Book

Find your hotel:

General information about the processing of your data

We are obliged by law to inform you about the processing of your personal data (hereinafter referred to as “data”) when you use our website. This data protection notice informs you about the details of the processing of your data and about your legal rights in this regard. For terms such as “personal data” and “processing”, the legal definitions pursuant to Art. 4 GDPR apply. We reserve the right to adapt the privacy statement with future effect, in particular in the event of further development of the website, the use of new technologies or changes to the legal bases or the corresponding case law. We recommend that you read this privacy statement from time to time and take a printout or a copy for your records.

1. Controller

The following party is known as the controller under data protection law and therefore responsible for the processing of personal data within the scope of this privacy statement:

H-Hotels GmbH
Braunser Weg 12
34454 Bad Arolsen
Tel.: +49 (0) 551 3057100
Email: [email protected]

2. Questions about data protection

If you have any questions about data protection with regard to our company or our website, you can contact our data protection officer:

Stefan Burghardt, RKM Data GmbH
Bertha-von-Suttner-Str. 9
37085 Göttingen
Tel.: +49 (0) 551 707 280
Email: [email protected]

3. Security

We have taken comprehensive technical and organisational precautions to protect your personal data from unauthorised access, abuse, loss and other external disruption. To this end, we regularly review our security measures and adapt them to the latest standards.

4. Your rights

You have the following rights with regard to the personal data concerning you that you can assert against us:

  • Right of access: You can request access to the personal data concerning you which we process, as set forth in Art. 15 GDPR.
  • Right to rectification: If the information concerning you is not (or no longer) correct, you can request its rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
  • Right to erasure: You may request the erasure of your personal data in accordance with Art. 17 GDPR.
  • Right to restriction of processing: Pursuant to Art. 18 GDPR, you have the right to demand that the processing of your personal data be restricted.
  • Right to object to processing: Pursuant to Art. 21(1) GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data which occurs based on Art. 6(1) Sentence 1(e) or (f) GDPR. If you object, we will not process your data further, unless we can prove compelling legitimate reasons for the processing which override your interests, rights and freedoms. Processing will also continue if the processing serves to establish and exercise or defend against legal claims (Art. 21(1) GDPR). Furthermore, under Art. 21(2) GDPR you have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that this is related to such direct marketing. In this privacy statement, we draw your attention to this right to object when describing each processing operation.
  • Right to withdraw your consent: If you have given your consent for processing, you have a right to withdraw that consent under Art. 7(3) GDPR.
  • Right to data portability: You have the right to receive the personal data you have given us in a structured, commonly used, machine-readable format (“data portability”) and the right to transfer this data to another controller, if the prerequisites of Art. 20(1)(a), (b) GDPR are fulfilled (Art. 20 GDPR).

You can assert your rights by informing us using the contact details specified under “Controller” above or by contacting the data protection officer designated by us. If you believe that the processing of your personal data violates data protection law, then under Art. 77 GDPR you also have the right to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:

Hessian Commissioner for Data Protection and Freedom of Information
Postfach 31 63 
65021 Wiesbaden, 
Gustav-Stresemann-Ring 1 
65189 Wiesbaden
Telephone: +49 (0)611/14080
Email: [email protected], https://www.datenschutz.hessen.de

5. Using our website

In principle, you can use our website for purely informational purposes without disclosing your identity. When you access the individual pages of the website in this sense, this only results in access data being transferred to our web hosting service so that the website can be displayed to you. This involves the following data being processed:

  • Browser type/version
  • Operating system used
  • Language and version of the browser software
  • Date and time of access
  • Hostname of the accessing device
  • IP address.

It is necessary for this data to be processed temporarily in order to make it technically possible for you to visit our website and to deliver the website to your device. The access data is not used to identify individual users and is not combined with other data sources. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in ensuring the functionality, integrity and security of the website. The access data will be erased as soon as it is no longer required for achieving the purpose of its processing. In the case of recording the data to provide the website, this is the case when you end your visit to the website.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

6. Device information

In addition to the aforementioned access data, technologies are used when you use the website which store information on your device (such as desktop PC, laptop, tablet or smartphone) or access information which is already stored on your device. These technologies may include, for example, cookies, pixels, local storage, session storage, IndexedDB or browser fingerprinting technologies. These technologies can be used to recognise you across devices and websites.

According to Sect. 25(1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG), we generally require your consent for the use of these technologies. According to Sect. 25(2) TTDSG, this is only not required if the technologies either enable the transmission of a message via a public telecommunications network or if they are absolutely necessary to provide a telemedia service that you have expressly requested:

6.1 Technically necessary device information

Some elements of our website serve the sole purpose of transmitting a message (Sect. (2) No. 1 TTDSG) or are absolutely necessary to provide you with our website or individual features thereof (Sect. 25(2) No. 2 TTDSG):

  • Language settings
  • Items in shopping basket
  • Login information.

The elements are erased after storage is no longer required. You can prevent processing by adjusting your browser settings accordingly. For elements whose storage duration is not limited to the session, you can adjust your browser settings so that the elements are erased after your session has expired.

6.2 Technically non-essential device information

Our website also uses elements that are not technically necessary. We only use these technologies with your consent in accordance with legal requirements. Information about the individual technologies and features can be found in our “privacy settings” as well as in the following information, which is sorted according to the individual features:

6.2.1 CookiePro consent management platform from by One Trust

We use CookiePro, a consent management tool provided by OneTrust, LLC (Dixon House, 1 Lloyd’s Avenue, London, EC3N 3DQ, [email protected], hereinafter referred to as “OneTrust”), on our website to make it easier for us to ask for your consent to the use of cookies or other tracking technologies so that we can process your device information and personal data. OneTrust gives you the opportunity to accept or decline the processing of your device information and personal data using cookies or other tracking technologies for the purposes listed in OneTrust. Such processing purposes may include the integration of external elements, integration of streamed content, statistical analysis, reach measurement, personalised product recommendations, and personalised advertising. You can use OneTrust to grant or refuse your consent for all features, or to grant or refuse your consent for individual purposes or third-party providers. You can change your settings again later on. The purpose of integrating OneTrust is to allow users of our website to decide whether to allow cookies and similar technologies, and to offer them the opportunity to change settings that they have already made when they continue to use our website. In particular, the “360yield” cookie is used to document your consent or refusal to have your device information processed and to take this decision into account when you use the website. The use of OneTrust involves the processing of personal data as well as information from the device being used, such as the IP address. The information about the settings you have made is also stored on your device. The legal basis for the processing is Art. 6(1) Sentence 1(c) GDPR in conjunction with Art. 7(1) GDPR, insofar as the processing serves to fulfil the legally standardised obligations to provide evidence for the granting of consent. Otherwise, Art. 6(1) Sentence 1(f) GDPR is the relevant legal basis. Our legitimate interests in this processing lie in the storage of users’ settings and preferences with regard to the use of cookies and the evaluation of consent rates. A new request for your consent will be made twelve months after you saved your user settings. Your user settings will then be saved again for this period, unless you delete the information about your user settings yourself beforehand in your device settings.

You may object to the processing, insofar as processing is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

6.3 Contacting our company

When you contact our company, for example by email, telephone or using the contact form on the website, we will process the personal data you provide so that we can respond to your request. In order for us to process enquiries submitted via the contact form, it is essential that you provide a salutation, a first and last name and a valid email address. At the time the message is sent to us, your IP address and the date and time of registration will be processed. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR and Art. 6(1) Sentence 1(b) GDPR, if the contact is made with the intention of concluding a contract. If the request is aimed at concluding a contract, it is necessary for you to provide your data. If you do not provide your data, it will not be possible to conclude/execute a contract and process the request. The other data processed during the submission process serves to prevent any misuse of the contact form and to ensure the security of our information technology systems. In order to process your contact request, we process your personal data using the following systems:

  • Microsoft356, provided by Microsoft Corporation (Microsoft Ireland Operations, Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18P521, Ireland and Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, US). Microsoft also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Microsoft is certified under this. In addition, so-called standard contractual clauses have been concluded with Microsoft Corporation in order to commit Microsoft Corporation to an appropriate level of data protection. A copy of the standard contractual clauses can be requested at: https://go.microsoft.com/fwlink/p/?linkid=2126612
  • Oracle OPERA 5, provided by ORACLE (ORACLE Deutschland B.V. & Co. KG, Riesstraße 25 80992 Munich and Oracle Corporation, 2300 Cloud Way Austin, TX 78741, US). For more information, please refer to the “Booking processing” section of this privacy statement.

As soon as processing is no longer necessary, we will erase the data generated here – usually two years after the end of the communication – or, if statutory retention obligations apply, restrict processing of the data.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

6.4 Quicktext

If you have any questions about our hotels, accommodation offers, leisure offers, your booking, or our company, you can contact our virtual assistant via the Quicktext pop-up chat window provided by Quicktext SAS (64, Rue Jean-Pierre Timbaud, 75011 Paris, France; hereinafter referred to as “Quicktext”) and ask your questions there. The chat is powered by artificial intelligence. It does not allow you to communicate with a member of our staff. Before you start chatting, you will be asked for your name and email address to ensure that the chat works properly. The virtual assistant will respond as accurately as possible. You can check availability at the hotel of your choice and after answering a few questions relevant to the booking, you will be directed to the booking engine. Quicktext uses cookies (see “Device information” for more information) to enable you to use the chat. Some of the data mentioned under “Using our website” is transmitted to Quicktext. We use Quicktext to communicate with you better and more easily. As soon as processing is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data accordingly. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in being able to offer you another communication channel and to improve our customer service. For more information about data protection and how long your data is stored, please refer to: https://www.quicktext.im/privacy-policy/

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

6.5 Jira

We use the Jira software, which is provided by Atlassian (Atlassian. Pty Ltd, 350 Bush Street, Floor 13, San Francisco, CA 94104, US; hereinafter referred to as “Jira” and “Atlassian”), for the purposes of conflict and project management. Jira is a web application for error management, troubleshooting and operational project management. We use Jira to manage tasks and requirements, improving our process management and internal workflow organisation. Customer emails are also fed into Jira for this purpose. The data you provide to us, such as your email address, your name and the contents of your email, is transmitted to Jira and processed on Jira servers, some of which are located in the US. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in improving our internal processes and project management, and in managing and correcting errors and problems. Jira also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Jira and Atlassian are certified under the new adequacy decision. So-called standard contractual clauses have also been concluded with Atlassian in order to commit Atlassian to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: Atlassian Data Processing Addendum. For further information about the protection of your data, in particular how long it is stored, please refer to: https://www.atlassian.com/legal/privacy-policy

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

6.6 DeepL/ DeepL Pro

We use the translation services of DeepL Pro. DeepL/DeepL Pro is a company specialising in the development of Artificial Intelligence for languages. DeepL Pro is a subscription service that provides access to the full capacity of DeepL's AI translation technology to handle business processes efficiently.

The controller in charge of data processing within the meaning of the GDPR, other data protection laws applicable in the member states of the European Union and other provisions related to data protection is DeepL SE, Maarweg 165, 50825 Cologne, Germany.

When using the translation service, DeepL collects and processes personal data in accordance with the statutory provisions, in particular the General Data Protection Regulation ("GDPR") and the Federal Data Protection Act ("BDSG"). In addition, DeepL/DeepL Pro may also store and, if necessary, process the entered data for its own purposes (AI training). DeepL may also store (encrypted) entered data in order to rectify errors. This data is automatically deleted after a maximum of 72 hours. Only metadata such as time of request, IP address or number of characters translated is stored for billing and statistical purposes. In addition, metadata is temporarily stored when documents are translated, such as

  • Status/progress of translation
  • Document file type
  • Language pair selected for translation
  • Estimated time required for translation
  • Reference to the glossary used (when using DeepL Pro)
  • Content of the glossary used (if using the Free Translator)
  • Number of calculated characters
  • Errors encountered during the translation process

Further information on data processing by DeepL can be found at the following link: https://www.deepl.com/en/privacy

7. Application process

As part of the application process, we process your contact details such as your name, email address, data from your application documents, in particular certificates, CV, cover letter, date of birth and gender, and, if applicable, special categories of personal data such as marital status and degree of disability. For this purpose, we use human resource management software provided by BITE GmbH, Filchnerstraße 16, 89231 Neu-Ulm. For more information about data processing by BITE GmbH, please click on the following link: https://www.b-ite.de/legal-notice.html

The purpose of this processing is to check your suitability for a position in our company and to conduct the application process. In the case of an (unsolicited) application by email, we also process metadata from your email, such as the date and time, in order to conduct the application process. If you apply via our careers portal on our website, the access data mentioned under “Using our website” will also be processed in order for you to be able to submit your application documents and other documents digitally to us within the application process.

