privacy policy

Information on the Processing of Your Data

In accordance with Article 12 of the General Data Protection Regulation (GDPR), we are obliged to inform you about the processing of your data when you use our website. We take the protection of your personal data very seriously. This privacy policy provides detailed information about how your data is processed and about your legal rights. The policy applies regardless of the platforms and devices (e.g. desktop / mobile) on which the online service is accessed.

We reserve the right to update this privacy policy in the future, particularly in case of further development of our website, implementation of new technologies, or changes in legal requirements or case law.

Please check this page occasionally to stay informed. We recommend printing or saving a copy for your records.

The terms used are based on the definitions in Article 4 of the GDPR.

Personal data refers to all information relating to an identified or identifiable natural person, such as your name, address and contact details, email address, or user behavior.

Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, restriction, erasure or destruction.

Data subject is any identified or identifiable person whose personal data is processed by the controller.

Controller means the natural or legal person, authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

User refers to all categories of data subjects, including our customers, guests, and visitors to our website.

1. Controller

BoxHotel GmbH
Badenstedter Straße 42
30453 Hannover, Germany
Phone: +49 (0) 511-51949890
Email: info[at]boxhotel.de
Managing Director: Oliver Blume

2. Data Protection Officer

For all data protection concerns, you may contact our Data Protection Officer:
Email: datenschutz[at]boxhotel.de
Or via postal mail to our address, with the note “Attn: Data Protection Officer”.
According to Art. 37 GDPR and § 38 BDSG, the appointment of a data protection officer is not mandatory.

3. Processing of Personal Data

3.1 Visiting Our Website

3.1.1 Scope of Processing

When visiting our website, your browser automatically transmits certain data to our web server (server log files):

• IP address

• Date and time of request

• Time zone difference to GMT

• Specific page requested

• Operating system and HTTP status code

• Transferred data volume

• Referrer URL

• Browser, language, and version

3.1.2 Purpose

These log files are stored to ensure functionality, security, and optimization of the website.

3.1.3 Legal Basis

The legal basis is our legitimate interest according to Art. 6(1)(f) GDPR.

3.1.4 Retention Period

Log files are stored for up to 12 months and then deleted.

3.1.5 Objection Option

This data collection is technically necessary for the website’s operation; objection is not possible.

3.2 Online Booking

3.2.1 Scope of Processing

When you book a room online, we collect the following data:

Salutation, first and last name, email address, phone number, street, house number, postal code, city, country, nationality, names of travel companions.

3.2.2 Purpose

These data are required to complete your booking.

3.2.3 Legal Basis

Art. 6(1)(b) GDPR – contractual necessity.

3.2.4 Retention Period

Data will be deleted when no longer required and if not subject to legal retention obligations.

Retention periods:

• 6 years (commercial correspondence – § 257 HGB)

• 10 years (tax documents – § 147 AO)

3.2.5 Objection Option

Due to legal obligations, objection is not possible.

3.3 Cookies

3.3.1 Scope of Processing

Our website uses cookies (small text files) stored on your device. They help recognize your browser and improve usability.

We use both session cookies (deleted when browser is closed) and persistent cookies (stored longer depending on cookie settings).

3.3.2 Purpose

Cookies support features like bookings and logins, and improve your user experience.

3.3.3 Legal Basis

Art. 6(1)(f) GDPR – legitimate interest.

3.3.4 Retention Period

• Session cookies: deleted after session

• Persistent cookies: deleted after expiration

3.3.5 Objection Option

You can disable cookies via your browser settings.

Note: Some website functions may then be unavailable.

3.4 Newsletter

3.4.1 Scope of Processing

You can subscribe to our free newsletter. We collect:

• Email address

• Salutation, first and last name (for personal address)

• Optional: private or business use

We use a double opt-in process to confirm your registration and document your consent (incl. timestamp and IP address).

3.4.2 Recipients

Our marketing department and:

Newsletter2Go GmbH (Germany), Köpenicker Str. 126, 10179 Berlin

https://www.newsletter2go.de/datenschutz

3.4.3 Purpose

To send personalized newsletters.

