Data Protection Declaration
HolidayPirates GmbH Data Protection Declaration
Data protection is a matter of trust, and your trust is very important to us – we respect your privacy. Therefore, protecting personal data and collecting, processing and using them in conformity with the law is our number one concern. We want you to feel safe with us; we strictly comply with the legal provisions for the processing of your data and would like to provide you with details concerning the data we collect and use on this page.
We take appropriate technical and organisational measures intended to prevent unlawful processing of personal data and their accidental loss, destruction or damage.
1. Responsible Body
HolidayPirates GmbH, Neue Grünstraße 18, 10179 Berlin, is the responsible body for the collection, processing and use of your personal data pursuant to the European General Data Protection Regulation (EU GDPR) and the German Federal Data Protection Act (BDSG).
Should you object to the collection, processing and use of your personal data in part or full, you can send your objection by letter or email to the following contact:
HolidayPirates GmbH
Neue Grünstraße 18
10179 Berlin
You can also find our contact details in our legal notice.
2. Processed Data
HolidayPirates GmbH must receive or collect information to operate, provide, improve, understand, customise, support, and market our services. This takes place, for example, when you install, use or access our services. The types of information we receive and collect depend on how you use our services.
2.1. User Account
If you wish to make a user account on our website, the following information is required:
Email address
Username
Password
Provided by you voluntarily:
Profile picture
Name
Date of birth
Travel destination preferences for our Travel Alerts such as departure times, destinations, travel months, budgets and travel categories.
You also have the option to link your user account with your Facebook, Google or Apple account. In this case, you share the following information with us:
Name
Email address
Profile picture
Age range
Language
Country and further data visible to the public on your Facebook profile.
Purpose: To write comments on the website and receive personalised offers
Creating a user account is completely voluntary. These data are only used to design your profile based on your consent in accordance with Art. 6 para. 1 (a) GDPR.
These data are stored until you delete your user account from our website. You can delete the account you created at any time. To do so, log into our website and click on ‘Delete user account’ under ‘Account Settings’.
2.2. Newsletter Subscription
The technical service provider Iterable Inc., 71 Stevenson Street, 3rd Floor, San Francisco, CA 94105, USA are our processors for sending newsletters.
Purpose: For advertising campaigns and sending offers from our website
Processed data:
Email address (required)
First and last name (voluntary)
Subscription date (automatically collected)
The country selected for the subscription (automatically collected)
IP address (for users subscribing through Wisepops pop up)
When you subscribe to the newsletter, your behaviour in our newsletter is recorded (tracking the opening of emails and clicks on links). As soon as you open, and/or click on a newsletter, pseudonymised data will be saved. In this case, we are using the data for the optimization of our website contents and offers. In order to be able to adapt our newsletter to your needs, we use cookies which track your links if necessary (retargeting). In this way, you will receive special offers and information that fit your actual interest. By subscribing to our newsletter, you agree to this procedure. Of course, you always have the opportunity to contradict this.
The legal basis for sending the newsletter is your consent in accordance with Art. 6 para. 1 (a) GDPR.
The processing of data by Iterable Inc. constitutes a transfer to a third country within the meaning of the GDPR. Iterable Inc. is certified under the EU-US Data Privacy Framework, meaning that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR.
You can unsubscribe from our newsletter at any time; the link to do so is at the end of every newsletter. As soon as you have unsubscribed from the newsletter, you will no longer receive any offers from us. Your personal data will not be reused and are blocked immediately. Your data will be saved for another 3 years before it will be deleted. Legal basis for saving the data is our entitled interest of proving that the delivery of emails happened with your consent in order to ward off potential claims.
2.3. RCS Messenger-Service (Rich Communication Services)
The technical service provider Vonage B.V., 23 Main Street, Holmdel, New Jersey 07733, USA, is used as a processor for sending offers.
Purpose: Direct communication and sending of offers from our website.
Processed data:
Telephone number (required)
Click behaviour (optional) – if you click on one of the offers sent, the click on the respective offer will be processed and stored anonymously
Last interaction time (optional) – we store the times when you last interacted with the channel or the last offer we sent
Your messages sent to us
By sending a start message to Urlaubspiraten, you consent in accordance with Art. 6 (1) (a) GDPR to the sender using your personal data (see above) for direct communication and the data processing required for this purpose using the selected messaging service. As soon as you open and/or click on a link, pseudonymised data is stored. This data is used exclusively to optimise our offers. Registration for the RCS Messenger service is logged. The legal basis for logging the registration is our legitimate interest in proving that the message was sent with your consent.
Your consent to this data processing can be revoked at any time by entering the word ‘Stop’ in the respective messaging app. Once you have unsubscribed from the RCS Messenger service, you will no longer receive any further offers from us. Your personal data will no longer be used and will be deleted within 30 days.
2.4. Contact using our Contact Form or Email
Processed data:
First and last name
Email address
Messages that are sent to us
Purpose: The processing of personal data serves to handle contact requests, prevent misuse of the contact form and ensure the security of our IT systems. The legal basis for the processing of the data is your consent and our legitimate interest pursuant to Art. 6 (1) lit. af) GDPR. If you actively decide to contact us, we have a legitimate interest in reading your message and responding to it if necessary. This interest outweighs your legitimate interests (especially due to your contact). If your contact is aimed at initiating a contract with us (e.g. in the form of a travel booking), the legal basis is primarily the necessity to carry out pre-contractual measures in accordance with Art. 6 (1) lit. b) GDPR.
Your messages and our replies are stored for a period of three years for the purpose of proving the provision of proper information.
2.5. Customer Service
Processed data:
Name
Messages
Phone number (if you contacted us by phone)
Purpose: The processing of personal data serves to handle contact requests, prevent misuse and ensure security. The legal basis for the processing of the data is your consent in accordance with Art. 6 (1) (a) GDPR. Insofar as the processing of the data is necessary for the conclusion or fulfilment of a contract already concluded or in the process of being concluded between you and us, Art. 6 (1) (b) GDPR serves as the permission standard for data processing.
2.6. Commentary Function on the Blog
Processed data:
Username (required)
Profile picture (if provided)
Time and date of your comment
Content of the comment
Writing comments is completely voluntary. The collection of the above-mentioned user data is intended to prevent misuse of the services. The legal basis for the data processing after a comment has been written by the user is based on our legitimate interests pursuant to Art. 6 para. 1 (f) GDPR and ensures our security as a website operator.
If you delete your account on our website, the comments will no longer be marked with usernames or profile pictures; the comments themselves shall remain.
2.7. Data processing in connection with our partners
Data collection by partners: If you booked a trip with one of our partners, TripX Travel AB (Hyllie Boulevard 34, 215 32 Malmö, Sweden), your data will be collected and transferred to this partner for the purpose of processing the booked trip. Depending on the consent you have given, partners may also collect analysis data about the progress of your booking process (completed or not completed) using tools such as Google Analytics. In its role as a tour operator, such a partner acts as an independent data controller within the meaning of the GDPR data protection law. More detailed information on the type and manner of data processing can be found in the privacy policy of the respective partner, which will be displayed to you directly by the partner during the booking process.
