Skip to main content

Privacy Policy

We appreciate your interest in our website and the services we offer. In this privacy policy, we explain which personal data we process, for what purposes and to what extent.

Controller

Urlaub an der Ostsee GmbH

Lienaustraße 8

23730 Neustadt

+49 (0) 45 61 – 61 39 39 0
info@urlaubanderostsee.de

Data Protection Officer

DATENDO GmbH

Hohenzollernring 55

50672 Köln

dsgvo@datendo.de

www.datendo.de

General Information on Data Processing

We process personal data of our users only to the extent necessary to provide a functional website and our content and services. Processing is only carried out on the basis of a legal permission or after consent of the data subject. Where we obtain consent, Art. 6(1)(a) GDPR serves as the legal basis. For processing to fulfil a contract, Art. 6(1)(b) GDPR applies. For processing to fulfil legal obligations, Art. 6(1)(c) GDPR applies. For processing based on our legitimate interests, Art. 6(1)(f) GDPR applies.

Security Measures

We take extensive technical and organisational security measures in accordance with Art. 32 GDPR to protect your personal data against loss, destruction, unauthorised access, alteration or dissemination. We use modern encryption methods, in particular SSL/TLS, for data transmission. Our security measures are regularly reviewed and adapted to technological progress.

Web Hosting and Server Provision

This website is operated via the Google Cloud Platform. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you visit our website, your data is processed on Google servers. Personal data may also be transferred to the parent company Google LLC in the USA. The transfer to the USA is secured by the EU-US Data Privacy Framework, for which Google is certified. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of our online offering). We have concluded a data processing agreement (DPA) with Google.

Access Data and Server Log Files

When you access our website, your browser automatically sends information to the server, which is temporarily stored in server log files. The following data is recorded: IP address, date and time of access, name and URL of the retrieved file, amount of data transferred, notification of successful retrieval, browser type and version, operating system, referrer URL and the requesting provider. Storage is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. Log files are automatically deleted after 7 days at the latest, unless longer retention is required for evidence purposes in the event of security incidents.

Contact

When you contact us via a contact form, email or telephone, we process the data you provide (e.g. name, email address, telephone number, message content) to handle your enquiry. The legal basis is Art. 6(1)(b) GDPR for contract-related enquiries, otherwise Art. 6(1)(f) GDPR (legitimate interest in efficient communication). Your data will be deleted after your enquiry has been fully processed, unless statutory retention obligations apply.

Booking a Holiday Accommodation

When making a booking, we process your personal data such as title, name, address, email address, telephone number and travel dates to carry out the booking. This data is processed via the booking platform vOffice (provider: vOffice GmbH, Germany) and passed on to the respective owner or operator of the accommodation. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Booking data is stored for the duration of the statutory retention periods (generally 10 years pursuant to HGB/AO).

Data from Landlords and Owners

When landlords or owners offer their holiday property via our website, we process their personal data (name, contact details, bank details, property data) for the presentation and management of the property and for the provision of our rental services. The legal basis is Art. 6(1)(b) GDPR. The data is stored for the duration of the business relationship and beyond in accordance with statutory retention periods.

Cookies and Tracking

Our website uses cookies and similar technologies. Cookies are small text files stored on your device. Some cookies are technically necessary (Art. 6(1)(f) GDPR), others are only set with your consent (Art. 6(1)(a) GDPR).

Consent Management

To manage your cookie consents, we use our own consent tool. Your consent is stored in a cookie (meerfun_consent) for 1 year. The legal basis is Art. 6(1)(c) GDPR (fulfilment of the legal obligation to obtain and document consents). You can change your settings at any time via the link in the footer of our website or the cookie icon at the bottom left.

Google Tag Manager

We use Google Tag Manager (GTM), a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. GTM is a technical tool that allows us to centrally manage and control other services (e.g. Google Analytics, Google Ads). GTM itself does not set its own cookies and does not process personal data. It merely acts as a container that triggers the integrated tags. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the efficient and central management of website services).

Google Analytics 4 (via GTM)

Via Google Tag Manager, we integrate Google Analytics 4, a web analytics service of Google Ireland Limited. Google Analytics uses cookies that enable an analysis of your use of the website. The information generated is usually transferred to a Google server in the USA and stored there. The transfer is secured by the EU-US Data Privacy Framework. We use Google Analytics with activated IP anonymisation. Processing takes place exclusively after your consent pursuant to Art. 6(1)(a) GDPR. You can revoke your consent at any time via our cookie settings. Upon revocation, existing Google Analytics cookies (_ga, _gid, _gat) are automatically deleted. Storage duration: _ga: 2 years, _gid: 24 hours, _gat: 1 minute.

