Data Protection Regulation
Responsible
SHH GmbH
Triesterstraße 377
8055 Graz, Austria
Telephone: +43 316 3410 11
Email: privacy@shh-hotels.com
SHH GmbH is responsible within the meaning of the General Data Protection Regulation (GDPR).
General information on data processing
The protection of your personal data is very important to us. We process personal data.
Data is processed exclusively within the framework of applicable data protection laws, in particular the GDPR.
Austrian Data Protection Act (DSG) and Telecommunications Act 2021 (TKG)
2021).
This privacy policy describes what data we collect, how we process it, and what
Rights you are entitled to.
We implement technical and organizational measures (TOMs) to protect your data from loss,
To protect against misuse, unauthorized access or disclosure.
Purposes and legal bases of processing
We process personal data exclusively for the following purposes:
-
Operation, security and optimization of our website
-
Communication with guests, prospective customers and partners
-
Booking, accommodation, billing and guest management
-
Fulfillment of legal obligations, in particular in registration and tax law
-
Marketing, analysis and advertising purposes (only with consent)
-
Safeguarding legitimate interests (e.g., IT security, improving service quality)
Legal basis according to Art. 6 para. 1 GDPR:
-
lit. a – Consent
-
lit. b – Contract/ pre-contractual measures
-
lit. c – legal obligation
-
lit. f – legitimate interest
Hosting via Wix
Our website is hosted on the servers of
Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel
operated (EU branch: Wix Online Platforms Ltd., 1 Grant's Row, Dublin 2, Ireland).
Purpose: Operation, delivery and maintenance of the website.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and stable operation).
Third-country transfer: Israel has an adequate level of data protection recognized by the EU;
Further data transfers are secured by Standard Contractual Clauses (SCCs).
More information: https://www.wix.com/about/privacy
Consent management with Usercentrics
We use the tool provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.
to manage your consent to cookies and similar technologies.
Purpose: Obtaining, managing, and documenting consents.
Data: Consent status, timestamp, browser and device information, IP address (truncated), individual
Consent ID.
Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation) and Art. 6 para. 1 lit. f GDPR
(Legal interest in proof); for voluntary cookies Art. 6 para. 1 lit. a GDPR.
More information: https://usercentrics.com/privacy-policy
Security and encryption
Our website uses SSL/TLS encryption (HTTPS).
Server logs (e.g., IP address, timestamp, browser, referrer) are used for security, error analysis, and maintenance.
Legal basis: Art. 6 para. 1 lit. f GDPR. of our website.
Web analytics and tag management
a) Google Analytics 4
Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
We use Google Analytics 4 to create anonymous statistics about the use of our website.
IP addresses are anonymized (IP masking).
Legal basis: Consent (Art. 6 para. 1 lit. a GDPR).
Third-country transfer: USA (SCC).
More information: https://policies.google.com/privacy
b) Google Tag Manager
Manages and controls tracking scripts; does not process any personal data itself.
Legal basis: Art. 6 para. 1 lit. f GDPR.
c) Microsoft Clarity
Provider: Microsoft Corporation, One Microsoft Way, Redmond WA 98052, USA.
Captures pseudonymized interaction data (mouse movements, scrolling, clicks) to optimize the
User-friendliness.
Personal entries (form fields, etc.) are masked.
Legal basis: Consent (Art. 6 para. 1 lit. a GDPR).
Third country transfer: USA (SCC).
More information: https://privacy.microsoft.com/de-de/privacystatement
8. Online Marketing Tools
a) Google Ads / Conversion Tracking
Measuring and optimizing our advertising campaigns.
Legal basis: Consent (Art. 6 para. 1 lit. a GDPR).
Transmission: USA (SCC).
b) Meta pixels (Facebook / Instagram)
Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland.
Collects pseudonymous usage data for evaluation and campaign optimization.
Legal basis: Consent (Art. 6 para. 1 lit. a GDPR).
Transmission: USA (SCC).
More information: https://www.facebook.com/privacy/policy
c) TikTok pixel
Provider: TikTok Technology Ltd., 10 Earlsfort Terrace, Dublin 2, Ireland.
