Privacy Policy

1. General information

The protection of your personal data is important to us. Below we inform you about which personal data is processed when you visit our website, contact us, make bookings, stay in our accommodation, make payments, use guest contribution systems, technical systems or external booking platforms.

Personal data means any information that can identify you personally or make you identifiable, for example name, address, email address, telephone number, booking data, payment data, stay data, technical usage data or device information.

We process personal data only where there is a legal basis for doing so. This may include, in particular, the performance of a contract or pre-contractual measures, compliance with legal obligations, consent or legitimate interests.

2. Controller

The controller within the meaning of the General Data Protection Regulation is:

Bentcrest, owner Jan-Niklas Bente
Rolfsbütteler Str. 32
38543 Hillerse
Germany

Email: stay@bentcrest.com
Telephone: +49 15563 699420

3. Data protection officer

No data protection officer has currently been appointed, as according to our current assessment there is no legal obligation to appoint one. For any questions regarding data protection, you may contact us at any time using the contact details stated above.

4. Legal bases for processing

We process personal data in particular on the basis of the following provisions:

• Art. 6(1)(a) GDPR – consent, for example for non-essential cookies, analytics tools, external media or newsletter registration
• Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures, for example bookings, enquiries, payment processing and guest communication
• Art. 6(1)(c) GDPR – legal obligations, for example tax retention obligations, invoicing, guest contributions, spa taxes, tourism levies or statutory registration obligations
• Art. 6(1)(f) GDPR – legitimate interests, for example technical security, protection against misuse, damage prevention, energy management, operational optimisation, legal defence and efficient management of our accommodation

Where we process data on the basis of legitimate interests, you may object to such processing on grounds relating to your particular situation.

5. Website operation, hosting and server log data

Our website is operated using the Smoobu Website Builder. The domain is managed by Bitpalast GmbH and forwarded to the Smoobu website via CNAME entry.

When visiting our website, technically necessary data may be processed, in particular:

• IP address
• date and time of access
• browser type and browser version
• operating system used
• pages and files accessed
• referrer URL
• amount of data transferred
• status messages and technical error data

The processing is carried out for the technical provision, stability, security and error analysis of the website on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in providing a secure, stable and technically functional online offering.

6. Cookies, similar technologies and consent management with Cookiebot

Our website uses cookies and similar technologies. Cookies are small text files that are stored on your device. Similar technologies may include local storage technologies, pixels, tags, scripts or other technical identifiers.

We use the consent management service Cookiebot by Usercentrics to manage cookie consents and comparable consents.

Provider:
Usercentrics A/S
Havnegade 39
1058 Copenhagen
Denmark
Company registration number: DK34624607

Cookiebot helps us to transparently inform visitors to our website about the cookies and similar technologies used, obtain consent, document consent and make cookie settings manageable.

6.1 Categories of cookies and technologies

Depending on the technical setup of our website, the following categories of cookies and comparable technologies may be used:

• Necessary cookies: These are required for the website to function technically, to provide basic security functions, to enable booking functions or to store your cookie settings.
• Preference cookies: These enable comfort functions, such as language settings or display options.
• Statistics cookies: These help us understand how our website is used so that we can improve it technically and content-wise.
• Marketing cookies: These may be used to measure content, campaigns or advertising or to display content in a more user-oriented way.
• External media and services: These may include embedded services such as maps, booking functions, external platforms or other third-party content.

6.2 Legal bases

Necessary cookies and comparable technologies that are required for the operation of the website or for functions expressly requested by you are used on the basis of Section 25(2) TDDDG and Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and functional provision of our website.

Non-essential cookies and comparable technologies, in particular for statistics, analytics, marketing or external media, are only used if you have given your prior consent. The legal basis is Section 25(1) TDDDG and Art. 6(1)(a) GDPR.

You may withdraw or change any consent you have given at any time with effect for the future. This is possible via the cookie banner or the cookie settings on our website.

