Privacy Policy - stay! Hotel and Boardinghouse Hamburg

Privacy Policy (English)

1. Introduction

This website is operated by: Boardinghouse Stay! Hotel GmbH.

It is very important to us to handle the data of our website visitors in a trustworthy manner and protect it as best as possible. For this reason, we make every effort to meet the requirements of the GDPR.

Below we explain how we process your data on our website. We use the clearest and most transparent language possible so that you truly understand what happens with your data.

2. General Information

2.1 Processing of personal data and other terms

Data protection applies to the processing of personal data. Personal means all data with which you can be personally identified. For example, this is the IP address of the device (PC, laptop, smartphone, etc.) you are currently using. Such data is processed when “something happens to it.” Here, for example, the browser transmits the IP to our provider and it is automatically stored there. That is processing (under Art. 4 No. 2 GDPR) of personal data (under Art. 4 No. 1 GDPR).

These and further legal definitions can be found in Art. 4 GDPR.

2.2 Applicable regulations/laws – GDPR, BDSG and TDDDG

The scope of data protection is regulated by laws. In this case, these are the GDPR (General Data Protection Regulation) as a European regulation and the BDSG (Federal Data Protection Act) as a national law.

In addition, the TDDDG supplements the provisions of the GDPR insofar as cookies are used.

2.3 The Controller

The party responsible for data processing on this website is the controller within the meaning of the GDPR. This is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.

You can reach the controller at:

Boardinghouse Stay! Hotel GmbH

Kreuzweg 12, 20099 Hamburg

info@stay-hotel.de

2.4 How data is generally processed on this website

As we have already noted, there are data (e.g., IP address) that are collected automatically. These data are primarily required for the technical provision of the homepage. Insofar as we use personal data beyond this or collect other data, we will inform you about it or request your consent.

You deliberately provide other personal data to us.

You will find detailed information on this below.

2.5 Your Rights

The GDPR provides you with comprehensive rights. These include, for example, free information about the origin, recipients and purpose of your stored personal data. You can also request the correction, blocking or deletion of these data or lodge a complaint with the competent data protection supervisory authority. You can revoke consent you have given at any time.

You will find details of these rights and how to exercise them in the last section of this privacy policy.

2.6 Data protection – our view

For us, data protection is more than just an annoying obligation! Personal data has great value, and careful handling of this data should be a matter of course in our digital world. In addition, you as a website visitor should be able to decide for yourself what, when and by whom something “happens” to your data. Therefore, we undertake to comply with all legal requirements, collect only the data necessary for us, and of course treat them confidentially.

2.7 Disclosure and deletion

Disclosure and deletion of data are also important and sensitive topics. Therefore, we would like to briefly inform you in advance about our general approach to this.

Data is disclosed only where there is a legal basis and only when unavoidable. This can be the case in particular if the recipient is a so-called processor and a data processing agreement has been concluded in accordance with Art. 28 GDPR.

We delete your data when the purpose and legal basis for processing cease to apply and no other legal obligations oppose deletion. Art. 17 GDPR also provides a good overview of this.

Please refer to this privacy policy for all further information and contact the controller if you have specific questions.

2.8 Hosting

This website is externally hosted. The personal data collected on this website are stored on the servers of the host provider. This includes, on the one hand, the automatically collected and stored log files (see below for details), as well as all other data provided by website visitors.

External hosting is performed for the purpose of providing our website in a secure, fast and reliable manner and, in this context, serves the fulfillment of contracts with our potential and existing customers.

The legal basis for processing is Art. 6(1)(a), (b) and (f) GDPR, as well as Section 25(1) TDDDG, insofar as consent includes the storage of cookies or access to information on the end device of the website visitor or user within the meaning of the TDDDG.

Our host processes only such data as are necessary to fulfill its performance obligations and acts as our processor, i.e., it is subject to our instructions. We have concluded a corresponding data processing agreement with our host.

