Privacy Policy for the Use of Personal Data on casamundo.com
1. Overview
The following Privacy Policy contains information about the way and extent to which personal data is processed by Casamundo. Personal data is information that can be directly or indirectly attributed to or associated with you personally, such as your name or your email address.
2. Name and contact details of the controller responsible for processing
This Privacy Policy applies to the data processing performed by Casamundo GmbH, Pappelallee 78/79, 10437 Berlin, Germany (the "controller", hereinafter "Casamundo"), to be contacted at [email protected] and for the following website or application: www.casamundo.com.
Casamundo’s data protection officer may be contacted at [email protected] (appointed is Waterside DS GmbH, Bergstr. 28, 22095 Hamburg).
3. The purposes for which data is processed, the legal basis and legitimate interests pursued by Casamundo or a third party, as well as categories of recipients.
3.1. Accessing our website/application
When you access our website/application, the browser used on your device automatically sends information to the server of our website/application and temporarily stores it in what is known as a log file. We have no control over this. The following information will also be collected without any action on your part and be stored until it is automatically deleted:
- the IP address of the requesting internet-enabled device
- the date and time of access
- the name and URL of the retrieved file
- the website/application from which access took place (the Referrer URL)
- the browser you are using, and potentially the operating system of your internet-enabled computer, as well as the name of your access provider
- the device used (e.g., a desktop computer or a smartphone)
- the language of the browser you are using
The legal basis for processing your IP address is Article 6 (1) (f) of the General Data Processing Regulation (GDPR). Our legitimate interest is based on the purposes of data collection listed below. We would like to point out that we are unable to draw any direct conclusions regarding your identity from the data that is collected, and that we refrain from doing so.
We use the IP address of your device and the other data listed above for the following purposes:
- ensuring that a trouble-free connection is established
- ensuring the comfortable use of our website/application
- the evaluation of system security and stability
The data will be erased as soon as it is no longer required for the purpose of its initial collection. In the case of data collection to enable making the website available, this is the case when the respective session end. The data is stored in log-files for a period of up to 6 weeks and is then deleted automatically so that it is no longer possible to allocate the user.
We also use what are known as cookies for our website/application, as well as tracking tools, targeting methods and social media plug-ins. The exact procedures used and how your data are used for this purpose are explained in more detail below.
3.2. Creating and using a user account; bookings and booking inquiries
3.2.1. Creating an account
When you create a user account with us, we process personal data in the following alternative manner:
- when logging in using Google (social login), your Gmail address and the information transmitted from your Google account (names, profile picture, link to your Google account and top-level domain, gender and hosted domain)
- when logging in using Facebook (social login: Facebook Connect), your email address and the public information from your Facebook account (names, profile picture, age range, gender, language, country and other public information)
- when logging in using your email, your email address
Likewise, a user account is created when you enter your email address and then make a booking or booking inquiry through our website (see section 3.2.2.). These services require the setup of a user account for technical reasons, storing email address, name and travel dates.
Each time you log in, technical information is stored about your device and your browser, as well as information about your searches. This helps us to improve your overall user experience on the website, as well as the overall services.
The legal basis for this is Article 6 (1) (b) and (f) of the GDPR. You provide us with data based on the contractual relationship between you and us. Our legitimation is also derived from the protection of your identity and the prevention of fraudulent activity.
We will delete the collected data no later than your termination of our platform’s usage contract.
3.2.2. Bookings and booking inquiries as well as payment processing
We do not offer travel services ourselves. Rather, we enable you to book travel services offered by our partners.
When a booking inquiry is received, we collect the following data in order to forward it to our partners and provide our Direct Booking services:
· the desired arrival and departure dates
· your first and last name
· the number of guests
· your email address
· (optionally) your message to the landlord
When you make a booking, we additionally collect the following data:
· the arrival and departure dates
· your address
· your phone number
· (optionally) selected extras
· the payment method, whereby payment processing is – unless otherwise indicated – performed by Datatrans payment service (Datatrans AG, Kreuzbühlstrasse 26, 8008 Zurich, Switzerland), with whom we have concluded a data processing agreement
The collection of the aforementioned data and its transmission to our partners is a pre-contractual step that is required to enter into the contract with your respective partner (Article 6 (1) (b) GDPR).
When you make a booking via Casamundo’s Direct Booking the payment processing may alternatively be performed by a payment service provider with whom we have concluded a data processing agreement. This payment service provider processes all data (name, payment details such as credit card/bank transfer information, billing address, cookie information or other data) necessary for the secure and valid payment transaction, fraud detection, risk assessment, or settlement method for the purpose of carrying out the payment within a booking by paying out the applicable amount to the correct partner and the service fee, if applicable, to Casamundo. The reverse mechanism applies for cancellations, if a full or partial refund is instructed the payment service uses your payment data in order to pay the amount of the refund back to your account used initially for the payment.
The legal basis for processing your payment data is Article 6 (1) (f) GDPR. Our legitimate interest is based on our business interest to provide the Direct Booking services to you while we protect your personal data through a data processing agreement with the payment service provider. We would like to point out that we do not collect your sensitive payment information like your credit card details. Transactions are processed by the aforementioned PCI-compliant payment service. By clicking on one of the offered payment methods (e.g. credit card, invoice) you consent to the use of the payment service, the outsourcing of such service, and the related transfer and processing of your data.
To be able to offer Klarna’s payment methods to you, we pass your personal contact data (such as name, address and email) – with your consent – to Klarna, so that Klarna may assess whether you qualify for their payment methods and to tailor those payment methods for you. The personal data transferred is processed as described in Klarna’s privacy policy: https://www.klarna.com/international/privacy-policy/.
