Privacy Policy Hotel Goldener Ochsen Goeppingen-Hohenstaufen

Overview:

Privacy Policy:

The processing of data on this website is carried out by the website operator. You can find the contact details in the section “Name and address of the responsible body” in this privacy policy.

Overview of the legal basis for data processing:

The processing of your personal data on this website is carried out in accordance with the applicable data protection requirements, in particular the GDPR.

Consent:

If you have consented to the processing, it is based on Article 6(1)(a) or, in the case of special categories of data, pursuant to Article 9(2)(a) GDPR. In the case of explicit consent to the transfer of data to third countries, the processing is additionally based on Article 49(1)(a) GDPR.

Cookies:

We do not use cookies for tracking, analytics, or marketing purposes.

Technically necessary local caching (cache) by browsers / service workers may still occur independently of this.

In particular, no tracking, analytics, or marketing cookies are used.

External links and map services:

Our website contains links to external third-party websites (e.g., Google Maps and Apple Maps for route planning, Wikipedia, DEHOGA Baden-Wuerttemberg, as well as timetable services of VVS and the district of Goeppingen). If you click on such a link, you leave our website. In doing so, personal data may be transmitted to the respective provider (e.g., your IP address, technical connection data, and the accessed URL). The data processing by these external providers is governed by their respective privacy policies.

Please note that some external providers may also process data outside the European Union (EU) or the European Economic Area (EEA). In such cases, the data processing takes place under the sole responsibility of the respective provider in accordance with its privacy policy and the legal bases stated there for international data transfers.

Special protection of your privacy: We deliberately do not embed map services and timetable tools directly into our website as interactive content (e.g., via iFrame or embedded scripts). Therefore, data is only transmitted to these services once you actively click the respective external link.

Contract-related data:

If processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, it is based on Article 6(1)(b) GDPR.

Legal obligation:

Processing required by law is carried out in accordance with Article 6(1)(c) GDPR.

Legitimate interest:

In certain cases, we base the processing on our legitimate interest pursuant to Article 6(1)(f) GDPR. Further details on the respective legal basis can be found in the following sections of this privacy policy.

Name and address of the responsible body:

For room inquiries, please preferably call us by phone – this helps us coordinate arrival times (check-in) reliably.

Web hosting:

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster’s servers. This primarily includes IP addresses (in log files), meta and communication data, and contact requests.

Our hoster: Strato GmbH, Otto-Ostrowski-Strasse 7, 10249 Berlin.
We use Strato on the basis of Art. 6(1)(f) GDPR (legitimate interest in a secure and fast provision of our online offer).

Data processing agreement: We have concluded a Data Processing Agreement (DPA) with Strato. This ensures that Strato processes your data only according to our instructions and in compliance with the GDPR.

Since we do not use tracking tools, analytics services, or third-party scripts and do not use non-essential cookies, no consent is required to visit our website.
Consent would only be necessary if non-essential cookies or similar technologies (e.g., tracking or analytics tools) were used in the future.
Further information can be found in Strato’s privacy policy: https://www.strato.de/datenschutz/.

E-mail hosting and e-mail communication:

For sending and receiving e-mails, we use the services of our hoster Strato GmbH, Otto-Ostrowski-Strasse 7, 10249 Berlin (hereinafter “Strato”). If you send us an e-mail or we send you an e-mail, the e-mail addresses, the contents of the e-mails, and technical communication data (e.g., sending date and server-side log information) are processed on Strato’s systems. The processing of this data serves to provide reliable and secure e-mail traffic, to handle your inquiries, and to fulfill our contractual obligations to you. The legal basis for this processing is Art. 6(1)(b) GDPR (contract performance or pre-contractual measures) for inquiries or bookings related to a contract, and Art. 6(1)(f) GDPR (legitimate interest) for general e-mail communication and our interest in efficient and secure communication.

Data processing agreement: We have concluded a Data Processing Agreement (DPA) with Strato, which ensures that Strato processes personal data only in accordance with our instructions and in compliance with strict German and European data protection standards. Further information on data protection at Strato can be found at: https://www.strato.de/datenschutz/.

