Privacy Policy

Tourismusverband Innsbruck und seine Feriendörfer
Public law corporation
Burggraben 3
6020 Innsbruck
[email protected]
Legal notice: https://www.innsbruck.info/en/imprint
Tel.-Nr. +43 512 5356
VAT ID No.: ATU43994406

Contact details of the Data Protection Officer
[email protected]
Data processing activities specifically identified as such are carried out under joint responsibility, in accordance with Article 26 of the GDPR, together with: 

Innsbruck Information und Reservierung GmbH
Burggraben 3
6020 Innsbruck
[email protected]
Legal notice: www.innsbruck.info/reservierung-incoming/imprint.html
Tel.-Nr. +43 512 5356
VAT ID No.:  ATU53742801

Further information on joint controllership pursuant to Article 26 of the GDPR is available on request from our Data Protection Officer ([email protected]) in accordance with the EDPB Guidelines 07/2020, version 2.0, paragraph 181. For reference, see: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en
 

Relevant legal bases under the GDPR (EU General Data Protection Regulation): The following provides an overview of the GDPR legal bases we rely on when processing personal data. Please note that, in addition to the GDPR, national data protection regulations also apply. For Austria, these are set out in the Austrian Data Protection Act (Datenschutzgesetz – DSG). The Data Protection Act includes, in particular, specific provisions regarding the right of access, the right to rectification or erasure, the processing of special categories of personal data, processing for additional purposes, data transfers and automated decision-making in individual cases. 

Note on the applicability of the GDPR and the Swiss Federal Act on Data Protection (FADP): This privacy notice is designed to meet the requirements of both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). As the GDPR has broader territorial scope and provides greater clarity, this notice generally uses the terminology found in the GDPR. In particular, where the Swiss FADP refers to concepts such as “overriding interest” and “particularly sensitive personal data”, this notice uses the GDPR equivalents “legitimate interest” and “special categories of personal data”. However, where the Swiss FADP applies, the legal meaning of these terms continues to be governed by the Swiss FADP.

We protect personal data using technical and organisational measures. In doing so, we comply with all applicable legal requirements. We take into account the current state of technology, the costs, the purpose of each data processing activity and the potential risks to data subjects.  

Our measures include: 

• Protecting digital and physical data against unauthorised access.
• Controlling who is permitted to enter or share data.
• Maintaining procedures for deleting data (right to erasure) and for exercising data subject rights.
• Establishing measures that enable rapid data recovery in the event of technical issues.
• Ensuring the necessary separation of different processing activities.
• Considering data protection requirements when selecting or developing software, hardware and processes (data protection by design and by default).
• IP addresses processed by our data processors or other service providers are shortened where the full address is not strictly required. This makes identification difficult or even impossible. 

Our websites use TLS/SSL encryption (recognisable by "https:” in the address bar). This ensures that your data is transmitted securely and in encrypted form.    

Data processing in third countries: If we transfer data to a third country (i.e., a country outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs through the use of third-party services or through the disclosure or transmission of data to other persons, entities or companies (which is recognisable from the respective provider’s address or when a privacy policy explicitly refers to data transfers to third countries), such transfers are always carried out in accordance with legal requirements.

For transfers of data to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised as an adequate and secure legal framework by an adequacy decision of the European Commission on 10 July 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the relevant providers. These clauses comply with the requirements of the European Commission and impose contractual obligations for the protection of your data. 

This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary basis for protection, while the Standard Contractual Clauses serve as an additional layer of security. Should any changes occur under the Data Privacy Framework (DPF), the Standard Contractual Clauses act as a reliable fallback mechanism. This ensures that your data remains adequately protected even in the event of political or legal developments. 

For each service provider, we indicate whether they are DPF-certified and whether Standard Contractual Clauses are in place. Further information about the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/. 

For data transfers to other third countries, appropriate safeguards apply, in particular standard contractual clauses, explicit consent or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the European Commission’s information service: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en

(Last accessed on 22.05.2025).

We delete personal data in accordance with legal requirements as soon as the underlying consent is withdrawn or no other legal basis for processing exists. This applies where the original purpose for processing no longer exists or the data is no longer required. Exceptions apply where legal obligations or legitimate interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law purposes, or data that must be stored for legal proceedings or to protect the rights of natural or legal persons, will be archived accordingly.

Our privacy policy also contains information on retention and deletion that applies to specific processing activities. If multiple retention periods or deletion deadlines apply to particular data, the longest period always prevails.

If a retention period of at least one year does not explicitly begin on a specific date, it automatically starts at the end of the calendar year in which the event triggering the period occurred. For ongoing contractual relationships under which data is stored, the event triggering the period is the effective date of termination or any other dissolution of the contractual relationship.

Data that is no longer retained for the original purpose, but is kept due to legal requirements or other reasons, is processed exclusively for the reasons and purposes that justify its retention.

Further information on processing activities, procedures and services:

Data retention and deletion
The following general retention periods apply under Austrian law for the storage and archiving of data.
 

3 years – Data required to consider potential warranty or damage claims and similar contractual claims and rights, as well as data required to process related enquiries, based on past business experience and standard industry practice, are stored for the duration of the statutory limitation period of three years (§§ 1478, 1480 Austrian Civil Code (ABGB)).
 
7 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting documents and invoices, as well as all required work instructions and other organisational documents (Federal Fiscal Code (BAO §132), Austrian Commercial Code (UGB §§190-212)). This also includes other business documents: received commercial or business letters, copies of sent commercial or business letters and any other documents relevant for tax purposes. This includes, for example, time sheets and payroll records, provided they are not already accounting records (BAO §132; UGB §§190-212).
 
30 years – Employment certificates and the data required to issue them (such as name, last known address, period of employment and job role) must be retained until the end of the general limitation period (ABGB §§ 1163 and 1478).

We encourage you to regularly review the content of our Privacy Policy. We update this Privacy Policy when necessary to reflect changes in our data processing activities. If a change requires action on your part (e.g. renewed consent), or if an individual notification is otherwise required, we will inform you accordingly.

Where this Privacy Policy includes addresses or contact details of companies or organisations, please note that such information may change over time. We therefore ask that you check these details before making contact.

As a data subject, you have various rights under the GDPR, in particular the rights set out in Articles 15 to 21 GDPR:

Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data where the processing is based on Article 6(1)(e) or (f) GDPR. This also applies to any profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object to such processing at any time. This right also applies to profiling to the extent that it is related to direct marketing.

Right to withdraw consent
You have the right to withdraw any consent you have given at any time.

Right of access
You have the right, in accordance with legal requirements, to request confirmation as to whether your personal data is being processed and, where this is the case, to access that data and receive further information and a copy of the data.

Right to rectification
You have the right, in accordance with legal requirements, to request the correction of inaccurate personal data concerning you and the completion of incomplete data.

Right to erasure and restriction of processing
You have the right, in accordance with legal requirements, to demand that personal data concerning you be deleted immediately or, alternatively, to demand that the processing of the data be restricted in accordance with legal requirements.

Right to data portability
You have the right, in accordance with legal requirements, to receive, in a structured, commonly used and machine-readable format, the personal data concerning you that you have provided to us, or to request that this data be transferred to another controller.

Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR. You may do so in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. Our competent supervisory authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).

For any data protection enquiries, please contact our Data Protection Officer at [email protected] as your first point of contact.

We process user data in order to provide our online services. For this purpose, we process users’ IP addresses because they are required to deliver the content and functions of our online services to the user’s browser or device.

Categories of data processed:

• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions); metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved); log data (e.g. log files relating to logins, data retrieval or access times); content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online services and improvement of the user experience; IT infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.); security measures; Content Delivery Network (CDN); firewall.
• Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
• Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

Further information on processing activities, procedures and services: 

• Provision of online services using rented hosting infrastructure: To provide our online services, we use hosting infrastructure, computing capacity and software that we rent from a server provider (also referred to as a “web host”) or obtain from other sources.
• Legal basis: Legitimate interests (Article 6(1)(f) GDPR).
• Collection of access data and log files: Access to our online services is logged in the form of “server log files”. These log files may include the address and name of the web pages and files accessed, the date and time of access, the amount of data transferred, notifications of successful access, browser type and version, the user’s operating system, the referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes, for example to prevent server overload (in particular in the event of malicious attacks such as DDoS attacks), and to ensure the performance and stability of our systems.
  Legal basis: Legitimate interests (Article 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and is then deleted or anonymised. Data that must be retained for evidentiary purposes is exempt from deletion until the relevant incident has been fully resolved.

