THE MANDALA SUITES - Data Privacy Policy

We are pleased that you are visiting our homepage and thank you for your interest. Dealing with the data of website visitors, but also of our customers and business partners, is a matter of trust. The trust placed in us is very important to us and therefore the significance and obligation to handle your data with care and to protect it from misuse.

THE MANDALA SUITES specifically follows the EU General Data Protection Regulation (GDPR) as well as the current Federal Data Protection Act (BDSG). To protect your personal data during internet use, we comply with Germany's Telecommunications and Digital Services Data Protection Act (TDDDG). In the following, we explain what information we collect during your visit to our website and how it is used. In the following, we explain what information we collect during your visit to our website and how it is used.

In addition, we would also like to inform you about how we store and use personal data that we have obtained via other channels.

The responsible person in the sense of the GDPR and other data protection regulations is the:

The Mandala Suites GmbH

Friedrichstrasse 185-190

D-10117 Berlin

Tel.: +49 (0) 30 20 29 20

Mail: suites@themandala.de

The data protection officer of the data controller is:

Andreas Thurmann

DataSolution LUD GmbH

Isarstr. 13

D-14974 Ludwigsfelde

Mail: mail@hoteldatenschutz.de

Scope of the processing of personal data

As a matter of principle, we collect and use personal data of our users only insofar as this is necessary for the provision of a functional website as well as our contents and services. The collection and use of our users' personal data regularly only takes place with the user's consent. An exception applies in cases where it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by legal regulations.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 (1) lit. a GDPR serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures. If processing of personal data is necessary to comply with a legal obligation (statutory provisions) to which our company is subject (e.g. federal registration laws), Art. 6 (1) c GDPR serves as the legal basis. If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) f GDPR serves as the legal basis for the processing.

Data deletion and storage period

The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

The object of THE MANDALA hotel group is the operation of multiple hotels in Berlin (Germany) under joint responsibility. The collection, processing, and use of data are carried out to fulfill the stated purpose.

Hotels, guesthouses, and other accommodation establishments are permitted to collect and store their guests’ personal data through automated procedures, as far as necessary within the framework of the accommodation contract. This typically includes billing data related to food and beverages, telephone calls made from the room, and/or other hotel-specific services. Hotels and accommodation establishments are legally obligated under national registration regulations to request guest information such as first and last name, date of birth, place of residence, and nationality.

The Mandala Management GmbH, Friedrichstraße 185-190, 10117 Berlin, is responsible for central reservation management. To enhance our services, we manage all collected data within our central hotel software. The responsible entity is the hotel at which the booking is made. The respective booking data is only accessible to the responsible entity. The master data of a guest is used jointly to make a reservation at another hotel at a later date, to reschedule a booking, or to carry out centralized marketing activities. For this purpose, central services such as reservations and marketing access this data. The legal basis for data processing is our legitimate interest in data processing within the scope of centralized management and utilization of customer and business partner data within the hotel group.

Service Utilization

If service benefits are claimed, only the data necessary for the provision of the services will generally be collected. Should additional data be collected, it constitutes voluntary information. The processing of personal data is carried out solely to fulfill the requested service and to safeguard legitimate business interests.

Contact information of guests may later be used by the sales department for advertising purposes, mainly through mailings. The use of the email address requires the guest's consent.

Data processing for other purposes than those mentioned will only take place if these processes are permissible under Art. 6 (4) GDPR and are compatible with the original purposes of the contractual relationship. We will inform you of any such further data processing prior to its execution.

Legal Basis for Data Processing

The legal basis for data processing is the conclusion of an accommodation contract with the guest. The transmitted data is stored in our hotel software and used to execute the contract. Should no contractual relationship be established, the data will be deleted one year after the end of the calendar year.

Data Subjects, Data, and Data Categories

To fulfill the specified purpose, the following categories of personal data are collected, processed, and used:

• Guest data (e.g., first and last name, address data, contact data, reservation data, guest preferences, billing data)

• Other customer data (e.g., address data, billing and service data)

• Prospective customer data (e.g., accommodation interest, address data)
  

Recipients of the Data

Data may be communicated to the following recipients:

• Internal departments involved in the execution and fulfillment of the respective business processes (e.g., hotels within the hotel group, central reservation, accounting, sales & marketing, IT organization)

• Public authorities that receive data due to legal regulations (e.g., law enforcement authorities, public sector authorities)

• External contractors according to Art. 28 GDPR (service providers)

• Other external entities (e.g., credit institutions, companies, if the data subject has given written consent or if transmission is permissible based on an overriding legitimate interest)
  

Purpose of Data Processing

The primary purpose of collecting, processing, or using personal data is to manage, serve, and accommodate guests within the framework of the accommodation contract.

Data Retention Period

The law prescribes various retention obligations and periods. Once these periods expire, the respective data and records are routinely deleted or anonymized, provided they are no longer required for contract fulfillment. Commercial or financially relevant data of a completed fiscal year will be deleted after an additional ten years in compliance with legal requirements, unless longer retention periods are prescribed or justified for other reasons. Reservation documents may be destroyed after six years, while special registration forms will be deleted at the end of the year after one year.

Right to Object

You have the right to object to the processing of your data at any time. For this purpose, we have set up the following email address: widerruf@themandala.de

During your stay at our hotel, we collect and process guest information in our hotel software. Data from the following groups of individuals may be stored:

• Guests, business partners, companies

• Prospective and potential clients (e.g., inquiries regarding offers)
  

The stored data may include:

• First and last name

• Date of birth

• Contact details (phone, email address)

• Address

• Nationality

• Company

• ID and passport details

• Data on service utilization

• Billing data

• Payment processing data (e.g., credit card information)

• Video recordings for evidence collection in cases of vandalism, burglary, robbery, or other criminal offenses

If you made your booking via a hotel portal, travel operator, or travel agency, your data will be forwarded to us by these providers to fulfill the concluded contract.

Purposes and Legal Basis for Data Processing

We use the personal data you provide solely for the purpose of fulfilling the agreed contractual services, namely managing, accommodating, and catering to guests within the framework of the accommodation contract.

We store your data in our hotel software as well as in reservation, billing, and payment applications. In addition to your personal data, this may include billing data for food and beverages, telephone calls made from the room, and/or other hotel-specific services.

