Privacy Policy

Name and address of the controller

The controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Hotel Fulda Mitte

Venus Hotel- und Gaststättenbetriebsgesellschaft mbH & Co. KG

Represented by: Dr. John Armbrecht

Lindenstraße 45 | 36037 Fulda | Germany

Phone: +49 661 8330-0 | E-Mail: info@hotel-fulda-mitte.de | Website: www.hotel-fulda-mitte.de

Contact details of the data protection officer

We have appointed an external data protection officer:

BerIsDa GmbH | Website: www.berisda.de

You can reach the data protection officer by post at Hotel Fulda Mitte, for the attention of the data protection officer, Lindenstraße 45, 36037 Fulda or by e-mail at datenschutz@berisda.de.

I. General information on data processing

1. Scope of personal data processing

The controller collects and uses personal data of its users (hereinafter also referred to as “data subject”, “data subject” or “visitor”) only to the extent necessary to provide a functional website and to present the content and services. The collection and processing of users’ personal data for other purposes is usually only carried out with the user’s consent. An exception applies in cases where prior consent cannot be obtained for factual reasons, the processing is carried out on the basis of pre-contractual or contractual measures, the processing of the data is permitted by law and/or there is a legitimate interest of the controller in the processing.

Your personal data is generally collected directly from you, e.g. when you contact us, consent to services on this site or use forms on this website. In addition, technical data that is absolutely necessary for the operation of the site is automatically collected when you enter the site.

2. Legal basis for processing personal data

To the extent that the controller obtains the consent of the data subject for the processing of personal data, Art. 6 (1) sentence 1 (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data. If special categories of data are processed in accordance with Art. 9 (1) GDPR, Art. 9 (2) (a) GDPR applies as the legal basis. For any transfer to a non-secure third country by means of consent, the processing is carried out on the basis of Art. 49 (1) sentence 1 lit. a GDPR. If you have consented to the storage of cookies or access to information in your device, data processing is also carried out on the basis of § 25 para. 1 TDDDG.

In the case of the processing of personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) sentence 1 (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures. Ifthe person is the contact person of a (potential) business partner (customer, supplier, partner), the legal basis for (pre-)contractual measures is Art. 6 para. 1 sentence 1 lit. f GDPR.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which the controller is subject, Art. 6 (1) sentence 1 (c) GDPR serves as the legal basis.

In the event that the vital interests of the data subject or another natural person necessitate the processing of personal data, Art. 6 (1) sentence 1 (d) GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of the controller or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) sentence 1 (f) GDPR serves as the legal basis for the processing.

3. Data deletion and duration of processing

If no exact storage period has been specified in this data protection information, the personal data of our site visitors will remain with us until the purpose for the data processing no longer applies. The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies, or a consent given by the data subject is revoked, or the processing is objected to. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

4. Data transfer to a third country or an international organization

The European General Data Protection Regulation (GDPR) requires that the transfer of personal data that is already being processed or is to be processed after its transfer to a third country or an international organisation is only permissible if a level of data protection comparable to the requirements of the GDPR is guaranteed. If it is ensured that the provisions of the GDPR are complied with – this may include, for example, the existence of an adequacy decision by the EU Commission within the meaning of Art. 45 (1) and (3) GDPR or the introduction of internal data protection regulations approved by a supervisory authority (so-called “appropriate safeguards”, Art. 46 (2), (3) GDPR). If there is no level of data protection comparable to the requirements of the GDPR, there may be risks associated with processing in a third country.

Risks of a transfer to a non-secure third country: Personal data could possibly be passed on by the provider to other third parties who use the data, e.g. for advertising purposes, beyond the actual purpose of fulfilling the order. In addition, an effective enforcement of any rights of data subjects against the provider is unlikely to be possible. There may be. a higher probability that incorrect data processing may occur, as the technical and organizational measures of the provider for the protection of personal data do not fully comply with the requirements of the GDPR in terms of quantity and quality. It is also possible for government agencies to access the personal data provided without the data subject being aware of it. In principle, this also corresponds to the European legal regulations, e.g. for the purpose of averting danger. However, the permissibility threshold for such data processing is higher in the European Union than in the country of the data recipient concerned. In summary, there is no level of data protection comparable to the requirements of the GDPR in non-secure third countries.

On our website, we use, among other things, tools from providers whose headquarters or the headquarters of the parent company (or their affiliated companies) are located in a third country from a data protection point of view. We also transfer data to the USA. A transfer of the data to the USA is permissible if the recipient has a certification under the “EU-US Data Privacy Framework” (DPF) or has suitable additional guarantees. The DPF is an (individual) agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every DPF-certified company is committed to complying with these data protection standards. The list of certified companies can be found at: https://www.dataprivacyframework.gov/list. There you can search for the provider name and view the certification directly. If data is transmitted to a provider that is certified according to the DPF, a separate notice can be found at the respective service provider.

In addition, tools from other providers from third countries and US providers that are not certified according to the EU-US Data Privacy Framework (DPF) are also used on our site. The transfer and processing of personal data of data subjects in connection with these tools takes place under the conditions of Art. 49 (1) sentence 1 (a) GDPR – on the basis of consent given by the data subject. If data is transmitted on the basis of consent to a provider whose processing takes place in a non-secure third country, a separate notice can be found at the respective service provider.