• Email transmission and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the email addresses of recipients and senders, other information relating to email transmission (e.g. the providers involved) and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails sent over the internet are generally not encrypted. In most cases, emails are encrypted during transmission, but (unless end-to-end encryption is used) they are not encrypted on the servers from which they are sent or received. We therefore cannot accept responsibility for the security of emails during transmission between the sender and our servers.
  Legal basis: Legitimate interests (Article 6(1)(f) GDPR).
• Content Delivery Network: We use a Content Delivery Network (CDN) operated by our data processor. A CDN is a service that enables the faster and more secure delivery of online content, particularly large media files such as graphics or programme scripts, using regionally distributed servers connected via the internet.
  Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

Cloudflare:

A Content Delivery Network (CDN) service that enables the faster and more secure delivery of online content, particularly large media files such as graphics or programme scripts, using regionally distributed servers connected via the internet.
Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.cloudflare.com
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/
Legal basis for third-country data transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/),

 
Wordfence:

Firewall, security and error-detection services used to identify and prevent unauthorised access attempts and technical vulnerabilities that could enable such access. For these purposes, cookies and similar storage technologies may be used, and security logs may be generated during monitoring, in particular in the event of unauthorised access. In this context, users’ IP addresses, a user identification number and user activities, including the time of access, are processed and stored, compared with data provided by the firewall and security service provider, and transmitted to that provider.
Service provider: Defiant, Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.wordfence.com
Privacy Policy: https://www.wordfence.com/privacy-policy/
Legal basis for third-country data transfers: Standard Contractual Clauses (https://www.wordfence.com/standard-contractual-clauses/, 
Further information: https://www.wordfence.com/help/general-data-protection-regulation/.

We process application users’ data where necessary to provide and operate the application and its features, maintain its security, and support its ongoing development. We may also contact users, in accordance with applicable legal requirements, where such communication is required for the administration or use of the application. For further information about how we process personal data, please refer to the relevant sections of this Privacy Policy.

Legal bases: Data processing that is necessary to provide the functions of the application is carried out for the performance of a contract. This includes cases where the provision of features requires user permissions (e.g. access to device functions). Where data processing is not strictly necessary for the provision of the application but is required to ensure its security or to pursue our legitimate commercial interests (e.g. the collection of data for application optimisation or security purposes), such processing is carried out on the basis of our legitimate interests. Where users are expressly asked for their consent for specific processing activities, the relevant data is processed on the basis of that consent. 

• Categories of data processed: Account data (e.g. full name, residential address, contact information, customer number, etc.); usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions); metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved); location data (information relating to the geographic location of a device or person).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Performance of a contract and provision of contractual services; security measures; provision of our online services and improvement of the user experience.
• Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
  Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR).

Further information on processing activities, procedures and services:

• Device permissions granting access to functions and data: To use our application or enable certain features, the user may be required to grant permission for the application to access specific functions of their device or data stored on, or accessible through, that device. These permissions must be granted by users and may be withdrawn at any time in the settings of the respective device. The exact procedure for managing app permissions may vary depending on the user’s device and software. Users may contact us if they require further clarification. Please note that denying or withdrawing permissions may affect the functionality of the application.
• Processing of location data: When using our application, location data collected by the user’s device or otherwise provided by the user may be processed. The use of location data requires user permission, which may be withdrawn at any time. Location data is used solely to provide the relevant functions of our application, as described to users and in line with its typical and expected operation.
• No location history and no movement profiles: Location data is used only for specific purposes and is not processed to create a location history or movement profile of the device or its user.

Users may create a user account. During registration, users are required to provide certain mandatory information, which is processed for the purpose of providing the user account on the basis of the performance of a contract. The data processed includes, in particular, login credentials (username, password and email address).

When users access our registration and login functions and use their user account, we record and store the IP address and the time of each relevant user action. This storage is carried out on the basis of our legitimate interests and those of our users in preventing misuse or unauthorised access. Such data is not normally shared with third parties unless this is necessary for the establishment, exercise or defence of legal claims, or where we are required to do so by law.

Users may receive email notifications relating to their user account, for example regarding technical changes. 

• Categories of data processed: Account data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal addresses, email addresses or telephone numbers); content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps); usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions); log data (e.g. log files relating to logins, data retrieval or access times).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Performance of a contract and provision of contractual services; security measures; organisational and administrative procedures; provision of our online services and improvement of the user experience.
• Retention and deletion: Deletion in accordance with the section “General information on data storage and deletion”; deletion upon termination of the user account.
  Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR).

Further information on processing activities, procedures and services: 

• Registration under real names: Due to the nature of our community, we ask that users use our services under their real names. The use of pseudonyms is not permitted.
  Legal basis: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR).
• User profiles are not public: User profiles are not publicly visible or accessible.
• Deletion of data following termination: When users terminate their user account, personal data associated with the account is deleted, unless further retention is permitted or required by law, or the user has provided consent for continued storage.
  Legal basis: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR).
• No obligation to retain data: Users are responsible for securing or backing up their data prior to termination of the contract. Upon termination, we are entitled to permanently and irretrievably delete all data stored by the user during the term of the contract.
  Legal basis: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR).

We operate blogs and other comparable means of online communication and publication (hereinafter referred to as “publication media”). The personal data of readers is processed only to the extent necessary to operate the publication media, to enable communication between authors and readers, and for security purposes. For further information about how we process the personal data of visitors to our publication media, please refer to the relevant sections of this Privacy Policy.

Categories of data processed:

• Account data (e.g. full name, residential address, contact information, customer number, etc.)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved).

Data subjects: Users (e.g. website visitors, users of online services)

Purposes of processing:

• Feedback (e.g. collection of feedback via online forms)
• Provision of our blog and improvement of the user experience
• User profiles (creation of profiles with user-related information)
• Audience measurement (e.g. access statistics, recognition of returning visitors)
• Tracking (e.g. interest-based and behaviour-based profiling, use of cookies)
• Conversion measurement (measurement of the effectiveness of marketing measures)
• Audience segmentation

Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR); Consent (Article 6(1)(a) GDPR).

Further information on processing activities, procedures and services:

INSTAGRAM PLUGINS AND CONTENT

This may include, for example, content such as images, videos, text and buttons that allow users to share content from this website within Instagram. 

We act as joint controllers with Meta Platforms Ireland Limited for the collection or receipt by way of transmission (but not the subsequent processing) of “event data” that Facebook collects or receives by way of transmission via Instagram features (e.g. content embedding functions) implemented on our online services, for the following purposes:
 

1.  Display of content and advertising information aligned with users’ presumed interests.
2.  Delivery of commercial and transactional messages (e.g. contacting users via Facebook Messenger).
3. Improvement of ad delivery and personalisation of features and content (e.g. improving recognition of content or advertising likely to be of interest to users).
    

We have entered into a special agreement with Facebook (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum) that specifically outlines the security measures that Facebook must implement (https://www.facebook.com/legal/terms/data_security_terms) and under which Facebook has agreed to comply with data subject rights (for example, users may submit access or deletion requests directly to Facebook).

Note: When Facebook provides us with metrics, analyses and reports (which are aggregated, meaning they do not contain information about individual users and are anonymised for us), this processing does not take place under joint controllership, but on the basis of a data processing agreement (“Data Processing Terms”, ​​https://www.facebook.com/legal/terms/dataprocessing), “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the United States, on the basis of Standard Contractual Clauses (“Facebook EU Data Transfer Addendum”, https://www.facebook.com/legal/EU_data_transfer_addendum).

The data subject rights of users (in particular the rights of access, erasure, objection and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook.
 

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Website: https://www.instagram.com
Privacy Policy: https://privacycenter.instagram.com/policy/
 

FACEBOOK ADVERTISEMENTS

Placement of advertisements within the Facebook platform and evaluation of advertising results.

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Consent (Article 6(1)(a) GDPR)
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/privacy/policy/
Legal basis for third-country data transfers: Data Privacy Framework (DPF)
Right to object (opt-out): Users should consult the privacy and advertising settings available in their user profile on Facebook platforms, as well as Facebook’s consent procedures and contact options for exercising rights of access and other data subject rights, as described in Facebook’s Privacy Policy.

FURTHER INFORMATION

User event data, including behavioural and interest data, is processed for targeted advertising and audience building under the joint controllership agreement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company located in the EU. All further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular any transfer of the data to its parent company, Meta Platforms, Inc., in the United States (carried out on the basis of Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

FACEBOOK PAGES:
Profiles within the Facebook social network 

We act as joint controllers with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (“Fan Page”). This data includes information about the types of content users view or interact with, the actions taken by users (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), and information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/).
As described in the Facebook Data Policy under “How do we use this information?”, Facebook collects and uses this information to provide page administrators with analytics services (“Page Insights”), which enable page administrators to understand how users interact with their pages and related content. We have entered into a special agreement with Facebook (“Information about Page Insights Data”, https://www.facebook.com/legal/controller_addendum) that specifically outlines the security measures that Facebook must implement and under which Facebook has agreed to comply with data subject rights (for example, users may submit access or deletion requests directly to Facebook). The data subject rights of users (in particular the rights of access, erasure, objection and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in “Information about Page Insights Data” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint controllership is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company located in the EU. All further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular any transfer of the data to its parent company, Meta Platforms, Inc., in the United States.
 

