The Mandala Hotel - Data Privacy Policy

• Name and address of the person responsible
• Name and address of the data protection officer
• General information on data processing
• Contact form/e-mail contact
• Online booking via the website
• Online booking via other websites
• Purchase of a voucher via the website
• Support, advice and advertising for corporate clients
• Online reviews
• Newsletter service
• Our BLOG
• Application in our company
• Provision of the website and creation of log files
• Use of cookies
• Use of a cookie banner
• Use of analysis and tracking tools
• Use of Google services
• Use of social media plugins
• CrazyEgg
• Cognito Forms
• MailChimp
• Protection of minors
• Rights of the data subject
• Right to complain to a supervisory authority
• Security
• Updating and amendment

• Updated: February 2022

We use anonymized usage data from Google Analytics for the continuous improvement of our online services. You have the option to disable this feature here.

• Deactivate Google Analytics

Information on data processing according to Art. 13, 14 GDPR

We are pleased that you are visiting our website and thank you for your interest. Handling the data of website visitors as well as our customers and business partners is a matter of trust. The trust placed in us is very important to us and we are therefore committed to handling your data with care and protecting it from misuse.

In particular, THE MANDALA HOTEL complies with the EU General Data Protection Regulation (GDPR) and the current German Federal Data Protection Act (BDSG). When using the Internet, we are guided by the Telecommunications Digital Services Data Protection Act (TDDDG) of the Federal Republic of Germany to protect your personal data. In the following, we explain what information we collect during your visit to our website and how it is used. In the following, we explain what information we collect during your visit to our websites and how it is used.

We would also like to inform you about how we store and use personal data that we have received via other channels.

The responsible person in the sense of the GDPR and other data protection regulations is the:

The Mandala Hotel GmbH, Potsdamer Str. 3, D-10785 Berlin, Germany

• +49 (0) 30 590 05 00 00
• welcome@themandala.de

The Data Controller's Data Protection Officer is:

Andreas Thurmann, DataSolution Thurmann GbR, Isarstrasse 13, D-14974 Ludwigsfelde, Germany

• mail@hoteldatenschutz.de

Scope of the processing of personal data

As a matter of principle, we collect and use personal data of our users only insofar as this is necessary for the provision of a functional website as well as our contents and services. The collection and use of our users' personal data regularly only takes place with the user's consent. An exception applies in cases where it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by legal regulations.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 (1) lit. a GDPR serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures. If processing of personal data is necessary to comply with a legal obligation (statutory provisions) to which our company is subject (e.g. federal registration laws), Art. 6 (1) c GDPR serves as the legal basis. If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) f GDPR serves as the legal basis for the processing.

Data deletion and storage period

The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

• +49 (0) 30 590 05 00 00
• welcome@themandala.de

Description and scope of data processing

Our website contains a contact form that can be used to contact us electronically. If you use this option, the data entered in the input mask will be transmitted to us and stored. These data are: First and last name, e-mail address and request.

Alternatively, it is possible to contact us via the e-mail address provided. In this case, the personal data transmitted with the e-mail will be stored.

Legal basis for data processing

The legal basis for the processing of the data is firstly our legitimate interest in the processing of data in the context of contacting the enquirer. If the contact is aimed at the conclusion of a contract, the additional legal basis for processing is in the context of a contractual relationship.

Purpose of the data processing

The processing of the personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data. The data is used exclusively for processing the booking and for communication.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.

If the contact is a pre-contractual relationship (offer or reservation request), the transmitted data will also be stored in our hotel software and used to execute the contract. If there is no contractual relationship, we delete the data after one year at the end of the year.

Possibility of objection

You have the option to object to the processing of your data at any time. We have set up the e-mail address widerruf@themandala.de for this purpose. We would like to point out that in the event of an objection, the conversation cannot be continued or we cannot create any offers etc.

All personal data stored in the course of contacting us will be deleted in this case.

The subject of the hotel group THE MANDALA is the operation of several hotels in Berlin (Germany) under shared responsibility. Data collection, processing, and usage are carried out in pursuit of this stated purpose.

Hotels, guesthouses, and other accommodation providers are permitted to collect and store personal data of their guests through automated processes, insofar as this is necessary within the framework of the accommodation contract. This generally includes billing data for food and beverages, telephone calls made from the room, and/or other hotel-specific services. Hotels and accommodation providers are also obligated under national registration laws to collect information such as a guest’s first and last name, date of birth, place of residence, and nationality.

The Mandala Management GmbH, Friedrichstraße 185–190, 10117 Berlin, is the responsible entity for carrying out centralized reservations. To enhance our services, we manage all collected data in our central hotel software. The responsible entity is the hotel at which the booking is made. The respective booking data is only accessible to the responsible entity. However, access to a guest’s master data is shared to facilitate, for example, future bookings at another hotel, reservation changes, or centralized marketing activities. Central services such as reservations and marketing may access this data. The legal basis for this data processing is our legitimate interest in the centralized administration and use of our customers’ and business partners’ data within the hotel group.

If services are used, only the data necessary for the provision of those services will generally be collected. Any additional data is provided voluntarily. The processing of personal data is carried out exclusively for the fulfillment of the requested service and for the protection of our own legitimate business interests.

Guest contact information may be used by our Sales department for marketing purposes at a later date. Marketing measures include, in particular, direct mailings. The use of email addresses for such purposes requires the guest’s prior consent.

Processing of your data for purposes other than those stated above will only occur if such processing is permitted under Article 6 (4) of the GDPR and is compatible with the original purposes of the contractual relationship. Should such further processing occur, we will inform you about it in advance.

Legal Basis for Data Processing

The legal basis for the processing of data is the conclusion of an accommodation contract with the guest.

The transmitted data will be stored in our hotel software and used for the execution of the contract. If no contractual relationship is established, the data will be deleted after one year at the end of the calendar year.

Groups of Data Subjects, Data, and Categories of Data

For the fulfillment of the purposes outlined above, the following categories of personal data are collected, processed, and used:

• Guest data (especially first and last name, address data, contact details, reservation data, guest preferences, billing data)

• Other customer data (especially address data, billing and service-related data)

• Prospective customer data (especially accommodation interests, address data)

Recipients of Data

Data may be shared with the following recipients:

• Internal departments involved in carrying out and fulfilling the relevant business processes (e.g. hotels within the group, central reservations, accounting, sales & marketing, IT department)

• Public authorities who receive data due to legal requirements (e.g. law enforcement agencies, public authorities)

• External service providers as defined in Article 28 GDPR (e.g. service companies)

• Other external parties (e.g. financial institutions, companies where the data subject has provided written consent or where sharing is permitted due to overriding legitimate interests)

Purpose of Data Processing

The main purpose of collecting, processing, or using personal data is the management, support, and hospitality of guests in accordance with the accommodation contract.

Duration of Data Storage

Legislation stipulates various retention obligations and periods. After these periods expire, the relevant data and data records are routinely deleted or anonymized, provided they are no longer required to fulfill the contract. For example, commercial or financial data from a completed fiscal year is deleted after ten years, in accordance with legal requirements, unless longer retention periods are prescribed or necessary for legitimate reasons. Reservation records may be destroyed after 6 years; special registration forms are deleted after one year at the end of the calendar year.

Right to Object

You may object to the processing of your data at any time. For this purpose, we have set up the email address: widerruf@themandala.de

During your stay at our hotel, we collect and process guest information using our hotel software. Data from the following groups of individuals may be stored:

• Guests, business partners, companies

• Interested parties and potential customers (e.g. in case of inquiries or quote requests)

The data that may be stored includes:

• First and last name

• Date of birth

• Contact information (telephone number, email address)

• Address

• Nationality

• Company affiliation

• ID or passport information

• Data related to services used

• Billing information

• Payment processing data (e.g. credit card details)

• Video recordings for the purpose of collecting evidence in cases of vandalism, burglary, assault, or other criminal offenses

If you made your booking via a hotel portal, a tour operator, or a travel agency, your data will be forwarded to us by these providers for the fulfillment of the concluded contract.