If data is transferred to a third country or an international organisation, we will inform you of this by means of a separate notice in this data protection information at the time of the respective processing.

5. Recipients of personal data

Within our organisation, access to your personal data is generally granted to those departments and departments that need it in the context of our activities and for the purposes described in each case and that are authorised to process this data.

As part of our service provision, we commission processors who contribute to the fulfilment of contractual obligations. We work together with service providers, such as service providers for IT maintenance services, video conferencing tools or newsletter dispatch (so-called processors). These service providers only act according to our instructions and are contractually obliged to comply with the applicable data protection requirements. To this end, we conclude corresponding order processing agreements with these service providers in writing. If certain processors are used to process personal data, we will inform you of this by means of a separate notice in this data protection information at the time of the respective processing.

We may transmit personal data to courts, supervisory authorities or law firms insofar as there is a legal obligation to do so pursuant to Art. 6 (1) sentence 1 (c) GDPR or is necessary pursuant to Art. 6 (1) sentence 1 (f) GDPR for the assertion, exercise or defence of legal claims and there is no reason to assume that our data subjects have an overriding interest worthy of protection in the non-disclosure of the data.

6. Necessity of providing personal data

The provision of your personal data is generally neither required by law nor by contract. There is no obligation to make it available. However, failure to provide them may result in you not being able to make use of functions, services, forms and other processing on our website. We recommend that you only provide personal data that, for example, are necessary to process your request, to carry out your desired offer and to use the functions we offer. If the provision of your personal data is required by law or contract, we will inform you of this by means of a separate notice in this data protection information during the respective processing.

The collection of technical data (and possibly the recording of your IP address as personal data) for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website and takes place automatically when you enter this website. If you do not wish this, then you must leave this page.

II. Rights of the data subject

If we process your personal data, you as a data subject have the following rights vis-à-vis us as the controller:

1. Right to information, Art. 15 GDPR

Within the framework of the applicable legal provisions, you have the right to (free of charge) information about your collected and stored personal data at any time. This includes, among other things, information about their processing purposes, their origin and recipients, the storage period and the existence of various rights.

2. Right to rectification, Art. 16 GDPR

You have the right to have your data corrected (also in the sense of completion) if the processed personal data concerning you is inaccurate or incomplete for the purpose of the processing. The controller must make the correction without delay.

3. Right to erasure, Art. 17 GDPR

Under the conditions of Art. 17 GDPR, you can request the deletion of your personal data at any time, unless circumstances still apply that entitle or oblige the controller to continue processing your personal data (such as statutory retention obligations).

4. Right to restriction of processing, Art. 18 GDPR

If the legal requirements are met, you can request a restriction of the processing of your personal data within the scope of Art. 18 GDPR.

5. Right to information, Art. 19 GDPR

If your personal data has been processed by recipients to whom the Controller has disclosed the data, the Controller is obliged to inform them of your requests for rectification, deletion or restriction of processing, unless this proves impossible or involves disproportionate effort. You can request that the controller inform you about these recipients.

6. Right to data portability, Art. 20 GDPR

If you have provided us with personal data, and if automated processing is carried out on the basis of your consent or on the basis of a contract, you have a right to transfer the data you have provided within the scope of Art. 20 GDPR, provided that this does not adversely affect the rights and freedoms of other persons. It is provided in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.

7. Right to object, Art. 21 GDPR

You have the right to object to the processing of your data at any time, provided that the processing is carried out on the basis of a balancing of interests. This is the case if the controller invokes the public interest or its legitimate interest for processing (see Art. 6 para. 1 sentence 1 lit e and f). The prerequisite is that you assert reasons arising from your particular situation that outweigh the interest of the controller. The controller will no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Art. 21 para. 2 GDPR contains a special, deviating regulation if the personal data concerning you  is used for direct marketing. Here you have the right to object to the processing of personal data concerning you at any time without further conditions. The personal data concerning you will no longer be processed for the purpose of direct marketing. If profiling is associated with direct advertising, you can also object to it.

You have the possibility to exercise your right to object in connection with the use of information society services by means of automated procedures using technical specifications.

8. Automated decision in individual cases, Art. 22 GDPR

In accordance with Art. 22 GDPR, you have the right that decisions that produce legal effects against you or similarly affect you are not based exclusively on automated processing – including profiling. Exceptions may exist if appropriate measures are taken to protect your person, and there are necessary contractual arrangements or legal provisions, or if you have given your express consent.

9. Right to withdraw your consent, Art. 7 para. 3 GDPR

You have the right to revoke your declaration of consent under data protection law at any time. The lawfulness of the data processing carried out up to the time of revocation remains unaffected by the revocation. You can send the revocation to the controller by e-mail or by post.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.

