Privacy Policy

Data protection statement pursuant to the DSGVO / GDPR

Data Controller

Controller pursuant to Art. 4(7) GDPR

Kurhotel Alpenkristall Bad Wiessee GmbH

Seestraße 12 · 83707 Bad Wiessee · Germany

E-Mail: info@alpenkristall-badwiessee.de

Data We Collect

  • Booking data: first name, last name, email address, phone number, nationality, date of birth, billing address, and booking details (room, check-in/out dates, number of guests, total amount).
  • Registration form data (Bundesmeldegesetz): first and last name, date of birth, nationality, full address, identity document number (passport or ID card), co-travellers. This data is collected under a legal obligation (Art. 6(1)(c) GDPR in conjunction with § 30 BMG).
  • Health data (only with your explicit consent under Art. 9(2)(a) GDPR): allergies, preferences, and disability status for the reduced visitor's tax (Kurtaxe). This data is stored only after consent has been given, and consent may be withdrawn at any time.
  • Contact form submissions: name, email address, message content.
  • Server log files: IP address, browser type, operating system, referrer URL, date and time of access. These are automatically collected by our hosting provider (Vercel) and deleted after 30 days.
  • Session cookies set by Supabase for authentication (staff login only). No tracking or advertising cookies are used.

Purposes of Processing

  • Booking and reservation data is processed to perform the accommodation contract (Art. 6(1)(b) GDPR).
  • Registration form data is collected and processed under a legal obligation pursuant to the Bundesmeldegesetz (Art. 6(1)(c) GDPR).
  • Health data (allergies, preferences, disability status) is processed exclusively on the basis of your explicit consent (Art. 9(2)(a) GDPR). Consent may be withdrawn at any time with effect for the future.
  • Contact form data is processed to respond to your enquiry (Art. 6(1)(b) GDPR).
  • Server logs are processed for security and troubleshooting (Art. 6(1)(f) GDPR — legitimate interest).
  • Authentication cookies are used exclusively for staff login (Art. 6(1)(b) GDPR).

Data Retention

We retain personal data only for as long as necessary for the respective purpose:

  • Guest profile data (name, email, phone, address): 3 years after the last stay, then anonymised.
  • Health data (allergies, preferences, disability status): 3 years after the last stay, or immediately on withdrawal of consent.
  • Registration form data: identity document details are anonymised after 1 year (§ 30 BMG). Remaining booking data is retained for 10 years (§ 147 AO, § 257 HGB).
  • Invoices and payment records: 10 years under § 147 AO and § 257 HGB (statutory commercial and tax retention obligation).
  • Contact enquiries: 2 years, then automatically deleted.
  • Server logs: 30 days (by Vercel). Application error logs: 90 days.

Your Rights

Under GDPR, you have the right to: access your personal data (Art. 15), rectify inaccurate data (Art. 16), erase your data (Art. 17 — "right to be forgotten"), restrict processing (Art. 18), data portability in machine-readable format (Art. 20), and object to processing (Art. 21). To exercise these rights, contact us by email or post using the details in the Impressum. We will process your request within 30 days. Identity verification may be required.

You also have the right to lodge a complaint with the competent supervisory authority. In Bavaria: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, www.lda.bayern.de. Federal: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), www.bfdi.bund.de.

Data Processors & Third-Party Services

We use the following service providers, with whom we have entered or are entering into Data Processing Agreements (DPA) pursuant to Art. 28 GDPR:

  • Vercel Inc. (website hosting and delivery) — servers located in the EU. DPA in place.
  • Supabase Inc. (database and authentication) — EU region (Frankfurt, Germany). DPA in place.
  • Brevo (formerly Sendinblue SA) (transactional email delivery) — based in France (EU). First name, last name, email address, and booking details are transmitted for sending booking confirmations and guest journey emails. Legal basis: Art. 6(1)(b) GDPR (contract performance). DPA in place.
  • Stripe Inc. (payment processing for deposits) — based in the USA, EU servers available; data transfer on the basis of Standard Contractual Clauses (SCCs) under Art. 46 GDPR. Guest email address and booking amount are transmitted for payment processing. Card details are processed exclusively by Stripe and never touch our servers. DPA (Stripe Data Processing Addendum) in place.
  • Channex.io (channel manager for online travel agencies) — booking data (name, email, room type, dates) is synchronised from booking platforms (e.g. Booking.com, Expedia) via Channex. DPA in preparation.
  • fiskaly GmbH (Technical Security Device / TSE for KassenSichV compliance) — based in Germany. Only payment amounts and tax categories are transmitted; no personal data. DPA in place.

Security

All data transmission is encrypted in transit via HTTPS (TLS), and HTTP Strict Transport Security (HSTS) is enabled so browsers refuse plain-HTTP connections. Security HTTP headers such as Content-Security-Policy and X-Frame-Options are set on all responses. Access to personal data is restricted to authorised staff through role-based access control.
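The controls named above (HSTS, Content-Security-Policy, X-Frame-Options) are things a visitor or auditor can verify from the response headers alone. The following Python checker is an added example for this page; it is not the hotel's code nor any Vercel or Supabase configuration. The two header sets it evaluates are constructed, the one-year HSTS threshold is the checker's own assumption, and `fetch_headers` is only a convenience for pointing it at a live site.

```python
"""Check a set of HTTP response headers against the transport-security
controls the policy names: HSTS, Content-Security-Policy, X-Frame-Options.

Added example for this page, not the hotel's own code. The two sample
header sets are constructed; the thresholds are this checker's assumptions.
"""
from __future__ import annotations

import urllib.request

# One year, the value HSTS preload lists require. Assumption, not from the policy.
MIN_HSTS_MAX_AGE = 31_536_000


def parse_directives(value: str) -> dict[str, str]:
    """Split 'a=1; b; c=x' style header values into {name: value}; names lowercased."""
    out: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [sources]}; directive names lowercased."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return one status per control: 'ok', 'missing', or 'weak: <reason>'."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: dict[str, str] = {}

    # HSTS: present, long max-age, and covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["hsts"] = "missing"
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings["hsts"] = f"weak: max-age {max_age} below {MIN_HSTS_MAX_AGE}"
        elif "includesubdomains" not in d:
            findings["hsts"] = "weak: no includeSubDomains"
        else:
            findings["hsts"] = "ok"

    # CSP: present, and the effective script policy allows neither inline
    # script nor any origin (script-src falls back to default-src).
    csp_raw = h.get("content-security-policy")
    csp = parse_csp(csp_raw) if csp_raw else {}
    if not csp:
        findings["csp"] = "missing"
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings["csp"] = "weak: script-src allows 'unsafe-inline'"
        elif "*" in script_src:
            findings["csp"] = "weak: script-src allows any origin"
        else:
            findings["csp"] = "ok"

    # Clickjacking: CSP frame-ancestors takes precedence; otherwise X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" in csp:
        findings["clickjacking"] = "ok"
    elif xfo in ("DENY", "SAMEORIGIN"):
        findings["clickjacking"] = "ok"
    elif xfo:
        findings["clickjacking"] = f"weak: X-Frame-Options '{xfo}' not DENY/SAMEORIGIN"
    else:
        findings["clickjacking"] = "missing"

    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Fetch a live page's response headers (needs network; the samples below do not)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, check_headers(sample))
```

The checker treats a CSP `frame-ancestors` directive as sufficient on its own because browsers that support it ignore `X-Frame-Options` when both are present; a site setting only `X-Frame-Options` still passes, but only with `DENY` or `SAMEORIGIN`. Run `check_headers(fetch_headers("https://example.invalid/"))` against a real host to compare its live headers with the policy's claims.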

Data Protection Contact

For all data protection enquiries — in particular to exercise your data subject rights — please contact us by email or post using the details in the Impressum. Please include your email address and, if available, your booking reference so we can process your request promptly.

Last updated: May 2026 · Version 1.1