Privacy policy
Habyt GmbH and our affiliated subsidiaries (hereinafter jointly referred to as "the company", "we" or "us") take the protection of your personal data seriously and we would like to inform you at this point about the way in which your personal data is processed by us in the context of your visit to our website at www.habyt.com and with regard to booking our living offers.
1. Controller
The controller for the processing of your personal data within the meaning of Art. 4 (7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is:
Habyt GmbH
Kronenstr. 63
10117 Berlin
phone: +49 15737854920
hallo@habyt.com
2. Data Protection Officer
If you have any questions on the subject of data protection at our company our external data protection officer is available to you. You can reach him under the following e-mail:
mailto:datenschutz.hamburg@mazars.de
3. Data processing when visiting the website
When you visit our website, we process your personal data.
3.1. Logfiles
When you visit our website, a so-called log data record (so-called server log files) is stored temporarily and anonymously on our web server. This consists of:
- the page from which the page was requested (so-called referrer URL)
- the name and URL of the requested page
- the date and time of the request
- the description of the type, language and version of the web browser used
- the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established
- the amount of data transferred
- the operating system
- the message whether the request was successful (access status/http status code)
- the GMT time zone difference
The processing of log data serves statistical purposes and to improve the quality of our website, in particular the stability and security of the connection as well as purposes of identifying and tracing unauthorised access to the web server and other criminal offences
The legal basis for the data processing is Art. 6 (1)(1)(f) GDPR. Our legitimate interests for the temporary storage of technical access data are to be able to provide you with a technically functional and user-friendly website and to be able to guarantee the security of our systems.
The recipients of the data are our hosting service providers.
Log file information is stored from the end of your website visit for a maximum of 30 days and is then deleted.
The data processing is necessary for the operation of our website. If you wish to object to data processing, you can do so by not visiting our website.
The provision of personal data is neither legally nor contractually required, but it is necessary for the functioning of our website.
3.2. General information about cookies
We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive by means of a characteristic character string and through which certain information flows to the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer as a whole more user-friendly and effective, i.e. more pleasant for you.
Cookies can contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that cannot be related to a specific person. However, cookies cannot directly identify a user.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:
- Technical cookies: these are required to navigate the website, use basic features and ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store which web pages you have visited;
- Performance cookies: these collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect information that could identify you - all information collected is anonymous and is only used to improve our website and find out what interests our users;
- Advertising cookies, targeting cookies: these are used to provide the website user with tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
- Sharing cookies: These are used to improve the interactivity of our website with other services (e.g. social networks); Sharing cookies are stored for a maximum of 13 months.
Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your consent pursuant to Art. 6 (1) (1) (a) GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. In addition, we will only share your personal data processed through cookies with third parties if you have given your consent to do so pursuant to Art. 6 (1) (1) (a) GDPR. In the following, we name the legal bases in connection with the respective service.
We only store your data for as long as it is required to fulfil the stated purposes. Afterwards, the cookies will be deleted.
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) of the Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG), which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
Insofar as your consent pursuant to Art. 6 (1) (1) (a) GDPR constitutes the legal basis for the data processing, you have the right to withdraw your consent at any time. You can do this by deleting the cookies in your browser.
The provision of your personal data is neither legally nor contractually required. However, without the provision, the functionality of our website may not be guaranteed. In addition, it is possible that individual services or services will not be available.
3.3. Analysis and Tracking
This website uses the following analysis and tracking tools:
Google Optimize
We use Google Optimize of the company Google Inc., respectively Google Ireland Limited [Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland; Tel: +353 1 543 1000, Fax: +353 1 686 5660, E-Mail: support-deutschland@google.com ("Google")] on our website.
Google Optimize is a support service of Google Analytics. The service enables us to test design variants of our web pages and determine their effect. Among other things, this serves the purpose of making new web designs, layouts, content and similar presentation options available to certain user groups on a test basis. The tests are evaluated by us via Universal Analytics or Google Analytics 4. The service thus provides us with information on how we can optimize our web offering.
Cookies are used to obtain the above information. These are text files that are stored on your device and allow an analysis of the use, by you visited websites. The following data is processed:
- IP address (anonymized)
- User behavior
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
The legal basis for the processing is your consent pursuant to Art. 6 (1) (1) (a) GDPR, which you can withdraw at any time in the cookie settings.
Google deletes your personal data as soon as it is no longer needed for the processing purpose. Information stored in cookies is deleted after two years and 29 days at the latest.
