We are delighted that you are visiting our website and thank you for your interest in our boarding house. The protection of personal data is a matter of great importance to us. Therefore, the processing of personal data, such as the name, address, email address or telephone number of a data subject, is carried out in accordance with applicable European and national legislation.

If the processing of personal data is necessary and there is no legal basis for such processing, we generally seek the consent of the data subject.

In the following, RIMC Hotel Management GmbH (hereinafter referred to as “we”, “us”, etc.) wishes to inform the public about the nature, scope and purpose of the personal data it processes. Furthermore, this privacy policy informs data subjects of their rights.

Right to withdraw consent given for data processing

If data processing is carried out on the basis of Article 6(1)(a) of the GDPR, i.e. your explicit consent, you have the right to withdraw this consent at any time (in accordance with Article 7(3), first sentence, of the GDPR). You can find the specific legal basis on which processing is based in this privacy policy.

The lawfulness of the data processing carried out prior to the withdrawal remains unaffected by the withdrawal (in accordance with Article 7(3), second sentence, of the GDPR).

Right to object to data collection in specific cases and to direct marketing

IF DATA PROCESSING IS BASED ON ARTICLE 6(1)( E OR F OF THE GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. PLEASE REFER TO THIS PRIVACY POLICY FOR THE SPECIFIC LEGAL BASIS ON WHICH PROCESSING IS BASED. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA, UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING IS NECESSARY FOR THE ESTABLISHMENT, exercise or defence of legal claims (objection pursuant to Article 21(1) of the GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING PURPOSES; THIS ALSO APPLIES TO PROFILING, INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR THE PURPOSES OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21(2) GDPR).

Definitions

Our privacy policy is based on the terminology used by the European legislators and regulators when enacting the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”). Our privacy policy is intended to be easy to read and understand for the general public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.

In this privacy policy and on our website, we use the following terms, amongst others:

Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). A natural person is considered to be identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing means the marking of stored personal data with the aim of limiting their future processing.

Profiling means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or movements.

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

A recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, irrespective of whether or not they are a third party. However, public authorities which may receive personal data in the course of a specific investigation mandate under Union law or the law of the Member States are not considered recipients.

A third party is a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Rights of the data subject
As a data subject whose data is being processed, you may exercise certain rights against us under the GDPR and other relevant data protection regulations. Under the GDPR, you are entitled to the following rights in particular as a data subject:

Right of access
You may request information from us at any time regarding the data we hold about you. This information includes, amongst other things, the categories of data we process, the purposes for which we process them, the source of the data (if we did not collect it directly from you), and, where applicable, the recipients to whom we have disclosed your data. You may obtain a copy of your data from us free of charge. Should you be interested in further copies, we reserve the right to charge you for these.

Right to rectification
You may request that we rectify your data. We will take reasonable steps to ensure that the data we hold and process about you is accurate, complete and up to date, based on the most recent information available to us.

Right to erasure
You may request that we erase your data, provided that the legal requirements for this are met. In accordance with Article 17 of the GDPR, this may be the case, for example, if:

• the data is no longer necessary for the purposes for which it was collected or otherwise processed;
• you withdraw your consent, which forms the basis for the data processing, and there is no other legal basis for the processing;
• you object to the processing of your data and there are no overriding legitimate grounds for the processing, or you object to the processing of your data for direct marketing purposes;
• the data has been processed unlawfully;
• provided that the processing is not necessary
  to ensure compliance with a legal obligation requiring us to process your data; in particular with regard to
• statutory retention periods;
• to assert, exercise or defend legal claims.

Right to restriction of processing
You may request that we restrict the processing of your data if:

• you contest the accuracy of the data, for the period we need to verify the accuracy of the data;
• the processing is unlawful and you object to the erasure of your data and instead request the restriction of use;
• we no longer need your data, but you need it to assert, exercise or defend legal claims;
• you have objected to the processing, as long as it has not yet been established whether our legitimate grounds override yours.

Right to data portability
Upon your request, we will transfer your data – insofar as this is technically possible – to another data controller. However, you are only entitled to this right if the data processing is based on your consent or is necessary for the performance of a contract. Instead of receiving a copy of your data, you may also ask us to transfer the data directly to another data controller specified by you.