The supervisory authority responsible for us is the Hessian Commissioner for Data Protection and Freedom of Information. If you are in another federal state or not in Germany, you can

III. SSL/TLS encryption

This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as a data subject. An encrypted connection can be recognized by the fact that the address bar of the browser changes from “http://” to “https://” and by the lock symbol in the browser line. If SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

IV. External Hosting

1. Description and scope of data processing

This website is hosted by an external service provider (so-called hoster). The personal data collected on this website is stored on the hoster’s servers. This can include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact data, names, page views and other data generated via a website.

2. Legal basis for data processing

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR for the provision of the website.

3. Purpose of data processing

The hoster is used for the purpose of a secure, fast and efficient provision of our online offer as well as the reliable presentation and provision of our website by a professional provider. Our legitimate interest lies in these purposes.

4. Duration of storage, possibility of objection and removal

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user

5. Conclusion of a contract for order processing

In connection with the data processing described above, the data is passed on and processed by our external hoster: Web and Host, Lohrhaupter Straße 11, 63637 Jossgrund. We have concluded a contract with our hoster for order processing. This is a contract required by data protection law that ensures that our hoster only processes the personal data of our site visitors in accordance with our instructions and in compliance with the data protection regulations (GDPR, BDSG, etc.).  processed.

V. Provision of the website and creation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the system of the accessing device.

The following data is collected:

• Information about the browser type and version used
• The user’s operating system
• The user’s IP address
• Hostname of the accessing system
• Date and time of access
• Websites from which the user’s system reaches our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 sentence 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.

The data is stored in log files to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 (1) sentence 1 (f) GDPR.

4. Duration of storage, possibility of objection and removal

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

If the data is stored in log files, this is the case after [seven days] at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or alienated so that it is no longer possible to assign the calling device.

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

VI. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s system. When a user accesses our website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that allows the browser to be uniquely identified when you return to the website.

When accessing our website, users will be informed about the use of cookies by a consent management system of the provider Borlabs and referred to this privacy policy. Further information on the consent management used can be found under point VII of this data protection information.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page has changed. In summary, these cookies are technically necessary for the operation of our website.

The following data is stored and transmitted in the cookies: language settings, consent via consent management.

We also use cookies on our website that enable an analysis of the surfing behaviour of the users.

In this way, the following data can be transmitted: user behaviour on the website, search terms entered, frequency of website visits, use of website functions.

When accessing our website, the user is informed about the use of cookies for analysis purposes and their consent to the processing of personal data used in this context is obtained. In this context, reference is also made to this data protection information.

Transfer to a third country: The data collected through the aforementioned cookies for analysis purposes may be transferred to a service provider based in a third country. For more information, please refer to this privacy policy at the applicable service provider. Further information on the transfer to a third country can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

In principle, you can prevent or block the storage of cookies in your device in the settings of your browser. To do this, you have to call up the respective settings of your browser. In addition, you can delete your stored cookie data in your browser settings.

2. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 sentence 1 lit. f GDPR; the cookies are stored in your device on the basis of § 25 para. 2 no. 2 TDDDG.

The legal basis for the processing of personal data using cookies for analysis purposes is the existence of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR; for a transfer to a third country additionally on the basis of Art. 49 para. 1 lit. a GDPR. The cookie is stored in your device on the basis of § 25 para. 1 sentence 1 TDDDG. The storage of your consent for verification purposes and defense against liability claims (e.g. the storage of your revocation) is based on Art. 6 para. 1 sentence 1 lit. f GDPR. The storage of your consent and your revocation takes place in order to be able to prove (formerly) given consent, even after revocation, and thus to ward off any liability claims. Our legitimate interest lies in these purposes.

3. Purpose of data processing

The purpose of the use of technically necessary cookies is to simplify the use of the website for you. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a change of website. In addition, cookies are needed to manage your consents and refusals.

We need cookies for the following applications:

• Maintaining the session
• Adoption of language settings / font size settings
• Consent management

In these purposes, our legitimate interest also lies in the processing of personal data in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. The user data collected by technically necessary cookies is not used to create user profiles.

The analysis cookies are used for the purpose of improving the quality of our website and its content. The analysis cookies tell us how the website is used and can thus constantly optimise our offer.

You can also find more detailed information about cookies in the consent management (button at the bottom left of the website).

4. Duration of storage, possibility of objection, revocation and removal

Cookies are stored on the user’s computer and transmitted from him to our website. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

The cookies we use are stored for the following period:

borlabs-cookie-gcs (consent management) – storage period: 6 months

borlabs-cookie (consent management) – storage period: 6 months

wp-wpml-current_language (Language Settings) – Storage Duration: End of Session

_ga_# (Google IDs) – Storage period: 400 days

_fbp (Facebook Pixel) – Storage period: 90 days

_gat_gtag_UA_# (Google Tag Manager) – Storage Duration: End of Session

_ga (Google IDs) – Storage period: 400 days

_gid (Google IDs) – Storage period: 1 day

As a user, you have the right to revoke your declaration of consent under data protection law for cookies that are not technically necessary at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal. You can revoke the consent you have given at any time via the button at the bottom left of the page. Your consent will be stored for verification purposes and defence against liability claims for three years after revocation or cessation of purpose (§§ 195, 199 BGB).

