Data protection
Introduction and overview
We have written this data protection declaration (version 07/28/2022 - 122055658 [last update/change on 06/30/2022]) in order to provide you with information in accordance with the requirements of General Data Protection Regulation (EU) 2016/679 and applicable national laws to explain which personal data (data for short) we as the responsible party - and the processors commissioned by us (e.g. providers) - process, will process in the future and what legal options you have. The terms used are to be understood as gender-neutral.
Scope of application
This data protection declaration applies to all personal data processed by us in the commercial sector and to all personal data that companies commissioned by us (processors) process. By personal data we mean information within the meaning of Art. 4 No. 1 GDPR such as a person's name, e-mail address and telephone number. The processing of personal data ensures that we can offer and bill our services and products, whether online or offline. The scope of this privacy policy includes:
In short: The data protection declaration applies to all areas in which personal data is processed in a structured manner in our company via the channels mentioned.
Legal bases
In the following data protection declaration, we provide you with transparent information on the legal principles and regulations, i.e. the legal basis of the General Data Protection Regulation, which enable us to process personal data.
As far as EU law is concerned, we refer to the "Regulation (EU) 2016/679 of the European Parliament and of the Council" of April 27, 2016. You can of course read this EU General Data Protection Regulation online at EUR Lex, access to EU law.
We only process your data if at least one of the following conditions applies:
In addition to the EU regulation, national laws also apply. In Austria, this is the federal law for the protection of natural persons when processing personal data (data protection law), DSG for short.
Contact details of those responsible
If you have any questions about data protection or the processing of personal data, you will find the contact details of the person responsible below:
Nadine Liebl – Lassallestrasse 2/25 – 1020 Vienna
E-mail: backend@wienernimmerland.at
Phone number: +4369919227642
Storage duration
The fact that we only store personal data for as long as is absolutely necessary for the provision of our services is a general criterion for us. This means that we delete personal data as soon as the reason for the data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased to exist, for example for accounting purposes.
If you wish your data to be deleted or revoke your consent to data processing, the data will be deleted as quickly as possible and provided there is no obligation to store it.
Rights under the General Data Protection Regulation (GDPR)
According to Article 13, 14 GDPR we inform you about the following rights to which you are entitled. In this way we ensure fair and transparent processing of data:
In a nutshell: You have rights - do not hesitate to contact our responsible data protection officer! You can find the contact details above in this Privacy Policy.
If you believe that the processing of your data violates data protection law or your data protection rights have been violated in any other way, you can complain to the supervisory authority. Submit your complaint to the data protection authority by email or post. The following data protection authority is responsible for our business:
Data Protection Authority of Austria
leader: Mag. Dr. Andrea Jelinek
Address: Barichgasse 40-42, 1030 Vienna
Phone number.: +43 1 52 152-0
E-mail address: dsb@dsb.gv.at
site: https://www.dsb.gv.at/
Security of data processing
General
In order to protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymise personal data.
Art. 25 GDPR speaks here of “data protection through technology design and through data protection-friendly default settings” and means that one always thinks of security and corresponding security both with software (e.g. forms) and hardware (e.g. access to the server room). measures. One of these measures is TLS encryption.
TLS encryption with https
We use HTTPS (the Hypertext Transfer Protocol Secure stands for "secure hypertext transfer protocol") to transmit data securely on the Internet. This means that the complete transmission of all data from your browser to our web server is secured - nobody can "eavesdrop".
We have thus introduced an additional security layer and comply with data protection by design (Article 25 paragraph 1 GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission on the Internet, we can ensure the protection of confidential data.
You can recognize the use of this protection for data transmission by the small lock symbol in the top left corner of the browser, to the left of the Internet address (e.g. examplepage.de) and the use of the scheme https (instead of http) as part of our internet address.