Right to object
You may object to the processing of your data at any time on grounds relating to your particular situation, provided that the data processing is based on your consent or on our legitimate interests or those of a third party. In this case, we will no longer process your data. The latter does not apply if we can demonstrate compelling legitimate grounds for the processing which override your interests, or if we need your data to establish, exercise or defend legal claims.

Right to withdraw consent
You have the right to withdraw your consent to the processing of personal data at any time.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place where the alleged infringement occurred, if you consider that the processing of your personal data infringes the EU General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union, or other provisions of a data protection nature. A list of the state data protection officers and their contact details can be found at the following link:

https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

The data protection supervisory authority responsible for us is:

The State Data Protection Commissioner of Lower Saxony
PO Box 221
30002 Hanover
or
Prinzenstraße 5
30159 Hanover
Telephone: +49 5 11 120-45 00
Email: poststelle@lfd.niedersachsen.de

Legal basis for the processing of personal data
Where we obtain the data subject’s consent for the processing of personal data, Article 6(1)(a) of the GDPR serves as the legal basis.

Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations necessary for the implementation of pre-contractual measures.

Where the processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6(1)(c) of the GDPR serves as the legal basis.

Where processing is necessary to safeguard a legitimate interest of our company or of a third party, and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Article 6(1)(f) of the GDPR serves as the legal basis for the processing.

Routine deletion and blocking of personal data
The data controller processes (in this context, also: stores) the data subject’s personal data only for the period necessary to fulfil the purpose of storage, or insofar as this is provided for by the European legislator or another legislator in laws or regulations to which the data controller is subject.

If the purpose of storage ceases to apply or if a retention period prescribed by the European legislator or another competent legislator expires, the personal data shall be routinely blocked or deleted in accordance with the statutory provisions.

Cooperation with data processors and third parties
Where, in the course of our data processing activities, we disclose data to other individuals or organisations (data processors or third parties), transfer it to them or otherwise grant them access to the data, this is done only on the basis of a legal authorisation (e.g. where the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR), you have given your consent, a legal obligation requires it, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

Where we engage third parties to process data on the basis of a so-called ‘data processing agreement’, this is done in accordance with Article 28 of the GDPR.

Data Protection in Relation to Job Applications and the Recruitment Process
The data controller collects and processes applicants’ personal data for the purpose of managing the recruitment process. Processing may also take place electronically. This is particularly the case where an applicant submits the relevant application documents to the data controller electronically, for example by email. If the data controller enters into an employment contract with an applicant, the data submitted will be stored for the purpose of managing the employment relationship in accordance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, provided that no other legitimate interests of the controller preclude such deletion. Other legitimate interests in this context include, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

Security
We take a range of technical and organisational measures to protect your personal data against accidental or unlawful destruction, alteration, loss, unauthorised disclosure or unauthorised access.

However, internet-based data transmissions, for example, may inherently contain security vulnerabilities, meaning that absolute protection cannot be guaranteed. For this reason, any data subject is free to provide us with personal data via alternative means, such as by telephone.

There has recently been an increase in cyberattacks on online booking platforms and other service providers involved in the booking process. Please be cautious, particularly when providing your credit card details. We will never ask you for payment details via WhatsApp, email or telephone.

Encryption
For security reasons and to protect the transmission of confidential content, such as the enquiries you send to us as the website operator, this site uses TLS encryption. You can recognise an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” and by the padlock symbol in the browser bar.

When encryption is enabled, the data you transmit to us cannot be read by third parties.

Collection of general data and information
Every time a data subject or an automated system accesses our website, our website collects a range of general data and information. This general data and information is stored in the server’s log files. The following may be collected:

• the browser types and versions used
• the operating system used by the accessing system
• the website from which an accessing system reaches our website (so-called referrer)
• the sub-websites accessed via an accessing system on our website
• the date and time of access to the websitea web protocol address (IP address)
• the internet service provider of the accessing system
• other similar data and information used for security purposes in the event of attacks on our information technology systems

We do not draw any conclusions about the data subject when using this general data and information. Rather, this information is required in order to:

• deliver the content of our website correctly
• optimise the content of our website and, where applicable, the advertising on it
• ensure the ongoing functionality of our IT systems and the technology of our website
• provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack

We therefore analyse this collected data and information statistically and, furthermore, with the aim of enhancing data protection and data security within our company, ultimately to ensure an optimal level of protection for the personal data we process. The anonymous data from the server log files is stored separately from any personal data provided by a data subject.

