Privacy Policy

Preamble

This Privacy Policy is intended to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, the purposes for which such data are processed, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, through our websites, mobile applications, and external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Services”).

Inhalt

The terms used in this Privacy Policy are intended to be gender-neutral.

Last updated: 7 July 2026


Table of Contents

  • Preamble
  • Controller
  • Overview of Processing Activities
  • Applicable Legal Bases
  • Security Measures
  • International Data Transfers
  • General Information on Data Retention and Erasure
  • Rights of Data Subjects
  • Business Services
  • Provision of the Online Services and Web Hosting
  • Use of Cookies
  • Blogs and Publishing Media
  • Contact and Enquiry Management
  • Newsletters and Electronic Notifications
  • Web Analytics, Monitoring and Optimisation
  • Affiliate Programmes and Affiliate Links
  • Social Media Presences
  • Plug-ins, Embedded Features and Content
  • Privacy Information for Whistleblowers
  • Amendments and Updates
  • Definitions

Controller

Sarah Siegesleitner
Blindendorf 3
4772 Lambrechten
Austria

Email: design.siegesleitner@gmail.com

Legal Notice (Imprint): https://travel-like-local.com/impressum/


Overview of Processing Activities

The following overview summarises the categories of personal data processed, the purposes for which such data are processed, and the categories of data subjects concerned.

Categories of Personal Data Processed

  • Identity data
  • Employee data
  • Payment data
  • Location data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Metadata, communication data and procedural data
  • Log data

Categories of Data Subjects

  • Customers and clients
  • Employees
  • Prospective customers
  • Communication partners
  • Users
  • Business and contractual partners
  • Third parties
  • Whistleblowers

Purposes of Processing

  • Provision of contractual services and fulfilment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Audience measurement
  • Tracking
  • Office and organisational procedures
  • Remarketing
  • Audience segmentation
  • Affiliate tracking
  • Organisational and administrative procedures
  • Feedback
  • Marketing
  • Creation of user-related profiles
  • Provision and user-friendly operation of our Online Services
  • Information technology infrastructure
  • Whistleblower protection
  • Public relations
  • Business operations and commercial administration

Applicable Legal Bases

Legal Bases under the General Data Protection Regulation (GDPR)

Below is an overview of the legal bases under the General Data Protection Regulation (GDPR) on which we rely when processing personal data. Please note that, in addition to the provisions of the GDPR, national data protection legislation applicable in your country of residence or establishment, or in ours, may also apply. Where more specific legal bases are relevant in individual cases, we will inform you accordingly in this Privacy Policy.

Consent (Article 6(1)(a) GDPR)

The data subject has given consent to the processing of their personal data for one or more specific purposes.

Performance of a Contract and Pre-contractual Measures (Article 6(1)(b) GDPR)

Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

Compliance with a Legal Obligation (Article 6(1)(c) GDPR)

Processing is necessary for compliance with a legal obligation to which the Controller is subject.

Legitimate Interests (Article 6(1)(f) GDPR)

Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, provided that such interests are not overridden by the interests, fundamental rights and freedoms of the data subject which require the protection of personal data.

Austrian Data Protection Legislation

In addition to the provisions of the GDPR, national data protection legislation applies in Austria. In particular, this includes the Austrian Data Protection Act (Datenschutzgesetz – DSG), which contains specific provisions concerning, among other things, the right of access, the right to rectification and erasure, the processing of special categories of personal data, processing for purposes other than those originally intended, data transfers, and automated decision-making in individual cases.

Security Measures

We implement appropriate technical and organisational measures in accordance with the applicable legal requirements, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of personal data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, availability of and separation of such data. Furthermore, we have implemented procedures to ensure the exercise of data subjects’ rights, the erasure of personal data and appropriate responses to data security incidents. We also take the protection of personal data into account during the development and selection of hardware, software and processing procedures in accordance with the principles of data protection by design and data protection by default.

Protection of Online Connections באמצעות TLS/SSL Encryption (HTTPS)

To protect users’ data transmitted through our Online Services against unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstone technologies for secure data transmission over the Internet. These technologies encrypt the information exchanged between a website or application and the user’s browser (or between two servers), thereby preventing unauthorised access to the transmitted data. TLS, the more advanced and secure successor to SSL, ensures that all data transmissions comply with the highest security standards. A website secured by an SSL/TLS certificate can be identified by the use of “HTTPS” in the URL, indicating that communications are encrypted and transmitted securely.


International Data Transfers

Transfers of Personal Data to Third Countries

Where we transfer personal data to a third country (i.e. a country outside the European Union (EU) or the European Economic Area (EEA)), or where such transfers occur in the course of using third-party services or disclosing or transferring personal data to other individuals, organisations or companies (which may be identified by the provider’s registered address or expressly stated in this Privacy Policy), such transfers are carried out exclusively in accordance with the applicable legal requirements.

For transfers of personal data to the United States, we primarily rely on the EU–U.S. Data Privacy Framework (DPF), which was recognised as providing an adequate level of protection by the European Commission’s adequacy decision of 10 July 2023. In addition, we have concluded the European Commission’s Standard Contractual Clauses (SCCs) with the respective service providers, establishing contractual obligations to safeguard your personal data.

This dual protection mechanism ensures a comprehensive level of protection. The DPF serves as the primary legal basis for transfers, while the Standard Contractual Clauses provide an additional safeguard. Should the legal framework governing the DPF change, the Standard Contractual Clauses will continue to provide a reliable alternative transfer mechanism. In this way, we seek to ensure that your personal data remains adequately protected even in the event of legal or political changes.

