Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are gender-neutral.

Last updated: May 2, 2025

Verantwortlicher

Mühlentor Gastro GmbH

Mühlenstraße 10

55543 Bad Kreuznach

Authorized representatives: Jennifer Schirra and Frank Hilgert

E-Mail: info@das-muehlentor.com

Imprint: https://das-muehlentor.com/impressum

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of processing, and refers to the affected persons.

Types of Data Processed

Inventory data.
Payment data.
Location Data .
Contact data.
Content Data.
Contract data.
Usage Data.Meta, communication and procedural data
.Applicant data
.Contact information (Facebook)
.Event data (Facebook)
.Log data
.

Special Categories of Data

Health data.

Purposes of Processing

Provision of contractual services and fulfillment of contractual obligations
Communication
Security measures
Direct marketing.
Reach measurement
Tracking.
Office and organizational procedures
Remarketing.
Conversion measurement.
Audience targeting
Affiliate tracking
Organizational and administrative procedures
Application processes
Feedback
Marketing.
Profiles with user-related information
Provision of our online offering and usability
IT infrastructure
Financial and payment management
Public relations
Sales promotion
Business processes and economic procedures

Maßgebliche Rechtsgrundlagen

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations may also apply in addition to the GDPR, depending on your or our place of residence or establishment. If more specific legal bases apply in individual cases, we will inform you of these in this privacy policy.

Consent (Art. 6 para. 1 lit. a GDPR)
Contract performance and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR)
Legal obligation (Art. 6 para. 1 lit. c GDPR)
Legitimate interests (Art. 6 para. 1 lit. f GDPR)
Application procedures as a pre-contractual or contractual relationship (Art. 6 para. 1 lit. b GDPR)
Where special categories of personal data pursuant to Art. 9 para. 1 GDPR (e.g. health data) are processed, this is done in accordance with Art. 9 para. 2 GDPR.
Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR)
The processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Application procedures as a pre-contractual or contractual relationship (Art. 6 para. 1 sentence 1 lit. b GDPR)
Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data such as severe disability status or ethnic origin) are requested from applicants in the context of the application process in order for the controller or the data subject to exercise rights arising from employment law and the law of social security and social protection and to fulfil the respective obligations, such data is processed on the basis of Art. 9 para. 2 lit. b GDPR.

In the case of the protection of vital interests of applicants or other persons, processing is carried out pursuant to Art. 9 para. 2 lit. c GDPR. For purposes of preventive health care or occupational medicine, for the assessment of an employee’s working capacity, for medical diagnosis, health or social care or treatment, or for the management of health or social care systems and services, processing is carried out pursuant to Art. 9 para. 2 lit. h GDPR.

Where special categories of personal data are provided on the basis of voluntary consent, processing is carried out on the basis of Art. 9 para. 2 lit. a GDPR.

National Data Protection Regulations in Germany:
In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG).

The BDSG contains, in particular, specific provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, as well as data transfers and automated decision-making in individual cases, including profiling.

In addition, state data protection laws of the individual German federal states may apply.

Applicable Legal Bases under the Swiss Data Protection Act:
If you are located in Switzerland, we process your personal data on the basis of the Federal Act on Data Protection (Swiss FADP). Unlike the GDPR, the Swiss FADP generally does not require that a specific legal basis for the processing of personal data be stated, provided that such processing is carried out in good faith, is lawful and proportionate (Art. 6 para. 1 and 2 Swiss FADP).

Furthermore, personal data is collected by us only for a specific purpose that is recognizable to the data subject and is processed only in a manner compatible with that purpose (Art. 6 para. 3 Swiss FADP).

Notice on the Applicability of the GDPR and the Swiss FADP:
These privacy notices serve to provide information both in accordance with the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For this reason, and due to the broader territorial scope and greater comprehensibility, the terminology of the GDPR is used throughout.

In particular, instead of the terms used in the Swiss FADP such as “processing” of “personal data”, “overriding interest” and “particularly sensitive personal data”, the terms used in the GDPR, namely “processing” of “personal data”, “legitimate interest” and “special categories of data”, are applied.

However, the legal meaning of these terms continues to be determined in accordance with the Swiss FADP within the scope of its applicability.

Sicherheitsmaßnahmen

We implement appropriate technical and organizational measures in accordance with statutory requirements, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input, disclosure, availability assurance and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data and appropriate responses to data security risks. In addition, we take the protection of personal data into account already during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.

Securing Online Connections Using TLS/SSL Encryption Technology (HTTPS):
To protect user data transmitted via our online services against unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access.

TLS, as the more advanced and secure successor to SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of “HTTPS” in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.

Transfer of Personal Data

In the course of our processing of personal data, it may occur that such data is transferred to or disclosed to other entities, companies, legally independent organizational units or individuals. Recipients of such data may include, for example, service providers entrusted with IT-related tasks or providers of services and content that are integrated into a website. In such cases, we comply with the applicable legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure the protection of your personal data.

Data Transfers Within the Corporate Group:
We may transfer personal data to other companies within our corporate group or grant them access to such data. Such data transfers are carried out on the basis of our legitimate business and economic interests. These include, for example, the improvement of business processes, ensuring efficient and effective internal communication, the optimal use of our human and technological resources, and the ability to make well-informed business decisions.

In certain cases, the transfer of data may also be necessary to fulfil our contractual obligations, or it may be based on the consent of the data subjects or on a statutory authorization.

Data Transfers Within the Organization:
We may transfer personal data to other departments or units within our organization or grant them access to such data. Where such data transfers are carried out for administrative purposes, they are based on our legitimate business and economic interests. Alternatively, data transfers may be carried out where they are necessary for the fulfilment of our contractual obligations or where the data subject has given consent or where a statutory authorization exists.

International Data Transfers

Data Processing in Third Countries:
Where we transfer personal data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in the context of using third-party services or through the disclosure or transfer of data to other persons, entities or companies (as may be indicated by the postal address of the respective provider or where the privacy policy expressly refers to data transfers to third countries), such transfers are always carried out in compliance with the applicable legal requirements.

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which was recognized as an adequate legal framework by an adequacy decision of the European Commission dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective service providers in accordance with the requirements of the European Commission, which establish contractual obligations to protect your personal data.

This dual-layer protection ensures comprehensive safeguarding of your personal data: the Data Privacy Framework (DPF) constitutes the primary level of protection, while the Standard Contractual Clauses serve as an additional safeguard. Should there be any changes to the DPF, the Standard Contractual Clauses will apply as a reliable fallback mechanism. In this way, we ensure that your personal data remains adequately protected at all times, even in the event of political or legal changes.

For each individual service provider, we inform you whether they are certified under the Data Privacy Framework (DPF) and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in englischer Sprache).

For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent, or transfers required by law. Information on transfers to third countries and applicable adequacy decisions can be found in the information provided by the European Commission at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Disclosure of Personal Data Abroad:
In accordance with the Swiss Federal Act on Data Protection (FADP), we disclose personal data abroad only if adequate protection of the data subjects is ensured (Art. 16 Swiss FADP). Where the Swiss Federal Council has not determined an adequate level of protection (list available at: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative safeguards..

For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which was recognized as an adequate legal framework by an adequacy decision of Switzerland dated 7 June 2024. In addition, we have concluded Standard Data Protection Clauses with the respective service providers, which have been approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) and establish contractual obligations to protect your personal data.

This dual-layer protection ensures comprehensive safeguarding of your personal data: the Data Privacy Framework (DPF) constitutes the primary level of protection, while the Standard Data Protection Clauses serve as an additional safeguard. Should there be any changes to the DPF, the Standard Data Protection Clauses will apply as a reliable fallback mechanism. In this way, we ensure that your personal data remains adequately protected at all times, even in the event of political or legal changes.

For each individual service provider, we inform you whether they are certified under the Data Privacy Framework (DPF) and whether Standard Data Protection Clauses are in place. A list of certified companies as well as further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, appropriate safeguards apply, including international agreements, specific guarantees, Standard Data Protection Clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or binding corporate rules approved in advance by the FDPIC or a competent data protection authority of another country.

Allgemeine Informationen zur Datenspeicherung und Löschung

We delete personal data that we process in accordance with statutory requirements as soon as the underlying consent is withdrawn or no other legal basis for processing exists. This applies in particular where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply where statutory retention obligations or overriding legitimate interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of other natural or legal persons, will be archived accordingly.

Our privacy notice contains additional information on the retention and deletion of data that applies specifically to certain processing operations.

Where multiple retention periods or deletion deadlines apply to a given set of data, the longest applicable period shall always prevail.

If a retention period does not explicitly begin on a specific date and lasts at least one year, it shall commence automatically at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data are stored, the triggering event is the effective date of termination or any other end of the contractual relationship.