The data transferred to Google LLC is predominantly stored on servers managed by Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) in the European Economic Area (EEA). However, it cannot be ruled out that your personal data may also be stored on servers located outside the EEA in the USA. After the EU-US Privacy Shield has ceased to apply, a transfer of data to the USA can at best be based on standard contractual clauses and further guarantees issued by the EU Commission. Although the transfer of personal data is based on standard contractual clauses, this does not rule out the possibility that the U.S. security authorities, which have extensive powers, can access your personal data at any time and without any reason. This applies even if the servers are located in Europe. As a U.S. company, Google may also be required to transfer personal data of EU citizens to the U.S. security authorities that is located on servers in the EU or the EEA. There are no effective legal remedies available to you against this.
Click here to read Google's privacy policy
https://policies.google.com/privacy?hl=de
Click here to read Google's cookie policy
https://policies.google.com/technologies/cookies?hl=de
Click here to opt-out on all Google domains:
https://safety.google/privacy/privacy-controls/
Google Analytics 4
We use Google Analytics 4 to analyze and improve the use of our website.
Google Analytics 4 is a web analytics and tracking service provided by Google LLC ("Google"). Google Analytics 4 may use so-called "cookies" if we activate the cookie function. In addition, Google Analytics 4 uses a standard anonymized user and client ID generated by our website or app as well as Google signals to identify users.
The anonymized user ID is assigned to a logged-in user after the user has been uniquely identified beforehand. With the help of the user ID, users can be identified regardless of the device they are using. For example, if users access the website or app via both smartphones and tablets, we can analyze the user paths using the user ID in a holistic overview of the data.
The client ID is a unique, randomly generated string that acts as a pseudo-anonymized identifier and anonymously identifies a browser instance. It is stored in the browser cookies so that subsequent calls to the same website can be assigned to the same user.
Google signals are session data from websites and apps that Google links to users who are logged into their Google account and have activated personalized advertising. Linking data to these logged-in users enables cross-device reporting, cross-device remarketing, and the export of cross-device usage results (known as "conversions") to Google Ads.
The data processed by Google Analytics 4 is personal data within the meaning of Art. 4 (1) GDPR. Google Analytics 4 collects personal data in the form of user characteristics and event data, among other things. The latter are automatically recorded events (user activities, number of sessions, clicks on ads, which ads are viewed, removal or deletion of credentials, crashes of websites or apps, completion or cancellation of subscriptions, clicks on links, scrolling behavior, ends of videos viewed, etc.), events optimized for analytics (number of sessions, clicks on ads, which ads are viewed, removal or deletion of credentials, crashes of websites or apps, completion or cancellation of subscriptions, clicks on links, scrolling behavior, ends of videos viewed, etc.), events optimized for analytics (page views, scrolls, actuation of external links, website searches, playing videos, file downloads, etc.), recommended (purchase process on the website, travel offers, games), and custom events (events that are neither automatically captured nor recommended). Session data is also collected, such as multiple page views, events (see above), social interactions, and e-commerce transactions.
User properties are attributes of the users who interact with your app or website. They are used to describe user segments such as language preference or geographic location. Some user properties are automatically logged in Google Analytics 4.
The information generated by the cookie, the user ID and Google signals about your use of this website is usually transmitted to a Google server in the USA and stored there. In case of activation of IP anonymization, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate your use of the website, to compile reports on website activity, to make a forecast regarding your future web behavior and to provide other services to the website operator related to website and Internet use. User ID data collected in one website or app cannot be shared or combined with data from another website or app. Data about devices and activities from different sessions on a website or app, on the other hand, can be merged and combined using the User ID or Google signals. Collecting and combining the data is likely to create usage profiles about you.
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
The legal basis for the processing of data using Google Analytics 4 is your consent pursuant to Art. 6 (1) (a) GDPR.
You can withdraw your consent to the processing of your personal data through the use of Google Analytics 4 at any time by changing your cookie settings accordingly.
You may also refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link:
tools.google.com/dlpage/gaoptout
You can prevent the collection of your data by Google Analytics by setting an opt-out cookie that will prevent the collection of your data during future visits to this website:
We use Google Analytics with the extension "_anonymizeIp()". This shortens the IP addresses (so-called IP masking).
Hotjar
We use Hotjar (Hotjar Ltd. Level 2, At. Julian's Business Centre, 3, Elia Zammit Street, St Julien's STJ 1000, Malta) on our Website in order to statistically analyze visitor data and optimize the offer and experience on this website. Using Hotjar's technology, we can analyze your behavior and feedback on our website to get a better understanding of how our website is used. (e.g. how much time you spend on which pages, which links you click, what you like and dislike, etc.). For this purpose, Hotjar processes the following data:
- Your IP address (collected and stored only in anonymized form during your website usage).
- screen size
- Device type (unique device identifiers)
- Information about the browser used
- Location (country only)
- language preferred for viewing our website.