For each individual service provider, we will indicate whether the provider is certified under the DPF and whether Standard Contractual Clauses have been concluded where applicable.

Further information on the Data Privacy Framework, including a list of certified organisations, is available on the website of the U.S. Department of Commerce:

https://www.dataprivacyframework.gov/

Where personal data are transferred to other third countries, appropriate safeguards are implemented, including, where applicable, Standard Contractual Clauses, your explicit consent, or transfers otherwise authorised by law. Further information regarding international data transfers and adequacy decisions adopted by the European Commission is available at:

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en


General Information on Data Retention and Erasure

We erase personal data processed by us in accordance with the applicable legal requirements as soon as any consent on which the processing is based has been withdrawn or no other legal basis for processing exists. This applies where the original purpose of processing no longer exists or where the personal data are no longer required.

Exceptions apply where statutory obligations or overriding legitimate interests require the retention or archiving of personal data for a longer period.

In particular, personal data that must be retained for accounting or tax purposes, or where storage is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of other natural or legal persons, will be retained in accordance with the applicable legal requirements.

Our privacy notices may contain additional information regarding retention periods and deletion practices that apply specifically to individual processing activities.

Where multiple retention periods or deletion deadlines apply, the longest applicable period shall prevail. Personal data retained beyond the original processing purpose solely due to statutory obligations or other legitimate reasons will be processed exclusively for the purposes justifying such retention.

Statutory Retention Periods under Austrian Law

The following general retention periods apply under Austrian law where personal data must be retained to comply with legal obligations or to safeguard legitimate interests.

Seven years

Personal data processed in connection with tax-relevant business records are retained for seven years in accordance with Section 132 of the Austrian Federal Fiscal Code (Bundesabgabenordnung – BAO) and Sections 190–212 of the Austrian Commercial Code (Unternehmensgesetzbuch – UGB). This includes, in particular, accounting records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents, invoices, incoming and outgoing business correspondence, and all other records relevant for tax purposes. The retention period begins at the end of the calendar year in which the final entry was made and may be extended where such records remain relevant to pending tax proceedings.

Three years

Personal data required for the establishment, exercise or defence of warranty claims, claims for damages or other contractual claims are retained for the duration of the applicable statutory limitation period. Unless longer statutory retention obligations apply, this period is generally three years in accordance with Section 1489 of the Austrian Civil Code (Allgemeines Bürgerliches Gesetzbuch – ABGB).

Commencement of Retention Periods

Unless a statutory provision expressly provides otherwise, any retention period of one year or longer begins at the end of the calendar year in which the event giving rise to the retention obligation occurred. For ongoing contractual relationships involving the storage of personal data, the relevant event is the effective date of termination or any other legal end of the contractual relationship.


Rights of Data Subjects

As a data subject, you are entitled to the rights provided under the GDPR, in particular those set out in Articles 15 to 21 GDPR.

Right to Object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data where such processing is based on Article 6(1)(e) or Article 6(1)(f) GDPR. This also applies to profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling insofar as it relates to direct marketing.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time with effect for the future.

Right of Access

You have the right to obtain confirmation as to whether we process your personal data and, where that is the case, to request access to such personal data together with further information and a copy of the personal data in accordance with the applicable legal requirements.

Right to Rectification

You have the right to request the correction of inaccurate personal data concerning you and, taking into account the purposes of the processing, to have incomplete personal data completed.

Right to Erasure and Restriction of Processing

Subject to the applicable legal requirements, you have the right to request the erasure of your personal data without undue delay or, alternatively, to request the restriction of the processing of your personal data.

Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and, where technically feasible, to request that those data be transmitted directly to another controller.

Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of your personal data infringes the provisions of the GDPR.

Business Services

We process the personal data of our contractual and business partners, including customers, clients, prospective customers, suppliers and other cooperation partners (collectively referred to as “Contractual Partners”), for the purposes of establishing, performing and administering contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken at the request of the data subject, as well as communication relating to the relevant contractual relationship.

Processing is carried out primarily for the performance of our contractual obligations and ancillary duties. This includes the provision of the agreed services, compliance with update and information obligations where applicable, the handling of warranty claims and other service-related issues, the administration of withdrawals, termination of continuing contractual relationships, contract reversals, refunds, and the processing of other contract-related declarations and enquiries. This applies to both one-off contracts and ongoing contractual relationships.

The categories of personal data processed include, in particular, identity data such as name, postal address and, where applicable, company details; contact data such as email address and telephone number; contractual and service-related data such as the subject matter and duration of the contract, order or reference numbers, usage and service data; payment and billing information; as well as the content and history of communications. Where necessary, we also process personal data disclosed or transmitted to us in the course of carrying out a specific assignment.

We further process personal data where necessary to protect our legal rights and to comply with statutory obligations. This includes, in particular, obligations relating to commercial and tax law, documentation requirements, and any applicable obligations relating to accountability or the provision of evidence. Processing may also be carried out on the basis of our legitimate interests in ensuring the proper management of our business operations, internal administration, risk management, IT security, and the protection of our business operations and contractual partners against misuse, data security risks, unauthorised disclosure of confidential information, and other legal risks. For these purposes, we may engage external service providers, including IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax advisers, legal advisers and other contractors where necessary for the performance of the contract or compliance with legal obligations.

