Privacy Policy

We manage our websites in accordance with the principles set out below:

We undertake to comply with the statutory provisions on data protection and endeavor to always take into account the principles of data avoidance and data minimization.

1. Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states of the European Union as well as other data protection regulations is:

Dr. Hövener Nachfolger Immobilien GmbH

Rothenburg 20/21
48143 Münster
Tel. +49 (0)251.29790370

E-mail: info@dr-hoevener.de
Website https://boardinghouse.jos-buero.de

2. Explanation of terms

3. Legal basis for processing data

a) Processing of personal data under GDPR

We only process your personal data, such as your surname and first name, your e-mail address and IP address, etc., if there is a legal basis for doing so. Under the General Data Protection Regulation, the following regulations apply here in particular:

6 (1)(1)(a) GDPR: The data subject has given consent to the processing of their personal data for one or more specific purposes.
6 (1)(1)(b) GDPR: The processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject's request.
6 (1)(1)(c) GDPR: Processing is necessary for compliance with a legal obligation to which the data controller is subject
6 (1)(1)(d) GDPR: Processing is necessary in order to protect the vital interests of the data subject or of another natural person
6 (1)(1)(e) GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
6 (1)(1)(f) GDPR: processing is necessary due to the legitimate interests of the data controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular when the data subject is a child.

However, we will point out the legal basis on which your personal data is processed once again in the relevant sections of this privacy policy.

b) Consent of the legal guardian pursuant to Art. 8 (1)(2)(2) GDPR

A parent or guardian must consent to all data processing on this website that requires the consent of a minor under the age of 16.

Information on the individual data processing operations, their purposes and the categories of data concerned, for which the consent of the data subject is required, can be found in the privacy policy.

You can revoke your consent at any time by sending a written revocation notice to the contact details of the data controller. Processing shall remain lawful until revocation.

c) Processing information pursuant to Section 25 (1) TTDSG (German Federal Act on Privacy in Telecommunications and Telemedia)

We also process information pursuant to Section 25 (1) of the TTDSG by storing information on your terminal equipment or accessing information that is already stored on your terminal equipment. This can be both personal information and non-personal information, e.g. cookies, browser fingerprints, advertising IDs, MAC addresses and IMEI numbers. Terminal equipment is any equipment connected directly or indirectly to the interface of a public telecommunications network for the transmission, processing or reception of messages, as set out in Section 2 (2) (6) TTDSG.

As a rule, we process this information on the basis of your consent, as set out in Section 25 (1) TTDSG.

If an exception exists pursuant to Section 25 (2) (1) and (2) TTDSG, we do not require consent. Such an exception exists, if we access or store information solely for the purpose of transmitting a message via a public telecommunications network or when it is strictly necessary for us to provide a telemedia service that you have specifically requested. You can revoke your consent at any time.

We would like to inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to the revocation.

4. Disclosure of personal data

The disclosure of personal data also constitutes processing within the meaning of the previous section 3. We would, however, like to inform you again about the issue of passing on information to third parties. Protecting your personal data is very important to us. For this reason, we are particularly careful when it comes to passing on your data to third parties.

We will therefore only disclose data to third parties if there is a legal basis for the processing. We will, for instance, disclose personal data to persons or companies that act as data processors for us pursuant to Art. 28 GDPR. A data processor is any person who processes personal data on our behalf – i.e. in particular someone in a relationship of instruction and control with us.

In accordance with the requirements of the GDPR, we conclude a contract with each of our data processors to oblige them to comply with data protection regulations to ensure comprehensive protection of your data.

5. Storage period and deletion

We will delete your personal data if it is no longer required for the purposes for which it was collected or otherwise processed; we will also delete your data if processing it is not necessary to exercise the right to freedom of expression and information, to comply with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.

6. SSL or TLS encryption

This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as the website operator. You can recognize an encrypted connection when the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

7. Cookies

We use cookies on our website. Cookies are small data packets that your browser automatically creates and that are stored on your terminal device when you visit our website. These cookies are used to store information in connection with the end device used.

When cookies are used, a distinction is made between technically necessary cookies and "other" cookies. Technically necessary cookies are absolutely necessary to provide you with an information society service that you have specifically requested.

a) Technically necessary cookies

In order to make our services more pleasant for you to use, we use technically necessary cookies; these might include session cookies (e.g. language and font selection, shopping cart, etc.), consent cookies, cookies to ensure server stability and security, or others. The legal basis for using cookies can be found in Art. 6 (1) (1) (f) GDPR, and results from our legitimate interest in the error-free operation of the website and the interest in providing our services to you in an optimized manner.

b) Other cookies

Other cookies include cookies for statistical, analysis, marketing and retargeting purposes.

We use these cookies for you based on your consent pursuant to Section 6 (1) (1) (a) GDPR.