Data that are no longer required for the originally intended purpose, but are retained due to legal requirements or other reasons, are processed solely for the purposes that justify their retention.

Additional information on processing activities, procedures and services:

Retention and deletion of data: The following general retention periods apply to the storage and archiving of data under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding (Section 147 (1) no. 1 in conjunction with (3) of the German Fiscal Code (AO), Section 14b (1) of the German Value Added Tax Act (UStG), Section 257 (1) no. 1 in conjunction with (4) of the German Commercial Code (HGB)).
- 8 years – Accounting records, such as invoices and expense receipts (Section 147 (1) nos. 4 and 4a in conjunction with sentence 1 of subsection (3) of the German Fiscal Code (AO) and Section 257 (1) no. 4 in conjunction with (4) of the German Commercial Code (HGB)).
- 6 years – Other business records: received commercial or business correspondence, copies of sent commercial or business correspondence, and other documents insofar as they are relevant for taxation purposes, such as hourly wage slips, operating cost statements, calculation documents, price labels, as well as payroll documents insofar as they are not already accounting records, and cash register receipts (Section 147 (1) nos. 2, 3 and 5 in conjunction with subsection (3) of the German Fiscal Code (AO) and Section 257 (1) nos. 2 and 3 in conjunction with subsection (4) of the German Commercial Code (HGB)).
- 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, are stored for the duration of the regular statutory limitation period of three years, based on prior business experience and customary industry practices (Sections 195 and 199 of the German Civil Code (BGB)).
Retention and deletion of data: The following general periods apply to the retention and archiving of data under Swiss law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting records and invoices, as well as all required work instructions and other organizational documents (Art. 958f of the Swiss Code of Obligations (CO)).
- 10 years – Data required to consider potential claims for damages or similar contractual claims and rights, as well as to process related inquiries, are retained for the statutory limitation period of ten years, based on prior business experience and standard industry practices, unless a shorter limitation period of five years applies in specific cases (Art. 127, 130 CO).
  
  After five years, claims relating to rent, lease and interest payments as well as other periodic payments, claims arising from the delivery of foodstuffs, catering and hospitality services, craftsman’s work, retail sales of goods, medical services, professional services provided by lawyers, legal agents, attorneys-in-fact and notaries, and claims arising from employment relationships become time-barred (Art. 128 CO).

Rights of Data Subjects

Rights of data subjects under the GDPR:
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

Right to object:
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
Where personal data concerning you are processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.
Right to withdraw consent:
You have the right to withdraw any consent you have given at any time.
Right of access:
You have the right to request confirmation as to whether personal data concerning you are being processed, and, if so, to obtain access to such data as well as further information and a copy of the data in accordance with the statutory provisions.
Right to rectification:
In accordance with the statutory provisions, you have the right to request the completion of personal data concerning you or the correction of inaccurate personal data.
Right to erasure and restriction of processing:
In accordance with the statutory provisions, you have the right to request the immediate deletion of personal data concerning you or, alternatively, to request the restriction of the processing of such data.
Right to data portability:
You have the right, in accordance with the statutory provisions, to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request that such data be transmitted to another controller.
Right to lodge a complaint with a supervisory authority:
In accordance with the statutory provisions, and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular with a supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data relating to you infringes the GDPR.

Rights of data subjects under the Swiss Data Protection Act (Swiss DSG):

As a data subject, you have the following rights in accordance with the provisions of the Swiss Data Protection Act (Swiss DSG):

Right of access: You have the right to request confirmation as to whether personal data concerning you are being processed, and to receive the information necessary to enable you to exercise your rights under this Act and to ensure transparent data processing.
Right to data release or transfer: You have the right to request the release of your personal data that you have provided to us in a commonly used electronic format.
Right to rectification: You have the right to request the correction of inaccurate personal data relating to you.
Right to object, erasure and destruction: You have the right to object to the processing of your data and to request that your personal data be erased or destroyed.

Business Services

We process data of our contractual and business partners, such as customers and prospective customers (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships as well as related measures, and for the purpose of communication with contractual partners (or pre-contractually), for example to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligation to provide the agreed services, any update obligations, and remedies in the event of warranty claims or other service-related disruptions.

In addition, we use the data to safeguard our rights and for the administrative tasks associated with these obligations as well as for the organization of our company. We also process the data on the basis of our legitimate interests in proper and economically sound business management and in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g. through the involvement of telecommunications, transport, and other auxiliary service providers and subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities).

Within the scope of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the purposes described above or to fulfill legal obligations. Contractual partners are informed about further forms of processing, such as processing for marketing purposes, within the scope of this privacy policy.

Which data is required for the aforementioned purposes is communicated to our contractual partners in advance or at the time of data collection, for example in online forms, by means of special markings (such as colors) or symbols (such as asterisks), or personally.

We delete the data after the expiry of statutory warranty and comparable obligations, generally after four years, unless the data is stored in a customer account, for example for as long as it must be retained for statutory archiving purposes (such as tax purposes, usually ten years). Data disclosed to us by the contractual partner in the course of an assignment is deleted in accordance with the applicable requirements and, as a rule, after the end of the assignment.

Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of the contract, term, customer category).
Special categories of personal data: Health data.
Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; organisational and administrative procedures; business processes and commercial operations.
Storage and deletion: Deletion in accordance with the information provided in the section “General information on data storage and deletion”.
Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR); legal obligation (Art. 6(1) sentence 1 lit. c GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Consulting:
We process the data of our clients, prospective clients and other principals or contractual partners (collectively referred to as “clients”) in order to provide our services to them. The processes involved in and for the purposes of consulting include in particular: contacting and communicating with clients; conducting needs and requirements analyses; planning and implementing consulting projects; documenting project progress and results; collecting and managing client-specific information and data; scheduling and organising appointments; providing consulting resources and materials; billing and payment management; post-processing and follow-up of consulting projects; as well as quality assurance and feedback processes.

The data processed, as well as the type, scope, purpose and necessity of the processing, are determined by the underlying contractual and client relationship.

Where necessary for the performance of our contractual obligations, for the protection of vital interests, where required by law, or where the clients have given their consent, we disclose or transfer client data to third parties or service providers in compliance with applicable professional regulations. This may include, for example, public authorities, subcontractors, or providers of IT, office or comparable services.

Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR).
Hospitality, hotel and accommodation services:
We process the information provided by our guests, visitors and prospective customers (collectively referred to as “guests”) in order to provide our accommodation services as well as related tourism or gastronomic services, and to invoice the services rendered.

In the course of our engagement, it may be necessary for us to process special categories of data within the meaning of Art. 9(1) GDPR, in particular information relating to a person’s health or information concerning their religious beliefs.
Such processing is carried out in order to protect the health interests of our guests (e.g. in the case of allergy information) or otherwise to accommodate their physical or mental needs at their request and with their consent.

Where necessary for the performance of the contract, required by law, based on the guests’ consent, or on the basis of our legitimate interests, we disclose or transfer guests’ data, for example, to service providers involved in the provision of our services, to authorities, billing entities, as well as to providers in the areas of IT, office, or comparable services.
Legal basis: performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR).

Business Processes and Procedures

Personal data of service recipients and contracting parties – including customers, clients or, in specific cases, principals, patients or business partners, as well as other third parties – are processed within the scope of contractual and comparable legal relationships and pre-contractual measures, such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payment processing, accounting, and project management.

The collected data is used to fulfill contractual obligations and to ensure the efficient organization of operational processes. This includes the handling of business transactions, the management of customer relationships, the optimization of sales strategies, and the assurance of internal accounting and financial processes. In addition, the data supports the safeguarding of the controller’s rights and facilitates administrative tasks as well as the overall organization of the company.

Personal data may be disclosed to third parties where this is necessary to fulfill the purposes stated above or to comply with legal obligations. Once statutory retention periods have expired or the purpose of the processing no longer applies, the data will be deleted. This also includes data that must be stored for a longer period due to tax law requirements or other statutory documentation obligations.

Types of data processed:
Inventory data (e.g. full name, residential address, contact details, customer number, etc.);
Payment data (e.g. bank details, invoices, payment history);
Contact data (e.g. postal and email addresses or telephone numbers);
Content data (e.g. text or image messages and contributions as well as related information such as authorship or time of creation);
Contract data (e.g. subject matter of the contract, duration, customer category);
Log data (e.g. log files relating to logins, data retrieval or access times);
Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, persons involved).
Data subjects:
Recipients of services and contracting parties; prospective customers; communication partners; business and contractual partners; third parties; users (e.g. website visitors, users of online services); employees (e.g. staff members, applicants, temporary workers and other employees).
Purposes of processing:
Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and commercial operations; communication; marketing; sales promotion; public relations; financial and payment management; information technology infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.).
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal bases:
Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR);
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Legal obligation (Art. 6(1) sentence 1 lit. c GDPR).

