We take data protection seriously

Protecting your privacy when processing personal data is an important concern for us. When you visit our website, our web servers store the IP of your Internet service provider, the website from which you visit us, the web pages you visit on our site and the date and duration of your visit as standard. This information is essential for the technical transmission of the web pages and secure server operation. There is no personalized evaluation of this data.

If you send us data via the contact form, this data is stored on our servers as part of the data backup process. Your data will only be used by us to process your request. Your data will be treated as strictly confidential. It will not be passed on to third parties.

Responsible party:

ADAPURA Hotelbetreibungs GmbH
Austrasse 2a
A-6352 Ellmau

Phone: +43 50 3636 0
E-mail: welcome@adapura-wagrain.com

Personal data

Personal data is data about your person. This includes your name, your address and your e-mail address. You do not have to disclose any personal data in order to visit our website. In some cases, we need your name and address as well as other information in order to be able to offer you the requested service.

The same applies if we supply you with information material on request or if we answer your inquiries. In these cases, we will always point this out to you. Furthermore, we only store the data that you have transmitted to us automatically or voluntarily.

If you use one of our services, we generally only collect the data that is necessary to provide you with our service. We may ask you for further information, but this is voluntary. Whenever we process personal data, we do so in order to be able to offer you our service or to pursue our commercial objectives.

Contacting us

When contacting us (e.g. via contact form, email, telephone or social media), the details of the person making the inquiry are processed insofar as this is necessary to respond to the contact inquiry and any measures requested.

Contact inquiries are answered in the context of contractual or pre-contractual relationships in order to fulfil our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.

• Processed data types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Content data (e.g. entries in online forms).
• Data subjects: Communication partners.
• Purposes of processing: Contact requests and communication.
• Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 lit. f. GDPR).

Automatically stored data

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are

• Date and time of the request
• Name of the requested file
• Page from which the file was requested
• Access status (file transferred, file not found, etc.)
• Web browser and operating system used
• Complete IP address of the requesting computer
• Volume of data transferred

This data is not merged with other data sources. Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website.

For reasons of technical security, in particular to defend against attempted attacks on our web server, this data is stored by us for a short period of time. It is not possible for us to draw conclusions about individual persons from this data. After seven days at the latest, the data is anonymized by shortening the IP address at domain level so that it is no longer possible to establish a link to the individual user. The data is also processed in anonymized form for statistical purposes; it is not compared with other data sets or passed on to third parties, even in excerpts.

Processing of personal data during the booking process

As part of the booking process on our website, we collect and process the personal data required to process your reservation. This includes in particular

• Title, first name, surname

• E-mail address and telephone number

• Address (street, zip code, town, country)

• Details of fellow travelers (if specified)

• Payment information (depending on the selected payment method)

• Voluntary information such as comments or requests (types of diet etc.)

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR to carry out pre-contractual measures and to fulfill the booking contract.

The data is stored for the duration of the booking process and in accordance with statutory retention obligations and then deleted. If you have expressly consented to the sending of information and offers as part of the booking process, additional processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR (consent). This consent can be revoked at any time.

We use the re:Guest service and communication system from Zublena GmbH, Italy, to process booking inquiries, offers and reservations. This is used as part of order processing in accordance with Art. 28 GDPR.

We use the services of vioma GmbH, Industriestraße 27, 77656 Offenburg, Germany, to provide our online booking platform, inquiry forms and, if applicable, voucher or evaluation functions. These services are used as part of order processing in accordance with Art. 28 GDPR.

Cookies

Our website uses so-called cookies. Cookies are small data packets that do not cause any damage to your computer. They are stored on your end device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or your web browser automatically deletes them.

Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services).

Cookies have different functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies can be used to analyze user behavior or for advertising purposes.

Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services. Insofar as consent to the storage of cookies and comparable recognition technologies has been obtained, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDSG); consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted. You can find out which cookies and services are used on this website in this privacy policy.

You can change your settings for the use of cookies here at any time:

Consent Manager Platform (CMP)

We use a consent management service ("Consent Manager Platform (CMP)") on our website to inform you about the cookies and other technologies we use on our website and to obtain, manage and document any consent you may have given to the processing of your personal data by these technologies. This is necessary pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR to fulfill our legal obligation pursuant to Art. 7 para. 1 GDPR to be able to prove your consent to the processing of your personal data to which we are subject. The Consent Manager Platform (CMP) used is an offer from Pandectes, Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe/1 74626, Estonia, which processes your data on our behalf.

After you submit your cookie declaration on our website, the web server stores the following data IP address, device information, browser information, set language, accessed website or its URL, date and time of your declaration of consent and information about your consent behavior.

In addition, the following technologies are used, which contain information about your consent behavior: Cookies.