3.3. Social logins (logging in with Facebook or Google)
3.3.1. Facebook Connect
When you log in through Facebook Connect, a direct connection is created to the servers at Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA ("Facebook"). Facebook detects that you have used your login information from Casamundo as part of this process.
If you have expressly given your consent to Facebook pursuant to Article 6 (1) (a) of the GDPR, your personal data will be transmitted to us as part of the registration process via the social login. We use the following information from the transmitted data, which is stored by us until it is automatically deleted:
· your email address
· your Facebook profile name (first and last name)
· the profile and wallpaper image you use on Facebook
· your age group (over 18, over 21 years old)
· a link to your Facebook account
· your gender
· the top-level domain of your logged-in Facebook account
· the time zone in which you are on Facebook
This data is used to
· identify you as our contractual partner
· set up your user account
· check the entered data for plausibility
The legal basis for the use of this data is Article 6 (1) (b) GDPR. Using this data enables us to fulfill our contractual obligations which arise from our Terms of Service (Article 6 (1) (b) GDPR). We will delete the collected data no later than your termination of our platform’s usage contract.
You can block the connection within your Facebook account.
Please refer to Facebook’s privacy policy for details regarding the purpose and scope of the data collection and further processing and use of the data by your service provider, as well as regarding your associated rights and the settings options you can use to protect your privacy (https://www.facebook.com/about/privacy).
3.3.2. Logging in with Google
When you log in with Google by selecting "G continue with Google", a direct connection is established with the servers of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google detects that you have used your login information from Casamundo as part of this process. We do not obtain your Google Account information. Google then informs you that data from your Google Account will be made available to us and indicates the specific data in question.
Registration with and the use of Google are governed by Google's privacy policy and terms of service (https://policies.google.com/privacy?hl).
If you have expressly given your consent to Google pursuant to Article 6 (1) (a) of the GDPR, your personal data will be transmitted to us as part of the registration process via Google. We use the following information from the transmitted data, which is stored by us until it is automatically deleted:
· your email address
· your name on your Google account (first and last name)
· the profile image (or the avatar) used on Google
· a link to your Google account
· your gender
· the top-level domain of your logged-in Google account
· the user domain you manage on Google (hosted domain, HD)
This data is used to
· enable us to identify you as our contractual partner
· set up your user account
· check the entered data for plausibility
The legal basis for the use of this data is Article 6 (1) (b) GDPR. Using this data enables us to fulfill our contractual obligations which arise from our Terms of Service (Article 6 (1) (b) GDPR). We will delete the collected data no later than your termination of our platform’s usage contract.
You can block the connection within your Google account.
Please refer to Google’s privacy policy for details regarding the purpose and scope of the data collection and further processing and use of the data by Google, as well as regarding your associated rights and the settings options you can use to protect your privacy (https://policies.google.com/privacy?hl).
3.4. Data processing for advertising purposes
3.4.1. Newsletter
On our website, we offer you the opportunity to sign up for our newsletter. In order to be sure that no errors have occurred when entering your email address, we use what is known as the double opt-in process: after you have entered your email address in the registration field, we send you a confirmation link. Your email will only be added to our mailing list after you click on this confirmation link. You can revoke your consent provided in this manner at any time with effect for the future. To do so, you need only click the unsubscribe link.
3.4.2. Product recommendations
We send you emails which contain product recommendations. You will receive these product recommendations regardless of whether you have subscribed to a newsletter. We do so in order to provide you with information about products from our offerings that may interest you based on your recent searches.
If you do not want to receive product recommendations from us, you can let us know at any time. You can find our contact details under section 2. Naturally, you will also find an unsubscribe link in every email.
3.4.3. Interest-based advertising
In order for you to receive information that is likely to be of interest to you, we categorize your user profile. To do so, we use information about your searches to customize the newsletter articles and promotional emails we send you. The goal is to send you advertising that is oriented towards your actual needs and to avoid sending unnecessary advertising.
The legal basis for the aforementioned processing is Article 6 (1) (f) GDPR. Processing existing customer data this way for advertising purposes is deemed to be a legitimate interest.
3.4.4. Email service
We use the SendGrid service of Twilio / SendGrid, Inc., 1801 California Street, Suite 500, Denver, Colorado 80202, USA, to send some emails (booking and inquiry confirmations and notifications, as well as advertising). Your email address and your first and last name will be processed to personalize the emails sent. A data processing relationship is in place with Twilio / SendGrid.
The legal basis for this is the fulfillment of our contractual obligations pursuant to Article 6 (1) (b) GDPR or the consent pursuant to Article 6 (1) (a) GDPR that you may revoke any time. The lawfulness of the data processing already carried out remains unaffected by the revocation. There is a legitimate interest to process data through Twilio / SendGrid pursuant to Article 6 (1) (f) GDPR.
Further information can be found in Twilio / SendGrid’s Privacy Policy (https://sendgrid.com/policies/privacy/).
3.4.5 Right to object
You have the right, at any time and at no charge, to object to data processing for the aforementioned purposes, separately for each respective communication channel, and with effect for the future. To do so, you need only send an email to [email protected] or send a letter to the Casamundo address mentioned in section 2 above.
In the event that you object, the relevant contact address will be blocked for further promotional processing. We point out that, in exceptional cases, advertising material may temporarily continue to be sent to you even after your objection has been received. This is due to technical reasons related to the lead time required for advertisements and does not mean that your objection will not be observed by us. Thank you for your understanding.