The legal basis for the storage of the required cookie is your consent pursuant to Section 25 (1) TDDDG, which you declare by opting in.
The further processing of your personal data after the storage or readout is also based on your consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO.
You can declare your consent in accordance with Section 25 (1) TDDDG and Art. 6 (1) p. 1 lit. a DSGVO with a single click on the corresponding button in our cookie banner.
You can find more information in the privacy policy of Hotjar: https://www.hotjar.com/legal/policies/privacy/de/.
3.4. Social Media Plug-ins
Our website also uses other services that do not use cookies, but through other technologies, such as Javascript codes, web beacons, tags, other identifiers supported by AI-based technology that read data from or store data in visitors' devices.
On our website, we have integrated functions from Twitter in the form of a button (Twitter plug-ins). Twitter is both a short message service and a social media platform with blog-like functions of the company Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA with a branch office at One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland. On Twitter, users can exchange short messages or upload text, image or video content and make it visible to an unspecified number of users.
The integration of Twitter functions serves the purpose of offering our services via various channels and communicating with our customers or interested parties.
Cookies are set via Twitter buttons or widgets integrated into websites as soon as you activate the functions. Through the use of cookies, it is possible for Twitter to record your visits to these websites and assign them to your Twitter profile. The following data is collected:
- Usage data
- Browser data (language settings etc.)
- Browser cookie IDs
- ID of your cell phone
- E-mail addresses
This data is evaluated in particular (also for users who are not logged in) for the display of tailored advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, your data collected from us will be directly assigned to your existing account with the plug-in provider. If you click the activated button and link to the page, for example, the plug-in provider also saves this information in your user account and shares it publicly with your contacts.
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
The legal basis for the use of the Twitter plug-in is your consent pursuant to Art. 6 (1) (a) GDPR, which you can withdraw at any time in the cookie settings.
Information about this and the available setting options can be found on the following Twitter support pages:
https://help.twitter.com/de/using-twitter/tailored-suggestions
https://help.twitter.com/de/rules-and-policies/twitter-cookies
Twitter shares your personal data with its processors and third-party service providers that are located outside the European Economic Area ("EEA"), where they set their own cookies, such as Google LLC. These providers process the personal data obtained in this way for their own purposes, e.g. analysis and marketing as well as your usage behavior on external and their own websites. Profiling is also not excluded.
The personal data collected from you and from third-party providers is transmitted to servers managed by Twitter, most of which are located in the USA. Following the discontinuation of the EU-US Privacy Shield, a transfer of data to the USA can at best be based on standard contractual clauses issued by the EU Commission and further guarantees. Although the transfer of personal data is based on standard contractual clauses, this does not rule out the possibility that the U.S. security authorities, which have extensive powers, can access your personal data at any time and without any reason. This applies even if the servers are located in Europe. There are no effective legal remedies available to you against this.
The data collected via our website will be deleted, summarized or otherwise obscured by Twitter after a maximum of 30 days. Twitter may store your personal data until it is no longer useful to the company or there is a legal deadline for deletion.
Facebook plugin
Our website uses so-called social plugins ("plugins") of the social network Facebook, which is operated by Meta Platforms Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). The plugins are marked with a Facebook logo. An overview of the Facebook plug-ins and their appearance can be found here: https://developers.facebook.com/docs/plugins.
When you call up a page of our website that contains such a plug-in, your browser establishes a direct connection to Facebook's servers via cookies stored on your device. The content of the plug-in is transmitted by Facebook directly to your browser and integrated into the page. Through this integration, Facebook receives the information that your browser has accessed the corresponding page of our website, even if you do not have a Facebook profile or are not currently logged into Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there. If you are logged in to Facebook, Facebook can directly assign your visit to our website to your Facebook profile. If you interact with the plugins, for example by clicking the "Like" button or posting a comment, this information is also transmitted directly to a Facebook server and stored there. The information is also published on your Facebook profile and displayed to your Facebook friends.
The purpose and scope of the data collection as well as the further processing and use of the data by Facebook as well as your rights in this regard and setting options for protecting your privacy can be found in Facebook's privacy policy: http://www.facebook.com/policy.php. If you do not want Facebook to directly assign the data collected via our website to your Facebook profile, you must log out of Facebook before visiting our website. You can also completely prevent the loading of Facebook plugins with add-ons for your browser, e.g. for
Mozilla Firefox: https://addons.mozilla.org/de/firefox/addon/facebook-blocker/
for Opera: https://addons.opera.com/de/extensions/details/facebook-blocker/?display=en
for Chrome: https://chrome.google.com/webstore/detail/facebook-blocker/chlhacbfddknadmnmjmkdobipdpjakmc?hl=de
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR, which you can withdraw at any time in our cookie settings.