This data is not combined with other data sources.

The collection of this data is based on Article 6(1)(f) of the GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – for this purpose, the server log files must be collected.

Enquiries by email, telephone or fax
If you contact us by email, telephone or fax, your enquiry, including all personal data contained therein (name, enquiry), will be stored and processed by us for the purpose of handling your request. We will not pass on this data without your consent.

The processing of this data is based on Article 6(1)(b) of the GDPR, provided that your enquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries addressed to us (Article 6(1)(f) of the GDPR) or on your consent (Article 6(1)(a) of the GDPR), provided that this has been requested.

The data you send to us via contact enquiries will remain with us until you request its deletion, withdraw your consent to its storage, or the purpose for storing the data no longer applies (e.g. once your enquiry has been fully processed). Mandatory legal provisions – in particular statutory retention periods – remain unaffected.

Data transmission via forms
The data subject has the option of registering on the data controller’s website to submit data via forms, providing personal data in the process. The specific personal data transmitted to the data controller in this context is determined by the respective input form used for the entries. The personal data entered by the data subject is collected and stored exclusively for internal use by the data controller and for its own purposes. Data transmission via forms is always encrypted.

The data controller may arrange for the data to be passed on to one or more processors (for example, a parcel delivery service), who will also use the personal data exclusively for internal purposes attributable to the data controller.

When data is transmitted via the data controller’s website, the IP address assigned by the data subject’s internet service provider (ISP), as well as the date and time of the transmission, are also stored. This data is stored on the basis that this is the only way to prevent misuse of the services offered, and that, if necessary, this data enables the investigation of criminal offences and copyright infringements. In this respect, the storage of this data is necessary to protect the data controller. This data is not disclosed to third parties as a matter of principle, unless there is a legal obligation to do so or the disclosure serves the purposes of criminal or legal proceedings.

The data subject’s voluntary provision of personal data enables the data controller to offer the data subject content or services which, by their very nature, can only be made available to such users.

The processing of this data is based on Article 6(1)(b) of the GDPR, provided that your enquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries addressed to us (Article 6(1)(f) of the GDPR) or on your consent (Article 6(1)(a) of the GDPR), provided that this has been requested.

The data you send to us via contact enquiries will remain with us until you request its deletion, withdraw your consent to its storage, or the purpose for storing the data no longer applies (e.g. once your enquiry has been fully processed). Mandatory legal provisions – in particular statutory retention periods – remain unaffected.

MEWS Booking System
For online room bookings, we use the “MEWS” service provided by Mews System B.V., headquartered in Amsterdam with offices at Wibautstraat 137D, 1097DN Amsterdam, Netherlands. Clicking the relevant button will open a browser window that redirects you to the MEWS website.

If you wish to book a room with us, it is necessary for the conclusion of the contract that you provide your personal data, which we require to process your booking. Mandatory information required for the processing of contracts is marked separately; further details are optional. The data is entered into a form, transmitted to us and stored.

Data may also be passed on to the relevant payment service providers. Data will only be passed on to third parties if this is necessary for the purpose of contract processing, billing or collecting payment, or if you have given your express consent. In this regard, we only pass on the data that is strictly necessary. The recipients of the data are: the relevant delivery/shipping company (disclosure of name and address), debt collection agencies where payment needs to be recovered (disclosure of name, address, order details), payment institutions for the purpose of collecting debts where you have chosen direct debit as your payment method, and payment service providers – depending on the payment method selected.

The legal basis is Article 6(1)(b) of the GDPR. With regard to voluntary data, the legal basis for processing the data is Article 6(1)(a) of the GDPR.

