We are obliged by law to inform you about the processing of your personal data (hereinafter referred to as “data”) when you use our website. This data protection notice informs you about the details of the processing of your data and about your legal rights in this regard. For terms such as “personal data” and “processing”, the legal definitions pursuant to Art. 4 GDPR apply. We reserve the right to adapt the privacy policy with future effect, in particular in the event of further development of the website, the use of new technologies or changes to the legal bases or the corresponding case law. We recommend that you read this privacy policy from time to time and take a printout or a copy for your records.
This privacy policy applies to all pages of hopper.de. It does not cover any linked websites of other providers.
The following party is known as the controller under data protection law and therefore responsible for the processing of personal data within the scope of this privacy policy:
LFPI Hotels Management Deutschland II GmBH
Hopper Hotel St. Josef
Dreikönigenstraße 1-2
50678 Cologne
Tel.: +49221 998000
Email: st.josef@hopper.de
If you have any questions about data protection with regard to our company or our website, you can contact our data protection officer:
SPIRIT LEGAL Rechtsanwaltsgesellschaft mbH
Attorney-at-law and data protection officer
Peter Hense
Postal address:
Data protection officer
c/o Hopper Hotel St. Josef, Dreikönigenstraße 1-2, 50678 Cologne
Contact via encrypted online form:
Contact data protection officer
We have taken comprehensive technical and organisational precautions to protect your personal data from unauthorised access, abuse, loss and other external disruption. To this end, we regularly review our security measures and adapt them to the latest standards.
You have the following rights with regard to the personal data concerning you that you can assert against us:
You can assert your rights by informing us using the contact details specified under “Controller” above or by contacting the data protection officer designated by us.
If you believe that the processing of your personal data violates data protection law, then under Art. 77 GDPR you also have the right to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:
North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information, Postfach 200444, 40102 Düsseldorf, or: Kavalleriestraße 2-4, 40213 Düsseldorf, phone: +49211/38424-0, email: poststelle@ldi.nrw.de, https://www.ldi.nrw.de
In principle, you can use our website for purely informational purposes without disclosing your identity. When you access the individual pages of the website in this sense, this only results in access data being transferred to our web hosting service so that the website can be displayed to you. This involves the following data being processed:
It is necessary for this data to be processed temporarily in order to make it technically possible for you to visit our website and to deliver the website to your device. The access data is not used to identify individual users and is not combined with other data sources. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in ensuring the functionality, integrity and security of the website.
You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.
In addition to the aforementioned access data, technologies are used when you use the website which store information on your device (e.g. desktop PC, laptop, tablet or smartphone) or access information which is already stored on your device. These technologies may include, for example, cookies, pixels, local storage, session storage, IndexedDB or browser fingerprinting technologies. These technologies can be used to recognise you across devices and websites.
According to Sect. 25(1) of the German Telecommunications and Digital Services Data Protection Act (TDDDG), we generally require your consent for the use of these technologies. According to Sect. 25(2) TDDDG, this is only not required if the technologies either enable the transmission of a message via a public telecommunications network or if they are absolutely necessary to provide a telemedia service that you have expressly requested:
Some elements of our website serve the sole purpose of transmitting a message (Sect. 25(2) No. 1 TDDDG or are absolutely necessary to provide you with our website or individual features thereof (Sect. 25(2) No. 2 TDDDG). The elements are erased after storage is no longer required.
You can prevent processing by adjusting your browser settings accordingly. For elements whose storage duration is not limited to the session, you can adjust your browser settings so that the elements are erased after your session has expired.
Our website also uses elements that are not technically necessary. We only use these technologies with your consent in accordance with legal requirements. Information about the individual technologies and features can be found in our “settings” within the consent management platform (Cookiebot) as well as in the following information, which is sorted according to the individual features.
To make it easier for us to ask for your consent to the use of cookies or other tracking technologies so that we can process your device information and personal data when you visit our website, we use the consent tool Cookiebot. Cookiebot gives you the opportunity to accept or decline the processing of your device information and personal data using cookies or other tracking technologies for the purposes listed in Cookiebot. Such processing purposes may include the integration of external elements, integration of streamed content, statistical analysis, reach measurement, personalised product recommendations, or personalised advertising. You can change your settings again later on. The purpose of integrating Cookiebot is to allow users of our website to decide whether to allow cookies and similar technologies, and to offer them the opportunity to change settings that they have already made when they continue to use our website. When Cookiebot is used, we process personal data as well as information from the devices used. Your data will also be sent to Cookiebot (Usercentrics A/S, København K 1058 (København), Havnegade 39 , CVR 34, Denmark). The information about the settings you have made is also stored on your device. The legal basis for the processing is Art. 6(1) Sentence 1(c) GDPR in conjunction with Art. 7(1) GDPR, insofar as the processing serves to fulfil the legally standardised obligations to provide evidence for the granting of consent. Otherwise, Art. 6(1) Sentence 1(f) GDPR is the relevant legal basis. Our legitimate interests in this processing lie in the storage of users’ settings and preferences with regard to the use of cookies and the evaluation of consent rates. Your user settings will be stored until they are no longer required for the purposes for which they were collected, unless you delete the information about your user settings using the device functions provided for that purpose beforehand.