Further information on processing activities, procedures, and services:

Contact management and contact maintenance:
Processes required for the organization, maintenance and safeguarding of contact information (e.g. setting up and maintaining a central contact database, regular updates of contact details, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restoring contact data, training employees in the effective use of contact management software, regularly reviewing communication histories and adjusting contact strategies);
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
General payment processing:
Processes required for carrying out payment transactions, monitoring bank accounts and controlling cash flows (e.g. preparation and review of bank transfers, processing of direct debits, review of bank statements, monitoring incoming and outgoing payments, chargeback management, account reconciliation, cash management);
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Accounting, accounts payable and accounts receivable:
Processes required for recording, processing and monitoring business transactions in the areas of accounts payable and accounts receivable (e.g. preparation and review of incoming and outgoing invoices, monitoring and management of open items, execution of payment transactions, dunning and receivables management, account reconciliation in relation to receivables and liabilities, accounts payable and accounts receivable accounting);
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), Legal obligation (Art. 6(1) sentence 1 lit. c GDPR), Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Financial accounting and taxation:
Processes required for the recording, management and monitoring of finance-related business transactions, as well as for the calculation, reporting and payment of taxes (e.g. account assignment and posting of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, dunning procedures, account reconciliation, tax advice, preparation and submission of tax returns, handling of tax matters);
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR), Legal obligation (Art. 6(1) sentence 1 lit. c GDPR), Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Marketing, advertising and sales promotion:
Processes required in the context of marketing, advertising and sales promotion (e.g. market analysis and target group definition, development of marketing strategies, planning and implementation of advertising campaigns, design and production of promotional materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimisation of marketing activities, budget management and cost control);
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Public relations:
Processes required in the context of public relations and communications (e.g. development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, maintenance of media relations, monitoring and analysis of media coverage, organisation of press conferences and public events, crisis communication, creation of content for social media and corporate websites, and management of corporate branding);
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Einsatz von Online-Plattformen zu Angebots- und Vertriebszwecken

We offer our services on online platforms operated by other service providers. In this context, the privacy policies of the respective platforms apply in addition to our own privacy notices. This applies in particular with regard to the processing of payments and the procedures used on the platforms for reach measurement and interest-based marketing.

Types of data processed:
Inventory data (e.g. full name, residential address, contact details, customer number, etc.);
payment data (e.g. bank details, invoices, payment history);
contact data (e.g. postal and email addresses or telephone numbers);
contract data (e.g. subject matter of the contract, term, customer category);
usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, persons involved).
Data subjects:
Recipients of services and contracting entities;
business and contractual partners;
prospective customers / interested parties.
Purposes of processing:
Provision of contractual services and fulfillment of contractual obligations;
marketing;
business processes and commercial management procedures;
affiliate tracking;
conversion tracking (measurement of the effectiveness of marketing measures);
provision of our online services and ensuring user-friendliness.
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal bases:
Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b GDPR);
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

Booking.com Partner Program: Affiliate marketing partner program;
Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.booking.com. Privacy Policy: https://www.booking.com/content/privacy.de.html.
Airbnb: Rental and booking of accommodations, experiences and activities; management of reservations; communication between hosts and guests; payment processing;
Service provider: Airbnb Ireland UC, 8 Hanover Quay, D02 DP23 Dublin 2, Ireland;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website https://www.airbnb.de. Datenschutzerklärung: https://www.airbnb.de/help/article/2855/datenschutzerklärung.

Service Providers and Services Used in the Course of Business Activities

In the course of our business activities, and in compliance with the applicable legal requirements, we use additional services, platforms, interfaces or plug-ins provided by third parties (collectively referred to as “services”). Their use is based on our interests in the proper, lawful and economically efficient operation of our business and internal organisation.

Types of data processed:
Inventory data (e.g. full name, residential address, contact details, customer number, etc.);
Payment data (e.g. bank details, invoices, payment history);
Contact data (e.g. postal and email addresses or telephone numbers);
Content data (e.g. text or image-based messages and contributions, as well as related information such as authorship details or time of creation);
Contract data (e.g. subject matter of the contract, duration, customer category).
Data subjects:
Recipients of services and clients;
Prospective customers;
Business and contractual partners.
Purposes of processing:
Provision of contractual services and fulfilment of contractual obligations;
Office and organisational procedures;
Business processes and commercial operations.
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Provision of the Online Offering and Web Hosting

We process users’ data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to deliver the content and functions of our online services to the user’s browser or device.

Types of data processed:
Usage data (e.g. page views and length of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions);
meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, involved persons);
log data (e.g. log files relating to logins or the retrieval of data or access times);
content data (e.g. textual or visual messages and posts as well as information relating to them, such as details of authorship or the time of creation).
Data subjects:
Users (e.g. website visitors, users of online services);
business and contractual partners.
Purposes of processing:
Provision of our online services and user-friendliness;
information technology infrastructure (operation and provision of information systems and technical equipment such as computers and servers);
security measures;
performance of contractual services and fulfillment of contractual obligations.
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Provision of the online service on rented hosting infrastructure:
For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a suitable server provider (also referred to as a “web host”);
Legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Collection of access data and log files:
Access to our online services is logged in the form of so-called “server log files.” These server log files may include the address and name of the accessed websites and files, date and time of access, volume of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.

Server log files are used, on the one hand, for security purposes, for example to prevent server overload (in particular in the event of abusive attacks such as so-called DDoS attacks), and on the other hand to ensure server utilization and system stability.
Legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Deletion of data:
Log file information is stored for a maximum period of 30 days and is then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been fully clarified.
1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); website:: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy. Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.
All in One WP Security & Firewall: Protection against brute-force attacks, monitoring of user activity, firewall functions to block suspicious IP addresses, detection and prevention of database attacks, securing login pages, management of file permissions, blacklist and whitelist management for IP addresses, use of cookies (storage for up to 90 days); service provider: Updraft WP Software Ltd, Tramshed Tech Old Station Building, Queensway, NP20 4AX Newport, United Kingdom; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); website: https://aiosplugin.com/. Privacy Policy: https://aiosplugin.com/privacy-policy/.

Use of Cookies

The term “cookies” refers to functions that store information on users’ end devices and read it from them. Cookies may also be used for different purposes, such as ensuring functionality, security and convenience of online services, as well as for creating analyses of visitor traffic. We use cookies in accordance with legal requirements. Where necessary, we obtain users’ consent in advance. If consent is not required, we rely on our legitimate interests. This applies where the storage and reading of information is essential in order to provide content and functions that have been expressly requested. This includes, for example, the storage of settings and ensuring the functionality and security of our online services. Consent can be withdrawn at any time. We provide clear information about the scope of consent and which cookies are used.

Information on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest when a user leaves an online service and closes their device (e.g. browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved and preferred content can be displayed directly when the user visits a website again. Usage data collected via cookies may also be used for reach measurement. If we do not provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), they should assume that these cookies are permanent and that the storage period may be up to two years.

General information on withdrawal and objection (opt-out): Users may withdraw any consent they have given at any time and may also object to the processing of their data in accordance with the statutory provisions, including by using their browser’s privacy settings.

Processed data types: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).

Data subjects: Users (e.g. website visitors, users of online services)

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Additional information on processing activities, procedures and services:

Processing of cookie data based on consent:
We use a consent management solution to obtain users’ consent for the use of cookies or for the procedures and providers specified within the consent management solution. This procedure serves to obtain, document, manage and revoke consent, in particular with regard to the use of cookies and comparable technologies that are used to store, read and process information on users’ devices.

As part of this procedure, users’ consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and providers named within the consent management process. Users also have the option to manage and revoke their consent at any time.

The consent declarations are stored in order to avoid repeated requests and to be able to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies, in order to be able to assign the consent to a specific user or their device.

If no specific information about the providers of consent management services is available, the following general information applies: The consent is stored for a period of up to two years. In this context, a pseudonymous user identifier is created and stored together with the time of consent, information on the scope of the consent (e.g. relevant categories of cookies and/or service providers), as well as information about the browser, the system and the device used.

Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
BorlabsCookie: Consent management: Procedures for obtaining, documenting, managing and revoking consent, in particular for the use of cookies and similar technologies for storing, reading and processing information on users’ devices as well as their processing; Service provider: Execution on servers and/or computers under the provider’s own data protection responsibility; Website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language, types of consent and the time they were given are stored server-side and in a cookie on the users’ device.

