Privacy Policy

1. Introduction

We appreciate your interest in our website www.h24hotels.com (hereinafter “Website”). This website is operated by H24HotelManagementGmbH (hereinafter “H24 Hotels”) and offers you, as a user (hereinafter “User”), the opportunity to learn about our hotel offers, room categories, and locations, make bookings, and contact us.

The protection of your personal data is of utmost importance to us. We treat your data confidentially and in accordance with applicable data protection laws, in particular the General Data Protection Regulation (GDPR). Below, we inform you about the nature, scope, and purpose of the processing of personal data, as well as your rights.

You can revoke any consent you have given at any time with future effect. If you have any questions about the processing of your data, please contact us.

Please note that legal changes or changes to our internal processes may require us to adapt this Privacy Policy. The current version can be viewed at any time at https://h24hotels.com/en/privacy-policy/.

Reference to further data protection declarations:

In addition to this privacy policy for our website, you will find additional information on the processing of personal data in the following areas:

• Privacy policy for guests, applicants, and business partners
• Privacy policy for our social media presences

These contain specific information on data processing outside of website use. Please refer to these separate pages if necessary.

2. Responsible party and scope

Responsible person within the meaning of the GDPR:

H24 Hotel Management GmbH
Herzbergstraße 139

10365 Berlin
Telefon: 03338 914 1658
E-Mail: [email protected]
Web: www.h24hotels.com

This privacy policy applies to the website www.h24hotels.com as well as to its subpages and subdomains operated by H24 Hotel Management GmbH.

3. Data Protection Officer

You can reach our data protection officer at: [email protected]

Principles of data processing

Personal data is all information relating to an identified or identifiable natural person, e.g., name, address, telephone number, IP address, or user behavior. Data that is anonymized or can only be assigned to an individual with disproportionate effort is not considered personal data.

Your data is processed either on the basis of legal permission or your consent. The data will be deleted as soon as it is no longer required for the respective purpose and there are no statutory retention periods.

In this privacy policy, we provide you with detailed information below about the individual processing operations, their purpose, legal basis, and storage period.

4. Provision and use of the website

a. Hosting

This website is hosted externally. The personal data collected on this website is stored on the servers of the hosting provider listed below. This includes, in particular:

• IP addresses
• Contact requests
• Meta and communication data
• Contract data
• Contact details
• Names
• Website accesses
• Other data generated through website use

Hosting is provided for the purpose of fulfilling our contract with our potential and existing customers (Art. 6 (1) (b) GDPR) and in the interest of ensuring the secure, fast, and efficient provision of our online services by a professional provider (Art. 6 (1) (f) GDPR). If consent has been requested (e.g., as part of a cookie banner), processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG. Consent can be revoked at any time.

Our hoster processes your data only to the extent necessary to fulfill its service obligations and follows our instructions in accordance with a data processing agreement required by data protection law (Art. 28 GDPR).

Hosting provider used:
hostNET Medien GmbH
Osterdeich 107
28205 Bremen
www.hostnet.de

b. Access data and log files

When you visit our website, we automatically collect certain personal data that your browser transmits to our server. This data is technically necessary for us to display the website to you and ensure its stability and security:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the retrieved file
• Website from which access was made (referrer URL)
• Browser used and, if applicable, the operating system of your computer
• Name of your access provider

The data is temporarily stored in log files and automatically deleted after 30 days at the latest. This server log data is not merged with other data sources or analyzed for personal purposes. The log files are used exclusively for technical analysis in the event of errors and to ensure the proper operation of the website.

Legal basis:

• Art. 6 (1) (f) GDPR – our legitimate interest in a secure and stable presentation of the website.

6. Reservations and bookings

On our website www.h24hotels.com, we offer you the opportunity to book hotel rooms online. For this purpose, we use the booking platform of HotelNetSolutions GmbH, Genthiner Straße 8, 10785 Berlin.

If you click the “Book” button and select a location, you will be redirected to an external booking page where the booking process for the respective location is integrated.

The technical processing of this booking is carried out on behalf of the operating company of the respective location by HotelNetSolutions GmbH within the framework of data protection-compliant order processing in accordance with Art. 28 GDPR.

The responsible operating company and its contact details can be found in the imprint of the respective booking page or in the booking confirmation you receive after your reservation.