Personal data will only be disclosed to third parties where this is necessary for the performance of a contract, the implementation of pre-contractual measures, the protection of legitimate interests or compliance with legal obligations. Any processing beyond these purposes, particularly for marketing purposes, is described separately in this Privacy Policy.

The specific personal data required in each individual case will be indicated to Contractual Partners at the time of collection, for example by means of mandatory fields in online forms or during personal communication.

Personal data will be erased as soon as they are no longer required for the purposes described above and no statutory retention obligations prevent their deletion. Statutory retention periods, particularly those arising under commercial and tax legislation, may require longer retention. Personal data submitted in connection with a specific assignment will be erased following completion of the assignment and expiry of any applicable statutory retention periods, unless further legal or contractual obligations require continued storage.

Processing is carried out pursuant to Article 6(1)(b) GDPR where necessary for the implementation of pre-contractual measures or the performance of a contract, pursuant to Article 6(1)(c) GDPR where necessary to comply with legal obligations, and, where applicable, pursuant to Article 6(1)(f) GDPR on the basis of our legitimate interests. Such legitimate interests include ensuring an efficient and lawful business organisation, internal administration and documentation of business transactions, the establishment, exercise and defence of legal claims, safeguarding IT and data security, preventing misuse and fraud, and supporting the commercial management and continued development of our business operations. These interests exist in particular to ensure secure and legally compliant business operations and to safeguard our entrepreneurial capacity.

Categories of Personal Data Processed

  • Identity data (e.g. full name, residential address, contact details, customer number)
  • Payment data (e.g. bank account details, invoices, payment history)
  • Contact data (e.g. postal address, email address and telephone number)
  • Contract data (e.g. subject matter of the contract, contract term, customer category)

Categories of Data Subjects

  • Customers and clients
  • Prospective customers
  • Business and contractual partners

Purposes of Processing and Legitimate Interests

  • Provision of contractual services and fulfilment of contractual obligations
  • Communication
  • Office and organisational procedures
  • Organisational and administrative procedures
  • Business operations and commercial administration

Retention and Erasure

Personal data are erased in accordance with the provisions set out in the section “General Information on Data Retention and Erasure.”

Legal Bases

  • Article 6(1)(b) GDPR (Performance of a Contract and Pre-contractual Measures)
  • Article 6(1)(c) GDPR (Compliance with a Legal Obligation)
  • Article 6(1)(f) GDPR (Legitimate Interests)

Provision of the Online Services and Web Hosting

We process users’ personal data in order to make our Online Services available to them. For this purpose, we process the user’s IP address, which is required to transmit the content and functionality of our Online Services to the user’s browser or end device.

Categories of Personal Data Processed

  • Usage data (e.g. page views, duration of visits, click paths, frequency and intensity of use, device types and operating systems used, interactions with content and functions)
  • Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identification numbers and parties involved)
  • Log data (e.g. server log files relating to logins, data retrieval and access times)

Categories of Data Subjects

  • Users (e.g. website visitors and users of online services)

Purposes of Processing and Legitimate Interests

  • Provision and user-friendly operation of our Online Services
  • Information technology infrastructure (operation and provision of information systems and technical equipment, including servers and computers)
  • Security measures

Retention and Erasure

Personal data are erased in accordance with the provisions set out in the section “General Information on Data Retention and Erasure.”

Legal Basis

  • Article 6(1)(f) GDPR (Legitimate Interests)

Additional Information Regarding Processing Activities

Provision of the Online Services via Hosted Infrastructure

To provide our Online Services, we use hosting services including storage capacity, computing resources and software supplied by an external hosting provider.

Legal basis: Article 6(1)(f) GDPR (Legitimate Interests).

Collection of Access Data and Server Log Files

Access to our Online Services is recorded in so-called server log files. These may include the names and URLs of accessed webpages and files, the date and time of access, the volume of data transferred, confirmation of successful retrieval, browser type and version, the user’s operating system, the referring URL (the previously visited webpage), IP addresses and the requesting internet service provider.

Server log files are processed for security purposes, including the prevention of server overload and protection against abusive activities such as distributed denial-of-service (DDoS) attacks. They are also used to ensure the stability, availability and efficient operation of our servers.

Legal basis: Article 6(1)(f) GDPR (Legitimate Interests).

Retention period: Server log data are retained for a maximum period of 30 days before being erased or anonymised. Data required for evidential purposes in connection with a security incident are excluded from deletion until the matter has been fully resolved.

Web Hosting Provider – ALL-INKL

We use ALL-INKL.COM – Neue Medien Münnich, Proprietor: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany, as our hosting provider for the provision of information technology infrastructure and related hosting services, including server capacity and storage space.

Legal basis: Article 6(1)(f) GDPR (Legitimate Interests).

Website: https://all-inkl.com/

Privacy Policy: https://all-inkl.com/datenschutzinformationen/

Data Processing Agreement (DPA): A data processing agreement is provided by the service provider in accordance with Article 28 GDPR.

Use of Cookies

The term “cookies” refers to technologies that store information on users’ end devices and retrieve information from those devices. Cookies may be used for a variety of purposes, including ensuring the functionality, security and convenience of online services, as well as generating analytics regarding visitor activity and website usage.

We use cookies in accordance with the applicable legal requirements. Where required by law, we obtain users’ prior consent before placing or accessing cookies. Where consent is not required, we rely on our legitimate interests. This applies where the storage of, or access to, information on a user’s device is strictly necessary to provide content and functionality expressly requested by the user, such as storing user preferences or ensuring the functionality and security of our Online Services.