We use the following hosting provider:
Amazon Web Services (AWS) Germany GmbH
Krausenstr. 38
10117 Berlin
Germany


The servers used by Amazon Web Services for data storage are located within the territory of the Federal Republic of Germany in Frankfurt/Main and are subject to the data protection laws of both national and European legislators. Amazon Web Services also handles your data in accordance with the relevant legal provisions. The privacy policy of Amazon Web Services can be accessed via the following link: https://aws.amazon.com/privacy/

2.9 Legal bases

The processing of personal data always requires a legal basis. Article 6(1), first sentence, GDPR provides for the following possibilities:

a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In the following sections, we will state the specific legal basis for the respective processing.

3. What happens on our website

When you visit our website, we process personal data about you.

To best protect these data against unauthorized interference by third parties, we use SSL or TLS encryption. You can recognize this encrypted connection by the fact that “https://” or a lock symbol is displayed in your browser’s address bar.

Below you will learn which data are collected when you visit our website, for what purpose this occurs, and on which legal basis.

3.1 Data collection when calling up the website

When the website is accessed, information is automatically stored in so-called server log files. This information includes:

Browser type and browser version

Operating system used

Referrer URL

Hostname of the accessing computer

Time of the server request

IP address

These data are temporarily needed to be able to display our website to you permanently and without problems. In particular, these data serve the following purposes:

System security of the website

System stability of the website

Error resolution on the website

Establishing a connection to the website

Display of the website

Data processing is carried out pursuant to Art. 6(1)(f) GDPR and based on our legitimate interest in processing these data, in particular our interest in the website’s functionality and security.

These data are stored in a pseudonymized manner where possible and deleted after the respective purpose has been achieved.

Insofar as the server log files allow the identification of the data subject, the data are stored for a maximum period of 14 days. An exception applies if a security-relevant event occurs. In that case, the server log files are stored until the security-relevant event has been remedied and conclusively clarified.

Beyond this, no merging with other data takes place.

3.2 Cookies

3.2.1 General

This website uses so-called cookies. These are data records—pieces of information—that are stored in your device’s browser and relate to our website.

By setting cookies, website navigation can be made easier for visitors.

In our cookie consent tool you will find all information about the cookies we use on our website (if applicable, after your consent).

3.2.2 Rejecting cookies

All cookies that are not technically necessary can be managed directly via our cookie consent tool.

The setting of cookies can be prevented by adjusting your browser settings.

Here you will find the corresponding links to commonly used browsers:

Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-und-website-daten-in-firefox-loschen?redirectslug=Cookies+l%C3%B6schen&redirectlocale=de

Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=de

Microsoft Edge: https://support.microsoft.com/de-de/windows/l%C3%B6schen-und-verwalten-von-cookies-168dab11-0753-043d-7c16-ede5947fc64d

Safari: https://support.apple.com/de-de/guide/mdm/mdmf7d5714d4/web and https://support.apple.com/de-de/guide/safari/sfri11471/mac .

If you use a different browser, it is advisable to enter the name of your browser and ‘delete and manage cookies’ in a search engine and follow the official link to your browser.

Alternatively, you can also manage your cookie settings at www.aboutads.info/choices/ or www.youronlinechoices.com .

However, we must point out that comprehensive blocking/deletion of cookies may lead to impairments when using the website.

3.2.3 Technically necessary cookies

We use technically necessary cookies on this website so that our website functions correctly and in accordance with applicable laws. They help to make the website user-friendly. Some functions of our website cannot be displayed without the use of cookies.

The legal basis for this is, depending on the individual case, Art. 6(1)(b), (c) and/or (f) GDPR.

3.2.4 Technically non-essential cookies

We also use cookies on our website that are not technically necessary. These cookies are used, among other things, to analyze the surfing behavior of website visitors or to offer website functions that are not technically essential.

The legal basis for this is your consent in accordance with Art. 6(1)(a) GDPR.

Technically non-essential cookies are set only with your consent, which you can revoke at any time in the cookie consent tool.

3.3 Data processing through user input

3.3.1 Own data collection

We offer the following service on our website: Reservation inquiries via web form.

For this we collect the following data:

Name

Email address

Address

Telephone number

The legal basis for this data processing is Art. 6(1)(b) GDPR.

The data will be deleted as soon as the respective purpose no longer applies and this is permitted in accordance with legal requirements.

