The protection of personal data and the privacy of users is an integral part of Escapio’s corporate philosophy. Compliance with legal data protection regulations and the sensitive handling of our user’s information and data is therefore also important to Escapio. Please refer to our contact form for questions and/or suggestions.
Data Protection Declaration
Address of the office responsible
Am Treptower Park 28
12435 Berlin / Germany
Authorized Managing Director: Alexander Igor Schwartinski
Register court: Amtsgericht Berlin Charlottenburg
Registration number: HRB 94491 B
Name and address of the data protection officer
You can contact our data protection team at firstname.lastname@example.org at any time for general questions about data protection and to enforce your rights.
For direct contact with our data protection officer, please send your request by post to the address below with the note “For the attention of the data protection officer”:
At Treptower Park 28
12435 Berlin / Germany
Types of data processed:
- Inventory data (e.g., names, addresses)
- Contact information (e.g., e-mail, phone numbers)
- Content data (e.g., text entries, photographs, videos)
- Contract data (e.g., subject matter, duration, and customer category of the contract)
- Payment data (e.g., bank details, payment history)
- Usage data (e.g., accessed websites, interest in content, access times)
- Meta and communication data (e.g., device information, IP addresses)
Processing of special categories of data (Article 9 (1) GDPR):
- No special categories of data are processed.
Categories of processed data subjects:
- Customers / Interested parties / Suppliers
- Online visitors and online users of the online services
Hereafter referred to as “users”.
Purpose of processing:
- Provision of the online service, its contents and functions
- Provision of contractual services, provision of services and customer care
- Answering contact requests and communicating with users
- Marketing, advertising and market research
- Security measures
Effective as of: July 15, 2020
1. Relevant legal bases
In accordance with Article 13 of the GDPR, we inform you about the legal basis of our data processing. Unless the legal basis in the data protection declaration is mentioned, the following applies: The legal basis for obtaining consent is Article 6 (1) (a) and Article 7 of the GDPR, the legal basis for the processing for the performance of our services and the execution of contractual measures as well as the response to inquiries is Article 6 (1) (b) GDPR, the legal basis for processing in order to fulfill our legal obligations is Article 6 (1) (c) GDPR, and the legal basis for processing in order to safeguard our legitimate interests is Article 6 (1) (f) GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6 (1) (d) GDPR serves as legal basis.
3. Security measures
3.1. We take appropriate technical and organization measures in accordance with Article 32 GDPR, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity of the risk for the rights and freedoms of natural persons to ensure a level of protection appropriate to the risk. Measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access, input, disclosure, security, assurance of availability and separation. In addition, we have established procedures that ensure exercising the rights of the data subjects, data erasure, and data vulnerability. Furthermore, we consider the protection of personal data already in the development, for example through the selection of hardware, software and procedures, according to the principles of data protection by technology design and by privacy-friendly default settings as per Article 25 of the GDPR.
3.2. One of the security measures pertains, in particular, to the encrypted transfer of data between your browser and our server.
4. Cooperation with external contract processors and third parties
4.1. If, in the context of our processing, we disclose data to other persons and companies (contract processors or third parties), transmit data to them or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g. if a transmission of the data to third parties is required by payment service providers, pursuant to Article 6 (1) (b) GDPR for the performance of a contract), or if you have consented to a legal obligation, or based on our legitimate interests (e.g. the use of agents, web hosts / web hosting providers, etc.).
4.2. If we commission third parties to process data on the basis of a so-called “data processing agreement,” this is done on the basis of Article 28 GDPR.
5. Data Transfer for Bookings
5.1. Tour Operators and Agents
When making a booking using our product listing pages, it is necessary for the contract initiation and conclusion that you provide personal data such as your name, address and e-mail address. In the course of your booking or booking request, the booking information is also shared with the respective tour operator or agent, e.g. Hideaways AS, for the fulfillment or preparation of your contract, so that they can further process your booking. These Third Parties Providers will then use your personal data in accordance with their own privacy policies and on their own authority.