Storage duration: As a rule, we store e-mails for as long as necessary to process your request. The exact duration depends on the content of the message. Pure information requests without a booking are deleted after the communication has ended and after a reasonable period of time (generally up to 6 months) in order to clarify possible follow-up questions. If an e-mail qualifies as commercial or business correspondence or as a tax-relevant document (e.g., in connection with a reservation), we store it in accordance with statutory retention periods. Detailed information can be found in the section “Storage duration and retention periods”.

Service worker and offline functionality:

We use a service worker on this website. This is a script that is executed by your browser in the background.

The service worker is used solely to improve technical performance and to store certain content locally in your browser (caching). This can help the website load faster even with poor internet connectivity or make previously visited information available offline.

Data processing: The service worker does not process personal data for identification purposes and does not transmit data to us or third parties. No user profiles are created and no tracking or analytics technologies are used. The service worker only stores static website files locally on your device (browser cache/offline storage); we do not have access to these local files.

Legal basis: The use of the service worker is based on Art. 6(1)(f) GDPR. Our legitimate interest is the technically error-free, secure, and optimized provision of our online offer.

Note: You can delete the local offline storage at any time via your browser settings (e.g., “Site data” / “Cache”).

(This only deletes locally stored offline files of this website.)

Cloud storage / data backup (STRATO HiDrive):

For the storage and backup of business documents (e.g., invoices, receipts, correspondence) as well as for technical backups (e.g., backups of our website), we use the cloud storage service STRATO HiDrive of Strato GmbH, Otto-Ostrowski-Strasse 7, 10249 Berlin.

Server location: According to Strato, data processing takes place exclusively in ISO-certified data centers in Germany. No storage takes place on servers outside the EU.

Processing takes place for the purpose of secure storage, restoration, and traceability of documents as well as to ensure IT security and operability. Legal bases are – depending on the individual case – Art. 6(1)(b) GDPR (contract / pre-contractual measures), Art. 6(1)(c) GDPR (legal obligation, e.g., tax and commercial retention obligations), and Art. 6(1)(f) GDPR (legitimate interest in secure IT organization and data backup).

Data processing agreement: For the use of STRATO HiDrive, we have concluded a Data Processing Agreement (DPA) with Strato. Strato processes the data exclusively according to our instructions and in compliance with the GDPR.

Storage duration: Personal data stored in STRATO HiDrive is stored in accordance with the storage durations and statutory retention periods stated in this privacy policy and is deleted or destroyed after the periods have expired, unless other legal reasons oppose this.

We do not store personal data in cloud storage services from Microsoft, Google, or Apple.

Data processing agreements:

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned services (web hosting, e-mail hosting, e-mail communication, and cloud storage / data backup) with our hoster. This is a legally required data protection agreement that ensures the provider processes personal data only according to our instructions and in compliance with the GDPR.

Server log files:

We (or our hosting provider) collect data about every access to the website (so-called server log files). Access data includes in particular: name of the accessed website or file, date and time of access, amount of data transferred, message about successful access (HTTP status code), browser type and version, user’s operating system, referrer URL, and the IP address.

Processing takes place for the purpose of the technical provision, stability, and security of the website (e.g., to detect and defend against attacks) and is based on Art. 6(1)(f) GDPR. This data is not merged with other data sources.

Storage duration: At our hosting provider Strato, non-anonymized IP addresses are stored only briefly for security reasons and then anonymized. Anonymized log data may – depending on the hoster’s technical and organizational requirements – remain available for a limited period for error analysis and statistical evaluation.

Security on the internet:

Our web and mail servers are located in Germany. Nevertheless, routing of data traffic via transit routes outside Germany and the European Union cannot be excluded. We expressly point out that data transmission on the internet (e.g., communication by e-mail) may have security gaps and cannot be completely protected against access by third parties. For information requiring a particularly high level of confidentiality, we recommend the postal route or appropriate electronic protection measures.

SSL/TLS encryption:

Our website is accessible via HTTPS/TLS encryption.

This means that all data transmitted between your browser and our server is encrypted.

Encryption protects in particular personal data that you submit to us when contacting us or making an inquiry from unauthorized access by third parties.

You can recognize an encrypted connection by the “https://” in your browser’s address bar and the lock symbol displayed there.