Hotels are legally required by registration regulations (§ 29 ff. Federal Registration Act) to have foreign guests complete a registration form either on-site or online. This form includes, in addition to first and last names and address, information about the date of birth, nationality, and accompanying family members. We must also request an ID number. All other information is voluntary.

If service benefits are claimed, only the data necessary for the provision of the services will generally be collected. If additional data is collected, it constitutes voluntary information. The processing of personal data is carried out exclusively to fulfill the requested services and to safeguard legitimate business interests pursuant to Art. 6 para. 1 lit. f GDPR.

Data is used for the following purposes:

• Registration upon arrival and departure, including completion of the registration form

• Issuance of the room card for yourself and fellow travelers

• Execution of requested services

• Payment processing

• Storing preferences for future hotel stays

Guest contact information may later be used for advertising purposes. The use of the email address requires your consent.

Data processing for other purposes will only take place if such processing is permitted under Art. 6 para. 4 GDPR and compatible with the original purposes of the contractual relationship. We will inform you of any such further data processing prior to its execution.

Recipients of the Data

Data may be communicated to the following recipients:

• Public authorities that receive data based on legal regulations (e.g., law enforcement authorities, public sector bodies)

• Internal departments involved in the execution and fulfillment of the respective business processes (e.g., administration, accounting, sales & marketing, IT organization)

• External contractors in accordance with Art. 28 GDPR (service providers)

• Other external entities (e.g., credit institutions)
  

Data Deletion

The legislator has enacted various retention obligations and periods. After these periods expire, the respective data and records are routinely deleted if they are no longer required for contract fulfillment. Commercial or financially relevant data of a completed fiscal year will be deleted after an additional ten years, in accordance with legal requirements, unless longer retention periods are prescribed or justified for other reasons. Reservation documents may be destroyed after six years, while the registration form will be deleted at the end of the year following a one-year retention period. If data is not affected by these requirements, it will be deleted as soon as the stated purposes no longer apply.

Video recordings are stored for 72 hours.

We would like to send a welcome email to guests who have provided their email address during the booking process or whose email address we already possess. A few days before arrival, these guests receive a reservation overview by email and are asked to register online. The data collected during the online check-in can be used by us to generate an electronic registration form.

These emails are sent via the Code2Order platform of straiv GmbH, Industriestraße 23, 70565 Stuttgart, Germany. Straiv has committed to handling your data in compliance with data protection regulations and takes all organizational and technical measures to protect your data. For more information on data protection, please refer to straiv’s privacy policy.

When using the software, personal data is processed. This may include the following personal data:

• Basic and communication data (e.g., first and last name, email address, phone number)

• Address data (e.g., street, house number, postal code, city, country)

• Booking and travel data (e.g., arrival and departure dates, booking number, room number)

• Registration form data (e.g., nationality, date of birth, passport number, digital signature)

• Billing data (e.g., billing address, prices, booked services such as parking, gym)

• Usage data (e.g., start, duration, and end of use, used feature, language, browser, and operating system)

• Geodata (e.g., GPS location)

Not every data category listed above is collected or queried during each software use. This depends on the individual settings we have made or the services we use. The software can generally be used without user registration.

Legal Basis for Data Processing

The legal basis for data processing is our legitimate interest in data processing within the framework of the booking. For data processing arising from communication, we have a legitimate interest in processing the data in accordance with legal requirements, for internal review, or for the specific communication purpose, as long as the communication does not serve to fulfill the contractual relationship.

The personal data we collect during online check-in is intended to complement your data for contract fulfillment in our hotel software. Additionally, if applicable, the data may be used to open the room door via an app. A system check ensures that you are authorized to request or use a provided service.

If we are legally required to collect and store personal data (e.g., registration form data), we base the processing on fulfilling a legal obligation, in the case of the registration form on § 29 ff. of the Federal Registration Act (BMG).

If we request your consent for certain processing operations, we rely on the legal basis of consent for processing these personal data. You can withdraw your consent at any time. Withdrawal does not affect the legality of processing carried out based on consent before the withdrawal.

Purpose of Data Processing

By contacting you, we aim to inform you prior to your upcoming stay and give you the opportunity to check in in advance and fill out the electronic registration form.

Categories of Recipients

• Straiv as the software provider and its subcontractors for hosting, SMS, email distribution, and chatbot provision. If necessary and consented to, data processors in third countries (e.g., USA) may also be involved.

• Other service providers we engage (e.g., hotel reservation system, door system, chatbot, operations & communication software)

• Payment service providers

• Other external entities, if the data subject has given consent or if transmission is permissible due to overriding interest

• Public authorities in case of legal obligations: We may disclose information about you to legitimately acting authorities or law enforcement agencies if required by law (legal basis: Art. 6 (1) lit. c) GDPR).

Data Deletion

The data will be deleted as soon as it is no longer necessary for the purpose. Video recordings are stored for 72 hours.

Use of Cookies and Similar Technologies by Straiv

The software uses cookies and similar technologies to enhance user-friendliness. You can generally disable the use of cookies by configuring your browser accordingly. You can also change your preferences at any time. The following technically necessary cookies and similar technologies (local storage) are used:

• straiv.io, swVersion, stores the Service Worker version or current software version, validity: 1 year

• straiv.io, current_version, stores software version, validity: 1 year

• straiv.io, current_guest, stores current guest session, validity: 1 year

• straiv.io, current_business, stores hotel information: name, address, geo-position, time zone, media links (logo, icon), contact data, activated languages, validity: 1 year

• straiv.io, secure_ls__metadata, encryption, validity: 1 year

Third-party analytical cookies:

• Google Maps, validity: 3 months (Google Ireland Limited)

• App Monitoring, Error Tracking & Real User Monitoring (SmartBear Software Inc.)

• Product Analytics (PostHog Inc., Datadog, Inc.)

Legal basis for the use of cookies is your consent, which can be revoked at any time.

Communication via WhatsApp

If you consent to receiving messages via WhatsApp, we will process your personal data (e.g., name, phone number, message content) through WhatsApp Ireland Limited. Straiv uses Bird B.V. as a subcontractor according to Art. 28 GDPR. The WhatsApp LLC is certified under the Trans-Atlantic Data Privacy Framework (TADPF). You can revoke your consent at any time by sending a message with 'WIDERRUF' or via email.