The mandatory information collected is necessary for the performance of the contract with the user (for the purpose of providing the goods or services and confirming the terms of the contract). We therefore use the data to respond to your enquiries, to process your booking, where necessary to check creditworthiness or to recover a debt, and for the technical administration of the websites. Voluntary information is provided to prevent misuse and, where necessary, to investigate criminal offences.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. We are obliged under commercial and tax law to store your address, payment and order details for a period of ten years following the fulfilment of the contract. However, after six years, we restrict the processing of your data, meaning it will only be used to comply with legal obligations. Where a continuing contractual relationship exists between us and the user, we store the data for the entire duration of the contract and for a further period of 10 years thereafter (see above). With regard to data provided voluntarily, we will delete the data six years after the contract has been fulfilled, provided that no further contract is concluded with the user during this period; in this case, the data will be deleted six years after the last contract has been fulfilled.

If the data is required for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible provided that no contractual or legal obligations prevent such deletion. Otherwise, you are free to request that the personal data provided during registration be completely deleted from the data controller’s database. With regard to voluntary data, you may withdraw your consent at any time by notifying the data controller. In this case, the voluntary data will be deleted immediately.

Information on MEWS’s data protection policy can be found here: https://app.mews.com/Platform/Document/PrivacyPolicy?language=de 

Links to other websites
This website contains links to other websites (so-called external links).

As the provider of our own content, we are responsible in accordance with applicable European and national legislation. A distinction must be made between this own content and links to content provided by other providers. We have no influence over whether the operators of other websites comply with applicable European and national legal provisions. Please refer to the privacy policies provided on the respective websites for further information.

Cookies
We use cookies to make our website user-friendly and to tailor it optimally to your needs. Cookies are small text files that are sent from a web server to your browser and stored locally on your device (PC, laptop, tablet, smartphone, etc.) as soon as you visit a website.

Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters that allows websites and servers to associate the specific web browser in which the cookie was stored. This enables the visited websites and servers to distinguish the individual browser of the data subject from other web browsers that contain different cookies. A specific web browser can be recognized and identified via the unique cookie ID. This information is used to automatically recognize you when you visit the website again with the same device and to facilitate your navigation.

You can also manage your consent to or refusal of cookies—including for web tracking—through your web browser settings. You can configure your browser to generally refuse cookies or to notify you in advance when a cookie is about to be stored. In this case, however, the functionality of the website may be impaired (for example, when placing orders). Your browser also offers a function to delete cookies (for example, via “Clear browsing data”). This is possible in all common web browsers. You can find further information on this in the user manual or in your browser’s settings.

First-party cookies: First-party cookies are persistent cookies that are stored on your computer and remain valid until their assigned expiration date has passed. The term “party” refers to the domain from which the cookie originates. Unlike third-party cookies, first-party cookies usually originate from the website operator itself. As a result, they are not accessible across domains by browsers. For example, Website A sets a cookie A, which is not recognized by Website B but can only be recognized by Website A. Data cannot thus be passed on to third parties.

Third-Party Cookies: A third-party cookie is set and tracked by a third party. These cookies are mostly used by advertisers who collect information about website visitors through their ads placed on other websites. These are data records that are stored in the user’s web browser when they visit a page containing the ad. If they visit a page with an ad from the same provider again, they are recognized.

Google Tag Manager
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or statistics tools and other technologies into our website. Google Tag Manager itself does not create user profiles, store cookies, or perform independent analyses. It serves solely to manage and deploy the tools integrated through it. However, Google Tag Manager records your IP address, which may also be transferred to Google’s parent company in the United States.

Google bases the transfer of data to the United States on the European Commission’s EU-U.S. Data Privacy Framework.

The use of Google Tag Manager is based on Article 6(1)(f) of the GDPR. The website operator has a legitimate interest in the quick and straightforward integration and management of various tools on its website. If consent has been requested, processing is carried out exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG, insofar as the consent covers the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent may be revoked at any time with future effect.

For further information on Google Tag Manager and Google’s privacy policy, please visit the following link: https://policies.google.com/privacy

Google Analytics 4
If you have given your consent, this website uses Google Analytics 4, a web analytics service provided by Google LLC. The data controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Nature and Purpose of Processing
Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected via the cookies regarding your use of this website is generally transmitted to a Google server in the United States and stored there.

