Privacy policy Holidu

Introduction and general information

Thank you for your interest in our website. The protection of your personal data is very important to us. In the following, you will find information on how we handle your data that is collected through your use of our website, as well as information on how we handle your data if you are a customer, interested party or business partner. Your data will be processed in accordance with the legal regulations on data protection.

Person responsible within the meaning of the DSGVO

Holidu GmbH    
Riesstraße 24    
80992 Munich    
service@holidu.com

Contact details of the data protection officer

Proliance GmbH / www.datenschutzexperte.de
Data Protection Officer    
Leopoldstrasse 21    
80802 Munich    
datenschutzbeauftragter@datenschutzexperte.de

When contacting the Data Protection Officer, please state the company to which your enquiry relates. Please refrain from enclosing sensitive information, such as a copy of an ID card, with your request.

Definitions

Our privacy policy is intended to be simple and understandable for everyone. In this privacy policy, the official terms of the General Data Protection Regulation (GDPR; German abbreviation: DSGVO) are generally used. The official definitions are explained in Art. 4 DSGVO.

Access to and storage of information in terminal equipment

By using our website, information (e.g. IP address) may be accessed or stored (e.g. cookies) in your terminal equipment. This access or storage may involve further processing of personal data within the meaning of the GDPR.    
In cases where such access to information or such storage of information is absolutely necessary for the technically error-free provision of our services, this is done on the basis of § 25 para. 1 sentence 1, para. 2 no. 2 TDDDG.    
In cases where such a process serves other purposes (e.g. the needs-based design of our website), this will only be carried out on the basis of Section 25 (1) TDDDG with your consent in accordance with Article 6 (1) a DSGVO. The consent can be revoked at any time for the future. The provisions of the DSGVO and the Federal Data Protection Act (BDSG) apply to the processing of your personal data.    
For further information on the processing of your personal data and the relevant legal bases in this context, please refer to the following sections on the specific processing activities on our website.

Web hosting

This website is hosted by an external service provider (Amazon Web Services). This website is hosted in Ireland. Personal data collected on this website is stored on the host's servers. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, website traffic and other data generated by this website.    
We collect the listed data in order to be able to guarantee a smooth connection setup of the website and a technically error-free provision of our services. The processing of this data is absolutely necessary to provide you with the website. The legal basis for the processing of the data is our legitimate interest in the correct presentation and functionality of our website in accordance with Art. 6 (1) lit. f DSGVO.    
We have concluded an order processing contract with the external service provider in accordance with the requirements of Art. 28 DSGVO, in which we oblige the external service provider to protect our customers' data and not to pass it on to third parties.

Server log files

When you access our website, it is technically necessary for data to be transmitted to our web server via your internet browser. The following data is recorded during an ongoing connection for communication between your internet browser and our web server:

  • Date, time and duration of the request
  • Name of the requested file
  • Page from which the file was requested
  • Access status
  • Web browser and operating system used
  • (Complete) IP address of the requesting computer
  • Transmitted data volume
  • HTTP referrer and HTTP method

We collect the listed data in order to be able to guarantee a smooth connection setup of the website and a technically error-free provision of our services. The processing of this data is absolutely necessary to provide you with the website. The log files are used to evaluate system security and stability as well as for administrative purposes. The legal basis for the processing of the data is our legitimate interest in the protection and functionality of our website in accordance with Art. 6 para. 1 lit. f DSGVO.

For reasons of technical security, in particular to defend against attempted attacks on our web server, we store this data for a short period of time. After 90 days at the latest, the data is anonymised by shortening the IP address at domain level, so that it is no longer possible to establish a link to the individual user.

In addition, the data is processed anonymously for statistical purposes, if necessary. This data is never stored together with other personal data of the user, compared with other data or passed on to third parties.

Registration

You have the option to register for certain services provided on our website and thus create a user profile. Here you have the option of creating a customer profile in order to search for and book holiday homes on the website.

If you would like to register as a host, you can do so via Holidu Hosts GmbH at https://www.holidu.com/host.

In the course of the regular registration and set-up for the Holidu GmbH offer, we collect and use the following personal data:

  • First and last name or nickname
  • E-mail address
  • Date and time of registration

With your user account, you are given the opportunity to use further parts of our website and to log in for offers. The legal basis for data processing is Art. 6 para. 1 lit. a DSGVO in the case of consent or Art. 6 para. 1 lit. b DSGVO if processing is necessary to provide the requested services. Your data will be deleted as soon as the user account on our website is deleted and insofar as no legal retention obligations exist. You can initiate a change and/or deletion of your user account including the data you have provided by sending a corresponding message to the responsible person mentioned at the beginning.

Facebook, Apple and Google Sign-In 

If you wish to log in or register on our website via Facebook or Google, you will be redirected to the provider's website where you can enter your usage data and thus log in. This links personal data that you use for your account and other profile information to our service.