Chatbot Use

We may use a chatbot provided by straiv GmbH on our website to answer questions about our hotel and your stay. The chatbot processes personal data such as first name, age, reservation number, arrival, and departure dates. You can withdraw your consent at any time by closing the chat window. The chat data will be deleted after one year.

Right to Object

You have the right to object to the processing of your data at any time. Please use the following email address: widerruf@themandala.de

Description and Scope of Data Processing

For the support, consulting, and advertising of corporate clients, we collect and use, in addition to the business partner or potential business partner, the contact person’s name, phone number, and postal address. We obtain this information from various sources, either through an inquiry (by email or phone) or from events, trade fairs, business cards received by our sales staff, etc.

Legal Basis for Data Processing

The legal basis for processing the data is our legitimate interest in data processing. If the contact aims to conclude a contract, the additional legal basis for processing is the contractual relationship.

To enhance our services, we manage all collected data in the CRM module of our central hotel software within THE MANDALA. The responsible entity is the hotel with which a business contact exists. Central services such as sales, banquet, reservations, and marketing access these data. The legal basis for data processing is our legitimate interest in data processing within the framework of centralized management and utilization of our customers' and business partners' data within the hotel group.

Purpose of Data Processing

We use these contact data exclusively for our own purposes and to tailor our sales activities to specific needs.

Data Retention Period

Generally, no deletion period is specified. However, if our sales department has had no contact with the corporate contact within three years, a decision will be made by the sales team as to whether the corporate contact person should be deleted.

If the contact represents a pre-contractual relationship (offer, booking, or reservation inquiry), the transmitted data are additionally stored in our hotel software and used for contract fulfillment. If no contractual relationship is established, we delete the data after one year at the end of the year.

Right to Object

As a contact person of a corporate client, you have the right to object to the processing of your data at any time. To do so, please use the following email address: widerruf@themandala.de. In this case, all personal data of the contact person stored in connection with the business partner will be deleted.

Description and scope of data processing

Former guests can leave a review at our hotel after check-out. For this purpose, we would like to send you an email within 14 days after departure to ask you to submit a hotel review. Each evaluation can be published anonymously upon request. If you did not feel comfortable in our hotel, we would like to take the opportunity to contact you.

If you submit an online rating on our website, the data will be stored in the rating tool of CA Customer Alliance GmbH, Ullsteinstr. 118, Turm B, D-12109 Berlin, Germany. CA Customer Alliance GmbH has undertaken to handle your transmitted data in accordance with data protection regulations. It takes all organisational and technical measures to protect your data.

If you, as a former guest, take advantage of this online evaluation option, your data will be stored in the evaluation mask. These data are: E-mail address as well as voluntary details such as first name, last name, language and the details of the rating.

Legal basis for data processing

The legal basis for the processing of the data is our legitimate interest in the processing of the data in connection with § 7 para 3 UWG (Unfair Competition Act).

Purpose of the data processing

The purpose of the hotel evaluation is to communicate and summarise opinions of hotel guests via our website, so that interested parties can form their own opinion about our services. In addition, the results serve our internal quality management.

The data will only be used for the publication of the rating and for arbitration in case of bad ratings.

Duration of storage

The data will not be deleted.

Possibility of objection and removal

It is possible to have the publication of the rating deleted at any time (right to be forgotten). We have set up the e-mail address widerruf@themandala.de for this purpose. Please let us know which rating you are referring to.

Description and scope of data processing

On our website, you have the option of subscribing to our newsletter service in various ways. If you take advantage of this option, the data entered in the input mask will be transmitted to us and stored. These data are: E-mail address, if applicable first name, last name, language and interest in one or more topics.

If you register for a newsletter from our websites, the data will be stored in our newsletter tool by Mailchimp, The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. For further information on data protection, please see the FAQ on the GDPR.

If we otherwise receive an email address where the recipient clearly tells us that they would like to receive our newsletter, we will collect their details via the input mask on our website.

Legal basis for data processing

The legal basis for the processing of the data is the existence of the recipient's consent. This is ensured by a double-opt-in procedure.

Purpose of the data processing

The processing of personal data is solely for the purpose of sending individual newsletters.

Duration of storage

The data will be deleted as soon as the newsletter service is cancelled.

Possibility of objection

You have the option to object to the processing of your data at any time. You can unsubscribe from the newsletter service with each newsletter. In addition, we have set up the e-mail address widerruf@themandala.de. Please let us know the e-mail address here.

Description and scope of data processing

On our website, you have the option of commenting on one of our entries. If you take advantage of this option, the data entered in the input mask will be transmitted to us, stored and published on our website. These data are: Name, e-mail address and the comment.

Legal basis for data processing

The legal basis for the processing of the data is initially our legitimate interest in the data processing as well as the existence of the user's consent by accepting our conditions for data processing.

Purpose of the data processing

The processing of personal data is solely for the purpose of publishing comments on our contributions.

Duration of storage

The data will be deleted if the processing or publication of the data is objected to (right to be forgotten).

Possibility of objection and removal

You have the option to object to the publication of your comments for the future at any time. For this purpose, we have set up the e-mail address widerruf@themandala.de.

Description and scope of data processing

You have the option of applying for a job or sending us a speculative application. You can do this preferably via our website, by e-mail or in paper form. From our website you can access our job advertisements. If you take this opportunity, we will store general information about you in an administration programme. These data are:

• First name, last name
• E-mail address
• Phone
• Application date
• For which position applied
• Curriculum vitae and other application documents (upload)
• Your message to us

In addition, we may forward your application internally to the responsible head of department. The data will not be passed on to third parties in this context. The data will only be used for processing the application and for communication.

Legal basis for data processing

The legal basis for the processing of the data is the processing for a contract initiation relationship or contractual relationship.

Purpose of the data processing

The processing of personal data is solely for the purpose of processing the application.

Duration of storage

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. If you are not hired by our company, we will delete all data and documents relating to your application after 6 months at the latest. Should we wish to retain your documents for longer due to your qualifications, we will obtain your permission to do so.

Possibility of objection

You have the option to object to the processing of your data at any time. To do so, please contact the e-mail address: widerruf@themandala.de. Please note that in the event of an objection, the application cannot be completed or the conversation cannot be continued.

Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:

• Information about the browser type and version used
• The operating system of the user
• The IP address of the user
• Date and time of access
• Websites from which the user's system accesses our website
• Websites that are accessed by the user's system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user. Personal user profiles cannot be formed. The stored data is only evaluated for statistical purposes.

Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is the processing to protect our legitimate interest.

Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing also lies in these purposes.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.

Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

Description and scope of data processing

Cookies are small text files that are sent by us to the browser of your end device when you visit our website and are stored there. As an alternative to the use of cookies, information can also be stored in the local storage of your browser. Some functions of our website cannot be offered without the use of cookies or local storage (technically necessary cookies). Other cookies, however, enable us to carry out various analyses, so that we are able, for example, to recognise the browser you are using when you visit our website again and to transmit various information to us (non-essential cookies). With the help of cookies, we can, among other things, make our website more user-friendly and effective for you, for example by tracking your use of our website and determining your preferred settings (e.g. country and language settings). If third parties process information via cookies, they collect the information directly via your browser. Cookies do not cause any damage to your end device. They cannot execute programs or contain viruses.

We provide information about the respective services for which we use cookies in the individual processing operations. You can find detailed information on the cookies used in the cookie declaration.

We also use cookies on our website that enable an analysis of the user's surfing behaviour. The following data can be transmitted in this way: Search terms entered, frequency of page views, use of website functions. The user data collected in this way is pseudonymised by technical precautions. Therefore, it is no longer possible to assign the data to the calling user. The data is not stored together with other personal data of the user. When calling up our website, the user is informed about the use of cookies for analysis purposes and his or her consent to the processing of the personal data used in this context is obtained. In this context, a reference to this data protection declaration is also made.

Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is our legitimate interest in data processing. The legal basis for the processing of personal data using cookies for analysis purposes is the existence of a relevant consent of the user.

Purpose of the data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. The user data collected through technically necessary cookies are not used to create user profiles.

Analysis cookies are used to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimise our offer.

Duration of storage, possibility of objection and elimination

Cookies are stored on the user's computer and transmitted to our site by the user. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

Description and Scope of Data Processing

Our website loads the Consent Manager from Cybot A/S, Havnegade 39, 1058 Copenhagen (hereinafter: cookiebot.com). We use this service to ensure both the full functionality of our website and the data protection-compliant use of marketing and tracking tools on our website. In this context, your browser may transmit personal data to cookiebot.com.

Legal Basis and Purpose for Data Processing

The legal basis for data processing is Article 6 (1) lit. f GDPR. The legitimate interest lies in the error-free functioning of the website. The data will be deleted as soon as the purpose of their collection has been fulfilled. Further information on how the transmitted data is handled can be found in cookiebot.com's pricacy policy. You can prevent the collection and processing of your data by cookiebot.com by disabling the execution of script code in your browser or by installing a script blocker in your browser.

The following information is stored in our Cookiebot account:

• The user’s IP address in anonymized form (the last three digits are set to "0").

• Date and time of consent.

• The user’s browser.

• The URL from which the consent was sent.

• An anonymous, random, and encrypted key value.

• The user's consent status, serving as proof of consent.

The key and consent status are also stored in the user’s browser in the "CookieConsent" cookie so that the website can automatically read and respect the user’s consent during all subsequent page requests and future user sessions for up to 12 months. You can view and change your consent level at any time. You will find this option at the bottom of this page.

According to the law, we may store cookies on your device if they are strictly necessary for the operation of this site. The use of the service is based on the legally required consent to use cookies in accordance with Article 6 (1) lit. c GDPR and § 25 (2) No. 2 TDDDG. For all other types of cookies, we need your permission. This site uses different types of cookies. Some cookies are placed by third parties that appear on our pages. You can change or withdraw your consent at any time from the cookie declaration on our website.

The specific retention period of the processed data is not under our control but is determined by Cybot A/S. For more details, please refer to the pricacy policy of Cookiebot.

Google Analytics

Our website uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Google Analytics uses cookies that enable the analysis of your use of our websites. The information collected through the cookies about your use of this website is generally transmitted to a Google server in the USA and stored there.

We use the User-ID function. The User ID allows us to assign one or more sessions (and the activities within these sessions) to a unique, persistent ID and analyze user behavior across devices.

We also use Google Signals. This collects additional information in Google Analytics about users who have enabled personalized ads (interests and demographic data), and ads can be delivered to these users in cross-device remarketing campaigns.

In Google Analytics 4, IP address anonymization is enabled by default. Due to IP anonymization, your IP address will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser within the scope of Google Analytics will not be merged with other Google data.

During your website visit, your user behavior is recorded as "events." Events may include:

• Page views

• First-time visit to the website

• Start of a session

• Your "click path," interaction with the website

• Scrolls (whenever a user scrolls to the page end (90%))

• Clicks on external links

• Internal searches

• Interaction with videos

• File downloads

• Viewed/clicked ads

• Language settings

Additionally, the following is recorded:

• Your approximate location (region)

• Your IP address (in truncated form)

• Technical information about your browser and the devices you use (e.g., language settings, screen resolution)

• Your internet provider

• The referrer URL (the website/advertisement that led you to this site)

Purpose of Processing

On our behalf, Google processes the transmitted information to evaluate website use by visitors and compile reports on website activities. The reports provided by Google Analytics help us analyze website performance.

Recipients

Recipients of the data may include:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a data processor under Art. 28 GDPR)

• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

• Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

It cannot be ruled out that US authorities may access data stored by Google.

Third-Country Transfer

If data is processed outside the EU/EEA and an adequate level of data protection is not guaranteed, we have entered into EU standard contractual clauses (EU-Standardvertragsklauseln) with the service provider to establish a reasonable level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be excluded. From a data protection perspective, the USA is currently considered a third country. You do not have the same rights there as within the EU/EEA. Legal remedies against authorities' access may not be available.

Retention Period

The data we send and link with cookies will be automatically deleted after 14 months. The deletion of data that has reached the retention period occurs automatically once a month.

Legal Basis and Withdrawal

We process your data using Google Analytics 4 based on your consent according to Art. 6 (1) lit. a GDPR in conjunction with § 25 TTDSG. You provide your consent through the cookie settings (cookie banner/consent manager), which you can revoke at any time with future effect pursuant to Art. 7 (3) GDPR.

You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you set your browser to reject all cookies, this may restrict functionalities on this and other websites.