You may object to the processing, insofar as processing is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.
When you contact our company, e.g. by email, we will process the personal data provided by you so that we can respond to your request. The legal basis of this processing is Art. 6(1) Sentence 1(f) GDPR and Art. 6(1) Sentence 1(b) GDPR, if the contact is made with the intention of concluding a contract. If the request is aimed at or relates to the conclusion of a contract, it is necessary for you to provide your data. If you do not provide your data, it will not be possible to conclude/execute a contract and process the request. As soon as processing is no longer necessary, we will erase the data generated here – usually after three years after the end of the communication – or, if statutory retention obligations apply, restrict processing of the data.
You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.
We process your personal data if and to the extent necessary for the initiation, creation, execution and/or termination of a legal transaction with our company. The legal basis for this results from Art. 6(1) Sentence 1(b) GDPR. It is necessary for you to provide your data in order to conclude the contract and you are contractually obliged to provide your data. If you do not provide your data, it will not be possible to conclude and/or execute a contract. Once the purpose has been achieved (e.g. handling the contract), the personal data will be blocked for further processing or erased, unless we are obliged to continue storing it due to statutory retention obligations, for example.
We also process personal data for the establishment, exercise or defence of legal claims. The legal basis for this processing is Art. 6(1) Sentence 1(c) GDPR and Art. 6(1) Sentence 1(f) GDPR. In these cases, we have a legitimate interest in the assertion or defence of claims.
You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.
We may also process the aforementioned personal data to fulfil other legal obligations, in particular if there is an enforceable official or court order or if we are obliged to do so by law. The legal basis in such cases is Art. 6(1) Sentence 1(c) GDPR.
Commercial accommodations, to which we belong as hotels, are obliged according to Sect. 30 of the German Federal Act on Registration (BMG) to process the following data of the guest, in particular on the day of arrival, as part of the registration form:
We are legally obliged to keep registration forms available and to collect, process and pass on this data within the framework of the BMG. The legal basis for the processing results from Art. 6(1) Sentence 1(c) GDPR in conjunction with Art. 30(1) BMG. You are required by law to provide your data. If you do not provide your data, it will not be possible to conclude the contract or carry out the stay. We will erase your registration data after 15 months at the latest (see Sect. 30(4) BMG).
If you use our online booking system on the website, for example to book a room in our hotel or to enquire about availability in our hotel, it is necessary and obligatory for the initiation and conclusion of the contract that you provide personal data such as a form of address, your first and last name, contact details (email address), your address, the travel period, payment information and details of the persons travelling with you (e.g. first name, last name, email address); further information, such as your telephone number, is provided voluntarily. Mandatory information required to process the booking and contract is marked as such; any other information you provide (such as the selection of additional services) is voluntary. The legal basis for the processing of the contract or booking data provided by you for preparing and carrying out the booking process is Art. 6(1) Sentence 1(b) GDPR. In this case, the provision of your personal data is necessary and obligatory, as otherwise it is not possible to conclude a contract. To prevent unauthorised third parties from accessing your personal data, the order process on the website is encrypted using SSL technology. To clearly display available hotel rooms and to process your booking or reservation request, we use the OnePageBooking booking system, which is provided by HotelNetSolutions GmbH (Genthiner Str. 8, 10785 Berlin; hereinafter referred to as: “OnePageBooking”), which acts as the recipient of your personal data in this context. The booking information you provide is therefore processed by both us and OnePageBooking. We process your data for booking and payment purposes. If you do not provide the mandatory information, it will not be possible to conclude a contract or make a booking. We will erase the data processed in connection with the booking after storage is no longer necessary, or restrict its processing to compliance with statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to keep your booking and invoice information for a period of ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations.
We reserve the right to use the email address you provide when booking in accordance with the statutory provisions in order to send you emails during or after the booking or your stay with feedback requests about your stay, suggestions for improvement, etc., unless you have already objected to this processing of your email address.
The legal basis of the data processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests in the processing described lie in enhancing and optimising our services and ensuring customer satisfaction. We will erase your data when you stop using the service, but no later than three years after termination of the contract. We use an external provider specialising in customer feedback to send the emails. For more information about this service provider, please refer to the “Customer feedback management” section.
