top of page

Privacy policy


Mistery Escape Room (hereinafter also “we“, “us“) obtains and processes personal data relating to you or also other persons (so-called “third parties“). We use the term “data” here synonymously with “personal data”. Personal data means data relating to specific or identifiable persons (i.e., conclusions about their identity are possible on the basis of the data itself or with corresponding additional data). “Processing” means any handling of personal data, e.g., obtaining, storing, using, adapting, disclosing and deleting.

In this Privacy Policy, we describe what we do with your information when you use our website  (hereinafter “Website“), obtain our services or products, otherwise interact with us under a contract, communicate with us or otherwise deal with us. Where appropriate, we will inform you of additional processing activities not mentioned in this privacy policy.

If you transmit or disclose data about other persons such as family members, work colleagues, etc., we assume that you are authorised to do so and that this data is correct. By submitting data about third parties, you confirm this. Please also ensure that these third parties are informed about this privacy policy.

This privacy policy is designed to meet the requirements of the EU General Data Protection Regulation (“GDPR“), the Swiss Data Protection Act (“DSG“) and the revised Swiss Data Protection Act (“revDSG“), which comes into force on 1 September 2023. However, whether and to what extent these laws are applicable depends on the individual case.


Responsible for the data processing described in this privacy policy is:

Mistery Escape Room Lugano, Taverne , Locarno

If you have any questions about this privacy policy or other data protection concerns and/or wish to exercise your rights under section 9, you can contact us at the addresses above.


We process different categories of data about you. The main categories are as follows:

  • Technical data:When you use our website or other electronic offerings, we collect the IP address of your end device and other technical data (e.g., MAC address of the smartphone or computer, operating system used, host name of the accessing device, time of server request) to ensure the functionality and security of these offerings. This data also includes logs in which the use of our systems is recorded. We generally retain technical data for [6] months. In order to ensure the functionality of these offers, we may also assign an individual code to you or your end device (e.g., in the form of a cookie, see section 5). The technical data in itself does not allow any conclusions to be drawn about your identity. However, in the context of the processing of contracts, they can be linked with other data categories (and thus possibly with your person).

  • Communication data: If you are in contact with us via the contact form, email, telephone, letter or other means of communication, we collect the data exchanged between you and us, including your contact details and the marginal data of the communication. If we record or listen in on telephone conversations or video conferences, e.g., for training and quality assurance purposes, we will specifically draw your attention to this. Such recordings may only be made and used in accordance with our internal guidelines. You will be informed if and when such recordings take place, e.g., by a display during the video conference in question. If you do not wish to be recorded, please inform us or end your participation. If you simply do not want your image to be recorded, please turn off your camera. If we want or need to establish your identity, e.g., in the case of a request for information made by you, we collect data to identify you (e.g., a copy of an ID card). We usually keep this data for [12] months from the last exchange with you. This period may be longer where this is necessary for reasons of proof or to comply with legal or contractual requirements, or for technical reasons. Emails in personal mailboxes and written correspondence are generally kept for at least [10] years. Recordings of (video) conferences and chats are usually kept for [24] months.

  • Master data: We use the term master data to refer to the basic data that we need, in addition to the contractual data (see below), to process our contractual and other business relationships or for marketing and advertising purposes, such as name, contact details and information e.g., about your role and function, your bank account(s), your date of birth and customer history. We process your master data if you are a customer or other business contact or are working for one (e.g. as a contact person of the business partner), or because we want to address you for our own purposes or the purposes of a contractual partner (e.g. as part of marketing and advertising, with invitations to events, vouchers, newsletters etc.). We receive master data from yourself (e.g., in the context of a request for a quote or the processing of a contractual or other business relationship) or from third parties, such as our contractual partners, and from publicly accessible sources, such as public registers or the Internet (websites, social media, etc.). We may also process information about third parties as part of master data. We generally keep this data for [10] years from the last exchange with you, but at least from the end of the contract. This period may be longer if this is necessary for reasons of proof or to comply with legal or contractual requirements or for technical reasons. For pure marketing and advertising contacts, the period is usually much shorter, usually no more than [2] years since the last contact.

  • Contract data:This is data that arises in connection with the conclusion or processing of a contract, e.g., information about contracts and the services to be provided or provided, as well as data from the run-up to the conclusion of a contract and the information required or used for processing and information about reactions (e.g., complaints or information about satisfaction, etc.). We generally collect this data from you, from contractual partners and from third parties involved in the processing of the contract, but also from third party sources (e.g., providers of creditworthiness data) and from publicly accessible sources. We generally keep this data for [10] years from the last contractual activity, but at least from the end of the contract. This period may be longer insofar as this is necessary for reasons of evidence or to comply with legal or contractual requirements or for technical reasons.