We may also use messenger services to contact you directly during the application process, and interviews may be conducted by telephone or video conferencing. However, such contact will only be made following an application from you, or following a successful direct approach through a career network.

The legal basis for this processing is Art. 6(1) Sentence 1(b) GDPR in conjunction with Sect. 26(1) of the German Federal Data Protection Act (BDSG), insofar as the data processing is necessary for hiring you and for carrying out the employment relationship. If we process special categories of personal data, the legal basis is Art. 9(2)(b) GDPR in conjunction with Sect. 26(3) BDSG. The provision of your data is necessary and obligatory in order to conclude and execute the contract. You will not be able to apply for a job with us if you do not provide your data.

We will store your data for as long as necessary in connection with the employment relationship. As a rule, we will erase your personal data as soon as it is no longer required for the purposes mentioned above and unless otherwise required by law. In particular, we store personal data for as long as we need it to establish legal claims or to defend against claims. Accordingly, in the event of a rejection we will erase the data of applicants six months after sending the rejection notification. The legal basis for the processing for legal enforcement purposes is Art. 6(1) Sentence 1(b) GDPR in conjunction with Sect. 26(1) BDSG. If we process special categories of personal data, in particular data concerning disabilities, the legal basis is Art. 9(2)(b) GDPR in conjunction with Sect. 26(3) BDSG or Art. 9(2)(f) GDPR.

If you accept a job offer, we will store your data for the subsequent employment relationship within our employee data management system. Further details are available in the data protection information for employees.

If you provide us with the link to your LinkedIn profile (LinkedIn Corporation, 2029 Stierlin Court, Mountain View CA 94043, US) or your XING profile (XING SE, Dammtorstraße 29-32, 20354 Hamburg, Germany) in the course of your application, we will also process the data stored in your profile (such as names, photos, profile slogans and your current position as well as the email address associated with your LinkedIn or XING account). The processing takes place on the basis of the consent you give when forwarding the information, and therefore on the legal basis of Art. 6(1) Sentence 1(a) GDPR.

You can withdraw your consent to the processing of your LinkedIn data and XING data at any time by sending us a message ([email protected]). Please note that this will not affect the lawfulness of the processing before your withdrawal. In addition, you have the right to object to the processing of your other data, if the processing is based on the legal basis from Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

If you have agreed to be included in our applicant pool, we will process your application documents so that we can contact you in the event of a vacancy. The legal basis is your consent pursuant to Art. 6(1) Sentence 1(a) GDPR. If our last contact with you (for example, by email or telephone) was more than twenty-four months ago, we will remove your details from the applicant pool. 

You can withdraw your consent to the processing at any time by sending us a message ([email protected]). Please note that this will not affect the lawfulness of the processing before your withdrawal.

8. Processing for contractual purposes

We process your personal data if and to the extent necessary for the initiation, creation, execution and/or termination of a legal transaction with our company. The legal basis for this results from Art. 6(1) Sentence 1(b) GDPR. It is necessary for you to provide your data in order to conclude the contract and you are contractually obliged to provide your data. If you do not provide your data, it will not be possible to conclude and/or execute a contract. Once the purpose has been achieved (for example, contract processing), the personal data will be blocked for further processing or erased, unless we are entitled to keep processing the data on the basis of a consent granted by you (for example, consent to the processing of your email address for sending promotional emails), a contractual agreement, a statutory authorisation (such as authorisation to send direct marketing) or on the basis of justified interests (such as retention for asserting claims).

Your personal data will be passed on to third parties if

  • It is necessary for the creation, execution or termination of legal transactions with our company (for example, when transmitting data to a payment service provider / a shipping company to process a contract with you or partner programmes, such as Miles & More or PAYBACK), in accordance with Art. 6(1) Sentence 1(b) GDPR), or
  • A subcontractor or party we use to perform our obligations, which we use exclusively within the framework of providing the offers or services requested by you, needs this data (unless you are expressly informed otherwise, such auxiliary parties are only entitled to process the data insofar as this is necessary for the provision of the offer or service), or
  • There is an enforceable official order (Art. 6(1) Sentence 1(c) GDPR), or
  • There is an enforceable court order (Art. 6(1) Sentence 1(c) GDPR), or
  • We are legally obliged to do so (Art. 6(1) Sentence 1(c) GDPR), or
  • The processing is necessary in order to protect the vital interests of the data subject or another natural person (Art. 6(1) Sentence 1(d) GDPR), or
  • This is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 6(1) Sentence 1(e) GDPR), or
  • We can cite our overriding legitimate interests, or those of a third party, in the disclosure (Art. 6(1) Sentence 1(f) GDPR).

Your personal data will not be transmitted to other persons, companies or bodies unless you have effectively consented to such transmission. The legal basis for the processing is then Art. 6(1) Sentence 1(a) GDPR. In this privacy statement, we draw your attention to the respective recipients when describing each processing operation.

9. Voucher shop 

If you wish to place orders in our voucher shop at https://www.h-hotels.com/en/hotel-voucher and https://gutscheine.h-hotels.com/en, it is necessary and obligatory for the initiation and conclusion of the contract that you provide personal data such as your first and last name, your address, your telephone number and your email address. Mandatory information required to process the booking and contract is marked as such; any other information you provide is voluntary. If you do not provide this mandatory information, it will not be possible to conclude a contract with you through our voucher shop. We will also process any data you may have provided for your message on the voucher. We process your data for order processing purposes. In particular, we will forward payment data to your chosen payment service provider or to our main bank. The legal basis for the data processing is Art. 6(1) Sentence 1(b) GDPR. To prevent unauthorised third parties from accessing your personal data, the order process on the website is encrypted using SSL technology. As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations.

In order to offer the voucher shop, we use the ordering system of INCERT eTourismus GmbH & Co KG (Wirtschaftspark Lederfabrik, Leonfeldnerstraße 328, 4040 Linz, Austria) to provide you with an optimised booking process. The processing of the aforementioned data and your access data takes place on the servers of INCERT eTourismus GmbH & Co KG in Austria. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in optimising the ordering process. For information about the protection of data and how long INCERT eTourismus GmbH & Co. KG stores your data, please refer to: https://www.incert.at/en/data-protection/

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. 

10. Booking

If you wish to make a booking on our website, it is necessary and obligatory for the initiation and conclusion of the contract that you provide personal data such as your first and last name, your email address and your payment details. Mandatory information required to process the booking and contract is marked as such; any other information you provide (such as your salutation, your address or your membership number) is voluntary. We process your data for the purpose of processing your booking and will, in particular, forward payment data to your chosen payment service provider or our main bank for this purpose.

Within the online booking system, you also have the option of collecting miles in your Miles & More status or mileage account. If you voluntarily provide your Miles & More service card number during the booking process, 250 miles will be credited to your Miles & More status/mileage account for each night at the hotel. For this purpose, once the booking has been completed, we will send the service card number you have provided, the date of the booking, the travel period, the name of the hotel booked and the amount of the room booking to our partner Miles & More GmbH (MAC Main Airport Centre, Unterschweinstiege 8, 60549 Frankfurt/Main), who will process this information to credit the miles to your mileage account. For more information about data protection in connection with the Miles & More programme, please refer to: https://www.miles-and-more.com/de/en/general-information/privacy-statement/privacy-statement-of-the-miles-and-more-programme.html

You can also collect or redeem PAYBACK points when you make a booking. If you voluntarily enter your PAYBACK number during the booking process, you will earn PAYBACK points for the booking. For this purpose, once the booking has been completed, we will send the PAYBACK number you have provided, the date of the booking, the travel period, the name of the hotel booked and the amount of the room booking to our partner PAYBACK (PAYBACK GmbH, Theresienhöhe 12, 80339 Munich), who will process this information to credit the points to your account. For more information about data protection in connection with the PAYBACK programme, please refer to: https://www.payback.de/info/datenschutz

You can voluntarily create a customer account in which we store your data for future visits to the website. When you create a customer account, the data you enter is processed. Once you have successfully registered, you can edit or erase all further data independently in your customer account. For more information, please refer to the “HotMiles account” section.

Whether or not you have a customer account, you can also view your reservation on our website under “My reservation”. To view your reservation, you will need to enter your reservation number, your email address and your first and last name.

We use the following service providers to process your personal data as part of the aforementioned data processing for the purpose of managing bookings:

  • Oracle OPERA 5, provided by ORACLE (ORACLE Deutschland B.V. & Co. KG, Riesstraße 25 80992 Munich and Oracle Corporation, 2300 Cloud Way Austin, TX 78741, US). For more information, please refer to the “PMS” section.
  • HOTEL.PROFI, provided by DATAreform GmbH (Nexöer Str. 2, 17438 Wolgast).
  • Jitterbit Harmony, provided by Jitterbit, Inc. (1101 Marina Village Pkwy UNIT 201, Alameda, CA 94501, US) and Salesforce, Inc. (415 Mission St Fl 3, San Francisco, California, 94105, US). Salesforce also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Salesforce is certified under this. We have also concluded so-called standard contractual clauses with Salesforce in order to commit Salesforce to an appropriate level of data protection. A copy is of course available on request. For more information about the storage period, please refer to the Salesforce privacy policy at: https://www.salesforce.com/company/privacy/

The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR or Art. 6(1) Sentence 1(b) GDPR, if the processing of your data takes place in the context of the conclusion or execution of a contract. The provision of your data is then necessary and obligatory in order to conclude and execute the contract. If you do not provide your data, it will not be possible to conclude and/or execute a contract. We also have legitimate interests in processing bookings quickly and in a customer-friendly manner. To prevent unauthorised third parties from accessing your personal data, the booking process on the website is encrypted using SSL technology.

As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and booking data for a period of up to ten years.

10.1 Group booking platform (vistabus GmbH)

If you wish to use our services as part of a group booking, your personal data will be processed by vistabus GmbH, Altenilper Str. 1a, 57392 Schmallenberg, Germany.

The service provider vistabus GmbH assists us by providing information technology infrastructure and related services (such as storage space and/or computing capacity).

The following types of data are collected and processed: inventory and contact data (such as name, address, email, telephone number); usage data (such as interest in content, access times). In this context, the data subjects may be customers, prospects, business partners and contractual partners with a customer account.

We only use your personal data for the purposes of providing contractual services and fulfilling contractual obligations, security measures, contact enquiries and communications, office and organisational procedures, administration and responding to enquiries.

Legal basis for the processing: contract performance and taking steps at the request of the data subject (Art. 6(1) Sentence 1(b) GDPR); legal obligation (Art. 6(1) Sentence 1(c) GDPR); legitimate interests (Art. 6(1) Sentence 1(f) GDPR).

We have concluded a data processing agreement with this service provider. More information about the service provider and its privacy policy can be found at: https://www.vistabus.de/datenschutz/

10.2 Customer account (group booking platform)

It is necessary to create a customer account in order to make full use of our online services. You will need to register to do this. Personal data such as your first name, last name and email address is collected as part of this registration. Customer accounts are not public and cannot be indexed by search engines. In the context of registration and subsequent logins and use of the customer account, we will store some data – for example, access times, in order to be able to prove registration and prevent any misuse of the customer account.

If the customer account is cancelled, the stored data will be erased after the date of cancellation, unless it is stored for purposes other than the provision of the customer account or must be stored for legal reasons (such as internal storage of customer data, order processes or invoices). The data is not backed up, so if you want to continue using it, you should back it up yourself.

Legal bases: contract performance and taking steps at the request of the data subject (Art. 6(1) Sentence 1(b) GDPR).

11. Collection of access data and log files

Server log files are used to record access to our online services. The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the page visited previously) and, as a rule, IP addresses and the requesting provider. Server log files may for example be used for security purposes, such as preventing server overload (particularly in the case of denial-of-service attacks), ensuring server utilisation and stability.

Legal bases: legitimate interest (Art. 6(1) Sentence 1(f) GDPR).

