Privacy Policy

Legal Basis for Data Processing on This Website

If you have consented to data processing, we will process your personal data on the basis of Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR if special categories of data pursuant to Art. 9 (1) GDPR are processed. If you have explicitly consented to the transfer of personal data to third countries, data will also be processed on the basis of Art. 49 (1) (a) GDPR. If you have consented to cookies being stored or to accessing information on your terminal device (such as via device fingerprinting), the data will be processed on the basis of Art. 6 (1) (a) GDPR. You can revoke your consent at any time. If your data is required for implementing a contract or pre-contractual measures, we will process your data on the basis of Art. 6 (1) (b) GDPR. Moreover, we will process your data if this is necessary for complying with a legal obligation on the basis of Art. 6 (1) (c) GDPR. In addition, the data may be processed on the basis of our legitimate interest according to Art. 6 (1) (f) GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.

 

 

No Obligation to Provide Data

You are under no legal or contractual obligation to provide us with data. However, some services can only be rendered if you have provided the data we require.

 

 

Data Transfer to the USA and Other Third Countries

Some of the tools we use are from companies based in the USA or other third countries that are not governed by data protection law. When these tools are active, your personal data may be transferred to these third countries for processing. Please note that a level of data protection comparable to that in the EU cannot be guaranteed in these countries. For example, companies in the USA are obliged to hand over personal data to security authorities without the data subject being able to take legal action to prevent this. For this reason, it cannot be ensured that US authorities (e.g. intelligence services) will not process, evaluate or store your data for an extended period on servers in the USA for surveillance purposes. We have no influence over these processing activities. Where our service providers are already certified for the adequacy decision agreed on 10/07/2023 (EU-US Data Privacy Framework), we use this basis to secure your personal data.

 

 

Revoking Your Consent to Data Processing

Many data processing operations are only possible with your explicit consent. You can revoke consent you have already given at any time (Art. 7 (3) GDPR). The legality of data processing performed until the revocation shall remain unaffected by the revocation.

 

 

Right to Object to the Collection of Data in Special Cases and to Direct Advertising

If data is processed on the basis of Art. 6 (1) (f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to any profiling based on these provisions. The legal basis for each kind of processing is found in this privacy policy. If you object, we will no longer process your personal data – unless we are able to demonstrate compelling, legitimate reasons for such processing that override your interests, rights and freedoms, or if the data processing serves to assert, exercise or defend against legal claims (Art. 21 (1) GDPR).

 

 

Right of Appeal to a Supervisory Authority

In the event of GDPR breaches, data subjects have a right of appeal to a supervisory authority (EU) or the Information Commissioner’s Office (ICO-UK) under Art. 77 GDPR.

 

 

Data Portability
You have the right to data portability if you have consented to the processing of your data or have concluded a contract with us (Art. 20 (1) GDPR).

 

 

Information, Erasure and Correction

Within the framework of the applicable legal provisions, you have at any time – free of charge – the right to information about your stored personal data, its origin and recipients and the purpose of processing the data (Art. 15 (1) GDPR), along with a right to have this data corrected (Art. 16 GDPR) or erased (Art. 17 (1) GDPR) if you desire. You can contact us at any time about the above or any other questions you may have on the subject of personal data.

 

 

Right to Restriction of Processing

You have the right to demand that the processing of your personal data be restricted (Art. 18 (1) GDPR). You can contact us at any time in this regard. You are entitled to restrict such processing in the following cases:

 

• If you dispute the accuracy of your personal data in our possession, we will usually need time to verify this. Until we have done so, you will have the right to demand that the processing of your personal data be restricted.
• If your personal data is (being) processed unlawfully, you can request that the processing of your data be restricted instead of having it erased.
• If we no longer need your personal data, but you still need it to exercise, defend or enforce legal claims, you have the right to demand that the processing of your personal data be restricted instead of having it erased.
• If you have lodged an objection according to Art. 21 (1) GDPR, a balance must be struck between your interests and ours. Until it has been determined whose interests prevail, you will have the right to demand that the processing of your personal data be restricted.

 

If you have restricted the processing of your personal data, such data may – apart from being stored – only be processed with your consent or for asserting, exercising or defending legal claims or for protecting the rights of another natural person or legal entity or for reasons of important public interest of the European Union or a Member State.

 

 

Retention Period

Unless a more specific retention period is stated within this privacy policy, we will retain your personal data until the purpose for processing the data no longer applies. If you assert a justified request for erasure or revoke your consent for data processing, your data will be erased unless we have other legally permissible reasons for retaining your personal data (e.g., retention periods under tax or commercial law); in the latter case, the data will be erased once these reasons no longer apply.

We host the content of our websites at the following providers:

 

Domainfactory GmbH

c/o WeWork

Neuturmstraße 5

80331 München

(www.amanogroup.com)

 

Host Europe GmbH

Hansestraße 111

51149 Köln

(www.josephberlin.de)

 

Usage is based on Art. 6 (1) (f) GDPR. We have a legitimate interest in ensuring that the presentation of our website is as reliable as possible. If corresponding consent has been requested, the data will be processed exclusively on the basis of Art. 6 (1) (a) GDPR; this also applies if the consent includes the storage of cookies or access to information on the user’s terminal device (such as for device fingerprinting). You can revoke your consent at any time.

 

We have concluded a contract on order processing for using each of the above-mentioned services. This is a contract required by data protection law, which ensures that the host will only process personal data from our website visitors in line with our instructions and in compliance with the GDPR.

