Data protection declaration Leoganger Bergbahnen GmbH Hütten 39 5771 Leogang

1.General

The protection of your personal data is of particular concern to us. We therefore process your data exclusively in a lawful manner on the basis of the statutory provisions (GDPR, DSG 2018, TKG 2021). In this privacy policy, we inform you about the most important aspects of data processing – type, scope and purposes of the collection and use of personal data – in the context of the use of our website and in the context of other services of our company.

Only the German version of our privacy policy is legally binding text. The English translation serves as a legally non-binding information. Deviations of the English text or how it could be understood do not affect the exclusive legal validity of the German text and its meaning.

The responsible person (“controller” within the meaning of Art. 4 no. 7 GDPR) of the processing of your personal data (“personal data” within the meaning of Art. 4 no. 1 GDPR) is:

Leoganger Bergbahnen GmbH Hütten 39 A-5771 Leogang T +43 6583 8219 E-Mail:  info@leoganger-bergbahnen.at

2. General Information

The Leoganger Bergbahnen GmbH need in the course of the registration of your personal account and for the processing of a possible future business agreement the following personal data:

Types of processed data

  • Inventory data (e.g. names, addresses, date of birth)

  • Contact data (e.g. E-Mail, telephone numbers)

The following data is processed additionally

  • Content data (e.g. text entries, photographs, videos)

  • Usage data (e.g. websites visited, interest in content, access times)

  • Meta/communication data (e.g. device information, IP addresses)

Fulfilment of the agreement

  • Provision of the online offer, its functions, and contents

  • Responding to contact requests and communication with users

  • Security measures

  • Audience measurements

Terms used "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

"Processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is having a broad meaning and covers virtually all data processing

The "body responsible" is the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Relevant legal basis In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not stated in the data protection declaration, the following applies: The legal basis for obtaining consent is Art. 6 Para. 1 lit. a and Art. 7 GDPR, the legal basis for processing for the purpose of fulfilling our services and implementing contractual measures and answering enquiries is Art. 6 Para. 1 lit. b GDPR, the legal basis for processing for the purpose of fulfilling our legal obligations is Art. 6 Para. 1 lit. c GDPR, and the legal basis for processing for the purpose of safeguarding our legitimate interests is Art. 6 Para. 1 lit. f GDPR. If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

Security measures We kindly ask you to inform yourself regularly about the content of our Data Protection Declaration. We will adapt the Data Protection Declaration as soon as we make necessary changes in data processing. We will inform you as soon as the changes made, mean it is necessary for you to take action to cooperate (e.g. to give your consent) or to receive other individual notification.

Cooperation with processors and third parties If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transfer it to them or otherwise grant them access to the data, this is only done on the basis of a legal authorisation (e.g. if the data must be transferred to third parties, such as payment service providers, in accordance with Art. 6 Para. 1 letter b GDPR for the fulfilment of the contract), if you have given your consent, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we commission third parties to process data based on a so-called "contract processing agreement", this is done based on Art. 28 GDPR.

3. Order data processors involved

Online-Ticketshop: Alturos Destinations GmbH, Lakeside B03, 9020 Klagenfurt

Public WIFI at lift stations: Loop21 Mobile Net GmbH, Hirschstettner Straße 19-21 L1, 1220 Wien

4. Data processing details

Transfers to third countries If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or if this is done in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or transfer the data in a third country if the special conditions of Art. 44 ff. GDPR. Through the services Mailchimp Newsletter, Google Analytics, Google Remarketing, Facebook-Pixel and Facebook-Conversion as well as Youtube, which are integrated in this website, your data will (at least in some cases) also be transferred to the USA. Authorities or secret services in the USA can access your data without legal possibilities. The ECJ has therefore found that there is no sufficient level of data protection in the sense of Art 45ff GDPR for data transfers from the EU to the USA. For this reason, the legal basis for the use of this service is your express consent pursuant to Art. 49 (1) lit. a GDPR ivm. Art. 6 para. 1 lit. a GDPR.

The rights of people concerned You have the right to obtain confirmation as to whether or not data in question is being processed and to obtain information about this data and to receive further information and a copy of the data in accordance with Art. 15 GDPR. In accordance with Art. 16 GDPR, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you. In accordance with Art. 17 GDPR, you have the right to demand that data relating to you be deleted immediately or, alternatively, in accordance with Art. 18 GDPR, to demand that the processing of the data be restricted. You have the right to demand that the data concerning you which you have made available to us be received in accordance with Art. 20 GDPR and to demand that it be passed on to other responsible parties. You also have the right under Art. 77 GDPR to lodge a complaint with the competent supervisory authority.

Right of revocation You have the right to revoke consent you have given in accordance with Art. 7 para. 3 GDPR with effect for the future.

Right of objection You can object to the future processing of data concerning you at any time in accordance with Art. 21 GDPR. In particular, you may object to processing for the purposes of direct advertising.

Cookies and right of objection for direct advertising

"Cookies" are small files that are stored on the user's computer. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his visit to an online offer. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are deleted after a user leaves an online offer and closes his browser. Permanent" or "persistent" cookies are those that remain stored even after the browser is closed. Cookies can store the interests of users, which are used for coverage measurement or marketing purposes. Third-party cookies" are cookies that are offered by providers other than the person responsible for the online offer (otherwise, if it is only their cookies, it is referred to as "first-party cookies"). We may use temporary and permanent cookies and provide information on this in our data protection declaration.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of our online offer. A general objection to the use of cookies used for online marketing purposes can be declared for many services, particularly in the case of tracking, via the US site Aboutads or the EU site Your Online Choices. Furthermore, the storage of cookies can be achieved by deactivating them in the browser settings. Please note that it may not be possible to use all the functions of this online service.