Erasure of data: Log file information is stored for a maximum of 30 days and then erased or anonymised. Data whose further storage is required for evidence is excluded from erasure until the incident in question has been finally clarified.

12. H-Hotels app

The H-Hotels app can be used and operated on both Android and iOS devices. You can find more details about data processing in the following points.

12.1 Data processing by Apple App Store

To make the app available to users, we offer it in the Apple App Store. For more information about Apple’s data processing and how personal data is collected and processed, please refer to: https://www.apple.com/de/legal/privacy/data/de/app-store/

12.2 Data processing by Google Play Store

To make the app available to Android users (smartphones and tablets from manufacturers such as Samsung, LG, OnePlus and Xiaomi) as well, we also offer it in the Google Play Store. For more information about data processing in this context, please refer to: https://support.google.com/googleplay/android-developer/answer/10787469?hl=en

13. Google Firebase

Our website and app use Google Firebase technologies. Google Firebase is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Firebase is a development platform offering a range of services. You can find an overview of the services offered by Google Firebase at: https://firebase.google.com/terms/

In some cases, Google Firebase services integrate so-called “Instance IDs”. Instance IDs are unique identifiers that are provided with a time stamp and thus make it possible to link different events or processes in connection with the website or app. This data is used to analyse and improve user activity, for example to evaluate crash reports. According to Google, Instance IDs do not process any personally identifiable data.

We also use the following services in connection with Google Firebase:

13.1 Firebase Analytics

We use the analytics service Firebase Analytics on our website and in our app to monitor and evaluate how people use our app. Mobile applications do not use cookies, but instead use identifiers (ad IDs). These are issued by the mobile device’s operating system and can be reset by the user. We use these ad IDs to track user activity, and use the information for advertising purposes.

When using the standard version of Firebase Analytics, the following types of data are processed: number of users and sessions, session duration, operating systems, device models, region, initial launches, app executions, app updates and in-app purchases.

A complete list of the automatically recorded events and user properties of Google Firebase can be found at: https://support.google.com/firebase/answer/6318039 or https://support.google.com/analytics/answer/9268042?hl=en

We process the data collected through the use of Firebase Analytics to optimise our marketing because we have an overriding interest in doing so (Art. 6(1) Sentence 1(f) GDPR).

You can withdraw your consent to the collection of data by Google at any time with effect for the future. All you need to do is disable the collection of data for Firebase Analytics in the application settings or restrict the use of the ad ID in the device settings of your mobile device.

If you have an Android device, you can find this option in your device settings as follows: Settings > Google > Ads > Reset advertising ID.

If you have an iOS device, you can find the option here: Settings > Privacy & Security > Apple Advertising > Turn off Personalized Ads.

However, the use of Firebase Analytics may involve the transfer of processed data to the US.

You can find additional information about data protection for Google Firebase at: https://firebase.google.com/support/privacy/

14. HotMiles account / loyalty programme

The controller of the processing activities within the HotMiles programme within the meaning of Art. 4(7) GDPR is: 

My H-Hotels GmbH 
Braunser Weg 12 
34454 Bad Arolsen 
Germany.

To create a HotMiles account independently of a booking, you will need to register by providing the following details:

  • Email address
  • Password chosen by you
  • First and last name
  • Salutation.

You can voluntarily enter your address and choose a username. When you register, the date and time of registration will also be processed. We use a double opt-in procedure for registration. After you have submitted the data required for registration, you will receive an email containing an activation link. Access to your customer account will only be created and registration successfully completed once the link has been activated by clicking on it. In order to log in on subsequent occasions, you will need to enter your login details (user ID and password) you selected when you first registered. If you do not confirm using the link we send you within 24 hours, we will block the information transferred to us and erase it as soon as it is no longer required for achieving the purpose of the processing. This is the case for the data collected during the registration process if the registration on the website is cancelled or modified.

The following functions are available to you in the login area:

  • Edit your profile data
  • View past orders/bookings
  • Manage HotMiles newsletter subscription
  • Give or deny permission for location tracking.

If you use the login area of the website, for example to edit your profile data or to view your previous bookings, we also process the data about your person required for the initiation or performance of the contract, in particular address data and information about the payment method.

You will receive the benefits of our loyalty programme (“HotMiles”) if you have logged into your user account before or during the booking process. You will receive discounts or other status benefits (silver, gold and platinum) on your next bookings. We will process your login details and your booking information. If you wish to redeem the points you have earned when you make a booking, we will process the above information in order to process the booking. You can find out more about our loyalty programme in your customer account under “Dashboard” and at: https://www.h-hotels.com/en/hotmiles.

The legal basis for the processing is Art. 6(1) Sentence 1(b) GDPR. The provision of your data is necessary and obligatory in order to conclude and execute the contract. If you do not provide your data, you will not be able to register or use the login area, which means that it will not be possible to conclude and/or execute a contract. Your data will be erased as soon as it is no longer required for the processing purpose. This is the case after deletion of the customer account, unless we are obliged to retain the data due to legal regulations. In such cases we restrict the processing. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and booking data for a period of up to ten years. We will process your data for the purposes of our loyalty programme until you delete your customer account.

15. StudentBeans

We also work with StudentBeans, a solution for generating savings on products and services, which is provided by The Beans Group Limited (1 Vincent Square, London, SW1P 2PN, United Kingdom, hereinafter referred to as “StudentBeans”). StudentBeans gives students the opportunity to receive a discount when booking on our website by entering a discount code in the shopping basket or at check-out, which was previously generated when creating a personal customer account with StudentBeans. Once you have entered the discount code on our website, the data provided at the time of booking, in particular the discount code you have entered and the booking details, such as time of booking or redemption of the discount code, will be passed on to StudentBeans for the purpose of processing and documenting the redemption of the code. It would not be not possible to grant the discount when completing the booking via our website or to verify the booking for StudentBeans without transmitting the data to StudentBeans. The legal basis for the processing is Art. 6(1) Sentence 1(b) GDPR. The provision of your data is necessary and obligatory in order to conclude and execute the contract. If you do not provide your data, it will not be possible to conclude and/or execute a contract, specifically in the form of granting a discount. Your data will be erased as soon as it is no longer required for the processing purpose. This is the case after execution of the booking, unless we are obliged to retain the data due to legal regulations. In such cases we restrict the processing. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and booking data for a period of up to ten years.

16. Booking processing via PMS

As part of the booking process, we use the hotel property management systems (PMS) Suite 8 (via SmartHOTEL) and OPERA 5, provided by ORACLE (ORACLE Deutschland B.V. & Co. KG, Riesstraße 25, 80992 Munich and Oracle Corporation, 2300 Cloud Way Austin, TX 78741, US; hereinafter referred to as “OPERA” and “Oracle”) for the purposes of managing bookings and our hotel properties and services generally. The data you provide when booking, such as your first and last name, address, email address and/or telephone number, will be processed. The legal basis for using Oracle systems is Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in using Oracle in order to provide a customer-friendly and speedy booking process and to manage our properties and services. Your data processed in this context will be erased as soon as it is no longer required for the processing purpose. Oracle also processes your personal data in the US. Standard data protection clauses have been concluded with Oracle in order to commit Oracle to an appropriate level of data protection. You can view a copy of the standard data protection clauses on the Oracle website at: https://www.oracle.com/fr/a/ocom/docs/corporate/privacy-shield-statement-071720.pdf. Further information about the purpose and scope of processing by Oracle can be found at: https://www.oracle.com/uk/legal/privacy/

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

17. Processing of personal data under Sect. 30 of the Federal Act on Registration (BMG)

Under Sect. 30 of the German Federal Act on Registration (BMG), commercial providers of accommodation, such as hotels in particular, are obliged to collect the following data from guests on the day of their arrival and to have the registration form signed by hand:

  • Date of arrival and planned departure
  • Surname
  • Given names
  • Date of birth
  • Nationalities
  • Address
  • Number of persons travelling together and their nationalities, in the cases of Sect. 29(2), second and third sentences, and,
  • In the case of foreign nationals, serial number of the recognised and valid passport or passport substitute.
  • If applicable, further data for collecting tourist and resort taxes.

We will erase this data or restrict its processing as soon as this is permitted under the provisions of the BMG and if you have not given your consent (Art. 6(1) Sentence 1(a) GDPR) and there is no other legitimate interest on our part in continued processing.

As part of this data processing, we use the Ariane check-in system, which is provided by Ariane Systems (23 rue Baudin, 93310 Le Pré Saint-Gervais, Paris, France). As well as self-check-in on the hotel’s own computers, you can also use mobile check-in with your own device. You will automatically receive a QR code via email or SMS when your room is ready. You can then use this QR code to collect your key from reception or receive your mobile key via the integrated mobile key app. The data you provide on the registration form as well as your email address and/or telephone number will be processed. We are obliged to collect, process and forward this data within the framework of the BMG. The legal basis for the processing results from Art. 6(1) Sentence 1(c) GDPR. You are required by law to provide your data. If you do not provide your data, it will not be possible to conclude or execute a contract.

18. Email marketing

18.1 Advertising to existing customers

We reserve the right to use the email address you provide when booking in accordance with the statutory provisions in order to send you the following content by email at the time of or after your booking, unless you have already objected to this processing of your email address:

  • Interesting aspects and information from our portfolio, in particular on holiday regions, hotels and accommodation, leisure activities and musicals, conference and catering services
  • Special/time-limited offers, in particular highlights and deals
  • Personalised customer advice and support
  • Invitations to company events
  • Customer feedback/satisfaction queries
  • Information on arriving by public transport.

The legal basis of the data processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests in the processing described lie in enhancing and optimising our services, conducting direct marketing and ensuring customer satisfaction. We will erase your data as soon as it is no longer required for the processing purpose. We use external email marketing services and an external provider of customer feedback, opinion and market research surveys to send emails. For more information about these service providers, please refer to the “Email marketing service” and “Customer feedback management” sections.

We would like to point out that you can object to receiving direct marketing and to the processing of the data for direct marketing purposes at any time without incurring any costs other than the transmission costs according to the basic rates. Here you have a general right of objection without giving reasons (Art. 21(2) GDPR). To do this, click on the unsubscribe link in the relevant email or send us your objection to the contact details provided under “Controller” above.

18.2 Newsletter

You have the possibility to subscribe to our email newsletter on the website, which we use to inform you regularly about the following content:

  • Interesting aspects and information from our portfolio, in particular on holiday regions, hotels and accommodation, leisure activities and musicals, conference and catering services
  • Special/time-limited offers, in particular highlights and deals
  • Personalised customer advice and support
  • Invitations to company events
  • Customer feedback/satisfaction queries
  • Information on arriving by public transport.

In order to receive the newsletter, you will need to provide your salutation, first name, last name and a valid email address. We process the email address for the purpose of sending our email newsletter and for as long as you have subscribed to the newsletter.

You can withdraw your consent to the processing of your email address for the purpose of sending you the newsletter at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact details provided under “Controller”. This will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

In order to document your newsletter registration and to prevent misuse of your personal data, we use what is known as a double opt-in procedure for email newsletter registrations. Once you have entered the data marked as mandatory, we will send you an email to the email address you have provided, in which we ask you to expressly confirm your subscription to the newsletter by clicking on a confirmation link. We process your IP address, the date and time of your registration for the newsletter and the time of your confirmation. This is how we ensure that you really want to receive our email newsletter. We are legally obliged to be able to demonstrate that you have consented to the processing of your personal data in connection with registering for the newsletter (Art. 7(1) GDPR). Due to this legal obligation, this data processing is carried out on the basis of Art. 6(1) Sentence 1(c) GDPR.