Blogs and Publishing Media

We use blogs or comparable means of online communication and publication (hereinafter referred to as “publication medium”). Readers’ data are processed for the purposes of the publication medium only to the extent necessary for its presentation and for communication between authors and readers, or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium provided in these privacy notices.

Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and the related information, such as details of authorship or time of creation); usage data (e.g. page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, involved persons).
Affected persons: Users (e.g. website visitors, users of online services).
Purposes of processing: Feedback (e.g. collecting feedback via online forms). Provision of our online offering and user-friendliness.
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Retrieval of WordPress emojis and smilies: Within our WordPress blog, graphic emojis (smilies), i.e. small graphic files that express emotions, are used for the purpose of efficiently integrating content elements. These are loaded from external servers. The server providers collect users’ IP addresses. This is necessary in order to deliver the emoji files to the users’ browsers; service provider: Automattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); website: https://automattic.com privacy policy: https://automattic.com/privacy data processing agreement: provided by the service provider. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), standard contractual clauses (provided by the service provider); Switzerland – Data Privacy Framework (DPF), standard contractual clauses (provided by the service provider).
https://automattic.com/
https://automattic.com/privacy

Contact and Inquiry Management

When contacting us (e.g. by post, contact form, email, telephone or via social media) as well as within existing user and business relationships, the information provided by the requesting persons is processed insofar as this is necessary to respond to the contact enquiries and any requested measures.

Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and the related information, such as details of authorship or time of creation); usage data (e.g. page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, involved persons).
Affected persons: Communication partners. Users (e.g. website visitors, users of online services).
Purposes of processing: Communication; organisational and administrative procedures; feedback (e.g. collecting feedback via online forms); provision of our online services and user-friendliness; marketing.
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal bases: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Performance of a contract and pre-contractual enquiries (Art. 6(1) sentence 1 lit. b GDPR).

Further information on processing operations, procedures and services:

Contact form: When you contact us via our contact form, by email or through other communication channels, we process the personal data you provide in order to respond to and handle your request. This generally includes information such as your name, contact details and, where applicable, any additional information you share that is necessary for appropriate processing. We use this data exclusively for the stated purpose of contacting you and communicating with you; legal bases: performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Gravity Forms: Creation and evaluation of online forms, surveys and feedback forms, as well as the acceptance of payments and the implementation of automated workflows; service provider: operated on servers and/or computers under the provider’s own data protection responsibility; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Website: https://www.gravityforms.com/ .

Eventbrite

Tool for booking tickets for various events
Who processes your data?

Eventbrite, Inc., Delaware, 155 5th Street, Floor 7, San Francisco, CA 94103, USAFurther information on data protection at Eventbrite can be found at

https://www.eventbrite.de/support/articles/de/Troubleshooting/datenschutzrichtlinie-von- eventbrite?lg=de

When you book a ticket, Eventbrite collects the data you provide, payment data, IP address and additional metadata (browser, operating system, version, device).
On the basis of the adequacy decision of the European Commission and the corresponding certification of the company.
How long do we store your data? We delete your data as soon as one of the following applies: the purpose of data processing no longer applies, you request the deletion of the data, or you revoke your consent to storage.
This does not apply if we are legally obliged to retain the data. On what legal basis do we process your data? We have a legitimate interest in providing a straightforward ticket booking system. Data processing is therefore carried out on the basis of Art. 6 para. 1 lit. f) GDPR. If you have consented to the storage of your data, Art. 6 para. 1 lit. a) GDPR is the sole legal basis. In this case, you may revoke your consent at any time with effect for the future.

Newsletter and Electronic Notifications

We send newsletters, emails and other electronic notifications (hereinafter referred to as “newsletters”) only with the consent of the recipients or on the basis of a legal permission. If the content of the newsletter is specified during registration, this content is decisive for the user’s consent. As a rule, providing your email address is sufficient to subscribe to our newsletter. In order to offer you a personalized service, we may also ask for your name for personal addressing in the newsletter or for additional information if this is necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to prove that consent was previously given. The processing of these data is limited to the purpose of a potential defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called “blocklist”).

The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of demonstrating its proper execution. Where we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure delivery system.

Content:

Information about us, our services, promotions and offers.

Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, involved persons); usage data (e.g. page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
Affected persons: communication partners.
Purposes of processing: direct marketing (e.g. via email or post).
Legal bases: consent (Art. 6 para. 1 sentence 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Right to object (opt-out): You can unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will find an unsubscribe link at the end of each newsletter, or you can alternatively use one of the contact options listed above, preferably by email.

Additional information on processing activities, procedures and services:

Measurement of open and click rates: Our newsletters contain so-called web beacons, i.e. pixel-sized files that are retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. As part of this retrieval, technical information such as details about the browser and system used, as well as the IP address and the time of access, are initially collected. This information is used to technically improve our newsletter based on technical data or to analyse target groups and their reading behaviour, for example based on their locations of access (which can be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations are used to understand our users’ reading habits and to tailor our content to them or to send different content according to users’ interests. The measurement of open and click rates, the storage of the measurement results in user profiles and their further processing are carried out on the basis of the users’ consent. Unfortunately, a separate withdrawal of consent for performance measurement is not possible; in this case, the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information will be deleted. Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
Cleverreach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Deutschland
Where can I find information on Cleverreachs Privacy Policy? https://www.cleverreach.com/de/funktionen/datenschutz-sicherheit/ and https://www.cleverreach.com/de/datenschutz/
How do we process your data? We use CleverReach to send our newsletter. The service manages the data of our newsletter subscribers, sends our newsletters and analyses our newsletter campaigns. If you would like to receive our newsletter, we require your email address. We will also verify that you are the owner of this email address by means of a confirmation email (double opt-in procedure). We do not collect any further data, or only on a voluntary basis. Your data is used exclusively for sending the newsletter. When we send a newsletter via CleverReach and you open it, a file contained in the newsletter automatically connects to CleverReach’s servers. This allows the service to recognise that the newsletter has been opened and to record all clicks on the links contained in it. In addition, CleverReach collects technical information such as the time of access, IP address, browser type and operating system. You can unsubscribe from the newsletter at any time.
How long do we store your data?
After you unsubscribe, your data will be deleted from the newsletter distribution list. In some cases, we may also add your email address to a blacklist, for example if we have received an objection to receiving advertising from you. In that case, the data is stored on the legal basis of Article 6(1)(f) GDPR. We also reserve the right to delete the data at any time once the purpose for which it was collected no longer applies, or at our own discretion.
On what legal basis do we process your data?
By signing up to the subscriber list, you consent to the processing of your data by CleverReach. This processing is therefore lawful on the basis of Article 6(1)(a) GDPR. You can withdraw your consent by unsubscribing from the newsletter or by sending us an informal notice. For us, this means that from that point on we are no longer permitted to send you newsletters.

Web Analytics, Monitoring and Optimization

Web analytics (also referred to as “reach measurement”) is used to evaluate visitor traffic on our online offering and may include pseudonymous data about visitors’ behavior, interests, or demographic information, such as age or gender. With the help of reach measurement, we can, for example, identify when our online offering, its functions, or its content are used most frequently, or encourage users to return. It also enables us to understand which areas need optimization.

In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online offering or individual components of it.

Unless otherwise stated below, profiles may be created for these purposes, meaning data that is consolidated into a single usage process, and information may be stored in a browser or on an end device and then read out. The information collected includes, in particular, websites visited and elements used there, as well as technical details such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data either to us or to the providers of the services we use, the processing of location data is also possible.

In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no directly identifiable user data (such as email addresses or names) is stored in the context of web analytics, A/B testing, and optimization, but rather pseudonyms. This means that neither we nor the providers of the software used know the users’ actual identity, only the information stored in their profiles for the respective purposes.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing the data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., our interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Types of data processed: Usage data (e.g., page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, time information, identification numbers, persons involved); content data (e.g., text or image messages and posts, and information relating to them, such as authorship details or time of creation).

