General information
The following information provides a simple overview of how we handle your personal data – as a website visitor, as an enquirer and guest on site, as an applicant or as an audio or video conference participant with us (see navigation below: WEBSITE VISITORS, GUESTS ON SITE, APPLICATIONS, AUDIO & VIDEO CONFERENCES).
Personal data is any data that can be used to identify you personally.
Responsible for data processing
R&S Hotelbetriebsgesellschaft mbH,
Spichernstrasse 24,
D-10777 Berlin
AMANO München GmbH,
Spichernstrasse 24,
D-10777 Berlin
AREVITHO GmbH
Marburger Straße 2
D-10789 Berlin
AMANO Operations Limited
c/o Pkf Littlejohn
15 Westferry Circus Canary Wharf
London E14 4HD
United Kingdom (UK)
Email: amano@amanogroup.com
Further legal information on the responsible parties can be found in our legal notice Impressum.
Data protection officer
We have appointed mb-datenschutz GmbH https://mb-datenschutz.de/ as our data protection officer.
For enquiries about data protection, please use the following e-mail address: dataprotection@amanogroup.com
Data protection-compliant use of service providers
When we mention service providers in our privacy policy, we have concluded a contract with them for order processing in accordance with Art. 28 GDPR for the use of the services mentioned. This is a contract required by data protection law, which ensures that the service provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR. With service providers outside the EU, we agree on EU standard data protection clauses that guarantee a level of data protection appropriate to the EU.
When using US service providers, we pay particular attention to ensuring that the respective companies are certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the US that is intended to ensure compliance with European data protection standards when processing data in the US. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780
Storage period
Unless a more specific storage period is specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods); in the latter case, deletion will take place once these reasons no longer apply.
Your data protection rights
In addition, you have the right to lodge a complaint with a supervisory authority (EU) or The Information Commissioner's Office (ICO UK) in accordance with Article 77 GDPR.
Amendments to the Privacy Policy
We reserve the right to amend this Privacy Policy at any time. The current version shall apply.
Status of this Privacy Policy: 17.10.2025
The following only applies to reservations made before 13:00 on 27 November 2025.
This is what happened:
On 26 November 2025 and 27 November 2025, a successful cyber attack was carried out against our company, which we discovered at around 14:00 on 4 December. As a result, reservation data fell into the hands of the attacker.
It cannot be ruled out that the following personal data may have been affected by this attack:
First and last names, email address, telephone number, addresses, nationality
Anonymised payment data: card type, card number (only the last 4 digits), expiry date.
This is what may happen:
You may receive a WhatsApp/SMS message, or possibly an email or phone call, urging you to visit the following websites (please do not click on them!) under time pressure in order to confirm your reservation and, if applicable, your payment details, etc.:
https://booking.stay2209.live/ (please do not click on it!)
https://hotelAMANO.roomcloud.live/ (please do not click!)
https://amano.accessunin.rest/ (please do not click!)
https://hotel.access-unin.rest/ (please do not click!)
https://hotel.staydirect.help/ (please do not click!)
Please do not comply with such requests on any channels (WhatsApp, SMS, telephone, email, etc.). We, as AMANO Group, will never ask you to re-enter your payment details or reconfirm bookings.
What you should do immediately:
If you receive such a text message, email, WhatsApp message or phone call
We have taken the following measures:
If you nevertheless notice any irregularities, please let us know. To do so, please use the email address dataprotection@amanogroup.com.
We will keep you updated about this case here and deeply regret that this data incident has occurred.
What happened:
Unfortunately, one of our employees' email accounts was hacked. As a result, email addresses from this employee's email correspondence were used in a phishing attack on 8 December 2025 at around 1:30 p.m.
The content of this email asks the recipient to open a document shared via Microsoft. The document is a recognisable Word document with the file name ‘Amano Group cooperation offer’. Attached you will find a screenshot of this fake email.
Even though we assume that you would not fall for this, we would like to urge you not to follow this request!
We have taken the following measures:
We deactivated the employee's access immediately after discovering the incident and initiated the appropriate forensic investigations. We have informed our data protection officer and will report this incident to the data protection supervisory authority. In addition, we will file a complaint.
What can happen:
You receive an increasing number of phishing emails. These are emails that urge you – usually under time pressure – to do the following, for example:
If you comply with the sender's requests, your login details and systems may be compromised.