We would like to point out that you can object to receiving direct marketing and to the processing of the data for direct marketing purposes at any time without incurring any costs other than the transmission costs according to the basic rates. Here you have a general right of objection without giving reasons (Art. 21(2) GDPR). To do this, click on the unsubscribe link in the relevant email or send us your objection to the contact details provided under “Controller”.
For managing customer feedback and the centralised sending of feedback emails, we use the services of TrustYou GmbH (Schmellerstraße 9, 80337 Munich; hereinafter referred to as: “TrustYou”). If you have made a booking in our online shop, the relevant data (in particular the travel period, your name and email address) will be transmitted to TrustYou and stored on its servers. TrustYou acts as our processor and is contractually limited in its authority to use your personal data for purposes other than to provide services to us in accordance with the data processing agreement entered into. For further information about the protection of your data and how long TrustYou stores your data, please refer to TrustYou’s privacy policy: www.trustyou.com
For the purpose of payment processing, we transmit the payment data required for the credit card payment to the bank commissioned with the payment or, if applicable, to the payment and invoicing service provider commissioned by us. This processing occurs on the basis of Art. 6(1) Sentence 1(b) GDPR. The provision of your payment data is necessary and obligatory in order to conclude and execute the contract. If you do not provide payment data, it will not be possible to conclude and/or execute a contract by means of credit card payment. The data required for payment processing is transmitted securely using SSL encryption and processed exclusively for payment processing. As soon as storage is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce it to compliance with our legal obligations.
In the event of non-payment, we reserve the right to pass on the data provided at the time of ordering to a lawyer and/or to external companies in order to ascertain an address and/or enforce our rights. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests lie in fraud prevention and avoiding default risks. In addition, we may pass on your data to the extent necessary in order to safeguard our rights, as well as the rights of our affiliates, our partners, our employees and/or users of our website. Under no circumstances will we sell or rent your data to third parties. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in the processing for the purpose of enforcing our rights. As soon as storage is no longer necessary, we will erase the data generated or, if statutory retention obligations apply, restrict processing of the data.
You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.
We use external hosting services provided by IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany), which serve to provide the following services: infrastructure and platform services, computing capacity, storage resources and database services. For these purposes, all of the data required for the operation and use of our website – including the access data mentioned under “Using our website” – is processed. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. By using hosting services, we are pursuing our legitimate interests in making our website efficient and secure. More information is available at: https://www.ionos.de/terms-gtc/datenschutzerklaerung
You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.
We use Google Tag Manager, which is a service provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as: “Google” and “Google Tag Manager”). Google Tag Manager is a solution that allows website tags and other elements to be managed through a single interface.
Firstly, when you visit the website with Google Tag Manager, an HTTP request is sent to Google. As a result, device information and personal data – such as your IP address and information about your browser settings – are transmitted to Google. We use Google Tag Manager to facilitate electronic communications by providing information to third-party providers, including through programming interfaces. Google Tag Manager implements the respective tracking codes of the third-party providers without us having to go to the effort of changing the source code of the website ourselves. Instead, integration is performed by a container that places what is known as placeholder code in the source code. Google Tag Manager also enables the exchange of users’ data parameters in a certain order, in particular by ordering and systematising the data packets. In isolated cases, your data will also be transferred to the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google, LLC is certified under this. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs The legal basis for the data processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in the processing for the purposes of facilitating and carrying out electronic communication by identifying communication endpoints, control options, exchanging data elements in a defined order, and identifying transmission errors. Google Tag Manager does not initiate data storage. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy
You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.
You can prevent the processing by deleting the browser history and other website data in your browser settings or by opening your browser in “private mode”.
On the other hand, Google Tag Manager integrates tags from third-party providers, such as tracking codes or tracking pixels, on our website. The tool triggers other tags, which in turn record your data; our privacy policy explains this separately in each case. Google Tag Manager itself does not evaluate the device information and personal data of users collected by the tags. Rather, your data is forwarded to the specific third-party service for the purposes specified in our consent management tool. We have configured Google Tag Manager to work with our consent management tool in such a way that triggering certain third-party services in Google Tag Manager depends on the selections you make in our consent management tool, so that only those tags from third-party providers trigger data processing for which you have given consent. The use of Google Tag Manager is subject to your consent for the specific third-party service. The legal basis of this processing is your consent under Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google, LLC is certified under this. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs The following descriptions of the individual third-party services specify how long your data will be stored in each case. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy
You can withdraw your consent to the processing at any time by moving the slider back for the specific third-party provider in the consent tool settings [insert link]. Please note that this will not affect the lawfulness of the processing before your withdrawal.
We use services from third parties for statistical, analysis and marketing purposes. This enables us to offer you a user-friendly, optimised experience when visiting the website. The third-party providers use cookies, pixels, browser fingerprinting or other tracking technologies to control their services. In the following, we inform you about the services from external providers currently in use on our website, about the related processing in each case, and about how you can withdraw your consent.
