Legal
Privacy Policy
Your data matters to us. Here you can find out how we process it.
Last updated: June 2026
Data Protection at a Glance
General information
The following information provides a simple overview of what happens to your personal data when you visit our website. Personal data is any data by which you can be personally identified. For detailed information on the subject of data protection, please refer to our privacy policy set out below this text.
Responsible party
The party responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR / DSGVO) is:
Biohotel Schweitzer
Pirktl Holiday GmbH & Co KG
Obermieming 141
6414 Mieming in Tyrol, Austria
Phone: +43 5264-5285
E-mail: info@biohotel.at
Website: www.biohotel.at
The responsible party is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data (e.g. names, e-mail addresses or the like).
How do we collect your data?
On the one hand, your data is collected when you provide it to us. This may, for example, be data that you enter into a contact or booking form.
Other data is collected automatically by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or the time of the page view). This data is collected automatically as soon as you enter our website.
What do we use your data for?
Some of the data is collected to ensure the error-free provision of the website. Other data may – provided you give your consent – be used to analyse your user behaviour.
What rights do you have regarding your data?
You have the right at any time to obtain information free of charge about the origin, recipients and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time with effect for the future. In addition, you have the right, under certain circumstances, to request the restriction of the processing of your personal data. Furthermore, you have a right to lodge a complaint with the competent supervisory authority. You can find details on this in the section “Your Rights”.
SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as bookings or enquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Hosting & Server Log Files
External hosting (Netlify)
This website is hosted by an external service provider. The provider is Netlify, Inc., 512 2nd Street, Suite 200, San Francisco, CA 94107, USA (“Netlify”). The personal data collected when you visit this website is processed on Netlify’s servers or its content delivery network. This may primarily concern IP addresses, contact requests, meta and communication data, access data and other data generated via a website.
Netlify is used in the interest of a secure, fast and reliable provision of our online offering by a professional provider (Art. 6 (1) (f) GDPR). We have concluded a data processing agreement (DPA) with Netlify that ensures the protection of your data. Insofar as personal data is transferred to the USA in this context, this transfer is based on the standard contractual clauses of the EU Commission pursuant to Art. 46 GDPR.
Server log files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. This information is:
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
This data is collected on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website – to this end, the server log files must be collected.
Data Collection on Our Website
Cookies and comparable technologies
Our web pages partly use so-called cookies as well as comparable technologies (e.g. the local browser storage). Cookies are small text files that are stored on your device and do not cause any harm. They serve to make our offering more user-friendly, effective and secure.
We distinguish between technically necessary and non-necessary storage processes. Technically necessary cookies or storage entries are required for the operation of the website – this includes in particular the saving of the selection you made in the consent dialog. These are set on the basis of our legitimate interest in a functioning website (Art. 6 (1) (f) GDPR) or, where the law so provides, for the provision of the service you have expressly requested.
Non-necessary cookies or technologies serve purposes beyond this, in particular statistics, reach measurement and marketing. We use such technologies exclusively after your express consent (see below “Consent with our cookie tool” as well as the section “Analysis Tools and Advertising”). You can also set your browser so that you are informed about the setting of cookies, allow cookies only in individual cases or exclude them in general. When cookies are deactivated, the functionality of this website may be limited.
Consent with our cookie tool
Our website uses a self-operated consent tool to obtain your consent to the storage of certain cookies and comparable technologies and to document this in a data-protection-compliant manner. Your selection is stored in versioned form exclusively locally in your browser (in the so-called “localStorage”) and is not transmitted to us or to third parties. Technically, we use Google Consent Mode v2: analysis and marketing services are only enabled or loaded once you have consented to the respective category. Without your consent, the website remains free of statistics and marketing services.
You can revoke or change your consent at any time with effect for the future. To do so, open the cookie settings again via the button below or the “Privacy settings” link in the footer and adjust your selection. Alternatively, you can delete the stored selection yourself in your browser.
Consent to the setting of non-necessary cookies or to access to information on your device is given on the basis of Section 165 (3) of the Austrian Telecommunications Act 2021 (TKG 2021) as well as Art. 6 (1) (a) GDPR. In order to fulfil our obligations to provide proof, we document your consent or its revocation; mandatory statutory retention periods remain unaffected.