If you do not provide the required personal data during the registration process, we may not be able to process your subscription or process it in full. If you do not confirm your newsletter subscription within 24 hours, we will block the information transmitted to us and erase it as soon as it is no longer required for the purpose of the processing. Once you confirm your registration, we will process your data for as long as you have subscribed to the newsletter.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

We will also process the aforementioned data for the establishment, exercise or defence of legal claims. The legal basis for this processing is Art. 6(1) Sentence 1(c) GDPR and Art. 6(1) Sentence 1(f) GDPR. In these cases, we have a legitimate interest in the assertion or defence of claims.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

We also statistically evaluate newsletter opening rates, the number of clicks on links in newsletters and the reading time, measure the reach of our newsletters, and adapt the offers and information sent to your personal interests. For this purpose, user activity on our websites and within the newsletters we send out is evaluated on the basis of device-specific information (such as email client used and software settings). For this analysis, the emails sent out contain so-called web beacons or tracking pixels, which constitute single-pixel image files that are also embedded on our website. For the purpose of measuring reach, we measure the number of visitors who have come to our websites by clicking on links and who perform certain actions there, such as redeeming promotional codes. Depending on specific reading behaviour, we also form target groups to whom we then send newsletter content tailored to the identified user interest. In order to be able to adapt our newsletter even better to your interests, we associate your email address and your user profile with other user profiles within our database. The legal basis of the processing is Art. 6(1) Sentence 1(a) GDPR. We will erase your data if you unsubscribe from the newsletter.

You can withdraw your consent at any time, either by sending us a message (see the contact details under “Controller”) or by clicking directly on the unsubscribe link in the newsletter. This will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

18.3 Customer feedback management with Customer Alliance

For our customer feedback requests, we use Customer Alliance, a service provided by CA Customer Alliance GmbH (Ullsteinstr. 130, Tower B, 12109 Berlin; hereinafter referred to as “Customer Alliance”). If you have made a booking on our website, the relevant data (in particular product, name and email address) will be transmitted to Customer Alliance and stored and processed on its servers in Germany. Customer Alliance processes this information for sending and analysing the requests for feedback on our behalf. The purpose of this processing is the regular improvement of our products and purchasing in our online shop. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests are in receiving customer feedback to regularly improve our products and services. For more information, including about the storage period, please refer to the Customer Alliance privacy policy at: https://www.customer-alliance.com/en/privacy-policy/

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

18.4 Email marketing services

We use the following email marketing services:

  • Salesforce, provided by Salesforces.com, Inc. (Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, US, hereinafter referred to as “Salesforce”); Salesforce also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Salesforce is certified under this. We have also concluded so-called standard contractual clauses with Salesforce in order to commit Salesforce to an appropriate level of data protection. A copy is of course available on request. For more information about the storage period, please refer to the Salesforce privacy policy at: https://www.salesforce.com/company/privacy/
  • Oaky, provided by Oaky B.V. (Leidseplein 1-3, 1017 PR, Amsterdam, Netherlands; hereinafter referred to as “Oaky”); Oaky also processes your data in Singapore. No EU Commission adequacy decision exists for data transfers to Singapore. We have concluded so-called standard contractual clauses with Oaky in order to commit Oaky to an appropriate level of data protection. A copy is of course available on request. For more information about the storage period, please refer to the Oaky privacy policy at: https://oaky.com/en/security?page=privacy-policy
  • Point4More, provided by Convercus GmbH (Alte Bergstr. 145, 84028 Landshut, Germany; hereinafter referred to as “Point4More”). For more information about the storage period, please refer to the Point4More privacy policy at: https://www.point4more.com/privacy/
  • Optimizely, provided by Optimizely, Inc. (119 5th Ave 7th floor, New York, NY 10003, US; hereinafter referred to as “Optimizely”); Optimizely also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Optimizely is certified under this. We have also concluded so-called standard contractual clauses with Optimizely in order to commit Optimizely to an appropriate level of data protection. You can request a copy of the standard data protection clauses from Optimizely by sending an email to: [email protected]. For more information about the storage period, please refer to the Optimizely privacy policy at: https://www.optimizely.com/legal/privacy-notice/

If you have subscribed to the newsletter, the data provided when registering as well as the data processed when you use our newsletters are processed on the servers of our aforementioned email marketing services. Each email marketing service acts as our processor and is contractually limited in its authority to use your personal data for purposes other than to provide services to us in accordance with the applicable data processing agreement. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interest in using an external email marketing service lies in the optimisation and more targeted control and monitoring of our newsletter content

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller”.

19. Payment service providers (PSPs)

19.1 PayPal

On our website we give you the option of paying via PayPal. This payment service is provided by PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”). For payment you have to log in to your PayPal account. The payment data you provide to PayPal will be processed by PayPal for the purpose of payment processing. For more information about data processing by PayPal, please refer to: https://www.paypal.com/us/legalhub/privacy-full. In order to be able to identify your payment, we will process your delivery/invoice address, email address and the selected payment method. As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and booking or order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations. The legal basis is Art. 6(1) Sentence 1(b) GDPR. The provision of your payment data is necessary and obligatory in order to conclude and execute the contract. If you do not provide payment data, it will not be possible to conclude and/or execute a contract using the PayPal payment method.

19.2 Nexi

The WeChat Pay, Alipay and credit card payment options are provided by Nexi Deutschland GmbH (Helfmann-Park 7, 65760 Eschborn; hereinafter referred to as “Nexi”). If you select one of the aforementioned payment options, your payment data provided during the booking process together with information about your booking will be passed on to Nexi for the purpose of payment processing. This processing occurs on the basis of Art. 6(1) Sentence 1(b) GDPR. The provision of your payment data is necessary and obligatory in order to conclude and execute the contract. If you do not provide payment data, it will not be possible to conclude and/or execute a contract using the payment method you have selected. The data required for payment processing is transmitted securely using SSL encryption and processed exclusively for payment processing. As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations.

19.2.1 WeChat Pay

On our website we give you the option of paying via WeChat Pay. This payment service is provided by Tencent Holdings Ltd. (Tencent Seafront Towers, 33 Tian Er Road, Nanshan, Shenzhen, People’s Republic of China, hereinafter referred to as “WeChat Pay”). For payment you have to log in to your WeChat Pay account. The payment data you provide to WeChat Pay will be processed by WeChat Pay for the purpose of payment processing. In order to be able to identify your payment, we will process your delivery/invoice address, email address and the selected payment method. As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations. The legal basis for this is Art. 6(1) Sentence 1(b) GDPR. The provision of your payment data is necessary and obligatory in order to conclude and execute the contract. If you do not provide payment data, it will not be possible to conclude and/or execute a contract using the WeChat Pay payment method. WeChat Pay also processes your data in China. No EU Commission adequacy decision exists for data transfers to China. So-called standard contractual clauses have been concluded with WeChat Pay in order to commit WeChat Pay to an appropriate level of data protection. A copy is of course available on request.

19.2.2 Alipay

On our website we give you the option of paying via Alipay. This payment service is provided by Hanbao China Holding Limited (c/o Alibaba Group Services Limited, 26/F Tower One, Tunes Square, 1 Matheson Street, Causeway Bay, Hong Kong, hereinafter referred to as “Alipay”). For payment you have to log in to your Alipay account. The payment data you provide to Alipay will be processed by Alipay for the purpose of payment processing. In order to be able to identify your payment, we will process your delivery/invoice address, email address and the selected payment method. As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations. The legal basis for this is Art. 6(1) Sentence 1(b) GDPR. The provision of your payment data is necessary and obligatory in order to conclude and execute the contract. If you do not provide payment data, it will not be possible to conclude and/or execute a contract using the Alipay payment method. Alipay also processes your data in China. No EU Commission adequacy decision exists for data transfers to China. So-called standard data protection clauses have been concluded with Alipay in order to commit Alipay to an appropriate level of data protection. A copy is of course available on request. For more information about the storage period, please refer to the Alipay privacy policy at: https://global.alipay.com/docs/ac/platform/privacy

19.2.3 Credit card payment

For the purpose of payment processing, we transmit the payment data required for the credit card payment to the bank commissioned with the payment or, if applicable, to the payment and invoicing service provider commissioned by us. Payment data is also sent to the payment service provider Nexi, which is provided by Nexi Deutschland GmbH (Helfmann-Park 7, 65760 Eschborn; hereinafter referred to as “Nexi”), for the purpose of payment processing. This processing occurs on the basis of Art. 6(1) Sentence 1(b) GDPR. The provision of your payment data is necessary and obligatory in order to conclude and execute the contract. If you do not provide payment data, it will not be possible to conclude and/or execute a contract by means of credit card payment. The data required for payment processing is transmitted securely using SSL encryption and processed exclusively for payment processing. As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations.

19.3 Enforcement of rights, address investigation, debt collection

In the event of non-payment, we reserve the right to pass on the data provided at the time of ordering to a lawyer and/or to external companies (such as Verband der Vereine Creditreform e.V., Hellersbergstraße 12, 41460 Neuss, Germany) in order to ascertain an address and/or enforce our rights. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests lie in fraud prevention and avoiding default risks. In addition, we may pass on your data to the extent necessary in order to safeguard our rights, as well as the rights of our affiliates, our partners, our employees and/or users of our website. Under no circumstances will we sell or rent your data to third parties. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in the processing for the purpose of enforcing our rights. As soon as storage is no longer necessary, we will erase the data generated or, if statutory retention obligations apply, restrict processing of the data.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

20. Hosting

We use external hosting services from the providers Cloudfront, which is provided by Amazon Web Services, Inc. (440 Terry Ave N, Seattle, WA 98109, US; hereinafter referred to as “Cloudfront” and “Amazon”); IONOS, which is provided by IONOS SE (Elgendorfer Str. 57, 56410 Montabaur; hereinafter referred to as “IONOS”); Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, hereinafter referred to as “Hetzner”); hosttech GmbH (Im Mediapark 8, 50670 Cologne; hereinafter referred to as “hosttech”); and OMCnet Internet Service GmbH (Ernst-Abbe-Straße 10, 25451 Quickborn; hereinafter referred to as “OMC”) on our website for the purpose of allowing our website to be displayed more quickly. When you visit our website, a library is loaded and temporarily stored on your device in order to avoid reloading the content. This involves your IP address being processed by the provider. CloudFront processes your data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Amazon is certified under this. We have also concluded so-called standard contractual clauses with Amazon in order to commit Amazon to an appropriate level of data protection. A copy is of course available on request. The legal basis of the data processing is Art. 6(1) Sentence 1(f) GDPR. By using the hosting provider, we are pursuing our legitimate interest in faster website retrieval as well as a more effective and improved presentation of our website. Further information, in particular on the storage period, can be found at: https://aws.amazon.com/de/privacy/, https://support.hosttech.de/knowledge-base/sind-die-produkte-von-hosttech-dsgvo-konform-und-wird-ein-vertrag-zur-auftragsdatenverarbeitung-bereitgestellt/, https://www.ionos.de/hilfe/datenschutz/, https://www.hetzner.com/legal/privacy-policy/ and https://www.omc.net/company/privacy/

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

21. Content delivery network

21.1 Cloudflare

In addition, we use the services of the content delivery network (CDN) of Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, US; hereinafter referred to as “Cloudflare”) on our website for the purpose of allowing our website to be displayed more quickly. During this process, your IP address is transmitted to the provider in the US. Cloudflare processes your data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Cloudflare is certified under this. We have also concluded so-called standard contractual clauses with Cloudflare in order to commit Cloudflare to an appropriate level of data protection. A copy is of course available on request. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. By using Cloudflare, we are pursuing our legitimate interest in faster website retrieval as well as a more effective and improved presentation of our website. For further information about the protection of your data and how long Cloudflare stores your data, please refer to: https://www.cloudflare.com/en-gb/privacypolicy/

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller”.

21.2 Integration of third-party content

The website integrates third-party content such as videos and graphics from other websites. This integration always requires that the providers of this content (“third-party providers”) perceive the IP addresses of users. This is because without the IP address they would not be able to send the content to the browser of the individual user. As such, the IP address is required to display this content. In the following, we inform you about the services from external providers currently in use on our website, about the related processing in each case, and about how you can object or withdraw your consent.

