GDPR

Information on Consumer Dispute Resolution (§ 37 VSBG)

Pursuant to § 37 VSBG, we are obliged to inform you that dispute resolution/mediation bodies have been established for disputes between consumers and businesses.

We currently do not participate in any dispute resolution procedure before a consumer arbitration board and are not obliged to do so.

As a consumer, you can contact these bodies; however, participation in such a procedure is voluntary for both parties.

A. General Data Protection

With this data protection information, we inform you about the processing of your personal data in the context of our business relationship and when using our website.

We, as the provider of this website and the controller responsible for data protection (for detailed information, see Legal Notice), take data protection very seriously and design our services so that only necessary personal data is collected, processed and used.

Personal data will under no circumstances be rented or sold to third parties for advertising purposes.

In our organization, only persons who need this data to fulfill their duties, who have been informed about the legal data protection provisions, and who are obliged to act in accordance with the EU General Data Protection Regulation ("GDPR") have access to personal data.

Please also note the explanations in section B of this data protection information when using our website.

I. Data Collection, Legal Basis for Processing and Your Rights

1. Data collection and storage / use and transfer

1.1. We process personal data that we have received from you in the context of our business relationship and that we need, in particular, to process your (travel) requests and (travel) bookings in order to fulfill our duties.

1.2. The relevant personal data generally includes:

• Your booking and contact information (name, surname, address, email address, phone number),
• If necessary, data from your travel documents (passport number, passport information, date of birth),
• Data relating to your payment method,
• Other information necessary to fulfill our contractual obligations and to carry out your trip or other booked services smoothly.

1.3. Within the scope of our business relationship, you must only provide us with personal data that is necessary for establishing and conducting a business relationship or that we are legally obliged to collect. Without this data, we generally cannot fulfill your request or order, or we may have to terminate an existing contract. That is, the use of certain services or functions may depend on you providing the requested data.

2. Legal basis for processing

2.1. The personal data collected from you is collected and processed for different purposes. The concrete purposes of processing depend on each service to be provided by us.

2.2. The legal basis for processing your data arises in particular from Articles 6 and 9 of the GDPR:

• Article 6(1)(a) GDPR: This provision applies when we need or have obtained your express consent for a specific processing purpose.
• Article 6(1)(b) GDPR: This provision applies when the processing of personal data is necessary for the performance of a contract (e.g., processing your travel booking). The same applies to pre-contractual requests (e.g., information requests about our products and services).
• Article 6(1)(c) GDPR: This provision applies when there are legal obligations to which our organization is subject and that require the processing of personal data (e.g., tax obligations or special legal requirements when entering countries such as the USA).
• Article 6(1)(d) GDPR: In rare cases, processing of personal data may be necessary to protect the vital interests of the data subject or another natural person (e.g., in case of injury to a visitor at our facility and transfer of some personal data to health facilities for emergency medical intervention).
• Article 6(1)(f) GDPR: This provision applies when other provisions are not applicable, but processing is necessary to protect legitimate interests of ours or a third party and these interests override the fundamental rights and freedoms of the data subject.

2.3. In exceptional cases, if we need to process special categories of personal data about you (data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sex life or sexual orientation), one of the following legal bases must also be provided:

• You have given explicit consent (Article 9(2)(a) GDPR),
• You or another person are unable to give consent in a life-threatening situation and processing is necessary for vital interests (Article 9(2)(c) GDPR),
• You have made the relevant data public yourself (Article 9(2)(e) GDPR),
• Processing is necessary for the establishment, exercise or defense of legal claims (Article 9(2)(f) GDPR),
• Processing is necessary for reasons of substantial public interest under Union or Member State law and the relevant regulations respect the essence of the right to data protection and contain appropriate measures to safeguard fundamental rights and interests (Article 9(2)(g) GDPR).

2.4. The use of your personal data for advertising or market research purposes only occurs if you have previously given express consent to such use or if processing is necessary to protect legitimate interests of ours or third parties and your fundamental rights and freedoms do not override these interests.

3. Your Rights

3.1. As a data subject, you have the right to request information about what data is stored about you and to what extent this data is processed and transferred to third parties, and to receive a copy of the personal data stored about you.

3.2. You also have the right to request the immediate correction of incorrect personal data and the completion of incomplete data.