Order processing contract (AVV)
Like most companies, we do not work alone, but also use the services of other companies or individuals ourselves. By involving various service providers, we may pass on personal data for processing (e.g. in the booking system). These partners then act as processors with whom we conclude a contract, the so-called data processing contract (AVV). The most important thing for you to know is that the processing of your personal data takes place exclusively according to our instructions and must be regulated by the AVV. According to the GDPR definition: any natural or legal person, authority, institution or other body that processes personal data on our behalf is considered a processor. Processors can therefore be service providers such as hosting or cloud providers, payment providers or large companies.
Communication
If you contact us and communicate by phone, WhatsApp, email or web form/online contact form, personal data may be processed. These data are processed for the handling and processing of your question and the possibly related booking process and consequently for the accounting.
In addition, data such as name and telephone number can be sent by e-mail (to the customer) and stored to answer enquiries. The data will be deleted as soon as the business case has ended and legal requirements permit.
Legal bases
The processing of the data is based on the following legal bases:
Cookies
Our website uses HTTP cookies to store user-specific data. Most websites store small text files in your browser. These files are called cookies. These cookies store certain user data from you, such as language or personal page settings.
The question of which cookies we use in particular depends on the respective services. There are 4 types of cookies:
Essential cookies
These cookies are necessary to ensure basic functions of the website. For example, these cookies are needed if a user has selected a tour, then continues surfing on another page and only later completes the booking. These cookies do not delete the selection even if the user closes their browser window.
Functional cookies
These cookies collect information about user behavior and whether the user receives any error messages. In addition, these cookies are also used to measure the loading time and behavior of the website in different browsers.
Targeting cookies
These cookies ensure a better user experience. For example, entered locations, font sizes or form data are saved.
Advertising cookies
These cookies are also called targeting cookies. They are used to provide the user with individually tailored advertising.
Usually, when you visit a website for the first time, you will be asked which of these types of cookies you would like to allow. And of course this decision is also stored in a cookie.
The storage period depends on the respective cookie. Some cookies are deleted after less than an hour, others can remain stored on a computer for several years. You can also influence the storage period yourself and delete all cookies manually at any time via your browser.
Web hosting – domain technology
The code of the website is stored on the web server. The operation of a web server is a complicated and time-consuming task, which is why this is usually taken on by professional providers, the providers. For Wiener Nimmerland this is taken over by the provider Domaintechnik.
Personal data may be processed when the browser on your computer (desktop, laptop, tablet or smartphone) connects and during data transfer to and from the web server. On the one hand, your computer stores data, on the other hand, the web server must also store data for a period of time in order to be able to guarantee professional hosting of the website, safeguarding operations and maintaining operational and IT security.
The web server on which this website is stored usually automatically stores data such as the complete Internet address, browser and browser version, operating system, the address of the previously visited page, the host name and the IP address of the access device, date and time. As a rule, this data is stored for two weeks and then automatically deleted.
In a nutshell: Your visit will be logged by our provider (the company Domaintechnik, which runs our website on special computers/servers), but we will not pass on your data without your consent!
Legal bases
The lawfulness of the processing of personal data in the context of web hosting results from Article 6 Paragraph 1 lit. f GDPR (protection of legitimate interests), because the use of professional hosting with a provider is necessary to make the company safe and user-friendly on the Internet present and to be able to pursue attacks and claims from this if necessary.
There is a contract between us and the hosting provider for order processing in accordance with Art. 28 f. GDPR, which ensures compliance with data protection and guarantees data security.
Web hosting provider Domaintechnik privacy policy
Below you will find the contact details of our hosting provider, where you can find out more about data processing, in addition to the information above:
Ledl.net GmbH
Lederergasse 6
5204 Strasswalchen
You can find out more about data processing at this provider in their Data protection.
Website building block system – WordPress
We use the WordPress modular website system for our website.
As a rule, technical usage information such as the operating system, browser, screen resolution, language and keyboard settings, hosting provider and the date of your website visit are collected. Tracking data (e.g. browser activity, clickstream activities, session heat maps, etc.) can also be processed. In addition, personal data can also be recorded and stored. This is mostly contact information such as email address, telephone number (if you have provided it), IP address and geographic location data. You can find out exactly what data is stored in the WordPress Privacy Policy.