There is no legal obligation to provide your data. If you refrain from doing so, you cannot share our content directly via the share buttons.
Facebook Pixel
On our website, we use the Facebook pixel from Facebook (from Meta Platforms Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, with another branch: Meta Platforms Ireland Limited 4 Grand Canal Square, Grand Canal Harbour, Dublin, D02, Ireland). For this purpose, we have inserted a code on our website. This is a JavaScript code (pixel) that enables certain functions on the page. If you have come to our website via Facebook ads, Facebook can track your usage actions via the Facebook pixel. For example, if you purchase a product on a website, the Facebook pixel is triggered and stores your actions on the website in one or more cookies. The following data is collected in the process:
- Viewed advertisements
- Viewed content
- Device information
- Geographic location
- HTTP headers
- Interactions with advertisements, services and products
- IP address
- Clicked items
- Marketing information
- Non-confidential custom data
- Pages visited
- Pixel ID
- Referrer URL
- Marketing campaign success
- Usage data
- User behavior
- Facebook cookie information
- Facebook user ID
- Usage/click behavior
- Browser information
If you have a Facebook account, it is possible for Facebook to match the data with your Facebook account data. This data collected via Facebook pixel is anonymous for us and only becomes usable for us when we want to place advertisements. If you are logged in as a Facebook user when you call up our website, your visit to our website will be assigned to your Facebook account.
The purpose of using the Facebook pixel is to better tailor our advertising measures to your wishes and interests. This enables us to show you personalized advertising. Facebook collects your data for the purpose of data analysis and tracking as well as to implement its own advertising measures.
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR, which you can withdraw at any time in our cookie settings.
There is no legal obligation to provide your data. If you refrain from doing so, you cannot share our content directly via the share buttons.
The data processed via the Facebook pixel is partly stored on servers in the European Economic Area ("EEA"). However, the data also reaches servers managed by Meta Platforms in the USA. Following the discontinuation of the EU-US Privacy Shield, a transfer of data to the USA can at best be based on standard contractual clauses issued by the EU Commission and further guarantees. It is true that the transfer of personal data is based on standard contractual clauses under which Meta Platforms undertakes to process personal data in accordance with European data protection standards. However, this does not exclude the possibility that the U.S. security authorities, which are equipped with comprehensive powers, may access your personal data at any time and without any reason. This applies even if the servers are located in Europe. As a U.S. company, Meta Platforms may also be required to transfer personal data of EU citizens to the U.S. security authorities that is located on servers in the EEA. There are no effective legal remedies available to you against this.
Meta Platforms will delete your personal data after 720 days at the latest.
You can get more information about the processing here: https://www.facebook.com/legal/terms/dataprocessing
General information about Facebook's privacy policy can be obtained here: https://www.facebook.com/policy.php
Instagram Social Plug-ins
Our website uses so-called social plugins ("plugins") from Instagram, which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). The plugins are marked with an Instagram logo, for example in the form of an "Instagram camera". An overview of the Instagram plug-ins and their appearance can be found here: http://blog.instagram.com/post/36222022872/introducing-instagram-badges. When you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the servers of Instagram. The content of the plugin is transmitted by Instagram directly to your browser and integrated into the page. Through this integration, Instagram receives the information that your browser has called up the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram. This information (including your IP address) is transmitted by your browser via cookies directly to a server of Instagram and stored there. If you are logged in to Instagram, Instagram can directly assign your visit to our website to your Instagram account. If you interact with the plugins, for example by clicking the "Instagram" button, this information is also transmitted directly to an Instagram server and stored there. The information is also published on your Instagram account and displayed there to your contacts. Instagram processes your personal data for analysis and marketing purposes. Your usage behavior is also evaluated by Instagram.
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR, which you can withdraw at any time in the cookie settings.
There is no legal obligation to provide your data. If you refrain from doing so, you cannot share our content directly via the share buttons.
The data processed via the Instagram plug-in is stored on servers managed by Meta Platforms in the USA. After the discontinuation of the EU-US Privacy Shield, a transfer of data to the USA can at best be based on standard contractual clauses issued by the EU Commission and further guarantees. It is true that the transfer of personal data is based on standard contractual clauses under which Meta Platforms undertakes to process personal data in accordance with European data protection standards. However, this does not exclude the possibility that the U.S. security authorities, which are equipped with comprehensive powers, may access your personal data at any time and without any reason. This applies even if the servers are located in Europe. As a U.S. company, Meta Platforms may also be required to transfer personal data of EU citizens to the U.S. security authorities that is located on servers in the EEA. There are no effective legal remedies available to you against this.