The data is stored exclusively in a cookie; personal data is not transmitted to the provider of the Consent Manager Platform (CMP). Your data will be deleted after one year, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

We have concluded an order processing contract (AV) in accordance with Art. 28 GDPR with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Google Analytics (4)

This website uses functions of the web analysis service Google Analytics, which is provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior of website visitors. In doing so, the website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data is summarized in a user ID and assigned to the respective end device of the website visitor.

We can also use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modeling approaches to supplement the collected data records and uses machine learning technologies for data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there. The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://privacy.google.com/businesses/controllerterms/mccs/.

Google is also certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified in accordance with the DPF undertakes to comply with these data protection standards.

Browser plugin [MOU1]

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. You can find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Google signals [MOU2]

We use Google signals. When you visit our website, Google Analytics collects data such as your location, search history and YouTube history as well as demographic data (visitor data). This data can be used for personalized advertising with the help of Google Signal. If you have a Google account, the visitor data from Google Signal is linked to your Google account and used for personalized advertising messages. The data is also used to compile anonymized statistics on the user behavior of our users.

Google Analytics e-commerce measurement [MOU3]

This website uses the "e-commerce measurement" function of Google Analytics. With the help of e-commerce measurement, the website operator can analyze the purchasing behavior of website visitors to improve its online marketing campaigns. Information such as orders placed, average order values, shipping costs and the time from viewing to purchasing a product is recorded. This data can be summarized by Google under a transaction ID that is assigned to the respective user or their device.

YouTube

This website integrates videos from the YouTube website. The operator of the website is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit one of our websites on which YouTube is integrated, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited.

Furthermore, YouTube can store various cookies on your device or use comparable technologies to recognize you (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent fraud attempts.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Further information on the handling of user data can be found in YouTube's privacy policy at: https://policies.google.com/privacy?hl=de.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.

Elfsight

On our website, we use functions of the provider Elfsight, Elfsight LLC, 300 Delaware Avenue, Suite 210, Wilmington, DE 19801, USA. Elfsight provides interactive widgets with which external content (e.g. social media feeds, maps, ratings) can be integrated.

When a page with an Elfsight widget is called up, connections to Elfsight servers or third parties (e.g. Meta, Google) may be established, depending on the configuration. In particular, the IP address, browser information and usage behavior may be recorded and processed.

The integration only takes place with your prior consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with. § 25 para. 1 TTDSG, insofar as technically necessary data is read out or stored by the end device (e.g. through integrated third-party content). Your consent is obtained via our consent banner and can be revoked there at any time.

Please note that the use of certain widgets also means that the transfer of personal data to the USA cannot be ruled out. Elfsight itself is certified in accordance with the EU-U.S. Data Privacy Framework, so that an appropriate level of data protection is guaranteed.

You can find further information at: https://elfsight.com/privacy-policy/

Mailchimp newsletter

This website uses the services of Mailchimp to send newsletters. The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.

Mailchimp is a service with which, among other things, the sending of newsletters can be organized and analyzed. If you enter data for the purpose of subscribing to the newsletter (e.g. e-mail address), this data is stored on Mailchimp's servers in the USA.

With the help of Mailchimp, we can analyze our newsletter campaigns. When you open an email sent with

Mailchimp, a file contained in the email (known as a web beacon) connects to Mailchimp's servers in the USA. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on. Technical information is also collected (e.g. time of access, IP address, browser type and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients.

If you do not wish to be analyzed by Mailchimp, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message. Data processing takes place on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.

You can obtain further information on this from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000TXVKAA4&status=Active

For more information, please refer to Mailchimp's privacy policy at

https://mailchimp.com/legal/terms/.

We have concluded a data processing agreement (DPA) in accordance with Art. 28 GDPR with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Online presence on social media

If you have given your consent to the respective social media operator in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presences on our social media channels, from which user profiles are created using pseudonyms. These can be used, for example, to place advertisements within and outside the platforms that presumably correspond to your interests. Cookies are generally used for this purpose. For detailed information on the processing and use of the data by the respective social media operator as well as a contact option and your rights and setting options for protecting your privacy, please refer to the respective linked data protection notices of the providers on their websites. If you still need help in this regard, you can contact us.

Storage period

We generally store personal data for as long as it is necessary for the purposes of the corresponding processing, statutory or regulatory retention periods exist or we have a legitimate interest in storing the data or have the corresponding consent of the data subject.

We store certain data in accordance with the following rules for the duration specified in each case and delete or destroy it after the specified storage period has expired:

• If the processing is based on your consent, we will delete the data concerned after you withdraw your consent

• If none of the following retention periods apply, we delete the data after the purpose of the processing has expired

• 3 years: Data and content relating to legal transactions (including their preparation) to the extent necessary for information and defense as well as for the assertion or defense of claims. This also includes data for marketing and customer support, unless they also fall under a category for a longer storage period.

