Our Privacy Policy

Roam Around London Ltd. is the owner of the registered trade name roamaround.com.  We’re a company registered in England and Wales with company number 14472056, whose registered address is at 24 Ladbroke Road, London, W11 3NN.  In this privacy notice, we will refer to ourselves as ‘we’, ‘us’, or ‘our’.

You can get in touch with us in any of the following ways:

(a) by phoning us on +44 (0) 20 3713 0155;

(b) by e-mailing us at customerservice@roamaroundlondon.com; or

(c) by writing to us at 24 Ladbroke Road, London, W11 3NN.

We take the privacy, including the security, of personal information we hold about you seriously.  This privacy notice is designed to inform you about how we collect personal information about you and how we use that personal information.  You should read this privacy notice carefully so that you know and can understand why and how we use the personal information we collect and hold about you.

We do not have a Data Protection Officer, but if you have any questions about this privacy notice or issues arising from it then you should contact Jimmy Raza, who is responsible for matters relating to data protection at our organisation, including any matters in this privacy notice.  You can contact them using the details set out above.

We may issue you with other privacy notices from time to time, including when we collect personal information from you.  This privacy notice is intended to supplement these and does not override them.

We may update this privacy notice from time to time.  This version was last updated on 14/09/2022.

Key Definitions

The key terms that we use throughout this privacy notice are defined below, for ease:

Data Controller: under UK data protection law, this is the organisation or person responsible for deciding how personal information is collected and stored and how it is used. 

Data Processor: a Data Controller may appoint another organisation or person to carry out certain tasks in relation to the personal information on behalf of, and on the written instructions of, the Data Controller. (This might be the hosting of a site containing personal data, for example, or providing an email marketing service that facilitates mass distribution of marketing material to a Data Controller’s customer-base.)

Personal Information: in this privacy notice we refer to your personal data as ‘personal information’. ‘Personal information’ means any information from which a living individual can be identified.  It does not apply to information which has been anonymised.

Special Information: certain very sensitive personal information requires extra protection under data protection law.  Sensitive data includes information relating to health, racial and ethnic origin, political opinions, religious and similar beliefs, trade union membership, sex life and sexual orientation and also includes genetic information and biometric information.

  1. Subject of data protection

The subject of data protection is personal data, i.e. all information relating to an identified or identifiable natural person. Personal data is also referred to simply as data in the following.

  1. Automated data collection

When accessing our website, your end device automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us:

    • URL of the page accessed
    • Latency of the network connection
    • Date and time

We store this data for the following purposes:

    • for load balancing, i.e. to distribute access to our website across several devices and to be able to offer you the fastest possible loading times;
    • to ensure the security of our IT systems, e.g. to defend against specific attacks on our systems and to recognise attack patterns;
    • to ensure the proper operation of our IT systems, e.g. if errors occur that we can only rectify by storing the IP address;
    • to enable criminal prosecution, averting of danger or legal prosecution in the event of specific indications of criminal offences.

Your IP address is only stored for a period of 30 days.

In this case, the processing is carried out to ensure the security of the processing in accordance with Art. 32 GDPR, as well as on the basis of our legitimate interest in protecting ourselves against misuse of our service (Art. 6 para. 1 lit. f GDPR).

  1. Roamaroundlondon.com’s account
    • Registration

You have the option to create a Roamaroundlondon customer account, for example to manage bookings, save favourites or view past bookings. To do so, you need to provide the following mandatory information:

      • Surname/first name
      • E-mail address
      • Passwords

Alternatively, you can log in with your Facebook, Google or Apple account. In this case, we receive the following personal data from Facebook, Google or Apple in order to create a user account for you:

      • Name
      • E-mail address
      • Photo (Facebook only)
      • an authentication token

Your registration data is required to set up and manage a user account for you. In this case, you conclude a (free) user agreement with us, on the basis of which we collect this data (Art. 6 para. 1 lit. b GDPR).