VII. Consent management with Borlabs Cookie (Consent Management Platform)

1. Description and scope of data processing

Our website uses the cookie consent technology of Borlabs Cookie to obtain consent to the storage of certain cookies on the end device of data subjects or to the use of certain technologies and to document them in compliance with data protection regulations. The provider of this technology is Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg.

When data subjects enter our website, a Borlabs cookie is stored in their browser, in which the consents given or the withdrawal of these consents are stored. The following information is stored in the borlabs-cookie cookie: cookie duration, cookie version, domain and path of the website, consents and UID (randomly generated ID without personal data).

This data will not be passed on to the provider of Borlabs Cookie.

Borlabs Cookie does not process any personal data.

2. Legal basis for data processing

The use of the Borlabs cookie consent technology is to obtain the legally required consents for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.  The cookie is stored in your device on the basis of § 25 para. 2 no. 2 TDDDG.

3. Purpose of data processing

The processing of personal data serves to comply with the legal requirements of the GDPR and the TDDDG for obtaining and documenting consent.

4. Duration of storage, possibility of objection and removal

The data collected will be stored until the data subject asks us to delete it, or the Borlabs cookie itself is deleted or the purpose for which the data is stored no longer applies. Mandatory statutory retention periods remain unaffected.

Details on the data processing of Borlabs Cookie can be found under https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/

VIII. Contact by e-mail and/or phone

1. Description and scope of data processing

Our website and our signatures provide e-mail addresses and telephone numbers through which contact can be made electronically and/or by telephone. In this case, the personal data of the data subject transmitted by the e-mail will be stored. In the event of contact by telephone, personal data may also be stored in order to process your request.

In this context, the data will not be passed on to third parties. The data is used exclusively for contacting and conducting the conversation.

2. Legal basis for data processing

The legal basis for the processing of data transmitted in the course of sending an e-mail or in the context of a telephone call is Art. 6 para. 1 sentence 1 lit. f GDPR. If the contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) sentence 1 (b) GDPR; Ifthe contact person is the contact person of a (potential) business partner (customer, supplier, partner), the legal basis for (pre-)contractual measures is Art. 6 para. 1 sentence 1 lit. f GDPR.

3. Purpose of data processing

The processing of personal data serves us solely to process the contact. This also establishes the necessary legitimate interest in the processing of the data.

4. Duration of storage, possibility of objection and removal

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data sent by e-mail or transmitted by telephone, this is the case when the respective conversation with the data subject has ended. The conversation is ended when it can be inferred from the circumstances that the facts in question have been conclusively clarified. If a contract is concluded as a result of the contact, the corresponding (legal) retention obligations and regulations apply.

If a data subject contacts us by e-mail or telephone, he or she can object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued. In this case, all personal data stored in the course of contacting us will be deleted.

IX. Contact Forms

1. Description and scope of data processing

There are various contact forms on our website, which you can use to contact us electronically. If a user makes use of this option, the data entered in the input mask will be transmitted to us and stored.

General contact form

Data: subject, first name, last name, email address, telephone number, message, checkbox – “Emails in copy”, checkbox – “Callback”

Order form breakfast

Data: first name, last name, number of persons, time, room number, date, selection of dishes, additional information

In addition, the following data is stored when using the forms:

• IP address of the user
• Date and time of contact

For the processing of the data, reference is made to this data protection information as part of the sending process. The data is used exclusively for the processing of the conversation.

Optional registration for our newsletter:  It is possible to subscribe to our newsletter via some of the forms. Further information on our newsletter can be found in this data protection information under XIII.

2. Legal basis for data processing

The legal basis for the processing of the data transmitted via the contact form is Art. 6 para. 1 sentence 1 lit. f GDPR. If the contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) sentence 1 (b) GDPR; Ifthe user is the contact person of a (potential) business partner (customer, supplier, partner), the legal basis for (pre-)contractual measures is Art. 6 para. 1 sentence 1 lit. f GDPR.

The legal basis for the processing of all other personal data processed during the submission process and transmitted via the contact form is Art. 6 para. 1 sentence 1 lit. f GDPR.

The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. a If the user has consented, the storage of your consent for verification purposes and defense against liability claims (e.g. the storage of your revocation) is based on Art. 6 para. 1 sentence 1 lit. f GDPR. The storage of your consent and your revocation takes place in order to be able to prove (formerly) given consent, even after revocation, and thus to ward off any liability claims. Our legitimate interest lies in these purposes.

3. Purpose of data processing

The processing of the personal data from the input mask serves us solely to process the contact. The other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our information technology systems. Our legitimate interest also lies in these purposes.

4. Duration of storage, possibility of objection, revocation and removal

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the facts in question have been conclusively clarified.

If a user contacts us via the form, he or she can object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued. In this case, all personal data stored in the course of contacting us will be deleted.

As a user, you have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the revocation. You can revoke the consent you have given at any time by e-mail or post. Your consent will be stored for verification purposes and defence against liability claims for three years after revocation or cessation of purpose (§§ 195, 199 BGB).