 

 

SSL and TLS Encryption

This website uses SSL or TLS encryption for security reasons and in order to protect the transfer of confidential content, such as orders or enquiries that you send to us, the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

 

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

 

 

Server Log Files

You can always use our website for purely informational purposes without disclosing your identity. If so, when you call up individual pages of the website, only access data will be transmitted to our web space provider in order to display the website to you. This includes the following data:

 

• Browser type and version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Access date and time
• IP address of the requesting computer

 

Temporary processing of the IP address by the system is required to enable the technical delivery of the website to your computer. To do this, it is necessary to process your IP address for the duration of the session. The legal basis for such processing is Art. 6 (1) sentence 1 (f) GDPR.

 

The access data will not be used to identify individual users or be merged with other data sources. The access data will be erased once it is no longer needed for achieving the purpose of processing it. In the case where data is collected to provide the website, this occurs when you end your visit to the website.

 

IP addresses are stored in log files to ensure the functionality of the website. In addition, we also use the data to optimise our website and safeguard the security of our information technology systems. The data collected in this context is not analysed for marketing purposes either.

 

The data is generally deleted after seven days at the latest, although processing beyond this time is possible in individual cases. When this occurs, the IP address is deleted or altered to prevent the calling client from being identified.

 

Details can be found in the privacy policies of Domainfactory (https://www.df.eu/de/datenschutz/) and Host Europe (https://www.hosteurope.de/AGB/Datenschutzerklaerung/).

Our Internet pages make use of “cookies”. Cookies are small data packets and do not cause any harm to your end device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your terminal device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your terminal device until you delete them yourself or until they are automatically deleted by your web browser.

 

Cookies can come directly from us (first-party cookies) or from third-party companies (third-party cookies). Third-party cookies enable the integration of certain third-party services within websites (e.g. cookies for processing payment services).

 

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (such as the shopping cart function or the displaying of videos). Other cookies may be used to evaluate user behaviour or for advertising purposes.

 

Cookies necessary for the electronic communication process, for providing certain functions you have requested (such as the shopping cart function) or for optimising the website (such as cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 (1) (f) GDPR if no other legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the purpose of providing technically error-free and optimised services.

 

If consent has been requested for the storage of cookies and comparable recognition technologies, data will be processed exclusively on the basis of this consent (Art. 6 (1) (a) GDPR); this consent can be revoked at any time.

 

You can set your browser to inform whenever cookies are set and to only allow cookies in individual cases, prevent cookies from being accepted for certain cases or in general and activate the automatic deletion of cookies when the browser is closed. Deactivating cookies may limit the functionality of this website.

 

 

Consent with OneTrust

Our website uses OneTrust’s consent technology to obtain your consent to store certain cookies on your terminal device or to use certain technologies and document this in a manner compliant with data protection regulations. This technology is provided by:

 

OneTrust Technology Limited

82 St John St, Farringdon

London EC1M 4JN

United Kingdom (UK)

(hereinafter OneTrust)

 

When you enter our website, a connection is established with OneTrust’s servers in order to obtain your consent and other declarations regarding cookie use. OneTrust then saves a cookie in your browser in order to assign the consent granted or its revocation to you. The data collected in this way is stored until you ask us to delete it, delete the Consent Manager Provider cookie yourself or until the purpose for storing the data no longer applies. Mandatory statutory retention obligations shall remain unaffected by this.

 

OneTrust is employed in order to obtain the legally required consent for using cookies. The legal basis for this is Art. 6 (1) (c) GDPR.

 

We have concluded a contract on order processing for using the above-mentioned service. This is a contract required by data protection law, which ensures that the host will only process personal data from our website visitors in line with our instructions and in compliance with the GDPR.

When you visit this website, your surfing behaviour may be statistically analysed. This is done mainly by means of analysis programmes.

 

 

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

 

Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store any cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google's parent company in the United States.

Google Tag Manager is used on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the fast and uncomplicated integration and management of various tools on its website.

We use Google Enhanced Conversions within the Google Tag Manager as a tag management system. If you have been redirected to our website by a Google advert, we send a hashed identifier and information about possible purchases to Google, provided you have given your consent via the consent banner. The secure one-way hash algorithm SHA256 is used for this purpose. The hash data is a cryptic string of numbers and characters generated by the algorithm from the details of your e-mail address and your telephone number (which you entered on our website when you made your purchase/booking). If you have a Google account and are logged into your Google account during your purchase on our site, Google matches this hashed data with your hashed account user data. Google processes the data to understand which ad you clicked on, to measure its success and to provide us with this information in aggregated form. This allows us to track leads statistically and measure the success of adverts - without interfering with your end device and without any personal reference to you. Google stores the data for a period of 20 days.

 

Google information on enhanced conversions: https://support.google.com/google-ads/answer/9888656?hl=de

 

If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR, this also applies insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

 

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

 

Tracking via Google Analytics and Google Ads only takes place if you have given your consent (opt-in) via the cookie banner.

If you do not give your consent, only ping information is sent to Google without any personal reference and without interfering with your end device. The so-called pings work without cookies. They may contain information such as the timestamp and the referrer URL. No personally identifiable information is stored. In addition, the pings enable the website operator to compare the opt-in and opt-out rates. This information is then used to model conversions of users who have rejected the cookie banner.

 

Google Analytics enables the website operator to analyse the behaviour of website visitors. In doing so, the website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data is summarised in a user ID and assigned to the respective end device of the website visitor. We can also use Google Analytics to record your scrolling movements and clicks, among other things. Google Analytics also uses various modelling approaches to supplement the recorded data records and uses machine learning technologies for data analysis.

