Data Protection & nDSG
CampOne processes personal data of your guests on your behalf. This page describes how we implement Switzerland’s revised Data Protection Act (nDSG, in force since 1 September 2023).
Note: This page is a technical and organisational summary, not legal advice. For a binding assessment of your specific situation, consult a Swiss data-protection counsel.
Roles under nDSG
| Role | Who |
|---|---|
| Controller | You as the campsite operator |
| Processor | CampOne |
| Sub-processors | Supabase (database), Vercel (frontend hosting), Railway (backend hosting), Stripe (payments), per-operator SMTP provider, optional Groq (AI assistant) |
The full, current sub-processor list is at Sub-Processors (machine-readable version at /legal/sub-processors.json). You will be notified in writing of any change.
Which data
| Data type | Source | Purpose |
|---|---|---|
| Booking data (name, email, phone, address) | Guest booking | Contract performance |
| Guest registration / Meldeschein (passport / ID number, birth date, nationality) | Check-in | Statutory reporting (cantonal police and tourism law) |
| Payment data | Stripe / TWINT / QR-Bill | Payment processing — card data is not stored at CampOne, only a Stripe payment-intent reference |
| Staff accounts | Tenant-admin setup | Contract performance with you as operator |
Retention windows
| Data type | Window | What happens after |
|---|---|---|
| Booking master data | 730 days after check-out | Anonymisation of personal-data fields |
| Guest registration records | 730 days (statutory minimum in most cantons) | Anonymisation |
| Financial / accounting records | 10 years (Swiss Code of Obligations Art. 958f) | Anonymised retention of the receipt data |
| Login logs (UserLoginLog) | 90 days (in preparation) | Deletion |
| Message logs (MessageLog) | 365 days (in preparation) | Deletion |
| Booking audit logs | per booking window, PII redacted on anonymisation | Audit event preserved without readable personal data |
The anonymisation runs as a scheduled background job. Each run is recorded in SupportAuditEvent with timestamp and number of processed records.
Data-subject rights (nDSG Art. 25–32)
| Right | How to exercise |
|---|---|
| Access (Art. 25) | Request to privacy@campone.ch or via the tenant admin. Response within 30 days with a structured data export (JSON or CSV). |
| Rectification (Art. 32) | Directly in the admin dashboard under Bookings → Edit guest. |
| Erasure (Art. 32) | Self-service via the guest portal profile page (backend endpoint DELETE /api/v1/profile/delete/, password-confirmed) or by request to privacy@campone.ch. Mandatory financial records remain in anonymised form. A “Delete account” button is being rolled out across tenant guest portals. |
| Data portability (Art. 28) | Structured export in the same format as the access right. |
| Objection (Art. 30) | Marketing emails (e.g. seasonal offers) can be turned on and off per guest. |
CampOne as processor provides the controller (you) with the technical means to satisfy these rights. Responding to the data subject remains legally your responsibility — we provide the data and tools.
Data residency
| Component | Location |
|---|---|
| Database | Supabase Postgres, AWS Frankfurt region (eu-west-1, Ireland) — EU/EEA |
| File storage | Supabase S3, EU region |
| Backend application | Railway, EU region |
| Frontend CDN | Vercel, global, primary cache EU |
| Optional AI assistant | Groq, USA — only on explicit per-tenant activation |
| Email delivery | per operator via own SMTP provider |
For transfers to third countries without a Swiss adequacy decision (in particular the USA), we use the EU Standard Contractual Clauses combined with additional measures (encryption in transit). Signed data-processing agreements with sub-processors are being finalised through Q2 2026 and will be linked from the page above.
Data breaches (Art. 24)
In the event of a personal-data breach, we notify you as controller as quickly as possible, generally within 24 hours of becoming aware. You then assume the obligation to notify the FDPIC within the statutory 72-hour window, where required.
CampOne maintains an internal incident-response procedure with the following steps:
- Containment and impact assessment.
- Notification of affected controllers with the available information.
- Forensic analysis using the audit logs.
- Post-mortem report within 14 days.
Records of processing (Art. 12)
An internal record of processing activities is maintained and made available on request. It contains, for each processing activity: purpose, legal basis, data categories, recipients, retention window, technical and organisational measures.
Data-protection impact assessment (Art. 22)
A DPIA is performed for the processing of guest-registration data (passport / ID numbers). A summary is provided to interested controllers on request.
Contact
- General privacy enquiries: privacy@campone.ch
- Data breaches / security disclosures: security@campone.ch
- Legal / DPO: legal@campone.ch
Response time: 5 working days for general enquiries, 24 hours for urgent security issues.