We receive the following personal data automatically via Facebook:

  • Your Facebook name
  • Your stored e-mail address
  • Your place of residence and your chosen language
  • Your profile picture

We receive the following personal data automatically via Google:

  • E-mail address
  • First and last name
  • Your Google ID
  • Your profile picture
  • Gender 

We use this data exclusively to complete your user profile and insofar as the information is necessary to identify you. The transfer of the registration/login data to us takes place on the basis of the consent granted by you within the meaning of Art. 6 Para. 1 lit. a) DSGVO. The consent is obtained in the context of the use of the registration by the provider. The use of this registration and login option is voluntary; you can alternatively register directly with us at any time.

As the providers are headquartered in the USA and a transfer of personal data to the USA may occur, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the USA.

For further information on Google Sign-In and data protection at Google, please refer to the provider's data protection statement: https://business.safety.google/privacy/ 

For further information on Facebook Sign-In and data protection at Facebook, please refer to the provider's data protection statement: https://www.facebook.com/privacy/policy?_rdr

Zendesk for answering customer queries

If you send us a request via the Website or by email, we use the ticketing system "Zendesk" to process these requests, a service provided by Zendesk Inc, 989 Market Street 300, San Francisco, CA 94102.

The data you initially provided in your enquiry will be recorded in Zendesk. This is at least your first and last name, your email address and/or your telephone number. If you have also provided us with your address and other personal data in the course of your enquiry, these will also be processed in the ticketing system. The legal basis for the processing of your data in Zendesk is Art. 6 para. 1 lit. f) DSGVO, our legitimate interest in the efficient processing of customer enquiries.

In principle, your personal data is processed in the EU, but since Zendesk is a provider with headquarters in the USA, a transfer of personal data to the USA cannot be ruled out. Accordingly, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the USA.

For more information about Zendesk's data processing, please see Zendesk's privacy policy at: http://www.zendesk.com/company/privacy.    

Customer service via WhatsApp Business

We use WhatsApp Business, a service provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, for communication purposes.

You can contact us, for example, via a button on the website. In doing so, your contact data in the form of your telephone number will be processed, as well as meta/communication data (e.g. device information, IP addresses).

We would like to point out that the communication content (i.e. the content of the message and attached images) is encrypted from end to end. This means that the content of the messages cannot be viewed, not even by WhatsApp Ireland Limited itself. You should always use an up-to-date version of Messenger with encryption enabled to ensure that message content is encrypted.

However, we would also like to point out that although the messenger providers cannot view the content, they can find out that you are communicating with us and when. In addition, technical information about the device used and, depending on the settings of your device, location information (so-called metadata) is processed.

If we ask you for permission before communicating with you via Messenger, the legal basis for our processing of your data is consent pursuant to Art. 6 para. 1 p. 1 lit. a. DSGVO. Otherwise, if we do not ask for permission and you contact us, for example, of your own accord, we use WhatsApp in relation to our contractual partners and in the context of initiating a contract as a contractual measure pursuant to Art. 6 para. 1 p. 1 lit. b. DSGVO and in the case of other interested parties on the basis of our legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f. DSGVO in fast and efficient communication.

We have concluded an order processing contract with the service provider in which we oblige them to protect our customers' data and not to pass it on to third parties.

As a transfer of personal data to the USA takes place, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient.

WhatsApp's terms of use and information on data protection can be accessed via the following links:

You can revoke any consent given and object to communication with us and WhatsApp at any time. In this case, we delete the messages in accordance with our general deletion guidelines (i.e., e.g., as described above, after the end of contractual relationships in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any information you may have provided, if no reference back to a previous conversation is to be expected and the deletion does not conflict with any statutory retention obligations.

Finally, we would like to point out that we reserve the right not to answer enquiries via WhatsApp for reasons of your security. This is the case if, for example, internal contractual information requires special confidentiality or an answer via WhatsApp does not meet the formal requirements. In such cases, we will refer you to more adequate communication channels.

Sending applications

If you apply to us via our careers page or by e-mail, we collect personal data. This includes, in particular, your contact details (such as first and last name, telephone number and user email address) as well as other data you provide about your background (e.g. curriculum vitae, qualifications, degrees and work experience) and yourself (e.g. covering letter, personal interests). This may also include special categories of personal data (e.g. information on a severe disability).

As a rule, your personal data will be collected directly from you as part of the application process and encrypted during electronic transmission. The primary legal basis for this is Section 26 (1) BDSG. In addition, consent pursuant to Art. 6 Para. 1 lit. a DSGVO in conjunction with § 26 Para. 2 BDSG can be used as a data protection permission provision. If the processing of your data is based on consent, you have the right to revoke your consent at any time with effect for the future.

