1. Introduction

The protection of your personal data is of utmost importance. This privacy policy explains the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") in connection with the online services. This includes the associated website, functions, and content, as well as external online presences, such as social media profiles (hereinafter collectively referred to as "online services").

Your personal data will be treated confidentially, and we will strictly adhere to the statutory data protection regulations and the provisions of this privacy policy. General Information This privacy policy provides you with a comprehensive overview of what happens to your personal data when you visit this website. Personal data is any information that can be used to personally identify you. For detailed information on data protection, please refer to this complete privacy policy.

Data Controller

Data processing on this website is carried out by the website operator. You can find the contact details of the data controller in the "Data Controller" section of this privacy policy. Collection of Your Data Personal data is collected, on the one hand, when you actively provide it, e.g., by filling out a contact form. Other data is collected automatically or with your consent by the controller's IT systems when you visit the website. This is primarily technical data (e.g., internet browser, operating system, or time of page access). This data collection occurs automatically as soon as you access the website.

Use of your data:

Some data is collected to ensure the website functions correctly. Other data may be used to analyze your user behavior in order to optimize the website and tailor it to your needs. Data transfer to external parties: In the course of the controller's business activities, it may be necessary to transfer personal data to external parties. This transfer only occurs under certain conditions: if the transfer is necessary for the performance of a contract, if there is a legal obligation, for example, to tax authorities, if there is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, or if another legal basis permits the data transfer. When using external service providers for data processing, the transfer of personal data only takes place on the basis of a valid data processing agreement pursuant to Art. 28 GDPR. If data is processed jointly with other entities, a joint processing agreement will be concluded in accordance with Article 26 GDPR.

Withdrawal of consent to data processing:

Certain data processing activities can only take place with your explicit consent. This consent can be withdrawn at any time. The lawfulness of the data processing carried out before the withdrawal remains unaffected. Right to object to specific data processing and advertising measures (Article 21 GDPR): If your personal data is processed on the basis of Article 6(1)(e) or (f) GDPR, you have the right to object to this processing at any time, provided you have grounds relating to your particular situation. This also applies to profiling based on these provisions. The specific legal basis for data processing can be found in this privacy policy. If you object, the controller will no longer process your personal data unless compelling legitimate grounds for the processing can be demonstrated which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims (objection pursuant to Article 21(1) GDPR). If your personal data is used for direct marketing purposes, you have the right to object to this processing at any time. This also applies to profiling insofar as it is related to direct marketing. After your objection, the controller will no longer use your personal data for these marketing purposes (objection pursuant to Article 21(2) GDPR). Rights under the General Data Protection Regulation: You have the right to lodge a complaint with a competent supervisory authority if you believe that the GDPR has been violated. This right can be exercised in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement. This does not affect any other administrative or judicial remedies. Personal data processed automatically based on consent or for the performance of a contract can be requested in a structured, commonly used, and machine-readable format. Upon request, this data can also be transmitted directly to another controller, provided this is technically feasible. Every data subject has the right to obtain information free of charge about their stored personal data, its origin, recipients, and the purpose of the data processing. Furthermore, there is a right to rectification or erasure of this data, provided that legal provisions permit this. For further questions or concerns regarding personal data, the controller can be contacted at any time. There is a right to request the restriction of the processing of personal data if the accuracy of the data is contested and a verification is pending. In cases of unlawful processing, restriction of data processing can also be requested instead of erasure. Furthermore, restriction can be requested if the data is no longer needed but is required for the establishment, exercise, or defense of legal claims. In the event of an objection to processing pursuant to Article 21(1) GDPR, the right to restriction of processing also exists until it has been clarified whose interests prevail. If the processing of personal data is restricted, it may, apart from storage, only be processed with the consent of the data subject or for the establishment, exercise or defense of legal claims, for the protection of the rights of other natural or legal persons or for reasons of important public interest of the EU or of a Member State.

2. Data Controller

The data controller for this website within the meaning of the General Data Protection Regulation (GDPR) is: Jennifer and Christian Knapp Address: Zur Steinwiese 8, 64711 Erbach Website: https://das-blockhaus-im-odenwald.de Email: ferienhaus-elsbach@outlook.de Telephone: 49 1523 36414883. Data Processors We collaborate with various data processors who process data on our behalf. These service providers are contractually obligated to treat the data confidentially and to use it exclusively within the scope of their respective services. In addition, there are cases in which responsibility for data processing is shared with other parties. In such cases, responsibilities are transparently regulated and documented to ensure compliance with data protection requirements.
4. Definitions
To ensure the transparency of this privacy policy and to make it understandable for everyone, this policy primarily uses terms that are also defined in the General Data Protection Regulation (GDPR). The complete legal definitions can be found in Article 4 of the GDPR. The following explains the most important terms in connection with this privacy policy: Personal data: This includes all information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). A person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Processing: This term includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This may include the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. Controller: This is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Website: The website refers to the entire online presence provided by the controller under a specific URL. This includes all content, information, functions, and services published by the controller and made available to the user via this URL. The website serves as a digital platform for providing information, services, and for interaction between the controller and users. Terminal device: A terminal device is an electronic device capable of accessing the internet and loading web pages. This includes, but is not limited to, computers, laptops, tablets, and smartphones. These definitions help you better understand the privacy policy and the meaning of the terms used.