5.2. Transfers of data to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or in the context of the use of third party services or disclosure or transmission of data to third parties, this will only be done if it is to fulfill our (pre) contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only in the presence of the special conditions of Article 44 et seq. GDPR. That is, the processing is based, for example, on particular guarantees, such as the officially recognized level of data protection (e.g. for the US through the Privacy Shield) or compliance with and based on the observance of the officially recognized special contractual obligations (so-called “standard contractual clauses”).
6. Rights of the persons concerned / data subjects
6.1. You have the right, upon request, to obtain confirmation as to whether or not the data in question is being processed and for information about this data as well as for further information and a copy of the data in accordance with Article 15 GDPR.
6.2. In accordance with Article 16 GDPR, you have the right to obtain the rectification of the data concerning you and you have the right to have incomplete personal data completed.
6.3. In accordance with Article 17 GDPR, you have the right to request that the data in question be erased without undue delay, or alternatively, in accordance with Article 18 GDPR, to demand a restriction of the processing of data.
6.4. You have the right to demand that the data relating to you, which you have provided to us, be obtained in accordance with Article 20 GDPR and to request its transmission to another controller or persons responsible.
6.5. According to Article 77 GDPR, you also have the right to lodge a complaint with the relevant supervisory authority.
7. Right of withdrawal
You have the right to revoke granted consent in accordance with Article 7 (3) GDPR with immediate future effect.
8. Right of objection
You may object to the future processing of your data in accordance with Article 21 GDPR at any time. In particular, the objection may be made against processing for direct marketing purposes.
9. Cookies and the right to object to direct marketing
10. Erasure of data
10.2. According to legal requirements, the storage takes place in particular for 6 years in accordance with 257 (1) HGB (trading books, inventories, opening balance sheets, annual accounts, trade letters, accounting documents, etc.) and for 10 years in accordance with section 147 (1) AO (books, records, management reports , etc.)
11. Provision of contractual services
11.1. We process inventory data (e.g., names and addresses as well as contact information of users), contract data (e.g., services used, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Article 6 (1) (b) GDPR. The entries marked as obligatory in online forms are required for the completion and conclusion of the contract.
11.2. We process user data (e.g., the visited web pages of our online services, interest in our products) and content data (e.g., entries typed into contact forms or user profiles) for advertising purposes in a user profile to inform the user e.g. to display product instructions based on the user’s previous activities.
11.3. The erasure takes place after the expiry of legal warranty and comparable obligations, the necessity of keeping the data is checked every three years; in the case of legal archiving obligations, the erasure takes place after its expiry (end of commercial law (6 years) and tax law (10 years) retention obligation); information in the customer account remains until its erasure.
12. Contacting us
12.1. When contacting us (via contact form or e-mail), the information provided by the user is processed in order to process the contact request and its resolution in accordance with Article 6 (1) (b) GDPR.
12.2. User information is stored in our customer relationship management system (“CRM System”) or comparable system.
12.3. We erase contact requests, if and when they are no longer required. We check the necessity every two years; requests from users who have an account with us, we store permanently and refer to the erasure on the details of the user account. In the case of legal archiving obligations, the erasure takes place after its expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).
13. Comments and posts
13.1. If users leave comments or other contributions, their IP addresses, based on our legitimate interests within the meaning of Article 6 (1) (f) GDPR, are stored for seven (7) days.
13.2. This is for our own safety, in case someone shares illegal content in the form of comments and contributions (insults, prohibited political propaganda, etc.). In such a case, we may face prosecution for the comment or post and are, therefore, interested in the identity of the author.
14. Collection of access data and log files
14.1. Based on our legitimate interests in the legal sense within the meaning of Article 6 (1) (f) GDPR we collect data of every access to the server on which this service is located (so-called server log files). The access data includes the name of the retrieved web page, file, date and time of retrieval, amount of data transferred, message about successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
14.2. Log file information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of seven (7) days after which it is then deleted. Data whose further retention is required for evidential purposes shall be exempted from the deletion or erasure until final clarification of the incident.
