Privacy Policy
Last updated: March 31, 2025
Data protection at a glance
Privacy Policy | Sonnenhotels GmbH
Last updated: 31.03.2025
Who we are
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection provisions is:
Sonnenhotels GmbH
Nordhäuser Str. 1
38667 Bad Harzburg
Germany
+49 (0) 5321 68554 0
info@sonnenhotels.de
On this page we inform you about the processing of your personal data on this website.
How we collect and use your personal data depends on how you interact with us and which services you use. We only collect, use or share your personal data where we have a legitimate purpose and a legal basis for doing so.
What do we mean by legal basis?
Consent (Art. 6 (1) sentence 1 lit. a GDPR) – You have given us your consent to process your personal data for the specific purpose we have explained to you. You have the right to withdraw your consent at any time. Further information on how to withdraw your consent can be found in the subsections “Exercising your rights” in the following sections of this privacy policy.
Contract (Art. 6 (1) sentence 1 lit. b GDPR) – We need to use your data in order to perform a contract you have with us. Alternatively, it is necessary to use your data because we have asked you to take certain steps, or you yourself have taken certain steps, before entering into that contract.
Legal obligation (Art. 6 (1) sentence 1 lit. c GDPR) – We need to use your data in order to comply with the law.
Vital interests (Art. 6 (1) sentence 1 lit. d GDPR) – Processing your data is necessary to protect your vital interests or those of another person, for example to protect you from serious physical harm.
Public task (Art. 6 (1) sentence 1 lit. e GDPR) – Processing your data is necessary for the performance of a task carried out in the public interest, or because it is covered by a task laid down by law, e.g. for a statutory function.
Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR) – Processing your data is necessary to support a legitimate interest that we or another party have, but only where your own interests do not override that interest.
Please note that if your data is processed for the performance of a contract or to comply with a legal obligation and you do not provide the requested data, we may not be able to provide you with our website services.
Data sharing and international transfers
As explained in this privacy policy, we use various service providers who help us deliver our services and keep your data secure. When we use these service providers, it is necessary for us to share your personal data with them.
We have concluded agreements with all service providers with whom we share your data, obliging them to protect your data.
If your personal data is shared outside the EU, we ensure that your personal data receives an equivalent level of protection, either because the country to which your data is transferred has an “adequate” data protection standard according to the European Commission, or by applying another safeguard, such as an enhanced contractual arrangement, i.e. the Standard Contractual Clauses (SCCs) adopted by the European Commission.
For example, where we use US service providers, we rely, depending on the provider, either on the SCCs or on the EU-US Data Privacy Framework. You can request a copy of the SCCs we have concluded with our service providers by sending an email to the email address stated in this privacy policy.
Controller
Contacting the Data Protection Officer
If personal data concerning you is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. The right of access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have a right of access to this data and to the following information:
- Purposes of processing
- Categories of personal data
- Recipients or categories of recipients
- Envisaged storage period or the criteria used to determine that period
- The existence of the rights to rectification, erasure, restriction or objection
- The right to lodge a complaint with the competent supervisory authority
- Where applicable, the origin of the data (if collected from a third party)
- Where applicable, the existence of automated decision-making, including profiling, with meaningful information about the logic involved as well as the significance and the envisaged consequences
- Where applicable, the transfer of personal data to a third country or an international organisation
2. Right to rectification (Art. 16 GDPR)
If your personal data is inaccurate or incomplete, you have the right to request the immediate rectification or completion of your personal data.
3. Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of the processing of your personal data if one of the following conditions is met:
- You contest the accuracy of your personal data, for a period enabling us to verify the accuracy of the personal data.
- In the case of unlawful processing, you oppose the erasure of the personal data and request the restriction of its use instead.
- We no longer need your personal data for the purposes of processing, but you require it for the establishment, exercise or defence of your legal claims, or
- after you have objected to the processing, pending verification of whether our legitimate grounds override yours.
4. Right to erasure (“right to be forgotten”) (Art. 17 GDPR)
You have the right to request the immediate erasure of your personal data if one of the following grounds applies:
- Your data is no longer necessary for the purposes for which it was originally collected.
- You withdraw your consent and there is no other legal basis for the processing.
- You object to the processing and there are no overriding legitimate grounds for the processing, or you object pursuant to Art. 21 (2) GDPR.
- Your personal data is being processed unlawfully.
- Erasure is necessary to comply with a legal obligation under Union law or the law of the Member State to which we are subject.
- The personal data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.