Sharing data with HolidayPirates: Our partners Lastminute (Bravonext S.A., Vicolo de’ Calvi 2, 6830 Chiasso, Switzerland), weg.de (COMVEL GmbH, Elsenheimerstr. 49, 80687 Munich, Germany), TripX (TripX Travel AB, Hyllie Boulevard 34, 215 32 Malmö, Sweden) and PerfectStay (PERFECTSTAY.COM SAS, 10 rue de Penthièvre, 75008 Paris, France) , weg.de, TripX and PerfectStay share certain data collected from you with us, provided that you have given your consent to these partners or that the respective partners have a different basis for processing, as evidenced by their privacy policies.
Purpose: In these cases, HolidayPirates uses the transmitted data to send you personalised travel offers in the form of email and WhatsApp newsletters (detailed information can be found in section 2.2 of this privacy policy) and for the purpose of comprehensive usage and booking analysis and improvement of its own offers.
Legal basis: In these cases, further processing by Holidaypirates is based on the consent you have given to the relevant partner in accordance with Art. 6(1)(a) GDPR. If partners use a different basis for processing and/or the processing purposes described here are not covered by your consent, we process on the basis of Art. 6(1)(f) GDPR. In these cases, our legitimate interests in analysing usage and generally optimising our offers outweigh your legitimate interests, among other things because a business relationship already exists between you and HolidayPirates and HolidayPirates has established contact between you and the respective partner.
Sharing data with partners: If you have consented to the collection of your personal data for the purpose of analysing your usage behaviour (see section 5 of this privacy policy), you also consent to HolidayPirates sharing certain data collected and processed by Google Analytics with its partners Lastminute. weg.de and TripX (the addresses of the partners can be found in the previous section ‘Sharing data with Holidaypirates’).
The transfer of personal data to our partner Lastminute constitutes a transfer to Switzerland, i.e. a third country within the meaning of the GDPR. There is an effective adequacy decision between the EU and Switzerland within the meaning of Art. 45(1) sentence 1 GDPR, so that the transfer is legitimate in this respect.
Purpose: In these cases, the relevant partners use the data for the purpose of complete booking analysis and improvement of their own offerings.
2.8. Content Delivery Network (Cloudflare)
To provide our website, we use a content delivery network (CDN) to deliver large media files such as graphics or programme scripts more quickly and securely using regionally distributed servers connected via the internet. The legal basis for this is our legitimate interests pursuant to Art. 6(1)(f) GDPR, which outweigh your legitimate interests due to the importance of the processing for the stable provision of our website. For this purpose, we use the service provider Cloudflare Inc. as a processor pursuant to Art. 28 GDPR.
Processed data:
Browser type and browser version
Operating system used
Referrer URL (previously visited website)
Host name of the accessing computer
Date and time of the server request, IP address
Address: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.
The processing of data by Cloudflare constitutes a transfer to a third country within the meaning of the GDPR. Cloudflare is certified under the EU-US Data Privacy Framework, meaning that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR.
2.9. Storage of image files
We use the service provider Cloudinary Inc. as a processor in accordance with Art. 28 GDPR to store profile pictures for users who have created an account on our website. These images are stored on the basis of your consent given when you created your account and uploaded your image in accordance with Art. 6 (1) (a) GDPR.
Processed data:
Photographs that may allow conclusions to be drawn about your identity.
Address: Cloudinary Inc., Suite 220, 6201 America Centre Dr, San Jose, CA 95002, USA.
The processing of data by Cloudinary constitutes a transfer to a third country within the meaning of the GDPR. Cloudinary is certified under the EU-US Data Privacy Framework, so that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45 (1) sentence 1 GDPR.
2.10. Competitions
Gleam: When conducting competitions, we collect the personal data you enter to participate in a competition for the purpose of secure execution (including customer support) and subsequent analysis. For this purpose, we use the widget of the service provider Crowd9 PTY LTD. (‘Gleam’), which is our processor in accordance with Art. 28 GDPR. The legal basis for the collection and processing of this personal data is your consent in accordance with Art. 6(1)(a) GDPR.
Processed data: name, email address, IP address (including geodata collected from it), browser type and browser version, date of birth, consent status, profile data of specified social networks (URL, username, photo), transmitted campaign data (photo, video and audio recordings, if applicable)
Address: Crowd9 PTY LTD, 16 Jacaranda Crescent, Mornington, VIC 3931, Australia
The processing of data by Gleam constitutes a transfer to a third country within the meaning of the GDPR. As part of our DPA with Gleam, we have concluded the EU Commission's Standard Contractual Clauses (SCCs) with Gleam. The transfer is therefore legitimised under Art. 46(2)(c) GDPR.
JotForm: We also use the widget provided by the service provider JotForm Inc, which acts as a processor for us in accordance with Art. 28 GDPR, to conduct competitions. The legal basis for the collection and processing of this personal data is your consent in accordance with Art. 6 (1) (a) GDPR.
Processed data: Data entered into the widget to participate in the competition, e.g. name, email address, date of birth and profile data of specified social networks (URL, username, photo).
Address: JotForm Inc., 4 Embarcadero Ctr Suite 780, San Francisco, CA 94111, USA
The processing of data by JotForm constitutes a transfer to a third country within the meaning of the GDPR. JotForm is certified under the EU-US Data Privacy Framework, so that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45 (1) sentence 1 GDPR.
RTL: To send prizes after you've taken part in competitions we run, we use RTL interactive GmbH as a service provider, which acts as a processor for us in line with Article 28 of the GDPR. The legal basis for the collection and processing of this personal data is Art. 6 (1) (b) GDPR, as we are acting to fulfil our obligation arising from a contractual relationship in connection with the competition.
Processed data: Name, postal address, telephone number, email address.
Address: RTL interactive GmbH, Picassoplatz 1, 50679 Cologne
The data will be deleted no later than four weeks after the end of the prize processing.
2.11. Data centres used
We use servers provided by the service provider Hetzner Online GmbH, which acts as a processor for us in accordance with Art. 28 GDPR, to host our website and store the personal data of our website visitors and customers.
Address: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen
The legal basis for the storage of personal data depends on the specific processing activity (as described in this privacy policy) for which the data was collected.
2.12. Customer reviews
If you write a customer review about our services in response to our invitation, we will process your personal data in this context. For this purpose, we use TrustPilot as a processor in accordance with Art. 28 GDPR.
Processed data:
Name
Email address
Individual reference number (e.g. booking number)
Personal data that you disclose in the content of your review.
Address: Trustpilot A/S, Pilestræde 58 5, 1112 Copenhagen, Denmark
The legal basis for the storage, publication and analysis of your customer review is the consent you have given in accordance with Art. 6 (1) (a) GDPR.