6.3 Processing by Cookiebot

When using Cookiebot, the following data in particular may be processed:

• IP address or shortened IP address
• date and time of consent or refusal
• selected cookie and consent settings
• consent ID or consent record
• domain or website on which the consent was given
• browser and device information
• technical log data

The processing serves to technically implement, document and verify your consent decision. Cookiebot documents consents in a consent log so that consent decisions can be traced and proven if necessary.

The legal basis for the use of Cookiebot is Art. 6(1)(c) GDPR insofar as we are legally obliged to prove consents, as well as Art. 6(1)(f) GDPR based on our legitimate interest in legally secure, user-friendly and verifiable consent management. Where Cookiebot itself stores or reads technically necessary information, this is done on the basis of Section 25(2) TDDDG.

6.4 Data processing agreement

Where Usercentrics A/S processes personal data on our behalf, this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR.

Usercentrics A/S processes the data generally according to our instructions and only for the agreed purposes. Further information can be found in the privacy information and contractual documents of Cookiebot/Usercentrics:

• https://www.cookiebot.com/en/privacy-policy/
• https://www.cookiebot.com/en/data-processing-agreement/

6.5 Changing and withdrawing cookie settings

You may change your cookie settings at any time via the cookie banner or the cookie settings on our website, or withdraw any consent you have given with effect for the future. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

A current overview of the cookies and comparable technologies used is displayed in the cookie banner or in the cookie settings, insofar as this is technically provided.

7. Contact by email, telephone, contact form or messenger

If you contact us via contact form, email, telephone, WhatsApp or other communication channels, we process the data you provide to handle your enquiry and communicate with you afterwards.

The following data in particular may be processed:

• name
• contact details, in particular email address and telephone number
• content of the enquiry
• booking or stay reference
• communication history
• technical metadata of the communication

Depending on the content of the enquiry, processing is carried out on the basis of Art. 6(1)(b) GDPR where it concerns a booking, stay or pre-contractual measures, or on the basis of Art. 6(1)(f) GDPR due to our legitimate interest in handling enquiries.

When communicating via WhatsApp or comparable messenger services, data may be processed by the respective provider. For users in the European Economic Area, the provider of WhatsApp is generally WhatsApp Ireland Limited. The privacy information of the respective messenger provider also applies.

8. Direct bookings, booking management and guest communication via Smoobu

For direct bookings, booking management, occupancy calendars, guest communication, automated messages, website booking functions, channel management, invoicing or booking processes and organisational workflows, we use Smoobu in particular.

Provider:
Smoobu GmbH
Pappelallee 78/79
10437 Berlin
Germany

The following data in particular may be processed:

• name and contact details
• booking and stay data
• arrival and departure dates
• number of persons and age groups
• accommodation, prices and booked services
• payment status
• messages and guest communication
• technical usage and log data

The processing is carried out for the performance of the accommodation contract and management of the stay on the basis of Art. 6(1)(b) GDPR, as well as for efficient organisation, prevention of double bookings, communication and technical provision on the basis of Art. 6(1)(f) GDPR.

Smoobu processes personal data to the extent necessary for the functions we use. Where Smoobu acts as a processor, processing is carried out on the basis of a data processing agreement pursuant to Art. 28 GDPR.

Further information can be found in Smoobu’s privacy policy:
https://www.smoobu.com/en/privacy-policy/

9. Smoobu Dynamic Pricing and price automation

We may use Smoobu Dynamic Pricing or comparable price automation functions to dynamically adjust overnight prices based on factors such as season, demand, occupancy, availability, booking time, market data, length of stay and comparable accommodation offers.

In this context, accommodation, calendar, availability, price, booking and stay data in particular may be processed. Price optimisation serves market-based pricing, occupancy management and economically efficient operation.

Processing is carried out on the basis of Art. 6(1)(b) GDPR where it is necessary for booking and performance of the contract, as well as on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in market-based, efficient and economically sound price and occupancy management.