Please note that the above grounds do not apply to the extent that processing is necessary:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation or to perform a task carried out in the public interest to which we are subject.
- For reasons of public interest in the area of public health.
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
- for the establishment, exercise or defence of legal claims.
5. Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format, or to request that it be transmitted to another controller.
6. Right to object to certain data processing (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 (1) sentence 1 lit. e or f GDPR. This also applies to profiling based on those provisions.
If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
7. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
A list of the supervisory authorities with local jurisdiction in Germany is available on the website of the Federal Commissioner for Data Protection at the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
1. Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.
The following data is collected:
- Information about the browser type and the version used
This data is stored in the log files of our system.
This does not include the user’s IP addresses or other data that would make it possible to attribute the data to a user. This data is not stored together with other personal data of the user.
This data is not stored together with other personal data of the user.
2. Purpose of data processing
Storage in log files takes place in order to ensure the functionality of the website. The data also helps us to optimise the website and to ensure the security of our IT systems. The data is not analysed for marketing purposes in this context.
3. Legal basis for data processing
The legal basis for the temporary storage of the data and the log files is Art. 6 (1) sentence 1 lit. f GDPR.
4. Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Where data is collected for the provision of the website, this is the case when the respective session has ended.
Where data is stored in log files, this is the case after no more than seven days. Storage beyond this period is possible. In this case, the users’ IP addresses are deleted or obfuscated so that it is no longer possible to attribute them to the accessing client.
5. Exercising your rights
The collection of data for the provision of the website and the storage of the data in log files is strictly necessary for the operation of the website. The user may object to this. Whether the objection is successful must be determined as part of a balancing of interests.
1. Description and scope of data processing
When you visit our website, we use technical tools for various functions, in particular cookies, which may be stored on your device. When you access our website, and at any time thereafter, you can choose whether to allow the setting of cookies in general or which individual additional functions you wish to select. You can make changes in your browser settings or via our consent manager.
Cookies are text files or information in a database that are stored on your hard drive and assigned to the browser you are using, so that certain information can flow to the entity setting the cookie. Below we describe the types of cookies we use:
We use technically necessary cookies that are required for the technical structure of the website. Without these cookies, our website cannot be displayed (fully and correctly) or the support functions are not available.
The following data is stored and transmitted by the technically necessary cookies:
- Language settings
We also use cookies on our website that are not technically necessary. Cookies that are not technically necessary are text files that do not serve solely to ensure the functionality of the website but also collect other data.
By setting cookies that are not technically necessary, the following data is processed:
- Location of the internet user
2. Purpose of data processing
The purpose of using technically necessary cookies is to ensure the functionality of our website. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognised even after a page change.
We require the technically necessary cookies for the following applications:
- Functionality of the website
Cookies that are not technically necessary are used for the purpose of improving the quality of our website, its content and thus our reach and profitability. By setting these cookies, we learn how the website is used and can continually optimise our offering. In particular, these cookies serve the following purposes:
Cookies that are not technically necessary are used to improve the user experience, to enable statistical analyses and to provide personalised content and advertising.
3. Legal basis for data processing
The storage of information on the end user’s terminal equipment and/or access to information already stored on the end user’s terminal equipment is governed by the provisions of the German Telecommunications-Telemedia Data Protection Act (TTDSG). Where the setting and reading of cookies is technically necessary, this is done in order to ensure the functionality of our website. In this case, the storage of and access to cookies on your terminal equipment is based on § 25 (2) no. 2 TTDSG. This storage of and access to the information on your terminal equipment serve to make it easier for you to use our website and to enable us to offer you our services as requested by you. Some functions of our website also do not work without the use of these cookies and could therefore not be offered. Cookies are generally deleted at the end of the session (e.g. when you log out or close the browser) or after a specified period has expired. Information on differing storage periods for cookies can be found in the following sections of this privacy policy.
Where cookies are used that are not technically necessary, this is done on the basis of your express consent, which you can give via the cookie banner. In this case, the basis for the storage of and access to information is § 25 (1) TTDSG in conjunction with Art. 6 (1) lit. a), Art. 7 GDPR. You can withdraw your consent at any time with effect for the future, or grant it again later, by configuring your cookie settings accordingly. Alternatively, you can prevent the storage of cookies by making the appropriate settings in your browser software. Please note that browser settings only ever apply to the browser used in each case. If personal data is processed following the storage of and access to the information on your terminal equipment, the provisions of the GDPR apply. Information on this can be found in the following sections of this privacy policy.