In order to conclude the agreement, you must provide us with this data. However, you are neither contractually nor legally obliged to conclude the agreement and thus to provide the data.

    • Wish lists

After you have created a customer account, you have the option to create wish lists with activities and tours and to share these wish lists with other users. Your data is processed for these purposes in order to be able to provide you with the corresponding functions (Art. 6 para. 1 lit. b GDPR).

  1. Reviews and ratings

Our website offers the possibility to rate and comment on tours or activities. After you have completed a tour booked via our website, we may ask you to rate it accordingly. Submitting a rating is, of course, voluntary. When you submit a rating, we collect the data you enter in order to process it according to the function you use and publish it on our website. You can have a rating deleted at any time by contacting our customer service.

The processing of your data for these purposes is done to protect our legitimate interest in providing our users with as much information as possible about the tours we offer. User ratings are also in the interest of all users. Accordingly, the processing is based on Art. 6 para. 1 lit. f GDPR.

  1. Customer support
    • Improvement of customer service

In order to continuously improve our customer service, we analyse enquiries sent to us on the basis of certain parameters and keywords. Although, as a matter of principle, no analysis is carried out on the basis of personal data, it cannot be ruled out that, in individual cases, personal data may also be processed within this context. The processing required within this context serves our legitimate interest as well as that of our customers in the continuous improvement of our customer service (Art. 6 para. 1 lit. f GDPR).

    • Translations

In certain cases, it is necessary for us to translate incoming requests into a specific language. This may require the processing of personal data, which is necessary to protect our legitimate interest in providing international customer service (Art. 6 para. 1 lit. f GDPR).

    • Storage and evaluation of telephone calls

Telephone calls are only stored and analysed if you have given us your prior consent. We will only use this data for the purpose of improving our customer service. The recordings will be deleted after three months. The legal basis is Art. 6 para. 1 lit. a GDPR. You have the option to revoke your consent at any time by using one of the contact channels mentioned in this privacy policy. This will not affect the lawfulness of the processing carried out by us until your revocation.

  1. Technical service providers

We use technical service providers for hosting and some of the services required for the website. Accordingly, the processing of data takes place on the servers of these service providers. These service providers only process the data according to our explicit instructions and are obliged to guarantee sufficient technical and organisational measures for data protection. Consequently, our service providers act for us as so-called processors within the meaning of Art. 28 GDPR.

    • Hosting of the website

For the hosting of our website, we use the services of A2 Hosting, based in the EU. Accordingly, when you interact with our website or provide personal data, it is processed on a2hosting.net servers. We have concluded the standard contractual clauses approved by the EU Commission with AWS in accordance with Art. 46 para. 2 lit. c GDPR.

    • E-mail system

For sending emails, we use cloudaccess.net, based in the USA. There is no adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission pursuant to Art. 46 para. 2 lit. c GDPR with Twilio.

  1. Newsletter

You have the option on our website to register for our newsletter. With our newsletter, we would like to send you information on offers, tours, activities or special promotions that is as personalised as possible. By registering for our newsletter, you therefore consent to us processing your email address for the purpose of sending the newsletter. The legal basis for this processing is Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by unsubscribing from our newsletter. To do this, you can use the unsubscribe link contained in every email or send us a message using the link https://www.roamaroundlond.com/contact/. To verify your e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). When you register for the newsletter, we store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to prove your consent (Art. 6 para. 1 lit. c in conjunction with Art. 7 para. 1 GDPR).

If you have booked a tour via our website or created a roamaroundlondon account, we will send you our newsletter based on our legitimate interest in promoting similar services to your bookings or account (Art. 6 para. 1 lit. f GDPR, § 7 para. 3 UWG), unless you have objected to this use. If cookies are used for personalisation, we will obtain your separate consent.

You can object to this at any time – even during registration – by deselecting the corresponding checkbox or clicking the unsubscribe link in the respective e-mails.