3.3.2 Contact

a) Email

If you contact us by email, we process your email address and, if applicable, other data contained in the email. These are stored on the mail server and partly on the respective end devices. Depending on the request, the legal basis for this is regularly Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR. The data will be deleted as soon as the respective purpose no longer applies and this is permitted under legal requirements. 

b) Telephone

If you contact us by telephone, the call data may be stored in a pseudonymized form on the respective end device and at the telecommunications provider used. Personal data collected during the telephone conversation are processed exclusively to handle your request. Depending on the request, the legal basis for this is regularly Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR. The data will be deleted as soon as the respective purpose no longer applies and this is permitted under legal requirements. 

c) Contact form

We provide a contact form, which serves to contact our company. 

In this form, we generally process your first and last name, your telephone number, your email address, a postal address, and the content of the message. The data are stored on our web server and forwarded internally to the respective responsible email addresses. 

The legal basis for data processing is Art. 6(1)(f) GDPR, since we have a legitimate interest in answering your request and offering an uncomplicated means of contact. If the contact aims at concluding a contract, the additional legal basis for the processing is Art. 6(1)(b) GDPR.

We delete these data no later than 3 months after receipt, unless they are required for an existing contractual relationship.

The contact form on our website is based on our own development. No transfer of data to third parties takes place.

3.4 Cookie consent tool

3.4.1 Cookiebot

To ensure that only cookies for which there is a legal basis are set on our website, we use the consent management tool “Cookiebot” from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. 

This service is used to obtain the website visitor’s consent to store certain cookies in their browser or to use certain technologies and to document this in a manner compliant with data protection law. 

When this website is accessed, the consent granted by the website visitor or the withdrawal of consent is stored as a Cookiebot cookie in the website visitor’s browser. For this purpose, a connection to Cookiebot’s servers is established. 

The legal basis is Art. 6(1)(c) GDPR. Cookiebot is used to obtain the legally required consent for the use of cookies. 

The collected data are stored until the website visitor asks us to delete them, Cookiebot deletes them itself, or the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected.

3.5 Website builder system

3.5.1 hellohotel.io

We use the website builder hellohotel.io for the setup and management of our website. The service is operated by hello again GmbH, Hafenstraße 47–51, 4020 Linz, Austria.

hellohotel.io provides a cloud-based website builder system tailored in particular to the needs of hotels, guesthouses and hospitality businesses. It enables the simple creation, maintenance and publication of website content, including booking functions, image galleries and forms.

In the course of use, personal data are processed, in particular IP address, device and browser information, language settings, referrer URL, time of access, and, where applicable, content from forms or booking inquiries submitted via the website.

The purpose of processing is the technical operation and presentation of our website, including the options for interaction with website visitors.

The legal basis for processing is Art. 6(1)(f) GDPR, based on our legitimate interest in a professional and functional web presence. If interactions with users take place (e.g., through inquiries or bookings), Art. 6(1)(b) GDPR additionally applies.

hellohotel.io may use cookies for technical function, optimization and analysis of user behavior. These cookies are set only with consent. The legal basis for this is Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.

As of now, no data transfer to a third country takes place; processing occurs within the EU.

Data are deleted as soon as they are no longer required to achieve the purpose and no statutory retention obligations exist.

Further information on data processing by hellohotel.io can be found in the provider’s privacy policy.

3.6 Analytics and tracking tools

3.6.1 Google Analytics

We use Google Analytics on this website. Google Analytics is a web analytics service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies to recognize the user and thus analyze usage behavior. These cookies are set only with consent. Consent can be revoked at any time and managed in our cookie consent tool.

The legal basis for processing is Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

The information collected here is generally transferred to a Google server in the USA and stored there. On July 10, 2023, the European Commission adopted an adequacy decision for the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework. Since Google servers are located worldwide and data transfers to third countries (e.g., Singapore) cannot be ruled out, the EU Commission’s Standard Contractual Clauses (SCC) apply.

When using Google Analytics, IP anonymization applies. The IP address of the respective user is shortened on servers within the EU (or the European Economic Area) so that tracing back to a natural person is no longer possible. In addition, Google undertakes to ensure adequate data protection under the Google Ads Data Processing Terms and generates an evaluation of website usage and activity and provides the services associated with this usage. The Google Ads Data Processing Terms apply to companies subject to the GDPR in the EEA, the California Consumer Privacy Act (CCPA) or similar regulations. 