We have a legitimate interest in using a modular website system to optimize our online service and present it in an efficient and user-friendly way for you. The corresponding legal basis for this is Article 6 (1) (f) GDPR (legitimate interests). However, we only use the modular system if you have given your consent. Insofar as the processing of data is not absolutely necessary for the operation of the website, the data will only be processed on the basis of your consent. This applies in particular to tracking activities. In this respect, the legal basis is Article 6 (1) (a) GDPR.
WordPress.com Privacy Policy
We use WordPress.com, a website construction kit, for our website. The WordPress service provider is the American company Automattic Inc. (60 29th Street #343, San Francisco, CA 94110, USA).
WordPress also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
WordPress uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 GDPR) as the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, WordPress undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the Order and the relevant Standard Contractual Clauses, among others here.
The Data Processing Agreements, which correspond to the standard contractual clauses, can be found here.
You can learn more about the data processed by using WordPress.com in their Data protection.
Order processing agreement (AVV) WordPress.com
We have concluded an order processing contract (AVV) with WordPress.com in accordance with Article 28 of the General Data Protection Regulation (GDPR). This contract is required by law because WordPress.com processes personal data on our behalf. This clarifies that WordPress.com may only process data that you receive from us on our instructions and must comply with the GDPR. You can read more about the Data Processing Agreements, which correspond to the Standard Contractual Clauses here read
Web analytics
We use software on our website to evaluate the behavior of website visitors, referred to as web analytics or web analysis. In doing so, data is collected, which the respective analytical tool provider (also called tracking tool) stores, manages and processes. With the help of the data, analyzes of user behavior on our website are made and made available to us as the website operator. In addition, most tools offer various test options.
For example, we can see where our visitors come from, when our website is visited the most or which tours or dates are particularly popular. All this information helps us to optimize the website and thus adapt it to your needs, interests and wishes in the best possible way.
Google Analytics Privacy Policy
We use the analysis tracking tool Google Analytics (GA) from the American company Google Inc. on our website. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe. Google Analytics collects data about your actions on our website.
Google Analytics is a tracking tool used to analyze traffic on our website. In order for Google Analytics to work, a tracking code is built into the code of our website. When you visit our website, this code records various actions that you take on our website. As soon as you leave our website, this data is sent to the Google Analytics servers and stored there.
Google processes the data and we receive reports on your user behavior. These reports may include the following:
Google Analytics uses a tracking code to create a random, unique ID that is linked to your browser cookie. This is how Google Analytics recognizes you as a new user. The next time you visit our site, you will be recognized as a "returning" user. All collected data is stored together with this user ID. This makes it possible to evaluate pseudonymous user profiles in the first place.
Google has distributed their servers all over the world. Most of the servers are located in America and consequently your data is mostly stored on American servers. here you can read exactly where the Google data centers are located. Your data is distributed across different physical media. This has the advantage that the data can be called up more quickly and is better protected against manipulation.
The retention period of the data is from 2 months to 50 months (sometimes freely selectable).
When the specified period has expired, the data will be deleted once a month.
Under European Union data protection law, you have the right to access, update, delete or restrict your data.
However, we only use Google Analytics if you have given your consent.
Google also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
As the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there, Google uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 DSGVO). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, Google undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the Order and the relevant Standard Contractual Clauses, among others here.
You can find the Google Ads Data Processing Terms, which correspond to the standard contractual clauses and also apply to Google Analytics here.
Order processing contract (AVV) Google Analytics
We have concluded an order processing contract (AVV) with Google in accordance with Article 28 of the General Data Protection Regulation (GDPR).
This contract is required by law because Google processes personal data on our behalf. This clarifies that Google may only process data that you receive from us according to our instructions and must comply with the GDPR. The link to the order processing contract (AVV) can be found under https://business.safety.google/adsprocessorterms.