5. Hosting

This website is hosted on the servers of an external service provider to ensure reliable and secure use of this online service. Data processing by the hosting provider is carried out in accordance with Art. 6 Para. 1 lit. f GDPR, as the controller has a legitimate interest in providing a stable and secure website. Should it be necessary to obtain the user's consent (for example, for the use of certain cookies or tracking technologies), data processing is based on the user's consent in accordance with Art. 6 Para. 1 lit. a GDPR and Section 25 Para. 1 TTDSG. You can withdraw your consent at any time with effect for the future. The hosting provider is: Smoobu. Details on data processing and data protection can be found in the hosting provider's privacy policy. To ensure that your data is processed in accordance with applicable data protection regulations, a data processing agreement (DPA) has been concluded with the hosting provider. This contract obligates the hosting provider to process the personal data of website visitors exclusively according to the instructions of the data controller and in compliance with the GDPR. The hosting provider guarantees comprehensive protection of your data through technical and organizational measures.

6. Legal Basis for Data Processing

Your personal data is processed on the basis of the General Data Protection Regulation (GDPR) and other relevant legal provisions. Different legal bases apply depending on the purpose of the data processing. If you have consented to the processing of your personal data, this is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. This applies in particular to the processing of special categories of personal data pursuant to Art. 9 para. 2 lit. a GDPR and to the transfer of personal data to third countries pursuant to Art. 49 para. 1 lit. a GDPR. You can withdraw your consent at any time. The processing of your data may be necessary for the performance of a contract or for taking steps prior to entering into a contract and in this case is based on Art. 6 para. 1 lit. b GDPR. Furthermore, processing may be necessary to comply with legal obligations, which is then carried out in accordance with Article 6(1)(c) GDPR. In certain cases, processing is carried out to protect the legitimate interests of the controller or a third party, unless your interests or fundamental rights and freedoms override those interests. This processing is based on Article 6(1)(f) GDPR. For certain processing activities, national regulations may also apply, such as Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG) regarding the storage of cookies or access to information on your device. The applicable legal bases are explained in detail in the specific sections of this privacy policy. If your data is required for the performance of a contract or for taking steps prior to entering into a contract, your data will be processed on the basis of Article 6(1)(b) GDPR. For compliance with a legal obligation, data processing is based on Article 6(1)(c) GDPR. In addition, data processing may be carried out on the basis of legitimate interests pursuant to Article 6(1)(f) GDPR. The specific legal bases in each individual case are explained in the following sections of this privacy policy.

7. Data transfer to insecure third countries and non-DPF-certified US companies. If this website uses tools from companies located in third countries with insecure data protection, or US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF), your personal data may be transferred to and processed in these countries. Please note that a level of data protection equivalent to that of the EU cannot be guaranteed in third countries with insecure data protection. For the USA, as an insecure third country, a level of data protection comparable to that of the EU is generally not guaranteed. Data transfers to the USA are therefore only permitted if the recipient either has certification under the "EU-US Data Privacy Framework" (DPF) or has suitable additional safeguards in place. Detailed information on possible transfers to third countries, including data recipients, can be found in this privacy policy.

8. Data Retention Period: Unless a more specific retention period is stated within this privacy policy, personal data remains with the controller until the purpose for data processing no longer applies. If a legitimate request for erasure is made or consent to data processing is withdrawn, the data in question will be deleted, provided there are no other legally permissible grounds for storing the personal data (e.g., tax or commercial law retention periods). In these cases, the data will be deleted once these grounds cease to apply. The controller stores personal data only as long as it is necessary to fulfill the respective purposes for which the data was collected. These include, in particular, the fulfillment of contractual obligations, compliance with statutory retention periods, and the protection of the controller's legitimate interests, such as IT security and protection against misuse. If the processing of personal data is based on consent, the data will be stored until the data subject withdraws this consent. Such withdrawal is possible at any time with effect for the future. Afterwards, the data will be deleted immediately, unless there are statutory retention obligations or other overriding legal reasons that necessitate further storage. In summary, personal data will be deleted after the purpose for which it was stored has been fulfilled or the legal basis for its storage no longer applies, unless there are continuing legal obligations or legitimate interests that justify further storage.

