Privacy Policy
We are pleased about your interest in Yours Truly Hotel and our website. The protection of your personal data is a matter of great importance to us, TheNew Munich GmbH, as the operator of the Yours Truly Hotel in Munich. We handle your personal data confidentially and in accordance with legal data protection regulations, in particular the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Below, we inform you transparently about which personal data we collect and for what purposes we process it – for example, when you visit our website, when making a booking through our systems or third-party providers, during your hotel stay (check-in/check-out, guest communication, Wi-Fi usage, video surveillance), as well as your related rights. This privacy policy applies to all processing activities carried out by us in connection with our hotel services. Please read this information carefully. If you have any questions about data protection, you can contact us at any time (contact details below).
​
1. Name and contact details of the controller
​
Controller pursuant to the GDPR is:
TheNew Munich GmbH (Hotel "Yours Truly")
Schützenstraße 1
80335 Munich
Germany
Phone: +49 89 21 530 533 0
Email: dataprotection[at]yourstrulyhotel[.]com
Represented by the Managing Directors: Konstantin Irnsperger, Markus Sutor.
​
2. Data protection contact
We are not legally required to appoint a data protection officer. However, if you have any concerns regarding data protection, you can contact us at any time using the above contact details, mentioning the keyword "data protection." We will handle your request confidentially.
​
3. Processing operations and purposes in detail
​
Below we explain which data we process for which purposes and on what legal basis.
​
3.1 Visiting our website – server log files
​
When you visit our website, we collect technically necessary data in so-called server log files. This includes, for example, your IP address, date and time of the request, the page/file accessed, the amount of data transferred, notification of successful retrieval, browser type and version, the operating system of your device, and the previously visited page (referrer URL). We process this data to ensure the functionality and security of the website (e.g. defense against attempted attacks, error analysis) and to statistically evaluate the use of our website. This log data is not merged with other data sources, and we do not draw any direct conclusions about you from the log files.
​
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the secure provision of the website). Our legitimate interest arises from the need to ensure the stable and secure operation of our website.
​
Storage period: Log files are only stored for a limited period of time (usually a maximum of 30 days) and then automatically deleted or anonymized. Longer storage only occurs in exceptional cases if this is necessary for evidentiary purposes in the event of attacks or security-related incidents (then until the matter is finally clarified).
​​
​
3.2 Cookies and consent management
​
Our website uses cookies and similar technologies to provide certain functions and improve your user experience. These include technically necessary cookies (e.g. for settings or the booking process), as well as cookies for analysis and tracking purposes (see Google Analytics and Microsoft Clarity below). We only use non-essential cookies (particularly for analysis/tracking) with your express consent. When you first visit our website, we will ask for your consent via a cookie banner. You can revoke or change your consent at any time via our cookie settings on the website (a link to this is provided in the footer of the website). You can generally view our website without cookies; however, not all functions may then be fully usable (e.g. the booking engine). You can also prevent cookies from being set or delete cookies that have already been set using your browser settings. Please note, however, that this may limit functionality.
​
Legal basis: We process technically necessary cookies on the basis of Art. 6 (1) (f) GDPR (legitimate interest in providing a functioning and user-friendly website). We only use analysis/tracking cookies on the basis of your consent in accordance with Art. 6 (1) (a) GDPR, if applicable in conjunction with Section 25 (1) TTDSG (for reading/storing information on your device).
3.3 Use of Google Analytics
​
Our website uses Google Analytics 4, a web analysis service of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies (see above), which enable an analysis of your use of the website. We have configured Google Analytics in such a way that anonymized evaluation takes place. In particular, your IP address is shortened before any further processing (so-called IP anonymization), so that a direct personal reference is excluded. Google Analytics collects, among other things, the following data: information about your device and browser, the pages you visit and your interactions (e.g. click paths), approximate geographic region, technical performance data of the website, and similar usage data. We use Google Analytics to better understand visitor behavior on our website and to optimize our offer accordingly. Google will evaluate this information on our behalf in order to compile reports on website activity and to provide us with further services.
​
Legal basis: Your consent (Art. 6 para. 1 lit. a GDPR). You decide via the cookie banner whether you allow Google Analytics. Without your consent, Google Analytics remains deactivated. You can revoke your consent at any time with effect for the future by deactivating the Analytics option in the cookie settings.
​
Recipient and third country transfer: Google Ireland Ltd. initially processes the data within the EU. However, it cannot be ruled out that Google LLC, based in the USA, may gain access to the data. Google is certified under the EU-US Data Privacy Framework, which guarantees an adequate level of data protection. In addition, we have concluded so-called EU standard contractual clauses with Google to ensure a high level of data protection in the event of data transfers to third countries.
​
Storage period: We have limited the storage period for usage data offered by Google to 14 months. This means that Analytics data older than 14 months is automatically deleted or only retained in aggregated form. Further information can be found in Google’s privacy policy and the Google Analytics terms of use.
