Privacy Policy

Hotel BOLLWERK Immenstadt & Guest WebApp (straiv)
Version: October 2025

  1. Data Protection at a Glance

1.1 General Information

The following information provides a straightforward overview of what happens to your personal data when you visit our website or use the Guest WebApp. Personal data refers to all data that can be used to identify you personally. This privacy policy explains what data we collect and how we use it. It also explains how and for what purposes this occurs.

Please note that data transmission over the internet (e.g. when communicating via email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

1.2 Data Collection on the Website and WebApp

Controller responsible for data processing:
g²hotels GmbH, Keltenstraße 17, 72320 Wendlingen
Phone: +49 7022 90504-200
Email: info@g2hotels.de

Data Protection Officer: Reachable via the contact details above.

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data (e.g. names, email addresses, etc.).

How do we collect your data?
Some data is collected when you provide it to us directly (e.g. via a contact form or during digital check-in via the WebApp). Other data is automatically collected by our IT systems when you visit the website or use the WebApp (e.g. IP address, browser type, time of access).

What do we use your data for?
To provide technical functionality, analyze user behavior, manage bookings, and communicate with you.

What rights do you have regarding your data?
You have the right to obtain information free of charge at any time about the origin, recipients, and purpose of your stored personal data. You also have the right to request the correction or deletion of your data. If you have given consent to data processing, you may withdraw this consent at any time for the future. Additionally, you have the right, under certain circumstances, to request the restriction of processing your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

You may contact us at any time with questions regarding data protection.

  2. Hosting and Data Processing on Behalf

Our website is externally hosted by Ratiokontakt GmbH, Biegenhofstraße 13, 96103 Hallstadt. The Guest WebApp is operated externally by straiv GmbH, Industriestraße 23, 70565 Stuttgart.

We have entered into data processing agreements in accordance with Art. 28 GDPR with both providers.

Personal data collected on this website is stored on the servers of the hosting providers. This may include IP addresses, contact requests, metadata and communication data, contract data, contact details, names, website accesses, and other data generated via the website.

External hosting is carried out:

  • for the performance of a contract with potential and existing customers (Art. 6(1)(b) GDPR),
  • in the interest of secure, fast, and efficient provision of our online services (Art. 6(1)(f) GDPR),
  • and, where consent is obtained, based exclusively on Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG, especially when cookies or device access are involved.

Consent may be revoked at any time. Our hosting providers process your data only as necessary for fulfilling their service obligations and follow our instructions regarding such data.

  3. General Notes on Data Processing and Mandatory Information

3.1 Legal Basis for Data Processing

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with applicable data protection laws and this privacy policy. Data processing is always based on one of the following legal grounds:

  • Art. 6(1)(a) GDPR: Consent
  • Art. 6(1)(b) GDPR: Contract performance / pre-contractual measures
  • Art. 6(1)(c) GDPR: Legal obligation
  • Art. 6(1)(f) GDPR: Legitimate interest

Legal Basis for Data Processing on this Website

If you have given your consent to the processing of your data, we process your personal data based on Art. 6(1)(a) GDPR or, if special categories of data are processed, Art. 9(2)(a) GDPR. If you have expressly consented to the transfer of personal data to third countries, the data processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or access to information on your device (e.g. via device fingerprinting), data processing is also based on § 25(1) TTDSG. Consent can be revoked at any time.

If your data is necessary for the performance of a contract or for pre-contractual measures, we process your data based on Art. 6(1)(b) GDPR. If required for compliance with a legal obligation, we process your data based on Art. 6(1)(c) GDPR. Data processing may also be carried out based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. The relevant legal basis in each individual case is explained in the sections of this privacy policy.

3.2 Retention Period

Unless a more specific retention period is specified in this privacy policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you request the deletion of your data or revoke your consent, your data will be deleted unless we are legally obliged to retain it (e.g. tax or commercial law retention periods). In such cases, deletion takes place after the expiry of the statutory retention periods.