 

Google Analytics uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there. The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. Consent can be revoked at any time. We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://business.safety.google/adscontrollerterms/sccs/.

 

We have activated the IP anonymisation function on this website. This means that your IP address will be truncated by Google within member states of the European Union, in the UK and in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Google will use this information on behalf of the operator of this website to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

 

We use Google signals. When you visit our website, Google Analytics records your location, search history and YouTube history as well as demographic data (visitor data), among other things. This data can be used for personalised advertising with the help of Google Signal. If you have a Google account, the visitor data from Google Signal is linked to your Google account and used for personalised advertising messages. The data is also used to compile anonymised statistics on the user behaviour of our users.

This website uses the ‘demographic characteristics’ function of Google Analytics in order to be able to display suitable adverts to website visitors within the Google advertising network. This allows reports to be generated that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google and from visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account.

This website uses the ‘e-commerce measurement’ function of Google Analytics. With the help of e-commerce measurement, the website operator can analyse the purchasing behaviour of website visitors to improve its online marketing campaigns. Information such as orders placed, average order values, shipping costs and the time from viewing to purchasing a product is recorded. This data can be summarised by Google under a transaction ID that is assigned to the respective user or their device.

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

You can find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Google Ads

The website operator uses Google Ads. Google Ads is an online advertising programme of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

 

Google Ads enables us to display adverts in the Google search engine or on third-party websites when the user enters certain search terms into Google (keyword targeting). Furthermore, targeted adverts can be displayed based on the user data available at Google (e.g. location data and interests) (target group targeting). As the website operator, we can evaluate this data quantitatively by analysing, for example, which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR pursuant to § 25 para. 1 TDDDG. Consent can be revoked at any time.

 

We use Google Enhanced Conversions within the Google Tag Manager as a tag management system.

When you visit our website and are redirected from a Google ad, we send a hashed identifier and information about possible purchases to Google. For this purpose, the secure one-way hash algorithm SHA256 is applied to your e-mail address and telephone number collected by us before it is sent to Google. The hash data is then matched with logged-in Google accounts. Google processes the data to understand which ad you clicked on, measure its success and provide us with this information in aggregated form. This allows us to track leads and measure the success of adverts. Google stores the data for a period of 20 days.

 

Depending on how you interact with our content banner, the tag adjusts whether marketing cookies should be used as usual (with your consent) or whether conversions should only be assigned using pings (without personal reference and without interfering with your end device).

If you do not give your consent, only ping information will be sent to Google without any personal reference and without interfering with your end device. The so-called pings work without cookies. They may contain information such as the timestamp and the referrer URL. No personally identifiable information is stored. In addition, the pings enable the website operator to compare the opt-in and opt-out rates. This information is then used to model conversions of users who have rejected the cookie banner.

 

The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/.

 

Google Ads Remarketing

This website uses the functions of Google Ads Remarketing. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

 

We can use Google Ads Remarketing to assign people who interact with our online offer to specific target groups. One tool we use to form target groups is the customer matching function of Google Ads Remarketing. If the customers in question are Google users and logged into their Google account, they will be shown suitable advertising messages within the Google network (such as on YouTube, by Gmail or in the search engine).

 

What is more, the advertising target groups created with Google Ads Remarketing can also be linked using Google’s cross-device functions. This way, based on your previous usage and surfing behaviour, interest-based and personalised advertising messages adapted to your preferences on one end device (such as your mobile phone) can also be displayed on another of your end devices (such as your tablet or PC).

 

Target group with Customer Match:

Among other things, we use Google Ads Remarketing customer matching to create target groups. Here we transfer certain customer data (e.g. email addresses) from our customer lists to Google. The data is imported in pseudonymised form using the secure SHA256 hash algorithm. Customer Match compares these pseudonymised email lists with its own database of registered Google users. If the customers in question are Google users and logged into their Google account, they are shown suitable advertising messages within the Google network (e.g. on YouTube, Gmail or in the search engine). In addition, Google can also track down similar customers with similar interests for us based on the uploaded user lists. Once the customer match lists have been created, the encrypted customer data is automatically deleted by Google. Google provides information on the handling of uploaded data files at the following link: https://support.google.com/google-ads/answer/6334160?sjid=8885968457536723958-EU

 

If you have a Google account, you can block personalised advertising at the following link: https://www.google.com/settings/ads/onweb/.

 

Use of this service is based on your consent according to Art. 6 (1) (a) GDPR. You can revoke your consent at any time.

 

More information and the data protection provisions are found in Google’s privacy policy at: https://policies.google.com/technologies/ads?hl=de.

 

 

Google Conversion Tracking

This website uses Google conversion tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

 

Google conversion tracking allows Google and us to see whether a user has taken certain actions. For example, we can evaluate which buttons on our website were clicked how often and which products were viewed or purchased particularly frequently. This information is used to create conversion statistics, which show us the total number of users who have clicked on our ads and what actions they have taken. We do not receive any information with which we can personally identify the user. Google itself uses cookies or comparable recognition technologies for identification purposes.

 

Use of this service is based on your consent according to Art. 6 (1) (a) GDPR. You can revoke your consent at any time.

 

You can find more information about Google conversion tracking in Google’s privacy policy.: https://policies.google.com/privacy?hl=de.

 

Bing Ads

This website uses Bing Ads. The provider is Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, hereinafter “Microsoft”).