  • Behavioural and preference data: Depending on our relationship with you, we try to get to know you and better tailor our products, services and offers to you. To do this, we collect and use data about your behaviour (e.g., whether and when you opened an email or location data when you use our website) and preferences. We do this by evaluating information about your behaviour in our area, and we may also supplement this information with information from third parties, including publicly available sources. Based on this, we can calculate, for example, the probability that you will use certain services or behave in a certain way. Some of the data processed for this purpose is already known to us (e.g., when you use our services), or we obtain this data by recording your behaviour (e.g., how you navigate on our website). We anonymise or delete this data when it is no longer meaningful for the purposes pursued, which may be between [2-3] weeks and [24] months (for product and service preferences) depending on the nature of the data. This period may be longer where necessary for evidential purposes or to comply with legal or contractual requirements, or for technical reasons. We describe how tracking works on our website in section 5.


First and foremost, we process your data in connection with the provision of our services, communication with you and the conclusion, administration and processing of contractual relationships with our customers and other business partners as well as the operation of our website. We then process your data for marketing purposes and to maintain relationships, e.g., to send our customers and other contractual partners personalised advertising about our products and services. This may take the form of newsletters and other regular contacts (electronically, by post, by telephone), via other channels for which we have contact information from you, but also as part of individual marketing campaigns (e.g., events, competitions etc.) and may also include free benefits (e.g., invitations, vouchers etc.). You can refuse such contacts at any time (see at the end of this section 4) or refuse or revoke your consent to be contacted for advertising purposes.

We may also process your data for other purposes insofar as this is permitted by law and we have a legitimate interest in the corresponding data processing (e.g., market and opinion research, offering and further developing our services, guaranteeing our operation [in particular of the IT and our website] and asserting legal claims).

With your data (see section 3) we may automatically assess certain of your personal attributes for the purposes set out in this section 4 (“profiling”), if we want to determine preference data, but also to determine abuse and security risks, to carry out statistical evaluations or for operational planning purposes. For the same purposes, we can also create profiles, i.e., we can combine behavioural and preference data, but also master and contract data and technical data assigned to you, in order to better understand you as a person with your different interests and other characteristics.

In both cases, we pay attention to the proportionality and reliability of the results and take measures against misuse of these profiles or profiling. If these can have legal effects or significant disadvantages for you, we generally provide for a manual review.

Insofar as you have given us consent to process your data for certain purposes (e.g., registration to receive newsletters or consent to other regular contacts; consent to automated data processing, where applicable), we process your data within the scope of and based on this consent, insofar as we have no other legal basis and we require such a basis. Consent given can be revoked at any time, but this has no effect on data processing that has already taken place (see also point 9).


On our website, we use cookies and similar techniques to identify your browser or device. Cookies are individual codes (e.g., a serial number) which our server or a server of our service providers or advertising contractors transmits to your system when you connect to our website and which your system (browser, mobile) accepts and stores until the programmed expiry time. With each subsequent access, your system transmits these codes to our server or the server of the third party. In this way, you are recognised even if your identity is unknown.

We use cookies so that we can distinguish access by you (via your system) from access by other users, so that we can ensure the functionality of the website and make the user experience more efficient.

You can deactivate cookies completely or partially at any time in the settings of your browser. If cookies are deactivated, you may no longer be able to use all the functions of our website.

In accordance with the law, we may store cookies on your device if they are absolutely necessary for the operation of our website. We need your permission to store all other types of cookies if you access our website from outside Switzerland. You can program your browser to block or deceive certain cookies or alternative techniques, or to delete existing cookies. You can also enhance your browser with software that blocks tracking by certain third parties. You can find more information about this on the help pages of your browser (usually under the keyword “data protection”) or on the websites of the third parties that we list below. Visitors who access our website from outside Switzerland can change or revoke their consent to cookies at any time on our website or in their browser settings.

A distinction is made between the following cookies (techniques with comparable functions such as fingerprinting are included here):

  • Necessary cookies: Some cookies are necessary for the website to function as such or for certain functions. For example, they ensure that you can switch between pages without losing information entered in a form. They also ensure that you remain logged in. These cookies are only temporary (“session cookies”). If you block them, the website may not work. Other cookies are necessary so that the server can save decisions or entries made by you beyond one session (i.e., one visit to the website) if you use this function (e.g., language selected, consent given, the function for automatic login etc.). These cookies have an expiry date of up to [24]

  • Statistics cookies:Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.

