Privacy policy


Welcome to holidayheroes and our online presence, especially at www.holidayheroes.de.

We are pleased that we have aroused your interest in our region and our offers. We are very concerned about protecting your privacy and your personal data. The collection and use of your data is therefore always in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR), the Federal Data Protection Act (BDSG), the Telemedia Act (TMG) and the Data Protection and Privacy Act in telecommunications and telemedia (TTDSG).

Below we will inform you about what data we collect and how we process this data.

In addition, we may need to collect additional data about you when you apply for our deferred payment services; more information is available in paragraph 37.

In the following, we therefore inform you about which data we collect and how we process this data.


1. Person responsible

The person responsible for this online presence within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

holidayheroes

TRAVELSTORE sprl, a limited liability company under Belgian law, Managing Director: Mr. Yoni Alhadeff (Directeur Général), registered office: 11/4, Avenue Docteur Lemoine, 1070 Brussels, telephone 32.2.2621355, e-mail address team@holidayheroes.de

(hereinafter abbreviated as "holidayheroes")

The operation of our Facebook fan page constitutes processing under joint responsibility pursuant to Art. 26 GDPR. We ourselves have no influence on the processing of data by Facebook. The responsibility for the processing of the so-called Insights data and the fulfillment of corresponding obligations under the GDPR is assumed by Facebook. You can find further information at:

https://www.facebook.com/legal/terms/page_controller_addendum and at:

https://de-de.facebook.com/help/pages/insights


2. Personal data

Personal data within the meaning of Art. 4 No. 1 GDPR means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data is only stored insofar as this is necessary for the provision of the booked service, for compliance with legal requirements or for the purpose stated below.


3. Purpose of the collection of personal data

Personal data is processed on the following legal bases or for the following purposes: 

a. Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis. The lawfulness of the processing is given on the basis of your consent. 

You can withdraw your consent at any time. We would like to point out that the revocation is effective for the future and processing that took place before the revocation is not affected.

b. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

c. Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

d. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

e. Insofar as the protection of our legitimate interests is required, Art. 6 para. 1 lit. f GDPR serves as the legal basis.

This applies in particular to the following groups of cases:

  • Examination and optimization of procedures for needs analysis and direct customer approach,
  • Advertising, provided you have not objected to the use of your data,
  • Ensuring IT security and IT operations,
  • Prevention and investigation of criminal offenses,
  • Measures for business management and further development of services and products.

f. We also use the personal data stored by us to maintain customer relationships, for customer support (e.g. information on the course of your stay), to carry out our own advertising and marketing measures (e.g. sending catalogs or other postal advertising mailings) and for order processing. The legal basis for sending promotional emails in connection with bookings and orders is Section 7 (3) UWG.

g. Through your use of social media companies, usage profiles are created based on your usage behavior and used to display advertisements. Cookies are usually stored on your computer for this purpose. If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

h. Special information concerning our website: 

The collection of personal data becomes essential if you wish to book a stay or other service via our portal or use offers from us for the processing of which personal data is essential. This also includes voucher purchases and participation in competitions.

In accordance with the statutory regulations and in the interests of data economy, we only collect data that is required for the provision of this particular service. If we ask you to provide further information in our forms, this is always voluntary and marked as such.

If you book a stay or other service, the data collected will be used to process this booking, for advertising purposes and for statistical purposes in accordance with legal requirements.


4. Disclosure of personal data to third parties

Your personal data will only be passed on within the framework of the relevant regulations, in particular those relating to competition and data protection.

Insofar as this is necessary for the provision of the contractual service owed by us or legal obligations, your data will also be passed on to subcontractors or service providers to provide the service in our name or on our behalf (e.g. technical processing of postal and e-mail dispatch, customer service).

In addition, the data will be passed on to persons or companies to process your booking, in particular to hosts, hotels, local service providers and authorities, etc.

Your data will also be disclosed and transferred to third parties if we are obliged to do so by law or on the basis of legally binding court proceedings.

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided.


5. Transfer of the data to a third country or to an international organization 

Data will only be transferred to third countries (countries outside the European Economic Area - EEA) if this is necessary for the execution of our offers, required by law or if you have given us your consent. If required by law, we will inform you of the details. 

Among other things, we use tools from companies based in the USA or other third countries that are not secure under data protection law. If these tools are active, your personal data may be transferred to these third countries and processed there.

We would like to point out that a level of data protection comparable to that in the EU cannot be guaranteed in these countries. For example, US companies are obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this. It cannot be ruled out that US authorities, such as secret services, may process, evaluate and permanently store your data on US servers for surveillance purposes. We have no influence on this processing activity.


6. Security measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk within the meaning of Art. 32 GDPR.


7. Storage and deletion of data

Your personal data will be stored for the purposes stated under "Purpose of collecting personal data". The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data in accordance with Art. 17 para. 3 GDPR. If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted, i.e. the data is blocked and not processed for other purposes. This includes data that must be retained for tax law reasons.


8. Use of cookies and comparable technologies

Our Internet pages use so-called "cookies". Cookies are small text files and do not cause any damage to your end device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or they are automatically deleted by your web browser. In some cases, cookies from third-party companies may also be stored on your device when you use our online services (third-party cookies). These enable us or you to use certain services of the third-party company (e.g. cookies for processing payment services). 

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies are used to evaluate user behavior or display advertising. 

Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG); the consent can be revoked at any time. 

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted. 

If cookies are used by third-party companies or for analysis purposes, we will inform you about this separately in this privacy policy and, if necessary, request your consent.