Furthermore, you can prevent the collection of data generated by the cookie and related to your website usage (including your IP address) by Google and the processing of this data by Google by (I) not giving your consent to set the cookie or (II) downloading and installing the browser add-on to deactivate Google Analytics HERE.

For more detailed information, please refer to the Terms of Use and the Privacy Policy.

Google Tag Manager

We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage website tags through an interface and enables us to control the precise integration of services on our website.

This allows us to flexibly integrate additional services to evaluate user access to our website.

The use of Google Tag Manager is based on your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. The data transfer to the USA is carried out in accordance with Art. 45 (1) GDPR based on the adequacy decision of the European Commission. The participating US companies and/or their US subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

In cases where no adequacy decision by the European Commission exists (including US companies not certified under the EU-U.S. DPF), we have entered into other appropriate safeguards with the recipients of the data in accordance with Art. 44 et seq. GDPR. These are - unless otherwise stated - the EU Commission’s Standard Contractual Clauses (SCC) according to Implementing Decision (EU) 2021/914 of June 4, 2021.

Additionally, we obtain your consent before such third-country transfer in accordance with Art. 49 (1) sentence 1 lit. a GDPR, which you provide through the consent manager (or other forms, registrations, etc.). Please note that there may be specific unknown risks associated with third-country transfers (e.g., data processing by security authorities of the third country, whose exact scope and consequences for you are not known, beyond our control, and of which you may not be aware).

The specific retention period of the processed data is not within our control but is determined by Google Ireland Limited. Further information can be found in the Google Tag Manager Privacy Policy.

Google DoubleClick

We have integrated components from Google DoubleClick on our website. DoubleClick is a brand of Google that primarily markets specialized online marketing solutions to advertising agencies and publishers. DoubleClick by Google transmits data to the DoubleClick server with every impression, click, or other activity.

Each of these data transfers triggers a cookie request to the browser of the affected person. If the browser accepts this request, DoubleClick sets a cookie in your browser.

DoubleClick uses a cookie ID required for the technical process. For example, the cookie ID is needed to display an advertisement in a browser. Additionally, DoubleClick can use the cookie ID to track which advertisements have already been displayed in a browser, preventing duplicate displays. Furthermore, the cookie ID allows DoubleClick to record conversions. Conversions are recorded, for example, when a user has previously seen a DoubleClick advertisement and subsequently makes a purchase on the advertiser’s website using the same internet browser.

A DoubleClick cookie does not contain personal data but may include additional campaign identifiers. A campaign identifier helps to identify the campaigns you have previously interacted with on other websites. In the context of this service, Google obtains data that also serves to create commission statements. Among other things, Google can track that you have clicked on certain links on our website. In this case, your data is forwarded to the operator of DoubleClick, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information and the applicable privacy policy of DoubleClick by Google can be found at Google Privacy Policy.

We process your data using the DoubleClick cookie to optimize and display advertisements based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG. The cookie is used, among other things, to display user-relevant advertising, compile reports on advertising campaigns, and improve them. Additionally, the cookie helps avoid multiple displays of the same advertisement. Each time you access one of the individual pages of our website that has a DoubleClick component integrated, your browser is automatically triggered by the respective DoubleClick component to transmit data to Google for the purpose of online advertising and commission accounting.

There is no legal or contractual obligation to provide your data. If you do not give your consent, you can still visit our website without any restrictions, but some features may not be available in full.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. The data transfer to the USA is carried out in accordance with Art. 45 (1) GDPR based on the adequacy decision of the European Commission. The participating US companies and/or their US subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

In cases where no adequacy decision by the European Commission exists (including US companies not certified under the EU-U.S. DPF), we have entered into other appropriate safeguards with the recipients of the data in accordance with Art. 44 et seq. GDPR. These are - unless otherwise stated - the EU Commission’s Standard Contractual Clauses (SCC) according to Implementing Decision (EU) 2021/914 of June 4, 2021.

Additionally, we obtain your consent before such third-country transfer in accordance with Art. 49 (1) sentence 1 lit. a GDPR, which you provide through the consent manager (or other forms, registrations, etc.). Please note that there may be specific unknown risks associated with third-country transfers (e.g., data processing by security authorities of the third country, whose exact scope and consequences for you are not known, beyond our control, and of which you may not be aware).

The specific retention period of the processed data is not within our control but is determined by Google Ireland Limited. Further information can be found in the Google DoubleClick Privacy Policy.

Google Ads

We have integrated Google Ads on our website. Google Ads is a service from Google Ireland Limited that displays targeted advertisements to users. Google Ads uses cookies and other browser technologies to analyze user behavior and recognize users.

Google Ads collects information about visitor behavior on various websites. This information is used to optimize the relevance of advertisements. Furthermore, Google Ads delivers targeted advertising based on behavioral profiles and geographic location. The provider receives your IP address and other identifiers such as your User-Agent.

If you are registered with a service from Google Ireland Limited, Google Ads can associate the visit with your account. Even if you are not registered or logged in, the provider may identify and store your IP address and other identifiers.

In this case, your data is forwarded to the operator of Google Ads, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The use of Google Ads is based on your consent in accordance with Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. The data transfer to the USA is carried out according to Art. 45 (1) GDPR based on the adequacy decision of the European Commission. The participating US companies and/or their US subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

In cases where no adequacy decision by the European Commission exists (including US companies not certified under the EU-U.S. DPF), we have entered into other appropriate safeguards with the recipients of the data according to Art. 44 et seq. GDPR. These are - unless otherwise stated - the EU Commission’s Standard Contractual Clauses (SCC) according to Implementing Decision (EU) 2021/914 of June 4, 2021.

Additionally, we obtain your consent before such third-country transfer in accordance with Art. 49 (1) sentence 1 lit. a GDPR, which you provide through the consent manager (or other forms, registrations, etc.). Please note that there may be specific unknown risks associated with third-country transfers (e.g., data processing by security authorities of the third country, whose exact scope and consequences for you are not known, beyond our control, and of which you may not be aware).

The specific retention period of the processed data is not within our control but is determined by Google Ireland Limited. Further information can be found in the Google Ads Privacy Policy.

Google Maps

We use the Google Maps service to create directions. Google Maps is a service provided by Google Ireland Limited, which displays a map on our website.