 

Microsoft stores a cookie on the user's computer in order to analyse the use of our online offering. In this way, Microsoft and we can recognise that someone has clicked on an ad, has been redirected to our online offering and has reached a predetermined target page. We also use Microsoft Ads Enhanced Conversions within the Google Tag Manager. The prerequisite for both is that the user has reached our website via a Microsoft Bing Ads advert.

 

With Microsoft Ads Enhanced Conversions, the secure one-way hash algorithm SHA256 is applied to your email address and telephone number collected by us before it is sent to Microsoft. The hash data is then matched with logged-in Microsoft accounts. Microsoft processes the data to understand which ad you clicked on, measure its success and provide us with this information in aggregated form. This allows us to track leads and measure the success of adverts. Microsoft stores the data for a period of 90 days. We only learn the total number of users who clicked on a Bing advert and were then forwarded to the target page (conversions). No IP addresses are stored. Due to the marketing tools used, your browser automatically establishes a direct connection with the Microsoft server. We have no influence on the scope and further processing of the data initiated by the use of Bing Ads.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR pursuant to § 25 para. 1 TDDDG. Consent can be revoked at any time.

Further information on data protection at Microsoft can be found at: https://privacy.microsoft.com/de-de/privacystatement.

 

LinkedIn Insight Tag

This website uses the Insight Tag of LinkedIn. The provider of this services is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

 

By using the LinkedIn Insight Tag, we receive information about the visitors to our website. If a website visitor is registered with LinkedIn, we can analyse the key professional data (such as career level, company size, country, location, industry and job title) of our website visitors and thus better tailor our site to the respective target groups, among other things. Moreover, we can also use LinkedIn Insight Tags to measure whether visitors to our websites make a purchase or take any other action (conversion measurement). Conversion measurement can also extend across devices (such as from a PC to a tablet). LinkedIn Insight Tags also offer a retargeting function allowing us to display targeted off-site advertising to visitors to our website – LinkedIn affirms that it does not identify the recipients of its ads.

 

In addition, LinkedIn directly collects log files (URL, referrer URL, IP address, device and browser properties and time of access). IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymised). Direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymised data is then deleted within 180 days.

 

The data collected by LinkedIn cannot be used by us, the website operator, to identify specific individuals. LinkedIn stores the personal data collected from website visitors on its servers in the USA and uses it for its own advertising measures. Details can be found in the privacy policy of LinkedIn at https://www.linkedin.com/legal/privacy-policy#choices-oblig.

 

If your consent has been obtained, the above-mentioned service is used exclusively on the basis of Art. 6 (1) (a) GDPR. You can revoke your consent at any time. If no consent has been obtained, this service is used on the basis of Art. 6 (1) sentence 1 (f) GDPR; the website operator has a legitimate interest in effective advertising measures, including the use of social media.

 

We have concluded a contract on order processing for using the above-mentioned service. This is a contract required by data protection law, which ensures that the host will only process personal data from our website visitors in line with our instructions and in compliance with the GDPR.

 

Data transfer to the USA is governed by the standard contractual clauses of the EU Commission. For details, go to: https://www.linkedin.com/legal/l/dpa and  https://www.linkedin.com/legal/l/eu-sccs.

 

You can opt out of usage behaviour analysis and targeted advertising by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

 

Moreover, LinkedIn members can also control the use of their personal data for advertising purposes in the account settings. To prevent LinkedIn from linking data collected on our website to your LinkedIn account, you must log out of your LinkedIn account before visiting our website.

 

THN – THE HOTELS NETWORK

 

This website uses the software of THE HOTELS NETWORK (THN) (https://www.thehotelsnetwork.com, Muntaner 262, 3º, 08021 Barcelona, Spain).

 

With the help of this software, we are able to analyse user behaviour in an anonymized way. This enables us to better understand how users interact with our website and to offer them relevant user experiences. To do this, THN generates a backend hash on our behalf using the website users' data. The hash (cryptic string of characters and numbers) is formed solely from the website visitor's data that is required to deliver the website: IP addresses, MAC addresses. This hash is not reversible, which means that it cannot be assigned to a person. However, it enables us to create anonymous analyses and statistics on how and how often website visitors use our website. It is not possible for us or our service provider to identify users personally. If a user is not re-identified as a visitor to the website within a maximum of two years, their backend hash is deleted.

 

The THN service is used on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR, this also applies insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

 

We have concluded an order processing contract with THN in accordance with Art. 28 GDPR, which you can view here: https://info.thehotelsnetwork.com/thn-data-processing-agreement-general-tcs

 

The following THN services for relevant user experiences are used on our website:

 

• Personalised campaigns

Using the backend hash described above in combination with the information in our booking forms, we can offer our users relevant price advantages and discount campaigns, for example.

 

• Price comparison

When users request their price comparison by e-mail in the price comparison function, they receive the price comparison at the e-mail address they have requested. The sender domain of this e-mail is THN as our processor. THN stores the e-mail addresses in encrypted form so that they can be made available to us on request.

Processing of Customer and Contractual Data

We collect, process and use personal customer and contractual data for the purpose of establishing, defining the content of and modifying our contractual relationships. We collect, process and use personal data about the use of this website (usage data) only insofar as this is necessary to enable the user to use the service or to be billed for it. The legal basis for this is Art. 6 (1) (b) GDPR.

 

The customer data collected will be deleted after the order is completed or the business relationship has come to an end and after any existing legal retention periods have expired. Statutory retention periods shall remain unaffected by this.