For the dispatch of our newsletter and the personalisation of content, we use the services of the provider Braze Inc. based in the USA (“Braze”). There is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Braze in accordance with Art. 46 para. 2 lit. c GDPR.

  1. Bookings & payments
    • Bookings

When you book a tour, activity or similar on our site, we collect the data required to carry out the tour. This usually includes the following information: first and last name, billing address, email address, telephone number, number of participants, date and time. Depending on the activity booked, it may also be necessary for us to collect further information, such as your flight number or the age of the participants. The processing that takes place in connection with this is based on Art. 6 para. 1 lit. b GDPR. To the extent necessary, we will transfer your data to the body responsible for the tour or activity. If a transfer to a third country outside the European Economic Area is necessary, this is based on Art. 49 para. 2 lit. b, c GDPR. If you make bookings via partner sites, we receive the data required to make the booking from the partner.

    • Payments

You have various options for paying for your booking. In doing so, we will process the data required in each case depending on the selected payment method. Within this context, your personal data will be processed as described below, which is based on Art. 6 para. 1 lit. b GDPR and is necessary to carry out the payment method you have chosen.

      • Credit card payments

For the processing of payments by credit card, we use the service provider Stripe (“Stripe”), which is based in Dublin, Ireland. The data provided during your payment will be forwarded by Stripe to the respective banks or financial institutions for the purpose of processing the payment. In the case of payments by credit card, we only receive the information that a payment has or has not been made. We therefore have no knowledge of your credit card number.

      • Payment via PayPal

If you have a PayPal account, you can also process your payment via PayPal. In this case, we receive from PayPal not only the information that a payment has been made, but also the e-mail address and address you have registered with PayPal.

      • Chargebacks

In the event of chargebacks, we will transfer the necessary data to Global Merchant Risk Technologies trading as The Chargeback Company (Chargebacks911) based in Ireland to process a chargeback. The required data includes your name, booking information, telephone number and payment information. Chargebacks911 will then process the chargeback with your bank or PayPal or Stripe. The processing is carried out within the context of the execution of the contract (Art. 6 para. 1 lit. b GDPR) as well as on the basis of our legitimate interest in the effective processing of chargebacks (Art. 6 para. 1 lit. f GDPR).

  1. Cookies

We use so-called “cookies” to offer certain functions of our website and to optimise the use of our website. “Cookies” are small files that are stored on your device with the help of your internet browser.

Specifically, we use (unless other cookies are specified elsewhere in this privacy policy or our cookie consent) the following cookies:

    • Session cookies: These cookies are needed to store certain technical data during your visit to our website, e.g. to determine whether you have logged in.
    • Persistent cookies: These cookies are needed to store data beyond a browser session if you wish to do so.

The legal basis for the use of these cookies is Art. 6 para. 1 lit. b GDPR, insofar as they are necessary for the use of our website and the functions you have accessed. Otherwise, we use cookies – as described below – on the basis of your consent. You can revoke your consent at any time via our “Change preferences” option.

  1. Marketing and remarketing services
    1. Evaluation of advertising on the web and on social media platforms

We place advertisements, widgets, paid links, etc. on third-party sites on the web and on social media platforms. In order to measure the success of our advertisements, cookies are set – insofar as you have consented – when you are redirected from the relevant third-party site to our website in order to use them to analyse click behaviour for billing purposes. The use of the cookies and the analysis of your click behaviour is based on your consent, which we obtain before the respective cookie is set (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time via our Cookie Consent Manager. This does not affect the lawfulness of the processing carried out until your revocation.

With regard to our social media advertising, we use a service provided by Smartly.io Solutions Oy, based in Finland, to analyse the success of our advertisements.

    1. Google services

We use the services of Google LLC, 1600 Amphitheatre Pkwy Mountain View, California 94043, USA (“Google”) described below. There is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Google in accordance with Art. 46 para. 2 lit. c GDPR.