When you access this content on our website, a connection to the servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is established, transmitting your IP address and possibly browser data such as your User-Agent. These data are processed solely for the aforementioned purposes and to maintain the security and functionality of Google Maps.

The use of Google Maps is based on your consent in accordance with Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. The data transfer to the USA is carried out according to Art. 45 (1) GDPR based on the adequacy decision of the European Commission. The participating US companies and/or their US subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

In cases where no adequacy decision by the European Commission exists (including US companies not certified under the EU-U.S. DPF), we have entered into other appropriate safeguards with the recipients of the data according to Art. 44 et seq. GDPR. These are - unless otherwise stated - the EU Commission’s Standard Contractual Clauses (SCC) according to Implementing Decision (EU) 2021/914 of June 4, 2021.

Additionally, we obtain your consent before such third-country transfer in accordance with Art. 49 (1) sentence 1 lit. a GDPR, which you provide through the consent manager (or other forms, registrations, etc.). Please note that there may be specific unknown risks associated with third-country transfers (e.g., data processing by security authorities of the third country, whose exact scope and consequences for you are not known, beyond our control, and of which you may not be aware).

The specific retention period of the processed data is not within our control but is determined by Google Ireland Limited. Further information can be found in the Google Maps Privacy Policy.

We have integrated Bing Ads on our website. Bing Ads is a service provided by Microsoft Corporation to display targeted advertisements to users. Bing Ads uses cookies and other browser technologies to analyze user behavior and recognize users.

Bing Ads collects information about visitor behavior on various websites. This information is used to optimize the relevance of advertisements. Furthermore, Bing Ads delivers targeted advertising based on behavioral profiles and geographic location. Your IP address and other identification features, such as your User-Agent, are transmitted to the provider.

In this case, your data will be transmitted to the operator of Bing Ads, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States.

The use of Bing Ads is based on your consent in accordance with Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. The data transfer to the USA is carried out according to Art. 45 (1) GDPR based on the adequacy decision of the European Commission. The participating US companies and/or their US subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

In cases where no adequacy decision by the European Commission exists (including US companies not certified under the EU-U.S. DPF), we have entered into other appropriate safeguards with the recipients of the data according to Art. 44 et seq. GDPR. These are - unless otherwise stated - the EU Commission’s Standard Contractual Clauses (SCC) according to Implementing Decision (EU) 2021/914 of June 4, 2021.

Additionally, we obtain your consent before such third-country transfer in accordance with Art. 49 (1) sentence 1 lit. a GDPR, which you provide through the consent manager (or other forms, registrations, etc.). Please note that there may be specific unknown risks associated with third-country transfers (e.g., data processing by security authorities of the third country, whose exact scope and consequences for you are not known, beyond our control, and of which you may not be aware).

The specific retention period of the processed data is not within our control but is determined by Microsoft Corporation. Further information can be found in the Privacy Policy for Bing Ads.

We maintain so-called fan pages, accounts, or channels on the social networks listed below to provide you with information and offers within social networks and to offer you additional ways to contact us and learn about our services. Below, we inform you about which data we or the respective social network process from you in connection with accessing and using our fan pages/accounts.

Data we process from you

If you wish to contact us via messenger or direct message through the respective social network, we generally process your username through which you contact us and may store other data provided by you to the extent necessary to process/respond to your request.

The legal basis is Art. 6 (1) sentence 1 (f) GDPR (processing is necessary to safeguard the legitimate interests of the controller).

(Static) Usage data we receive from social networks

We receive automatically provided statistics regarding our accounts via insights functionalities. The statistics include, among other things, the total number of page views, likes, page activity and post interactions, reach, video views, and information on the proportion of men/women among our fans/followers.

The statistics only contain aggregated data that is not attributable to individual persons. We cannot identify you through this information.

Which data social networks process from you

You do not have to be a member of the respective social network to view the content of our fan pages or accounts, and no user account is required for the respective social network.

Please note, however, that social networks collect and store data from website visitors without a user account when accessing the respective social network (e.g., technical data to display the website), and use cookies and similar technologies, over which we have no control. Details can be found in the privacy policies of the respective social network.

Facebook

When visiting our Facebook page, Facebook (Meta) collects, among other things, your IP address and other information stored on your PC in the form of cookies. These details are used to provide us, as operators of the Facebook pages, with statistical information about the use of the Facebook page. More information is available from Facebook at the following link: https://facebook.com/help/pages/insights.

The transmitted statistical information does not allow us to draw conclusions about individual users. We use this information solely to better understand our users' interests, continuously improve our online presence, and ensure its quality.

We only collect your data via our fan page to enable possible communication and interaction with us. This usually includes your name, message content, comment content, and the profile information you have publicly shared.

The processing of your personal data for our aforementioned purposes is based on our legitimate economic and communicative interest in offering an information and communication channel pursuant to Art. 6 (1) (f) GDPR. If you, as a user, have given consent to the respective social network provider for data processing, the legal basis extends to Art. 6 (1) (a), Art. 7 GDPR.

Since the actual data processing is carried out by the social network provider, our access to your data is limited. Only the social network provider is authorized to fully access your data. Therefore, only the provider can directly take appropriate measures to fulfill your user rights (information request, deletion request, objection, etc.). The most effective way to assert your rights is to contact the respective provider directly.

We are jointly responsible with Facebook for the personal content of the fan page. Data subject rights can be asserted with Meta Platforms Ireland Ltd. as well as with us.

The primary responsibility for processing insights data lies with Facebook according to the GDPR, and Facebook fulfills all obligations under the GDPR regarding the processing of insights data. Meta Platforms Ireland Ltd. provides the essential aspects of the Page Insights supplement to the data subjects.

We do not make any decisions regarding the processing of insights data and the storage duration of cookies on user devices.

Further information can be found directly on Facebook (Supplementary agreement with Facebook): https://www.facebook.com/legal/terms/page_controller_addendum.

For more information, including the exact scope and purposes of processing your personal data, the storage period/deletion, and guidelines on the use of cookies and similar technologies in connection with registration and use, please refer to Facebook's privacy policies/cookie policies: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0 and https://www.facebook.com/policies/cookies.

