(Version 1.7. Last update: August 2023)
Since May 25, 2018, the provisions of the EU General Data Protection Regulation (hereinafter, the GDPR) have applied throughout Europe. In this Privacy Policy, we would like to inform you about how Tourlane GmbH processes personal data in accordance with this new regulation (see Art. 13 GDPR). Please read our Privacy Policy carefully. If you have any questions or comments about this Privacy Policy, you can contact us at any time at the email address provided in Section 2.
1. Overview
The following data protection notice explains the nature and extent of the processing of so-called personal data by Tourlane GmbH. Personal data is information that is or can be directly or indirectly assigned to your person.
What is personal data?
Personal data is any information that relates to an identified or identifiable natural person (hereinafter, the "data subject"). This includes information such as your name, address, postal address, IP address, telephone number and email address. Information that is not directly associated with your real identity (such as favorite websites or number of users of a website) is not considered to be personal data.
What is anonymized data?
Every time you access the content of our website, general information is automatically stored (e.g., the number of users and the amount of time they spend on individual pages, etc.). This data is not personal, as it does not relate to an identified or identifiable natural person. This data is therefore processed in anonymized form. Information of this type is used exclusively for statistical purposes and is used by us to optimize the performance of our website.
Data processing via the Tourlane website can essentially be divided into two categories:
For the purpose of providing our services, namely for the preparation of customized travel offers and for the implementation of travel, Tourlane processes all data required for this purpose. This allows us to ensure that we can offer our customers and potential customers the best possible service. If third parties, for example tour operators, subcontractors, etc., are involved in an order or the implementation of your trip, your data will be passed on to these third parties to the extent necessary.
When you access the website, various types of information are exchanged between your end device and our server. This information may also be personal data. The information collected in this way is used, for example, to optimize our website or to display advertising in your browser.
In accordance with the provisions of the GDPR, you have various rights, which you can assert with respect to us. This includes, for example, the right to object to selected data processing, in particular data processing for advertising purposes. The option to object is highlighted in print. If you have any questions about our data protection notice, please feel free to contact our data protection officer at any time. You will find the contact details below.
2. Name and contact details of the controller and the data protection officer.
This Privacy Policy applies to data processing by Tourlane GmbH, Prinzessinnenstrasse 19-20, 10969 Berlin, Germany, and to our website. The Tourlane GmbH data protection officer can be contacted at the above address, at the attention of the Department of Data Protection or at datenschutz@tourlane.de.
3. The purposes of data processing, legal bases and legitimate interests of Tourlane or a third party, and categories of data recipients
3.1. Visiting our website
When you visit our website, your browser automatically sends information to our website server, where it is stored temporarily in a log file. We have no influence on the sending and storing of this information. The following information is collected without your intervention and stored until it is automatically deleted:
the IP address of the requesting Internet-connected device
the date and time of access,
the website from which the access was made (referrer URL),
your own campaign ID,
the type of browser you are using and, if applicable, the operating system of your Internet-connected computer and the name of your access provider.
The legal basis for the processing of your IP address is Art. 6 (1) (f) GDPR. Our legitimate interest results from the purposes of data collection listed below. At this point, we would like to note that we are not able to draw any conclusions about your identity from the data we collect, nor will we do so.
We use the IP address of your device and the other data listed above for the following purposes:
ensuring a smooth connection to our website,
ensuring the comfortable use of our website,
evaluating system security and stability and
for other administrative purposes.
The data is stored for the duration of the session and is automatically deleted when you close your browser. Furthermore, we use cookies, tracking tools and a CRM system for our website. The exact procedures involved and how your data is used for this purpose are explained in more detail in Section 3.4 below.
3.2. Data processing for the provision of our services and for the performance of contracts.
In order to provide our infrastructure, we use various hosting services and tools on the basis of Art. 6 (1) (b) and (f) GDPR. The services we use are for the provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, BI services and technical maintenance services that we use for the purpose of operating our website.
In this context, we process the business data, inventory data, contact data, content data, contract data, usage data, metadata and communication data of the users of our websites. The secure processing of data and the safeguarding of our business operations are thereby to be recognized as our legitimate interests. We take the utmost care to ensure that these providers meet our high data protection standards and have concluded a contract with each of these providers for commissioned processing in accordance with Art. 28 GDPR, in which the providers undertake to process the data received only in accordance with our instructions and to comply with the EU level of data protection. More detailed information on data protection can be found in the privacy policies of the providers.
3.2.1. Data processing in the questionnaire to determine travel preferences
The purpose of Tourlane's activity is to offer customized trips to worldwide destinations. The goal is to be able to offer our customers individual trips based on their preferences and needs. For this purpose, we provide a questionnaire on our website, through which customers can provide information about their individual travel preferences. In this context, we process the data required for the preparation of travel offers. This data includes:
First name, last name,
contact details,
gender,
information about travel preferences,
browser information,
host name (IP address) of the computer used to access the website,
time of the server request.
The legal basis for this is Art. 6 (1) (b) GDPR. If we do not use your contact data for advertising purposes (see 3.3. below), we store the data collected via the questionnaire until the expiry of the statutory limitation provisions. After expiry of this period, we retain the contract information required by commercial and tax law for the periods determined by law. For this period (usually ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.
3.2.2. Data processing for individual travel advice.
If you have decided to use our services for individual travel advice and planning, together with you, we will attempt to identify the key data and circumstances for travel planning that are important to you on the basis of Art. 6 (1) (a) and (b) GDPR. The purpose of this processing is to be able to offer you the best possible service. In particular, the following data may be processed:
master data such as age and name,
type of trip (round trip, safari, golf vacation, etc.),
expected travel time,
number of travelers,
preferred travel destinations,
type of accommodation,
food preferences,
details about those who are traveling with you, and
other details if they may be relevant to the planned trip, e.g., activities by helicopter.
We store the data collected in this way until the expiry of the statutory limitation provisions. After expiry of this period, we retain the contract information required by commercial and tax law for the periods determined by law. For this period (usually ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.
3.2.3. Data processing for the provision of individual travel brochures via Wetu
In order to provide our customers with a brochure containing comprehensive information for the trip they have booked, we use the Wetu content management and presentation tool, a service of Wetu B.V., Overschiestraat 184-B, 1062 XK, Amsterdam, Netherlands (hereinafter "Wetu") on the basis of Art. 6 (1) (b) GDPR. For this purpose, we transmit the following data to Wetu:
the advertisement through which the visitor reached us,
travel details,
details of the trip,
email address,
so that we can send our customers an email containing comprehensive information, such as photos, videos, descriptions, documentation, travel tips, etc., for the upcoming trip before the start of the trip via this service. This data processing helps to optimize our services, and in particular, the smooth processing of travel, which is to be regarded as our legitimate interest. If you have any questions about data protection, you can send your request directly to Wetu's data protection officer, who can be reached at privacy@wetu.com, or you can send your request to the provider's address above. More detailed information on data protection at Wetu can be found in the provider’s privacy policy.