In Google Analytics 4, IP address anonymization is enabled by default. Due to IP anonymization, your IP address is truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

During your visit to the website, your user behavior is recorded in the form of “events.” Events may include:

• Page views
• First visit to the website
• Start of the session
• Webpages visited
• Your “click path,” interaction with the website
• Scrolls (whenever a user scrolls to the bottom of the page (90%))
• Clicks on external links
• Internal search queries
• Interaction with videos
• File downloads
• Ads viewed/clicked
• Language setting

The following is also recorded:

• Your approximate location (region)
• Date and time of the visit
• Your IP address (in truncated form)
• Technical information about your browser and the devices you use (e.g., language setting, screen resolution)
• Your internet service provider
• The referrer URL (which website or advertising medium you used to reach this website)

Purposes of Processing
On behalf of the operator of this website, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients
Recipients of the data are/may be:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a processor pursuant to Art. 28 GDPR)

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Transfers to Third Countries
On July 10, 2023, the European Commission adopted its adequacy decision for the United States. Google LLC is certified under the EU-US Privacy Shield Framework. Since Google’s servers are located worldwide and transfers to third countries (such as Singapore) cannot be entirely ruled out, we have also entered into the EU Standard Contractual Clauses with the provider.

Retention Period
The data we send and that is linked to cookies is automatically deleted after 14 months. The maximum lifespan of Google Analytics cookies is 2 years. Data that has reached its retention period is automatically deleted once a month.

Legal basis
The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG.

Withdrawal
You may withdraw your consent at any time with future effect by accessing the cookie settings at the bottom left of the screen and changing your selection there. The lawfulness of the processing carried out on the basis of your consent until its withdrawal remains unaffected.

You can also prevent cookies from being stored in the first place by adjusting your browser settings accordingly. However, if you configure your browser to reject all cookies, this may result in limited functionality on this and other websites. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by:

1. not giving your consent to the setting of the cookie, or
2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics and Google’s privacy policy, please visit https://marketingplatform.google.com/about/analytics/terms/de/ and https://policies.google.com/?hl=de.

Google Ads with Enhanced Conversions
We use the remarketing and conversion tracking features of Google Ads, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”), on our website.

The remarketing feature is used to present interest-based ads to website visitors within the Google advertising network. The conversion tracking feature, in turn, allows us to measure how effective the ads we place and that website visitors click on are.

When using Google Ads, the following data is collected and transmitted to Google in the United States: device and browser data (hostname, browser type, referrer, language), IP address, and the respective user interaction on our website as well as on other websites where our ads are displayed (e.g., which page a user visits or which ads a user clicks on). In addition, a random, pseudonymous ID is assigned to a user via a cookie, to which the aforementioned information is linked.

To this end, we have set up Enhanced Conversions.

Enhanced Conversions is a feature that improves the accuracy of conversion tracking while protecting user privacy by supplementing existing conversion tags with hashed first-party conversion data from the website. Hashing the first-party data before sending it to Google Ads ensures data protection, as personal information such as (here: email address) is converted into a hashed/pseudonymized (SHA256) string.

The legal basis for the use of Google Ads is your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG.

The storage and processing of the collected data take place in the United States, a third country for which no adequacy decision has been issued by the European Commission.

However, Google bases the data transfer to the U.S. on the European Commission’s EU-U.S. Data Privacy Framework.

Information on data protection for Google Ads is available at: https://ads.google.com/intl/de_de/home/ads-experts-support/

DialogShift Chat Application on Our Website
Our website uses the chat application provided by DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin. This application processes (and, in this sense, also stores) data for the purposes of web analytics, operating the chat application, and responding to inquiries.

To operate the chat function, chat texts are stored and a cookie with a unique ID is set—this is used to recognize you as a customer.

A cookie is a small text file that is stored locally in the cache on your device. With the help of this cookie, our application recognizes the device and can retrieve past chat logs. This cookie is stored for 90 days from the last use. You can disable the storage of cookies in your browser settings. However, the chat function cannot be used without cookies.

The disclosure of information such as your name, email address, or phone number is voluntary and implies your consent to the temporary use and storage of this data for the purpose of establishing contact until the end of the interaction. This personal data is deleted after 90 days.

DialogShift provides further information at https://www.dialogshift.com/datenschutz regarding the processing (including collection and use) of data, as well as your rights and options for protecting your privacy.

Google Fonts
Google Fonts (https://fonts.google.com/) are used to enhance the visual presentation of various information on this website. When the page is loaded, the web fonts are transferred to the browser’s cache so they can be used for display.