Basic information on the processing of your personal data by Google can be found here: https://policies.google.com/privacy?hl=en.

You also have the following setting options with Google:

      • Google Analytics 360

If you have consented, we use Google Analytics 360, a web analytics service. Google Analytics 360 collects pseudonymous data from you about the use of our website, including your shortened IP address, and uses cookies. This data is transmitted to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity, and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.

Your data will be stored by Google Analytics for a period of 14 months. After this period, the data is deleted and only aggregated statistics are kept.

The use of Google Analytics is based on your consent (Art. 6 para. 1 lit. a GDPR).

You can revoke your consent at any time and deactivate Google Analytics using a browser add-on. You can download this here: http://tools.google.com/dlpage/gaoptout. Alternatively, you can revoke your consent as described here: https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out. You can also revoke your consent via our “Change preferences” option. This does not affect the lawfulness of the processing carried out until your revocation.

      • Google Remarketing & Advertising Personalisation on the Google Network

If you have consented, we use remarketing services from Google. Google uses cookies to record your usage behaviour on our website in order to display interest-based advertising for our products on other pages within the Google advertising network across devices. This includes Google search and other sites operated by Google and its subsidiaries, as well as sites operated by Google’s advertising partners. The information is transmitted accordingly to Google and Google’s partners. Additional data processing will only take place if you have consented to Google linking your browsing history to your Google Account and using information from your Google Account to personalise the ads you see on the web. In this case, Google will use your data together with Google Analytics data to create and define target group lists for remarketing. To do this, your personal data will be temporarily linked by Google with Google Analytics data to form target groups.

The use of these services is based on your consent (Art. 6 para. 1 lit. a GDPR).

You can revoke your consent via our “Change preferences” option. This does not affect the lawfulness of the processing carried out until your revocation. Furthermore, the remarketing cookie is automatically deleted as soon as it is no longer necessary for the purposes for which we collected or used it in accordance with the above paragraphs.

    1. Facebook services

We use the services of Facebook Ireland Limited (“Facebook”) described below. Please note that this may also involve processing by Facebook Inc. based in the USA. There is no EU Commission adequacy decision for the USA. In this case, Facebook will use the standard contractual clauses approved by the EU Commission, which constitute a suitable guarantee within the meaning of Art. 46 para. 2 lit. c GDPR for the transfer to third countries.

Basic information on the further processing and use of your data by Facebook as well as your setting options for protecting your privacy with Facebook can be found in Facebook’s privacy policy at https://www.facebook.com/privacy/explanation.

      • Facebook pixel

If you have consented, the Facebook pixel is used on our website. This is a piece of JavaScript code. The Facebook pixel records when you perform certain actions on our website or visit certain areas on our website. The Facebook pixel also collects usage data (such as URL, referrer URL, IP address, device and browser characteristics and timestamp). The Facebook pixel generates a checksum (hash value) from this information and transmits this hash value to Facebook. If available, the Facebook cookie is also addressed and your Facebook ID is transmitted. If you have a Facebook profile and log in there, you can be presented with targeted personalised advertising on Facebook based on the data transmitted by the pixel. Data from users who do not have a Facebook profile is discarded by Facebook without being used.

We use the Facebook pixel on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time via our “Change preferences” option. This does not affect the lawfulness of the processing carried out until your revocation.

      • Facebook Server-to-Server

This technology is based neither on cookies nor on pixels. When you use our website and are redirected by Facebook, we send your Facebook Click-ID and information about possible purchases and other actions on our website to Facebook. Facebook will use this information to understand which ad you clicked, to measure the success of certain ads and to provide us with this information in aggregate form. Facebook will not use the data to serve targeted ads to you or other users. We transmit this data on the basis of our legitimate interest in controlling our marketing activities (Art. 6 para. 1 lit. f GDPR).