2.13. Referral programmes
If you participate in referral programmes that we offer from time to time, we process personal data in this context. For this purpose, we use Viral Loops Technologies Inc. as our processor in accordance with Art. 28 GDPR.
Processed data:
Email addresses
Address: Viral Loops Technologies Inc., 422 Richards St., Suite 170, Vancouver, BC V6B 2Z4, Canada
The legal basis for data processing in this context is your consent given when participating in the referral programme in accordance with Art. 6(1)(a) GDPR.
2.14. Data orchestration
In order to simplify and automate the internal processing of data collected from our customers and website visitors, we use the service provider Y42-Intelligence as a processor in accordance with Art. 28 GDPR.
Processed data:
Name
Email address
Postal address
Customer history
Customer correspondence and other interactions.
Address: Y42-Intelligence GmbH, Charlottenstr. 4, 10969 Berlin, Germany
The legal basis for the storage of personal data depends on the specific processing activity (as described in this privacy policy) for which the data was collected.
4. HolidayPirates App
4.1. Notifications
We use so-called App notifications for the provision of the App and services.The legal basis for sending app notifications is your consent pursuant to Art. 6 para. 1 lit. a) GDPR. Consent can be revoked at any time in the device settings.
The technical service provider Braze is our processor for sending push notifications.
Address : Braze Inc., 318 West 39th Street, New York, NY 10018
Purpose: Advertising campaigns, sending offers from our website; onboarding tour and helpful tips for those who use our website to improve their user experience.
Processed data:
Analysis of user behaviour in the App to receive personalised offers.
If you are a registered user, information about your profile is shared (email, username, profile picture and notification settings).
Braze also only stores basic non-identifiable information from the device (country, language, time zone, operating system, App version and device ID).
We also store and process information about the offers you have placed on the favourites list.
In cases where the user is logged in – we can identify them as the same user (on the web and in the App) and correlate data across platforms to send more targeted messages.
Braze is only used if you gave your consent when you opened the app for the first time, according to Art. 6 para. 1 (a) GDPR. Your consent can be revoked at any time in the app settings.
The processing of data by Braze constitutes a transfer to a third country within the meaning of the GDPR. Braze is certified under the EU-US Data Privacy Framework, meaning that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR.
These data are stored until you unsubscribe from App notifications which you can do at any time in the App settings. As soon as you have unsubscribed, you shall no longer receive any offers from us, and your personal data will no longer be used and are deleted immediately.
4.2. Analytical & Performance Cookies
We collect user data to improve the performance of the app and perform business-related analytics. Analytical cookies are used to understand how customers use the app, to improve the website, apps and communications. We use information about previous actions and interactions to display personalised content and relevant advertising on third-party websites and apps. This data also helps to measure the effectiveness of ads and to facilitate the billing of advertising. Recent searches are stored to facilitate the use of the apps. The legal basis for the processing of the data is your consent pursuant to Art. 6 (1) a) GDPR. Your consent can be revoked at any time in the app settings.
a. Firebase, FirebaseAuth, Firebase Crashlytics and Google Analytics SDK
These services collect analytics data to track and monitor user behaviour during sessions.
Address : 188 King St., San Francisco, CA 94107, USA
Purpose of processing: Analyse user behaviour in the App to:
Develop new products and services
Optimise existing products or services
Find and fix error messages on the blog
Measure and plan marketing campaigns
Firebase is a sub-service of Google Analytics. When Firebase is used in the app, the data is forwarded to Google Analytics via Google Tag Manager. This enables us to offer login options and store individual users' login information in Firebase. Error messages and crash reports are also collected in the app. The data is then also read by Adjust. You can find more information on the operating principle in the section entitled ‘Adjust’.
Firebase is only used if you gave your consent when you opened the app for the first time, according to Art. 6 para. 1(a) GDPR. Your consent can be revoked at any time in the app settings.
Personal data relating to the user are deleted after 38 months.
b. Braze Analytics SDK and Braze SDK
Braze is a mobile engagement and messaging system. It collects analytics data to track and monitor user session behaviour in our mobile app to enable the targeting and delivery of push notifications and in-app messages.
For more information, see the ‘Notifications’ section above.
c. Adjust SDK
Address: Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany
Purpose of processing: Support in identifying behaviour in the mobile application in order to prepare decisions on targeted marketing; support in the efficient handling and optimisation of mobile campaigns for social networks and elsewhere on the Internet.
Processed data:
Cookie ID, ad ID and device ID used by a specific person, events in the mobile app relating to the use of the mobile app by a specific user (in particular login, successful completion of the transaction, country, language, local settings, app version), but no payment or financial data, content of the advertising to be delivered to a specific user and the advertising group to which this person belongs.
HTTP headers, IP address, MAC address (Media Access Control address is the hardware address of each individual network adapter, which serves as a unique identifier for the device in a computer network), information about the user's devices and web activities.
If you are registered as a user, your profile information will be shared (email, username, profile picture and notification settings).
d. UXCam
As part of the HolidayPirates app, we use the UXCam service as a processor in accordance with Art. 28 GDPR to analyse the specific use of our app.
Purpose of processing: The continuous improvement of the user-friendliness of the design and functionalities of our app.
Processed data:
Session recordings
Interaction data
Usage processes.
The legal basis for the associated data processing is your express consent in accordance with Art. 6(1)(a) GDPR.
Address: UXCam Inc., 505 Montgomery Street, 10th & 11th floor, San Francisco, CA 94111, USA
The processing of data by UXCam constitutes a transfer to a third country within the meaning of the GDPR. As part of our DPA with UXCam, we have concluded the EU Commission's Standard Contractual Clauses (SCCs). The transfer is therefore legitimised under Art. 46(2)(c) GDPR.
4.3. Single Sign On Cookies
The data collected by these services is used to enable users to log into their Urlaubspiraten account with existing accounts at other providers via ‘single sign-on’. The associated data processing is justified in accordance with Art. 6(1)(fa) GDPR by consent given when using the app.
a. Facebook Login SDK
This integration allows you to log in to your account using your Facebook account details.
b. Google SignIn SDK
This integration allows you to log in to your account using your Google account details.
c. Apple SSO SDK
This integration allows you to log in to your Urlaubspiraten account using your Google account details.
5. Analysis of User Behaviour on our Website
5.1. HolidayPirates Website Tracking (Google Tag Manager)
HolidayPirates Website Tracking is our name for Google Tag Manager, a web analysis service from Google Ireland Ltd.
The Google Tag Manager itself does not collect any personal data but rather facilitates the integration and management of our tags. Tags are small pieces of code that can be used, among other things, to measure traffic and visitor behaviour, track the impact of online advertising and social channels, set up remarketing and audience targeting, and test and optimise websites. Google Tag Manager does not access this data.
