Privacy Policy of the Boutique Hotel Rosengarten

With the following information, we would like to give you an overview of the processing of your personal data in connection with the use of our website and during a stay in our hotel and to inform you about your rights under data protection law.

I. Information on the processing of personal data

We would like to begin by drawing your attention to our extensive information on transparency in accordance with Articles 13 and 14 of the GDPR.

1. Responsible body

The person responsible for data processing on this website in accordance with Art. 4 No. 7 GDPR and the provider of the website (service provider) within the meaning of the Telemedia Act (TMG) is

Hotel Rosengarten GmbH

Poppenbüttler Landstraße 10b 22391 Hamburg Phone: 49 40 608 714-0 Fax: 49 40 608 714-37 Email: info@Hotel-Rosengarten-Hamburg.de Web: https://Hotel-Rosengarten-Hamburg.de

Complete information according to § 5 TMG (Imprint)

2. Purposes and legal bases for the processing of personal data

We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the new Federal Data Protection Act (BDSG-new) and all other relevant laws for the following purposes and on the following legal basis:

(a) To process and manage reservation requests and reservations as well as to provide our services within the framework of the accommodation contract, including the processing of your hotel stay, payment processing and tracking your use of our services, e.g. telephone, to carry out check-in and manage access to the rooms - the legal basis for this is Art. 6 (1) (b) GDPR.

(b) To fulfill a legal obligation to which our company is subject as the controller (e.g. due to reporting laws, tax laws, accounting obligations, etc.) – the legal basis for this is Art. 6 (1) (c) GDPR.

(c) Sending our email newsletter, including managing your newsletter subscription – the legal basis for this is your consent in accordance with Art. 6 (1) (a) GDPR.

(d) To carry out and manage your participation in our planned loyalty program – the legal basis for this is your consent in accordance with Art. 6 (1) (a) GDPR.

(e) To maintain, guarantee and improve the quality of our products and services, in particular by conducting and analyzing satisfaction surveys and guest comments, by processing your personal data in our guest database, which enables us to recognize you as a returning guest, better assess your needs and wishes, improve the quality and individuality of our communication with you and create offers tailored to you - the legal basis for this is Art. 6 (1) (f) GDPR. Our interests arise from the accommodation contract we have with you, which represents a relevant and appropriate relationship within the meaning of Recital 47 of the GDPR, and from the fact that this type of data processing is customary in the hotel industry and corresponds to the reasonable expectations of the majority of guests.

(f) For advertising to existing customers for our offers and services – the legal basis for this is Art. 6 (1) (f) GDPR. Further information on advertising to existing customers can be found in Part II, No. 2 of this privacy policy.

(g) To protect our house rules, to prevent and investigate criminal offenses (particularly through video surveillance), to assert and defend legal claims and to protect our interests in legal disputes, to ensure IT security and IT operations, and to identify credit risks - the legal basis for this is Art. 6 (1) (f) GDPR. Our overriding legitimate interests arise from our obligation to ensure a safe stay for our guests in the hotel, as well as from our interest in enforcing our material and immaterial claims and exercising our rights, as well as defending against unjustified claims. Furthermore, the processing of personal data to the extent absolutely necessary to prevent fraud also represents a legitimate interest of our company in accordance with Recital 47 of the GDPR.

(h) To process the purchase of a voucher - the legal basis for this is Art. 6 (1) (b) GDPR.

Minors

Minors are not permitted to submit personal data to us without the consent of their legal guardians. We do not knowingly process personal data from minors on our website.

3. Categories of recipients of personal data

If and to the extent necessary for the purposes stated above under Section 3, we will also disclose your personal data to the following recipients or categories of recipients in accordance with Art. 4 No. 9 GDPR:

Within our company, only those departments that need your data to fulfill our contractual and legal obligations will have access to it (to the extent necessary).

To the extent that your personal data is processed in our central guest database. When conducting existing customer advertising measures, your personal data will only be disclosed to those employees of our company who have access to our central guest database. Service providers we employ (e.g., as part of contract processing pursuant to Art. 28 GDPR) and vicarious agents may also receive personal data for these purposes. These include companies in the categories of credit services and payment processing, IT services, cleaning services, logistics, printing services, telecommunications, debt collection, advice and consulting, as well as sales and marketing.