  1. Integrated third-party content

We have also integrated third-party content on our website. This content is loaded from the servers of the respective providers, so that your end device transmits certain technically necessary data to the third-party provider. In particular, it cannot be ruled out that these providers may take note of the IP address assigned to you. Insofar as personal data is processed, this is done on the basis of the privacy policies of the respective third-party providers. The integration by us is based on our legitimate interests in being able to provide our users with the corresponding content and functionalities and to be able to operate our website economically, Art. 6 para. 1 lit. f GDPR. In detail, we integrate the following third-party content:

    • Contentstack: We have integrated content from the content delivery network Contentstack of Contentstack LLC, which is based in the USA. Please note that there is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Contentstack LLC in accordance with Art. 46 para. 2 lit. c GDPR. For more information on data protection at Contentstack LLC, please visit: https://www.contentstack.com/privacy.

  1. Social media

We operate pages or profiles on various social media platforms. Within this context, personal data is processed as described below.

If you interact with us via our social media sites or our posts, we will collect and process the information you provide in connection with this, including your user name and any profile photo, if applicable, for example if you mark a post with “Like”, share or “retweet”, comment or provide other content. The data processing in this regard is regularly carried out on the basis of our legitimate interest in providing the corresponding functions on our social media pages (Art. 6 para. 1 lit. f GDPR) and, if applicable, on the basis of your consent vis-à-vis the operator of the respective network (Art. 6 para. 1 lit. a GDPR) or your contractual relationship with the operator (Art. 6 para. 1 lit. b GDPR). Please also note that this content is published on our relevant social media sites according to your account settings and can be accessed by anyone worldwide.

Further data processing by us may take place in order to be able to accept and process enquiries or messages via our social media sites (Art. 6 para. 1 lit. b GDPR).

In addition, the respective operators collect and process personal data from you in their own data protection responsibility when you visit our social media sites and/or interact with them or our posts. This applies in particular if you are registered or logged in to the relevant network. Even if you are not logged in to a network, the operators collect certain personal data when you access the page, such as unique identifiers that are linked to your browser or device. Please note that this data may be aggregated across different platforms and services if they are operated by the same operator. For example, both Facebook and Instagram are operated by Facebook Ireland Limited. Further information can be found in the data protection notices of the respective operators, to which we refer below.

Specifically, we operate the following social media presences:

    1. Facebook

You can find our Facebook fan page at: https://www.facebook.com/roamaroundlondon/

Facebook is operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”). If you visit or like our Facebook page as a registered Facebook user, Facebook collects personal data from you. Even if you are not registered with Facebook and visit our Facebook page, Facebook may collect pseudonymous usage data from you. For more information, please see Facebook’s data policy at https://www.facebook.com/about/privacy/ and at https://www.facebook.com/legal/terms/information_about_page_insights_data. In the data policy, you will also find information on the settings options for your Facebook account.

Your personal data may also be provided to other Facebook companies. This may involve the transfer of personal data to the USA and other third countries for which there is no EU Commission adequacy decision. In this case, Facebook will use the standard contractual clauses approved by the EU Commission. Further information can also be found in Facebook’s data policy.

In addition, as part of the operation of our Facebook page, we are jointly responsible with Facebook for the processing of so-called page insights. With the help of these page insights, Facebook analyses the behaviour on our Facebook page and provides us with this information in non-personal form. For this purpose, we have concluded a joint data protection responsibility agreement with Facebook Ireland, which you can view at the following link: https://www.facebook.com/legal/terms/page_controller_addendum. In this agreement, Facebook undertakes, among other things, to assume primary responsibility under the GDPR for the processing of Page Insights and to comply with all obligations under the GDPR with regard to the processing of Page Insights.

    1. Instagram

Our Instagram page can be found at: https://www.instagram.com/roamarounlondon/

Instagram is operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”). The Instagram privacy policy can be found at: https://help.instagram.com/519522125107875. In it you will also find information on the settings options for your account.