15. Online presence in social media
15.1. We maintain an online presence within social networks and platforms in order to communicate with customers, prospective customers and users who are active there and to inform them about our services. By using the respective networks and platforms, the terms and conditions of their respective operators and the data processing guidelines apply.
16. Cookies and reach measurement
16.1. Cookies are information transmitted from our web server or third-party web servers to users’ web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.
16.2. We use “session cookies” that are only stored for the duration of the current visit to our online platform (for example, to enable the storage of your login status or the shopping cart function and to thus enable the use of our online services). In a session cookie, a randomly generated unique identification number is stored, a so-called session ID. This type of cookie contains information about its origin and its retention period. These cookies cannot save any other data. Session cookies will be erased when you have finished using our online service and you have, for example, logged out of your account or closed the browser window.
17. Google Analytics
17.2. Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation and data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
17.3. Google will use this information on our behalf to evaluate the use of our online services by users, to compile reports on the activities within this online service and to provide us with further services related to the use of this online service and the internet usage. In doing so, pseudonymous usage profiles of the users can be created from the processed data.
17.4. We use Google Analytics to display advertisements displayed within Google and its affiliate advertising services only to those users who have shown an interest in our online services or who have certain characteristics (e.g. interests in specific topics or products, which are determined by the web pages visited by them), which we submit to Google (so-called “remarketing” or “Google Analytics audiences”). With Remarketing Audiences, we also want to make sure that our advertisements are in line with the potential interest of our users and are not annoying.
17.5. We only use Google Analytics with activated IP anonymization. This means that the IP address of the users will be shortened by Google within member states of the European Union or in other contracting states of the agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there.
17.6. The IP address submitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by setting their browser software accordingly; users may also prevent the collection by Google of the data generated from cookies and related to their use of online services as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
18. Google Re/Marketing Services
18.1. On the basis of our legitimate interests (i.e. interest in the analysis, optimization, commercial, and economic operation of our online services within the context and meaning of Article 6 (1) (f) GDPR) we use the marketing and remarketing services (“Google Marketing Services “) of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, (“Google”).
18.2. Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google Marketing Services allows us to better target advertisements for and on our website so that we only present advertisements that potentially match their interests to users. When a user is, for example, shown advertisements for products they have shown an interest in on other websites, this is called remarketing. For these purposes, when Google and our or other websites that are running Google Marketing Services are activated or directly accessed by Google, a code will be executed by Google and so-called (re) marketing tags (invisible graphics or code, etc., also called “web beacons”) are added and incorporated into the website. With their help, the user is provided with an individual cookie, viz. a small file is saved (instead of cookies, comparable technologies can also be used). The cookies can be set by different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. In this file is noted which web pages users visited, what content users are interested in and what offers users have clicked on, as well as technical information about the browser and operating system, referring web pages, visit time and other information with regards to the use of the online service. The IP address of the users is also recorded, whereby in the context of Google Analytics the IP address is shortened within member states of the European Union or other contracting states of the agreement on the European Economic Area. Only in exceptional cases data is transmitted to a Google server in the US and shortened there. The IP address will not be merged with data of the user within other offers from Google. The information mentioned above may also be linked by Google with information from other sources. If the user then visits other websites, they will be displayed according to the user’s interests with tailored, customized advertising.
18.4. The data of the users are pseudonymized and processed in the context of the Google marketing services. That is, Google does not store or process, for example, the name or e-mail address of the users, but rather the relevant data cookie-related within pseudonymous user profiles. That means, from the perspective of Google, the advertisements are not managed and displayed to a specifically identifiable person, but to the cookie owner, regardless of who that cookie owner is. This does not apply if a user has explicitly allowed Google to process the data without this pseudonymization. The information collected about users through Google Marketing Services is transmitted to Google and stored on Google’s servers in the United States.
18.5. Among the Google marketing services we use is the online advertising program, “Google AdWords”. In the case of Google AdWords, each advertiser receives a different “conversion cookie”. Cookies cannot be tracked through AdWords advertisers’ websites. The information collected by means of cookies is used to generate conversion statistics for AdWords advertisers who have opted for conversion tracking. Advertisers will see the total number of users who clicked on their advertisements and were redirected to a conversion tracking tag page. However, they do not receive any information that personally identifies users.