No cookies are stored on the website visitor’s device when the page is loaded. Data transmitted in connection with the page load is sent to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. This data is not linked to any data that may be collected or used in connection with the concurrent use of authenticated Google services such as Gmail.

The collected data is stored and processed in the United States, a third country for which no adequacy decision has been issued by the European Commission.

However, Google bases the transfer of data to the U.S. on the European Commission’s EU-U.S. Data Privacy Framework.

You can prevent this web service from collecting and processing your data by refusing to give your consent when you visit the website, disabling the service in your browser, or installing a script blocker in your browser. If your browser does not support Google Fonts or if you block access to Google’s servers, the text will be displayed in the system’s default font.

The legal basis for the use of this web service is your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG.

Information on the privacy policy of Google Fonts is available at: https://developers.google.com/fonts/faq#Privacy

General information on data protection is available in the Google Privacy Center at: https://policies.google.com/privacy

Gstatic
A web service provided by Google Ireland Limited, Gordon House, Barrow Street, 4 Dublin, Ireland (hereinafter: Gstatic) is loaded on our website. We use this data to ensure the full functionality of our website. In this context, your browser may transmit personal data to Gstatic.

The collected data is stored and processed in the United States, a third country for which the European Commission has not issued an adequacy decision.

However, Google bases the transfer of data to the United States on the European Commission’s EU-U.S. Data Privacy Framework.

The legal basis for the use of this web service is your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG.

You can prevent the collection and processing of your data by Gstatic by refusing to give your consent when accessing the website, disabling the execution of script code in your browser, or installing a script blocker in your browser.

The data will be deleted as soon as the purpose for which it was collected has been fulfilled. For more information on how the transferred data is handled, please refer to Google’s Privacy Policy: https://policies.google.com/privacy

Google – Content Delivery Network (CDN)
We use the jQuery JavaScript library on our website. To speed up the loading time of our website and provide you with a better user experience, we use Google’s CDN (content delivery network) to load this library. It is very likely that you have already used jQuery from the Google CDN on another website. In that case, your browser can access the copy stored in the cache, and it does not need to be downloaded again. If your browser does not have a copy stored in the cache or downloads the file from the Google CDN for another reason, data will again be transmitted from your browser to Google Inc. (“Google”).

The storage and processing of the collected data take place in the United States, a third country for which no adequacy decision has been issued by the European Commission.

However, Google bases the data transfer to the United States on the European Commission’s EU-U.S. Data Privacy Framework.

The legal basis for data processing is Art. 6(1)(f) GDPR. The legitimate interest lies in optimizing the functionality and speed of our website.

Further information on Google’s Terms of Service and privacy policy can be found at https://www.google.com/analytics/terms/de.html or https://www.google.de/intl/de/policies

AWS CloudFront
We use AWS CloudFront to ensure the proper delivery of our website’s content. AWS CloudFront is a service provided by Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA, which functions as a Content Delivery Network (CDN) on our website.

A CDN helps to deliver content from our online offering—particularly files such as graphics or scripts—more quickly with the help of servers distributed regionally or internationally. When you access this content, you establish a connection to servers operated by Amazon Web Services, Inc., during which your IP address and, if applicable, browser data such as your user agent are transmitted. This data is processed exclusively for the purposes mentioned above and to maintain the security and functionality of AWS CloudFront.

The storage and processing of the collected data take place in the United States, i.e., a third country for which no adequacy decision has been issued by the European Commission.

However, Amazon Web Services, Inc. bases the data transfer to the United States on the European Commission’s EU-U.S. Data Privacy Framework.

The legal basis for the aforementioned data processing and the use of the Content Delivery Network is based on our legitimate interests pursuant to Art. 6(1)(f) GDPR, i.e., our interest in the secure and efficient provision and optimization of our online services.

We have no control over the specific retention period for the processed data; this is determined by Amazon Web Services, Inc.

For more information about AWS and data protection, please visit https://aws.amazon.com/de/compliance/gdpr-center/ and https://aws.amazon.com/de/privacy/

Sentry
We use the Sentry service provided by Functional Software Inc., 132 Hawthorne Street, San Francisco, California 94107, USA, to improve the technical stability of our service by monitoring system stability and identifying code errors. Sentry serves these purposes exclusively and does not analyze data for advertising purposes. User data, such as device information or the time of the error, is collected anonymously, is not used in a personally identifiable manner, and is subsequently deleted.

