Data protection
Created on: 28.07.2022
🔄 This privacy policy was completely revised on June 20, 2025.
Last modified: January 11, 2026
General information on data processing
Protecting your personal data is important to us – not just because it's required by law, but because we work with people we treat with respect. This privacy policy informs you about how we at Wiener Nimmerland handle personal data collected through our website or during bookings and communications.
Our data processing is governed by the provisions of the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and all other applicable provisions.
This statement applies to all processing operations in which we collect personal data – for example, when you visit our website, contact us, book a tour, or interact with us on social media. Data processing by third-party services we use is also described here.
If you have any questions or concerns, please feel free to contact us at any time – you will find contact details in the next section.
Responsibility for data protection
Responsible for the processing of personal data within the meaning of the GDPR is:
Responsible for data processing
Wiener Nimmerland
Sole proprietor: Martin Gerhard Klinger
Venediger Au 4, 1020 Vienna
E-mail: office@wienernimmerland.at
Contact person for data protection
Nadine Liebl
Lassallestrasse 2/25, 1020 Vienna
E-mail: backend@wienernimmerland.at
Phone number: +436707011176
What data we collect and for what purpose
We only process personal data when it is necessary for the use of our services – for example, for a booking, an inquiry, or a visit to our website. We always ensure that we only process the data we actually need.
Below you will find an overview of which types of data can be processed and what we use them for:
Visit the website
When you visit our website, technical information is automatically collected to display the site correctly and ensure its security. This includes, among other things:
This data is used for the technical provision and security of the website, as well as for anonymized usage analysis in order to improve our online offering. The processing is based on our legitimate interest in accordance with Art. 6 (1) (f) GDPR.
External media content and embedded elements
Our website uses embedded content in several places, such as videos, maps, or review components. Such content comes from external platforms such as Vimeo, OpenStreetMap, or Google. It is integrated directly into our website or activated via unique buttons.
If you interact with such content or actively access it (e.g. by clicking on a video or a map), the following personal data may be transferred to the respective providers:
An automatic connection will, where possible, only be established after active consent (e.g., clicking on "Play video" or "Open route on Google Maps"). Further information on the technical functionality and the privacy policies of the providers can be found in the section “Tools & Third-Party Services Used” of this privacy policy.
This data is processed on the basis of our legitimate interest in accordance with Art. 6 (1) (f) GDPR, in particular for the user-friendly provision of multimedia content and to improve the functionality of our website.
Bookings via Bookeo
We use the online booking system Bookeo to process bookings. When you make a booking, the following data is processed:
From January 1st, 2026, due to applicable VAT regulations, we are obliged to issue invoices for companies and invoices with a total amount exceeding €400, including the full address.
The address data is processed exclusively for the purpose of legally required invoicing and tax documentation on the basis of Art. 6 para. 1 lit. c GDPR (legal obligation).
The remaining data is required to provide the booked service, inform you about relevant details, and facilitate organizational processes. This processing is based on Article 6(1)(b) GDPR (performance of a contract).
Bookeo acts as a processor in accordance with Art. 28 GDPR. Data is transmitted via an encrypted connection.
Order a voucher (via form on the website, email or phone)
When you order a voucher – whether via the form on the website, by email, or by telephone – we process the personal data you provide and then transfer it to our booking system. The following data is typically processed:
The web form on our website was programmed in-house – therefore, no external form services are used. Your data is transmitted encrypted (via HTTPS) and processed internally only. It is then securely transferred to Bookeo to generate the voucher code. This ensures that the code can be automatically recognized and redeemed for online bookings.
The data is processed on the basis of Art. 6 para. 1 lit. b GDPR (contractual necessity) in order to perform the service or to properly create the voucher.
Payment processing
We offer the following options for paying for a booking:
During payment processing, the following data may be processed depending on the payment method:
We do not receive any credit card or account details, as these are processed directly through Stripe or PayPal. We use the payment information provided by these providers (e.g., transaction number, status, email) solely to allocate and confirm the payment. Further details about the data processing of the payment providers can be found in the section “Payment provider” of this privacy policy.