The following personal data, in particular, is processed during the booking process:

• First and last name
• Salutation and, if applicable, title
• Address (street, zip code, city, country)
• Telephone number
• Email address
• Date of stay (arrival, departure)
• Booked room category and additional services
• Payment details (e.g., credit card details, payment status)
• Company affiliation (if applicable)
• Personal comments (if applicable) (e.g., allergies, requests)

Payment processing

Depending on the payment method chosen, payment processing is carried out via one of the following service providers:

• Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands
• PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

These providers are only provided with the information necessary to process the payment – ​​including the booking amount, payment details, and, if applicable, the IP address.

H24 Hotels itself does not store complete payment information (e.g., credit card numbers), but only receives payment status information.

Processing is carried out exclusively for the purpose of fulfilling the contract on the basis of Art. 6 (1) (b) GDPR.

The payment service providers act independently as data controllers. For further information on data processing, please refer to the respective privacy policies:

• Adyen: https://www.adyen.com/policies-and-disclaimer/privacy-policy
• PayPal: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

The data will be processed to process the booking, carry out your stay and for billing purposes.

Storage period

Once the processing has been completed and any statutory retention periods have expired, your data will be deleted.
Typical retention periods:

• 6 years for business correspondence (Section 257 of the German Commercial Code)
• 10 years for tax-relevant documents (Section 147 of the German Fiscal Code)

Legal basis for processing

• Art. 6 (1) (b) GDPR – for the implementation of pre-contractual measures and the fulfillment of the accommodation contract
• Art. 6 (1) (f) GDPR – our legitimate interest in efficient booking processing
• Art. 6 (1) (a) GDPR – if consent is given for optional information (e.g., allergies, requests) or marketing use

Notes on order processing

HotelNetSolutions GmbH acts on our behalf and processes your data exclusively in accordance with our instructions.

A corresponding data processing agreement has been concluded in accordance with Art. 28 GDPR.

The technical infrastructure of the booking pages is provided by HotelNetSolutions GmbH.
The data protection responsibility for the processing of your booking data lies with the respective operating company of the location you have chosen.

H24 Hotel Management GmbH is responsible for the overall technical platform, but not for the independent processing of booking data for individual locations.

Note on the privacy policy

The respective controller provides the required data protection information directly within the booking form.

Please therefore note the information displayed there when making your booking.

7. Contact form and email contact

If you contact us via a contact form on the website or by email, we will process the personal data you provide to process your request.

In particular, the following data may be processed:

• First and last name
• Email address
• Telephone number (if provided)
• Content of your message
• Date and time of transmission (if applicable)
• IP address (for forms)

The data will be processed solely to process and respond to your inquiry. The data will not be passed on to third parties without your express consent.

Legal basis for processing:

• Art. 6 (1) (b) GDPR – if the request serves to carry out pre-contractual measures,
• Art. 6 (1) (f) GDPR – our legitimate interest in effective communication with website users.

After your request has been processed, the data will be deleted unless there are legal retention obligations or you have not expressly consented to further use.

The data transmitted via the contact form is transmitted using TLS encryption. Please note that complete data security cannot be guaranteed when transmitting via email. For confidential information, we therefore recommend an alternative, secure method of transmission, such as mail or encrypted communication.

8. Live chat

Our website offers a live chat feature that allows you to communicate with our team in real time. Live chat is provided by the service provider chatlyn, Renngasse 4 R4-4, 1010 Vienna, Austria.

When you use live chat, the following personal data is processed:

• Content of chat messages
• Date and time of chat
• IP address
• Browser and device type used
• If applicable, your email address or name (if provided voluntarily)

This data is processed solely for the purpose of answering your inquiries and communicating with you.

Legal basis for processing:

• Art. 6 (1) (f) GDPR – our legitimate interest in effective customer service,
• Art. 6 (1) (b) GDPR – if the communication serves to initiate or execute a contract.

chatlyn acts as a processor within the meaning of Art. 28 GDPR. A corresponding contract for order processing has been concluded. Data processing takes place exclusively within the European Union.

The data collected during the live chat will only be stored for as long as necessary to process your request. After the communication has ended, the data will be deleted unless legally required to retain it.

Please note that the use of the live chat is voluntary. Alternatively, you can also contact us by email or telephone.