Where we use dynamic pricing, no pricing is based on special categories of personal data, no individual creditworthiness assessment is carried out and no automated decision with legal effect within the meaning of Art. 22 GDPR takes place. However, displayed prices may change depending on booking time, demand and availability.

10. Bookings via Airbnb, Booking.com and other external platforms

Our accommodation may also be bookable via external booking platforms such as Airbnb, Booking.com, FeWo-direkt, Expedia, Vrbo or comparable platforms.

If you book via such a platform or communicate with us through such a platform, the respective platform initially processes personal data under its own responsibility. The privacy information, terms of use, payment terms and cookie notices applicable there are decisive.

As part of booking processing, the platforms may transmit to us in particular the following data:

• name
• contact details, insofar as released by the platform
• booking number and platform ID
• booking, stay and payment status data
• arrival and departure dates
• number of persons and, where applicable, age details
• messages via the platform
• reviews or publicly visible profile information, insofar as provided by the platform

We process this data to carry out the stay, communicate, invoice, collect guest contributions and fulfil legal obligations on the basis of Art. 6(1)(b) and (c) GDPR. Where processing serves organisation, documentation, quality assurance or legal defence, it is carried out on the basis of Art. 6(1)(f) GDPR.

Privacy information of the platforms can be found here in particular:

• Airbnb: https://www.airbnb.com/help/article/3175
• Booking.com: https://www.booking.com/content/privacy.html

11. Online check-in, guest contributions, spa taxes, tourism levies and guest cards

For the performance of the stay, online check-in, creation of digital guest cards, invoicing of guest contributions, spa taxes, tourism levies or comparable municipal charges, we process the personal data required for this purpose.

The following data in particular may be processed:

• name and contact details
• address
• date of birth or age group
• nationality, where required
• arrival and departure dates
• number and age of accompanying persons
• reasons for reductions or exemptions
• guest card or registration data

Depending on the accommodation location and local requirements, data may be transmitted to responsible towns, municipalities, spa administrations, tourism offices or technical service providers for guest contribution systems. In particular, feratel may be used for the processing of guest contributions and guest cards.

Processing is carried out to comply with statutory or municipal obligations on the basis of Art. 6(1)(c) GDPR and to perform the stay on the basis of Art. 6(1)(b) GDPR.

12. Statutory registration obligations and identity verification

For German citizens, there is currently no special federal hotel registration obligation. However, municipal registration obligations, guest contribution obligations, spa tax obligations or tourism levy obligations remain unaffected insofar as they apply at the respective accommodation location.

Guests who do not hold German citizenship may be legally obliged, on the day of arrival, to provide the required information, sign a special registration form and present a valid identity document, in particular a passport or passport substitute.

Where legally required or necessary for the secure performance of the stay, we may verify identity data. A copy, photo or digital transmission of an identity document will only be requested or stored insofar as this is legally permissible and necessary.

The legal basis is Art. 6(1)(c) GDPR where legal obligations exist, as well as Art. 6(1)(b) or (f) GDPR where processing is necessary for contract performance, security, fraud prevention or legal defence.

13. Invoices, accounting and tax obligations

We process personal data to create invoices, payment overviews, booking records, credit notes, tax documents and to comply with our accounting and retention obligations.

For this purpose, we use Lexware Office in particular and, where applicable, bnbbills or comparable invoicing and automation services.

The following data in particular may be processed:

• name and billing address
• email address
• booking and stay data
• invoice amounts and payment status
• tax and accounting data
• communication regarding invoices and payments

Processing is carried out on the basis of Art. 6(1)(b) GDPR for contract performance and on the basis of Art. 6(1)(c) GDPR to comply with statutory accounting, tax and retention obligations.

14. Payment providers Stripe and PayPal

We may use external payment service providers for payment processing, in particular Stripe and PayPal. Depending on the selected payment method, payment data will be transmitted to the respective payment service provider or processed directly by that provider.

