Responsible for data processing on this website:

Zur Sonne Hotel & Restaurant

TP Birks
Moltkestraße 4
79410 Badenweiler

Telefon: +49 7632 75080
E-Mail: hotel@zur-sonne.de
Website: www.zur-sonne.de

(Hereinafter "we" or "the hotel".)

No data protection officer required.

As a small business, we are not required to appoint a data protection officer. For data protection enquiries, please contact us directly at the email address above.

Overview

This privacy policy informs you about which personal data we collect on our website www.zur-sonne.de and in our booking system, the purposes and legal bases for processing, how long we store it, and your rights as a data subject.

Personal data means any information that makes a natural person identifiable (Art. 4(1) GDPR).

When you access our website, your browser automatically transmits technical information to our server, which is stored in server log files:

• Browser type and version
• Operating system used
• Referrer-URL
• Hostname of the accessing device
• Time of the server request
• IP-Adresse

Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in the technically secure and error-free provision of the website and the detection and prevention of attacks.

This data is not merged with other data sources or passed on to third parties. No merging with personal data from the booking system takes place.

Our website uses cookies — small text files stored by your browser on your device.

Technically necessary cookies

These cookies are strictly required for the operation of the website (e.g. session cookies for the booking system, language selection, security tokens for forms). They are set on the basis of Art. 6(1)(f) GDPR without prior consent and are automatically deleted at the end of your session.

Optional cookies (with consent only)

For analytics and marketing purposes, we only set further cookies when you have consented via our cookie banner (Art. 6(1)(a) GDPR). You may withdraw your consent at any time with effect for the future by revisiting our cookie settings.

You may also delete cookies or disable them entirely in your browser at any time. This may limit the functionality of our website.

For security reasons, this website uses SSL/TLS encryption for all connections. An encrypted connection is indicated by "https://" in the address bar and the padlock symbol in your browser. Data transmitted via an encrypted connection cannot be read by third parties.

When you contact us by email, telephone, or via a contact form on our website, the data you provide (name, email address, telephone number, message content) is stored and used exclusively to process your enquiry. It is not passed on to third parties.

Legal basis:

- Art. 6 Abs. 1 lit. b GDPR, where your enquiry relates to a contractual relationship or pre-contractual measures

- Art. 6 Abs. 1 lit. f GDPR (legitimate interest in effectively handling enquiries) for general enquiries without a contractual context

Retention period: Data is deleted once the enquiry has been fully processed and no statutory retention obligations apply.

Our online booking system is operated on our own infrastructure. No booking data is shared with external booking platforms or third-party systems.

To process your booking, we require the following information:

• Title, first and last name
• Email address
• Telephone number (for queries in unforeseen circumstances)
• Arrival and departure dates, room category, number of persons (and, where applicable, children's ages for correct pricing)
• Arrival and departure dates, room category, number of persons (and, where applicable, children's ages for correct pricing)
• Selected payment method and — for advance payments — payment details

Additional voluntary information such as special requests or comments is used solely for the processing of your stay.

The processing of your data serves the fulfilment of the accommodation contract and the implementation of pre-contractual measures (booking enquiries, quotes).

Legal basis: Art. 6(1)(b) GDPR.

Payment data (e.g. credit card details) is transmitted exclusively via an encrypted SSL/TLS connection and stored in encrypted form. Storage is limited to the duration required to process the relevant booking. Payment data is then irreversibly deleted. No data is passed on to external payment service providers.

Legal basis: Art. 6(1)(b) GDPR (contract fulfilment).

Our website and booking system are hosted by: Websache GmbH (technical service provider)

The server infrastructure is operated by Websache GmbH on servers of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen). Hetzner operates its data centres in Germany and Finland — data therefore remains within the EU/EEA.

Both service providers process data exclusively on our behalf on the basis of data processing agreements pursuant to Art. 28 GDPR.

Booking data is retained for as long as required for contract fulfilment and subsequent guest communication. Documents relevant for tax and commercial law purposes are subject to statutory retention periods (generally 10 years pursuant to §§ 147 AO, 257 HGB).

This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Google Analytics enables analysis of user behaviour on our website. The service uses technologies such as cookies or device fingerprinting to recognise users. The information collected (e.g. page views, time on site, approximate location, devices used) is generally transmitted to Google servers in the USA and stored there.

In Google Analytics 4, the IP address of visitors is not stored in full by default. No merging with personal data from the booking system takes place.

