PRIVACY POLICY
Information obligation pursuant to Article 13 of the GDPR
DAS ALPSPITZ As of May 2026
Data controller (Art. 13(1)(a) GDPR)
Name of the controller: Das Alpspitz, Nadin Luttinger
Address: Prof Giemsa Weg 2, 6633 Biberwier, Austria
Email: info@alpspitz.at
Telephone: +43 5673 2972
Purposes and legal bases of processing (Art. 13(1)(c), (d) GDPR)
The following sections describe all processing purposes, the data processed in this context, and the respective legal basis in accordance with Article 6 of the GDPR.
Booking processing and reservation management
Purpose of processing
Receipt, administration and confirmation of hotel reservations; drawing up the accommodation contract; room allocation; administration of cancellations and changes.
Legal basis
Article 6(1)(b) GDPR – performance of a contract (accommodation contract) or pre-contractual measures at the request of the data subject.
Legal basis
Section 6(1)(b) GDPR; Sections 1090 et seq. of the Austrian Civil Code (ABGB) (existing contract).
Types of data processed
First name, surname, title, email, telephone number, address, nationality, arrival/departure date, room category, number of guests, booking amount, reservation ID, booking channel, special requests.
Retention period / storage
Booking data is retained for the duration of the stay and for a further 7 years (tax retention obligation pursuant to Section 132 of the Austrian Federal Tax Code (BAO)).
Systems used: Apaleo PMS, Like Magic, SiteMinder (channel manager), booking portals (Booking.com, Expedia, Airbnb etc. as independent data controllers).
Online check-in, check-out and guest processes
Purpose of processing
Digital handling of the check-in and check-out process; provision of the digital guest folder; management of service requests and housekeeping tasks during the stay.
Legal basis
Art. 6(1)(b) GDPR – Performance of the accommodation contract.
Legal basis
Sections 1090 et seq. of the Austrian Civil Code (ABGB).
Types of data processed
First name, surname, date of birth, nationality, email, telephone number, room/stay details, communication content (automated messages), upselling preferences.
Retention period / storage
For the duration of the stay; communication logs for a maximum of 6 months after departure; deletion thereafter unless further retention obligations apply.
Systems used: Like Magic (LikeMagic AG, Switzerland), Apaleo PMS.
Statutory guest registration (registration system)
Purpose of processing
Electronic transmission of registration data for all hotel guests and accompanying travellers to the relevant local authority; requesting and managing registration numbers; transmission of overnight stay statistics.
Legal basis
Art. 6(1)(c) GDPR – compliance with a legal obligation to which the controller is subject.
Legal basis
Registration Act 1991 (MeldeG), Federal Law Gazette No. 9/1992 as amended, in particular Section 7 (Accommodation Providers), Section 8 (Registration Forms) and, where applicable, Section 15 MeldeG (Registration Obligation for Accommodation Establishments); Federal Statistics Act 2000; relevant provincial registration regulations.
Types of data processed
First name, surname, residential address (street, town, country), date of birth, gender (where collected), nationality, passport number, issuing country, expiry date of travel document, date of arrival, date of departure, number of nights, registration number (assigned by the local authority).
Retention period / storage
Registration data is retained in accordance with the statutory retention periods (7 years pursuant to Section 10(2) of the Registration Act 1991); thereafter, deletion in accordance with data protection regulations.
Systems used: Like Magic (collection of registration data), Apaleo PMS, FRIVA Digital Solutions GmbH (transmission interface), Feratel Media Technologies AG (tourism data platform), municipal programme of the local registration authority.
Payment processing
Purpose of processing
Processing of all payment transactions in connection with the booking and stay; authorisation, capture and reversal of payments; invoicing; fraud prevention; chargeback management.
Legal basis
Art. 6(1)(b) GDPR – performance of a contract (accommodation contract); Art. 6(1)(c) GDPR – compliance with tax obligations (obligation to issue receipts pursuant to Section 132a BAO, UStG).