You should do the following immediately:
Be very vigilant when receiving emails
If in doubt, it is better to delete such emails!
If you notice any irregularities in your email account that could be related to this incident, please inform us by email at dataprotection@amanogroup.com
We will keep you updated about this case here and deeply regret that this data incident has occurred.
Data Protection Information regarding Our Website
General Information:
How do we collect your data?
Your data is collected, on the one hand, by you providing it to us. This may, for example, be data that you enter into a contact form.
Other data is collected automatically or after your consent when you visit the website. This primarily includes technical data (e.g. internet browser, operating system, or time of page access). The collection of such data takes place automatically as soon as you enter the website.
A portion of the data is collected to ensure the error-free functioning of the website. Other data may be used to analyse your user behaviour.
Legal Bases for Data Processing on this Website
If you have given your consent to data processing, we process your personal data on the basis of Art. 6 (1)(a) GDPR.
In the case of explicit consent to the transfer of personal data to third countries, the processing is also carried out on the basis of Art. 49 (1)(a) GDPR.
If you have consented to the storage of cookies or to access information on your end device (e.g. via device fingerprinting), the processing of data is based on Section 25 (1) TDDDG.
Consent may be withdrawn at any time.
If your data is required for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6 (1)(b) GDPR.
Furthermore, we process your data where this is necessary for compliance with a legal obligation on the basis of Art. 6 (1)(c) GDPR.
Data processing may also be based on our legitimate interest pursuant to Art. 6 (1)(f) GDPR.
The respective applicable legal basis is specified in the following sections of this data protection declaration.
Tracking & Analytics
When visiting this website, your browsing behaviour may be statistically evaluated. This is primarily done using analytics programmes.
Detailed information about these programmes can be found in the following privacy policy.
We host the content of our websites with the following providers:
Domainfactory GmbH
c/o WeWork
Neuturmstraße 5
D-80331 München
(www.amanogroup.com)
Host Europe GmbH
Hansestraße 111
D-51149 Köln
(www.josephberlin.de)
SSL and TLS Encryption
This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as bookings or enquiries that you send to us as the website operator.
A secure connection can be recognised by the change of the browser address line from “http://” to “https://” and by the lock symbol in your browser’s address bar.
When SSL or TLS encryption is active, the data you transmit to us cannot be read by third parties.
Server Log Files
You can generally use our website for purely informational purposes without disclosing your identity.
When accessing the individual pages of the website for this purpose, only access data is transmitted to our web hosting provider to display the website for you. These data include:
The temporary processing of the IP address by the system is necessary to technically deliver the website to your computer. Processing of your IP address for the duration of the session is required for this purpose. The legal basis for this processing is Art. 6 (1) sentence 1 lit. f GDPR.
The access data is not used to identify individual users and is not merged with other data sources.
IP addresses are stored in log files to ensure the functionality of the website. In addition, the data are used to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
Data are generally deleted no later than seven days; further processing may be possible in individual cases. In such cases, the IP address will be deleted or anonymised so that a connection to the calling client is no longer possible.
Details can be found in the privacy policy of Domainfactory (https://www.df.eu/de/datenschutz/) and Host Europe (https://www.hosteurope.de/AGB/Datenschutzerklaerung/).
Our websites use so-called “cookies”. Cookies are small data packages and do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after the end of your visit. Persistent cookies remain stored on your device until you delete them yourself or until they are automatically deleted by your web browser.
Cookies can originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g., cookies for processing payment services).
Cookies serve different functions. Many cookies are technically necessary because certain website functions would not work without them (e.g., the shopping cart function or video display). Other cookies can be used to analyse user behaviour or for advertising purposes.
Cookies that are necessary for the execution of the electronic communication process, for providing certain functions requested by you (e.g., for the shopping cart function), or for optimising the website (e.g., cookies for measuring web traffic) (necessary cookies) are stored based on Art. 6 (1) lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies to provide its services in a technically error-free and optimised manner.
If consent has been requested for the storage of cookies and comparable recognition technologies, processing takes place exclusively based on this consent (Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG); consent can be revoked at any time for the future.
You can configure your browser so that you are informed about the setting of cookies and allow cookies only on a case-by-case basis, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.