 

 

Data Transmission upon Conclusion of a Contract for Services

We only transmit personal data to third parties if this is necessary for processing the contract, such as crediting the institution commissioned with processing payments.

 

The data will not be transmitted further unless you have expressly consented to this. Your data will not be passed on to third parties without your express consent, such as for advertising purposes.

 

The legal basis for processing your data is Art. 6 (1) sentence 1 (b) GDPR, which permits data processing in order to implement a contract or pre-contractual measures.

 

 

Processing and Forwarding of Personal Data

If you wish to make a booking in our online booking system, you will need to provide personal data such as your name, address and e-mail address to initiate and conclude the contract. The details required for processing the booking and contract are clearly marked; other details are provided voluntarily.

 

We process your data to complete the booking; in particular, we forward payment data to your chosen payment service provider or our main bank. As part of your booking or booking request, the booking information is also transferred to external Internet booking engine operators [TravelClick, Inc, (“Amadeus”), 75 New Hampshire Avenue, Portsmouth, NH 03801, USA] for to implement or prepare the contract. The legal basis for processing your data is Art. 6 (1) sentence 1 (b) GDPR.

 

To prevent unauthorised third parties from accessing your personal data, the booking process on the website is encrypted using SSL/TLS technology.

 

You can voluntarily create a customer account where we will store your data for future visits to the website. When you create a customer account, the data you provide will be processed. You can edit or delete all other data, including your customer account, yourself after you have registered successfully.

 

We will delete the data collected in this context after storing it is no longer required or restrict its processing if there are statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to retain your address, payment and booking data for a period of ten years. Two years after the contract comes to an end, we will restrict the processing of your data to what is necessary to comply with existing legal obligations.

 

 

Encrypted Payment Transactions on This Website

If, after a fee-based contract is concluded, there is an obligation to provide us with your payment data (such as your account number for direct debit authorisation), this data is required for us to process payments.

 

Payment transactions with common means of payment (Visa, MasterCard, AMEX, Diners Club, JCB, Paypal) are exclusively made using an encrypted SSL or TLS connection. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

 

Thanks to encrypted communication, your payment data that you transmit to us cannot be read by third parties.

We use the table reservation platform Open Table on our website. The provider of Open Table is:

 

Open Table GmbH

Schumannstraße 27

60325 Frankfurt

(hereinafter “Open Table”)

 

When you use the reservation system, Open Table GmbH receives your contact details and the information required to process the reservation (date of stay, accommodation, etc.). In addition, the data mentioned in the “Access Data” section is also transmitted to Open Table, while cookies may be used as described in the “Cookies” section.

 

Open Table stores your data and processes it for booking and advertising, market research and/or needs-based website design. Your data may also be transferred outside the EU, particularly to the USA. For this reason, we have concluded “Data Processing Agreements” with Open Table in order to oblige Open Table to maintain an appropriate level of data protection. We will provide you with a copy of the agreement upon request.

 

More information and Open Table’s valid privacy policy can be found at https://www.opentable.de/legal/privacy-policy.

 

The legal basis for processing your data is Art. 6 (1) sentence 1 (f) GDPR. The purpose of processing personal data is to make our website design more appealing and offer you additional services. We have no knowledge of what the retention period at Open Table is and no possibility of influencing it.

Requests

You can use the forms provided on the websites to request the creation of vouchers or make group reservations or rental requests for event or design spaces.

 

If you send us requests via the contact form, your information from the request form, including the contact data you have provided there, will be stored by us for the purpose of processing the request and for any follow-up requests. We will not pass on this data without your consent.

 

This data will be processed on the basis of Art. 6 (1) (b) GDPR if your request is related to the performance of a contract or is necessary for implementing pre-contractual measures. In all other cases, the processing of your data will be based on our legitimate interest in effectively handling the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested; consent can be revoked at any time.

 

We will retain the data you enter in the contact form until you ask us to delete it, revoke your consent to our storing it or if the purpose for storing the data no longer applies (such as after we have completed processing your request). Mandatory statutory provisions – particularly retention periods – shall remain unaffected by this.

Request by E-Mail or Telephone

If you contact us by e-mail or telephone, your request and all resulting personal data (name, request) will be stored and processed by us in order to handle your request. We will not pass on this data without your consent.

 

This data will be processed on the basis of Art. 6 (1) (b) GDPR if your request is related to the performance of a contract or is necessary for implementing pre-contractual measures. In all other cases, the processing of your data will be based on our legitimate interest in effectively handling the requests addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR) if this has been requested; consent can be revoked at any time.

 

We will retain the data passed on to us until you ask us to delete it, revoke your consent to our storing it or if the purpose for storing the data no longer applies (such as after we have completed processing your request). Mandatory statutory provisions – particularly statuory retention periods – shall remain unaffected by this.

 

 

E-Mail Reservation Assistant HERA Resbot

When you e-mail us, particularly with booking requests, the e-mail and its metadata may also be shared with external operators of third-party software that assists us in responding to e-mails. The provider is:

 

Hotel Res Bot UG

Mönchsgasse 48

50737 Köln

Germany

 

Personally identifiable information (PII), including your e-mail address and the content of the e-mail, will then be processed and a response e-mail generated by this system. The legal basis for processing your data is Art. 6 (1) sentence 1 (b) GDPR.

 

Received or sent e-mails are automatically deleted after 5 days. Cached personal data, which includes the content of the e-mail and the offer details, will be deleted 2 weeks after the requested departure date for booking requests or 2 weeks after the e-mail was received for other requests.