The processing is carried out to fulfill the contract in accordance with Art. 6 (1) (b) GDPR.
Contact us by email or phone
When you contact us, by email or phone, we process the information you provide. This typically means:
We need this data to process and respond to your inquiry effectively. Depending on the nature of the inquiry, processing is based on our legitimate interest (Art. 6 (1) (f) GDPR) or to initiate or process a contractual relationship (Art. 6 (1) (b) GDPR).
Public Relations & Media Content
As part of our educational work and prevention projects, we occasionally document tours in the form of photos, videos or short reports – for example, for our website, social media or project reports.
Such content will only be published:
We place particular emphasis on child protection, dignity, and context sensitivity. Media content is carefully reviewed and never published without prior approval.
The creation and processing of media content is based on Art. 6 (1) (a) GDPR (consent), as media content such as photos, videos, or audio is only created with consent. The creation of this media serves to document Wiener Nimmerland's educational work and represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.
Legal basis for data processing
Your personal data will only be processed on a legally permissible basis. Depending on the specific case, different provisions of the General Data Protection Regulation (GDPR) apply:
Consent
(Art. 6 (1) (a) GDPR)
In certain cases, we only process personal data if you have given us your express prior consent – for example, if you activate an embedded video or provide certain voluntary information.
This consent is, of course, voluntary and can be revoked at any time. The revocation takes effect from the moment you express it; processing prior to this remains lawful.
Fulfillment of a contract or pre-contractual measures
(Art. 6 (1) (b) GDPR)
When you book a tour or contact us with an inquiry, we process your data to fulfill this contract or to carry out pre-contractual measures (e.g. booking request, booking confirmation).
Legal obligations
(Art. 6 (1) (c) GDPR)
We are legally obliged to retain certain personal data – for example, for proper accounting or to comply with tax retention obligations (e.g. invoices or booking confirmations).
From January 1, 2026, we are also legally obliged to address invoices to companies and invoices with a total amount exceeding €400 with a full address.
Legitimate interest
(Art. 6 (1) (f) GDPR)
We process some data based on our legitimate interest – for example:
We take great care to ensure that your rights or freedoms are not unduly affected.
Further legal bases
In addition to the General Data Protection Regulation, national data protection regulations also apply to us. In Austria, this is particularly the Data Protection Act (DSG), which applies in addition to the GDPR.
Cooperation with service providers and sharing of data
As part of our activities, we work with selected external service providers to provide you with a functioning, secure, and user-friendly website and to ensure smooth processing of inquiries and bookings. It may be necessary to share certain personal data with these partners.
The transfer will only take place if:
Order processing according to Art. 28 GDPR
Some of our external service providers are based or have servers located outside the European Union or the European Economic Area. In these cases, we take particular care to ensure that processing is carried out in compliance with European data protection standards.
Typical data processors include:
All processors used are carefully selected and contractually obliged to comply with data protection regulations.
Data transfer to countries outside the EU
Some of our external service providers are based or have servers located outside the European Union or the European Economic Area. This applies, for example: Bookeo, Stripe, PayPal, Google, Vimeo.
In these cases, the transmission of personal data is based on standard contractual clauses pursuant to Art. 46 GDPR to ensure an appropriate level of data protection. Details about the individual providers can be found in the section “Tools & Third-Party Services Used” of this privacy policy.
No disclosure for advertising purposes
A transfer of your data to third parties for marketing or advertising purposes does not occur – neither as part of cooperations nor for payment. Profiling in the sense of automated decision-making is also not intentionally carried out by us.
Storage period and deletion of data
We generally only store personal data for as long as it is necessary for the respective purposes – for example, to process a booking, to fulfill legal obligations or to answer an inquiry.
