EnquireBook

Privacy Statement

Stuhl am Fenster mit gespiegeltem Bergblick im Almzimmer des Tannerhof
Privacy

Privacy Statement

This is a non-binding English translation provided for your convenience. The legally authoritative version of this privacy policy is the German version (“Datenschutzerklärung”). In the event of any discrepancy, the German text prevails.

1. Introduction

With the following information, we want to give you as a “data subject” an overview of how we process your personal data and of your rights under data protection law. As a rule, you can use our websites without entering any personal data. However, if you wish to use specific services offered by our company via our website, processing of personal data may become necessary. Where processing of personal data is necessary and there is no statutory basis for it, we generally obtain your consent.

The processing of personal data – for example your name, address, or email address – is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection provisions applicable to “‚Tannerhof‘ Dr. von Mengershausen GmbH & Co. KG”. By means of this privacy policy, we wish to inform you about the scope and purpose of the personal data we collect, use, and process.

As the controller, we have implemented numerous technical and organisational measures to ensure the most complete protection possible of the personal data processed via this website. Nevertheless, internet-based data transmissions can in principle have security gaps, so that absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us by alternative means, for example by telephone or by post.

You can also take simple, easily implemented measures to protect yourself against unauthorised access by third parties to your data. We would therefore like to give you a few tips on the secure handling of your data:

  • Protect your account (login, user account, or customer account) and your IT system (computer, laptop, tablet, or mobile device) with secure passwords.
  • Only you should have access to your passwords.
  • Make sure that you use each password only for a single account (login, user account, or customer account).
  • Do not use one password for different websites, applications, or online services.
  • This applies in particular when using publicly accessible IT systems or systems shared with others: you should always log out after each session on a website, application, or online service.

Passwords should consist of at least 12 characters and be chosen so that they cannot easily be guessed. They should therefore not contain common everyday words, your own name, or the names of relatives, but rather a mix of upper- and lower-case letters, numbers, and special characters.

2. Controller

The controller within the meaning of the GDPR is:

‚Tannerhof‘ Dr. von Mengershausen GmbH & Co. KG

Tannerhofstraße 32, 83735 Bayrischzell, Germany

3. Data Protection Officer

You can reach our Data Protection Officer as follows:

Stephan Krischke, datenschutz@tannerhof.de

You may contact our Data Protection Officer directly at any time with any questions or suggestions regarding data protection.

4. Definitions

This privacy policy is based on the terms used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy policy is intended to be easy to read and understand both for the general public and for our customers and business partners. To ensure this, we would like to explain the terms used in advance.

In this privacy policy we use, among others, the following terms:

  1. Personal data – Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  2. Data subject – A data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).
  3. Processing – Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  4. Restriction of processing – Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

5. Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

6. Pseudonymisation

Pseudonymisation means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data is not attributed to an identified or identifiable natural person.

7. Processor

A processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

8. Recipient

A recipient is a natural or legal person, public authority, agency, or other body to which personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular inquiry in accordance with Union or Member State law are not regarded as recipients.

9. Third party

A third party is a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorised to process the personal data.

10. Consent

Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

5. Legal basis for processing

Art. 6 Abs. 1 lit. a) DSGVO (in conjunction with § 25 Abs. 1 TDDDG (formerly TTDSG)) serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.

Where the processing of personal data is necessary for the performance of a contract to which you are a party – as is the case, for example, with processing operations necessary for the supply of goods or the provision of any other service or consideration – the processing is based on Art. 6 Abs. 1 lit. b) DSGVO. The same applies to processing operations necessary to carry out pre-contractual measures, for instance in the case of enquiries about our products or services.

Where our company is subject to a legal obligation requiring the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Art. 6 Abs. 1 lit. c) DSGVO.

In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance details, or other vital information had to be passed on to a doctor, a hospital, or other third parties. In that case the processing would be based on Art. 6 Abs. 1 lit. d) DSGVO.

Finally, processing operations may be based on Art. 6 Abs. 1 lit. f) DSGVO. This legal basis covers processing operations not covered by any of the aforementioned legal bases where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, provided that the interests, fundamental rights, and freedoms of the data subject are not overriding. Such processing operations are permitted in particular because they were specifically mentioned by the European legislator, who took the view that a legitimate interest could be assumed where you are a customer of our company (Recital 47, sentence 2 GDPR).

Our offering is generally directed at adults. Persons under the age of 16 may not transmit any personal data to us without the consent of a parent or legal guardian. We do not request personal data from children or minors, do not collect it, and do not pass it on to third parties.

6. Transfer of data to third parties

Your personal data is not transferred to third parties for purposes other than those listed below.

We disclose your personal data to third parties only where:

  1. you have given us your express consent to do so pursuant to Art. 6 Abs. 1 lit. a) DSGVO,
  2. the disclosure is permissible pursuant to Art. 6 Abs. 1 lit. f) DSGVO to safeguard our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in your data not being disclosed,
  3. in the event that a legal obligation to disclose exists pursuant to Art. 6 Abs. 1 lit. c) DSGVO, and
  4. this is legally permissible and necessary pursuant to Art. 6 Abs. 1 lit. b) DSGVO for the performance of contractual relationships with you.