Contacting us:

When contacting us (for example by letter, telephone, or e-mail), the user’s details are stored for the purpose of processing the request and in the event that follow-up questions arise. Personal data is collected by us when you provide it to us voluntarily, for example when you contact us. We will of course use the personal data transmitted to us in this way exclusively for the purpose for which you made it available to us when contacting us. The provision of this information is expressly voluntary and with your consent. Insofar as this concerns details on communication channels (for example e-mail address or telephone number), you also consent to us contacting you via this communication channel, if necessary, in order to answer your request. Data processing is carried out in accordance with Art. 6(1)(b) GDPR if your request is related to the performance of a contract or pre-contractual measures. In all other cases, processing is based on our legitimate interest in the efficient processing of your inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), if such consent has been obtained. You may of course revoke your declarations of consent at any time. The data sent to us via contact inquiries remains with us until you request its deletion, revoke your consent to storage, or the purpose for storage no longer applies (e.g., after your request has been fully processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

No use of generative AI for inquiries and reservations:

We do not use chatbots, generative AI systems (LLMs), or automated response systems for the processing of personal data in the context of inquiries and reservations (e.g., name, phone number, reservation details).

Your information is processed personally by us. We do not pass on your inquiry or reservation data for the training of generative AI systems.

Note: Technical protection mechanisms (e.g., spam or abuse filters) used by e-mail and hosting services may employ automated processes to protect systems. This concerns technical provision, not the substantive processing of your inquiry by us.

Note on messenger services and social media (WhatsApp / Facebook):

For inquiries, reservations, and other business correspondence, we use exclusively the official contact channels mentioned in this privacy policy (in particular telephone, e-mail, and post). Messenger services such as WhatsApp as well as Facebook or Instagram Messenger are not used by us as an official communication channel for business operations.

Therefore, please do not send any personal data (e.g., booking data, copies of identity documents, payment information) via WhatsApp or social media messengers. Should we nevertheless receive messages via such services, we may not be able to process them for organizational and data protection reasons and will refer you to the official contact channels.

Any social media presence that may exist serves exclusively to provide public information about our business. There is no obligation to communicate via social media messages. For data processing by the respective platform providers, their own privacy policies apply.

Storage duration and statutory retention periods:

We adhere to the principles of data avoidance and data minimization. We store personal data only for as long as is necessary to achieve the purposes stated here or as required by statutory retention periods.

Once the respective purpose no longer applies or statutory periods have expired, the corresponding data is routinely blocked or deleted in accordance with statutory provisions.

Insofar as we must retain data due to legal obligations, this is done on the basis of Art. 6(1)(c) GDPR.

• Tax and accounting-related documents:
  We are obliged to retain certain tax and accounting-related documents (e.g., invoices, booking receipts, cash/payment receipts, and other tax-relevant documents) in accordance with statutory requirements.
  Retention periods: 6 / 8 / 10 years (depending on the type of document). This applies in particular to data arising in connection with room bookings, restaurant invoices, or other services.
• Commercial and business correspondence:
  Received commercial and business letters as well as reproductions of sent commercial and business letters are retained in accordance with statutory requirements. This may also include e-mails if they serve the initiation, execution, or settlement of a business transaction (e.g., reservations, contractual arrangements, complaints).
  Retention periods: 6 / 8 / 10 years (depending on the type of document).
• Registration forms (accommodation reporting obligation):
  For accommodation guests, we keep registration forms insofar and to the extent that we are obliged to do so under the respectively applicable provisions of the Federal Registration Act (BMG) (in particular for certain groups of guests). We process only the information required by law and use it exclusively to fulfill the reporting obligation.
  Legal basis: Art. 6(1)(c) GDPR in conjunction with the relevant provisions of the BMG.
  Retention and destruction: The registration forms are retained in accordance with statutory requirements and are then destroyed within the statutory periods in a data protection-compliant manner, unless other statutory retention obligations apply.
• Inquiries without booking:
  E-mail inquiries that do not lead to a booking or contractual relationship (e.g., pure availability inquiries that were answered negatively) are deleted after the communication has ended and after a reasonable period (generally up to 6 months) in order to clarify possible follow-up questions.