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/privacy/policy/
Legal basis for third-country data transfers: Data Privacy Framework (DPF) Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum)

When users contact us (e.g. by post, contact form, email, telephone or via social media), and within the context of existing user and business relationships, the information provided by the enquiring persons is processed to the extent necessary to respond to the enquiry and to carry out any requested actions.

Categories of data processed:

• Account data (e.g. full name, residential address, contact information, customer number, etc.)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)

Data subjects: Communication partners
Purposes of processing: 

• Communication
• Organisational and administrative procedures
• Feedback (e.g. collection of feedback via online forms)
• Provision of our online services and improvement of the user experience

Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.

Legal bases: Legitimate interests (Article 6(1)(f) GDPR); Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR).

Further information on processing activities, procedures and services:

Contact form: When users contact us via our contact form, by email or through other communication channels, we process the personal data transmitted to us for the purpose of responding to and handling the respective request.

This generally includes information such as

• Name
• Contact details and, where applicable, other information that is provided by the user and is necessary for proper handling of the request. We use this data solely for the stated purpose of communication and responding to enquiries.

Legal bases:

• Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)
• Legitimate interests (Article 6(1)(f) GDPR)

We use messenger services for communication purposes and therefore ask that users take note of the following information regarding the functionality of the messenger services, encryption, the processing of communication metadata, and your rights to object.
You may also contact us via alternative methods, such as by telephone or email. Please use the contact details provided or those listed within our online services.

Where content is protected by end-to-end encryption (i.e. the content of messages and attachments), this means that the communication content (i.e. the message text and any attached images) is encrypted from end to end. As a result, the content of messages cannot be accessed, not even by the messenger service providers themselves. Users should always use the latest version of the relevant messenger services with encryption enabled to ensure that message content remains encrypted. 

However, communication partners should also note that although messenger service providers cannot access the content of communications, they may determine that and when communication takes place with us and may process technical information about the devices used by communication partners and, depending on device settings, location information (so-called metadata).

Legal bases: Where we request permission from communication partners prior to communicating via messenger services, the legal basis for processing their data is their consent. In other cases, where no prior consent is requested or where users contact us on their own initiative, messenger services are used in relation to our contractual partners and in the context of contract initiation as a contractual measure, and in the case of other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication and in meeting the communication needs of our communication partners. Furthermore, please note that we do not transmit contact details provided to us to messenger service providers for the first time without consent.

Withdrawal of consent, objection and deletion: You can withdraw your consent at any time and object to communication via messenger services at any time. In the case of communication via messenger services, messages are deleted in accordance with our general deletion policies (e.g. as described above, following the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as it can reasonably be assumed that the enquiries from the communication partners have been addressed, provided that no further reference to a previous conversation is expected and that no statutory retention obligations prevent deletion.

Reservation of the right to use alternative communication channels: To ensure your security, in certain cases we may be unable to respond to enquiries via messenger services. This applies to situations where, for example, contractual details require heightened confidentiality or where a response via messenger services does not meet formal requirements. In such cases, users will be asked to use more suitable communication channels.

Categories of data processed:

• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)

Data subjects: Communication partners

Purposes of processing: Communication; direct marketing (e.g. by email or post)
Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.

Legal bases:

• Consent (Article 6(1)(a) GDPR)
• Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)
• Legitimate interests (Article 6(1)(f) GDPR)

Further information on processing activities, procedures and services:

INSTAGRAM

Messaging via the Instagram social network

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5, Ireland
Legal bases: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.instagram.com/
Privacy Policy: https://privacycenter.instagram.com/policy/

FACEBOOK MESSENGER

• Sending and receiving text messages
• Making voice and video calls
• Creating group chats
• Sharing files and media
• Transmitting location information
• Synchronising contacts
• Encrypting messages

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/privacy/policy/
Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing
Legal basis for third-country data transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum),
 

MICROSOFT TEAMS:

• Chat
• Audio and video conferencing
• File sharing
• Integration with Office 365 applications
• Real-time document collaboration, calendar features, task management, screen sharing, optional recording

Service provider:

Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park, Leopardstown
Dublin 18, D18 P521
Ireland

Legal bases: Legitimate interests (Article 6(1)(f) GDPR)
Website: www.microsoft.com/de-de/microsoft-365
Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement
Security information: https://www.microsoft.com/de-de/trustcenter
Legal basis for third-country data transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA)

WHATSAPP: 
Text messaging

• Voice and video calls
• Sending pictures, videos and documents
• Group chat function
• End-to-end encryption for enhanced security
   

Service provider:

WhatsApp Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.whatsapp.com/
Privacy Policy: https://www.whatsapp.com/legal
Legal basis for third-country data transfers: Data Privacy Framework (DPF),

We provide online chat and chatbot features as communication tools (collectively referred to as “chat services”). A chat is an online conversation conducted in near real time. A chatbot is software designed to respond to user enquiries or provide information via messages. If you use our chat services, your personal data may be processed.
 

Where chat services are used within an online platform, the relevant platform-specific user identification number is also stored. We may additionally collect information about which users interact with our chat services and when. In addition, we store the content of conversations conducted via the chat services, and registration and consent processes are logged in order to demonstrate compliance with applicable legal requirements. 

Users should be aware that the relevant platform provider may determine that and when users communicate with our chat services, may collect technical information relating to the device used and, depending on device settings, may collect location data (so-called metadata) for the purposes of service optimisation and security. Communication metadata generated through the use of chat services (i.e. information about who communicated with whom) may also be processed by the relevant platform providers, in accordance with their own terms and privacy policies (which we reference for further information) for marketing purposes or for the display of interest-based advertising.

Where users agree to receive information from a chatbot via recurring messages, they may unsubscribe from such chatbot messages at any time. The chatbot provides instructions on how and with which commands users may unsubscribe. Upon unsubscribing from chatbot messages, the user’s data is deleted from the distribution list.

We use the aforementioned information to operate and manage our chat services, for example to address users personally, to answer their enquiries and to provide any requested content, as well as to improve our chat services (for example by “teaching” chatbots the answers to frequently asked questions or identifying unanswered enquiries).

Information on legal bases:
Where we obtain users’ prior consent for data processing in connection with our chat services (this applies to cases where users are asked for their consent, e.g. so a chatbot can send them recurring messages), we operate our chat services on the basis of consent. Where chat services are used to respond to user enquiries concerning our services or our organisation, processing is carried out for the purposes of contract performance and pre-contractual communication. In all other cases, the chat services are operated on the basis of our legitimate interests, in particular in the optimisation of our chat services, their commercial and operational efficiency, and the improvement of the user experience.

Withdrawal of consent, objection and deletion:
You can withdraw your consent at any time and can object to the processing of your data in connection with our chat services at any time.

Categories of data processed:

• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
   

Data subjects: Communication partners
Purposes of processing: Communication.
Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
Legal bases: Consent (Article 6(1)(a) GDPR); Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR).

Further information on processing activities, procedures and services:

ZENDESK: 

• Customer support management
• Ticket management
• Multi-channel communication
• Knowledge base creation
• Customer feedback collection and analysis
• Support process automation
• Reporting and analysis on performance monitoring
  
  Service provider:

Zendesk, Inc.
989 Market Street #300
San Francisco, CA 94102
USA

Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)
Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.zendesk.de
Privacy Policy: https://www.zendesk.de/company/customers-partners/privacy-policy/
Data processing agreement: https://www.zendesk.de/company/data-processing-form/
Legal basis for third-country data transfers: Data Privacy Framework (DPF), 

We use hosting services provided by third-party service providers to make our audio content available for streaming and download. For this purpose, we use platforms that support the uploading, storage and distribution of audio content. 

Categories of data processed

• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)
• Log data (e.g. log files relating to logins, data retrieval or access times) 

Data subjects: Users (e.g. website visitors, users of online services) 

Purposes of processing:

• Audience measurement (e.g. access statistics, recognition of returning visitors)
• Conversion measurement (measurement of the effectiveness of marketing measures)
• User profiles (creation of profiles with user-related information)
• Provision of our online services and improvement of the user experience
• Tracking (e.g. interest-based and behaviour-based profiling, use of cookies)
• Audience segmentation
• Marketing 

 
Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”. 