Event data (Facebook): “Event data” is information that is sent to Meta, for example via the Meta Pixel (whether via apps or other channels), and relates to individuals or their actions. This includes, for instance, details about website visits, interactions with content and functions, app installations, and product purchases. Event data is processed for the purpose of creating target groups for content and advertising messages (Custom Audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. Event data is deleted by Meta after a maximum of two years, and the audiences created from it disappear when our Meta user accounts are deleted.
Affected persons: Users (e.g. website visitors, users of online services).
Purposes of processing: reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles); tracking (e.g., interest- and behavior-based profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); audience creation; marketing; provision of our online offering and user-friendliness; remarketing.
Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion.” Cookies are stored for up to two years (unless stated otherwise, cookies and similar storage methods may be stored on users’ devices for a period of two years).
Security measures: IP masking (pseudonymization of the IP address).
Legal bases: consent (Art. 6 para. 1 sentence 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

1&1 IONOS WebAnalytics: Reach measurement and web analytics; service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.ionos.de privacy policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/ data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/ further information: Data is collected either via a pixel or via a log file, without the use of cookies; visitors’ IP addresses are transmitted when a page is accessed, anonymized immediately after transmission, and then processed further without any personal reference. Data processing is carried out on the basis of a data processing agreement.
Google Analytics: We use Google Analytics to measure and analyze the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any directly identifiable data such as names or email addresses. It is used to assign analytics information to an end device in order to determine which content users accessed within one or multiple usage sessions, which search terms they used, whether they returned to that content, or how they interacted with our online offering. The time and duration of use are also stored, as well as the sources that referred users to our online offering and technical details about their devices and browsers.
In doing so, pseudonymous user profiles are created using information from the use of different devices, and cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides approximate geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, and subcontinent (and their ID-based counterparts). For EU traffic, IP address data is used solely for this derivation of geolocation data and is then deleted immediately. It is not logged, is not accessible, and is not used for any other purposes. When Google Analytics collects measurement data, all IP lookups are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: Website: https://marketingplatform.google.com/intl/de/about/analytics/ security measures: IP masking (pseudonymization of the IP address); privacy policy: https://policies.google.com/privacy data processing agreement: https://business.safety.google/adsprocessorterms/ basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); opt-out option: opt-out browser add-on: https://tools.google.com/dlpage/gaoptout?hl=de ad personalization settings: https://myadcenter.google.com/personalizationoff Further information: https://business.safety.google/adsservices/ (Types of processing and data processed).
Notes on consent recipients and cookieless analytics

Notes on consent recipients: The consent granted by users as part of a consent dialog (also known as “cookie opt-in/consent,” “cookie banner,” etc.) serves multiple purposes. First, it helps us meet our obligation to obtain consent for the storing and reading of information on and from users’ devices (in accordance with ePrivacy guidelines). Second, it covers the processing of users’ personal data in line with data protection requirements. In addition, this consent also applies to Google, as the company is required under the Digital Markets Act to obtain consent for personalized services. Therefore, we share the consent status provided by users with Google. Our consent management software informs Google whether consent has been granted or not. The aim is to ensure that users’ consent choices, or the absence of consent, are taken into account when using Google Analytics and when integrating features and external services. This allows users’ consent and its withdrawal to be adjusted dynamically within our online offering for Google Analytics and other Google services, depending on the user’s selection.
Cookieless analytics: We use the advanced implementation of Google Analytics Consent Mode. This means that if users do not give consent to store and read information on their devices, in particular regarding cookies, then no cookies or comparable information will be stored on users’ devices. Likewise, no user profiles will be created.
In this case, Google’s code generates a random identification number on the user’s device and transmits it to Google (a so-called “ping”). This identification is not stored in the user’s browser, apps, or other devices. This identification number is unique to each page view, meaning that users’ behavior or interests cannot be tracked across devices or across sites. Only a minimum amount of information about user activity is sent. This includes information about the consent status and information for conversion measurement, i.e., whether a user was directed to our online offering via a Google advertisement.
In addition, the following information may be transmitted, where available:
a) Function-related information such as headers (technical details transmitted by the browser),
b) Timestamps (date and time of access),
c) User agent (information about the browser and device used, web only),
d) Referrer URL (the URL of the page the user came from),
e) Aggregated/pseudonymous information: This includes an indication of whether the current page or a previous page in the user’s navigation path contains ad click information in the URL (e.g., GCLID/DCLID, special Google tracking codes), a random number generated each time a page loads, and information about the consent management platform used by the website owner (e.g., developer ID); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://support.google.com/analytics/answer/9976101?hl=de. Privacy Policy: https://policies.google.com/privacy.
Google Tag Manager: We use Google Tag Manager, software provided by Google that enables us to manage so-called website tags centrally via a user interface. Tags are small code elements on our website that are used to record and analyze visitor activity. This technology helps us improve our website and the content offered on it. Google Tag Manager itself does not create user profiles, does not store cookies containing user profiles, and does not perform any independent analyses. Its function is limited to simplifying and making more efficient the integration and management of the tools and services we use on our website. Nevertheless, when using Google Tag Manager, users’ IP addresses are transmitted to Google, which is technically necessary in order to implement the services we use. Cookies may also be set in this context. However, this data processing only takes place if services are integrated via Tag Manager. For more detailed information about these services and their data processing, we refer you to the further sections of this privacy policy; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data processing agreement (DPA):
https://business.safety.google/adsprocessorterms. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs). (https://business.safety.google/adsprocessorterms), Schweiz – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) ( https://business.safety.google/adsprocessorterms).
Meta Pixel and audience creation (Custom Audiences): With the help of the Meta Pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), Meta is able, on the one hand, to identify visitors to our online offering as a target group for the display of ads (so-called “Meta Ads”). Accordingly, we use the Meta Pixel to ensure that the Meta Ads we run are shown only to those users on Meta platforms and within the services of partners cooperating with Meta (the so-called “Audience Network” …) https://www.facebook.com/audiencenetwork/ ) …to users who have also shown an interest in our online offering or who have certain characteristics (e.g., an interest in specific topics or products, which can be inferred from the websites visited) that we transmit to Meta (so-called “Custom Audiences”). We also use the Meta Pixel to ensure that our Meta Ads match users’ potential interests and do not appear intrusive. In addition, the Meta Pixel allows us to track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (so-called “conversion measurement”); service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement (DPA): https://www.facebook.com/legal/terms/dataprocessing; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Users’ event data, i.e., information about behavior and interests, is processed for the purposes of targeted advertising and audience creation on the basis of the agreement on joint controllership (“Controller Addendum,” …) https://www.facebook.com/legal/controller_addendum…is processed. The joint controllership is limited to the collection of data and its transfer to Meta Platforms Ireland Limited, a company based in the EU. Any further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes the transfer of data to its parent company Meta Platforms, Inc. in the USA (on the basis of the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Online Marketing

We process personal data for the purpose of online marketing. This may include, in particular, the marketing of advertising space or the display of promotional and other content (collectively referred to as “content”) based on users’ potential interests, as well as measuring its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (a so-called “cookie”), or similar methods are used to store information about the user that is relevant for displaying the content mentioned above. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical information such as the browser used, the computer system used, and details about usage times and functions used. If users have consented to the collection of their location data, this data may also be processed.

Users’ IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, no directly identifiable user data (such as email addresses or names) is stored as part of online marketing processes, but rather pseudonyms. This means that neither we nor the providers of the online marketing services know the users’ actual identity, only the information stored in their profiles.

The information contained in the profiles is generally stored in cookies or by means of similar procedures. These cookies can later also be read on other websites that use the same online marketing method and analyzed for the purpose of displaying content, as well as supplemented with additional data and stored on the server of the online marketing service provider.

In exceptional cases, it may be possible to associate directly identifiable data with the profiles, primarily if users are, for example, members of a social network whose online marketing tools we use and the network links the user profiles with the information mentioned above. Please note that users may enter into additional arrangements with the providers, for example by giving consent as part of the registration process.

As a rule, we only receive access to aggregated information about the success of our advertisements. However, as part of so-called conversion measurement, we can check which of our online marketing methods led to a so-called conversion, i.e., for example, the conclusion of a contract with us. Conversion measurement is used solely to analyze the effectiveness of our marketing measures.

Unless stated otherwise, please assume that any cookies used are stored for a period of two years.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing the data is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., our interest in providing efficient, cost-effective, and user-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

Notes on withdrawal and objection:

We refer to the privacy notices of the respective providers and the opt-out options specified for those providers (so-called “opt-out”). If no explicit opt-out option is provided, you can, on the one hand, disable cookies in your browser settings. However, this may restrict functions of our online offering. We therefore also recommend the following opt-out options, which are offered in summarized form for the respective regions:

a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) region-wide: https://optout.aboutads.info.