3.3. Under certain legal conditions, you have the right to request the immediate deletion of personal data stored about you. Please note that your right to deletion may be subject to exceptions. For example, we do not have to delete data that we cannot delete due to legal retention periods or that is necessary for the establishment, exercise or defense of legal claims.

3.4. Under certain conditions, you have the right to request restriction of processing of your personal data (i.e., marking the data to restrict future processing).

3.5. You can address all your requests to the controller named in our Legal Notice.

3.6. In addition, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority in the Member State where you have your residence, place of work or the place of the alleged infringement if you consider that the processing of your personal data violates the GDPR. The competent supervisory authority will inform you about the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

4. Your Right to Object

4.1. You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data if we process this data for the performance of a task in the public interest or in the exercise of official authority or to protect legitimate interests. You also have an unconditional right to object to the processing of your personal data for direct marketing purposes.

4.2. In the event of an objection, we will no longer process your data, unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or if processing serves the establishment, exercise or defense of legal claims.

4.3. The objection can be made without observing any particular form (informally).

5. Transfer of Your Data / Transfer Outside the European Economic Area

5.1. Due to the scope and complexity of data processing, we cannot list every single recipient of your personal data; therefore, only recipient categories are generally specified.

5.2. Your personal data is generally only transferred to third parties if it is necessary for contract performance, we or a third party have a legitimate interest in the data transfer, or you have given express consent to this transfer. In addition, data may also be transferred to third parties due to legal regulations or enforceable official or judicial decisions.

Third parties to whom we may transfer your data include, for example:

• Providers of booked services (tour operators, airlines, car rental companies, hotels, visa service providers, insurance companies, etc.),
• External advisors (lawyers, tax advisors, auditors, etc.),
• Authorities (e.g., tax office, police, public prosecutor's office)
• Courts
• And other parties to whom you have personally instructed the transfer of data or to whom you have given express consent.

5.3. Service providers (processors) working on our behalf may also have access to the data for these purposes. For example, when making bookings through tourism booking systems such as Amadeus Germany GmbH or Schmetterling International GmbH & Co. KG, your booking data is transmitted to the respective booking system provider, and these companies then forward the data to the respective tour operator/service provider. Service providers providing server infrastructure also fall into this category.

5.4. The transfer of your personal data to countries outside the European Economic Area (EEA) only occurs if the data transfer to the third country in question is necessary for contract performance (Article 49 GDPR) or is mandatory under official/administrative national legal regulations. For example, when traveling to the USA, public authorities such as the Department of Homeland Security may access your passenger data through the airline you booked.

II. Changing Processing Purposes and Data Use

Due to technological developments and organizational changes, our data processing methods may change or evolve over time. We therefore reserve the right to adapt this data protection information to new technical and organizational conditions.

We therefore ask you to review our data protection information again at regular intervals. When you contact us or our website again, the updated data protection information will apply.

B. Specific Provisions for Our Website

I. Booking Systems and Links

1. Booking Systems ("IBE")

1.1. Our website and the online booking systems (IBE) integrated on our site, for example via iFrame, collect a number of general data and information each time they are accessed. This general data and information is stored in the log files of the servers used. The data that may be collected includes:

• The browser types and versions used,
• The operating system used by the accessing system,
• The website from which the accessing system reached our site (referrer),
• The subpages visited on our site via the accessing system,
• The date and time of access,
• The IP address,
• The Internet service provider (ISP) of the accessing system,
• And similar other data necessary to ensure security against attacks on our IT systems.

1.2. We do not draw any conclusions about the identity of the data subject from this general data and information. This information is used:

• To correctly provide the content of our website,
• To optimize content and advertising,
• To ensure the permanent functionality of our IT systems and our website,
• To provide law enforcement agencies with the necessary information and logs in case of a cyber attack.

1.3. Within this context, data collected anonymously or under a pseudonym (pseudonymized) is analyzed statistically and to increase data security. In this way, we aim to achieve the highest possible level of security for the personal data we process. The anonymous data in the server log files is stored separately from other personal data provided by the data subject.