​​
​
3.4 Use of Microsoft Clarity
​
We also use Microsoft Clarity on our website, a web analysis and session recording service from Microsoft Corporation. Microsoft Clarity records the behavior of website visitors in anonymized form, e.g. mouse movements, clicks, scrolling behavior, and interactions. This helps us to understand how users use our pages, where usability problems may arise, and how we can improve user-friendliness. Clarity also uses cookies/tracking technologies. When using Clarity, information such as your shortened IP address, device type, browser, length of stay, interaction events, etc. may be recorded.
​
Important: Clarity automatically masks sensitive data fields, i.e. any entries in password or credit card fields are not recorded. Content of messages or personal entries is also hidden as far as possible to protect your privacy. We only see anonymized recordings that cannot be directly linked to a person.
​
Legal basis: Your consent (Art. 6 para. 1 lit. a GDPR), which you can give via our cookie banner. Without your consent, Clarity is not activated. You can adjust your decision at any time via the cookie settings.
​
Recipient and third country transfer: Clarity is provided by Microsoft Ireland Operations Ltd., One Microsoft Place, Dublin, Ireland. However, the analysis may be carried out via servers of Microsoft Corporation in the USA. Microsoft states that it has also joined the EU-US Data Privacy Framework. We have also concluded standard data protection clauses with Microsoft to ensure an adequate level of protection.
​
Storage period: According to Microsoft, the session data recorded by Clarity is automatically deleted after 3 months. We do not store this data locally ourselves but only access the analyses provided by Microsoft. Further details on data protection at Clarity can be found in the Microsoft privacy policy and the Clarity FAQs.
​
​
3.5 Contact (email, telephone, etc.)
​
If you contact us – for example by email to our official address or by telephone – we process the personal data you provide (such as your name, email address, telephone number, and the content of your inquiry) in order to process and respond to your request.
​
Purpose: Responding to inquiries, reservation requests, general messages, and communication with (potential) guests, suppliers, or other persons who contact us.
​
Legal basis: Art. 6 para. 1 lit. b GDPR, provided your inquiry is aimed at concluding a contract or is related to an existing booking/reservation (e.g. inquiry about room availability, request to change an existing booking). In all other cases, we base the processing on Art. 6 para. 1 lit. f GDPR – our legitimate interest in answering inquiries from interested parties or third parties and ensuring smooth communication.
​
Storage period: We only store contact details and correspondence for as long as necessary to process your request. Once communication has been fully concluded and no further exchange is expected, we delete the data after 12 months at the latest. If a contractual relationship results from the inquiry (e.g. booking), the data will be transferred to the corresponding contract documentation and stored in accordance with the applicable deadlines (see the section on storage period below).
​
​
3.6 Online booking via our website (myIBE booking engine)
​
If you make a room reservation directly via our hotel website, this is done via our integrated internet booking engine "myIBE" from detco GmbH (a partner connected to our hotel management system). As part of the booking process, various personal data is collected that is necessary to process the reservation, in particular:
- Guest data: Title, first and last name, date of birth (if required for check-in), address (if required), email address, telephone number.
- Booking data: Period of stay (arrival/departure date), number of guests (adults, children), room type/category, special requests or comments, estimated time of arrival.
- Payment data: Depending on the selected rate, credit card details may be collected to guarantee the booking or payment (cardholder, card number, validity, CVC). These entries are encrypted; we use a PCI-DSS-compliant solution so that payment data is processed and stored securely (usually as a token).
​
This data is collected directly by the booking engine on our behalf and seamlessly transferred to our central property management system (PMS) Apaleo (see section 3.8). detco GmbH acts as our processor in accordance with Art. 28 GDPR. We have concluded a corresponding data processing agreement (DPA) with detco, which ensures that your data is used exclusively to process the booking and processed in accordance with current security standards (including PCI DSS and PSD2 for payment data).
​
Purposes: We use the data you enter to process your reservation, send you a booking confirmation by email, hold the booked room for you, and fulfill the accommodation contract with you. Without the provision of this mandatory information, we cannot process your booking. We use voluntary information (e.g. comments on special requirements or the reason for your trip) to best accommodate your wishes (e.g., taking allergies into account or providing a baby bed).
​
Legal basis: Art. 6 para. 1 lit. b GDPR (implementation of pre-contractual measures and fulfillment of the hotel accommodation contract). If you voluntarily provide us with special categories of personal data (e.g., health information such as allergies or a disability that is relevant to your accommodation), we will process this data on the basis of your implied consent in accordance with Art. 9 para. 2 lit. a GDPR solely for the purpose of preparing your stay.
​
Storage period: We initially store booking data until your stay has been fully processed. In addition, relevant booking and invoice data is retained for 10 years in accordance with statutory retention periods (tax and commercial law) (see the Storage Period section for details).
​
Note on payment processing: Any online payments or credit card guarantees are encrypted. Your credit card details are not stored in plain text by us, but are securely forwarded to our PCI-certified payment service (possibly part of Apaleo Pay or a connected payment solution). We process payment data only to the extent necessary to process the payment (e.g., debiting in advance or authorization as a booking guarantee). The legal basis for this is also Art. 6 para. 1 lit. b GDPR.
​
3.7 Bookings via third-party platforms (Booking.com, Expedia, etc.)
​
Our hotel cooperates with online travel platforms such as Booking.com and Expedia. If you make a room reservation in our hotel via such a third-party provider, the respective provider initially collects and processes your personal data as its own controller. The booking portals then transmit to us the data required for your reservation.