You can find further data protection information from Instagram here: https://help.instagram.com/155833707900388/.
If you do not want Instagram to directly assign the data collected via our website to your Instagram account, you must log out of Instagram before visiting our website. You can also completely prevent the loading of Instagram plugins with add-ons for your browser, e.g. with the script blocker "NoScript" (http://noscript.net/).
Instagram deletes or anonymizes your data after 90 days at the latest.
4. Data processing with regards to our offers
4.1. Contact requests
If you submit inquiries or feedback in the context of a personal conversation, by means of a telephone call, via our contact form, our ChatBot, WhatsApp, by post or other interfaces, the data transmitted thereby will be processed (e.g. gender, surname and first name, address, company, email address and the time of transmission).
If the purpose of the contact is to conclude a contract or to ask about an existing contract, the legal basis is Art. 6 (1) (1) (b) GDPR. Otherwise, the data is processed for the purpose of handling your enquiry. In this case, the legal basis of the processing is Art. 6 (1) (1) (f) GDPR.
Insofar as the processing of personal data is based on Art. 6 (1) (1) (f) GDPR, the aforementioned purposes also represent our legitimate interests.
Your data will only be processed for as long as necessary to achieve the processing purposes mentioned above.
Third parties engaged by us will store your data on their system for as long as it is necessary in connection with the provision of the services for us in accordance with the respective order.
There is no legal obligation to provide your data. However, if you do not provide us with your data, it will not be possible to contact you.
Amazon Web Services
We host our website on Amazon Web Services (Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA, represented by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg).
When you visit our website, your personal data is processed on AWS servers.
The data is stored on servers managed by AWS in the EU or EEA. However, it should be noted that AWS is a US company. Therefore, it cannot be ruled out that your personal data will also be stored on servers located outside the EEA in the US. As a U.S. company, AWS may also be obliged to transfer personal data of EU citizens to the U.S. security authorities which is stored on servers in the EU or the EEA. There are no effective legal measures available to you for this.
AWS acts as a processor for us on a contractual basis and processes the data based on our documented instructions. AWS is integrated by us in a data protection compliant manner in accordance with Art. 28 GDPR.
Further information can be found in the AWS privacy policy: Datenschutzhinweis (amazon.com)
Freshdesk
We use the tool Freshdesk from the company Freshworks, Inc. (2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA). Freshdesk is a helpdesk and ticketing software that assists us with customer support. The software allows us to store, track, respond to, and otherwise manage user requests.
To the extent you submit a request to us, the data you enter is transmitted to Freshdesk and processed by Freshdesk.
The data is stored on servers in the EU or the EEA. However, it should be noted that Freshworks is a U.Ss company. As a U.S. company, Freshworks may also be obliged to transfer personal data of EU citizens to the U.S. security authorities located on servers in the EU or the EEA. There are no effective legal measures available to you for this.
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
If you transmit your personal data to us, this is done on the basis of your consent pursuant to Art. 6 (1) p. 1 lit. a GDPR, which you declare by ticking a checkbox (opt-in). You can revoke your consent at any time by accessing the cookie settings.
Freshworks acts as a processor for us on a contractual basis and processes the data based on our documented instructions. Freshworks is integrated by us in a data protection compliant manner in accordance with Art. 28 GDPR.
Caya
We use the services of the Caya GmbH (Ritterstraße 24-27, 10969 Berlin). Caya is helping us to digitize our mail. If you write to us by post, your mail will be forwarded to Caya. Caya opens the mail automatically and scans it. The content of the letter is then made available to us digitally. In this context, Caya processes the personal data that you provide to us when you contact us.
Caya acts as a processor for us on a contractual basis and processes the data based on our documented instructions. Caya is integrated by us in a data protection compliant manner in accordance with Art. 28 GDPR.
4.2. Newsletter
You have the possibility to subscribe to our newsletter on our website, which informs you about Habyt’s latest news, updates, current offers and special promotions.
We use the double-opt-in procedure to register for our newsletter. After you have registered for the newsletter, you will receive an e-mail to the e-mail address provided, in which we ask you to confirm the subscription and to confirm that you are the owner of the corresponding e-mail address. The link provided is valid for 24 hours. If we do not receive a confirmation from you within this time, we will block your information and delete it after one month. When you confirm your e-mail address, we store your IP address and the time of registration and confirmation in order to be able to prove your registration and to clarify possible misuse of your personal data.
In order to send the newsletter, we need your e-mail address as well as first and last name, which we store for this purpose. The legal basis for the data processing is your consent pursuant to Art. 6 (1) (1) (a) GDPR.
