Casa Habicht
Johanna Brecher
Habichtsgasse 6
A-6167 Neustift im Stubaital
Tyrol/Austria
+43 650 5111295
[email protected]

Protecting your personal data is a matter of great importance to us. We therefore process your data exclusively in accordance with the applicable legal regulations (GDPR, TKG 2003). In this privacy policy, we inform you about the most important aspects of data processing on our website, our booking system, inquiries, voucher purchases, newsletter registration, as well as the use of our social media channels (e.g. Facebook, Instagram, etc.).

We are committed to providing you with outstanding quality and the best possible service. To ensure this, we collect and process personal data in the course of our business operations – particularly in the following cases:

– Inquiries via the contact form or by email
– Bookings made through our website or third-party platforms
– Visits to our website (e.g. IP address, cookies, usage behavior, etc.)
– Use of our newsletter or social media channels

The processing of this data is carried out in accordance with Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures) as well as Article 6(1)(f) GDPR (legitimate interest in effective and customer-friendly communication and presentation of our services).

Your personal data is treated with strict confidentiality and will not be disclosed to third parties unless there is a statutory obligation to do so or you have provided your explicit consent in accordance with applicable data protection regulations.

Notice: This website uses SSL encryption (HTTPS) to ensure the secure transmission of your personal data.

Website:
When you visit our website, we collect technically necessary data that is automatically transmitted to our server. This includes, but is not limited to:
– IP address of the requesting device
– Date and time of access
– Type of device used
– Access status / HTTP status code
– Browser type, language, and version of the browser software
– Operating system used

This data is technically necessary to correctly display our website to you. Furthermore, we use this information to ensure the stability and security of the website, as well as to continuously develop and adapt our online services to better meet your expectations.
The legal basis for this data processing is Article 6(1)(f) GDPR (legitimate interest).

Forms & Email contact:
If you contact us via a form on our website or by email, submit an inquiry, or make a booking, we process the personal data that you voluntarily provide to us. This includes, in particular:
– Name (first and last name)
– Postal address
– Email address
– Telephone number
– Individual content of your message or inquiry
– If applicable, your interests (e.g. preferred travel dates, number of guests, accommodation preferences)

This data is necessary in order to respond to your inquiry and/or process your booking. We store and process your information exclusively for this purpose.
Your data will not be disclosed to third parties, except to companies acting on our behalf as data processors (e.g. IT service providers, booking systems). We have concluded data processing agreements with these companies, obligating them to handle your data with the same care and in full compliance with applicable data protection laws as we do ourselves.

The specific service providers acting as data processors are listed further below in this privacy policy.

Personal data
First and last name, full address, all contact information (e.g., email address, telephone number), information about the type of agreement and its contents.

Other personal datayou provide or a third party provides with your consent, or data that is otherwise permitted at the time you initiate the agreement, throughout the contractual relationship (e.g., when the guest card is issued), or for the purpose of complying with statutory regulations:
Date of birth or age, marital status, gender, profession, identification card details, bank account information, signatory or representative authority, contractual obligation, cancellation deadlines, or other personal information you have provided yourself.

Use of processors
Protecting your data is very important to us. Even if we use a processor, we ensure that the data is processed within the European Union.

Our processors
- Feratel - guest register in accordance with § 19 MeldeV (German Registration Regulation)
- easyGuestmanagement GmbH
- Sendinblue GmbH (called Brevo)
– Firma Cloudflare Inc. (Webseite-Sicherheit & Performance)
- If applicable, other service providers involved in hosting, IT support, or booking systems, each with a data processing agreement in accordance with Art. 28 GDPR (General Data Protection Regulation)

1. Registration data

1.1 Registration obligation
According to the Austrian Registration Law, you are required to register with us and provide us with the data specified in § 5 and § 10 of the Austrian Registration Law. This applies to the following data:
Name, date of birth, gender, nationality, country of origin, and address with postal code. Foreign guests are also required to provide the type of travel document they are traveling with, its number, place of issue and issuing authority, as well as date of arrival and departure.

1.2. Guest register
We are required by law to keep this data in a guest register as stipulated by § 19 of the Austrian Registration Law and save it for seven (7) years unless it is processed for a longer period of time for other reasons specified by this privacy policy. We administer the guest register electronically and forward the data to an IT processor, where the data is saved locally. The data is not transferred to a third country.

1.3. Forwarding of data
Arrival and departure data, together with country of origin, is forwarded in accordance with § 6 of the Regulation on Tourism Statistics (Tourismus-Statistik-Verordnung) to the municipality in which our tourist accommodation establishment is located. Aggregated data about the total number of overnight stays and the names of persons required to pay a local tourist tax are also forwarded to the respective tourism association Stubai Tirol to which we belong. This is done in accordance with § 9 of the Tyrolean Regulation on Local Tourist Tax (Tiroler Aufenthaltsabgabegesetz).

