Bundesgesetzes über die Personenbeförderung, PGB) should be sent to the operator of the system at the following address:

PostAuto AG, 'SynServ', Pfingstweidstrasse 60b, CH-8080 Zurich

or via e-mail to: synserv@postauto.ch 

If you do not agree with our handling of your rights or data protection, please communicate this to us. In particular, if you are located in the EEA, in the United Kingdom or in Switzerland, you also have the right to complain to the data protection supervisory authority within your country.

You can find a list of the authorities within the EEA here. 

You can reach the supervisory authority of the United Kingdom here. 

Changes to this privacy policy may be necessary from time to time. BLS Schifffahrt reserves the right to amend this data privacy statement at any time with effect from a future date. The version published on this website is the currently applicable version.