Deletion of data The data processed by us will be deleted, made anonymous or restricted in their processing in accordance with articles 17 and 18 of the GDPR. Unless expressly stated in this data protection declaration, the data stored by us will be deleted or anonymised as soon as they are no longer required for their intended purpose and no legal storage obligations stand in the way of deletion/anonymisation. If the data is not deleted/anonymised because it is required for other and legally permissible purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

According to legal requirements in Austria, the storage is carried out in particular for 7 J according to § 132 (1) BAO (bookkeeping documents, records/invoices, accounts, vouchers, business documents, statement of income and expenditure, etc.), for 22 years in connection with real estate and for 10 years for documents in connection with electronically provided services, telecommunications, radio and television services provided to non-entrepreneurs in EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.

Business-related processing In addition, we process contract data (e.g. subject matter of the contract, duration, customer category) as well as payment data (e.g. bank details, payment history) of our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

Requests for information If you wish to exercise your right to information, we will be pleased to inform you within the statutory period for reply what personal data we have about you and in what form we process it. Please send us an Email for this purpose.

Hosting The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this online service. For this purpose, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online service on the basis of our legitimate interests in the efficient and secure provision of this online service in accordance with Art. 6 Para. 1 letter f GDPR in conjunction with Art. 28 GDPR (conclusion of contract processing agreement)

Collection of access data and log files We, or our hosting provider, on the basis of our legitimate interests in the sense of Art. 6 Par. 1 lit. f. GDPR data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the website previously visited), IP address and the requesting provider. For security reasons (e.g. to clarify misuse or fraud), log file information is stored for a maximum of 7 days and then deleted. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified.

Economic analyses and market research In order to run our business economically, to identify market trends, customer and user wishes, we analyse the data available to us on business transactions, contracts, enquiries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 Paragraph 1 lit. f. GDPR, whereby the persons concerned include customers, interested parties, business partners, visitors and users of the online offer.

The analyses are carried out for the purpose of business management evaluations, marketing, and market research. The analyses serve us to increase user-friendliness, to optimise our offer and for business management purposes. The analyses serve only us and are not disclosed externally unless they are anonymous analyses with summarised values.

5. Contact management

Administration, financial accounting, office organisation & contact management

We process data within the framework of administrative tasks as well as the organisation of our operations, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process within the scope of providing our contractual services. The basis for processing is Art. 6 Para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose of and our interest in the processing is administration, financial accounting, office organisation, archiving of data, i.e. tasks which serve to maintain our business activities, perform our tasks, and provide our services. The deletion of data regarding contractual services and contractual communication is in accordance with the information provided in these processing activities.

In doing so, we disclose or transfer data to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee-paying agencies and payment service providers.

Furthermore, we store information on suppliers, event organisers and other business partners based on our business interests, e.g. for the purpose of contacting them at a later date. We store these mostly company-related data permanently.

For the rest, the macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.

Bookings on our booking platform & direct enquiries We process the data of our customers within the framework of bookings, brochure or availability requests via our booking system in order to enable them to book the selected services, as well as to pay for or execute them or to send you the requested information.

The processed data includes inventory data, communication data, contract data, payment data. The persons affected by the processing include our customers, interested parties and other business partners. The processing is carried out for the purpose of providing contractual services in the context of operating a booking portal, invoicing, delivery, and customer services. For this purpose, we set session cookies for the storage of the shopping basket contents.

The processing is based on Art. 6 para. 1 lit. b (execution of ordering processes) and c (legally required archiving) GDPR. In this context, the information marked as required is required for the establishment and performance of the contract. We disclose the data to third parties only within the scope of delivery, payment or within the scope of the legal permits and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfilment of the contract (e.g. on customer request for delivery or payment). Within the framework of the booking, the users are informed of the required mandatory data.

The anonymisation of data from regular online bookings is carried out 18 months after the date of departure. In the case of package bookings, the data will be anonymised after expiry of statutory archiving obligations. Critical data (e.g. credit card data) is deleted 30 days after the date of departure.

Contact When contacting us (e.g. by contact form, e-mail, telephone or via social media), the user's details are processed for the purpose of handling the contact request and its processing in accordance with Art. 6 Para. 1 lit. b) GDPR. The user's details may be stored in a customer relationship management system ("CRM system") or comparable enquiry organisation.

We delete the requests if they are no longer necessary. We review the necessity every two years; furthermore, the statutory archiving obligations apply.

Data protection notices in the application procedure We process the applicant data only for the purpose and within the scope of the application procedure in accordance with the legal requirements. The applicant data is processed for the purpose of fulfilling our (pre-)contractual obligations within the scope of the application procedure in accordance with Art. 6 Para. 1 lit. b. GDPR Art. 6 para. 1 lit. f. GDPR if the data processing becomes necessary for us, e.g. within the framework of legal procedures.

