Data protection

PRIVACY POLICY

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations as well as this privacy policy.

When you use this website, various personal data are collected. Personal data are data with which you can be personally identified, e.g., your name and address, but also, for example, your Internet address (IP address) with which you are currently browsing the web. This privacy policy explains which data we collect and what we use it for. It also explains how and for what purpose this happens.

CONTROLLER (RESPONSIBLE PARTY)

The controller responsible for data processing on this website as well as all integrated webpages is:

Brigitte von Oven GmbH & Co. KG
Strandallee 141
23669 Timmendorfer Strand
Phone: +49 4503 601640
E-mail: info@appartement-hotel-timmendorf.de
Website: www.appartement-hotel-timmendorf.de

The responsible party is the natural or legal person who alone or together with others decides on the purposes and means of processing personal data.

QUESTIONS ABOUT DATA PROTECTION

If you have questions regarding data protection in relation to our company or our websites, we will be pleased to answer them at any time.

You can address your concerns to our Data Protection Officer using the following contact details:

Data Protection Officer of Brigitte von Oven GmbH & Co. KG
c/o adasis GmbH
Am Kaiserkai 69
20457 Hamburg
E-mail: datenschutz@seeschloesschen.de

YOUR RIGHTS

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR)
You have the right to obtain free information at any time about your stored personal data, their origin and recipient, and the purpose of the data processing, including a copy of the personal data that is subject to processing.

Right to rectification (Art. 16 GDPR)
You have the right to demand the immediate correction of inaccurate personal data or to have incomplete personal data completed.

Right to erasure (Art. 17 GDPR)
We will delete your personal data without delay if:
– you withdraw your consent for the lawful processing and there are no other legal grounds for retention,
– you object to the processing, and while the objection is maintained and unresolved, your data will be blocked. You can lift your objection by written consent,
– the data is no longer necessary for the purposes for which it was collected or otherwise processed,
– the processing is inadmissible for other legal reasons.

Right to restriction of processing (Art. 18 GDPR)
You have the right to have the processing of your personal data restricted if
– you contest the accuracy of the personal data, for a period enabling us to verify its accuracy,
– the processing is unlawful, but you oppose the deletion and request the restriction instead,
– we no longer need the data for the purposes, but you require them for the establishment, exercise or defense of legal claims,
– you have objected to the processing and it is not yet clear whether our legitimate grounds outweigh yours.
You can lift this restriction in writing.

Right to data portability (Art. 20 GDPR)
You have the right to obtain your personal data that you have provided to us or to request the transfer to another controller, where the conditions of Art. 20(1) GDPR are met.

Right to object to processing (Art. 21 GDPR)
You have the right at any time, for reasons arising from your particular situation, to object to the processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions.
The controller shall then no longer process the personal data unless compelling legitimate grounds for the processing override your interests, rights and freedoms or the processing is for the establishment, exercise or defense of legal claims.
If the personal data are processed for direct marketing purposes, you have the right to object at any time to the processing for such advertising; this also applies to profiling related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You may exercise your right to object by automated means using technical specifications, regardless of Directive 2002/58/EC.

Right to revoke consent (Art. 7(3) GDPR)
You have the right to withdraw your consent at any time. The lawfulness of processing based on consent before its withdrawal remains unaffected.

Automated individual decision-making, including profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
This does not apply if the decision

  1. is necessary for entering into, or performance of, a contract between you and the controller,
  2. is permitted by Union or Member State law and these laws provide suitable measures to safeguard your rights and freedoms and legitimate interests, or
  3. is based on your express consent.
    Such decisions may not be based on special categories of personal data unless appropriate protection measures are in place.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
You can complain at any time to the relevant data protection supervisory authority. A list of supervisory authorities (for the non-public sector) with addresses can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

If you wish to assert any of your rights against us, please let us know using the contact details in the sections “Controller (Responsible Party)” or “Questions about Data Protection”.

ASSERTION OF DATA SUBJECT RIGHTS

If, as a data subject, you wish to exercise one or more rights against the controller, you can contact the controller at any time. Please use the contact details in the “Questions about Data Protection” section.