9. Cookies and consent management

Our website uses so-called “cookies” and similar technologies (e.g., pixels, web storage) to provide certain functions, analyze usage, and, where appropriate, display personalized content.

General information about cookies:

Cookies are small data packets that are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted after your visit. Persistent cookies remain on your device until you manually delete them or your browser automatically deletes them.

Cookies can either be set by us (first-party cookies) or by third-party companies (third-party cookies). The latter enable, for example, the integration of external services such as payment providers or analysis tools.

Types of cookies:

• Technically necessary cookies – required for the operation of the website (e.g., language selection, security, shopping cart function)
• Statistical cookies – help us understand the use of our website
• Marketing cookies – enable the display of interest-based advertising

Legal basis for processing:

• Art. 6 (1) (f) GDPR for technically necessary cookies – legitimate interest in a functional website
• Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG for all non-essential cookies – consent via the cookie banner

Your settings:

You can manage your cookie settings via our cookie banner (Consent Tool). Furthermore, your browser allows you to individually control cookies, delete them, or generally prevent them from being set. Disabling this option may limit the functionality of our website.

Use of Borlabs Cookies:

Our website uses the consent technology of Borlabs GmbH, Rübenkamp 32, 22305 Hamburg (“Borlabs”) to obtain your consent to the storage of certain cookies or the use of certain technologies and to document this consent in compliance with data protection regulations.

When you visit our website, a Borlabs cookie is stored in your browser, which stores the consent you have given or the revocation of your consent. This data is not transmitted to Borlabs.

You can change or revoke your stored consent at any time using the corresponding link on our website. Further information:

https://borlabs.io/kb/what-information-does-borlabs-cookie-store/

Legal basis for Borlabs Cookie:

• Art. 6 (1) (c) GDPR – legal obligation to obtain and document consent.

10. Tracking and analysis tools

To better understand user behavior on our website and continuously improve our offering, we use tracking and analysis tools. These tools help us statistically evaluate data such as visit numbers, length of stay, pages viewed, and navigation on the website.

a. Google Tag Manager

We use Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used exclusively to manage and integrate tracking tools and other services. Google Tag Manager itself does not process any personal data. However, your IP address may be recorded and transmitted to Google servers in the USA.

Further information on international data transfer can be found in the section “Data transfer to third countries / USA.”

This service is used on the basis of Art. 6 (1) (f) GDPR – our legitimate interest in the easy integration of tools. If consent has been requested, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG. Consent can be revoked at any time.

Google is certified according to the EU-US Data Privacy Framework (DPF):

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

b. Google Analytics

This website uses Google Analytics to analyze user behavior. The provider is also Google Ireland Limited, Dublin, Ireland.

Google Analytics collects, among other things, the following information:

• Page views and length of stay
• User origin (referrer)
• Operating system and device used
• Mouse movements, clicks, and scrolling behavior

Google uses cookies and other technologies (e.g., device fingerprinting) to recognize users. Google also uses modeling approaches and machine learning to evaluate usage behavior.

The information is generally transmitted to servers in the USA. The transmission is based on the EU Commission’s standard contractual clauses. Google is also DPF-certified.

Further information on international data transfer can be found in the section “Data transfer to third countries / USA.”

Legal basis:

• Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG – your consent via the cookie banner.

Possibility of objection:

You can prevent Google Analytics from collecting your data at any time:

• About our cookie settings
• Using a browser add-on: https://tools.google.com/dlpage/gaoptout?hl=de

Further information:

https://support.google.com/analytics/answer/6004245?hl=de

https://privacy.google.com/businesses/controllerterms/mccs/

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

11. Plugins and tools

General information on embedded content

Please note: Even when loading embedded content (e.g., map services, social media feeds, or plugins), technical information may be transferred to third-party platforms – even without your active intervention. This includes, in particular, your IP address, device type, browser used, and, if applicable, cookies. This data processing is carried out under the sole responsibility of the respective platform operator under data protection law.
For further information, please refer to the sections on the individual services.

a. Google Fonts (local hosting)

Our website uses Google Fonts, provided by Google, to ensure consistent font display. Google Fonts are installed locally on our server. There is no connection to Google servers.