Consent Banner
Our website uses consent technology to obtain your consent for storing certain cookies on your device or for using certain technologies and to document this in compliance with data protection regulations. The provider of this technology is:
OneTrust Technology Limited
82 St John St, Farringdon
London EC1M 4JN
United Kingdom (UK)
(hereinafter referred to as OneTrust)
When you visit our website, a connection is established with OneTrust’s servers to obtain your consents and other declarations regarding the use of cookies. Afterwards, OneTrust stores a cookie in your browser to be able to assign the consents granted or their revocation to you. The data collected in this way is stored until you request its deletion, the consent manager provider cookie is deleted by you, or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.
The use of consent technology serves to obtain the legally required consents for the use of cookies. The legal basis for this is Art. 6 (1) lit. c GDPR.
When you visit this website, your browsing behavior may be statistically analyzed. This is primarily done using so-called analytics programs.
Google Tag Manager
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that allows us to integrate tracking or analytics tools and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not store cookies, and does not perform independent analyses. It is only used to manage and deploy the tools integrated through it. However, Google Tag Manager does collect your IP address, which may also be transmitted to Google’s parent company in the United States.
The use of Google Tag Manager is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and management of various tools on its website.
Within Google Tag Manager as a tag management system, we use Google Enhanced Conversions. If you were redirected to our website through a Google ad, we send – provided you have consented via the consent banner – a hashed identifier and information about possible purchases to Google. The secure one-way hash algorithm SHA256 is used for this. The hashed data is a cryptic series of numbers and characters generated from the information you provided, such as your email address and phone number entered during a purchase/booking on our website. If you have a Google account and are logged in during your purchase, Google compares this hashed data with your hashed account user data. Google processes this data to understand which ad you clicked on, to measure its success, and to provide us with this information in aggregated form. This allows us to statistically track leads and measure ad performance – without affecting your device and without any personal reference. Google stores this data for 20 days.
More information on Google Enhanced Conversions: https://support.google.com/google-ads/answer/9888656?hl=en
If applicable consent has been obtained, processing is exclusively based on Art. 6(1)(a) GDPR, which also applies to consent covering the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) in accordance with the TDDDG. Consent can be revoked at any time for the future.
Google Analytics
This website uses features of the web analytics service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Tracking via Google Analytics and Google Ads only takes place if you have given your consent (opt-in) through the consent banner.
If you do not give your consent, only ping-based information without personal reference and without affecting your device will be sent to Google. These so-called ping information works without cookies. They may contain information such as the timestamp and referring URL. No personally identifiable information is stored. Additionally, the ping information allows the website operator to compare opt-in and opt-out rates. Using this information, conversions from users who rejected the consent banner are then modeled.
Google Analytics enables the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, duration of visits, operating systems used, and user origin. These data are compiled into a user ID and assigned to the respective visitor’s device.
Furthermore, Google Analytics allows us to track scroll movements and clicks. Google Analytics also uses various modeling approaches to supplement collected datasets and employs machine learning technologies in data analysis.
Google Analytics uses technologies that enable the recognition of users for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the United States and stored there. Use of this service is based on your consent under Art. 6(1)(a) GDPR. Consent can be revoked at any time for the future.
Data transfer to Google is based on the EU Commission’s standard contractual clauses. Details can be found here: https://business.safety.google/adscontrollerterms/sccs/
We have activated IP anonymization on this website. Your IP address will therefore be truncated by Google within the EU member states, the UK, and other contracting states of the European Economic Area before being transmitted to the USA. On behalf of the website operator, Google will use this information to evaluate your website usage, compile reports on website activity, and provide other services related to website and internet usage. The IP address transmitted by your browser via Google Analytics will not be merged with other Google data.
Google-Signale
When you visit our website, Google Analytics collects, among other things, your location, search history, and YouTube history, as well as demographic data (visitor data). These data can be used for personalized advertising through Google Signals. If you have a Google account, the visitor data from Google Signals is linked to your Google account and used for personalized advertising. The data is also used to generate anonymized statistics on our users’ behavior.
This website uses Google Analytics’ “demographics” feature to show website visitors relevant ads within the Google advertising network. This allows reports containing information on age, gender, and interests of website visitors. These data originate from Google interest-based advertising and from third-party visitor data. These data cannot be attributed to a specific person. You can disable this feature at any time in your Google account ad settings.
