
Privacy Policy

Hotel Bavaria Oberstaufen

1. Data Controller

Hotel Bavaria Oberstaufen
Bergstraße 12
87534 Oberstaufen, Germany

Phone: +49838693250
Email: privacy@bavaria-oberstaufen.de

The controller in the sense of the General Data Protection Regulation (GDPR) is Hotel Bavaria Oberstaufen.

 

2. General Information on Data Processing

The protection of your personal data is very important to us. We process personal data exclusively within the framework of the applicable data protection laws, in particular:

  • General Data Protection Regulation (GDPR)

  • German Federal Data Protection Act (BDSG)

  • Telecommunications and Digital Services Data Protection Act (TDDDG)

This privacy policy provides information about what data we collect, how we use it, and what rights you have.

To secure your data, we use appropriate technical and organizational measures (TOMs) to protect it from loss, misuse, or unauthorized access.

3. Purposes and Legal Bases of Processing

We only process personal data when permitted. This includes, in particular, the following purposes:

  • Operation, maintenance, and security of our website

  • Communication with guests, prospective customers, and partners

  • Processing of bookings, handling of the stay, and billing

  • Fulfillment of legal obligations (e.g., registration law, tax law)

  • Marketing, analysis, and advertising purposes (only with consent)

  • Safeguarding legitimate interests (e.g., IT security, service optimization)

 

Legal bases according to Art. 6 (1) GDPR:

  • lit. a – Consent

  • lit. b – Contract / pre-contractual steps

  • lit. c – Legal obligation

  • lit. f – Legitimate interest

 

4. Website hosting

Our website is operated by:

Wix.com Ltd.
40 Namal Tel Aviv St., Tel Aviv 6350671, Israel
EU establishment: Wix Online Platforms Ltd., 1 Grant’s Row, Dublin 2, Ireland

Purpose: Hosting, operation, delivery, and maintenance of the website.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure operation).

Israel has an adequate level of data protection recognized by the EU; further transfers are secured by Standard Contractual Clauses (SCC).

More info: https://www.wix.com/about/privacy

5. Consent Management with Usercentrics

We use the tool:

Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany

Purpose: Management and documentation of cookie and tracking consents.

Data processed:
Consent ID, timestamp, consent status, browser & device information, truncated IP address.

Legal bases:

  • Art. 6 (1) (c) GDPR (legal obligation),

  • Art. 6 (1) (f) GDPR (obligation to provide proof),

  • for voluntary cookies: Art. 6 (1) (a) GDPR.

More info: https://usercentrics.com/privacy-policy


6. Security and Encryption

Our website uses SSL/TLS encryption (HTTPS).
Server logs (IP address, timestamp, browser data, referrer) are used for security, error analysis, and system maintenance.

Legal basis: Art. 6 (1) (f) GDPR.
 

7. Web Analytics & Tag Management

a) Google Analytics

Provider: Google Ireland Ltd., Dublin
Data: Usage data, pseudonymized IP address (IP masking).
Purpose: Statistical analysis of website usage.
Legal basis: Consent (Art. 6 (1) (a) GDPR).
Transfer to the USA is based on SCC.

More info: https://policies.google.com/privacy


b) Google Tag Manager

Purpose: Management of tracking scripts.
The Google Tag Manager itself does not process any personal data.
Legal basis: Art. 6 (1) (f) GDPR.

c) Microsoft Clarity

Provider: Microsoft Corporation, USA.
Data: Pseudonymized interaction data (scrolls, clicks, mouse movements).
Input in forms is masked.
Legal basis: Consent (Art. 6 (1) (a) GDPR).
USA transfer: SCC.

More info: https://privacy.microsoft.com/en-us/privacystatement

8. Online Marketing Tools

a) Google Ads / Conversion Tracking

Used for the analysis and optimization of our advertising campaigns.
Legal basis: Consent (Art. 6 (1) (a) GDPR).
Transfer to the USA: SCC.

b) Meta Pixel (Facebook / Instagram)

Purpose: Evaluation and optimization of campaigns.
Legal basis: Consent.
More info: https://www.facebook.com/privacy/policy

c) TikTok Pixel

Purpose: Measurement of advertising effectiveness.
Legal basis: Consent.
More info: https://www.tiktok.com/legal/privacy-policy

9. Email Marketing / Newsletter (Brevo / Sendinblue)

 

Provider: Brevo GmbH, Köpenicker Straße 126, 10179 Berlin, Germany

Data: Email address, name, time of the double opt-in, analysis (with consent).
Purpose: Sending newsletters and providing proof of consent.
Legal bases:

  • Art. 6 (1) (a) GDPR

  • Art. 6 (1) (b) GDPR (contractual communication)

More info: https://www.brevo.com/legal/privacypolicy/


10. Fonts (Adobe Fonts / Local)

For the display of the website, we use Adobe Fonts or locally hosted web fonts.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest).

More info: https://www.adobe.com/privacy/policies/adobe-fonts.html


11. Booking and Guest Management Systems

11.1 Online Booking & Channel Management (DIRS21 / DIRS Channelmanager)

We use DIRS21 and the DIRS Channelmanager to process online bookings and synchronize availabilities.

Data processed:
Name, contact details, stay data, payment information, booking details.

Purpose: Execution and management of bookings.
Legal basis: Art. 6 (1) (b) GDPR.

More info: https://www.dirs21.de/datenschutz (Link is in German)

11.2 Property Management System (PMS)

We use a Property Management System to manage the processes related to your stay.

Data processed:
Guest master data, reservation data, billing data, payment information, communication, check-in/check-out, log data.

Purpose: Fulfillment of the accommodation contract, billing, guest services, statutory documentation obligations.

Legal bases:

  • Art. 6 (1) (b) GDPR

  • Art. 6 (1) (c) GDPR

 

11.3 Guest Registration System (Germany)

We transmit legally required registration data in accordance with the German Federal Registration Act (BMG).

Data:
Name, address, date of birth, nationality, travel dates, number of accompanying persons.

Recipients:
Registration authority of the municipality of Oberstaufen, and tourist organizations if applicable.

Legal basis: Art. 6 (1) (c) GDPR.

12. Recipients of Data

Recipients may include:

  • Processors (e.g., Wix, Usercentrics, Brevo, DIRS, PMS provider)

  • Legal bodies and authorities

  • Payment service providers

  • IT and support service providers

All processors are contractually bound according to Art. 28 GDPR.

13. Storage Period & Deletion

We store personal data only as long as it is necessary for the fulfillment of the purposes or as required by law.

Typical periods in Germany:

  • Accounting records: 10 years

  • Registration data: according to BMG

  • Technical server logs: max. 6 months

After the period expires, the data is deleted or anonymized.


14. Rights of the Data Subject

You have the right to:

  • Access (Art. 15 GDPR)

  • Rectification (Art. 16 GDPR)

  • Erasure (Art. 17 GDPR)

  • Restriction of processing (Art. 18 GDPR)

  • Data portability (Art. 20 GDPR)

  • Object (Art. 21 GDPR)

  • Withdraw your consent (Art. 7 (3) GDPR)

Contact: privacy@bavaria-oberstaufen.de

 

15. Right to Lodge a Complaint

The competent supervisory authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
[Bavarian State Office for Data Protection Supervision]
Promenade 27
91522 Ansbach, Germany
Web: https://www.lda.bayern.de

16. Changes to this Privacy Policy

We reserve the right to update this privacy policy if legal, technical, or organizational changes make it necessary.