Purpose and Legal Basis for Data Processing

The personal data you provide is used exclusively to fulfill the agreed contractual services, namely the management, support, and hospitality of guests within the framework of the accommodation agreement.

We store your data in our hotel software as well as in our reservation, billing, and payment systems. This may include, in addition to your personal details, billing data related to food and beverages, phone calls made from your room, and/or other hotel-specific services.

We are legally required under registration law (§ 29 ff. of the German Federal Registration Act) to have international guests complete a registration form, either in person or online. This form includes, in addition to first and last name and address, the date of birth, nationality, and names of accompanying family members. We are also required to request an ID number. All other details are voluntary.

If service offerings are used, only the data necessary to deliver the service will generally be collected. If further data is collected, it is provided voluntarily. The processing of personal data is carried out solely for the purpose of fulfilling the requested services and to safeguard our legitimate business interests in accordance with Art. 6 (1) lit. f of the GDPR.

Data is used for the following purposes:

• Guest registration at check-in and check-out, including completion of the registration form

• Issuance of room keys for you and any accompanying guests

• Provision of requested services

• Processing of payment transactions

• Storing preferences for future hotel stays

• Guest contact details may be used at a later time for marketing purposes. The use of your email address for such purposes requires your prior consent.

Processing of your data for purposes other than those mentioned above will only occur if such processing is permissible under Art. 6 (4) GDPR and is compatible with the original purposes of the contractual relationship. We will inform you in advance of any such further processing.

Recipients of Data

Data may be shared with the following recipients:

• Public authorities who receive data due to legal obligations (e.g. law enforcement agencies, regulatory bodies)

• Internal departments involved in carrying out and fulfilling business processes (e.g. administration, accounting, sales & marketing, IT)

• External service providers in accordance with Art. 28 GDPR (e.g. service companies)

• Other external parties (e.g. financial institutions)

Data Deletion

Legislation requires various retention obligations and periods. After these periods expire, the corresponding data and records are routinely deleted, provided they are no longer necessary for contract fulfillment. For example, commercial or financial data from a completed fiscal year is deleted in accordance with legal requirements after ten additional years, unless longer retention is prescribed or justified by legitimate reasons. Reservation records may be destroyed after 6 years; registration forms are deleted one year after the end of the quarter in which they were collected. Any data not subject to these retention requirements will be deleted without request as soon as the purpose for storing them no longer applies.

Video recordings are stored for 72 hours.

Description and scope of data processing

On our website there is the possibility to book rooms and arrangements for THE MANDALA. If you use this option, the data entered in the input mask will be transmitted to us and stored. These data are: Title, first name, last name, initials, e-mail address, dates of arrival, wishes, payment data, company if applicable, address, telephone, payment data (credit card).

If you make an online booking from our websites, this is done through the online reservation system synxis of Design Hotels AG, Stralauer Allee 2c, D-10245 Berlin, Germany. All booking data entered by you is transmitted in encrypted form. Our contractual partner has undertaken to handle your transmitted data in accordance with data protection regulations. It takes all organisational and technical measures to protect your data.

Legal basis for data processing

The legal basis for the processing of the data is the conclusion of an accommodation contract. The transmitted data will be stored in our hotel software and used for the execution of the contract.

To increase our services, we manage all data received in our central hotel software within THE MANDALA. The responsible body is the hotel in which the booking is made. The respective booking data can only be viewed by the responsible body. Access to a guest's master data is used together, e.g. to make a reservation for another hotel at a later date, to rebook or to carry out marketing activities in a centralised manner. For this purpose, central services such as reservation and marketing access this data. The legal basis for processing the data is our legitimate interest in data processing within the framework of central administration and use of the data of our customers and business partners within the hotel group.

Purpose of the data processing

The processing of the personal data from the input mask serves us solely to process the booking request and to handle the payment transaction. The data is used exclusively for processing the booking and for communication.

If there is a legitimate interest in obtaining information about the accessibility of natural persons who are commercially active and legal entities, and information about their creditworthiness, we can carry out an information request with IHD Gesellschaft für Kredit- und Forderungsmanagement mbH, Augustinusstr. 11 B, 50226 Frechen. You can find out more about this in IHD's data protection regulations.

Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of a contractual relationship, we will delete the data received as soon as national, commercial law, statutory or contractual retention requirements have been fulfilled. If there is no contractual relationship, we will delete the data after one year at the end of the year.

Possibility of objection

You have the option to object to the processing of your data at any time. We have set up the e-mail address widerruf@themandala.de for this purpose. We would like to point out that in the event of an objection, the booking cannot be completed or the conversation cannot be continued.

Description and scope of data processing

It is possible to book rooms and arrangements via hotel reservation portals (third-party providers). If you take advantage of this option, the data entered in the input mask will be transmitted to us and stored to the extent permitted by the respective hotel reservation portal in accordance with its own data protection regulations. Data can be: first name, last name, e-mail address, telephone, address, number of fellow travellers, expected time of arrival, wishes, payment data (credit card).

Legal basis for data processing

The legal basis for the processing of the data is the conclusion of an accommodation contract. The transmitted data will be stored in our hotel software and used for the execution of the contract.

To increase our services, we manage all data received in our central hotel software within THE MANDALA. The responsible body is the hotel in which the booking is made. The respective booking data can only be viewed by the responsible body. Access to a guest's master data is used together, e.g. to make a reservation for another hotel at a later date, to rebook or to carry out marketing activities in a centralised manner. For this purpose, central services such as reservation and marketing access this data. The legal basis for processing the data is our legitimate interest in data processing within the framework of central administration and use of the data of our customers and business partners within the hotel group.

Purpose of the data processing

The processing of the personal data transmitted to us is solely for the purpose of processing the booking request and handling payment transactions. The data is used exclusively for processing the booking and for communication.

If there is a legitimate interest in obtaining information about the accessibility of natural persons who are commercially active and legal entities, and information about their creditworthiness, we can carry out an information request with IHD Gesellschaft für Kredit- und Forderungsmanagement mbH, Augustinusstr. 11 B, 50226 Frechen. You can find out more about this in IHD's data protection regulations.

Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of a contractual relationship, we will delete the data received as soon as national, commercial law, statutory or contractual retention requirements have been fulfilled. If there is no contractual relationship, we will delete the data after one year at the end of the year.

THE MANDALA has no influence on the storage periods of the respective hotel reservation portal.

Possibility of objection

You have the option to object to the processing of your data at any time. We have set up the e-mail address widerruf@themandala.de for this purpose. We would like to point out that in the event of an objection, the booking cannot be completed or the conversation cannot be continued.

We aim to send a welcome email to guests prior to their arrival, inviting them to complete the online check-in process, provided that we have received their email address as part of the booking or already have it on file. A few days before arrival, these guests receive a reservation summary by email and are asked to register online. The data collected through the online check-in process may be used to generate an electronic registration form.

These emails are sent via the Code2Order platform, provided by straiv GmbH, Industriestraße 23, 70565 Stuttgart, Germany. straiv is committed to handling your data in compliance with data protection regulations and takes all necessary organizational and technical measures to protect your data. For more information, please refer to straiv’s Privacy Policy

Personal Data Processed When Using the Software

The use of the software involves the processing of personal data. This may include:

• Master and contact data (e.g., first and last name, email address, phone number)

• Address data (e.g., street, house number, postal code, city, country)

• Booking and travel data (e.g., arrival and departure dates, booking number, room number)

• Registration form data (e.g., nationality, date of birth, passport number, digital signature)

• Billing data (e.g., billing address, prices, booked services such as parking or gym access)

• Usage data (e.g., start, duration, and end of use, features used, selected language, browser and operating system used)

• Geolocation data (e.g., GPS position)

Not every category of data listed above is collected or requested during each use of the software. This depends on the specific settings we have configured or the services we use. The software can generally be used without user registration.

