1. Privacy Policy

We appreciate your interest in our website and holiday apartments. Protecting your privacy is very important to us. The following information provides an overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. Below, we inform you in detail about how we handle your data in accordance with Article 13 of the GDPR.

Data collection on this website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the section "Information on the responsible body".

How do we collect your data? Your data is collected in two ways: firstly, when you provide it to us, for example, by entering information into a contact form; and secondly, automatically or with your consent when you visit our website, through our IT systems in server log files. This primarily includes technical data such as your internet browser, operating system, and the time of your visit. This data is collected automatically as soon as you access our website.

What do we use your data for?

Some data is collected to ensure the website functions correctly. Other data may be used to analyse your user behaviour.

Data collection for contract processing and when contacting us: We collect personal data when you provide it to us in connection with your booking or when contacting us (e.g., via contact form, online check-in, or email). This typically includes: name, address, email address, telephone number, identification data (e.g., ID card details), nationality, birth and travel dates, as well as order and other data related to fulfilling our contractual obligations (e.g., payment orders).

Purpose of processing

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a. to fulfill contractual obligations (Art. 6 para. 1 b GDPR)

We process this personal data, which we receive from you and other data subjects for the provision of the service and within the framework of our business relationship, for the execution of the contract, for processing your requests, for carrying out administration and needs analyses.

Examples:

• Review and optimisation of procedures for needs analysis for the purpose of direct customer contact,
• Advertising or market and opinion research, unless you have objected to the use of your data,
• Assertion of legal claims and defence in legal disputes, video surveillance to protect property rights, to collect evidence in cases of robbery and fraud or to prove access and entry (see also Section 4 BDSG),
• Measures for building and plant security (e.g. access controls),

b. within the framework of the balancing of interests (Art. 6 para. 1 f GDPR)

Where necessary, we process your data beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties. Examples:

• other payment and booking service providers or similar institutions to which we transfer personal data in order to carry out the business relationship with you (depending on the contract, e.g. Smoobu or Stripe)
• Service providers that we engage within the framework of data processing agreements. Other data recipients may be those entities to which you have given us your consent to transfer data or to which we are authorised to transfer personal data based on a balancing of interests.

c. based on your consent (Art. 6 para. 1 a GDPR)

If you have given us your consent to process your personal data for specific purposes (e.g., using your telephone and email address for advertising and newsletter distribution), the lawfulness of this processing is based on your consent. You can withdraw your consent at any time. This also applies to the withdrawal of declarations of consent that were given to us before the GDPR came into effect, i.e., before May 25, 2018. The withdrawal of consent does not affect the lawfulness of the data processing carried out before the withdrawal.

Data collection during booking

Due to local legal regulations in Italy, we are obliged to process and forward your data for the following purposes:

• Alloggiati Web: Notification of your personal details to the Italian Ministry of the Interior (Questura) pursuant to Art. 109 T.U.L.P.S.
• Ross 1000 / ISTAT: Statistical report of guest arrivals.
• Imposta di Soggiorno: For the purpose of calculating the tourist tax, the necessary data will be transmitted to the municipality of Lonato del Garda.

The legal basis for this data processing is the fulfillment of legal obligations to which we, as landlords in Italy, are subject (Art. 6 para. 1 lit. c GDPR).

Data transfer via tools in third countries or international organisations

Data is transferred to entities in countries outside the European Union (so-called third countries) to the extent that

• it is necessary for the execution of your orders (e.g. payment orders via Stripe and Swikly)
• If necessary, your personal data may be transferred to an IT service provider in the USA or another third country to ensure IT operations in compliance with the European level of data protection.

Analytics tools and third-party tools

When you visit this website, your browsing behaviour may be statistically analysed. This is done primarily using so-called analytics programs.

Detailed information about these analytics programs can be found in the following privacy policy.

You can contact us at any time with regard to this and other questions concerning data protection.