3.2.4. Data processing for booking flights via Conso
If a customer decides to book a flight, we transmit the data required for this purpose on the basis of Art. 6 (1) (b) GDPR and, in the case of "co-booked" persons, on the basis of Art. 6 (1) (f) GDPR for the purpose of booking flights, such as:
first name, last name and address of the air travelers,
gender of the air travelers,
dates of birth of the air travelers,
passport numbers of the air travelers,
contact details,
the requested flight data, such as travel dates, departure and destination airports of the trip, etc.,
luggage information,
information on special needs, if any,
to our booking partner for Flugreisen Conso, a service of Aerticket GmbH, Boppstrasse 10, 10967 Berlin, Germany (hereinafter, "Conso"). The data will be used by Conso exclusively for the processing of our request and for the implementation and making of the flight booking and will be transmitted securely via SSL encryption. If the data required for this purpose is not collected directly from the data subject, the data processing is used for the fulfillment of our contractual obligations, namely the processing of the request and the booking of the flight, which is to be regarded as our legitimate interest. You can object to this data processing at any time by informing us that you no longer wish to have your personal data processed in the future. For this purpose, please use the contact options provided for our data protection officer. Furthermore, you can also send your request directly to the provider's data protection officer, Dr. Charlotte Lauser, who can be reached at Datenschutz@lauser-nhk.de or at the address Dr. Gerhard-Hanke-Weg 31, 85221 Dachau, Germany. More detailed information on data protection at Conso can be found in the provider’s privacy policy.
3.2.5. Provision of travel documents
For the optimal provision of travel documents to our customers, on the basis of Art. 6 (1) (b) GDPR, we use the service provider ODS Office Data Service, Ehrenbergstrasse 16 A, 10245 Berlin, Germany (hereinafter, "ODS") and the service provider Digital Express 24 GmbH & Co. KG, Hahnenstrasse 47-49
50667 Cologne, Germany. For this purpose, we transmit in particular the customer master data and the travel details to the service provider to ensure that all documents required for the trip are sent to our customers on time. We have concluded a contract with the service providers for commissioned processing in accordance with Art. 28 GDPR, in which the service providers undertake to process the data received only in accordance with our instructions and to comply with the EU level of data protection. More detailed information on data protection at the service providers can be found in their privacy policies here and here.
3.2.6. Data processing via Apify
To ensure the smooth operation of our business and, in particular, for data extraction, we use the Apify platform, a service provided by Apify Technologies s.r.o., Lucerna Palace, Štěpánská 704/61, 11000 Prague 1, Czech Republic (hereinafter, "Apify"). We use this tool to automatically record customer data and travel details, and to be able to issue the secured payment certificate required for the trip. The legal basis for this is Art. 6 (1) (b) GDPR.
We have concluded a contract with Apify for commissioned processing in accordance with Art. 28 GDPR, in which Apify undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. More detailed information on data protection at Apify can be found in the provider’s privacy policy.
3.2.7. ConvertAPI
To ensure the smooth operation of our business and, in particular, to process secured payment certificates and air tickets, we use the Convert API platform, a service provided by UAB Baltsoft, Kosciuskos 26-17, Vilnius, LT-01100, Lithuania (hereinafter, "Baltsoft"). We use this tool to automatically merge and generate secured payment certificates and/or flight tickets. The legal basis for this is Art. 6 (1) (b) GDPR.
We have concluded a contract with Baltsoft for commissioned processing in accordance with Art. 28 GDPR, in which Baltsoft undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. More detailed information on data protection at Baltsoft can be found in the provider's privacy policy.
3.2.8. Data processing for contract performance
If you decide to book an individual trip offered by us, we will use the data you have provided on the basis of Art. 6 (1) (b) GDPR for the performance of the contract, i.e., in particular to plan and prepare your flights and other planned activities. We will transfer the necessary data required for this purpose, such as:
first and last names of the persons traveling,
their addresses,
dates of birth,
dates of arrival and departure,
a copy of their passports,
payment and booking details,
to the companies involved, such as affiliated tour operators, airlines, hotels, on-site activity organizers and shuttle services. This data transfer is necessary in order to carry out the individual activities and thus helps to ensure the smooth processing of the contract. We have concluded an order processing contract with all our partners in accordance with the GDPR, which means that your data will only be processed in accordance with our instructions. We store this master travel data until the expiry of the statutory limitation provisions. After expiry of this period, we retain the contract information required by commercial and tax law for the periods determined by law. For this period (usually ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.
3.2.9. Data processing for billing purposes via Billomat
To prepare our invoices, on the basis of Art. 6 (1) (b) GDPR, we use the accounting services of Billomat GmbH & Co. KG, Barbiergasse 6, 90443 Nuremberg, Germany (hereinafter, "Billomat"). If you book a trip through us, we create the necessary invoice documents via the online Billomat application. For this purpose, the necessary data is processed via the servers of Billomat, in particular,
name,
address,
email address,
booking details.
We have concluded a contract with Billomat for commissioned data processing in accordance with Art. 28 GDPR, in which Billomat undertakes to process user data only in accordance with our instructions and to comply with the EU level of data protection. The data will be deleted after expiry of the retention obligations under commercial and tax law. Additional information about Billomat and the provider's data protection can be found in their privacy policy. In addition, if you have any questions about data processing at Billomat, you can contact Billomat's data protection officer, Dominik Fünkner, at any time at: datenschutz@billomat.com.
3.2.10. Data processing for payment processing and invoicing via JustOn
For the processing of credit card payments and invoice management, we use Juston, a service of JustOn GmbH, Mälzerstrasse 3, 07745 Jena, Germany (hereinafter, "JustOn "), on the basis of Art. 6 (1) (b) GDPR. If you make a credit card payment or receive an invoice from us, the data required for this purpose, such as name, address, billing and payment details are processed via the servers of JustOn. We have concluded a contract with JustOn for commissioned data processing in accordance with Art. 28 GDPR, in which JustOn undertakes to process the aforementioned data only in accordance with our instructions and to comply with the EU level of data protection. The data will be deleted after expiry of the retention obligations under commercial and tax law. Additional information about JustOn and the provider's data protection can be found in their privacy policy. In addition, if you have any questions about data processing at JustOn, you can contact JustOn's data protection officer at any time at datenschutz@juston.com.
3.2.11. Data processing for payment processing and invoicing via Stripe.
To ensure smooth payment processing via credit card, on the basis of Article 6 (1) (b) GDPR, we use the service of Stripe, The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (hereinafter, "Stripe") or PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (hereinafter, "Stripe"). For this purpose, the payment data provided by the customer, such as name, address, account number, bank routing number, credit card number, invoice amount, currency and transaction number are transmitted to Stripe via SSL encryption. In order to protect its legitimate interest in determining the customer's ability to pay, Stripe reserves the right to perform a credit check based on mathematical and statistical methods. For the purpose of a credit check, Stripe may transmit personal data received in the course of payment processing to selected credit agencies. The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, these values are based on a scientifically recognized mathematical and statistical procedure. The calculation of the score values includes, but is not limited to, address data. Stripe uses the result of the credit check in relation to the statistical probability of non-payment for the purpose of deciding whether to initiate payment for the selected payment method.
We have concluded a contract with Stripe for commissioned processing in accordance with Art. 28 GDPR, in which Stripe undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection.
You can object to this processing of your data at any time by sending a message to Stripe or to the commissioned credit agencies. However, Stripe may still be entitled to process your personal data if this is necessary to process payments in accordance with the contract.
Stripe is certified according to PCI DSS (the Payment Card Industry Data Security Standard). More detailed information about Stripe's privacy practices can be found in the privacy policy of the relevant provider:or you can contact the data protection officer directly at privacy@stripe.com.