21.2.1 AWIN

Our website uses tracking functions of the affiliate network AWIN AG (Eichhornstraße 3, 10785 Berlin; formerly “Digital Window”, hereinafter referred to as “AWIN”). A so-called tracking pixel is used to measure the reach of our ads and to allocate the success of an ad. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising activities are in the context of the specific affiliate programme. Web beacons (tracking pixels) are used to set a cookie on the user’s device for the purpose of recognising the user. AWIN uses the cookies to process the information generated by your device about interactions with our ads (such as retrieval of a particular web page or click on an ad) as well as the data mentioned under “Using our website” for the purpose of analysing the reach and success of our ads. The legal basis of this processing of your data is Art. 6(1) Sentence 1(a) GDPR. The storage period for processing in the context of AWIN is two months. For more information about data protection and how long your data is stored, please refer to: https://www.awin.com/de/rechtliches/privacy-policy-DACH

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.2.2 Idealo

Our website also displays the logo of our partner idealo (idealo internet GmbH, Ritterstraße 11, 10969 Berlin; hereinafter referred to as “idealo”). idealo is an online price comparison portal where we are listed. When you access our website, your browser automatically transmits your personal data to the idealo server, such as your IP address, the date and time of access, the name and URL of the file accessed, the website from which you came (referrer URL), the browser used and the name of your access provider, in order to display the logo on our website. The temporary storage of the IP address by the idealo system is necessary to display the logo. This requires storing the user’s IP address for the duration of the session. Log files are kept to ensure the security of idealo’s information technology systems. This data will not be merged with other personal data. The legal basis for the data processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in displaying the logo and our partner, specifically in providing users with transparent information about the partnership. idealo will store your data for fourteen days. For more information about the protection of your data and how long idealo stores your data, please refer to: https://www.idealo.de/preisvergleich/Datenschutz.html

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

21.2.3 Google reCAPTCHA

We use Google reCAPTCHA on our website. This service is provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US; hereinafter referred to as “Google” and “reCAPTCHA”). reCAPTCHA is used to check whether data entered on the website (for example, in a contact form) is provided by a person or by an automated program. To do this, reCAPTCHA analyses various aspects of the way in which the visitor to the website behaves. This analysis starts automatically as soon as the user accesses the website. For the purpose of this analysis, reCAPTCHA evaluates various information (such as IP address, time spent by the visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. Google also processes your personal data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. This data processing occurs on the basis of Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in protecting our website from abusive automated spying and unsolicited email advertising (spam). For more information about reCAPTCHA and how long the data is stored, please refer to Google’s privacy statement: https://policies.google.com/privacy

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

21.2.4 YouTube videos

Our website uses plug-ins from the video platform YouTube.de or YouTube.com, a service provided by YouTube LLC (head office at 901 Cherry Avenue, San Bruno, CA 94066, US; hereinafter referred to as “YouTube”), for which Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001) is responsible as the controller under data protection law. We use this processing of data by the plug-ins to pursue the purpose of integrating visual content (videos) on the website that we have published on YouTube.de or YouTube.com. The videos are all embedded in “extended privacy mode”, which means that no data about you as a user will be transferred to YouTube if you do not play the videos. When videos are played on our website, YouTube receives the information that you have retrieved the corresponding page of our website. In addition, some of the data mentioned under “Using our website” is transmitted to Google. This occurs regardless of whether YouTube provides a user account that you are logged in with or whether no user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not wish for this data to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as user profiles and processes it, regardless of whether you have a Google account, for the purposes of advertising, market research and/or the demand-oriented design of its website. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have also been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. For more information about the purpose and scope of data processing by YouTube and how long YouTube stores such data, please refer to the privacy information at: https://policies.google.com/privacy.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.2.5 Google Tag Manager

We use Google Tag Manager, which is a service provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Tag Manager”). Google Tag Manager is a solution that allows website tags and other elements to be managed through a single interface.

Firstly, when you visit the website with Google Tag Manager, an HTTP request is sent to Google. As a result, device information and personal data – such as your IP address and information about your browser settings – are transmitted to Google. We use Google Tag Manager to facilitate electronic communications by providing information to third-party providers, including through programming interfaces. Google Tag Manager implements the respective tracking codes of the third-party providers without us having to go to the effort of changing the source code of the website ourselves. Instead, integration is performed by a container that places what is known as placeholder code in the source code. Google Tag Manager also enables the exchange of users’ data parameters in a certain order, in particular by ordering and systematising the data packets. In isolated cases, your data will also be transferred to the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have also been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. The legal basis for the data processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in the processing for the purposes of facilitating and carrying out electronic communication by identifying communication endpoints, control options, exchanging data elements in a defined order, and identifying transmission errors. Google Tag Manager does not initiate data storage. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy.

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

You can prevent the processing by deleting the browser history and other website data in your browser settings or by opening your browser in “private mode”.

On the other hand, Google Tag Manager integrates tags from third-party providers for example, such as tracking codes or tracking pixels, on our website. The tool triggers other tags, which in turn record your data; our privacy statement explains this separately in each case. Google Tag Manager itself does not evaluate the device information and personal data of users collected by the tags. Rather, your data is forwarded to the specific third-party service for the purposes specified in our consent management tool. We have configured Google Tag Manager to work with our consent management tool in such a way that triggering certain third-party services in Google Tag Manager depends on the selections you make in our consent management tool, so that only those tags from third-party providers trigger data processing for which you have given consent. The use of Google Tag Manager is subject to your consent for the specific third-party service. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. The following descriptions of the individual third-party services specify how long your data will be stored in each case. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3 Services for statistical, analysis and marketing purposes

We use services from third parties for statistical, analysis and marketing purposes. This enables us to offer you a user-friendly, optimised experience when visiting the website. The third-party providers use cookies, pixels, browser fingerprinting or other tracking technologies to control their services. In the following, we inform you about the services from external providers currently in use on our website, about the related processing in each case, and about how you can withdraw your consent.

21.3.1 Adfarm

Our website uses the services of Adfarm, which is provided by Adition Technologies AG (Oststraße 55, 40211 Düsseldorf, hereinafter referred to as “Adfarm”). Adfarm stores a cookie on the user’s device to analyse website use, measure the reach of our ads and to enable us to attribute the success of an ad. The Adfarm online advertising service uses technologies such as cookies, tracking pixels and device fingerprinting in order to serve ads that are relevant to users and to improve campaign performance reports. This involves processing information that is stored on users’ devices. Adfarm makes it possible to display interest-based ads to users. Ads may also refer to products and services that users have already viewed on our website. For this purpose, analyses are first performed of user interaction on our website, for example which offers users are interested in, so that we can display targeted advertising to the users on other sites after they have left our website. When users visit our website, Adfarm stores a cookie on the user’s device. Adform uses cookies and tracking pixels to process the information generated by users’ devices about the use of our website and interactions with our website as well as access data, in particular the IP address, browser information, the website visited before and the date and time of the server request, across devices for the purpose of serving and analysing personalised ads. In addition, the Adfarm online advertising service allows us to measure the reach of our ads and to track the success of a particular ad. This involves using “ad server cookies”, which can be used to measure certain reach measurement parameters, such as the display of ads, how long they were viewed, or clicks by users. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. The storage period is three months. For more information about privacy at Adfarm, please refer to: https://www.adition.com/en/privacy/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.2 Adobe Audience (Demdex)

Our website also uses the services of the Demdex data marketing platform, which is provided Adobe (Adobe, Inc., 345 Park Avenue, San Jose, CA 95110-2704, US; hereinafter referred to as “Demdex”). The Demdex data marketing platform is used to analyse, organise and personalise marketing campaigns. For this purpose, the tool collects, analyses and categorises incoming information generated by the user’s device about the use of our website and interactions with our website as well as access data – in particular the IP address, browser information, the website visited previously and the date and time of the server request – from various sources (such as websites, apps and social media channels) in order to support the serving of personalised ads on websites. For this purpose, Demdex uses cookies, pixel tags (tracking pixels), browser fingerprints and similar technologies that store or read information on users’ devices when they visit our website. This allows data to be transferred to Demdex and used as the basis for statistical analysis and reach measurement. In this way, we can test and implement user-based advertising campaigns. The legal basis of this processing of the data is Art. 6(1) Sentence 1(a) GDPR. Demdex also processes your data in the US. No EU Commission adequacy decision exists for data transfers to the US. We have concluded so-called standard contractual clauses with Demdex in order to commit Demdex to an appropriate level of data protection. A copy is of course available on request. Demdex erases the cookies after twelve months at the latest. For more information about Demdex, please refer to: https://www.adobe.com/privacy.html

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.3 Adform

The supply-side platform Adform (Wildersgade 10B, 1408 Copenhagen, Denmark; hereinafter referred to as “Adform”) is used to offer ad space on other websites and in apps on demand-side platforms in a real-time bidding process for the purpose of serving personalised ads. We are thus able to recognise users of our website and apps on other websites within the Adform advertising network and present ads tailored to their interests. This requires an exchange of user information (cookie ID or user ID) between the demand-side platform of Optomaton and Adform. Adform uses tracking technologies such as cookies and tracking pixels to process the information generated by users’ devices about the use of websites and apps with available ad space. This involves interactions with these websites and apps as well as the cookie ID, in some cases the operating system-specific advertising IDs of mobile devices, and access data, in particular the IP address, browser information, the website visited before and the date and time of the server request. This data is processed for the purposes of cross-device analysis of user activity, and serving and measuring personalised ads. For these purposes, it is also possible to determine whether different devices belong to you or to your household. Using these technologies allows us to measure certain parameters for evaluating actions during use, such as the display of ads, how long they were viewed, or clicks by users. This also enables reporting on the success of the ad placement. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Adform will store your data for two months. For more information about the protection of your data and how long Adform stores your data, please refer to: https://site.adform.com/privacy-center/gdpr/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.4 AdMatic

Our website also uses the analysis and retargeting features of Admatic Media Inc. (İçerenköy Mh. Çayır Cd. No:7 Üçgen Plaza K:11, D:12, 34746 Ataşehir/İstanbul, Turkey; hereinafter referred to as “AdMatic”). In particular, AdMatic uses cookies to process the information generated about how your device uses our website, in order to record specific user activity on our website. This also involves processing information that is stored on users’ devices, such as in particular IP addresses, browser information, login data, information about the operating system used and other data mentioned under “Using our website”. In addition, the time of the visit, the IDs of the products viewed, searched for or purchased, the URLs of the pages viewed, possible search terms and/or the IDs of the categories visited are stored in order to provide more relevant advertising content. We have the option of performing such retargeting for up to 90 days after you visit our website. With regard to the storage of and access to information on your device, the legal basis is Sect. 25(1) TTDSG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. AdMatic also transfers your data to Turkey. No EU Commission adequacy decision exists for data transfers to Turkey. We have concluded so-called standard data protection clauses with AdMatic in order to commit AdMatic to an appropriate level of data protection. A copy is of course available on request. For more information about the protection of your data and how long AdMatic stores your data, please refer to: https://admatic.com.tr/en/privacy-policy.html

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.5 AdScale

In order to tailor our website perfectly to user interests, we use AdScale, a web analytics service provided by Ströer SSP GmbH (St.-Martin-Straße 106, 81669 Munich; hereinafter referred to as “AdScale”). AdScale uses so-called cookies, which are stored on your device for recognition purposes, as well as similar tracking methods for the purpose of device recognition such as tracking pixels, device fingerprinting and programming interfaces (such as APIs and SDKs) in order to process information from your device. For this purpose, your device is assigned a randomly generated identification number (cookie ID / device ID). AdScale uses these technologies to process the information generated about the use of our website by your device as well as access data for the purpose of statistical analysis – such as the fact that you have visited a certain page; the number of unique visitors; entry and exit pages; time spent by the visitor on the website; clicking, swiping and scrolling activity; activation of buttons; registration for the newsletter; bounce rate; and similar user interactions. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Access data includes in particular the IP address, browser and device information, cookie ID / device ID, the website visited before and the date and time of the server request. AdScale will process this information for the purpose of evaluating your use of this website, compiling reports for us on website activity, and – where we point this out separately – providing us with other services relating to website usage. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Your data processed in connection with AdScale will be erased after two years at the latest. For further information about privacy at AdScale, please refer to: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/crossmedia/stroeer-ssp/stroeer-ssp-datenschutz/#c4981