The application procedure requires applicants to provide us with their application details. If we offer an online form, the necessary applicant data is marked, otherwise it is derived from the job description and basically includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. In addition, applicants can voluntarily provide us with additional information.

By submitting their application to us, applicants agree to the processing of their data for the purposes of the application procedure in accordance with the type and scope described in this data protection declaration.

Insofar as special categories of personal data within the meaning of Art. 9 Para. 1 GDPR are voluntarily communicated as part of the application procedure, their processing is additionally carried out in accordance with Art. 9 Para. 2 letter b GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Article 9 paragraph 1 GDPR are requested from applicants in the course of the application procedure, their processing is additionally carried out in accordance with Article 9 paragraph 2 letter a GDPR (e.g. health data if this is necessary for the exercise of the profession).

If made available, applicants can submit their applications to us by means of an online form on our website. The data will be transmitted to us in encrypted form according to the state of the art.

Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and that the applicants themselves must ensure that they are encrypted. We can therefore not take any responsibility for the transmission path of the application between the sender and the receipt on our server and therefore recommend rather to use an online form or the postal dispatch. This is because instead of applying via the online form and e-mail, applicants still have the option of sending us their application by post.

The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted in accordance with legal requirements. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Subject to a justified revocation by the applicants, the deletion will take place after the expiry of a period of six months so that we can answer any follow-up questions regarding the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.

6. Online shops/booking portals

The company Alturos Destinations GmbH collects the customer data in the ski ticket shop and these data are stored for the validity of the lift ticket for the purpose of fraud prevention. To create the ticket, the personal data is transferred to the Skidata system. The legal basis for data processing in this case is the fulfilment of the contract Art. 6 (1) lit. b GDPR. We would like to point out that ticket purchasers who order tickets not only for themselves but also for other persons are responsible for processing the personal data of these persons only with their consent. To purchase season tickets, the address and a recent photograph are required. We would like to point out that the address will be automatically deleted after expiry plus 1250 days, and the photo after expiry plus 240 days, and access will be anonymised. Due to the defined "offset time", the season ticket holder can purchase a ticket again in the following year without having to re-enter his data and photo. In this regard, the guest will receive a letter including an order form from the lift company before the new validity period begins. The season ticket holder's data will be used exclusively for the lift companies in the Skicircus Saalbach Hinterglemm Leogang Fieberbrunn and will not be passed on to third parties. The order forms, if necessary, including credit card numbers, will be deleted, or properly disposed of after three months at the latest. Skidata - Customer data for ski tickets (purchases online or at the cash desk) For ski passes of 9 days or more, photos (taken at the ticket office) are required. These photos will be deleted after their validity expires. To purchase season tickets, the address and a current photo are required. Please note that the address will be automatically deleted at the end of the validity period plus 1250 days, and the photo at the end of the validity period plus 240 days. Due to the defined "offset time", the season ticket holder can purchase a ticket again in the following year without having to re- enter his data and photo. In this regard, the guest will receive a letter including an order form from the lift company before the new validity period begins. The season ticket holder's data will be used exclusively for the lift companies in the Skicircus Saalbach Hinterglemm Leogang Fieberbrunn and will not be passed on to third parties. The order forms, if necessary, including credit card numbers, will be deleted, or properly disposed of after three months at the latest. External payment service providers To pay for the order processes / bookings, we use external payment service providers on the legal basis of Art. 6 (1) lit. b GDPR (fulfilment of the contract), via whose platforms you can make your payments. The payment data entered by you as part of the order (e.g. account numbers, credit card numbers including check digits, passwords / TANs, etc.) are processed exclusively by our payment service providers and are not visible to us. We only receive a confirmation of the payment made or information from our payment service providers that the payment could not be made. Further information on the data protection and terms and conditions of our payment service providers can be found at: Datatrans AG, Kreuzbühlstrasse 26, CH-8008 Zürich. Tel. +41 44 256 81 91 E-Mail: info@datatrans.ch https://www.datatrans.ch/de/datenschutzbestimmungen/ Hobex AG, Josef.Branstätter-Straße 2b, A-5020 Salzburg Tel: +43 662 2255-0 E-Mail: office@hobex.at https://www.hobex.at/at/service/datenschutz-kunden/