Further information about Google Fonts can be found at: https://developers.google.com/fonts/faq

Google’s Privacy Policy:

https://policies.google.com/privacy?hl=en

b. Google Maps

This website uses the Google Maps map service. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

To use the features of Google Maps, it is necessary to save your IP address. This address is usually transmitted to Google servers in the USA. If Google Maps is activated, Google can also load Google Fonts for the purpose of consistent font display.

Further information on international data transfer can be found in the section “Data transfer to third countries / USA.”

Legal basis:

• Art. 6 (1) (f) GDPR – legitimate interest in an appealing presentation of our online offering and easy findability of our locations
• Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG – provided consent has been given for the reloading of content

Google is certified under the EU-US Data Privacy Framework. Further information:

https://privacy.google.com/businesses/gdprcontrollerterms

https://policies.google.com/privacy?hl=en

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

The general information on embedded content applies (see above).

c. Google reCAPTCHA

To protect our forms, we use Google reCAPTCHA. The provider is Google Ireland Limited, Dublin.

reCAPTCHA checks whether the data was entered by a human and analyzes, among other things, the IP address, mouse movements, and the length of time the user visits the site. This data is forwarded to Google and processed.

Further information on international data transfer can be found in the section “Data transfer to third countries / USA.”

Legal basis:

• Art. 6 (1) (f) GDPR – our legitimate interest in protection against misuse and automated access
• Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG – if consent for reCAPTCHA is requested

Further information:

https://policies.google.com/privacy?hl=en

https://policies.google.com/terms?hl=en

https://www.dataprivacyframework.gov/participant/5780

d. Instagram Feed

We integrate content from our Instagram channel on our website to give you an impression of our hotels and current activities. Content is embedded directly from the Instagram platform (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

When loading this content, personal data—in particular your IP address, information about the browser used, and possibly other technical data—may be transmitted to Meta, even if you do not have an Instagram account or are not logged in. The content is loaded directly. If you do not want this to happen, do not reload the page or block social media content in your browser.

Further information on international data transfer can be found in the section “Data transfer to third countries / USA.”

Legal basis for processing:

• Art. 6 (1) (f) GDPR – our legitimate interest in an appealing presentation of our hotel brand and customer communication via social media,
• Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG – if consent is required to display embedded content.

Meta is certified under the EU-US Data Privacy Framework. Further information on data processing by Instagram/Meta can be found at:

https://privacycenter.instagram.com/policy

The general information on embedded content applies (see above).

e. Facebook Plugin

Our website contains a plug-in from the social network Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. When you load a page with the integrated Facebook logo, your IP address may be transmitted to Facebook, even without you actively clicking on it. If you are logged in, Meta can assign the visit to your user account.

Further information on international data transfer can be found in the section “Data transfer to third countries / USA.”

Legal basis:

• Art. 6 (1) (f) GDPR – legitimate interest in our online presence
• Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG – if data is transferred without active interaction

Meta is certified under the EU-US Data Privacy Framework. Privacy Policy:

https://www.facebook.com/about/privacy

The general information on embedded content applies (see above).

f. TikTok Plugin

Our website also contains a plug-in from the social network TikTok (provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, Ireland). Here, too, a connection to TikTok can be established when you access the page, and data (e.g., IP address, device information) can be transmitted.

Further information on international data transfer can be found in the section “Data transfer to third countries / USA.”

Legal basis:

• Art. 6 (1) (f) GDPR – legitimate interest in the distribution of our content
• Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG – for cookie- or tracking-based plugins

More information:

https://www.tiktok.com/legal/page/eea/privacy-policy/

The general information on embedded content applies (see above).

g. Instagram Footer-Link

At the bottom of the page, there’s a simple link to our Instagram profile. This link itself does not transfer any data. Only by actively clicking on it will you leave our website and be subject to Instagram’s privacy policy.

Instagram privacy policy:

https://privacycenter.instagram.com/policy

Note on external content:

Embedding social media content and map services may result in third-party providers collecting data from you – even without you actively interacting with the plugin. These data transfers are the sole responsibility of the respective providers. H24 Hotels has no influence on the scope, content, or storage duration of data processing by third-party platforms.

12. Links to external providers

In our online magazine at https://h24hotels.com/magazin/, we occasionally link to content and offers from third parties (e.g., external articles, recommendations, or partner sites). When you click on such links, you leave our website. From this point on, data processing takes place by the respective third party, over which we have no control.

Please note that this external content is exclusively subject to the privacy policies of the respective third parties. We recommend that you familiarize yourself with their handling of your personal data.