This usually includes: your name, the booked stay dates (arrival and departure, room category, price), the number of guests, any special requests, and contact information (such as email address or phone number, if forwarded to us by the portal). We generally do not receive payment or credit card data directly from Booking.com/Expedia, as payment is either processed via the portal or only a token/virtual card is provided to us for charging.
​
Purposes: We process the data received from the booking portal to create your reservation in our system (PMS), provide the room, check you in, and fulfill the accommodation contract with you. If necessary, we use your contact details to contact you prior to arrival or to clarify questions (e.g., in case of ambiguities in the booking).
​
Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance). Even if you conclude the contract via an agent, the data is necessary to fulfill the accommodation contract between you and us. Please note that the privacy policies of Booking.com, Expedia & Co. apply independently. These portals process your data (especially during booking on their website) under their own responsibility. Please refer to the respective provider’s privacy policy (e.g., the privacy policy of Booking.com or Expedia). As soon as we receive your data from the portal, we process it as described in this privacy policy.
​
Transfer and order processing: The mentioned booking platforms do not act as processors on our behalf, but as independent controllers. Nevertheless, we have agreements with these providers that regulate the exchange of booking information. Once received, we treat your data confidentially; it will not be passed on to unrelated third parties, except in the cases described in this declaration (e.g., to our PMS or due to legal obligations).
​
​
3.8 Hotel Management System (PMS Apaleo)
​
We use the cloud-based Property Management System (PMS) “Apaleo,” provided by Apaleo GmbH (Oskar-von-Miller-Ring 29, 80333 Munich, Germany), for the central management of all reservations and guest data. In Apaleo, all personal data necessary for hotel operations is stored and processed, including:
- Master data: Name, contact information, possibly address and date of birth, nationality (if required for registration), preferences or notes you have shared with us (e.g., room preferences, allergies – if recorded).
- Booking and stay data: Booking number, booked room and rate, length of stay, fellow travelers, check-in and check-out date/time, billing information (services, prices, payment method, billing address if different).
- Communication history: Relevant emails or messages related to the reservation may be noted in the PMS (e.g., special arrangements, complaints, requests).
- Registration form data: If you are subject to registration requirements (see section 3.10), the data from the registration form (address, ID number for foreign guests, etc.) may also be recorded or linked in the PMS.

Purposes: Apaleo enables us to efficiently handle all hotel processes – from reservation and check-in to invoicing. Specifically, we use the PMS to manage bookings, assign rooms, record services, create invoices, and fulfill legal record-keeping requirements. It also serves as a guest management system, e.g., to recognize returning guests and offer improved service on future stays (e.g., by considering existing preferences).
​
Legal basis: Primarily Art. 6 para. 1 lit. b GDPR (fulfillment of the hotel contract and pre-contractual measures). Data processing in the PMS is an integral part of the contract. To the extent that we store certain information beyond contract performance (e.g., voluntary information on preferences for future stays), we base this on Art. 6 para. 1 lit. f GDPR (legitimate interest in personalized, high-quality guest service). You can object to this further storage at any time (see rights, particularly the right to object in section 5). Legal obligations (e.g., retention of invoice data in accordance with Art. 6 para. 1 lit. c GDPR in conjunction with HGB/AO) remain unaffected.
​
Order processing and data security: Apaleo GmbH processes the data on our behalf and exclusively in accordance with our instructions (Art. 28 GDPR). A corresponding data processing agreement (DPA) has been concluded. Apaleo hosts the platform in highly secure data centers – according to Apaleo, within the EU – and maintains strict technical and organizational measures to protect data (including encryption, access controls, regular security audits). Apaleo is also PCI-DSS compliant (for payment data) and holds modern security certifications (SOC 2, etc.). Only our authorized employees have password-protected access to the PMS, and every access is logged.
​
Interfaces to other systems: Apaleo enables two-way interfaces to various connected systems (“apps”) that we use – e.g., the booking engine (myIBE), the guest messaging system Bookboost, or the digital check-in solution Straiv. Necessary data is transmitted automatically and securely via these interfaces. We ensure that each connected application also complies with data protection standards and is contractually bound (see the respective tool sections in this privacy policy).
​​
​
3.9 CRM and guest communication (Bookboost)
​
In order to efficiently communicate with our guests before, during, and after their stay, we use the Customer Relationship Management (CRM) and multi-channel messaging system Bookboost, provided by Bookboost AB (Anckargripsgatan 3, 211 19 Malmö, Sweden). Bookboost allows us to reach guests via various communication channels – in particular via email, SMS, or WhatsApp (via the WhatsApp Business API) – to provide them with important information about their stay.
​
Processed data: Bookboost generally imports your name, the booked stay period, and contact details (email address and/or mobile number) from our PMS. The system also saves the history of communication with you (content of messages sent and your replies, if applicable). This gives our staff a unified “guest inbox” so they can always track what has already been communicated. Bookboost can also display your booking details (via PMS integration), e.g., arrival and departure dates, room category, booking number, so that we can send contextual messages (such as "Your room will be ready from 3 p.m." on arrival day).