To protect your data and, where applicable, to enable us to transfer data to third countries (outside the EU/EEA), we have concluded data processing agreements on the basis of the European Commission’s Standard Contractual Clauses. Where the Standard Contractual Clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 Abs. 1 lit. a) DSGVO may serve as the legal basis for the transfer to third countries. This may not apply to a data transfer to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 DSGVO.

In the course of the processing operations described in this privacy policy, personal data may be transferred to the USA. Companies in the USA have an adequate level of data protection only where they are certified under the EU-US Data Privacy Framework, such that the adequacy decision of the EU Commission pursuant to Art. 45 DSGVO applies. We have expressly indicated this for the relevant service providers in this privacy policy. To protect your data in all other cases, we have concluded data processing agreements on the basis of the European Commission’s Standard Contractual Clauses. Where the Standard Contractual Clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 Abs. 1 lit. a) DSGVO may serve as the legal basis for the transfer to third countries. This may not apply to a data transfer to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 DSGVO.

7. Technology

7.1 SSL/TLS encryption

To ensure the security of data processing and to protect the transmission of confidential content – such as orders, login data, or contact requests that you send to us as the operator – this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the browser’s address bar shows “https://” instead of “http://”, and by the padlock symbol in your browser bar.

We use this technology to protect the data you transmit.

7.2 Data collection when visiting the website

When you use our website purely for information purposes – that is, when you do not register or otherwise transmit information to us and do not give consent to processing operations that require it – we collect only such data as is technically necessary for the provision of the service. This is generally data that your browser transmits to our server (in so-called server log files). Each time a page is accessed by you or an automated system, our website records a range of general data and information. This general data and information is stored in the server’s log files. The following may be recorded:

  1. the browser types and versions used,
  2. the operating system used by the accessing system,
  3. the website from which an accessing system reaches our website (so-called referrer),
  4. the sub-pages accessed via an accessing system on our website,
  5. the date and time of access to the website,
  6. an Internet Protocol address (IP address), and
  7. the internet service provider of the accessing system.

When using this general data and information, we do not draw any conclusions about you as a person. Rather, this information is needed in order to:

  1. deliver the content of our website correctly,
  2. optimise the content of our website and the advertising for it,
  3. ensure the continued functionality of our IT systems and the technology of our website, and
  4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack.

This collected data and information is therefore evaluated by us both statistically and with the aim of increasing data protection and data security in our company, in order ultimately to ensure an optimal level of protection for the personal data we process. The server log file data is stored separately from all personal data provided by a data subject.

The legal basis for the data processing is Art. 6 Abs. 1 S. 1 lit. f) DSGVO. Our legitimate interest follows from the purposes for data collection listed above.

7.3 Amazon CloudFront (Content Delivery Network)

We use Amazon CloudFront, a web service of Amazon Web Services Inc., 410 Terry Avenue North, 98109, Seattle, Washington, USA.

Amazon CloudFront is a content delivery network (CDN). It routes the transfer of information between your browser and our website via the CloudFront network. This reduces the latency with which we can deliver static and dynamic web content. It also improves the security of our website through traffic encryption and access controls.

CloudFront also stores cookies on your device to optimise the service. You can delete cookies in your browser, allow cookies only on a case-by-case basis, and enable the automatic deletion of cookies when you close the browser.

Amazon Web Services receives and processes personal data as our processor under the EU Standard Contractual Clauses. CloudFront collects statistical data about visits to our website. This includes, among other things:

  • IP address
  • Website accessed
  • Referrer URL
  • Browser type
  • Operating system
  • Device type

If you have consented to the use of CloudFront, the legal basis for the processing of personal data is Art. 6 Abs. 1 lit. a DSGVO. It is also in our legitimate interest within the meaning of Art. 6 Abs. 1 lit. f DSGVO to use CloudFront in order to optimise our website, make it more secure, and avoid having to operate a content delivery network ourselves. The personal data is retained by Amazon Web Services for as long as necessary to achieve the purpose described.

Amazon Web Services Inc. is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

More detailed information on CloudFront can be found at: https://aws.amazon.com/de/cloudfront/.

7.4 Cloudflare (Content Delivery Network)

Our website uses functions of CloudFlare. The provider is CloudFlare, Inc., 665 3rd St. #200, San Francisco, CA 94107, USA.

CloudFlare provides a globally distributed content delivery network with DNS. Technically, the transfer of information between your browser and our website is routed via the CloudFlare network. CloudFlare is thereby able to analyse the data traffic between users and our websites, for example to detect and defend against attacks on our services. CloudFlare may also store cookies on your device for optimisation and analysis purposes.

You can configure your browser so that you are informed about the setting of cookies and allow cookies only on a case-by-case basis, exclude the acceptance of cookies for certain cases or in general, and enable the automatic deletion of cookies when the browser is closed. Disabling cookies may limit the functionality of this website.

On the basis of the GDPR, we have concluded a corresponding data processing agreement, or agreement under the EU Standard Contractual Clauses, with Cloudflare. Cloudflare collects statistical data about visits to this website. The access data includes: the name of the web page accessed, the file, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider. Cloudflare uses the log data for statistical analyses for the purposes of operation, security, and optimisation of its offering.