Legal bases:

• Legitimate interests (Article 6(1)(f) GDPR)
• Consent (Article 6(1)(a) GDPR) 
   

Further information on processing activities, procedures and services: 
 

Spotify
Podcast hosting, publication and management of podcast content, analysis of listening behaviour and statistics, monetisation options for podcasters

Service provider
Spotify AB
Regeringsgatan 19
SE-111 53 Stockholm
Sweden

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://podcasters.spotify.com/
Privacy Policy: https://www.spotify.com/de/legal/privacy-policy/

YouTube videos
Our online services include embedded videos hosted on YouTube. These YouTube videos are integrated using YouTube’s Privacy Enhanced Mode via the “youtube-nocookie” domain.
In this privacy-enhanced mode, until a video is played, only limited information such as your IP address, browser type and device details may be stored on your device using cookies or similar technologies. This information is required by YouTube to deliver, manage and optimise video playback. Once the video is played, additional information may be processed by YouTube for the analysis of user behaviour, storage in user profiles and personalisation of content and advertising. Cookies may be stored for up to two years.

Service provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

Legal bases: Consent (Article 6(1)(a) GDPR)
Website: https://www.youtube.com
Privacy Policy: https://policies.google.com/privacy
Legal basis for third-country data transfers: Data Privacy Framework (DPF), 
Further information: https://support.google.com/youtube/answer/171780?hl=en-en

We send newsletters, emails and other electronic communications (hereinafter referred to as “newsletter(s)”) only with the recipient’s consent or where otherwise permitted by law. Where the content of the newsletter is specified at the time of subscription, that description determines the scope of the recipient’s consent. To subscribe to our newsletter, it is generally sufficient to provide an email address. However, in order to offer a more personalised experience, we may request your name so that we can address you personally in the newsletter, or request additional information where this is necessary for the purposes of the newsletter. 

Deletion and restriction of processing:
Unsubscribed email addresses may be retained for up to three years on the basis of our legitimate interests, in order to be able to demonstrate that valid consent was previously obtained. Processing of this data is restricted to the purpose of the potential defence of legal claims. An individual deletion request may be submitted at any time, provided that the prior existence of consent is confirmed at the same time. Where we are subject to an ongoing obligation to respect objections, we reserve the right to retain the relevant email address solely for this purpose in a so-called suppression list (“blocklist”). 

The subscription process is logged on the basis of our legitimate interests for the purpose of demonstrating proper compliance. Where we use a service provider to distribute emails, this is done on the basis of our legitimate interests in operating an efficient and secure email delivery system. 

Content:  Promotion of tourism-related products, services, offerings and attractions in the “Innsbruck und seine Feriendörfer” region.
Categories of data processed:

• Account data (e.g. full name, residential address, contact information, customer number, etc.)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions) 

Data subjects: Communication partners 
Purposes of processing: Direct marketing (e.g. by email or post) 
Legal basis: Consent (Article 6(1)(a) GDPR) 

Right to object (opt-out):
You can unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to further receipt. An unsubscribe link is included at the end of each newsletter. Alternatively, you may use any of the contact details provided above, preferably email. 

Further information on processing activities, procedures and services: 

Mailworx Suite:
Distribution of informational newsletters to different user groups

Service provider:
eworx Network; Internet GmbH 
Hanriederstraße 25
A-4150 Rohrbach-Berg
Austria
[email protected] 
+43 7289 200 72
Website: https://www.eworx.at/marketing-suite/en/
Privacy Policy: https://www.eworx.at/marketing-suite/en/privacy-policy

Measurement of open and click rates:
Our newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is accessed when a newsletter is opened, either from our server or, where applicable, from the server of our service provider. When the web beacon is accessed, technical information (such as browser and system data), your IP address and the time of access are collected. This information is used for technical improvement of our newsletter based on technical data and for analysis of target groups and their reading behaviour based on access location (which may be inferred from the IP address) and access times. The analysis includes determining whether and when the newsletter is opened and which links are clicked. The data is assigned to individual newsletter recipients and stored in their profiles until deletion. The analysis helps us understand our users’ reading habits and either adapt our content accordingly or send different content aligned with user interests. The measurement of open and click rates, the storage of measurement results in user profiles and the further processing of this information are all carried out on the basis of user consent. Separate withdrawal of consent for performance measurement is not possible; in such cases, the entire newsletter subscription must be cancelled or objected to. Upon cancellation, the stored profile data is deleted.

Legal basis: Consent (Article 6(1)(a) GDPR)

We process the personal data of participants in competitions, contests, prize draws and sweepstakes in accordance with applicable data protection regulations, where such processing is contractually necessary for the organisation, execution and fulfilment of the relevant activity, where participants have given their consent, or where processing is carried out on the basis of our legitimate interests (for example, to ensure the security of the activity or to protect our interests against misuse, including through the collection of IP addresses when entries are submitted).

Where entries submitted by participants are published as part of a competition, contest, prize draw or sweepstake (for example, in connection with voting, presentation of entries or winners, or reporting on the activity), participants’ names may also be published.
Participants may object to such publication at any time.

Where a competition, contest, prize draw or sweepstake is conducted via an online platform or social network (e.g. Facebook or Instagram, hereinafter referred to as an “online platform”), the terms of use and privacy policies of the relevant platforms also apply. In such cases, we remain responsible for the personal data provided by participants in connection with the competition, contest, prize draw or sweepstake, and any enquiries relating to the competition, contest, prize draw or sweepstake should be directed to us.

Participant data is deleted as soon as the relevant competition, contest, prize draw or sweepstake has ended and the data is no longer required either for informing the winners or as no further enquiries regarding the competition, contest, prize draw or sweepstake are expected. In general, participant data is deleted no later than six months after the end of the competition, contest, prize draw or sweepstake. Winners’ data may be retained for a longer period, for example to respond to enquiries regarding prizes or to fulfil prize obligations. In such cases, the retention period depends on the nature of the prize and may extend for up to three years, for example in the case of goods or services in order to handle warranty claims. Participant data may also be retained for longer periods where required, for example in the form of reports about the competition, contest, prize draw or sweepstake in online and offline media.

Where data collected in connection with a competition, contest, prize draw or sweepstake is also processed for other purposes, the processing and retention of such data is governed by the privacy information applicable to those purposes (for example, where a participant subscribes to a newsletter as part of a competition, contest, prize draw or sweepstake).

Categories of data processed:

• Account data (e.g. full name, residential address, contact information, customer number, etc.)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)
• Data subjects: Participants in competitions, contests, prize draws and sweepstakes.

Purposes of processing:

• Conducting and administering competitions, contests, prize draws and sweepstakes.

Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.

Legal bases:

• Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR)
• Legitimate interests (Article 6(1)(f) GDPR)

Further information on processing activities, procedures and services:

Competitions, contests, prize draws and sweepstakes:
We process the personal data (hereinafter also referred to as “data”) of participants in competitions, contests, prize draws and sweepstakes only in accordance with the applicable data protection regulations, where such processing is necessary for the provision, execution and handling of the relevant competition, contest, prize draw or sweepstake (Article 6 (1) (b) GDPR), where participants have consented to the processing (Article 6(1)(a) GDPR), or where processing is carried out on the basis of our legitimate interests (Article 6(1)(f) GDPR) (in particular to ensure the security of the competition, contest, prize draw or sweepstake and to protect our interests against misuse, including through the collection of IP addresses and timestamps at the time competition entries are submitted).

• Participant data is disclosed to third parties only where such disclosure is necessary for the execution of the competition, contest, prize draw or sweepstake (for example, for the delivery of prizes or to technical service providers or agencies engaged in connection with implementation of the competition) or where the participant has provided their consent.
• Participants are informed within the scope of the competition, contest, prize draw or sweepstake, which personal data is required for participation.
• Participant data is deleted as soon as the relevant competition, contest, prize draw or sweepstake has ended and the data is no longer required either for informing the winners or as no further enquiries regarding the competition, contest, prize draw or sweepstake are expected. In general, participant data is deleted no later than six months after the end of the competition, contest, prize draw or sweepstake. Winners’ data may be retained for a longer period, for example to respond to enquiries regarding prizes or to fulfil prize obligations. In such cases, the retention period depends on the nature of the prize and may extend for up to three years, for example in the case of goods or services in order to handle warranty claims.

Where data collected in connection with a competition, contest, prize draw or sweepstake is also processed for other purposes, the processing and retention of such data is governed by the privacy information applicable to those purposes (for example, where a participant subscribes to a newsletter as part of a competition, contest, prize draw or sweepstake).

TVB acts as a co-organiser – prizes are provided by sponsors.
Users submit their data via the website. The data of valid participants (winners and non-winners) is transferred from there to Mailworx and retained or deleted in accordance with the participant’s consent.

Following the conclusion of a competition, contest, prize draw or sweepstake, participant data is deleted after six months. Only data for which individuals have consented to further processing remains stored in Mailworx.