3.2.12. Data processing via the Tourlane Customer Portal
If you have chosen to complete our Questionnaire according to Section 3.2.2, we will provide you with access to our Customer Portal for better management of your data and travel on the basis of Art. 6 (1) (b) GDPR. The purpose of this processing is to provide you with the best possible service by allowing you to manage and edit your data, your trip and your preferences yourself. In particular, the following data may be processed for this purpose:
The data provided by you in accordance with Section 3.2.2,
other information provided by you and stored in the Customer Portal.
We store the data collected in this way until the expiry of the statutory limitation provisions. After expiry of this period, we retain the contract information required by commercial and tax law for the periods determined by law. For this period (usually ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.
3.2.13. Database integration via Zapier
For the integration of various databases and tools, we use Zapier, a service of Zapier Inc, 548 Market St #62411, San Francisco, California 94104, USA (hereinafter, "Zapier"), on the basis of Art. 6 (1) f) GDPR. Zapier enables us to efficiently structure the tools we use to ensure effective and timely business operations, which is to be recognized as our legitimate interest. When using Zapier, customer master data, such as name, address, email address, telephone number, travel request details, etc., are processed through and stored on a Zapier server.
We have concluded a contract with Zapier for commissioned processing in accordance with Art. 28 GDPR, in which Zapier undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Zapier and data protection can be found in the provider's privacy policy. You have the option to object to this data processing at any time by informing us that you no longer wish to have your personal data processed in the future. For this purpose, please use the contact options provided for our data protection officer.
3.3. Data processing for customer support, customer care, feedback and for sending our newsletter.
3.3.1. Registering for our newsletter via double opt-in
On our website, we offer you the option to register for our newsletter. In order to be able to ensure that no mistakes have been made when entering the email address and that it can also be assigned to the actual owner, we use a double opt-in procedure: after you have entered your email address in the registration field, we will send you a confirmation link. When you click on this confirmation link, your email address will be added to our mailing list. You can withdraw the consent which you have given in this way at any time with effect for the future. For this purpose, sending a short note by email to the email address provided under Section 2 is sufficient.
3.3.2. Feedback via Trustpilot
The satisfaction of our customers is our ultimate goal. Therefore, we occasionally ask our customers for their feedback after they return from traveling. To obtain customer reviews, on the basis of Art. 6 (1) (f) GDPR, we use the Trustpilot review service, a service of Trustpilot, Inc., 245 5th Avenue, 5th floor, New York, NY 10016, USA (hereinafter, "Trustpilot") via an interface. You are, of course, free to submit a review. If you help us with a review of your trip, the data generated in the process, such as, in particular, your
name,
email address,
if available, the Trustpilot profile photo,
the contents of the review,
will be processed via Trustpilot's servers in the USA and stored there. If you wish to avoid this type of data processing, you should not participate in this type of survey. This data processing for the purpose of improving our products and services is to be regarded as our legitimate interest. If you submit the review by clicking on the link contained in our invitation, you agree to the Trustpilot privacy policy and the Trustpilot terms and conditions. If you participate in this feedback system, your review will be published on our website and on Trustpilot's website. Your data will not be passed on to third parties. We have concluded a contract with Trustpilot for this commissioned data processing, in order to guarantee the European standards for legally compliant data processing. Additional information about Trustpilot and data protection can be found in the provider's privacy policy. You can also object to this data processing at any time. To do so, please use the contact options for our data protection officer or contact Trustpilot directly at: support@trustpilot.com
3.3.3. Feedback, scheduling and communication via Typeform
We use the Typeform survey tool, a service of Typeform S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain (hereinafter, "Typeform"), on the basis of Art. 6 (1) (f) GDPR to conduct surveys, to record the user experience, to communicate during pre-sales or to arrange meetings. If you use our survey tool or wish us to call you back, the data generated in this process, such as, in particular, your
name,
email address,
reference number,
telephone number,
booking number,
destination,
the contents of the review or input and the individual reviews,
the telephone number you have provided, if applicable,
will be processed via Typeform's servers and stored there. This data processing for the purpose of improving our products and services is to be regarded as our legitimate interest. If you wish to avoid this type of data processing, you should not participate in this type of survey. This data processing for the purpose of improving our products and services is to be regarded as our legitimate interest. When you participate in a survey system, the data generated through this activity will be published on our website, as well as on Typeform's server. Your data will not be passed on to third parties. We have concluded a contract with Typeform for this commissioned data processing, in order to guarantee the European standards for legally compliant data processing. Additional information about Typeform and data protection can be found in the provider's privacy policy. You can also object to this data processing at any time. To do so, please contact Typeform directly by using the contact form.
3.3.4. Falcon
In order to optimize our social media presences, we use the Falcon social media management tool, a service of Falcon.io ApS, H.C. Andersens boulevard 27, 1st floor, 1553 Copenhagen V, Denmark (hereinafter, "Falcon"), on the basis of Art. 6 (1) (f) GDPR. Falcon enables us to centrally manage and maintain our social media presences and to plan, create and publish content on specific networks, platforms and channels, as well as to process user reactions, search social networks and platforms for mentions, and to analyze all interactions with us and with the measures we take. The above uses are to be recognized as our legitimate interests.
If a user interacts with our social media presences, the data generated thereby as well as the publicly accessible data of the profiles used, such as name, gender, profile picture, profile URL, content and time of the respective post, etc., are transmitted to a Falcon server and stored there. We have concluded a contract with Falcon for commissioned processing in accordance with Art. 28 GDPR, in which Falcon undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Falcon and data protection at Falcon can be found in the provider's Privacy Policy. You can object to this data processing at any time by informing us that you no longer wish to have your personal data processed in the future. For this purpose, please use the contact options provided for our data protection officer.
3.3.5. Facebook and Instagram Fan Pages
For marketing purposes and to communicate with our customers via Facebook, we maintain fan pages on the Facebook and Instagram platforms operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter, "Meta"). According to the data protection authorities, we are jointly responsible with Meta for the data processing carried out via these platforms in accordance with Art. 26 GDPR. Therefore, we have jointly determined the purposes and means of processing with the provider. We use the fan pages in particular for statistical evaluation, and also for communication with our customers. Thus, in particular, the following information can be assigned to a specific profile and processed by us and by Meta:
if you mark our fan pages with "like" and "follow" these fan pages,
any reviews you leave and any comments you make,
"sharing" our posts or posts that link to our fan pages,
"checking in" when using our guest network at the Berlin Office.
Other aggregated statistical information, such as the number of visitors, actions on the fan page, etc., can not be assigned by us to any specific or identifiable person, and therefore, we do not consider this to be personal data. The legal basis for the aforementioned processing is Article 6 (1) (b) GDPR. We have no influence on the further data processing carried out by Meta. For the purpose and scope of the data collection by Meta and the further processing and use of the data, as well as your rights in this regard and setting options for protecting your privacy, please refer to Meta's data protection notice.
3.3.6. Optilyz
In order to optimize our mailing campaigns, on the basis of Art. 6 (1) (f) GDPR, we use the services of optilyz GmbH, Neue Schönhauser Str. 19, 10178 Berlin, Germany (hereinafter, "Optilyz"). For this purpose, we transmit customer master data to Optilyz, in particular, name, address, email address, booking number, Tourlane ID and destination. Optilyz enables us to measure and continuously optimize the effectiveness of our mailing campaigns, which is to be recognized as our legitimate interest.
We have entered into a contract with Optilyz for commissioned processing in accordance with Art. 28 GDPR, in which Optilyz undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Optilyz and data protection can be found in the provider’s privacy policy.You have the option to object to this data processing at any time by informing us that you no longer wish to have your personal data processed in the future. For this purpose, please use the contact options provided for our data protection officer.