Principles of data storage
As soon as the purpose for storage no longer applies, the corresponding data is either deleted or anonymized. Longer retention may be legally or organizationally necessary in the following cases:
Specific storage periods
The length of time personal data is stored depends on the purpose of the processing and the applicable statutory deadlines. As a general rule, the following guidelines apply:
| Data type | Storage duration |
|---|---|
| Booking and contact details | 7 years (required, according to § 132 BAO) |
| Billing and payment information | 7 years (required, according to § 132 BAO) |
| Website access data (IP, browser, etc.) | max. 14 days (anonymized only) |
| Anonymous feedback (feedback form) | no personal data |
| Email correspondence | depending on the occasion, usually between 1–3 years |
Right to erasure
You can request the deletion of your personal data stored by us at any time, unless there is a legal obligation to retain data. In this case, the data will be blocked until the expiry of the statutory period.
Your rights regarding personal data
As a data subject, you have certain rights under the General Data Protection Regulation (GDPR) that guarantee transparent and fair data processing. You can contact us at any time if you wish to exercise any of the following rights:
Information
(Art. 15 GDPR)
You have the right to know whether we process your personal data. If so, you will receive an overview of what data is stored, for what purpose, and on what basis.
Correction
(Art. 16 GDPR)
If data is incorrect or incomplete, you can request correction at any time.
Deletion
(Art. 17 GDPR)
You can request that your data be deleted, provided there is no legal obligation to retain it or no other legitimate interest on our part prevails.
Restriction of processing
(Art. 18 GDPR)
In certain cases, you can request that your data be stored but not further processed (e.g. during a review phase).
Data portability
(Art. 20 GDPR)
You have the right to receive your data in a structured, common and machine-readable format.
Objection
(Art. 21 GDPR)
If we process your data on the basis of a legitimate interest, you can object to this processing at any time – especially in connection with direct communication or internal analysis purposes.
Right to lodge a complaint with the data protection authority
If you believe that the processing of your data violates data protection law, you have the right to lodge a complaint with the competent authority. In Austria, the following supervisory authority is responsible:
Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Phone number: +43 1 52 152-0
E-mail: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
Security measures for data processing
We implement comprehensive technical and organizational measures to protect your personal data as best as possible. These measures are based on the current state of the art and are regularly reviewed and adjusted as needed.
In accordance with Art. 25 GDPR, which prescribes data protection through technical design and data protection-friendly default settings, we take security aspects into account when selecting our software and hardware. An example of this is the implementation of TLS encryption.
Encryption & transmission security
Our website is fully accessible via HTTPS (TLS encryption). This means that all data transmitted between your device and our server is encrypted and protected from unauthorized access.
You can recognize a secure connection by the lock symbol in the address bar of your browser and by the address beginning with https://.
Access control & data access internally
Access to personal data is limited to those who actually need it to perform their duties. All internal systems are secured with strong passwords, role-based access policies, and—where appropriate—two-factor authentication.
Data access occurs exclusively on protected devices and – especially in the case of sensitive data – is handled via secure connections.
Protection of IT systems
Our systems are protected against unauthorized access and malware through regular updates, firewalls, and security mechanisms. External servers (e.g., web hosting) are operated exclusively by providers that comply with applicable data protection and security standards.
Data backup & reliability
To prevent data loss, we perform regular backups. The data is stored encrypted on external servers within Germany, operated by Hetzner Online GmbH, and is only accessible internally. Hetzner acts as a GDPR-compliant data processor in this process.
No automated decision-making
We do not conduct automated decisions or profiling. All decisions—especially those related to communication or booking processing—are made by humans.
Cookies and local storage
Our website works without tracking cookies or third-party cookies. We attach great importance to respecting your privacy – that's why we deliberately do not use any analysis or advertising tools that would require your consent.
No cookies requiring consent
The storage duration of these cookies varies: some are deleted after your session ends, others may remain on your device for a longer period to save your preferences for future visits. You have control over these cookies and can delete or block them at any time via your browser settings. This may limit the functionality of our webshop; for more information, see the section “Necessary cookies in the webshop” of this privacy policy.
Local storage by the browser
In some cases, when you use the website, certain settings (e.g. language selection, display options) may be stored locally in your browser's memory. This information is not transmitted to us and does not leave your device. You can delete this local storage at any time in your browser settings.
No cookie banner necessary
Since we use no analysis or advertising cookies, no social media trackers and deliberately no integrations with automatically active data transfer, no cookie banner is required. We intentionally refrain from using such tools for reasons of simplicity, user-friendliness, and data protection compliance.