Service provider:
Different competitions, contests, prize draws and sweepstakes may be organised by different sponsors. These can be found in the relevant announcements.
Website: https://www.innsbruck.info/en/competitions/
Privacy Policy: https://www.innsbruck.info/en/privacy-policy.html

Web analytics (also referred to as “audience measurement”) is used to evaluate visitor activity on our online services and may include pseudonymous data relating to visitor behaviour, interests and demographic information such as age and gender. Audience measurement enables us, for example, to determine when our online services, their features and content are used most frequently, to encourage repeat visits, and to identify areas requiring optimisation.

In addition to web analytics, we may use testing procedures to test and optimise different versions of our online services or individual components thereof.

Unless otherwise stated below, profiles compiled from data aggregated during a user session may be created for these purposes, and information may be stored on and retrieved from a browser or device. The data collected includes, in particular, websites visited and elements used on those sites, as well as technical information such as the browser used, the operating system, and information relating to usage times. Where users have consented to the collection of location data, either by us or by the providers of the services we use, such location data may also be processed.

Users’ IP addresses are also stored. However, we apply an IP masking procedure (i.e. pseudonymisation by truncation of the IP address) in order to protect users. As a general rule, no directly identifiable user data (such as email addresses or names) is stored within the scope of web analytics, A/B testing or optimisation. Instead, pseudonymous identifiers are used. This means that neither we nor the providers of the software used can directly identify individual users; access is limited to the information stored in their profiles for the purposes of the respective processes.

Legal bases:
Where we request user consent for the use of third-party services, the legal basis for processing is consent. In all other cases, user data is processed on the basis of our legitimate interests (i.e. our interest in providing efficient, economical and user-friendly services). In this context, please also refer to the information on the use of cookies in this Privacy Policy.

Categories of data processed:

• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)
• Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing:

• Remarketing
• Audience segmentation
• Audience measurement (e.g. access statistics, recognition of returning visitors)
• User profiles (creation of profiles with user-related information)
• Provision of our online services and improvement of the user experience
• Tracking (e.g. interest-based and behaviour-based profiling, use of cookies); click tracking; A/B testing; heatmaps (aggregated visual representations of user interaction, such as mouse movements)
• Marketing

Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”. Cookies are stored for up to two years (cookies and similar storage technologies may be stored on users’ devices for up to two years, unless otherwise specified).
Security measures: IP masking (pseudonymisation of the IP address).
Legal bases: Consent (Article 6(1)(a) GDPR); Legitimate interests (Article 6(1)(f) GDPR).

Further information on processing activities, procedures and services:

GOOGLE ANALYTICS

We use Google Analytics to measure and analyse the use of our online services on the basis of a pseudonymous user identification number. This identification number does not contain any directly identifiable information such as names or email addresses. It is used to associate analysis data with a specific device in order to determine, for example, which content users access during one or more sessions, which search terms they use, whether they revisit such content, and how they interact with our online services. The time and duration of use, the sources from which users access our online services, and technical information about users’ devices and browsers are also recorded.

Pseudonymous user profiles may be created using information collected across different devices, and cookies may be used for this purpose.

Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides approximate geographic location data by deriving the following metadata from IP addresses:

• City (and the derived latitude and longitude of the city)
• Continent
• Country
• Region
• Sub-continent (and ID-based counterparts)

For EU data traffic, IP address data is used solely for the derivation of geolocation data and is deleted immediately thereafter. IP addresses are not logged, are not accessible and are not used for any other purposes. When Google Analytics collects measurement data, all IP lookups are processed on EU-based servers before the traffic is forwarded to Analytics servers for further processing.

Service provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Legal basis: Consent (Article 6(1)(a) GDPR)
Website: https://marketingplatform.google.com/intl/en/about/analytics/
Security measures: IP masking (pseudonymisation of the IP address)
Privacy Policy: https://policies.google.com/privacy
Data Processing Agreement: Google Ads Data Processing Terms
Legal basis for third-country data transfers: Data Privacy Framework (DPF) Standard Contractual Clauses Google Ads Data Processing Terms

Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en
Ads personalisation settings: https://myadcenter.google.com/personalizationoff
Further information: https://business.safety.google/adsservices/ (types of processing and categories of data processed).

GOOGLE SIGNALS (Google Analytics feature):

Google Signals are session data from sites and apps that Google associates with users who have signed in to their Google accounts, and who have turned on ads personalisation. This association of data with these signed-in users is used to enable cross-device reporting, cross-device remarketing and cross-device conversion measurement.

This includes:
Cross-platform reporting – Linking data relating to devices and activities from different sessions using your user ID or Google Signals data, enabling an understanding of user behaviour throughout the entire conversion process, from initial contact to conversion and beyond.
Remarketing with Google Analytics – Creating remarketing audiences from Google Analytics data and sharing these audiences with linked advertising accounts.
Demographics and interests – Google Analytics collects additional information about the demographics and interests of users who are signed in to their Google accounts and have enabled ads personalisation.

Service provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Legal basis: Consent (Article 6(1)(a) GDPR)
Website: https://support.google.com/analytics/answer/7532985?hl=en
Privacy Policy: https://policies.google.com/privacy
Data Processing Agreement: https://business.safety.google/adsprocessorterms
Legal basis for third-country data transfers: Data Privacy Framework (DPF) Standard Contractual Clauses https://business.safety.google/adsprocessorterms

Further information: https://business.safety.google/adsservices/ (types of processing and categories of data processed)

Target audience creation with Google Analytics:

We use Google Analytics to display advertisements placed through Google’s advertising services and those of its partners to users who have previously shown interest in our online offerings or who exhibit certain characteristics (e.g. interests in specific topics or products, determined based on the websites they have visited). This data is transmitted to Google as part of “remarketing” or “Google Analytics Audiences”. The purpose of using remarketing audiences is to ensure that advertisements are aligned as closely as possible with users’ potential interests.

Service provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Legal basis: Consent (Article 6(1)(a) GDPR)
Website: marketingplatform.google.com
Legal basis: business.safety.google/adsprocessorterms/
Privacy Policy: policies.google.com/privacy
Data Processing Agreement: business.safety.google/adsprocessorterms/
Legal basis for third-country data transfers: Data Privacy Framework (DPF)


Further information:
Types of processing and categories of data processed: business.safety.google/adsservices/; Google Ads Data Processing Terms and Standard Contractual Clauses for third-country data transfers: business.safety.google/adsprocessorterms.

Google Tag Manager:

We use Google Tag Manager, which is software provided by Google that enables the central management of website tags via a user interface. Tags are small code elements on our website that are used to record and analyse visitor activity. This technology helps us improve our website and the content made available on it. Google Tag Manager itself does not create user profiles, store cookies containing user profiles or perform independent analyses. Its function is limited to simplifying and streamlining the integration and management of the tools and services used on our website. However, when Google Tag Manager is used, users’ IP addresses are transmitted to Google, which is technically necessary to implement the services we use. Cookies may also be set. This data processing only takes place where services are integrated via Google Tag Manager. For further details about these services and their data processing, please refer to the subsequent sections of this Privacy Policy.

Service provider:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland


Legal basis: Consent (Article 6(1)(a) GDPR)
Website: marketingplatform.google.com
Privacy Policy: policies.google.com/privacy
Data Processing Agreement: business.safety.google/adsprocessorterms
Legal basis for third-country data transfers: Data Privacy Framework (DPF) Standard Contractual Clauses (https://business.safety.google/adsprocessorterms)

Hotjar Observe:

Software for analysing and optimising online services based on pseudonymous measurements and analyses of user behaviour, including A/B testing (measuring the popularity and user-friendliness of different content and functions), measurement of click paths, and interaction with content and functions of the online service (so-called heatmaps and recordings).

Service provider:
Hotjar Ltd.,
3 Lyons Range,
20 Bisazza Street,
Sliema SLM 1640, Malta.

Legal basis: Consent (Article 6(1)(a) GDPR).
Website: www.hotjar.com.
Privacy Policy: www.hotjar.com/legal/policies/privacy.
Deletion of data: Cookies used by Hotjar have different lifespans; some remain valid for up to 365 days, others only for the duration of the current visit.
Cookie Policy: www.hotjar.com/legal/policies/cookie-information.
Right to object (opt-out): www.hotjar.com/legal/compliance/opt-out.

Matomo (without cookies):

Matomo is privacy-friendly web analytics software that does not use cookies. It recognises returning users using a “digital fingerprint”, which is stored anonymously and changed every 24 hours. The “digital fingerprint” records user activity using pseudonymised IP addresses in combination with user-side browser settings, making individual user identification impossible. Data collected via Matomo is processed only by us and is not shared with third parties.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR).
Website: matomo.org.
Security measures: IP masking (pseudonymisation of the IP address).