X. Booking rooms

1. Description and scope of data processing

On our website, we offer users the opportunity to book rooms and other services by providing personal data. The data is entered into an input mask and transmitted to us and stored. The following data is collected as part of the booking process:

Arrival date, departure date, number of travellers (adults and children), number of rooms, room selection, billing address (first name, last name, e-mail, street, HNr., zip code, city, country), booking type, checkbox – terms and conditions, selection of extras, comments and other wishes, telephone number, mobile number, guest data (salutation, first name, last name), in the case of business billing address (company name, company VAT ID, contact person first name, contact person last name), checkbox – regular information about offers by e-mail, checkbox – registration and storage of data for future bookings, guaranteed booking (credit card number, validity (MM, YY), CVC code, card holder)

At the time of sending the booking, the following data will also be stored:

• IP address of the user
• Date and Time

We use the service provider Mews Systems B.V., a Dutch company, Wibautstraat 137D, Scalehub 2nd floor, 1097DN Amsterdam, the Netherlands (hereinafter referred to as “MEWS”) to provide the booking form and the underlying management system. MEWS acts as a processor for us. Through the integration of MEWS into our website, services and servers of MEWS and its partners are accessed directly by the browser of our website visitors. A connection is established between the users’ end devices and the servers of the following service providers and the user’s IP address is transmitted:

MEWS, LaunchDarkly (Catamorphic Co., USA), Visualstudio (Microsoft Ireland Operations Limited / Microsoft Corporation USA), “aptrinsic” / Gainsight, Inc. (USA).

The processing thus also takes place in a third country (USA). The US providers are certified according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

2. Legal basis for data processing

The processing of your data from the booking form serves the performance of a contract to which the user is a party or the implementation of pre-contractual measures, so the additional legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. b GDPR; if the user is the contact person of a (potential) business partner (customer, supplier, partner), the legal basis for (pre-)contractual measures is Art. 6 para. 1 sentence 1 lit. f GDPR.

The legal basis for the processing of all other personal data processed during the provision and the sending process is Art. 6 para. 1 sentence 1 lit. f GDPR.

The legal basis for the processing to ensure legal requirements and evidence is Art. 6 para. 1 sentence 1 lit. c GDPR.

In addition, guest data is reported to the respective responsible registration authority in order to meet legal requirements in accordance with GDPR Art. 6 para. 1 lit. c in conjunction with §§ 29, 30 of the Federal Registration Act (BMG).

3. Purpose of data processing

The purpose of processing the data from the booking form is the establishment and execution of the accommodation contract by means of our online booking system.

The other personal data processed during the provision of the booking form and the submission process serve to prevent misuse of the form and to ensure the security and availability of our information technology systems. Our legitimate interest also lies in these purposes.

4. Duration of storage, possibility of objection, revocation and removal

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected (performance of the contract) and the deletion is not precluded by any statutory retention obligations. The retention periods under commercial and tax law in connection with the accommodation contract are six years (§ 257 para. 1 HGB) and ten years (§ 147 para. 1 AO). The registration forms required by the Federal Registration Act are kept for one year after the registration in accordance with the requirements of Section 30 of the Federal Registration Act and are destroyed within three months of the expiry of the retention period.

If the data is necessary for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible unless contractual or legal obligations preclude deletion.

XI. Conference request

1. Description and scope of data processing

On our website, we offer users the opportunity to request conferences and other services without obligation by providing personal data. The data is entered into an input mask and transmitted to us and stored. The following data will be collected in the context of the enquiry:

First name, last name, e-mail, company, telephone number, first day of the event, last day of the event, number of people, time of event, number of conference rooms, desired seating, need for hotel rooms, other

At the time of sending the request, the following data will also be stored:

• IP address of the user
• Date and Time

We use the service provider “Event Temple”, Event Temple Labs Inc., #901 525 Seymour St, Vancouver, BC V6B 3H7, Canada (hereinafter referred to as “Event Temple”) to provide the enquiry form and the underlying management system. Event Temple acts as a processor for us. Through the integration of Event Temple into our website, services and servers of Event Temple and its partners are called up after confirmation (consent) by the website visitor. A connection is established between the users’ end devices and the servers of the following service providers and the user’s IP address is transmitted:

Event Temple (Canada) and Google (Fonts and CDN) – Google Ireland Limited / Google LLC (USA)

The processing thus also takes place in a third country (USA). The US providers are certified according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

2. Legal basis for data processing

The legal basis for the processing of the data transmitted by means of the inquiry form is Art. 6 para. 1 sentence 1 lit. f GDPR. If the request is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) sentence 1 (b) GDPR; if the user is the contact person of a (potential) business partner (customer, supplier, partner), the legal basis for (pre-)contractual measures is Art. 6 para. 1 sentence 1 lit. f GDPR.

The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. a and Art. 49 (1) sentence 1 (a) GDPR. The storage of your consent for verification purposes and defense against liability claims (e.g. the storage of your revocation) is based on Art. 6 para. 1 sentence 1 lit. f GDPR. The storage of your consent and your revocation takes place in order to be able to prove (formerly) given consent, even after revocation, and thus to ward off any liability claims. Our legitimate interest lies in these purposes.