3.3.7. Timekit
In order to simplify the scheduling of customer and consultation meetings, on the basis of Art. 6 (1) (b) GDPR, we use the services of Timekit Inc., 325 9th Street, San Francisco, CA 94103, USA (hereinafter, "Timekit"). Timekit provides an external platform for making and scheduling appointments. When you provide your phone number, we store the information collected and provided during the making and scheduling of appointments on Timekit servers. In particular, this data includes:
the email address you provide,
name,
telephone number you provide,
IP address.
This data processing by Timekit significantly simplifies our scheduling, which is our legitimate interest. The data you provide will not be disclosed to third parties at any time and will only be used for making and scheduling appointments, and for internal statistics. We have concluded a contract with Timekit for commissioned processing in accordance with Art. 28 GDPR, in which Timekit undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Timekit and data protection at Timekit can be found in the provider's privacy policy. In addition, if you have any questions about data processing at Timekit, you can contact the provider directly at any time at: yourfriends@timekit.io.
3.3.8. Scheduling and management with Yoummday and q experiences
In order to provide our customers with the best possible telephone service, e.g., for individual travel advice, we use the specialists at Yoummday GmbH, Belgradstrasse 68, 80804 Munich, Germany and at Q Experience Palmotićeva, ul. 56, 10000, Zagreb, Croatia (hereinafter collectively referred to as the "Service Providers''). If we arrange an appointment with our customers, the data required for the appointment, such as name, email address, scheduling, telephone number or travel requests are transmitted to a server of the above-mentioned service providers and is processed there. The transmitted data will not be passed on to third parties and will be used exclusively for making and scheduling appointments, and for internal statistics. For this purpose, we have concluded a contract with each of the service providers for commissioned processing in accordance with Art. 28 GDPR, in which these providers have undertaken to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information on these service providers and data protection can be found in the providers’ privacy policies.
3.3.9. Salesforce
To manage our customer data and prospects, we use the CRM platform Salesforce, a service provided by salesforce.com Inc, The Landmark One Market Suite 300, San Francisco, CA 94105, USA (hereinafter, "Salesforce"). This platform helps us to record customer data, to communicate with our customers, to document this contact, and to create offers according to customer preferences. If you contact us, e.g., via the questionnaire, the following data will be processed via the Salesforce servers:
name,
email address,
travel request (destination, travel time, type of travel),
offers for the customer,
data provided by the customer by means of a telephone call,
data on interactions with emails from Tourlane
This processing is based on Art. 6 (1) (b) and (f) GDPR and helps us to improve our services and customer support, which is to be regarded as our legitimate interest. We have concluded a contract with Salesforce for commissioned processing in accordance with Art. 28 GDPR, in which Salesforce undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Salesforce and data protection at Salesforce can be found in the Salesforce privacy policy. You can object to this processing at any time. For this purpose, please use the contact options provided for our data protection officer.
3.3.10. ActiveCampaign
To organize and analyze our mailing campaigns, on the basis of Art. 6 (1) a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the services of ActiveCampaign LLC, 150 N. Michigan Ave Suite 1230, Chicago, IL, USA (hereinafter, "ActiveCampaign"). When you open an email sent via ActiveCampaign, a file contained in the email (a web-beacon) connects to the servers of ActiveCampaign, so that the email-related data, such as, in particular,
information about the newsletter,
name,
email address,
opening and click-through rates,
IP address,
browser type and operating system,
are processed via ActiveCampaign's servers in the USA and stored there. This makes it possible for us to determine whether an email has been opened and which links, if any, have been clicked on. This information can be assigned to the respective recipient. This is used exclusively for the statistical analysis of our emailing campaigns. The results of these analyses can be used to make our campaigns more attractive, to avoid annoyance and to better adapt future newsletters to the interests of the recipients. This campaign analysis and optimization is thereby considered our legitimate interest. We have also concluded a contract with ActiveCampaign for commissioned processing in accordance with Art. 28 GDPR, in which ActiveCampaign undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection Additional information on ActiveCampaign and data protection at ActiveCampaign can be found in the provider’s privacy policy and in the additional explanations in the GDPR and GDPR compliance. If you have any questions about data processing at ActiveCampaign, you may also contact the ActiveCampaign data protection officer directly at info@activecampaign.com.
If you do not wish to be analyzed by ActiveCampaign, you can object to this data processing at any time by using the unsubscribe buttons included in the email or by simply clicking this link. Alternatively, you can also inform us of your wish not to receive any more emails from us in the future. For this purpose, please use the contact options for our company's data protection officer or contact the provider directly at: info@activecampaign.com.
3.3.11. SendGrid
For email communication with customers and interested parties, such as for confirming registrations and appointments, we use SendGrid dispatch software, a service of SendGrid Inc, 1801 California Street, Denver, CO 80202, USA (hereinafter, "SendGrid"), on the basis of Art. 6 (1) (b) and (f) GDPR. In this context, the following data:
email address,
last name, first name,
opening and click-through rates,
contents of the respective transaction,
IP address,
login process,
is processed via the servers of SendGrid in the United States. SendGrid helps us to process customer requests and is part of our service as well as customer support, which is to be regarded as our legitimate interest.. We have also concluded a contract with SendGrid for commissioned processing in accordance with Art. 28 GDPR, in which SendGrid undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about SendGrid and data protection at SendGrid can be found in the provider's privacy policy. You can object to this data processing at any time by informing us that you no longer wish to have your personal data processed in the future. For this purpose, please use the contact options provided for our data protection officer.
3.3.12. Twilio
To announce upcoming consultations by our travel experts and to conduct the calls (telephone and video calls), on the basis of Art. 6 (1) (b) GDPR, we use the Twilio tool, a service of Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland (hereinafter, "Twilio"). Twilio is a customer engagement platform that makes communication programmable and through which the sending and receiving of SMS messages can be controlled.
If a communication takes place via SMS or calls, we transmit your mobile phone number to Twilio. The date and the communication taking place via SMS or calls is processed via the servers of Twilio and stored there on the basis of Art. 6 (1) p. 1 (b) GDPR.
We have concluded a contract with Twilio for commissioned processing in accordance with Art. 28 GDPR, in which Twilio undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Twilio and data protection at the provider can be found in the privacy policy.
3.3.13. Creation of travel vouchers via Voucherify
In order to create and send travel vouchers and promotional material to existing and new customers, on the basis of Art. 6 (1) (b) GDPR, we use Voucherify, a service provided by rspective P. Rychlik sp. j., Porcelanowa 23, bud. A4, 40-246 Katowice, Poland (hereinafter, "Voucherify''). In order to provide promotional materials and discount codes, we transmit the customer master data required for this purpose, such as, in particular, name, address, email address, telephone number and other data required to provide the materials to Voucherify.
We have concluded a contract with Voucherify for commissioned processing in accordance with Art. 28 GDPR, in which Voucherify undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Voucherify and data protection can be found in the provider’s privacy policy.
3.3.14. Customer referral program via Mention Me
To provide our customer recommendation program, on the basis of Art. 6 (1) a) GDPR, we use MentionMe, a service of Mention Me Ltd, Kennington Park, 1-3 Brixton Rd, London, SW9 6DE, England (hereinafter, "MentionMe"), which we have integrated by means of Javascript into our web pages for customer recommendations. By using these services, customers can recommend our services to friends and family via various communication channels, such as sharing a link via email. For this purpose, referrers enter their own names and email addresses in the form provided for the recommendation and a link is then sent that referrers can share with friends for the purpose of recommendation. The recommendations are transmitted via Mention Me, whereby the email address, name and IP address of the referrer, and the email address and IP address of the referee (the person receiving the recommendation), are processed. If a referee accepts a recommendation, the referrer receives a reward for the recommendation, which is sent by Mention Me..