1.4 Legal basis for data processing
The processing of data as specified above in items 1.1 to 1.3 is based on Art. 6, para. 1, lit. c GDPR (fulfillment of legal obligation).

1.5 Additional data forwarded to the tourism association/municipality
We also forward your postal code and year of birth (in pseudonymized and anonymized form) to our municipality and our tourism association. This is done for statistical purposes so that the tourism association can create and evaluate statistics on country of origin and age. The data is forwarded in accordance with Art. 6, para. 1, lit. e (public interest) and lit. f (legitimate prevailing interests) GDPR. You can file an objection at any time for reasons resulting from your particular situation (Art. 21, para. 1 GDPR).

2. Guest card

2.1 General information
You can make use of a guest card. A guest card offers discounts and/or services provided by various regional businesses (e.g., discounted admission). The guest card is valid for the duration of your stay with us.

2.2 Issuing of guest cards
Guest cards are issued by the accommodation provider upon request only. Depending on the guest card system used by the tourist association and/or tourist accommodation establishment, you will be issued one of the following:
- Electronically generated guest card,
- Electronically generated guest card,
- Carbon copy of the registration form.
ausgestellt.

2.3 Processed personal data
For both the electronically generated and manually created guest card, the following personal data, which is taken from the registered data (see item 1 above), is processed:
First name, last name, date of birth and duration of stay (arrival/departure), country of origin, postal code.
If the guest card is issued as a carbon copy of the registration form, it includes information as stipulated in § 5 in conjunction with § 9 of the Austrian Registration Law (see 1.1 Registration data). In this case, the data is not processed electronically for guest card purposes.
The following additional personal data is processed when the guest card is used: data about the card's usage frequency, services used, bookings, transaction logging, billing data, reference to registered data and the tourist accommodation establishment.
This data is required to determine, on the one hand, your identity, and on the other hand, to determine the guest card's duration of validity at the respective service provider's establishment. It also facilitates the settlement of discounts between the service providers, the tourism association, and if need be, the tourist accommodation establishments.

2.4 Legal basis for data processing
Data is processed for guest card purposes, based either on your consent (Art. 6, para. 1, lit. a GDPR) or, for the purpose of contractual performance (Art. 6, para. 1, lit. b GDPR), if the guest card is part of service provisioning as specified in the accommodation agreement.
You may revoke your consent at any time by notifying the accommodation provider verbally or by sending an email to the following address: [email protected].

2.5 Guest card system administration
The guest card system is managed by the local tourism association. Other parties involved are the local tourist accommodation establishments and local companies (service providers).
Data that is processed for guest cards is deleted after forty-eight (48) months.

2.6 Data recipients
Data processed for guest card purposes is forwarded to the local tourism association to facilitate the billing of service providers and/or tourist accommodation establishments.
Individual service providers, who honor the guest card and offer discounted services, also receive this data when you use services provided by these establishments that are offered through the guest card.
To claim discounts, you must present the card containing this data to the service provider. The establishment then checks if the card is (still) valid, usually by scanning the barcode on the guest card and then by transferring the barcode data to our IT processor. At this time, personal data is also transfered to the establishment, in particular, data about your identity (to verify identity and date of birth).
If the guest card is a carbon copy of the registration form, the establishment verifies its validity by means of the carbon copy of the registration form.

3. Other processing of your data
As a rule, we process only data that is absolutely necessary to conclude and execute the agreement. However, upon your consent and until revoked, we will also provide you with information about our services. We will send you information via the following communication channels if you have given us the respective data:
Telephone, email, mobile number for texts, address, social media information

4. Confirmation of identity
To protect your rights and your privacy, we may request that you provide proof of identity in case of doubt.

5. Claim to rights for a fee
If the complaint is deemed manifestly unfounded or is lodged particularly often, we have the right to charge a reasonable processing fee or to reject complaint processing.

6. Responsibility to cooperate
As part of our responsibility to cooperate, we are obligated to provide data as stipulated by statutory regulations (e.g., Austrian Federal Fiscal Code (BAO), Austrian Registration Law (Meldegesetz), Austrian Code of Civil Procedure (ZPO), Austrian Code of Criminal Procedure (StPO), etc.) upon request.

In addition, all other provisions of this privacy policy apply to the processing of this data, in particular those in the above sections on registration data, guest cards, cookies, and order processing..