Unless you have activated the option at the bottom of the website under ‘Service Control’ or in our cookie banner, all tracking tags implemented with Google Tag Manager will be deactivated, with a few exceptions as listed below.
The following tracking services are integrated into Google Tag Manager:
Google Analytics
Google Analytics
Unless you have rejected ‘HolidayPirates Website Tracking’ at the bottom of the website in Service Control or activated it in our cookie banner by giving your consent, our website uses Google Analytics, a web analytics service provided by Google Ireland Ltd.
Address : Google Ireland Limited, Gordon House, Barrow Street, Dublin 4
Purpose: Analysing user behaviour on the website to:
Develop new products and services
Optimise existing products or services
Find and fix error messages on the blog
Measure and plan marketing campaigns
Processed data: Pseudonymised ID
Google Analytics uses ‘cookies’ – text files that are stored on your device and allow an analysis of the use of the website. The information collected by the cookies is generally sent to a Google server in the USA and stored there.
We have activated IP anonymisation. Your IP address will be shortened within the member states of the EU and the European Economic Area and in the other contracting states of the agreement. The IP address is only initially transferred unabridged to the United States to a Google server and shortened there in individual cases. Through this shortening, the personal reference to your IP address is omitted. The user’s IP address transmitted by the browser is not merged with other data stored by Google.
The information collected by Google on our behalf, as part of the contract processing agreement, is used to evaluate the use of the website by individual users, for example, to generate activity reports on the website in order to improve our website. This also makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyse a user’s activities across devices.
Personal data relating to the user are either deleted or anonymised after 38 months. You also have the option to deactivate the use of Google Analytics in our tool on the website; simply reject HolidayPirates Website Tracking in the Manage Services section.
Data processing is justified by your consent pursuant to Art. 6(1)(a) GDPR.
If you have refused or not yet given your consent via the cookie banner or service control, only anonymised, so-called ‘ping’ data will be collected.
Within Google Analytics we enable Google Signals function which, if you are signed in to your Google account, allows for collecting demographic data (your age, gender, travel interest and purchasing activities) for the purposes of re-marketing and personalizing our offers. You can object to data collection at any time.
Varify
If you have not rejected ‘HolidayPirates Website Tracking’ on the website at the bottom of the service control or in our cookie banner, Varify.io, an A/B testing tool from Varify GmbH, will be used on our website.
Address: Varify GmbH, Hohenzollernstraße 56, 75177 Pforzheim, Germany
Purpose: A/B testing and personalisation to optimise the user experience on our website.
Processed data:
IP address (anonymised)
Browser information (e.g. browser type, version)
Operating system
Screen resolution
Visitor interactions (e.g. clicks, time spent on certain pages)
Pseudonymised user ID
Functionality: Varify.io enables us to test different versions of our website in order to improve the user experience. Visitors are divided into different groups and receive customised content in order to analyse which version works better.
Legal basis: Varify.io is only used with your express consent in accordance with Art. 6 (1) (a) GDPR. You can revoke this consent at any time in the ‘Service Control’ section of our website.
Further information can be found in the Varify.io privacy policy.
5.2. Demographics:
Address : Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose:
Breaking down website visitors by age, gender and interests.
Better targeting of advertisements according to the target audience based on age, gender and dimensions of interests.
Processed data: Pseudonymised ID
Google Optimize is only used if you have provided your consent pursuant to Art. 6 para. 1 (a) GDPR in the Manage Services section on our website.
Personal data relating to the user are either deleted or anonymised after 38 months.
5.3. ABlyft:
Unless you have rejected ‘ABlyft’ in our service control or in our cookie banner by giving your consent, ABlyft, a website optimisation tool, is used on our website.
Address: Conversion Expert GmbH, Zeppelinring 52c, 24146 Kiel, Germany
Purpose:
Statistical evaluation of changes and new functionalities on the website, analysis of the use of different variants of our website
In order to improve the user experience and content of the website based on user behaviour, variations are played out for a percentage of users
Processed data: Pseudonymised ID
ABlyft is only used if you have given your consent in accordance with Art. 6 (1) (a) GDPR on our website in the service control.
You have the option to refuse the use of ABlyft in our tool at any time on the website, even retrospectively, by simply clicking on the ‘Service Control’ button below and refusing the service there.
Users' personal data is deleted or anonymised after 90 days.
5.4. Meta Pixel
Unless you have activated ‘Meta Pixel’ in the service control or our cookie banner by giving your consent, Facebook Pixel is used on our website. Since Facebook and Instagram belong together, the data is processed simultaneously by Instagram.
Address: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland
Address : Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA
Purpose:
Analysis of user behaviour to better understand the user and thus offer better content.
Use of Custom Audiences for advertising campaigns and personalised advertisements.
Processed data:
HTTP-Headers – everything that is present in HTTP-Headers (HTTP-Headers are standard web logs sent between every browser request and server on the Internet. HTTP headers include IP addresses, information about the web browser, page location, document, referrer and person using the site).
Pixel-specific data – this includes the pixel ID and the Facebook cookie (using Facebook Pixel, Facebook can identify you as a visitor to our website as a target group for displaying ads. Facebook Pixel allows us to check whether a user has been redirected to our website after clicking on our Facebook ads. Accordingly, we use Facebook Pixel to display Facebook ads placed by us only to Facebook users who have shown an interest in our online offers. The Facebook cookie provides information about your activities outside of Facebook – including information about your device, websites visited, purchases made, ads you have viewed, and the way in which you use Facebook services – regardless of whether you have a Facebook account or are signed in to Facebook).
Button Click Data – these include all buttons clicked by website visitors, the labels of those buttons and all pages that were called up as a result of the buttons (tracking user behaviour).
This data processing is justified by your explicit consent in accordance with Art. 6(1)(a) GDPR.
Personal data relating to the user are either deleted or anonymised after 180 days.
You also have the option to refuse the use of Facebook Pixel in our tool on the website at any time, even retrospectively, by simply clicking on the ‘Service Control’ button below and refusing the service there.
The processing of data by Instagram constitutes a transfer to a third country within the meaning of the GDPR. Meta Platforms Inc., as the parent company of Instagram, is certified under the EU-US Data Privacy Framework, so that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45 (1) sentence 1 GDPR.
5.5. Google Ads
Unless you have deactivated Google Ads in the service control or rejected our cookie banner, Google Ads tags are used on our website.
Address: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose:
Analysis of user behavior to better understand the user and thus offer better content.Use of Custom Audiences for advertising campaigns and personalized advertisements.
Processed data:
HTTP-Headers – everything that is present in HTTP-Headers (HTTP-Headers are standard web logs sent between every browser request and server on the Internet. HTTP headers include IP addresses, information about the web browser, page location, document, referrer and person using the site).
Tag-specific data – this includes the tag ID and the Google cookie (using Google Ads Tags, Google can identify you as a visitor to our website as a target group for displaying ads. Google Ads Tags allow us to check whether a user has been redirected to our website after clicking on our Google ads. Accordingly, we use Google Ads Tags to display Google ads placed by us only to users who have shown an interest in our online offers.