3.4.4 Legal Basis

Art. 6(1)(a) GDPR – your consent.

3.4.5 Retention Period

Data are stored only while your subscription is active.

3.4.6 Objection Option

You can unsubscribe anytime via the link in each newsletter.

3.5 Contact Form & Email

3.5.1 Scope of Processing

When using our contact form or emailing us, we collect:

Name, email, phone number, your message, date and time.

3.5.2 Purpose

To respond to your inquiry and prevent misuse of the contact form.

3.5.3 Legal Basis

Art. 6(1)(b) GDPR – contract initiation or inquiry processing.

3.5.4 Retention Period

Your data will be deleted once your inquiry is resolved.

3.5.5 Objection Option

You can revoke consent at any time by emailing: info[at]boxhotel.de

If you object, we can no longer continue the correspondence.

3.6 Applications

3.6.1 Scope of Data Processing

If you are interested in an open position at one of our BoxHotels, you can apply online. Please send your meaningful application, including the advertised position in the subject line with the subject “Application,” to info[at]boxhotel.de.

If you apply to us via email, we will process the data you have provided for the purpose of conducting the standard application process. Your personal data may be viewed by our HR department and the department responsible for filling the position.

3.6.2 Purpose of Data Processing

We process your personal data for the purpose of deciding whether to establish an employment relationship at BoxHotel, specifically for selecting suitable candidates and administratively managing the application process.

3.6.3 Legal Basis of Data Processing

The legal basis is Section 26 (1) BDSG (new).

3.6.4 Duration of Storage

If the application results in employment, we will process your data to manage the employment relationship. Your personal data will then be transferred to our HR management system.

If the application does not lead to employment, your data will be deleted six months after the application process is completed, unless you give us your consent in accordance with Art. 6 (1) (a) and Art. 7 GDPR to retain your personal data for a longer period so we may contact you for future job openings.

3.6.5 Right to Object and Removal

You may update or delete the information you have submitted to us at any time upon request. Please send us an email for this purpose. This does not apply if you are currently in an ongoing application process for a specific position. In this case, we retain your information until the expiry of the statutory filing deadlines (especially Section 15 AGG).

3.7 Web Analysis Using Google Analytics

3.7.1 Scope of Data Processing

This website uses features of the web analytics service Google Analytics, provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”).

Google analyzes your use of our website on our behalf using cookies, among other things.

You can find more about what cookies are and how to delete them in section 3.3 “Cookies.”

The information collected by Google regarding your use of our website (e.g., pages you visited) is transferred to a Google server in the USA, stored there, analyzed, and the results are made available to us in anonymized form.

We use Google’s IP anonymization on our website. This means that your IP address is shortened by Google within member states of the EU or in other contracting states of the Agreement on the European Economic Area before being transmitted. Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there.

Google is certified under the EU-US Privacy Shield, which ensures an adequate level of data protection for data processed in the USA.

3.7.2 Purpose of Data Processing

We use the data collected by Google to analyze the usage of our website and to generate reports on user activity, enabling us to improve the online experience and user-friendliness of our website.

3.7.3 Legal Basis of Data Processing

Our legitimate interest in the data processing by Google Analytics is based on the aforementioned purposes. The legal basis is Art. 6 (1) (f) GDPR.

3.7.4 Duration of Storage

Campaigns and sessions are automatically terminated after a specified time. Without activity, sessions end after 30 minutes by default. Campaigns end after a maximum of six months. The time limit for campaigns can be up to two years.

3.7.5 Right to Object and Removal

The IP address transmitted by your browser is not merged with other Google data. You can prevent the storage of cookies by adjusting your browser settings, as described in section 3.3. If you also want to prevent Google from collecting and processing data about your use of our website via cookies, you can download and install the Google browser plug-in:

https://tools.google.com/dlpage/gaoptout?hl=en.