The following data in particular may be processed:

• name
• email address
• billing and payment data
• payment amount
• payment method
• transaction number
• technical payment and security data

Processing is carried out for the payment and thus for the performance of the accommodation contract on the basis of Art. 6(1)(b) GDPR. Where processing is necessary for fraud prevention, payment security or legal defence, it is additionally carried out on the basis of Art. 6(1)(f) GDPR.

Payment providers may also process personal data under their own responsibility. The privacy information of the respective payment service provider also applies:

• Stripe: https://stripe.com/privacy
• Stripe Privacy Center: https://stripe.com/legal/privacy-center
• PayPal: https://www.paypal.com/de/legalhub/paypal/privacy-full

15. Smart home systems, sensors and technical energy management

Technical devices and sensors may be used in our accommodation to increase security, prevent damage, use energy efficiently, ensure smooth operation and protect the accommodation against misuse.

These may include in particular the following systems:

• presence sensors
• window and door contacts
• connected smoke detectors
• smart heating thermostats
• leakage sensors
• temperature and humidity sensors
• devices for purely measuring noise levels in decibels
• technical controls for heating, energy and security

Depending on the device used, technical status data may be processed, for example presence detected/not detected, window or door open/closed, temperature, humidity, heating status, water leakage, smoke alarm, battery status, device status, connection status or noise level in decibels.

There is no video surveillance inside the accommodation. There is no audio recording, no voice recording and no analysis of conversations. Noise sensors, where used, are used exclusively to measure technical decibel values and not to record or evaluate conversation content.

The systems are not used to monitor the personal behaviour of individual guests and not to create personal movement, stay or behavioural profiles. No automated decision with legal effect within the meaning of Art. 22 GDPR takes place.

The legal basis is Art. 6(1)(b) GDPR insofar as processing is necessary for carrying out the stay or providing the accommodation, as well as Art. 6(1)(f) GDPR based on our legitimate interests in security, damage prevention, energy efficiency, protection of the accommodation, compliance with house rules and proper operation. Where legal obligations, in particular fire safety or traffic safety obligations, are concerned, processing is carried out on the basis of Art. 6(1)(c) GDPR.

Only authorised persons at Bentcrest and technical service providers used by us have access to this data, insofar as this is necessary for operation, maintenance, troubleshooting, security, damage clarification or energy optimisation.

Pure operating and status data is generally processed only for as long as necessary for the respective purposes. Longer storage takes place only insofar as this is necessary to clarify security incidents, damage, technical faults, legal claims, cases of misuse or legal obligations.

16. Smart Life, Tuya and comparable smart home service providers

Depending on the accommodation and technical equipment, services such as Smart Life, Tuya or comparable technical platforms may be used to control or manage individual smart home devices. The systems actually used depend on the equipment of the respective accommodation.

Depending on the app, device, region and configuration, providers may include in particular Tuya Smart Inc., Tuya GmbH, Volcano Technology Limited or companies affiliated with them.

These services may process in particular technical device, status, usage, connection and event data, for example device status, sensor values, times of events, technical identifiers, IP address, network and connection data as well as location or region settings insofar as this is necessary for operation.

Processing is carried out for the technical provision of smart home functions, security, damage prevention, energy efficiency and operational optimisation on the basis of Art. 6(1)(b) and Art. 6(1)(f) GDPR.

Depending on the provider, app, device settings and technical infrastructure, personal data may also be processed outside the European Union or the European Economic Area. Where a third-country transfer takes place, this is carried out in accordance with the legal requirements, in particular on the basis of an adequacy decision, appropriate safeguards, standard contractual clauses or other permissible transfer mechanisms.

When selecting and configuring the systems, we aim to use settings that are as data-minimising as possible, restrict access and avoid processing unnecessary personal data. Guests do not receive direct app access to our internal smart home management systems unless expressly provided for.

