HomePrivacy Policy

Privacy Policy

Information on the protection of your personal data

Last updated: June 2026

Notice: this page still contains placeholders

Before launch all [bracketed placeholders] must be replaced with real company data. This box hides automatically once the env var `NEXT_PUBLIC_LEGAL_COMPLETE=true` is set.

1. Controller

The controller for data processing on this website is:

Stephanus und Christopher Farjou GbR
Reichenberger Str. 18
71638 Ludwigsburg, Germany
E-Mail: datenschutz@hotelvisor.de

Authorized partners: Stephanus Farjou, Christopher Farjou

2. Data Protection Officer

We are not legally required to appoint a Data Protection Officer. For questions about data protection or to exercise your rights, please contact us at:
E-Mail: datenschutz@hotelvisor.de

3. Principles of Data Processing

We process personal data only to the extent necessary to provide a functional website and our content and services. Processing is based on consent (Art. 6(1)(a) GDPR), contract performance or pre-contractual measures (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), or legitimate interests (Art. 6(1)(f) GDPR).

4. Data Collection When Visiting Our Website

4.1 Server Log Files

Each time you access our website, the following data is automatically transmitted and stored:

IP address of the requesting device (anonymized after 30 days)
Date and time of access
Name and URL of the retrieved file
Referring website (referrer URL)
Browser used and operating system

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is ensuring trouble-free operation and the security of our systems.

4.2 Hosting (Vercel)

Our website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. On our behalf, Vercel processes the data required to deliver the website (in particular access data). A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place. For data transfers to the USA, see section 8.

Legal basis: Art. 6(1)(f) GDPR (secure and efficient provision).

4.3 Database, Authentication & Storage (Supabase)

For our database, user accounts (authentication) and storage of uploaded files we use Supabase Inc. The servers are located in the European Union (Frankfurt am Main region). A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place.

Legal basis: Art. 6(1)(b) and (f) GDPR.

4.4 Reach Measurement (Plausible Analytics)

For statistical analysis of website usage we use Plausible Analytics, a service provided by Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia (EU). Plausible works without cookies and without any access to your device. No cross-device profiles are created, and your IP address is not stored permanently (it is used only to generate an anonymous, daily-rotating hash and is then discarded). Data is processed exclusively on servers within the EU.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in privacy-friendly reach measurement). As no access to your device takes place, no consent under § 25 TDDDG is required.

4.5 Bot and Abuse Protection (Cloudflare Turnstile)

To protect our forms (in particular when submitting reviews) from automated access and abuse, we use “Turnstile” by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. This processes technical information such as the IP address and browser/device characteristics in order to distinguish human users from bots. Turnstile largely avoids analyzing user behavior. For data transfers to the USA, see section 8.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing spam and abuse).

5. Data Processing When Using Our Services

5.1 Submitting Hotel Reviews

When you submit a review, we process:

Review text, title, rating categories and overall rating
Travel period and travel type
Email address (optional, for follow-up questions)
IP address and browser fingerprint (to detect abuse and duplicate submissions)

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in quality assurance and fraud prevention).

5.2 Booking Proofs (Proof Uploads)

To verify reviews, booking proofs may be uploaded. These are stored in private, access-restricted storage (Supabase Storage, EU server location) accessible only to the verification team.

Important notes:

Bank details, credit card numbers and home address may and should be redacted.
Your name and hotel details (hotel name, stay date, booking number) must remain visible.
Proofs are automatically and irrevocably deleted after 90 days.
Early deletion is possible at any time upon request.

Legal basis: Art. 6(1)(a) GDPR (consent upon upload).

5.3 Add Hotel / Claim Hotel / Badge Application

When using our forms, we process:

Hotel name, address, contact details
Name, email address and phone number of the contact person
For claims: uploaded proof documents
Free-text messages

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(a) GDPR (consent).

5.4 Contact

When you contact us by email or contact form, your information is stored for processing the inquiry. We do not share this data without your consent.

Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

5.5 Email Dispatch (Resend)

For sending system and notification emails (e.g. confirmations, status messages) as well as operational communications, we use the Resend service provided by Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. We process the email address, name and message content. To ensure deliverability, we may measure whether an email was opened or a link within it was clicked. Every email contains an unsubscribe link; you may object to such analysis at any time. A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place. For data transfers to the USA, see section 8.

Legal basis: Art. 6(1)(b) GDPR (transactional emails) and Art. 6(1)(f) GDPR (operational communication, deliverability measurement).

6. Cookies, Local Storage & Consent

We use only technically necessary cookies and local storage required to operate the website, in particular for login/session, storing your language and theme (light/dark) preference, the last selected hotel, and storing your cookie decision. These are exempt from consent under § 25(2) TDDDG.

We do not use tracking or advertising cookies and do not create cross-device profiles. For reach measurement we use only the cookieless tool Plausible (see section 4.4), which operates without access to your device and without consent. We currently do not use any marketing trackers.

7. Disclosure of Data to Third Parties

Your personal data is only transferred to third parties if:

You have given your express consent (Art. 6(1)(a) GDPR),
Transfer is necessary for contract performance (Art. 6(1)(b) GDPR),
A legal obligation exists (Art. 6(1)(c) GDPR),
Transfer is necessary to protect legitimate interests and there is no overriding interest on your part (Art. 6(1)(f) GDPR).

Where we use service providers as processors (e.g. hosting, database, email dispatch, bot protection), this is based on agreements pursuant to Art. 28 GDPR.

8. Data Transfer to Third Countries

Some of the services we use process data (also) in the USA, namely Vercel (hosting), Cloudflare (bot protection) and Resend (email dispatch). Where personal data is transferred to the USA or other third countries, this is based on an adequacy decision of the EU Commission (Art. 45 GDPR, EU-US Data Privacy Framework, where the provider is certified) and/or on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) together with supplementary safeguards.

9. Retention Periods

Data Type	Retention Period
Reviews	Permanent (until deletion upon request)
Booking proofs	90 days after upload, then automatic deletion
IP addresses (server logs)	30 days, then anonymization
IP addresses / fingerprint (abuse protection)	30 days, then anonymization
Contact inquiries	6 months after completion of processing
Hotel claim proofs	90 days after review
Email logs (delivery, opens/clicks)	12 months
User account data	Until the account is deleted
Invoicing / contract data	Statutory retention period (usually 10 years, § 147 AO)

10. Your Rights as a Data Subject

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR): You may request information about your processed data.
Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data.
Right to erasure (Art. 17 GDPR): You may request deletion of your data, provided no retention obligations apply.
Right to restriction (Art. 18 GDPR): You may request restriction of processing.
Right to data portability (Art. 20 GDPR): You may request your data in a machine-readable format.
Right to object (Art. 21 GDPR): You may object to processing based on Art. 6(1)(f) GDPR at any time.
Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent at any time with effect for the future.
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority.

To exercise your rights, please contact: datenschutz@hotelvisor.de

We will process your request without undue delay, at the latest within one month (Art. 12(3) GDPR).

11. Supervisory Authority

The data protection supervisory authority responsible for us is:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de

Notwithstanding the above, you may also contact the supervisory authority at your habitual place of residence.

12. Protection of Minors

Our services are intended for persons aged 16 and over. We do not knowingly collect data from children under 16. If we become aware of such data, we will delete it immediately.

13. Automated Decision-Making

No automated decision-making producing legal effects or similarly significant effects within the meaning of Art. 22(1) and (4) GDPR takes place.

14. SSL/TLS Encryption

This website uses SSL/TLS encryption for security purposes. You can recognize an encrypted connection by “https://” in the address bar and the lock icon in your browser.

15. Changes to This Privacy Policy

We reserve the right to update this privacy policy to comply with current legal requirements. The updated version will apply to your subsequent visits.