Privacy Policy

Last updated: 30. August 2025

1. Who we are (Controller)

Bay One Hospitality Group AG (“stay sunday”), Hauptstrasse 30, 8268 Mannenbach‑Salenstein, Switzerland, Email: info@staysunday.com.

This Privacy Policy explains how we process personal data when you visit our websites, make a booking, stay with us, or contact us. We comply with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU/UK General Data Protection Regulation (GDPR/UK GDPR).

2. Contact for privacy matters

If you have questions or wish to exercise your rights, please contact us at the above address (“Data Protection Contact”). If you are in the EEA/UK, you also have the right to lodge a complaint with your local supervisory authority (see Section 12).

3. What data we process and from which sources

  • Booking and guest data: name, contact details, booking details, payment status, preferences (e.g., room type), accompanying guests, communication history.
  • Identification data for digital check‑in (via LikeMagic app): information from a valid ID (e.g., type, number, name, date of birth) to meet legal obligations and verify identity.
  • Website and usage data: IP address, device/browser data, pages viewed, time stamps, cookie IDs, consent choices.
  • Payment data: masked card data, transaction IDs, payment status (processed via payment service providers).
  • Operational data during your stay: incident/maintenance reports, key or code logs, Wi‑Fi login logs (technical).
  • Communication data: your requests via email, phone or forms; reviews/feedback.

We collect data directly from you, from booking platforms you use, from corporate bookers, and from service providers involved in fulfilling your booking.

4. Purposes of processing and legal bases

We process personal data for the following purposes and on these legal bases (Art. 6 GDPR; analogous principles under the FADP):

  • Booking, check‑in/out, and performance of the accommodation contract (Art. 6(1)(b) GDPR).
  • Identity verification, guest registration and legal retention (legal obligations; Art. 6(1)(c) GDPR; cantonal hotel registration laws; Swiss accounting obligations).
  • Customer service and communication (contract and/or legitimate interests; Art. 6(1)(b),(f) GDPR).
  • Operation, security and improvement of our websites, apps and services (legitimate interests; Art. 6(1)(f) GDPR).
  • Payment processing and fraud prevention (contract, legal obligations, legitimate interests).
  • Marketing with your consent (Art. 6(1)(a) GDPR) or based on legitimate interests where permitted (Art. 6(1)(f) GDPR).

Where we rely on legitimate interests, we balance our interests with your rights and expectations.

5. Cookies and similar technologies

We use necessary cookies to operate the site. With your consent, we may use analytics and/or marketing cookies. You can manage your choices in our cookie banner and your browser settings. For details on types, purposes and storage periods, see our cookie tool when you visit the site.

6. Disclosures (recipients) and processors

We may share data with hosting, IT and security providers; booking, property‑management and guest‑journey tools (e.g., digital check‑in via LikeMagic app); payment service providers and banks; professional advisors (e.g., auditing, legal); and authorities/courts where required by law. All processors act on our instructions and are contractually bound to appropriate safeguards.

7. International data transfers

We mainly process data in Switzerland and the EEA. Where data is transferred to countries without an adequate level of protection, we implement appropriate safeguards (e.g., EU Standard Contractual Clauses and, where required, UK IDTA/Addendum) and conduct risk assessments. Switzerland benefits from EU adequacy, and the UK recognises Switzerland as adequate; nonetheless, we apply safeguards for other third countries when needed.

8. Retention

We retain personal data only as long as necessary for the purposes set out above or to comply with legal obligations. Typical periods include:

  • Booking/contract data: generally 10 years (statutory retention under Swiss commercial/tax law).
  • Guest registration/ID data: per applicable cantonal requirements (usually up to 12 months unless a longer legal period applies).
  • Technical logs and security data: typically 6–24 months.

When data is no longer required, we delete or anonymise it.

9. Your rights

Subject to legal requirements and restrictions, you may request access to and a copy of your data; request rectification or erasure; request restriction of processing; object to processing based on legitimate interests (including direct marketing); withdraw consent at any time; and receive data you provided in a portable format (where applicable). To exercise your rights, contact us (Section 2). We may verify your identity.

10. Required data

For bookings and stays, certain data is necessary (e.g., identity and contact information). Without this data, we may not be able to accept or execute your booking.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, secure storage, role‑based access, and regular reviews of our safeguards.

12. Supervisory authorities and complaints

EEA: You may lodge a complaint with your local EU authority (see e.g., edpb.europa.eu). UK: Information Commissioner’s Office (ico.org.uk). Switzerland: Federal Data Protection and Information Commissioner (edoeb.admin.ch).

13. Children

Our accommodation is intended for adults (see our Terms). We do not knowingly collect personal data from minors without consent of a legal guardian.

14. Changes to this Policy

We may update this Policy from time to time. The version and “Last updated” date are indicated at the top. Material changes will be highlighted on our website.

×