Any consent provided may be withdrawn at any time. We provide clear information regarding the scope of the consent requested and the cookies used.

Legal Basis for Cookie Processing

Whether we process personal data by means of cookies depends on the applicable legal basis. Where users have provided their consent, such consent constitutes the legal basis for processing. Where consent is not required, processing is based on our legitimate interests, as described in this section and in connection with the respective services and processing activities.

Cookie Retention Periods

Cookies are distinguished according to their storage duration as follows:

Temporary Cookies (Session Cookies)

Temporary cookies are automatically deleted no later than when the user leaves the Online Services and closes their browser or other end device.

Persistent Cookies

Persistent cookies remain stored on the user’s device even after it has been closed. They may, for example, retain a user’s login status or display preferred content when the user revisits the website. Information collected through persistent cookies may also be used for audience measurement and website analytics. Unless we expressly specify the type and retention period of individual cookies (for example when obtaining consent), users should assume that such cookies are persistent and may remain stored for up to two years.

Withdrawal of Consent and Right to Object (Opt-out)

Users may withdraw any consent they have given at any time. In addition, users may object to the processing of their personal data in accordance with the applicable legal requirements, including by adjusting the privacy settings of their web browser.

Categories of Personal Data Processed

  • Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identification numbers and parties involved)

Categories of Data Subjects

  • Users (e.g. website visitors and users of online services)

Legal Basis

  • Article 6(1)(f) GDPR (Legitimate Interests)

Additional Information Regarding Processing Activities, Procedures and Services

Complianz

We use Complianz to obtain, manage and document users’ consent regarding the use of cookies and the processing of personal data. The service records users’ consent decisions, displays privacy and cookie notices, and enables users to withdraw or modify their consent preferences at any time.

Service provider: The service is operated on servers and/or computer systems under the provider’s own responsibility for data protection compliance.

Website: https://complianz.io/

Privacy Policy: https://complianz.io/legal/

Additional information: A unique user identifier, the user’s selected language, the categories of consent granted, and the date and time on which consent was provided are stored both on the server and in a cookie placed on the user’s device.

Blogs and Publishing Media

We operate blogs and comparable means of online communication and publication (hereinafter referred to as the “Publishing Media”). Personal data relating to readers are processed only to the extent necessary to provide the Publishing Media, facilitate communication between authors and readers, or ensure the security of the service. For all other processing activities, please refer to the relevant provisions of this Privacy Policy concerning visitors to our Publishing Media.

Categories of Personal Data Processed

  • Identity data (e.g. full name, residential address, contact details, customer number)
  • Contact data (e.g. postal address, email address and telephone number)
  • Content data (e.g. text and image submissions, comments, posts, and related information such as authorship and the date of creation)
  • Usage data (e.g. page views, duration of visits, click paths, frequency and intensity of use, device types, operating systems and interactions with content and functionality)
  • Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identification numbers and parties involved)

Categories of Data Subjects

  • Users (e.g. website visitors and users of online services)

Purposes of Processing and Legitimate Interests

  • Collecting and processing feedback (e.g. via online forms)
  • Providing and improving our Online Services and user experience
  • Implementing security measures
  • Organisational and administrative procedures

Retention and Erasure

Personal data are retained and erased in accordance with the provisions set out in the section “General Information on Data Retention and Erasure.”

Legal Basis

  • Article 6(1)(f) GDPR (Legitimate Interests)

Additional Information Regarding Processing Activities

Comments and User Contributions

Where users publish comments or other contributions through our Publishing Media, we may store their IP addresses on the basis of our legitimate interests. This serves our security interests in the event that unlawful content (such as defamatory statements, prohibited political propaganda or other illegal content) is published. In such cases, we may ourselves be held legally responsible for the content and therefore have a legitimate interest in identifying the author.

Furthermore, we reserve the right to process user data for the purpose of spam detection based on our legitimate interests.

Where polls or surveys are conducted, we may also store users’ IP addresses for the duration of the relevant survey and use cookies to prevent multiple submissions by the same user.

Personal information disclosed in comments or contributions, including contact details, website information and the content of the contribution itself, will remain publicly available and stored until the respective user objects to such processing.

Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests).


Contact and Enquiry Management

Where you contact us—for example by post, contact form, email, telephone or via social media—or within the context of an existing customer or business relationship, we process the personal data you provide to the extent necessary to respond to your enquiry and to carry out any requested measures.

Categories of Personal Data Processed

  • Contact data (e.g. postal address, email address and telephone number)
  • Content data (e.g. messages, enquiries, images and associated information)
  • Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identification numbers and parties involved)

Categories of Data Subjects

  • Communication partners

Purposes of Processing and Legitimate Interests

  • Communication
  • Organisational and administrative procedures
  • Collection of feedback
  • Provision and optimisation of our Online Services

Retention and Erasure

Personal data are retained and erased in accordance with the provisions set out in the section “General Information on Data Retention and Erasure.”

Legal Bases

  • Article 6(1)(b) GDPR (Performance of a Contract and Pre-contractual Measures)
  • Article 6(1)(f) GDPR (Legitimate Interests)

Additional Information Regarding Processing Activities

Contact Forms and General Enquiries

Where you contact us via our contact form, by email or through any other communication channel, we process the personal data you provide solely for the purpose of responding to and handling your enquiry. This will generally include your name, contact details and any additional information required to process your request appropriately. Such personal data are used exclusively for the purpose of communication and responding to your enquiry.