Button Click Data – these include all buttons clicked by website visitors, the labels of those buttons and all pages that were called up as a result of the buttons (tracking user behavior).
This data processing is justified by your explicit consent in accordance with Art. 6(1)(a) GDPR.
Personal data relating to the user are either deleted or anonymised after 180 days. You have the option to deactivate the use of Google Ads Tags in our tool on the website; simply reject the service after clicking on the Manage Services button below.
The following tracking services are integrated into Google Ads:
Google Analytics 4
It means that Google Analytics audience lists will be published to the linked Google Ads accounts. Read more above under 5.1. Google Analytics.
Even if you do not give your consent, individual anonymised ‘ping’ data will be collected as part of Google Analytics 4. See the description in the ‘Google Analytics’ section for more information.
5.6. Pinterest
Address : Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland
Purpose:
Providing the ‘Note’ buttons on the website and images to ensure the use of Pinterest for users and to enable the saving of images.
Analysis of the user behaviour of Pinterest users on our website in order to understand interests and to improve and expand our products.
By using Pinterest features on our website, data are automatically forwarded to Pinterest so that they have a better understanding of your interests to ensure better advertising.
Processed data:
Information outlining how often the button was clicked by users on our website and the URL of the landing page.
Log data, such as IP address, landing page URL with Pinterest functions, and the activities performed on it (such as the ‘Note’ button), search history, browser type and settings, the date and time of your request, how you use Pinterest (tracking of user behaviour) and cookie and device data (including device type, operating system, settings, unique device identifiers as well as crash data, which are useful when correcting errors) are automatically shared with Pinterest.
Cookie data for recording log data (if you use Pinterest, some information (log data, see above) is automatically stored, such as information that your browser automatically transmits when you visit a website, or information that your mobile App automatically sends when you use it. Cookies are also used to record log data, e.g. to save your language settings or other settings, so you do not have to set them every time you log in to Pinterest. Some cookies are associated with your Pinterest account (including your personal information such as the email address you provided), other cookies are not).
Device type
Pinterest is only used if you have provided your consent pursuant to Art. 6 para. 1 (a) GDPR in Manage Services on our website.
Personal data relating to the user are deleted after 30 days.
5.7. X (X Social Plugins)
Address : X Corp., 865 FM 1209, Building 2, Bastrop, TX 78602, USA
Purpose: The user has the option to share our offers directly to X. The data are used to improve X products and services and to deliver relevant advertising, including personalised suggestions and personalised ads.
Processed data: X may receive information such as the web pages you visit, your IP address, browser type, operating system and cookie information.
X is only used if you have given your consent in accordance with Art. 6 (1) (a) GDPR on our website in the service control or our cookie banner.
Users' personal data will be deleted or anonymised after 18 months.
The processing of data by X constitutes a transfer to a third country within the meaning of the GDPR. X is certified under the EU-US Data Privacy Framework, so that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR.
5.8. Facebook Social Plugins (Facebook, Instagram)
Address: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland
Purpose: The data are used to improve Facebook products and services and to deliver relevant advertising.
Processed data: Facebook user ID, page URL, date and time and other browser information
Facebook social plugins are only used if you have given your consent in accordance with Art. 6 (1) (a) GDPR on our website in the service control or our cookie banner.
The data are saved until they are no longer needed to provide Facebook services and products, or until the account is deleted, depending on which occurs first. The search history is deleted after 6 months.
5.9 HolidayPirates Newsletter (Iterable)
Address: Iterable Inc., 71 Stevenson Street, 3rd Floor, San Francisco, CA 94105, USA
Purpose: For advertising campaigns and sending offers from our website.
Processed data:
Collection of user behaviour via a pseudonymised cookie ID, tracking behaviour on our website and sending these data to our newsletter data bank.
Tracking of user behaviour in our newsletter (opening of emails and clicks on links).
Iterable tracking is only used if you are subscribed to the newsletter and have provided your consent pursuant to Art. 6 para. 1 (a) GDPR in Manage Services on our website. Personal data relating to the user are deleted or anonymised within 30 days after the user has unsubscribed from our Newsletter.
The processing of data by Iterable constitutes a transfer to a third country within the meaning of the GDPR. Iterable is certified under the EU-US Data Privacy Framework, meaning that the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR.
5.10. HelpHero
Address : Help Hero Co., Suite 9429, 17B Farnham Street Parnell, Auckland 1052, New Zealand
Purpose: Introductory tour and helpful tips for users of our website to provide them with a better user experience.
Processed data: Pseudonymised ID
HelpHero is only used if you have provided your consent pursuant to Art. 6 para. 1 (a) GDPR in Manage Services on our website.
Personal data relating to the user are either deleted or anonymised after 30 days.
The processing of data by HelpHero constitutes a transfer to a third country within the meaning of the GDPR. An effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR exists between New Zealand and the EU, so that the transfer is legitimate.
5.11. SurveyMonkey
Address : SurveyMonkey Inc., San Mateo, One Curiosity Way, California 94403
Purpose:
To implement online surveys and to better understand the user.
To reward users who wish to take part with a prize.
Processed data:
Email address (optional)
Demographic data (including age, gender, status; mandatory)
Psychographic data (including interests; mandatory)
Answers to questions based on opinions, tendencies and experiences depending on the survey (mandatory)
SurveyMonkey is only used if you expressly consent to this when participating in a survey, in accordance with Art. 6 (1) (a) GDPR.
Users' personal data will be deleted or anonymised after 90 days.
The processing of data by SurveyMonkey constitutes a transfer to a third country within the meaning of the GDPR. SurveyMonkey is certified under the EU-US Data Privacy Framework, so the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR.
5.12. HotJar
Address : Hotjar Ltd, Level 2, St. Julians Business Centre, 3 Elia Zammit Street, St. Julians STJ 1000, Malta
Purpose: Collection of data and analysis of user behaviour on our website to provide users with better content and simplified operations.
Processed data:
Browser type
Operating system
Device type,
URL(s) visited and duration of the visit
Hotjar is only used if you have provided your consent pursuant to Art. 6 para. 1 (a) GDPR in Manage Services on our website.
5.13.GetYourGuide Activity Widget
The GetYourGuide Activity Widget is only used if you have given your consent in accordance with Art. 6 (1) (a) GDPR in the cookie banner on our website. In this case, your personal data will be collected by our partner GetYourGuide.
Address: GetYourGuide Deutschland GmbH, Sonnenburger Straße 71-75, 10437 Berlin
Purpose and type of data collected: When you interact with the GetYourGuide widget, GetYourGuide may collect information about you, including personal data such as IP addresses, browsing activities or other identifiers, in order to provide you with GetYourGuide services and monitor the effectiveness of GetYourGuide marketing campaigns. GetYourGuide is solely responsible for the processing of this data.