9. Newsletter

You have the option of registering for our newsletter on our website. We process the personal data transmitted via the registration form in order to send you the individual newsletters. For the purpose of measuring reach and evaluating our email marketing campaigns, we collect data on your use of our newsletters, e.g. whether, how often and for how long you read them and which links you click on.

The legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. a GDPR, if applicable in conjunction with Section 7 para. 2 no. 3 UWG. We may also send you certain information by email on the basis of legal permission in accordance with Section 7 (3) UWG. You can revoke your consent at any time with effect for the future (e.g. via the "unsubscribe" link in the newsletter). If you exercise your right of revocation, we will delete the data concerned immediately, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter or after the purpose no longer applies. We reserve the right to delete or block e-mail addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. You can object to the storage if your interests outweigh our legitimate interest.

a. Hubspot

On our website, we use a cookie from the service provider Hubspot of HubSpot Inc, 25 First Street, Cambridge, MA 02141, USA or, in the case of use within the EU, HubSpot Ireland Limited, HubSpot House, One Sir John Rogerson's Quay, Dublin 2, Ireland (hereinafter "HubSpot") to record the individual websites and topics that a registered user views during their visits. Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. By registering on our homepage, we enable users to learn more about our company. For example, you can download content and provide your contact information. This information and the content of our website is stored on HubSpot's servers. We use all information collected exclusively to optimize our marketing measures.

You can view Hubspot's privacy policy at: 

https://legal.hubspot.com/privacy-policy?_ga=2.49766949.2042516961.1652774786-968170581.1652774786

Information on Hubspot's EU data protection regulations can be found at:

https://www.hubspot.com/de/data-privacy/privacy-shield

Information on the cookies used by HubSpot can be found at:

https://legal.hubspot.com/de/cookie-policy

The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. If you do not want Hubspot to collect and process the aforementioned data, you can refuse your consent or revoke it at any time with effect for the future. The personal data will be stored for as long as it is necessary to fulfill the purpose of processing. The data will be deleted as soon as it is no longer required to achieve the purpose.

As part of processing via HubSpot, data may be transferred to the USA. The security of the transfer is ensured by so-called standard contractual clauses, which guarantee that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent may serve as the legal basis for the transfer to third countries in accordance with Art. 49 para. 1 lit. a GDPR. 

b. ActiveTrail

We use ActiveTrail from ACTIVE TRAIL LTD - 513921072 Drech Begen 48, Tel Aviv - Jaffa, IL, to send our newsletter. This enables us to contact subscribers directly. In addition, we analyze your usage behavior in order to optimize our offer. The following personal data is passed on to ActiveTrail, among others: e-mail address, name.

ActiveTrail is the recipient of your personal data and acts as a processor for us when it comes to sending our newsletter. 

In addition, ActiveTrail collects the following personal data using cookies and other tracking methods: information about your end device (IP address, device information, operating system, browser ID, information about the application you use to read your emails and other information about hardware and internet connection). In addition, usage data such as date and time, when you opened the email / campaign and browser activities (e.g. which emails / websites were opened) are collected. ActiveTrail requires this data to ensure the security and reliability of the systems, compliance with the terms of use and the prevention of misuse. This corresponds to the legitimate interest of ActiveTrail (pursuant to Art. 6 para. 1 lit. f GDPR) and serves the execution of the contract (pursuant to Art. 6 para. 1 lit. b GDPR). ActiveTrail also analyzes performance data, such as email delivery statistics and other communication data. This information is used to compile usage and performance statistics for the services.

ActiveTrail also collects information about you from other sources. In an unspecified period and scope, personal data is collected via social media and other third-party data providers. We have no influence on this process. The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can withdraw your consent to the processing of your personal data at any time. The declaration of revocation does not affect the legality of the processing carried out to date. Your data will be processed for as long as we have your consent to do so. They will be deleted after termination of the contract between us and ), unless legal requirements make further storage necessary.

Further information on objection and removal options vis-à-vis ActiveTrail and the privacy policy can be found at:

https://www.activetrail.com/activetrail-general-data-protection-regulation-gdpr/


10. Contact form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass on this data without your consent. 

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.

We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions - in particular retention periods - remain unaffected.


11. Request by e-mail, telephone or instant messaging services

If you contact us by e-mail, telephone or fax, we will store and process your request, including all personal data (name, request), for the purpose of processing your request. We will not pass on this data without your consent. 

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.

The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.


12. Newsletter - Unsubscription

If you no longer wish to receive our newsletter or our advertising emails, click on the link: "Unsubscribe newsletter", which is included at the bottom of all emails we send. 


13. Automated decision in individual cases

A fully automated decision means that decisions are made by technical means without the direct involvement of a person.

Automated decision-making in accordance with Art. 22 GDPR does not take place on our website. In the event that we use this procedure in individual cases, we will inform you of this separately if required by law.


14. Use of data for profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

We do not process your data with the aim of evaluating certain personal aspects (profiling).


15. Use of Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in Ireland. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

The Google tracking codes on this website use the "anonymizeIp()" function, which means that IP addresses are only processed in abbreviated form in order to prevent them being directly linked to individuals. You can object to the collection and storage of data at any time with effect for the future. For the objection to be permanent, the browser used must accept cookies. Alternatively, you can object to the collection of data by using a Google browser plugin to prevent the information collected by cookies (including your IP address) from being sent to Google Ireland Limited and used by Google Ireland Limited. The following link will take you to the corresponding plugin: https://tools.google.com/dlpage/gaoptout?hl=de

The legal basis for the use of Google Analytics is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

You can find the privacy policy at:

https://policies.google.com/privacy?hl=en


16. Use of Google Web Fonts

Our online presence uses Google Fonts and the Google Fonts API to visually display fonts and symbols. When using Google Fonts, Google also collects, processes and uses data about the use of the fonts functions by visitors to the websites, unless the data is stored on the local servers of our online presence. 