You can revoke your consent on the use of cookies at any time.

We would like to inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to the revocation.

To revoke your consent, you can either edit your cookie settings on our website, deactivate the use of cookies in your browser settings (this may, however, restrict the functionality of our online service) or set an opt-out for the relevant service in individual cases.

Our privacy policy explains the legal basis on which specific data is processed for any given service.

Change cookie settings

8. Cookie banner

To obtain consent for the cookies we use, we use the cookie banner of the service provider devowl.io GmbH, Tannet 12, 94539 Grafling
Germany. This service sets a consent cookie in order to query and process the respective status of consent. This consent cookie is technically necessary and is therefore used on the basis of our legitimate interest pursuant to Art. 6 (1) (1) (f) GDPR, Section 25 (1) TTDSG.

9. Collection and storage of personal data, their type and purpose of use

a) External hosting

Our website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. For this reason, all personal data collected on our website is stored on our host’s servers, unless an external service of a third party is involved. This may include the IP address, your e-mail address, communication data or similar. In the following, we explain what specific personal data is involved for the individual functions and services. If we use an external third-party service, this will be stated clearly in the description of the respective service or tool.

The host only processes your data on our instructions and to the extent to which it is necessary to fulfil the services on the website. The host does not process any data for its own purposes. We have concluded a data processing contract with the host.

b) Contractual relationship

(1) Booking requests

You can book apartments via our website. Within the scope of the establishment of the contractual relationship, only personal data absolutely necessary for the performance of the contract is processed pursuant to Art. 6 (1) (1) (b) GDPR.

In order to use the booking form, it is necessary to enter a booking period, a first and last name so the system can determine a personal salutation, and a valid e-mail address, any additional optional services desired as well as the desired payment method, so that we know who the booking comes from and are able to process your booking.

In addition, you can send us further data, such as your telephone number, your address, preferred check-in times and a personal message. We use this voluntarily provided information to offer a customer-friendly service and to constantly improve it.

We process this data on the basis of your consent pursuant to Art. 6 (1) (1) (a) GDPR. You can revoke this consent at any time for the future. The processing of your data shall remain lawful until we receive your revocation.

We use the booking system provided by Smoobu GmbH
Pappelallee 78/79, 10437 Berlin for our apartment bookings. The data you provide will therefore also be processed by our booking provider while operating the booking system. Furthermore, other cookies may be set by the booking system. For this reason, we have concluded a contract for commissioned data processing with the booking system provider.

Further information on data protection can be found at:
https://www.smoobu.com/de/datenschutz/

We also pass on the data collected during the booking process (your first and last name and your booking period) to our service provider ebuero AG, Hauptstraße 8, 10827 Berlin, which provides call center services for us. This service provider has been contracted by us to answer questions about your booking outside of our business hours. For this reason, we have concluded a contract for commissioned data processing with this provider as well, pursuant to Art. 28 (3) GDPR.

Further information on data protection can be found at: https://www.ebuero.de/datenschutz

(2) Disclosure of data when using online payment service providers

Should you decide to pay with one of the online payment service providers available in the booking process, our booking system will transmit your contact details to the respective provider as part of the reservation made by you. The legitimacy of forwarding this data results from Art. 6 (1) (1) (b) GDPR, for the implementation of the payment method selected by you as well as from our legitimate interests pursuant to Art. 6 (1) (1) (f) GDPR to enable user-friendly and uncomplicated payment processing.

Personal data transmitted to the online payment service provider is usually a person’s first name, last name, address, telephone number, IP address, e-mail address, or other data required to process a reservation, as well as data related to the reservation, such as booked service, invoice amount and taxes in percent, invoice information, etc.

This transmission is necessary to process your reservation with the payment method you have selected, in particular to confirm your identity, to process your payment and to manage customer relations.

However, please note: Personal data may also be disclosed by the online payment service provider to other service providers, subcontractors or other affiliated companies, if this is necessary to fulfil the contractual obligations arising from your reservation or if the online payment service provider commissions a data processor to process personal data.

Depending on the selected payment method, e.g. invoice or direct debit, the provider will transmit the personal data collected in this process to credit agencies. This transmission serves to check your identity and creditworthiness in relation to the reservation you have made. You can find out which credit agencies are involved and which data is generally collected, processed, stored and passed on by the respective provider in the respective providers’ data protection declarations:

PayPal
PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg unter https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Stripe
Stripe Payments Europe, Ltd, Grand Canal Street Lower, Grand Canal Dock, Dublin, Irland, dpo@stripe.com, https://stripe.com/de/privacy

(3) Credit card payment

If you choose to pay by credit card, your personal data will be processed by the provider of our booking system and will be forwarded to the card-issuing institution to process your payment and to meet legal requirements, such as customer authentication in accordance with the EU Payment Services Directive PSD2. This is data required by the MV 3-D Secure Protocol and Core Functions Specification.