If you have consented to the use of Cloudflare, the legal basis for the processing of personal data is Art. 6 Abs. 1 lit. a) DSGVO. We also have a legitimate interest in using Cloudflare to optimise our online offering and make it more secure. The corresponding legal basis for this is Art. 6 Abs. 1 lit. f) DSGVO. The personal data is retained for as long as necessary to fulfil the processing purpose. The data is deleted as soon as it is no longer required for the achievement of the purpose.

This US company is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

Further information on CloudFlare can be found at: https://www.cloudflare.com/privacypolicy/.

7.5 Hosting by Webflow

We host our website with Webflow, Inc., 398 11th St., Floor 2, San Francisco, CA 94103, USA (hereinafter “Webflow”).

When you visit our website, your personal data (e.g. IP addresses in log files) is processed on Webflow’s servers.

The use of Webflow is based on Art. 6 Abs. 1 lit. f) DSGVO. We have a legitimate interest in the most reliable presentation, provision, and security of our website.

We have concluded a data processing agreement (AVV) pursuant to Art. 28 DSGVO with Webflow. This is a contract required under data protection law, which ensures that Webflow processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Further information on Webflow’s data protection provisions can be found at: https://webflow.com/legal/privacy.

7.6 jsDelivr

Components of jsDelivr, operated by the provider Prospect One, Królewska 65A/1, PL-30-081 Kraków, Poland, are integrated into our website.

We use the open-source service jsDelivr on our website in order to deliver the content of our website to users’ various end devices as quickly and technically flawlessly as possible.

jsDelivr is a content delivery network (CDN) that distributes the content on our website across various servers in order to ensure optimal worldwide availability. A CDN generally uses servers located geographically close to the respective website user. It can therefore be assumed that users within the EU are served content via servers within the EU. To provide the content, jsDelivr records user data such as the IP address.

According to the provider, jsDelivr does not use cookies or similar tracking technologies; it is necessary only for the technical reasons mentioned above.

The data processing is carried out on the basis of your consent pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

You can view jsDelivr’s data protection provisions at: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

7.7 UNPKG

On our website we display icons (favicons) using the content delivery network (CDN) “UNPKG”. This is an open-source CDN operated by CloudFlare, Inc., 665 3rd St. #200, San Francisco, CA 94107, USA. When a page is accessed, your browser loads the required icons into your browser cache so that they are displayed correctly.

For this purpose, the browser you use must establish a connection to UNPKG’s servers. UNPKG thereby becomes aware that our website was accessed via your IP address.

The display of favicons using the CDN is carried out in the interest of a uniform and appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 Abs. 1 lit. f DSGVO. Where corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 Abs. 1 lit. a) DSGVO.

Further information on the display of favicons using the UNPKG CDN can be found at: https://unpkg.com/browse/@mdi/svg@7.2.96/.

7.8 jQuery

To properly provide the content of our website, we use the jQuery CDN. The jQuery CDN is a service of jQuery that functions as a content delivery network (CDN) on our website.

A CDN helps to deliver the content of our online offering – in particular files such as graphics or scripts – more quickly using regionally or internationally distributed servers. When you access this content, you establish a connection to jQuery’s servers, whereby your IP address and, where applicable, browser data such as your user agent are transmitted. This data is processed exclusively for the purposes mentioned above and to maintain the security and functionality of the jQuery CDN.

The use of the content delivery network is based on our legitimate interests, i.e. an interest in the secure and efficient provision and optimisation of our online offering pursuant to Art. 6 Abs. 1 lit. f. DSGVO.

We have no influence over the specific retention period of the processed data; this is determined by jQuery. Further information can be found in the privacy policy for the jQuery CDN: https://www.stackpath.com/legal/privacy-statement/.

7.9 Resend

We use the service Resend provided by Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA, for sending system and transactional emails (e.g. order confirmations or technical notifications). In this context we process the recipient’s email address, the content of the message, and technical dispatch and delivery information (e.g. timestamps, status data). The processing is carried out to perform pre-contractual measures or to fulfil a contract pursuant to Art. 6 Abs. 1 lit. b DSGVO, as well as on the basis of our legitimate interest in reliable and secure email communication pursuant to Art. 6 Abs. 1 lit. f DSGVO. A transfer of personal data to the USA cannot be ruled out. Further information on data protection at Resend can be found at: https://resend.com/legal/privacy-policy.

7.10 Native forms

On our website we use forms provided by the Webflow platform (Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA) to receive enquiries, job applications, and other submissions. The data you enter is processed via Webflow’s infrastructure. The processing is carried out to handle your enquiry or to perform pre-contractual measures or contractual services (Art. 6 Abs. 1 lit. b DSGVO), as well as on the basis of our legitimate interest in efficient communication (Art. 6 Abs. 1 lit. f DSGVO). Further information: https://webflow.com/legal/privacy.

8. Cookies

8.1 General information on cookies

Cookies are small files that your browser automatically creates and that are stored on your IT system (laptop, tablet, smartphone, or similar) when you visit our site.

Information is stored in the cookie that arises in each case in connection with the specific device used. This does not mean, however, that we thereby gain direct knowledge of your identity.

The use of cookies serves to make the use of our offering more pleasant for you. For example, we use so-called session cookies to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our site.