​
Purposes: We use Bookboost exclusively for transactional and service-related communication, not for unsolicited marketing. This includes:
- Booking and reservation confirmations: You will receive a confirmation from us with the key information shortly after your booking (unless already sent by the booking portal).
- Pre-arrival messages: Before your arrival, we may send you information about check-in, directions, parking, or a link to the online check-in option (see Straiv, section 3.10).
- During your stay: For example, we may inform you about the availability of your room on arrival day or communicate via WhatsApp/SMS if you wish – to answer questions or fulfill service requests (e.g., extra pillow, wake-up call).
- Post-stay: After departure, we may send you a thank-you message and your invoice by email if needed. We may also ask for feedback, but only if you agree; we do not send automated marketing newsletters.
​
Legal basis: Communication via Bookboost, to the extent necessary for contract fulfillment with you, is based on Art. 6 para. 1 lit. b GDPR (contractual communication is part of the service). This applies especially to booking confirmations, arrival information, and responses to your inquiries. If we send you additional service information not strictly required by contract (e.g., voluntary satisfaction survey), we base this on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in providing excellent customer service. In any case, we respect your preferences: If you do not wish to use certain communication channels, you can let us know at any time. For promotional content (e.g. newsletters, offers), we would obtain your explicit consent in advance (Art. 6 para. 1 lit. a GDPR).
​
Communication channels and third-party providers:
- Email: Emails are sent either directly via Bookboost or, where applicable, via our other system Straiv. Please note that emails may be unencrypted; for highly sensitive information, we only use email when necessary and with appropriate security measures.
- SMS: If you provided a mobile number during booking, we may send you important short messages via SMS (e.g. if we cannot reach you at short notice to clarify an urgent question). These are sent via the Bookboost service, which uses telecommunications providers (SMS gateways) for delivery. Your phone number is transmitted to the SMS service for this purpose.
- WhatsApp: We offer communication with guests via WhatsApp, as many find this convenient. If you have already contacted us via WhatsApp or told us that we may write to you via WhatsApp, we use this channel. Your phone number is then passed on to the WhatsApp Business service (operated by WhatsApp Ireland Ltd., Dublin or WhatsApp LLC/Meta Platforms in the USA). WhatsApp necessarily receives the metadata of each message (sender/recipient, time) and also stores the message content (encrypted on WhatsApp servers). Please note that WhatsApp has its own privacy policies over which we have no control. We use WhatsApp exclusively for individual communication (no group chats) and only for transactional content (no advertising). If you do not wish this, simply let us know or use email/SMS as alternatives.
​
Order processing: We have concluded a data processing agreement pursuant to Art. 28 GDPR with Bookboost AB (Sweden). This contract obliges Bookboost to protect our guests’ data, process it only according to our instructions, and not to disclose it unlawfully to third parties. Bookboost stores the data within the EU.
​
Storage period: Messages and chat histories sent via Bookboost are stored in our Bookboost account so that we can track the communication history. We generally delete or anonymize this communication data when it is no longer required for its original purpose. As a rule, we store guest correspondence for up to 6 years, since business communications must be retained as part of business records under commercial law. Longer storage may occur in individual cases if necessary for the assertion, exercise, or defense of legal claims. At your explicit request, we can delete personal chat histories earlier, provided no retention obligations prevent this.
​
​
3.10 Digital guest services and online check-in (Straiv by CODE2ORDER)
​
We offer our guests digital check-in/check-out and other digital services via the Straiv by CODE2ORDER platform, operated by CODE2ORDER GmbH (Eichenwiesenring 4F, 70567 Stuttgart, Germany). Straiv allows you to complete check-in formalities conveniently on your smartphone before arrival or while on the go – similar to self-check-in at the airport. We also provide a digital guest folder and, where applicable, additional services via Straiv (e.g., information about your stay, room feedback, optional digital check-out).
​
Process and processed data: If you have booked with us, we may send you an email (or SMS/WhatsApp via Bookboost) shortly before arrival with a link to online check-in. This link leads to the Straiv web interface, where you identify your reservation (usually by entering your last name and reservation number or a code). There you can enter or verify the data required for the official registration form:
- Full name, address, date of birth, nationality.
- For foreign guests: serial number of the identity document (passport/ID card) and issuing authority.
- Signature: You can digitally sign on your smartphone/tablet to fulfill the legal registration form requirement.
- Optionally, additional data may be requested: e.g. vehicle license plate (if using parking), estimated time of arrival, and confirmation of consent to the general terms and conditions/hotel rules.
- Corona status [Note: currently no longer relevant]: Straiv also had the option to upload COVID vaccination/test certificates – this is no longer required and not used by us.
​
The data you enter will be encrypted and transmitted to our PMS (Apaleo) and used there to prepare your check-in. Straiv generates the official registration form digitally. Where permitted, the entire check-in process is paperless; in some cases (especially for foreign guests), we may need to print your digital signature or have you sign again on-site if legally required.