Legal Basis for Data Processing

The legal basis for processing your data is primarily our legitimate interest in handling data in the context of a booking. In the case of communication-related data, we have a legitimate interest in processing this data in accordance with legal requirements, for internal reviews, or for communication purposes, unless the communication serves to fulfill the contractual relationship.

The personal data collected during the online check-in process is used to supplement your contract-related information in our hotel management system. In certain cases, this data may also be used to enable app-based room access. Our system verifies whether you are authorized to request or use specific services.

Where we are legally obliged to collect and store personal data (e.g., registration form data), we rely on legal obligations as the legal basis, particularly § 29 et seq. of the German Federal Registration Act (Bundesmeldegesetz – BMG).

In cases where your consent is required for specific data processing activities, the processing is based on your consent. Please note that you can revoke your consent at any time. The legality of data processing carried out based on your consent remains unaffected until the time of revocation.

Purpose of Data Processing

We contact you to inform you about your upcoming stay and offer the convenience of checking in online and completing the electronic registration form in advance.

Categories of Data Recipients

• straiv as the software provider and its subcontractors for services such as hosting, SMS, email distribution, and chatbot provision. If you have given consent and it is necessary for the use of specific features, processors in third countries (e.g., the USA) may also be involved. straiv enters into contracts with these subcontractors to ensure GDPR-compliant data processing. A full list of subcontractors is available here.

• Other service providers we commission, such as hotel reservation systems, door systems, chatbots, operations & communication software, etc.

• Payment service providers

• Other external parties, provided the guest has given consent or there is a legitimate interest in the data transfer

Public Authorities

If legally required, we may disclose information about you to public authorities or law enforcement agencies acting within the law. The legal basis for such disclosure is Article 6(1)(c) GDPR (legal obligation).

Data Retention Period

Data is deleted as soon as it is no longer required for the purpose for which it was collected.

Use of Cookies and Similar Technologies by straiv

The software uses cookies and similar technologies to improve usability. You can prevent cookies from being stored in your browser settings. Preferences can also be adjusted at any time in the system settings. The following technically necessary cookies and similar technologies (local storage) are used:

• straiv.io, swVersion: stores service worker version or current software version, valid for 1 year

• straiv.io, current_version: stores software version, valid for 1 year

• straiv.io, current_guest: stores current guest session, valid for 1 year

• straiv.io, current_business: stores hotel information (e.g., name, address, location, timezone, media links, contact info, active languages), valid for 1 year

• straiv.io, secure_ls__metadata: performs encryption, valid for 1 year

These cookies are based on the legitimate interest of the controller in providing a secure and functional application.

Third-Party Analytics Cookies

• Google Maps, validity: 3 months — Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

• App Monitoring, Error Tracking & Real User Monitoring — SmartBear Software Inc., 450 Artisan Way, Somerville, MA 02145, USA

• eu.datadog.com, Product Analytics — PostHog Inc, 2261 Market St #4008, San Francisco, CA 94114, USA

• eu.datadog.com, Product Analytics — Datadog, Inc., 620 8th Avenue, 45th Floor, New York, NY 10018, USA

The legal basis for these cookies is your consent, which can be revoked at any time. The revocation does not affect the legality of processing that occurred prior to revocation.

Messages via WhatsApp

If you consent to receiving messages via WhatsApp, you grant us permission to communicate with you via the instant messaging service "WhatsApp," including sending promotional messages on selected topics. Based on your consent, we process your personal data (e.g., name, phone number, message content) via WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

To enable WhatsApp communication, straiv as our software provider and processor engages Bird B.V., Gelrestraat 16, 1079 MZ Amsterdam, as a sub-processor under Art. 28 GDPR. In some cases, WhatsApp LLC in the USA receives personal data (particularly communication metadata) from WhatsApp Ireland Ltd., which may be processed on servers outside the EU (e.g., the USA). WhatsApp may share this data within and outside the Meta (Facebook) Group. For more information, see the WhatsApp Privacy Policy. WhatsApp LLC is certified under the Trans-Atlantic Data Privacy Framework (TADPF), providing assurance of compliance with European data protection standards. You may revoke your consent at any time via notification settings, by sending a message with “REVOKE,” or by emailing one of the addresses provided above.

Chatbot

We may use a chatbot on our website provided by straiv GmbH, Industriestraße 23, 70565 Stuttgart, Germany (“straiv”) to answer questions about our hotel and your stay. To improve the quality of responses, the chatbot processes the following personal data: first name, age, reservation number, arrival and departure dates. Any personal data you enter into the chatbot will also be processed accordingly. straiv processes this data on our behalf solely for the purpose of answering your questions and does not use it for any other purposes. Chat data is deleted after one year. The legal basis for processing this data is your consent in accordance with Art. 6(1)(a) GDPR. You may withdraw your consent at any time by closing the chat window, which will apply to future interactions. Please note that withdrawal of consent does not affect the legality of any processing carried out prior to the withdrawal.

Right to Object

You may object to the processing of your data at any time. For this purpose, we have set up the email address: widerruf@themandala.de.

Description and scope of data processing

On our website there is the possibility to reserve a table for our restaurants. If you take advantage of this option, the data entered in the input mask will be transmitted to us. These data are: First name, last name, e-mail address, telephone number, details of the table reservation (day, time, number of people, restaurant) and optional details of special requests and occasion.

If you make a table reservation from our websites, this is done through the online reservation system of Seatris AI GmbH, Kantstr. 34, 10625 Berlin, Germany. All order data entered by you is transmitted in encrypted form. You can find out more about Seatris.ai in the data protection provisions.

Legal basis for data processing

The legal basis for the processing of data is firstly our legitimate interest in data processing as well as the existence of the user's consent by accepting our terms and conditions for data processing.

Purpose of data processing

The data will be used by us exclusively for table reservations. If you wish Seatris.ai to use your data for any other purpose, Seatris.ai will obtain a separate declaration of consent.

Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.

Possibility to object

You have the option to object to the publication of his comments for the future at any time. For this purpose, we have set up the e-mail address widerruf@themandala.de.

Description and scope of data processing

Our website offers the option of purchasing vouchers. If a user takes advantage of this option, the data entered in the input mask is transmitted to us and stored. These data are: Salutation/title, first name, last name, e-mail address, address, voucher value, wishes, payment data, password for individual user account and, if applicable, date of birth and telephone number.

If you make a voucher purchase from our websites, this is done through the online ordering platform of INCERT eTourismus Gmbh & Co KG, Leonfeldner Straße 328, A-4040 Linz, Austria. All order data entered by you is transmitted in encrypted form. INCERT is committed to handling your transmitted data in accordance with data protection regulations. INCERT takes all organisational and technical measures to protect your data.

Legal basis for data processing

The legal basis for the processing of the data is the conclusion of a purchase contract.

Purpose of the data processing

The processing of the personal data from the input mask serves us solely to process the voucher purchase and to handle the payment transaction.

If there is a legitimate interest in obtaining information about the accessibility of natural persons who are commercially active and legal entities, and information about their creditworthiness, we can carry out an information request with IHD Gesellschaft für Kredit- und Forderungsmanagement mbH, Augustinusstr. 11 B, 50226 Frechen. You can find out more about this in IHD's data protection regulations.

Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of a contractual relationship, we will delete the data received as soon as national, commercial law, statutory or contractual retention requirements have been fulfilled.

Possibility of objection

The user has the option to object to the processing of his or her personal data at any time. We have set up the e-mail address widerruf@themandala.de for this purpose.

