Privacy Policy

Version: 18 June 2026. This is a courtesy English translation. The binding version is the German original.

Controller

The controller for the processing of personal data on this website under the GDPR is:

PASSION4IT GmbH, represented by Christian Kirsch, Postackerweg 9, 94234 Viechtach, Germany

[email protected] · www.passion4it.de

All further mandatory disclosures (commercial register, management, professional liability insurance) can be found in the legal notice.

Data protection officer

We have appointed an external data protection officer whom you can contact directly:

Stefan Köster, eConsulting Stefan Köster, Op de Elg 13a, 22393 Hamburg, Germany

[email protected] · koester-eConsulting.com

What we process and why

We only process personal data where there is a legal basis — typically your consent (Article 6(1)(a) GDPR), contractual initiation (b), a legal obligation (c) or our legitimate interest in operating a secure and functioning website (f). Personal data means any information that can identify you — for example, name, email address, phone number, IP address or the content of an enquiry.

We aim for data minimisation: standard technical data on each page request, plus what you actively share with us via the contact form, by email or when booking the room. Nothing more.

Hosting and delivery — Cloudflare Pages

This website runs on Cloudflare Pages and is delivered via the Cloudflare CDN. Provider is Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. When a page is requested, Cloudflare processes technical connection data (in particular your IP address, browser/device information, referrer, date and time of request) to deliver the content, balance load, mitigate DDoS attacks and provide TLS encryption.

Legal basis: Article 6(1)(f) GDPR (legitimate interest in secure, performant delivery). We have concluded a data processing agreement with Cloudflare including the EU standard contractual clauses; Cloudflare is certified under the EU-U.S. Data Privacy Framework. For details see the Cloudflare privacy policy.

We use cookies and comparable technologies only where they are technically necessary or where you have actively consented. On your first visit a consent banner appears with two categories:

  • Necessary — always active. Stores your consent decision and basic functions (such as language selection).
  • Analytics — optional. We currently do not enable any services in this category; it is reserved as a placeholder for future reach measurement and remains inactive without your consent. Should we enable analytics services, we will update this privacy policy accordingly.

The consent banner is built on the open-source library vanilla-cookieconsent v3. It runs entirely in your browser, does not transmit anything to third parties and stores your decision locally in a first-party cookie. You can change or fully revoke your consent at any time — the lawfulness of processing carried out before revocation remains unaffected.

Legal basis for the storage of optional cookies and comparable technologies: § 25(1) of the German Telecommunications-Digital Services Data Protection Act (TDDDG) in conjunction with Article 6(1)(a) GDPR (consent). For technically necessary cookies we rely on § 25(2)(2) TDDDG.

Server log files

Every page request causes your browser to automatically transmit technical data to our hoster Cloudflare. The following data is collected in particular:

  • IP address (truncated as soon as no longer needed for delivery)
  • Date and time of the request
  • Requested URL and HTTP status
  • Browser type, browser version and operating system
  • Referrer URL (the page you came from)

This data is technically required to deliver the website, detect security attacks (e.g. DDoS) and fix errors. Legal basis: Article 6(1)(f) GDPR. We do not merge server logs with other data sources and do not create personal profiles from them.

Fonts — self-hosted

We use the “Inter” typeface family. The fonts are served directly from our servers (via the Cloudflare CDN) — no connection to third parties such as Google Fonts or Adobe Fonts takes place.

Room booking via anny

Booking the RiverRoom runs via the external booking platform anny (anny.co). anny is not embedded on our website — only when you actively click “Book the room” or “Book now” do you leave our website and switch to the anny booking page. From that point on, the anny privacy policy applies. We process the data you provide there when booking (e.g. name, email address, booking period) in order to carry out the booking; legal basis is Article 6(1)(b) GDPR (performance of a contract).

Contact form

On our contact page you can send us your first name, last name, email address and your message via a form. When you submit the form, this information is transmitted to our server (a function on Cloudflare Pages) and delivered from there as an email to our mailbox. For the technical delivery of the email we use the service Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France). Brevo processes the transmitted data solely to deliver the email and not for its own purposes; we have concluded a data processing agreement with Brevo and processing takes place within the EU. We process the data solely to respond to your enquiry and do not pass it on to any further third parties. Legal basis: Article 6(1)(b) GDPR if your enquiry relates to entering into a contract (e.g. a room booking), otherwise Article 6(1)(f) GDPR (legitimate interest in responding to your enquiry). We store your enquiry until it has been fully processed.

YouTube in extended privacy mode

On the homepage we embed the RiverRoom trailer as a YouTube video. We use the extended privacy mode of YouTube via the youtube-nocookie.com domain. In addition, we apply a “click-to-load” pattern: as long as you do not actively start the video, no connection to YouTube or Google servers is established — what you see is only a locally stored preview image.