For this purpose, we have concluded a contract with Mention Me for commissioned processing in accordance with Art. 28 GDPR, in which Mention Me undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection.
The processing of the aforementioned data is carried out via the servers in Mention Me on a voluntary basis and with the consent of the parties involved. The data will not be used for any other purposes and will not be disclosed to third parties without authorization. No other data is collected or processed via Mention Me. Consent can be withdrawn at any time with effect for the future. For this purpose, please use the contact options provided for our data protection officer. Additional information about Mention Me and data protection can be found in the provider’s privacy policy.
3.3.15 Runa
For the issuance of rewards earned through our customer referral program, in particular for the provision of a voucher, we use Runa, a service of Runa Network Ltd, 1st Floor, Buckhurst House, 42-44 Buckhurst Avenue, Sevenoaks, Kent, TN13 1LZ, England (hereinafter "Runa"), on the basis of Art. 6 (1) (b) GDPR. If a customer has earned a reward as a referrer and wishes to redeem the credit, the link provided will take him to the runa.io platform where he can redeem it. For this purpose, the data of the referrer required for this purpose, i.e. in particular name, address, e-mail address and amount of the reward will be transmitted to Runa and the data will be processed on Runa's servers. Runa will use this data to generate and provide the reward, for example in the form of a gift voucher.
For this purpose, we have concluded a contract with Runa for commissioned processing pursuant to Art. 28 GDPR, in which Runa undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection.
Additional information about Runa and data protection can be found in the provider's privacy policy.
3.3.16 Braze
To optimize communication with our customers, we use the Braze platform, a service provided by Braze Inc., 318 W 39th St, 10018 New York City, USA, (“Braze”), on the basis of Article 6 (1) (b) GDPR. We use Braze to manage our email campaigns (newsletters, surveys, etc.) and to contact our customers as needed. This involves transferring data relevant for customer communication, in particular name, email address, contract data, time zone, device information, IP address, etc. to the Braze servers and storing it there.
We have agreed an order processing contract with Braze under Art. 28 GDPR, whereby the service provider is obliged to process the data received only in accordance with our instructions and to comply with the EU data protection level. Data is stored in accordance with the applicable statutory retention times and then erased. More comprehensive information on data protection at Braze can be found in Braze’s Privacy Policy.
3.4. Online presence and website optimization
3.4.1. Cookies – General Information
We use cookies on our website on the basis of Art. 6 (1) (f) GDPR. Our interest in optimizing our website is thereby to be regarded as legitimate within the meaning of the aforementioned provision. Cookies are small files which are automatically created by your browser and stored on your device (laptop, tablet, smartphone or similar device) when you visit our website. Cookies do not cause any damage to your device and do not contain viruses, Trojans or other malware. The cookie stores information that arises in connection with the specific device used. This does not mean, however, that we are able to gain direct knowledge of your identity. One of the purposes of cookies is to make the use of our website more pleasant for you.
3.4.2. Session cookies
When you visit our website, we use session cookies to recognize that you have already visited individual pages of our website. Session cookies are automatically deleted after you leave our website. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, if you completely disable cookies, you may not be able to use all the features on our website. The storage period of cookies depends on their purpose and is not the same for all cookies.
3.4.3. Tourlane cookies
For the purpose of needs-based design and the continuous optimization of our websites, we use our own cookies on the basis of Art. 25 (2) No. 2 TTDSG. If you visit one of our websites, a pseudonymous identification number (ID) is assigned to your browser. This cookie does not process any personal information, but only technical data, such as:
session ID (cookie name: visit_id),
user ID (cookie name: tourlane_id),
referrer URL (the previously visited page),
URL of the visited website,
host name (IP address) of the computer used to access the website,
browser type/version,
device name,
operating system used,
time of the server request
This data is processed via our servers and stored there. The storage period is a maximum of 180 days. We use this information to evaluate the use of the website, to compile reports on activities and to provide other services associated with the use of our website and the Internet for the purposes of market research and the needs-based design of our websites, which is to be regarded as our legitimate interest. You can object to this processing at any time by either deleting the cookie from your device, downloading and installing a browser add-on, such as "Cookie AutoDelete," by using the Network Advertising Initiative disabling service or by informing us of your wish to object to this processing. For this purpose, please use the contact options for our company data protection officer: datenschutz@tourlane.de
3.4.4. FullStory
For the purpose of needs-based design and the continuous optimization of our websites, on the basis of Art. 6 para. 1 lit. a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the FullStory analysis service, a service of FullStory, Inc, 818 Marietta Street, Atlanta, GA 30318, USA (hereinafter, "FullStory"). FullStory documents user behavior on our website in anonymized form, in particular the interactions, behaviors and types of use, such as entering information, the sequence of accessing certain pages of our website or the time sequences, such as the duration of visits to certain pages, etc.
The use of FullStory enables us to continuously improve the quality of our websites and their content, which is our legitimate interest.
The information generated by the use of FullStory is usually transmitted to a server of FullStory, Inc. in the United States and stored there. The storage period is a maximum of 180 days. We have concluded a contract with FullStory for commissioned processing in accordance with Art. 28 GDPR, in which FullStory undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about FullStory and data protection can be found in the provider’s privacy policy. You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this, you may not be able to use all the features of our website. You also have the option to object to the processing or your personal data at any time by following the provider's instructions for opting out, which you can access here: https://www.fullstory.com/optout.
3.4.5. LinkedIn pixels
In order to design our job postings in a needs-based manner, to further optimize these job postings and to measure their conversion, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use an individual visitor action pixel from LinkedIn, LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter, "LinkedIn"). This allows us to track the behavior of visitors to our website after they have been redirected to our recruiting pages by clicking on a LinkedIn ad. This allows us to evaluate the effectiveness of our LinkedIn ads for statistical purposes and to optimize future advertising measures. When using LinkedIn pixels, the following information in particular is processed:
timestamp,
referrer URL,
campaign-related information (in particular, specification of the impression, form field, activated button),
demographic information such as job title, seniority, company, company size, location and country
The data collected in this way is anonymous for us and therefore does not allow us to draw any conclusions about the identity of the user. The storage period is a maximum of 180 days. The data is also stored and processed by LinkedIn, so that a connection to the user profile is possible and so that LinkedIn can use the data for its own advertising purposes, in accordance with the LinkedIn privacy policy. We have also concluded a contract with LinkedIn for commissioned processing in accordance with Art. 28 GDPR, in which LinkedIn undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about LinkedIn and data protection at LinkedIn can be found in the provider's privacy policy. You can object to this special data processing at any time by clicking this link and then selecting the "Opt Out" button.
3.4.6. Google Tag Manager
We use Google Tag Manager to manage website tags (website code). These tags make it easier for us to manage and develop our website and to shorten the time it takes for our website to load on your browser. The Google Tag Manager only implements website code. The Google Tag Manager itself does not place any cookies on your device and does not collect any personal data. The tool only integrates website code that we have stored elsewhere, which may be used to collect data. The tool thus only helps to make it easier to control the code, but does not itself access the data processed by the code. In this privacy policy, we inform you about all tags integrated in this way. On Google’s web pages, you can find more information about the Google Tag Manager as well as the usage guidelines.