Google Analytics “E-commerce Tracking”
E-commerce tracking enables the website operator to analyze visitors’ purchasing behavior to improve online marketing campaigns. Information such as completed orders, average order values, shipping costs, and time from product view to purchase is collected. These data may be aggregated by Google under a transaction ID, which is assigned to the respective user or device.
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en
More information on handling user data in Google Analytics can be found in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=en
Google Ads
Google Ads is an online advertising program provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads enables us to display advertisements in the Google search engine or on third-party websites when users enter certain search terms on Google (keyword targeting). In addition, targeted advertisements can be displayed based on user data available at Google (e.g., location data and interests) (audience targeting). As the website operator, we can analyze this data quantitatively, for example by examining which search terms triggered our ads and how many ads led to corresponding clicks.
The use of this service is based on your consent in accordance with Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time for the future.
Within the Google Tag Manager as a tag management system, we use Google Enhanced Conversions.
If you visit our website via a Google ad, we transmit a hashed identifier and information about potential purchases to Google. For this purpose, the secure one-way hash algorithm SHA256 is applied to your email address and phone number collected by us before transmission to Google. The hash data is then matched with logged-in Google accounts. Google processes this data to understand which ad you clicked on, measure its success, and provide us with this information in aggregated form. This allows us to track leads and measure the success of ads. Google stores the data for a period of 20 days.
Depending on how you interact with our consent banner, the tag adjusts whether marketing cookies are used as usual (based on your consent) or conversions are attributed solely via ping information (without personal reference and without affecting your device).
If you do not provide consent, only ping-based information without personal reference and without intervention on your device is sent to Google. This ping information functions without cookies and may contain information such as timestamp and referrer URL. No personally identifiable information is stored. Additionally, the ping information allows the website operator to compare opt-in and opt-out rates. Using this information, conversions from users who declined the cookie banner are then modeled.
Google Ads Remarketing
This website uses the functions of Google Ads Remarketing. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
With Google Ads Remarketing, we can assign persons who interact with our online offerings to specific target groups. For audience creation, we use, among other methods, the Customer Match feature of Google Ads Remarketing. If the respective customers are Google users and logged into their Google account, they are shown relevant advertisements within the Google network (e.g., on YouTube, Gmail, or in the search engine).
Furthermore, the advertising audiences created with Google Ads Remarketing can be linked across devices using Google’s cross-device features. In this way, interest-based, personalized ads that were adapted to you based on your previous usage and browsing behavior on one device (e.g., smartphone) can also be displayed on another of your devices (e.g., tablet or PC).
Audience creation using Customer Match
For audience creation, we use, among other methods, the Customer Match feature of Google Ads Remarketing. In this process, we transmit certain customer data (e.g., email addresses) from our customer lists to Google. The import is carried out in a pseudonymized form using the secure SHA256 hash algorithm. Customer Match compares these pseudonymized email lists with Google’s own database of registered Google users. If the respective customers are Google users and logged into their Google account, they are shown relevant advertisements within the Google network (e.g., on YouTube, Gmail, or in the search engine).
In addition, Google can use the uploaded pseudonymous user lists to identify similar customers with comparable interests for us. After the creation of Customer Match lists, the encrypted customer data is automatically deleted by Google. Google provides information on handling uploaded data files at the following link: https://support.google.com/google-ads/answer/6334160?sjid=8885968457536723958-EU.
If you have a Google account, you can opt out of personalized advertising at the following link: https://www.google.com/settings/ads/onweb/.
The use of this service is based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time for the future.
Further information and Google’s privacy policies can be found in Google’s privacy statement at: https://policies.google.com/technologies/ads?hl=de.
Google Conversion Tracking
This website uses Google Conversion Tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
With the help of Google Conversion Tracking, Google and we can determine whether a user has completed specific actions. For example, we can analyze which buttons on our website are clicked most frequently and which products are viewed or purchased most often. This information is used to create conversion statistics. We learn the total number of users who clicked on our ads and what actions they performed. We do not receive information that allows us to personally identify the users. Google itself uses cookies or similar recognition technologies for identification.
The use of this service is based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time for the future.