Legal Bases:

  • Article 6(1)(b) GDPR (Performance of a Contract and Pre-contractual Measures)
  • Article 6(1)(f) GDPR (Legitimate Interests)

Newsletters and Electronic Notifications

We send newsletters, emails and other electronic communications (hereinafter collectively referred to as “Newsletters”) only where recipients have provided their consent or where another lawful basis permits such communications.

Where the content of the Newsletter is described during the subscription process, that description forms the basis of the user’s consent. In general, only an email address is required to subscribe to our Newsletter. However, in order to provide a more personalised service, we may also request your name to address you personally within the Newsletter or other information where this is necessary for the specific purpose of the Newsletter.

Retention and Restriction of Processing

Following unsubscription, we may retain email addresses for up to three years on the basis of our legitimate interests in order to demonstrate that valid consent had previously been obtained. Processing of such data is strictly limited to the establishment, exercise or defence of legal claims.

Users may request the deletion of their email address at any time, provided that the previous existence of consent is simultaneously confirmed.

Where we are legally required to permanently respect objections to marketing communications, we reserve the right to retain the email address solely for this purpose in a suppression list (also referred to as a “blocklist”).

The subscription process is logged on the basis of our legitimate interests in order to demonstrate that the subscription procedure was carried out correctly and lawfully.

Where we engage an external service provider to distribute Newsletters, this is done on the basis of our legitimate interests in operating an efficient, reliable and secure email delivery system.

Newsletter Content

Our newsletters contain information about our business and updates regarding new blog articles.

Categories of Personal Data Processed

  • Identity data (e.g. full name, residential address, contact details, customer number)
  • Contact data (e.g. postal address, email address and telephone number)
  • Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identification numbers and parties involved)
  • Usage data (e.g. page views, duration of visits, click paths, frequency and intensity of use, device types, operating systems and interactions with content and functionality)

Categories of Data Subjects

  • Communication partners

Purpose of Processing

  • Direct marketing (e.g. by email or post)

Legal Basis

  • Article 6(1)(a) GDPR (Consent)

Right to Withdraw Consent (Opt-out)

You may unsubscribe from our Newsletter at any time by withdrawing your consent or objecting to future communications. An unsubscribe link is included at the end of every Newsletter. Alternatively, you may contact us using any of the contact details provided above, preferably by email.

Additional Information Regarding Processing Activities

Measurement of Open and Click Rates

Our Newsletters contain so-called web beacons (small pixel-sized image files). When you open a Newsletter, the web beacon is retrieved from our server or, where applicable, from the server of our email service provider. During this process, technical information is collected, including details about your browser, operating system, IP address and the time at which the Newsletter was opened.

This information is used exclusively to improve our Newsletter services based on technical performance data, recipient behaviour and geographical distribution.

Legal Basis: Article 6(1)(a) GDPR (Consent).


Web Analytics, Monitoring and Optimisation

Web analytics (also referred to as audience measurement) enables us to analyse visitor activity within our Online Services and may include behavioural, interest-based or demographic information relating to visitors, such as age or gender, in pseudonymised form.

Audience measurement enables us, for example, to determine when our Online Services, individual features or specific content are accessed most frequently and to identify areas that require improvement. It also assists us in evaluating user engagement and optimising our Online Services.

In addition to web analytics, we may conduct tests, including A/B testing, in order to compare different versions of our Online Services or individual components and determine which version performs more effectively.

Unless otherwise stated below, we may create user profiles by combining data relating to individual usage sessions and may store information on, and retrieve information from, users’ browsers or end devices for these purposes. The information collected may include, in particular, visited websites, the features used, browser type, operating system, device information and the time of access. Where users have consented to the processing of location data by us or by the providers of the services we use, location data may also be processed.

Users’ IP addresses are also processed. However, to protect users’ privacy, we employ IP masking, whereby the IP address is shortened and thereby pseudonymised. As a general rule, we do not store directly identifying information (such as names or email addresses) within the context of web analytics, A/B testing or optimisation activities. Instead, only pseudonymised information is processed. Neither we nor the providers of the analytics software are able to identify individual users directly; only pseudonymised user profiles are available for the purposes described above.

Legal Basis

Where we request users’ consent for the use of third-party analytics services, the legal basis for processing is Article 6(1)(a) GDPR (Consent).

Where consent is not required, processing is carried out on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR, namely our interest in providing efficient, economically viable and user-friendly Online Services.

For further information, please also refer to the section “Use of Cookies” in this Privacy Policy.

Categories of Personal Data Processed

  • Usage data (e.g. page views, duration of visits, click paths, frequency and intensity of use, device types, operating systems and interactions with content and functionality)
  • Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identification numbers and parties involved)

Categories of Data Subjects

  • Users (e.g. website visitors and users of online services)

Purposes of Processing

  • Audience measurement (e.g. visitor statistics and recognition of returning users)
  • Creation of user profiles
  • Remarketing
  • Provision and optimisation of our Online Services

Retention and Erasure

Personal data are retained and erased in accordance with the provisions set out in the section “General Information on Data Retention and Erasure.” Unless otherwise stated, cookies and comparable storage technologies may remain stored on users’ devices for up to two years.