Your personal data may also be made available to other Facebook or Instagram companies. This may involve the transfer of personal data to the USA and other third countries for which there is no EU Commission adequacy decision. In this case, Facebook will use the standard contractual clauses approved by the EU Commission. Further information can also be found in the Instagram Privacy Policy.

In addition, as part of the operation of our Instagram page, we are jointly responsible with Facebook for the processing of so-called Instagram Insights. With the help of these Instagram Insights, Facebook analyses the behaviour on our Instagram page and provides us with this information in non-personal form. For this purpose, we have concluded a joint data protection responsibility agreement with Facebook, which you can view at the following link: https://facebook.com/legal/terms/page_controller_addendum. In it, Facebook undertakes, among other things, to assume primary responsibility under the GDPR for the processing of Instagram Insights and to fulfil all obligations under the GDPR with regard to the processing of Page Insights.

    1. Twitter

You can find our Twitter account at: https://twitter.com/roamarounlondon/

For users outside the US, Twitter is operated by Twitter International Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland (“Twitter International”). Twitter’s privacy policy can be found at: https://twitter.com/en/privacy. In it you will also find information on the settings options for your Twitter account.

Please note that Twitter International also transfers personal data to third countries outside the European Economic Area for which there is no EU Commission adequacy decision. Insofar as such a transfer occurs, Twitter will use the standard contractual clauses approved by the EU Commission.

We also use the Twitter Analytics function. As part of this function, we receive non-personal information from Twitter International about the use of our account. This information allows us to analyse and optimise the effectiveness of our Twitter activities. The processing that takes place within this context is based on our legitimate interest in optimising our Twitter activities (Art. 6 para. 1 lit. f GDPR).

    1. Pinterest

You can find our Pinterest page at: https://www.pinterest.com/roamaroundlondon/

Pinterest is operated by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (“Pinterest”). Pinterest’s privacy policy can be found at: https://policy.pinterest.com/en/privacy-policy.

Please note that Pinterest also transfers personal data to third countries outside the European Economic Area for which there is no EU Commission adequacy decision. To the extent that such transfer occurs, Pinterest will take appropriate data protection measures, such as by entering into the standard contractual clauses approved by the EU Commission. For more information, please refer to Pinterest’s privacy policy.

Finally, we receive non-personal information and analytics from Pinterest about the use of our account. This information allows us to analyse and optimise the effectiveness of our Pinterest activities. The processing that takes place within this context is based on our legitimate interest in optimising our Pinterest activities (Art. 6 para. 1 lit. f GDPR).

    1. YouTube

You can find our YouTube page at: https://www.youtube.com/roamaroundlondon/

YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). You can find Google Ireland’s privacy policy at https://policies.google.com/privacy?hl=en. In it you will also find information on the settings options for your Google account. Please note that your Google account may be used for various Google services (e.g. Gmail, YouTube, Google Search) and Google Ireland may merge personal data relating to the Google services you use in accordance with your Google account settings.

Please note that Google also transfers personal data to the US-based Google LLC and that there is no EU Commission adequacy decision for the USA.

Finally, we receive non-personal information and analytics from Google about the use of our account or interactions with our videos. This information allows us to analyse and optimise the effectiveness of our YouTube activities. The processing that takes place within this context is based on our legitimate interest in optimising our YouTube activities (Art. 6 para. 1 lit. f GDPR).

    1. LinkedIn

You can find our LinkedIn account at: https://www.linkedin.com/company/roamaroundlondon/

For users located in the European Economic Area and Switzerland, LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn Ireland”). You can find LinkedIn’s data protection guidelines here: https://www.linkedin.com/legal/privacy-policy?trk=organization-guest_footer-privacy-policy. In it you will also find information on the settings options for your LinkedIn profile.