7. Links to other external shops

Feratel DESKLINE online bookings, booking requests and brochure orders of the Saalfelden Leogang Touristik GmbH For the processing of online bookings, brochure orders and inquiries, we process your personal data in order to be able to provide you with the booked services with the help of our service provider feratel Media Technologies AG (Maria-Theresien-Straße 8, A-6020 Innsbruck). For this purpose, we store and process inventory data, communication data, contract data, payment data of our customers, interested parties and other business partners. The processing takes place for the purpose of providing contractual services or for the fulfilment of pre-contractual services on the basis of the legal basis of Art. 6 para. 1 lit. b GDPR (booking processes, answering requests for quotations and sending brochures) as well as Art. 6 (1) lit. c GDPR (legally required retention periods of bookings or invoices). For this purpose, the data fields marked as required are required for the establishment and fulfilment of the contract. We disclose your personal data in the context of this data processing to third parties (hotel partners or other tourist service providers) on the basis of the legal basis of Art. 6 (1) lit. b GDPR (if it is necessary for the processing of a booking process), or on the basis of our legitimate interest according to Art. 6 (1) lit. f GDPR for the use of appropriate booking software. We have concluded a corresponding agreement with feratel in accordance with Art. 28 GDPR as a data processor, which ensures that your data is processed exclusively within the scope of our order. Further information on the data protection of feratel under: https://www.feratel.com/en/privacy-policy.html. Feratel Webshop of the Saalfelden Leogang Touristik GmbH To process the order/booking of holiday vouchers, merchandising articles and tourist services, we use the system of feratel Media Technologies AG (Maria-Theresien-Straße 8, A-6020 Innsbruck) as our data processor. For the processing of orders/bookings the following information is required: salutation, first and last name, address, e-mail address. We have concluded a corresponding agreement with feratel in accordance with Art. 28 GDPR as a data processor, which ensures that your data is processed exclusively within the scope of our order. Further information on feratel's data protection can be found at: https://www.feratel.com/en/privacy-policy.html . Sale of Flying Fox Tickets For the sale of Flying Fox tickets from Flying Fox XXL GmbH (Hütten 39, 5771 Leogang) as well as for the sale of Flying Fox XXL vouchers, we link to the online ticket shop of Flying Fox XXL GmbH on our website. This link is integrated into our site using an HTML link. By clicking on the link, a new window of the browser opens and the page of the online ticket shop of Flying Fox XXL GmbH opens. The further processing of your personal data in the context of the Flying Fox ticket purchase is the responsibility of the data controller Flying Fox XXL GmbH. Further information on the data protection of Flying Fox XXL GmbH can be found at: https://shop.fly-xxl.at/texts/8164/ .

8. Skidata - customer dara for ski tickets (purchase online or at the cash desk)

For ski passes of 9 days or more, photos (taken at the ticket office) are required. These photos will be deleted after their validity expires. To purchase season tickets, the address and a current photo are required. Please note that the address will be automatically deleted at the end of the validity period plus 1250 days, and the photo at the end of the validity period plus 240 days. Due to the defined "offset time", the season ticket holder can purchase a ticket again in the following year without having to re- enter his data and photo. In this regard, the guest will receive a letter including an order form from the lift company before the new validity period begins. The season ticket holder's data will be used exclusively for the lift companies in the Skicircus Saalbach Hinterglemm Leogang Fieberbrunn and will not be passed on to third parties. The order forms, if necessary, including credit card numbers, will be deleted, or properly disposed of after three months at the latest.

9. Group information

For example, in order to receive special discounts for bus groups, children & youth groups as well as school groups, it is necessary to present a list of participants, including their dates of birth, when purchasing. These lists will be deleted or disposed of immediately after the respective season. Address data of the respective group leaders and the organisation/school are used for marketing purposes.

10. Photocompare - Information according to §24 DSH 2000

Please note that for the purpose of access control, a reference photo of the ski pass holder is taken every day when passing through a turnstile equipped with a camera for the first and last time. This reference photo will be compared by the employees of the cable cars with the photos that are taken each time the ski pass holder passes through a turnstile equipped with a camera. These reference photos are stored for a maximum of 7 days and then deleted; the other photos are deleted at the latest 30 minutes after each passage through a turnstile. In case of suspicion (abuse), the photo can be saved manually. Please note that it is also possible to purchase 1-day ski passes, which are technically configured in such a way that no photo is taken when passing through the turnstile, but in this case random checks by the staff of the lift companies must be expected.

11. Skiing accidents - reports

The lift companies reserve the right to charge for the use of the piste rescue service. The injured person's information (name, address, date of birth, accommodation, ski pass number, accident circumstances, type of injury, accident site, transport, costs, piste & weather conditions, witness details ;) will be stored for 3.5 years for the purpose of issuing the invoice and for possible legal claims.

12. Photopoint and phototrap

We provide a variety of photo points and photo traps distributed through the area which can be used to shoot photos. By using one of these photo points, a photo is immediately taken and published online. You can delete at any time the photos which you have taken. Please consult us via our email info@leoganger-bergbahnen.at in order to do so. Some of the photo points are operated by Alturos Destinations GmbH (Skiline). These are not treated or dealt with in our Data Protection Declaration and are not within the area of responsibility of Leoganger Bergbahnen GmbH. For that reason, the Leoganger Bergbahnen GmbH cannot assume any liability for the data protection measures and regulations of the operator.

13. Newsletter and snow report

Email newsletter MailChimp The legal basis for sending the newsletter is your consent according to Art. 6 (1) lit. a GDPR. The registration for our newsletter takes place in the so-called double opt-in procedure. This ensures that no one can log in with foreign e-mail addresses (e.g. with your email address). Your consent can be revoked at any time free of charge by clicking on the "unsubscribe link" at the end of each mailing. The legality of the data processing operations already carried out up to that point remains unaffected by the revocation. After unsubscribing from your email address, we will store it for a period of 3 years on the basis of our legitimate interest (Art. 6 (1) lit. f GDPR) in order to obtain your original consent to be able to prove if necessary. To send out our newsletter, we use "MailChimp", a service of Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. With the help of MailChimp we can analyze our newsletter campaigns. When opening an e-mail sent with MailChimp, a connection is established with the MailChimp servers. This allows us to determine whether a newsletter message has been opened and which links have been clicked on, if any. In addition, technical information such as the time of retrieval, the IP address, browser type and operating system of the recipient are registered. This information is used exclusively for the statistical analysis of our newsletter. The purpose of these analyses is to better adapt future newsletters to the interests of the recipients. The legal basis for data transfers to the USA is the EU standard contractual clauses agreed with MailChimp in connection with our examination of the admissibility of these data transfers in the sense of a comprehensive risk assessment. We have concluded a data processing agreement in the meaning of Art. 28 GDPR with MailChimp ( https://mailchimp.com/legal/data-processing-addendum/ ). Further information on the legality of MailChimp's data transfers to the USA and the special security measures taken for this purpose can be found at: https://mailchimp.com/help/Mailchimp-european-data- transfers/ . General data protection information of MailChimp can be found at: https://mailchimp.com/legal/privacy/ .