Within our company, only those persons and departments (e.g. Human Resources) that absolutely need it to carry out the application process or to fulfil our legal obligations have access to your personal data. If necessary, your applications will be forwarded to the relevant responsible persons for examination. Under no circumstances will your personal data be passed on to third parties without authorisation.

We use the order processor "Personio" from Personio GmbH & Co. KG, Rundfunkplatz 4, 80335 Munich, to view and process applications. We have concluded an order processing agreement with this company in accordance with Art. 28 DSGVO to ensure that the security of your personal data is guaranteed.

Your data relating to an application for a specific job advertisement will be stored and processed by us or in the Personio platform during the current application process. After completion of the application process (e.g. in the form of an acceptance or rejection), the application process including all personal data is deleted from the system no later than six months after completion of the application process. The data of selected applicants will be stored securely for up to 2 years, provided the applicants have given their consent to this in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO in conjunction with § 26 para. 2 BDSG. You can revoke your consent at any time with effect for the future. An informal e-mail to the contact details of the responsible person listed above is sufficient for this purpose. In the event of an acceptance, your application documents will be transferred to the personnel file.

Writing reviews

On our website you have the possibility to leave reviews for the offered holiday homes. For this, we need your name or a pseudonym and your e-mail address (which will not be published). Furthermore, your IP address and the time of publication will be logged and stored for up to 4 weeks. This storage of the IP and email address is done for security reasons and in case the person concerned violates the rights of third parties or posts illegal content through a submitted comment.

Reviews can be submitted in such a way that it is not possible for other website users to identify you. It is up to you to decide whether you wish to provide personal details over and above the mandatory information. Please note that when choosing your pseudonym, as well as within the free text fields and when uploading photos, it is also possible to provide information that makes it possible to identify you personally. We recommend that you write your review text without providing personal data and design photos accordingly. We reserve the right not to publish or to (partially) anonymise reviews that contain personal data.

If the review contains personal data, the processing is based on your consent (Art. 6 para. 1 lit. a DSGVO). You can revoke your consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing operations already carried out remains unaffected by the revocation. In the event of revocation of your consent, we will delete or anonymise the review.

When you send your review, we can assign it to a specific booking and thus also to your further customer data. However, this is only visible to us. The storage of additional information (IP address) is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO in the possibility of assigning the reviews to the authors. We reserve the right to delete comments if they are objected to by third parties as unlawful. The collected IP and email addresses are deleted after 4 weeks.

Newsletter (Airship)

If you would like to receive the newsletter offered on the website with regular information about our offers and products, we require your e-mail address as mandatory information.

We use the so-called double opt-in procedure for sending the newsletter. This means that we will only send you our newsletter by e-mail once you have expressly confirmed that you consent to receiving newsletters. In the first step, you will receive an e-mail with a link that you can use to confirm that you, as the owner of the corresponding e-mail address, wish to receive future newsletters. By confirming, you give us your consent in accordance with Art. 6 Para. 1 lit. a DSGVO that we may use your personal data for the purpose of sending the newsletter you requested.

When you register for the newsletter, in addition to the email address required for sending, we store the IP address via which you registered for the newsletter as well as the date and time of registration and confirmation in order to be able to track possible misuse at a later date. The legal basis for this is our legitimate interest according to Art. 6 Para. 1 lit. f DSGVO.

You can unsubscribe from the newsletter at any time via the link included in each newsletter or by sending an email to the responsible person named above. After unsubscribing, your email address will be immediately deleted from our newsletter distribution list, unless you have expressly consented to the continued use of the collected data or the continued processing is otherwise legally permitted.

Our e-mail newsletter is sent via a technical service provider to whom we pass on the data you provided when registering for the newsletter. We have concluded an order processing contract with our e-mail service provider in which we oblige them to protect our customers' data and not to pass it on to third parties.

Service provider: Airship

Address: Urban Airship Germany GmbH, Thurn-und-Taxis-Platz 6, 60313 Frankfurt, Germany

Privacy policy: https://www.airship.com/legal/privacy/

The service provider uses the information from the newsletter registration on the basis of your consent in accordance with Art. 6 Para. 1 lit. a DSGVO to send and statistically evaluate the newsletter on our behalf. For the evaluation, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on. With the help of so-called conversion tracking, it can also be analysed whether a predefined action (e.g. purchase of a product on our website) has taken place after clicking on the link in the newsletter. In addition, technical information is recorded (e.g. time of retrieval, IP address, browser type and operating system). The data is collected exclusively in pseudonymised form and is not linked to your other personal data; direct personal reference is excluded. This data is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients.

If you wish to revoke your consent to data analysis for statistical evaluation purposes, you must unsubscribe from the newsletter.

Cookies

Our website uses so-called "cookies". Cookies are small text files that are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your terminal device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until they are automatically deleted by your web browser. 

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or language settings). Other cookies are used to evaluate user behaviour or to display advertising. 