 

Automated decision-making is used to suggest the most suitable products (room and rate types) to the agent based on the written request. Your data will be shared in a secure manner with third-party processors (such as AWS, where the app is hosted, or an e-mail service provider for sending and receiving e-mails). There is nothing specifying that your personal data will be transferred to a country outside the EU or UK.

 

To prevent unauthorised third parties from accessing your personal data, your e-mail will be encrypted for transport in standy mode.

 

 

E-Marketing Platform TravelClick GMS | Pre-Stay and Post-Stay E-Mails

Your e-mail address will be processed with TravelClick in order to send e-mails before your stay and feedback requests after your stay. The provider is:

 

TravelClick, Inc. (“Amadeus”)

75 New Hampshire Ave

Portsmouth, NH 03801, USA

(hereinafter TravelClick)

 

Your e-mail address and name will be stored on TravelClick’s servers in the USA. TravelClick processes this information to send and evaluate the e-mails on our behalf and to optimise or improve its own services, such as by technically optimising how it sends and presents the content and guest surveys.

 

Technical information, such as information on the browser and your system, your IP address and the time of the retrieval, is initially collected when the e-mails are opened. This information is processed to improve the services based on the technical data or the target groups and improve reading behaviour based on their retrieval locations (which can be determined by the IP address) or access times.

 

An additional order processing agreement lays out the conditions applicable for TravelClick’s processing of personal data under the contract. This is to ensure that processing will be carried out in accordance with UK data protection legislation. The legal basis for such processing is Art. 6 (1) sentence 1 (f) GDPR. We have no knowledge of what the retention period at Travelclick is and no possibility of influencing it. We process this data for marketing purposes until two years after the contract has come to an end.

 

More information and TravelClick’s valid privacy policy can be found at https://www.amadeus-hospitality.com/travelclick-legal/terms-and-conditions/#all.

 

 

E-Marketing Platform TravelClick GMS |  E-Mail Marketing (Existing Customer Advertising)

While implementing the contract or afterwards, we reserve the right to process the e-mail address provided by you during booking or via the form for our guest WLAN in accordance with the statutory provisions in order to send you the following content – among other things – by e-mail, provided that you have not already objected to our processing of your e-mail address:

other interesting offers from our portfolio, information on events organised by our company and by third parties, an overview of possible leisure offers, special or time-limited offers, upselling e-mails, feedback surveys, feedback links to Tripadvisor or Google, invitations to events.

 

The legal basis for processing your data is Art. 6 (1) sentence 1 (f) GDPR. We perform the aforementioned processing for the purpose of customer care and expanding our services.

 

Please note that you can object to receiving direct advertising at any time without incurring any costs other than transmission costs according to basic rates. You have a general right to object without needing to specify reasons (Art. 21 (2) GDPR).

 

 

EasyWay Messenger Service

We use the platform of EasyWay Technologies Ltd. in selected hotels to communicate with you. The provider is:

 

EasyWay Technologies Ltd.

Allenby 87

6513427 Tel Aviv

Israel

 

EasyWay enables communication between the hotel and you via text message and/or WhatsApp. EasyWay is a processor that works on the basis of an agreement pursuant to Art. 28 GDPR.

 

The hotel uses EasyWay to collect, store and use data for the purpose of establishing communication between the hotel and the guest. A data transfer to Canada is also governed by the European Commission’s adequacy decision according to Art. 45 GDPR. Your personal data is processed for the purpose of communication according to Art. 6 (1) sentence 1 (b) GDPR, as this is necessary for the hotel to initiate/implement a contract.

 

Your personal data is also used for informing you about services provided by the hotel or other services (such as evaluation requests). The hotel has a legitimate interest in such direct advertising according to Art. 6 (1) sentence 1 (f) GDPR. You can object to this processing of your data at any time by sending a message directly to the hotel. Through the use of the EasyWay platform, the following categories of your personal data will be processed:

name, mobile phone number / contact details of the messaging service used (such as WhatsApp), arrival and departure dates, data relating to the stay such as room number, language.

 

It may happen that other personal data or special categories of personal data within the meaning of Art. 9 GDPR will be processed if your messages to the hotel contain this data (such as messages about food intolerances or religious customs). The hotel will never expressly ask you to submit such data. If you do so anyway, you consent to allow the hotel to process it further according to the information in this notice immediately after you have sent it.

 

The hotel has activated the EasyWay function to send automatic replies. The content of the guest’s message is analysed, and predefined answers to standard questions are sent out. The hotel has also activated the EasyWay function to check the language and translate messages. The content of the message will be analysed to identify the language used. If there is a discrepancy between the language used and the languages set as standard by the hotel, the message will be translated. Your personal data processed when using the EasyWay platform will be deleted three days after the end of your stay at the hotel.

 

Please note that you can object to receiving direct advertising and the processing of data for the purpose of direct advertising at any time without incurring any costs other than transmission costs according to basic rates. You have a general right to object without needing to specify reasons (Art. 21 (2) GDPR). After you have exercised your right to object, we will delete your data in connection with existing customer advertising. To do this, click on the unsubscribe link in the respective e-mail or send your objection to the contact details listed in the “Responsible Provider” section.

Whenever you rate us through participating review platforms or processes such as Google, Booking.com or TripAdvisor, we will manage and analyse these hotel reviews through the Revinate Reputation platform. The provider is:

 

Revinate Inc.

One Lettermann Drive

Bldg. C, Suite CM100

San Francisco, CA 94129.