We store your data until you withdraw your consent. You can withdraw your consent by clicking on the link provided in every newsletter e-mail, by e-mail to hello@habyt.com or by sending a message to the contact details published in the imprint.
There is no legal obligation to provide your data. However, if you do not provide us with your e-mail address, it will not be possible to subscribe to the newsletter.
4.3. Booking of our Living offers
We process personal data when you book our living offers
4.3.1. Contact by e-mail or telephone or post
You can contact us via our website using the e-mail address, telephone number and postal address provided by us. If you make use of this option, your personal data transmitted by e-mail or in a telephone call will be processed.
The data processing serves the purpose of processing your enquiry.
If the contact is aimed at the conclusion of a contract, or if it is about an existing contract with you, Art. 6 para. 1 p. 1 lit. b GDPR is the legal basis for the processing.
In other cases, the legal basis for the processing of personal data relating to you is Art. 6 para. 1 p. 1 lit. f GDPR. The legitimate interest results from the necessity of processing your data in order to be able to answer your enquiry.
In the course of processing your enquiry, your data will be transferred to our IT service providers as well as to the relevant employees who process your enquiry.
We only store your data for as long as it is necessary for the purpose, i.e. until we have completely answered your enquiry.
There is no legal obligation to provide your personal data. However, if you do not wish to provide us with your data, it will not be possible to contact you.
Caya
We use Caya for digitizing our mail. Please see above (4.1) for more information on Caya.
4.3.2. Contact via contact form
If you have any questions about our Living offers, you can also contact us via the "Get in touch" button. If you make use of this option, the personal data you enter in the contact form will be processed by us. This includes the following necessary data:
First and last name
e-mail address
telephone number
Desired move-in date
Desired country and city
Further individual details
The data is processed for the purpose of handling your enquiry.
If the purpose of contacting you is to conclude a contract, or if it is about an existing contract with you, Art. 6 para. 1 p. 1 lit. b DSGVO is the legal basis for the processing.
In other cases, the legal basis for the processing of personal data relating to you is Art. 6 para. 1 p. 1 lit. f GDPR. The legitimate interest results from the necessity of processing your data in order to be able to answer your enquiry.
In the course of processing your enquiry, your data will be transferred to our IT service providers as well as to the relevant employees who process your enquiry.
We only store your data for as long as is necessary for the purpose, i.e. until we have completely answered your enquiry. The data is then deleted unless we need it to fulfil legal obligations.
There is no legal obligation to provide your personal data. However, if you do not wish to provide us with your data, it is not possible to contact you.
4.3.3. Registration and creating a profile
You have the option of registering for our login area and creating a profile in order to be able to use the full range of functions of our living offers. The following data is collected in connection with registration:
First and last name
Academic title (optional)
E-mail address
Your telephone number
Username
Password (optional)
address: Street, postcode and city, region, country
ID number or similar number of official document proving identity (such as passport or driving licence)
Nationality
Date of birth
Gender (male, female, other)
Type of employment
Income level
We need the data for the purpose of completing the registration, to maintain your account with us and to provide services and benefits to you including partnership promotions and conduct market research for future promotions, partnerships and rewards.
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b GDPR or Art. 6 para. 1 p. 1 lit. a GDPR.
Furthermore, your internet service provider (ISP) will store the assigned IP address, the date and time of your registration. We do this because, if necessary, this data enables us to investigate criminal offences that have been committed, so that misuse of our services can be prevented. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f GDPR.
In the course of processing your request, your data will be transmitted to our IT service providers and to the relevant employees who process your request.
We only store your data for as long as it is necessary for the purpose, i.e. until your profile is deleted. The data will then be deleted unless we need it to fulfil legal obligations.
There is no legal obligation to provide your personal data. However, if you do not wish to provide us with your data, registration is not possible.
Salesforce CRM System
We use the Salesforce service of the company salesforce.com Inc, The Landmark @ One Market Street, Suite 300, San Francisco, California 94105, USA, represented by Salesforce.com Germany GmbH, Erika-Mann-Str. 63, 80636 Munich, Germany. This is a service for our customer relationship management (CRM). Among other things, this service enables us to better manage our existing and potential customer relationships and to optimise sales and communication. In addition, the use of Salesforce enables us to analyse the administrative processes in our customer relationships.
When you provide us with personal data, such as when registering, booking or filling in other online forms, we process this data in the Salesforce CRM system by storing this data on the Salesforce Marketing Cloud and linking it to a Salesforce ID.
The data is stored on Salesforce managed servers in the EU or EEA. However, it should be noted that Salesforce is a US company. Therefore, it cannot be ruled out that your personal data will also be stored on servers located outside the EEA in the US. As a US company, Salesforce may also be obliged to transfer personal data of EU citizens to the US security authorities which is stored on servers in the EU or the EEA. There are no effective legal measures available to you for this.
