Privacy policy – your data is safe with us

Data protection is a matter of trust and your trust is important to us. We respect your privacy. The protection and legally compliant collection, processing and use of your personal data is therefore an important concern for us. To ensure that you feel safe when visiting our website, we strictly observe the statutory provisions when processing your personal data and would like to inform you here about our data collection and data use.

I. The person responsible for data processing within the meaning of Art. 4 No. 7 GDPR is:

1. Responsible body:

Kur- und Badegesellschaft mbH
Stadtgarten / Passstr. 79
52070 Aachen

Managing Director:
Mr. Dipl. Kfm. Björn Jansen

2. Data protection officer:

If you have any questions about privacy, please contact us.

Ingo Goblirsch, LL.M.
External Data Protection Officer
Data Protection | Compliance | Information Security
Promenade 7
52076 Aachen

II. Scope and purpose of data processing

1. Anonymous data collection

We process personal data of website visitors only to the extent necessary to provide a functional website as well as our content and services.

You can visit our website without providing any personal information. For technical reasons, including ensuring a secure and stable internet presence, we only store so-called “server log files,” such as your IP address, your internet service provider, the browser you use, the page from which you visit us, the date and time of your access, or the name of the requested file.

The storage in “server log files” is carried out to ensure the functionality of the website and for security reasons, particularly to prevent and detect attacks on our website or fraud attempts. The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collected to provide the website, this occurs when the respective session ends.

These data serve technical security purposes, especially for defending against and analyzing attacks on our IT systems. The legal basis for the temporary storage of data and “server log files” is Art. 6(1)(f) GDPR.

2. Collection and processing of personal data

If you wish to use a service of our company via our website, it cannot be ruled out that the processing of personal data will be necessary. The legal basis for processing operations for which we obtain your consent for processing purposes is Art. 6(1)(a) GDPR. If the processing of personal data is necessary for the performance of a contract or for pre-contractual measures (e.g., for the delivery of goods or the provision of services, or for inquiries about our products and services), the processing is carried out pursuant to Art. 6(1)(b) GDPR.

The personal data you provide, such as name, company, address, email, and telephone number, will be stored and used for the purpose of individual communication with you in accordance with the General Data Protection Regulation (GDPR) and the “BDSG (2018)”. Please note that you should generally not send any special categories of personal data.

The legal basis for processing data transmitted via email is Art. 6(1)(f) GDPR. If the email contact aims at concluding a contract, the additional legal basis for processing is Art. 6(1)(b) GDPR.

3. Customer Account and Thermen Cards

The processing serves to set up and manage the customer account, provide and use the Thermen Card as an access and billing tool, manage bookings, services, transactions, and credit, assign usage to the customer identity, and communicate with the customer.

The following data is processed in particular: master data (name, address, email address), account data (username, password hash), card ID and assignment to the customer account, usage data (check-in/check-out, use of services, length of stay), billing and transaction data (credit balance, purchases, booked services).

Processing is based on the consent of the data subject in accordance with Art. 6(1)(a) GDPR. Consent can be revoked at any time with effect for the future.

Data is processed as long as valid consent exists. After revocation, personal data will be deleted unless statutory retention periods (particularly tax and commercial law) require longer storage.
Personal data will only be shared if necessary for the technical provision of the system, payment processing, or legal requirements. Service providers are contractually bound in accordance with Art. 28 GDPR.

Providing the data is voluntary. However, without consent, the use of the customer account and Thermen Card is not possible.

Revoking consent will result in the customer account being deactivated, and in the event of loss, defect, or theft, no replacement can be provided.

4. Provision of the online offer and web hosting

To provide our website securely and efficiently, we use the services of a web hosting provider whose servers deliver our website. We have concluded a data processing agreement with the provider in accordance with Art. 28 GDPR. The legal basis for using web hosting services is Art. 6(1)(f) GDPR (legitimate interest).

5. Newsletter subscription

After you have explicitly subscribed to the newsletter, you will regularly receive interesting offers about our products, services, and promotions by email. Each email contains information on how you can unsubscribe from receiving emails with effect for the future. To register for the newsletter, providing your email address is sufficient, and the registration takes place using the so-called “double opt-in” procedure. After registration, you will automatically receive an email asking you to confirm/activate your subscription by clicking a link. This ensures that a third party does not misuse your email address and subscribe to our newsletter without your knowledge. When you subscribe to our newsletter, we store your IP address, the date, and the time of your registration as proof of the registration process in accordance with legal requirements.

In addition, we analyze user behavior in connection with our newsletters. This includes, in particular, whether and when a newsletter was opened and which links were clicked. These evaluations are carried out on a personal basis and serve to optimize the content of our newsletter offering as well as for statistical analysis.