• 6 years: Commercial letters received and sent (§257 para. 1 no. 2 and 3, para. 4 HGB)

• 10 years: documents relevant for taxation, accounting vouchers, trading books (§§ 147 para. 1 AO, 257 para. 1 no. 1 and 4, para. 4 HGB).

• 30 years: Data that is stored due to special circumstances in our own or third party interests, as there are corresponding limitation periods or special retention periods (e.g. enforcement orders, special limitation periods).

Recipients of personal data

Personal data is regularly processed by us as the controller. However, processing by transferring or disclosing personal data to third parties may be necessary in the course of carrying out our activities, in particular if one of the following reasons exists based on the stated legal basis:

• It is necessary for the performance of a contract with the data subject or the implementation of pre-contractual measures at their request (Art. 6 para. 1 lit. b GDPR).

• The disclosure is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that the data subject has an overriding interest worthy of protection in not disclosing their data (Art. 6 para. 1 lit. f GDPR).

• There is a legal obligation to pass on the data (Art. 6 para. 1 lit. c GDPR).

• We have a valid consent (Art. 6 para. 1 lit. a GDPR).

Categories of recipients in the context of our activities and operations may include, in particular

• Postal, telecommunications and transportation service providers

• Payment and financial service providers

• Sales and business partners and other persons and companies involved in the provision of services

• Authorities, courts, opposing parties, other parties involved

In addition, we point out in the individual processing operations if other recipients come into consideration.

Order processing by service providers

To carry out our activities in the context of processing personal data, we also use service providers bound by instructions as processors in accordance with Art. 28 GDPR, who are also considered recipients of the data within the meaning of data protection. A contract for order processing ensures in particular that the processing is carried out on the basis of our instructions, that there are sufficient guarantees to comply with suitable technical and organizational measures and that the rights of data subjects are guaranteed.

We generally use service providers for the following processing purposes:

• Hosting of our online services/websites with providers (infrastructure and platform services, computing capacity, storage space and database services).
• Care, maintenance and servicing of the online offers/websites.
• Implementation, care, maintenance and servicing of IT systems.
• Document and information management.
• Communication, contact and conference systems (e-mail, contacts, appointments, messenger, video conferencing, etc.).
• File and data carrier destruction

Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time, either as a whole or for individual measures, without incurring any costs other than the transmission costs according to the basic rates.

Subject to the legal requirements of Section 7 (3) UWG, we are entitled to use the e-mail address you provided when concluding the contract for direct advertising for our own similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter.

If you do not wish to receive such recommendations from us by e-mail, you can object to the use of your address for this purpose at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form is sufficient for this. Of course, an unsubscribe link is always included in every e-mail.

Security

We have taken technical and administrative security precautions to protect your personal data against loss, destruction, manipulation and unauthorized access. All our employees and service providers working for us are obliged to comply with the applicable data protection laws.

Whenever we collect and process personal data, it is encrypted before it is transferred. This means that your data cannot be misused by third parties. Our security precautions are subject to a continuous improvement process and our data protection declarations are constantly being revised. Please ensure that you have the latest version.

Rights of data subjects

You have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing and a right to data portability and to lodge a complaint at any time in accordance with the requirements of data protection law.

Right to information:

You can request information from us as to whether and to what extent we process your data.

Right to rectification:

If we process your data that is incomplete or incorrect, you can request that we correct or complete it at any time.

Right to erasure:

You can demand that we erase your data if we process it unlawfully or if the processing disproportionately interferes with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention obligations.

Irrespective of the exercise of your right to erasure, we will erase your data immediately and completely, provided that there is no legal or statutory retention obligation to the contrary.

Right to restriction of processing:

You can demand that we restrict the processing of your data if

• you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data
• the processing of the data is unlawful, but you oppose the erasure of the data and request the restriction of its use instead
• we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or
• you have objected to the processing of the data.

Right to data portability:

You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transmit this data to another controller without hindrance from us, provided that

• we process this data on the basis of your revocable consent or for the performance of a contract between us, and
• this processing is carried out by automated means.

If technically feasible, you can request that we transfer your data directly to another controller.

Right to object:

If we process your data on the basis of legitimate interest, you can object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.

Right to lodge a complaint:

If you are of the opinion that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.

If you wish to assert one of these rights against us, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.

Changes to this privacy policy

We reserve the right to amend our privacy policy should this be necessary due to new technologies. Please ensure that you have the latest version. If fundamental changes are made to this privacy policy, we will announce these on our website.

All interested parties and visitors to our website can contact us regarding data protection issues at

Mr. Christian Volkmer

Project 29 GmbH & Co KG
Ostengasse 14
93047 Regensburg

Phone: 0941 2986930
Fax: 0941 29869316
E-Mail: anfragen@projekt29.de
Internet: www.projekt29.de