4. Exercising your rights
You can withdraw your consent to the use of cookies at any time and manage your consent preferences at the following link: https://www.sonnenhotels.de/datenschutz/
On our website we offer the option of booking hotel rooms.
For this purpose, we use the Software as a Service (SaaS) rented shop system of a service provider commissioned by us.
The name of our rented shop system as well as the name and address of the service provider are:
of the provider vioma GmbH Industriestraße 27 77656 Offenburg Germany. Further information can be found in the provider’s privacy policy: https://www.vioma.de/de/datenschutz/
The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The stored information is:
This data is not combined with other data sources. This data is collected on the basis of Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and the optimisation of its website – for this purpose, the server log files must be collected.
We have concluded a data processing agreement with the relevant service provider, in which we oblige the service provider to protect user data and not to pass it on to third parties.
The server of the website is geographically located in Germany.
1. Description and scope of data processing
We offer our customers various payment options for processing their orders. Depending on the payment option, we redirect customers to the platform of the relevant payment service provider. After completion of the payment process, we receive the customers’ payment data from the payment service providers or from our bank and process it in our systems for invoicing and accounting purposes.
Payment by credit card
It is possible to complete the payment process by credit card.
If you have chosen to pay by credit card, payment data is passed on to payment service providers for payment processing. All payment service providers comply with the requirements of the Payment Card Industry (PCI) Data Security Standards and have been certified by an independent PCI Qualified Security Assessor.
The following data is regularly transmitted in the course of payment by credit card:
- Purchase amount
- Date and time of the purchase
- First name and surname
- Address
- Email address
- Credit card number
- Validity period of the credit card
- Security code (CVC)
- IP address
- Telephone number / mobile number
Payment data is passed on to the following payment service providers:
- Hobex of the provider hobex AG Josef-Brandstätter-Straße 2b 5020 Salzburg Austria. Further information about the processing of your data by Hobex can be found in Hobex’s privacy policy at: https://www.hobex.at/datenschutz/.
Payment via PayPal
It is possible to process the payment via the payment service provider PayPal. In addition to a direct payment method, PayPal also offers purchase on account, direct debit, credit card and payment in instalments.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
If you choose PayPal as your payment method, the data required for the payment process is automatically transmitted to PayPal.
This particularly concerns the following data:
- Name
- Address
- Email address
- Telephone/mobile number
- IP address
- Bank details
- Card number
- Expiry date and CVC code
- Number of items
- Item number
- Data on goods and services
- Transaction amount and taxes
- Information on previous purchasing behaviour
The data transmitted to PayPal may be transmitted by PayPal to credit reference agencies. The purpose of this transmission is to verify identity and creditworthiness.
PayPal may also pass on your data to third parties where this is necessary for the fulfilment of contractual obligations or where the data is to be processed on its behalf. Where your personal data is transferred within companies affiliated with PayPal, the Binding Corporate Rules approved by the competent supervisory authorities apply. You can find them here:
https://www.paypal.com/de/webapps/mpp/ua/bcr
Other data transfers may be based on contractual safeguards. For further information, please contact PayPal.
All PayPal transactions are subject to PayPal’s privacy policy. You can find it at:
Payment via Sofortüberweisung (instant bank transfer)
It is possible to pay via Sofortüberweisung (instant bank transfer). In this case, the data is collected by Sofort GmbH, Theresienhöhe 12, 80339 München.
The controller does not collect or store the data itself.
By issuing a Sofortüberweisung transfer, you instruct Sofort GmbH to automatically check whether your account covers the amount to be transferred (account balance check) and whether any Sofortüberweisung transfers from your account in the last 30 days have been carried out successfully, and, following a positive check, to transmit the transfer order you have approved to your bank in electronic form, and to inform us, as the payee you have selected (online provider), of the successful placement of the transfer.
For this purpose, Sofort GmbH requires the IBAN as well as the PIN and TAN of your online banking account. During the ordering process, you are automatically redirected to the secure payment form of Sofort GmbH.
Immediately afterwards, you receive confirmation of the transaction. We then directly receive the transfer credit.
Sofortüberweisung can be used as a payment method by anyone who has an activated online banking account with a PIN/TAN procedure.
Please note that a small number of banks do not yet support payment via Sofortüberweisung.
Further information on the stored data is available at https://www.sofort.com/ger-DE/general/fuer-kaeufer/fragen-und-antworten/.
2. Purpose of data processing
The transmission of payment data to payment service providers serves to process the payment, e.g. when you purchase a product and/or use a service.