In addition, to optimise user-friendliness, we also use temporary cookies that are stored on your device for a defined period of time. If you visit our site again to make use of our services, it is automatically recognised that you have already been with us and what entries and settings you have made, so that you do not have to enter these again.

We also use cookies to record the use of our website statistically and to evaluate our offering for you for the purpose of optimisation. These cookies enable us to automatically recognise, when you visit our website again, that you have already visited it. The cookies set in this way are automatically deleted after a defined period in each case. The respective retention period of the cookies can be found in the settings of the consent tool used.

8.2 Legal basis for the use of cookies

The data processed by means of cookies that are required for the proper functioning of the website is necessary to safeguard our legitimate interests and those of third parties pursuant to Art. 6 Abs. 1 lit. f) DSGVO.

For all other cookies, you have given your consent via our opt-in cookie banner within the meaning of Art. 6 Abs. 1 lit. a) DSGVO.

8.3 Termly

We have integrated Termly into our website. Termly is a consent solution of Termly Inc., 906 W 2nd Ave, Spokane, WA 99201, USA, with which consent to the storage of cookies can be obtained and documented. Termly uses cookies or other web technologies to recognise users and to store the consent given or withdrawn.

The service is used on the basis of obtaining the legally required consent to the use of cookies pursuant to Art. 6 Abs. 1 lit. c. DSGVO and § 25 Abs. 2 Nr. 2 TDDDG.

We have no influence over the specific retention period of the processed data; this is determined by Termly Inc. Further information can be found in the privacy policy for Termly: https://termly.io/de/unsere-datenschutzpolitik/.

9. Content of our website

9.1 Order/booking processing

In the course of order or booking processing, we collect your personal data.

We pass on your payment data to the commissioned credit institution in the context of payment processing, where this is necessary for the payment. Where payment service providers are used, we provide explicit information on this below.

We process your personal data for the purpose of the booking/order or reservation in order to perform a contract with you pursuant to Art. 6 Abs. 1 lit. b DSGVO. There is a contractual obligation to provide your data insofar as the mandatory fields are concerned, since this information is necessary to identify you and for us to perform the contract. There is no statutory obligation to provide the data. Without the provision of this information, the booking/order and thus the conclusion of a contract is not possible. There is no obligation to provide the additional information given voluntarily. The booking/order is also possible without disclosing the voluntary information.

Your data is stored where statutory retention obligations (for example under tax and commercial law) exist.

Booking software & creation of offers

For our online bookings we use the booking software of HotelNetSolutions GmbH, Genthiner Str. 8, 10785 Berlin. Further information on the service and the data protection provisions can be found at: https://hotelnetsolutions.de/datenschutz/.

We use the Re:Guest service to process booking enquiries and to create individual offers. The provider is ReGuest AG, Kuperionstraße 34, 39012 Merano, Italy. In the course of use, the data you transmit (e.g. name, contact details, booking details) is processed in order to review your enquiry and create a suitable offer. Further information on data processing by Re:Guest can be found at: https://www.reguest.io/de/datenschutz.

Payment provider

For the payment processing of our online bookings we use the services of hobex AG, Josef-Brandstätter-Straße 2b, 5020 Salzburg, Austria. Further information on payment processing by hobex AG can be found at: https://www.hobex.at/de/service/datenschutz/.

9.2 Contact forms (vouchers, booking/reservation, enquiries)

In the course of contacting us (e.g. by contact form or email), personal data is collected. Which data is collected in the case of a contact form is apparent from the respective contact form. In addition, you may voluntarily provide further information that you consider necessary for processing your enquiry. When you contact us, your personal data is not passed on to third parties.

Your data is processed for the purpose of communication and processing your enquiry on the basis of your consent pursuant to Art. 6 Abs. 1 lit. a DSGVO. Insofar as your enquiry relates to an existing contractual relationship with us, the processing is carried out for the purpose of contract performance on the basis of Art. 6 Abs. 1 lit. b DSGVO. There is no statutory or contractual obligation to provide your data; however, processing your enquiry is not possible without the provision of the information in the mandatory fields. If you do not wish to provide this data, please contact us by other means.

Insofar as contact is made on the basis of your consent, we store the data collected for each enquiry for a period of three years, beginning with the completion of your enquiry or until you withdraw your consent.

Should contact be made in the context of a contractual relationship, we store the data collected for each enquiry for a period of three years from the end of the contractual relationship.

9.3 Application management

We collect and process the personal data of applicants. Such data processing may also be carried out by electronic means, for example where applicants submit application documents to us by email or via a web form located on our website. On our website we offer you the option of submitting applications for advertised job vacancies to us by email and via the Webflow application form.

Storage of your data in an applicant database beyond the current application procedure is also carried out only where you have given us your separate consent to do so.