Tools & third-party services used
To ensure our website functions properly, bookings are possible, and communication runs smoothly, we use various technical systems and external service providers. In this section, we describe exactly which tools and providers we use, why we use them, what data is processed, and how we ensure data protection.
Web hosting: Helloly
Our website is hosted by Helloly GmbH, based in Linz. Helloly provides us with storage space, database, and server infrastructure, thus taking over the technical operation of our website—including email delivery, server maintenance, and system availability.
All data you enter or submit through our website is stored on servers in Austria. These servers are subject to Austrian data protection law and are regularly backed up, maintained, and protected from unauthorized access.
The processing is based on our legitimate interest in the secure and reliable operation of the website pursuant to Art. 6 (1) (f) GDPR. A data processing agreement has been concluded with Helloly.
Further information can be found in Helloly's privacy policy.
Server infrastructure & automation: Hetzner Online GmbH
To protect data and for internal automation, we operate a virtual server at Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). These servers are used exclusively for processing internal workflows (e.g., automated invoice generation, email distribution, creation of appointment lists) and for the secure storage of backups.
Hetzner complies with all GDPR requirements and operates data centers exclusively within the EU (Germany). Data processing is carried out under a data processing agreement in accordance with Article 28 GDPR. No data is shared with third parties – access is strictly internal and technically limited.
Content Management System: WordPress.org
Our website is based on the content management system WordPress.org. WordPress itself does not automatically process personal data; functionality is extended via plugins. We take great care to use only plugins that are GDPR-compliant and do not cause unnecessary or uncontrolled transfer of personal data.
To the extent that plugins process data, this is done either entirely locally or via data protection-compliant connections to third-party providers. The following plugins are actively in use:
| Plugin | Function / data protection-relevant information |
|---|---|
| WooCommerce | Webshop operation (shop items) – local processing of all order data on our server |
| Flexible Shipping | Shipping/delivery logic in the WooCommerce system – local data processing |
| Payment plugins Stripe for WooCommerce | Online payment via Stripe – transfer of data via secure connection to the Stripe payment gateway |
| Payment Gateway Plugin for PayPal WooCommerce | Online payment via PayPal – transfer of data via secure connection to the PayPal payment gateway |
| GP Premium (GeneratePress Pro) | Theme for Layout & Design – does not process any personal data |
| Simple CSS | Local CSS customization – no data storage or processing |
| Stackable – Gutenberg Blocks | Frontend layout – no personal data usage |
| Reviews and Rating – Google Reviews | Display of Google reviews through direct display – no connection to Google |
| The SEO Framework | Search engine optimization – operated locally on the server, no personal data |
| TranslatePress – Multilingual | Translate the website (e.g. English) – local storage of the language selection in the browser |
Further details on data processing by WordPress.org can be found in the WordPress Privacy Policy.
Further information on data processing by WooCommerce can be found in Automattic's privacy policy.
Booking system: Bookeo
To manage bookings, we use the booking system Bookeo, which is operated by a provider based in Australia. Since there is no general EU adequacy decision for Australia, a special agreement was concluded with Bookeo to comply with the EU General Data Protection Regulation (GDPR). This also includes the application of the Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR.
Bookeo processes personal data such as:
Furthermore, we access Bookeo via secure interfaces (APIs and webhooks) to automatically process bookings – for example, for invoicing, appointment management, or notifications. The processes used for this are based on self-developed program code, which is executed under our responsibility on servers of a data processor commissioned by us (Hetzner Online GmbH). No processing via additional external automation or third-party platforms takes place. Data processing is carried out exclusively on secure, contractually guaranteed systems.
Further information can be found in the Bookeo privacy policy:
Payment provider
We offer several payment options:
With Stripe and PayPal, personal payment data is processed directly through their platforms. We only receive the information necessary to assign the payment (e.g., transaction ID, name, payment status).
Stripe is used as a payment service provider to process credit card payments as well as Klarna Sofortüberweisung (formerly “Sofort”) and EPS. Even if the payments are technically made via Stripe, these providers may carry out their own data processing.