Description and scope of data processing

For the support, advice and advertising of corporate customers, we collect and use the contact person, telephone number and postal address in addition to the business partner or potential business partner. We obtain the information from various sources, either through an enquiry (e-mail or telephone), but also via events, trade fairs, business cards that our sales staff receive, etc.

Legal basis for data processing

The legal basis for processing the data is our legitimate interest in data processing. If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is the contractual relationship.

To increase our services, we manage all data received in the CRM module of our central hotel software within THE MANDALA. The responsible entity is the hotel with which a business contact exists. Central services such as sales, banqueting, reservations and marketing access this data. The legal basis for processing the data is our legitimate interest in data processing within the framework of central administration and use of the data of our customers and business partners within the hotel group.

Purpose of the data processing

We use this contact data exclusively for our own purposes and for the needs-based design of our own sales activities.

Duration of storage

In principle, no deletion period is foreseen. However, if our sales department has not had any contact with the company contact within 3 years, the sales department will decide whether the contact person of the company contact will be deleted.

If the contact is a pre-contractual relationship (offer, booking or reservation request), the transmitted data will also be stored in our hotel software and used to execute the contract. If there is no contractual relationship, we delete the data after one year at the end of the year.

Possibility of objection

As the contact person of a company contact, you have the option to object to the processing of your data at any time. We have set up the e-mail address widerruf@themandala.de for this purpose. All personal data of the contact person that has been stored for the business partner will be deleted in this case.

Description and scope of data processing

Former guests can leave a review at our hotel after check-out. For this purpose, we would like to send you an email within 14 days after departure to ask you to submit a hotel review. Each evaluation can be published anonymously upon request. If you did not feel comfortable in our hotel, we would like to take the opportunity to contact you.

If you submit an online rating on our website, the data will be stored in the rating tool of CA Customer Alliance GmbH, Ullsteinstr. 118, Turm B, D-12109 Berlin, Germany. CA Customer Alliance GmbH has undertaken to handle your transmitted data in accordance with data protection regulations. It takes all organisational and technical measures to protect your data.

If you, as a former guest, take advantage of this online evaluation option, your data will be stored in the evaluation mask. These data are: E-mail address as well as voluntary details such as first name, last name, language and the details of the rating.

Legal basis for data processing

The legal basis for the processing of the data is our legitimate interest in the processing of the data in connection with § 7 para 3 UWG (Unfair Competition Act).

Purpose of the data processing

The purpose of the hotel evaluation is to communicate and summarise opinions of hotel guests via our website, so that interested parties can form their own opinion about our services. In addition, the results serve our internal quality management.

The data will only be used for the publication of the rating and for arbitration in case of bad ratings.

Duration of storage

The data will not be deleted.

Possibility of objection and removal

It is possible to have the publication of the rating deleted at any time (right to be forgotten). We have set up the e-mail address widerruf@themandala.de for this purpose. Please let us know which rating you are referring to.

Description and scope of data processing

On our website, you have the option of subscribing to our newsletter service in various ways. If you take advantage of this option, the data entered in the input mask will be transmitted to us and stored. These data are: E-mail address, if applicable first name, last name, language and interest in one or more topics.

If you register for a newsletter from our websites, the data will be stored in our newsletter tool by Mailchimp, The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. For further information on data protection, please see the FAQ on the GDPR.

If we otherwise receive an email address where the recipient clearly tells us that they would like to receive our newsletter, we will collect their details via the input mask on our website.

Legal basis for data processing

The legal basis for the processing of the data is the existence of the recipient's consent. This is ensured by a double-opt-in procedure.

Purpose of the data processing

The processing of personal data is solely for the purpose of sending individual newsletters.

Duration of storage

The data will be deleted as soon as the newsletter service is cancelled.

Possibility of objection

You have the option to object to the processing of your data at any time. You can unsubscribe from the newsletter service with each newsletter. In addition, we have set up the e-mail address widerruf@themandala.de. Please let us know the e-mail address here.

Description and scope of data processing

On our website, you have the option of commenting on one of our entries. If you take advantage of this option, the data entered in the input mask will be transmitted to us, stored and published on our website. These data are: Name, e-mail address and the comment.

Legal basis for data processing

The legal basis for the processing of the data is initially our legitimate interest in the data processing as well as the existence of the user's consent by accepting our conditions for data processing.

Purpose of the data processing

The processing of personal data is solely for the purpose of publishing comments on our contributions.

Duration of storage

The data will be deleted if the processing or publication of the data is objected to (right to be forgotten).

Possibility of objection and removal

You have the option to object to the publication of your comments for the future at any time. For this purpose, we have set up the e-mail address widerruf@themandala.de.

Description and scope of data processing

You have the option of applying for a job or sending us a speculative application. You can do this preferably via our website, by e-mail or in paper form. From our website you can access our job advertisements. If you take this opportunity, we will store general information about you in an administration programme. These data are:

• First name, last name
• E-mail address
• Phone
• Application date
• For which position applied
• Curriculum vitae and other application documents (upload)
• Your message to us

In addition, we may forward your application internally to the responsible head of department. The data will not be passed on to third parties in this context. The data will only be used for processing the application and for communication.

Legal basis for data processing

The legal basis for the processing of the data is the processing for a contract initiation relationship or contractual relationship.

Purpose of the data processing

The processing of personal data is solely for the purpose of processing the application.

Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. If you are not hired by our company, we will delete all data and documents relating to your application after 6 months at the latest. Should we wish to retain your documents for longer due to your qualifications, we will obtain your permission to do so.

Possibility of objection

You have the option to object to the processing of your data at any time. To do so, please contact the e-mail address: widerruf@themandala.de. Please note that in the event of an objection, the application cannot be completed or the conversation cannot be continued.

Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:

• Information about the browser type and version used
• The operating system of the user
• The IP address of the user
• Date and time of access
• Websites from which the user's system accesses our website
• Websites that are accessed by the user's system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user. Personal user profiles cannot be formed. The stored data is only evaluated for statistical purposes.

Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is the processing to protect our legitimate interest.

Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing also lies in these purposes.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.

Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

Description and scope of data processing

Cookies are small text files that are sent by us to the browser of your end device when you visit our website and are stored there. As an alternative to the use of cookies, information can also be stored in the local storage of your browser. Some functions of our website cannot be offered without the use of cookies or local storage (technically necessary cookies). Other cookies, however, enable us to carry out various analyses, so that we are able, for example, to recognise the browser you are using when you visit our website again and to transmit various information to us (non-essential cookies). With the help of cookies, we can, among other things, make our website more user-friendly and effective for you, for example by tracking your use of our website and determining your preferred settings (e.g. country and language settings). If third parties process information via cookies, they collect the information directly via your browser. Cookies do not cause any damage to your end device. They cannot execute programs or contain viruses.

We provide information about the respective services for which we use cookies in the individual processing operations. Detailed information on the cookies used can be found in the cookie statement.

We also use cookies on our website that enable an analysis of the user's surfing behaviour. The following data can be transmitted in this way: Search terms entered, frequency of page views, use of website functions. The user data collected in this way is pseudonymised by technical precautions. Therefore, it is no longer possible to assign the data to the calling user. The data is not stored together with other personal data of the user. When calling up our website, the user is informed about the use of cookies for analysis purposes and his or her consent to the processing of the personal data used in this context is obtained. In this context, a reference to this data protection declaration is also made.

Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is our legitimate interest in data processing. The legal basis for the processing of personal data using cookies for analysis purposes is the existence of a relevant consent of the user.

Purpose of the data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. The user data collected through technically necessary cookies are not used to create user profiles.

Analysis cookies are used to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimise our offer.

Duration of storage, possibility of objection and elimination

Cookies are stored on the user's computer and transmitted to our site by the user. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

It is also possible to use our offers without cookies and scripts. You can deactivate the storage of cookies and scripts in your browser, restrict them to certain websites or set your browser to notify you as soon as a cookie is sent. You can also delete cookies from your PC's hard drive at any time.