Types of data processed: Content data (e.g., text or image messages and posts, and information relating to them, such as authorship details or time of creation); usage data (e.g., page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, time information, identification numbers, persons involved); event data (Facebook) (“event data” is information that is sent to Meta, for example via the Meta Pixel (whether via apps or other channels), and relates to individuals or their actions. This includes, for instance, details about website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target groups for content and advertising messages (Custom Audiences). It is important to note that event data does not include actual content such as written comments, login information, or contact information such as names, email addresses, or telephone numbers. Event data is deleted by Meta after a maximum of two years, and the audiences created from it disappear when our Meta user accounts are deleted.); contact information (Facebook) (“contact information” is data that clearly identifies data subjects, such as names, email addresses, and telephone numbers, which may be transmitted to Facebook, e.g., via the Facebook Pixel or by upload for matching purposes in order to create Custom Audiences. After matching for the purpose of creating audiences, the contact information is deleted).
Affected persons: Users (e.g. website visitors, users of online services).
Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest- and behavior-based profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); audience creation; marketing; profiles with user-related information (creation of user profiles); provision of our online offering and user-friendliness.
Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion.” Cookies are stored for up to two years (unless stated otherwise, cookies and similar storage methods may be stored on users’ devices for a period of two years).
Security measures: IP masking (pseudonymization of the IP address).
Legal bases: consent (Art. 6 para. 1 sentence 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Meta Pixel and audience creation (Custom Audiences): With the help of the Meta Pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), Meta is able, on the one hand, to identify visitors to our online offering as a target group for the display of ads (so-called “Meta Ads”). Accordingly, we use the Meta Pixel to ensure that the Meta Ads we run are shown only to those users on Meta platforms and within the services of partners cooperating with Meta (the so-called “Audience Network” …) https://www.facebook.com/audiencenetwork/ ) …to users who have also shown an interest in our online offering or who have certain characteristics (e.g., an interest in specific topics or products, which can be inferred from the websites visited) that we transmit to Meta (so-called “Custom Audiences”). We also use the Meta Pixel to ensure that our Meta Ads match users’ potential interests and do not appear intrusive. In addition, the Meta Pixel allows us to track the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (so-called “conversion measurement”); service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Data Processing Agreement (DPA): https://www.facebook.com/legal/terms/dataprocessing; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) (https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Users’ event data, i.e., information about behavior and interests, is processed for the purposes of targeted advertising and audience creation on the basis of the agreement on joint controllership (“Controller Addendum,” …) https://www.facebook.com/legal/controller_addendum…is processed. The joint controllership is limited to the collection of data and its transfer to Meta Platforms Ireland Limited, a company based in the EU. Any further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes the transfer of data to its parent company Meta Platforms, Inc. in the USA (on the basis of the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Advanced matching for the Meta Pixel: In addition to the processing of event data when using the Meta Pixel (or comparable functions, e.g., in apps), contact information (data identifying individuals, such as names, email addresses, and telephone numbers) is also collected by Meta within our online offering or transmitted to Meta. The processing of contact information serves the creation of audiences (so-called “Custom Audiences”) for displaying content and advertising information based on users’ presumed interests. The collection or transmission and matching with data already held by Meta does not take place in plain text, but in the form of so-called “hash values,” i.e., mathematical representations of the data (this method is used, for example, when storing passwords). After matching for the purpose of creating audiences, the contact information is deleted; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); privacy policy: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) (https://www.facebook.com/legal/EU_data_transfer_addendum), Swizerland – Data Privacy Framework (DPF),Standard Contractual Clauses (SCCs) (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: https://www.facebook.com/legal/terms/data_security_terms.
Facebook ads: Placement of advertisements within the Facebook platform and evaluation of ad results; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); opt-out option: We refer to the privacy and advertising settings in users’ profiles on the Facebook platforms, as well as Facebook’s consent procedures and contact options for exercising the right of access and other data subject rights, as described in Facebook’s privacy policy; further information: Users’ event data, i.e., information about behavior and interests, is processed for the purposes of targeted advertising and audience creation on the basis of the agreement on joint controllership (“Controller Addendum,” …) https://www.facebook.com/legal/controller_addendum…is processed. The joint controllership is limited to the collection of data and its transfer to Meta Platforms Ireland Limited, a company based in the EU. Any further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes the transfer of data to its parent company Meta Platforms, Inc. in the USA (on the basis of the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Google Ad Manager: We use the “Google Ad Manager” service to place ads within Google’s advertising network (e.g., in search results, in videos, on websites, etc.). Google Ad Manager is characterized by displaying ads in real time based on users’ presumed interests. This enables us to show ads for our online offering to users who may have a potential interest in our offer or who have previously shown interest, and to measure the success of the ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/; Data Processing Terms for Google advertising products: Information on the services, the data processing terms between controllers, and the Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adscontrollerterms. …where Google acts as a processor: Data Processing Terms for Google advertising products and Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adsprocessorterms.
Google AdSense with personalized ads: We integrate the Google AdSense service, which enables personalized ads to be placed within our online offering. Google AdSense analyzes user behavior and uses this data to deliver targeted advertising tailored to the interests of our visitors. For each ad placement or other types of use of these ads, we receive financial remuneration; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website:: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data Processing Terms for Google advertising products: Information on the services, the data processing terms between controllers, and the Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
Google AdSense with non-personalized ads: We use the Google AdSense service to display non-personalized ads within our online offering. These ads are not based on individual user behavior, but are selected based on general characteristics such as the content of the page or your approximate geographic location. We receive remuneration for the display or other use of these ads; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website:: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Data Processing Terms for Google advertising products: Information on the services, the data processing terms between controllers, and the Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
Instagram ads: Placement of advertisements within the Instagram platform and evaluation of ad results; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); opt-out option: We refer to the privacy and advertising settings in users’ profiles on the Instagram platform, as well as Instagram’s consent procedures and Instagram’s contact options for exercising the right of access and other data subject rights as described in Instagram’s privacy policy; further information: Users’ event data, i.e., information about behavior and interests, is processed for the purposes of targeted advertising and audience creation on the basis of the agreement on joint controllership (“Controller Addendum,” …) https://www.facebook.com/legal/controller_addendum…is processed. The joint controllership is limited to the collection of data and its transfer to Meta Platforms Ireland Limited, a company based in the EU. Any further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes the transfer of data to its parent company Meta Platforms, Inc. in the USA (on the basis of the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Online Reservation

We use the online reservation system Zenchef provided by Zenchef SAS, 60 rue François 1er, 75008 Paris, France, on our website to enable you to make table reservations electronically. If you make a reservation via our website, the personal data you enter (e.g., name, email address, telephone number, desired date/time, number of people, and any special requests) is transmitted directly to Zenchef and processed there.
Zenchef processes the data for the purpose of receiving, managing, and confirming your reservation and for fulfilling the contract concluded with you regarding the reservation service (legal basis: Art. 6(1)(b) GDPR or corresponding national data protection law). Zenchef processes the transmitted data as an independent controller. Further information on how Zenchef processes personal data can be found in Zenchef’s privacy policy: https://www.zenchef.com/privacy-policy.
Embedding and technical data: The reservation function may be integrated into our website via embedded content (e.g., an iFrame or JavaScript). In this case, technical information (e.g., IP address, browser information, device information) is transmitted to Zenchef as soon as this content is loaded. The legal basis for this transmission may, in addition to contract performance, also be a legitimate interest within the meaning of Art. 6(1)(f) GDPR (e.g., providing a user-friendly function).
Server locations and international data transfers: Zenchef may use servers located outside the European Union. If personal data is processed outside the EU, this will only take place on the basis of appropriate safeguards (e.g., EU Standard Contractual Clauses) in accordance with Art. 46 GDPR.

Customer Reviews and Rating Procedures

We participate in review and rating procedures in order to evaluate, improve, and promote our services. If users rate us or otherwise provide feedback via the review platforms or procedures involved, the providers’ additional terms of service or usage terms and privacy notices also apply. As a rule, submitting a review also requires registration with the respective providers.

To ensure that the reviewers have actually used our services, we transmit the data required for this purpose regarding the customer and the service used to the respective review platform with the customer’s consent (including name, email address, and order number or item number). This data is used solely to verify the authenticity of the user.