Google Analytics reports on demographics and interests
We have activated the functions for advertising reports in Google Analytics. The Demographics and Interests reports include information about age, gender, and interests. This enables us to get a better picture of our users without being able to assign this data to individual persons. Learn more about the advertising features here.
You can easily control the use of your Google Account activity and information under “Advertising Settings”. here exit via checkbox.
Google Analytics IP anonymization
We have implemented Google Analytics IP address anonymization on this website. This function was developed by Google so that this website can comply with applicable data protection regulations and recommendations from local data protection authorities if they prohibit the storage of the full IP address.
You can find more information on IP anonymization here.
Messengers and communication
We offer various options on our website (e.g. WhatsApp message, contact form, e-mail or telephone) to communicate with us. Your data will also be processed and stored insofar as it is necessary to answer your inquiry and our subsequent measures. In addition to classic means of communication such as e-mail, contact forms or telephone, we also use WhatsApp Messenger. It is currently the most frequently used messenger.
With the practical messenger & communication functions, you can always choose the ones you like best. In exceptional cases, however, it can also happen that we do not answer certain questions via the messenger. This is the case when it comes to internal contractual matters, for example. Here we recommend other communication options such as e-mail or telephone.
We generally assume that we remain responsible under data protection law, even if we use the services of a social media platform. However, the European Court of Justice has decided that in certain cases the operator of the social media platform can be jointly responsible with us within the meaning of Art. 26 DSGVO. If this is the case, we will point this out separately and work on the basis of a relevant agreement. The essence of the agreement is reproduced below for the platform concerned.
Please note that when using our built-in elements, your data may also be processed outside the European Union, since many providers, such as WhatsApp, are American companies. As a result, you may not be able to claim or enforce your rights in relation to your personal data as easily.
In principle, data such as name, address, telephone number, e-mail address and content data such as all information that you enter in a contact form are processed. Personal data will only be processed for as long as is necessary to provide our services.
You also have the right and the option to revoke your consent to the use of cookies or third-party providers at any time. Since cookies can be used for messenger and communication functions, we also recommend our general data protection declaration on cookies.
If you have agreed that your data can be processed and stored by integrated messenger and communication functions, this consent is the legal basis for data processing (Art. 6 Para. 1 lit. a DSGVO). We process your request and manage your data within the framework of contractual or pre-contractual relationships in order to fulfill our pre-contractual and contractual obligations or to answer inquiries. The basis for this is Article 6 Paragraph 1 Clause 1 Letter b. GDPR. In principle, if you have given your consent, your data will also be stored and processed on the basis of our legitimate interest (Art. 6 Para. 1 lit. f GDPR) in quick and effective communication with you or other customers and business partners.
WhatsApp Privacy Policy
On our website we offer to contact us via the WhatsApp instant messaging service. The service provider is the American company WhatsApp Inc., a subsidiary of Meta Platforms Inc. (until October 2021 Facebook Inc.). WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland is responsible for the European area.
WhatsApp also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
WhatsApp uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 GDPR) as the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, WhatsApp undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the Order and the relevant Standard Contractual Clauses, among others here.
You will find information on data transmission at WhatsApp, which corresponds to the standard contractual clauses here.
We hope we have brought you the most important information about the use and data processing by WhatsApp. You can find out more about the data processed through the use of WhatsApp in their Privacy Policy.
Payment provider
We use online payment systems on our website, which enable us and you to make a secure and smooth payment process. Among other things, personal data can be sent to the respective payment provider, stored and processed there.
In principle, data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.) are stored by the payment providers. This is necessary data in order to be able to carry out a transaction at all. In addition, any contract data and user data, such as when you visit our website, what content you are interested in or which subpages you click on, can also be stored. Most payment providers also store your IP address and information about the computer you are using. The data is usually stored and processed on the servers of the payment providers. As the website operator, we do not receive this data. We are only informed whether the payment worked or not.