3.3 Transfer of Data to the USA and Other Third Countries

We use tools provided by companies based in the USA or other countries that do not provide a level of data protection comparable to that of the EU. When these tools are active, your personal data may be transferred to and processed in those countries. Please note that in such countries, adequate data protection standards cannot be guaranteed. For example, U.S. companies may be required to disclose personal data to security authorities without any legal recourse available to the data subject.

It cannot be ruled out that U.S. authorities (e.g. intelligence services) process, evaluate, and store your data located on U.S. servers for surveillance purposes. We have no control over such processing.

3.4 Revocation of Your Consent to Data Processing

Many data processing operations are only possible with your express consent. You may revoke your consent at any time. The lawfulness of processing carried out up to the time of revocation remains unaffected.

Right to Object to Data Collection in Special Cases and to Direct Marketing (Art. 21 GDPR)
If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. This also applies to profiling based on these provisions. The respective legal basis for processing can be found in this privacy policy.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms or the processing is for the establishment, exercise, or defense of legal claims (objection pursuant to Art. 21(1) GDPR).

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, including profiling related to such marketing. If you object, your personal data will no longer be used for direct marketing purposes (objection pursuant to Art. 21(2) GDPR).

  4. Data Collection and Usage

4.1 On the Hotel Website

We use various tools and plugins:

Cookies
Our website uses “cookies.” Cookies are small data packets that do not cause any harm to your device. They may be stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after your visit. Persistent cookies remain stored on your device until you delete them manually or your browser deletes them automatically.

Cookies from third-party companies (third-party cookies) may also be stored on your device when you access our website. These cookies enable us or you to use specific services offered by the third-party company (e.g., cookies for processing payment services).

Cookies serve various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g., the shopping cart function or video display). Other cookies are used to analyze user behavior or display advertisements.

Cookies that are necessary for the electronic communication process, for providing certain functions requested by you (e.g., shopping cart function), or for optimizing the website (e.g., audience measurement cookies) are stored based on Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies to ensure the technically error-free and optimized provision of its services. Where consent for the storage of cookies and similar recognition technologies has been requested, processing is based solely on this consent (Art. 6(1)(a) GDPR and § 25(1) TTDSG); the consent can be revoked at any time.

You can configure your browser to inform you about the use of cookies, allow cookies only in individual cases, exclude the acceptance of cookies for specific cases or in general, and activate automatic deletion of cookies when closing the browser. Disabling cookies may restrict the functionality of this website.

If cookies from third-party companies or for analytical purposes are used, you will be informed about this separately in this privacy policy, and consent may be requested.

Consent Tool
This website uses the Complianz consent management tool (Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands). Complianz stores your consent locally in a cookie.
Legal basis: Art. 6(1)(c) GDPR
More information: https://complianz.io/legal/

Complianz is hosted on our servers, so no connection is established with the provider’s servers. Complianz stores a cookie in your browser to assign the given consents or revocations. The collected data is stored until you request its deletion, delete the Complianz cookie yourself, or the purpose for storage no longer applies. Mandatory legal retention obligations remain unaffected.

Analytics and Tracking Tools

  • Google Analytics (Google Ireland Limited): Usage data, behavior, device information. Art. 6(1)(a) GDPR.
    This website uses the functions of the web analytics service Google Analytics. Provider: Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics allows the website operator to analyze the behavior of website visitors. This includes data such as page views, time spent on site, operating systems used, and the user’s origin. These data are assigned to the user’s respective device. No assignment to a user ID is made.

We can also record mouse and scroll movements and clicks with Google Analytics. Additionally, Google Analytics uses modeling techniques and machine learning to supplement the collected data.

Google Analytics uses technologies that allow user recognition for analyzing behavior (e.g., cookies or device fingerprinting). Information collected by Google is usually transmitted to and stored on Google servers in the United States.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.