For more information, please refer to GetYourGuide's privacy policy: https://www.getyourguide.de/c/privacy-policy
5.14. Playable ApS
Address:
Playable ApS, Tueager 1, Aarhus N, Jylland 8200, Denmark
GDPR Compliance: https://playable.com/privacy-policy-for-playable-aps/
Purpose: Playable is used to facilitate gamified marketing campaigns aimed at expanding our subscriber base.
Processed Data: Playable collects and processes personal data only as necessary to track participation, manage participant rewards, and measure campaign effectiveness, including:
First name
Email address
Game statistics
IP address
Playable ApS acts as our processor pursuant to Art. 28 GDPR.
The data will only be transferred to Playable ApS if you have given your consent in accordance with Art. 6 para. 1 lit. a) GDPR as part of your participation in a marketing campaign.
5.15. Wisepops
Adress: 87 boulevard Suchet 75016 Paris, France
Purpose: Wisepops offers a pop-up window to register for our channels (app, newsletter, WhatsApp) or to advertise special offers
Processed Data: For internal targeting purposes, we collect certain details about your browsing history on websites where Wisepops has been implemented. The details include:
Your last visit to the website
IP Address
The campaigns you have interacted with
Any additional information attached to your visit by our customer (e.g., your last purchase date)
Any additional information you share via the pop-up, e.g. your email address, name
The data shall only be transmitted to WisePops if you gave your consent pursuant to Art. 6 para. 1 (a) GDPR.
5.16. Taboola
Address: Headquarters, 16 Madison Square West, 7th fl., New York, NY, 10010
Purpose:
Taboola uses cookies to determine which content you use and which of our websites you visit. The cookie enables us to create pseudonymised user profiles by collecting device-related data and log data and to recommend content that matches your personal interests. This allows us to customise our offer for you. These user profiles do not allow any conclusions to be drawn about your identity.
Processed data includes, but is not limited to:
device and operating system,
IP address,
search history and user behavior
event information (e.g., system crashes)
general location information (e.g., city and state),
hashed email addresses (when made available by the User), and gender (when made available by the User).
in-app User behaviors (e.g. online status, browsing activity, and clicks) and implicit non-precise device location inferred from search queries (when enabled by the User) and SIM cards or IP addresses.
All this data collected by Taboola is pseudonymized, which means they do not know who you are because we nor Taboola don’t process your name, email address, or other identifiable data.
Taboola Pixel is only used if you have provided your consent pursuant to Art. 6 para. 1 (a) GDPR on our Cookie Banner. Further information about Taboola and the option to deactivate the Taboola cookie can be found here: https://www.taboola.com/privacy-policy.
You have the option to deactivate the use of the Taboola pixel in our tool at any time on the website; simply decline the service by clicking on the Manage Services button below or on our cookie banner.
The processing of data by Taboola constitutes a transfer to a third country within the meaning of the GDPR. As part of our DPA with Taboola, we have concluded the EU Commission's Standard Contractual Clauses (SCCs) with Taboola. The transfer is therefore legitimised under Art. 46(2)(c) GDPR.
5.17. TikTok Pixel
Address: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.
Purpose:
Storing or accessing information on an end device
Creation and use of profiles for personalised content and advertising
Measurement of advertising and content performance
Analysing target groups using statistics or combinations of data from different sources
Development and improvement of offers
Processed data:
IP Address
Device model, operating system and browser information.
Cookies, search history and user behavior
TikTok Pixel is only used if you have provided your consent pursuant to Art. 6 para. 1 (a) GDPR on our Cookie Banner. Further information can be found here: https://www.tiktok.com/legal/page/eea/privacy-policy/en
You have the option to disable the use of TikTok Pixel in our tool on the website; simply decline the service by clicking on the Manage Services button below or our cookie banner.
5.18. AdUp
The tracking of Ad Up, a technology and service provider of Axel Springer Teaser Ad GmbH (Axel-Springer-Strasse 65, 10969 Berlin), is integrated on our websites. By collecting anonymised and/or pseudonymous data, Ad Up will then be able to display interest-orientated advertisements for a specific time on websites. Ad Up uses cookies to provide advertisers with conversion tracking that determines the effectiveness of their ads and keywords. You can find more information on the data protection policy of Axel Springer Teaser Ad GmbH here: https://www.adup-tech.com/rechtliches/datenschutz/
Ad Up is only used if you have provided your consent pursuant to Art. 6 para. 1 (a) GDPR on our Cookie Banner.
Personal data relating to the user are either deleted or anonymised after 12 months.
Purpose:
Data collection from users on our website to display more targeted advertising (Retargeting)
Better understanding of reactions to ads allows us to offer more relevant advertising and not bother users with the same ads continuously
Analysing target groups using statistics or combinations of data from different sources
Processed data:
Information about the accessing end device and the software used
Date and time of access
Websites from which you access our website or which you access via our website
IP address - The processing of the IP address is absolutely necessary to enable the delivery of AdUp website to your end device and to measure the efficiency and performance of our website. Usage profiles are not created.
You also have the option of deactivating the use of the Adup Pixel in our tool on the website at any time; simply decline the service after clicking on the Manage Services button below or our cookie banner.
5.19. Outbrain
Address: Outbrain, The Place, 175 High Holborn, London WC1V 7AA, Uk
Purpose:
Data collection from users on our website to display more targeted advertising (Retargeting)
Creation of profiles for the personalisation of content
Better understanding of reactions to ads allows us to offer more relevant advertising and not bother users with the same ads continuously
Analysing target groups using statistics or combinations of data from different sources
To do or collect analyses about those users who interact with Outbrain's technology on Outbrain's partners' websites. If you do not want to see interest-based advertising, you can disable this feature here: (https://my.outbrain.com/recommendations-settings/home).
Processed data:
Outbrain UUID (unique user ID)
Visited sites, reference source, time stamp, page visits
Browser, device and operating system information. An estimate of the geographic location associated with the IP address and other information normally transmitted in HTTP requests.
IP address or other unique identifier for any computer, mobile device, or other technology used to access the site.
The recommendations integrated by Outbrain are determined on the basis of your previously read content. The content is technically controlled and delivered automatically by Outbrain. The content is displayed on a pseudonymous basis. To provide personalised recommendations, Outbrain collects certain information, such as the unique user ID (UUID) that it assigns to users when they see it on Outbrain's publisher website. Outbrain Pixel on our site only recognises the UUID and reports it to us. To select suitable content, the cookie uses information about the device source, the browser type and your IP address, which is completely anonymised by removing the last octet.
Further information on Outbrain's data protection can be found here: https://www.outbrain.com/legal/privacy#privacy-policy.
The Outbrain pixel is only used if you have given your consent in accordance with Art. 6 para. 1 (a) GDPR in the service control on our website. You can refuse tracking at any time, even retrospectively.