An additional browser plugin can prevent the collected information (such as the IP address) from being sent to Google and used by Google. You can find the plugin and further information at https://tools.google.com/dlpage/gaoptout?hl=de

Otherwise, the storage period depends on the type of data processed. Each customer can choose how long Google Analytics stores data before they are automatically deleted. The maximum lifetime of a Google Analytics cookie is two years.

Further information on Google’s use of data can also be found at https://support.google.com/analytics/answer/6004245?hl=de . For all further inquiries, you can also contact support-deutschland@google.com directly.

3.6.2 Google Consent Mode

We use Google Consent Mode on our website to adjust the use of Google services based on your consent. This means that, depending on consent, we either use the full functionalities of these services or only carry out limited data collection.

Google Consent Mode allows certain data processing even when consent has been refused, but in anonymized form.

We use the Basic Consent Mode. This enables us to continue collecting aggregated data even if you have not consented to certain cookies. IP addresses may be transmitted to Google in the process. Processing is carried out to improve our website and to analyze conversion events in anonymized form, enabling us to better assess the performance of our marketing measures.

Processing is carried out on the basis of our legitimate interest in better controlling and using certain consent-required Google services deployed on the website. The legal basis for processing is Art. 6(1) sentence 1 (f) GDPR.

Further information on Google Consent Mode can be found at: https://support.google.com/analytics/answer/9976101.

3.6.3 Google Maps

We use Google Maps on this website. Google Maps is a web mapping service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

When using Google Maps, the IP address is stored. These data are usually transferred to a Google server in the USA and stored there. We have no influence on this. Google may use Google Fonts for uniform display. These fonts are loaded into the website visitor’s browser cache.

Google Maps uses cookies. These cookies are set only with corresponding consent. Consent can be withdrawn at any time.

The legal basis is Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as this consent includes access to information on the user’s end device or the storage of cookies within the meaning of the TDDDG.

For data transfers to the USA, the EU Commission’s Standard Contractual Clauses (SCC) apply.

Further details:

https://privacy.google.com/businesses/gdprcontrollerterms/ and

https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

https://policies.google.com/privacy?hl=de .

3.6.4 Google Tag Manager

We use Google Tag Manager on this website. Google Tag Manager is a web analytics service offered by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager does not store cookies and does not perform its own analysis. It is used solely to manage the tools integrated via it. However, the IP address of the website visitor is collected and may be transferred to Google’s parent company in the USA.

The legal basis for processing is Art. 6(1)(f) GDPR. We have a legitimate interest in easily integrating and managing various tools on our website.

Further details:

https://policies.google.com/privacy?hl=en .

3.7 Social media profiles

In addition to our website, we are also present on social networks with our company. In doing so, we want to present our company and create the opportunity to get in touch with us.

We also use the option to place advertisements and job postings on social media.

Below we inform you which data we and the respective social network process when visiting and interacting with our profile.

3.7.1 Facebook

We operate a Facebook fan page at https://www.facebook.com/. This social network is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

a) Interaction with our company profile

When you visit our Facebook profile and interact with us via it, we process personal data. These are, on the one hand, the publicly available data on the profile and, on the other hand, the personal data contained in posts, comments or direct messages to us. Through interactions such as liking or sharing, we can see the user profile with the public information.

The legal basis for this processing is Art. 6(1)(f) GDPR. It is in our legitimate interest to provide relevant and interesting content and to enable the use and functionality of our Facebook profile.

Insofar as a request is related to the performance of a contract or is necessary to carry out pre-contractual measures, our processing is based on Art. 6(1)(b) GDPR.

b) Page Insights

As explained in Meta’s Privacy Policy under “How do we use your information?”, Meta also collects and uses information to provide analytics services, known as Page Insights, for page operators. This also applies to our Facebook page.

Page Insights are aggregated statistics created from certain interactions of visitors with pages and the content associated with them (e.g., viewing a page or a video, subscribing to a page, liking or unliking a page, etc.) and logged by Meta servers.

