Privacy Policy | Hotel Goldener Ochsen Goeppingen-Hohenstaufen

Overview

Privacy Policy

The processing of data on this website is carried out by the website operator. You can find the contact details in the section “Responsible body” in this privacy policy.

Overview of the legal basis for data processing

The processing of your personal data on this website is carried out in accordance with the applicable data protection requirements, in particular the GDPR.

Consent

If you have consented to processing, it is based on Article 6(1)(a) GDPR or, in the case of special categories of data, Article 9(2)(a) GDPR. In the case of explicit consent to the transfer of data to third countries, processing is additionally based on Article 49(1)(a) GDPR.

Cookies

We do not use cookies for tracking, analytics, or marketing purposes.

Technically necessary local caching (cache) by browsers / service workers may still occur independently of this.

In particular, no tracking, analytics, or marketing cookies are used.

External links and map services

Our website contains links to external third-party websites, for example Google Maps and Apple Maps for route planning, Wikipedia, DEHOGA Baden-Wuerttemberg, and timetable services of VVS and the district of Goeppingen. If you click such a link, you leave our website. In doing so, personal data may be transmitted to the respective provider, for example your IP address, technical connection data, and the accessed URL. Data processing by these external providers is governed exclusively by their respective privacy policies.

Please note that some external providers may also process data outside the European Union (EU) or the European Economic Area (EEA). In such cases, data processing takes place under the sole responsibility of the respective provider in accordance with its privacy policy and the legal bases stated there for international data transfers.

Special protection of your privacy: We deliberately do not embed map services and timetable tools directly into our website as interactive content, for example via iFrames or embedded scripts. Therefore, data is only transmitted to these services once you actively click the respective external link.

Contract-related data

If processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, it is based on Article 6(1)(b) GDPR.

Legal obligation

Processing required by law is carried out in accordance with Article 6(1)(c) GDPR.

Legitimate interest

In certain cases, we base processing on our legitimate interest pursuant to Article 6(1)(f) GDPR. Further details on the respective legal basis can be found in the following sections of this privacy policy.

Responsible body

For room inquiries, please preferably call us by phone – this helps us coordinate arrival times (check-in) reliably.

Web hosting

This website is hosted by an external service provider. The personal data collected on this website is stored on the hoster’s servers. This primarily includes IP addresses in log files, meta and communication data, and contact requests.

Our hoster: Strato GmbH, Otto-Ostrowski-Strasse 7, 10249 Berlin.
We use Strato on the basis of Art. 6(1)(f) GDPR, based on our legitimate interest in a secure and fast provision of our online offer.

Data processing agreement: We have concluded a data processing agreement with Strato. This ensures that Strato processes your data only according to our instructions and in compliance with the GDPR.

Since we do not use tracking tools, analytics services, or third-party scripts and do not use non-essential cookies, no consent is required to visit our website. Consent would only be necessary if non-essential cookies or similar technologies were used in the future. Further information can be found in Strato’s privacy policy: https://www.strato.de/datenschutz/.

E-mail hosting and e-mail communication

For sending and receiving e-mails, we use the services of our hoster Strato GmbH, Otto-Ostrowski-Strasse 7, 10249 Berlin. If you send us an e-mail or we send you an e-mail, the e-mail addresses, the contents of the e-mails, and technical communication data such as sending date and server-side log information are processed on Strato’s systems. Processing serves to provide reliable and secure e-mail traffic, to handle your inquiries, and to fulfill our contractual obligations. The legal basis is Art. 6(1)(b) GDPR for inquiries or bookings related to a contract and Art. 6(1)(f) GDPR for general e-mail communication and our interest in efficient and secure communication.

Data processing agreement: We have concluded a data processing agreement with Strato.

Storage duration: As a rule, we store e-mails for as long as necessary to process your request. The exact duration depends on the content of the message. Pure information requests without a booking are deleted after the communication has ended and after a reasonable period of time, generally up to 6 months, in order to clarify possible follow-up questions. If an e-mail qualifies as commercial or business correspondence or as a tax-relevant document, we store it in accordance with statutory retention periods. Detailed information can be found in the section “Storage duration and retention periods”.

Service worker and offline functionality

We use a service worker on this website. This is a script that is executed by your browser in the background.

The service worker is used solely to improve technical performance and to store certain content locally in your browser for caching. This can help the website load faster even with poor internet connectivity or make previously visited information available offline.

Data processing: The service worker does not process personal data for identification purposes and does not transmit data to us or third parties. No user profiles are created and no tracking or analytics technologies are used. The service worker only stores static website files locally on your device. We do not have access to these local files.

Legal basis: The use of the service worker is based on Art. 6(1)(f) GDPR. Our legitimate interest is the technically error-free, secure, and optimized provision of our online offer.

Note: You can delete the local offline storage at any time via your browser settings, for example “Site data” or “Cache”.