Description and scope of data processing

Our website loads the consent manager of the company Cybot A/S, Havnegade 39, 1058 Copenhagen (hereinafter: cookiebot.com). We use this service to ensure, on the one hand, the full functionality of our website and, on the other hand, the privacy-compliant use of marketing and tracking tools on our website. In this context, your browser may transmit personal data to cookiebot.com.

Legal basis and purpose for data processing

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. The legitimate interest lies in the error-free functioning of the website. The data is deleted as soon as the purpose of its collection has been fulfilled. Further information on the handling of the transmitted data can be found in the privacy policy of cookiebot.com. You can prevent the collection and processing of your data by cookiebot.com by deactivating the execution of script code in your browser or installing a script blocker in your browser.

The following information is stored in our Cookiebot account:

• The user's IP address in anonymised form (the last three digits are set to "0").
• Date and time of consent.
• User's browser.
• The URL from which the consent was sent.
• An anonymous, random and encrypted key value.
• The user's state of consent, which serves as proof of consent.

The key and consent status are also stored in the user's browser in the “CookieConsent” cookie, allowing the website to automatically read and respect the user's consent for all subsequent page requests and future user sessions for up to 12 months. You can view and adjust your consent settings at any time. This option can be found further down on this page.

According to the law, we may store cookies on your device if they are strictly necessary for the operation of this site. The use of the service is based on the legally required consent to the use of cookies pursuant to Art. 6(1)(c) GDPR and § 25(2)(2) of the German Telecommunications Digital Services Data Protection Act (TDDDG). For all other types of cookies, we require your permission. This site uses different types of cookies. Some cookies are placed by third parties that appear on our pages. You can change or withdraw your consent at any time from the cookie declaration on our website.

The specific retention period for the data processed is not determined by us but is set by Cybot A/S. For more information, please refer to the Cookiebot Privacy Policy.

Google Analytics
Our website uses Google Analytics 4, a web analytics service provided by Google LLC. For users in the EU/EEA and Switzerland, the data controller is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").
Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected through the cookies about your use of this website is generally transferred to a Google server in the USA and stored there.

We use the User-ID feature. With the help of the User ID, we can assign a unique, persistent ID to one or more sessions (and the activities within those sessions) and analyze user behavior across devices.

We also use Google Signals. Google Analytics thereby collects additional information about users who have activated personalized ads (interests and demographic data), and ads can be delivered to these users in cross-device remarketing campaigns.

With Google Analytics 4, IP anonymization is activated by default. Due to IP anonymization, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

During your website visit, your user behavior is recorded in the form of "events." Events can include:

• Page views

• First visit to the website

• Start of session

• Your “click path,” interaction with the website

• Scrolls (each time a user scrolls to the bottom of the page (90%))

• Clicks on external links

• Internal searches

• Interaction with videos

• File downloads

• Viewed/clicked ads

• Language setting

Additionally, the following is recorded:

• Your approximate location (region)

• Your IP address (in shortened form)

• Technical information about your browser and the devices you use (e.g., language setting, screen resolution)

• Your internet provider

• The referrer URL (via which website/advertising medium you came to this website)

Purposes of Processing
Google processes the transmitted information on our behalf to evaluate the use of the website by visitors and to compile reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website.

Recipients
Recipients of the data are/may be:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor pursuant to Art. 28 GDPR)

• Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

• Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

It cannot be ruled out that US authorities access data stored by Google.

Data Transfer to Third Countries
Where data is processed outside the EU/EEA and there is no data protection level equivalent to the European standard, we have concluded EU Standard Contractual Clauses with the provider. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to data stored by Google cannot be ruled out. From a data protection perspective, the USA is currently considered a third country. You do not have the same rights there as within the EU/EEA. Legal remedies against access by authorities may not be available to you.

Storage Duration
The data we send and which is linked to cookies will be automatically deleted after 14 months. Data that has reached its retention period is deleted automatically once a month.

Legal Basis and Withdrawal
We process your data using Google Analytics 4 based on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25 TTDSG. You give your consent via cookie settings (cookie banner / consent manager), where you may also withdraw your consent at any time with effect for the future in accordance with Art. 7(3) GDPR.

You can also prevent the storage of cookies from the outset by setting your browser accordingly. If you configure your browser to reject all cookies, this may result in restricted functionality on this and other websites. Furthermore, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by (I) not giving your consent to set the cookie or (II) downloading and installing the browser add-on to deactivate Google Analytics HERE.

More information is available in Google's Terms of Service and Privacy Policy.

Google Tag Manager
We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or statistics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, store cookies, or carry out any independent analyses. It only serves to manage and play out the tools integrated via it. However, Google Tag Manager does collect your IP address, which may also be transferred to Google's parent company in the United States.

The use of Google Tag Manager is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the fast and uncomplicated integration and management of various tools on their website. If corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TTDSG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.

Further information: https://marketingplatform.google.com/about/tag-manager/

Google Ads and Conversion Tracking
This website uses Google Ads. Google Ads is an online advertising program of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Within Google Ads, we use so-called conversion tracking. When you click on an ad placed by Google, a cookie is set for conversion tracking. These cookies expire after 30 days and are not used for personal identification of users. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user clicked on the ad and was redirected to this page.

Each Google Ads customer receives a different cookie. Cookies cannot be tracked through the websites of Ads customers. The information obtained using the conversion cookie is used to create conversion statistics for Ads customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive information that personally identifies users.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent can be revoked at any time.

More information on Google Ads and Google Conversion Tracking can be found in the Google Privacy Policy.

Google DoubleClick
This website uses the online marketing tool Google DoubleClick. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

DoubleClick is used to display interest-based advertisements to users across the Google advertising network. Ads can be tailored to the interests of the respective viewer using DoubleClick. For this purpose, DoubleClick uses cookies that recognize whether a user has already visited a particular website and what content has been viewed. The cookies do not contain any personal data but assign a pseudonymous identification number to the browser to recognize it.

The information generated by the cookies is transferred to and stored on a Google server in the USA. Data processing is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can revoke your consent at any time.

Further information can be found in the Google Privacy Policy.

Google Maps
This site uses the mapping service Google Maps. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this site has no influence over this data transmission. When Google Maps is activated, Google may use Google Fonts to display map content in a uniform font. When you access Google Maps, your browser loads the required web fonts into its browser cache to display text and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our online offerings and an easy location of the places we indicate on the website. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. If corresponding consent has been obtained, the processing is based exclusively on Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent can be revoked at any time.

More information on handling user data can be found in the Google Privacy Policy and the Terms of Use for Google Maps.

We have integrated Microsoft Advertising on our website. Microsoft Advertising is a service provided by Microsoft Corporation to display targeted advertising to users. Microsoft Advertising uses cookies and other browser technologies to analyze user behavior and recognize users.

Microsoft Advertising collects information about visitor behavior across various websites. This information is used to optimize the relevance of advertisements. Furthermore, Microsoft Advertising delivers targeted advertising based on behavioral profiles and geographic location. The provider receives your IP address and other identifying characteristics such as your user agent.

In this case, your data is transmitted to the operator of Microsoft Advertising, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States.

The use of Microsoft Advertising is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. The data transfer to the USA is based on Art. 45 (1) GDPR, in accordance with the adequacy decision of the European Commission. The participating U.S. companies and/or their U.S. subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

In cases where no adequacy decision from the European Commission exists (including U.S. companies not certified under the EU-U.S. DPF), we have agreed with the recipients of the data on other suitable safeguards pursuant to Art. 44 ff. GDPR. These are—unless otherwise specified—the EU Standard Contractual Clauses as per Implementing Decision (EU) 2021/914 of June 4, 2021. A copy of these Standard Contractual Clauses can be viewed at:
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914.