14. Cookies

Cookie Banner - Cookies on our website Our website uses cookies, which help us to make our website more user-friendly and efficient for you, to carry out statistical analyses of the use of our website and also to show you content that is of interest to you on other websites. Cookies are small text files that are used to store information when visiting websites and are stored on the website visitor's computer. The legal basis for cookies, which are absolutely necessary for the proper operation of our website (e.g. shopping cart cookie), is § 165 (3) S 3 TKG 2021. Cookies that are not necessary for the function of our website (e.g. analysis or marketing cookies) are deactivated and will only be activated by your consent in accordance with Art 6 (1) lit. a GDPR in our cookie banner ("Accept"). By clicking on "Settings" you can activate or deactivate individual cookies or cookie groups. If you restrict the use of cookies on our website, you may no longer be able to use all functions of our website to their full extent. Detailed information and setting options for cookies for this website can be found at the end of the privacy policy.

Data transfer to the USA Through the services integrated in this website, Google Tag Manager, Google Analytics, Google Ads Conversion Tacking, Google Remarketing, Facebook Pixel, Pinterest Tag, Adobe Audience Manager, Social Media Like Buttons (Facebook, Twitter, Instagram, Linked-In), Google Maps, Vimeo and YouTube, your data will (at least in some cases) also be transferred to the USA. Authorities or secret services in the USA can access your data without giving you legal recourse. The ECJ has therefore determined that there is no sufficient level of data protection in the sense of Art. 44 to 50 GDPR for data transfers from the EU to the USA. For this reason, the legal basis for the use of this service is your express consent pursuant to Art. 49 (1) lit. a GDPR.

Change the cookie settings in your web browser How the web browser you are using handles cookies, i.e. which cookies are allowed or rejected, can be determined in the settings of your web browser. You can delete cookies already stored on your computer / device yourself at any time. Where exactly these settings are located depends on the respective web browser. Detailed information on this can be called up using the help function of the respective web browser. In addition, it is possible to generally object to cookies and similar tracking technologies using the services listed below by setting your individual preferences - which technologies you want to allow for usage and interest-based advertising: European Interactive Digital Advertising Alliance (EDAA): https://www.youronlinechoices.com/uk/your-ad-choices Network Advertising Initiative (NAI): https://optout.networkadvertising.org/?c=1#!%2F Further information about the cookies which are used, can be found on. https://www.saalfelden- leogang.com/en/service-info/data-protection

15. Web Analysis

Google Tag Manager We use the service of the provider Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland) to be able to manage website tags via a common tool of Google. The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies and does not collect any other personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level,it will remain in place for all tracking tags implemented with Google Tag Manager. Further information on Google's data protection can be found at: https://policies.google.com/privacy?hl=en-GB .

Google Analytics This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis for the use of this service is your consent in accordance with Art. 6 (1) lit a GDPR. Google Analytics uses cookies that are stored on the website visitor's computer and that enable an analysis of the use of our website by the site visitor. The information generated by the cookie about your use of our website is usually stored on European servers and only in exceptional cases transmitted to a Google server in the USA and stored there. We use Google Analytics with activated IP anonymization. This means that your IP address is usually shortened by Google within the European Union and only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the corresponding browser as part of Google Analytics will not be merged with other Google data. On our behalf, Google will use the resulting information to evaluate the use of the website in order to compile reports on website activity. The collection by Google Analytics can be prevented by the site visitor adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be objected to at any time with effect for the future. The corresponding browser plugin can be downloaded and installed under the following link: https://tools.google.com/dlpage/gaoptout . We have concluded a corresponding agreement with the provider of the service in accordance with Art. 28 GDPR as a data data processor, which ensures that your data is processed exclusively within the scope of our order. Further information on the use of data by Google, setting and objection options, can be found in Google's privacy policy ( https://policies.google.com/privacy ) as well as in the settings for the presentation of advertisements by Google ( https://adssettings.google.com/authenticated ).

Google Ads Conversion Tracking Our website uses the service "GoogleAds Conversion Tracking" of the provider Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). When we place advertising ads on Google, we use so-called conversion tracking. When you click on an ad placed by Google, a cookie is set for conversion tracking (storage period 30 days). This is how we recognize that you clicked on one of our ads and were redirected to our website. However, we do not receive any personal information, but only learn the total number of users who clicked on one of our ads and were redirected to our page with a conversion tracking tag. We use Google Ads Conversion Tracking on the legal basis of your consent (settings via our cookie banner) in accordance with Art. 6 (1) lit. a GDPR. Further information on the use of data by Google, setting and objection options, can be found in Google's privacy policy ( https://policies.google.com/privacy ) as well as in the settings for the presentation of advertisements by Google ( https://adssettings.google.com/authenticated ).