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.6 BidSwitch

Using BidSwitch (BidSwitch GmbH, Bahnhofstraße 28, CH-207.878.967 and IPONWEB Limited, 10 Bloomsbury Way, London England WC1A2SL, hereinafter referred to as “BidSwitch”) allows us to acquire available ad space on other websites and apps, enabling us to place personalised ads that match the ad space. The infrastructure provider BidSwitch in turn uses technology platforms such as supply-side platforms and demand-side platforms, for example from Optomaton (Optomaton UG, Friederike-Nadig-Straße 13, 64807 Dieburg, Germany), which enable the automated and auction-based purchase of online ad space and the automated serving of personalised ads on websites and in apps in real time. We are thus able to recognise users of our website and apps on other websites within the BidSwitch advertising network and present ads tailored to their interests. BidSwitch uses tracking technologies such as cookies and tracking pixels to process the information generated by users’ devices about the use of websites and apps with available ad space. This involves interactions with these websites and apps as well as the cookie ID, in some cases the operating system-specific advertising IDs of mobile devices, and access data, in particular the IP address, browser information, the website visited before and the date and time of the server request. This data is processed for the purposes of cross-device analysis of user activity, and serving and measuring personalised ads. For these purposes, it is also possible to determine whether different devices belong to you or to your household. If users access a website, or open an app, where there is available ad space, then a connection is automatically established between the user’s browser and a supply-side platform, via which ad space on other websites and in apps is offered in a real-time bidding process for the purpose of serving personalised ads. The supply-side platform starts a real-time bidding process, for which purpose it transmits user information (cookie ID or user ID) to BidSwitch. As an infrastructure platform, BidSwitch forwards this user information and existing user profiles to various demand-side platforms in order to auction ad space based on user information that matches our advertising. The user profiles may also contain socio-demographic information about age, place of residence, marital status and household size, which may indicate your interests. Examples include cruises for over-50s, men living in southeastern Germany who are interested in sportswear, or families who like to shop at a particular supermarket. BidSwitch passes on the relevant ads and user information to the supply-side platform in order to conduct the real-time auction of the ad space. After the ad space has been auctioned, BidSwitch transmits the ad and user information to the operator of the website or app so that the ad can be placed when the website is accessed or the app opened. Using ad servers allows us to measure certain parameters for evaluating actions during use, such as the display of ads, how long they were viewed, or clicks by users. This also enables reporting on the success of the ad placement. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. BidSwitch also transfers your data to the US. We have concluded so-called standard data protection clauses with BidSwitch in order to commit BidSwitch to an appropriate level of data protection. A copy is of course available on request. In addition, BidSwitch will process your data in Switzerland. An EU Commission adequacy decision exists for transfers of personal data to Switzerland as a third country. The storage period for BidSwitch tracking technologies is one year. For more information about the protection of your data and how long BidSwitch stores your data, please refer to: https://www.iponweb.com/policies-legal/bidswitch-privacy-policy/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.7 CasaleMedia

We use CasaleMedia, a service provided by Casale Media, Inc. (74 Wingold Avenue, Toronto, Ontario M6B1P5 Canada; hereinafter referred to as “CasaleMedia”). CasaleMedia allows us to recognise users of our website on other websites and present ads tailored to their interests. Ads may also refer to products and services that you have already viewed on our website. For this purpose, analyses are performed of user interactions on our website, such as which offers a user was interested in, so that we can display targeted advertising to users on other sites after they have left our website. CasaleMedia uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. CasaleMedia also processes the data in part in Canada. The EU Commission has issued an adequacy decision for data transfers to Canada. For further information about the protection of your data and how long CasaleMedia stores your data, please refer to: http://www.casalemedia.com/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.8 CuteStat

We use the services of CuteStat (CuteStat.com, Menlo Park, 1601 Willow Rd, US; hereinafter referred to as “CuteStat”) for statistical analysis purposes. CuteStat uses cookies, which are stored on your device. CuteStat uses the cookies to process the information generated about the use of our website by your device – such as the fact that you have visited a certain page – and process, among other things, the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of statistical analysis of how people use our website. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. CuteStat also transfers your data to the US. We have concluded so-called standard data protection clauses with CuteStat in order to commit CuteStat to an appropriate level of data protection. A copy is of course available on request. CuteStat cookies are stored for 390 days. For more information, please refer to: https://www.cutestat.com/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.9 Criteo

Our website uses the online advertising service Criteo (Criteo SA, 32 Rue Blanche, 75009 Paris, France; hereinafter referred to as “Criteo”). With the help of Criteo, it is possible to acquire ad space for the purpose of displaying interest-based ads in an automated and optimised manner in real time and to determine how successful individual advertising activities are in relation to the advertising campaign data. Users of our website can be recognised on other websites within the Criteo advertising network and served ads tailored to their interests. For this purpose, Criteo uses tracking technologies such as cookies, device fingerprinting and so-called web beacons (tracking pixels) to process the information generated by the user’s device about how our website is used and interactions with our website as well as access data, in particular the IP address, browser information, the website visited before, and the date and time of the server request, for the purpose of displaying and analysing personalised ads. Using these tracking technologies allows us to measure certain reach measurement parameters, such as the display of ads, how long they were viewed, or clicks by users. This also enables reports. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Criteo will store your data for thirteen months. For further information about the protection of your data and how long Criteo stores your data, please refer to: https://www.criteo.com/privacy/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.10 Mediavine

In connection with Criteo, we use the services of Mediavine, Inc. (160 W. Camino Real #504, Boca Raton, FL 33432, US: hereinafter referred to as “Mediavine”). Mediavine is an advertising service that takes into account the content of the target website when selecting advertising. Cookies and so-called tracking pixels are used to display personalised ads, to measure the reach of our ads and to attribute the success of an ad. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising activities are in the context of the specific affiliate programme. Web beacons (tracking pixels) are used to set a cookie on the user’s device for the purpose of recognising the user. Mediavine uses the cookies and device fingerprinting to process the information generated by your device about interactions with our ads (such as retrieval of a particular web page or click on an ad) as well as the data mentioned under “Using our website” for the purposes of personalised advertising and analysing the reach and success of our ads.

With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Mediavine also transfers your data to the US. We have concluded so-called standard data protection clauses with Mediavine in order to commit Mediavine to an appropriate level of data protection. A copy is of course available on request. The storage period for processing in the context of Mediavine is thirteen days. For more information about data protection and how long your data is stored, please refer to: https://www.mediavine.com/privacy-policy/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.11 Facebook Custom Audiences

The website also uses Facebook’s “Website Custom Audiences” feature. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland and Meta Platforms, Inc. 1601 Willow Rd, Menlo Park, California, US, email: [email protected]; hereinafter referred to as “Facebook”. So-called web beacons, such as the “Facebook pixel”, are used to record information about how you use our website, which is then processed by Facebook. This makes it possible to display interest-based ads (“Facebook Ads”) to users of the website, and users of Facebook who belong to a comparable target group, when they visit the Facebook social network. Your browser uses Facebook pixels (small graphics that are also embedded on our website, are automatically loaded when you visit our website, and enable tracking of user activity) to automatically establish a direct connection with the Facebook server. Embedding Facebook pixels allows Facebook to process the information generated by cookies about the use of our website by your device – such as the fact that you have visited a certain page – and process, among other things, the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before, the Facebook ID and the date and time of the server request, for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. If you are registered with a Facebook service, Facebook can associate the information recorded with your account. Even if you are not registered with Facebook or have not logged in, it is possible that the provider will still obtain and process your IP address and other identifying information. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Facebook also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Meta Platforms, Inc. is certified under this. Standard data protection clauses have also been concluded with Meta Platforms, Inc. in order to commit Meta Platforms, Inc. to an appropriate level of data protection. You can request a copy of the standard data protection clauses from Facebook at: https://www.facebook.com/help/contact/341705720996035. The information in Facebook cookies will be stored for a maximum of three months. For further information about the protection of your data and how long Facebook stores your data, please refer to: https://www.facebook.com/privacy/explanation and https://www.facebook.com/policies/cookies/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.12 Google Ads Remarketing

We use the Google Ads tool with the Dynamic Remarketing feature, which is provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Ads”). The Dynamic Remarketing feature allows us to recognise users of our website on other websites within the Google advertising network (in Google Search or on YouTube, so-called Google Ads, or on other websites) and present ads tailored to their interests. Ads may also refer to products and services that you have already viewed on our website. For this purpose, analyses are performed of user interactions on our website, such as which offers a user was interested in, so that we can display targeted advertising to users on other sites after they have left our website. When you visit our website, Google Ads stores a cookie on your device. Google uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. If a user is registered with a Google service, Google can associate the visit with the user’s account and create and evaluate user profiles across applications. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have also been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. The maximum storage period with Google is fourteen months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.13 Google Ads Conversion

We use Google Ads, which is a service provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Ads”), in order to use ads (formerly known as “Google AdWords”) to draw attention to our attractive services on external websites. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising activities are. These ads are delivered by Google via so-called ad servers. For this purpose, we use ad server cookies, which can be used to measure certain parameters for reach measurement, such as the display of ads or clicks by users. If you reach our website via a Google ad, Google Ads stores a cookie on your device. Google uses the cookies to process the information generated by your device about interactions with our ads (retrieval of a particular web page or clicking on an ad), and the data mentioned under “Using our website” – in particular the IP address, browser information, the website visited before and the date and time of the server request – for the purpose of analysing and visualising the reach measurement of our ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will still obtain and process your IP address. We only receive statistical analyses from Google for the purpose of measuring the success of our ads. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have also been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. The maximum storage period with Google is fourteen months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.14 Google Analytics 4

In order to tailor our website perfectly to user interests, we use Google Analytics, a web analytics service from Google (Google Ireland, Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Analytics 4”). Google Analytics 4 uses so-called cookies, which are stored on your device for recognition purposes, as well as similar tracking methods for the purpose of device recognition such as tracking pixels, device fingerprinting and programming interfaces (such as APIs and SDKs) in order to process information from your device. For this purpose, your device is assigned a randomly generated identification number (cookie ID / device ID). Google uses these technologies to process the information generated about the use of our website by your device as well as access data for the purpose of statistical analysis – such as the fact that you have visited a certain page; the number of unique visitors; entry and exit pages; time spent by the visitor on the website; clicking, swiping and scrolling activity; activation of buttons; registration for the newsletter; bounce rate; and similar user interactions. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Access data includes in particular the IP address, browser and device information, cookie ID / device ID, the website visited before and the date and time of the server request. In Google Analytics 4 systems, no individual IP addresses are logged or stored. At the time of collection of your IP address by Google in dedicated local data centres in the EU, your IP address will be used to determine location information. The IP address is then erased before the access data is stored in a data centre or on a server for Google Analytics 4. In Google Analytics 4, no precise data about the geographical location is provided, but only general location information such as the region and city of the device’s location derived from the IP address. Google will process this information for the purpose of evaluating your use of this website, compiling reports for us on website activity, and – where we point this out separately – providing us with other services relating to website usage. If you are registered with a Google service, Google can associate the visit with your account and create and evaluate user profiles across applications. In addition, a cross-platform analysis of usage behaviour is carried out on websites and apps that use Google Analytics 4 technologies. This enables equal recording, measurement and comparison of usage behaviour across different environments. For example, user scrolling events are automatically recorded to provide a better understanding of how websites and apps are used. For this purpose, different cookie IDs / device IDs are used for different devices. Subsequently, we are provided with anonymised statistics on the use of the various platforms, compiled according to selected criteria. With the help of Google Analytics 4, target groups are automatically created for specific cookie IDs / device IDs or mobile advertising IDs, which are later used for targeted personalised advertising. Target group criteria may include but are not limited to: users who have viewed products but not added them to a shopping cart or have added them to a shopping cart but not completed the purchase OR users who have purchased certain items. A target group comprises at least 100 users. With the help of the Google Ads tool, interest-based ads can then be displayed in search results. Similarly, it is possible to recognise users of websites on other websites within the Google advertising network (in Google Search, on YouTube, so-called Google Ads, or on other websites) and present them with ads tailored to the specified target group criteria. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have also been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. Your data processed in connection with Google Analytics 4 will be erased after fourteen months at the latest. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.15 Google DoubleClick

Our website also uses DoubleClick, which is an online marketing tool provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “DoubleClick”). DoubleClick uses cookies to display relevant ads to users, improve campaign performance reports, and prevent a user from seeing the same ads more than once. Google uses cookies (see “Cookies” above) to record which ads are displayed in which browser and can thus prevent them from being displayed more than once. Google uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of deploying personalised ads. This allows Google and its partner sites to display ads based on previous visits to websites. In addition, DoubleClick can use cookies to record conversions related to ad requests. This happens for example when a user sees a DoubleClick ad and later visits the advertiser’s website with the same browser and buys something there. By integrating DoubleClick, Google receives the information that you have retrieved the corresponding part of our website, or that you have clicked on one of our ads. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will still obtain and store your IP address. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. We are pursuing our legitimate interests in recognising users of our website on other websites, showing them advertising that is of interest to them, and making our website more interesting for our users. In addition, we have a legitimate interest in measuring the reach of ads and optimising them as well as in the traceability and improvement of advertising expenditure. Google also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have also been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. The maximum storage period with Google is thus thirteen months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy.