The legal basis for the processing of your personal data in this application procedure is primarily Art. 6 Abs. 1 lit. b) DSGVO. Under this provision, the processing of data is permissible where it is necessary in connection with the decision on the establishment of an employment relationship. This also includes, where applicable, the use of the online applicant portal. Where special categories of personal data within the meaning of Art. 9 DSGVO are processed (e.g. health data), the legal basis is § 26 Abs. 3 BDSG or Art. 9 Abs. 2 lit. b) DSGVO in conjunction with Art. 6 Abs. 1 lit. b) DSGVO. In the event of your application documents being passed on to third parties, in particular to affiliated companies, as well as the storage of your data beyond the current application procedure, your data is processed on the basis of Art. 6 Abs. 1 Satz 1 lit. a DSGVO in conjunction with § 26 Abs. 2 BDSG. There is no statutory or contractual obligation to provide your data; however, processing your application is not possible without the provision of the information.

Applicants’ data is deleted six months after a rejection. In the event that you have consented to further storage of your personal data, we will transfer your data to our applicant pool. There, the data is deleted after 24 months.

9.4 Regulars’ Club (Guest Club)

This website uses KunLeiSys Guest Club software (regulars’ area). The provider is GASTROpoint GmbH, Pommernstraße 17, 83395 Freilassing, Germany. KunLeiSys Guest Club software is a service with which the guest club, offers, loyalty points, emails for special occasions, and newsletter dispatch are organised and managed. You can register for the guest club on our website. We use the data entered for this purpose only for the purpose of using the respective offer or service. The mandatory information requested at registration must be provided in full. Otherwise we will reject the registration. The processing of the data entered at registration is carried out on the basis of your consent (Art. 6 Abs. 1 lit. a DSGVO). You may withdraw any consent you have given at any time free of charge. You can do this via the unsubscribe link in the email or via the cancellation option in the guest club.

The data you provide to us for the purpose of the guest club is stored by us until you cancel and is deleted, after cancellation and deletion of the guest club account, both from our servers and from the servers of GASTROpoint GmbH. For important changes, for example to the scope of offerings or for technically necessary changes, we use the email address provided/stored at registration or in your profile to inform you in this way. Statutory retention periods remain unaffected. We have concluded a data processing agreement with GASTROpoint GmbH and fully implement the strict requirements of the data protection authorities when using KunLeiSys Guest Club software.

10. Newsletter dispatch

10.1 Promotional newsletter

On our website you are given the option of subscribing to our company’s newsletter. Which personal data is transmitted to us when ordering the newsletter is apparent from the input mask used for this purpose.

We inform our customers and business partners at regular intervals by means of a newsletter about our offerings. You can generally only receive our company’s newsletter if:

  1. you have a valid email address, and
  2. you have registered for the newsletter dispatch.

For legal reasons, a confirmation email is sent using the double opt-in procedure to the email address you first entered for the newsletter dispatch. This confirmation email serves to verify whether you, as the holder of the email address, have authorised receipt of the newsletter.

When you register for the newsletter, we also store the IP address of the IT system you used at the time of registration, as assigned by your internet service provider (ISP), as well as the date and time of registration. The collection of this data is necessary in order to be able to trace any (possible) misuse of your email address at a later point in time, and therefore serves our legal protection.

The personal data collected in the course of newsletter registration is used exclusively to send our newsletter. Newsletter subscribers may also be informed by email where this is necessary for the operation of the newsletter service or for a related registration, as could be the case with changes to the newsletter offering or with changes to the technical circumstances. The personal data collected in the course of the newsletter service is not passed on to third parties. You can cancel your subscription to our newsletter at any time. The consent to the storage of personal data that you have given us for the newsletter dispatch can be withdrawn at any time. For the purpose of withdrawing consent, a corresponding link can be found in every newsletter. It is also possible to unsubscribe from the newsletter at any time directly on our website or to notify us of this by other means.

The legal basis for data processing for the purpose of newsletter dispatch is Art. 6 Abs. 1 lit. a) DSGVO.

10.2 Newsletter tracking

Our newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in emails sent in HTML format to enable log file recording and log file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns. By means of the embedded tracking pixel, the company can recognise whether and when an email was opened by you and which of the links contained in the email were accessed by you.

Such personal data collected via the tracking pixels contained in the newsletters is stored and evaluated by us in order to optimise the newsletter dispatch and to tailor the content of future newsletters even better to your interests. This personal data is not passed on to third parties. Data subjects are entitled at any time to withdraw the separate declaration of consent given via the double opt-in procedure. Following a withdrawal, this personal data is deleted by us. We automatically interpret unsubscribing from the newsletter as a withdrawal.

Such an evaluation is carried out in particular pursuant to Art. 6 Abs. 1 lit. f) DSGVO on the basis of our legitimate interests in displaying personalised advertising, market research, and/or the needs-based design of our website.

10.3 Campaign Monitor

For sending newsletters we use the service “Campaign Monitor” of Campaign Monitor Pty Ltd., 631 Howard Street, Suite 100, San Francisco, CA 94105, USA.

Campaign Monitor is an all-in-one platform for the automation of marketing and sales processes. The platform makes it possible, among other things, to create emails and automated workflows in order to acquire potential customers and maintain customer relationships.

When using Campaign Monitor, various personal data may be collected, including:

  • Email address
  • Time of access
  • IP address
  • Browser type
  • Operating system

Further information on the Campaign Monitor service and its data protection provisions can be found at: https://www.campaignmonitor.com/policies/#privacy-policy?tid=134283177.