Transfer to tax advisor:

In order to fulfill our tax and commercial law obligations as well as for proper accounting and tax advice, we transfer the necessary data (e.g., invoice data, receipts, booking information, and related correspondence) to our tax advisor.

The tax advisor generally processes this data as an independent controller within the meaning of the GDPR. Processing takes place in particular for the purposes of accounting, preparation of tax returns, and tax advice.

The legal basis is Art. 6(1)(c) GDPR (fulfillment of legal obligations) and – insofar as necessary in individual cases – Art. 6(1)(b) GDPR (contract / pre-contractual measures).

Objection to advertising e-mails:

As part of the statutory imprint obligation, we must publish our contact details. These are occasionally used by third parties to send unsolicited advertising and information. We hereby object to any sending of advertising material of any kind that has not been expressly authorized by us. We also expressly reserve the right to take legal action against the unsolicited and uninvited sending of advertising material. This applies in particular to so-called spam e-mails, spam letters, and spam faxes. We point out that the unauthorized transmission of advertising material may give rise to competition law, civil law, and criminal law consequences. Spam e-mails and spam faxes in particular can lead to substantial claims for damages if they disrupt business operations by overloading inboxes or fax machines.

Asserting your rights:

You may assert your rights as a data subject at any time using the contact details provided in this privacy policy.

Is personal data passed on to third parties?

Your data will be processed and used for advisory, advertising, or market research purposes only with your explicit consent. Your data will not be sold, rented, or otherwise made available to third parties. Personal data will only be transmitted to government agencies and authorities within the framework of mandatory national legal provisions.

Your rights as a data subject:

As a data subject, you have various rights under the GDPR. You can assert these rights at any time against the responsible body. Please direct your requests to the contact address stated in this privacy policy or in the imprint.

Right of access (Art. 15 GDPR):

You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, you have the right to obtain access to these data as well as further information, in particular on the purposes of processing, the categories of personal data, the recipients or categories of recipients, the planned storage period or the criteria for determining the storage period, and your further rights.

Right to rectification (Art. 16 GDPR):

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed – including by means of a supplementary declaration.

Right to erasure (“right to be forgotten”) (Art. 17 GDPR):

You have the right to request the erasure of your personal data, provided that the statutory requirements are met. This is the case in particular if (1) the data are no longer necessary for the purposes for which they were collected or processed, (2) you withdraw consent and there is no other legal basis for processing, (3) you object to the processing and there are no overriding legitimate grounds, or (4) the processing is unlawful. The right to erasure does not apply insofar as the processing is necessary, among other things, to comply with a legal obligation or for the establishment, exercise, or defense of legal claims.

Right to restriction of processing (Art. 18 GDPR):

You have the right to request the restriction of processing of your personal data where one of the following applies: you contest the accuracy of the personal data (for the period of verification); the processing is unlawful and you oppose erasure and request restriction instead; we no longer need the personal data for processing purposes, but you require them for the establishment, exercise, or defense of legal claims; or you have objected to processing pursuant to Art. 21 GDPR, pending the verification whether our legitimate grounds override yours. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State. We will inform you before the restriction is lifted.

Right to data portability (Art. 20 GDPR):

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent (Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR) or on a contract (Art. 6(1)(b) GDPR) and the processing is carried out by automated means. In exercising your right to data portability, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

Right to object (Art. 21 GDPR):

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on Art. 6(1)(e) GDPR (task in the public interest or exercise of official authority) or Art. 6(1)(f) GDPR (legitimate interest). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

Withdrawal of consent (Art. 7(3) GDPR):

If the processing is based on your consent, you may withdraw this consent at any time with effect for the future. The lawfulness of processing carried out up to the withdrawal remains unaffected. You may direct your withdrawal informally to the contact details given in this privacy policy or in the imprint.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR):

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Competent supervisory authority for Baden-Wuerttemberg:

Protection of minors:

Our offer is generally aimed at adults. Persons under the age of 18 may not, in principle, transmit personal data to our websites without the consent of their parents or legal guardians. We will never knowingly collect, use in any way, or disclose to third parties personal data obtained from children or minors with limited legal capacity without authorization.