In connection with Page Insights, Meta provides us with aggregated statistics and insights that tell us how people interact with our company page. We do not receive access to personal data, only to aggregated Page Insights. With Page Insights, we can view anonymous statistics, e.g., the reach of our account, page views, likes, etc. These also include evaluations by age, gender and location of users (as provided by them in their respective Facebook profiles). For the evaluation of reach, we can make settings or set corresponding filters regarding the selection of a period, the consideration of a particular post as well as demographic groupings. These data are anonymized. We cannot draw conclusions about specific individuals.

The processing of these data serves the purpose of analyzing our reach and adapting our content and advertisements to user interests so that visitors can derive the greatest possible benefit from them. Based on the evaluations of these data, we can see how our content, our profile and our advertising are consumed. This enables us to create target group-oriented content and place advertising to better market our company and our services.

Processing is based on our legitimate interest under Art. 6(1) sentence 1 (f) GDPR.

Personal data processed as part of the so-called Page Insights are processed under joint controllership with Facebook pursuant to Art. 26(1) GDPR.

For this purpose, we have concluded a corresponding agreement with Facebook, which can be viewed here (https://www.facebook.com/legal/terms/page_controller_addendum).

The contact details for Facebook are:

Online contact: https://www.facebook.com/help/contact/1650115808681298

By post: Meta Platforms Ireland Limited, ATTN: Privacy Operations, Merrion Road, Dublin 4, D04 X2K5, Ireland.

You can contact Facebook’s data protection officer at the following link:

https://www.facebook.com/help/contact/540977946302970.

Further information on Page Insights:

https://de-de.facebook.com/legal/terms/page_cntroller_addendum

c) Processing of personal data and cookies by Meta

When accessing a Facebook page, the IP address assigned to your end device is transmitted to Facebook. According to Facebook, this IP address is anonymized (for “German” IP addresses). Facebook also stores information about its users’ end devices (e.g., within the scope of the “login notifications” function); Facebook may thus be able to assign IP addresses to individual users. If you are currently logged in to Facebook as a user, there is a cookie with your Facebook identifier on your end device. This enables Facebook to track that you have visited this page and how you have used it. Through Facebook buttons embedded in websites, Facebook can record your visits to these websites and assign them to your Facebook profile. Based on these data, content or advertising can be offered tailored to you.

Information on how personal data can be managed or deleted can be found in Facebook’s Privacy Center:

https://www.facebook.com/privacy/center/.

Further information on how Facebook handles data can be found here:

http://de-de.facebook.com/about/privacy.

3.8 Third-party content

3.8.1 Google Fonts

We have integrated Google Fonts locally on our server. Therefore, despite their use, no data are transmitted to Google.

3.8.2 OpenStreetMap

We use OpenStreetMap on this website. OpenStreetMap is a plugin that enables the integration of map material on this website. This service is offered by the OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom.

It is a collaborative project that aims to create and provide freely usable geographic data, such as street maps. As it is an open-source project, the data are contributed and updated by a community of mappers from around the world. These data can be used for various purposes, from displaying maps on websites to use in GIS applications, mobile apps and more.

When using the maps, a connection to the servers of the OpenStreetMap Foundation is established. No cookies are involved that are used for tracking website visitors, but at most those that are limited to the functionality of the website.

The legal basis for processing is Art. 6(1)(f) GDPR. We have a legitimate interest in showing locations or providing geographic information.

Further information:

https://wiki.osmfoundation.org/wiki/Privacy_Policy .

3.8.3 Google reCAPTCHA

This website uses Google reCAPTCHA. Google reCAPTCHA is a plugin offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The service makes it possible to determine whether a data entry is made by a human or by an automated program. This analysis starts automatically in the background as soon as the website is entered. Various information is collected for this purpose and transmitted to Google. No explicit notice of this analysis is provided.

The legal basis for processing is Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be withdrawn at any time.

Further details:

https://policies.google.com/privacy?hl=de

https://policies.google.com/terms?hl=de .

3.9 Data disclosure to providers on our platform

When you use our platform to receive services or purchase products, we pass on certain personal data to the providers (e.g., service providers, sellers) to enable the processing of the corresponding services. This data transfer is necessary so that the providers can provide their services or deliver products.

