Privacy Policy
1. Controller
The controller responsible for the processing of personal data on luxrem.de and in connection with bookings via Luxrem Apartments is:
Luxrem Apartments
[PLATZHALTER: vollständiger rechtlicher Name des Betreibers / Unternehmens]
[PLATZHALTER: Rechtsform]
Inhaber: Siran Klaus Paramajeyakumar
[PLATZHALTER: ladungsfähige Anschrift]
Email: Booking@luxrem.de
Phone Germany: +49 2118 1995950
Phone Switzerland: +41 79 933 38 40
[ANWALT PRÜFEN: Falls es für Deutschland und Schweiz zwei getrennte Rechtsträger gibt, müssen die Verantwortlichkeiten je Standort/Buchung getrennt dargestellt werden.]
2. Data Protection Officer / Data Protection Contact
[PLATZHALTER: Datenschutzbeauftragter, falls bestellt]
[PLATZHALTER: Datenschutzkontakt, falls kein Datenschutzbeauftragter bestellt ist]
[ANWALT PRÜFEN: Ob nach DSGVO/BDSG oder Schweizer DSG ein Datenschutzbeauftragter, Vertreter oder eine Kontaktstelle erforderlich bzw. sinnvoll ist.]
3. Applicable Data Protection Regulations
For guests, interested parties and website visitors from Germany, the EU and the EEA, the applicable regulations include in particular the General Data Protection Regulation (DSGVO), the Federal Data Protection Act (BDSG) and the Telecommunications-Digital Services-Data Protection Act (TDDDG). For processing relating to Switzerland, the Swiss Federal Act on Data Protection (DSG/revDSG) and the Data Protection Ordinance (DSV) also apply.
Where bookings concern a German location (Luxrem 1–3, Remscheid) and a Swiss location (Luxrem 4–6, Biel/Bienne), both legal systems may be relevant. In cases of doubt, the specific attribution must be reviewed by legal counsel.
4. Categories of Data
We process in particular the following categories of data:
- Contact data: name, address, email address, phone number.
- Booking data: accommodation booked, stay period, number of guests, price, currency, booking status, special requests, messages.
- Guest data: names of accompanying persons, registration form / identity data where legally required or necessary for contract performance.
- Payment data: payment status, payment references, invoice/receipt data, deposit and refund information. Full card or account data is processed by Stripe.
- Website usage data: IP address, date/time, pages visited, referrer, user agent, technical log data.
- Cookie and consent data: consent status, cookie categories, timestamps, technical identifiers.
- Calendar and availability data: iCal synchronisation with booking platforms such as Booking.com and Airbnb, in particular occupancy, booking references and availability.
- Communication data: emails, telephone notes, service and support communications.
- Archive data: cash receipts and associated booking/payment records archived in Paperless (self-hosted).
5. Purposes and Legal Bases
Booking, Contract Performance and Guest Services
We process booking, contact, guest and communication data to respond to enquiries, accept bookings, organise stays, facilitate check-in/check-out, invoice services and fulfil contractual obligations.
Legal bases under DSGVO: Art. 6(1)(b) DSGVO (contract and pre-contractual measures), Art. 6(1)(c) DSGVO (legal obligations), Art. 6(1)(f) DSGVO (legitimate interests in efficient administration, customer communication and record-keeping).
Switzerland: Processing for contract performance, fulfilment of legal obligations and in the context of legitimate operational interests under DSG/revDSG.
Payment Processing via Stripe
For online payments, payment data is processed via Stripe. We use Stripe Hosted Checkout. The entry and processing of full payment data takes place at Stripe. We receive in particular payment status, transaction references and billing information.
Legal bases under DSGVO: Art. 6(1)(b) DSGVO, Art. 6(1)(c) DSGVO, Art. 6(1)(f) DSGVO.
[ANWALT PRÜFEN: Konkrete Stripe-Vertragspartei, Stripe-Unternehmen, Drittlandtransfer, Standardvertragsklauseln und Link zur Stripe-Datenschutzerklärung ergänzen.]
Website Operation, Hosting and Server Logs
The website runs as a Next.js application on an Infomaniak VPS in Geneva, Switzerland and is delivered via bunny.net as an EU CDN. When the website is accessed, technically necessary data is processed, in particular IP address, timestamp, URL accessed, referrer, user agent and technical error/security logs.
Legal bases under DSGVO: Art. 6(1)(f) DSGVO (stable, secure website operation, abuse prevention, error analysis), and where applicable Art. 6(1)(b) DSGVO for booking-related use.
For technically necessary storage or access to terminal devices, § 25(2) TDDDG applies; for non-essential cookies/technologies, consent under § 25(1) TDDDG and Art. 6(1)(a) DSGVO applies.
Calendar Synchronisation with Booking.com / Airbnb
To avoid double bookings, we synchronise availability and booking periods via iCal with booking platforms such as Booking.com and Airbnb. Calendar data, booking references, stay periods and, depending on the iCal content, guest/booking details may be processed.