Furthermore, data may be passed on to public bodies and institutions if there is a legal obligation to do so (e.g. tax authorities, law enforcement authorities). Other data recipients may be those bodies for which you have given us your consent to transmit data.

4. Transfer of personal data to a third country

Personal data will be transferred to locations in countries outside the European Union (so-called third countries) if this is required by law or if you have given us your consent.

5. Duration of storage of personal data and criteria for determining this duration

We process and store your personal data for as long as necessary to fulfill our contractual and legal obligations. If the data is no longer required to fulfill contractual obligations, it is regularly deleted, unless its temporary further processing is required due to retention periods under commercial and tax law (including the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention or documentation periods specified therein are two to ten years.

6. Your rights as a data subject

Every data subject whose personal data is processed has the right to information from the controller about the personal data concerned pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to object to processing pursuant to Art. 21 GDPR, and the right to data portability pursuant to Art. 20 GDPR. The restrictions pursuant to Sections 34 and 35 of the new Federal Data Protection Act (BDSG) also apply to the right to information and the right to erasure.

Further information on your right to object to processing in accordance with Art. 21 GDPR.

If the processing of your personal data is based on consent given to us, you have the right to revoke your consent at any time without affecting the legality of the processing carried out on the basis of the consent until the revocation. Furthermore, you have the right to lodge a complaint with the competent data protection supervisory authority in accordance with Art. 77 GDPR in conjunction with Section 19 of the new BDSG.

7. Obligation to provide data

As part of our contractual relationship, you must provide the personal data that is necessary for establishing and executing the accommodation contract or that we are legally obligated to collect. Without this data, we will generally not be able to conclude or execute the contract with you. In particular, according to Section 30 Paragraph 2 of the Federal Registration Act, we are obligated to collect certain personal data about you as part of the registration form. If you do not provide us with the necessary information, we may not be able to provide the services you request, or not be able to provide them in full.

8. Automated decision-making and profiling

When establishing and implementing our contractual relationship, you will not be subjected to any decision based solely on automated processing – including profiling – pursuant to Art. 22 GDPR that has legal effects on you or significantly affects you in a similar way.

9. Additional information about your right of objection pursuant to Art. 21 GDPR

You have the right to object at any time to the processing of personal data concerning you which is based on Art. 6 (1) (e) GDPR (data processing in the public interest) or Art. 6 (1) (f) GDPR (data processing on the basis of a balance of interests), for reasons arising from your particular situation; this also applies to profiling based on this provision in accordance with Art. 4 (4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If your personal data is processed by us in order to conduct advertising to existing customers, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; This also applies to profiling insofar as it is related to such existing customer advertising. The objection is possible without any form and should be addressed to us directly.

10. Video surveillance:

For video surveillance in some public areas, the following applies to the associated processing of personal data:

(a) Purposes of data processing: Exercising house rules, preventing criminal offenses (e.g. damage to property or theft), ensuring criminal prosecution

(b) Legal basis for data processing: Art. 6 (1) (f) GDPR. The overriding legitimate interests of our company arise from our obligation to ensure a safe stay for our guests in the hotel, as well as from our interest in enforcing our material and immaterial claims and exercising our rights, as well as in defending against unjustified claims.

(c) Categories of recipients of personal data: Potential recipients of the data are law enforcement authorities and persons or companies we commission to exercise our rights (such as lawyers). We do not intend to transfer the data to a third country or an international organization.

(d) Duration of storage of personal data: If surveillance recordings are made, the recordings in question will be deleted after 72 hours at the latest. After this storage period, only data required to investigate specific incidents or to enforce claims based on a specific event (e.g., a criminal offense) will be stored. This data will also be deleted once the purpose for its continued storage no longer applies.

II. Additional information on data processing on this website

1. SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of your browser changes from "http://" to "https://" and by the lock symbol in your browser's address bar.

If SSL or TLS encryption is activated, the data you send to us cannot be read by third parties.

Encrypted payment transactions on this website

If, after concluding a paid contract, you are obliged to provide us with your payment details (e.g. account number for direct debit authorization), these details will be required for payment processing.