More information on Google Conversion Tracking can be found in Google’s privacy policies: https://policies.google.com/privacy?hl=de
Bing Ads
This website uses Bing Ads. The provider is Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, hereinafter “Microsoft”).
Microsoft stores a cookie on the user’s computer to enable an analysis of the use of our online services. Microsoft and we can thus determine that someone clicked on an ad, was redirected to our online offering, and reached a previously defined target page. Within the Google Tag Manager, we also use Microsoft Ads Enhanced Conversions. Both functions require that the user reached our website via a Microsoft Bing Ads advertisement.
For Microsoft Ads Enhanced Conversions, the secure one-way hash algorithm SHA256 is applied to your email address and phone number collected by us before being sent to Microsoft. The hashed data is then matched with registered Microsoft accounts. Microsoft processes the data to understand which ad you clicked on, to measure its success, and to provide us with this information in aggregated form. This allows us to track leads and measure the success of ads. Microsoft stores the data for a period of 90 days. We only receive the total number of users who clicked on a Bing ad and were subsequently redirected to the target page (conversions). No IP addresses are stored. Due to the marketing tools used, your browser automatically establishes a direct connection with Microsoft’s server. We have no influence over the scope or further processing of the data collected through the use of Bing Ads.
The use of this service is based on your consent according to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time for the future.
Further information on privacy at Microsoft can be found here: https://privacy.microsoft.com/de-de/privacystatement.
LinkedIn Insight Tag
This website uses the LinkedIn Insight Tag. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
With the help of the LinkedIn Insight Tag, we receive information about visitors to our website. If a website visitor is registered with LinkedIn, we can, among other things, analyze professional information (e.g., career level, company size, country, location, industry, and job title) of our website visitors and tailor our site to the respective target groups. Furthermore, the LinkedIn Insight Tag allows us to measure whether visitors perform a purchase or other action on our websites (conversion tracking). Conversion tracking can also occur across devices (e.g., from PC to tablet). The LinkedIn Insight Tag also provides a retargeting function, which allows us to show targeted advertising to website visitors outside our website, with LinkedIn stating that the advertiser cannot identify the individual user.
LinkedIn also collects so-called log files (URL, referrer URL, IP address, device and browser characteristics, and access time). IP addresses are shortened or, if used to reach LinkedIn members across devices, hashed (pseudonymized). Direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data is then deleted within 180 days.
The data collected by LinkedIn cannot be assigned to individual persons by us as the website operator. LinkedIn will store the collected personal data of website visitors on its servers in the USA and use it for its own advertising purposes. Details can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy#choices-oblig.
If consent has been obtained, the use of the above-mentioned service is based exclusively on Art. 6(1)(a) GDPR and § 25 TDDDG. Consent can be revoked at any time for the future. If no consent has been obtained, the service is used on the basis of Art. 6(1)(f) GDPR, as the website operator has a legitimate interest in effective advertising measures, including social media.
The data transfer to LinkedIn is based on the Standard Contractual Clauses of the European Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.
You can object to LinkedIn’s analysis of user behavior and targeted advertising at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Furthermore, LinkedIn members can manage the use of their personal data for advertising purposes in their account settings. To prevent LinkedIn from linking data collected on our website with your LinkedIn account, you must log out of your LinkedIn account before visiting our website.
THN – THE HOTELS NETWORK
This website uses the software of THE HOTELS NETWORK (THN) (https://www.thehotelsnetwork.com, Muntaner 262, 3º, 08021 Barcelona, Spain).
With the help of this software, we are able to analyze user behavior in an anonymized manner. This allows us to better understand how users interact with our website and, at the same time, offer them relevant user experiences. For this purpose, THN generates a backend hash on our behalf using the data of website users. The hash (a cryptic string of numbers and characters) is created solely from the data of the website visitor that is necessary for delivering the website: IP addresses, MAC addresses. This hash is irreversible, which means it cannot be assigned to any individual. However, it allows us to perform anonymous analyses and statistics regarding how and how often visitors use our website. Personal identification of users is not possible for us or our service provider. If a user is not identified again as a visitor of the website within a maximum of 2 years, their backend hash will be deleted.
The use of the THN service is based on Art. 6(1)(a) GDPR, which also applies if consent covers the storage of cookies or access to information on the user’s device (e.g., via device fingerprinting) under § 25 TDDDG. Consent can be revoked at any time for the future.