Additionally, before such a third-country transfer, we obtain your consent under Art. 49 (1) (a) GDPR, which you provide via the consent manager (or other forms, registrations, etc.). We would like to inform you that third-country transfers may entail unknown risks (e.g., data processing by security authorities of the third country, the exact scope and consequences of which we do not know, over which we have no influence, and of which you may not become aware).

The specific retention period of the processed data is not within our control but is determined by Microsoft Corporation. Further information can be found in the Microsoft Advertising Privacy Policy.

Social Media Fan Pages / Accounts

We maintain fan pages, accounts, or channels on the social networks listed below to provide you with information and offers within social networks, offer additional ways to contact us, and keep you informed about our services. Below, we inform you about which data we and the respective social network process in connection with your visit and use of our fan pages/accounts.

Data We Process from You

If you contact us via messenger or direct message on the respective social network, we typically process your username and may store additional information you provide if necessary to handle your request.

Legal basis: Art. 6 (1) (f) GDPR (processing is necessary to safeguard the legitimate interests of the controller).

(Static) Usage Data We Receive from Social Networks

We receive automated statistics about our accounts via insights functionalities. These statistics include, among other things:

• Total page views

• Likes

• Page activity and post interactions

• Reach

• Video views

• Gender distribution of our followers

The statistics contain only aggregated, non-personally identifiable data. We cannot identify individuals from this information.

Data Processed by Social Networks

To view the content of our fan pages/accounts, you do not need to be a member of the respective social network or have an account.

However, please note that social networks collect and store data from website visitors even without an account (e.g., technical data to display the website) and use cookies and similar technologies, over which we have no control. For details, please refer to the privacy policies of the respective social network (see links below).

If you wish to interact with our content (e.g., comment, share, or like posts) or contact us via messenger functions, registration with the respective social network and the provision of personal data are required.

We have no control over data processing by social networks when you use their services. To our knowledge, your data is stored and processed primarily to provide the social network’s services, analyze user behavior (using cookies, pixels/web beacons, and similar technologies), and display interest-based advertising both within and outside the respective platform.

Your data may be stored outside the EU/EEA and shared with third parties.

For details on the scope, purposes, storage duration/deletion, and cookie policies, please refer to the privacy policies of the respective social networks. You will also find information about your rights and objection options there.

Facebook

When visiting our Facebook page, Facebook (Meta) collects, among other things, your IP address and other cookie-based information from your device. This data is used to provide us, as the page operator, with statistical insights about page usage.

More information is available here:
https://www.facebook.com/help/pages/insights

The statistics do not allow us to identify individual users. We use them only to tailor our content to user interests and improve our online presence.

We collect your data via our fan page solely to enable communication and interaction with us. This typically includes:

• Your name

• Message content

• Comment content

• Publicly available profile information

Legal basis:

• Art. 6 (1) (f) GDPR (legitimate interest in providing an information and communication channel).

• If you have consented to data processing by the social network provider, Art. 6 (1) (a), Art. 7 GDPR applies.

Since data processing is conducted by the social network provider, our access to your data is limited. Only the provider can fully access your data and fulfill user rights (access, deletion, objection, etc.). Therefore, asserting these rights is most effective when done directly with the provider.

We are jointly responsible with Facebook for the personal content on our fan page. You may exercise your rights with Meta Platforms Ireland Ltd. or with us.

Facebook assumes primary responsibility for Insights data processing under GDPR and complies with all GDPR obligations. Meta Platforms Ireland Ltd. provides the Page Insights Supplement to data subjects.

We do not make decisions regarding Insights data processing or cookie storage duration.

For more details, see:

• Facebook Page Controller Addendum: https://www.facebook.com/legal/terms/page_controller_addendum

• Facebook Privacy Policy: https://www.facebook.com/privacy/policy

• Facebook Cookie Policy: https://www.facebook.com/policies/cookies

Facebook Fanpage

Our Facebook fanpage (https://www.facebook.com/themandala.de/) uses plugins provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. Visiting our page transmits data to Facebook’s servers, including information about your visit.

If you are logged into Facebook, your activity may be linked to your account. If you interact with our page (e.g., clicking "Like" or commenting), this data is published on your profile. To prevent this, log out of Facebook before visiting.

We do not know exactly what data Facebook stores. Assume that Facebook records all interactions on our page.

Legal basis: Art. 6 (1) (a), (f) GDPR.

Right to Object (Images/Posts)

If you appear in any content (e.g., photos) and wish to object to its publication, contact us at widerruf@themandala.de. The objection applies to future use.

If we accidentally publish content without consent, we will take immediate action to comply with your request. For group photos, we reserve the right to blur faces.

Instagram

When visiting our Instagram page (https://www.instagram.com/themandalahotel/), Instagram (Meta) collects your IP address and cookie data to provide us with statistical insights.

For details, see:
https://www.facebook.com/help/pages/insights (Note: This Facebook link also applies to Instagram.)

We use this data only to improve our content and cannot identify individual users.

Data collected for communication includes:

• Your name

• Messages/comments

• Public profile details

Legal basis:

• Art. 6 (1) (f) GDPR (legitimate interest).

• If you consented to processing, Art. 6 (1) (a), Art. 7 GDPR applies.

We have joint responsibility with Instagram for fan page content. Rights may be asserted with Meta Platforms Ireland Ltd. or us.

Instagram handles Insights data compliance under GDPR.

For more information:

• Instagram Help Center: https://help.instagram.com/519522125107875

• Instagram Privacy Policy: https://help.instagram.com/581066165581870

YouTube Video

We have integrated YouTube Video (a service of YouTube, LLC) to embed videos on our website.

YouTube uses cookies and tracking technologies to analyze user behavior, recognize users, and create profiles. Registered YouTube users may have viewed videos linked to their accounts.

When accessing YouTube content, your IP address and browser data (e.g., user agent) are transmitted to:
Google Ireland Ltd., Gordon House, Barrow St, Dublin 4, Ireland.

Legal basis: Your consent under Art. 6 (1) (a) GDPR and § 25 (1) TTDSG.

International Data Transfers

We may transfer data to third countries (e.g., USA). For transfers to the U.S., we rely on:

• The EU-U.S. Data Privacy Framework (DPF) (Art. 45 (1) GDPR).

• For non-DPF-certified companies, EU Standard Contractual Clauses (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914).

You consent to such transfers via our Consent Manager (Art. 49 (1) (a) GDPR).

Note: Third-country transfers may involve risks (e.g., government access to data).

Storage Duration

YouTube, LLC determines data retention. For details, see YouTube’s Privacy Policy.

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookies about the use of this website by the users is usually transmitted to a Google server in the USA and stored there. In the event that IP anonymisation is activated on this website, however, Google will truncate the user's IP address beforehand within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymisation is active on this website.

On behalf of the operator of this website, Google will use this information for the purpose of evaluating the use of the website by users, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Users may refuse the use of cookies by selecting the appropriate settings on their browser, however please note that if you do this you may not be able to use the full functionality of this website. Users may also prevent the collection of data generated by the cookie and relating to their use of the website (including their IP address) by Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. As an alternative to the browser add-on or within browsers on mobile devices, please click this link to prevent the collection of data by Google Analytics within this website in the future. This will place an opt-out cookie on your device. If you delete your cookies, you must click this link again.

Deactivation of Google advertising

(https://www.google.com/privacy_ads.html) or on the deactivation page of the Network Advertising Initiative (https://www.networkadvertising.org/managing/opt_out.asp).

Google Tag Manager

We use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage website tags through one interface and allows us to control the exact integration of services on our website

This allows us to flexibly integrate additional services to evaluate user access to our website.

The use of Google Tag Manager is based on our legitimate interests, i.e. interest in optimising our services.

The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google Tag Manager.