2. Hosting

SMOOBU

The provider is SMOOBU GmbH, Pappelallee 78/79, 10437 Berlin, Germany (hereinafter referred to as SMOOBU). When you visit our website, SMOOBU collects various log files, including your IP address. For details, please see SMOOBU's privacy policy: https://www.smoobu.com/en/privacy-policy/

The use of SMOOBU is based on Article 6(1)(f) GDPR. We have a legitimate interest in ensuring the most reliable presentation of our website possible. If corresponding consent has been requested, processing is carried out exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

Booking processing

We have concluded a data processing agreement (DPA) for the use of the aforementioned service. This is a legally required contract under data protection law, which ensures that the service provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

3. General information and mandatory disclosures

Note regarding the responsible body

The responsible entity for data processing on this website is: Villa 5 (trading name) - Petra Wieckhorst, Gert-Marcus-Str. 17, 22529 Hamburg, Germany, Telephone: 49 (0) 40 422 11 95, Contact: wieckhorstpetra (a) gmail.com, Tax ID: WCKPTR68H45Z112E, Regional Identification Code:[CIR], CIN (National Identification Code):[CIN]

The responsible entity is the natural person who, alone or jointly with others, decides on the purposes and means of processing personal data (e.g. names, email addresses, etc.).

SSL or TLS encryption

This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential information, such as orders or inquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the browser's address bar changes from "http://" to "https://" and by the lock symbol in your browser's address bar.

When SSL or TLS encryption is enabled, the data you send to us cannot be read by third parties.

Objection to advertising emails

The use of contact details published as part of the legal notice for sending unsolicited advertising and informational materials is hereby prohibited. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited advertising, such as spam emails.

4. Data collection on this website

Cookies

Our website uses so-called "cookies." Cookies are small data packets and do not harm your device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted after you leave our website. Persistent cookies remain stored on your device until you delete them yourself or until they are automatically deleted by your web browser.

Cookies can originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g., cookies for processing payment services).

Cookies serve various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g., the shopping cart function or the display of videos). Other cookies can be used to analyse user behaviour or for advertising purposes.

Cookies that are necessary for carrying out electronic communication, providing certain functions you have requested, or optimising the website (e.g., cookies for measuring website traffic) (necessary cookies) are stored on the basis of Article 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies to ensure the technically flawless and optimised provision of its services. If consent to the storage of cookies and similar recognition technologies has been requested, processing is carried out exclusively on the basis of this consent (Article 6(1)(a) GDPR and Section 25(1) TDDDG); this consent can be revoked at any time.

You can configure your browser to notify you when cookies are set and to allow cookies only in individual cases, to accept cookies in certain cases or to generally reject them, and to automatically delete cookies when you close your browser. Disabling cookies may limit the functionality of this website.

You can find information about which cookies and services are used on this website in this privacy policy.

Server log files

The website provider automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. This information includes:

• Browser type and browser version
• Operating system used
• Referrer URL
• Hostname of the accessing computer
• Time of server request
• P-Address

This data will not be combined with other data sources.

This data is collected on the basis of Article 6(1)(f) GDPR. The website operator has a legitimate interest in the technically flawless presentation and optimisation of its website – for this purpose, the server log files must be recorded.

Contact form, inquiry via email or telephone

When you contact us via contact form, email, or telephone, your inquiry, including all resulting personal data (name, inquiry), will be stored and processed by us for the purpose of handling your request. We will not share this data without your consent.

The processing of this data is based on Article 6(1)(b) GDPR if your request is related to the performance of a contract or is necessary for taking steps prior to entering into a contract. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Article 6(1)(f) GDPR) or on your consent (Article 6(1)(a) GDPR), if such consent has been obtained; you may withdraw your consent at any time.

The data you send us via contact requests will remain with us until you request its deletion, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions – in particular, statutory retention periods – remain unaffected.

5. Social Media

Instagram

This website integrates features of the Instagram service. These features are offered by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

When the social media element is active, a direct connection is established between your device and the Instagram server. Instagram then receives information about your visit to this website.