3. Legal basis for data processing
The legal basis for the data processing is Art. 6 (1) sentence 1 lit. b GDPR, as the processing of the data is necessary for the performance of the purchase contract concluded.
4. Duration of storage
All payment data as well as data on any chargebacks that may occur are only stored for as long as they are required for payment processing, for the possible handling of returned direct debits and debt collection, and for the prevention of misuse.
Furthermore, payment data may be stored beyond this period if and for as long as this is necessary to comply with statutory retention periods or to pursue a specific case of misuse.
Your personal data will be deleted upon expiry of the statutory retention obligations, i.e. after no more than 10 years.
5. Exercising your rights
If the data is required for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible to the extent that no contractual or statutory obligations prevent deletion.
1. Description and scope of data processing
On our website, you can subscribe to a free newsletter. When you register for the newsletter, the data from the input form is transmitted to us.
In order to provide this service, we collect the following data from you:
- Email address
Your consent is obtained for the processing of the data during the registration process, and reference is made to this privacy policy.
No data is passed on to third parties in connection with the data processing for sending newsletters. The data is used exclusively for sending the newsletter.
2. Purpose of data processing
The user’s email address is collected in order to deliver the newsletter.
The collection of other personal data during the registration process serves to prevent misuse of the services or of the email address used.
3. Legal basis for data processing
The legal basis for the processing of data after the user has registered for the newsletter is Art. 6 (1) sentence 1 lit. a GDPR, provided the user has given their consent.
4. Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. The user’s email address is therefore stored for as long as the newsletter subscription is active.
Other personal data collected during the registration process is generally deleted after a period of seven days.
5. Exercising your rights
The newsletter subscription can be cancelled by the user concerned at any time. Each newsletter contains a corresponding link for this purpose.
This also makes it possible to withdraw consent to the storage of the personal data collected during the registration process.
1. Description and scope of data processing
Our website contains a contact form that can be used for electronic contact. If a user makes use of this option, the data entered in the input form is transmitted to us and stored.
At the time the message is sent, the following data is stored:
- Email address
2. Purpose of data processing
The processing of personal data from the input form of the contact form or via the email address provided serves solely to handle the contact request.
The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our IT systems.
3. Legal basis for data processing
The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in responding optimally to the enquiry you send us via the contact form. If the email contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR.
4. Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data from the input form of the contact form and data sent by email, this is the case when the respective conversation with the user has ended. The conversation has ended when the circumstances indicate that the matter in question has been conclusively resolved.
The additional personal data collected during the sending process will be deleted no later than after a period of seven days.
5. Exercising your rights
If the user contacts us via the input form in the contact form, they may object to the storage of their personal data at any time, in the following manner:
Every user is free to publish personal data through their activities. Insofar as we process your personal data in order to analyse your online behaviour, to offer you prize draws or to run lead campaigns, this is done on the basis of your express declaration of consent, Art. 6 (1) sentence 1 lit. a, Art. 7 GDPR. The legal basis for the processing of personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in responding optimally to your enquiry and in being able to provide the requested information. If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR. The data generated through the corporate presence is not stored in our own systems.
In this case, all personal data stored in the course of the contact will be deleted.
Instagram, Part of Meta Platforms Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland
On our company page, we provide information and offer Instagram users the opportunity to communicate with us.
If you carry out an action on our Instagram company presence (e.g. comments, posts, likes, etc.), you may make personal data (e.g. your real name or a photo from your user profile) publicly available.
However, as we generally or largely have no influence on the processing of your personal data by Instagram, we cannot make any binding statements about the purpose and scope of the processing of your data.
We use our corporate presence on social networks for communication and the exchange of information with (potential) customers. In particular, we use the corporate presence for:
– Marketing & advertising – promoting offers, seasonal specials and last-minute deals.
– Brand building – presenting the hotels, the locations and the special range of services.
– Customer acquisition & retention – directly addressing potential guests and interacting with existing customers.
– Storytelling & inspiration – sharing holiday experiences, hotel insights and travel tips.
– Customer service – answering questions and responding to feedback or complaints.
– Recruiting – attracting new team members through targeted employer branding.
Publications via the corporate presence may include the following content:
- Information about products
- Information about services
- Prize draws
- Advertising
Every user is free to publish personal data through their activities.
Insofar as we process your personal data in order to analyse your online behaviour, to offer you prize draws or to run lead campaigns, this is done on the basis of your express declaration of consent, Art. 6 (1) sentence 1 lit. a, Art. 7 GDPR.