The processing of data through the use of absolutely necessary cookies is based on a legitimate interest pursuant to Art. 6 (1) lit. f DSGVO in the technically error-free provision of our services. For details on the processing purposes and legitimate interests, please refer to the explanations on the specific data processing.

The processing of personal data through the use of other cookies is based on consent pursuant to Art. 6 para. 1 lit. a DSGVO. The consent can be revoked at any time for the future. Insofar as such cookies are used for analysis and optimisation purposes, we will inform you separately about this within the framework of this data protection declaration and obtain consent in accordance with Art. 6 para. 1 lit. a DSGVO. 

You can set your browser so that you:

  • are informed about the setting of cookies
  • allow cookies only in individual cases
  • exclude the acceptance of cookies for certain cases or in general
  • enable the automatic deletion of cookies when closing the browser.

The cookie settings can be managed under the following links for the respective browsers: 

You can also manage cookies of many companies and functions used for advertising individually. To do this, use the corresponding user tools, available at https://www.aboutads.info/choices/ or http://www.youronlinechoices.com/uk/your-ad-choices.  

Most browsers also offer a so-called "do-not-track function". When this function is activated, the respective browser tells advertising networks, websites and applications that you do not want to be "tracked" for the purpose of behavioural advertising and the like. 

For information and instructions on how to edit this function, depending on your browser provider, see the links below:

In addition, you can prevent the loading of so-called scripts by default. "NoScript" allows JavaScript, Java and other plug-ins to be executed only on trusted domains of your choice. Information and instructions on how to edit this function can be obtained from the provider of your browser (e.g. for Mozilla Firefox at: https://addons.mozilla.org/en-GB/firefox/addon/noscript/).

Please note that if you deactivate cookies, the functionality of our website may be limited.  

Change cookie settings

You can revoke or change your cookie settings at any time.

Google Analytics 

Our website uses Google Analytics, an internet analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses so-called "cookies".

Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity. Google will also use this information to provide the website operator with other services related to the use of the website and the internet. The IP address sent by your browser as part of Google Analytics will not be combined with any other data held by Google. The processing is carried out in accordance with Art. 6 para. 1 lit. a DSGVO on the basis of the consent you have given.

We only use Google Analytics with IP anonymisation activated. This means that your IP address is only processed by Google in a shortened form.

We have concluded an order processing contract with the service provider in which we oblige them to protect our customers' data and not to pass it on to third parties.

As there is a transfer of personal data to the USA, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the USA.

The Google Analytics terms of use and information on data protection can be accessed via the following links:

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Deletion of user and event level data linked to cookies, user identifiers (e.g. User ID) and advertising IDs (e.g. DoubleClick cookies, Android advertising ID, IDFA [Apple identifier for advertisers]) takes place no later than 2 months after their collection.

You can prevent cookies from being saved by adjusting the settings of your browser software accordingly. However, we would like to point out that in this case you may not be able to use all functions of this website without restrictions. You can also prevent Google from collecting the data generated by the cookie and from analysing your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=en-GB.

Google Ads

We use "Google Ads" on our website, a service provided by Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as "Google"). We use Google Ads for marketing and optimisation purposes, in particular to serve ads that are relevant and interesting to you.

If you have given us your consent to do so pursuant to Art. 6 (1) p. 1 lit. a DSGVO, we can use Google Ads to draw attention to our attractive offers on external websites. This allows us to determine how successful individual advertising measures are.

These advertisements are delivered by Google via so-called "AdServers". We use so-called AdServer cookies for this purpose, which can be used to measure certain parameters for measuring success, such as the display of ads or clicks by users.

If you access our website via a Google ad, Google Ads will store a cookie on your PC. These cookies usually lose their validity after 30 days. They are not intended to identify you personally. The following information is usually stored as analysis values for this cookie: unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), opt-out information (marking that the user no longer wishes to be addressed). These cookies enable Google to recognise your web browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer will be able to recognise that the user clicked on the ad and was redirected to that page. A different cookie is assigned to each Ads customer. Cookies can therefore not be tracked via the websites of Ads customers. We ourselves do not collect or process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. These evaluations enable us to recognise which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising media; in particular, we cannot identify the users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of Google Ads. To the best of our knowledge, Google receives the information that you have called up the relevant part of our website or clicked on one of our ads. If you have a user account with Google and are registered, Google can assign the visit to your user account. Even if you are not registered with Google or have not logged in, it is possible that Google will obtain and store your IP address.

As there is a transfer of personal data to the USA, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the USA.

Further information on data use by Google, on setting and objection options and on data protection can be found on the following Google web pages:

You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. We would like to point out that in this case you may not be able to use all the functions of our website to their full extent. It is also possible to prevent the storage of cookies by setting your web browser to block cookies from the domain "www.googleadservices.com" (https://www.google.de/settings/ads). We would like to point out that this setting will be deleted when you delete your cookies. In addition, you can deactivate interest-based ads via the link http://optout.aboutads.info. Please note that this setting will also be deleted when you delete your cookies.