To prevent future data collection by Google Analytics across all your devices, you must perform the opt-out on each device. This includes mobile devices such as smartphones or tablets.

Please note that the opt-out cookie will only prevent tracking as long as it remains stored and undeleted.

Further information about Google Analytics can be found in the Google Analytics Terms of Use and Google’s Privacy Policy.

To deactivate Google Analytics tracking, click this link: Google Analytics – Deactivate Tracking

4. Data Security

4.1 Technical, Contractual & Organizational Measures

We take technical, contractual, and organizational security measures according to the current state of the art to ensure compliance with data protection laws, especially the GDPR, and to protect data processed by us against loss, unauthorized access, destruction, and alteration. These include encrypted data transmission between your browser and our servers.

Note that SSL encryption is only active when the key symbol appears in your browser’s status bar and the address begins with “https://”. SSL (Secure Socket Layer) encrypts data transmissions to prevent unauthorized access. If SSL is not available, you may opt not to send sensitive data via the internet.

Unless otherwise stated, all data you transmit to us is stored on servers located in Germany.

5. Disclosure of Data to Third Parties & Processors

We only disclose personal data to third parties within the scope of legal requirements, for example under Art. 6 (1) (b) GDPR for contract purposes or on the basis of legitimate interests under Art. 6 (1) (f) GDPR.

We engage subcontractors under data processing agreements according to Art. 28 GDPR, especially for operating, maintaining, and hosting IT systems. Legal and technical measures ensure the protection of your personal data.

The following service providers are used:

• Channel Manager: Availpro, WeWork Sony Center Potsdamer Platz, Kemperpl. 1, 10785 Berlin

• Mobile App & Key Management: hotelbird GmbH, Sonnenstr. 23, 80331 Munich

• Hotel Management System: Infor (Deutschland) GmbH, Hollerithstr. 7, 81829 Munich

Data processing takes place in Germany.

6. External Services & Content on Our Website

We integrate external services or content based on our legitimate interest in analyzing, optimizing, and economically operating our online offer (Art. 6 (1) (f) GDPR).

Technical usage may require your communication data (e.g., IP address, date, time) to be exchanged with external providers. This is especially true for IP addresses, required to display content in your browser.

External providers may process this data for their own purposes. We have no influence over their data processing practices. For detailed information, consult the respective provider’s privacy policies.

We currently use the following social media plugins: Facebook, Instagram, Twitter, and YouTube. When visiting our website, no personal data is initially transmitted to plugin providers. You can recognize the providers by their logos in the website footer.

We do not control the collected data or processing by these providers. Plugin providers may store usage profiles for advertising and market research purposes.

You have a right to object to such profiling. Please contact the plugin providers to exercise this right.

If you are logged into one of these networks, data collected by our site may be linked to your user account. We recommend logging out after using social networks, especially before clicking on buttons.

Plugin Providers:

• Facebook: Privacy Policy | Data Info

• Instagram: Privacy Policy

• Twitter: Privacy Policy

• YouTube (Google): Privacy Policy | Ads Settings

• PayPal: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

If using payment services like PayPal, Visa, Mastercard, Maestro, or American Express, please refer to the terms and privacy policies of our payment provider Saferpay.

7. Your Rights

If we process personal data about you, you are a “data subject” under the GDPR, and you have the following rights:

• Right of access (Art. 15 GDPR)

• Right to rectification (Art. 16 GDPR)

• Right to erasure (Art. 17 GDPR)

• Right to restrict processing (Art. 18 GDPR)

• Right to data portability (Art. 20 GDPR)

• Right to object (Art. 21 GDPR)

• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

8. Online Dispute Resolution

Online Dispute Resolution (Art. 14 (1) ODR Regulation)

The European Commission provides a platform for online dispute resolution, available at:

http://ec.europa.eu/consumers/odr

For initial questions about a possible dispute resolution, you can contact us at info[at]boxhotel.de.
*Regulation (EU) No 524/2013 on Online Dispute Resolution in Consumer Matters