In order to tailor our website perfectly to user interests, we use Google Analytics, a web analytics service from Google (Google Ireland, Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US; hereinafter referred to as: “Google” and “Google Analytics 4”). Google Analytics 4 uses so-called cookies, which are stored on your device for recognition purposes, as well as similar tracking methods for the purpose of device recognition such as tracking pixels, device fingerprinting and programming interfaces (e.g. APIs and SDKs) in order to process information from your device. For this purpose, your device is assigned a randomly generated identification number (cookie ID / device ID).
Google uses these technologies to process the information generated about the use of our website by your device as well as access data for the purpose of statistical analysis – e.g. the fact that you have visited a certain page; the number of unique visitors; entry and exit pages; time spent by the visitor on the website; clicking, swiping and scrolling behaviour; activation of buttons; registration for the newsletter; bounce rate; and similar user interactions. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Access data includes in particular the IP address, browser and device information, cookie ID / device ID, the website visited before and the date and time of the server request.
In Google Analytics 4 systems, no individual IP addresses are logged or stored. At the time of collection of your IP address by Google in dedicated local data centres in the EU, your IP address will be used to determine location information. The IP address is then erased before the access data is stored in a data centre or on a server for Google Analytics. In Google Analytics 4, no precise data about the geographical location is provided, but only general location information such as the region and city of the device’s location derived from the IP address. Google will process this information for the purpose of evaluating your use of this website, compiling reports for us on website activity, and – where we point this out separately – providing us with other services relating to website usage. If you are registered with a Google service, Google can associate the visit with your account and create and evaluate user profiles across applications.
In addition, a cross-platform analysis of usage behaviour is carried out on websites and apps that use Google Analytics 4 technologies. This enables equal recording, measurement and comparison of usage behaviour across different environments. For example, user scrolling events are automatically recorded to provide a better understanding of how websites and apps are used. For this purpose, different cookie IDs / device IDs are used for different devices. Subsequently, we are provided with anonymised statistics on the use of the various platforms, compiled according to selected criteria.
With the help of Google Analytics 4, target groups are automatically created for specific cookie IDs / device IDs or mobile advertising IDs, which are later used for targeted personalised advertising. Target group criteria may include but are not limited to: users who have viewed products but not added them to a shopping cart or have added them to a shopping cart but not completed the purchase OR users who have purchased certain items. A target group comprises at least 100 users. With the help of the Google Ads tool, interest-based ads can then be displayed in search results. Similarly, it is possible to recognise users of websites on other websites within the Google advertising network (in Google Search, on YouTube, so-called Google Ads, or on other websites) and present them with ads tailored to the specified target group criteria.
With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) TDDDG; for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google, LLC is certified under this. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs Your data processed in connection with Google Analytics 4 will be erased after 26 months at the latest. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy
You can withdraw your consent to the processing at any time by moving the slider back in the consent tool settings [insert link]. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.
Google Ads Remarketing
We use the Google Ads tool with the Dynamic Remarketing feature, which is provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Ads”). The Dynamic Remarketing feature allows us to recognise users of our website on other websites within the Google advertising network (in Google Search or on YouTube, so-called Google Ads, or on other websites) and present ads tailored to their interests. Ads may also refer to products and services that you have already viewed on our website. For this purpose, analyses are performed of user interactions on our website, e.g. which offers a user was interested in, so that we can display targeted advertising to users on other sites after they have left our website. When you visit our website, Google Ads stores a cookie on your device. Google uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. If a user is registered with a Google service, Google can associate the visit with the user’s account and create and evaluate user profiles across applications. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) TDDDG; for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google, LLC is certified under this. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs The maximum storage period with Google is 24 months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy
You can withdraw your consent to the processing at any time by moving the slider back in the consent tool settings [insert link]. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.
Google Ads Conversion
We use Google Ads, which is a service provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as: “Google” and “Google Ads”), in order to use ads (formerly known as “Google AdWords”) to draw attention to our attractive services on external websites. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising activities are. These ads are delivered by Google via so-called ad servers. For this purpose, we use ad server cookies, which can be used to measure certain parameters for reach measurement, such as the display of ads or clicks by users. If you reach our website via a Google ad, Google Ads stores a cookie on your device. Google uses the cookies to process the information generated by your device about interactions with our ads (retrieval of a particular web page or clicking on an ad), and the data mentioned under “Using our website” – in particular the IP address, browser information, the website visited before and the date and time of the server request – for the purpose of analysing and visualising the reach measurement of our ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will still obtain and process your IP address. We only receive statistical analyses from Google for the purpose of measuring the success of our ads. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25 TDDDG; for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google, LLC is certified under this. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs The maximum storage period with Google is fourteen months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy
You can withdraw your consent to the processing at any time by moving the slider back in the consent tool settings [insert link]. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.