The following THN services are used on our website to provide relevant user experiences:
Processing of Customer and Contract Data
We collect, process, and use personal customer and contract data for the establishment, content-related structuring, and modification of our contractual relationships. Personal data regarding the use of this website (usage data) is collected, processed, and used only to the extent necessary to enable the user to make use of the service or to bill for it. The legal basis for this is Art. 6(1)(b) GDPR.
The collected customer data will be deleted after the completion of the order or termination of the business relationship and after any applicable statutory retention periods have expired.
Data Transfer
We only transfer personal data to third parties if this is necessary for the execution of the contract, for example to the financial institution responsible for processing payments.
Further transfer of data does not take place, or only occurs if you have explicitly consented to the transfer. Your data will not be shared with third parties without your explicit consent, for example for advertising purposes.
The legal basis for data processing is Art. 6(1)(b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.
Processing and Transfer of Personal Data
If you wish to make a booking in our online booking system, it is necessary for the initiation and conclusion of the contract that you provide personal data such as your name, address, email address, and telephone number. The mandatory information required for the booking and contract processing is marked separately; any additional information is provided voluntarily.
We process your data for booking management. In particular, we will forward payment data to the payment service provider you have chosen or to our house bank. In connection with your booking or booking request, booking information is also transmitted to the external operator Mews Systems BV, Wibautstraat 137 D, Scalehub 2nd floor, 1097DN Amsterdam, Netherlands for the purpose of contract performance or preparation. The legal basis for this processing is Art. 6(1)(b) GDPR.
To prevent unauthorized third-party access to your personal data, the booking process on the website is encrypted using SSL/TLS technology.
Data collected in this context is deleted once storage is no longer required, or processing is restricted if statutory retention obligations exist. Due to mandatory commercial and tax regulations, we are obliged to retain your address, payment, and booking data in accordance with § 147 AO and § 257 HGB. Two years after the end of the contract, we restrict processing and reduce it to compliance with existing legal obligations.
Encrypted Payment Transactions on this Website
If, following the conclusion of a paid contract, you are required to provide us with your payment data (e.g., account number for direct debit), this data is necessary for payment processing.
Payment transactions via common payment methods (Visa, MasterCard, AMEX, Diners Club, JCB, and in the future also PayPal) are carried out exclusively via an encrypted SSL or TLS connection. An encrypted connection can be identified by the browser address bar changing from “http://” to “https://” and by the lock symbol in your browser.
During encrypted communication, your payment data transmitted to us cannot be read by third parties.
On our website, we use the table reservation platform Open Table. The provider of Open Table (for our locations in Germany and the UK) is:
Open Table GmbH
Schumannstraße 27
D-60325 Frankfurt
(hereinafter “Open Table”)
In the UK, we also use the table reservation platform The Fork:
La Fourchette SAS
70 rue Saint-Lazare
F-75009 Paris
By using these reservation systems, the providers receive your contact details as well as the information required to process the reservation (e.g., date of visit, accommodation). In this context, the data mentioned under the section “Access Data” is also transmitted to the respective service provider, and cookies may be used in accordance with the section “Cookies”.
The service providers process your data for the purposes of reservation management, their own advertising, market research, and/or to optimize their own websites. Your data may also be transferred outside the EU, in particular to the USA.
Further information and the applicable privacy policies can be found for Open Table at https://www.opentable.de/legal/privacy-policy and for The Fork at https://www.thefork.de/legal#datenschutzerklarung-und-cookie-richtlinien.
The legal basis for processing is Art. 6(1)(f) GDPR. Processing serves to make our web offering more attractive and to provide you with additional services. We have no knowledge of or influence on the storage period at Open Table.
If you do not agree with the processing of your data by these service providers, you can also contact us via email. These contact details are available on our restaurant websites.
If you make a table reservation via Open Table GmbH or The Fork, you have the option to consent to subscribe to our newsletter.
With your consent, you will receive our newsletters containing information about special offers and events. Each newsletter includes an option to unsubscribe.
The following service providers receive your email address for newsletter distribution:
In DE und UK:
TravelClick, Inc. („Amadeus“)
75 New Hampshire Ave
Portsmouth, NH 03801
USA
Additionally in UK:
Intuit Mailchimp
405 N Angier Ave
NE Atlanta, GA 30308
USA
When opening the emails, technical information such as details about your browser and system, as well as your IP address and the time of access, is initially collected. This information is processed to improve the services based on the technical data or target groups, as well as your reading behavior, determined by the access locations (which can be identified using the IP address) or the access times.