18.8. Likewise, we use the service “Google Optimizer”. Google Optimizer allows us to understand how various changes to a website (such as changes to the input fields, the design, etc.) take place in so-called “A/B testings”. Cookies are stored on users’ devices for these purposes. We only process pseudonymous data.
18.9. In addition, we use the “Google Tag Manager” to integrate and manage the Google analytics and marketing services on our website.
18.11. If you wish to opt-out of interest-based advertising through Google Marketing Services, you may take advantage of Google’s settings and opt-out options: https://adssettings.google.com/authenticated.
19. Facebook, Custom Audiences and Facebook Marketing Services
19.1. Based on our legitimate interests in the analysis, optimization, commercial, and economic operation of our online service, we use the so-called “Facebook pixel” of the social network Facebook, which is owned by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are located in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (“Facebook”) on our website and online service.
19.2. Facebook is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
19.3. With the help of the Facebook pixel, it is on the one hand possible for Facebook to determine the visitors to our online service as a target group for the presentation and display of advertisements (so-called “Facebook ads”). Accordingly, we use the Facebook Pixel to display the Facebook Ads we have been sent only to those Facebook users who have shown an interest in our online service or who have certain features (e.g. interests in certain topics or products determined by the web pages visited by them), which we transmit to Facebook (so-called “Custom Audiences”). With the help of the Facebook pixel, we also want to make sure that our Facebook ads are in line with the potential interest of users and are not annoying. With the help of the Facebook pixel we can also determine the effectiveness of the Facebook ads for statistical and market research purposes, in which we can determine whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”).
19.4. The processing of the data by Facebook is part of Facebook’s data usage policy. Accordingly, general notes on how to display Facebook Ads, can be found in Facebook’s Data Usage Policy: https://www.facebook.com/policy.php. For specific information and more details about the Facebook Pixel and how it works, please refer to the help section on Facebook: https://www.facebook.com/business/help/651294705016616.
19.5. You may object to the capture by the Facebook Pixel and use of your data to display Facebook ads. In order to change the settings with regards to which types of ads you see on Facebook, you can go to the page set up by Facebook and follow the instructions for the usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform independent, which means they will be implemented across all devices, such as desktop computers or mobile devices.
19.6. You may also deactivate the use the cookies for distance measurement and promotional purposes via the deactivation page of the Network Advertising Initiative (https://optout.networkadvertising.org/?c=1) via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
20. Facebook social plugins
20.1. Based on our legitimate interests (i.e. interest in the analysis, optimization, commercial, and economic operation of our online service within the meaning of Article 6 (1) (f) GDPR) we use social plugins (“plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (“Facebook”). The plugins may be interactive elements or content (e.g. videos, graphics, copy, or text contributions) and can be recognized by one of the Facebook logos (white “f” on a blue tile, the terms “Like”, or a “thumbs up” sign) or are clearly marked with the add-on “Facebook Social Plugin”. A list and the appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
20.2. Facebook is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
20.3. When a user visits our webpages or online services and / or calls up a feature of the online services that includes a plugin, the plugin establishes a direct connection between their browser and the Facebook server. The content of the plugin is transmitted by Facebook directly to the device of the user and incorporated into the online service. In the process, user profiles can be created from the processed data. We therefore have no influence on the amount of data that Facebook collects with the help of these plugins and therefore inform the users according to our knowledge.
20.4. By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online service. If the user is logged in to a Facebook account, Facebook can assign the visit to their (the user’s) Facebook account. If users interact with the plugins, for example, by pressing the Like button or leaving a comment, the information is transmitted from the user’s device directly to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will identify and save the user’s IP address. According to Facebook, only an anonymous IP address is stored in Germany.
20.6. If a user is a Facebook member and does not want Facebook to collect data about them via our online service and link it to their member data stored on Facebook, the user must log out of their Facebook account and delete their cookies before using our online service. Other settings and revocations regarding the use of data for advertising purposes can be found and viewed on the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform independent, which means they are adopted for and implemented across all devices, such as desktop computers or mobile devices.