Used to measure the success of advertisements.
Legal basis: Consent (Art. 6 para. 1 lit. a GDPR).
Transmission: outside the EEA (SCC).
More information: https://www.tiktok.com/legal/privacy-policy
Consent forwarded.
Email marketing / newsletter (Brevo – Sendinblue GmbH)
We use Brevo GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.
for sending and evaluating newsletters and informational emails.
Data: Email, name, time of consent (double opt-in), open/click statistics (only for
Approval).
Purpose: Sending information and proof of consent.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. b GDPR (contractual).
Communication).
Security: Processing within the EU; SCC for sub-service providers in third countries.
More information: https://www.brevo.com/de/legal/privacypolicy
Fonts (Adobe Fonts / local)
We use Adobe Fonts (Typekit) for consistent presentation.
or locally stored web fonts.
Provider: Adobe Systems Software Ireland Ltd., 4–6 Riverwalk, Citywest Business Campus, Dublin 24,
Ireland.
Legal basis: Art. 6 para. 1 lit. f GDPR.
More information: https://www.adobe.com/de/privacy/policies/adobe-fonts.html
Booking and guest systems
11.1 DIRS21 and SiteMinder
Processing of online reservations (name, address, travel dates, payment information).
Purpose: To process bookings and synchronize channels (OTAs).
Legal basis: Art. 6 para. 1 lit. b GDPR.
Recipients: Our PMS software and affiliated partners.
Security: AVV, SCC for transfers to third countries.
DIRS21: https://www.dirs21.de/datenschutz
11.2 Property Management System (PMS) – Apaleo
Apaleo GmbH, Dingolfinger Straße 15, 81673 Munich, Germany.
Management of reservations, guest data, invoices, check-in/out.
Data: Master and invoice data, communication information, payment and log data.
Purpose: Handling of the accommodation contract, legal obligations.
Legal basis: Art. 6 para. 1 lit. b and c GDPR.
Security: AVV (Art. 28), SCC, GDPR and SOC 2 compliance.
More information: https://apaleo.com/privacy
11.3 Guest registration systems
Feratel Media Technologies AG, Maria-Theresien-Straße 8, 6020 Innsbruck, Austria.
Neuhold Datensysteme GmbH, Nordweg 9, 8077 Gössendorf, Austria.
Processing legally required registration data (name, date of birth, nationality, travel dates).
Purpose: To fulfill the reporting obligation in accordance with the Austrian reporting law.
Legal basis: Art. 6 para. 1 lit. c GDPR.
Recipients: Government agencies and tourism associations.
Security: AVV, server location Austria.
Recipients of data
Recipients are exclusively commissioned data processors (e.g. Wix, Usercentrics, Apaleo, Brevo)
as well as legally designated bodies (authorities).
All processors are contractually bound in accordance with Article 28 GDPR.
Storage period and deletion
Data is stored only as long as necessary for the respective purpose or as required by law.
Data is deleted or anonymized once the purpose for its collection no longer applies or the retention periods have expired.
Typical retention periods: 7 years (accounting), reporting data according to legal requirements, technical logs max. 6 years.
Months.
Rights of data subjects
You have the right to:
-
Right of access (Art. 15 GDPR)
-
Rectification (Art. 16 GDPR)
-
Erasure (Art. 17 GDPR)
-
Restriction (Art. 18 GDPR)
-
Data portability (Art. 20 GDPR)
-
Right to object to processing (Art. 21 GDPR)
-
Withdrawal of your consent with effect for the future (Art. 7 para. 3 GDPR)
To exercise your rights, please contact: privacy@shh-hotels.com
Right to complain
You have the right to lodge a complaint with the competent supervisory authority if you believe that
are that the processing of your data violates data protection regulations.
Responsible in Austria:
Austrian Data Protection Authority
Barichgasse 40 – 42
1030 Vienna
Tel.: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at
Changes to this privacy policy
We reserve the right to amend this privacy policy if there are changes in the legal situation,
This may be necessary due to technical changes or new service providers.