DISCLOSURE OF DATA TO THIRD PARTIES

Your personal data will not be passed on to third parties for any purposes other than those listed below.

We only share your personal data with third parties if:

  1. You have given your explicit consent in accordance with Art. 6(1)(a) GDPR,
  2. the transfer is permissible to protect our legitimate interests pursuant to Art. 6(1)(f) GDPR and there is no reason to assume you have overriding interests in not sharing your data,
  3. there is a legal obligation to do so under Art. 6(1)(c) GDPR, or
  4. it is legally permissible and necessary for handling contractual relations with you according to Art. 6(1)(b) GDPR.

For some processing we use external service providers (so-called processors), who are carefully selected, bound by instructions, and contractually obliged under Art. 28 GDPR or based on EU standard contractual clauses to implement appropriate technical and organizational measures. Data processing only takes place on the basis of this contract to ensure your data is protected.

Data may be passed on to third-party service providers and their assistants, some of whom offer cloud-based software and data processing solutions for the hotel, and who process guest data on the hotel’s behalf for booking facilitation and management, guest stay management, aligning services with guest wishes/preferences; the ability to offer future services in line with guest preferences; hotel services marketing, evaluations, and improvements (e.g., guest surveys).

Within these and other described processing operations, personal data may be transferred to the USA. Companies in the USA have an adequate level of data protection if they are certified under the EU-US Data Privacy Framework, in which case the EU Commission’s adequacy decision under Art. 45 GDPR applies. We have specifically named such providers. In all other cases, we have standard contractual clauses in place. If those are not sufficient, your consent under Art. 49(1)(a) GDPR may serve as the legal basis for transfers to third countries. This does not apply to transfers to countries for which the European Commission has issued an adequacy decision.

ENCRYPTION

For security reasons and to protect the transmission of confidential content, such as requests you send to us, this website uses TLS encryption. You can recognize an encrypted connection by the browser’s address line switching from “http://” to “https://” and by the lock symbol in your browser line.

When TLS encryption is active, data you send to us cannot be read by third parties.

Hosting by UD Media
We host our website with UD Media GmbH, Kölner Straße 28, 41812 Erkelenz (hereafter “web hosting provider”).
When you visit our website, your personal data (e.g., IP address in log files) are processed on the servers of our web hosting provider.

The use of this provider is based on Art. 6(1)(f) GDPR. We have a legitimate interest in a reliable, secure, and consistent provision of our website.

We have concluded a data processing agreement (DPA) according to Art. 28 GDPR with the provider. This contract ensures that the provider only processes users’ personal data in accordance with our instructions and complies with the GDPR.

Further information can be found at: https://udmedia.de/service/datenschutz/.

Server Log Files
Our webspace provider automatically collects and stores information in server log files. The following data, transmitted automatically by your browser, may be processed and stored:
– Browser type and version
– Operating system
– Referrer URL (website from which you reached us)
– Hostname of the accessing computer (IP address)
– Time of the server request

Temporary IP address processing is necessary for delivering the website to your device. Processing is required during the session. The legal basis is Art. 6(1)(f) GDPR.
This data will not be merged with other data sources and is only stored temporarily to optimize and ensure the security of our IT systems.

Cloudflare
We use the Content Delivery Network (CDN) from Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (“Cloudflare”), to increase website security and delivery speed. This is in our legitimate interest (Art. 6(1)(f) GDPR). A CDN is a global network of servers designed to deliver content to website users. For this purpose, personal data may be processed in Cloudflare server log files.

Cloudflare is the recipient of your personal data and acts as a processor for us. This represents our legitimate interest under Art. 6(1)(f) GDPR as we do not run our own CDN.

You have the right to object to this processing. The success of your objection will be determined in a balancing of interests.

Processing the above data is neither legally nor contractually required. The functionality of the website is not guaranteed without it.
Cloudflare stores your data as long as necessary for the described purposes.
For further information, see the Cloudflare DPA.
Cloudflare is certified under the EU-US Data Privacy Framework. Thus, an adequacy decision exists according to Art. 45 GDPR and a transfer may take place without further safeguards or measures.