The processing of data by Outbrain constitutes a transfer to a third country within the meaning of the GDPR. There is an effective adequacy decision between the EU and the United Kingdom within the meaning of Art. 45 (1) sentence 1 GDPR, so that the transfer is legitimate.
5.20. AWS Personalize
To provide a more personalised experience, our website and applications uses AWS Personalize, a service provided by Amazon Web Services, Inc. ("AWS"). This service helps us deliver content and recommendations tailored to your interests based on your interactions with our website, mobile website and applications (iOS / Android).
Address: Amazon Web Services, Inc. 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A.
Processed Data:
Analysis of user behaviour in the App to receive personalized offers
User Unique ID
AWS Personalise is only used if you have given your consent in accordance with Art. 6 (1) (a) GDPR in the ‘Manage Services’ area or on our cookie banner on our website or in the applications.
You can deactivate the use of AWS Personalise at any time; simply decline the service by clicking on the ‘Service Control’ button below or on our cookie banner and declining it there.
The processing of data by AWS constitutes a transfer to a third country within the meaning of the GDPR. AWS is certified under the EU-US Data Privacy Framework, so the transfer is legitimised by an effective adequacy decision within the meaning of Art. 45(1) sentence 1 GDPR.
5.21. Adverity
To analyse marketing campaigns, we use Adverity Datatap and Adverity Insights from Advereity GmbH, which acts as our processor in accordance with Art. 28 GDPR.
Address: Adverity GmbH, Museumstraße 3/A2, 1070 Vienna, Austria
Processed data: Reporting data from marketing campaigns carried out
Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR in connection with specific marketing measures.
5.22. INFOnline
We use the service provider INFOnline GmbH as a processor in accordance with Art. 28 GDPR to measure the reach and other usage of our website and app.
Address: INFOnline GmbH, Brühler Str. 9, 53119 Bonn, Germany
Processed data: IP address, browser fingerprint, installation ID, advertising ID, Android ID, cookie ID, vendor ID.
The legal basis for carrying out this processing is the consent you have given in accordance with Art. 6 (1) (a) GDPR.
5.23. remerge
For the retargeting of advertisements, we use the service provider remerge GmbH, which acts as a processor for us in accordance with Art. 28 GDPR.
Address: remerge GmbH, Oranienburger Str. 27, 10117 Berlin, Germany.
Processed data: Advertising identifiers (e.g. IDFA, AAID), usage data relating to the HolidayPirates app.
The legal basis for carrying out this processing is the consent you have given in accordance with Art. 6(1)(a) GDPR.
5.24. smartlook
We use the service provider Smartlook.com, s.r.o., which acts as a processor for us in accordance with Art. 28 GDPR, for the qualitative and quantitative analysis of user interaction with our website and the HolidayPirates app.
Address: Smartlook.com, s.r.o., Šumavská 524/31, Veveří, 602 00 Brno, Czechia.
Processed data: Visited web page and referral URL; time and date of website visit; mouse movements and clicks; information about operating system, browser, device and technical details such as screen resolution, location data, IP address, email address, name.
The legal basis for carrying out this processing is the consent you have given in accordance with Art. 6 (1) (a) GDPR.
6. Application as a Tester for HolidayPirates GmbH
If you apply as a Tester for HolidayPirates, the following data are collecting in accordance with Art. 6 para. 1 (a) GDPR:
Email address and name (required)
Browser type, operating system, device type, web URL(s) visited and duration of the visit
Demographic data (including age, gender, status, marital status; mandatory)
Psychographic data (including interests; mandatory)
Answers to questions based on opinions, tendencies and experiences depending on the survey (mandatory)
Purpose:
To implement surveys and to better understand the user.
To reward users who wish to participate with a prize.
After completion of the survey, these data will be blocked from further use and deleted after 12 months.
7. Applying to HolidayPirates GmbH
If you apply for a job position at HolidayPirates, the following personal data are collected for the purpose of the evaluation process in accordance with Section 26 BDSG. The data you provide in your application are exclusively used for filling the advertised position and the review and processing. After completion of the application process, these data will be blocked for further use and deleted after 6 months, unless you consent to any further or other processing.
Personio
To process your data we cooperate with the service provider Personio GmbH. The service provider Personio GmbH is used as our order processor pursuant to Art. 28 GDPR. Personio is used for the implementation of a fast and effective application process. The legal grounds for this are in particular Art. 6 para. 1 (b) GDPR and Section 26 BDSG.
Address : Personio GmbH, Buttermelcherstr. 16, 80469 Munich Germany
Purpose: Storage and processing of applicant data for the purpose of the application.
Processed data: Contact data, master data, data related to the position (e.g. from the CV)
We would like to inform you that some data on the Personio recruiting page are collected for its own purposes as the responsible body:
1.) Server Logs
When accessing the recruiting site, general log data – so-called sever logs – are automatically collected. These data are generally pseudonymous and therefore cannot be associated with any natural person. Without these data, it would not be completely possible to deliver and present the contents of the software for technical reasons. In addition, the processing of these data is absolutely necessary for security reasons, in particular to control access, input, transfer and storage. In addition, the anonymous information can be used for statistical purposes as well as for optimising the offer and technology. In addition, the log files can be subsequently checked and evaluated if there is a suspicion of illegal use of the software. The legal grounds for this can be found in Section 25(2)(2) TDDDG and Art. 6 para. 1 (f) GDPR. The data collected are general, such as the domain name of the website, the web browser and web browser version, the operating system, the IP address and the time stamp of the access to the software. The scope of this logging does not go beyond the usual scope of any other website on the Internet. The storage of this access log may be up to 7 days. There is no right of objection.
2.) Error Logs
For the purpose of error identification and correction, so-called error logs are created. This is absolutely necessary in order to be able to react as quickly as possible to potential problems in the presentation and implementation of content (legitimate interest). These data are generally pseudonymous and therefore cannot be associated with any natural person. The legal grounds for this are grounded in Section 25(2)(2) TDDDG and Art. 6 para. 1 (f) GDPR. When an error report appears, general data such as the domain name of the website, the web browser and web browser version, the operating system, the IP address and the time stamp for when the corresponding error message/specification occurred are collected. The storage of the error log may be up to 7 days. There is no right of objection.
3.) Cookies
On the recruiting site, it is generally only absolutely necessary, functional and performance cookies that are used. These are particularly used to implement certain default settings such as language, to identify the application channel, or to analyse the performance of a job position that a user used to access the recruiting side. The use of cookies is mandatory for the provision of our services and thus for the fulfilment of the contract (Section 25(2)(2) TDDDG). Period of storage: You have the right to object for up to 1 month or until the end of the browser session: you can determine for yourself via your browser settings whether you want to allow or refuse the use of cookies. Please note that deactivating cookies can lead to limited or completely inhibited functionality of the recruiting page.