Facebook Fan Page

On our Facebook fan page at: https://www.facebook.com/themandala.de/, we use plugins provided by Facebook.com, operated by Facebook Inc., 1601 S. California Avenue, Palo Alto, CA 94304, USA. By using the fan page, data is transmitted to Facebook's servers containing information about your visits to our page. For users logged into Facebook, this means that usage data can be associated with their personal Facebook accounts. If you actively use the Facebook plugin as a logged-in user (e.g., by clicking the "Like" button or using the comment function), this data will be transmitted to your Facebook account and published. You can prevent this by logging out of your Facebook account beforehand.

We do not know exactly what data Facebook stores and uses. As a user of the fan page, you should therefore assume that Facebook stores all your interactions on the fan page comprehensively.

Furthermore, the general terms of use of Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland apply. For information about privacy on Facebook, please refer to the following data policy of Facebook Ireland Limited:

➡ https://www.facebook.com/privacy/policy

The legal basis for this data processing is Art. 6 para. 1 lit. a, f) GDPR.

Any depicted person as well as any other third party has the right at any time to object to the publication of their personal data (photos). For this purpose, we have set up the email address: widerruf@themandala.de. The right to object applies particularly to the future publication of images.

It may occasionally happen that we publish images of individuals without having received explicit consent. If publication is not desired, we will immediately take all necessary steps to comply with your rights. For group photos, we reserve the right to blur or distort faces.

Instagram

When visiting our Instagram page at: https://www.instagram.com/themandalahotel/, Instagram (Meta) collects, among other things, your IP address and other information stored in the form of cookies on your device. This information is used to provide us, as operators of the Instagram page, with statistical insights into the use of the Instagram page. Instagram provides more information on this under the following link (note: clicking the link takes you to the Facebook website, which is also part of the Meta group. The information applies equally to the social network Instagram):
➡ https://facebook.com/help/pages/insights

The transmitted statistical data does not allow us to draw conclusions about individual users. We use this data solely to better address the interests of our users, to continuously improve our online presence, and to ensure its quality.

We collect your data via our fan page only to enable communication and interaction with us. This generally includes your name, message content, comment content, and publicly available profile information.

The processing of your personal data for the above purposes is based on our legitimate business and communication interests in offering an information and communication channel pursuant to Art. 6 para. 1 f) GDPR. If you as a user have given consent to data processing to the provider of the social network, the legal basis extends to Art. 6 para. 1 a), Art. 7 GDPR.

As the actual data processing is carried out by the provider of the social network, our access to your data is limited. Only the provider of the social network has full access to your data. Therefore, only the provider can take appropriate measures to fulfill your user rights (e.g., right to access, deletion requests, objections, etc.). As such, the most effective way to exercise your rights is to contact the provider directly.

We are jointly responsible with Instagram for the personal content on the fan page. Data subject rights can be asserted with Meta Platforms Ireland Ltd. as well as with us.

According to the GDPR, the primary responsibility for processing Insights data lies with Instagram, and Instagram fulfills all obligations under the GDPR regarding the processing of Insights data. Meta Platforms Ireland Ltd. provides the essential content of the Page Insights Addendum to the data subjects:

➡ https://www.facebook.com/legal/terms/page_controller_addendum

We do not make decisions regarding the processing of Insights data or the duration of cookie storage on user devices.

Further information, including details about the scope and purpose of processing your personal data, data retention/deletion, as well as policies on cookies and similar technologies used during registration and usage, can be found in Instagram’s data and cookie policies (note: clicking the link will take you to the Facebook website):

➡ https://help.instagram.com/519522125107875/?helpref=uf_share

This information is also available in Instagram’s Help Center under the following link:

➡ https://help.instagram.com/581066165581870

Further details can be found in Instagram's privacy policy.

YouTube Video

We have integrated YouTube videos into our website. YouTube Video is a component of the video platform operated by YouTube, LLC, where users can upload content, share it online, and access detailed statistics.

YouTube Video allows us to embed content from the platform directly into our website. YouTube uses cookies and other browser technologies to analyze user behavior, recognize users, and create user profiles. This information is used, among other things, to analyze content activity and generate reports. If a user is registered with YouTube, LLC, YouTube can associate the played videos with the user's profile.

By accessing this content, a connection is established with the servers of YouTube, LLC, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. In doing so, your IP address and possibly other browser data, such as your user agent, are transmitted.

The use of this service is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 of the German Telecommunications-Digital Services Data Protection Act (TDDDG).

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. Data transfers to the USA are carried out under Art. 45 para. 1 GDPR on the basis of the adequacy decision of the European Commission. The involved U.S. companies and/or their subcontractors are certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

In cases where no adequacy decision by the European Commission exists (including U.S. companies not certified under the EU-U.S. DPF), we have agreed on other appropriate safeguards with the data recipients in accordance with Art. 44 et seq. GDPR. Unless otherwise stated, these safeguards are the Standard Contractual Clauses of the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021. A copy of these Standard Contractual Clauses can be found at:
➡ https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914

Furthermore, before any such transfer to a third country takes place, we obtain your consent pursuant to Art. 49 para. 1 sentence 1 lit. a GDPR, which you give via our consent manager (or other forms, registrations, etc.).
Please note that data transfers to third countries may carry unknown risks, such as potential processing by security authorities in the destination country, the scope and consequences of which are not known to us, cannot be influenced by us, and may not be made known to you.

The specific storage duration of the processed data is not determined by us but by YouTube, LLC. For further information, please refer to the privacy policy for YouTube Video:

➡ https://policies.google.com/privacy

We have integrated components of the Hotelcareer Widget on our website. Hotelcareer Widget is a service provided by StepStone GmbH, Axel-Springer-Straße 65, 10969 Berlin, Germany, which offers applicant and personnel management software.

Hotelcareer Widget is used in connection with recruitment processes to optimize applicant management, for example through the automated analysis of employment references. In addition, the service enables us to create and evaluate job postings.

The use of this service is based on our legitimate interests, i.e. our interest in optimizing our recruitment processes, in accordance with Art. 6 para. 1 lit. f GDPR.

The specific storage duration of the processed data is not determined by us but by StepStone GmbH. Further information can be found in the privacy policy for Hotelcareer Widget:

➡ https://www.hotelcareer.de/datenschutzerklärung (Note: currently available in German only.)

We use Crazy Egg, a service provided by Crazy Egg, Inc., to conduct so-called A/B tests on our online offering. This involves simultaneously publishing different versions of our website to determine which version is more user-friendly.