Please note that LinkedIn also transfers personal data to third countries outside the European Economic Area for which there is no EU Commission adequacy decision. Insofar as such a transfer occurs, LinkedIn will use the standard contractual clauses approved by the EU Commission. Corresponding information can be found at https://www.linkedin.com/help/linkedin/answer/62533.

Finally, we receive non-personal information and analytics from LinkedIn about the use of our account or interactions with our posts. This information allows us to analyse and optimise the effectiveness of our LinkedIn activities. The processing that takes place within this context is based on our legitimate interest in optimising our LinkedIn activities (Art. 6 para. 1 lit. f GDPR).

    1. WhatsApp

You can also contact us with enquiries via WhatsApp. WhatsApp is operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”). The privacy policy for WhatsApp can be found at: https://www.whatsapp.com/legal/privacy-policy-eea?lang=en. In it you will also find information on the settings options for your account.

Your personal data may also be provided to other Facebook companies. This may involve the transfer of personal data to the USA and other third countries for which there is no EU Commission adequacy decision. In this case, Facebook will use the standard contractual clauses approved by the EU Commission. Further information can also be found in Facebook’s data policy.

The processing takes place in order to be able to deal with the enquiries you send to us (Art. 6 para. 1 lit. b GDPR). Further storage of the data transmitted within the context of your enquiry is based on our legitimate interest in the proper documentation of our business operations and the safeguarding of our legal positions (Art. 6 para. 1 lit. f GDPR) and, if applicable, for the fulfilment of legal obligations (Art. 6 para. 1 lit. c GDPR).

    1. Competitions

Occasionally, we also run competitions via our social media site. To participate, you must, for example, comment on certain content, “like” us or tag us. We process the data you provide within this context in order to run the competition and notify the winner(s) (Art. 6 para. 1 lit. b GDPR).

    1. Social Media Management

In order to measure the success of our social media activities, we also record when we are tagged on social media networks. Within this context, we also process information about the people who tag us. The processing that takes place within this context is based on our legitimate interest in optimising our social media activities (Art. 6 para. 1 lit. f GDPR).

    1. Analysis of our social media activities

We also evaluate the success of our social media postings. We analyse how often individual postings are clicked. For this purpose, we use the services of Looker Data Sciences, Inc. based in the USA. The data processing is based on our legitimate interest in analysing our reach and the success of our social media activities. There is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Looker Data Sciences, Inc. pursuant to Art. 46 para. 2 lit. c GDPR. In addition, we use Google Analytics for these purposes (see the separate section on Google Analytics).

  1. CRM system

To manage our customer relationships, we store your personal data in our CRM system. This enables us to answer any enquiries in a targeted manner and to send you contextual advertising within the permissible framework. The processing that takes place within this context is based on our legitimate interest in managing our customer relationships, Art. 6 para. 1 lit. f GDPR. For this purpose, we use the services of the provider Braze, Inc. based in the USA (“Braze”). There is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Braze in accordance with Art. 46 para. 2 lit. c GDPR.

  1. Product development

We also process our customer data in order to continuously develop our products. In doing so, we use pseudonymous profiles to analyse how our products and our advertising are received by certain target groups. Your data is processed on the basis of our legitimate interest in improving our products and measuring the success of our business operations (Art. 6 para. 1 lit. f GDPR). Where necessary, we will also ask you for your consent (Art. 6 para. 1 lit. a GDPR). You can revoke any consent you may have given for this purpose at any time with effect for the future. For this purpose, you can, for example, contact us using the contact details above. A revocation does not affect the processing that took place until your revocation.

  1. Personalisation of website content

We also process your data in order to display personalised content on our website. The legal basis for this is our legitimate interest in showing you tours and activities that are relevant to you, Art. 6 para. 1 lit. f GDPR.