Legal basis
Sections 1090 et seq. of the Austrian Civil Code (ABGB); Value Added Tax Act 1994 (UStG); Section 132 of the Federal Tax Code (BAO) (retention obligation for 7 years); PCI-DSS standard (Payment Card Industry Data Security Standard).
Types of data processed
Billing address, VAT ID (for business customers), transaction amount, currency, transaction history, payment status; via Adyen (PCI-DSS certified): credit card type, masked card number, expiry date, cardholder name, 3DS authentication data.
Retention period / storage
Billing data: 7 years (Section 132 BAO); payment card data is deleted or tokenised by Adyen upon completion of the transaction in accordance with PCI DSS requirements; CVV/CVC codes are not stored after authorisation.
Systems used: Adyen N.V. (Amsterdam, Netherlands) – PCI-DSS-certified payment service provider; Apaleo PMS.
Newsletters and marketing communications
Purpose of processing
Sending personalised offers, special promotions and newsletters via email or WhatsApp; building customer loyalty; invitations to submit reviews.
Legal basis
Art. 6(1)(a) GDPR – Consent of the data subject (voluntary, revocable at any time). For existing customers (previous booking): Art. 6(1)(f) GDPR in conjunction with Section 174 TKG 2021 (legitimate interest, direct marketing for similar services, opt-out option required).
Legal basis
Section 174 TKG 2021 (Telecommunications Act – direct marketing by email); GDPR Art. 7 (conditions for consent); UWG Section 107 (prohibition of unsolicited messages).
Types of data processed
First name, surname, email address, telephone number, language, nationality (if available), booking amount, check-in/check-out date, room category, consent status (opt-in/opt-out with timestamp).
Retention period / storage
Until consent is withdrawn; upon withdrawal, immediate deletion from mailing lists (within a maximum of 30 days); proof of consent is retained for 3 years following withdrawal.
Systems used: Smartness / Smartpricing S.r.l. (Bolzano, Italy) – SmartConnect (newsletter, WhatsApp, automated messages), SmartChat (chatbot), SmartReputation/Revyoos (review requests).
Note on the right to withdraw consent: Consent to receive marketing communications may be withdrawn at any time without giving reasons – by email to the data controller (see above), via the unsubscribe link in the newsletter, or directly to the hotel. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Revenue management and dynamic pricing
Purpose of processing
Analysis of occupancy data, historical booking data and market data for the automated calculation and publication of optimised room rates across all sales channels.
Legal basis
Art. 6(1)(f) GDPR – Legitimate interest of the controller (revenue optimisation, competitiveness). The processing primarily concerns aggregated booking data; individual personal data is used only in anonymised/aggregated form for price calculations.
Legal basis
Art. 6(1)(f) GDPR.
Types of data processed
Aggregated booking data (occupancy, booking period, room category, booking amount) – without direct reference to individuals in the price calculation.
Retention period / storage
Aggregated analysis data is stored for a maximum of 3 years.
Systems used: Smartness / Smartpricing S.r.l. (SmartPricing), SiteMinder (channel transmission of updated prices), Apaleo PMS.
Review management and online reputation
Purpose of processing
Automated collection of guest reviews from OTA platforms (Booking.com, Google, TripAdvisor, etc.); sending review requests after the stay; responding to reviews.
Legal basis
Art. 6(1)(f) GDPR – Legitimate interest (reputation management, quality assurance); for sending the review request by email, additionally Art. 6(1)(a) GDPR (consent) or Section 174 TKG 2021 (existing customer provision).
Legal basis
Section 174 of the Telecommunications Act 2021; Article 6(1)(f) of the GDPR.
Types of data processed
Email address, first name, location data (for personalised review requests); public review content from platforms (aggregated, without personal references in the analysis).
Retention period / storage
Review request logs: max. 6 months; aggregated review data: max. 3 years.
Systems used: Smartness / Smartpricing S.r.l. (Smart Reputation, Revyoos).
System automation and workflow integration
Purpose of processing
Automated transfer of non-personal or pseudonymised operational data between systems (e.g. daily order lists to suppliers, operational notifications). Where personal data is processed via automation in individual cases, the respective processing purpose set out in sections 2.1 to 2.7 applies.