​
Registration obligation: According to the German Federal Registration Act, accommodation providers are required to collect certain information from guests. From January 1, 2025, German citizens are no longer required to complete a registration form. Foreign guests (non-Germans), however, remain subject to the registration obligation – we must record their name, date of birth, address, nationality, and the serial number of their identity document, and they must sign the registration form. With Straiv, we can collect this data in advance, which speeds up your check-in process. Upon arrival of foreign guests, we typically check the original ID document and confirm the accuracy of the information. Your digital registration form data is stored electronically with us; we only keep a printout if required for legal reasons. Registration forms (whether digital or paper) are retained for one year from the arrival date in accordance with legal requirements and are then destroyed or deleted (see storage period).
Additional Straiv features: Through Straiv, we may also provide you with a digital guest folder (information about the hotel, breakfast times, local tips, etc.) or enable digital service requests (e.g. room service orders). If you use such functions, Straiv processes corresponding transaction data (e.g., which information pages you visit or which services you order). This data is used exclusively to carry out the requested services and to improve our offering.
Legal basis: Your data is processed via Straiv to fulfill our contract and legal obligations: Art. 6 para. 1 lit. b GDPR (check-in and services as part of the accommodation contract) and Art. 6 para. 1 lit. c GDPR (legal registration obligation under the Federal Registration Act for foreign guests). If Straiv uses cookies or tracking to provide and analyze the service, Straiv may separately obtain your consent (Art. 6 para. 1 lit. a GDPR) – however, this primarily concerns the technical provision of the web service. Your use of the platform is voluntary; of course, you may complete check-in entirely at the reception without using Straiv. Services may then be available in analog form (paper or in person).
​
Order processing: CODE2ORDER GmbH operates Straiv on our behalf. We have concluded a data processing agreement pursuant to Art. 28 GDPR. Among other things, this agreement stipulates that your data will only be processed for the specified purposes and protected according to state-of-the-art standards. Straiv hosts the data on servers in Germany. Straiv does not share your data with third parties unless instructed by us or required by law (e.g. in exceptional cases to authorities – see recipients below).
Recipients: Within our hotel, only authorized employees have access to Straiv data (e.g., reception staff who manage online check-ins). Outside of our organization, only you (via the web interface) and we have access to your data. Public authorities such as the police/registration authorities may request access to registration form data within the framework of statutory provisions – we only comply with such requests if there is a legal obligation.
Storage period: Your check-in data and the digital registration form are retained in Straiv/Apaleo for as long as required to fulfill the registration law retention obligation (1 year for registration forms from the date of arrival). After this period, the data will be deleted. Transaction and usage data from the Straiv platform (e.g. which services were used) will be anonymized or deleted once the purpose has been fulfilled.
​
​
3.11 Video surveillance in the hotel
Where and what is recorded:
In certain publicly accessible areas of our hotel, we use video surveillance via security cameras (e.g., entrance area/lobby, reception). These cameras are clearly visible. There is no video surveillance in private areas (especially not in guest rooms or restroom areas). The cameras generally record continuously and save image material to an internal storage system. These are purely image recordings; sound is not recorded.
​
Purposes:
Video surveillance serves the safety of guests, employees, and property. Specifically, we pursue the following legitimate interests: prevention and investigation of theft, vandalism or other crimes; protection of our property and facilities; ensuring security in and around the hotel (especially at night); and enforcing house rules. The presence of cameras is intended to have a potential deterrent effect and, if necessary, provide evidence to clarify incidents.
​
Legal basis:
Art. 6 para. 1 lit. f GDPR (legitimate interest). Our legitimate interest in surveillance arises from the aforementioned security purposes. We have carefully considered the relevant factors and ensure that any infringement on the personal rights of those affected is kept to a minimum – for example, by using limited camera perspectives (general overview shots only) and short storage periods (see below). In addition, guests and visitors are informed of video surveillance by pictograms/signs at the entrance to ensure transparency.
​
Storage and deletion:
Surveillance camera recordings are only stored temporarily. There is no routine evaluation of all recordings – the material is only viewed in the event of an incident. Unnecessary video material is automatically deleted. Specifically, recordings are overwritten/deleted after 10 days at the latest. We have set this retention period to ensure sufficient time to detect and evaluate any incidents (e.g., if a guest only reports a theft a few days after departure). This exceeds the 72-hour period often recommended by data protection supervisory authorities but is justified by the practical requirements of hotel operations.
​
Longer storage only occurs in exceptional cases if a specific incident has been identified: in this case, the relevant video material can be isolated and stored until the matter is clarified (e.g., until it is handed over to the police/insurance company or a legal dispute is concluded). Once this is concluded, this material will also be deleted immediately.
​
Access to recordings:
The video recordings are protected from unauthorized access. Only the management or persons authorized by them (e.g., security officer) may view the recordings if necessary. In the event of a relevant security incident, the recordings can be transmitted to law enforcement authorities (police) if this is necessary for legal prosecution. They will not be passed on to third parties beyond this. The recordings will not be displayed publicly or used for marketing purposes.