Our website uses Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), to statistically evaluate the use of our website and to continuously optimize our online offering.

Google Analytics uses so-called “cookies,” which are text files stored on your device that enable an analysis of your use of the website. The information generated by the cookie about your use of this website (including your IP address) is generally transmitted to a Google server and stored there — potentially also in the United States.

However, we use Google Analytics with IP anonymization enabled (“_anonymizeIp()”). This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there. As a result, any direct personal reference is excluded.

Google uses this information on our behalf to:
– analyze your use of the website
– compile reports on website activity
– provide other services related to website and internet usage to the website operator.

The IP address transmitted by your browser as part of Google Analytics will not be merged with other data held by Google.

Google is certified under the EU-U.S. Privacy Shield framework (www.privacyshield.gov).

For more information about Google’s terms of use, please visit:
www.google.com/analytics/terms/de.html

For more information about Google’s privacy policy, please visit:
www.google.com/intl/de/analytics/privacyoverview.html

Our website uses the map service Google Maps, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). This enables us to display interactive maps directly on our website and to provide you with convenient use of the map features – for example, to help you plan your journey or find your way around.

When you access a page on which Google Maps is integrated, information — in particular your IP address of the requesting device is transmitted to Google servers. These servers may also be located in the USA . Google may combine this data with other information (e.g. your Google account, if you are logged in) and use it to create usage profiles.

You can prevent the transmission of data to Google by disabling JavaScript in your browser settings or by rejecting all cookies. However, please note that in this case, the services provided by Google Maps will no longer be available to you.

For more information about Google’s terms of use, please visit:
www.google.com/analytics/terms/de.html

For more information about Google’s privacy policy, please visit:
www.google.com/intl/de/analytics/privacyoverview.html

For more information about Google’s Maps terms of use, please visit:
www.google.com/intl/de_US/help/terms_maps.htm

On our website we use Google Fonts, a service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), to ensure the consistent and visually appealing presentation of fonts.

When you visit our website, your browser loads the required web fonts directly from Google’s servers. In doing so, a connection is established to Google’s servers, which allows Google to receive and store your IP address. These servers may also be located in the USA . According to current information, no cookies are set in connection with the provision of Google Fonts. Google Web Fonts are hosted locally on our server to avoid data transmission to Google. In exceptional cases, if data is retrieved from Google servers, this is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

Google is certified under the framework of the EU-U.S. Data Privacy Framework . This ensures an adequate level of data protection pursuant to Article 45 GDPR, even when data is transferred to the United States. Further information can be found at: https://www.dataprivacyframework.gov/

We use social media plugins on our website provided by the social network Facebook , operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. You can recognize the integration of these plugins by typical symbols such as the “Like” button or other Facebook logos.

Social media plugins are disabled by default on this website and are only loaded after you have given your express consent (opt-in). If you visit a page that contains such a plugin and have previously given your consent, a direct connection is established between your browser and Facebook's servers. Information such as your IP address, the browser used, the operating system, the previously visited website, and the date and time of access is transmitted to Facebook. This data transfer takes place regardless of whether you have a Facebook account or are logged in. If you are logged in to Facebook while visiting our website, Facebook can directly associate your visit to our website with your user account.

The data collected in this manner is stored by Facebook as usage profiles and used for the purposes of advertising, market research, and the customized design of the Facebook platform. Even users who are not logged in may be affected by this data collection. We use these plugins to offer you an interactive user experience, to improve our online services, and to make our website more appealing. The legal basis for this use is Art. 6 Abs. 1 lit. f DSGVO, where our legitimate interest lies in optimizing our online presence and enhancing user-friendliness.

Please note that, as the provider of this website, we have no influence over the scope of the data collected and processed by Facebook through the use of this plugin. For more information about the purpose and scope of data collection, as well as the further processing and use of data by Facebook, please refer to Facebook’s privacy policy at:
https://www.facebook.com/privacy/explanation

Meta Platforms Inc. (formerly Facebook Inc.), based in the United States, is certified under the EU-U.S. Data Privacy Framework . This ensures an adequate level of data protection even when personal data is transferred to the United States. For more information, please visit:
https://www.dataprivacyframework.gov/

If you contact us via the contact form on our website or by email, we will process the personal data you provide (e.g., name, email address, message text) exclusively for the purpose of processing your inquiry and in the event of follow-up questions. The processing is based on our legitimate interest in efficiently handling your request in accordance with Art. 6 (1) lit. f GDPR or, if the purpose of the contact is to conclude a contract, for the implementation of pre-contractual measures in accordance with Art. 6 (1) lit. b GDPR. The data you provide will be stored for up to six months and then deleted, unless there are legal retention obligations. It will not be passed on to third parties without your express consent.