Legal basis
Art. 6(1)(b) or (f) GDPR – depending on the specific automation process.
Legal basis
Art. 6(1)(b) and (f) GDPR.
Types of data processed
Depending on the specific workflow; predominantly operational data without direct reference to individuals. For workflows involving personal data: booking details, room numbers, guest names.
Retention period / storage
Temporary processing data is deleted upon completion of the workflow (max. 30 days’ log storage).
Systems used: Make / Celonis Inc. (New York, USA) – automation platform; Celonis SE (Munich) – EU-based data processor.
Recipients and categories of recipients (Art. 13(1)(e) GDPR)
Your personal data will be disclosed to the following recipients:
| Recipient / Category | Purpose of disclosure | Legal basis |
| --- | --- | --- |
| apaleo GmbH, Munich (DE) | Operation of the central PMS, data storage, automation | Art. 28 GDPR (Processing on behalf of the controller) |
| LikeMagic AG, Dübendorf (CH) | Guest journey, check-in/out, registration data collection | Art. 28 GDPR (data processing); transfer to a third country: adequacy decision CH |
| SiteMinder Ltd., Sydney (AU) | Booking transmission via sales channels | Art. 28 GDPR; transfer to third countries: SCCs pursuant to EU 2021/914 |
| Smartpricing S.r.l. (Smartness), Bolzano (IT) | Newsletters, marketing, revenue management, reviews | Art. 28 GDPR (Processing on behalf of the controller) |
| Adyen N.V., Amsterdam (Netherlands) | Payment processing (PCI DSS certified) | Article 28 GDPR (data processing) |
| FRIVA Digital Solutions GmbH, Gerasdorf (AT) | Electronic guest registration | Art. 28 GDPR (data processing) |
| Feratel Media Technologies AG, Innsbruck (AT) | Transfer of registration data to the local authority | Art. 28 GDPR; Art. 6(1)(c) (Registration Act) |
| Municipality of registration (Austrian local authority) | Fulfilment of the statutory registration obligation | Art. 6(1)(c) GDPR; Section 7 of the Registration Act 1991 |
| Celonis Inc. / Make, New York (USA) | System automation and workflow integration | Art. 28 GDPR; transfer to a third country: DPF / SCC in accordance with EU 2021/914 |
| Booking platforms (Booking.com, Expedia, Airbnb, etc.) | Booking agency; acting as an independent controller | Art. 6(1)(b) GDPR; the platforms’ own privacy policies |
Transfers to third countries (Art. 13(1)(f) GDPR)
The following transfers of personal data to countries outside the European Economic Area (EEA) take place:
| Recipients | Third country | Transfer mechanism | Primary source |
| --- | --- | --- | --- |
| LikeMagic AG | Switzerland | EU Commission adequacy decision (initial decision 26 July 2000; confirmed under the GDPR on 15 January 2024) | edoeb.admin.ch/en/adequacy; EUR-Lex 32000D0518 |
| SiteMinder Ltd. | Australia | EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021 – no adequacy decision for Australia | siteminder.com/legal/privacy/ and siteminder.com/legal/data-security/ |
| Celonis Inc. (Make) | USA | Primary: EU-US Data Privacy Framework (DPF) – Adequacy decision by the European Commission of 10 July 2023 (for DPF-certified US companies). Secondary: SCCs pursuant to (EU) 2021/914, Module 2 | make.com/data-processing-agreement.pdf; make.com/standard-contractual-clauses.pdf |
Duration of data storage (Art. 13(2)(a) GDPR)
Personal data is not stored for longer than is necessary for the respective processing purpose. The specific retention periods are based on the statutory minimum and maximum retention periods:
| Data category | Retention period | Legal basis for the retention obligation |
| --- | --- | --- |
| Booking and invoicing data | 7 years | Section 132 of the Federal Tax Code (BAO) |
| Registration data (guest registration) | 7 years | Section 10 of the Registration Act 1991; BAO |
| Payment card data | Tokenised/deleted after transaction completion in accordance with PCI-DSS; CVV/CVC not stored | PCI-DSS standard; Adyen guidelines |
| Communication data (emails, messages) | Max. 6 months after departure | Art. 5(1)(e) GDPR (data minimisation) |
| Marketing consent (proof) | 3 years after withdrawal | Art. 7(1) GDPR (duty to provide evidence) |
| Contract data (hotel operator) | 10 years after the end of the contract | Section 1489 of the Austrian Civil Code (ABGB) (general limitation period) |
| Technical logs / records | Max. 30–90 days | Art. 5(1)(e) GDPR |
| Applicant data (where collected) | 6 months after rejection | Art. 6(1)(f) GDPR |
Automated decision-making and profiling (Article 13(2)(f) of the GDPR)
No fully automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you.