The transfer is based on the Standard Contractual Clauses of the EU Commission. Both providers are considered independent controllers within the meaning of the GDPR. You can find more information in the respective privacy policies of the payment providers:
Online map services: OpenStreetMap & Google Maps
Our website uses the map service OpenStreetMap. The maps are integrated directly when you access the respective page. This establishes a connection to the OpenStreetMap servers, which may transmit data such as your IP address, device information, and browser type.
Further information can be found in the OpenStreetMap privacy policy.
Since Google Maps is much better known and preferred by many, we also offer a manual link to Google Maps in addition to the privacy-friendly OpenStreetMap display. Clearly marked buttons such as “Location on Google Maps” let you decide for yourself whether you want to access Google Maps. Only by clicking on such a button will a connection to Google's servers be established, which may result in the transfer of personal data.
Further information can be found in the Google privacy policy.
Video platform: Vimeo
Some videos on our website are stored directly on our server and played locally. No data is transferred to third parties.
Other videos are embedded via the platform Vimeo. For data protection reasons, this content is not loaded automatically. Before such a video is played, you must actively agree to a notice informing you that a connection to the servers of Vimeo Inc. (USA) will be established upon launch. This may involve the transmission of personal data such as your IP address, device data, or usage behavior.
The transmission of personal data is based on the Standard Contractual Clauses of the EU Commission, accepted by Vimeo, on the protection of personal data in accordance with Art. 46 GDPR.
Further information can be found in the Vimeo privacy policy.
Review platforms: Google
Our tours and Wiener Nimmerland can be rated via review platforms such as Google Reviews. Many participants share their feedback there publicly to help others make their decisions. Some of these reviews are displayed directly on our website, in compliance with data protection regulations and without establishing a connection to the platform.
When using this platform, personal data (e.g., IP address, device data, location) is processed by Google. Submitting a review is subject to the platform's privacy policy and terms of service.
You can find more information in the Google Reviews Privacy Policy.
Fonts: Google Fonts
Our website does not load fonts from external servers such as Google Fonts. Instead, all fonts used are integrated locally on our web server, so that no automatic connection to Google or other third parties is established.
This is done in line with data protection-friendly design in accordance with Art. 25 GDPR.
Online communication: WhatsApp Business
You can also contact us via WhatsApp Business, for example to arrange an appointment or to clarify organizational questions. We may process the following data:
Communication is voluntary. Please note that WhatsApp also processes data outside the EU, in particular on servers of Meta Platforms Inc. (USA). We would like to point out that by using WhatsApp, you accept their privacy policy.
For further information, please see the WhatsApp Privacy Policy (Meta).
Webshop & order processing
Processing of order data
When you order products in our webshop, we collect and process the following personal data:
We need this data to process your order, to communicate with you in case of queries and for invoicing.
The legal basis for this data processing is Art. 6 (1) (b) GDPR (fulfillment of a contractual relationship).
Payment processing
For payment processing in the webshop, we use the external payment service providers Stripe and PayPal. For orders placed by email, payment can be made by PayPal or bank transfer.
When paying via Stripe or PayPal, the required payment data (e.g., credit card or account information, amount, IP address, and invoice number, if applicable) is transmitted to the respective provider. We do not have full access to your payment data (e.g., we cannot view credit card numbers), but we do receive transaction confirmations for payment allocation.
The processing is based on Art. 6 (1) (b) GDPR (performance of the contract) as well as in relation to security and fraud prevention measures based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR.
Further details about payment providers can be found in the section “Payment provider”.
Transfer to shipping service providers
To deliver the ordered products, we will pass on your name and delivery address to our shipping partners. We usually ship with Hermes, in individual cases also with post, DHL or DPD.
The transfer takes place exclusively for the purpose of fulfilling the contract in accordance with Art. 6 (1) (b) GDPR.
You can find more information about how Hermes handles data in the Hermes privacy policy.
Necessary cookies in the webshop
In our webshop we only use technically necessary cookies which ensure smooth technical operation and use of the webshop:
For more information, see the section “Cookies” of this privacy policy.