This data is forwarded to process your payment pursuant to Art. 6 (1) (1) (b) GDPR as well as to fulfil our legal obligation to carry out strong customer authentication pursuant to Art. 6 (1) (1) (c) GDPR in conjunction with Directive EU 2015/2366 (PSD 2) or the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG) for anti-money laundering and criminal prosecution.

Technical processing of credit card payments is carried out by the payment service provider

Stripe Payments Europe, Ltd, Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. This service was commissioned for the technical control of payment transactions including the implementation of the 3D Secure 2.0 procedure pursuant to Art. 28 GDPR. Other recipients of the data are the banks involved (the card-issuing bank/ the issuer and the merchant's credit card-accepting bank/ the acquirer).

You can find Stripe's privacy policy at https://stripe.com/de/privacy.

c) Contact form

We provide a form on our website to enable you to contact us at any time. In order to use the contact form, it is necessary to enter a name so the system can determine a personal salutation; a valid e-mail address is also required, so that we know who the inquiry comes from, can contact you and are able to process your inquiry.

If you send us inquiries via the contact form, your details provided in the enquiry form, including contact details and your IP address, will be processed in accordance with Art. 6 (1) (1) (b) and f GDPR for the purpose of carrying out pre-contractual measures in response to your inquiry or for the exercise of our legitimate interest, i.e. to carry out our business activities.

The inquiries and the data provided in this context, will be deleted 3 months after receipt at the latest, unless they are required for a further contractual relationship.

d) Reviews

Our website offers the possibility to leave a review for our apartments after your visit. If you would like to write a review, your name, email address, visitor category, travel period and rating of price/performance, facilities and location will be requested and processed. You can also leave a comment.

The legal basis results from Art. 6 (1) (1) (f) GDPR to exercise legitimate interests: the storage of this data is necessary for our security as we can be prosecuted for unlawful content on our website.

e) Use of Google Maps

Our website uses the Google Maps API. When using Google Maps, information about your use of this website (including your IP address) may be transmitted to and stored by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) on servers in the United States.

Google may transfer the information obtained through Maps to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, your IP address will under no circumstances be associated with any other data stored by Google. Nevertheless, we must point out that it is technically possible for Google to identify individual users on the basis of the data received.

We have no influence on whether your personal data and personality profiles are processed by Google for other purposes. If you want to avoid this by all means, you can deactivate the Google Maps service to prevent data from being transferred to Google. To do this, you simply need to deactivate JavaScript in your browser. In this case, no data will be transferred, but you will no longer be able to use the map display on our website.

You can find Google’s privacy policy hier. [https://www.google.com/policies/privacy/?hl=de]

The integration of Google Maps also results in Google Fonts being displayed by Google without intervention by the website operator or visitor. The integration of these web fonts takes place via a server call, usually a Google server in the USA. In the process, the following may be transmitted to the server and stored by Google:

Name and version of the browser used
Website the request was triggered from (referrer URL)
Operating system of your computer
Screen resolution of your computer
IP address of the requesting computer
Language settings of the browser or operating system the user is using

You can find more information in Google's privacy policy, which you can access here:

www.google.com/fonts#AboutPlace:about
www.google.com/policies/privacy/

The use of Google Maps is a service we offer so that you can see exactly where we are and, if necessary, plan your visit to us better. The use of Google Maps is based on your consent pursuant to Art. 6 (1) (1) (a) GDPR.

f) 360° videos

We offer 360° iFrame videos of our apartments on our website to provide our website visitors with virtual tours of our property.

We use the service Spacewerk service provided by RW Grundbesitz GmbH, Dahlweg 120a, 48153 Münster, who create the videos for us and embed them via iFrame.

The videos are integrated via the 3-D data platform Matterport, a service of Matterport, Inc, 352 E. Java Dr. Sunnyvale, CA 94089, USA.

When you visit one of our pages that contains such a virtual tour, a connection is established to Matterport's servers and Matterport receives your IP address in the process. The information collected by Matterport is transmitted to the Matterport server in the USA. If you are logged into your Matterport account, you enable Matterport to associate your surfing behavior directly with your personal profile. You can prevent this by logging out of your Matterport account.

By integrating Matterport, the Content Delivery Network services Embedly (A Medium Corporation, 799 Market St., 5th Floor San Francisco, CA 94103, USA) and Cloudflare (Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA) are also automatically integrated without the intervention of the website operator or visitor.

The Content Delivery Network services help deliver the 360-degree videos on our website properly, securely and faster using regionally or internationally distributed servers.
When you access the 360-degree videos, you connect to Embedly and Cloudflare servers, which also operate servers in the USA. Technically, the information transfer between your browser and our website is routed via the network of Embedly or Cloudflare. This enables Embedly and Cloudflare to analyze traffic between your browser and our website and act as a filter between our servers and potentially malicious traffic from the internet.