COOKIES

Our website uses cookies. Cookies are small text files stored on the user’s system by the browser. When a user accesses a website, a cookie can be stored on the user’s operating system, containing a unique character string for browser identification on revisits.

Cookies are stored on your device, so you have full control. You can set your browser to notify you before cookies are set and to accept cookies on a case-by-case basis, or to block cookies entirely. You can delete cookies at any time. However, if you do, some website functions may not be fully available.

Below are links on managing (including disabling) cookies in major browsers:
Chrome: https://support.google.com/accounts/answer/61416?hl=de
Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
Safari: https://support.apple.com/de-de/guide/safari/manage-cookies-and-website-data-sfri11471/mac

Technically Necessary Cookies
Unless otherwise stated herein, we only use technically necessary cookies to make our service more user-friendly, effective, and secure. Cookies also allow our systems to recognize your browser after a page change, and offer you services accordingly. Some website functions cannot be provided without cookies. For these, your browser must be recognized after a page change.

The use of such cookies is based on § 25(2) TDDDG. Processing of your personal data is based on Art. 6(1)(f) GDPR from our overriding legitimate interest in ensuring optimal website functionality and a user-friendly, effective service. You have the right to object at any time, for reasons arising from your special situation.

Cookie Consent Manager (CCM19)
We use CCM19 to obtain and document your consent for storing cookies or the use of certain technologies. Provider is Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn (“CCM19”).

When visiting our website, a connection to CCM19 servers is established to record your consent or withdrawal declarations for cookie use. The following data is transmitted to CCM19:

  • Your IP address (also used to determine your country)
  • Browser
  • Language
  • The website accessed
    CCM19 then stores a cookie in your browser’s local storage to assign the given consents or their withdrawals. This cookie “CCM_CONSENT” is stored for one year.

The data is stored until you request deletion, delete the CCM19 cookie, or the purpose for storage ceases to apply. Statutory retention periods remain unaffected.
You can modify or withdraw consent at any time via the icon at the bottom left of your browser.

We have a DPA with the provider to ensure they only process personal data per our instructions and GDPR.

We are legally required to obtain consent for the use of cookies and cookie-based applications, for which we use CCM19. This is also our legitimate interest in accordance with Art. 6(1)(f) GDPR.

LINKS TO OTHER WEBSITES

Our website can contain links to other providers’ websites. We cannot influence their compliance with privacy regulations; our privacy policy does not extend to them.

CONTENT OF OUR WEBSITE

Contact Form
You can send us inquiries via the contact form on our website. The form contains mandatory and optional fields.
Your information will be processed solely for handling your inquiry. These data will not be passed to third parties or processed for other purposes without your explicit consent. When you submit your inquiry, the controller will receive an e-mail with your data to promptly handle your request.

Legal basis: Art. 6(1)(a) GDPR or Art. 6(1)(b) GDPR if the request is about a contract or pre-contractual measures.

Voucher Orders
You can purchase various value vouchers via our website. We collect various data via the voucher form to handle your request. These data will not be passed to third parties or processed for other purposes without your consent.
We use the online service Jotform Ltd. (Jotform), 4 Embarcadero Center, Suite 780, San Francisco CA 94111, USA. Data are processed by Jotform in the USA on our behalf/instructions.
Jotform is subject to the EU-U.S. Privacy Shield. For details: https://www.privacyshield.gov/welcome. Standard contractual clauses are in place as required.
Legal basis: Art. 6(1)(b) GDPR.

Direct Booking and Availability Inquiry
You can book rooms and services or check availability via the website. Alternatively, inquiries can also be made via phone or e-mail. We process your data solely for establishing, performing, and completing the contract as well as under the Federal Registration Act (BMG). Providing additional information is voluntary.

We use the direct booking system OnePageBooking by HotelNetSolutions GmbH, Genthiner Str. 8, 10785 Berlin.
For sending reservation offers in response to phone or e-mail inquiries and other booking related messages, we use the Revenue Management System of Hotelpartner Deutschland GmbH, Steinstraße 27, 20095 Hamburg.
Processors are bound by data processing agreements per Article 28 GDPR.