Legal bases under DSGVO: Art. 6(1)(b) DSGVO and Art. 6(1)(f) DSGVO.
[ANWALT PRÜFEN: Tatsächliche iCal-Felder prüfen und Datenschutzhinweise der OTA-Plattformen verlinken.]
Cash Receipts and Paperless Archive
Cash receipts and associated records are archived in Paperless (self-hosted) to fulfil tax, accounting and record-keeping obligations.
Legal bases under DSGVO: Art. 6(1)(c) DSGVO (statutory retention obligations), Art. 6(1)(f) DSGVO (record-keeping and proper accounting).
Cookies and Consent
luxrem.de uses a cookie consent mechanism with the categories necessary, preferences, statistics and marketing. Statistics and marketing services are not loaded prior to consent.
Legal bases: § 25 TDDDG, Art. 6(1)(a) DSGVO for cookies/technologies requiring consent; Art. 6(1)(f) DSGVO and § 25(2) TDDDG for technically necessary processes. Further details are set out in the Cookie Policy.
6. Recipients and Processors
Personal data may be transmitted to the following recipients or service providers:
- Infomaniak Network SA, Switzerland: hosting/VPS.
- bunny.net / BunnyWay d.o.o. or the relevant group company: CDN, website delivery and protection. [ANWALT PRÜFEN: genaue Vertragspartei und Datenstandorte.]
- Stripe: payment processing via Hosted Checkout. [ANWALT PRÜFEN: genaue Stripe-Vertragspartei.]
- Booking.com and Airbnb: booking platforms/iCal synchronisation, insofar as guests book via these platforms or calendar data is synchronised.
- Paperless (self-hosted): archiving of cash receipts and records within the operator's own infrastructure.
- Tax advisors, legal advisors, authorities and courts, insofar as legally required or necessary for the enforcement of legal claims.
Where service providers process personal data on a contracted basis, data processing agreements or equivalent data protection arrangements are concluded as required.
7. Third-Country Transfers
Processing takes place in particular in Germany, Switzerland and the EU/EEA. From an EU perspective, Switzerland has an adequacy decision. For service providers such as Stripe, Booking.com, Airbnb or CDN/infrastructure services, data may also be transferred to third countries, in particular the USA.
Where personal data is transferred to countries without an adequate level of data protection, this is done only on the basis of appropriate safeguards, e.g. EU standard contractual clauses, additional protective measures or statutory exceptions. [ANWALT PRÜFEN: konkrete Transfermechanismen je Anbieter ergänzen.]
8. Retention Periods
We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations.
- Enquiries without a booking: [PLATZHALTER: Speicherfrist, z. B. 6 Monate].
- Booking and contract data: [PLATZHALTER: Speicherfrist nach handels-/steuerrechtlichen Vorgaben DE/CH].
- Invoices, receipts and accounting documents: [PLATZHALTER: gesetzliche Aufbewahrungsfristen Deutschland/Schweiz].
- Server logs: [PLATZHALTER: konkrete Log-Speicherfrist, z. B. 7-30 Tage].
- Cookie consent records: [PLATZHALTER: Speicherfrist].
- iCal/OTA data: [PLATZHALTER: Speicherfrist und Löschlogik].
9. Data Subject Rights
Under the DSGVO, data subjects have in particular the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent with effect for the future.
Under Swiss DSG/revDSG, data subjects have in particular the rights of access, release or transfer of personal data, rectification, erasure or cessation of unlawful processing, to the extent the legal requirements are met.
To exercise these rights, a message to Booking@luxrem.de is sufficient.
10. Withdrawal of Consent
Consent granted, in particular for cookies in the statistics or marketing categories, may be withdrawn at any time with effect for the future. Withdrawal is as straightforward as granting consent, in particular via the cookie settings on the website.
11. Right to Lodge a Complaint
Data subjects have the right to lodge a complaint with a data protection supervisory authority.
For Germany: [PLATZHALTER: zuständige Datenschutzaufsichtsbehörde, voraussichtlich Landesbeauftragte/r für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, anwaltlich prüfen.]
For Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Berne, Switzerland, https://www.edoeb.admin.ch/
12. Obligation to Provide Data
Certain data is required for a booking and the conduct of the stay. Without such data, we may be unable to process enquiries, complete bookings, fulfil legal obligations or provide services. Optional details are indicated as such or apparent from the context.
13. Automated Decisions
No automated individual decision-making including profiling within the meaning of Art. 22 DSGVO takes place according to the current draft. [ANWALT/TECHNIK PRÜFEN: Falls dynamische Preisbildung, Betrugsprüfung, automatisierte Ablehnung oder Scoring eingesetzt wird, ergänzen.]
Source Basis
Sources and review notes: see README.md.