9. Security Measures and Data Minimization Comprehensive technical and organizational measures are taken to effectively protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Care is taken to ensure that only the data absolutely necessary for the respective purpose is collected and processed. This data minimization strategy helps to significantly reduce the risk of misuse and unauthorized access. The security measures are continuously adapted to the state of the art to ensure a consistently high level of data protection.

10. SSL/TLS Encryption: To protect the security of your data during transmission, state-of-the-art encryption methods (e.g., SSL or TLS) are used via HTTPS. SSL (Secure Socket Layer) and TLS (Transport Layer Security) are protocols for encrypting data transmissions on the internet. This ensures that the data exchanged between your browser and the server is protected from unauthorized access. You can recognize an encrypted connection by the fact that the browser's address bar changes from "http://" to "https://" and by the padlock symbol in your browser's address bar.

11. Inquiries via email or telephone

 It is possible to submit inquiries to the data controller via email or telephone. The personal data transmitted in this process (e.g., name, email address, telephone number, and the inquiry itself) will be processed and stored by the data controller solely for the purpose of handling the inquiry and any follow-up questions. The legal basis for this data processing is Article 6(1)(b) GDPR, as the processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract. If the processing is not related to a contract, it is based on Article 6(1)(f) GDPR, as the data controller has a legitimate interest in processing and responding to inquiries.

12. Inquiries via WhatsApp

 It is possible to send inquiries to the data controller via WhatsApp. Please note that WhatsApp stores the transmitted data on servers in the USA. Therefore, no sensitive information should be transmitted via this channel. The personal data you transmit (e.g., name, telephone number, and the inquiry itself) will be processed and stored by the data controller solely for the purpose of handling your inquiry and any follow-up questions. The legal basis for this data processing is Article 6(1)(b) GDPR, as the processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract. If the processing is not related to a contract, it is based on Article 6(1)(f) GDPR, as the data controller has a legitimate interest in processing and responding to inquiries. Additional information on the processing of your personal data by WhatsApp can be found in their privacy policy at: https://www.whatsapp.com/legal/. (Sending to existing customers without consent)

 Newsletters are sent to existing customers even without their explicit consent under certain conditions. This is permissible according to Art. 6 para. 1 lit. f GDPR if the following conditions are met: a) Existing customer status: The customer has provided their email address in connection with the sale of goods or services. b) Direct marketing for similar products or services: The newsletter contains only advertising for similar products or services. c) Notice of right to object: The customer was clearly and explicitly informed, both when their email address was collected and in every newsletter, that they can object to the use of their email address at any time without incurring any costs other than the transmission costs at basic rates. d) No objection from the customer: The customer has not objected to the use of their email address. This type of newsletter distribution is based on the legitimate interest of the data controller in informing existing customers about similar products or services and maintaining the business relationship. The data is processed in accordance with Art. 6 para. 1 lit. f GDPR. Of course, customers can object to the use of their email address for this purpose at any time. An informal notification via email to the data controller or the use of the "unsubscribe" link in the respective newsletter is sufficient.

13. Social Media Plugins

 This section informs you about the integration and use of social media on this website. This includes details on data processing and your rights in connection with the use of social media plugins and their functions.

14. Appointment Booking or Calendar Tool

This website uses an appointment booking or calendar tool to make it easier for you to plan and book appointments. This tool allows you to manage appointments and process your booking requests efficiently. The use of this appointment booking or calendar tool is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, as consent is required for the use of cookies and other tracking technologies. Your consent serves the efficient management and confirmation of your appointment bookings. Consent can be revoked at any time with effect for the future. Below you will find detailed information about the appointment booking or calendar tool: This website uses the following appointment booking or calendar tool: Smoobu Payment Service You have the option of paying for your purchases with the following payment service: _________

15. Map Service

This website uses a map service to provide you with geographical information and an interactive user experience. This service is integrated by a third-party provider who may process personal data when you use their service. Your data is processed based on Article 6(1)(b) GDPR for the performance of the contract, in particular for the provision of geographical information and services, as well as in the legitimate interest of a smooth, convenient, and secure user experience pursuant to Article 6(1)(f) GDPR. Where your consent is required for certain actions, data processing is based on Article 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future. Detailed information about the map service is provided below: Google Maps To provide maps and geographical information on this website, Google Maps is used. Google Maps is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you visit a page with embedded Google Maps, a connection to Google's servers is established. Personal data such as your IP address and your interactions with the map may be transferred to Google. Google is certified under the EU-US Data Privacy Framework (DPF), which ensures adequate protection for the transfer of personal data from the EU to the USA. Further information about the EU-US DPF can be found at: https://www.dataprivacyframework.gov.

Further information about how Google Maps processes your personal data can be found in Google's Privacy Policy: https://policies.google.com/privacy.