In doing so, we may pass on the following data to the providers: your name to identify you, contact details to reach out in case of questions or issues, your address for the provision of the service or delivery of products, order data to transmit details of the requested service or ordered products, and, if necessary, payment information to process payment (this is usually encrypted and according to applicable security standards).

The legal basis for data transfer is Art. 6(1)(b) GDPR, as it is necessary for the fulfillment of the contractual relationship between you and the provider.

The providers are obliged to use the transmitted data solely for the processing of the requested services or deliveries and to protect the data in accordance with applicable data protection laws. The provider is a direct contractual partner and therefore bears its own responsibility for the processing of personal data. If you have questions about their data processing, you can contact the provider directly.

3.10 Payment services

3.10.1 PayPal

We use PayPal on our website. PayPal is a payment service provider. This service is offered by PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

For the purpose of payment processing, the payment data of the website visitor are processed by the payment service provider as soon as a purchase is made via this website. The respective contractual and data protection provisions of the payment service provider apply to the respective transaction.

The legal basis is Art. 6(1)(b) GDPR. The data are processed for the purpose of (pre-)contractual obligations.

We also have a legitimate interest in processing this data within the meaning of Art. 6(1)(f) GDPR in order to ensure a fast and reliable payment process.

For data transfer to the USA, the EU Commission’s Standard Contractual Clauses (SCC) apply.

https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full .

3.10.2 Apple Pay

We use Apple Pay on this website. Apple Pay is a payment service provider. This service is offered by Apple Inc., Infinite Loop, Cupertino, CA 95014, USA.

For the purpose of payment processing, the payment data of the website visitor are processed by the payment service provider as soon as a purchase is made via this website. The respective contractual and data protection provisions of the payment service provider apply to the respective transaction.

The legal basis is Art. 6(1)(b) GDPR. The data are processed for the purpose of (pre-)contractual obligations.

We also have a legitimate interest in processing these data within the meaning of Art. 6(1)(f) GDPR in order to ensure a fast and reliable payment process.

Further details:

https://www.apple.com/legal/privacy/de-ww/ .

3.10.3 Google Pay

We use Google Pay on this website. Google Pay is a payment service provider. This service is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

For the purpose of payment processing, the payment data of the website visitor are processed by the payment service provider as soon as a purchase is made via this website. The respective contractual and data protection provisions of the payment service provider apply to the respective transaction.

The legal basis is Art. 6(1)(b) GDPR. The data are processed for the purpose of (pre-)contractual obligations.

We also have a legitimate interest in processing these data within the meaning of Art. 6(1)(f) GDPR in order to ensure a fast and reliable payment process.

Further details:

https://policies.google.com/privacy .

3.10.4 American Express

We use American Express on this website. American Express is a payment service provider. This service is offered by American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany.

For the purpose of payment processing, the payment data of the website visitor are processed by the payment service provider as soon as a purchase is made via this website. The respective contractual and data protection provisions of the payment service provider apply to the respective transaction.

The legal basis is Art. 6(1)(b) GDPR. The data are processed for the purpose of (pre-)contractual obligations.

We also have a legitimate interest in processing these data within the meaning of Art. 6(1)(f) GDPR in order to ensure a fast and reliable payment process.

American Express may transfer data to the parent company in the USA. For this purpose, American Express has Binding Corporate Rules (BCR).

Further details:

https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html

3.10.5 Mastercard

We use Mastercard on this website. Mastercard is a payment service provider. This service is offered by Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium.

For the purpose of payment processing, the payment data of the website visitor are processed by the payment service provider as soon as a purchase is made via this website. The respective contractual and data protection provisions of the payment service provider apply to the respective transaction.

The legal basis is Art. 6(1)(b) GDPR. The data are processed for the purpose of (pre-)contractual obligations.

We also have a legitimate interest in processing these data within the meaning of Art. 6(1)(f) GDPR in order to ensure a fast and reliable payment process.

Mastercard may transfer data to the parent company in the USA. For this purpose, Mastercard has Binding Corporate Rules (BCR).

Further details:

https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf

https://www.mastercard.de/de-de/datenschutz.html .

3.10.6 VISA

We use VISA on this website. VISA is a payment service provider. This service is offered by Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom.