3.4.7. Google Adwords conversion tracking
In order to control and improve our campaigns, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the Google AdWords online advertising program and the Conversion Tracking analysis tool, a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter, "Google"). When you click on an ad placed by Google, a cookie for conversion tracking is placed on your computer. The information generated by the cookie:.
ad clicked on,
browser type/version,
operating system used,
location,
referrer URL (the previously visited page),
host name (IP address) of the computer used to access the website,
time of the server request,
are transmitted to a Google server in the United States and stored there. These cookies are no longer valid after 30 days, do not contain any personal data and are therefore not used for personal identification. If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognize that you have clicked on the ad and that you have been redirected to this page. Each Google AdWords customer receives a different cookie. This means that there is no possibility that cookies can be tracked across the websites of AdWords customers. The information obtained by the cookie is used to create conversion statistics for us as AdWords customers. In this way, we can know the total number of users who clicked on our ad and were redirected to a page tagged with a conversion tracking tag. However, we do not receive any information by which users can be personally identified. We have also concluded a contract with Google for commissioned processing in accordance with Art. 28 GDPR, in which Google undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. You can prevent this processing in advance by generally preventing the installation of cookies through a setting in your browser (disable cookies option) or by setting your browser so that it does not accept cookies from the domain "googleleadservices.com." You can withdraw your consent to processing via this cookie at any time with effect for the future by switching the sliders in the Google settings to "Off."
3.4.8. Google Analytics
For the purpose of needs-based design and the continuous optimization of our websites, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use Google Analytics, the analysis service Google Analytics of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter, "Google"). In this context, pseudonymized usage profiles are created and cookies are used. The information generated by the cookie about your use of this website such as,
browser type/version,
device name,
operating system used,
referrer URL (the previously visited page),
keywords/specific search query,
service provider,
host name (IP address) of the computer used to access the website,
time of the server request,
are transmitted to a Google server in the United States and stored there. The information is used to evaluate the use of our website, to compile reports on activities and to provide other services associated with the use of our website and of the Internet for the purposes of market research and the needs-based design of these Internet pages. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf. Under no circumstances will your IP address be merged with other Google data. The IP addresses are anonymized so that an assignment is not possible (IP masking). The storage period is a maximum of 180 days. You can object to this data processing at any time by preventing the installation of cookies by selecting the appropriate settings in your browser software; however, we would like to point out that if you prevent the installation of cookies, you may not be able to use all the features of our website. You can also prevent the collection of data generated by the cookie and related to your use of our website (including your IP address) and the processing of this data by Google by downloading and installing this browser add-on. As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent the collection of data by Google Analytics by clicking this link. An opt-out cookie will be placed on your device that prevents future collection of your data when visiting this website. Please note that the opt-out cookie is only valid in the specific browser used and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again. For more information on data protection in connection with Google Analytics, please visit the Google Analytics website.
3.4.9. Google dynamic remarketing
On the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the remarketing or "similar target groups" tool of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter, "Google"). This function serves the purpose of analyzing visitor behavior and visitor interests. Google uses cookies to analyze website usage, which forms the basis for the creation of interest-based advertisements. The cookies are used to record visits to our website and to provide anonymized data about the use of the website. No personal data of the visitors to our website is stored. If you subsequently visit another website in the Google advertising network, you may be shown advertisements that are highly likely to take into account product and information areas you have previously accessed, and may be similar to these.
Your data may be processed via Google servers in the USA. The processing thus carried out for behavior and interest-based advertising purposes is to be regarded as our legitimate interest according to Recital 47 to the GDPR.
You can object to this data processing at any time by downloading and installing this browser add-on. You can also permanently disable the use of third-party cookies by configuring the Network Advertising Initiative disable page accordingly. For detailed information on Google Remarketing and the associated privacy policy, please visit: https://www.google.com/privacy/ads/
3.4.10. GA Audiences
For the purpose of enabling interest-based targeting of our campaigns within the Google advertising network, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the GA Audiences web analytics service, a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter, "Google"). In this context, pseudonymized usage profiles may be created and cookies may be used. The information generated by the cookie about your use of this website such as,
browser type/version,
device name,
operating system used,
referrer URL (the previously visited page),
keywords/specific search query,
service provider,
host name (IP address) of the computer used to access the website,
time of the server request,
are transmitted to a Google server in the United States and stored there. The cookie makes it possible to recognize individual visitors when they access websites that belong to Google's advertising network. On these pages, the visitor can then be shown advertisements that relate to content that the visitor has previously accessed on websites that use Google's remarketing function. The storage period is a maximum of 180 days. The processing thus carried out for behavior and interest-based advertising purposes is to be regarded as our legitimate interest according to Recital 47 to the GDPR.You can object to this processing at any time. If you do not wish to receive interest-based advertising, you can disable Google's use of cookies for these purposes by following the instructions in this link.
3.4.11. Bing Ad conversion tracking and remarketing
On the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the Bing conversion tracking and remarketing tool, a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter, "Bing"). This function serves the purpose of analyzing visitor behavior and visitor interests in order to create and control needs-based campaigns for our products and to measure their effectiveness. If you access our website via a Bing advertisement, a cookie is placed on your device. Bing-UET Tag, i.e., a code snippet, is integrated on our website, via which data about the use of our website can be stored in connection with the cookie. This allows Bing and us to recognize that the visitor has reached us via the ad and a conversion page. In particular, the cookie processes the following anonymized data:
the advertisement through which the visitor reached us,
browser type/version,
device name,
operating system used,
referrer URL (the previously visited page),
keywords/specific search query,
service provider,
host name (IP address) of the computer used to access the website,
time of the server request,
time spent on the website and areas visited,
movement behavior on the website,
via Bing's servers and stores it there for a maximum of 180 days. The processing thus carried out for behavior and interest-based advertising purposes is to be regarded as our legitimate interest according to Recital 47 to the GDPR. You can prevent the collection of data generated by the cookie and related to your use of the website as well as the processing of this data even before the cookie is placed on your device by changing your browser settings and disabling the placing of cookies. You can also object to this data processing at any time by setting the switch to "Off" at this Link under "interest-based advertising: this browser." This places an opt-out cookie on the device used, which is only applicable for each browser and device. If you visit our website by using different browsers or devices, you must activate the opt-out cookie for each browser or device. Detailed information about Bing and the associated privacy policy can be found on the provider's product page or website.
3.4.12. Criteo
For marketing purposes, namely to enable interest-based targeting of our campaigns, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the cookie technology of Criteo SA, Rue Blanche, 75009, Paris, France (hereinafter, "Criteo"). We use Criteo to be able to display targeted product recommendations on third-party websites (publishers) to our interested users. For this purpose, a cookie is set when you visit our website, which processes information about your visits to our website, in particular the offers you viewed, travel destinations, and browsing behavior. This data is processed in a purely anonymous form, i.e., the cookie can only be identified by a randomly generated ID. Thus, the information processed by the cookie cannot be used to assign the data to a specific person. The cookie has a maximum lifetime of six months and is then automatically deleted. The processing thus carried out for behavior and interest-based advertising purposes is to be regarded as our legitimate interest according to Recital 47 to the GDPR.
For more information about Criteo technology, please refer to the provider's privacy policy. You can also object to this anonymous data processing on our website at any time by setting the switches mentioned Section 2 to "On" at this link.Then a new opt-out cookie will be set so that no further data processing will take place via Criteo. Please note that the opt-out cookie is only valid for the browser and device used.
