Privacy Policy
Last updated [DATE placeholder]. This is a standard template — have it reviewed by Austrian legal/Datenschutz counsel before launch.
1. Controller
The controller for the processing of your personal data is:
Eva Pump
Grubberg 27a, 8511 St. Stefan ob Stainz, Austria
E-mail: eva@mosthutte.com
Phone: +43 3463 00000 (placeholder — to be updated)
2. Data We Collect and Why
Booking inquiries
When you submit an inquiry or booking request, we collect your name, email address, phone number, requested dates, number of guests, and any message you include. We process this data to respond to your inquiry and, where a contract is concluded, to fulfil the rental agreement. The lawful basis is Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
Newsletter and marketing communications
If you sign up for our newsletter or marketing updates, we collect your email address. The lawful basis is your consent under Art. 6(1)(a) GDPR. You may withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting us directly.
Cookies and analytics
We use cookies and similar technologies. Strictly necessary cookies (e.g. theme preference, consent record) are set without consent. Analytics and advertising cookies (Google Analytics, Google Ads, Meta Pixel) are only set after you give your consent via our cookie banner. See our Cookie Policy for full details. The lawful basis for analytics and advertising is Art. 6(1)(a) GDPR (consent).
Server logs
Our hosting provider (Cloudflare) automatically records standard server log data including your IP address, browser type, pages visited, and timestamps. This is processed for security and technical operation purposes under Art. 6(1)(f) GDPR (legitimate interest in operating a secure website).
WhatsApp and SMS
If you contact us via WhatsApp or SMS, we process your phone number and the content of your messages in order to respond to your enquiry. The lawful basis is Art. 6(1)(b) GDPR (pre-contractual communication).
3. Service Providers and Processors
We use the following third-party processors. Each is bound by a data processing agreement:
- Cloudflare, Inc. (USA) — website hosting, CDN, edge computing (Cloudflare Pages, Workers), database (D1), object storage (R2), and key-value storage (KV). Transfer to the USA under Standard Contractual Clauses (SCCs).
- Resend, Inc. (USA) — transactional and marketing email delivery. Transfer to the USA under SCCs.
- Stripe, Inc. (USA) — payment processing. Stripe processes payment card data on our behalf. Transfer to the USA under SCCs. See Stripe's privacy policy.
- Google LLC (USA) — Google Analytics (website analytics) and Google Ads (advertising), only activated with your consent. Transfer to the USA under SCCs. See Google's privacy policy.
- Meta Platforms Ireland Ltd. (Ireland / USA) — Meta Pixel (advertising attribution), only activated with your consent. See Meta's privacy policy.
- Twilio, Inc. (USA) — SMS and WhatsApp messaging. Transfer to the USA under SCCs.
- Anthropic, PBC and DeepSeek / OpenRouter (USA) — AI assistant used on the administrative side for internal query handling; guest messages may be processed by these systems. Transfer to the USA under SCCs.
4. International Data Transfers
Several of our service providers are based in the United States. Transfers are carried out on the basis of the European Commission's Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. You may request a copy of the applicable safeguards by contacting us.
5. Retention Periods
- Booking and guest data: retained for 7 years to comply with Austrian tax and accounting obligations, then deleted.
- Inquiry data (no booking concluded): deleted within 12 months of the last contact.
- Newsletter subscriber data: retained until you unsubscribe or withdraw consent.
- Server logs: retained for up to 90 days by Cloudflare.
- Cookie consent records: retained for 12 months from the date of consent.
6. Your Rights
Under the GDPR, you have the following rights in relation to your personal data:
- Right of access (Art. 15 GDPR) — to obtain a copy of the data we hold about you.
- Right to rectification (Art. 16 GDPR) — to correct inaccurate data.
- Right to erasure (Art. 17 GDPR) — to request deletion of your data in certain circumstances.
- Right to restriction of processing (Art. 18 GDPR) — to limit how we use your data.
- Right to data portability (Art. 20 GDPR) — to receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR) — to object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at eva@mosthutte.com. We will respond within one month.
7. Right to Lodge a Complaint
You have the right to lodge a complaint with the Austrian supervisory authority:
Österreichische Datenschutzbehörde (DSB)
Barichgasse 40–42, 1030 Wien, Austria
www.dsb.gv.at
E-mail: dsb@dsb.gv.at
You may also contact the supervisory authority in your country of residence within the EU.
8. Changes to This Policy
We may update this privacy policy from time to time. The current version is always available at /privacy. Material changes will be communicated by updating the "last updated" date at the top of this page.
See also: Cookie Policy · Impressum