For the purpose of payment processing, the payment data of the website visitor are processed by the payment service provider as soon as a purchase is made via this website. The respective contractual and data protection provisions of the payment service provider apply to the respective transaction.

The legal basis is Art. 6(1)(b) GDPR. The data are processed for the purpose of (pre-)contractual obligations.

We also have a legitimate interest in processing these data within the meaning of Art. 6(1)(f) GDPR in order to ensure a fast and reliable payment process.

For data transfer to the USA, the EU Commission’s Standard Contractual Clauses (SCC) apply.

Further details:

https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html .  

3.11 Cloud backups

We use cloud backup functions on our website to protect the data and content of the website from data loss, corruption or security incidents. This ensures that, in the event of a server failure, a hacker attack or other unforeseen events, the website can be restored quickly and completely.

Insofar as personal data are stored on our website, they are transferred to the servers of the respective provider during backups. The legal basis for data processing is Art. 6(1)(f) GDPR, as we have a legitimate interest in securing our data.

We use the following cloud backup service:

AWS

Amazon Europe Core S.à r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg.

https://aws.amazon.com/de/compliance/data-privacy/ .

4. Other important information

In conclusion, we would like to inform you comprehensively and in detail about your rights and tell you how you will be informed about changes to data protection requirements.

4.1 Your rights in detail

4.1.1 Right of access pursuant to Art. 15 GDPR

You can request information as to whether personal data concerning you are being processed. If this is the case, you can request further information about the nature and manner of processing. A detailed list can be found in Art. 15(1)(a) to (h) GDPR.

4.1.2 Right to rectification pursuant to Art. 16 GDPR

This right includes the correction of inaccurate data and the completion of incomplete personal data.

4.1.3 Right to erasure pursuant to Art. 17 GDPR

This so-called “right to be forgotten” gives you the right, under certain conditions, to request that the controller delete personal data. This is generally the case if the purpose of data processing has ceased, if consent has been revoked or if the initial processing took place without a legal basis. A detailed list of reasons can be found in Art. 17(1)(a) to (f) GDPR. This “right to be forgotten” also corresponds to the controller’s obligation under Art. 17(2) GDPR to take appropriate measures to bring about a general deletion of the data.

4.1.4 Right to restriction of processing pursuant to Art. 18 GDPR

This right is subject to the conditions pursuant to Art. 18(1)(a) to (d) GDPR.

4.1.5 Right to data portability pursuant to Art. 20 GDPR

This provides for the basic right to receive your own data in a commonly used format and to transmit it to another controller. However, this applies only to data processed on the basis of consent or contract under Art. 20(1)(a) and (b) and insofar as this is technically feasible.

4.1.6 Right to object pursuant to Art. 21 GDPR

You may object to the processing of your personal data as a matter of principle. This applies in particular if your interest in objecting outweighs the controller’s legitimate interest in processing and when processing relates to direct marketing and/or profiling.

4.1.7 Right to “individual decision-making” pursuant to Art. 22 GDPR

As a rule, you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. This right is limited and supplemented by Art. 22(2) and (4) GDPR.

4.1.8 Further rights

The GDPR includes comprehensive rights to inform third parties whether and how you have exercised rights under Art. 16, 17 or 18 GDPR. However, this only applies insofar as this is possible or can be implemented with a reasonable effort.

At this point we would like to again draw your attention to your right to withdraw consent under Art. 7(3) GDPR. However, this does not affect the lawfulness of the processing carried out up to that point.

We would also like to point out your rights under Sections 32 et seq. BDSG, which, however, are largely identical in content to the rights just described.

4.1.9 Right to lodge a complaint pursuant to Art. 77 GDPR

You also have the right to lodge a complaint with a data protection supervisory authority if you believe that processing of personal data concerning you infringes this Regulation.

5. What if the GDPR is abolished tomorrow or other changes occur?

The current status of this privacy policy is 01/09/2025. From time to time, it is necessary to adjust the content of the privacy policy to respond to actual and legal changes. We therefore reserve the right to change this privacy policy at any time. We will publish the amended version in the same place and recommend that you read the privacy policy regularly.

Created with the kind support of Dieter macht den Datenschutz