3.4.13. Intent Media
In order to use our campaigns in a needs-based manner, to further optimize our campaigns and to measure their conversion, we use the Intent Media advertising network on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the Intent Media advertising network, a service of Intent Media, Inc., 315 Hudson Street, 9th Floor, New York, NY 10013 USA (hereinafter, "Intent Media"). Intent Media is a provider of personalized advertising, which makes it possible to offer users suitable offers based on their search behavior that matches their travel preferences. The processing thus carried out for behavior and interest-based advertising purposes is to be regarded as our legitimate interest according to Recital 47 to the GDPR. The data is stored in accordance with the legal retention periods and is then automatically deleted. These offers generated by Intent Media are either displayed in the form of ads directly on our websites or loaded in a separate tab or on a new page.
For the aforementioned purposes, Intent Media processes data on user activity, such as source and exit pages and number of clicks, date and time of the visit, as well as the IP address and assigns a random ID. This data is transferred to a server of Intent Media in the USA. We have also concluded a contract with Intent Media for commissioned processing in accordance with Art. 28 GDPR, in which Intent Media undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. Additional information about Intent Media and data protection can be found in the provider’s privacy policy.You have the option to object to this data processing at any time by following the provider's opt-out instructions, which you can access by clicking this link: https://intentmedia.com/opt-out/.
3.4.14. Outbrain conversion pixel
In order to use our campaigns in a needs-based manner, to further optimize our campaigns and to measure their conversion, we use the Intent Media advertising network on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use an individual pixel from Outbrain Inc, 39 West 13th Street, New York, NY 10011, USA (hereinafter, "Outbrain"). This pixel is integrated into our website code. This allows us to ensure that the campaigns we initiate are only displayed to users who have also shown an interest in our offer. We also want to ensure that our campaigns correspond to the potential interest of each of our users and do not annoy them. This also allows us to track users' actions after they have seen or clicked on one of our campaigns. This helps us measure conversion for statistical, market research and billing purposes. When used, the following information is processed:
ad clicked on,
browser type/version,
operating system used,
location,
referrer URL (the previously visited page),
host name (IP address) of the computer used to access the website,
time of the server request.
The data collected in this way is anonymous for us and therefore does not allow us to draw any conclusions about the identity of the user. The storage period is a maximum of 180 days. The processing thus carried out for behavior and interest-based advertising purposes is to be regarded as our legitimate interest according to Recital 47 to the GDPR. The data is stored in accordance with the legal retention periods and is then automatically deleted. For more information on data protection at Outbrain, please see the Outbrain privacy policy. You can object to this special data processing at any time by clicking the opt-out button under Section 4.
3.4.15. DoubleClick
For the purpose of needs-based design and the continuous optimization of our websites, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the DoubleClick analysis service, a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter, "DoubleClick"). In the process, a pseudonymous identification number (ID) is assigned to your browser in order to check which ads were displayed in your browser and which ads were viewed. These cookies do not contain any personal information. The use of DoubleClick cookies only enables Google and its partner websites to display ads based on previous visits to our website or to other websites on the Internet. The information generated by the cookie about your use of this website such as,
browser type/version,
operating system used,
referrer URL (the previously visited page),
host name (IP address) of the computer used to access the website,
time of the server request,
are transmitted to a Google server in the United States and stored there. The storage period is a maximum of 180 days. The information is used to evaluate the use of our website, to compile reports on activities and to provide other services associated with the use of our website and of the Internet for the purposes of market research and the needs-based design of these Internet pages. You can object to this processing at any time by either downloading and installing the browser add-on available at the following link or by disabling the DoubleClick cookies on the Digital Advertising Alliance webpage at the following link.
3.4.16. Pardot
For the purpose of needs-based design and the continuous optimization of our websites, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the Pardot marketing tool, a service of Salesforce Inc, The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA (hereinafter, "Pardot"). This tool helps us to better understand the usage behavior of our visitors and to gain insights for further optimization needs. Through the use of Pardot, the following data is processed:
data about the use of our website,
name,
email address,
travel request (destination, travel time, type of travel),
data on interactions with emails from Tourlane,
and transmitted via Pardot's servers in the USA and stored there. Based on this information, usage profiles can be created, which we use exclusively for the aforementioned purposes. This processing for the optimization of our offers is to be regarded as our legitimate interest. You can object to this data processing at any time by informing us that you no longer wish to have your personal data processed in the future. For this purpose, please use the contact options provided for our data protection officer.
3.4.17. Visual Website Optimizer
For the purpose of needs-based design and the continuous optimization of our websites, on the basis of Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG, we use the Visual Website Optimizer analysis service, a service of the provider Wingify, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India (hereinafter, "Visual Website Optimizer"). This tool helps us to better understand the usage behavior of our visitors and to gain insights for further optimization needs. Through the use of Pardot, the following data is processed:
device information (type, brand, operating system),
the IP address of the device used,
data about the use of our website,
name of the provider (e.g., Vodafone),
and is transferred via the servers of Visual Website Optimizer and stored there. The storage period is a maximum of 180 days. Based on this information, anonymous usage profiles can be created, which we use exclusively for the aforementioned purposes. This processing for the optimization of our offers is to be regarded as our legitimate interest. You can object to this data processing at any time by activating the "Disable VWO" button via this opt-out link.
3.4.18. Facebook Custom Audiences
For the target group-optimized control of Facebook campaigns and to measure their conversion, on the basis of Art. 6 (1) f) GDPR, we use the option of forming so-called Facebook Lookalike Audiences, which is provided to us by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (hereinafter, "Facebook") For more information about Facebook Lookalike campaigns, please visit Facebook at: https://www.facebook.com/business/help/365463786964246 This processing for behavioral and interest-based advertising purposes is considered our legitimate interest under Recital 47 to the GDPR. In the event that you are part of the Facebook Lookalike Audience, we will transmit your email address and device ID to Facebook. You can object to this special data processing at any time by either changing your Facebook settings at: https://www.facebook.com/settings/?tab=ads or by informing us that you no longer wish this data to be processed in the future. For this purpose, please use the contact options provided for our data protection officer.
3.4.19. Google Maps integration
On our website, on the basis of Art. 6 (1) (f) GDPR, we use the Google Maps API of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google"). This allows us to display interactive maps directly on our website and enables you to comfortably use the map feature. In this context, a cookie may be used. The information generated by the cookie about your use of our website, such as,
the visit to the corresponding sub-page,
browser type/version,
operating system used,
referrer URL (the previously visited page),
host name (IP address) of the computer used to access the website,
time of the server request.
This processing to improve our website and the user experience is to be regarded as our legitimate interest. More information on data protection in connection with Google Maps can be found in the Google privacy policy. You can object to this data processing by changing the corresponding settings in the Google Privacy Center or Activity Settings.
3.4.20. Facebook Connect
In order to register for our offers as easily as possible, we enable you to log in with Facebook, via the Facebook login function, a service of Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA (hereinafter, "Facebook"). This replaces registration, which would otherwise be necessary. To register, you will be redirected to Facebook's servers, where you can log in with your Facebook user data. This links your Facebook profile with our website. If you use this simplified login function, we will collect various types of master data from your publicly viewable profile, such as, in particular:
last name, first name,
location,
date of birth,
gender,
email address,
time zone,
friends or
profile photo.