Security Measures

  • IP masking (pseudonymisation of IP addresses)

Legal Bases

  • Article 6(1)(a) GDPR (Consent)
  • Article 6(1)(f) GDPR (Legitimate Interests)

Additional Information Regarding Processing Activities

Matomo

We use Matomo, an open-source web analytics platform, to analyse the use of our Online Services and measure website traffic. During the use of Matomo, cookies are placed on users’ devices. The data collected through Matomo are processed exclusively by us and are not shared with third parties.

Matomo cookies are stored for a maximum period of 13 months.

Legal Basis: Article 6(1)(a) GDPR (Consent).

Retention Period: Cookies are automatically deleted after a maximum of 13 months.

Further information is available at:

https://matomo.org/faq/general/faq_146/

VG WORT – METIS Audience Measurement System

We participate in the METIS audience measurement system operated by VG WORT in order to measure access to online texts made available through our Online Services. This enables the statistical determination of the probability that published texts are copied, which forms the basis for the lawful distribution of copyright remuneration to authors and publishers under the German Copyright Act (Urheberrechtsgesetz – UrhG).

For this purpose, a unique counting marker is embedded in the source code of each participating online text. This identifier enables the system to count accesses to the respective text. In addition, a client ID is generated and a METIS session cookie is placed on the user’s device. This allows the system to determine whether the same user has already accessed the relevant text during the current browser session, thereby preventing duplicate counts.

Neither the session cookie nor any other element of the METIS audience measurement process processes personal data. Individual users are never identified, and user identities remain fully protected. The system is used exclusively for anonymous statistical measurement and does not display advertising.

Service Provider

VG WORT (Verwertungsgesellschaft WORT)

Untere Weidenstraße 5

81543 Munich

Germany

Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests).

Website: https://vgwort.de/

Privacy Policy: https://vgwort.de/datenschutz.html

 

Affiliate-Programme und Affiliate-Links

Auf unserer Website verwenden wir Affiliate-Links (z. B. über Travelpayouts). Wenn Sie über einen solchen Link eine Buchung oder einen Kauf tätigen, erhalten wir gegebenenfalls eine Provision. Für Sie entstehen dadurch keine zusätzlichen Kosten.

Zur Zuordnung einer Vermittlung können technische Informationen wie Referrer, Zeitstempel oder eine anonyme Kennung verarbeitet und in Cookies gespeichert werden. Diese Daten dienen ausschließlich der Abrechnung von Provisionen.

Verarbeitete Daten:

  • Nutzungsdaten
  • Vertragsdaten
  • Meta- und Kommunikationsdaten (z. B. IP-Adresse)

Betroffene Personen:

  • Websitebesucher
  • Interessenten

Zweck der Verarbeitung:

  • Abrechnung von Affiliate-Provisionen

Rechtsgrundlagen:

  • Einwilligung (Art. 6 Abs. 1 lit. a DSGVO), soweit erforderlich
  • Berechtigtes Interesse (Art. 6 Abs. 1 lit. f DSGVO)

Präsenzen in sozialen Netzwerken (Social Media)

Wir betreiben Profile auf sozialen Netzwerken, um mit Interessierten zu kommunizieren und über unsere Angebote zu informieren.

Bitte beachten Sie, dass die Betreiber dieser Plattformen personenbezogene Daten eigenverantwortlich verarbeiten. Dabei können Daten auch außerhalb der Europäischen Union verarbeitet und für Analyse- oder Werbezwecke verwendet werden.

Für Informationen zur Datenverarbeitung sowie zu Ihren Widerspruchs- und Datenschutzrechten verweisen wir auf die Datenschutzerklärungen der jeweiligen Anbieter.

Verarbeitete Daten:

  • Kontaktdaten
  • Inhaltsdaten
  • Nutzungsdaten

Betroffene Personen:

  • Nutzer unserer Social-Media-Kanäle

Zwecke der Verarbeitung:

  • Kommunikation
  • Öffentlichkeitsarbeit
  • Feedback

Rechtsgrundlage:

  • Berechtigtes Interesse (Art. 6 Abs. 1 lit. f DSGVO)

Eingesetzte Plattformen

Instagram

Facebook

Für unsere Facebook-Seite besteht eine gemeinsame Verantwortlichkeit mit Meta hinsichtlich der Erhebung bestimmter Nutzungsdaten (Seiten-Insights). Weitere Informationen finden Sie in den Datenschutzinformationen von Facebook.

Pinterest


Plug-ins und eingebettete Inhalte

Wir binden auf unserer Website Inhalte und Funktionen externer Anbieter ein, beispielsweise Karten, Videos oder Schriftarten. Damit diese Inhalte dargestellt werden können, wird Ihre IP-Adresse an den jeweiligen Anbieter übermittelt.

Je nach eingebundenem Dienst können zusätzlich Cookies gesetzt oder weitere technische Informationen verarbeitet werden. Soweit erforderlich, erfolgt dies erst nach Ihrer Einwilligung.

Verarbeitete Daten:

  • Nutzungsdaten
  • Meta- und Kommunikationsdaten
  • Standortdaten (bei Karten)

Betroffene Personen:

  • Websitebesucher

Zwecke der Verarbeitung:

  • Bereitstellung der Website
  • Verbesserung der Nutzerfreundlichkeit
  • Reichweitenmessung
  • Marketing
  • Tracking

Rechtsgrundlagen:

  • Einwilligung (Art. 6 Abs. 1 lit. a DSGVO)
  • Berechtigtes Interesse (Art. 6 Abs. 1 lit. f DSGVO)

Eingesetzte Dienste

Google Fonts

Zur einheitlichen Darstellung von Schriftarten werden Google Fonts verwendet. Dabei kann Ihre IP-Adresse an Google übertragen werden.