The storage and processing of the collected data take place in the United States, a third country for which no adequacy decision has been issued by the European Commission.

However, Sentry bases the data transfer to the United States on the European Commission’s EU-U.S. Data Privacy Framework.

The legal basis for the use of Sentry is a legitimate interest pursuant to Art. 6(1)(f) GDPR. Our legitimate interest consists in designing our offerings to meet user needs.

Further information on this can be found in Sentry’s Privacy Policy: https://sentry.io/privacy/ (in English)

Our Social Media Presence

Data Processing by Social Networks
We maintain publicly accessible profiles on social networks. The specific social networks we use are listed below.

Social networks such as Facebook, Twitter, etc., can generally analyze your user behavior in detail when you visit their website or a website with integrated social media content (e.g., “Like” buttons or advertising banners). Visiting our social media profiles triggers numerous data processing operations relevant to data protection. Specifically:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can associate this visit with your user account. However, your personal data may also be collected even if you are not logged in or do not have an account with the respective social media portal. In this case, data collection occurs, for example, via cookies stored on your device or by recording your IP address.

Using the data collected in this way, social media platform operators can create user profiles that store your preferences and interests. This allows them to display interest-based advertising to you both on and off the respective social media platform. If you have an account with the respective social network, interest-based advertising may be displayed on all devices on which you are currently logged in or have previously been logged in.

Please also note that we cannot track all processing activities on social media platforms. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media platforms. For details, please refer to the terms of use and privacy policies of the respective social media platforms.

Legal Basis
Our social media presence is intended to ensure the broadest possible online presence. This constitutes a legitimate interest within the meaning of Article 6(1)(f) of the GDPR. The analysis processes initiated by the social networks may be based on different legal grounds, which must be specified by the operators of the social networks (e.g., consent within the meaning of Article 6(1)(a) of the GDPR).

Data Controller and Exercising Rights
When you visit one of our social media profiles (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered by that visit. You may generally exercise your rights (right of access, rectification, erasure, restriction of processing, data portability, and the right to lodge a complaint) both against us and against the operator of the respective social media portal (e.g., against Facebook).

Please note that, despite our joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options depend largely on the corporate policies of the respective provider.

Retention Period
Data collected directly by us through our social media presence is deleted from our systems as soon as the purpose for its storage no longer applies, you request its deletion, you revoke your consent to its storage, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions—in particular retention periods—remain unaffected.

We have no influence over the storage period of your data that is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g., in their privacy policy, see below).

LinkedIn
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Facebook
We maintain a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter referred to as “Facebook”). According to Facebook, the data collected is also transferred to the United States and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Facebook.

This agreement specifies which data processing operations we and Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum

You can adjust your ad settings yourself in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads

For details, please refer to Facebook’s Privacy Policy: https://www.facebook.com/privacy/center/

Name and address of the data controller:
The data controller within the meaning of the EU General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union, and other provisions relating to data protection is:

Quartier 96 Boardinghouse
RIMC Hotel Management GmbH
Heimhuder Straße 36
20148 Hamburg
Tel. +49 4921 997127-0
Fax: +49 4921 997127-1
Email: info@quartier96-emden.de
Managing Director:
Marek N. Riegger

Name and address of the Data Protection Officer:
SHIELD GmbH
Martin Vogel
Ohlrattweg 5
25497 Prisdorf
Tel.: +49 4101 80 50 600

Email: info@shield-datenschutz.de

Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your workplace, or the place where the alleged infringement occurred, if you believe that the processing of your personal data violates the EU General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union, or other provisions of a data protection nature. A list of state data protection commissioners and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

The data protection supervisory authority responsible for us is:

The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22
20459 Hamburg
Phone: +49 (0)40 42854-4040
Email: mailbox@datenschutz.hamburg.de

Changes to the Privacy Policy
We reserve the right to modify our privacy practices and this Privacy Policy to adapt them to changes in relevant laws or regulations, or to better meet your needs. Any changes to our privacy practices will be announced here accordingly. Please note the current version date of the Privacy Policy.
Hamburg, January 2025