Note: This is a machine-translated version of the German Datenschutzerklärung. It is provided for informational purposes only. In case of any discrepancies, the German version is the legally binding document.
1. Name and address of the data controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection provisions is:
Hotel & Restaurant Castendieck
Owner: Martina Finkenstedt
Bremer Str. 20
49356 Diepholz
Germany
Phone: +49 5441 2064
Email: info@castendieck-diepholz.de
VAT ID No. (USt-IdNr.): DE278592676
Contact for data protection inquiries:
For questions regarding data protection or to exercise your rights, please contact the address above with the subject line “Data Protection”.
2. General information on data processing
2.1 Scope of processing of personal data
We generally process personal data of our users only to the extent necessary to provide a functional website. The processing of personal data is based on a legal basis pursuant to Art. 6 GDPR. This includes in particular processing for the performance of a contract (Art. 6(1)(b) GDPR), for the protection of legitimate interests (Art. 6(1)(f) GDPR), or with your consent (Art. 6(1)(a) GDPR).
2.2 Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis.
Insofar as processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.
If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Art. 6(1)(f) GDPR serves as the legal basis for processing.
3. Provision of the website and creation of log files
3.1 Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:
- IP address of the user
- Date and time of access
- Pages visited
- Amount of data sent in bytes
- Browser type and version
- Operating system of the user
- Referrer URL (the previously visited page)
- Hostname of the accessing device
The data is stored in the log files of our hosting provider Netlify. This data is not merged with other data sources.
3.2 Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.
3.3 Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s device. For this purpose, the user’s IP address must be stored for the duration of the session.
Storage in log files is carried out to ensure the functionality of the website. In addition, the data serves to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes also constitute our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR.
3.4 Duration of storage
The data is deleted as soon as it is no longer necessary for the purpose of its collection. In the case of data collected for the provision of the website, this is the case when the respective session has ended.
In the case of storage of data in log files, this is the case after no more than 30 days.
3.5 Right to object and removal
The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
4. Hosting
Hosting by Netlify
Our website is hosted by Netlify. The provider is Netlify, Inc., 2325 3rd Street, Suite 296, San Francisco, California 94107, USA (“Netlify”).
All data collected on our website is processed on Netlify’s servers. In the context of the aforementioned services, data may also be transferred to Netlify servers in the USA for further processing.
We have concluded a data processing agreement (“Data Processing Agreement”) with Netlify, in which we oblige the provider to protect our users’ data and not to pass it on to third parties. The Data Processing Agreement can be viewed at: https://www.netlify.com/pdf/netlify-dpa.pdf
Netlify is certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF, ensuring an adequate level of data protection when transferring personal data to the USA.
Netlify automatically stores server log files that your browser automatically transmits. These are:
- Browser type and version
- Operating system used
- Referrer URL
- Hostname of the accessing device
- Time of the server request
- IP address
This data is not merged with other data sources. Data processing is carried out on the basis of Art. 6(1)(f) GDPR. The legitimate interest lies in ensuring the stability and security of our IT systems and defending against attacks.
Storage is carried out for security purposes to ensure stability and operational safety. Log files are automatically deleted after no more than 30 days.
Further information on Netlify and data protection can be found at:
- https://www.netlify.com/privacy/
- https://www.netlify.com/gdpr-ccpa/
- https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnZtAAK
Transport encryption
This website uses SSL/TLS encryption for security purposes and to protect the transmission of confidential content. You can recognize an encrypted connection by the browser address bar changing from “http://” to “https://” and by the lock icon in your browser bar.
When SSL encryption is activated, the data you transmit to us cannot be read by third parties.
5. Email contact
5.1 Description and scope of data processing
Our website provides an email address for contacting us. In this case, the personal data of the user transmitted with the email will be stored.
In this context, the data is not passed on to third parties. The data is used exclusively for processing the conversation.
5.2 Legal basis for data processing
The legal basis for processing data with the consent of the user is Art. 6(1)(a) GDPR.
The legal basis for processing data transmitted in the course of sending an email is Art. 6(1)(f) GDPR. If the email contact aims at concluding a contract, Art. 6(1)(b) GDPR additionally serves as the legal basis for processing.
5.3 Purpose of data processing
The processing of personal data from the contact form serves solely to process the inquiry. In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
5.4 Recipients of data
All email communication, except for inquiries received via the contact form, is handled through netcup:
- netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany (email hosting, POP and SMTP servers)
For email inquiries received via the contact form, see Section 6 (Form Processing).
A data processing agreement exists with netcup.
5.5 Duration of storage
Personal data transmitted in the course of contact, reservation, or booking inquiries by email are not immediately deleted but are stored for the duration necessary to process the inquiry, carry out the reservation, and for possible follow-up questions.
Emails are regularly reviewed and deleted as soon as they are no longer required for the stated purposes, unless statutory retention periods apply.
Longer storage may be necessary in particular to trace reservation changes or cancellations, or to assert, exercise, or defend legal claims.