If you subscribe to the newsletter offered on our website, we will process your personal data (e.g., email address, IP address, time of registration) solely for the purpose of sending you the newsletter. Registration follows the double opt-in procedure: After submitting the form, you will receive an email asking you to verify your registration by clicking on a confirmation link. The date, time, and IP address of the registration and confirmation will be stored for verification purposes. Only after this confirmation will your email address be activated for the newsletter.

The legal basis for the processing of your data is your consent pursuant to Art. 6 (1) lit. a GDPR. Providing your consent is voluntary and can be revoked at any time with future effect—for example, via the unsubscribe link included in every newsletter. Unsubscribing is automatically considered a withdrawal of your consent. Upon withdrawal, your personal data will be promptly deleted, unless statutory retention obligations apply.

The newsletter is sent via the service provider Brevo (formerly Sendinblue), operated by Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. We have entered into a data processing agreement with Brevo in accordance with Art. 28 GDPR. All data is processed exclusively on servers within the European Union. For more information on data protection at Brevo, please visit:
https://www.brevo.com/en/legal/privacypolicy/

To evaluate and improve our newsletter content, we use tracking pixels and link tracking. This allows us to record whether and when an email was opened and which links within the email were clicked. The evaluation is carried out in a pseudonymized form and serves to optimize the content and delivery rates of our newsletters. Your data will not be shared with third parties. You can also object to this use at any time.

If you make a booking through our website, a connection to our external booking system will be established for technical processing. In this context, the personal data you provide (e.g., name, contact details, booking information) will be transmitted to the service provider’s server and processed there in accordance with the applicable data protection regulations. Data processing takes place exclusively for the purpose of carrying out pre-contractual measures or fulfilling a contract pursuant to Art. 6 (1) lit. b GDPR. Your data will not be passed on to third parties beyond this, unless this is necessary for the fulfillment of the contract or you have expressly consented to such transfer. We retain your booking data only for as long as is necessary to process your booking and to comply with any applicable legal retention requirements.

Your master data and other personal data will be deleted when it is no longer required for the purpose for which it was stored – generally after seven (7) years in accordance with Section 132(1) of the Austrian Federal Tax Code (BAO) – or when storage becomes inadmissible for legal reasons.

Instead of deletion, the data can also be anonymized, which means that any personal references are irretrievably removed.

Under the General Data Protection Regulation (GDPR), you as a data subject have comprehensive rights regarding your personal data. These rights are intended to ensure transparency and give you control over how your data is processed.

Right of Access:
You have the right to request confirmation from us as to whether we are processing personal data concerning you. If this is the case, you may request access to this data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data has been or will be disclosed (particularly in the case of transfers to third countries); the envisaged period for which the data will be stored (or, if not possible, the criteria used to determine that period); the existence of automated decision-making, including profiling; and, where the personal data was not collected directly from you, any available information about the source of the data.

Right to Rectification:
If your data is inaccurate or incomplete, you have the right to request its prompt rectification or completion.

Right to Erasure (“Right to be Forgotten”):
You have the right to request the erasure of your personal data, provided that the legal requirements are met – for example, if the data is no longer needed for its original purposes, you have withdrawn your consent, or the data was processed unlawfully. Erasure will not take place if statutory retention obligations or other legal grounds prevent it.

Right to Restriction of Processing:
You may request the restriction of processing if you contest the accuracy of the data, if the processing is unlawful and you oppose the erasure of the data, if we no longer need the data but you require it for the establishment, exercise, or defense of legal claims, or if you have objected to the processing and a verification of overriding legitimate interests is still pending.

Right to Data Portability:
You have the right to receive the personal data that you have provided to us in a structured, commonly used, and machine-readable format and to transmit this data to another controller, provided that the processing is based on your consent or a contract and is carried out by automated means. Where technically feasible, you also have the right to have the data transmitted directly from one controller to another.

Right to Object:
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data where such processing is based on Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions. Following your objection, your personal data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

Right to Withdraw Consent:
If the processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of the processing carried out before the withdrawal remains unaffected.

Right to Lodge a Complaint with a Supervisory Authority:
If you believe that the processing of your personal data violates data protection regulations, you have the right to lodge a complaint with the competent supervisory authority. In Austria, this is the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Wien, www.dsb.gv.at.

If you have any questions regarding this privacy statement or the processing of your personal data by us, please feel free to contact us via email at: [email protected].

This privacy policy is effective as of August 15, 2025, and replaces the existing privacy policy.

Neustift im Stubaital, August 15, 2025