​
​
3.12 Use of guest Wi-Fi
Our hotel provides guests with free Wi-Fi. When you use this guest Wi-Fi, a small amount of technical connection data that is generated when you use the internet is collected and stored:
Device identifier: the MAC address of your device (network adapter address) and, if applicable, the device name, assigned IP address in the Wi-Fi,
Connection times: time of login to the Wi-Fi, duration of the connection, volume of data transferred if applicable,
Network protocol data: e.g. which internal Wi-Fi access points were used.
We do not record the specific content of your internet usage (i.e., we do not log which websites you visit or which data you download, apart from the IP addresses required for technical reasons within the context of the internet connection).
​
This data is automatically generated as soon as your device is connected to our Wi-Fi. We use it to ensure the operation and security of our Wi-Fi network. In particular, in the event of misuse (e.g., legal violations via our internet access, such as downloading illegal content), we can use the log data to trace which device used the Wi-Fi and at what time. This serves to protect against misuse and to investigate any incidents, as we, as the connection owner, may be required to provide information to investigative authorities.
​
Legal basis:
Art. 6 para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in the secure provision of internet access and the prevention and prosecution of misuse (e.g., criminal offenses or significant violations of our Wi-Fi terms of use). The data will not be used to spy on the surfing behavior of ordinary users; they serve purely to protect against and respond to security-relevant events.
​
No sharing/monitoring:
We do not share Wi-Fi usage data with third parties unless we are legally obliged to do so (e.g., requests for information from law enforcement authorities in the event of specific suspicion of a crime, or with a court order). We do not actively monitor your communications. However, we would like to point out that data transmission on open Wi-Fi networks is not necessarily encrypted – therefore, please use your own protection (VPN, SSL pages) for confidential information.
Storage period:
Connection logs are stored briefly and automatically deleted unless a security-relevant incident has been detected. Wi-Fi log data is generally deleted after 30 days. Should an incident become known within this period that requires longer retention (e.g., official investigations), the data in question will be isolated and retained until the matter is resolved. All other log data will continue to be deleted as scheduled.
​
3.13 No newsletters or direct advertising without consent
We do not use your contact details for newsletters, promotional emails, or other direct marketing measures unless you have expressly and separately consented to this. In particular, we do not operate a loyalty program or regular marketing mailings in which we would use your data. Should you voluntarily ask us to be added to a newsletter distribution list or to receive offers in the future, we will only do so after documenting your consent. In such a case, we would clearly inform you of the purpose and content when collecting your email address and give you the opportunity to revoke your consent at any time. However, since we do not currently send a newsletter, you will not receive any promotional messages from us. So you need not worry that your data will be misused for marketing purposes.
Please note: This does not affect service-oriented messages in connection with an existing booking (see guest communication above). Such messages are not for advertising purposes, but for contract execution or customer service and are therefore sent without separate consent.
​
​
3.14 Make.com
We use the integration platform Make.com, operated by Celonis Inc., 1 World Trade Center, 87th Floor, New York, NY 10007, USA, to automate workflows, such as guest communications.
​
In the course of these automations, personal data (e.g. names, email addresses, booking data) may be transmitted and processed via Make.com servers. This processing is carried out exclusively on our behalf and according to our instructions, based on a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR. We have a legitimate interest in automating processes and communication with our clients.
​
Make.com complies with the requirements of the GDPR and participates in the EU-U.S. Data Privacy Framework (DPF), which ensures an adequate level of data protection for transfers to the United States in accordance with Art. 45 GDPR.
​
Further information on data processing by Make.com can be found at: https://www.make.com/en/privacy-notice
​​
​
3.15 Schulte-Schlagbaum AG
​
We use systems from Schulte-Schlagbaum AG to enable electronic access control in our hotel. In doing so, personal data such as room numbers, names, and dates of stay are processed. This data is used exclusively for access control and to ensure the security of our premises.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest)
​
​
3.16 Payjim UG
​
For digital check-out and self-service invoice data processing, we provide our guests with a solution from Payjim UG. Through this service, guests can independently update their billing address and complete the check-out process – without waiting at the reception.
Processed data: Name, email address, booking reference, billing address, check-out time
Purpose of processing: Self-service check-out, guest-side invoice data processing
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract)
​
​
3.17 Speed-U-Up GmbH
​
Speed-U-Up GmbH is our technical service provider for the operation and management of Amazon Alexa devices in our hotel rooms. These voice assistants allow our guests to access hotel information via voice, control music and lights, or request weather updates.
Processed data: Device ID, room number, usage time, technical voice command data (forwarded to Amazon)
Purpose of processing: Provision and management of in-room voice-controlled services
Legal basis:
– Art. 6 (1) (f) GDPR (legitimate interest in digital guest services)
– Art. 6 (1) (a) GDPR (consent upon use)
Note: Voice commands are transmitted directly to Amazon Alexa, a service of Amazon Europe Core S.à r.l. The processing of this data is subject to Amazon’s privacy policies.