Google DoubleClick

We have integrated components of DoubleClick by Google on our website. DoubleClick is a brand of Google, under which mainly special online marketing solutions are marketed to advertising agencies and publishers. DoubleClick by Google transfers data to the DoubleClick server with each impression as well as with clicks or other activities.

Each of these data transfers triggers a cookie request to the browser of the data subject. If the browser accepts this request, DoubleClick sets a cookie in your browser.

DoubleClick uses a cookie ID, which is required to process the technical procedure. The cookie ID is required, for example, to display an advertisement in a browser. DoubleClick can also use the cookie ID to record which advertisements have already been displayed in a browser in order to avoid duplicate placements. Furthermore, the cookie ID enables DoubleClick to record conversions. Conversions are recorded, for example, if a DoubleClick advertisement has previously been displayed to a user and the user subsequently makes a purchase on the advertiser's website using the same internet browser.

A DoubleClick cookie does not contain any personal data, but may contain additional campaign identifiers. A campaign identifier serves to identify the campaigns with which you have already been in contact on other websites. As part of this service, Google obtains knowledge of data that Google also uses to generate commission statements. Among other things, Google can track that you have clicked on certain links on our website. In this case, your data will be passed on to the operator of DoubleClick, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information and the applicable data protection provisions of DoubleClick by Google can be found at https://policies.google.com/privacy.

We process your data with the help of the Double-Click cookie for the purpose of optimising and displaying advertising based on your consent. You give your consent by setting the use of cookies (cookie banner / Consent Manager), with which you can also declare your revocation at any time with effect for the future in accordance with Art. 7 (3) GDPR. The cookie is used, among other things, to place and display user-relevant advertising and to create reports on advertising campaigns or to improve them. Furthermore, the cookie is used to avoid multiple displays of the same advertisement. Each time you call up one of the individual pages of our website on which a DoubleClick component has been integrated, your browser is automatically prompted by the respective DoubleClick component to transmit data to Google for the purpose of online advertising and the settlement of commissions. There is no legal or contractual obligation to provide your data. If you do not give us your consent, it will be possible to visit our website without restriction, but not all functions may be fully available.

The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google DoubleClick.

Gstatic

A web service of the company Google Ireland Limited, Gordon House, Barrow Street, 4 Dublin, Ireland (hereinafter: Gstatic) is reloaded on our website. We use this data to ensure the full functionality of our website. In this context, your browser may transmit personal data to Gstatic.

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. The legitimate interest lies in the error-free functioning of the website. The data is deleted as soon as the purpose of its collection has been fulfilled. Further information can be found in the privacy policy for Gstatic.

You can prevent the collection as well as the processing of your data by Gstatic by deactivating the execution of script code in your browser or by installing a script blocker in your browser.

Google Ads

We have integrated Google Ads on our website. Google Ads is a service provided by Google Ireland Limited to display targeted advertising to users. Google Ads uses cookies and other browser technologies to analyse user behaviour and recognise users.

Google Ads collects information about visitor behaviour on various websites. This information is used to optimise the relevance of advertising. Furthermore, Google Ads delivers targeted advertising based on behavioural profiles and geographical location. Your IP address and other identifiers such as your user agent are transmitted to the provider.

If you are registered with a Google Ireland Limited service, Google Ads can associate the visit with your account. Even if you are not registered with Google Ireland Limited or have not logged in, it is possible that the provider will find out and store your IP address and other identifying features.

In this case, your data will be passed on to the operator of Google Ads, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We process your data with the help of Google Ads for the purpose of optimising our website and for marketing purposes based on your consent.

The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google Ads.

Google Fonts

We use Google Fonts from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as a service to provide fonts for our online offer. To obtain these fonts, you establish a connection to servers of Google Ireland Limited, whereby your IP address is transmitted.

The use of Google Fonts is based on our legitimate interests, i.e. interest in a uniform provision and optimisation of our online offer.

The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google Fonts.

Google CDN

We use Google CDN to properly deliver the content of our website. Google CDN is a service of Google Ireland Limited, which acts as a content delivery network (CDN) on our website.

A CDN helps to provide content of our online offer, in particular files such as graphics or scripts, more quickly with the help of regionally or internationally distributed servers. When you access this content, you establish a connection to servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, whereby your IP address and possibly browser data such as your user agent are transmitted. This data is processed exclusively for the above-mentioned purposes and to maintain the security and functionality of Google CDN.

The use of the Content Delivery Network is based on our legitimate interests, i.e. interest in a secure and efficient provision and optimisation of our online offer.

The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google CDN.

Google reCAPTCHA

We have integrated components of Google reCAPTCHA on our website. Google reCAPTCHA is a service of Google Ireland Limited and enables us to distinguish whether a contact request originates from a natural person or is automated by means of a program. When you access this content, you establish a connection to servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, whereby your IP address and possibly browser data such as your user agent are transmitted. Furthermore, Google reCAPTCHA records the user's browsing time and mouse movements in order to distinguish automated requests from human ones. This data is processed exclusively for the above-mentioned purposes and to maintain the security and functionality of Google reCAPTCHA.

The service is used on the basis of our legitimate interests, i.e. for protection when submitting forms.

The concrete storage period of the processed data cannot be influenced by us, but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google reCAPTCHA.

Google Maps

This website uses Google Maps API, a mapping service provided by Google Inc. ("Google"), to display an interactive map and to create directions. Google Maps is operated by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

By using Google Maps, information about your use of this website (including your IP address) may be transmitted to a Google server in the USA and stored there. Google may transfer the information obtained through Maps to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

Google will not associate your IP address with any other data held by Google. It is nevertheless technically possible that Google could identify at least individual users on the basis of the data received. It is possible that personal data and personality profiles of users of the website could be processed by Google for other purposes over which we have and can have no control.

The legal basis for the use of Google Maps is our legitimate interest in data processing.

The purpose of using Google Maps is to show the user our location on the website and to give him the possibility to determine different directions via the services of Google Maps.

You have the option of deactivating the Google Maps service and thus preventing the transfer of data to Google by deactivating JavaScript in your browser. However, we would like to point out that in this case you will not be able to use the map display on our website.

Facebook
Our website uses social plugins ("plugins") of the social network facebook.com, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook").

The plugins are marked with a corresponding logo. When you call up a web page of our website that contains such a plugin, your browser establishes a direct connection with the Facebook servers if the plugin is activated. The content of the plugin is transmitted by Facebook directly to your browser, which then integrates it into the website. By integrating the plugin, Facebook receives the information that you have accessed the corresponding page of our website. If you are logged in to Facebook, Facebook can assign the visit to your Facebook account. If you interact with the plugins or post a comment, the corresponding information is transmitted directly from your browser to Facebook and stored there. For the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, please refer to Facebook's privacy policy. If you do not want Facebook to collect data about you via our website, you must log out of Facebook before visiting our website.

You can find more information on this in Facebook's privacy policy. If you do not want Facebook to link your visit to our website with your Facebook user account, please log out of your Facebook account.

Facebook fan page

On our Facebook fan page at: https://www.facebook.com/themandala.de/ we use plugins from the provider Facebook.com, which are provided by the company Facebook Inc., 1601 S. California Avenue, Palo Alto, CA 94304 in the USA. By using the fan page, data is forwarded to the Facebook servers, which contain information about your visits to our fan page. For logged-in Facebook users, this means that the usage data is assigned to their personal Facebook account. As soon as you actively use the Facebook plugin as a logged-in Facebook user (e.g. by clicking on the "Like" button or using the comment function), this data is transferred to your Facebook account and published. You can only avoid this by logging out of your Facebook account first.

We do not know exactly what data Facebook stores and uses. As a user of the fan page, you must therefore expect that Facebook also stores your actions on the fan page without gaps.

In addition, the General Terms of Use of Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland apply. With regard to data protection on Facebook, please note the following data protection information of Facebook Ireland Limited.