The storage of information on a device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
If you transmit your personal data to us, this is done on the basis of your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR, which you declare by placing a tick (opt-in) in a checkbox. You can revoke your consent at any time by accessing the cookie settings.
Salesforce acts as a processor for us on a contractual basis and processes the data on the basis of our documented instructions. Salesforce is integrated by us in a data protection-compliant manner in accordance with Art. 28 GDPR.
Further information can be found in the salesforce data protection declaration: Datenschutzerklärung - Salesforce
4.3.4. Booking of our living offers
If you would like to book one of our living offers, we need the following additional information from you:
Desired type of accommodation
Desired start of rental period
We need this data to process the contract.
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DSGVO.
In the course of processing your enquiry, your data will be transferred to our IT service providers as well as to the relevant employees who process your enquiry.
We only store your data for as long as it is necessary for the purpose, i.e. until the end of the tenancy. The data is then deleted unless we need it to fulfil legal obligations.
There is no legal obligation to provide your personal data. However, if you do not wish to provide us with your data, a booking is not possible.
Eversign
We use the Eversign service of the company Stack Holdings GmbH (Elisabehtstraße 15/5A+B, 1010 Vienna, Austria). This is a service that enables us to have all required documents digitally and legally signed.
Eversign acts as a processor for us on a contractual basis and processes the data on the basis of our documented instructions. Eversign is integrated by us in a data protection compliant manner in accordance with Art. 28 DSGVO.
For further information, please refer to the Eversign privacy policy: Privacy Policy - eversign
Juro
We use Juro, a contract management tool provided by Juro Online Limited (1 Edge Street, London, W8 7PN), to manage the contracts that we conclude. This is a service that enables us to edit contracts in a document that is accessible to all parties of the contract and subsequently store them on Juro's platform.
Juro acts as a processor for us on a contractual basis and processes the data on the basis of our documented instructions. Juro is integrated by us in a data protection compliant manner in accordance with Art. 28 DSGVO.
Further information can be found in Juro's privacy policy: https://juro.com/privacy
4.3.5. Payment
You can pay either by SEPA direct debit or by credit card.
a) Direct debit as payment method
If you pay by SEPA direct debit, the following data will be collected:
Name of the account holder
IBAN
Information on the booking and payment (amount, subject, date).
The data is processed for the purpose of executing the contract.
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b GDPR.
We only store your data for as long as it is necessary for the purpose, i.e. until the payment has been completed. The data is then deleted unless we need it to fulfil legal obligations.
To process your payment, we use the Payments platform of the company Stripe, Inc.(354 Oyster Point Boulevard, South San Francisco, California, 94080, USA). You can find the data protection information of Stripe under the following link: https://stripe.com/de/privacy.
b) Credit card as payment method
If you pay by credit card, the following data will be collected:
Name of the credit card holder
credit card number
Period of validity of the credit card
type of card
Authorisation code
CVC/CVV code
Information on the booking and payment (amount, subject, date).
The data is processed for the purpose of executing the contract.
The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b GDPR.
We only store your data for as long as is necessary for the purpose, i.e. until the payment has been completed. The data is then deleted unless we need it to fulfil legal obligations.
Stripe
To process your payment, we use the Payments platform of the company Stripe, Inc. (354 Oyster Point Boulevard, South San Francisco, California, 94080, USA). For customers within the EU, Stripe Payments Europe (Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) is the controller. For this purpose, the data required for the payment process is forwarded to Stripe and stored by Stripe.
Stripe is a global company and the data may be stored in any country in which Stripe operates. Stripe is a US company, so it cannot be ruled out that your personal data may also be stored on servers located outside the EEA, e.g. in the USA. As a US company, Stripe may also be obliged to transfer personal data of EU citizens to the US security authorities, which is stored on servers in the EU or the EEA. There are no effective legal measures available to you for this.
The storage of information on a device used by you by Stripe and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent pursuant to Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings.
If you transmit your personal data to us, this is done on the basis of your express consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO, which you declare by placing a tick (opt-in) in a checkbox. You can revoke your consent at any time by accessing the cookie settings.
Stripe acts as a processor for us on a contractual basis and processes the data on the basis of our documented instructions. Stripe is integrated by us in a data protection compliant manner in accordance with Art. 28 DSGVO.
You can find the data protection information of Stripe under the following link: https://stripe.com/de/privacy.
4.3.6 Promotional activities and recommendations
We also process personal data that you have provided to us as part of promotional activities for Habyt partnerships or that we have received from third parties (e.g. online travel agencies, business partners) as a reference.