Sojern:
Data-driven travel marketing solutions, targeted personalisation of advertising campaigns, real-time insights into travel behaviour, and multi-channel marketing across display, video, mobile devices and social media platforms. Provision of features for the display of personalised advertising based on interest-based and behaviour-based information, including users’ demographic characteristics, interests and browsing history, as stored in user profiles.

Service provider:
Sojern, Inc.,
545 Market Street, Floor 4,
San Francisco,
CA 94105, USA.

Legal bases: Consent (Article 6(1)(a) GDPR), Legitimate interests (Article 6(1)(f) GDPR).
Website: www.sojern.com.
Privacy Policy: www.sojern.com/privacy/privacy-center.

Within our online offerings, we incorporate affiliate links and other references (which may include search boxes, widgets, or discount codes) to offers and services provided by third-parties (collectively referred to as “affiliate links”). If users follow these affiliate links and subsequently make use of the associated offers and services, we may receive a commission or other form of compensation (collectively referred to as “commission”) from the relevant third-party providers.

In order to determine whether users have made use of an offer or service accessed via an affiliate link, it is necessary for the relevant third-party providers to be informed that a user has followed an affiliate link contained within our online offerings. The attribution of affiliate links to specific transactions or other actions (e.g. purchases) serves exclusively for the purpose of calculating commissions and is deleted as soon as it is no longer required for that purpose.

For the purposes of this attribution, affiliate links may be supplemented with certain values ​​that are either included in the link itself or stored by other means, e.g. in a cookie. These values ​​may include, in particular, the referring website, the time of access, an online identifier of the operator of the website on which the affiliate link was placed, an online identifier of the relevant offer or service, the type of link used, the type of offer or service, and an online identifier associated with the user.

Legal bases: Where we request user consent for the use of third-party services, the legal basis for processing is consent. In all other cases, user data is processed on the basis of our legitimate interests (i.e. our interest in providing efficient, economical and user-friendly services). In this context, please also refer to the information on the use of cookies set out elsewhere in this Privacy Policy.

Categories of data processed:

• Contract data (e.g. subject of the contract, contract duration, customer category)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)
  
  Data subjects:
• Prospective customers
• Users (e.g. website visitors, users of online services)

Purposes of processing: Affiliate tracking
Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
Legal bases:

• Consent (Article 6(1)(a) GDPR);
• Legitimate interests (Article 6(1)(f) GDPR).

 
Further information on processing activities, procedures and services:

Booking.com partner programme:
Affiliate marketing partner programme

Service provider:

Booking.com B.V.
Herengracht 597
1017 CE Amsterdam
The Netherlands

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.booking.com
Privacy Policy: https://www.booking.com/content/privacy.en-gb.html​​​​​​​

We participate in review and rating processes in order to evaluate, optimise and promote our services. When users submit ratings or feedback via participating rating platforms or processes, the terms and conditions and privacy policies of the relevant providers also apply. In most cases, users must register with the respective provider in order to submit a rating.
To ensure that reviews are submitted only by users who have actually used our services, we transmit, with the customer’s consent, the data required for verification relating to the customer and the service used to the relevant rating platform. This may include the user’s name, email address, and order number or item number). This data is used solely for the purpose of verifying the authenticity of the user.

Categories of data processed:

• Contract data (e.g. subject of the contract, contract duration, customer category)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)
• Account data (e.g. full name, residential address, contact information, customer number, etc.)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)

Data subjects:

• Service recipients and contracting parties
• Users (e.g. website visitors, users of online services)
• Prospective customers

Purposes of processing:

• Feedback (e.g. collecting feedback via online forms)
• Marketing
  Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Further information on processing activities, procedures and services:

Rating widgets:

We integrate rating widgets into our online services. A widget is a functional and content element embedded within our online services that displays dynamic information, for example in the form of a seal or similar element, sometimes also called a “badge”. Although the widget content is displayed within our online services, it is retrieved directly from the servers of the respective widget provider at the time of access. This ensures that the information displayed, in particular the current rating, is always up to date. For this purpose, a data connection is established between the webpage accessed within our online services and the widget provider’s server. The widget provider receives certain technical data (access data, including the IP address), which is required to deliver the widget content to the user’s browser. In addition, the widget provider receives information indicating that users have visited our online services. This information may be stored in a cookie and used by the widget provider to identify which participating online services have been visited by the user. The information may also be stored in a user profile and used for advertising or market research purposes.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

TrustYou:
Conducting surveys, questionnaires and feedback management

Service provider:

TrustYou GmbH
Steinerstraße 15
81369 Munich
Germany

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.trustyou.com
Privacy Policy: Privacy Policy - TrustYou

We maintain online presences on various social media platforms and process user data in this context in order to communicate with users who are active on these platforms and to provide information about our organisation.

Please note that, in this context, user data may be processed outside the European Union. This may entail risks for users, as it may, for example, make the enforcement of data subject rights more difficult.

As a rule, user data on social networks is also processed for market research and advertising purposes. For example, user profiles may be created on the basis of usage behaviour and inferred interests. These profiles may then be used to display advertising tailored to users’ presumed interests, both on and outside the respective networks. For this purpose, cookies are typically stored on users’ devices to record usage behaviour and interests. In addition, user profiles may contain data that is not associated with one specific device (in particular where users are registered with the respective platforms and logged in).

For a detailed description of the relevant processing operations and the available options for objecting or opting-out, please refer to the privacy policies and information provided by the operators of the respective social networks.

With regard to requests for access to information and the exercise of data subject rights, please note that these can generally be handled most effectively by contacting the respective platform providers directly. Only those providers have access to the relevant user data and are able to take appropriate measures or provide information directly. If further assistance is required, you may also contact us.

Categories of data processed:

• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)
• Account data (e.g. full name, residential address, contact information, customer number, etc.)

Data subjects: Users (e.g. website visitors, users of online services).

Purposes of processing:

• Communication
• Feedback (e.g. collection of feedback via online forms)
• Public relations
• Provision of our online services and improvement of the user experience
• IT infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.)

Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
Legal bases:

• Legitimate interests (Article 6(1)(f) GDPR)
• Consent (Article 6(1)(a) GDPR)

Further information on processing activities, procedures and services:

INSTAGRAM

A social network that enables users to share photos and videos, comment on and like posts, send messages, and follow profiles and pages.

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.instagram.com
Privacy Policy: https://privacycenter.instagram.com/policy/
Legal basis for third-country data transfers: Data Privacy Framework (DPF)

FACEBOOK pages:

Profiles within the Facebook social network
We act as joint controllers with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (“Fan Page”).

This data includes information about the types of content users view or interact with, the actions taken by users (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), and information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/).

As described in the Facebook Data Policy under “How do we use this information?”, Facebook collects and uses this information to provide page administrators with analytics services (“Page Insights”), which enable page administrators to understand how users interact with their pages and related content. We have entered into a special agreement with Facebook (“Information about Page Insights Data”, https://www.facebook.com/legal/terms/page_controller_addendum) that specifically outlines the security measures that Facebook must implement and under which Facebook has agreed to comply with data subject rights (for example, users may submit access or deletion requests directly to Facebook).

The data subject rights of users (in particular the rights of access, erasure, objection and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook.

Further information can be found in “Information about Page Insights Data” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint controllership is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company located in the EU. All further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular any transfer of the data to its parent company, Meta Platforms, Inc., in the United States.

Service provider:

Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/privacy/policy/
Legal basis for third-country data transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum)

FACEBOOK groups:

We use the "Groups" feature of the Facebook platform to create interest-based groups in which Facebook users can connect with one another or with us and exchange information. In this context, we process the personal data of our group members to the extent necessary for group operation, use and moderation. Our group rules or guidelines may contain additional information and instructions regarding use of the relevant group. The data processed in this context may include first and last names, content published or shared privately, group membership status, and group-related activities such as joining or leaving the group, as well as the associated timestamps.

Please also note the processing of user data carried out by Facebook itself. This data includes information about the types of content users view or interact with, the actions taken by users (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), and information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/privacy/policy/).

As described in the Facebook Data Policy under “How do we use this information?”, Facebook collects and uses this information to provide page administrators with analytics services (“Insights”), which enable group administrators to understand how users interact with their groups and related content.

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/privacy/policy/
Legal basis for third-country data transfers: Data Privacy Framework (DPF), 

LinkedIn: Social network 

We act as joint controllers with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of visitor data used to generate “Page Insights” (statistics) for our LinkedIn profiles.

The data collected in this context includes information about the types of content users view or interact with, as well as actions taken by users. In addition, information about the devices used is collected, such as IP addresses, operating system, browser type, language settings, and cookie data. The data may also include information from user profiles, such as job title, country, industry, seniority level, company size, and employment status. Further information on the processing of personal data by LinkedIn can be found in LinkedIn’s privacy policy: www.linkedin.com/legal/privacy-policy.