10.4 Marketing emails

To send our marketing emails we use Re:Guest, a service of ReGuest AG, Kuperionstr. 34, 39012 Merano, Italy. We send marketing emails only with your express consent pursuant to Art. 6 Abs. 1 lit. a DSGVO. In doing so we process in particular your email address and, where applicable, further voluntary information to personalise the content. You can withdraw your consent at any time with effect for the future, e.g. via the unsubscribe link in every email. The processing is carried out for the purpose of providing information about our services, offers, and news. Further information on data processing by Re:Guest can be found at: https://www.reguest.io/de/datenschutz.

11. Our activities on social networks

So that we can also communicate with you on social networks and inform you about our services, we maintain our own pages there. When you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the processing operations thereby triggered, within the meaning of Art. 26 DSGVO.

We are not the original provider of these pages, but merely use them within the scope of the options offered to us by the respective providers.

As a precaution, we therefore point out that your data may also be processed outside the European Union or the European Economic Area. Use may therefore involve data protection risks for you, since safeguarding your rights – e.g. to information, erasure, objection, etc. – could be more difficult, and processing on social networks is frequently carried out directly for advertising purposes or for the analysis of user behaviour by the providers, without this being something we can influence. Where usage profiles are created by the provider, cookies are frequently used, or the usage behaviour is attributed to your own member profile on the social network.

The described processing operations of personal data are carried out pursuant to Art. 6 Abs. 1 lit. f) DSGVO on the basis of our legitimate interest and the legitimate interest of the respective provider, in order to be able to communicate with you in a contemporary manner or to inform you about our services. Where you are required to give consent to data processing as a user to the respective providers, the legal basis is Art. 6 Abs. 1 lit. a) DSGVO in conjunction with Art. 7 DSGVO.

Since we have no access to the providers’ data holdings, we point out that you can best assert your rights (e.g. to information, rectification, erasure, etc.) directly with the respective provider. Further information on the processing of your data on social networks is set out below for each social network provider we use:

11.1 Facebook

(Joint) controller for data processing in Europe:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Meta (Facebook) may, unless objected to, process content of adult users from the EU – e.g. photos, posts, or comments – to train its own AI models. The basis is a legitimate interest pursuant to Art. 6 Abs. 1 lit. f) DSGVO. We as a company have no influence over this specific data processing by Meta. Users can object to it via an online form on the Meta platforms.

Privacy policy (data policy): https://www.facebook.com/about/privacy

11.2 Instagram

(Joint) controller for data processing in Germany:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Meta (Instagram) may, unless objected to, process content of adult users from the EU – e.g. photos, posts, or comments – to train its own AI models. We as a company have no influence over this specific data processing by Meta. The basis is a legitimate interest pursuant to Art. 6 Abs. 1 lit. f) DSGVO. Users can object to it via an online form on the Meta platforms.

Privacy policy (data policy): https://instagram.com/legal/privacy/

11.3 LinkedIn

(Joint) controller for data processing in Europe:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy policy: https://www.linkedin.com/legal/privacy-policy

11.4 YouTube

(Joint) controller for data processing in Europe:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy policy: https://policies.google.com/privacy

12. Web analytics

12.1 Meta Pixel (formerly Facebook Pixel)

This website uses the “Facebook Pixel” of Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (“Meta”). Where express consent has been given, this can be used to track the behaviour of users after they have seen or clicked on a Facebook advertisement. This procedure serves to evaluate the effectiveness of Facebook advertisements for statistical and market research purposes and can help to optimise future advertising measures.

When visiting the website, the following data, among others, may be processed by the Meta Pixel:

  • IP address
  • Device information
  • Browsing history

The data is stored and processed by Meta so that a connection to the respective user profile is possible and Meta can use the data for its own advertising purposes, in accordance with the Meta (Facebook) Data Usage Policy (https://www.facebook.com/about/privacy/). This enables Meta and its partners to display advertisements on and outside Facebook. A cookie may also be stored on your device for these purposes.

The collected data is stored by Meta for a period of 180 days and is then removed if the user does not visit the website again.

These processing operations are carried out exclusively where express consent has been given pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

This US company is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

12.2 Google Analytics 4 (GA4)

On our websites we use Google Analytics 4 (GA4), a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

In this context, pseudonymised usage profiles are created and cookies (see the “Cookies” section) are used. The information generated by the cookie about your use of this website may include, among other things:

  • a short-term recording of the IP address without permanent storage
  • location data
  • browser type/version
  • operating system used
  • referrer URL (previously visited page)

The pseudonymised data may be transferred by Google to a server in the USA and stored there.

The information is used to evaluate the use of the website, to compile reports on website activity, and to provide further services associated with website use and internet use for the purposes of market research and the needs-based design of these websites. This information may also be transferred to third parties where required by law or where third parties process this data on our behalf.

These processing operations are carried out exclusively where express consent has been given pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

The retention period preset by Google is 14 months. Otherwise, the personal data is retained for as long as necessary to fulfil the processing purpose. The data is deleted as soon as it is no longer required for the achievement of the purpose.

The parent company Google LLC, as a US company, is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

Further information on data protection when using GA4 can be found at: https://support.google.com/analytics/answer/12017362?hl=de.

12.3 Microsoft Clarity

On our website we use the service Microsoft Clarity (“Clarity”), a web analytics service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

In this context, pseudonymised usage profiles are created and cookies are set on your device.