The legal basis for the processing of personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in responding optimally to your enquiry and in being able to provide the requested information.
If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR.
The data generated through the corporate presence is not stored in our own systems.
For the processing of your personal data in third countries, we have provided appropriate safeguards in the form of standard data protection clauses pursuant to Art. 46 (2) lit. c GDPR. A copy of the standard data protection clauses can be requested from us.
You can object at any time to the processing of your personal data that we collect in the course of your use of our corporate presence, and assert your rights as a data subject as set out in the section “Your Rights” in this privacy policy. To do so, simply send us an informal email to datenschutz@sonnenhotels.de. Further information on the processing of your personal data by Instagram and the corresponding objection options can be found here:
Instagram: https://help.instagram.com/519522125107875
YouTube
YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, United States
On our company page, we provide information and offer YouTube users the opportunity to communicate with us.
If you carry out an action on our YouTube company presence (e.g. comments, posts, likes, etc.), you may make personal data (e.g. your real name or a photo from your user profile) publicly available.
However, as we generally or largely have no influence on the processing of your personal data by YouTube, we cannot make any binding statements about the purpose and scope of the processing of your data.
We use our corporate presence on social networks for communication and the exchange of information with (potential) customers. In particular, we use the corporate presence for:
– Brand building – presenting the hotels, the locations and the special range of services.
– Customer acquisition & retention – directly addressing potential guests
– Storytelling & inspiration – sharing holiday experiences, hotel insights and travel tips.
Publications via the corporate presence may include the following content:
- Information about products
- Information about services
- Prize draws
- Advertising
Every user is free to publish personal data through their activities.
Insofar as we process your personal data in order to analyse your online behaviour, to offer you prize draws or to run lead campaigns, this is done on the basis of your express declaration of consent, Art. 6 (1) sentence 1 lit. a, Art. 7 GDPR.
The legal basis for the processing of personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in responding optimally to your enquiry and in being able to provide the requested information.
If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR.
For the processing of your personal data in third countries, we have provided appropriate safeguards in the form of standard data protection clauses pursuant to Art. 46 (2) lit. c GDPR. A copy of the standard data protection clauses can be requested from us.
You can object at any time to the processing of your personal data that we collect in the course of your use of our corporate presence, and assert your rights as a data subject as set out in the section “Your Rights” in this privacy policy. To do so, simply send us an informal email to datenschutz@sonnenhotels.de. Further information on the processing of your personal data by YouTube and the corresponding objection options can be found here:
1. Scope of data processing
The corporate presence is used for job applications, information/PR and active sourcing. We have no information about the processing of your personal data by the companies jointly responsible for the corporate presence. Further information can be found in the privacy policy of:
On our page, we provide information and offer users the opportunity to communicate with us.
The corporate presence is used for job applications, information/PR and active sourcing.
We have no information about the processing of your personal data by the companies jointly responsible for the corporate presence. Further information can be found in the privacy policy of:
LinkedIn:
https://www.linkedin.com/legal/privacy-policy
XING:
If you carry out an action on our corporate presence (e.g. comments, posts, likes, etc.), you may make personal data (e.g. your real name or a photo from your user profile) publicly available.
2. Legal basis for data processing
The legal basis for the processing of personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in responding optimally to your enquiry and in being able to provide the requested information.
If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR.
3. Purpose of data processing
Our corporate presence serves to inform users about our services. Every user is free to publish personal data through their activities.
4. Duration of storage
The data generated through the corporate presence is not stored in our own systems.
5. Exercising your rights
You can object at any time to the processing of your personal data that we collect in the course of your use of our corporate presence, and assert your rights as a data subject as set out in the section “Your Rights” in this privacy policy. To do so, simply send us an informal email to the email address stated in this privacy policy.
Further information on exercising your rights can be found here:
LinkedIn:
https://www.linkedin.com/legal/privacy-policy
XING:
The website is hosted on servers of a service provider commissioned by us.
Our service provider is:
raidboxes GmbH of the provider Raidboxes GmbH Hafenstraße 32 48153 Münster. Further information can be found in the provider’s privacy policy: https://raidboxes.io/legal/privacy/
The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The stored information is:
- Information about the browser type and the version used
- The user’s operating system
- Date and time of access
- Websites from which the user’s system reaches our website
- Websites accessed by the user’s system via our website
This data is not combined with other data sources. This data is collected on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interest in processing this data lies in displaying our website without errors and in optimising its functions.
The server of the website is geographically located in Germany.