You can find more information about data processing by Google in Google's privacy policy at http://www.google.com/privacypolicy.html. You can also change your settings there in the data protection center so that you can manage and protect your data.

The use of Google Web Fonts is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the uniform presentation of the typeface on its website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TTDSG. Consent can be revoked at any time. 

If your browser does not support web fonts, a standard font will be used by your computer.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: 

https://privacy.google.com/businesses/gdprcontrollerterms/ 

https://privacy.google.com/businesses/gdprcontrollerterms/sccs/ 

You can find more information on the handling of user data in Google's privacy policy: 

https://policies.google.com/privacy?hl=de


17. Use of Google Maps

Our online presence uses Google Maps and the Google Maps API to visually display a map and geographical information. When Google Maps is used, Google also collects, processes and uses data about the use of the Maps functions by visitors to the websites. The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the places we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time. 

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: 

https://privacy.google.com/businesses/gdprcontrollerterms/ 

https://privacy.google.com/businesses/gdprcontrollerterms/sccs/ 

You can find more information on the handling of user data in Google's privacy policy: 

https://policies.google.com/privacy?hl=de


18. Use of Mixpanel

Our online presence uses Mixpanel, of the company Mixpanel Inc, One Front Street, Floor 28, San Francisco, CA 94111, USA. Mixpanel supports us in the statistical evaluation of the use of our website in order to constantly optimize our Internet presence and make it more appealing to you as a user.

Mixpanel uses pixels that are integrated into our website for analysis purposes. Personal data such as the anonymized IP address, browser, browser version and operating system used are collected.

Mixpanel processes personal data in the USA, among other places. The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://mixpanel.com/legal/dpa/.

The legal basis for the use is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TTDSG. Consent can be revoked at any time.

Further information can be found in Mixpanel's privacy policy: https://mixpanel.com/legal/privacy-policy/


19. Reviews via Trusted Shops

If you have given us your express consent to this during or after your order by activating a corresponding checkbox or clicking on a button provided for this purpose ("Rate later"), we will send your e-mail address to Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Cologne (www.trustedshops.de) so that they can remind you by e-mail of the opportunity to submit a rating of your order. This consent can be revoked at any time by sending a message to the contact option described below or directly to Trusted Shops.

You can access the privacy policy of Trusted Shops at:

https://www.trustedshops.de/impressum-datenschutz/


20. Use of Facebook

Elements of the social network Facebook are integrated on this website. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries. 

An overview of the Facebook social media elements can be found here:

https://developers.facebook.com/docs/plugins/?locale=de_DE 

When the social media element is active, a direct connection is established between your end device and the Facebook server. Facebook receives the information that you have visited this website with your IP address. If you click on the Facebook "Like" button while you are logged into your Facebook account, you can link the content of this website to your Facebook profile. This allows Facebook to associate your visit to this website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Facebook. 

Further information on this can be found in Facebook's privacy policy at:

https://de-de.facebook.com/privacy/explanation

If consent has been obtained, the above-mentioned service is used on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the service is used on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the widest possible visibility in social media. 

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, there is joint responsibility (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The joint obligations have been set out in an agreement on joint processing. You can access the agreement at: 

https://de-de.facebook.com/legal/terms/page_controller_addendum

According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook. 

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data is generally processed within social networks for market research and advertising purposes.


21. Facebook Social Plugins

This website uses social plugins ("plugins") of the social network operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). The plugins can be recognized by one of the Facebook logos (hand with raised thumb) or are marked with the addition "Facebook Social Plugin". The list and appearance of the Facebook social plugins can be viewed here: 

https://developers.facebook.com/plugins 

When a web page of this website containing such a plugin is accessed, the browser used establishes a direct connection with the Facebook servers. The content of the plugin is transmitted by Facebook directly to the browser used, which integrates it into the website. The provider therefore has no influence on the scope of the data that Facebook collects with the help of this plugin and informs users according to its level of knowledge: by integrating the plugins, Facebook receives the information that the corresponding page of our website has been accessed. If the visitor is logged in to Facebook, Facebook can assign the visit to their Facebook account. If the visitor interacts with the plugins (for example, by clicking the "Like" button or posting a comment), the corresponding information is transmitted directly from their browser to Facebook and stored there. If the visitor is not a member of Facebook, it is still possible for Facebook to find out their IP address and store it.

We use the social plug-ins to offer you a better user experience on our website and so that Facebook can optimize our advertisements.

The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as the relevant rights and setting options for the protection of privacy can be found in Facebook's data protection information:

https://www.facebook.com/policy.php

If the visitor is a Facebook member and does not want Facebook to collect data about them via this website and link it to their member data stored on Facebook, the visitor must log out of Facebook before visiting this website. It is also possible to block Facebook social plugins with add-ons for the browser used, for example with the "Facebook Blocker".

If consent has been obtained, the above-mentioned service is used on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the service is used on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the widest possible visibility in social media. 

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, there is joint responsibility (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The joint obligations have been set out in an agreement on joint processing. You can access the agreement at: 

https://de-de.facebook.com/legal/terms/page_controller_addendum

According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

Further information on this can be found in Facebook's privacy policy at:

https://de-de.facebook.com/privacy/explanation.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data is generally processed within social networks for market research and advertising purposes.