1.4. The transmission of sensitive personal data between your device and our servers (or the servers of our service providers) takes place during booking and payment processes via SSL encryption (Secure Socket Layer). This prevents third parties from reading your data during transmission. In addition, various security mechanisms are implemented to prevent unauthorized access by third parties to our servers.

1.5. We also apply organizational and technical protection measures that we regularly evaluate and update as necessary to protect the stored and processed personal data.

2. Links to Other Websites

We use external links on our website that lead to other websites of third parties. We have no control over the content and design of these sites. Therefore, this data protection information does not apply to these linked sites of other providers.

II. Use of Cookies

1. General Information about Cookies

We use "cookies" on our website to adapt and optimize the user experience and online usage time to personal preferences.

A cookie is a small text file stored in the temporary memory of your computer (session cookie) or on the hard disk (persistent cookie). Cookies may contain information such as previous visits by the user to the relevant server, which offers and pages were previously viewed.

Cookies are not used to run programs on your computer or install viruses. The main purpose is to present you with a personalized online offer and make the use of our services as comfortable as possible.

2. Avoiding Cookies

Visitors have the option to refuse the use of cookies at any time. This can usually be done via the settings of the Internet browser used or via the cookie information/banner area that appears when accessing our site.

Detailed information on deactivating cookies via browser settings or the cookie banner can be found in the help menu of the browser you are using.

Deactivating cookies may partially restrict the functional scope of our services and have negative effects on the use of some functions on our site.

III. Newsletter / Contact Form / Guestbook

1. Our Newsletter

1.1. On our website, we offer the opportunity to subscribe to our newsletter. Which personal data is transmitted when subscribing to the newsletter is evident from the input fields of the registration form.

1.2. We inform our customers and business partners regularly in the newsletter about current offers from our company. To receive our newsletter, you need a valid email address and must register for the newsletter.

1.3. For legal reasons, we apply the double opt-in procedure. This means that after registration, a confirmation email is sent to the email address you entered. This email serves to verify whether the email address actually belongs to you.

1.4. We also store the IP address assigned to you by your Internet service provider (ISP), as well as the date and time of newsletter registration. This is necessary to secure evidence and legal protection in case of possible misuse.

1.5. The personal data collected in the context of newsletter registration is used exclusively for sending the newsletter. Subscribers may be informed by email if the newsletter service or technical circumstances change.

1.6. Our company uses the CleverReach service for sending email newsletters. Service provider: CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany. The data you enter when registering for the newsletter (e.g., your email address) is stored on CleverReach's servers.

1.7. Newsletter delivery via CleverReach also enables statistical analysis of newsletters. Data such as how many recipients opened the newsletter and how frequently which links were clicked can be analyzed. With the help of conversion tracking, it can also be analyzed whether a previously defined action was performed after clicking on a link in the newsletter. Technical information is also transmitted; however, all this data is only processed pseudonymously and not combined with users' personal data. No direct identification takes place.

1.8. If you do not want these analyses, you must cancel your newsletter subscription. Each newsletter email contains a link to unsubscribe. When you cancel the newsletter, your data is also deleted from CleverReach servers.

1.9. Our company has concluded a data processing agreement with CleverReach and fulfills all strict requirements prescribed by the German data protection authorities for this service. For more information on CleverReach's data protection provisions, visit: https://www.cleverreach.com/de/datenschutz/

IV. Use of Third-Party Programs and Social Media Tools

To continuously improve our services, we conduct analyses on how visitors use our site. For this purpose, mostly anonymous or pseudonymous user profiles are created. In addition, various social media functions are used on our site.

The tools/services used for this include (Google Analytics, Google Ads, Tag Manager, Maps, Facebook, Facebook Pixel, Twitter, Instagram, YouTube, rankingCoach, etc.).

(The following points are translations of the technical and legal explanations from the German text; company/product names and links have been left in their original form.)

1. Google Analytics (with Anonymization Function)

Google Analytics, provided by Google Ireland Limited, is a web analytics service. IP addresses are anonymized within the EU/EEA. Google Analytics collects data on which pages are accessed how frequently and for how long, where users come from, and uses this to analyze website performance and advertising effectiveness.

Data collected via cookies may be transmitted to Google servers in the USA. You can block cookie use in your browser settings or prevent data collection with the browser plugin provided by Google (https://tools.google.com/dlpage/gaoptout).