In general, we only process personal data for as long as is absolutely necessary for the provision of our services and products. If it is required by law, for example in the case of accounting, this storage period can also be exceeded. We keep accounting documents (invoices, contractual documents, account statements, etc.) belonging to a contract for 10 years (§ 147 AO) and other relevant business documents for 6 years (§ 247 HGB) after they have been incurred.
You always have the right to information, correction and deletion of your personal data. If you have any questions, you can also contact the person responsible for the payment provider used at any time.
We therefore offer other payment service providers in addition to the conventional bank/credit institutions for the processing of contractual or legal relationships (Art. 6 Para. 1 lit. b DSGVO). The data protection declarations of Stripe and PayPal offer you a detailed overview of data processing and data storage.#
eps transfer privacy policy
On our website we use eps transfer, a service for online payment methods. Service provider is the Austrian company Stuzza GmbH, Frankgasse 10/8, 1090 Vienna, Austria. You can find out more about the data processed by using eps transfer in the data protection declaration https://eservice.psa.at/de/datenschutzerklaerung.html.
Google Pay Privacy Policy
We use the online payment provider Google Pay on our website. The service provider is the American company Google Inc. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe.
Google also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
As the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there, Google uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 DSGVO). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, Google undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the decision and the relevant Standard Contractual Clauses here, among others: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
The data processing conditions for Google advertising products (Google Ads Controller-Controller Data Protection Terms), which refer to the standard contractual clauses, can be found at https://business.safety.google/adscontrollerterms/.
You can find out more about the data processed through the use of Google Pay in the Privacy Policy https://policies.google.com/privacy
Klarna
We use the Klarna online payment system from the Swedish company Klarna Bank AB on our website. Klarna Bank has its main office at Sveavägen 46, 111 34 Stockholm, Sweden. If you decide to use this service, personal data, among other things, will be sent to Klarna, stored and processed.
Klarna is a payment system for orders or bookings online and subsequent online immediate payment. The user selects the payment method and Klarna takes over the entire payment process.
As soon as you opt for the Klarna payment service and pay using the Klarna instant payment method, you also transmit personal data to the company. On the Klarna site, technical data such as browser type, operating system, our Internet address, date and time, language settings, time zone settings and IP address are collected from you and transmitted to the Klarna servers and stored there. This data is also saved if you have not yet completed a booking.
If you book a tour through our website, you must enter information about yourself in the fields provided. This data is processed by Klarna for payment processing. The following personal data (as well as general information about the booking) can be stored and processed by Klarna for credit and identity checks:
When data is automatically entered into a form, cookies are always involved. If you do not want to use this function, you can deactivate these cookies at any time. If you choose the payment method “Klarna Sofort” and click on “Confirm booking”, you will be redirected to the Sofort website. After the successful payment you will come to our website.
Klarna endeavors to store your data only within the EU or the European Economic Area (EEA). However, data may also be transferred outside the EU/EEA. When that happens, Klarna ensures that data protection is in line with the GDPR and the third country is subject to an adequacy decision by the European Union. The data is always stored as long as Klarna needs it for the processing purpose.
You can revoke your consent to Klarna processing personal data at any time. You always have the right to information, correction and deletion of your personal data. All you have to do is email the company or the company's privacy team data protection@klarna.de to contact. Via the Klarna website "My privacy request" you can also contact Klarna directly.
If you want to find out more about how your data is handled, we recommend the Klarna data protection declaration below https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_at/privacy.
PayPal Privacy Policy
We use the online payment service PayPal on our website (which is made available via the Stripe payment tool). The service provider is the American company PayPal Inc. The company PayPal Europe (S.à rl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg) is responsible for the European area.
PayPal also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
PayPal uses so-called standard contractual clauses (= Art. 46. Para. 2 and 3 GDPR) as the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, PayPal undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the Order and the relevant Standard Contractual Clauses, among others here.
For more information on the Standard Contractual Clauses and the data processed through the use of PayPal Marketing Solutions, please see the Privacy Policy from PayPal.