22. Use of Twitter

Functions of the Twitter service are integrated on this website. These functions are offered by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

When the social media element is active, a direct connection is established between your device and the Twitter server. Twitter thereby receives information about your visit to this website. By using Twitter and the "Re-Tweet" function, the websites you visit are linked to your Twitter account and made known to other users. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Twitter. Further information on this can be found in Twitter's privacy policy at: 

https://twitter.com/de/privacy and at:

https://help.twitter.com/de/rules-and-policies/data-processing-legal-bases

If consent has been obtained, the above-mentioned service is used on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the service is used on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the widest possible visibility in social media.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: 

https://gdpr.twitter.com/en/controller-to-controller-transfers.html

You can change your data protection settings on Twitter in the account settings at:

https://twitter.com/account/settings 

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data is generally processed within social networks for market research and advertising purposes.


23. Use of Instagram

Functions of the Instagram service are integrated on this website. These functions are offered by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. 

When the social media element is active, a direct connection is established between your device and the Instagram server. Instagram then receives information about your visit to this website. If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate your visit to this website with your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by Instagram. Insofar as consent has been obtained, the use of the above-mentioned service is based on Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the service is used on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the widest possible visibility in social media. 

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook or Instagram, there is joint responsibility in accordance with Art. 26 GDPR. The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook or Instagram. The processing carried out by Facebook or Instagram after forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. You can access the agreement at: 

https://de-de.facebook.com/legal/terms/page_controller_addendum

According to this agreement, we are responsible for providing data protection information when using the Facebook or Instagram tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook and Instagram products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook or Instagram directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

Further information on this can be found in Instagram's privacy policy:

https://instagram.com/about/legal/privacy/

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data is generally processed within social networks for market research and advertising purposes.


24. Use of Pinterest 

On this website, we use elements of the social network Pinterest, which is operated by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. 

When you access a page that contains such an element, your browser establishes a direct connection to the Pinterest servers. This social media element transmits log data to the Pinterest server in the USA. This log data may contain your IP address, the address of the websites visited that also contain Pinterest functions, the type and settings of the browser, the date and time of the request, your use of Pinterest and cookies.

If consent has been obtained, the above-mentioned service is used on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the service is used on the basis of our legitimate interest in the widest possible visibility in social media in accordance with Art. 6 para. 1 lit. f GDPR.

Further information on the purpose, scope and further processing and use of the data by Pinterest as well as your rights and options for protecting your privacy in this regard can be found in Pinterest's privacy policy:

https://policy.pinterest.com/de/privacy-policy

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data is usually processed within social networks for market research and advertising purposes.


25. Use of the Facebook conversion pixel

This website uses the "Facebook pixel" of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). This allows the behavior of users to be tracked after they have seen or clicked on a Facebook ad. This process is used to evaluate the effectiveness of Facebook ads for statistical and market research purposes and can help to optimize future advertising measures.

The data collected is anonymous to us, so it does not allow us to draw any conclusions about the identity of users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook privacy policy (https://www.facebook.com/about/privacy/). The user can enable Facebook and its partners to place advertisements on and outside of Facebook. It may also store a cookie on your computer for these purposes.
By visiting our website and our Facebook page, you consent to the use of cookies. To generally object to the use of cookies on the computer, the Internet browser can be set so that no more cookies can be stored on the computer in the future or cookies that have already been stored are deleted. However, deactivating all cookies may mean that some functions on our website can no longer be executed. 

The user can also deactivate the use of cookies by third-party providers such as Facebook on the following website of the Digital Advertising Alliance:

https://www.aboutads.info/choices/

If consent has been obtained, the above-mentioned service is used on the basis of Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. Consent can be revoked at any time. If no consent has been obtained, the service is used on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the widest possible visibility in social media. 

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, there is joint responsibility (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing carried out by Facebook after forwarding is not part of the joint responsibility. The joint obligations have been set out in an agreement on joint processing. You can access the agreement at: 

https://de-de.facebook.com/legal/terms/page_controller_addendum

According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.

Further information on this can be found in Facebook's privacy policy at:

https://de-de.facebook.com/privacy/explanation.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data is generally processed within social networks for market research and advertising purposes.


26. Use of the Xing social plugin

This website uses social media plugins from the social network Xing, which is operated by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany ("XING"). The "social plugins" are recognizable by the XING logo, a stylized "X" made of opposing arrows in green. When this website is accessed, a short-term connection to XING servers is established via the user's browser, with which the "XING share button" functions (in particular the calculation/display of the counter value) are provided. XING does not store any of the user's personal data when this service is accessed. In particular, XING does not store any IP addresses. There is also no evaluation of user behavior through the use of cookies in connection with the "XING Share Button". Users can access the latest data protection information on the "XING share button" and additional information on this website: https://www.xing.com/app/share?op=data_protection

If you have given us your consent, this consent is the legal basis for data processing in accordance with Art. 6 (1) GDPR. Your data will be stored and processed on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data within social networks is generally processed for market research and advertising purposes.


27. Use of the LinkedIn social plugin

This website uses plugins from the social network LinkedIn, which is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"). Please note that the plugin establishes a connection between your internet browser and the LinkedIn server when you visit our website. LinkedIn is thus informed that this website has been visited with your IP address. If you click on the LinkedIn "Recommend button" and are logged into your LinkedIn account at the same time, you have the option of linking content from our website to your LinkedIn profile page. In doing so, you enable LinkedIn to associate your visit to our website with you or your user account. You should be aware that we have no knowledge of the content of the data transmitted or its use by LinkedIn.

For further details on the collection of data and your legal options and settings options, please contact LinkedIn at:

https://de.linkedin.com/legal/privacy-policy

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights. Furthermore, user data within social networks is generally processed for market research and advertising purposes.