We use the IP address and other information provided by the user (in particular the postcode provided during registration or ordering) for regional audience targeting (so-called “geotargeting”).
Regional audience targeting serves, for example, to automatically show you regional offers or advertising that is often more relevant to users. The legal basis for the use of the IP address and, where applicable, other information provided by the user (in particular the postcode) is Art. 6 (1) lit. f GDPR, based on our interest in ensuring more precise audience targeting and thus providing offers and advertising with greater relevance for users.
Only part of the IP address and the additional information provided by the user (in particular the postcode) are merely read and are not stored separately.
You can prevent geotargeting by using, for example, a VPN or proxy server that prevents precise localisation. In addition, depending on the browser you use, you can also deactivate location detection in the relevant browser settings (where supported by the respective browser).
We use geotargeting on our website for the following purposes:
- Advertising purposes
We use various service providers in order to deliver the services we offer on the website.
In general, we have a legitimate interest in sharing your data with the relevant service providers where these services are essential for the provision of the basic service offered on the website, in order to provide the relevant website service.
Where such services are required for additional services, extended functions or additional purposes, your personal data will only be shared with service providers if you give your consent.
Here you can withdraw your consent to the use of integrated third-party services at any time and manage your consent settings: https://www.sonnenhotels.de/datenschutz/
Use of Bing Ads
1. Scope of the processing of personal data
We use the conversion tracking tool Bing Ads of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter: Microsoft). Bing Ads stores a cookie on your computer if you have reached our online presence via a Bing Ads advert. As a result, personal data may be stored and analysed, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system), data about the adverts displayed (in particular which adverts were displayed and whether the user clicked on them) and also data from advertising partners (in particular pseudonymised user IDs). We only learn the total number of users who clicked on a Bing advert and were then redirected to the conversion page. Further information on the processing of data by Microsoft is available here: https://privacy.microsoft.com/de-de/privacystatement
2. Purpose of data processing
In this way, Microsoft Bing and we can recognise that someone clicked on an advert, was redirected to our online presence and reached a previously defined target page (conversion page).
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is generally the user’s consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.
5. Exercising your rights
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal. You can prevent the collection and processing of your personal data by Microsoft by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. You can deactivate the use of your personal data by Microsoft via the following link: https://account.microsoft.com/privacy/ad-settings/ Further information on objection and removal options vis-à-vis Microsoft can be found at: https://privacy.microsoft.com/de-de/privacystatement .
Use of Bootstrap
1. Scope of the processing of personal data
We use the open-source framework Bootstrap. It is loaded via the content delivery network of bootstrapcdn.com. The provider of this service is MaxCDN DBA StackPath, 2021 McKinney Ave., Suite 1100, Dallas, TX 75201, USA (hereinafter: StackPath). Through the use of BootstrapCDN, cookies are set on your computer and usage data is stored. As a result, personal data may be stored and analysed, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on) as well as device and browser information (in particular the IP address and the operating system). Further information on the processing of data by StackPath is available here: https://www.bootstrapcdn.com/privacy-policy/
2. Purpose of data processing
Bootstrap is used to improve our online presence and its user-friendliness.
3. Legal basis for the processing of personal data
The legal basis for the processing is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in the purposes of data processing stated under 2.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.
5. Exercising your rights
You can prevent the collection and processing of your personal data by StackPath by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. Further information on objection and removal options vis-à-vis StackPath can be found at: https://www.bootstrapcdn.com/privacy-policy/
Use of the Google Marketing Platform
1. Scope of the processing of personal data
We use the Marketing Platform of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and its representative in the Union, Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter: Google). Google sets a cookie on your computer. As a result, personal data may be stored and analysed, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system), data about the adverts displayed (in particular which adverts were displayed and whether the user clicked on them) and also data from advertising partners (in particular pseudonymised user IDs). Due to the marketing tools used, your browser automatically establishes a direct connection with Google’s server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge. If you are registered with a Google service, Google can associate your visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may obtain and store your IP address. Further information on the processing of data by Google is available here: https://policies.google.com/privacy?gl=DE&hl=de
2. Purpose of data processing
The Google Marketing Platform is used to show users relevant adverts, to improve campaign performance reports and to avoid a user seeing the same adverts more than once.
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is generally the user’s consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR.
4. Duration of storage
The Google Marketing Platform stores your data until the stated purpose has been fulfilled, with a maximum storage period of 18 months.