The data processed includes, among other things:

  • the browser type/version,
  • the operating system used,
  • the referrer URL (the previously visited page),
  • the host name of the accessing computer (IP address),
  • user behaviour on the website visited,
  • mouse movements and clicks,

The information is used to evaluate the use of the website, to compile reports on website activity, and to provide further services associated with website use and internet use for the purposes of market research and the needs-based design of our websites.

These processing operations are carried out exclusively where express consent has been given pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

Microsoft generally processes the data within the European Union under the so-called EU Data Boundary. To provide and secure the services and to fulfil legal obligations, Microsoft Ireland may transfer personal data to affiliated companies of Microsoft Corporation (Redmond, Washington, USA). The intra-group data transfer is carried out on the basis of Standard Contractual Clauses pursuant to Art. 46 Abs. 2 lit. c) DSGVO, as well as supplementary technical and organisational measures, as set out in the Microsoft Data Protection Addendum.

Microsoft Corporation is additionally certified under the EU-US Data Privacy Framework (DPF). An adequacy decision pursuant to Art. 45 DSGVO therefore exists for data transfers to the USA. Transfers of personal data to Microsoft in the USA are therefore permissible without further guarantees or additional measures.

You can view Microsoft’s data protection provisions at: https://privacy.microsoft.com/de-de/privacystatement.

12.3 Meta Conversions / Stape

On our website we use server-side tracking via the Meta Conversions API (CAPI) to analyse user interactions and improve the effectiveness of our marketing measures. In doing so, certain event data (e.g. page views, interactions, or conversions) is transmitted from our server to Meta’s servers. The provider for the European area is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; further processing may be carried out by Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. The implementation is carried out via the Meta Conversions API Gateway using the hosting infrastructure of the provider Stape. The provider is STAPE, INC., 8 The Green, Suite 12892, Dover, DE 19901, USA, as well as – depending on the hosting configuration – Stape Europe OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia. In particular, technical usage data (e.g. IP address, user agent, device information) and, where applicable, hashed identifiers may be transmitted.

The processing is carried out exclusively on the basis of your consent pursuant to Art. 6 Abs. 1 lit. a DSGVO and § 25 Abs. 1 TDDDG. Without your consent, no data is transmitted to Meta. Further information on data protection can be found at: https://www.facebook.com/privacy/policy/ and at Stape: https://stape.io/privacy-policy.

13. Advertising

13.1 Google Ads (AdWords) Remarketing/Retargeting

We have integrated Google Ads into this website. The operating company of the Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

We use this to advertise this website in Google’s search results and on third-party websites. For this purpose, Google sets a cookie in your device’s browser which automatically enables interest-based advertising by means of a pseudonymous cookie ID and on the basis of the pages you have visited.

Processing beyond this only takes place if you have agreed with Google that your internet and app browsing history may be linked by Google to your Google account and that information from your Google account may be used to personalise advertisements that you view on the web. In this case, if you are logged in to Google while visiting our website, Google uses your data together with Google Analytics data to create and define audience lists for cross-device remarketing. For this purpose, your personal data is temporarily linked by Google with Google Analytics data in order to form audiences.

These processing operations are carried out exclusively where express consent has been given pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

The parent company Google LLC, as a US company, is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

The data protection provisions and further information on Google Ads can be found at: https://www.google.com/policies/technologies/ads/

13.2 Google Ads with conversion tracking

We have integrated Google Ads into this website. The operating company of the Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads is an internet advertising service that allows advertisers to place ads both in Google’s search engine results and in the Google advertising network. Google Ads enables an advertiser to define certain keywords in advance, by means of which an ad is displayed in Google’s search engine results only when the user retrieves a keyword-relevant search result using the search engine. In the Google advertising network, the ads are distributed to topic-relevant websites by means of an automatic algorithm and in accordance with the previously defined keywords.

The purpose of Google Ads is to advertise our website by displaying interest-relevant advertising on the websites of third-party companies and in the search engine results of the Google search engine, and to display third-party advertising on our website.

If you reach our website via a Google ad, a so-called conversion cookie is stored on your IT system by Google. A conversion cookie expires after thirty days and is not used to identify you. Via the conversion cookie, provided it has not yet expired, it is traced whether certain sub-pages – for example the shopping cart of an online shop system – were accessed on our website. By means of the conversion cookie, both we and Google can trace whether a user who reached our website via an AdWords ad generated revenue, i.e. completed or abandoned a purchase.

The data and information collected through the use of the conversion cookie is used by Google to compile visit statistics for our website. We in turn use these visit statistics to determine the total number of users referred to us via Ads, i.e. to determine the success or failure of the respective Ads ad and to optimise our Ads ads for the future. Neither our company nor other Google Ads advertising customers receive information from Google by means of which you could be identified.

By means of the conversion cookie, personal information – for example the websites you have visited – is stored. Each time you visit our websites, personal data, including the IP address of the internet connection you use, is therefore transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical procedure to third parties.

These processing operations are carried out exclusively where express consent has been given pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

The parent company Google LLC, as a US company, is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

The data protection provisions and further information on Google AdSense can be found at: https://www.google.de/intl/de/policies/privacy/.