We have a legitimate interest in providing a website that is as error-free and secure as possible and in protecting our website from abusive data traffic.

To this end, Embedly and Cloudflare may also use cookies (see section 7) or other technologies (see also section 3 b) to recognize internet users, but these will only be used for the purpose described here. The information generated by the cookie about your use of this website such as

Name and version of the browser used
Betriebssystem Ihres Rechners
Webseite, von der aus der Zugriff erfolgt (Referrer-URL)
The IP address of the requesting computer
Time of the server request

are usually transferred to a server of Embedly or Cloudflare in the USA and stored there.

We have concluded the new standard contractual clauses with Embedly and Cloudflare.

Further information on data processing by Embedly is available at http://embed.ly/legal/privacy

For further information on data processing by Cloudflare, please visit https://www.cloudflare.com/de-de/privacypolicy/

The use of our 360° videos is based on your consent pursuant to Art. 6 (1) (p) (a) GDPR. You can revoke this consent at any time for the future. The processing of your data shall remain lawful until we receive your revocation.

We have concluded the new standard contractual clauses with Matterport. Matterport does not acquire any right to disclose your data.

For further information on data processing by Matterport, please visit https://matterport.com/legal/privacy-policy/.

For further information on data processing by Spacewerk, please visit https://www.spacewerk.de/datenschutzerklrung

10. Rights of the data subject

You have the following rights:

a) Information

In accordance with Art. 15 GDPR, you have the right to request information about your personal data processed by us. This right to information includes information about:

Processing purposes
Categories of personal data
The recipients or categories of recipients to whom your data have been or will be disclosed
The planned storage period or at least the criteria for determining the storage period
The existence of a right to rectification, erasure, restriction of processing or objection
The existence of a right of appeal to a supervisory authority
The origin of your personal data, if it has not been collected by us
The existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details

b) Correction

In accordance with Art. 16 GDPR, you have the right to have incorrect or incomplete personal data stored by us corrected without delay.

c) Deletion

In accordance with Art. 17 GDPR, you have the right to request immediate deletion of your personal data stored by us, if further processing is not necessary for one of the following reasons:

The personal data is still necessary for the purposes for which they were collected or otherwise processed
To exercise the right to freedom of expression and information
To comply with a legal obligation which requires processing under the law of the European Union or the Member States to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
For reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR
To achieve purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, if the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing
To assert, exercise or defend legal claims

(d) Restriction of processing

In accordance with Art. 18 GDPR, you may request the restriction of the processing of your personal data for one of the following reasons:

You dispute the accuracy of your personal data.
The processing is unlawful and you object to the erasure of your personal data.
We no longer need your personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims.
• You object to the processing pursuant to Art. 21 (1) GDPR.

e) Information

If you have requested rectification or erasure of your personal data or a restriction of processing pursuant to Art. 16, Art. 17 or Art. 18 GDPR, we will notify all recipients to whom your personal data has been disclosed unless this proves impossible or involves a disproportionate effort. You can request that we tell you who these recipients are.

f) Transmission

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format.

You also have the right to request that this data be transferred to a third party if the processing was carried out with the aid of automated procedures and is based on consent pursuant to Art. 6 (1) (1) (a) or Art. 9 (2) (a) or based on a contract pursuant to Art. 6 (1) (1) (b) GDPR.

g) Revocation

In accordance with Art. 7 (3) GDPR, you have the right to revoke your consent at any time. A revocation of consent does not affect the lawfulness of data processing carried out on the basis of your consent prior to the revocation. In the future, we may no longer continue data processing that was based on your revoked consent.

h) Complaint

In accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority if you believe that the processing of your personal data violates the GDPR.

(i) Contradiction

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) (1) (f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, if there are grounds for doing so that arise from your particular situation or the objection relates to direct advertising. In the latter case, you have a general right of objection, which is implemented by us without specifying the particular situation. If you wish to exercise your right of revocation or objection, simply send an e-mail to info@dr-hoevener.de.

j) Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or that significantly affect you in a similar fashion. This shall not apply if the decision

is necessary for the conclusion or performance of a contract between you and us
is permitted by legislation of the European Union or of the Member States to which we are subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests
is taken with your explicit consent

However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2)(a) or (g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

With regard to the cases referred to in i) and iii), we shall take reasonable measures to safeguard all rights and freedoms and your legitimate interests, including at least the right to demand that one of our agents take action, to express your point of view and to contest the decision.

11. Amendment of the privacy policy

Should any changes to the privacy policy be made, we will indicate these changes on the website.

Dated: June 7, 2023