The legal basis for the aforementioned processing is Article 6 (1) (a) GDPR. The processing thus carried out serves the purpose of simplified login as well as the establishment and performance of the contract or the provision of pre-contractual measures. The information processed in this way is needed to be able to identify you in order to conclude the contract. For the purpose and scope of data collection by Facebook and the further processing and use of the data, as well as your rights in this regard and for setting options for protecting your privacy, please refer to the privacy notices of Facebook and the provider's other notices about the Facebook Connect feature.
3.4.21. Unbounce
In order to provide our customers and interested parties with the best possible information, we use the analysis service of Unbounce Marketing Solutions Inc, Unit 415 -375 Water Street, Vancouver, BC, Canada V5T 4R4 (hereinafter, "Unbounce") on various landing pages for A/B testing, namely for the optimization and needs-based design of our actions and advertising campaigns, on the basis of Art. 6 (1) (f) GDPR. In doing so, individual platforms are hosted by Unbounce and used by us for our promotions and advertising campaigns. If you visit these landing pages, your browser communicates directly with the servers of Unbounce, so that technical and statistical information, in particular:
log data,
browser type/version,
device name,
operating system used,
referrer URL (the previously visited page),
host name (IP address) of the computer used to access the website,
the information provided by the user on the page,
your email address, if applicable,
can be processed via these servers and cookies can be set. We then receive an anonymous statistical evaluation of the user's activities on the platforms we use. This data processing by Unbounce allows us to improve our landing pages and our products, which is our legitimate interest. The storage period is a maximum of 180 days.
We have concluded a contract with Unbounce for commissioned processing in accordance with Art. 28 GDPR, in which Unbounce undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection. In addition, the EU Commission has classified Canada as a safe third country, so that a level of data protection in line with the European standard is guaranteed for this data processing. More information about Unbounce and data protection at Unbounce can be found in the provider’s privacy policy. If you have any questions about data processing at Unbounce, you can also contact the provider directly at any time at: support@unbounce.com.
3.4.22 Microsoft Clarity
On our website we use "Clarity," a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA (hereinafter, "Clarity") for statistical analysis of user behavior and for analysis of the various types of user information collected and stored for optimization and marketing purposes. Clarity technology helps us to get a better understanding of the experiences of our users, for example, how much time users spend on each page, how far they scroll, and which links or areas are clicked on most often. The legal basis for this data processing is Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG. The cookie set by Clarity processes the following data in particular:
IP address
location
browser information
screen resolution
language settings
visited website/subpages
date/time the website was accessed
clicks, scrolls, mouse movements
This cookie has a storage period of six months. We have also concluded a contract with Clarity for commissioned processing in accordance with Art. 28 GDPR, in which Clarity undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection.
You can prevent this processing in advance by generally preventing the installation of cookies through a setting in your browser. If you have given your consent to this data processing, you can withdraw it at any time with effect for the future by clicking "Off" on the switch displayed at this link. More information on data protection at Clarity can be found in the provider's privacy policy.
3.4.23 Taboola pixel
On our website, we use the Taboola pixel, a service of Taboola, Inc, 1115 Broadway, 7th Floor, New York, NY 10010, USA (hereinafter, "Taboola") to measure conversions. This allows us to analyze the behavior of users. The legal basis for this data processing is Art. 6 (1) (a) GDPR in connection with Art. 25 (1) S.1 TTDSG.
This procedure helps us to evaluate the effectiveness of Taboola advertisements for statistical and market research purposes and can help to optimize future advertising measures. This cookie processes the following data in particular:
ad clicked on,
browser type/version,
operating system used,
location,
referrer URL (the previously visited page),
host name (IP address) of the computer used to access the website,
time of the server request.
The collected data is anonymous for us and therefore does not allow us to draw any conclusions about the identity of the users and is stored for a maximum of 180 days. We have also concluded a contract with Taboola for commissioned processing in accordance with Art. 28 GDPR, in which Taboola undertakes to process the data received only in accordance with our instructions and to comply with the EU level of data protection.
You can prevent this processing in advance by generally preventing the installation of cookies through a setting in your browser. If you have given your consent to this data processing, you can withdraw it at any time with effect for the future by clicking on "Opt Out" at this link. More information on data protection at Taboola can be found in the provider's privacy policy.
4. Recipients outside the EU
With the exception of the processing operations outlined under Section 2.4, we do not pass on your data to recipients based outside the European Union or outside the European Economic Area. The processing operations mentioned under Section 2.4 may result in a data transfer to the servers of the provider of web analytics technology (see above) commissioned by us.
The servers of these providers may be located in other EU countries. Such a transfer is permissible if the European Commission has determined that an adequate level of data protection is provided in that third country. In the absence of such an adequacy decision by the European Commission, personal data will only be transferred to a third country if appropriate safeguards are in place pursuant to Article 46 of the GDPR or if one of the conditions of Article 49 of the GDPR has been met.
Unless otherwise stated below, we use the EU standard contractual clauses for the transfer of personal data to processors in third countries as appropriate safeguards: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087.
If we obtain your consent to the transfer of personal data to third countries, the transfer will take place on the legal basis of Art. 49 (1) (a) GDPR.
5. Your Rights
5.1. Overview
In addition to the right to withdraw the consent you have given to us, you have the following additional rights if the respective legal requirements have been met:
The right to access your personal data stored by us in accordance with Art. 15 GDPR,
The right to rectify incorrect data or to complete correct data in accordance with Art. 16 GDPR,
The right to have your data stored by us erased in accordance with Art. 17 GDPR,
The right to restrict the processing of your data in accordance with Art. 18 GDPR,
The right to data portability in accordance with Art. 20 GDPR.
To assert your rights, a short note to our data protection officer is sufficient. Our data protection officer can be reached via email at datenschutz@tourlane.de or by postal mail at Tourlane GmbH, Attn: Data Protection Department, Prinzessinnenstrasse 19-20, 10969 Berlin, Germany.
5.2. The right to object
Under the conditions of Art. 21 (1) GDPR, data processing may be objected to for reasons arising from the data subject's particular situation.
The above general right to object applies to all processing purposes described in this Privacy Policy, which are processed on the basis of Art. 6 (1) (f) GDPR. Unlike the special right of objection directed at data processing for promotional purposes (see above), under the GDPR we are only obliged to implement such a general objection if you provide us with reasons of overriding importance for doing so (e.g., a possible risk to life or health). You also have the option of contacting the supervisory authority responsible for Tourlane (the Berlin Commissioner for Data Protection and Freedom of Information) at: Berliner Beauftragten für Datenschutz und Informationsfreiheit Friedrichstraße 219, 10969 Berlin, Germany.
6. Data deletion and storage period
Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply or you withdraw your consent. Your personal data may also be stored if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the responsible party is subject. If the purpose of storage ceases to apply, if you withdraw your consent or if a storage period prescribed by the European Directive and Regulation Maker or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions, unless there is a need for further storage of the data for the conclusion or performance of a contract.
7. Data security
All data transmitted by you personally, including your payment data, is transmitted using the generally accepted and secure SSL standard (Secure Socket Layer). SSL is a secure and proven standard that is also used, for example, in online banking. You can recognize a secure SSL connection, among other things, by the appended "s" after the http (i.e., https://...) in the address bar of your browser or by the lock symbol in the lower area of your browser.
We also use appropriate technical and organizational security measures in order to protect your personal data stored by us against manipulation, partial or complete loss and against unauthorized access by third parties.
TourlaneCare