 

28. Use of etracker

Our website uses technologies from etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com) to collect and store data for marketing and optimization purposes. This data can be used to create user profiles under a pseudonym. Cookies can be used for this purpose. Cookies are small text files that are stored locally in the cache of the website visitor's Internet browser. Cookies make it possible to recognize the Internet browser. The data collected using etracker technologies will not be used to personally identify the visitor to this website and will not be merged with personal data about the bearer of the pseudonym without the separately granted consent of the person concerned.

The collection and storage of data can be revoked at any time with effect for the future. In order to revoke the collection and storage of your visitor data for the future, you can obtain an opt-out cookie from etracker under the following link, which means that no visitor data from your browser will be collected and stored by etracker in the future: 

http://www.etracker.de/privacy?et=V23Jbb

This sets an opt-out cookie with the name "cntcookie" from etracker. Please do not delete this cookie as long as you wish to maintain your opt-out. 

Further information can be found in etracker's privacy policy:

https://www.etracker.com/datenschutzerklaerung/


29. Use of YouTube

This website uses a link to YouTube from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We use the "extended data protection mode" when embedding, so that usage information is only transmitted when the video is started. In this case, the specific page of our website you visit and the video you watch are transmitted. If you are logged into your YouTube account, you enable YouTube to assign your page views directly to your personal profile.

If you want to ensure that no data about you is stored by YouTube, do not click on the embedded videos. The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TTDSG. Consent can be revoked at any time. 

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: 

https://privacy.google.com/businesses/gdprcontrollerterms/ and 

https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

Further information on the handling of user data can be found in Google's privacy policy at: 

https://policies.google.com/privacy?hl=de


30. Use of Hotjar

This website uses the software Hotjar (Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta). Hotjar enables us to measure and evaluate user behavior (mouse movements, clicks, scroll height, etc.) on our website. For this purpose, Hotjar places cookies on users' end devices and can store user data such as browser information, operating system, time spent on the site, etc. in anonymized form. You can prevent this data processing by Hotjar by deactivating the use of cookies in your web browser settings and deleting cookies that are already active. You can find out more about data processing by Hotjar at: 

https://www.hotjar.com/legal/policies/privacy/

 

31. Use of Lucky Orange

This website uses the web analysis tool Lucky Orange (Lucky Orange LLC, 8665 W 96th St Suite #100, Overland Park, KS 66212, USA).

Lucky Orange enables us to measure and evaluate user behavior on our website. For this purpose, Lucky Orange places cookies on users' end devices and can store user data and user behavior such as mouse movements, time spent on the site, etc. in anonymized form.

The use of Lucky Orange is in the interest of an appealing presentation of our website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TTDSG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission.

If you wish to deactivate data collection by Lucky Orange, click on the following link and follow the instructions there: http://help.luckyorange.com 

Further information on the handling of user data can be found in Lucky Orange's privacy policy: https://www.luckyorange.com/legal/privacy.

 

32. Use of Olark

This website uses the live chat of Olark, a service of Olark Inc, 427 N Tatnall St #63602, Wilmington, DE 19801, which allows us to contact and support visitors to the website. During the chat connection, the location, IP address, browser and website visited are displayed to us. Once the connection has ended, we no longer have access to this data. 

Olark places cookies on your computer to make it easier for you to surf our website. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. 

You can find Olark's privacy policy at: 

https://www.olark.com/privacy-policy


33. Use of reCaptcha

We use the reCaptcha service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland on our website. The purpose of using reCaptcha is to check whether the data entry on the homepage is made by a human or by an automated program. In doing so, reCaptcha analyzes the behavior of the website visitor based on various characteristics, whereby the analysis begins automatically as soon as the website visitor accesses the website. For the analysis, reCAPTCHA then evaluates various information such as IP address, time spent on the website by the website visitor, etc. The data collected during the analysis is forwarded to Google. reCAPTCHA analyses run in the background and website visitors are not informed that an analysis is taking place.

The data is stored and analyzed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM. 

If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device within the meaning of the TTDSG. Consent can be revoked at any time. 

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: 

https://privacy.google.com/businesses/gdprcontrollerterms/ and 

https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

Further information on the handling of user data can be found in Google's privacy policy at: 

https://policies.google.com/privacy?hl=de


34. Right to information / right of revocation; further rights of data subjects

You have the right: 

• to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of appeal, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information on its details;

• in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us; 

• in accordance with Art. 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims; 

• in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR; 

• in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller; 

• in accordance with Art. 7 para. 3 GDPR, to revoke your consent to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future and 

• to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

• Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR):

If data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on this provision. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims (objection pursuant to Art. 21 (1) GDPR).

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct marketing (objection pursuant to Art. 21 (2) GDPR).

You are of course entitled to these rights free of charge. To revoke your consent to the use of data, to request information or the correction, blocking or deletion or to exercise the other rights of data subjects, please contact:

team@holidayheroes.de

We would like to point out that you can most easily assert your data subject rights in connection with your social media use against the social media companies and that you can make further settings options there to protect your privacy with the social media companies.

 

35. Competent supervisory authority

You can contact the supervisory authority responsible for you for complaints within the meaning of Art. 77 GDPR using the following contact details:

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18

91522 Ansbach 

Telephone: +49 (0) 89 12 08 67 74 

Fax: +49 (0) 89 12 08 67 74 

E-Mail: poststelle@lda.bayern.de

 

36. Security, questions and suggestions

Security depends not least on your system. You should always treat your access information confidentially, never allow passwords to be saved by the web browser and close the web browser window when you end your visit to our website. This will make it more difficult for third parties to access your personal data.

