Privacy Policy

We are pleased that you are visiting our website. Protecting your personal data is very important to us. In this privacy policy, we explain which personal data we process, for what purposes, and on which legal basis.

As the controller, Ostseehaus Dreesen GmbH & Co. KG has implemented technical and organizational measures to protect personal data processed via this website. However, internet-based transmissions can contain security gaps; therefore, absolute protection cannot be guaranteed.

1. Definitions

This policy uses the terminology of the General Data Protection Regulation (GDPR). In particular:

  • Personal data: any information relating to an identified or identifiable natural person.
  • Data subject: the identified or identifiable natural person whose personal data is processed.
  • Processing: any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
  • Controller: the entity determining purposes and means.
  • Processor: a natural or legal person processing data on behalf of the controller.
  • Consent: freely given, specific, informed, unambiguous will.

2. Name and Address of the Controller

Ostseehaus Dreesen GmbH & Co. KG

Strandstraße 155

23669 Timmendorfer Strand, Germany

Phone: +49 4503 7794

Email: info@ostseehaus-dreesen.de

3. Cookies

We only use strictly necessary cookies and similar storage technologies. We currently do not use analytics or marketing cookies.

In particular, we use the following cookies/functions:

  • cc_cookie: Stores proof that you have seen the cookie notice (legal basis: Art. 6(1)(c) or Art. 6(1)(f) GDPR, depending on context).
  • Session and security cookies (e.g. for authentication/admin contexts): Required for secure technical operation and access control (Art. 6(1)(f) GDPR).
  • Payment and booking context (Stripe): During card payments, technically required cookies may be processed by Stripe in the payment context to perform the booking/payment contract (Art. 6(1)(b) GDPR).
  • NEXT_LOCALE: Stores your actively selected language as a convenience preference (Art. 6(1)(f) GDPR; you can delete this cookie in your browser at any time).

You can delete or block cookies in your browser at any time. Please note that this may limit website functionality.

4. Collection of General Data and Information

When you access our website, we automatically collect technical data (e.g. browser type, operating system, referrer URL, IP address, date and time) in server log files. This data is required for secure and stable website operation and to detect abuse.

5. Hosting and Content Delivery Networks (CDN)

We host this website with Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel may process log data including IP addresses to provide secure and performant hosting.

Privacy Policy: https://vercel.com/legal/privacy-policy

We also use Cloudinary Ltd., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA for media delivery and optimization.

Privacy Policy: https://cloudinary.com/privacy

6. Contact Possibilities via the Website

If you contact us by email or contact form, we process the data you provide to handle your request. For email transmission, we use technical service providers as processors. No further disclosure takes place without a legal basis.

7. Routine Deletion and Restriction of Personal Data

We process and store personal data only for as long as necessary for the purpose of processing or as required by statutory retention periods. After those periods expire, data is routinely deleted or restricted in accordance with legal requirements.

8. Rights of the Data Subject

You have the rights under Articles 15-22 GDPR, including: access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent at any time with future effect.

You also have the right to lodge a complaint with a supervisory authority.

9. Data Protection Regarding Facebook

We may link to or include Facebook content. The provider is Meta Platforms Ireland Ltd. (or Meta Platforms, Inc. where applicable). Facebook privacy information: https://de-de.facebook.com/about/privacy/.

10. Data Protection Regarding Instagram

We may link to or include Instagram content. The provider is Meta Platforms Ireland Ltd. (or Meta Platforms, Inc. where applicable). Instagram privacy information: https://help.instagram.com/155833707900388.

11. Booking System Smoobu

To manage occupancy and bookings, we use Smoobu (Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, Germany).

If you use booking-related functions, data such as name, contact details, travel data, and technical data (e.g. IP address) may be transmitted to Smoobu. Processing is based on Art. 6(1)(b) GDPR and our legitimate interests under Art. 6(1)(f) GDPR.

We have concluded a data processing agreement (DPA/AVV) with Smoobu.

Privacy Policy: https://www.smoobu.com/de/datenschutz/

12. Payment Method: Stripe

For card payments, we use Stripe. Payment data entered by the data subject is transmitted directly to Stripe and is not stored on our servers.

Provider for EU/EEA users: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland; otherwise Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.

Privacy Policy: https://stripe.com/de/privacy

13. Processing with Supabase (Database and Authentication)

We use services of Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992, especially for database and authentication functions in booking and administration processes.

Depending on usage, this may include master/contact data, booking data, technical metadata, and authentication data. Processing is based on Art. 6(1)(b), Art. 6(1)(c), and Art. 6(1)(f) GDPR.

We have concluded a data processing agreement with Supabase.

Privacy Policy: https://supabase.com/privacy

14. Email Delivery via SMTP Service Providers

For contact and transactional emails (e.g. booking confirmations and technical notifications), we use external SMTP services. Required recipient and message metadata is processed for delivery, reliability, and traceability based on Art. 6(1)(b) and Art. 6(1)(f) GDPR.

15. Fallback Processing via Upstash QStash

To ensure resilient booking workflows, we use Upstash QStash for delayed/signed server callbacks in exceptional processing cases. Technical and process-related metadata (e.g. booking references, timestamps, status information, logs) may be processed. Legal basis: Art. 6(1)(f) GDPR and, where applicable, Art. 6(1)(b) GDPR.

16. Processing in the Context of Ostseecard Reporting

Where required for your stay, we process identification, contact, and stay-related data for Ostseecard reporting and related obligations. Legal basis: Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(c) GDPR.

17. Legal Basis of Processing

We process personal data based on consent (Art. 6(1)(a) GDPR), contract performance and pre-contractual measures (Art. 6(1)(b) GDPR), legal obligations (Art. 6(1)(c) GDPR), and legitimate interests (Art. 6(1)(f) GDPR), depending on the specific processing purpose.

18. Legitimate Interests

Where processing is based on Art. 6(1)(f) GDPR, our legitimate interests include secure and reliable operation of our website and booking systems, prevention of abuse, and efficient customer communication and service delivery.

19. Retention Period

Personal data is stored for as long as required for the respective purposes and statutory retention obligations. Once the purpose no longer applies and retention periods expire, data is deleted routinely.

20. Statutory or Contractual Requirement to Provide Data

Providing personal data may be legally required or necessary for concluding a contract. Without required data, we may be unable to provide requested services or complete a contract.

21. Automated Decision-Making

As a responsible company, we do not use automated decision-making or profiling as defined by Art. 22 GDPR.

For legal notices in German, see the original German privacy policy text. You can switch language at any time using the site language switcher.

Return to imprint.