This only deletes locally stored offline files of this website.

Cloud storage / data backup (STRATO HiDrive)

For the storage and backup of business documents as well as for technical backups of our website, we use the cloud storage service STRATO HiDrive of Strato GmbH, Otto-Ostrowski-Strasse 7, 10249 Berlin.

Server location: According to Strato, data processing takes place exclusively in ISO-certified data centers in Germany. No storage takes place on servers outside the EU.

Processing takes place for the purpose of secure storage, restoration, and traceability of documents as well as to ensure IT security and operability. Legal bases are, depending on the individual case, Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR, and Art. 6(1)(f) GDPR.

Data processing agreement: For the use of STRATO HiDrive, we have concluded a data processing agreement with Strato.

Storage duration: Personal data stored in STRATO HiDrive is stored in accordance with the storage durations and statutory retention periods stated in this privacy policy and is deleted after the relevant periods have expired, unless other legal reasons oppose this.

We do not store personal data in cloud storage services from Microsoft, Google, or Apple.

Data processing agreements

We have concluded a data processing agreement for the use of the above-mentioned services, including web hosting, e-mail hosting, e-mail communication, and cloud storage or data backup, with our hoster. This ensures that the provider processes personal data only according to our instructions and in compliance with the GDPR.

Server log files

We or our hosting provider collect data about every access to the website, so-called server log files. Access data includes in particular the name of the accessed website or file, date and time of access, amount of data transferred, message about successful access, browser type and version, user’s operating system, referrer URL, and the IP address.

Processing takes place for the purpose of the technical provision, stability, and security of the website and is based on Art. 6(1)(f) GDPR. This data is not merged with other data sources.

Storage duration: At our hosting provider Strato, non-anonymized IP addresses are stored only briefly for security reasons and then anonymized. Anonymized log data may remain available for a limited period for error analysis and statistical evaluation.

Security on the internet

Our web and mail servers are located in Germany. Nevertheless, routing of data traffic via transit routes outside Germany and the European Union cannot be excluded. We expressly point out that data transmission on the internet, especially communication by e-mail, may have security gaps and cannot be completely protected against access by third parties. For information requiring a particularly high level of confidentiality, we recommend the postal route or appropriate electronic protection measures.

SSL/TLS encryption

Our website is accessible via HTTPS / TLS encryption.

This means that all data transmitted between your browser and our server is encrypted.

Encryption protects personal data you submit to us when contacting us or making an inquiry from unauthorized access by third parties.

You can recognize an encrypted connection by the “https://” in your browser’s address bar and the lock symbol displayed there.

Contacting us

When contacting us, for example by letter, telephone, or e-mail, the user’s details are stored for the purpose of processing the request and in the event that follow-up questions arise. Personal data is collected by us when you provide it to us voluntarily, for example when you contact us. We will of course use the personal data transmitted to us in this way exclusively for the purpose for which you made it available to us when contacting us. The provision of this information is expressly voluntary and with your consent. Insofar as this concerns details on communication channels, for example e-mail address or telephone number, you also consent to us contacting you via this communication channel, if necessary, in order to answer your request. Data processing is carried out in accordance with Art. 6(1)(b) GDPR if your request is related to the performance of a contract or pre-contractual measures. In all other cases, processing is based on our legitimate interest in the efficient processing of your inquiries pursuant to Art. 6(1)(f) GDPR or on your consent pursuant to Art. 6(1)(a) GDPR, if such consent has been obtained. You may revoke your consent at any time. The data sent to us via contact inquiries remains with us until you request its deletion, revoke your consent to storage, or the purpose for storage no longer applies. Mandatory statutory provisions, in particular statutory retention periods, remain unaffected.

No use of generative AI for inquiries and reservations

We do not use chatbots, generative AI systems, or automated response systems for the processing of personal data in the context of inquiries and reservations, for example name, phone number, or reservation details.

Your information is processed personally by us. We do not pass on your inquiry or reservation data for the training of generative AI systems.

Note: Technical protection mechanisms such as spam or abuse filters used by e-mail and hosting services may employ automated processes to protect systems. This concerns technical provision, not the substantive processing of your inquiry by us.

Note on messenger services and social media

For inquiries, reservations, and other business correspondence, we use exclusively the official contact channels mentioned in this privacy policy, in particular telephone, e-mail, and post. Messenger services such as WhatsApp as well as Facebook or Instagram Messenger are not used by us as an official communication channel for business operations.

Therefore, please do not send any personal data, for example booking data, copies of identity documents, or payment information, via WhatsApp or social media messengers. Should we nevertheless receive messages via such services, we may not be able to process them for organizational and data protection reasons and will refer you to the official contact channels.

Any social media presence that may exist serves exclusively to provide public information about our business. There is no obligation to communicate via social media messages. For data processing by the respective platform providers, their own privacy policies apply.