Types of data processed: Contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, time information, identification numbers, persons involved); inventory/master data (e.g., full name, residential address, contact details, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers).
Data subjects: Service recipients and clients; users (e.g., website visitors, users of online services); prospects; business and contractual partners.
Purposes of processing: Feedback (e.g., collecting feedback via an online form); marketing; performance of contractual services and fulfillment of contractual obligations; conversion measurement (measuring the effectiveness of marketing measures); provision of our online offering and user-friendliness; affiliate tracking.
Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Review widget: We integrate so-called “review widgets” into our online offering. A widget is a functional and content element embedded in our online offering that displays information which can change. For example, it may appear as a seal or a comparable element, sometimes also referred to as a “badge.” The widget content is displayed within our online offering, but it is retrieved at that moment from the servers of the respective widget provider. This is the only way to ensure that the most up-to-date content is shown, in particular the current rating. For this purpose, a data connection must be established from the website accessed within our online offering to the widget provider’s server, and the widget provider receives certain technical data (access data, including the IP address) that is necessary to deliver the widget content to the user’s browser. In addition, the widget provider receives information that users have visited our online offering. This information may be stored in a cookie and used by the widget provider to recognize which online offerings participating in the review process have been visited by the user. The information may be stored in a user profile and used for advertising or market research purposes; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and customer opinions; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF); Further information: As part of collecting customer reviews, an identification number and the time of the transaction to be reviewed are processed, and for review requests sent directly to customers, the customer’s email address and their country of residence, as well as the review information itself, are processed; Further details on the types of processing and the data processed: https://business.safety.google/adsservices/. Data Processing Terms for Google advertising products: Information on the services, the data processing terms between controllers, and the Standard Contractual Clauses for third-country data transfers: https://business.safety.google/adscontrollerterms.
Airbnb: Rental and booking of accommodations, experiences and activities; management of reservations; communication between hosts and guests; payment processing;
Service provider: Airbnb Ireland UC, 8 Hanover Quay, D02 DP23 Dublin 2, Ireland;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website https://www.airbnb.de. Datenschutzerklärung: https://www.airbnb.de/help/article/2855/datenschutzerklärung.
Booking.com Partner Program: Affiliate marketing partner program;
Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.booking.com. Privacy Policy: https://www.booking.com/content/privacy.de.html.

Social Media Presences

We maintain online presences within social networks and, in this context, process user data in order to communicate with users active there or to provide information about us.

We would like to point out that user data may be processed outside the European Union. This can entail risks for users, as it may, for example, make it more difficult to enforce users’ rights.

Furthermore, users’ data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created based on users’ behavior and the interests derived from it. These profiles may in turn be used, for instance, to display advertisements within and outside the networks that presumably match users’ interests. For this purpose, cookies are generally stored on users’ computers in which users’ behavior and interests are stored. In addition, data may also be stored in the usage profiles regardless of the devices used by users (in particular if they are members of the respective platforms and logged in there).

For a detailed description of the respective processing activities and the options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we also point out that these can be exercised most effectively with the providers. Only the providers have access to the user data in each case and can take appropriate measures directly and provide information. However, if you still need assistance, you can contact us.

Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts, and information relating to them, such as authorship details or time of creation); usage data (e.g., page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); inventory/master data (e.g., full name, residential address, contact details, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of the contract, term, customer category); metadata, communication and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
Data subjects: Users (e.g., website visitors, users of online services); service recipients and clients; prospects; business and contractual partners.
Purposes of processing: Communication; feedback (e.g., collecting feedback via an online form); public relations; performance of contractual services and fulfillment of contractual obligations; conversion measurement (measuring the effectiveness of marketing measures); marketing; provision of our online offering and user-friendliness; affiliate tracking.
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal basis:
Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Instagram: Social network that enables sharing photos and videos, commenting on and liking posts, sending messages, and following profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.instagram.com; Pricavy Policy: https://privacycenter.instagram.com/policy/.Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF).
Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (so-called “Fanpage”). This data includes information about the types of content users view or interact with, or the actions they take (see “Things you and others do and provide” in Facebook’s Data Policy: …) https://www.facebook.com/privacy/policy/), …as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in Facebook’s Data Policy: …) https://www.facebook.com/privacy/policy/). As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, so-called “Page Insights,” to page operators, so that they can gain insights into how people interact with their pages and with the content associated with them. We have entered into a specific agreement with Facebook (“Page Insights information,” …) https://www.facebook.com/legal/terms/page_controller_addendum) which regulates in particular what security measures Facebook must observe, and in which Facebook has agreed to fulfill data subject rights (i.e., users can, for example, direct requests for information or deletion directly to Facebook). Users’ rights (in particular the right of access, deletion, objection, and the right to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Page Insights information”
( https://www.facebook.com/legal/terms/information_about_page_insights_data).
The joint controllership is limited to the collection of data and its transfer to Meta Platforms Ireland Limited, a company based in the EU. Any further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes the transfer of the data to its parent company Meta Platforms, Inc. in the USA; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) ( https://www.facebook.com/legal/EU_data_transfer_addendum), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) (https://www.facebook.com/legal/EU_data_transfer_addendum).
Airbnb: Rental and booking of accommodations, experiences and activities; management of reservations; communication between hosts and guests; payment processing;
Service provider: Airbnb Ireland UC, 8 Hanover Quay, D02 DP23 Dublin 2, Ireland;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website https://www.airbnb.de. Datenschutzerklärung: https://www.airbnb.de/help/article/2855/datenschutzerklärung.
Booking.com Partner Program: Affiliate marketing partner program;
Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands;
Legal basis: Legitimate interests (Art. 6(1) sentence 1 lit. f GDPR);
Website: https://www.booking.com. Privacy Policy: https://www.booking.com/content/privacy.de.html.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (referred to below as “third-party providers”). These may include, for example, graphics, videos, or city maps (collectively referred to below as “content”).

Integrating such content always requires that the third-party providers of this content process users’ IP addresses, because without an IP address they would not be able to deliver the content to users’ browsers. The IP address is therefore necessary for displaying this content or these functions. We endeavor to use only content whose respective providers use the IP address solely for delivering the content.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and further details about the use of our online offering, and may also be combined with such information from other sources.

Types of data processed: Usage data (e.g., page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, time information, identification numbers, persons involved); location data (information about the geographic position of a device or a person).
Affected persons: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online offering and user-friendliness.
Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion.” Cookies are stored for up to two years (unless stated otherwise, cookies and similar storage methods may be stored on users’ devices for a period of two years).
Legal bases: consent (Art. 6 para. 1 sentence 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Integration of third-party software, scripts, or frameworks (e.g., jQuery): We integrate software into our online offering that we retrieve from servers of other providers (e.g., function libraries that we use for the presentation or user-friendliness of our online offering). In doing so, the respective providers collect users’ IP addresses and may process them for the purpose of transmitting the software to users’ browsers, for security purposes, and for evaluating and optimizing their services; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).
Google Maps: We integrate maps from the “Google Maps” service provided by Google. The data processed may include, in particular, users’ IP addresses and location data; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; legal basis: consent (Art. 6(1) sentence 1 lit. a GDPR); website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF).
Adobe Fonts: Provision of fonts for integration into web and print designs, synchronization of fonts across devices, access to a library of licensed fonts for creative projects, and management and organization of fonts within projects; service provider: Adobe Systems Software Ireland, 4-6 Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); website: https://www.adobe.com/de/; Privacy Policy: https://www.adobe.com/de/privacy.html; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF). Further information: https://www.adobe.com/de/privacy/policies/adobe-fonts.html.

Application Process

The application process requires applicants to provide us with the data necessary for their assessment and selection. Which information is required results from the job description or, in the case of online forms, from the information provided there.

As a rule, the required information includes personal details such as name, address, and a way to contact the applicant, as well as proof of the qualifications required for the position. Upon request, we are also happy to inform you which details are needed.

If available, applicants are welcome to submit their applications via our online form, which is encrypted according to the latest state of the art. Alternatively, applications can also be sent to us by email. However, we would like to point out that emails are generally not sent in encrypted form on the internet. Although emails are usually encrypted during transmission, this does not apply on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the security of the application during its transmission between the sender and our server.

For the purposes of recruiting candidates, receiving applications, and selecting applicants, we may, in compliance with legal requirements, use applicant management or recruitment software, as well as platforms and services provided by third parties.

Applicants are welcome to contact us regarding how to submit their application, or to send their application to us by post.

Processing of special categories of data: If, within the application process, special categories of personal data (Art. 9(1) GDPR, e.g., health data such as severe disability status, or ethnic origin) are requested from applicants or provided by them, such data is processed so that the controller or the data subject can exercise the rights arising from labor law and the law on social security and social protection and comply with the corresponding obligations, or in order to protect the vital interests of applicants or other persons, or for purposes of preventive health care or occupational medicine, for assessing the employee’s working capacity, for medical diagnosis, for the provision of health or social care or treatment, or for the management of systems and services in the health or social care sector.

Deletion of data: The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if an application for a job posting is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Deletion takes place, subject to a justified withdrawal by the applicants, no later than after a period of six months, so that we can answer any follow-up questions regarding the application and fulfill our documentation obligations under regulations on equal treatment of applicants. Invoices for any travel expense reimbursements are archived in accordance with tax law requirements.

Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no effect on the ongoing application process, and that they can withdraw their consent at any time with effect for the future.