Font Awesome

Zur Darstellung von Symbolen verwenden wir Font Awesome, das lokal auf unserem Server gehostet wird. Dabei werden keine personenbezogenen Daten an den Anbieter übertragen.

Google Maps

Zur Darstellung interaktiver Karten verwenden wir Google Maps.

Pinterest-Plugins

Auf einzelnen Seiten können Inhalte oder Schaltflächen von Pinterest eingebunden sein.

YouTube

Zur Einbindung von Videos verwenden wir YouTube.

Weitere Informationen zu den Datenschutz- und Werbeeinstellungen von Google finden Sie unter:

Privacy Information for Whistleblowers

This section explains how we process personal data relating to individuals who submit reports (whistleblowers), as well as persons concerned and other parties involved in our whistleblowing procedure.


Categories of Personal Data Processed

We may process the following categories of personal data:

  • Identity data, such as full name, residential address, contact details, and customer number;
  • Employment data, including information relating to employees and other individuals within an organisation;
  • Contact data, such as postal and email addresses;
  • Content data, including written or visual communications and related information (e.g., authorship);
  • Usage data, such as page views, session duration, click paths, frequency and intensity of use, device types, and operating systems.

Categories of Data Subjects

This processing may relate to the following categories of individuals:

  • Customers and clients;
  • Employees (including applicants, temporary staff, and contractors);
  • Third parties;
  • Whistleblowers.

Purposes of Processing

Personal data are processed for the following purposes:

  • Receiving, reviewing, and investigating whistleblower reports;
  • Protecting whistleblowers;
  • Conducting internal investigations;
  • Complying with applicable legal obligations.

Legal Bases for Processing

Processing is carried out on the following legal bases under the General Data Protection Regulation (GDPR):

  • Consent (Article 6(1)(a) GDPR);
  • Compliance with a legal obligation (Article 6(1)(c) GDPR);
  • Legitimate interests (Article 6(1)(f) GDPR).

Where special categories of personal data are processed, Article 9(2)(g) GDPR may also apply.


Legal Basis under Austrian Law

Where we process personal data to comply with our obligations under the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz – HSchG), the legal basis is Article 6(1)(c) GDPR and, where special categories of personal data are involved, Article 9(2)(g) GDPR, each in conjunction with Section 8 HSchG.

This includes the establishment and operation of an internal whistleblowing reporting channel, the fulfilment of its statutory responsibilities, and the conduct of follow-up investigations where appropriate.


Categories of Personal Data Collected During the Reporting Procedure

As part of receiving and handling whistleblower reports, we may collect personal data including:

  • The name, contact details, and location of the reporting person;
  • The names and details of potential witnesses or other persons affected by the report;
  • The names and details of persons against whom the report is made;
  • Information concerning the alleged misconduct;
  • Any other information relevant to the investigation.

Special Categories of Personal Data

Where necessary, reports may contain special categories of personal data, including:

  • Health-related information;
  • Data revealing racial or ethnic origin.

Such data are processed only where permitted by applicable law and where necessary for handling the report.


Anonymous Reporting

Reports may be submitted anonymously.

Unless prohibited by applicable national law, we recommend providing your name and contact details. This enables us to investigate your report more effectively and, where appropriate, communicate with you regarding your report.

Where you choose to disclose your identity, your personal data will be treated with strict confidentiality.


Use of Our Online Reporting Forms

To enhance the protection of your privacy when using our online reporting forms, we recommend accessing them in your browser’s Incognito or Private Browsing mode.

You can enable private browsing as follows:

  • Windows: Press Ctrl + Shift + N.
  • macOS: Press Command + Shift + N.
  • Mobile devices: Open your browser’s tab menu and switch to Private or Incognito mode.

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR).


Disclosure of Personal Data

Personal data relating to whistleblower reports are disclosed to third parties only where:

  • you have given your explicit consent; or
  • disclosure is required by applicable law.

Recipients may include:

  • Public authorities;
  • Governmental, regulatory, or tax authorities;
  • External legal counsel and professional advisers engaged to investigate alleged misconduct and advise on appropriate follow-up measures, including disciplinary or legal proceedings;
  • Carefully selected service providers (such as operators of web-based whistleblowing platforms) acting on our behalf under data processing agreements and subject to appropriate confidentiality and data protection obligations.

Data Retention and Deletion

Personal data are retained only for as long as necessary to fulfil the purposes described above and in accordance with the section “General Information on Data Retention and Deletion.”

Once the personal data are no longer required, they will be securely deleted unless a longer retention period is required or permitted by law.


Technical and Organisational Measures

We have implemented appropriate contractual, technical, and organisational measures to safeguard all personal data processed in connection with the whistleblowing procedure.

These measures are designed to protect personal data against unauthorised access, disclosure, alteration, or destruction and to ensure that the data are processed exclusively for the purposes described in this Privacy Notice.


Changes and Updates

We encourage you to review this Privacy Notice regularly to remain informed about how we process personal data.

We will update this Privacy Notice whenever changes to our data processing activities make this necessary. Where such changes require your consent or another form of action on your part, or where individual notification is legally required, we will inform you accordingly.

If this Privacy Notice contains addresses or contact details of companies or organisations, please note that such information may change over time. We therefore recommend verifying the relevant contact details before making contact.