We do not collect any further data. The data collected is used exclusively for sending you our newsletter.
You can cancel your newsletter subscription at any time with effect for the future. Details can be found in the confirmation email and in each individual newsletter.

During the registration process, your consent is obtained for the processing of the data, and reference is made to this privacy policy. The legal basis for processing the data after the user subscribes to the newsletter is Art. 6(1)(a) GDPR if the user has given consent. The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. Your email address will therefore be stored as long as the newsletter subscription is active.

6. Use of the Newsletter Tool Maileon

For sending and managing our newsletter, we use the Maileon system, operated by XQueue GmbH, Christian-Pleß-Straße 11–13, 63069 Offenbach am Main.

The data collected during newsletter registration (in particular your email address) is processed on the servers of XQueue GmbH in Germany and used exclusively for sending our newsletter.

In addition, we use Maileon to analyze user behavior related to our newsletters. This includes, in particular, whether and when a newsletter was opened and which links were clicked. These evaluations are carried out on a personal basis and serve to optimize the content of our newsletter offering as well as for statistical analysis.

The legal basis for sending the newsletter and the associated tracking is your consent pursuant to Art. 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future, for example via the unsubscribe link at the end of each newsletter or by contacting the address provided in the imprint.

7. Cookies

When visiting our website, “cookies” are used. Cookies are small files that are stored on your device during a website visit. They can indicate, for example, whether there has already been a connection between the device and the website, take your preferred language or other settings into account, offer you certain functionalities, or recognize your interests based on usage.

Cookies may also contain personal data. Whether and which cookies are used during your visit to our website depends on which areas and functions of our website you use and whether you consent to the use of cookies that are not technically necessary in our cookie settings (cookie banner).

The use of cookies also depends on the settings of the web browser you use (e.g., Microsoft Edge, Google Chrome, Apple Safari, Mozilla Firefox). Most web browsers are preset to automatically accept certain types of cookies; however, you can usually change this setting. You can delete existing cookies at any time.
Consent to, as well as rejection or deletion of cookies, is tied to the device used and the respective web browser. If you use multiple devices or browsers, you can make decisions or settings differently for each. If you choose not to use cookies or delete them, some functions of our website may not be available or may only be available to a limited extent. The legal basis for processing personal data using technically necessary cookies / session cookies is Art. 6(1)(f) GDPR (legitimate interest in ensuring the functionality and security of our website). The legal basis for processing personal data using cookies for analysis purposes or so-called third-party cookies is your consent pursuant to Art. 6(1)(a) GDPR.

For information on the cookies used, please refer to the cookie settings.

8. Use of tools and plugins on our website

• Use of Google Analytics

To measure reach and analyze the usage behavior of visitors to our website, we use “Google Analytics.” The service provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis is Art. 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future via our cookie banner. With your consent, usage-related information (IP address, location, time, frequency of visits to our website) is transmitted to a Google server – which may also be located outside the EU/EEA – and stored there. These data are used to provide us with an analysis of visits to our website and user activities.
To fully comply with legal data protection requirements, we have concluded a data processing agreement with Google pursuant to Art. 28 GDPR.
You can prevent Google Analytics from collecting your data by not consenting to the cookie or by clicking the following link: https://tools.google.com/dlpage/gaoptout?hl=de. An opt-out cookie will be set to prevent data collection during future visits.
Google’s privacy policy can be found at https://policies.google.com/privacy.

• Use of Adobe Typekit Fonts

To display fonts on our website, we use Adobe Typekit Fonts. The provider is Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland. When you visit our website, your IP address and other technical data are transmitted to the provider. The legal basis is Art. 6(1)(f) GDPR (our legitimate interest in a uniform and appealing presentation of our website). More information about Adobe Typekit Web Fonts can be found at https://typekit.com/. Adobe’s privacy policy can be found at https://www.adobe.com/de/privacy.html.

• Use of Polylang Pro

To offer multilingual functionality on our website, we use the WordPress plugin “Polylang Pro.” The provider is WP SYNTEX, 28, rue Jean Sebastien Bach, 38090 Villefontaine, France. Polylang cookies are used exclusively to detect and store the language selected by the user. These cookies remain stored for one year and are then deleted. More information on compliance can be found at https://polylang.pro/doc/is-polylang-compatible-with-the-eu-cookie-law/.

• Use of Real Cookie Banner

To document consent for cookies requiring approval in compliance with data protection regulations, we use “Real Cookie Banner.” The provider is devowl.io GmbH, Tannet 12, 94539 Grafling. The legal basis is Art. 6(1)(c) GDPR (obtaining legally required consents for certain analysis/tracking technologies).
When you visit our website, the following personal data is transmitted to Real Cookie Banner:

  • Your consent(s) or withdrawal of consent(s)
  • Your IP address
  • Information about your browser and device
  • Time of visit

Real Cookie Banner stores a cookie in your browser to assign consents or withdrawals. More details can be found in the “Cookies” section of this privacy policy.