Data are deleted when no longer required or processing is restricted where legal retention periods apply.

Legal basis: Art. 6(1)(b) GDPR.

MEWS
For reservation management (including online bookings), customer management, contractual obligations towards customers, and internal process optimization, we use services from MEWS (Mews Systems B.V., Wibautstraat 137D, Scalehub 2. Floor, 1097DN, Amsterdam, Netherlands).
The following data may be processed:

  • Name, address, e-mail, and phone
  • Date of birth, gender, nationality
  • ID/passport number
  • Payment data (e.g., credit card info)
  • Stay data (e.g., booking, check-in/out)
  • Preferences and communication logs
  • License plate number
  • Company, tax number
  • Language
  • IP address and technical info (e.g., browser, OS)

Legal grounds:

  • Contract performance per Art. 6(1)(b) GDPR
  • Legal obligations per Art. 6(1)(c) GDPR
  • Legitimate interests per Art. 6(1)(f) GDPR

See “Your Rights” for more information.
More info and privacy policy: https://www.mews.com/privacy.

Processing by MEWS is GDPR compliant.

REGISTRATION FORM (Meldeschein)
The hotel is legally obliged (§30(1) BMG) to keep special registration forms, to be filled and signed. For this purpose, your name, address, date of birth, nationality, check-in and check-out dates may be pre-entered and other details added at arrival. Without these data, accommodation may not be possible. The retention period per §30(4) BMG is one year.

For collecting spa contributions and issuing spa cards (Ostseecard), registration forms are also used; names and birthdates of all other guests are collected. The forms are created via the spa administration platform, operated by AVS Abrechnungs- und Verwaltungs-Service GmbH, Josephsplatz 8, 95444 Bayreuth. Data are transferred to the spa administration. Legal basis: §10(1) LMG Schleswig-Holstein.

SATISFACTION SURVEY
After your stay, we may use your e-mail and name (provided with booking) to send a satisfaction survey. You may receive a link to either a survey or a public review portal at random. This is solely for the evaluation and improvement of our customer relationships—our legitimate interest (Art. 6(1)(f) GDPR & §7(3) UWG).

You can object to this use at any time per Art. 21(3) GDPR & §7(3) UWG.

NEWSLETTER
To subscribe to our newsletter, you must supply an e-mail address. Subscription uses a double opt-in process. After entering your details, you are sent a confirmation e-mail. No other data are collected.

Our e-mail newsletter is sent by The Rocket Science Group, LLC d/b/a MailChimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (MailChimp), to whom your data are transferred and processed as per a DPA. Note your data will often be transmitted and stored in the USA.

MailChimp uses your data for sending and statistically analyzing newsletters using web beacons/pixels. This helps us learn which newsletters are opened/clicked, and certain technical information is collected (e.g., timing, IP, browser/OS). Data is pseudonymized—no personal linkage.

You can object to statistical analysis by unsubscribing from the newsletter.

You may withdraw consent at any time, e.g. by unsubscribing. You can also block cookie storage, JavaScript, or tracking pixels in your browser.

MailChimp may also use data for legitimate interests per Art. 6(1)(f) GDPR (e.g. country statistics), but not to contact recipients or pass data to third parties.

MailChimp is certified under the EU-US Data Privacy Framework.
Privacy Policy: https://mailchimp.com/legal/privacy/
Legal basis: Art. 6(1)(a) GDPR.

WEB ANALYSIS

Google Analytics
We use Google Analytics from Google Ireland Limited (Barrow Street, Dublin 4, Ireland). Pseudonymous user profiles are created and cookies used. Information about your use of the website (browser, OS, referrer, IP, time) is transmitted to and stored by Google in the USA. Information is used to evaluate website use, compile reports, and provide further market research/internet related services. Your IP is anonymized (IP masking) and not linked to other data. Data collection is only based on your explicit consent per Art. 6(1)(a) GDPR.

You may block cookies in your browser, but this may limit some website functions.

You can prevent data collection by Google Analytics using a browser add-on: https://tools.google.com/dlpage/gaoptout?hl=de
Alternatively, click on the link “Deactivate Google Analytics” to set an opt-out cookie for our site.