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

21.3.16 Google Floodlight

We use Floodlight, which is a service provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Floodlight”). Floodlight is a conversion tracking system for the Google Marketing Platform. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising activities are. If you reach our website via a Google ad, Floodlight stores a cookie on your device. Google uses the cookies to process the information generated by your device about interactions with our ads (retrieval of a particular web page or clicking on an ad), and the data mentioned under “Using our website” – in particular the IP address, browser information, the website visited before and the date and time of the server request – for the purpose of analysing and visualising the reach measurement of our ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will still obtain and process your IP address. We only receive statistical analyses from Google for the purpose of measuring the success of our ads. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google is certified under this. So-called standard contractual clauses have also been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs. The maximum storage period with Google is fourteen months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.17 Media.net

We use the services of Media.net, which is provided by Media.net Advertising Ltd. (107/108, DIC Building 5, Dubai Internet City, Dubai, 215028, UAE; hereinafter referred to as “Media.net”). Media.net allows us to buy online ad space automatically via auctions, and to automatically control personalised ads on websites and in apps in real time. We are thus able to recognise users of our website and apps on other websites within the advertising network and present ads tailored to their interests. Media.net uses tracking technologies such as cookies and tracking pixels to process the information generated by users’ devices about the use of websites and apps with available ad space. This involves interactions with these websites and apps as well as the cookie ID, in some cases the operating system-specific advertising IDs of mobile devices, and access data, in particular the IP address, browser information, the website visited before and the date and time of the server request. This data is processed for the purposes of cross-device analysis of user activity, and serving and measuring personalised ads. For these purposes, it is also possible to determine whether different devices belong to you or to your household. If users access a website, or open an app, where there is available ad space, then a connection is automatically established with the user’s browser, via which ad space on other websites and in apps is offered in a real-time bidding process for the purpose of serving personalised ads. A real-time bidding process is started and user information (cookie ID or user ID) is processed by Media.net. The user profiles may also contain socio-demographic information about age, place of residence, marital status and household size, which may indicate your interests. Examples include cruises for over-50s, men living in southeastern Germany who are interested in sportswear, or families who like to shop at a particular supermarket. We use Media.net to conduct the real-time auction of the ad space. After the ad space has been auctioned, Media.net transmits the ad and user information to the operator of the website or app so that the ad can be placed when the website is accessed or the app opened. Using ad servers allows us to measure certain parameters for evaluating actions during use, such as the display of ads, how long they were viewed, or clicks by users. This also enables reporting on the success of the ad placement. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Media.net also processes your data in the United Arab Emirates. No EU Commission adequacy decision exists for data transfers to the United Arab Emirates. We have concluded so-called standard data protection clauses with Media.net in order to commit Media.net to an appropriate level of data protection. A copy is of course available on request. Media.net erases the cookies after twelve months at the latest. For more information about Media.net, please refer to: https://www.media.net/privacy-policy/.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.18 MediaMath

Our website uses the services of MediaMath (Media Math, 4 World Trade Center, 150 Greenwich Street, 46th Floor, New York, NY 10007, US, hereinafter referred to as “MediaMath”). MediaMath allows us to buy online ad space automatically via auctions, and to automatically control personalised ads on websites and in apps in real time. We are thus able to recognise users of our website and apps on other websites within the advertising network and present ads tailored to their interests. MediaMath uses tracking technologies such as cookies and tracking pixels to process the information generated by users’ devices about the use of websites and apps with available ad space. This involves interactions with these websites and apps as well as the cookie ID, in some cases the operating system-specific advertising IDs of mobile devices, and access data, in particular the IP address, browser information, the website visited before and the date and time of the server request. This data is processed for the purposes of cross-device analysis of user activity, and serving and measuring personalised ads. For these purposes, it is also possible to determine whether different devices belong to you or to your household. If users access a website, or open an app, where there is available ad space, then a connection is automatically established with the user’s browser, via which ad space on other websites and in apps is offered in a real-time bidding process for the purpose of serving personalised ads. A real-time bidding process is started and user information (cookie ID or user ID) is processed by MediaMath. The user profiles may also contain socio-demographic information about age, place of residence, marital status and household size, which may indicate your interests. Examples include cruises for over-50s, men living in southeastern Germany who are interested in sportswear, or families who like to shop at a particular supermarket. We use MediaMath to conduct the real-time auction of the ad space. After the ad space has been auctioned, MediaMath transmits the ad and user information to the operator of the website or app so that the ad can be placed when the website is accessed or the app opened. Using ad servers allows us to measure certain parameters for evaluating actions during use, such as the display of ads, how long they were viewed, or clicks by users. This also enables reporting on the success of the ad placement. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. MediaMath also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. MediaMath is certified under this. So-called standard contractual clauses have also been concluded with MediaMath in order to commit MediaMath to an appropriate level of data protection. A copy is of course available on request. The storage period is thirteen months. For more information about privacy at MediaMath, please refer to: https://www.mediamath.com/blog/privacy-hub/.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.19 Microsoft Ads

Our website uses the tracking features of Microsoft Ads, which is provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, hereinafter referred to as “Microsoft”). Microsoft stores a cookie on the user’s device to measure the reach of our ads and to enable us to attribute the success of an ad. The Microsoft Ads online advertising service uses technologies such as cookies, tracking pixels and device fingerprinting in order to serve ads that are relevant to users and to improve campaign performance reports. This involves processing information that is stored on users’ devices. Microsoft Ads makes it possible to display interest-based ads to users that are related to search results in Bing and Yahoo search engines. Ads may also refer to products and services that users have already viewed on our website. For this purpose, analyses are first performed of user interaction on our website, such as which offers users are interested in, so that we can display targeted advertising to the users on other sites after they have left our website. When users visit our website, Microsoft Ads stores a cookie on the user’s device. Microsoft uses cookies and tracking pixels to process the information generated by users’ devices about the use of our website and interactions with our website as well as access data, in particular the IP address, browser information, the website visited before and the date and time of the server request, across devices for the purpose of serving and analysing personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. In addition, the Microsoft Ads online advertising service allows us to measure the reach of our ads and to track the success of a particular ad. This involves using “ad server cookies”, which can be used to measure certain reach measurement parameters, such as the display of ads, how long they were viewed, or clicks by users. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Microsoft also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Microsoft is certified under this. So-called standard contractual clauses have also been concluded with Microsoft in order to commit Microsoft to an appropriate level of data protection. A copy is of course available on request. The information in Microsoft Ads cookies will be stored for a maximum of twelve months. For more information about the protection of your data and how long Microsoft Ads stores your data, please refer to: https://about.ads.microsoft.com/en-gb/policies/legal-privacy-and-security.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.20 Microsoft Clarity

In order to optimise our web app in line with user interests, our website also uses the Microsoft Clarity analytics service, which is provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, US; hereinafter referred to as “Microsoft” and “Microsoft Clarity”). Microsoft Clarity records movements on our website in so-called heatmaps. This helps us to understand how users perceive our site and how they interact with it, such as through mouse movements, clicks and scrolling. This allows us to make our website better and more customer-friendly by knowing which areas are most frequently clicked on. To analyse usage patterns and click activity, Microsoft Clarity uses cookies and other tracking technologies that are stored on your device and that technically enable analysis of how your device uses the website. The information generated by the cookie about your visit to our website is also transferred to and stored on Microsoft’s servers. In particular, information about your device is also processed, such as the IP address, device type and browser information, geographical location (country code only), language preference, pages visited, date and time of access. Microsoft will use this information to statistically analyse the use of our website and to compile usage reports. With regard to the storage of and access to information on your device, the legal basis is Sect. 25(1) TTDSG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. Microsoft also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Microsoft Corporation in order to commit Microsoft Corporation to an appropriate level of data protection. A copy of the standard contractual clauses can be requested at: https://go.microsoft.com/fwlink/p/?linkid=2126612. The storage period is thirteen months. For further information about the protection of your data and how long Microsoft stores your data, please refer to: https://privacy.microsoft.com/en-gb/

You can withdraw your consent to the processing at any time by moving the slider back for the specific third-party provider in the consent tool privacy settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

21.3.21 Outbrain

Our website uses the analytics and tracking functions of Outbrain Amplify, which is provided by Outbrain Inc. (39 West 13th Street, 3rd Floor, New York, NY 10011, US; hereinafter referred to as “Outbrain”). The online advertising service “Outbrain” uses technologies such as cookies, tracking pixels (“Outbrain pixels”) and device fingerprinting to analyse how people use our website and our online ads, for example on Outbrain partner websites, user interactions on our website and elsewhere on the internet, and to measure the reach of our ads. The user’s browser uses the pixels – small graphics that are also embedded on our website, are automatically loaded when you visit our website, and enable tracking of user activity – to automatically establish a direct connection with the Outbrain server. If you come to our website via one of our ads which is deployed via a widget on the website of one of Outbrain’s partners, then Outbrain will store a cookie on your device. Outbrain uses the cookies to process the information generated by your device about interactions with our ads (viewing a particular website, clicking on an ad) as well as access data, in particular the IP address, for the purpose of analysing the reach measurement of our ads and to deploy cross-device, target group-specific ads to the individual user when they visit the website of another Outbrain partner. In addition, by analysing the click-through rates of our ads, we can measure the rate of users who have performed a particular action on our website, such as booking stays or ordering goods. If no Outbrain cookie has previously been placed on your device (for example, if you visit our website directly without first using an Outbrain partner website), then the Outbrain pixel does not process any data about you as a visitor to our website. With regard to the storage of and access to information on your device, the legal basis is Sect. 25(1) TTDSG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. Outbrain also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Outbrain is not certified under this. So-called standard contractual clauses have therefore been concluded with Outbrain in order to commit Outbrain to an appropriate level of data protection. A copy is of course available on request. Outbrain will store your data for ninety days. For more information about the protection of your data and how long Outbrain stores your data, please refer to: https://www.outbrain.com/legal/privacy#privacy-policy and https://www.outbrain.com/legal/privacy#cookies.

You can withdraw your consent to the processing at any time by moving the slider back for the specific third-party provider in the consent tool privacy settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

21.3.22 Oracle Bluekai

Our website also uses the services of the Bluekai data marketing platform, which is provided by Oracle (Oracle Corporation, 500 Oracle Parkway, Redwood Shores CA, 94065, US; hereinafter referred to as “Bluekai”). The Bluekai data marketing platform is used to analyse, organise and personalise marketing campaigns. For this purpose, the tool collects, analyses and categorises incoming information generated by the user’s device about the use of our website and interactions with our website as well as access data – in particular the IP address, browser information, the website visited previously and the date and time of the server request – from various sources (such as websites, apps and social media channels) in order to support the serving of personalised ads on websites. For this purpose, Bluekai uses cookies, pixel tags (tracking pixels), browser fingerprints and similar technologies that store or read information on users’ devices when they visit our website. This allows data to be transferred to Bluekai and used as the basis for statistical analysis and reach measurement. In this way, we can test and implement user-based advertising campaigns. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Bluekai also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Bluekai is not certified under this. So-called standard contractual clauses have therefore been concluded with Bluekai in order to commit Bluekai to an appropriate level of data protection. A copy is of course available on request. Your data will be stored for twelve months. For more information about data protection, please refer to: https://www.oracle.com/legal/privacy/.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.23 Salesforce