Legal basis: Art. 6(1)(a) GDPR (consent). Data is only processed if you have consented via the cookie banner. Consent may be withdrawn at any time.

Data transfer to the USA: Transfer is made on the basis of the EU Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Details: business.safety.google/controllerterms/

Opt-out: You can prevent collection by Google Analytics by installing the browser opt-out plugin: tools.google.com/dlpage/gaoptout

Data processing agreement: We have concluded a data processing agreement (DPA) with Google pursuant to Art. 28 GDPR.

Further information: policies.google.com/privacy

We use Google Tag Manager, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a management service through which we integrate and control tracking and analytics tools on our website. The Tag Manager itself does not create user profiles, does not store cookies, and does not carry out independent analyses. It serves solely to manage and deploy the tools integrated through it. However, Google Tag Manager does capture your IP address, which may also be transferred to Google servers in the USA.

Legal basis: Art. 6(1)(a) GDPR (consent), where consent-required services are integrated via the Tag Manager; otherwise Art. 6(1)(f) GDPR (legitimate interest in efficient management of tools in use).

Data transfer to the USA: Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Data processing agreement: We have concluded a DPA with Google pursuant to Art. 28 GDPR.

Further information: marketingplatform.google.com/about/analytics/tag-manager/use-policy/

We use Google Ads and conversion tracking provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display ads in Google Search and on partner websites when users enter certain search terms or are identified as a relevant target audience based on interest profiles.

Google Conversion Tracking enables us to measure whether users carried out a specific action on our website after clicking one of our ads (e.g. completing a booking). Google uses cookies or comparable recognition technologies for identification. We do not receive any information that would allow us to personally identify individual users.

Legal basis: Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time.

Data transfer to the USA: Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Details: business.safety.google/controllerterms/

Further information: policies.google.com/privacy

This website uses the remarketing function of Google, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Remarketing analyses your usage behaviour on our website (e.g. pages visited, offers viewed) and assigns you to advertising audiences. When you visit other websites, ads tailored to your prior behaviour are then displayed to you. The audiences created may be linked with Google's cross-device features, enabling personalised advertising messages to be shown across multiple devices.

Legal basis: Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time.

Data transfer to the USA: Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Opt-out: If you have a Google account, you can object to personalised advertising at: https://www.google.com/settings/ads/onweb/

Further information: policies.google.com/technologies/ads

Our website embeds videos from YouTube, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in enhanced privacy mode. This mode means that YouTube does not store any information about visitors to this website before a video is actively played. Data sharing with YouTube partners is not entirely excluded in enhanced privacy mode — YouTube may establish a connection to the Google network when the page loads

Once a video is started, your browser transmits information to YouTube servers. If you are logged into your YouTube account, YouTube may associate your browsing behaviour with your profile. You can prevent this by logging out of your YouTube account.

After a video starts, additional cookies may be set or comparable recognition technologies used.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the appealing presentation of our services). Where consent has been requested, processing takes place exclusively on the basis of Art. 6(1)(a) GDPR; consent may be withdrawn at any time.

Further information: policies.google.com/privacy

You have the right to request at any time whether and which personal data we hold about you, where it originates, for what purpose it is processed, and to whom it may have been disclosed.

You have the right to have inaccurate data corrected and incomplete data completed without undue delay.

You may request the erasure of your personal data, provided no statutory retention obligations or other legitimate grounds preclude deletion.

In certain cases (e.g. where you dispute the accuracy of the data or the processing is unlawful), you may request that the processing of your data be restricted to mere storage.

You have the right to receive data that you have provided to us and which we process automatically on the basis of your consent or for contract fulfilment, in a common machine-readable format, or to have it transferred directly to another controller.

You may withdraw any consent you have given at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.

WHERE DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THOSE PROVISIONS. WE WILL THEN NO LONGER PROCESS YOUR DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

WHERE YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING FOR SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

In the event of GDPR violations, you have the right to lodge a complaint with the competent data protection supervisory authority. The competent authority for Badenweiler is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI)
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI)

Königstraße 10a
70173 Stuttgart

https://www.baden-wuerttemberg.datenschutz.de

To exercise any of the rights listed above, please contact us at:

E-Mail: hotel@zur-sonne.de

Post:  Zur Sonne Hotel & Restaurant, Moltkestraße 4, 79410 Badenweiler

We endeavour to respond to your request within 30 days (Art. 12(3) GDPR).

_This privacy policy was last updated in Mai 2026._