Use an operating system that can manage user rights. Set up several users on your system, even within the family, and never use the Internet with administrator rights. Use security software such as virus scanners and firewalls and keep your system up to date.

 

37. Privacy information relating to deferred payment services

1. Holidayheroes / Travelstore (“Merchant”) offers customers online deferred payment services. If you select to pay using deferred payment services, the Merchant assumes the credit risk associated with the transaction and therefore may assign the purchase price claims to a Partnering Finance Provider (“Partnering Finance Provider”).

2. In doing so, Noosa, the technical service provider (“Noosa”), processes personal data. This Data Privacy Statement provides comprehensive information on the processing of personal data and data protection rights when using the Merchant’s deferred payment services.

3. Insofar as the processing of payment transactions is affected, the Merchant is the data controller and the responsible party and Noosa is the data processor within the meaning of the EU General Data Protection Regulation (GDPR), Ritterstr. 12-14, D-10969 Berlin, Germany, registered in the Commercial Register of the Charlottenburg (Berlin) District Court under HRB 124156 B (“we”, “us” or “Merchant”).
Merchant deferred payment services are offered in cooperation with Noosa and possibly with Partnering Finance Providers. Therefore, when processing the payment transactions, we transmit your personal data to Noosa and, in the case of assignment of your claims arising from the purchase between you and us, Noosa as our data processor transmits the data to the Partnering Finance Providers.

4. Below you can find the contact information:
Noosa Innovation Contact Details
Noosa Innovation BV 
27 Hamatzbeim St
Tel Aviv, 6993516
ISRAEL
+972-54-4620053
corporate-bv@noosa.io
Noosa Innovation EU Data Representative
Ametros Ltd
Unit 3D
North Point House
North Point Business Park
New Mallow Road
Cork
Ireland
gdpr@ametrosgroup.com
www.ametrosgroup.com

5. Why does Noosa process your data?
5.1 We provide you with deferred payment services for your order and our technology service provider needs to process your data accordingly.
5.2 Purchase price claims arising from the contract between you and us can be subsequently assigned to the Partnering Finance Provider (factoring).
5.3 Offering deferred payment services requires the processing of your data. You will find more detailed information on this in the following data privacy provisions.

6. What data is processed?
6.1 For the above-mentioned purposes Noosa collects and processes the following data about you:
6.1.1 Personal data: First and last name, date of birth, address, e-mail address and telephone number.
6.1.2 Account data (for direct debits): Account holder, IBAN, BIC/SWIFT, bank.
6.1.3 Order data: Data on your current, past and/or future orders placed with the Merchant.
6.1.4 Creditworthiness data: Data, in particular from credit agencies and other cooperation partners, which provide information about your creditworthiness, such as details of enforceable claims against you and other creditworthiness data, always subject to the proviso that the use of this data is permitted under data protection law.
6.1.5 Sanction and PEP lists: Comparison of your data with lists of sanctioned and politically exposed persons. These lists contain information such as name, date of birth, place of birth, profession or position and the reason for inclusion in the list.
6.1.6 Technical data: Data on characteristics of the terminal device used by you, such as the IP address, browser version, language settings (“device-specific data”) and data on the use of the marketplace websites.
6.2 We, the Merchant, collect this data primarily to process your order in accordance with your desire to pay using deferred payment services. Noosa, as the data processor, collects creditworthiness data from credit agencies and information from service providers for the purposes of combating fraud.

7. Credit Risk analysis
7.1 As part of our risk analysis, Noosa processes your data to determine whether you will be able to meet your payment obligations and to protect you from fraudsters who may attempt to use your data to commit crimes. To do this, we determine the likelihood of proper payment in connection with the deferred payment services we offer you.
7.2 In order to carry out this credit risk analysis, we transmit your data to Noosa. Depending on the result of the risk analysis, you can use the relevant deferred payment services. If we use the so-called ‘regular customer concept’, data on your previous purchases are transmitted to Noosa by us to reduce risk and thus increase the approval of your deferred payment services request. We are the data controller and, thus, responsible for the transmission and processing of personal data within the course of the regular customer concept. Noosa solely processes your personal data in this regard as a data processor on our behalf as the Merchant.
7.3 In the case the claim is assigned, the Partnering Finance Provider receives from Noosa the results of these credit risk analyses to the respective deferred payment services required prior to the assignment of the claim, and when we have assigned the claim in question, the Partnering Finance Provider becomes a processor of the data and Noosa then becomes the data sub-processor post assignment of the claim to the Partnering Finance Provider.
7.4 When conducting the risk analysis, Noosa determines the probability of proper payment (the “analysis result”). The analysis result is determined based on Noosa’s experience in the mathematical-statistical evaluation of the following data:
7.4.1 Information on the current order (price of the goods or services, details of the buyer or the person using the service, shopping basket level, technical data),
7.4.2 Information on orders already placed with the Merchant using the deferred payment services,
7.4.3 Details of your address,
7.4.4 Information from credit agencies, so-called “credit scores” (e.g. Schufa), as well as creditworthiness information. When using deferred payment services, creditworthiness data is stored in Noosa’s systems for a period of up to 12 months and used for risk assessment. In contrast, negative characteristics transmitted by credit agencies are used in Noosa’s systems for a maximum of 48 hours. The further use of the data in the productive systems serves to avoid multiple queries with credit agencies.
7.5 Based on the analysis result, we, the Merchant, will decide whether the desired deferred payment services can be offered to you. To this end, Noosa informs us whether the result of the credit risk analysis is positive or negative. In certain cases, Noosa also informs us of the reason for a negative analysis result (e.g. an incorrect address entry or insufficient creditworthiness). This transmission enables us to avoid unnecessary rejection regarding the selected deferred payment services, for example by informing customers of errors in entering an address. We have no access at any time to the data on which the credit risk analysis was based unless we have submitted it to Noosa ourselves.
7.6 By processing your data for credit risk analysis purposes, we protect you against possible over-indebtedness, fraudulent use of your personal data and ourselves against the risk of default. The processing of data is carried out in accordance with Art. 6 para. 1 lit. f) GDPR based on legitimate interests.