Matomo (On-Premise) Our website uses the open source web analysis service Matomo of the provider Innocraft Inc,150 Willis ST, 6011 Wellington, New Zealand). This enables us to carry out an anonymous analysis of the user behaviour of our website visitors in order to optimise both our website and our advertising. We have installed Matomo on our own servers. This means that no data will be passed on to Matomo. We process the following data: Your IP address (anonymized by shortening), Cookie (to distinguish differentvisitors - Matomo cookies remain on your device until you delete them), previously visited URL (referrer - if transmitted by the browser), name and version of your operating system as well as name, version and language setting of your browser. The storage of Matomo cookies is based on our legitimate interest acc. Art. 6 (1) lit f GDPR. Our legitimate interest lies in the anonymizedanalysis of the user behavior of our website visitors in order to optimize both our website and our advertising. You can object to the storage of the Matomo cookie by deactivating "Statistics and analysis cookies" in our cookie banner. Further information on Matomo's data protection can be found at: https://matomo.org/gdpr-analytics/ .

16. Webmarketing

Google Remarketing On the legal basis of your consent pursuant to Art. 6 (1) lit. a GDPR, our website uses the functions of "Google Analytics Remarketing" in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). This feature makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC). If you have given your consent, Google will link your web and app browsing history to your Google Account for this purpose. In this way, the same personalized advertising messages can be displayed on every device on which you sign in with your Google Account. To support this feature, Google Analytics collects Google-authenticated user IDs, which are temporarily linked to our Google Analytics data to define and create audiences for cross-device advertising. You can permanently object to cross-device remarketing/targeting by deactivating personalized advertising in your Google Account; follow this link here: https://www.google.com/settings/ads/onweb/ . The summary of the collected data in your Google Account takes place exclusively on the basis of your consent, which you can give or revoke with Google (Art. 6 (1) lit. a GDPR). Further information on Google's data protection can be found at: https://www.google.com/policies/privacy/ .

Facebook-Pixel In order to place target group-directed advertisements on Facebook and to be able to track the actions of users after they have seen or clicked on a Facebook advertisement, we use the Facebook pixel of Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This allows us to display and evaluate or optimize our Facebook advertisements on Facebook that is of interest to you on Facebook with the data collected anonymously for us (we do not see any personal data of individual users, but only the overall effect). According to their data protection information, Facebook links this data to the Facebook account of Facebook users and can thus display content that corresponds to their interests. For specific information about how the Facebook pixel works, see the Facebook Help Center at: https://de-de.facebook.com/business/help/651294705016616 . You can make settings regarding usage-based advertising on Facebook yourself in your Facebook account: https://www.facebook.com/settings?tab=ads . Further information can be found in Facebook's privacy policy at: https://www.facebook.com/privacy/explanation .

Pinterest Tag (Pinterest Conversion Tracking) In order to optimize our Pinterest campaigns and to measure their conversion (effectiveness), we set the Pinterest Tag (Pinterest Conversion Tracking Pixel) of Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) on the legal basis of Art. 6 (1) lit. a GDPR (consent). This allows us to display advertisements of interest to our website visitors, who are also Pinterest members, on Pinterest. It also allows us to track the actions of Pinterest members after they have seen or clicked on one of our Pinterest ads. The following personal data is processed: information about the type of hardware and operating system used, its IP address, the time of access to our website, the type and content of the advertisements we place and the reaction to our advertisements. These data are anonymous to us and do not allow us to draw any conclusions about the identity of the respective user. Pinterest may, according to its own information, connect this data to your Pinterest account and also use it for its own advertising purposes. For more information about Pinterest's privacy, visit: https://policy.pinterest.com/de/privacy-policy . Information on the individual setting of the data collected by Pinterest can be found at: https://help.pinterest.com/de/article/personalization-and- data .

Adobe Audience Manager In order to display interest-based and usage-based advertising to our website visitors on other platforms, we use the Adobe Audience Manager of Adobe Systems Software Ireland Ldt. (4-6 Riverwalk, City West Business Campus, Dublin 24, Ireland). For this purpose, a tracking pixel is called up by the Adobe servers when you visit our website. This allows us to show you on other websites as well as on other devices that you use (e.g. PC, tablet or smartphone) advertisements that are relevant to you. The following personal data is processed: Information on the type of device and operating system used, IP-address, the time of access to our website and the content of the pages of our website accessed. The legal basis for this processing of your personal data is your consent in accordance with Art. 6 (1) lit. a GDPR. For more information about privacy and Adobe, please visit: http://www.adobe.com/de/privacy.html . Further information on data processing and the possibility of objecting to this data processing can be found at: https://www.adobe.com/de/privacy/opt-out.html

17. Social media plug-ins

We use so-called "embedded" social media plug-ins (interfaces to social networks) on our website. When you call up individual pages of our website on which these plug-ins are embedded, connections to the servers of the respective plug-in providers can be established via software and data about your use of our website can be transmitted to their servers. In this way, we give you the opportunity to share our website content with others via social networks and, if necessary, we can provide you with the opportunity to share content with others via social networks. also display content of interest to you on these social networks. The legal basis for this data processing is your consent in accordance with Art. 6 (1) lit. a GDPR. We embedded these plug-ins via the Shariff solution embedded. As a result, direct contact between you and the social media platform is only established when you actively click on the button (HTML link). Information on the purpose and scope of the further processing and use of the data by the providers of the embedded social networks as well as further information according to Art. 13 and 14 GDPR can be found under the information links listed below. The following social networks are embedded in our website:

Facebook-Plug-Ins (Like & Share-Button) Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. An overview of the Facebook plugins can be found here: https://developers.facebook.com/docs/plugins/ . Further information can be found in Facebook's privacy policy at: https://www.facebook.com/privacy/explanation .