• Use of Facebook Pixel

We use the “Facebook Pixel” on our website. The provider is Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA; in the EU, the service is operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in analyzing, optimizing, and economically operating our website). This tool is a JavaScript code snippet that allows us to track visitor activities on our website (conversion tracking). This helps us display interest-based ads (“Facebook Ads”) on Facebook and measure their effectiveness.
If you have given consent via our cookie banner (Art. 6(1)(a) GDPR), Facebook Pixel collects and processes the following information:

  • Actions and activities of website visitors
  • Pixel-specific information (Pixel ID, Facebook cookie)
  • Clicked buttons
  • HTTP header information (IP address, browser details, page location, referrer)
  • Status of ad tracking restrictions

Some of these data are stored on your device. Facebook Pixel also uses cookies. Storage or access occurs only with your consent.
More information: https://www.facebook.com/about/privacy. You can opt out via https://www.facebook.com/settings.

• Use of Google Tag Manager

We use Google Tag Manager, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager helps us integrate tools on our website. It does not create user profiles, store cookies, or perform independent analyses. It only manages and deploys integrated tools. However, it collects your IP address, which may be transferred to Google’s parent company in the USA.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in efficient integration and management of tools).

• Use of YouTube

This website integrates videos from the YouTube platform. The operator of the platform is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
When you visit one of our pages that includes YouTube videos, a connection to YouTube servers is established. The YouTube server is informed which of our pages you have visited.
Furthermore, YouTube may store various cookies on your device or use similar recognition technologies (e.g., device fingerprinting). This allows YouTube to collect information about visitors to this website. These data are used, among other things, to compile video statistics, improve user experience, and prevent fraud attempts.

If you are logged into your YouTube account, YouTube can directly associate your browsing behavior with your personal profile. You can prevent this by logging out of your YouTube account.
The use of YouTube is in the interest of an attractive presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. If consent has been requested, processing is based exclusively on Art. 6(1)(a) GDPR; consent can be revoked at any time.

Further information on how user data is handled can be found in YouTube’s privacy policy: https://policies.google.com/privacy?hl=de.

• Integration of Third-Party Services and Content

Our pages may include content from third parties, such as videos and/or graphics from other websites. This is based on our legitimate interests (interest in analysis, optimization, and economic operation of our online offering pursuant to Art. 6(1)(f) GDPR). This always requires that the providers of such content (“third-party providers”) perceive the user’s IP address, as the IP address is necessary to deliver the content to the user’s browser. We strive to use only content whose providers use the IP address solely for content delivery. However, we have no control if third-party providers store the IP address for statistical purposes. Where known, we inform users accordingly.

9. Data subject rights

As a data subject, you have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), and data portability (Art. 20 GDPR). We do not engage in automated decision-making or profiling (Art. 22 GDPR).

In addition, pursuant to Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of a legitimate interest (Art. 6(1)(f) GDPR). This applies in particular if the processing is not necessary for the performance of a contract. If you exercise your right to object, please state your reasons. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests and rights. Please send your objection to the contact address provided above.

If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been infringed, you may lodge a complaint with a supervisory authority (Art. 77 GDPR).

Right of Withdrawal (Art. 7(3) GDPR)

If you have consented to the processing of your personal data, you have the right to withdraw your consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. Further processing based on another legal ground, such as compliance with legal obligations (e.g., statutory retention periods), remains unaffected.

To exercise your rights, please contact the address mentioned above. Requests submitted electronically will generally be answered electronically. Information, communications, and measures provided under the GDPR, including the exercise of data subject rights, are generally free of charge. Only in cases of manifestly unfounded or excessive requests are we entitled to charge a reasonable fee or refuse to act (Art. 12(5) GDPR).

If there are reasonable doubts about your identity, we may request additional information for identification purposes. If identification is not possible, we are entitled to refuse to process your request. We will inform you separately about the inability to identify you, where possible (Art. 12(6) and Art. 11 GDPR).

Requests for information will generally be processed without undue delay, within one month of receipt. This period may be extended by two further months if necessary, considering the complexity and/or number of requests; in case of an extension, we will inform you within one month of receipt of your request about the reasons for the delay. If we do not act on your request, we will inform you within one month of receipt of the request about the reasons and your right to lodge a complaint with a supervisory authority or seek judicial remedy (Art. 12(3) and (4) GDPR).

Please note that you can exercise your rights only within the limitations and restrictions provided by the Union or Member States (Art. 23 GDPR).

10. Data security

We secure our website and other systems through technical and organizational measures against loss, destruction, access, alteration, or distribution of your data by unauthorized persons. We use SSL encryption for our website.