The legal basis for the processing of all other personal data processed during the provision of the form and the submission process is Art. 6 para. 1 sentence 1 lit. f GDPR. The legal basis for the processing to ensure legal requirements and evidence is Art. 6 para. 1 sentence 1 lit. c GDPR.

3. Purpose of data processing

The processing of the personal data from the enquiry form serves us solely to process the enquiry. The other personal data processed during the provision of the form and the submission process serve to prevent misuse of the contact form and to ensure the availability and security of our information technology systems. Our legitimate interest also lies in these purposes.

4. Duration of storage, possibility of objection, revocation and removal

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the facts in question have been conclusively clarified.

If a conference has been booked, the data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected (performance of the contract) and the deletion is not precluded by any statutory retention obligations (10-year retention periods under commercial and tax law).

If the data is necessary for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible unless contractual or legal obligations preclude deletion.

XII. Facebook Pixel (Tracking Tool)

1. Description and scope of data processing

This website uses Facebook’s visitor action pixel to measure conversion. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter also referred to as Facebook). In this way, the behavior of site visitors can be tracked after they have been redirected to the provider’s website by clicking on a Facebook advertisement. This allows the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The data collected is anonymous for us as the operator of this website, we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Use Policy. This allows Facebook to enable the placement of advertisements on Facebook websites as well as outside of Facebook. This use of the data cannot be influenced by us as the site operator.

Use of a provider based in a third country

Meta Platforms, Inc is the U.S. parent company of Meta Platforms Ireland Limited. The headquarters of Meta’s parent company is located in a third country from a data protection point of view. However, according to Facebook, the data collected will also be transferred to the USA and other third countries.

The provider is certified according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

2. Legal basis for data processing

The legal basis for the processing of the data is the user’s consent in accordance with Art. 6 (1) sentence 1 (a) GDPR – as well as § 25 (1) sentence 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

3. Purpose of data processing

The processing is carried out to evaluate the effectiveness of Facebook ads and to optimize future advertising measures.

4. Duration of storage, possibility of objection, revocation and removal

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal. You can revoke the consent you have given via consent management.

You can also turn off the Custom Audiences remarketing feature in the Ads Settings section of https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook. If you do not have a Facebook account, you can opt out of Facebook’s usage-based advertising on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

5. Shared responsibility

Insofar as personal data is collected on our website and forwarded to Facebook with the help of the tool described here, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its disclosure to Facebook. The processing by Facebook after the transfer is not part of the joint responsibility. Our joint obligations have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for the provision of data protection information when using the Facebook tool and for the implementation of the tool on our website in a manner that is secure under data protection law. Facebook is responsible for the data security of Facebook products. You can assert the rights of data subjects (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your rights as a data subject with us, we are obliged to forward them to Facebook.

You can find further information on protecting your privacy in Facebook’s privacy policy: https://de-de.facebook.com/about/privacy/.

XIII. Google Analytics

1. Description and scope of data processing

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is a subsidiary of Google LLC. based in the USA.

Google Analytics enables the site operator to analyze the behavior of site visitors. In doing so, the site operator receives various usage data, such as website views, length of stay, operating systems used and origin of the user. The following personal data, among others, can be collected and evaluated: user activities, device and browser information (esp. IP address), data about the displayed advertisements (click rates) and data from advertising partners. Google may summarize this data in a profile that is assigned to the respective user or their device.

Google Analytics uses cookies and other browser technologies that enable the recognition of the user for the purpose of analyzing user behavior. This information is used, among other things, to compile reports on the activity of the website. Google also transfers your data to Google affiliates and other partners.

Use of a provider based in a third country

The information collected by Google about the use of this website is usually transmitted to a Google server in the USA and stored there. The parent company Google LLC. has certification according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

IP Address Anonymization

We use Google Analytics 4 on this page. Your IP address will be automatically anonymized. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on activities and to provide other services related to the use of the site and the Internet to the site operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data held by Google.

How to use Google Consent Mode

In order to control and manage consent in Google services, we are obliged to use Google’s so-called “consent mode” and to transmit so-called “pings” to Google. The pings transmitted depend on your consents made in consent management. The transmission of pings will only take place after your consent to the use of the respective Google service.

By using consent mode and submitting pings, the following information may be transmitted to Google: consents and consent status; function-related information (browser header, timestamp, user-agent, referrer URL); Indicate whether the current page or a previous page in the user’s navigation history on the website contains information about the ad click in the URL (e.g., GCLID/DCLID); random number generated every time the page is loaded; Information about the consent management platform used by the website owner (e.g., developer ID); Google IDs; IP address.

2. Legal basis for data processing

The use of this analysis tool is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR – as well as § 25 para. 1 sentence 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

3. Purpose of data processing

The use of Google Analytics on our website serves to analyse the user behaviour of our site visitors in order to optimise and display both our website and our advertising.

4. Duration of storage, possibility of objection, revocation and removal

The data collected will be stored until you delete the cookies set by Google Analytics yourself or the purpose for which the data is stored no longer applies. As a user, you have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal. You can revoke the consent you have given via consent management.