8. Cooperation with credit agencies
8.1 In addition to the other categories of data mentioned above, the analysis result is also based on the scores and ratings of credit agencies. Scoring and ratings are statistically based estimates of the future risk of a person defaulting on payments and are presented as a numerical value. In order to obtain these ratings from the credit agencies, Noosa first provides the credit agencies with data in connection with the conclusion of your contract with us.
8.2 If the payment to us in connection with the deferred payment services is not executed correctly, Noosa transmits the information on this delay to the credit agencies. This processing is in the interest of all participants in economic life, the avoidance of payment default and the overindebtedness of consumers and debtors and is therefore based on Art. 6 para. 1 lit. f) GDPR.
8.3 The list of credit agencies with which data can be exchanged can be found below:
● Crif GMBH
info.de@crif.com
www.crif.de/
● Schufa Holding AG
query form
www.schufa.de
● Creditreform e.V
info@creditreform.de
www.creditreform.com
● Seon Technologies
info@seon.io
www.seon.io
● Trulioo
info@trulioo.com
www.trulioo.com

9. Data processing in the performance of the contract
9.1 In order to enforce outstanding claims that were transferred to the Partnering Finance Provider, your data may be further transferred to collection agencies, which will then take over debt collection on their own responsibility. The legal basis of the processing is our and the Partnering Finance Provider’s legitimate interest in the collection of open claims according to Art. 6 para. 1 lit. f) GDPR.

10. Measures to combat fraud
10.1 In order to prevent the misuse of your data and to avoid financial losses, Noosa processes your data to detect fraudulent actions based on unusual usage behavior. In order to select service providers and to be able to detect and prevent fraud in advance, Noosa may transmit your data to service providers with whom Noosa works, who will use the technical data and order data for a plausibility check, for example to assess the risk of fraud when ordering from another address. To improve fraud detection, detected cases of fraud may be reported back to service providers.
10.2 Fraud prevention measures are based on the following information:
10.2.1 whether the User’s terminal device is currently communicating through a proxy connection or has done so in the past,
10.2.2 whether the terminal equipment has recently dialed in through different ISPs,
10.2.3 whether the geo-referencing of the terminal equipment changes frequently,
10.2.4 how many Internet transactions have recently been made through the device (without the ability to determine the nature of the transactions),
10.2.5 the likelihood that the terminal listed in the service provider’s database is actually the user’s terminal; and
10.2.6 whether information provided by the customer is plausible and conclusive.
10.3 Processing for the purpose of fraud prevention shall be based on legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR, in particular with regard to our obligations to prevent fraud as a payment service provider. Processing is also carried out in the interest of protecting your personal data from unauthorized use by third parties and in the Merchant’s interest in avoiding bad debts.

11. Other processing purposes and service providers
11.1 In order to comply with our legal obligation to check incoming payments for suspicion of money laundering, Noosa uses different service providers. These service providers are contractually obliged to process payment data exclusively in accordance with our instructions. Otherwise, processing for the purpose of checking for suspicion of money laundering is necessary to fulfill our legal obligations and is based on Art. 6 para. 1 lit. c) GDPR in conjunction with the duties of care arising from the Money Laundering Act.
11.2 To the extent permitted by data protection law, Noosa may also use your data for new purposes, such as the performance of data analyses and/or providing, further developing and securing their services and content. In addition, Noosa may use your data in compliance with relevant data protection laws for product development, optimization of business processes and the needs-based design of our services. The prerequisite for this is that these new purposes for which the data is to be used were not yet established or could not be foreseen when the data in question was collected and that the new purposes are compatible with those for which the data in question was originally collected. For example, new developments in the legal or technical field and new business models and services may lead to new processing purposes.
11.3 In order to provide the contractually specified services, Noosa uses software and IT service providers who act as processors and provide the necessary server and IT capacities. Noosa has set out the contractual obligations in respective data processing agreements. The processors are bound by Noosa’s instructions and may only process your data to fulfill the purposes specified in the respective data processing agreement.

12. Fulfillment of legal obligations
12.1 The merchant (us) and Noosa may disclose required information to authorities such as the police, tax authorities or other bodies, insofar as they are legally obliged to do so or the Merchant, Noosa and the Partnering Finance Provider have a legitimate interest in the disclosure. An example of such legally required disclosures is disclosure for the purpose of combating money laundering and terrorism.
12.2 Insofar as the merchant, Noosa and the Partnering Finance Provider are legally obliged to provide notification, the processing is based on Art. 6 para. 1 lit. c) GDPR. In all other respects, the legitimate interest of the merchant, Noosa and the Partnering Finance Provider pursuant to Art. 6 para. 1 lit. f) GDPR is the basis of the processing.

13. Consent
If you have given us your consent to the processing of personal data in accordance with Art. 6 para. 1 lit. a) GDPR, your consent is primarily the basis of the Merchant’s data processing. Which of your data the Merchant processes based on your consent depends on such assessment.