Data transfers to the USA are based on the EU Commission’s standard contractual clauses. Details: https://privacy.google.com/businesses/controllerterms/mccs/

  • Google Analytics E-Commerce Tracking
    This website uses the “E-Commerce Tracking” feature of Google Analytics. This allows the website operator to analyze the purchasing behavior of website visitors to improve online marketing campaigns. This includes orders, average order values, shipping costs, and the time from product view to purchase. These data can be combined under a transaction ID.
  • Google Ads: Conversion Tracking, Remarketing. Art. 6(1)(a) GDPR.
    We use Google Ads, an online advertising program from Google Ireland Limited. Google Ads allows the display of ads in Google’s search engine or on third-party websites when certain search terms are used (keyword targeting). It also enables ad targeting based on user data (e.g., location, interests).

We can evaluate the effectiveness of our ads, such as which keywords led to clicks. Use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.

Transfers to the USA are based on EU standard contractual clauses. Details: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/

  • IP Anonymization: We use WP Statistics with anonymized IPs.
    • WP Statistics: Visitor statistics based on locally stored IPs. No third-country transfer. Art. 6(1)(f) GDPR.

We use the analytics tool WP Statistics, provided by Veronalabs, ARENCO Tower, 27th Floor, Dubai Media City, UAE.

WP Statistics helps us analyze website usage, including logs (IP address, referrer, browser used, user origin, search engine), and actions taken by visitors (e.g., clicks, views). The data is stored only on our server.

Use of this tool is based on Art. 6(1)(f) GDPR. We have a legitimate interest in anonymized analysis of user behavior to optimize both our website and advertising. Where user consent is required, processing is based on Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent can be withdrawn at any time.

Server Log Files
The site provider automatically collects and stores information in server log files that your browser automatically transmits to us:

  • Browser type and version
  • Operating system
  • Referrer URL
  • Hostname of the accessing computer
  • Time of server request
  • IP address

These data are not combined with other data sources.
The collection is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of the website, which requires server log files.

Contact Form
When you send inquiries via the contact form, we store your information including the contact details you provide for the purpose of processing the inquiry and any follow-up questions. We do not share this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your request is related to a contract or pre-contractual measures. Otherwise, processing is based on our legitimate interest (Art. 6(1)(f) GDPR) or your consent (Art. 6(1)(a) GDPR), where applicable. Consent can be revoked at any time.

Data entered in the contact form remains with us until you request deletion, withdraw your consent, or the purpose for storage no longer applies. Mandatory legal provisions—especially retention periods—remain unaffected.

Inquiries via Email, Phone, or Fax
If you contact us via email, phone, or fax, your inquiry, including any resulting personal data (name, inquiry), will be stored and processed for the purpose of handling your request. We do not share this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your inquiry relates to a contract or pre-contractual steps. In all other cases, processing is based on our legitimate interest (Art. 6(1)(f) GDPR) or your consent (Art. 6(1)(a) GDPR), where applicable. Consent can be revoked at any time.

Your data from contact inquiries will remain with us until you request deletion, withdraw your consent, or the purpose for storing the data ceases. Legal retention obligations remain unaffected.

Google Forms
We use Google Forms provided by Google Ireland Limited to collect structured input from visitors (e.g., messages, inquiries). Entries are processed on Google’s servers.

Google Forms stores a cookie containing a unique ID (NID cookie), which includes info like language preferences.

Use of Google Forms is based on our legitimate interest (Art. 6(1)(f) GDPR) in user-friendly form processing. If consent is requested, processing is based solely on Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent can be revoked at any time.

Data entered in forms will remain with us until deletion is requested, consent is withdrawn, or the purpose of processing no longer exists. Legal retention obligations remain unaffected.

More information: https://policies.google.com/

Google Fonts (Local Hosting)
To ensure uniform font presentation, this site uses locally hosted Google Fonts. No connection to Google servers is established.
More info: https://developers.google.com/fonts/faq and https://policies.google.com/privacy?hl=en

ManageWP
We manage our site using ManageWP (GoDaddy.com WP Europe, Trg republike 5, 11000 Belgrade, Serbia).

ManageWP allows us to monitor performance and security and create backups. It has access to all website content and databases.