5.6 Right to object and removal
The user has the right to revoke their consent to the processing of personal data at any time. If the user contacts us by email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.
Revocation should be directed by email to info@castendieck-diepholz.de
All personal data stored in the course of the contact will be deleted in this case.
6. Form processing
6.1 Description and scope of data processing
On our website, we use various forms to collect and submit inquiries. All forms are processed via Google Apps Script, stored in Google Sheets for management, and sent to us by email via Gmail. Email reception and sending are handled via the POP and SMTP servers of netcup GmbH in Germany.
a) Table reservation
When using the table reservation form, the following personal data is processed:
- Name
- Email address
- Phone number
- Date of reservation
- Time
- Number of guests
- Special requests (free text field)
b) Hotel reservation
When using the hotel reservation form, the following personal data is processed:
- Name
- Email address
- Phone number
- Arrival date
- Departure date
- Number of guests
- Room type
- Number of rooms
- Breakfast selection
- Comments (free text field)
c) Other contact form
When using the other contact form, the following personal data is processed:
- Name
- Email address
- Phone number
- Subject
- Topic of inquiry
- Message (free text field)
In addition, the following technical data is processed for all forms:
- IP address
- Date and time of submission
6.2 Legal basis for data processing
Data processing is carried out:
- for other inquiries on the basis of Art. 6(1)(f) GDPR (legitimate interest in processing your inquiry),
- for table or hotel reservations and corresponding inquiries on the basis of Art. 6(1)(b) GDPR (implementation of pre-contractual measures or contract performance).
6.3 Purpose of data processing
The processing of personal data serves exclusively to handle your inquiry and, in the case of reservations, to organize and carry out table or hotel bookings.
6.4 Recipients of data
All forms (table reservation, hotel reservation, other contact form) are processed by:
- Google Ireland Limited, Ireland (Apps Script, Sheets, Gmail via Google)
- netcup GmbH, Germany (POP and SMTP servers for email reception and sending)
Inquiries received via the forms and resulting email conversations are processed in Google Mail, Google Sheets, and Apps Script. The POP and SMTP servers of netcup are used for receiving and sending emails.
Data processing agreements exist with both providers. The transfer of data to Google in Ireland is based on EU Standard Contractual Clauses.
Further information:
- Google Privacy: https://workspace.google.com/intl/en/terms/dpa_terms.html
- Google Data Privacy Framework: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI
6.5 Duration of storage
Data submitted via the forms (table reservation, hotel reservation, other contact form) is stored in Google Sheets and remains there as long as necessary to process your inquiry. The storage duration depends on the respective purpose:
- For general inquiries: Deletion after processing the inquiry, typically within a few days to weeks
- For reservation inquiries (table or hotel): Storage until the reservation is carried out and completed, including possible follow-up processing
- In case of cancellation or rejection: Prompt deletion after completion of communication
Email conversations resulting from the forms in Gmail (Google) are handled according to our general email retention guidelines (see Section 5.5) and deleted as soon as they are no longer required for the stated purposes, unless statutory retention periods apply.
6.6 Right to object and removal
The user has the right to revoke their consent to the processing of personal data at any time. In such a case, the inquiry cannot be processed.
Revocation should be directed by email to info@castendieck-diepholz.de
7. Use of cookies and local storage
7.1 Cookies
Our website does not use cookies.
7.2 Local storage
Description and scope of data processing
Our website uses Local Storage, a browser technology for locally storing data on your device. The following data is stored in Local Storage:
- Your preference for the website’s color scheme (Light Mode / Dark Mode)
This setting is stored exclusively locally in your browser and is not transmitted to our servers or third parties. The data serves solely to restore your chosen display preference on your next visit to the website.
Legal basis for data processing
The storage of this technical setting is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in providing you with a user-friendly website that takes into account your individual display settings.
Purpose of data processing
The storage of the color scheme preference serves solely to provide you with a consistent display tailored to your preferences on repeat visits to our website.
Duration of storage
The data stored in Local Storage remains on your device until you manually delete it. You can do this at any time in your browser settings.
Right to object and removal
You can delete the data stored in Local Storage at any time:
- Chrome/Edge: Settings → Privacy and Security → Clear Browsing Data → “Cookies and other site data”
- Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
- Safari: Settings → Privacy → Manage Website Data
Alternatively, you can reset the theme setting by using your browser’s default setting (light/dark).
Please note that after deletion, your color scheme preference will no longer be automatically restored on your next visit.
8. Dynamic Content
For the dynamic display of website content (e.g. notification banners, seasonal information), the service ToggleBird is used.
Processed data: IP address, time of the request
Purpose: Decision on the display and provision of current content
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
9. Social media
We maintain publicly accessible profiles on social networks. The specific social networks we use can be found below.
Social networks such as Facebook, Instagram, etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g., like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations.
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. Your personal data may, however, also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, data collection takes place, for example, via cookies stored on your device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you both inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.
We also point out that, as the provider of the pages, we do not receive knowledge of the content of the transmitted data or its use by the operators. For further information, please refer to the privacy policy of the respective social media portal.