Twitter Plug-In Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Further information can be found in Twitter's privacy policy at: https://twitter.com/privacy . You can change your privacy settings on Twitter in the account settings under https://twitter.com/account/settings .

Instagram Plug-In Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. Further information can be found in Instagram's privacy policy: https://instagram.com/about/legal/privacy/ .

Pinterest Plug-In Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103-490, USA. For more information, see Pinterest's privacy policy: https://about.pinterest.com/de/privacy-policy .

LinkedIn Plug-In LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Further information can be found in LinkedIn's privacy policy at: https://www.linkedin.com/legal/privacy-policy.

Social Media Aggregator walls.io This website uses the social media aggregator walls.io. Walls.io is a service of Walls.io GmbH (Schönbrunnerstraße 213/215, A-1120 Vienna). For more information on data processing by Walls.io, please refer to Walls.io's privacy policy at: https://walls.io/privacy

18. Integration of other third-party services and content

We integrate content or functions of third parties within our website. This always presupposes that the providers of this content or functions perceive the IP address of the users. Without the IP address, they would not be able to send the content to the browser of the respective user. The IP address is therefore required for the presentation of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. However, we have no influence on whether the third-party providers store the IP address, e.g. for statistical purposes. The legal basis for the use of these services, insofar as they are necessary for the functioning of our website, is our legitimate interest in accordance with Art. 6 (1) lit. f GDPR, otherwise your consent according to Art. 6 (1) lit a GDPR. Information on the purpose and scope of the further processing and use of the data by the providers of the embedded services/content as well as further information within the meaning of the Art. 13 and 14 GDPR can be found under the information links listed below. The following services/content are embedded in our website:

Google Maps Our website uses the Google Maps service of the provider Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). This function makes it possible to display corresponding map material within our website. Your IP address as well as information about the browser version and language settings are transmitted to the servers of Google Ireland Ltd. According to Google's own information, the data is stored by Google for 1 year. There is a legitimate interest on our part within the meaning of the Art. 6 (1) lit. f GDPR for the use of Google Maps. Our legitimate interest lies in an appealing presentation of our online offer or the geographical presentation of the offers of our region. However, we only use Google Maps if you have given your consent. The legal basis for the processing of your data is therefore your consent in accordance with Art. 6 (1) lit. a GDPR. For more information about Google's privacy policy, please visit: https://policies.google.com/privacy .

Outdoor Active We use for the cartographic representation of tours (e.g. hiking tours, ski tours, bicycle and bike tours, etc.) the service "Outdoor Active" of Outdooractive GmbH & Co. KG (Missener Straße 18, D-87509 Immenstadt). For this purpose, the map material is loaded from the Server of Outdoor Active. The following data is transmitted to Outdoor Active: the visited page of our website, the IP address of your device, content of the request, location data, operating system as well as language and version of the browser software. Outdoor Active uses cookies for the evaluation of your request, which are stored on your browser. The legal basis for the processing of your data is Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest consists in an appealing presentation of our online offer or the geographical presentation of the offers of our region. In the case of location data from mobile devices, the legal basis is your consent under Art. 6 (1) lit. a GDPR by releasing the transfer of location data on your mobile device. Further information on Outdoor Active's data protection can be found at: https://corporate.outdooractive.com/en/privacy-policy/?noredirect=en_US.

Intermaps We use the service "Intermaps" of INTERMAPS Software GmbH (Schönbrunner Straße 80/6, A-1050 Vienna) for the cartographic representation of our region. For this purpose, the map material is loaded from the Intermaps server. The following data is transmitted to Intermaps: the visited page of our website, the IP address of your device, content of the request, location data, operating system as well as language and version of the browser software. Intermaps uses cookies for the evaluation of your request, which are stored on your browser. The legal basis for the processing of your data is Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest consists in an appealing presentation of our online offer or the geographical presentation of the offers of our region. In the case of location data from mobile devices, the legal basis is your consent under Art. 6 (1) lit. a GDPR by releasing the transfer of location data on your mobile device. Further information on Intermaps' privacy policy can be found at: https://www.intermaps.com/en/Privacy.html .

Vimeo We integrate videos of the platform "Vimeo" of the provider Vimeo Inc. (555 West 18th Street, New York 10011, USA). The implementation takes place on the basis of Art. 6 (1) lit. f GDPR, whereby our legitimate interest lies in the smooth integration of the videos and the thus appealing design of our website. However, we only use Vimeo if you have given your consent. The legal basis for the processing of your data is therefore your consent in accordance with Art. 6 (1) lit. a GDPR. When you visit a page in which we have embedded a Vimeo video, a connection to the Vimeo servers is established and the content is displayed on the website by notifying your browser. According to Vimeo, your data (in particular which of our websites you have visited) as well as device-specific information including the IP address will only be transmitted to the Vimeo server when you watch the video. By clicking on the video, you consent to this transmission. For more information on Vimeo's privacy policy, please visit: https://vimeo.com/privacy .

