Privacy Policy
Privacy at a Glance
The protection of your personal data is of great importance to us. We want you to feel safe on our website and to be transparently informed about how we handle your data.
We deliberately rely on data-minimising technologies. Our website uses only technically necessary cookies and completely forgoes tracking cookies, Google Analytics, Facebook Pixel or comparable tracking services. For web analytics we use Plausible Analytics, a privacy-friendly solution that works without cookies, does not store IP addresses and does not require consent. Fonts are loaded locally from our servers, so no connections to Google servers are established.
When you visit our website, personal data is processed on the basis of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (TTDSG). Below we inform you in detail about the nature, scope and purpose of data processing.
Controller and Data Protection Officer
Controller
The controller within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection provisions is:
Sonnenhotels Nord GmbH & Co. KG
Nordhäuser Str. 1
D-38667 Bad Harzburg
Commercial register: Amtsgericht Braunschweig, HRA 201829
Phone: +49 (0) 5321 68554 0
Email: info@sonnenhotels.de
Website: www.sonnenhotels.de
Data Protection Officer
We have appointed an external data protection officer:
DataCo GmbH
Sandstraße 33, 80335 München
Phone: +49 89 7400 45840
Website: www.dataguard.de
If you have any questions about data protection or wish to exercise your data subject rights, you can contact our data protection officer at any time.
Legal Bases for Processing
The processing of personal data on our website is always carried out on the basis of a legal ground pursuant to Art. 6(1) GDPR. The following legal bases apply in particular:
- Consent (Art. 6(1)(a) GDPR): Where we obtain your consent for the processing of personal data, for example for sending our newsletter. You may revoke any consent given at any time with effect for the future.
- Performance of a contract (Art. 6(1)(b) GDPR): Where the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, in particular for hotel bookings and payment processing.
- Legal obligation (Art. 6(1)(c) GDPR): Where we are subject to a legal obligation, for example the retention of business documents under commercial and tax law.
- Legitimate interest (Art. 6(1)(f) GDPR): Where the processing is necessary to protect our legitimate interests or those of a third party and the interests, fundamental rights and freedoms of the data subject do not prevail.
Your Rights as a Data Subject
Right of Access (Art. 15 GDPR)
You have the right to obtain information about the personal data we process concerning you. This includes in particular information about the purposes of processing, the categories of personal data, the recipients and the planned retention period.
Right to Rectification (Art. 16 GDPR)
You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data.
Right to Erasure (Art. 17 GDPR)
You have the right to request the erasure of your personal data, provided that no statutory retention obligations or other exceptions apply.
Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request the restriction of the processing of your personal data, for example if you contest the accuracy of the data.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transfer to another controller.
Right to Object (Art. 21 GDPR)
Where we process your personal data on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing pursuant to Art. 21 GDPR.
Right to Withdraw Consent (Art. 7(3) GDPR)
You may withdraw any consent given at any time with effect for the future. The lawfulness of processing carried out on the basis of consent before its withdrawal shall not be affected.
Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us. The supervisory authority responsible for us is the State Commissioner for Data Protection of Lower Saxony, Prinzenstraße 5, 30159 Hannover.
A list of all data protection supervisory authorities in Germany can be found at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
Provision of the Website and Server Log Files
Each time our website is accessed, the system automatically collects technical data from the requesting computer: IP address, date and time of access, page accessed, referrer URL, browser and operating system, access provider and HTTP status code.
The temporary storage is technically necessary to enable the delivery of the website and to ensure system security.
Legal basis: Art. 6(1)(f) GDPR. Retention period: Log files are deleted after no more than 30 days.
Hosting
Our website is hosted on our own servers in Germany (self-hosting). No transfer of your data to third countries takes place in connection with hosting. The servers are operated by us and are located in a German data centre.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the reliable, fast and secure provision of our website.
Content Delivery and Image Hosting
For the optimised delivery of images, we currently use Cloudinary Ltd., Santa Clara, USA. When loading images, your browser establishes a connection to Cloudinary servers, whereby your IP address and browser information are transmitted.