21. Amazon affiliate program
22.1. In the following information, we inform you about the contents of our newsletter as well as the registration process, the mailing and the statistical evaluation procedures, as well as your right of objection. By subscribing to our newsletter, you agree to the receipt and the procedures described.
22.2. Content of the newsletter: We send newsletters, e-mails and other electronic notifications containing promotional or advertising information (hereafter “newsletter”) only with the consent of the recipient or a legal permission. Insofar as the contents of a newsletter are concretely described in detail, the description of the content is authoritative for the consent of the users. Furthermore, our newsletters contain information about our products, offers, promotions and our company.
22.3. Double opt-in and logging: The registration for our newsletter takes place in a so-called double-opt-in procedure. After registration, you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with external e-mail addresses. The registration for the newsletter will be logged in order to prove the registration process according to legal requirements. This includes the storage of the login and the confirmation time, as well as the IP address. Similarly, changes to your data stored with the mailing service provider will be logged.
22.6. Furthermore, the mailing service provider may, according to its own information, transmit these data in pseudonymous form, i.e. without assignment to a user, to optimize or improve their own services, e.g. for the technical optimization of the dispatch and the presentation of the newsletters or for statistical purposes, to determine from which countries the recipients come. However, the shipping service provider does not use the data of our newsletter recipients to contact them or to pass them or their information on to third parties.
22.7. Credentials: To subscribe to the newsletter, providing your valid e-mail address is sufficient. We ask you to provide a name in the newsletter in order to address you personally, but this is optional.
22.8. Measuring success – The newsletters contain a so-called “web beacon”, that is to say, a pixel-sized file that is retrieved from the mailing service provider’s server when the newsletter is opened. This will initially collect technical information, such as information about the browser and your system, as well as your IP address and time of retrieval. This information is used to improve the technical performance of services based on their specifications or audience and their reading habits, based on their locations (which can be determined using the IP address) or access times. Statistical surveys also include determining if the newsletters were opened, when they were opened and which links were clicked. This information can be allocated to individual newsletter recipients for technical reasons. However, it is neither our endeavor nor that of the shipping service provider to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
22.9. The dispatch of the newsletter and the performance measurement are based on the consent of the recipient(s) in accordance with Article 6 (1) (a), Article 7 GDPR in connection with Section 7 (2) Nr. 3 Act Against Unfair Competition (AAUC) or on the basis of the statutory permission pursuant to Article 7 (3) AAUC.
22.10. The logging of the registration process is based on our legitimate interests in accordance with Article 6 (1) (f) GDPR and serves as proof of consent to the receipt of the newsletter.
22.11. Termination / Revocation – You may terminate the receipt of our newsletter at any time, i.e. revoke your consent to receive our newsletter. A link to cancel the newsletter can be found at the end of each newsletter.
23. Integration of services and content of third parties
23.1. Based on our legitimate interests (i.e. interest in the analysis, optimization, commercial, and economic operation of our online service within the meaning of Article 6 (1) (f) GDPR), we make use of content or services offered by third-party providers in order to provide their content and services, such as videos or fonts (hereafter collectively referred to as “content”). The inclusion of content from third-party providers always requires that the third-party providers of this content perceive the IP address of the users, since they need these IP addresses in order to send content to the users’ browser. The IP address is therefore required for the presentation of this content. We strive towards only using content whose respective providers use the IP address, solely for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website and online services. The pseudonymous information may also be stored in cookies on the user’s device and may include, but is not limited to, technical information about the browser and operating system, referring web sites, visit times, and other information regarding the use of our online service.
23.2. The following presentation provides an overview of third-party providers and their contents, as well as links to their data protection statements, which contain further details on the processing of data and, as already mentioned here, revocation possibilities (so-called opt-out):
- Within our online service prices of the service, or rather the platform, Hotelscombined is included (hereafter referred to as “Hotelscombined”). Hotelscombined is an offer by HotelsCombined Pty Ltd, Suite 1, Level 1, 7 Kelly Street, Ultimo, 2007, NSW Sydney, Australia.