Enquiry by e-mail, telephone or contact form
If you contact us by e-mail, telephone or via a contact form, your enquiry including all the personal data resulting from it (name, e-mail address, telephone number if applicable, your concern) will be stored and processed by us for the purpose of handling your concern. We do not pass on this data without your consent.
This data is processed on the basis of Art. 6 (1) (b) GDPR, provided your enquiry is connected with the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of the enquiries addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR), provided this was requested.
The data you send us remains with us until the purpose for storing the data no longer applies (e.g. after your concern has been fully processed) or you ask us to delete it. Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
Online booking and booking enquiry
Via our website, you can check availability and make a booking or booking enquiry. To process this, we require your form of address, your first and last name, your e-mail address, your travel dates (arrival and departure) as well as the chosen product/arrangement. In individual cases, your telephone number is requested in order to be able to contact you quickly, in particular in the event of unforeseeable circumstances affecting your booking.
For the calculation of the applicable travel price, the details of the stay, the chosen product, the number of travelling persons as well as the information on whether they are adults or children (for children additionally the age) are required. Further information in the form is provided on a voluntary basis.
The booking is processed via our own booking backend; the database and server infrastructure used for this (provider: Supabase, server location within the European Union) processes your data as a processor on our behalf. In order to carry out your booking, we also transmit the necessary data to our hotel management system. With the service providers used, we have concluded data processing agreements where necessary.
The processing of your data for the booking or booking enquiry is carried out on the basis of Art. 6 (1) (b) GDPR and serves the performance of a contract or the implementation of pre-contractual measures. The transmitted data remains with us until the purpose for storing the data no longer applies. Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
Email delivery (Resend)
For sending transactional emails – in particular booking, offer and cancellation confirmations as well as messages relating to your enquiry – we use the email delivery service Resend. The provider is Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA (“Resend”). The data required for delivery is processed, in particular your name, your email address and the content of the respective message (e.g. your booking details).
Resend processes and stores this data on our behalf on servers in the USA. We have concluded a data processing agreement (DPA) with Resend; the transfer to the USA is based on the standard contractual clauses of the EU Commission pursuant to Art. 46 GDPR. The legal basis for the processing is Art. 6 (1) (b) GDPR (performance of a contract or implementation of pre-contractual measures) as well as our legitimate interest in reliable and secure email delivery (Art. 6 (1) (f) GDPR).
Payment processing via payment service provider (Stripe)
For the online payment of your booking, we use the payment service provider Stripe. The provider for users in the European Economic Area is Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Payment is made via an encrypted payment field embedded directly in our booking process; depending on the chosen payment method (e.g. EPS, iDEAL, TWINT, PayPal), you will be redirected briefly to your payment provider for confirmation.
The data required for the payment (e.g. name, payment or credit card data, invoice amount) is processed by Stripe within its own area of responsibility in accordance with Stripe’s data protection provisions, which you can view at stripe.com/de/privacy. At the same time, Stripe processes this data to fulfil its own legal and regulatory obligations as well as for fraud prevention. Insofar as data is also transferred to third countries (in particular the USA) within the Stripe group of companies, Stripe bases this on the standard contractual clauses of the EU Commission.
The legal basis for the data processing is Art. 6 (1) (b) GDPR (performance of a contract). Payment transactions are carried out exclusively via an encrypted SSL or TLS connection. Your data is only passed on to Stripe insofar as this is necessary for the payment processing.
Local fonts
For the uniform display of fonts, this website uses exclusively font files (web fonts) stored locally on our server. When a page is called up, these fonts are loaded from our own server. No connection to third-party servers (such as Google Fonts) takes place in the process; no personal data is transmitted to third parties.
Analysis Tools and Advertising
We use the analysis, reach measurement and marketing services described below exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR. Before you give your consent in the cookie dialog, these services are neither loaded nor executed. Your consent can be revoked at any time with effect for the future (see “Consent with our cookie tool”). The integration is technically carried out via Google Consent Mode v2. Insofar as personal data is transferred to the USA, we point out the respective transfer basis stated in each case.
Google Analytics 4
This website uses – after your consent to the category “Statistics & Analysis” – functions of the web analytics service Google Analytics 4. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables us to analyse the behaviour of website visitors. In doing so, we receive various usage data, such as page views, dwell time, operating systems used and the origin of the user. Google Analytics uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there.