 

Details can be found in the privacy policy of Revinate: https://www.revinate.com/privacy/.

 

An additional order processing agreement lays out the conditions applicable for Revinate’s processing of personal data under the contract. This is to ensure that processing will be carried out in accordance with data protection legislation of the European Union. The legal basis for such processing is Art. 6 (1) (f) GDPR. We have no knowledge of what the retention period at Revinate is and no possibility of influencing it.

We reserve the right to amend this privacy policy at any time. The current version of the privacy policy shall apply.

As part of the EU General Data Protection Regulation (GDPR), new obligations to provide information are being imposed on us, the controller responsible for processing personal data. We therefore want to inform you about the following points in accordance with Art. 13 and 14 of the GDPR:

 

Art. 6 (1) (a) GDPR authorises us to process your data on the basis of your consent for certain purposes, such as subscribing to our newsletter.

 

Art. 6 (1) (b) GDPR covers data processing necessary for the performance of a contract (accommodation contract) and for pre-contractual measures.

 

Art. 6 (1) (c) GDPR authorises us to process your data on the basis of a legal obligation, such as for a registration certificate or retention obligations under financial and tax law.

 

Art. 6 (1) (f) GDPR authorises us to process your personal data if we or a third party have legitimate interests in this processing and your interests, fundamental rights or freedoms do not conflict with them. For example:

• Online Check-In, Online Check-Out
• Advertising, feedback surveys
• Your preferences during your stay in our hotel, such as certain room categories
• Preventing damage and/or company liability through appropriate measures
• Establishing, asserting or defending against legal claims
• Video surveillance in order to exercise our domiciliary rights – video surveillance in the hotel is only recorded in publicly accessible areas (such as in the lobby).

We are legally obliged to request registration data from our hotel guests without German citizenship. If you do not provide us with this information, we will not be able to conclude an accommodation contract with you or allow you to stay with us. However, some services can only be provided if we have received the necessary data from you.

During the digital check-in, we collect your date of birth and email address for the following purposes:

It is necessary to enter your date of birth:

• for age verification, as only guests of legal age may check into our hotels
• to distinguish between bookings with the same name
• If guests require a new room card, we ask for the date of birth to ensure that it is the correct guest

It is necessary to provide your e-mail address:

• as part of our contemporary digital ‘guest journey’
• for sending invoices by email
• as a communication channel to our guests for important information during their stay in our hotels

General: Once the purpose of processing your data no longer applies and the statutory retention periods have expired, your personal data will be erased. Companies are generally obliged to keep records for 6 or 10 years.

 

Special retention period for:

• Video surveillance: 72 hours
• Reporting forms: 1 year and 3 months

 

If storage is based on your consent, we will erase the relevant personal data when you withdraw your consent.

 

In our company, only the employees who require this data to perform their tasks are given access to your personal data to the extent needed to do so.

 

Service providers may receive your data in order for them to be used for the purposes described above, provided that they comply with the confidentiality requirements of data protection law. For example, this may include companies in the following categories: IT services, online check-in and smart key services, property management system (PMS), central reservation system (CRS), payment service providers, customer relationship management (CRM, messenger services, e-mail automation), table reservation systems, corona contact tracking services, digital guest portfolio, hosting, printing and shipping services, marketing / PR / event agencies, ticket service portals, driving services, laundry services, data destruction.  These service providers are known as AV service providers (order processors), which are subject to special contractual obligations in accordance with legal requirements.

 

Your data will be transferred outside the EU/EEA/UK for the purposes of hotel reservations pursuant to an order processing agreement including concluded EU standard contractual clauses.

 

Data we receive about you from third parties:

• Personal master data
• Company data
• Reservation details
• Payment details
• Email address

 

The hotel can receive data from the following third parties:

• Meeting, conference, event portals
• Portals for requesting quotes
• Online travel booking portals
• Travel agencies
• People who book group stays with us

You may exercise the following rights in relation to your personal data with us:

 

• The right of access to your data according to Article 15 GDPR
• The right of having your data corrected according to Article 16 GDPR
• The right of having your data erased according to Article 17 GDPR
• The right of limiting processing of your data according to Article 18 GDPR
• The right of data portability according to Article 20 GDPR
• The right of appeal arising from Article 21 GDPR
• The right to revoke consent granted with future effect

 

You also have the right to lodge a complaint with a supervisory authority (EU) or the Information Commissioner’s Office (ICO UK) according to Article 77 GDPR.

We reserve the right to amend this privacy policy at any time. The current version of the privacy policy shall apply.

We offer you an opportunity to apply to join our team (such as by e-mail or post or via online platforms). In the following paragraphs, we will inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be done in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.

 

The General Data Protection Regulation (GDPR) has imposed new obligations on us – the data controller responsible for processing personal data – to provide you with information. We therefore want to inform you about the following points in accordance with Art. 13 and 14 of the GDPR:

If you send us an application, we will process your personal data it contains (such as contact and communication data, application documents, notes taken during interviews, etc.) to the extent necessary to decide whether to establish an employment relationship. The legal basis for this is Art. 6 (1) (b) GDPR (general contract initiation) and – if you have given your consent – Art. 6 (1) (a) GDPR. You can revoke your consent at any time. Your personal data will only be forwarded to persons within our company who are involved in processing your application.

 

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Art. 6 (1) (b) GDPR for the purpose of implementing the employment relationship.

 

If you have also voluntarily provided special categories of personal data (such as health data, religious affiliation, degree of disability) in your letter of application or during the application process, this data will only be processed if you have given your prior consent or if there is a legal reason allowing us to do so.