Further information can be found in the privacy information of the respective providers:

• Smart Life Privacy Policy: https://developerapp.tuyaus.com/protocol/1a824d962b40000b?lang=en
• Tuya Data Privacy / Trust Center: https://www.tuya.com/trustcenter/data_privacy

17. Wi-Fi and internet use in the accommodation

Where Wi-Fi is provided in the accommodation, technical connection data may be processed when it is used. This may include in particular IP addresses, MAC addresses, device identifiers, connection times, transmitted data volumes and technical log data.

Processing is carried out to provide internet access, ensure network security, troubleshoot errors and prevent misuse on the basis of Art. 6(1)(b) and Art. 6(1)(f) GDPR.

Bentcrest does not monitor the content of internet use. However, we reserve the right to take technical security measures where necessary to prevent unlawful or abusive use.

18. Google Analytics

This website may use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies and similar technologies to evaluate the use of the website, create reports on website activity and improve our online offering. In particular, usage data, device information, browser information, approximate location data, referrer information and interactions with the website may be processed.

Google Analytics is used exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You may withdraw your consent at any time via the cookie settings with effect for the future.

Google may also process data in third countries, in particular the USA. Where data is transferred to the USA or other third countries, this is done in accordance with the legal requirements.

Further information can be found at Google:
https://policies.google.com/privacy
https://support.google.com/analytics/answer/12017362

19. Google Maps

Maps from the Google Maps service may be embedded on our website. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When you access a page with an embedded Google Maps map or activate a map, personal data may be transferred to Google. This may include, in particular, IP address, location data, device information, browser information and usage data.

Use of Google Maps takes place, insofar as it is not technically strictly necessary, on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. Insofar as Google Maps is used to display our location and provide user-friendly arrival information, there is also a legitimate interest pursuant to Art. 6(1)(f) GDPR.

Google may also process data in third countries, in particular the USA. Further information can be found in Google’s privacy policy:
https://policies.google.com/privacy

20. Social media, external links and embedded content

Our website may contain links to external services and platforms, for example Instagram, Facebook, WhatsApp, Airbnb, Booking.com, Google Maps or other external providers.

If you click on an external link or activate embedded external content, you leave our area of responsibility. The respective provider may process personal data under its own responsibility. The privacy information of the respective provider applies.

Where external content is not technically necessary, it will only be loaded after your consent, insofar as this is technically possible via the consent management system used.

21. Newsletter and email marketing

If we offer a newsletter or email marketing in the future, we will send it only with your express consent or where this is legally permitted.

For registration, in particular name, email address, time of registration, IP address, consent record and technical sending data may be processed. Processing is carried out on the basis of Art. 6(1)(a) GDPR.

You may withdraw any consent given at any time with effect for the future, for example via an unsubscribe link in the newsletter or by notifying us.

If we use external newsletter service providers, we will inform you about the respective provider during registration or in this privacy policy.

22. Reviews and guest feedback

After a stay, we may ask you for a review or feedback. In this context, name, accommodation, stay period, rating, text content, platform reference and communication data may be processed.

Processing is carried out for quality assurance, improvement of our offering, communication with guests and external presentation on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in improving and transparently presenting our services.

Reviews on external platforms such as Airbnb or Booking.com are additionally subject to the privacy and terms of use of the respective platform.

23. Recipients and categories of recipients

Personal data may be transmitted to the following categories of recipients where necessary:

• booking and property management systems, in particular Smoobu
• external booking platforms, in particular Airbnb, Booking.com, FeWo-direkt, Expedia or Vrbo
• payment service providers, in particular Stripe and PayPal
• invoicing, accounting and automation services, in particular Lexware Office and bnbbills
• tourism, guest contribution and guest card systems, in particular feratel
• smart home and IoT service providers, in particular Smart Life, Tuya or comparable providers
• hosting, domain, IT and maintenance service providers
• communication services and email providers
• cleaning, service or support partners, insofar as required for the stay
• tax advisors, legal advisors, insurers and authorities, insofar as required or legally prescribed

Data is transmitted only insofar as this is necessary to fulfil the respective purpose, there is a legal obligation, you have given your consent or there is a legitimate interest.