13. Newsletter

If you sign up for our newsletter, we will use your email address to regularly send you information about offers, news, and relevant content related to H24 Hotels.

We use a data protection-compliant double opt-in process for sending emails: After registering, you will receive an email with a confirmation link. Your registration will only become effective after you click this link. Your consent will be logged.

Data processed:

• Email address
• IP address at the time of registration
• Date and time of registration and confirmation

Legal basis:

• Art. 6 (1) (a) GDPR – your express consent

You can revoke your consent at any time with future effect, e.g., via the unsubscribe link in the newsletter or by contacting us directly.

For delivery, we use a specialized service provider with whom we have concluded a data processing agreement in accordance with Art. 28 GDPR. Data processing takes place exclusively within the EU.

14. Data transfer to third countries / USA

This section supplements the information in the sections on Google, Meta, TikTok, and other US service providers.

Some of the services used on our website are provided by companies based outside the European Union or the European Economic Area, particularly in the USA (e.g., Google, Meta). Using these services may therefore result in the transfer of personal data to so-called third countries.

For the USA, the European Commission has had an adequacy decision in place since July 10, 2023, within the framework of the EU-U.S. Data Privacy Framework (DPF). Companies such as Google and Meta have joined this framework and thus offer an adequate level of data protection within the meaning of Art. 45 GDPR.

The data transfer to these certified providers is therefore based on this adequacy decision. Information on certification can be found at:

https://www.dataprivacyframework.gov/s/participant-search

If a provider is not certified, we base the transmission on standard contractual clauses of the EU Commission in accordance with Art. 46 (2) (c) GDPR, supplemented by additional protective measures (e.g. encryption, pseudonymization) to ensure an appropriate level of protection.

15. Your rights as a data subject

As a data subject within the meaning of the GDPR, you have the following rights in connection with the processing of your personal data by us:

Information (Article 15 GDPR):

You have the right to request information about whether and which of your personal data we process. This includes, among other things, information about the purposes of processing, the categories of personal data, the recipients, and the planned storage period.

Recognition (Article 16 GDPR):

You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data.

Erasure (Article 17 GDPR):

You have the right to request the erasure of your personal data, provided that there are no statutory retention periods or other legitimate reasons that prevent erasure.

Restriction of processing (Article 18 GDPR):

You can request the restriction of the processing of your personal data if, for example, you dispute the accuracy of the data or the processing is unlawful.

Data portability (Article 20 GDPR):

You have the right to receive your personal data in a structured, common, and machine-readable format or to request that it be transmitted to another controller.

Right to object (Article 21 GDPR):

If we process your data based on a legitimate interest, you have the right to object to the processing for reasons related to your particular situation.

Revocation of consent (Article 7 (3) GDPR):

You can revoke your consent at any time with future effect. The processing carried out up to that point remains lawful.

Right to lodge a complaint with a supervisory authority (Article 77 GDPR):

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

To exercise your rights, an informal notification to us is sufficient. You can find our contact details in the Legal Notice and at the beginning of this Privacy Policy.

16. Right of objection

If we process your personal data on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, you have the right to object to the processing at any time for reasons related to your particular situation. This also applies to profiling based on this provision.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising. This also applies to profiling insofar as it is related to such direct marketing.

After you object, the personal data will no longer be processed for direct marketing purposes.

The objection can be made informally and should, if possible, be addressed to the contact details provided above.

17. Data security and technical protective measures

We take appropriate technical and organizational security measures to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.

These include, among others:

• Encrypted transmission of data via our website using TLS/SSL encryption (recognizable by “https://” in your browser’s address bar),
• Access restrictions and controls at the server and database level,
• Regular security updates and system audits,
• Employee awareness and training on data protection and IT security,
• Conclusion of data processing agreements with external service providers.

Please note that data transmission over the Internet (e.g., when communicating via email) may be subject to security vulnerabilities. Absolute protection of data from third-party access is not possible. We therefore recommend that you transmit particularly confidential information securely (e.g., by mail or encrypted data transfer).

18. Changes to this privacy policy

Due to further developments of our website, the technologies used, changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. The current version of the privacy policy is available at any time on https://h24hotels.com/en/privacy-policy/.

We recommend that you regularly inform yourself about the current status of our privacy policy.