If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 (1) (f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data is then erased and the physical application documents destroyed. The main reason for retaining data is to use it as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (such as due to an impending or pending legal dispute), the data will not be erased until the purpose for continuing to retain it no longer applies.

 

The retention period may be even longer if you have given your consent (Art. 6 (1) (a) GDPR) or if legal data retention obligations prevent us from erasing it.

If we do not make you a job offer, we may be able to include you in our pool of applicants. If we do include you, all documents and details from the application process will be transferred to the applicant pool in order to contact you if any suitable vacancies arise.

 

You will only be included in the applicant pool if you have given your express consent (Art. 6 (1) (a) GDPR). Your consent is voluntary and not related to the current application process. You may revoke your consent at any time. In this case, your data will be irrevocably erased from the applicant pool, unless there are legal reasons for retaining it.

 

The data from the applicant pool will be irrevocably erased no later than two years after you have given your consent.

In our company, only the employees who require this data to perform their tasks will be given access to your personal data to the extent needed to do so.

 

Service providers may receive your data in order for them to be used for the purposes described above, provided that this is necessary and that they comply with the confidentiality requirements of data protection law (order processing contract). Your data will not be transferred outside the EU/EEA/UK.

 

If you have published profiles about yourself in business networks such as XING or LinkedIn, we will take a look at them.

You may exercise the following rights in relation to your personal data with us:

 

• The right of access to your data according to Article 15 GDPR
• The right of having your data corrected according to Article 16 GDPR
• The right of having your data erased according to Article 17 GDPR
• The right of limiting processing of your data according to Article 18 GDPR
• The right of data portability according to Article 20 GDPR
• The right of appeal arising from Article 21 GDPR
• The right to revoke consent granted with future effect

 

You also have the right to lodge a complaint with a supervisory authority (EU) or the Information Commissioner’s Office (ICO UK) according to Article 77 GDPR.

You are under no legal or contractual obligation to provide us with data. However, we can only consider your application if you have provided the data we require.

We offer our job vacancies in the career section of our website via links to the platform of the HOTELCAREER service provider. HOTELCAREER is a service of YOURCAREERGROUP GmbH, Völklinger Straße 1, in 40219 Düsseldorf.

 

If you use this method to apply, your data will be recorded by HOTELCAREER and transmitted to us in encrypted form. You can view YOURCAREERGROUP’s privacy policy at https://www.hotelcareer.de/datenschutzerklärung.

 

We will erase the information after the application process has ended if your application is unsuccessful. The legal basis for processing your applicant data is Art. 6 (1) sentence 1 (b) GDPR.

We reserve the right to amend this privacy policy at any time. The current version of the privacy policy shall apply.

The General Data Protection Regulation (GDPR) has imposed new obligations on us – the data controller responsible for processing personal data – to provide you with information. We therefore want to inform you about the following points in accordance with Art. 13 and 14 of the GDPR:

 

We use online conference tools to communicate with our business partners. The specific tools we use are listed below. If you communicate with us by video or audio conference via the Internet, your personal data will be collected and processed by us and by the provider of the respective conference tool.

 

The conference tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). In addition, the conference tools process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other “contextual information” related to the communication process (metadata).

 

Furthermore, the provider of the tool processes all technical data required for handling the online communication. Specifically, this data includes IP addresses, MAC addresses, device IDs, the device type, the operating system type and version, the client version, the camera type, the microphone or speaker and the type of connection.

 

If content is exchanged, uploaded or otherwise made available within the tool, this will also be stored on the servers of the tool providers. Such content includes, but is not limited to, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.

 

Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the corporate policy of each provider. For more information on data processing performed by the conference tools, please refer to the data protection statements of the respective tools used, which are listed below this text.

 

The conference tools are used to communicate with prospective or existing contractual partners (Art. 6 (1) (b) GDPR). Furthermore, the purpose of these tools is the general simplification and streamlining of communication with us or our company (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). Insofar as consent has been requested, the tools in question are used on the basis of this consent; consent can be revoked at any time with future effect.

 

The data collected directly by us using the video and conference tools will be erased from our systems as soon as you ask us to erase it, if you revoke your consent to store it or once the purpose for storing the data no longer applies. Stored cookies will remain on your terminal device until you delete them. Mandatory statutory retention periods remain unaffected by this.

 

We have no influence on the retention period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

We use Zoom. This service is provided by Zoom Communications Inc, San Jose, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. For details on data processing, please refer to Zoom’s privacy policy.: https://zoom.us/de-de/privacy.html.

 

Data transfer to the USA is governed by the standard contractual clauses of the EU Commission. For details, go to: https://zoom.us/de-de/privacy.html.

We use Google Meet. It is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on data processing, see Google’s privacy policy: https://policies.google.com/privacy?hl=de.

You may exercise the following rights in relation to your personal data with us:

 

• The right of access to your data according to Article 15 GDPR
• The right of having your data corrected according to Article 16 GDPR
• The right of having your data erased according to Article 17 GDPR
• The right of limiting processing of your data according to Article 18 GDPR
• The right of data portability according to Article 20 GDPR
• The right of appeal arising from Article 21 GDPR
• The right to revoke consent granted with future effect

 

You also have the right to lodge a complaint with a supervisory authority (EU) or the Information Commissioner’s Office (ICO UK) according to Article 77 GDPR.

We reserve the right to amend this privacy policy at any time. The current version of the privacy policy shall apply.