Data related to performance and analytics cookies will only be processed in accordance with Art. 6 para. 1 (a) GDPR based on the consent you provided during the application process. You may revoke your consent at any time (see Section 11 Rights of Data Subjects).
9. How we use information
We use the information provided to us (subject to the decisions made by you, e.g. in the context of Manage Services on our website or the cookie banner) to provide and improve our services. This helps us understand how our users avail of our services and in turn, we use this information to improve our services and perform troubleshooting activities.
We verify accounts and activities and promote security within and outside our services. This is achieved, for example, by investigating suspicious activities or violations of our terms and conditions and ensuring that our services are used in compliance with the law.
For all those who conclude a contract with us, we process information which is necessary for the fulfilment of such contracts. The core data are used:
To provide, improve and adjust our services. Please also see ‘Our Services’ below.
To maintain the IT security and operational reliability of our services.
To communicate with you in relation to service problems.
For the collection and use of information that you provide to us when activating the device-based settings (e.g. access to your camera or photos if, for example, you upload a photo to your user account), we may provide the features and services described when activating the settings.
In addition, all information is processed for the following:
For analytical data collection and other services where we use data for control and improvement.
To provide reports showing our partners the usage of our broad range of services.
In the interest of companies and other partners, so that they can better understand their customers and, if necessary, improve their business model. This concerns, for example, price models to be adjusted or user interactions.
To send you the best and newest offers.
You have the right to object to or restrict such processing at any time. To do this, please read the paragraph entitled ‘Rights of Data Subjects’.
We only store your personal data only for as long as it is necessary to fulfil the purposes for which they were collected. Personal data are deleted as soon as they are no longer required and once there are no legal retention periods in force.
Our website is delivered using Secure HTTP Protocol. This SSL encryption ensures that no third party can read or change transmitted data according to the current state of technology. This applies both to the content of the site and to data transmitted through the use of forms.
10. Rights of Data Subjects
In accordance with the Basic Data Protection Regulation and other applicable laws, you have the right to access, rectify, transfer or delete your information and the right to restrict or object to certain processing of your information. This also includes the right to object to our processing of your information for direct marketing purposes.
Revocation and Opposition Rights
"Regardless of the explanations above, you may object to the use of your information at any time and revoke any consent to the use of your information at any time.” Here, the right of objection under Art. 21 para. 1 and 2 GDPR applies to the processing of your data in connection with direct advertisement, if this is performed on the basis of a balance of interests.
If you revoke your consent to data processing or object to the use of the data, this does not affect the lawfulness of the data processing until the time of the revocation.
Legal basis:
Right to withdraw consent (Art. 7(3) GDPR ‘Conditions for consent’)
Right to object (Art. 21 GDPR ‘Right to object’)
Right to Rectification, Deletion, Blocking and Restriction
Furthermore, you have the right to rectify, block or delete the data which are collected and stored by us at any time. We expressly point out that there may be legal obligations or practical considerations to further store data. In this case, the data can only be blocked.
Legal basis:
Right to rectification (Art. 16 GDPR ‘Right to rectification’)
Right to erasure (Art. 17 GDPR ‘Right to be forgotten’)
Right to restriction (Art. 18 GDPR ‘Right to restriction of processing’)
Right to Data Transferability and Complaining to a Supervisory Authority
If you suspect that the processing of your data violates data protection law or that your data protection claims have otherwise been violated in any way, you can lodge a complaint with the responsible supervisory authority.
In the case of HolidayPirates GmbH, this is the responsible supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Phone: +49 30/13889-406
Email: [email protected]
Legal basis:
Right to data portability (Art. 20 GDPR ‘Right to data portability’)
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR ‘Right to lodge a complaint with a supervisory authority’).
Right to Information
You have the right to know which data we store about you (right to information).
Please note that we may require proof from you in the event of a request for information that has not been made in writing, proving your identity.
Legal basis:
Right of access (Art. 15 GDPR ‘Right of access by the data subject’)
Contact Person for Asserting the Rights of Data Subjects:
To assert the rights outlined above, please contact:
HolidayPirates GmbH
Neue Grünstraße 18
10179 Berlin
Email: [email protected]
11. Managing and Deleting your Data
If you would like to manage, change, restrict or delete your information and data, we provide the following features:
User Account: You can manage all information concerning your profile in your account. This may include your travel preferences, username, profile picture, or email address.
Delete Account: You can delete your profile on the website or in the App via your user account.
Unsubscribing from the Newsletter: You can unsubscribe from our newsletter at any time; the link to do so is at the end of every newsletter. As soon as you have unsubscribed from the newsletter, you will no longer receive any offers from us. Your personal data will not be reused and are deleted immediately.
Unsubscribing from the Messenger Service: You can unsubscribe from our messenger service at any time, to do so, simply send a message with ‘STOP’ via our channel in the respective messenger.
Data Analysis: You can deactivate tracking in the App settings. Please note, however, that deactivation may result in service limitations on your travel preferences. You can deactivate the collection of cookies on the website by clicking below on the Manage Services button.
12. Data Protection Officer and Contact Information
If you have any questions about our privacy policy, please contact our Data Protection Officer, Mr Roman Maczkowsky: [email protected].
Or write to us at:
HolidayPirates GmbH
Neue Grünstraße 18
10179 Berlin
Email: [email protected]
You can also reach us using the contact form on our website.
We value your privacy
We use cookies to enhance your browsing experience, serve personalised content, and analyse our traffic. By clicking "Accept All" you accept this and consent that we share this information with third parties and that your data may be processed in the USA. For more information, please read our .
You can adjust your preferences at any time. If you deny, we will use only the essential cookies and unfortunately, you will not receive any personalized content.
8. Social Media Fan Pages
We present online offers on different social media platforms to provide information and to facilitate contact with you.
We have no influence on the processing of personal data by the respective platform operator in their capacity as the responsible body. As a rule, when you visit our social media services, the platform operator stores cookies in your browser, in which your usage behaviour or interests are stored for market research and advertising purposes. The (mostly cross-device) user profiles are used by the platform operators to display personalised advertising. Under certain circumstances, you have also given a platform operator consent to data processing, for which case Art. 6 para. 1 (a) GDPR is the legal basis.
Data processing may also affect those who are not registered as users with the respective social media platform. In some instances, your data may be processed outside the territory of the European Union, which may complicate enforcement of your rights.
Facebook and Instagram Fan Pages
Address: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland
Data processing is based on an agreement on the joint processing of personal data pursuant to Art. 26 GDPR(https://www.facebook.com/legal/terms/page_controller_addendum).
If we process your personal data ourselves, we do so under our own responsibility. In this case, the processing is performed based on our legitimate interests (pursuant to Art. 6 para. 1 (f) GDPR) in a diverse external presentation of our company and the use of an effective information opportunity and communication with you.
Detailed information regarding data processing in the data protection area the platform operator is responsible for, opt-out options and the assertion of data subjects' rights can be found in the data protection policy of the relevant platform operator.