14. Transfer of data outside the EEA
In some cases, the Merchant and/or Noosa may need to transfer your data outside of the European Economic Area (EEA). If personal data is transferred to countries outside the EEA and no adequacy decision of the European Commission is available for this, we use standard contractual clauses of the European Commission, or there are binding internal data protection regulations to ensure an adequate level of data protection, a copy of which can be requested via the above-mentioned contact details, or we rely on the exemptions of Article 49 (1) of the GDPR.

15. Retention and storage of data
15.1 The Merchant and Noosa will retain the data collected about you in connection with the initiation and processing of the Agreement for a period of five years. This period begins at the end of the year in which the contract was concluded or at least initiated, and corresponds to the statutory period of limitation for civil law claims and therefore complies with the statutory retention obligations. The legal basis under data protection law for storing the data is Art. 6 (1) lit. c) GDPR in conjunction with the statutory retention obligations. In addition, the data is stored for the enforcement, defense and assertion of legal claims. The legal basis for storage for this purpose is in the legitimate interest of the Merchant and Noosa in this regard (Art. 6 para. 1 lit. f) GDPR).
15.2 Access to this data is subject to strict restrictions. In principle, none of our or Noosa’s employees have access to creditworthiness information. However, information relating to payment transactions in connection with claims assigned to the Partnering Finance Provider may be made available to such payment partners upon request, if and to the extent that the Partnering Finance Provider requires such information in order to comply with a legal obligation or official order. This shall only apply in cases in which an assignment of the corresponding claim is made to the Partnering Finance Provider. The legal basis for processing is the legitimate interest in this respect (Art. 6 para. 1 lit. f) GDPR).
15.3 After expiry of the retention period, your personal data will generally be blocked and, after expiry of the commercial and tax regulations applicable to us and/or other statutory retention obligations, will be permanently deleted or made anonymous. After that it is no longer possible to draw conclusions about your person. However, the anonymised data helps us to constantly optimize our credit risk analysis and our business model. The Merchant and Noosa therefore have a justified interest in the subsequent anonymisation of the data (Art. 6 para. 1 lit. f) GDPR).

16. Your rights with regard to data processing
16.1 Right of access to your processed data (Art. 15 GDPR)
You have the right to receive information about which of your data is processed by the Merchant and Noosa and to receive further information in accordance with Art. 15 GDPR in connection with data processing. On request, we will be pleased to provide you with this data and information as well as copies of the data.
16.2 Right to correction of your data (Art. 16 GDPR)
You have the right to ask for the rectification of your data if they are incorrect or – taking into account the purposes of the processing – incomplete.
16.3 Right of deletion (Art. 17 GDPR)
You have the right to erasure if the data is no longer needed, if its processing is unlawful or if one of the other cases mentioned in Art. 17 GDPR applies. In these cases the Merchant and Noosa will delete your data immediately.
16.4 Right to restrict the processing of your data (Art. 18 GDPR)
You have the right to request the restriction of the processing of your data in the cases mentioned in Art. 18 GDPR. This includes, among other things, the case that the merchant and Noosa process data at places or to an extent that makes the processing of data no longer lawful. Furthermore, the fact that data is subject to a retention obligation and that the Merchant and Noosa cannot therefore delete this data without further ado may be relevant. In this case, the Merchant and Noosa will restrict data processing as far as possible. In general, a “restriction” means that the data is still stored, but employees no longer have access to this data.
16.5 Right to data transferability (Art. 20 GDPR)
The “right to data transferability” gives you the right to receive the personal data concerning you that you have provided to us in the format described in Art. 20 GDPR. However, this does not include data that the Merchant and Noosa obtain as a result of processing (so-called processing results).
16.6 Right of objection to the types of processing based on Art. 6 para. 1 letter f) GDPR (Art. 21 GDPR)
The Merchant and Noosa will cease processing data based on Art. 6 para. 1 letter f) GDPR if you object to the processing (e.g. by e-mail or telephone) and your objection is justified.
16.7 Right of withdrawal (Art. 7 GDPR)
You may revoke the consent you gave the Merchant and Noosa at the time of the conclusion of the contract between you, the Merchant and Noosa at any time by notifying the merchant (e.g. by e-mail). If you revoke your consent, your data will no longer be processed based on this consent. The permissibility of data processing carried out based on your consent prior to revocation is not affected by the revocation; likewise, the permissibility of data processing on another legal basis is not affected by the revocation.
16.8 Right of appeal (Art. 77 GDPR)
You have the right to file a complaint with the Berlin data protection authority (Berlin Commissioner for Data Protection and Freedom of Information) or any other authority responsible for data protection.

17. Information in case of a rejection
17.1 How can a refusal be made?
Based on the credit risk assessment, the Merchant automatically decides whether to accept or reject your deferred payment request. It is possible that the deferred payment for processing your purchase may not be available for your order. Apart from reasons relating to creditworthiness, there may also be other reasons for this:
17.1.1 The combination of your name and address could not be found. This may be due to typing errors, relocation or marriages.
17.1.2 You have entered a different delivery address, a packing station or a company address instead of your registered address as billing address.
17.1.3 The personal shopping limit was exceeded with the order request. This can happen if there are still too many unpaid orders.
17.2 What can you do in case of rejection?
If your deferred payment services are not available, you can of course use another payment method offered by the Merchant. If you suspect that the rejection is due to incorrect data entry, for example, you can place the order again with the online merchant and enter the correct data. If there are still open or unpaid orders, please check and settle them. Contact the credit agency directly and check whether the data processed there is up-to-date and correct. If the reason for the rejection is still unclear from your point of view, you can approach the Merchant. Please use the contact form on our website for your inquiry.