Legal basis
Our social media presences are intended to ensure the widest possible presence on the internet. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR.
Controller and exercise of rights
When you visit one of our social media presences, we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can generally assert your rights (information, correction, deletion, restriction of processing, data portability, and complaint) both against us and against the operator of the respective social media portal.
We point out that, despite joint responsibility with the social media portal operators, we do not have full influence over the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.
Storage duration
The data collected directly by us via the social media presence is deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose for data storage ceases to apply. Stored cookies remain on your device until you delete them. Mandatory legal provisions, in particular retention periods, remain unaffected.
We have no influence on the storage duration of your data stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly.
Facebook and Instagram
We maintain profiles on Facebook and Instagram. The provider of these services is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter “Meta”).
According to Meta, the collected data is also transferred to the USA and other third countries.
We have concluded a joint processing agreement (Controller Addendum) with Meta. This agreement specifies which data processing operations we or Meta are responsible for when you visit our Facebook or Instagram page. This agreement can be viewed at: https://www.facebook.com/legal/terms/page_controller_addendum
You can adjust your advertising settings independently in your user account. To do so, click on the following links and log in:
- Facebook: https://www.facebook.com/settings?tab=ads
- Instagram: https://www.instagram.com/accounts/privacy_and_security/
Details can be found in Meta’s privacy policy:
- Facebook: https://www.facebook.com/privacy/explanation
- Instagram: https://help.instagram.com/519522125107875
10. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
10.1 Right of access
You may request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing is taking place, you may request information from the controller about the following:
- the purposes for which the personal data is processed
- the categories of personal data being processed
- the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed
- the planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage duration
- the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- all available information about the origin of the data if the personal data is not collected from the data subject
- the existence of automated decision-making including profiling
You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organization.
10.2 Right to rectification
You have the right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
10.3 Right to restriction of processing
You may request the restriction of processing of your personal data under the following conditions:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data
- the controller no longer needs the personal data for the purposes of processing, but you need it for the establishment, exercise, or defense of legal claims, or
- if you have objected to the processing
10.4 Right to erasure
You may request the controller to erase the personal data concerning you without undue delay, and the controller shall be obliged to erase such data without undue delay if one of the following grounds applies:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed
- You withdraw your consent on which the processing was based, and there is no other legal basis for the processing
- You object to the processing and there are no overriding legitimate grounds for the processing
- The personal data concerning you has been unlawfully processed
- The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law
- The personal data concerning you has been collected in relation to information society services offered
10.5 Right to notification
If you have asserted the right to rectification, erasure, or restriction of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of such rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right vis-à-vis the controller to be informed about these recipients.
10.6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, where:
- the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR, and
- the processing is carried out by automated means
10.7 Right to withdraw consent
You have the right to withdraw your data protection consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
10.8 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
Competent supervisory authority:
Die Landesbeauftragte für den Datenschutz Niedersachsen (State Commissioner for Data Protection of Lower Saxony)
Prinzenstraße 5
30159 Hannover
Phone: 0511 120-4500
Email: poststelle@lfd.niedersachsen.de
Website: https://lfd.niedersachsen.de
11. Right to object
IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST WITHIN THE FRAMEWORK OF A BALANCING OF INTERESTS, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO SUCH PROCESSING WITH FUTURE EFFECT FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA CONCERNED. HOWEVER, FURTHER PROCESSING IS RESERVED IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS, AND FUNDAMENTAL FREEDOMS, OR IF THE PROCESSING SERVES TO ASSERT, EXERCISE, OR DEFEND LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING. YOU MAY EXERCISE THE OBJECTION AS DESCRIBED ABOVE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.
11.1 Automated decision-making
No automated decision-making including profiling pursuant to Art. 22 GDPR takes place on our website. All inquiries and reservations are processed manually by our staff.
12. Duration of storage of personal data
The duration of storage of personal data is determined by the respective legal basis, the processing purpose, and, where applicable, additionally by the respective statutory retention period (e.g., commercial and tax retention periods).
When processing personal data on the basis of explicit consent pursuant to Art. 6(1)(a) GDPR, this data is stored until the data subject withdraws their consent.
If statutory retention periods exist for data processed in the context of legal or quasi-legal obligations on the basis of Art. 6(1)(b) GDPR, this data is routinely deleted after expiry of the retention periods, provided it is no longer required for the performance or initiation of a contract and/or there is no legitimate interest on our part in continued storage.
When processing personal data on the basis of Art. 6(1)(f) GDPR, this data is stored until the data subject exercises their right to object pursuant to Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing serves to assert, exercise, or defend legal claims.
When processing personal data for the purpose of direct marketing on the basis of Art. 6(1)(f) GDPR, this data is stored until the data subject exercises their right to object pursuant to Art. 21(2) GDPR.
Unless otherwise stated in the other information in this declaration regarding specific processing situations, stored personal data is otherwise deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.