Use is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in effective and secure website operation. Where applicable, processing is based on Art. 6(1)(a) GDPR and § 25(1) TTDSG.

Consent can be revoked at any time.

  5. Cookies and Tracking Technologies

Our website and WebApp use cookies and similar technologies. Technically necessary cookies are stored without consent (Art. 6(1)(f) GDPR). All other cookies are stored only with your consent (Art. 6(1)(a) GDPR; Sec. 25(1) TTDSG). You may withdraw your consent at any time.

Complianz Consent Tool

We use the Complianz Consent Management Tool to obtain and document your cookie preferences in a legally compliant manner.

  • Provider: Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands
  • Hosting: Locally hosted on our server — no connection to external servers is made.
  • Data: A cookie stores your consent or withdrawal.
  • Storage duration: Data is stored until its purpose no longer applies, you delete the cookie, or request deletion.
  • Legal basis: Art. 6(1)(c) GDPR

  6. Cookies & Technologies in the Guest WebApp (straiv)

Technically Necessary Cookies / Local Storage

| Name | Purpose | Duration | Provider |
| --- | --- | --- | --- |
| swVersion | Stores Service Worker version | 1 year | straiv GmbH |
| current_version | Stores software version | 1 year | straiv GmbH |
| current_guest | Stores guest session | 1 year | straiv GmbH |
| current_business | Stores hotel info (name, address, media links) | 1 year | straiv GmbH |
| _secure__ls__metadata | Stores encrypted metadata | 1 year | straiv GmbH |

  • Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR

Third-Party Cookies (Analytics & Tracking via straiv)

| Tool | Purpose | Duration | Provider |
| --- | --- | --- | --- |
| Google Maps | Map display | 3 months | Google Ireland Ltd. |
| SmartBear | App monitoring / error logs | Session | SmartBear Software (USA) |
| PostHog | Product analytics | Session | PostHog Inc. (USA) |
| Datadog | Analytics & monitoring | Session | Datadog Inc. (USA) |

  • Legal basis: Consent under Art. 6(1)(a) GDPR

  7. Social Media

Social Media Elements via Shariff

Our website integrates social media elements (e.g., Facebook, Twitter, Instagram, Pinterest, XING, LinkedIn, Tumblr). These elements are implemented using the “Shariff” solution to ensure privacy.

Only when you actively click on a social media button is a connection established with the provider’s server (implying your consent). When activated, the provider may receive your IP address and may link your website visit with your user account.

  • Legal basis: Consent under Art. 6(1)(a) GDPR and Sec. 25(1) TTDSG
  • This consent can be revoked at any time.

  8. Data Disclosure to Third Parties

Your personal data will only be disclosed to third parties in the following cases:

  • For contract fulfillment (e.g., payment service providers)
  • To processors (e.g., straiv, hosting providers)
  • Based on legal obligations
  • With your explicit consent

Transfers to third countries (e.g., USA) only occur with appropriate safeguards such as EU Standard Contractual Clauses or if the recipient participates in the EU-U.S. Data Privacy Framework.

  9. eCommerce and Payment Providers

9.1 Processing of Customer and Contract Data

We collect, process, and use personal customer and contract data for the purpose of initiating, fulfilling, and terminating contractual relationships. Usage data is collected only as necessary to enable and bill the use of our services.

  • Legal basis: Art. 6(1)(b) GDPR
  • Retention: Customer data will be deleted once the contract has ended and any statutory retention periods have expired.

  10. Data Retention

Personal data will be deleted once the purpose for processing has ceased, or you have withdrawn your consent. Statutory retention periods (e.g., under tax law) remain unaffected.

  11. Communication via WhatsApp and Chatbot

WhatsApp Communication
We contact guests and offer the possibility to communicate with us via the WhatsApp messenger service.

Provider: WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

In this process, personal data is processed, particularly: name, telephone number, message content, and possibly booking details. WhatsApp LLC (USA) is certified under the EU-U.S. Data Privacy Framework (DPF).