Wordlift Our website uses the WordLift plugin to analyse the content and to display metadata in the source code of our website for search engines on the basis of our legitimate interest in accordance with Art. 6 (1) lit. f GDPR. Our legitimate interest lies in a better ranking of our website on various search engines. The WordLift plugin is a service of the provider WordLift s.r.l (Via Giulia117, 00186 Rome, Italy). The application does not collect any personal data, the IP address of your browser is not stored by WordLift. For more information on WordLift's privacy policy, please visit : https://wordlift.io/gdpr/ . For information about WordLift data security, see: https://docs.wordlift.io/en/latest/faq.html#is- wordlift-secure .

YouTube We integrate videos from the platform "YouTube" of the provider Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) in extended data protection mode. The implementation takes place on the legal basis of Art. 6 (1) lit. f GDPR, whereby our interest lies in the smooth integration of the videos and the thus appealing design of our website. However, we only use YouTube if you have given your consent. The legal basis for the processing of your data is therefore your consent in accordance with Art. 6 (1) lit. a GDPR. When you visit a page in which we have embedded a YouTube video, a connection to the Google servers is established and the content is displayed on the website by notifying your browser. According to Google's information, in the extended data protection mode, your data (in particular which of our websites you have visited) as well as device-specific information including the IP address will only be transmitted to the YouTube server when you watch the video. In some cases, information is transmitted to the parent company Google Inc., based in the USA, to other Google companies and to external partners of Google, each of which may be located outside the European Union. By clicking on the video, you consent to this transmission. If you are logged in to Google at the same time, this information will be assigned to your Google member account. You can prevent this by logging out of your member account before visiting our website or by making individual settings in your Google account under the following link: https://adssettings.google.com/authenticated . Further information on YouTube's privacy policy can be found at:

Sound Cloud We have integrated music from the platform "SoundCloud" of the provider SoundCloud Ltd. (Berners House, 47-48 Berners Street, London W1T 3NF, United Kingdom) on our website. Clicking on a piece of the playlist establishes a direct connection between your browser and the SoundCloud server. SoundCloud receives the information that you have visited our website with your IP address. If you click on the "Like" or "Share" button while logged in to your SoundCloud user account, you can share the contents of our site via social media, which allows SoundCloud to associate your visit to our website with your user account. If you want to prevent this, log out of your SoundCloud account before activating content from our SoundCloud playlist. The further processing of your personal data is within the responsibility of SoundCloud Ltd. For more information about SoundCloud's privacy, please visit: https://soundcloud.com/pages/privacy .

Spotify We have integrated music from the platform "Spotify" of the provider Spotify AB (Regeringsgatan 19, SE-111 53 Stockholm, Sweden) on our website. Clicking on a piece of the playlist establishes a direct connection between your browser and the Spotify server. Spotify receives the information that you have visited our website with your IP address. If you click on the "Like" or "Share" button while logged in to your Spotify cookie, you can share the contents of our site via social media, which allows Spotify to associate your visit to our website with your user account. If you want to prevent this, log out of your Spotify user account before activating content from our SoundCloud playlist. The further processing of your personal data is the responsibility of Spotify AB. Further information on Spotify's data privacy policy can be found at: https://www.spotify.com/de/legal/privacy-policy/ .

19. Sweeptakes

Your personal data provided for participation in our competitions (e-mail address, name, address) will be used by us exclusively to identify a winner, inform him of the prize and send him prizes. Your data will not be passed on to third parties. The legal basis for the processing of your personal data is the fulfilment of the contract in accordance with Article 6 (1) lit. b GDPR. There is no legal or contractual obligation to provide the personal data. Failure to provide the data will only result in you not being able to participate in the competition. Your data will be stored for the duration of the competition and – for the processing of any prizes and claims for damages – for a maximum of 3 years thereafter and then deleted. By participating, you also agree that your name will be published on our website as well as on our public social media channels in the event of winning.

20. Activities and events

Photos and videos which are generated in the course of events or activities can be published on our website or in our social media channels (Facebook, Instagram, Google Plus, Youtube, Twitter and Flickr). If you do not agree to such photos being published, you can at any time revoke permission for them to be shown by contacting us at info@leoganger-bergbahnen.at .

21. Your rights

You have fundamental rights as regards the information, correction, deletion, limitation, transferability and revocation of your data. If you believe the processing of your data violates data protection laws or your own claims to data protection rights in some way, you can lodge a complaint at the authoritative governmental body. In Austria, this is the Data Protection Agency (Datenschutzbehörde) Hohenstaufengasse 3 1010 Wien dsb@dsb.gv.at www.dsb.gv.at To assert your claims to data protection rights, we require clear identification of the person involved. You can reach on the following address: Leoganger Bergbahnen GmbH Hütten 39 5771 Leogang Telefon: +43-6583-8219 Fax: +43-6583-8219-233 E-Mail: info@leoganger-bergbahnen.at Kto. 11.247, BLZ 35031 Raiffeisenbank Leogang IBAN: AT92 3505 3000 3401 1247 BIC: RVSAAT2S053 UID: ATU 33491307

EXTERNAL_SPLITTING_BEGIN EXTERNAL_SPLITTING_END