Payment transactions using common payment methods (Visa/MasterCard, direct debit) are carried out exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection by the browser's address line changing from "http://" to "https://" and by the lock symbol in your browser's address bar. With encrypted communication, your payment data that you transmit to us cannot be read by third parties.

Contact us

When you contact us (for example via contact form or email), the user's details will be stored for the purpose of processing the request and in case follow-up questions arise.

2. Email newsletter and existing customer advertising

E-Mail-Newsletter

With the e-mail newsletter we will regularly inform you about offers and information about special offers, services, promotions and services of Hotel Rosengarten GmbH, in particular regarding your stay, best price offers and on the occasion of your birthday as well as invitations to events.

If you would like to receive the email newsletter, we require a valid email address from you. We use the so-called double opt-in process to register for our newsletter. This means that after you register, we will send you an email to the email address you provided, asking you to confirm that you wish to receive the newsletter. If you do not confirm your registration within two weeks, your information will be blocked and automatically deleted after one month.

In addition, we store your IP addresses and the times of registration and confirmation. The purpose of this process is to verify your registration and, if necessary, to investigate any possible misuse of your personal data.

You can revoke your consent at any time. The legality of the processing until your revocation remains unaffected. To exercise your right of revocation, you can click on the unsubscribe link in the respective message or send us a message to info@Hotel-Rosengarten-Hamburg.de.

Existing customer advertising

We reserve the right to send our guests offers from our range of services via email as part of our existing customer marketing. Our legitimate interest in conducting existing customer marketing lies in being able to offer our guests customized, target-group-oriented offers based on a previous booking (transaction) or existing customer relationship.

We may process your personal data that you provide to us when making a booking for the purpose of sending you marketing to existing customers for 12 months after a previous transaction. If you do not make a new booking or make any other transaction within this period,

Your personal data will no longer be processed for the purpose of advertising to existing customers and will be deleted accordingly unless you have subscribed to a newsletter or your personal data must continue to be stored due to other regulations.

You can object to the use of your email address for sending advertising to existing customers at any time without incurring any costs other than the transmission costs according to the basic rates. Further information on exercising your right to object to the use of your email address for direct marketing purposes can be found in Part I, No. 10 of this privacy policy.

3. Cookies

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your device and do not contain viruses, Trojans, or other malware. Information related to the specific device used is stored in the cookie. However, this does not mean that we thereby directly learn your identity. The use of cookies serves, on the one hand, to make the use of our services more pleasant for you; on the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our services for you. We use cookies for the following purposes:

• Necessary functions: These cookies contribute significantly to improving your browsing and booking experience on our website. Basic functionalities and applications such as shopping carts or electronic billing processes are optimized and their handling is made easier. These cookies do not collect any information about you that could be used for marketing campaigns or statistical analyses. These cookies are necessary for the use of the website; the legal basis for these cookies is Art. 6 (1) (b) GDPR.
• Statistical analysis: Statistical analysis is the processing and presentation of data about user actions and interactions on websites and apps (e.g., number of page visits, number of unique visitors, number of returning visitors, entry and exit pages, length of stay, bounce rate, button presses) and, if necessary, the classification of users into groups based on technical data about the software settings used (e.g., browser type, operating system, language settings, screen resolution). The legal basis for these cookies is consent pursuant to Art. 6 (1) (a) GDPR.
• Reach measurement: Reach measurement is the evaluation of visit actions by analyzing usage behavior in relation to the identification of specific user actions and measuring the effectiveness of online advertising. The number of visitors who, for example, have reached websites or apps by clicking on advertisements is measured. Furthermore, the rate of users who perform a specific action (e.g., registering for the newsletter, ordering goods) can be measured. The legal basis for these cookies is consent in accordance with Art. 6 (1) (a) GDPR.
• Personalized advertising: Certain features of websites and apps are designed to show users personalized advertising (ads or commercials) in other contexts, for example on other websites, platforms, or apps. For this purpose, conclusions about users' interests are drawn from demographic information, search terms used, contextual content, user behavior on websites and in apps, or the location of users. Based on these interests, advertising will be selected in the future and displayed by other online content providers. The legal basis for these cookies is consent in accordance with Art. 6 (1) (a) GDPR.