The specific storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Data stored by Google at user and event level that is linked to cookies, user IDs (e.g. user ID) or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) will be anonymised or deleted after 14 months. Details can be found under the following link: https://support.google.com/analytics/answer/7667196?hl=de

For site visitors who do not want their data to be used in Google Analytics, Google has developed a browser add-on to opt out of Google Analytics. You can download and install the available browser plugin at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

You can find more information on the handling of user data by Google Analytics in Google’s privacy policy: https://policies.google.com/privacy.

Further information on data protection can also be found in the privacy policy for Google Analytics: https://support.google.com/analytics/answer/6004245?hl=de.

XIV.     Google Marketing Platform (Doubleclick)

1. Description and scope of data processing

This website uses functions of Google DoubleClick. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is a subsidiary of Google LLC. based in the USA. (hereinafter referred to as “DoubleClick”).

DoubleClick is used to show you interest-based ads across the Google advertising network. With the help of DoubleClick, the advertisements can be tailored to the interests of the respective viewer. For example, our advertising may appear in Google search results or in banner ads associated with DoubleClick.

In order to be able to display interest-based advertising to users, DoubleClick must be able to recognize the respective viewer and assign the websites visited, clicks and other information about user behavior to him. For this purpose, DoubleClick uses cookies or comparable recognition technologies (e.g. device fingerprinting). The information collected is combined into a pseudonymous user profile in order to display interest-based advertising to the user concerned. It cannot be ruled out that your data will also be processed on servers in the USA.

Use of a provider based in a third country

The provider is certified according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

2. Legal basis for data processing

Doubleclick is used on the basis of your consent in accordance with Art. 6 (1) sentence 1 (a) GDPR and Art. 49 (1) sentence 1 (a) GDPR – as well as Section 25 (1) sentence 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

3. Purpose of data processing

Doubleclick is used to display and implement targeted advertising measures.

4. Duration of storage, possibility of objection, revocation and removal

Your personal information will be retained for as long as necessary to fulfill the purposes described above or as required by law.

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal. You can revoke the consent you have given via consent management.

For more information on how to object to the ads displayed by Google, please refer to the following links: https://policies.google.com/technologies/ads  and https://adssettings.google.com/authenticated.

XV. Google Maps

1. Description and scope of data processing

This website uses Google Maps to provide map services (including route planning, etc.). The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is a subsidiary of Google LLC. based in the USA.

Google Maps is a service that enables map services such as route planning, views of satellite images and other actions such as searching for restaurants, public buildings, sights, etc. To learn more about Google Maps features, visit: https://support.google.com/maps/

The data transmitted by you for the purpose of using these map services is stored on the servers of Google LLC in the USA. Google Ireland Limited has entered into a contract with Google LLC pursuant to Standard Contractual Clauses (https://privacy.google.com/businesses/gdprcontrollerterms/ ). For information on data protection, please refer to the Google Maps privacy policy at https://policies.google.com/privacy?hl=de

In order to use all functions of Google Maps, your IP address is stored and sent to the servers of Google LLC in the USA. As the provider of the site, we have no influence  on this data transfer.Google Maps uses various browser technologies that enable the recognition of the user for the purpose of analyzing user behavior. This information is used, among other things, to compile reports on the activity of the website. Google also transfers your data to Google affiliates and other partners.

Upstream User Action

If you have not consented to the processing of your data for the use of Google Maps within the consent management process, the map that is integrated into our website will not be opened immediately. You can also give your consent afterwards directly on the card by means of an upstream action.

Use of a provider based in a third country

The information collected by Google about the use of this website is usually transmitted to a Google server in the USA and stored there. The parent company Google LLC. has certification according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

2. Legal basis for data processing

The legal basis for the processing of the data is the user’s consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR – as well as § 25 para. 1 sentence 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

3. Purpose of data processing

The purpose of data processing is to present our company and to make it easy to find our company.

4. Duration of storage, possibility of objection, revocation and removal

Your personal information will be retained for as long as necessary to fulfill the purposes described above or as required by law.

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal. You can revoke the consent you have given via consent management.

XVI. Google Tag Manager

1. Description and scope of data processing

This website uses Google Tag Manager. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is a subsidiary of Google LLC. based in the USA.

Google Tag Manager is a tool that allows us to integrate tracking, statistics and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not store cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it.

Use of a provider based in a third country

However, Google Tag Manager does collect your IP address, which can also be transmitted to servers in the United States. The parent company Google LLC. has certification according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

2. Legal basis for data processing

The use of Google Tag Manager is based on your consent in accordance with Art. 6 (1) sentence 1 lit. a. GDPR – as well as § 25 (1) sentence 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

3. Purpose of data processing

Google Tag Manager is used to manage website tags through an interface. This enables us to control the precise integration of services on our website. This allows us to flexibly integrate additional services in order to evaluate our users’ access to our website.

4. Duration of storage, possibility of objection, revocation and removal

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal. You can revoke the consent you have given via consent management.