Inquiries
You can submit inquiries via the forms provided on the websites for the creation of vouchers, group reservations, or rental requests for event or promotional spaces.
If you submit an inquiry via a contact form, the information you provide in the form, including your contact details, will be stored for the purpose of processing your request and for any follow-up questions.
The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the performance of a contract or is necessary for pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time for the future.
For rental inquiries for event or promotional spaces in the UK, your data will be forwarded to our service provider:
Event Temple
525 Seymour St #901
Vancouver, BC V6B3H6
Canada
The EU has issued an adequacy decision for Canada. This means that the level of data protection in Canada corresponds to that of the EU.
Inquiries via E-Mail or Telephone
If you contact us by e-mail or telephone, your inquiry, including all personal data resulting from it (name, telephone number, e-mail/IP address, inquiry text), will be stored and processed by us for the purpose of handling your request. We will not share this data without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the performance of a contract or is necessary for pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time for the future.
The data you provide to us will remain with us until you request its deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been fully processed). Mandatory legal provisions—especially statutory retention periods—remain unaffected.
Chatbot
You can use our chatbot on our website. This is provided by the following service provider:
D3x - Akin Labs, Inc.
440 N Barranca Ave #2546, Covina, CA, 91723
USA (California)
Chat histories may be used by us for tracking guest services (e.g., handling complaints).
Data Protection Information for Guests at the Hotel, Restaurant or an Event
Your data are processed for the purposes of initiating and performing the accommodation contract, fulfilling registration, financial, and tax law obligations, exercising house rules, asserting and exercising or defending legal claims, online check-in, online check-out, providing special guest services (e.g., mobility service, preferences such as room/pillow requests), complaint management, satisfaction surveys, as well as advertising.
GDPR Art. 6 (1) a) allows us to process your data based on your consent for specific purposes, e.g., subscribing to our newsletter.
GDPR Art. 6 (1) b) covers data processing that is necessary for the performance of a contract (accommodation contract) as well as for pre-contractual measures.
GDPR Art. 6 (1) c) allows us to process your data based on a legal obligation, e.g., registration form (§ 29 ff BMG) or retention obligations under financial and tax law.
GDPR Art. 6 (1) f) allows us to process your personal data when we or a third party have a legitimate interest in this processing and your interests, fundamental rights, or freedoms do not oppose it, e.g.:
Within our company, employees only have access to your personal data to the extent necessary for the performance of their duties. All employees are obliged to maintain confidentiality and comply with data protection requirements.
Service providers may receive your data so that they can be used for the purposes described above, provided they comply with the confidentiality requirements of data protection law. These include, for example, companies in the following categories: IT services, online check-in, online check-out, smart key services, property management system (PMS), reservation system, payment service providers, customer relationship management (CRM, messenger services, e-mail automation), table reservation systems, digital guest directories, hosting, printing and mailing services, marketing / PR / event agencies, ticket service portals, transportation services, laundry service, and data destruction. These service providers are designated as data processors (processors) and are subject to specific contractual obligations under statutory requirements.
Other Recipients
The hotel may receive data from the following third parties:
Data categories in this context regularly include:
Data Protection Information for Applications
General information:
We offer you the opportunity to apply for a position with us (e.g. by email, mail or via online platforms). Below, we provide information about the scope, purpose and use of your personal data collected during the application process. We assure you that your data will be collected, processed and used in accordance with applicable data protection law and all other legal provisions, and that your data will be treated as strictly confidential.
If you send us an application, we will process your personal data it contains (such as contact and communication data, application documents, notes taken during interviews, etc.) to the extent necessary to decide whether to establish an employment relationship. The legal basis for this is Art. 6 (1) (b) GDPR (general contract initiation) and – if you have given your consent – Art. 6 (1) (a) GDPR. You can revoke your consent at any time. Your personal data will only be forwarded to persons within our company who are involved in processing your application.
If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Art. 6 (1) (b) GDPR for the purpose of implementing the employment relationship.