Setting cookies via our Cookie Consent Tool

To adjust your cookie settings, you can use our Cookie Consent Tool at any time. To do so, you can access the tool via the following link and configure the above-mentioned cookie categories by granting or denying consent to the use of these cookies in your browser. Under Section II 4 of this Privacy Policy, you can see which partner companies and third-party providers use cookies on our website and which of the categories from II 3 they are assigned to.

Setting cookies via the browser

You can set your browser to only store cookies if you agree. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or so that a warning message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all of the features of our website. If you only want to accept our cookies and not cookies from partners, please select the "Block third-party cookies" option in your browser. The help function in your web browser's menu bar will show you how to reject new cookies and deactivate those already received. We recommend that you always log off completely when you have finished using a shared computer that accepts cookies and so-called Flash cookies.

4. Providers of cookies

Google Analytics

This website also uses Google Analytics, a web analytics service provided by Google Inc., Mountain View, USA ("Google"). Google Analytics uses "cookies," which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website is typically transferred to and stored by Google on servers in the United States.

Recipient: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: 353 (1) 436 1001).

How it works: The web analysis service “Google Analytics” uses technologies such as “cookies”, “tracking pixels” and “device fingerprinting” to track certain user behavior on websites. This also processes information stored on users’ end devices. With the help of the “tracking pixels” integrated into websites and the “cookies” stored on users’ end devices, “Google” processes the information generated about the use of our website by users’ end devices – e.g. that a certain web page has been accessed – and access data for the purpose of measuring the reach of website usage. The access data includes in particular the IP address, browser information, the previously visited website and the date and time of the server request. “Google Analytics” is used with the extension “anonymizeIp()”. This means that IP addresses are further processed in a shortened form to make it significantly more difficult to identify individuals. According to “Google”, the IP addresses are shortened beforehand within member states of the European Union.

However, since IP anonymization (so-called IP masking) provided by Google is activated on this website (by extending Google Analytics with the code "gat._anonymizeIp();"), your IP address will be shortened and thus anonymized by Google within the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use the information collected by Google Analytics to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Further information can be found in the Google Analytics Terms of Use and Privacy Policy.

Google Maps

This website uses the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. To use the functions of Google Maps, it is necessary to save your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer. Google Maps is used in the interest of an attractive presentation of our online services and to make the locations we specify on the website easy to find. This represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. Further information on how user data is handled can be found in Google's privacy policy.

Facebook

This website uses social plugins ("plugins") from the social network facebook.com, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). The plugins can be recognized by one of the Facebook logos (a white "f" on a blue tile or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin." The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/. When a user visits a website on this website that contains such a plugin, their browser establishes a direct connection to the Facebook servers. The content of the plugin is transmitted directly from Facebook to your browser, which then integrates it into the website. The provider therefore has no influence on the extent of the data that Facebook collects with the help of this plugin and therefore informs users according to their level of knowledge: By integrating the plugin, Facebook receives the information that a user has accessed the corresponding page of the offer. If the user is logged in to Facebook, Facebook can assign the visit to their Facebook account. If users interact with the plugin, for example by clicking the Like button or leaving a comment, the corresponding information is transmitted directly from your browser to Facebook and stored there. If a user is not a member of Facebook, it is still possible that Facebook will find out and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany. The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as the related rights and setting options for protecting the privacy of users can be found in Facebook's privacy policy. If a user is a Facebook member and does not want Facebook to collect data about them via this offer and link it to their member data stored on Facebook, they must log out of Facebook before visiting the website. It is also possible to block Facebook social plugins with add-ons for your browser, for example with the "Facebook Blocker".

Cloudbeds

The "Book now" button redirects visitors to the Cloudbeds website. The provider is Cloudbeds, established at 3033 5th Ave. Ste 100, San Diego, CA 92103, USA. To use the booking functions, it is necessary to save your IP address. If you enter and submit a booking request, this data is generally transferred to a Cloudbeds server and stored there. The provider of this site has no influence on this data transfer. It is used in the interest of being able to process booking requests. This represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. Further information on how Cloudbeds handles user data can be found in the privacy policy.