14. Plugins and other services

14.1 Google Tag Manager

On this website we use the Google Tag Manager service. The operating company of Google Tag Manager is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies with headquarters at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

By means of this tool, “website tags” (i.e. keywords integrated into HTML elements) can be implemented and managed via an interface. Through the use of Google Tag Manager, we can automatically trace which button, link, or personalised image you actively clicked, and can thereby record which content of our website is of particular interest to you.

The tool also triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If you have carried out a deactivation at domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.

These processing operations are carried out exclusively where express consent has been given pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

The parent company Google LLC, as a US company, is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

Further information on Google Tag Manager and Google’s privacy policy can be found at: https://www.google.com/intl/de/policies/privacy/.

14.2 Google WebFonts

Our website uses so-called web fonts for the uniform display of fonts. The Google WebFonts are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies with headquarters at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

These processing operations are carried out exclusively where express consent has been given pursuant to Art. 6 Abs. 1 lit. a) DSGVO.

The parent company Google LLC, as a US company, is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 DSGVO therefore exists, so that personal data may be transferred without further guarantees or additional measures.

Further information on Google WebFonts and Google’s privacy policy can be found at: https://developers.google.com/fonts/faq ; https://www.google.com/policies/privacy/.

14.3 Re:Guest Messenger

We have integrated components of the customer communication platform Re:Guest into our website. The Messenger is a service of ReGuest AG and offers us the possibility of communicating with visitors to our website via chat and providing targeted help with questions. The Messenger uses cookies and other browser technologies to evaluate user behaviour and recognise users. The Messenger is also used to store and transmit data entered in chats by means of cookies, including your IP address. In this case, your data is passed on to the operator, ReGuest AG, Kuperionstr. 34, 39012 Merano, Italy.

The use of the Messenger is based on your consent pursuant to Art. 6 Abs. 1 lit. a. DSGVO and § 25 Abs. 1 TDDDG. Further information can be found in the privacy policy: https://www.reguest.io/de/information/datenschutzerkl%C3%A4rung/5-0.html.

14.4 TagEmbed

On our website we use a social media widget of the Tagembed service to integrate Instagram content. The provider is Social Scape Tech LLP, a company based in India (the provider makes a specific service address publicly available only to a limited extent). When a page with an integrated widget is accessed, personal data – in particular the IP address, browser information (user agent), and other technical connection data – is transmitted to the provider’s servers through the reloading of external content. Cookies and comparable technologies may also be used.

The integration and data processing is carried out exclusively on the basis of your consent pursuant to Art. 6 Abs. 1 lit. a DSGVO and § 25 Abs. 1 TDDDG. The widget is therefore only loaded after your express consent via our consent management tool. Without your consent, no data is transmitted in connection with this service. Further information on data processing by Tagembed can be found in the provider’s privacy policy at: https://tagembed.com/privacy-policy/.

15. Your rights as a data subject

15.1 Right to confirmation

You have the right to obtain confirmation from us as to whether personal data concerning you is being processed.

15.2 Right of access – Art. 15 DSGVO

15.3 Right to rectification – Art. 16 DSGVO

You have the right to request the rectification of inaccurate personal data concerning you. Furthermore, taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.

15.4 Erasure – Art. 17 DSGVO

You have the right to request that we erase the personal data concerning you without undue delay, where one of the legally provided grounds applies and insofar as the processing or storage is not necessary.

15.5 Restriction of processing – Art. 18 DSGVO

You have the right to request that we restrict processing where one of the legal conditions is met.

15.6 Data portability – Art. 20 DSGVO

You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, to whom the personal data has been provided, where the processing is based on consent pursuant to Art. 6 Abs. 1 lit. a) DSGVO or Art. 9 Abs. 2 lit. a) DSGVO or on a contract pursuant to Art. 6 Abs. 1 lit. b) DSGVO and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, in exercising your right to data portability pursuant to Art. 20 Abs. 1 DSGVO, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

15.7 Objection – Art. 21 DSGVO

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 Abs. 1 lit. e) (processing in the public interest) or f (processing on the basis of a balancing of interests) DSGVO.

This also applies to profiling based on these provisions within the meaning of Art. 4 Nr. 4 DSGVO.

If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or where the processing serves the establishment, exercise, or defence of legal claims.

In individual cases we process personal data in order to carry out direct marketing. You may object at any time to the processing of personal data for the purposes of such advertising. This also applies to profiling insofar as it is connected with such direct marketing. If you object to us regarding processing for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, you have the right, on grounds relating to your particular situation, to object to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Abs. 1 DSGVO, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free, in connection with the use of information society services and notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications.

15.8 Withdrawal of consent under data protection law

You have the right to withdraw consent to the processing of personal data at any time with effect for the future.

15.9 Complaint to a supervisory authority

You have the right to lodge a complaint with a supervisory authority responsible for data protection regarding our processing of personal data.

16. Duration of storage of personal data

The criterion for the duration of storage of personal data is the respective statutory retention period. After the period expires, the corresponding data is routinely deleted, provided it is no longer required for the performance or initiation of a contract.

17. Currency and amendment of this privacy policy

This privacy policy is currently valid and has the status: June 2026.