Stripe Privacy Policy
We use a payment tool from the American technology company and online payment service Stripe on our website. Stripe Payments Europe (Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) is responsible for customers within the EU. This means that if you choose Stripe as your payment method, your payment will be processed via Stripe Payments. Data required for the payment process is forwarded to Stripe and stored.
The technology company Stripe offers payment solutions for online payments. With Stripe it is possible to accept credit card payments in our webshop. Stripe handles the entire payment process. A big advantage of Stripe is that you never have to leave our website or shop during the payment process and the payment is processed very quickly.
If you choose Stripe as the payment method, which means credit card payment, your personal data will also be transmitted to Stripe and stored there. This is transaction data. This data includes, for example, the payment method (i.e. credit card number), bank code, currency, amount and date of payment. A transaction may also include your name, email address, billing or shipping address, and sometimes your transaction history. This data is required for authentication. In addition to technical data about your device (such as IP address), Stripe may also collect name, address, telephone number and your country for fraud prevention, financial reporting and in order to be able to offer its own services in full.
Stripe does not sell any of your data to independent third parties, such as marketing agencies or other companies unrelated to Stripe.
Personal data is generally stored for the duration of the service provision. This means that the data will be stored until we terminate the cooperation with Stripe.
Please note that when using this tool, your data may also be stored and processed outside the EU. Most third countries (including the USA) are not considered secure under current European data protection law. Data may not simply be transferred to unsafe third countries, stored there and processed unless there are suitable guarantees (such as EU standard contractual clauses) between us and the non-European service provider.
You always have the right to information, correction and deletion of your personal data. If you have any questions, you can also contact the Stripe team at any time, you will find the contact details here.
Legal basis
In addition to the conventional bank/credit institutions, we also offer the payment service provider Stripe for the processing of contractual or legal relationships (Art. 6 Para. 1 lit. b DSGVO). The successful use of the service also requires your consent (Art. 6 Para. 1 lit. a GDPR), insofar as the use of cookies is necessary for the use.
Stripe also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
Stripe uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 GDPR) as the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, Stripe undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the Order and the relevant Standard Contractual Clauses, among others here.
You can find more information about the standard contractual clauses and the data that is processed using Stripe in the Privacy Policy by Stripe.
Rating platforms
You can rate our tours on the TripAdvisor and Google customer reviews platforms. There is also the possibility to be asked for a review (which is processed via Bookeo) after a tour, which is then published on our website and would therefore fall under our data protection regulations. However, if you rate us via one of the rating platforms, the data protection declaration and the general terms and conditions of the respective rating service apply. Rating technologies (widgets) can also be integrated into our website. By using such an integrated tool, data is also transmitted to the relevant provider, processed and stored.
Rating platforms collect feedback and ratings about our tours. Thanks to your ratings, we quickly receive appropriate feedback and can improve our tours much more efficiently. The ratings therefore help us on the one hand to optimize and on the other hand they give future customers a good overview of the tours.
Most of the personal information collected by Tripadvisor and Google Customer Reviews from you is: contact information, including name, phone number, postal and email addresses, billing or payment information, username and password, photos, reviews, forum and social media posts, and Videos you available there, geolocation information, device information, internet browser used, preferred languages, online activities including the pages you have visited
The evaluation platform used in each case is responsible for the personal data collected. Personal data that is mentioned in a rating is usually anonymized by employees of the platform used and is therefore only visible to company administrators. The data collected is stored on the providers' servers and deleted from most providers after the end of the order.
Legal basis
If you have agreed that an evaluation platform may be used, the legal basis for the corresponding data processing is this consent. According to Art. 6 Para. 1 lit. a GDPR (consent), this consent represents the legal basis for the processing of personal data, as it may occur when it is collected by a rating portal.
We also have a legitimate interest in using an evaluation platform to optimize our online service. The corresponding legal basis for this is Article 6 (1) (f) GDPR (legitimate interests). However, we only use an evaluation platform if you have given your consent. Further information can be found below in the data protection texts or in the linked data protection declarations of the company.