The specific storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. For more information, please see the privacy policy for Google Tag Manager: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

XVII. User behavior analysis with Hotjar

1. Description and scope of data processing

This website uses Hotjar. The provider is Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta (https://www.hotjar.com). For more information about Hotjar and the data collected, please refer to Hotjar’s privacy policy at the following link: https://www.hotjar.com/privacy

Hotjar is a tool for analysing your user behaviour on our website. With Hotjar, we can, among other things: Record your mouse and scroll movements and clicks. Hotjar can also determine how long you have stayed on a certain spot with the mouse pointer. Hotjar uses this information to create so-called heat maps, which can be used to determine which areas are preferred by site visitors.

We can also determine how long you stayed on a page and when you left it. We can also determine at which point you have abandoned your entries in a contact form (so-called conversion funnels). In addition, Hotjar can be used to obtain direct feedback from site visitors. This function serves to improve our online offerings.

Hotjar uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or the use of device fingerprinting).

Disabling Hotjar

If you want to deactivate Hotjar’s data collection, click on the following link and follow the instructions there: https://www.hotjar.com/policies/do-not-track/ Please note that deactivating Hotjar must be done separately for each browser or device.

2. Legal basis for data processing

The legal basis for the processing of the data is the user’s consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR – as well as § 25 para. 1 sentence 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

3. Purpose of data processing

The data processing is carried out for the evaluation and analysis of our visitors as well as for the optimisation of the website and for a target group-oriented approach on our website.

4. Duration of storage, revocation and removal option

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal. You can revoke the consent you have given via

XVIII. HOTELSTARS.EU – Widget

1. Description and scope of data processing

This website uses HOTELSTARS.EU to display the hotel classification via a widget. The provider is DEHOGA Deutsche Hotelklassifikation GmbH, Am Weidendamm 1A, 10117 Berlin, www.hotelstars.eu.

When the website is accessed, the widget is loaded via the provider HOTELSTARS.EU. A connection to the provider’s servers (hotelclass.eu, hotelclass.info) is established and the IP address of the website visitor is transmitted in order to load content.

To learn more about HOTELSTARS.EU’s features, visit: https://www.hotelstars.eu/germany/de/datenschutz

2. Legal basis for data processing

The use of HOTELSTARS.EU is based on our legitimate interest in providing our website in a user-friendly manner (Art. 6 para. 1 sentence 1 lit. f GDPR).

3. Purpose of data processing

The processing serves to present the classification of our hotel according to the Europe-wide, uniform, transparent rating system of HOTELSTARS.EU.

Our legitimate interest also lies in these purposes.

4. Duration of storage

We do not store any personal data in connection with the display of the widgets. For more information from HOTELSTAR.EU, please visit: https://www.hotelstars.eu/germany/de/datenschutz.

XIX. TRUSTYOU – Widget

1. Description and scope of data processing

TRUSTYOU uses this website to display the TRUSYOU rating via a widget. The provider is Trustyou GmbH, Schmellerstraße 9, 80337 Munich, Germany, https://www.trustyou.com/de/ .

When the website is accessed, the widget is loaded via the provider TRUSTYOU. A connection to the provider’s servers (cdn.trustyou.com, cdn-api.trustyou.com, analytics.trustyou.com) is established and the IP address of the website visitor is transmitted in order to load content.

For more information on the functions and processing of TRUSTYOU, please visit: https://www.trustyou.com/de/privacy-policy/

2. Legal basis for data processing

The use of TRUSTYOU is based on our legitimate interest in providing our website in a user-friendly manner (Art. 6 para. 1 sentence 1 lit. f GDPR).

3. Purpose of data processing

The processing is used to display the rating of our hotel by users of the TRUSTYOU rating system.

Our legitimate interest also lies in these purposes.

4. Duration of storage

We do not store any personal data in connection with the display of the widgets. For more information from TRUSTYOU, please visit: https://www.trustyou.com/de/privacy-policy/.

XX. Guest Reviews – TrustIndex Widgets

1. Description and scope of data processing

This website uses TrustIndex to display guest reviews via widgets. Trustindex  Ltd., 1095 Budapest, Hungary, Lechner Ödön fasor 3, https://www.trustindex.io/ .

When the website is called up and after consent by the website visitor, the widgets are loaded via the provider TrustIndex. A connection to the provider’s servers (trustindex.io) and the respective rating platforms (Booking.com / Bstatic.com and Google / googleusercontent.com) is established and the IP address of the website visitor is transmitted in order to load content.

For more information on the functions and processing of TRUSTYOU, please visit: https://www.trustindex.io/terms-of-use/ and https://www.trustindex.io/privacy-policy/

The processing thus also takes place in a third country (USA). The US providers are certified according to the “EU-US Data Privacy Framework” (DPF). Further information on the DPF can be found in this data protection information under “I. General information on data processing – 4. Data transfer to a third country or an international organisation”.

2. Legal basis for data processing

The legal basis for the processing of the data is the existence of the user’s consent in accordance with Art. 6 (1) sentence 1 (a) GDPR – as well as § 25 (1) sentence 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.

3. Purpose of data processing

The processing is used to display the rating of our hotel with TrustIndex-integrated platforms.

4. Duration of storage

We do not store any personal data in connection with the display of the widgets. For more information from TrustIndex , please visit: https://www.trustindex.io/privacy-policy/.