TripAdvisor

This site embeds a TripAdvisor widget for displaying reviews. The provider is TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494 USA (https://tripadvisor.mediaroom.com/DE-contact-us). To use the functions of the TripAdvisor widget, it is necessary to save your IP address. This information is usually transferred to a TripAdvisor server in the USA and stored there. The provider of this site has no influence on this data transfer. The TripAdvisor widget is used in the interest of presenting the reviews of our hotel submitted on TripAdvisor. This represents a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. More information on how TripAdvisor handles user data can be found in TripAdvisor's privacy policy: https://tripadvisor.mediaroom.com/us-privacy-policy .

How it works:

Marketing tools for personalized advertising all work in a similar way from a technical perspective, so the following text refers to this functionality for the providers mentioned above. Providers of personalized advertising use technologies such as "cookies," "tracking pixels," and "device fingerprinting" to display ads relevant to users and improve campaign performance reports. With the help of these providers, interest-based advertisements can be displayed on the providers' websites as well as on our website. Information stored on users' end devices is also processed. The providers provide functions for this purpose that are generally referred to as "remarketing." With remarketing, website users can be recognized on other websites within the provider's advertising network and advertisements tailored to their interests can be presented. The advertisements can also relate to products and services that users have already viewed on our website. For this purpose, the interaction of users on our website is analyzed, e.g. which offers users are interested in, in order to be able to show users targeted advertising on other sites even after they have visited our website. When users visit our website, the respective provider stores a "cookie" on the user's device. With the help of "cookies" and "tracking pixels", the provider processes the information generated by the user's device about the use of our website and interactions with our website as well as access data, in particular the IP address, browser information, the previously visited website and the date and time of the server request, for the purpose of displaying and analyzing personalized advertisements. Furthermore, the aforementioned providers also use the "conversion" function to draw attention to our attractive offers using advertising material on external websites. In relation to the data from the advertising campaigns, we can determine the success of the individual advertising measures. These advertising materials are delivered by the providers via so-called "ad servers". For this purpose, we use "ad server cookies" through which certain parameters for measuring reach - e.g. display of ads, duration of viewing or clicks by users - can be measured. Information stored on users' devices is also processed in the process. If users access our website via an ad from the provider, the provider will store a "cookie" on the user's device. With the help of "cookies" and "tracking pixels," the provider processes the information generated by the user's device about interactions with our advertising materials (accessing a specific website or clicking on an advertisement) and user access data, in particular IP address, browser information, the previously visited website, and the date and time of the server request, for the purpose of analyzing and visualizing the reach measurement of our advertisements. Due to the marketing tools used, the user's browser automatically establishes a direct connection to the provider's server.

5. Integration of services and content from third-party providers

(Collection of IP address by third-party services)

Third-party content (hereinafter referred to as "third-party providers") is integrated into the website. To use such content, the transmission of the user's IP address to the respective third-party provider is technically necessary. Without the IP address, the third-party providers could not send the content embedded in the website to the user's browser. Examples include videos from YouTube, maps from Google Maps, RSS feeds, or graphics from others. We endeavor to only use content whose respective providers use the IP address solely to deliver the content. However, we have no influence over whether the third-party providers store the IP address, e.g., for statistical purposes. If we are aware of this, we will inform users.

6. Integration of payment service providers in online payments

To process online payments with Cloudbeds Payment Service, we also use the external payment service provider Stripe, German Branch, Jägerstraße 27, 10117 Berlin, via whose platforms you can initiate payment transactions at your own discretion. If you wish to make an online payment, this can be done either integrated into the booking process or via an email address you provide by sending a corresponding link. If you use such a link, you will be redirected to the payment platform's website. Further details on how your personal data is handled in this context can be found here.

Status and update of the data protection information

This privacy policy is effective from September 15, 2022. We will update this privacy policy from time to time in response to relevant changes to our website, the processing of personal data, or changes to legal regulations. The revised version will apply from the published effective date. If there are material changes to this privacy policy, we will notify you in a timely manner before the changes come into effect by posting a notice on our website. We may also inform our guests of the changes by email or other means.