Tripadvisor Privacy Policy
We also use the Tripadvisor platform for our business, especially the rating option. This service provider is operated by the American company Tripadvisor, LLC. As such, Tripadvisor LLC is the controller of the personal data that is collected. However, in accordance with the applicable data protection regulations, representatives within the European Union have been appointed. For Europe, this is the company Tripadvisor Ireland Limited (70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland). The functions of Tripadvisor Ireland Limited are limited to being the contact person for questions about data protection from European citizens and supervisory authorities. For the avoidance of doubt, Tripadvisor Ireland Limited may engage in other communications or legal process on behalf of Tripadvisor LLC.
You also have rights under the GDPR in relation to your personal data. Such as the right to access, rectification, erasure, objection, restriction and data portability. For more information, see Tripadvisor's Europe Privacy Policy (link is at the bottom of this post).
In accordance with the GDPR, Tripadvisor uses your personal data where Tripadvisor needs to perform the contract they have with you and/or where it is necessary for the purposes of protecting Tripadvisor’s legitimate interests (or the interests of a third party) and/or where Tripadvisor is required to comply with a legal or comply with a regulatory obligation and/or with your consent.
Your personal information may be transferred to, or held in, countries outside the EEA (see Tripadvisor's Privacy Policy for further details on the purposes set out. Whenever Tripadvisor stores or transfers your personal information to countries outside the EEA, they will always do so in accordance with the applicable Laws and ensure that appropriate safeguards are in place to provide an adequate level of protection.By using Tripsadvisor, you acknowledge that your personal information may be transferred to Tripadvisor's facilities and third party facilities.
You can learn more about the data processed through the use of Tripadvisor in their Data protection. The data protection declaration for Europe on the General Data Protection Regulation (“GDPR declaration”) is particularly relevant, which is listed at the bottom, because it applies to people in the European Economic Area.
Google Customer Reviews Privacy Policy
We also use the Google Customer Reviews rating platform for our website. The service provider is the American company Google Inc. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe.
Google also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
As the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there, Google uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 DSGVO). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, Google undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the Order and the relevant Standard Contractual Clauses, among others here.
You can find the data processing conditions for Google advertising products (Google Ads Controller-Controller Data Protection Terms), which correspond to the standard contractual clauses and also apply to Google customer reviews here.
You can find out more about the data processed by using Google in their Data protection.
Online map service – Google Maps
We also use the online map service Google Maps for our website as an extended service. This is probably the service that is most familiar to everyone. With this integrated map service, you no longer have to leave our website, for example to view the route to a location. If you use the built-in map offer, data will also be transferred to the tool used and stored there. This data may also include personal data.
Google Maps Privacy Policy
We use Google Maps from Google Inc. on our website. The company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe. With Google Maps we can show you locations better and thus adapt our service to your needs. By using Google Maps, data is transmitted to Google and stored on the Google servers.
You can use Google Maps to find the exact location of any city, attraction, lodging, or business online. If companies are represented on Google My Business, additional information about the company is displayed in addition to the location. By integrating Google Maps, we can provide you with the most important information about various locations. You can see at a glance where the tour starts. The route description always shows you the best or fastest way to us. For us, providing Google Maps is part of our customer service.
In order for Google Maps to be able to fully offer its service, the company must collect and store data from you. This includes, among other things, the search terms entered, your IP address and also the latitude and longitude coordinates. If you use the route planner function, the start address entered will also be saved. However, this data storage happens on the Google Maps website. We can only inform you about this, but have no influence.
Google servers are located in data centers around the world. However, most of the servers are located in America. For this reason, your data is also increasingly stored in the USA. here you can read exactly where the Google data centers are located.
Google distributes the data on different data carriers. As a result, the data can be called up more quickly and is better protected against any attempts at manipulation. Each data center also has special emergency programs. If, for example, there are problems with the Google hardware or a natural disaster paralyzes the servers, the data will almost certainly remain protected.