We sometimes use Google Analytics or similar services on our websites. This is a service provided by third parties that may be located in any country in the world (in the case of Google Analytics, it is Google Ireland [based in Ireland], Google Ireland relies on Google LLC [based in the USA] as an order processor [both “Google”],, with which we can measure and evaluate the use of the website (not on a personal basis). Permanent cookies set by the service provider are also used for this purpose. We have configured the service so that the IP addresses of visitors are shortened by Google in Europe before being forwarded to the USA and thus cannot be traced. We have switched off the “Data sharing” and “Signals” settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google can draw conclusions about the identity of visitors from this data for its own purposes, create personal profiles and link this data to the Google accounts of these individuals. If you have registered with the service provider yourself, the service provider also knows you. The processing of your personal data by the service provider then takes place under the responsibility of the service provider in accordance with its data protection regulations. The service provider only informs us how our respective website is used (no information about you personally).

We then use cookies and other tracking technologies in our marketing communications (e.g., marketing emails) that allow us to assess whether marketing emails have been opened, replied to or forwarded and links followed, etc. We also use Facebook, Instagram and Tripadvisor plugins on our website. When you interact with these platforms, the relevant information is forwarded and your visit is recognised by Facebook, Instagram or Tripadvisor.

  • Marketing cookies: We have an interest in targeting advertising, i.e., displaying it as far as possible only to the people we want to address. For this purpose, we may – if you consent – also use cookies that can be used to record the content accessed or contracts concluded. This enables us to display advertising that we can assume will interest you, on our website, but also on other websites that display advertising from us. These cookies have an expiry period of between a few days and [12] months depending on the situation. If you consent to the use of these cookies, you will be shown appropriate advertising. If you do not consent to these cookies, you will not see less advertising, but simply any other advertising.


In the course of our business activities and the processing of data in accordance with this privacy policy, we may – to the extent permitted by law and necessary – disclose data to trusted third parties (hereinafter “<strong>Third Party Recipients</strong>”) who process your data for us. In particular, these may be service partners of ours (e.g., IT service providers, third parties involved in the implementation or organisation of events, providers of support services).

The third-party recipients may be located in Switzerland or abroad. If the country in question does not offer adequate legal data protection, we ensure an adequate level of protection as provided for by law by using appropriate contracts (namely on the basis of the so-called standard contractual clauses of the European Commission) or so-called Binding Corporate Rules or rely on an exception provision. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have consented or if it is a matter of data that you have made generally accessible and you have not objected to its processing.


We process your data for as long as our processing purposes, the statutory retention periods and our legitimate interests in processing for documentation and evidence purposes require or storage is technically necessary. Further information on the respective storage and processing periods can be found for the individual data categories in section 3 and for the cookie categories in section 5. If there are no legal or contractual obligations to the contrary, we delete or anonymise your data after the storage or processing period has expired as part of our normal processes.


We take appropriate technical and organisational security measures to maintain the confidentiality, integrity and availability of your data, to protect it against unauthorised or unlawful processing and to protect against the risks of loss, accidental alteration, unauthorised disclosure or access.


Within the framework of the data protection law applicable to you and insofar as provided therein, you have the right to information, correction, deletion, the right to restrict data processing and otherwise to object to our data processing as well as to the surrender of certain data for the purpose of transfer to another body (so-called data portability). You also have the right to revoke your consent, insofar as our processing is based on your consent (see in particular section 4). However, when exercising your rights, please note that we reserve the right to assert the restrictions provided for by law, for example if we are obliged to retain or process certain data, have an overriding interest in doing so (insofar as we are entitled to rely on this) or require it for the assertion of claims. If you incur any costs, we will inform you in advance. Please note that the exercise of these rights may conflict with contractual agreements and may have consequences such as early termination of the contract or costs. We will inform you in advance if this is not already contractually regulated.

The exercise of such rights usually requires that you clearly prove your identity (e.g., by a copy of your ID card where your identity is otherwise not clear or cannot be verified). To exercise your rights, you can contact us at the address set forth in section 2.

In addition, every data subject has the right to enforce his or her claims in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (


This privacy policy does not form part of any contract with you. We may amend this privacy policy at any time. The version published on this website is the current version.

Last updated: 31.10.2023

bottom of page