Google reCAPTCHA

We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

The purpose of reCAPTCHA is to verify whether data entry on our website (e.g. in a contact form) is made by a human or by an automated program. For this purpose, reCAPTCHA analyses the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information, e.g.

  • IP address
  • length of time the website visitor spends on the website
  • mouse movements made by the user

The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses might run in the background. Website visitors might not be made aware that an analysis is taking place. The data processing is based on Art. 6 para. 1 lit. f GDPR.

We have a legitimate interest in protecting our website from abusive automated spying and from unwanted automated mailings (spam).

Since a transfer of personal data to the U.S. takes place, further appropriate safeguards are required to ensure the level of data protection under the GDPR. To guarantee this, we have concluded standard contractual clauses with the provider in accordance with Art. 46 Para. 2 lit. c GDPR. These oblige the recipient of the data in the U.S. to process the data according to the level of protection in Europe. In cases in which this cannot be guaranteed even by this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the U.S.

We do not store any personal data from the use of reCAPTCHA. In general, personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies.

Further information about Google reCAPTCHA and Google's privacy policy can be found under the following links: 

Facebook Pixel

We use "Facebook Pixel" on our website, a service provided by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour Dublin 2, Ireland (hereinafter referred to as: "Facebook").

If you have given us your consent in accordance with Art. 6 para. 1 lit. a DSGVO, we use Facebook Pixel for marketing and optimisation purposes, in particular to place relevant and interesting adverts for you on Facebook and thus improve our offer, make it more interesting for you as a user and avoid annoying adverts.

Facebook Pixel enables Facebook to display our adverts on Facebook, so-called "Facebook Ads", only to those Facebook users who were visitors to our internet presence, in particular who have shown interest in our online offer. In this case, Facebook Pixel also makes it possible to check whether a user was redirected to our website after clicking on our Facebook Ads. Facebook Pixel uses, among other things, cookies, i.e. small text files that are stored locally in the cache of your web browser on your end device. If you are logged into your Facebook user account, your visit to our website will be recorded in your user account. The data collected about you is anonymous for us, so it does not allow us to draw any conclusions about the identity of the user. However, this data can be linked by Facebook to your user account there. If you have a user account with Facebook and are registered, Facebook can assign the visit to your user account.

As there is a transfer of personal data to the USA, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the USA.

Further information from the third-party provider on data protection can be found on the following Facebook website: https://www.facebook.com/about/privacy.

Information on the Facebook pixel can be found on the following Facebook website: https://www.facebook.com/business/help/651294705016616.

You can adjust the relevant settings as to which types of advertisements are displayed to you within Facebook at the following Facebook website: https://www.facebook.com/settings?tab=ads.

Please note that this setting will be deleted when you delete your cookies. In addition, you can deactivate cookies that are used for range measurement and advertising purposes via the following websites:

Please note that this setting will also be deleted when you delete your cookies.

Facebook Custom Audiences

We use "Facebook Custom Audiences" on our website, a remarketing tool of Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour Dublin 2, Ireland (hereinafter referred to as "Facebook").

Facebook Custom Audiences enables us to display interest-based advertisements, so-called "Facebook Ads", to visitors to our website when they visit the social network Facebook or when they visit other websites that also use Facebook Custom Audiences. For this purpose, a pixel (Facebook Pixel) of the provider Facebook of the same name (see above) is used.

Through the use of "Facebook Custom Audiences" in conjunction with Facebook Pixel, your web browser automatically establishes a direct connection with the Facebook server. We have no influence on the scope and further use of the data collected by Facebook through the use of Facebook Custom Audiences. As far as we are aware, Facebook receives the information that you have accessed the relevant part of our website or clicked on one of our ads. If you have a user account with Facebook and are registered, Facebook can assign the visit to your user account. Even if you are not registered with Facebook or have not logged in, it is possible that Facebook will learn and store your IP address and possibly other identifying features.

We use Facebook Custom Audiences for marketing and optimisation purposes, in particular to display ads that are relevant and interesting for you and thus improve our offer and make it more interesting for you as a user. The legal basis for Facebook Custom Audiences and the Facebook Pixel is Art. 6 para. 1 p. 1 lit. a DSGVO (consent).

We have concluded an order processing agreement with our service provider Facebook, in which we oblige them to protect our customers' data and not to pass it on to third parties.

As a transfer of personal data to the USA takes place, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the USA.

Further information from Facebook on data protection can be found on the following Facebook website: https://www.facebook.com/about/privacy.

Information on the Facebook pixel can be found on the following Facebook website: https://www.facebook.com/business/help/651294705016616.

Deactivating Facebook Custom Audiences via Pixel is possible for logged-in users at https://www.facebook.com/settings/?tab=ads#.