Definitions

This section provides an overview of the terms used in this Privacy Notice. Where these terms are defined by applicable law, the statutory definitions shall apply. The explanations below are intended to facilitate a better understanding of the terminology used.


Affiliate Tracking

Affiliate tracking refers to the recording of links through which referring websites direct users to websites offering products or services. Operators of referring websites may receive a commission if users follow these affiliate links and subsequently purchase products or use services.

To enable this functionality, affiliate links contain specific identifiers that allow providers to determine whether a user accessed an offer through a particular referral. These identifiers may be embedded in the link itself or stored by other means, such as cookies. They may include, for example, the referring website (referrer), timestamps, identifiers of the referring website and the advertised offer, user identifiers, advertising material IDs, partner IDs, and category identifiers.


Employees

Employees are individuals engaged in an employment relationship, including employees, workers, applicants, temporary staff, contractors, or persons in comparable positions.

An employment relationship is a legal relationship between an employer and an employee established by an employment contract or similar agreement. It includes the employer’s obligation to remunerate the employee in exchange for the employee’s work.

Employee data include all personal data relating to individuals in the context of their employment, such as identification details, personnel numbers, salary and banking information, working hours, leave entitlements, health-related information, and performance evaluations.


Identity Data

Identity data include essential information required to identify and manage contractual partners, user accounts, profiles, or similar relationships.

Such data may include names, contact details (such as postal addresses, telephone numbers, and email addresses), dates of birth, and unique identifiers (such as user IDs).


Content Data

Content data comprise information created, processed, or published in connection with content of any kind.

This includes text, images, audio recordings, videos, and other multimedia content, as well as associated metadata such as tags, descriptions, authorship information, and publication dates.


Contact Data

Contact data are information used to communicate with individuals or organisations.

They include telephone numbers, postal addresses, email addresses, social media identifiers, and instant messaging identifiers.


Metadata, Communication Data and Procedural Data

Metadata, communication data, and procedural data describe how data are processed, transmitted, and managed.

Metadata include information describing other data, such as file size, creation date, document author, and version history.

Communication data relate to the exchange of information through channels such as emails, telephone calls, social networks, and chat services, including details of participants, timestamps, and transmission methods.

Procedural data describe workflows, business processes, transaction records, activity logs, and audit trails used for operational and compliance purposes.


Usage Data

Usage data describe how users interact with digital products, services, or online platforms.

They may include information such as page visits, session duration, navigation paths, frequency of use, timestamps, IP addresses, device information, operating systems, and, where applicable, location data.

Usage data are used to analyse user behaviour, improve user experience, personalise content, optimise services, and identify trends or technical issues.


Personal Data

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”).

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (for example, a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.


Profiles Containing User-Related Information

The processing of profiles containing user-related information (“profiling”) refers to any form of automated processing of personal data used to analyse, evaluate, or predict certain personal aspects relating to an individual.

Depending on the purpose, profiling may involve analysing demographic information, behaviour, interests, website interactions, purchasing behaviour, or location data.

Profiling commonly involves the use of cookies and web beacons.


Log Data

Log data consist of information automatically recorded about events or activities within a system or network.

Typical log data include timestamps, IP addresses, user activities, error messages, and other information relating to the operation or use of a system.

Log data are commonly used for troubleshooting, security monitoring, and performance analysis.


Reach Measurement (Web Analytics)

Reach measurement, also referred to as web analytics, is used to analyse visitor traffic on online services.

It may include evaluating visitor behaviour and interests, such as which pages are visited, when they are accessed, and how users navigate through a website.

Pseudonymous cookies and web beacons are frequently used to recognise returning visitors and improve analytical accuracy.


Remarketing

Remarketing (or retargeting) refers to the practice of recording a user’s interest in products or services on one website in order to display relevant advertisements to that user on other websites.


Location Data

Location data are generated when a mobile device or another location-enabled device connects to a mobile network, Wi-Fi network, or similar positioning technology.

These data indicate the geographical location of the device and may be used to provide maps, location-based services, or geographically relevant information.


Tracking

Tracking refers to monitoring user behaviour across multiple online services.

Typically, information about users’ behaviour and interests is stored using cookies or on the servers of providers offering tracking technologies. This information may subsequently be used, for example, to display personalised advertisements based on a user’s likely interests.


Controller

The “Controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.


Processing

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means.

Processing includes virtually every activity involving personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.


Contract Data

Contract data comprise information relating to the establishment, performance, and management of contractual relationships.

This may include the identities of the contracting parties, contract commencement and termination dates, agreed products or services, pricing, payment terms, termination rights, renewal options, and other contractual conditions.

Contract data serve as the legal basis for contractual relationships and support the enforcement of rights and obligations.


Payment Data

Payment data include all information required to process payment transactions between customers and service providers.

Examples include payment card details, bank account information, payment amounts, transaction records, invoice information, authorisation details, payment status, refunds, chargebacks, and transaction fees.


Audience Creation

Audience creation (commonly referred to as Custom Audiences) involves defining target groups for advertising purposes.

For example, a user’s interest in particular products or services may be used to display advertisements for similar products or services.

Lookalike Audiences are created by identifying users whose characteristics or interests are similar to those of an existing target audience.

Custom Audiences and Lookalike Audiences are commonly created using cookies and web beacons.

Created using the free Privacy Policy Generator by Dr. Thomas Schwenke (Datenschutz-Generator.de).

Inhalt

📖