Types of data processed: Inventory/master data (e.g., full name, residential address, contact details, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts, and information relating to them, such as authorship details or time of creation); applicant data (e.g., personal details, postal and contact addresses, application documents and the information contained therein, such as cover letter, CV/resume, references/certificates, as well as other information provided by applicants regarding a specific position or voluntarily provided information about their person or qualifications); usage data (e.g., page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); metadata, communication and procedural data (e.g., IP addresses, time information, identification numbers, persons involved).
Data subjects: Applicants; users (e.g., website visitors, users of online services).
Purposes of processing: Application process (establishing and, where applicable, subsequent implementation as well as possible later termination of the employment relationship); communication; marketing.
Retention and deletion:
Deletion in accordance with the information provided in the section “General information on data storage and deletion.”
Legal bases: Application process as a pre-contractual or contractual relationship (Art. 6(1) sentence 1 lit. b GDPR); legitimate interests (Art. 6(1) sentence 1 lit. f GDPR).

Additional information on processing activities, procedures and services:

Gravity Forms: Creation and evaluation of online forms, surveys and feedback forms, as well as the acceptance of payments and the implementation of automated workflows; service provider: operated on servers and/or computers under the provider’s own data protection responsibility; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Website: https://www.gravityforms.com/ .

Amendments and Updates

We ask you to regularly review the content of our privacy policy. We will update the privacy policy whenever changes to our data processing activities make this necessary. We will inform you as soon as any changes require action on your part (e.g., consent) or any other individual notification.

If we provide addresses and contact details of companies and organizations in this privacy policy, please note that these addresses may change over time and we ask you to verify the information before contacting them.

Definitions of terms

In this section you will find an overview of the terms used in this privacy policy. Where terms are defined by law, those legal definitions apply. The explanations below are primarily intended to aid understanding.

Affiliate tracking: As part of affiliate tracking, links that are used by linking websites to refer users to websites with product or other offers are logged. The operators of the respective linking websites may receive a commission if users follow these so-called affiliate links and subsequently make use of the offers (e.g., purchase goods or use services). For this purpose, it is necessary for providers to be able to track whether users who are interested in certain offers subsequently take advantage of these offers as a result of the affiliate links. Therefore, for affiliate links to function, they must be supplemented with certain values that become part of the link or are stored in another way, e.g., in a cookie. These values include, in particular, the originating website (referrer), the time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, an online identifier of the user, as well as tracking-specific values such as an advertising material ID, partner ID, and categorizations.
Employees: Employees are persons who are in an employment relationship, whether as workers, salaried employees, or in similar positions. An employment relationship is a legal relationship between an employer and an employee that is defined by an employment contract or an agreement. It includes the employer’s obligation to pay remuneration while the employee provides their work. The employment relationship covers various phases, including its establishment (when the employment contract is concluded), its performance (when the employee carries out their work), and its termination (when the employment relationship ends, whether by notice of termination, a termination agreement, or otherwise).

Employee data is all information relating to these persons in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank details, working hours, vacation entitlements, health data, and performance evaluations.
Master data (inventory data): Master data includes essential information that is necessary for identifying and managing contractual partners, user accounts, profiles, and similar assignments. This data may include, among other things, personal and demographic information such as names, contact details (addresses, telephone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, organizations, or systems by enabling clear identification and communication.
Content data: Content data includes information that is generated in the course of creating, editing, and publishing content of any kind. This category of data may include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the content itself, but also includes metadata that provides information about the content, such as tags, descriptions, author information, and publication dates.
Contact data: Contact data is essential information that enables communication with individuals or organizations. It includes, among other things, telephone numbers, postal addresses, and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
Conversion measurement: Conversion measurement (also referred to as “visit action evaluation”) is a method used to determine the effectiveness of marketing measures. As a rule, a cookie is stored on users’ devices on the websites where the marketing measures take place and is then retrieved again on the target website. This allows us, for example, to track whether the ads we place on other websites were successful.
Metadata, communication, and procedural data: Metadata, communication, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information that describes the context, origin, and structure of other data. It may include details such as file size, creation date, the author of a document, and change histories.

Communication data records the exchange of information between users via various channels, such as email correspondence, call logs, messages on social networks, and chat histories, including the persons involved, timestamps, and transmission paths.

Procedural data describes processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, and audit logs used to track and verify events.
Usage data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data covers a broad range of information showing how users use applications, which features they prefer, how long they stay on certain pages, and which paths they take through an application. Usage data can also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. In addition, usage data plays a key role in identifying trends, preferences, and potential problem areas within digital offerings.
Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Profiles with user-related information: The processing of “profiles with user-related information,” or “profiles” for short, includes any form of automated processing of personal data in which such personal data is used to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may involve different information relating to demographics, behavior, and interests, such as interactions with websites and their content, etc.), for example interests in certain content or products, click behavior on a website, or a person’s location. Cookies and web beacons are often used for profiling purposes.
Log data: Log data is information about events or activities that have been recorded in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used to analyze system issues, monitor security, or generate performance reports.
Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate visitor traffic to an online offering and may include visitors’ behavior or interests in certain information, such as website content. With the help of reach analysis, operators of online offerings can, for example, determine when users visit their websites and which content they are interested in. This allows them, for instance, to adapt website content more effectively to visitors’ needs. For reach analysis purposes, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more accurate analyses of how an online offering is used.
Remarketing: “Remarketing” or “retargeting” refers to, for example, recording which products a user was interested in on a website for advertising purposes in order to remind the user of these products on other websites, e.g., through advertisements.
Location data: Location data is generated when a mobile device (or another device with the technical capability to determine location) connects to a cell tower, Wi-Fi network, or similar technical means and location services. Location data indicates the geographically determinable position on earth where the respective device is located. Location data may be used, for example, to display map functions or other location-based information.
Tracking: “Tracking” refers to the ability to follow users’ behavior across multiple online offerings. As a rule, behavioral and interest information relating to the online offerings used is stored in cookies or on the servers of the providers of tracking technologies (so-called profiling). This information can then be used, for example, to show users advertisements that are likely to match their interests.
Controller: The “controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processing: “Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, such as collection, analysis, storage, disclosure/transmission, or deletion.
Contract data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include contract start and end dates, the type of services or products agreed, pricing arrangements, payment terms, termination rights, renewal options, and special terms or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
Payment data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is essential for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction data, verification numbers, and billing information. Payment data may also include information about payment status, chargebacks, authorizations, and fees.
Audience creation: Audience creation (in English “Custom Audiences”) refers to defining target groups for advertising purposes, e.g., for displaying ads. For example, based on a user’s interest in certain products or topics on the internet, it may be inferred that this user is interested in ads for similar products or for the online shop where they viewed the products. “Lookalike Audiences” (or similar audiences) refers to showing content that is considered suitable to users whose profiles or interests presumably correspond to those of the users for whom the original profiles were created. Cookies and web beacons are generally used for the creation of Custom Audiences and Lookalike Audiences.

Privacy Policy

Preamble

Table of Contents

Verantwortlicher

Overview of Processing Activities

Types of Data Processed

Special Categories of Data

Categories of Data Subjects

Purposes of Processing

Maßgebliche Rechtsgrundlagen

Sicherheitsmaßnahmen

Transfer of Personal Data

International Data Transfers

Allgemeine Informationen zur Datenspeicherung und Löschung

Rights of Data Subjects

Business Services

Business Processes and Procedures

Einsatz von Online-Plattformen zu Angebots- und Vertriebszwecken

Service Providers and Services Used in the Course of Business Activities

Provision of the Online Offering and Web Hosting

Use of Cookies

Blogs and Publishing Media

Contact and Inquiry Management

Newsletter and Electronic Notifications

Web Analytics, Monitoring and Optimization

Online Marketing

Online Reservation

Customer Reviews and Rating Procedures

Social Media Presences

Plugins and Embedded Functions and Content

Application Process

Amendments and Updates

Definitions of terms

Newsletter

Erfahren Sie zuerst von exklusiven Angeboten

Privacy Policy

Preamble

Table of Contents

Verantwortlicher

Overview of Processing Activities

Types of Data Processed

Special Categories of Data

Categories of Data Subjects

Purposes of Processing

Maßgebliche Rechtsgrundlagen

Sicherheitsmaßnahmen

Transfer of Personal Data

International Data Transfers

Allgemeine Informationen zur Datenspeicherung und Löschung

Rights of Data Subjects

Business Services

Business Processes and Procedures

Einsatz von Online-Plattformen zu Angebots- und Vertriebszwecken

Service Providers and Services Used in the Course of Business Activities

Provision of the Online Offering and Web Hosting

Use of Cookies

Blogs and Publishing Media

Contact and Inquiry Management

Newsletter and Electronic Notifications

Web Analytics, Monitoring and Optimization

Online Marketing

Online Reservation

Customer Reviews and Rating Procedures

Social Media Presences

Plugins and Embedded Functions and Content

Application Process

Amendments and Updates

Definitions of terms

Lunch & TIME

Weekly changing lunch menu