The legal basis for this data processing is Art. 6 para. 1 lit. a, f) GDPR.

Every person depicted as well as other third parties have the possibility to object to the publication of their personal data (photos) at any time. We have set up the e-mail address widerruf@themandala.de for this purpose. The right to object applies in particular to the publication of images for the future.

It can always happen that we accidentally publish pictures of people where no consent has been given. If publication is not desired, we will immediately do everything possible to comply with your right. In the case of group pictures, we reserve the right to distort faces.

Instagram

The "Instagram button" is used on this website. When you access this website, your browser establishes a connection to servers of the social network Instagram, offered by Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.

When you visit our pages on https://www.instagram.com/themandalahotel/, a direct connection is established between your browser and the Instagram server. Instagram thereby receives the information that you have visited our site with your IP address. If you click the Instagram button while you are logged into your Instagram account, you can link the content of our pages on your Instagram profile. This allows Instagram to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram.

For more information, please see Instagram's privacy policy.

Instagram API

We use Instagram API from Instagram, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, to access additional services and data from Instagram, Inc. This involves a transfer of your IP address to Instagram, Inc. Please note that there is a separate section in this privacy policy for each additional service we use from Instagram, Inc.

Purpose and legal basis

The use of Instagram API is based on your consent.

Duration of storage

The concrete storage period of the processed data cannot be influenced by us, but is determined by Instagram, Inc. Further information can be found in the privacy policy for Instagram API.

Youtube video

We have integrated YouTube Video on our website. YouTube Video is a component of the video platform of YouTube, LLC, on which users can upload content, share it over the internet and receive detailed statistics.

YouTube Video allows us to integrate content from the platform into our website.

YouTube Video uses cookies and other browser technologies to analyse user behaviour, recognise users and create user profiles. This information is used, among other things, to analyse the activity of the content listened to and to create reports. If a user is registered with YouTube, LLC, YouTube Video can associate the videos played with the profile.

When you access this content, you establish a connection to servers of YouTube, LLC, whereby your IP address and possibly browser data such as your user agent are transmitted.

The use of the service is based on our legitimate interests, i.e. interest in a platform-independent provision of content.

The concrete storage period of the processed data cannot be influenced by us, but is determined by YouTube, LLC. Further information can be found in the privacy policy for YouTube Video.

We have integrated components of Hotelcareer Widget on our website. Hotelcareer Widget is a service provided by StepStone GmbH, Axel-Springer-Straße 65, 10969 Berlin, Germany, which offers applicant and HR management software.

Hotelcareer Widget is used in connection with application processes to optimize applicant management, for example, through automated analysis of work references. Additionally, Hotelcareer Widget enables us to create and evaluate job postings.

The use of this service is based on our legitimate interests, i.e., our interest in optimizing our application processes in accordance with Art. 6 (1) (f) GDPR.

The specific retention period of the processed data is not determined by us but by StepStone GmbH. For further information, please refer to the Hotelcareer Widget Privacy Policy: https://www.hotelcareer.com/en/privacy-policy.

We use Crazy Egg by Crazy Egg, Inc. to conduct A/B testing on our online services. This involves simultaneously publishing different versions of our online content and measuring which version is more user-friendly.

When testing these versions, data such as the operating system used, the browser's user agent, and the time of access may be collected to measure the success of each version.

Web tracking technologies are used to associate the aforementioned data with the version of our online service being tested.

The use of Crazy Egg is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TTDSG (German Telecommunications and Telemedia Data Protection Act).

The specific retention period of the processed data is not determined by us but by Crazy Egg, Inc. For further information, please refer to the Crazy Egg Privacy Policy: https://www.crazyegg.com/privacy.

We have integrated components of Cognito Forms on our website. Cognito Forms is a service provided by Cognito LLC and offers marketing automation software.

Cognito Forms allows us to create and display online forms and pop-ups on our website. Additionally, Cognito Forms is used to process data entered in forms, such as when contacting us via a contact form or signing up for our newsletter.

Cognito Forms uses cookies and other browser technologies to analyze user behavior and recognize returning users. This information is used, among other things, to compile reports on website activity.

In this case, your data is shared with the operator of Cognito Forms, Cognito LLC, 929 Gervais Street, Suite D, Columbia, SC 29201, United States.

The use of Cognito Forms is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TTDSG (German Telecommunications and Telemedia Data Protection Act).

The specific retention period of the processed data is not determined by us but by Cognito LLC. For further information, please refer to the Cognito Forms Privacy Policy: https://www.cognitoforms.com/privacy.

We have integrated components of the Mailchimp service on our website. Mailchimp is a service provided by The Rocket Science Group, LLC that offers marketing automation for businesses.

Mailchimp is used to store and transmit data entered in forms using cookies, send marketing emails and automated messages, and create targeted campaigns.

Additionally, Mailchimp provides us with the ability to analyze whether sent emails were opened, how many users received an email, and whether users unsubscribed from the newsletter after receiving an email.

In this case, your data will be shared with the operator of Mailchimp, The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, United States.

The use of Mailchimp is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TTDSG (German Telecommunications and Telemedia Data Protection Act).

The specific retention period of the processed data is not determined by us but by The Rocket Science Group, LLC. For further information, please refer to the Mailchimp Privacy Policy: https://www.mailchimp.com/legal/privacy/.

We have integrated components of Stripe Payments on our website. Stripe Payments is a service provided by Stripe, Inc. that offers global online payment solutions.

When you select Stripe Payments as your payment method, the data required for processing the payment will be automatically transmitted to Stripe, Inc., San Francisco, California, USA.

As part of this process, the following data is typically collected: Name, address, company (if applicable), email address, phone and mobile number, and IP address.

The use of this service is based on contract execution, i.e., for processing payment transactions.

The specific retention period of the processed data is not determined by us but by Stripe, Inc. For further information, please refer to the Stripe Privacy Policy: https://stripe.com/privacy.

This service is mainly aimed at adults. We do not currently market any specific areas for children. Accordingly, we do not knowingly collect age-identifying information, nor do we knowingly collect personal information from children under the age of 16. However, we caution all visitors to our website under the age of 16 not to disclose or provide any personally identifiable information through our service. In the event that we discover that a child under the age of 16 has provided us with personal information, we will delete the child's personal information from our files to the extent technically feasible.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

• You have a right to information about the personal data stored about you, about the purposes of processing, about any transfers to other bodies and about the duration of storage.

• If data is inaccurate or no longer necessary for the purposes for which it was collected, you may request that it be corrected, erased or restricted from processing. Where provided for in the processing procedures, you may also consult your data yourself and correct them if necessary.

• Should grounds against the processing of your personal data arise from your particular personal situation, you may, insofar as the processing is based on a legitimate interest, object to it. The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

• If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to the processing for direct marketing or profiling purposes, the personal data concerning you will no longer be processed for these purposes.

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. For this purpose, we have set up the e-mail address widerruf@themandala.de.

As a data subject, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence or of the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection.

The supervisory authority to which the complaint is submitted will inform you of the status and outcome of your complaint, including the possibility of a judicial remedy.

You can find more information on the website of the Federal Commissioner for Data Protection and Freedom of Information.

Where personal data is processed outside the European Union, you can find this information in the previous sections.

We use technical and organisational security measures in accordance with Art. 32 GDPR to protect your data managed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures are continuously improved in line with technological developments. Access is only possible for a few authorised persons and persons who are obliged to provide special data protection and who are involved in the technical, administrative or editorial care of data.

We reserve the right to change, update or amend this privacy information at any time. Any revised privacy statement will only apply to personal data collected or modified after the effective date of the revised statement.

We reserve the right to change, update or amend this Privacy Notice at any time. Any revised information on data processing will only apply to personal data collected or modified after the effective date.

Status | May 2025