In addition, you can deactivate cookies that are used for range measurement and advertising purposes via the following websites:

Please note that this setting will also be deleted when you delete your cookies.

Microsoft Advertising (formerly Bing Ads)

On our pages we use the conversion tracking of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

If you have given us your consent in accordance with Art. 6 para. 1 lit. a DSGVO, Microsoft Advertising will store a cookie ("conversion cookie") on your computer if you have accessed our website via a Microsoft Advertising ad. These cookies lose their validity after 13 months and are not used for personal identification. In this way, Microsoft and we can recognise that someone has clicked on an advertisement, been redirected to our online offer and reached a previously determined target page (so-called conversion measurement). Each Microsoft Advertising customer receives a different cookie. Cookies cannot therefore be tracked across Microsoft Advertising customers' websites. The information collected using the conversion cookie is used to create conversion statistics for Microsoft Advertising customers who have opted in to conversion tracking. Microsoft Advertising clients will learn the total number of users who clicked on their ad and were directed to a page tagged with a conversion tracking tag. However, they do not receive information that personally identifies users.

You can also disable this personalised advertising directly from Microsoft at: https://about.ads.microsoft.com/en-gb/resources/policies/personalized-ads.

As there is a transfer of personal data to the USA, further protection mechanisms are required to ensure the level of data protection of the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c DSGVO. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even through this contractual extension, we endeavour to obtain additional regulations and commitments from the recipient in the USA.

For more information on privacy and cookies used by Microsoft and Bing Ads, please visit Microsoft's website at https://privacy.microsoft.com/en-gb/privacystatement.

Pinterest tag

We use the Pinterest Ads service of the provider Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland ("Pinterest") on our website. Pinterest uses a so-called tag for this purpose, which we have implemented on our website. In the event that you have given your express consent pursuant to Art. 6 (1) lit. a DSGVO, this establishes a connection with the Pinterest servers when you visit our website in order to track your behaviour on our website. In addition, cookies are used through the use of the service, via which information is stored on the terminal device you are using. In addition, personal data such as the IP address and other information such as device ID, device type, operating system, time of calling up our offer, type and content of the campaign and the reaction to the respective campaign (e.g. clicking a button) may also be transmitted to Pinterest.

With the help of the Pinterest tag, it is possible for Pinterest to determine you as a visitor to our online offer as a target group for the display of advertisements (so-called "Pinterest ads"). Accordingly, we use the Pinterest tag to display the Pinterest ads placed by us only to those Pinterest users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Pinterest (so-called "ActALike Audiences").

With the help of the Pinterest tag, we can further track the effectiveness of the Pinterest ads for statistical purposes by seeing whether users were redirected to our website after clicking on a Pinterest ad (so-called "conversion"). Pinterest uses email or other login or device information to identify users of our website and associate their actions with a Pinterest user account. Pinterest uses this data to display targeted and personalised advertising to its users and to create interest-based user profiles. The data collected is anonymous and not visible to us and is only used to measure the effectiveness of ad placements.

The use of the Pinterest tag may result in a transfer of personal data to third countries outside the EU. In these cases, the adoption of further protective mechanisms is necessary to ensure the level of data protection in accordance with the requirements of the GDPR. To ensure this, the provider states that it uses standard data protection clauses in accordance with Art. 46(2)(c) DSGVO or a substitute mechanism approved under EU law. These oblige the recipient in the third country to process the data in accordance with the level of protection in the EU.

For more information on how Pinterest processes personal data, including the legal basis on which Pinterest relies and how you can exercise your rights against Pinterest, please visit: https://policy.pinterest.com/en/privacy-policy.

Adyen

On our website, we offer you the option to complete your payment via SEPA Sofortüberweisung (Klarna) or credit card. In order to do this, we work together with the payment service provider Adyen N.V. (hereinafter "Adyen"), Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, the Netherlands. Adyen is a payment service provider that handles the processing of payments for us.

Depending on the type of payment you have chosen, the data required for the type of payment will be transmitted to Adyen, unless this data is collected directly from the payment service. This is the following data:

  • First and last name
  • Address
  • Payment data
  • Invoice amount
  • Transaction data
  • Information about your order

This is necessary to verify your identity and process the payment. The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b DSGVO, the necessity of the payment for the conclusion of a contract with us, as well as Art. 6 para. 1 lit. f DSGVO, our legitimate interest in using a payment service provider for the easier administration of payments on our website.

In the context of an identity and credit check based on your data, Adyen and we have a legitimate interest in the transmission of the personal data of the user concerned. Adyen and we require this in order to obtain information from credit agencies for the purpose of the identity and credit check (Art. 6 para. 1 sentence 1 lit. f) DSGVO). We delete the data accruing in this context after the storage is no longer necessary or restrict the processing if there are statutory retention obligations.