The legal basis for the processing is your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR.
5. Transfer of personal data to third parties
The following categories of recipients may receive access to your personal data:
- Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security or tool providers). The legal basis for the transfer is then Art. 6 (1) (1) (f) GDPR, insofar as it does not involve processors;
- Government agencies/authorities, insofar as this is necessary for the fulfillment of a legal obligation. The legal basis for the transfer is then Art. 6 (1) (1) (c) GDPR;
- Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 (1) (1) (b) or (f) GDPR;
- Other entities within the Habyt group. The legal basis for the transfer is then Art. 6 (1) (1) (f) GDPR, insofar as it does not involve processors.
In addition, we will only share your personal data with third parties if you have given your consent to do so in accordance with Art. 6 para. 1 p. 1 lit. a GDPR.
6. Data deletion and storage period
For the processing operations carried out by us, we indicate in each case how long the data will be stored by us and when it will be deleted or blocked. If no explicit retention period is specified, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. In principle, your data will only be stored on our servers in Germany, subject to any transfer that may take place that will be specified elsewhere.
However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings, or if storage is required by legal regulations to which we are subject as the responsible party [e.g. § 257 German Commercial Code (HGB), § 147 German Tax Code (AO)]. If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
7. Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by third parties (e.g., TSL encryption for our website), taking into account the state of the art, implementation costs, and the nature, scope, context, and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
8. Cooperation with processors
We use external domestic and foreign service providers (e.g. for IT, logistics, telecommunications, sales and marketing) to process our business transactions. They will only act on our instructions and have been contractually obligated to comply with the data protection provisions in accordance with Art. 28 GDPR.
If personal data from you is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing processing relationships.
9. Transfer of personal data to so-called third countries
In the course of our business relationships, your personal data may be transferred or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively for the fulfillment of contractual and business obligations and to maintain your business relationship with us. We will inform you about the respective details of the transfer at the relevant points.
Some third countries are certified by the European Commission through so-called adequacy decisions to have data protection comparable to the EEA standard (a list of these countries as well as a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. With regard to the individual services, we will inform you at the appropriate point about the requirements for data transfer to third countries.
From time to time, we may engage external debt collection service providers to recover outstanding payments owed under our agreements with you. In such instances, we may transfer certain personal data necessary for the collection process to the service provider. The processing of this personal data is carried out on the following legal basis: Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interests pursued by us, which include ensuring the enforcement of our contractual rights and the recovery of debts owed to us).
We will ensure that any transfer of personal data to debt collection service providers complies with applicable data protection laws and only involves the minimum data necessary for these purposes.
10. No automated decision-making (including profiling).
We do not ourselves intend to use any personal data collected from you for any automated decision-making process (including profiling).
11. No obligation to provide personal data.
We do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case in the context of the products we offer, you will be informed of this separately.
12. Legal obligation to transfer certain data.
We may be subject to a specific legal or statutory obligation to provide lawfully processed personal data to third parties, in particular public bodies (Art. 6 (1) (1) (c) GDPR).
13. Your rights
You may assert your rights as a data subject regarding your processed personal data at any time by contacting us using the contact details provided at the beginning. As a data subject, you have the right:
- to request information about your data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details;
- in accordance with Art. 16 GDPR, to demand the correction of incorrect data or the completion of your data stored by us without delay;
- pursuant to Art. 17 GDPR, to request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
- pursuant to Art. 18 GDPR, to request the restriction of the processing of your data, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
- pursuant to Art. 20 GDPR, to receive your data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller ("data portability");
- object to the processing in accordance with Art. 21 GDPR, provided that the processing is based on Art. 6 (1) p. 1 lit. e or lit. f GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, when exercising such an objection, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the merits of the case and either discontinue or adjust the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing;
- in accordance with Article 7 (3) GDPR, to withdraw your consent given once (also before the GDPR came into force, i.e. before 25.5.2018) - i.e. your voluntary will, made understandable in an informed manner and unambiguously by means of a declaration or other unambiguous confirming act, that you agree to the processing of the personal data in question for one or more specific purposes - at any time towards us, if you have given such consent. This has the consequence that we may no longer continue the data processing based on this consent in the future, and that
- complain to a data protection supervisory authority about the processing of your personal data in our company in accordance with Art. 77 GDPR.
14. Changes to the data protection notice
Due to changes in legal or official requirements as well as the further development of technical standards and our offer, adjustments to this privacy policy may be necessary, which is why it is regularly reviewed to determine whether it needs to be adapted. The privacy policy can therefore be changed at any time with effect for the future.
This privacy policy is last updated in November 2024.