5. Exercising your rights
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal. You can prevent the collection and processing of your personal data by Google by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. You can deactivate the use of your personal data by Google via the following link: https://adssettings.google.de Further information on objection and removal options vis-à-vis Google can be found at: https://policies.google.com/privacy?gl=DE&hl=de
Use of the Facebook Pixel
1. Scope of the processing of personal data
We use the Facebook pixel of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA and its representative in the Union, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal H , D2 Dublin, Ireland (hereinafter: Facebook) on our online presence. With its help, we can track the actions of users after they have seen or clicked on a Facebook advert. As a result, personal data may be stored and analysed, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system), data about the adverts displayed (in particular which adverts were displayed and whether the user clicked on them) and also data from advertising partners (in particular pseudonymised user IDs). This allows us to measure the effectiveness of Facebook adverts for statistical and market research purposes. Data may be transferred to Facebook servers in the USA. The data collected in this way is anonymous to us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook. Facebook may link this data to your Facebook account and also use it for its own advertising purposes, in accordance with Facebook’s data use policy. Further information on the processing of data by Facebook is available here: https://de-de.facebook.com/policy.php
2. Purpose of data processing
The Facebook pixel is used to analyse and optimise advertising measures.
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is generally the user’s consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.
5. Exercising your rights
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal. You can prevent the collection and processing of your personal data by Facebook by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. Further information on objection and removal options vis-à-vis Facebook can be found at: https://de-de.facebook.com/policy.php
Use of Google Analytics 4 (GA 4)
1. Scope of the processing of personal data
We use Google Analytics, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google).
Google Analytics examines, among other things, how website visitors use our site. Google sets cookies on your device. During the visit, user behaviour is recorded in the form of “events”. As a result, personal data may be stored and analysed, including:
- First visit to the website
- Interaction with the website, usage path
- Clicks on external links
- Video usage
- File downloads
- Ad impressions and clicks
- Scroll behaviour (when scrolling to the end of the page)
- Searches on the website
- Language selection
- Page visits
- Location (region)
- Your IP address (in shortened form)
- Technical information about your browser and the devices you use (e.g. language setting, screen resolution)
- Your internet provider
- Referrer URL
IP address anonymisation is activated by default in GA 4. This means that your IP address is shortened by Google within the Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in rare exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. Google states that the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.
Further information on the processing of data by Google is available here: https://policies.google.com/privacy
2. Purpose of data processing
We use GA 4 to analyse the use of our online presence and to generate reports on the activities on our website. The reports serve to analyse the performance of our website and to deliver targeted advertising to people who have already expressed an initial interest through their visit to the site.
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is generally the user’s consent pursuant to Art. 6 (1) sentence 1 lit. a) GDPR.
4. Duration of storage
Your personal data will be deleted after a period of 2 months. This deletion takes place automatically once a month.
5. Exercising your rights
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal. You can withdraw your consent via our cookie consent tool.
You can prevent the collection and processing of your personal data by Google by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net) or Ghostery (https://www.ghostery.com) in your browser.
Further information on objection and removal options vis-à-vis Google can be found at: https://policies.google.com/technologies/partner-sites
You can also prevent the collection of the data generated by the cookie and relating to your use of the online presence (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de
You can deactivate the use of your personal data by Google via the following link: https://adssettings.google.de
Use of Google Webfonts
1. Scope of the processing of personal data
We use Google Webfonts of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and its representative in the Union, Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter: Google). When the page is accessed, the web fonts are transferred to the browser cache so that they can be used for the visually improved presentation of various information. If the browser does not support Google Webfonts or blocks access, the text is displayed in a standard font. No cookies are stored on the visitor’s device when the page is accessed. Data transmitted in connection with the page view is sent to resource-specific domains such as https://fonts.googleapis.com or https://fonts.gstatic.com. As a result, personal data may be stored and analysed, in particular the user’s activity, in particular which pages have been visited and which elements have been clicked on, and device and browser information, in particular the IP address and the operating system. The data is not linked to data that may be collected or used in connection with the parallel use of authenticated Google services such as Gmail. Further information on the processing of data by Google is available here: https://policies.google.com/privacy?gl=DE&hl=de
2. Purpose of data processing
Google Webfonts are used to present our texts in an appealing way. If your browser does not support this function, a standard font from your computer is used for the display.
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is generally the user’s consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.