You have the right to object on grounds relating to your particular situation, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or where the processing is necessary for the establishment, exercise or defence of legal claims (Art. 21(1) GDPR). However, Adyen remains entitled to process and transmit the customer data if this is necessary for the contractual processing of payments or is required by law or by official or judicial authorities. Contact can be made with Adyen at https://www.adyen.com/en_GB/contact.

For more information on how Adyen processes your data, please visit: https://www.adyen.com/en_GB/policies-and-disclaimer/privacy-policy.

External links

Social networks (Instagram, Facebook, LinkedIn, Google, GitHub) are only integrated on our website as links to the corresponding services. After clicking on the embedded text/image link, you will be redirected to the page of the respective provider. User information is only transferred to the respective provider after the forwarding. For information on the handling of your personal data when using these websites, please refer to the respective data protection provisions of the providers you use.

Data sharing and recipients

Your personal data will not be transferred to third parties, unless

  • we have explicitly referred to this in the description of the respective data processing,
  • you have given your express consent to this in accordance with Art. 6 Para. 1 S. 1 lit. a DSGVO,
  • disclosure is necessary in accordance with Art. 6 (1) p. 1 lit. f DSGVO for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • in the event that a legal obligation exists for the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. c DSGVO and
  • insofar as this is necessary for the processing of contractual relationships with you in accordance with Art. 6 para. 1 p. 1 lit. b DSGVO.

In addition, we use external service providers for the processing of our services, which we have carefully selected, commissioned in writing and with whom we have concluded order processing agreements in accordance with Article 28 of the GDPR, if necessary. These service providers are bound by our instructions and are regularly monitored by us. These are, among others, service providers for hosting, sending e-mails as well as maintenance and care of our IT systems, etc. The service providers will not pass this data on to third parties.

Data security

We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. This website uses SSL encryption for security reasons and to protect the transmission of confidential content.

Duration of the storage of personal data

The duration of the storage of personal data is determined by the relevant statutory retention periods (e.g. from commercial law and tax law). After expiry of the respective period, the corresponding data is routinely deleted. If data is required to fulfil or initiate a contract or if we have a legitimate interest in continuing to store it, the data will be deleted when it is no longer required for these purposes or you have exercised your right of revocation or objection.

Your rights

In the following, you will find information on which data subject rights the applicable data protection law grants you and the controller with regard to the processing of your personal data:

The right to request information about your personal data processed by us in accordance with Art. 15 DSGVO. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.

The right to request the correction of inaccurate or incomplete personal data stored by us without delay in accordance with Art. 16 DSGVO.

The right to request the erasure of your personal data stored by us in accordance with Article 17 of the GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims.

The right to request the restriction of the processing of your personal data in accordance with Art. 18 DSGVO, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 DSGVO.

The right, in accordance with Art. 20 DSGVO, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller.

The right to complain to a supervisory authority in accordance with Art. 77 DSGVO. As a rule, you can contact the supervisory authority of the federal state where our registered office is located or, if applicable, that of your usual place of residence or workplace.

The right to revoke consent given in accordance with Art. 7 (3) DSGVO: You have the right to revoke consent to the processing of data once given at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned unless further processing can be based on a legal basis for processing without consent. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Right of objection

Insofar as your personal data is processed by us on the basis of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Art. 21 DSGVO, insofar as this is done for reasons arising from your particular situation. Insofar as the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement to specify a particular situation.

If you would like to exercise your right of revocation or objection, simply send an e-mail to service@holidu.com.

Legal obligations

The provision of personal data for the decision on the conclusion of a contract, the fulfilment of a contract or for the implementation of pre-contractual measures is voluntary. However, we can only make the decision in the context of contractual measures if you provide such personal data that is required for the conclusion of the contract, the performance of the contract or pre-contractual measures.

Automated decision making

Automated decision-making or profiling in accordance with Art. 22 DSGVO does not take place.

 

Additional information for customers, interested parties, hosts and business partners

Purposes and legal bases of the processing of customer, prospective customer and business partner data

We process your personal data in accordance with the provisions of the European Data Protection Regulation (DSGVO) and the German Federal Data Protection Act (BDSG), insofar as this is necessary for the establishment, implementation or fulfilment of a contract or for the implementation of pre-contractual measures. Insofar as personal data is required for the initiation or implementation of a contractual relationship or in the context of the implementation of pre-contractual measures, processing is lawful pursuant to Art. 6 (1) lit. b DSGVO.

If you give us express consent to process personal data for specific purposes (e.g. forwarding to third parties, evaluation for marketing purposes or advertising by e-mail), this processing is lawful on the basis of your consent pursuant to Art. 6 (1) a DSGVO. Consent given can be revoked at any time with effect for the future (see section 9 of this data protection information).