Google Analytics privacy policy: https://support.google.com/analytics/answer/6004245?hl=de

PLUGINS AND OTHER SERVICES

Google Maps
We use Google Maps (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to display interactive maps. Processing/transmission of your data (IP, connection data) to Google is based on your explicit consent (Art. 6(1)(a) GDPR).

If you are signed in to Google, data is assigned to your account. Details: https://www.google.com/privacypolicy.html.
Google is certified under the EU-US Data Privacy Framework; data may also be transferred on the basis of your consent (Art. 49(1)(a) GDPR).
Deactivate JavaScript in your browser if you don’t consent; maps won’t display.
Google’s terms: https://www.google.de/intl/de/policies/terms/regional.html
Additional Google Maps terms: https://www.google.com/intl/de_US/help/terms_maps.html

Google Fonts
Our website uses Google Web Fonts for standardized font display by Google Ireland Limited (Barrow Street, Dublin 4, Ireland), part of Google LLC. For this purpose, your browser establishes a connection to Google’s servers, which may receive your IP. Using Google Web Fonts is in the interest of a consistent, attractive website.
Google Web Fonts FAQ & Privacy Policy: https://developers.google.com/fonts/faq ; https://www.google.com/policies/privacy/
This only occurs with express consent (Art. 6(1)(a) GDPR).

Google Tag Manager
We use Google Tag Manager (Google Ireland Limited, Barrow Street, Dublin 4, Ireland) to integrate and manage website tags. The tool may trigger other tags that collect data, but Google Tag Manager itself does not access this data. Disabling at cookie or domain level will apply to all tracking tags implemented via Tag Manager.
More info: https://www.google.com/intl/de/policies/privacy/
Processing only with express consent (Art. 6(1)(a) GDPR).

YouTube (Videos)
We have integrated YouTube (YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA; subsidiary of Google Ireland Limited). YouTube allows the publication and viewing of various videos. Each time you visit a page on which a YouTube video is integrated, your browser connects to YouTube.
If you are logged in to YouTube, YouTube and Google register which page you visit. If you don’t want this, log out of YouTube before visiting.

YouTube and Google learn you have visited our site through the YouTube component; this applies whether you click a video or not and regardless of your YouTube login status.

Privacy Policy: https://www.google.de/intl/de/policies/privacy/
Processing only with express consent (Art. 6(1)(a) GDPR).

Vimeo (Videos)
We include plugins from Vimeo (Vimeo, LLC, 555 West 18th Street, New York, NY 10011, USA). When visiting a site with such a plugin, your browser connects directly to Vimeo. Information (including your IP) goes to Vimeo servers, usually in the USA.

If you are logged in to Vimeo, visit data are assigned to your Vimeo account. Interacting with plugins (e.g., clicking play) also transmits info to Vimeo. If you do not want Vimeo to link the data to your account, log out before visiting.

Vimeo videos may also be tracked by Google Analytics.
Privacy Policy: https://vimeo.com/privacy
Processing only with express consent (Art. 6(1)(a) GDPR).

WPML
We use WPML (OnTheGoSystems Limited, 22/F 3 Lockhart Road, Wanchai, Hong Kong) to offer the website in various languages. WPML stores a cookie to save language preference. Personal data may be processed—primarily user activity and device/browser info (especially IP and OS). More details at “Privacy Policy and GDPR Compliance – WPML”.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is addressing website users in their native language.

Pop-Up Builder
We use Pop-Up Builder by Popup-Maker Code Atlantic LLC | 266 Turner Rd. East Palatka, Florida, 32131, USA. We use anonymous cookies to prevent users from seeing the same pop-up repeatedly, improving user experience and delivering timely messages. Popup Maker does not send user data from your website externally.

Used Cookies:

Cookie Name Purpose Duration
pum-18448 Used to prevent repeated display of popup windows 1 year
pum-18485 Used to prevent repeated display of popup windows 1 month

CHANGES TO THIS PRIVACY POLICY
We reserve the right to update this privacy policy in the future, especially in connection with website development, new technologies, or changes in law or case law.

Date: August 2025