During testing, data such as the operating system used, the browser’s user agent, and the time of access may be collected to evaluate the performance of each version.

Web tracking technologies are used to associate the above-mentioned data with the specific version of our online offering being tested.

The use of Crazy Egg is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

The specific storage duration of the processed data is not determined by us but is defined by Crazy Egg, Inc. Further information can be found in the privacy policy for Crazy Egg:

➡ https://www.crazyegg.com/privacy

We have integrated components of Cognito Forms into our website. Cognito Forms is a service provided by Cognito LLC, which offers marketing automation software.

Cognito Forms allows us to create and display online forms and pop-ups on our website. In addition, Cognito Forms is used to process data entered in forms, for example when contacting us via a contact form or subscribing to a newsletter.

Cognito Forms uses cookies and other browser technologies to analyze user behavior and recognize users. This information is used, among other things, to compile reports on website activity.

In this case, your data is shared with the operator of Cognito Forms:
Cognito LLC, 929 Gervais Street, Suite D, Columbia, SC 29201, United States.

The use of Cognito Forms is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

The specific storage duration of the processed data is not determined by us but is defined by Cognito LLC. Further information can be found in the privacy policy for Cognito Forms:

➡ https://www.cognitoforms.com/privacy

We have integrated components of the MailChimp service into our website. MailChimp is a service provided by The Rocket Science Group, LLC, which offers marketing automation for businesses.

MailChimp is used to store and transmit data entered into forms via cookies, to send marketing emails and automated messages, and to create targeted campaigns.

In addition, MailChimp provides us with the ability to analyze whether emails have been opened, how many users received an email, and whether users unsubscribed from the newsletter after receiving an email.

In this case, your data is shared with the operator of MailChimp:
The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, United States.

The use of MailChimp is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

The specific storage duration of the processed data is not determined by us but is defined by The Rocket Science Group, LLC. Further information can be found in the privacy policy for MailChimp:

➡ https://www.intuit.com/privacy/statement/
(Note: MailChimp is now part of Intuit.)

We have integrated components of the customer communication platform Zendesk Chat into our website. Zendesk Chat is a service provided by Zendesk, Inc., and enables us to communicate with visitors to our website via live chat and provide targeted assistance with questions.

Zendesk Chat uses cookies and other browser technologies to analyze user behavior and recognize users. In addition, Zendesk Chat is used to store and transmit data entered in chat windows via cookies, including your IP address.

In this case, your data is shared with the operator of Zendesk Chat:
Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, United States.

The use of Zendesk Chat is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG.

The specific storage duration of the processed data is not determined by us but is defined by Zendesk, Inc. Further information can be found in the privacy policy for Zendesk Chat:

➡ https://www.zendesk.com/company/agreements-and-terms/privacy-notice/

We use Zendesk CDN to ensure the proper delivery of content on our website. Zendesk CDN is a service provided by Zendesk, Inc. and functions as a content delivery network (CDN) on our website in order to support the functionality of other services provided by Zendesk, Inc. These other services are described in separate sections of this privacy policy. This section refers solely to the use of the CDN.

A CDN helps deliver content from our online offering—particularly files such as graphics or scripts—more quickly using servers that are regionally or internationally distributed. When you access this content, you establish a connection to servers operated by Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, United States, during which your IP address and possibly browser data such as your user agent are transmitted. This data is processed solely for the purposes mentioned above and to maintain the security and functionality of Zendesk CDN.

The use of this content delivery network is based on our legitimate interest in a secure, efficient, and optimized provision of our online offering pursuant to Art. 6 para. 1 lit. f GDPR.

The specific storage duration of the processed data is not determined by us but is defined by Zendesk, Inc. Further information can be found in the privacy policy for Zendesk CDN:

➡ https://www.zendesk.com/company/agreements-and-terms/privacy-notice/

We have integrated components of Stripe Payments into our website. Stripe Payments is a service provided by Stripe, Inc. and offers online payment solutions worldwide.

If you choose Stripe Payments as your payment method, the data required to process the payment will automatically be transmitted to Stripe, Inc., San Francisco, California, US.

In this context, the following data is typically collected:
Name, address, company (if applicable), email address, telephone and mobile number, and IP address.

The use of this service is based on the performance of a contract, i.e. for the purpose of processing payment transactions.

The specific storage duration of the processed data is not determined by us but is defined by Stripe, Inc. Further information can be found in the privacy policy for Stripe Payments:

➡ https://stripe.com/privacy

This service is mainly aimed at adults. We do not currently market any specific areas for children. Accordingly, we do not knowingly collect age-identifying information, nor do we knowingly collect personal information from children under the age of 16. However, we caution all visitors to our website under the age of 16 not to disclose or provide any personally identifiable information through our service. In the event that we discover that a child under the age of 16 has provided us with personal information, we will delete the child's personal information from our files to the extent technically feasible.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

• You have a right to information about the personal data stored about you, about the purposes of processing, about any transfers to other bodies and about the duration of storage.

• If data is inaccurate or no longer necessary for the purposes for which it was collected, you may request that it be corrected, erased or restricted from processing. Where provided for in the processing procedures, you may also consult your data yourself and correct them if necessary.

• Should grounds against the processing of your personal data arise from your particular personal situation, you may, insofar as the processing is based on a legitimate interest, object to it. The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

• If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to the processing for direct marketing or profiling purposes, the personal data concerning you will no longer be processed for these purposes.

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. For this purpose, we have set up the e-mail address widerruf@themandala.de.

As a data subject, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence or of the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection.

The supervisory authority to which the complaint is submitted will inform you of the status and outcome of your complaint, including the possibility of a judicial remedy.

You can find more information on the website of the Federal Commissioner for Data Protection and Freedom of Information. Follow the link.

Where personal data is processed outside the European Union, you can find this information in the preceding sections.

We use technical and organisational security measures in accordance with Art. 32 GDPR to protect your data managed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures are continuously improved in line with technological developments. Access is only possible for a few authorised persons and persons who are obliged to provide special data protection and who are involved in the technical, administrative or editorial care of data.

We reserve the right to change, update or amend this privacy information at any time. Any revised privacy statement will only apply to personal data collected or modified after the effective date of the revised statement.

We reserve the right to change, update or amend this Privacy Notice at any time. Any revised information on data processing will only apply to personal data collected or modified after the effective date.

Status | May 2025