Our website also uses the services of the Salesforce data marketing platform, which is provided by Salesforce, Inc. (Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, US, hereinafter referred to as “Salesforce”). The Salesforce data marketing platform is used to analyse, organise and personalise marketing campaigns. For this purpose, the tool collects, analyses and categorises incoming information generated by the user’s device about the use of our website and interactions with our website as well as access data – in particular the IP address, browser information, the website visited previously and the date and time of the server request – from various sources (such as websites, apps and social media channels) in order to support the serving of personalised ads on websites. For this purpose, Salesforce uses cookies, pixel tags (tracking pixels), browser fingerprints and similar technologies that store or read information on users’ devices when they visit our website. This allows data to be transferred to Salesforce and used as the basis for statistical analysis and reach measurement. In this way, we can test and implement user-based advertising campaigns. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Salesforce also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Salesforce is certified under this. We have also concluded so-called standard contractual clauses with Salesforce in order to commit Salesforce to an appropriate level of data protection. A copy is of course available on request. Salesforce erases the cookies after twenty-four months at the latest. For more information about Salesforce, please refer to: https://www.salesforce.com/company/privacy/.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.24 The Hotels Network

We use the services of The Hotels Network (Muntaner 262, 3º, 08021 Barcelona, Spain; hereinafter referred to as “The Hotels Network”) for statistical analysis purposes. The Hotels Network uses cookies, which are stored on your device. The Hotels Network uses the cookies to process the information generated about the use of our website by your device – such as the fact that you have visited a certain page – and process, among other things, the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of statistical analysis of how people use our website. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. The Hotels Network cookies will be stored for twelve months. For further information about the protection of your data and how long The Hotels Network stores your data, please refer to: https://thehotelsnetwork.com/de/privacy-policy/.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.25 The Reach Group GmbH

Our website uses cookies to enable the delivery of retargeting campaigns by The Reach Group GmbH (Am Karlsbad 16, 10785 Berlin, Germany). The data stored in the cookie is only an encrypted, pseudonymised user ID. The ad serving technology used uses a shortened and hashed IP address to evaluate geographic region, access speed and internet provider. In addition, the time of the visit, the IDs of the products viewed, searched for or purchased, the URLs of the pages viewed, possible search terms and/or the IDs of the categories visited are stored in order to provide more relevant advertising content. IP or browser data will only be stored in Germany and only for the purpose of compiling anonymous visitor statistics and allocating transactions. At no time is it possible to draw conclusions about specific individuals, their exact address, whereabouts or other personal data. There is no explicit transfer of IP data to third parties. All information also has an expiry date of no more than 90 days, after which your browser will automatically delete the stored data. You may prevent the storage of cookies by selecting the appropriate settings in your browser. Furthermore, you can prevent the recording of data generated by the cookie about your use of the website by activating the opt-out function at the following link: https://hal9000.redintelligence.net/privacy/8lcfmzhxc8d6/.

For more information about privacy at The Reach Group GmbH, please refer to: https://trg.de/datenschutzerklarung/

This opt-out will remain in effect until the associated opt-out cookie is deleted. This cookie is set for the domain, per browser and per user of a device. Therefore, if you access our website from multiple devices and browsers, you will need to opt out of data collection separately and repeatedly on each of those devices and browsers.

21.3.26 TravelClick

Our website uses TravelClick, a tool provided by Amadeus IT Group SA (Salvador de Madariaga 1, 28027 Madrid, Spain; hereinafter referred to as “TravelClick”). We use TravelClick for the purpose of serving personalised advertising. For this purpose, TravelClick stores a cookie on your device. TravelClick uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of serving personalised ads. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. For more information about the protection of your data and how long TravelClick stores your data, please refer to: https://amadeus.com/en/policies/privacy-policy.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.27 Tremor Video

We use the Tremor Video service, which is provided by Tremor Video, Inc. (240 Richmond St W, STE 4-103, Toronto, ON M5V 1V6, Canada; hereinafter referred to as “Tremor Video”). Tremor Video allows us to present advertising videos tailored to the interests of the user. Videos may also refer to products and services that you have already viewed on our website. For this purpose, analyses are performed of user interactions on our website, such as which offers you as a user were interested in, so that we can serve you targeted ads on other sites after you have left our website. Tremor Video uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Tremor Video also processes the data in part in Canada. The EU Commission has issued an adequacy decision for data transfers to Canada. For further information about the protection of your data and how long Tremor Video stores your data, please refer to: https://www.tremorvideo.com/privacy-policy/.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.28 Trivago

The tracking features of the hotel booking platform Trivago (Trivago N.V., Kesselstraße 5-7, 40221 Düsseldorf; hereinafter referred to as “Trivago”) use tracking pixels and programming interfaces (such as APIs) to collect information generated by users’ devices about the retrieval of our website, or opening of our app, during or after a booking made via the Trivago booking platform. This involves meta information about the booking such as price, currency, region, date and time, number of guests, room category as well as information from devices such as device type, user agent (browser, email programs, etc.), IP address (with the final octet removed), clicks made in our offers on the Trivago hotel booking platform as well as on our website and in our app (such as calling up a specific subpage) as well as access data, in particular the IP address, browser information, the website visited before and the date and time of the server request. When our website or app is called up or opened, this is logged and assigned to a transaction on the Trivago hotel booking platform. In relation to the data of the advertising campaigns, we can determine how successful our website or app and individual advertising activities are in the context of the Trivago hotel booking platform. The processing is carried out for the purpose of measuring reach in the context of using the Trivago hotel booking platform, in particular correctly assigning the success of a booking for the referral to our offered services and products as well as for billing within the framework of the Trivago hotel booking platform. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. For more information about the protection of your data and how long Trivago stores your data, please refer to: https://www.trivago.de/datenschutzerklaerung

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.29 Triptease

We use the services of the data marketing platform Triptease (c/o Knotel, Floor 7, 43 W24th Street, New York, NY, 10010, US; hereinafter referred to as “Triptease”). The Triptease data marketing platform is used to analyse, organise and personalise marketing campaigns. For this purpose, the tool collects, analyses and categorises incoming information generated by the user’s device about the use of our website and interactions with our website as well as access data – in particular the IP address, browser information, the website visited previously and the date and time of the server request – from various sources (such as websites, apps and social media channels) in order to support the serving of personalised ads on websites. For this purpose, Triptease uses cookies, pixel tags (tracking pixels), browser fingerprints and similar technologies that store or read information on users’ devices when they visit our website. This allows data to be transferred to Triptease and used as the basis for statistical analysis and reach measurement. In this way, we can test and implement user-based advertising campaigns. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Triptease also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Triptease is not certified under this. So-called standard contractual clauses have therefore been concluded with Triptease in order to commit Triptease to an appropriate level of data protection. A copy is of course available on request. Triptease erases the cookies after twelve months at the latest. For more information about Triptease, please refer to: https://triptease.com/en/privacy-policy/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.30 Xandr (AppNexus)

To deploy and measure usage-based advertising, we also use Xandr, an advertising service provider and operator of a bidding platform provided by AppNexus Inc (28 W 23rd Street, 4th floor, New York, US; hereinafter referred to as “Xandr”). Xandr offers an online ad exchange for websites and apps with available ad space and enables us to place personalised ads that match the ad space of several website and app providers. The online ad exchange Xandr in turn uses technology platforms such as supply-side platforms and demand-side platforms, for example from Optomaton (Optomaton UG, Friederike-Nadig-Straße 13, 64807 Dieburg, Germany), which enable the automated and auction-based purchase of online ad space and the automated serving of personalised ads on websites and in apps in real time. This enables us to recognise users of our website and apps on other websites inside and outside the Xandr advertising network and to serve them ads tailored to their interests. Xandr uses tracking technologies such as cookies and tracking pixels to process the information generated by users’ devices about the use of websites and apps with available ad space. This involves interactions with these websites and apps as well as the cookie ID, in some cases the operating system-specific advertising IDs of mobile devices, and access data, in particular the IP address, browser information, the website visited before and the date and time of the server request. This data is processed for the purposes of cross-device analysis of user activity, and serving and measuring personalised ads. For these purposes, it is also possible to determine whether different devices belong to you or to your household. If users access a website, or open an app, where there is available ad space, then a connection is automatically established between the user’s browser and a supply-side platform, via which ad space on other websites and in apps is offered in a real-time bidding process for the purpose of serving personalised ads. The supply-side platform starts a real-time bidding process, for which purpose it transmits user information (cookie ID or user ID) to Xandr. As an online ad exchange, Xandr forwards this user information and existing user profiles to various demand-side platforms in order to auction ad space based on user information that matches our advertising. The user profiles may also contain socio-demographic information about age, place of residence, marital status and household size, which may indicate your interests. Examples include cruises for over-50s, men living in southeastern Germany who are interested in sportswear, or families who like to shop at a particular supermarket. Xandr passes on the relevant ads and user information to the supply-side platform in order to conduct the real-time auction of the ad space. After the ad space has been auctioned, Xandr transmits the ad and user information to the operator of the website or app so that the ad can be placed when the website is accessed or the app opened. Using ad servers allows us to measure certain parameters for evaluating actions during use, such as the display of ads, how long they were viewed, or clicks by users. This also enables reporting on the success of the ad placement. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Xandr also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Xandr is not certified under this. So-called standard contractual clauses have therefore been concluded with Xandr in order to commit Xandr to an appropriate level of data protection. A copy is of course available on request. Xandr erases the cookies after three months at the latest. For more information about the protection of your data and how long Xandr stores your data, please refer to: https://www.xandr.com/privacy/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

21.3.31 Yahoo Web Analytics

In order to tailor our website perfectly to user interests, we use Yahoo Web Analytics, a web analytics service provided by Yahoo! Inc. (701 First Avenue Sunnyvale, CA 94089, US; hereinafter referred to as “Yahoo Web Analytics” or “Yahoo”). Yahoo Web Analytics uses cookies, which are stored on your device. Yahoo Web Analytics uses the cookies to process the information generated about the use of our website by your device – such as the fact that you have visited a certain page – and process, among other things, the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of statistical analysis of how people use our website. If a user is registered with a Yahoo service, Yahoo can associate the visit with the user’s account and create and evaluate user profiles across applications. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Yahoo also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Yahoo is not certified under this. So-called standard contractual clauses have therefore been concluded with Yahoo in order to commit Yahoo to an appropriate level of data protection. A copy is of course available on request. Your data will be stored for twelve months. For further information about privacy at Yahoo, please refer to: https://legal.yahoo.com/us/en/yahoo/privacy/topics/analytics/index.html.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

21.3.32 Yahoo Advertising

We use the Yahoo Advertising web analytics service, which is provided by Yahoo!, Inc. (701 First Avenue Sunnyvale, CA 94089, US; hereinafter referred to as “Yahoo Advertising” or “Yahoo”) in order to use ads to draw attention to our attractive services on external websites. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising activities are. For this purpose, we use cookies, which can be used to measure certain parameters for reach measurement, such as the display of ads or clicks by users. If you reach our website via a Yahoo ad, Yahoo stores a cookie on your device. Yahoo uses the cookies to process the information generated by your device about interactions with our ads (retrieval of a particular web page or clicking on an ad), and the data mentioned under “Using our website” – in particular the IP address, browser information, the website visited before and the date and time of the server request – for the purpose of analysing and visualising the reach measurement of our ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Due to the marketing tools used, your browser automatically establishes a direct connection to the Yahoo server. We receive statistical analyses from Yahoo for the purpose of measuring the success of our ads. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Yahoo also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Yahoo is not certified under this. So-called standard contractual clauses have therefore been concluded with Yahoo in order to commit Yahoo to an appropriate level of data protection. A copy is of course available on request. Your data will be stored for twelve months. For further information about privacy at Yahoo, please refer to: https://legal.yahoo.com/us/en/yahoo/privacy/topics/analytics/index.html

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

21.3.33 Matomo web analytics software

We use Matomo, which is open-source web analytics software, to statistically analyse the number of visitors to our website in order to make our website better and more user-friendly. The provider is Innocraft (Innocraft Ltd., 150 Willis Street, 6011 Wellington, New Zealand, [email protected]). Matomo is open-source software that enables statistical evaluations on our website, especially regarding visitor numbers, page views, downloads and websites visited previously, and for measuring the success of entries in search engines. The analysed information and statistics are processed exclusively on our own web servers and in our databases. The Matomo tool uses technologies such as fingerprinting to record, analyse and categorise the information generated by the user’s device about the use of our website and interactions with our website as well as access data – in particular the IP address, browser information, the website visited previously, and the date and time of the server request – for the purpose of statistical analysis and measuring the reach of ads in search engines. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TTDSG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. We use Matomo with an extension, which means that IP addresses are shortened before processing them further in order to make it more difficult to identify individuals. The storage period is six months.

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool privacy settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Book now