Privacy Policy

Notice: This is a translation of the German original. In case of discrepancies, the German version is authoritative.

Your data security is of utmost importance to us. Below, we inform you about the key aspects of data processing carried out by us.

Our online services can generally be used without disclosing your identity. However, we note that data transmission over the Internet (e.g., when communicating via email) can have security gaps. Complete protection of data from third-party access is not possible.

Who is responsible?

The responsible entity for data processing on this website is:

Note: The above address is a pure postal address. It is not a business address. The address is solely for the purpose of fulfilling the legal obligation to provide an imprint according to §5 TMG.

The responsible entity is the natural (or legal) person who alone or jointly with others decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.).

What data do we process?

We differentiate between contact data, booking process information, and usage and behavior data.

• Contact data - Email address or phone number you voluntarily provide. By providing it, you consent to being contacted by us.
• Booking process information - Details you provide for a booking, like your address, guest details, and other information. We assume you have the guests' consent to share their data with us.
• Usage and behavior data - Data generated automatically when using our online service (like your IP address), as well as additional behavior data we store anonymously. First-party cookies are used, which do not allow tracking beyond our site. You must expressly consent to any tracking.

We process your data exclusively based on legal provisions (GDPR, TKG 2003). We have implemented technical and organizational measures to comply with data protection regulations.

We protect your identity by not linking your details with our statistical evaluations and otherwise only sharing your information anonymously.

Further explanations follow.

Server Log Files and Collection of General Information

Our website's provider automatically collects and stores information in server log files, which your browser automatically transmits to us.

This includes the request's timestamp, the requesting device's shortened and thus anonymized IP address, the used HTTP method and version, the accessed URL, the HTTP response status, the amount of delivered bytes, the referrer (the URL of the page that linked to the accessed page), and the user agent (information about the used browser and operating system with version status).

This data cannot be attributed to specific individuals. We do not merge this data with other data sources.

We reserve the right to retrospectively check this data if concrete evidence of illegal use becomes known.

Behavioral Data

For the continuous improvement of our online offer, we use PostHog Cloud (EU) by PostHog, Inc. (with data storage in Europe) for statistical purposes.

PostHog anonymizes data that could allow conclusions about your identity (such as email address or booking number) already in the browser. This ensures that no sensitive data reach us or third parties.

To detect and rectify errors on our website at an early stage, we use Sentry. It may happen that your browser data is sent to Sentry's servers and stored along with the stack trace (error message) for a limited time. Sentry is configured by us to anonymize data, so no personal data should be present.

Beyond non-invasive tracking, we record "conversions," i.e., successful purchase completions, and send these events to our advertising partners.

How are data used?

In the following sections, we describe in which cases and why we process your personal data.

Contacting Us

If you contact us via form on the website or by email, your provided data will be stored for six months for the purpose of processing the request and in case of follow-up questions. If our correspondence leads to a business transaction, we are obligated to retain this information beyond that time due to our retention obligations.

We will not share this data without your consent.

Accessing our servers stores data for security purposes that allow possible identification (e.g., IP address, date, time, and viewed pages). There is no personal utilization of this data. For statistical purposes, these anonymous records may be evaluated. We use your personal information exclusively in the case of bookings and inquiries and only within our company. Without your explicit consent, we do not pass this data on to third parties.

Bookings & Booking Process

The information you provided during the booking process will primarily be used for the actual booking. This means we pass on guest data to airlines, hotels/hotel chains, and other service providers/vendors. This is necessary to provide you with travel services.

Furthermore, we conduct internal statistical evaluations to maintain our quality promises. We handle your data carefully and will never pass it on to third parties.

Advertising & Advertising Partners

We pass on individual events, such as the first website visit and purchase completions, without personal data to our advertising partners. Our advertising partners are listed further below.

This is only done with your explicit consent during the first website visit. Our goal is to better tailor advertising to our target audience and measure the success of our advertising campaigns.

Which Third Parties Receive Data?

Third-Party Content

We integrate third-party content to offer you additional services and products related to your trip. If you use these offers, the contract usually comes into effect directly with the service provider. Therefore, you enter your data directly on the corresponding third-party sites, or we transmit the data if you activate certain services by selection. The following offers are integrated into the website and have been (partially) adapted to appear uniformly:

• Stripe Elements & Checkout for processing credit card payments and other payment options.
• Mapbox SDK for displaying a map to better understand location information.

