Privacy Policy of Alpine Pathways Austria

Effective date: 20 May 2026

1. Introduction and company information

This Privacy Policy explains how Alpine Pathways Austria (“we”, “us”, “our”) collects, uses, stores, and protects personal data in connection with our hiking-related services, including tour bookings, customer communication, website use, and related administrative activities.

Data controller: Alpine Pathways Austria
Address: Schönbrunner Straße 221, 1120 Wien, Austria
Email: [email protected]
Phone: +43 1 587 24 68

We process personal data in accordance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), the Austrian Telecommunications Act (TKG), and other applicable Austrian and EU data protection laws.

2. Data collection and processing

We may collect and process the following categories of personal data, depending on your interaction with us:

• Identification and contact data: name, address, email address, telephone number, country of residence.
• Booking and service data: requested hiking tours, booking dates, participant details, preferences, special requests, emergency contact details if provided.
• Payment and billing data: invoice details, payment status, transaction references, bank or card-related information processed through payment providers.
• Communication data: messages sent to us by email, contact forms, phone, or other channels.
• Technical and usage data: IP address, browser type, device information, operating system, access times, and website usage data collected through logs and cookies where applicable.
• Special categories of data: health-related information or dietary/fitness information only if you voluntarily provide it and only where necessary for the safe organization of hiking activities.

We generally collect personal data directly from you. In some cases, we may receive data from third parties such as booking platforms, payment service providers, travel agents, or group organizers acting on your behalf.

3. Purpose of data processing

We process personal data for the following purposes:

• to manage inquiries and communicate with prospective customers;
• to process bookings, reservations, and customer accounts;
• to organize and deliver hiking services and related support;
• to verify participant suitability and ensure safety during outdoor activities;
• to process payments, issue invoices, and manage accounting;
• to comply with legal obligations, including tax and commercial record-keeping requirements;
• to handle complaints, claims, and customer support requests;
• to maintain and improve our website, services, and internal operations;
• to send service-related information and, where permitted, marketing communications;
• to protect our rights, property, and the safety of our guests, staff, and partners.

4. Legal basis for processing

We process personal data only where a lawful basis under the GDPR applies. Depending on the context, the legal bases may include:

• Article 6(1)(b) GDPR – performance of a contract: for booking and providing hiking services, customer support, and related pre-contractual measures.
• Article 6(1)(c) GDPR – legal obligation: for tax, accounting, commercial, and other statutory obligations under Austrian law.
• Article 6(1)(f) GDPR – legitimate interests: for secure operation of our website, fraud prevention, internal administration, service improvement, and limited direct communication with existing customers where permitted.
• Article 6(1)(a) GDPR – consent: for optional communications, cookies or similar technologies requiring consent, and for processing special categories of data where consent is appropriate.
• Article 9(2)(a) GDPR – explicit consent: where we process health-related information or other special categories of data that you voluntarily provide for safety and organizational purposes.

Where processing is based on legitimate interests, we have balanced our interests against your rights and freedoms. You may object to such processing in accordance with Section 8 below.

5. Data sharing and third parties

We may share personal data with third parties only where necessary and lawful. These recipients may include:

• Service providers and processors: IT hosting providers, email providers, website maintenance providers, booking system providers, customer support tools, and analytics providers acting on our instructions.
• Payment service providers: for processing payments and refunds.
• Accounting, tax, and legal advisors: where necessary for compliance and professional support.
• Public authorities and courts: where required by law or to assert, exercise, or defend legal claims.
• Local partners and guides: where necessary to deliver hiking services safely and effectively.

We require our processors to handle personal data in accordance with applicable data protection law and to implement appropriate technical and organizational measures.

6. Data transfer to third countries

As a rule, we aim to process personal data within the European Economic Area (EEA). If personal data is transferred to a country outside the EEA, we will ensure that an adequate level of protection is in place, for example through:

• an adequacy decision by the European Commission;
• standard contractual clauses approved by the European Commission;
• additional technical and organizational safeguards where necessary;
• your explicit consent, where legally permitted and appropriate.

Where required, we will inform you about relevant safeguards for such transfers.

7. Storage duration

We store personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The retention period depends on the type of data and the legal obligations applicable to us.

• Booking and contract data: retained for the duration of the contractual relationship and thereafter as required for legal claims and record-keeping.
• Accounting and tax records: retained in accordance with Austrian statutory retention periods, typically up to 7 years or longer where legally required.
• Communication records: retained as long as necessary to handle your request and for documentation purposes.
• Consent-based data: retained until you withdraw consent or the purpose no longer applies.
• Website logs and technical data: retained for a limited period necessary for security, troubleshooting, and analytics.

After the applicable retention period expires, personal data will be deleted or anonymized in accordance with legal requirements.

8. User rights

Under the GDPR, you have the following rights regarding your personal data, subject to legal limitations:

• Right of access: to obtain confirmation whether we process your personal data and to receive a copy of that data.
• Right to rectification: to request correction of inaccurate or incomplete personal data.
• Right to erasure: to request deletion of your personal data where the legal conditions are met.
• Right to restriction: to request limitation of processing in certain circumstances.
• Right to data portability: to receive certain data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted to another controller.
• Right to object: to object to processing based on legitimate interests or to direct marketing at any time.

To exercise your rights, please contact us using the details in Section 12. We may need to verify your identity before responding. We will respond within the time limits set by applicable law.

9. Withdrawal of consent

Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

You can withdraw consent by contacting us at [email protected]. If you withdraw consent, certain services or features may no longer be available if the relevant processing is necessary for their provision.

10. Right to complain

If you believe that the processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.

In Austria, the competent authority is:

Österreichische Datenschutzbehörde
Barichgasse 40–42
1030 Vienna, Austria
Website: https://www.dsb.gv.at

You may also contact us first so that we can address your concerns directly.

11. Data security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures may include:

• access controls and role-based permissions;
• encryption where appropriate;
• secure hosting and backup procedures;
• regular updates and security monitoring;
• confidentiality obligations for staff and contractors;
• procedures for handling data breaches.

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure.

12. Contact information

If you have questions about this Privacy Policy or the processing of your personal data, please contact:

Alpine Pathways Austria
Schönbrunner Straße 221, 1120 Wien, Austria
Email: [email protected]
Phone: +43 1 587 24 68

13. Changes to privacy policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, our services, or our data processing practices. The current version published on our website applies at the time of your visit or use of our services.

Where appropriate, we will inform you of material changes by suitable means. We encourage you to review this Privacy Policy regularly.