Company address: Speed-U-Up GmbH, Joseph-Dollinger-Bogen 14, 80807 Munich, Germany
​
​
4. Data transfer and recipients
We treat your personal data confidentially. Data will only be transferred to third parties if this is necessary for contract execution or based on legal permission, if you have consented, or if we are legally obligated to do so. Possible recipients or categories of recipients of your data include, in particular:
​
Processors: We use external service providers who process data on our behalf (IT service providers, booking system providers, communication platforms, etc.). A contract in accordance with Art. 28 GDPR has been concluded with all data processors, which ensures the careful handling of your data. We have already named the most important data processors we use in this declaration (Apaleo, Bookboost, Straiv, detco/myIBE, Make.com, etc.). These companies are not permitted to use the data for their own purposes and are subject to our instructions and strict contractual data protection requirements.
​
Technology partners (third-party providers): Some of the tools mentioned (e.g., Google Analytics, Microsoft Clarity, WhatsApp) do not act on our behalf, but as independent entities if you use them or consent to them. Even in such cases, data may be transmitted to the operators of these services. We have explained this in the respective sections.
​
Authorities: If legally obliged, personal data may be passed on to public authorities. Examples: Registration form data to the registration authority (upon request, e.g., information to the local residents' registration office or the police within the framework of legal provisions), release of video recordings on official orders, information to law enforcement authorities during investigations (e.g., regarding Wi-Fi usage or guest lists), transmission of tax-relevant data to tax authorities or auditors. In all of these cases, the transfer takes place exclusively on the basis of a legal obligation (Art. 6 para. 1 lit. c GDPR).
​
Consultants/service providers: In rare cases, it may be necessary to pass on data to our legal advisors, auditors, or insurance companies, e.g., in the event of legal disputes, insurance claims, or audits. In these cases, we also ensure confidentiality and comply with legal requirements.
No other transfer to third parties (e.g., address dealers, marketing companies) takes place.
​
​
5. Data transfer to countries outside the EU
If we use service providers based outside the European Union (EU) or the European Economic Area (EEA) or transfer data to such a third country, we ensure that an appropriate level of data protection is guaranteed at the recipient before your personal data is transferred. This may result in particular from:
​
an adequacy decision of the EU Commission for the respective country (e.g. the EU-US Data Privacy Framework adequacy decision for certified US companies), or
the agreement of EU standard contractual clauses with the recipients and, if necessary, additional protective measures, or
binding internal data protection rules at the recipient (Binding Corporate Rules), or
your express consent (Art. 49 para. 1 lit. a GDPR), provided that none of the above mechanisms applies and an exception is permissible (however, this only applies to WhatsApp communication in our hotel operations). If you wish to actively use this channel, you are implicitly consenting to communication via the WhatsApp/Meta (USA) servers.
​
In concrete terms, this means, for example:
Our most important systems (Apaleo, Bookboost, Straiv, Make) are hosted in the EU. The analysis tools Google Analytics and Microsoft Clarity are US-based services, but both companies are currently certified under the EU-US Data Privacy Framework, which guarantees a recognized level of protection. In addition, we have concluded standard contractual clauses with these providers. For WhatsApp as a possible communication channel, we draw your attention to the servers located in the USA – if you use this channel, you consent to the associated data transfer. If you have any questions about the specific guarantees associated with a specific transmission, please feel free to contact us using the contact details provided. We will also provide you with copies of the relevant contractual agreements upon request (as far as reasonable and without violating any confidentiality obligations towards third parties).
​
6. Duration of storage / deletion periods
We only store your personal data for as long as it is necessary for the respective purposes and as long as we have a legal basis for doing so. After that, the data is deleted or anonymized in accordance with legal regulations. The following deletion periods and criteria apply to us:
Booking and contract data: We retain data on completed reservations and stays (including invoice data) for up to 10 years after the end of the calendar year in which your stay ended, in accordance with statutory retention periods (obligation under Section 257 of the German Commercial Code (HGB), Section 147 of the German Tax Code (AO) for commercial and tax documents such as invoices). As a rule, we restrict processing after the stay (the data is archived and used only for archiving purposes).
​
Registration forms: We are required to retain the registration data of foreign guests for one year from the date of arrival (Section 30 (4) of the Federal Registration Act). After this period, they are deleted or destroyed. For German guests, the registration requirement is waived – we no longer collect address data; if it is available (e.g., for booking purposes), the usual deadlines apply as for booking data.
​
Communication data: Business correspondence via email, messaging, or letter (e.g., booking confirmations, correspondence with guests) is stored as commercial letters, typically for 6 years, in accordance with commercial retention periods (Section 257 of the German Commercial Code). Irrespective of this, we will, of course, delete irrelevant communication or private correspondence earlier upon request, provided there are no legal obligations to the contrary.
​
Contact details of interested parties: If you have contacted us without a booking being made, we will delete your data as soon as it is clear that no contract is concluded and no further communication is desired. Depending on the context, this can occur immediately after the conversation has ended or after several months (but no later than one year of inactivity).
​
Video recordings: see section 3.11 – usually stored for a maximum of 10 days and automatically deleted; longer retention only in the event of a relevant incident until the matter is resolved.
​
Wi-Fi log data: see section 3.12 – usually stored for approximately 30 days, then deleted, except in the event of an incident (in which case targeted retention is limited to the incident).
​
Website logs: as described in 3.1 – approximately 30 days until deleted.