If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to this website with your user account. Please note that as the provider of this website, we have no knowledge of the content of the transmitted data or its use by Instagram.

The use of this service is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. This consent can be revoked at any time.

To the extent that personal data is collected on our website using the tool described here and forwarded to Facebook or Instagram, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). This joint responsibility is limited exclusively to the collection of the data and its transfer to Facebook or Instagram. The subsequent processing by Facebook or Instagram is not part of this joint responsibility. Our joint obligations are set out in a joint controllership agreement. You can find the text of this agreement at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using the Facebook or Instagram tool and for ensuring the tool's data protection-compliant implementation on our website. Facebook is responsible for the data security of its products. You can assert your data subject rights (e.g., requests for access) regarding data processed by Facebook or Instagram directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

Data transfers to the USA are based on the EU Commission's Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://privacycenter.instagram.com/policy/ and https://de-de.facebook.com/help/566994660333381.

Further information can be found in Instagram's privacy policy: https://privacycenter.instagram.com/policy/.

The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF commits to adhering to these data protection standards. Further information can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

6. Third-party services and analytics

A. Google Fonts

We use Google Fonts on this website for the consistent display of fonts. These are provided by Google Ireland Limited (“Google”). Since local integration via the system used (Smoobu) is not possible, your browser establishes a connection to Google's servers when the page loads. This allows Google to know that our website was accessed via your IP address.

The legal basis for this is our legitimate interest in an appealing and consistent presentation of our website (Art. 6 para. 1 lit. f GDPR). If corresponding consent has been requested via our cookie banner, the processing is based on Art. 6 para. 1 lit. a GDPR; this consent can be revoked at any time.

B. Google Analytics 4

If you have given your consent (Art. 6 para. 1 lit. a GDPR), we use Google Analytics 4, a web analytics service provided by Google Ireland Limited. GA4 uses cookies that enable analysis of your website usage. We use the IP anonymization function. The collected data is generally transferred to Google servers in the USA. You can withdraw your consent at any time via the cookie banner.

C. OpenStreetMap

We use the map service from OpenStreetMap (OSM). We integrate the map data from OpenStreetMap on the server of the OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. The United Kingdom is considered a data protection-safe third country. This means that the United Kingdom has a level of data protection equivalent to that of the European Union. When using OpenStreetMap maps, a connection is established to the servers of the OpenStreetMap Foundation. This may involve transmitting your IP address and other information about your activity on this website to the OSMF. OpenStreetMap may store cookies in your browser or use similar recognition technologies for this purpose.

The use of OpenStreetMap is in the interest of presenting our online services in an appealing way and making it easy to find the locations we have indicated on the website. This constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR. If corresponding consent has been obtained, processing is carried out exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's terminal equipment (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

D. Video surveillance

For the safety of our guests and the property, the outdoor areas (entrance/parking lot) are under video surveillance.

• Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR) for exercising the right of domicile and for securing property.
• Data retention period: The data is automatically saved after 48 hours and then automatically deleted/overwritten. Audio signals are not recorded. Monitoring is solely for the purpose of protecting property and controlling access.
• Note: The monitored areas are marked on site by signs.

7. Payment processing (Stripe and Swikly)

If you choose a payment method from the service provider Stripe, the payment processing will be handled by the payment service provider Stripe Payments Europe Ltd.

Your data (name, address, account number, bank code, credit card number, invoice amount, currency) will be transmitted solely for the purpose of payment processing. Further information on Stripe's privacy policy can be found at https://stripe.com/de/privacy and for Swikly: https://swikly.com/privacy-policy/.

8. Rights of Data Subjects

You have the right to receive information free of charge about the data we have stored about you, as well as, where applicable, the right to rectification, restriction of processing, or erasure of this data. If you have any questions, please contact us directly.

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence. Since the data controller is based in Germany, the Hamburg State Data Protection Authority, which is responsible for your place of residence, is the primary competent authority. Complaints can also be addressed to the Italian data protection authority (Garante per la protezione dei dati personali) because the property is located in Italy.