Note: Adyen uses automated risk analysis systems (RevenueProtect) as part of its fraud prevention measures. These are used solely for payment security and may trigger a manual review, but do not result in any final legal decisions regarding the data subjects.
Cookies and tracking (website / online booking engine)
Cookies and similar technologies are used on the hotel website and in the online booking engine (operated via SiteMinder / Like Magic):
| Cookie category | Purpose | Provider | Legal basis |
| --- | --- | --- | --- |
| Technically necessary cookies | Website operation, session management, security | Own systems, SiteMinder, Like Magic | Art. 6(1)(b)/(f) GDPR; Section 165 TKG 2021 |
| Analytics cookies (pseudonymised) | Performance monitoring, user behaviour analysis | Datadog, Hotjar | Article 6(1)(a) of the GDPR (consent via cookie banner) |
| Analytics cookies (anonymised) | User behaviour analysis | | Not relevant due to anonymisation |
| Marketing/tracking cookies | Retargeting, conversion optimisation | Possibly Google Ads (via SiteMinder Demand Plus) | Article 6(1)(a) of the GDPR (consent) |
You can adjust your cookie settings at any time via the cookie banner on our website.
Rights of data subjects (Art. 13(2)(b)–(d) GDPR)
Under the GDPR, you have the following rights vis-à-vis the controller:
| Right | Content | Restrictions |
| --- | --- | --- |
| Right of access (Art. 15 GDPR) | You may request information about the personal data stored about you, its origin, recipients and the purpose of processing. | Rights of third parties; trade and business secrets |
| Rectification (Art. 16 GDPR) | You may have inaccurate or incomplete data rectified at any time. | – |
| Erasure (Art. 17 GDPR) | Under certain conditions, you may request the erasure of your data (‘right to be forgotten’). | Statutory retention obligations (Section 132 BAO, MeldeG) may prevent immediate erasure. |
| Restriction (Art. 18 GDPR) | You may request the restriction of the processing of your data (e.g. whilst a correction is being verified). | – |
| Data portability (Art. 20 GDPR) | You may receive your data in a structured, machine-readable format or request its transfer to another controller. | Applies only to data processed automatically on the basis of consent or a contract. |
| Objection (Art. 21 GDPR) | You may object at any time to the processing of your data on the basis of Article 6(1)(f) GDPR (legitimate interest), in particular to direct marketing. | |
| Withdrawal of consent (Art. 7(3) GDPR) | Consents (e.g. for newsletters) may be withdrawn at any time without giving reasons. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. | – |
| Complaint to the supervisory authority (Art. 77 GDPR) | You have the right to lodge a complaint with the Austrian Data Protection Authority. | Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna; dsb.gv.at |
Contact: Data Protection and Data Protection Authority
If you have any questions regarding data protection or the exercise of your rights, please contact:
Hotel data protection contact: See contact details at the top of the page (Data Controller)
Austrian Data Protection Authority: Barichgasse 40-42, 1030 Vienna | Tel: +43 1 531 15-202525 | Email: dsb@dsb.gv.at | Website: www.dsb.gv.at
This privacy policy complies with the requirements of Article 13 of the GDPR (duty to provide information when collecting data from the data subject) and is regularly reviewed to ensure it remains up to date. Last updated: May 2026. Any changes will be announced on the website.