Legal basis: Your consent pursuant to Art. 6 (1) lit. a GDPR. You may revoke this consent at any time with effect for the future – e.g., by sending a message containing the word “REVOKE” or via email to us.

To offer communication via WhatsApp, the software provider straiv GmbH employs Bird B.V., Gelrestraat 16, 1079 MZ, Amsterdam, as a sub-processor pursuant to Art. 28 GDPR. In some cases, WhatsApp LLC (USA) receives personal data (especially communication metadata) from WhatsApp Ireland Ltd., which may be processed on servers located outside the EU (e.g., in the USA). WhatsApp shares this data with other companies within and outside the Meta Group. Further details are available in WhatsApp’s Privacy Policy: https://www.whatsapp.com/legal/#privacy-policy.

Chatbot
Our website may use a chatbot provided by straiv GmbH, Industriestraße 23, 70565 Stuttgart, Germany. The chatbot is used to answer questions regarding our hotel and your stay. To optimize its responses, the chatbot processes the following personal data: first name, age, reservation number, arrival and departure dates. Any additional personal data you enter into the chatbot will also be processed.

Straiv processes this data solely to respond to inquiries and does not use the data for its own purposes. Chat data is deleted after one year.

Legal basis: Your consent pursuant to Art. 6 (1) lit. a GDPR. You can revoke this consent at any time by closing the chatbot window. The lawfulness of processing based on consent prior to revocation remains unaffected.

  12. Job Applications

12.1 We process application data pursuant to Section 26 BDSG in conjunction with Art. 6 (1) lit. b GDPR.

Rejected applications will be deleted after 6 months, unless a longer retention period is required by consent or legal obligation.

We offer you the opportunity to apply with us (e.g., via email, postal mail, or online application form). Below we inform you of the scope, purpose, and use of the personal data collected as part of the application process. We assure you that your data will be collected, processed, and used in accordance with applicable data protection laws and all other statutory provisions, and will be treated as strictly confidential.

12.2 Scope and Purpose of Data Collection
When you submit an application, we process the related personal data (e.g., contact and communication data, application documents, interview notes, etc.), as required to make a hiring decision.

Legal basis: Section 26 BDSG (initiation of an employment relationship), Art. 6 (1) lit. b GDPR (general contractual initiation), and – if consent has been given – Art. 6 (1) lit. a GDPR. Consent may be revoked at any time. Within our company, your data will only be shared with those involved in the hiring process.

If your application is successful, the submitted data will be stored for employment purposes in our data systems under Section 26 BDSG and Art. 6 (1) lit. b GDPR.

12.3 Retention Period for Application Data
If we cannot offer you a position or if you reject an offer or withdraw your application, we reserve the right to retain the data you provided based on our legitimate interests (Art. 6 (1) lit. f GDPR) for up to six months after the conclusion of the application process. Thereafter, the data will be deleted, and any physical documents will be destroyed. Retention serves as evidence in the event of legal claims. If it is apparent that the data will still be needed after the six-month period (e.g., due to pending litigation), deletion will occur once the purpose no longer applies.

Longer retention may also occur if you have provided consent (Art. 6 (1) lit. a GDPR) or if statutory retention obligations prevent deletion.

  13. Obligation to Provide Data
    Providing personal data in the guest web app is mandatory for check-in, registration, and payment. Without this information, a stay at Hotel BOLLWERK is not possible.

  14. Right to Object
    If we process your personal data based on a balancing of interests, you may object to such processing at any time. The legitimate interests are specified in each case in this privacy policy. If you object, please provide reasons why your personal data should not be processed as described. We will examine your objection and either stop or adjust data processing, or explain our compelling legitimate grounds.

You may object to the processing of your personal data for direct marketing purposes (including related profiling) at any time without providing reasons. Your data will no longer be processed for these purposes.

You can notify us of your objection via the contact details provided above.

  15. Changes to this Privacy Policy
    This privacy policy is current as of October 2025. As software evolves or legal/regulatory requirements change, it may become necessary to amend this policy. The German-language version is legally binding.