24. Processing on behalf of the controller

Where service providers process personal data on our behalf, we conclude data processing agreements with these service providers pursuant to Art. 28 GDPR where required.

Processors may generally process personal data only according to our instructions and only for the agreed purposes. Where service providers process personal data under their own responsibility, their own privacy information also applies.

25. Third-country transfers

Some of the providers used by us or our service providers may process personal data outside the European Union or the European Economic Area, in particular in the USA, the United Kingdom, Switzerland or, depending on the smart home provider and technical configuration, in other countries.

Such a transfer takes place only if the legal requirements are met. This may be the case in particular if there is an adequacy decision by the European Commission, appropriate safeguards such as EU standard contractual clauses have been agreed, additional safeguards exist, express consent has been given or another statutory exception applies.

For services from the USA, a transfer may in particular take place on the basis of the EU-U.S. Data Privacy Framework if the respective provider is certified accordingly. If no such certification exists, we rely, where necessary, in particular on EU standard contractual clauses and additional protective measures.

Despite such safeguards, it cannot be completely excluded that foreign authorities may access data under the legal requirements applicable there. We take this into account when selecting, configuring and using services and aim for settings that are as data-minimising as possible.

26. Storage period

We store personal data only for as long as necessary for the respective purposes or as long as statutory retention obligations exist.

Booking, invoice, payment and tax-relevant data may generally be stored for up to 10 years due to statutory retention obligations.

Communication data is stored for as long as necessary to handle the enquiry, perform the stay, document matters or defend legal claims.

Data in connection with guest contributions, spa taxes, tourism levies, registration data or guest cards is stored in accordance with the applicable statutory or municipal requirements.

Technical smart home, sensor, security and log data is generally stored only for as long as necessary for operation, security, damage prevention, error analysis or documentation. Longer storage occurs only in the event of specific incidents, damage, technical faults, legal claims or legal obligations.

Where data is processed on the basis of consent, we generally store it only until consent is withdrawn or as long as the respective purpose continues to exist.

27. Data security

We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration or disclosure.

These include, in particular, access restrictions, secure passwords, role-based access, encrypted transmission, regular review of services used, data-minimising configuration and restriction of access rights to authorised persons.

Please note that data transmission on the internet, in particular by email or messenger, may have security gaps. Complete protection against access by third parties is not possible.

28. Obligation to provide data

The provision of certain personal data is necessary for booking, contract conclusion, stay, payment processing, collection of guest contributions or legal obligations.

If required data is not provided, this may mean that a booking cannot be completed, check-in cannot be carried out, a guest card cannot be created or a stay cannot be properly processed.

29. No automated decision-making

Automated decision-making including profiling within the meaning of Art. 22 GDPR does not take place.

Where dynamic pricing is used, it serves general price and occupancy management based on market, calendar, demand and availability data. No automated decision with legal effect concerning individual guests takes place and no pricing is based on special categories of personal data.

30. Your rights

Within the scope of the statutory requirements, you have the following rights at any time:

• right of access to the personal data processed by us
• right to rectification of inaccurate or incomplete data
• right to erasure of personal data
• right to restriction of processing
• right to data portability
• right to withdraw consent given with effect for the future
• right to object to processing based on legitimate interests
• right to lodge a complaint with a data protection supervisory authority

You may additionally change or withdraw any cookie consent you have given at any time via the cookie settings on our website.

To exercise your rights, you may contact us at any time:
stay@bentcrest.com

31. Right to object pursuant to Art. 21 GDPR

If we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object to this processing at any time on grounds relating to your particular situation.

If you object, we will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

If personal data is processed for direct marketing purposes, you have the right to object at any time to processing for such marketing purposes.

32. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

The competent authority may in particular be the data protection supervisory authority of your place of stay, your place of residence, your workplace or the place of the alleged infringement.

33. Validity and amendments to this privacy policy

We reserve the right to amend this privacy policy if legal, technical or organisational changes arise, new services are used or our data processing changes.

The current version published on our website applies.