11. Deletion and restriction (blocking) of personal data

The deletion and restriction (blocking) of your personal data takes place once the purpose for which it was collected no longer applies, provided the data is no longer required for the performance or initiation of a contract, and subject to retention periods required by law and/or tax regulations.

12. Contact possibility

We offer you the option to contact us via email on our website. In this case, the personal data transmitted by you in the email will be stored. This serves solely to process your inquiry. The legal basis for processing the data transmitted in the course of sending an email is Art. 6(1)(f) GDPR. The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected and no retention periods apply.

13. Public Social Media Profiles

This privacy policy applies to our social media presences on Facebook, LinkedIn, Instagram, YouTube, and TikTok.

Social networks can usually analyze your user behavior extensively when you visit their website or a website with integrated social media content (e.g., like buttons or advertising banners). Visiting our social media profiles triggers numerous data processing operations relevant to data protection.

Specifically: If you are logged into your social media account and visit our profile, the operator of the social media platform can associate this visit with your user account. Your personal data may also be collected even if you are not logged in or do not have an account with the respective platform. This data collection may occur, for example, via cookies stored on your device or by capturing your IP address.

Using the collected data, social media operators can create user profiles that include your preferences and interests. This allows interest-based advertising to be displayed to you both within and outside the respective social media presence. If you have an account with the respective network, this advertising can appear on all devices where you are or were logged in.

Please note that we cannot fully track all processing operations on social media platforms. Depending on the provider, additional processing may occur. For details, please refer to the terms of use and privacy policies of the respective platforms.

Our social media presence aims to ensure the broadest possible visibility online. This constitutes a legitimate interest under Art. 6(1)(f) GDPR. The analysis processes initiated by social networks may rely on different legal bases, which must be specified by the operators (e.g., consent under Art. 6(1)(a) GDPR).

When you visit one of our social media profiles, we are jointly responsible with the platform operator for the data processing triggered during your visit. You can generally exercise your rights (access, rectification, erasure, restriction, data portability, and complaint) both against us and against the platform operator (e.g., Facebook).

Please note that despite joint responsibility, we have limited influence over the data processing by social media platforms. Our options depend largely on the policies of the respective provider.

Data collected directly by us via our social media presence will be deleted from our systems once you request deletion, revoke your consent, or the purpose for storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions, especially retention periods, remain unaffected.

We have no control over the storage duration of your data by social media operators for their own purposes. For details, please check directly with the operators (e.g., in their privacy policies).

Instagram: https://www.instagram.com/carolusthermen/

Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Data transfers to the USA are based on EU Standard Contractual Clauses. Details:
https://www.facebook.com/legal/EU_data_transfer_addendum,
https://privacycenter.instagram.com/policy/,
https://de-de.facebook.com/help/566994660333381.
Privacy policy: https://privacycenter.instagram.com/policy/.
Meta is certified under the EU-US Data Privacy Framework (DPF):
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

LinkedIn: https://www.linkedin.com/company/kur–und-badegesellschaft-mbh

Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
LinkedIn uses advertising cookies. Opt-out:
https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Data transfers to the USA are based on EU Standard Contractual Clauses. Details:
https://www.linkedin.com/legal/l/dpa,
https://www.linkedin.com/legal/l/eu-sccs.
Privacy policy: https://www.linkedin.com/legal/privacy-policy.

Facebook: https://www.facebook.com/CarolusThermen/

Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Data transfers to the USA and other third countries occur.
We have concluded a Controller Addendum with Meta:
https://www.facebook.com/legal/terms/page_controller_addendum.
Adjust ad settings: https://www.facebook.com/settings?tab=ads.
Details: https://www.facebook.com/legal/EU_data_transfer_addendum,
https://de-de.facebook.com/help/566994660333381.
Privacy policy: https://www.facebook.com/about/privacy/.
Meta is certified under the EU-US Data Privacy Framework:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

YouTube: https://www.youtube.com/@carolusthermen

We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in YouTube’s privacy policy:
https://policies.google.com/privacy?hl=de.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that ensures compliance with European data protection standards for data processing in the USA. Each company certified under the DPF commits to adhering to these standards. Further information is available here:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

TikTok: https://www.tiktok.com/@carolusthermen

We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Details on how they handle your personal data can be found in TikTok’s privacy policy:
https://www.tiktok.com/legal/privacy-policy?lang=de.
Data transfers to non-secure third countries are based on the EU Commission’s Standard Contractual Clauses. Details:
https://www.tiktok.com/legal/privacy-policy?lang=de.

14. Modification and update of the privacy policy

Changes and updates to our privacy policy may occur due to changes in data processing carried out by us, or changes in the law, court rulings, changes in contact information of our company, etc. Therefore, we ask you to regularly inform yourself about the content of our privacy policy.