5. Exercising your rights
You can prevent the collection and processing of your personal data by Google by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. You can deactivate the use of your personal data by Google via the following link: https://adssettings.google.de Further information on objection and removal options vis-à-vis Google can be found at: https://policies.google.com/privacy?gl=DE&hl=de
Use of Brevo
1. Scope of the processing of personal data
We use the service provider Brevo of Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France (hereinafter: Brevo) to send our newsletters. Brevo is a provider of email and SMS marketing and enables us to communicate directly with potential customers via email and SMS newsletters. When you register for the newsletter, the data you enter during the newsletter registration is transferred to Brevo and stored there. As a result, further personal data may be stored and analysed, in particular the user’s activity (in particular which pages have been visited and which elements have been clicked on) and device and browser information (in particular the IP address and the operating system). For this purpose, your data is also stored by Brevo. Your data is not passed on to third parties for the purpose of receiving the newsletter, and Brevo does not acquire any right to pass on your data. After registration, Brevo sends you an email to confirm your registration. Brevo also offers various analysis options regarding how the newsletters sent are opened and used, e.g. how many users an email or SMS was sent to, whether emails or SMS were rejected and whether users unsubscribed from the list after receiving an email or SMS.
Further information on the processing of data by Brevo is available here:
https://www.brevo.com/de/legal/privacypolicy/
2. Purpose of data processing
The personal data collected when registering for the newsletter is used exclusively to send our newsletter, possibly to invite you to events and, if you are already our customer, for our customer mailing. Furthermore, newsletter subscribers may be informed by email where this is necessary for the operation of the newsletter service or a related registration, as may be the case in the event of changes to the newsletter offering or changes to the technical circumstances.
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is generally the user’s consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law. In addition, you can contact Brevo and request the deletion of your data.
5. Exercising your rights
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal.
You can withdraw your consent to the storage of your data and its use for sending the newsletter via Brevo at any time. You can exercise your withdrawal at any time by sending an email to Brevo or by clicking on the link provided in every newsletter.
Further information on objection and removal options vis-à-vis Brevo can be found at:
Use of Google Tag Manager
1. Scope of the processing of personal data
We use the Google Tag Manager (https://www.google.com/intl/de/tagmanager/) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and its representative in the Union, Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter: Google). With Google Tag Manager, tags from Google services and third-party providers can be managed and embedded in a bundled way on an online presence. Tags are small code elements on an online presence that serve, among other things, to measure visitor numbers and behaviour, to record the impact of online advertising and social channels, to use remarketing and audience targeting, and to test and optimise online presences. When a user visits the online presence, the current tag configuration is sent to the user’s browser. It contains instructions on which tags are to be triggered. Google Tag Manager triggers other tags, which in turn may collect data. Information on this can be found in the passages on the use of the relevant services in this privacy policy. Google Tag Manager does not access this data. Further information on Google Tag Manager can be found at https://www.google.com/intl/de/tagmanager/faq.html and in Google’s privacy policy: https://policies.google.com/privacy?hl=de
2. Purpose of data processing
The purpose of processing the personal data lies in the consolidated and clear management as well as the efficient integration of third-party services.
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is generally the user’s consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law. Advertising data in server logs is anonymised, with Google stating that it deletes parts of the IP address and cookie information after 9 and 18 months respectively.
5. Exercising your rights
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of withdrawal. You can prevent the collection and processing of your personal data by Google by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. You can also prevent the collection of the data generated by the cookie and relating to your use of the online presence (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de You can deactivate the use of your personal data by Google via the following link: https://adssettings.google.de Further information on objection and removal options vis-à-vis Google can be found at: https://policies.google.com/privacy?gl=DE&hl=de
Use of Borlabs Cookie
1. Scope of the processing of personal data
We use functionalities of the cookie consent solution Borlabs Cookie of the provider Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg, Germany (hereinafter: Borlabs). Borlabs enables us to obtain, manage and document users’ consent to data processing in a legally compliant manner. For this purpose, Borlabs sets cookies on the user’s device.
The following data is processed:
- Cookie duration
- Cookie version
- Domain and path of the website
- Opt-in and opt-out data
- UID (randomly generated user ID)
Further information on the processing of data by Borlabs is available here: https://de.borlabs.io/datenschutz/
2. Purpose of data processing
The processing of the personal data serves to comply with the legal obligations under the GDPR and the German Federal Data Protection Act (BDSG).
3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in the purposes stated under 2.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this privacy policy, or as required by law.
5. Objection and removal options
You can prevent the collection and processing of your personal data by Borlabs by preventing the storage of third-party cookies on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com/) in your browser.
Further information on objection and removal options vis-à-vis Borlabs can be found at: https://de.borlabs.io/datenschutz/
This privacy policy was created with the support of DataGuard.