If you have also voluntarily provided special categories of personal data (such as health data, religious affiliation, degree of disability) in your letter of application or during the application process, this data will only be processed if you have given your prior consent or if there is a legal reason allowing us to do so.
If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 (1) (f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data is then erased and the physical application documents destroyed. The main reason for retaining data is to use it as evidence in the event of a legal dispute. If it is evident that the data will be required after the 6-month period has expired (such as due to an impending or pending legal dispute), the data will not be erased until the purpose for continuing to retain it no longer applies.
The retention period may be even longer if you have given your consent (Art. 6 (1) (a) GDPR) or if legal data retention obligations prevent us from erasing it.
If we do not make you a job offer, we may be able to include you in our pool of applicants. If we do include you, all documents and details from the application process will be transferred to the applicant pool in order to contact you if any suitable vacancies arise.
You will only be included in the applicant pool if you have given your express consent (Art. 6 (1) (a) GDPR). Your consent is voluntary and not related to the current application process. You may revoke your consent at any time. In this case, your data will be irrevocably erased from the applicant pool.
The data from the applicant pool will be irrevocably erased no later than two years after you have given your consent.
In our company, only the employees who require this data to perform their tasks will be given access to your personal data to the extent needed to do so.
Service providers may receive your data in order for them to be used for the purposes described above, provided that this is necessary and that they comply with the confidentiality requirements of data protection law (order processing contract). Your data will not be transferred outside the EU/EEA/UK.
You are under no legal or contractual obligation to provide us with data. However, we can only consider your application if you have provided the data we require.
If you have published profiles about yourself in business networks such as XING or LinkedIn, we will take a look at them.
We offer our job vacancies in the career section of our website via links to the platform of the HOTELCAREER service provider. HOTELCAREER is a service of YOURCAREERGROUP GmbH, Völklinger Straße 1, in 40219 Düsseldorf.
If you use this method to apply, your data will be recorded by HOTELCAREER and transmitted to us in encrypted form. You can view YOURCAREERGROUP’s privacy policy at https://www.hotelcareer.de/datenschutzerklärung.
We will erase the information after the application process has ended if your application is unsuccessful. The legal basis for processing your applicant data is Art. 6 (1) sentence 1 (b) GDPR.
Data Protection Information for Audio and Video Conferences
General information:
We use online conference tools to communicate with our business partners. The specific tools we use are listed below. If you communicate with us by video or audio conference via the Internet, your personal data will be collected and processed by us and by the provider of the respective conference tool.
The conference tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). In addition, the conference tools process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other “contextual information” related to the communication process (metadata).
Furthermore, the provider of the tool processes all technical data required for handling the online communication. Specifically, this data includes IP addresses, MAC addresses, device IDs, the device type, the operating system type and version, the client version, the camera type, the microphone or speaker and the type of connection.
If content is exchanged, uploaded or otherwise made available within the tool, this will also be stored on the servers of the tool providers. Such content includes, but is not limited to, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.
Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the corporate policy of each provider. For more information on data processing performed by the conference tools, please refer to the data protection statements of the respective tools used, which are listed below this text.
The conference tools are used to communicate with prospective or existing contractual partners (Art. 6 (1) (b) GDPR). Furthermore, the purpose of these tools is the general simplification and streamlining of communication with us or our company (legitimate interest within the meaning of Art. 6 (1) (f) GDPR). Insofar as consent has been requested, the tools in question are used on the basis of this consent; consent can be revoked at any time with future effect.
The data collected directly by us using the video and conference tools will be erased from our systems as soon as you ask us to erase it, if you revoke your consent to store it or once the purpose for storing the data no longer applies. Stored cookies will remain on your terminal device until you delete them. Mandatory statutory retention periods remain unaffected by this.
We have no influence on the retention period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.
We use Zoom. This service is provided by Zoom Communications Inc, San Jose, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA. For details on data processing, please refer to Zoom’s privacy policy.: https://zoom.us/de-de/privacy.html.
Data transfer to the USA is governed by the standard contractual clauses of the EU Commission. For details, go to: https://zoom.us/de-de/privacy.html.
We use Google Meet. It is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on data processing, see Google’s privacy policy: https://policies.google.com/privacy?hl=de.
We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Microsoft Teams privacy policy: https://privacy.microsoft.com/de-de/privacystatement.
The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that aims to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/6474.