​
Cookies/Analytics data: Cookies can remain on your device for different lengths of time depending on the type (session cookies until you close your browser, persistent cookies for several months or years unless you delete them beforehand). You can delete these yourself in your browser at any time. The anonymized usage data stored in Google Analytics is automatically deleted after 14 months (see 3.3). Clarity data is deleted after 3 months (see 3.4).
​
Guest profile in the PMS: Your basic profile (name, contact details, historical booking patterns) can remain in our PMS to identify returning guests. We review this data regularly. If you have not made a booking for more than 3 years and it is not foreseeable that you will be our guest again, we will delete or anonymize your profile, provided there are no statutory retention periods to the contrary. Of course, you can also actively request the deletion of your profile. In this case, we will – as far as legally possible – remove your personal data so that only anonymized booking statistics remain.
​
Regardless of the specified deadlines, you can request the deletion of your data at any time (see Rights of the Data Subject). We will then immediately check whether deletion conflicts with any legal or contractual obligations. If this is not the case, we will comply with your request.
​
​
7. Your rights as a data subject
As a data subject, you are entitled to various rights under the GDPR and the BDSG, which you can assert against us. Below we inform you about these rights:
​
Right to information (Art. 15 GDPR)
You have the right to receive information about whether we process your personal data. If this is the case, you can request information about this data as well as further information, e.g. the purposes of processing, the categories of data, the recipients (or categories of recipients) and the planned storage period or criteria for determining this. Upon request, we will provide you with a copy of the data we have stored about you.
​
Right to rectification (Art. 16 GDPR)
You have the right to immediately request the rectification of inaccurate personal data concerning you. You can also request that incomplete data be completed – also by providing a supplementary declaration.
​
Right to erasure (Art. 17 GDPR)
You have the "right to be forgotten." We are therefore obligated to delete your personal data as soon as the purpose for processing no longer applies and there is no legal basis (or it no longer exists). We must also delete it at your request if the requirements of Art. 17 GDPR are otherwise met. This may be the case, for example, if you revoke your consent and there is no other legal basis, or if you have effectively objected to processing (see Right of Objection below). Please note that the right to erasure may be restricted if, for example, we must fulfill statutory retention periods or we need your data to assert, exercise, or defend legal claims. In such cases, blocking/restriction may take effect instead of erasure.
​
Right to restriction of processing (Art. 18 GDPR)
You have the right to request that the processing of your data be restricted. This means that we are no longer permitted to process the data – apart from storing it. This right exists, in particular, as long as the accuracy of the data you have contested is still being verified, or if, in the case of an existing right to erasure, you alternatively wish to restrict processing.
​
Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a common, machine-readable format. You can also request that we transmit this data directly to another controller (e.g. another hotel or a booking portal), provided this is technically feasible. However, this right only applies to data that is based on your consent or a contract and is processed using automated procedures.
​
Right to object (Art. 21 GDPR)
You have the right to object at any time to the processing of personal data concerning you, for reasons related to your particular situation, provided that we process it on the basis of a legitimate interest (Art. 6 para. 1 lit. f GDPR). If you object, we will no longer process your data for these purposes unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
​
Note: In particular, you can object to processing for advertising purposes – in this case, we will no longer use your personal data for marketing or profiling in connection with advertising. In theory, you could also object to video surveillance; in practice, however, we continue this for overriding security interests (in specific individual cases, you can of course speak to us if you feel uncomfortable – we will then seek amicable solutions).
​
Right to withdraw consent (Art. 7 para. 3 GDPR)
If we process your personal data on the basis of consent you have given, you have the right to withdraw this consent at any time with future effect. The withdrawal of consent does not affect the legality of the processing carried out on the basis of the consent up to the time of withdrawal.
​
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
If you believe that we are violating data protection regulations when processing your data, you have the right to lodge a complaint with a data protection supervisory authority at any time.
Example:
Bavarian State Office for Data Protection Supervision (BayLDA),
Promenade 27
91522 Ansbach, Germany
email: poststelle@lda.bayern.de.
This right exists without prejudice to any other administrative or judicial remedies.
​
Exercising your rights:
To assert your rights, you can contact us informally – the easiest way is by email to dataprotection[at]yourstrulyhotel[.]com or by post to our address (see above). Please indicate which right you wish to exercise and provide as much information as possible so that we can process your request. We will respond to your request promptly, at the latest within the statutory period of one month.
​
​
8. Data security
We take the protection of your data very seriously and implement extensive technical and organizational measures to protect your personal information from unauthorized access, loss, alteration, or publication. This includes access restrictions, encryption (HTTPS, VPN/TLS), firewalls, antivirus software, backups, employee training, and privacy-friendly configuration of our systems. Our service providers are contractually obliged to adhere to high security standards.
However, absolute IT security can never be guaranteed. Especially when communicating over the Internet (e.g., by email), there may always be security gaps beyond our control. Please also take care not to send any confidential data unprotected.
​
​
9. Currentness and changes to this privacy policy
This privacy policy is dated April 2025. We review it regularly and adapt it as soon as changes to our processing or the legal framework make this necessary. We will inform you in a timely manner on our website about any significant changes (in particular changes of purpose or introduction of new processing).
The current version of the privacy policy can be accessed at any time on our website under the “Data Protection” section.