If necessary and legally permissible, we process your data beyond the actual contractual purposes for the fulfilment of legal obligations pursuant to Art. 6 para. 1 lit. c DSGVO. In addition, processing may be carried out to protect the legitimate interests of us or third parties and to defend and assert legal claims in accordance with Art. 6 (1) f DSGVO. If necessary, we will inform you separately, stating the legitimate interest, insofar as this is required by law.

Categories of data processed

We only process data that is related to the establishment of the contract or the pre-contractual measures. This can be general data about you or persons in your company (name, address, contact details, etc.) as well as any other data that you provide to us in the context of establishing the contract.

Data sources

We process personal data that we receive from you in the course of contacting you or establishing a contractual relationship or in the course of pre-contractual measures or that you provide via our website or forms. In some cases, we also process data from publicly accessible sources.

Recipient of the data

We only pass on your personal data within our company to those areas and persons who need this data to fulfil contractual and legal obligations or to implement our legitimate interest.

We may transfer your personal data to our affiliates to the extent permitted by the purposes and legal bases set out in section 3 of this privacy notice.

Your personal data is processed on our behalf on the basis of order processing contracts in accordance with Art. 28 DSGVO. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR. The categories of recipients in this case are CRM system providers, telephony providers, newsletter dispatch service providers, payment providers.

Otherwise, data is only forwarded to recipients outside the company if this is permitted or required by law, if the forwarding is necessary for the processing and thus the fulfilment of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent or if we are authorised to provide information. Under these conditions, recipients of personal data may be, for example:

  • External tax consultant,
  • Public bodies and institutions (e.g. public prosecutor's office, police, supervisory authorities, tax office) if there is a legal or official obligation,
  • Recipients to whom the disclosure is directly necessary to establish or fulfil the contract, such as partners.

Transfer to a third country

A transfer to a third country is not intended. If one of our processors is located in a third country, we ensure that either an adequacy decision of the European Commission is in place or, in the case of transfers pursuant to Art. 46 et seq., appropriate safeguards such as standard contractual clauses are in place to ensure an essentially equivalent level of protection for your personal data.

Duration of data storage of customer, prospective customer and business partner data

As far as necessary, we process and store your personal data for the duration of our business relationship or for the fulfilment of contractual purposes. This also includes, among other things, the initiation and execution of a contract.

In addition, we are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods prescribed there for storage and documentation are two to ten years.

Finally, the storage period also depends on the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), are usually three years, but in certain cases can be up to thirty years.

Your rights as a customer, interested party or business partner

You have a number of data protection rights that you can assert against us. You can find a detailed list in the section "Your rights" above in this data protection declaration.

Necessity of the provision of personal data

The provision of personal data for the decision on the conclusion of a contract, the fulfilment of a contract or for the implementation of pre-contractual measures is voluntary. However, we can only make a decision within the framework of contractual measures if you provide such personal data that is required for the conclusion of the contract, the fulfilment of the contract or pre-contractual measures.

Automated decision-making in connection with customer, prospect and business partner data

For the establishment, fulfilment or implementation of the business relationship as well as for pre-contractual measures, we generally do not use fully automated decision-making pursuant to Art. 22 DSGVO. Should we use these procedures in individual cases, we will inform you about this separately or obtain your consent if this is required by law.

Property Management Platform

As a host, your user account gives you the opportunity to use our Property Management Platform.

When you make full use of our property management platform, the following data will be processed in addition to the data you provided during registration:

  • Holiday home data (e.g. address, equipment, object pictures)
  • Invoice address
  • Bank details
  • VAT number

The legal basis for data processing is Art. 6 para. 1 lit. a DSGVO in the case of consent or Art. 6 para. 1 lit. b DSGVO if processing is necessary to provide the requested services. Your data will be deleted as soon as the user account is deleted and insofar as no legal retention obligations exist.

Existing customer advertising

We reserve the right to process the e-mail address provided by you in the context of the booking in accordance with the statutory provisions in order to send you the following content, among other things, by e-mail during or following the processing of the contract, provided you have not already objected to this processing of your e-mail address:

  • Other interesting offers from our portfolio,
  • Overview of possible leisure activities.

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) DSGVO. We carry out the aforementioned processing for customer care and to increase our services. We delete your data when you terminate the newsletter subscription, but no later than two years after termination of the contract.

We would like to point out that you can object to receiving direct advertising at any time without incurring any costs other than the transmission costs according to the basic rates. You have a general right to object without giving reasons (Art. 21 (2) DSGVO). To do so, click on the unsubscribe link in the newsletter or send us your objection to the contact details listed in the "Person responsible" section.

Subject to change

We reserve the right to adapt or update this data protection declaration if necessary in compliance with the applicable data protection regulations. In this way, we can adapt it to the current legal requirements and take into account changes to our services, e.g. when introducing new services. The current version applies to your visit.

 

Status of this privacy policy: 23.05.2023