Once you click “Play”, the YouTube embed loads. At that point, data is transmitted to YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, USA) — typically IP address, browser/device information and the requested video ID. If you are signed in to your YouTube/Google account, YouTube can associate the access with your account. Legal basis is your consent through the active click on “Play” (Article 6(1)(a) GDPR) or our legitimate interest in presenting our content (Article 6(1)(f) GDPR). Transfers to the USA are based on the EU-U.S. Data Privacy Framework and the standard contractual clauses. For more see the Google privacy policy.

Map display — OpenStreetMap

On our home page we embed a map from OpenStreetMap to help you find your way to us. The provider is the OpenStreetMap Foundation (OSMF), St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. When you open the home page, your browser loads the map tiles directly from the OSMF servers; this technically transmits your IP address, without which the map cannot be delivered. For the map display itself, OpenStreetMap does not set tracking cookies and does not create an advertising user profile.

Legal basis is our legitimate interest in providing an easy-to-find route description (Article 6(1)(f) GDPR). For the United Kingdom there is an adequacy decision by the EU Commission under Article 45 GDPR, so the data transfer takes place at a recognised adequate level of data protection. For more see the OpenStreetMap Foundation privacy policy.

Enquiries by email or phone

If you contact us by email or phone, we process your contact details and the content of your enquiry in order to respond. Legal basis is Article 6(1)(b) GDPR, where your enquiry aims at a contract (e.g. a room booking); otherwise Article 6(1)(f) GDPR (legitimate interest in efficient handling). We store this data until the purpose has been fulfilled or statutory retention periods (e.g. § 257 HGB, § 147 AO) require longer storage.

Microsoft 365 and Microsoft Teams

For internal office communication and, where applicable, online meetings we use Microsoft 365 and Microsoft Teams. Provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

When we conduct an online meeting with you, Microsoft typically processes: display name, email address, meeting metadata (date, time, meeting ID), and during the meeting audio/video/chat content. We do not record meetings unless we have expressly agreed this with you in advance. Legal basis: Article 6(1)(b) GDPR (contract initiation/performance) or Article 6(1)(f) GDPR (efficient conduct of meetings). We have concluded a data processing agreement with Microsoft.

Transfers to third countries

Several of the services listed above (Cloudflare, Microsoft, YouTube/Google) transfer data to group companies outside the EU/EEA — in particular to the USA. We base these transfers on:

  • the EU standard contractual clauses under Article 46(2)(c) GDPR (incorporated into the respective data processing agreements),
  • the EU-U.S. Data Privacy Framework, where the respective provider is certified (Article 45 GDPR),
  • if applicable, your express consent under Article 49(1)(a) GDPR for services that are loaded exclusively on a consent basis.

We point out that a level of data protection comparable to that of the EU cannot be guaranteed in third countries. Access by state authorities (e.g. US security agencies) to personal data cannot be fully excluded.

Storage periods

We store personal data only for as long as necessary for the respective purpose. Contact enquiries are deleted after the case is closed; contractual and booking data is retained in accordance with commercial and tax retention obligations (6 to 10 years under § 257 HGB and § 147 AO).

Your rights

You have the right at any time to:

  • Access the personal data stored about you (Article 15 GDPR),
  • Rectification of inaccurate data (Article 16 GDPR),
  • Erasure, where no retention obligation applies (Article 17 GDPR),
  • Restriction of processing (Article 18 GDPR),
  • Data portability in a machine-readable format (Article 20 GDPR),
  • Object to processing based on Article 6(1)(f) GDPR and to direct marketing (Article 21 GDPR),
  • Withdraw consent already given, with effect for the future (Article 7(3) GDPR).

Send an informal message to [email protected] or contact our data protection officer directly. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority (for PASSION4IT GmbH: Bayerisches Landesamt für Datenschutzaufsicht, BayLDA, Promenade 18, 91522 Ansbach, Germany).

SSL / TLS encryption

The entire website is delivered exclusively over HTTPS (TLS). Your browser indicates this with the padlock symbol and the https:// prefix in the address bar. Transmissions from your browser to our server are therefore encrypted and cannot be read by third parties.

Advertising emails

The use of contact data published in the legal notice for the purpose of sending unsolicited advertising and information materials is hereby objected to. We reserve the right to take legal action in the event of unsolicited advertising — for example by spam email.

Changes to this privacy policy

We update this privacy policy when we introduce new services, when legal requirements change or when existing processing operations cease. The version applicable at any time is the version published on this page. Material changes are marked with an updated “Version” date at the top.