We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, LinkedIn Pages Joint Controller Addendum) that specifically outlines the security measures that LinkedIn must implement and under which LinkedIn has agreed to comply with data subject rights (for example, users may submit access or deletion requests directly to LinkedIn).
The data subject rights of users (in particular the rights of access, erasure, objection and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint controllership is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company located in the EU. All further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular any transfer of the data to its parent company, LinkedIn Corporation, in the United States.

Service provider:
LinkedIn Ireland Unlimited Company
Wilton Place
Dublin 2
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.linkedin.com
Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Legal basis for third-country data transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa),
Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Pinterest:
A social network that enables users to share photos, comment on posts, mark content as favourites, curate posts, send messages and follow profiles.

Service provider:
Pinterest Europe Limited
2nd Floor, Palmerston House
Fenian Street
Dublin 2
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Website: www.pinterest.com

Privacy Policy: policy.pinterest.com/en/privacy-policy

Threads:
Social network

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Website: www.threads.net

Privacy Policy: help.instagram.com/515230437301944

TikTok:
A social network that enables users to share photos and videos, comment on content, mark content as favourites, send messages, and follow accounts.

Service provider:
TikTok Technology Limited
10 Earlsfort Terrace
Dublin, D02 T380
Ireland

and

TikTok Information Technologies UK Limited
Kaleidoscope
4 Lindsey Street
London, EC1A 9HP
United Kingdom

Legal basis: Consent (Article 6(1)(a) GDPR)

Website: www.tiktok.com

Privacy Policy: www.tiktok.com/legal/page/eea/privacy-policy/en

X:
Social network

Service provider:
Twitter International Company
One Cumberland Place
Fenian Street, Dublin 2, D02 AX07
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://x.com
Privacy Policy:

x.com/en/privacy

policies.google.com/privacy

: myadcenter.google.com/personalizationoff

We integrate functional and content elements into our online services that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These elements may include, for example, graphics, videos or maps (hereinafter collectively referred to as “content”).
In order to enable this integration, the third-party providers must process users’ IP addresses, as content cannot be transmitted to users’ browsers without them. The IP address is therefore required in order to display this content and/or these functions. We endeavour to use only content from providers that process IP addresses solely for the purpose of delivering the requested content. However, third-party providers may also use so-called “pixel tags” (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags make it possible to analyse information such as visitor traffic on the pages of this website. The information may also be processed in pseudonymised form and stored in cookies on the user’s device. It may contain details such as technical information concerning the browser and operating system, referring websites, the time of access and other information relating to the use of our online services. This information may also be combined with similar information from other sources.

Legal bases:
Where we request user consent for the use of third-party services, the legal basis for processing is consent. In all other cases, user data is processed on the basis of our legitimate interests (i.e. our interest in providing efficient, economical and user-friendly services). In this context, please also refer to the information on the use of cookies in this Privacy Policy.

Categories of data processed:

• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
• Metadata, communication data and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved)
• Event data (Facebook) (“Event data” is information sent to the provider Meta via Meta pixels (whether through apps or other channels) and relates to individuals or their actions. This data may include information about website visits, interactions with content and features, app installations, and product purchases. Event data is processed for the purpose of creating target groups for content and advertising communications (custom audiences). It is important to note that event data does not include the actual content of communications, such as comments, nor does it include login details or contact information such as names, email addresses, or telephone numbers. “Event data” is deleted by Meta after a maximum retention period of two years. Any target groups created on the basis of this data disappear when our Meta user accounts are deleted.)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)

Data subjects:

• Users (e.g. website visitors, users of online services)
• Purposes of processing:
• Provision of our online services and improvement of the user experience
• Audience measurement (e.g. access statistics, recognition of returning visitors)
• Tracking (e.g. interest-based and behaviour-based profiling, use of cookies)
• Audience segmentation
• Marketing
• User profiles (creation of profiles with user-related information)

Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”. Cookies are stored for up to two years (cookies and similar storage technologies may be stored on users’ devices for up to two years, unless otherwise specified).

Legal bases: Consent (Article 6(1)(a) GDPR); Legitimate interests (Article 6(1)(f) GDPR)

Further information on processing activities, procedures and services:

Integration of third-party software, scripts or frameworks (e.g. jQuery): We integrate third-party software components into our online services that are retrieved from external servers (e.g. software libraries used to support the presentation, functionality or user-friendliness of our online services). In this context, the respective providers receive the user’s IP address, which may be processed for the purpose of transmitting the software to the user’s browser, for security purposes, and for the evaluation and optimisation of their services. -
We integrate third-party software into our online services that is retrieved from external servers (e.g. software libraries used to support the presentation or user-friendliness of our online services). In this context, the respective providers receive the user’s IP address, which may be processed for the purpose of transmitting the software to the user’s browser, for security purposes, and for the evaluation and optimisation of their services.

Legal bases: Legitimate interests (Article 6(1)(f) GDPR)

Facebook plugins and content:

This may include, for example, content such as images, videos, text and buttons that allow users to share content from this website within Facebook. The list and appearance of Facebook social plugins can be found here: developers.facebook.com/docs/plugins/ -

We act as joint controllers with Meta Platforms Ireland Limited for the collection or receipt by way of transmission (but not the subsequent processing) of “event data” that Facebook collects or receives by way of transmission via Facebook social plugins (and content embedding functions) implemented on our online services, for the following purposes:
a) Display of content and advertising information aligned with users’ presumed interests.
b) Delivery of commercial and transactional messages (e.g. contacting users via Facebook Messenger).
c) Improvement of ad delivery and personalisation of features and content (e.g. improving recognition of content or advertising likely to be of interest to users).

We have entered into a special agreement with Facebook (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum) that specifically outlines the security measures that Facebook must implement (https://www.facebook.com/legal/terms/data_security_terms) and under which Facebook has agreed to comply with data subject rights (for example, users may submit access or deletion requests directly to Facebook).
Note: When Facebook provides us with metrics, analyses and reports (which are aggregated, meaning they do not contain information about individual users and are anonymised for us), this processing does not take place under joint controllership, but on the basis of a data processing agreement (“Data Processing Terms”, ​​https://www.facebook.com/legal/terms/dataprocessing), “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the United States, on the basis of Standard Contractual Clauses (“Facebook EU Data Transfer Addendum”, https://www.facebook.com/legal/EU_data_transfer_addendum).
The data subject rights of users (in particular the rights of access, erasure, objection and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook.

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Consent (Article 6(1)(a) GDPR)
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/privacy/policy/
Legal basis for third-country data transfers: Data Privacy Framework (DPF), Data Privacy Framework (DPF).

Google Fonts (hosted on our own server):
Provision of font files for the user-friendly presentation of our online content.

Service provider:
The Google Fonts files are hosted on our server. No personal data is transmitted to Google.
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Font Awesome (hosted on our own server):
Display of fonts and icons.
 

Service provider:
The Font Awesome icons are hosted on our server. No personal data is transmitted to Font Awesome or its provider.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Instagram plugins and content:
This may include, for example, content such as images, videos, text and buttons that allow users to share content from this website within Instagram.

We act as joint controllers with Meta Platforms Ireland Limited for the collection or receipt by way of transmission (but not the subsequent processing) of “event data” that Facebook collects or receives by way of transmission via Instagram features (e.g. content embedding functions) implemented on our online services, for the following purposes:
a) Display of content and advertising information aligned with users’ presumed interests.
b) Delivery of commercial and transactional messages (e.g. contacting users via Facebook Messenger).
c) Improvement of ad delivery and personalisation of features and content (e.g. improving recognition of content or advertising likely to be of interest to users).

We have entered into a special agreement with Facebook (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum) that specifically outlines the security measures that Facebook must implement (https://www.facebook.com/legal/terms/data_security_terms) and under which Facebook has agreed to comply with data subject rights (for example, users may submit access or deletion requests directly to Facebook).
Note: When Facebook provides us with metrics, analyses and reports (which are aggregated, meaning they do not contain information about individual users and are anonymised for us), this processing does not take place under joint controllership, but on the basis of a data processing agreement (“Data Processing Terms”, ​​https://www.facebook.com/legal/terms/dataprocessing), “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the United States, on the basis of Standard Contractual Clauses (“Facebook EU Data Transfer Addendum”, https://www.facebook.com/legal/EU_data_transfer_addendum).

The data subject rights of users (in particular the rights of access, erasure, objection and to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook.