Our online offer contains links to other websites. We have no influence on whether their operators comply with data protection regulations.

Information to Third Parties

We generally do not provide information to third parties, not even to lawyers. Instead, we refer them to the competent investigative authorities.

Data Transfer to the USA

Certain third parties we work with process your data, including in the USA. We point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can involve various risks for the legality and security of data processing.

For example, US companies are obliged to disclose personal data to security authorities without you being able to take legal action against it. Therefore, it cannot be ruled out that US authorities (e.g., intelligence services) may process, evaluate, and permanently store your data stored on US servers for surveillance purposes. We have no influence on these processing activities.

For data processing involving recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway) or data transfer to such countries, third parties use so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are template provisions provided by the EU Commission and are designed to ensure that your data also meet European data protection standards when transferred to and stored in third countries (such as the USA).

By these clauses, third parties commit to maintaining the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision by the EU Commission. You can find the decision and the corresponding Standard Contractual Clauses here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

The use of third parties outside the EU is based on Art. 6 para. 1 GDPR, and the legitimate interest is named for the processors and third parties.

Cooperation with Processors and Third Parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them, or otherwise grant them access to the data, this is done only based on a legal permission (e.g., if a transmission of data to third parties, such as to payment service providers, is required according to Art. 6 para. 1 lit. b GDPR for contract fulfillment), you have consented, a legal obligation provides for it, or based on our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties to process data on the basis of a so-called "processing agreement," this is done based on Art. 28 GDPR.

We use the following third-party services that could receive access to personal data to provide our services:

• Vercel, a cloud deployment platform, for operating our website. Provider is Vercel, Inc., 440 N Barranca Ave #4133 Covina, CA 91723, USA. Vercel has a Data Processing Addendum (data processing terms) that corresponds to the EU standard contractual clause. The primary data processing takes place in Europe. More about this in Vercel's Privacy Policy.
• Upstash for storing any data related to bookings. Provider is Upstash, Inc., USA. The data is stored in Frankfurt (Main) and not transferred to third countries. Personal data are encrypted on the application side and stored in this manner. Upstash has a Data Processing Agreement with us and theoretically has no access to the data since only we possess the keys for encryption. More about data protection in Upstash's Privacy Policy.
• Stripe for processing payments and (storing) payment data. Payment provider is Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA. Stripe has a Data Processing Agreement with us. More about this in Stripe's Privacy Policy.
• Mapbox for displaying maps. Provider is Mapbox, Inc., USA. Mapbox has a Data Processing Addendum, which corresponds to the EU standard contractual clause. More information about data protection in Mapbox's Product Privacy Policy.
• PostHog (Cloud EU) for improving our online offer by recording anonymized behavioral & browser data. Provider is PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. When you use our service, your data is stored on PostHog Cloud EU servers. The data is stored in Frankfurt (Main) and not transferred to third countries. More about data protection in PostHog's Privacy Policy.
• Sentry for detecting errors on the website by recording anonymized error & browser data. Provider is Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Stripe has a Data Processing Addendum (data processing terms), which corresponds to the EU standard contractual clause. More about protecting your data in Sentry's Privacy Policy.

Furthermore, we reserve the right to share individual data with further third parties in the case of a booking, to fulfill our contractual obligations. These could be, for example, hotels, which we could not list individually here.

Third-party providers are contractually prohibited from passing on or reselling your data.

What rights do I have?

You fundamentally have the right to access, rectification, deletion, restriction, data portability, withdrawal, and objection. Use the contact details provided on this page for this purpose.

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in some way, you can complain to the supervisory authority. In Germany, this is the Federal Data Protection Officer (at the federal level) or the data protection authority in the respective federal state.

Data Deletion and Storage Duration

Personal data collected by us will be deleted or locked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws, or other provisions to which the responsible person is subject. Data will also be blocked or deleted when a storage period prescribed by the mentioned standards expires unless there is a necessity for further storage of the data for the conclusion or fulfillment of a contract.

Changes to Our Privacy Policy

We reserve the right to adjust this privacy policy occasionally so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply for your next visit.

Protecting your data is important to us! For questions, suggestions, or comments on privacy or security, please contact us by email at support[ät]writemaxi.com.

Last updated: January 30, 2024