Google Ads (Conversion Tracking via GTM)

Via Google Tag Manager, we integrate Google Ads, an advertising service of Google Ireland Limited. Google Ads uses cookies to measure the effectiveness of our advertising campaigns and to show you more relevant advertising. The information generated is usually transferred to a Google server in the USA. The transfer is secured by the EU-US Data Privacy Framework. Processing takes place exclusively after your consent pursuant to Art. 6(1)(a) GDPR. You can revoke your consent at any time via our cookie settings. Upon revocation, existing Google Ads cookies (_gcl_au, _gcl_aw) are automatically deleted. Storage duration: _gcl_au: 3 months, _gcl_aw: 3 months.

Google Consent Mode v2

We use Google Consent Mode v2. Google Tag Manager loads with consent signals denied by default. Until you give your consent, no analytics or marketing cookies are set and no personal data is transmitted to Google. Only after your active consent via our cookie banner are the corresponding consent signals updated and the respective tags activated.

Technically Necessary Cookies

Technically necessary cookies enable basic functions such as language settings, favourites storage and the cookie consent itself. They are set without consent as they are essential for the operation of the website.

Local Storage (localStorage)

Our website uses the localStorage technology of your browser to provide certain functions. Unlike cookies, this data is not transmitted to our servers but remains exclusively on your device. We store the following information: your favourites list (saved accommodations), your cookie consent decision and an anonymous visitor ID to avoid multiple counts of page views. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in providing user-friendly functions). You can delete localStorage data at any time via your browser settings.

External Services and Content

Mapbox

For the display of interactive maps, we use Mapbox (Mapbox Inc., 740 15th Street NW, Suite 500, Washington, DC 20005, USA). When loading the maps, your IP address is transmitted to Mapbox servers. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the appealing display of location information). The transfer to the USA is secured by standard contractual clauses pursuant to Art. 46(2)(c) GDPR.

vOffice (vOffice GmbH)

For the management of accommodations, availability and bookings, we use the vOffice platform of vOffice GmbH, Germany. For booking enquiries and price queries, the required data (e.g. travel period, number of persons, and for bookings also your contact details) is transmitted to vOffice. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in the efficient management of our accommodation offering). We have concluded a data processing agreement with vOffice.

Google Cloud

We use Google Cloud services to store accommodation data and availability. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Personal booking data is only stored in anonymised form (without customer names or contact details). The legal basis is Art. 6(1)(f) GDPR. We have concluded a data processing agreement with Google.

Social Media

We maintain company profiles on Facebook and Instagram. For data processing on these platforms, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is responsible. Regarding the Facebook fan page, there is joint responsibility pursuant to Art. 26 GDPR. Meta only provides us with anonymised statistics on page views and interactions (so-called Page Insights). Our website only contains links to our social media profiles. When you click on these links, you are redirected to the respective platform; only then does data processing by Meta take place.

Data Transfer to Third Countries

Some of the services we use are based in the USA (Google, Mapbox). The USA has had an adequacy decision from the EU Commission since 10 July 2023 (EU-US Data Privacy Framework). Google is certified under the Data Privacy Framework, ensuring an adequate level of data protection. For services without DPF certification, we use standard contractual clauses pursuant to Art. 46(2)(c) GDPR as a safeguard.

Storage Duration

We store personal data only as long as necessary for the respective processing purpose or as required by statutory retention periods. Specifically: server log files are deleted after 7 days. Booking data is retained for 10 years (commercial and tax law retention obligations pursuant to §§ 147 AO, 257 HGB). Contact enquiries are deleted after completion of processing, unless retention obligations apply. Cookie consents are stored for 1 year. Newsletter data is deleted immediately after unsubscription.

Your Rights

You have the following rights regarding your personal data:

  • Right of access to your stored data (Art. 15 GDPR)
  • Right to rectification of inaccurate data (Art. 16 GDPR)
  • Right to erasure of your data (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability in a machine-readable format (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent with effect for the future (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Special Note on the Right to Object (Art. 21 GDPR)

Where your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing pursuant to Art. 21 GDPR, provided there are grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. To exercise your right to object, you can contact us using the contact details above.

Competent Supervisory Authority

Independent Centre for Data Protection Schleswig-Holstein

Holstenstraße 98

24103 Kiel

04 31 / 988-12 00
mail@datenschutzzentrum.de

Last updated: April 2026

Privacy Policy | meerfun.de