Service provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4, D04 X2K5
Ireland

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.instagram.com
Privacy Policy: https://privacycenter.instagram.com/policy/

OpenStreetMap:
We integrate maps from the “OpenStreetMap” service, which is provided by the OpenStreetMap Foundation (OSMF) under the Open Data Commons Open Database License (ODbL). OpenStreetMap processes user data solely for the purpose of displaying map content and for the temporary storage of selected settings. The data processed may include, in particular, users’ IP addresses and location data, however this is not collected without the user’s consent (typically granted through the user’s device or browser settings).

Service provider:
OpenStreetMap Foundation (OSMF)

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://www.openstreetmap.de
Privacy Policy: https://osmfoundation.org/wiki/Privacy_Policy

YouTube videos:
Video content

Service provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

Legal basis: Consent (Article 6(1)(a) GDPR)
Website: https://www.youtube.com
Privacy Policy: https://policies.google.com/privacy
Legal basis for third-country data transfers: Data Privacy Framework (DPF)
Right to object (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Ads personalisation settings: https://myadcenter.google.com/personalizationoff


Vimeo video player:
Integration of a video player

Service provider:
Vimeo Inc.
Attn: Legal Department, 555 West 18th Street New York, New York 10011, USA

Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website: https://vimeo.com
Privacy Policy: https://vimeo.com/privacy
Data Processing Agreement: https://vimeo.com/enterpriseterms/dpa
Legal basis for third-country data transfers: Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa), Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa)

In the context of our whistleblowing procedure (https://www.innsbruck.info/compliance.html), we engage external service providers (see below). We comply with all applicable legal requirements and ensure that our external service providers also comply with the technical and organisational security measures implemented by us.

Categories of data processed:

• Account data (e.g. full name, residential address, contact information, customer number, etc.)
• Employee data (information relating to employees and other persons in an employment or comparable working relationship)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps)
• Usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions)
  
  Data subjects:
• Employees (e.g. staff members, applicants, temporary workers and other personnel)
• Third parties Whistleblowers

Purposes of processing: Whistleblower protection.
Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.

Legal bases:

• Consent (Article 6(1)(a) GDPR)
• Legal obligation (Article 6(1)(c) GDPR)
• Legitimate interests (Article 6(1)(f) GDPR).
•  

Further information on processing activities, procedures and services:
Submission of whistleblower reports (anonymous or non-anonymous)

Service provider:
Dr. Werner Pilgermair
Maria-Theresien-Straße 7/1
A-6020 Innsbruck Austria

Website: www.hinweisgeberschutz.at
Privacy Policy: www.hinweisgeberschutz.at/#/datenschutz

The term “cookies” refers to technologies that store information on, or access information from, users’ devices. Cookies may serve various purposes, including ensuring the functionality, security, and user-friendliness of online services, as well as analysing usage behaviour. We use cookies in accordance with applicable legal requirements. Where required, we obtain users’ consent in advance. Where consent is not required, processing is carried out on the basis of our
legitimate interests. This applies in particular where the storage and access of information is strictly necessary in order to provide explicitly requested content and functions, such as saving user settings or ensuring the functionality and security of our online services. Users may withdraw their consent at any time. We provide clear information about the scope of consent and the cookies used.

Information on data protection legal bases: Whether we process personal data using cookies depends on consent. Where users have provided consent, that consent constitutes the legal basis for processing. Where consent is not required, processing is carried out on the basis of our legitimate interests, as described above in this section and in the context of the relevant services and processing operations.

Storage duration: cookies are classified according to their storage duration:

• Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest when users leave an online service and close the browser or application through which it was accessed.
• Persistent cookies: Persistent cookies remain stored even after the browser or application is closed. They allow, for example, login status to be saved and preferred content to be displayed when users revisit a website. Data collected using cookies may also be used for audience measurement. Unless users are provided with explicit information about the type and storage duration of cookies (e.g. when consent is obtained), users should assume that cookies are persistent cookies and may be stored for a period of up to two years.

General information on revocation and objection (opt-out): Users may withdraw their consent at any time and may object to the processing of their personal data in accordance with applicable legal requirements, including by managing or restricting the use of cookies through the privacy settings of their browser.

Categories of data processed:

• Metadata,
• communication data and
• procedural data (e.g. IP addresses, timestamps, identifiers, persons involved);
• content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps);
• usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions).

Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online services and improvement of the user experience; IT infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.)
Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR); Consent (Article 6(1)(a) GDPR).

Further information on processing activities, procedures and services:

Processing of cookie data on the basis of consent:
We use a consent management solution to obtain users’ consent for the use of cookies, as well as for the processing operations and service providers specified within the consent management solution. This process is used to obtain, document, manage, and enable the withdrawal of consent, in particular in relation to the use of cookies and comparable technologies used to store, access, and process information on users’ devices. As part of this process, users’ consent is obtained for the use of cookies and the associated processing of information, including the specific processing activities and service providers identified within the consent management process. Users also have the option to manage and withdraw their consent. Consent declarations are stored in order to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or by means of similar technologies in order to assign the consent to a specific user or device. Where no specific information is available regarding the providers of consent management services, the following general information applies: Consent records are stored for a period of up to two years. A pseudonymous user identifier is created and stored together with the time of consent, details regarding the scope of consent (e.g. cookie categories and/or service providers), and information about the browser, operating system, and device used.

Legal basis: Consent (Article 6(1)(a) GDPR)

Typo3
Content management, website creation and administration, multilingual content support, user and rights management, integration of extensions and plugins, search engine optimisation, responsive design support, workflow management, content versioning.
Service provider: Processing is carried out on servers and/or systems under the organisation’s own responsibility as a data controller.
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
Website

: typo3.com

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses cookies that enable an analysis of how users interact with the website. 

Information generated by cookies about the use of this website is generally transmitted to and stored on Google servers in the United States. The European Commission has adopted an adequacy decision for the transfer of personal data to the USA. Google processes the transmitted data on behalf of the website operator in order to evaluate website usage, compile reports on website activity, and provide other services related to website activity and internet usage.

Google may also transfer this data to third parties where required to do so by law or where such third parties process the data on Google’s behalf. 

Where IP anonymisation is enabled on this website, users’ IP addresses are shortened by Google within the European Union or the European Economic Area prior to transmission. Only in exceptional cases is the full IP address transmitted to Google servers in the United States and shortened there. IP anonymisation is enabled by default on this website.

Users may prevent the storage of cookies by Google Analytics by adjusting their browser settings accordingly. However, this may result in limited website functionality. Users may also prevent Google from collecting and processing data generated by cookies and related to their use of the website by downloading and installing the browser plug-in available at: tools.google.com/dlpage/gaoptout.

Further information on the terms of service and data protection for Google Analytics can be found at https://marketingplatform.google.com/about/analytics/terms/gb/.

Google Remarketing 

This website uses Google Remarketing. Google Remarketing is an advertising service provided by Google that enables previous visitors to this website to be targeted with interest-based advertising. 

Third-party providers, including Google, display advertisements on numerous websites across the internet. For this purpose, cookies are stored on users’ devices and used during subsequent visits to other websites in order to display advertisements based on users’ previous interactions with this website. Users are identified via cookies placed in the web browsers. The cookies allow analysis of users’ behaviour when visiting this website and may subsequently be used for targeted product recommendations and interest-based advertising. 

If users do not wish to receive interest-based advertising, they may disable Google’s use of cookies for these purposes, and customise advertising in the Google Display Network via the Ads Settings Manager by visiting the DoubleClick opt-out page. Alternatively, users may disable the use of third-party cookies by visiting the Network Advertising Initiative opt-out page or by disabling cookies in their browser settings. 

Further information is available at support.google.com/adwords/answer/2453998

Hotjar 

To improve the user experience on this website, the website operator uses Hotjar, a feedback and analytics service provided by Hotjar Ltd. (“Hotjar”), Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe. 

Hotjar enables the website operator to measure and analyse user behaviour on the website (e.g. mouse movements, clicks, scroll depth, etc.). For this purpose, Hotjar places cookies on users’ devices and transmits user’s IP addresses to a Hotjar server, where they are stored in anonymised form for a maximum period of one year. 

Further information on data processing by Hotjar is available at: https://www.hotjar.com/legal/policies/privacy

Users may opt out of Hotjar tracking via the following link: https://www.hotjar.com/opt-out

In addition, users may prevent the storage of cookies by Hotjar by adjusting their browser settings accordingly. In such cases, the functionality of this website may be limited.

Server log files

The website provider automatically collects and stores information transmitted by users’ browsers in so-called server log files. This information includes:

• Browser type and version
• Operating system
• Referrer URL
• Hostname of the accessing device
• Time of the server request

​​​​​​​This data is not assigned to specific individuals and is not combined with other data sources. We reserve the right to review this data retrospectively where there are concrete indications of unlawful use.

Open cookie settings