Google stores some data for a fixed period of time. For other data, Google only offers the option of manually deleting it. The company also anonymizes information (such as advertising data) in server logs by deleting part of the IP address and cookie information after 9 and 18 months, respectively.
With the automatic deletion of location and activity data introduced in 2019, information on location determination and web/app activity is stored for either 3 or 18 months – depending on your decision – and then deleted. You can also manually delete this data from the history at any time via the Google account.
Legal basis
If you have consented to the use of Google Maps (by actively using the Google Maps map), the legal basis for the corresponding data processing is this consent. According to Article 6 Paragraph 1 lit.
We also have a legitimate interest in using Google Maps to optimize our online service. The corresponding legal basis for this is Article 6 (1) (f) GDPR (legitimate interests). However, we only use Google Maps if you have given your consent.
Google also processes your data in the USA, among other places. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
As the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or data transfer there, Google uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 DSGVO). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data also comply with European data protection standards if they are transferred to third countries (such as the USA) and stored there. Through these clauses, Google undertakes to comply with European data protection standards when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementation decision of the EU Commission. You can find the Order and the relevant Standard Contractual Clauses, among others here.
The Google Ads Data Processing Terms, which correspond to the standard contractual clauses, can be found here here.
If you want to learn more about data processing by Google, we recommend the in-house Company Privacy Policy.
Online booking system – Bookeo
In order for you to be able to make bookings via our website, we use the Bookeo booking system from Bookeo Pty Ltd based in Australia. Bookeo is a software application integrated into our website that displays free appointments and through which you can book and pay directly online. Personal data is collected from you and stored at Bookeo.
Booking with Bookeo works like this: You will find the booking system on our website, in which you can book an appointment for a tour directly with a mouse click and enter your data and pay immediately or later (by bank transfer). You have to enter a few details (name, e-mail address, telephone number & country (whereby this is optional)) about yourself in the form fields. Please be aware that any data you enter may be stored in a customer database at Bookeo and managed by us.
Bookeo is a booking system that makes it as easy as possible for you (and us) to book tours. In addition to the conventional booking function, Bookeo also offers a range of other features. Bookeo has integrated an online payment system (credit card payment, PayPal, Klarna, EPS, GooglePay, ApplePay, etc.), allows external payment (such as independent bank transfers or cash payments) and has integrated a calendar synchronization function. Data such as names, e-mail addresses, telephone numbers and other information that you may have entered in the web form will be saved. Credit card data and billing addresses are also recorded, but not stored, but transmitted securely and encrypted to the payment gateway for the sole purpose of payment processing. A customer's credit card details are never fully displayed to us. The payment gateway is responsible for securely storing such credit card information and restricting its access to authorized users. In addition, the IP address, name and contact details, technical information about your device and the time of a booking are processed. We recommend that you read Bookeo's data protection declaration carefully so that you know which of your data is specifically processed. In principle, personal data is only stored for as long as is absolutely necessary to provide the services.
If you have consented to data processing by Bookeo, you always have the option and the right to revoke this consent. If you do not want personal data to be processed, then no personal data may be processed.
Legal basis
If you have consented to the use of the Bookeo booking system, the legal basis for the corresponding data processing is this consent. According to Art. 6 Para. 1 lit. a GDPR (consent), it represents the legal basis for the processing of personal data, as can occur through booking systems.
Furthermore, we also have a legitimate interest in using Bookeo because we use it to expand our customer service on the one hand and optimize our internal booking organization on the other. The corresponding legal basis for this is Article 6 (1) (f) GDPR (legitimate interests).
You will receive specific information on Bookeo's data protection regulations here.
Bookeo data protection team contact details:
E-mail of the data protection team: privacy@bookeo.com
E-mail of the data protection officer: dpo@bookeo.com
Alternatively, you can contact the GDPR representative for European affairs immediately.
Representative according to 27 GDPR:
Rickert Rechtsanwaltsgesellschaft mbH
Colmantstrasse 15
53225 Bonn, Germany
The data protection declaration was Imprint generator created by AdSimple and then modified.
Deutsch 