Storage duration and statutory retention periods

We adhere to the principles of data avoidance and data minimization. We store personal data only for as long as is necessary to achieve the purposes stated here or as required by statutory retention periods.

Once the respective purpose no longer applies or statutory periods have expired, the corresponding data is routinely blocked or deleted in accordance with statutory provisions. If we must retain data due to legal obligations, this is done on the basis of Art. 6(1)(c) GDPR.

• Tax and accounting-related documents:
  We are obliged to retain certain tax and accounting-related documents in accordance with statutory requirements.
  Retention periods: 6 / 8 / 10 years (depending on the type of document).
• Commercial and business correspondence:
  Received commercial and business letters as well as reproductions of sent commercial and business letters are retained in accordance with statutory requirements. This may also include e-mails if they serve the initiation, execution, or settlement of a business transaction, for example reservations or contractual arrangements.
  Retention periods: 6 / 8 / 10 years (depending on the type of document).
• Registration forms (accommodation reporting obligation):
  For accommodation guests, we keep registration forms insofar and to the extent that we are obliged to do so under the applicable provisions of the Federal Registration Act.
  Legal basis: Art. 6(1)(c) GDPR in conjunction with the relevant legal provisions.
  Retention and destruction: The registration forms are retained in accordance with statutory requirements and are then destroyed in a data protection-compliant manner, unless other statutory retention obligations apply.
• Inquiries without booking:
  E-mail inquiries that do not lead to a booking or contractual relationship are deleted after the communication has ended and after a reasonable period, generally up to 6 months, in order to clarify possible follow-up questions.

Transfer to tax advisor

In order to fulfill our tax and commercial law obligations as well as for proper accounting and tax advice, we transfer the necessary data to our tax advisor.

The tax advisor generally processes this data as an independent controller within the meaning of the GDPR. Processing takes place in particular for the purposes of accounting, preparation of tax returns, and tax advice.

The legal basis is Art. 6(1)(c) GDPR and, insofar as necessary in individual cases, Art. 6(1)(b) GDPR.

Objection to advertising e-mails

As part of the statutory imprint obligation, we must publish our contact details. These are occasionally used by third parties to send unsolicited advertising and information. We hereby object to any sending of advertising material of any kind that has not been expressly authorized by us. We also expressly reserve the right to take legal action against the unsolicited and uninvited sending of advertising material. This applies in particular to so-called spam e-mails, spam letters, and spam faxes.

Asserting your rights

You may assert your rights as a data subject at any time using the contact details provided in this privacy policy.

Is personal data passed on to third parties?

We do not sell, rent, or otherwise market personal data to third parties.

Personal data is only disclosed where this is necessary for the performance of a contract, to fulfill legal obligations, for the use of carefully selected service providers acting on our behalf, or where you actively use external links and services.

This may include, in particular, our hosting and e-mail provider, our tax advisor where legally required, and public authorities where we are obliged to do so by law.

Your rights as a data subject

As a data subject, you have various rights under the GDPR. You can assert these rights at any time against the responsible body. Please direct your requests to the contact address stated in this privacy policy or in the imprint.

Right of access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, you have the right to obtain access to these data as well as further information, in particular on the purposes of processing, the categories of personal data, the recipients or categories of recipients, the planned storage period or the criteria for determining the storage period, and your further rights.

Right to rectification (Art. 16 GDPR)

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed, including by means of a supplementary declaration.

Right to erasure (Art. 17 GDPR)

You have the right to request the erasure of your personal data, provided that the statutory requirements are met. This is the case in particular if the data are no longer necessary for the purposes for which they were collected or processed, you withdraw consent and there is no other legal basis for processing, you object to the processing and there are no overriding legitimate grounds, or the processing is unlawful. The right to erasure does not apply insofar as the processing is necessary to comply with a legal obligation or for the establishment, exercise, or defense of legal claims.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your personal data where one of the following applies: you contest the accuracy of the personal data for the period of verification; the processing is unlawful and you oppose erasure and request restriction instead; we no longer need the personal data for processing purposes, but you require them for the establishment, exercise, or defense of legal claims; or you have objected to processing pursuant to Art. 21 GDPR pending verification whether our legitimate grounds override yours.

Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and the processing is carried out by automated means.

Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1)(e) GDPR or Art. 6(1)(f) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

Withdrawal of consent (Art. 7(3) GDPR)

If processing is based on your consent, you may withdraw this consent at any time with effect for the future. The lawfulness of processing carried out up to the withdrawal remains unaffected. You may direct your withdrawal informally to the contact details given in this privacy policy or in the imprint.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Competent supervisory authority for Baden-Wuerttemberg

Protection of minors

Our offer is generally aimed at adults. Persons under the age of 18 may not, in principle, transmit personal data to our websites without the consent of their parents or legal guardians. We do not knowingly collect, use, or disclose to third parties personal data obtained from children or minors without authorization.