Legal basis: Art. 6(1)(f) GDPR. Data transfer to the USA: Safeguarded by Standard Contractual Clauses (SCCs). We have concluded a data processing agreement pursuant to Art. 28 GDPR.
Cookies
We deliberately refrain from using tracking cookies and only use technically necessary cookies. We use neither Google Analytics nor Facebook Pixel, Google Tag Manager or comparable tracking technologies.
The use of technically necessary cookies is permitted without consent pursuant to Section 25(2) No. 2 TTDSG. The corresponding legal basis is Art. 6(1)(f) GDPR. Since we exclusively use technically necessary cookies, no cookie consent banner is required.
Web Analytics with Plausible Analytics
We use Plausible Analytics for the statistical evaluation of website usage (self-hosted on our own servers). Plausible does not set cookies, does not store IP addresses and does not collect any personal data. Only aggregated, anonymous statistics are generated. No consent is required. Since we self-host Plausible, the data does not leave our servers in Germany.
Hotel Booking via Apaleo
For the processing of hotel bookings, we currently use Apaleo GmbH, Munich. When making a booking, your name, contact details, booking details and payment information are processed.
Legal basis: Art. 6(1)(b) GDPR. Data processing in the EU: Apaleo processes data exclusively within the EU. We have concluded a data processing agreement pursuant to Art. 28 GDPR. Retention period: In accordance with commercial and tax law retention periods, up to 10 years.
Payment Processing via Stripe
For payment processing, we currently use Stripe Payments Europe Ltd., Dublin, Ireland. Stripe is PCI DSS Level 1 certified. Payment data (card data, name, billing address) is processed directly by Stripe and is not stored on our servers.
Legal basis: Art. 6(1)(b) GDPR. Stripe generally processes data within the EU. Where a transfer to the US parent company takes place, it is safeguarded by SCCs. Retention period: Transaction references up to 10 years.
Contact Form
When you use our contact form, your details (name, email, message) are processed on our own servers in Germany. No data is transferred to third-party providers.
Legal basis: Art. 6(1)(b) GDPR for booking enquiries, Art. 6(1)(f) GDPR for other enquiries. Retention period: Until the enquiry has been fully dealt with; where related to a contract, up to 10 years.
Newsletter via Brevo
For sending our newsletter, we currently use Brevo (Sendinblue SAS), Paris, France. Registration is carried out using the double opt-in procedure.
Legal basis: Art. 6(1)(a) GDPR. Brevo processes data within the EU. Withdrawal: At any time via the unsubscribe link in every newsletter email or by email to info@sonnenhotels.de. We have concluded a data processing agreement pursuant to Art. 28 GDPR.
Social Media Presence
We maintain online presences on Instagram and Facebook (Meta Platforms Ireland Ltd.). When you visit our profiles, data is collected by Meta. We and Meta are joint controllers within the meaning of Art. 26 GDPR. Meta is certified under the EU-U.S. Data Privacy Framework. We do not embed social media plugins on our website. Data is only transferred to Meta if you actively visit our social media profiles.
Legal basis: Art. 6(1)(f) GDPR.
Data Transfers to Third Countries
Some services are based outside the EU. Overview:
- Cloudinary (USA): SCCs
- Meta (Ireland/USA): DPF + SCCs
- Stripe (Ireland, possibly USA): SCCs
Services without third-country transfers: website hosting (own servers in Germany), Strapi CMS, Plausible Analytics, Apaleo, Brevo, contact form, Google Fonts (locally embedded).
Retention Periods
- Server log files: up to 14 days
- Booking data: up to 10 years (Section 147 AO)
- Payment data: up to 10 years (Section 147 AO)
- Contact enquiries: until completion of processing; where related to a contract, up to 10 years
- Newsletter data: until withdrawal; consent records up to 3 years after unsubscription
Automated Decision-Making
Automated decision-making including profiling pursuant to Art. 22 GDPR does not take place.
Fonts
We use Google Fonts embedded locally on our own servers. When accessing our website, no connection to Google servers is established. No personal data is transferred to Google.
Changes to this Privacy Policy
We reserve the right to amend this privacy policy as required. The current version is always available on our website.
As of: April 2026. This privacy policy was prepared with technical assistance. A review by a data protection lawyer is recommended.