  1. Passing on of data

Beyond the cases described, your personal data will only be passed on without your express prior consent in the following cases:

    • If it is necessary for the clarification of an illegal use of our services or for legal prosecution, personal data will be forwarded to the law enforcement authorities and, if necessary, to injured third parties. However, this only happens if there are specific indications of unlawful or abusive behaviour. A transfer may also take place if this serves to enforce terms of use or other agreements. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities.

This data is disclosed on the basis of our legitimate interest in combating abuse, prosecuting criminal offences and securing, asserting and enforcing claims and provided that your rights and interests in the protection of your personal data are not overridden, Art. 6 para. 1 lit. f GDPR or on the basis of a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR.

    • We disclose personal data to auditors, accounting service providers, lawyers, banks, tax consultants and similar bodies insofar as this is necessary for the provision of our services (Art. 6 para. 1 lit. b GDPR) or the proper operation of our business (Art. 6 para. 1 lit. f GDPR) or we are obliged to do so (Art. 6 para. 1 lit. c GDPR).
    • We rely on contractually affiliated third-party companies and external service providers (“processors”) to provide the services. In such cases, personal data is passed on to these processors to enable them to continue processing. These processors are carefully selected and regularly reviewed by us to ensure that your rights and freedoms are protected. The processors may only use the data for the purposes specified by us and are also contractually obliged by us to treat your data exclusively in accordance with this privacy policy and the German data protection
  1. Erasure of your data

We delete or anonymise your personal data as soon as it is no longer necessary for the purposes for which we collected or used it in accordance with the above paragraphs. We also continue to retain your data if we are obliged to do so for legal reasons or if the data is needed for a longer period of time for criminal prosecution or to secure, assert or enforce legal claims.

If you delete your user account, your profile will be deleted completely and permanently. However, we will retain backup copies of your data to the extent and for as long as this data is required for legal reasons or for criminal prosecution or to secure, assert or enforce legal claims.

If data must be retained for legal reasons, processing will be restricted. The data is then no longer available for further use.

Storage beyond the contractual relationship is based on our aforementioned legitimate interests according to Art. 6 para. 1 lit. f GDPR.

  1. Your rights as a data subject

You have the rights described below with regard to the processing of your personal data. To exercise your rights, you can make a request here, by post or by email to the address above.

    1. Right of access to information

You have the right to receive information from us at any time, upon request, about the personal data we process that concerns you, to the extent and subject to the conditions of Art. 15 GDPR and § 34 BDSG.

    1. Right to correct incorrect data

You have the right to request that we correct personal data relating to you without delay if it is inaccurate.

    1. Right to erasure

You have the right to demand that we delete the personal data concerning you under the conditions described in Art. 17 GDPR and § 35 BDSG. These conditions provide in particular for a right to erasure if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erasure under Union law or the law of the Member State to which we are subject.

    1. Right to restriction of processing

You have the right to demand that we restrict processing in accordance with Art. 18 GDPR. This right exists in particular if the accuracy of the personal data is disputed between the user and us, for the duration that the verification of the accuracy requires, as well as in the event that the data subject requests restricted processing instead of erasure in the case of an existing right to erasure; furthermore, in the event that the data is no longer required for the purposes pursued by us, but the user requires it for the assertion, exercise or defence of legal claims, as well as if the successful exercise of an objection is still disputed between us and the user.

    1. Right to data portability

You have the right to receive from us the personal data relating to you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Art. 20 GDPR.

    1. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out, inter alia, on the basis of Art. 6 para. 1 lit. e or f GDPR, in accordance with Art. 21 GDPR. We will then stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

    1. Right of appeal

You have the right to contact a supervisory authority of your choice in case of complaints.

    1. Data processing when exercising your rights

Finally, we would like to point out that we process the personal data provided by you when exercising your rights pursuant to Art. 15 to 22 of the GDPR for the purpose of implementing these rights and to be able to provide evidence thereof. This processing is based on the legal basis of Art. 6 para. 1 lit. c GDPR in conjunction with Art. 15 to 22 GDPR and § 34 para. 2 BDSG.
