Privacy Policy

Controller

Data Collected

When you visit this website, your browser transmits technical data to our server (IP address, browser type, pages visited, date and time). This data is processed on the basis of Art. 6 (1)(f) GDPR (legitimate interest in operating and securing the website). Data is not stored beyond server log retention periods.

Cookies and Analytics

In addition to technically necessary cookies, this website uses cookies and comparable technologies for reach and usage analysis (Google Analytics 4). These are set exclusively after your prior, explicit consent. Without your consent, no analytics or tracking cookies are used.

Google Analytics 4

This website uses Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies and comparable technologies that enable an analysis of your use of our website.

Purpose: We use Google Analytics to statistically evaluate the reach and use of our website (reach and usage analysis) in order to optimise our offering and make it more user-friendly.

Data processed: In particular, the following data is processed: pages and interactions, date and time of access, approximate location (region), device and browser information, referrer, and your IP address. Before any storage or further processing, your IP address is shortened/anonymised by Google so that no direct reference to your IP address can be established. We do not merge this data with other data about you.

Legal basis: The use of Google Analytics, as well as the storage of and access to information on your device required for this purpose, is based exclusively on your consent pursuant to Art. 6 (1)(a) GDPR in conjunction with Section 25 (1) of the German Telecommunications Digital Services Data Protection Act (TDDDG).

Consent and withdrawal:Processing of your data by Google Analytics only takes place after you have actively and explicitly given your consent via our cookie banner. Before your consent, no analytics tag is loaded and no analytics cookies are set. Your consent is voluntary and can be withdrawn at any time with effect for the future via the “Cookie settings” link in the footer of our website. The lawfulness of processing carried out up to the point of withdrawal remains unaffected.

Recipient and data processing agreement: The recipient of the data is Google acting as a processor. We have concluded a data processing agreement with Google pursuant to Art. 28 GDPR.

Retention period: Data collected at user level via Google Analytics is automatically deleted after the retention period we have set of 14 months. The analytics cookies set on your device each have a limited storage duration and are deleted at the latest upon expiry of that period or upon withdrawal of your consent.

Transfer to the USA: When using Google Analytics, personal data may be transferred to Google LLC, based in the USA. An adequacy decision of the European Commission of 10 July 2023 exists for the USA on the basis of the EU-US Data Privacy Framework (DPF). Google LLC is certified under the EU-US Data Privacy Framework, so the transfer takes place on this basis pursuant to Art. 45 GDPR. We point out that, despite the adequacy decision, a residual risk remains with a transfer to the USA, in particular regarding possible access by US authorities. Should no adequacy decision apply, we additionally base the transfer on your explicit consent pursuant to Art. 49 (1)(a) GDPR.

Further information: For more details on how Google handles your data, please see Google’s privacy policy at https://policies.google.com/privacy.

Room booking via SiteMinder (direct booking)

To display real-time availability and to enable direct room bookings, we use the booking engine (“The Booking Button”) provided by SiteMinder Limited, Level 7, Suite 7.01, 155 Clarence Street, Sydney NSW 2000, Australia. The booking widget is embedded in our website via the domain direct-book.com. When you make a booking, you enter your data directly into this booking engine.

Purpose: Real-time display of available rooms and rates, acceptance and processing of your room booking, and the subsequent administration of your accommodation contract. SiteMinder also acts as our channel manager, synchronising availability across our booking channels.

Data processed: First and last name, contact details (email, phone, address where applicable), stay dates (arrival/departure), room and rate selection, number of guests, any special requests or remarks, and payment-related information where applicable. In addition, technical data required to operate the embedded widget are processed (e.g. IP address, time of access, browser/device information).

Legal basis: Processing of your booking data is carried out to perform pre-contractual measures and to fulfil the accommodation contract pursuant to Art. 6(1)(b) GDPR. Insofar as the embedded booking widget stores cookies or accesses information on your device that is strictly necessary to provide the booking function you have expressly requested, we rely on Section 25(2)(2) TDDDG. Any access that is not strictly necessary takes place only with your consent under Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

Recipients / processing on our behalf: SiteMinder processes the booking data on our behalf and on our instructions as a processor within the meaning of Art. 28 GDPR, under a data processing agreement. SiteMinder may additionally act as an independent controller for the operation of its own technical platform.

International data transfers: SiteMinder is a company based in Australia and processes data through SiteMinder group companies and service providers worldwide, including in the USA (where its cloud storage is located). No EU adequacy decision exists for Australia, and only a limited one applies to the USA. Transfers are therefore based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, which SiteMinder has concluded with the relevant group companies and service providers. Despite these safeguards, a residual risk cannot be entirely excluded, as authorities in third countries may under certain circumstances access data without a level of protection equivalent to EU law being enforceable in every case.

Retention period: Booking data are stored for the duration of the contractual relationship and beyond, within the scope of statutory retention obligations (in particular commercial and tax law, generally up to ten years), after which they are deleted.

Further information: For details on SiteMinder’s data processing, please see the provider’s privacy policy at https://www.siteminder.com/legal/privacy/.

Payment processing via Stripe

For the online payment of breakfast bookings made by our day guests, we use the payment service provider Stripe. The provider for customers within the European Economic Area is Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (“Stripe”). Stripe Payments Europe, Limited is part of Stripe, Inc., based in the USA.

Purpose: We use Stripe to process the online payment you have chosen for a breakfast booking, to allocate the payment, and to prevent payment defaults and fraud.

Data processed: In the course of payment processing, in particular the following data is processed: payment and card data (e.g. card number, expiry date, security code or the details of the payment method used), name, e-mail address, invoice amount and booking reference, as well as technical transaction data (e.g. timestamp, IP address and fraud-prevention data). The card and payment data are processed directly by Stripe; we ourselves do not receive this payment data in plain text, but only information on the status and allocation of the payment.

Legal basis: The legal basis for processing in order to carry out the payment is Art. 6(1)(b) GDPR (performance of the contract concluded with you or implementation of pre-contractual measures). Insofar as Stripe processes data for the purposes of fraud prevention and the security of payment transactions, this is based on the legitimate interest in secure and abuse-free payment processing pursuant to Art. 6(1)(f) GDPR.

Recipient and responsibility: The recipient of the payment data is Stripe. Stripe processes the data required to carry out the payment partly on our behalf and partly under its own data protection responsibility (in particular to comply with legal and regulatory obligations and for fraud prevention). Insofar as Stripe acts as a processor, a data processing agreement pursuant to Art. 28 GDPR is in place.

Transfer to the USA: In the course of payment processing, personal data may be transferred to Stripe, Inc., based in the USA. An adequacy decision of the European Commission of 10 July 2023 exists for the USA on the basis of the EU-US Data Privacy Framework (DPF); insofar as Stripe, Inc. is certified under the EU-US Data Privacy Framework, the transfer takes place on this basis pursuant to Art. 45 GDPR. In addition, Stripe bases transfers to third countries on standard contractual clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR. We point out that, despite the adequacy decision, a residual risk remains with a transfer to the USA, in particular regarding possible access by US authorities.

Retention period:We store the payment-related data for as long as is necessary to process the booking and as long as statutory retention obligations (in particular commercial and tax retention periods) apply. The duration of processing at Stripe is governed by the provisions of Stripe’s privacy policy.

Further information: For more details on how Stripe handles your data, please see Stripe’s privacy policy at https://stripe.com/privacy.

Your Rights

You have the right to access, rectification, erasure, restriction of processing, data portability, and objection (Arts. 15–21 GDPR). To exercise these rights, contact us at the address above. You also have the right to lodge a complaint with a supervisory authority.