The use is based on your consent pursuant to Art. 6 (1) (a) GDPR and Section 165 (3) TKG 2021. The consent can be revoked at any time. We have concluded a data processing agreement with Google. The data transfer to the USA is based on the EU-US Data Privacy Framework; the parent company Google LLC is certified thereunder (adequacy decision of the EU Commission pursuant to Art. 45 GDPR).
Google Signals
If you have additionally consented to the category “Marketing”, we use Google Signals. This allows Google Analytics to collect, among other things, location, search history and YouTube history as well as demographic data (visitor data). If you have a Google account and have consented there to personalised advertising, this visitor data can be linked to your Google account across devices and sessions and used for personalised advertising. The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR.
You can find more information on the handling of user data at Google Analytics in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.
Google Ads with conversion tracking
After your consent to the category “Marketing”, we use Google Ads. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads enables us to display advertisements in the Google search engine or on third-party websites and, by means of conversion tracking, to measure whether users who reached our website via a Google ad have carried out a certain action (e.g. a booking).
If you reach our website via a Google ad, a conversion cookie is set, which loses its validity after a certain time and does not serve to personally identify you. Neither we nor other Google advertising customers receive information by means of which you could be identified. In the process, personal data, including your IP address, may be transferred to Google in the USA.
The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR and Section 165 (3) TKG 2021; the consent can be revoked at any time. The data transfer to the USA is based on the EU-US Data Privacy Framework (Google LLC is certified thereunder). You can find more information at https://business.safety.google/privacy/.
Microsoft Clarity
After your consent to the category “Statistics & Analysis”, we use Microsoft Clarity, an analysis and session recording service. The provider for users in the European Economic Area is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
With Microsoft Clarity, we can better understand the use of our website by evaluating interactions such as mouse and scroll movements, clicks as well as page views in the form of aggregated statistics and pseudonymised session replays. Entries in form fields are masked by default in the process. Data processing may also take place on servers in the USA.
The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR and Section 165 (3) TKG 2021; the consent can be revoked at any time. Any data transfer to the USA is safeguarded by Microsoft’s certification under the EU-US Data Privacy Framework. You can find more information in Microsoft’s privacy policy: https://privacy.microsoft.com/de-de/privacystatement.
PostHog
After your consent to the category “Statistics & Analysis”, we use the product analytics service PostHog. The provider is PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. We operate PostHog via the provider’s US cloud infrastructure; the processing takes place on servers in the USA.
With PostHog, we evaluate the use of our website in pseudonymised form (e.g. pages viewed, buttons clicked and the usage history within the booking flow) in order to improve our offering. Entries in form fields are not captured in the process. The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR and Section 165 (3) TKG 2021; the consent can be revoked at any time. The transfer of personal data to the USA associated with this use is based on the standard contractual clauses of the EU Commission pursuant to Art. 46 GDPR. You can find more information at https://posthog.com/privacy.
Your Rights
Information, deletion and correction
Within the framework of the applicable statutory provisions, you have the right at any time to free information about your stored personal data, its origin and recipients and the purpose of the data processing and, if applicable, a right to correction or deletion of this data. For this and for further questions on the subject of personal data, you can contact us at any time at the address given in the imprint.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. To do so, you can contact us at any time at the address given in the imprint. The right to restriction of processing exists in the following cases:
If you dispute the accuracy of the personal data stored by us, we generally need time to check this. For the duration of the check, you have the right to request the restriction of the processing of your personal data. If the processing of your personal data took/takes place unlawfully, you can request the restriction of the data processing instead of deletion.
If we no longer need your personal data but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion. If you have lodged an objection pursuant to Art. 21 (1) GDPR, a balancing of your and our interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.
Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The lawfulness of the data processing carried out up to the revocation remains unaffected by the revocation.
Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)
If the data processing is based on Art. 6 (1) (e) or (f) GDPR, you have the right at any time, for reasons arising from your particular situation, to object to the processing of your personal data; this also applies to profiling based on these provisions. You can find the respective legal basis on which processing is based in this privacy policy. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims (objection pursuant to Art. 21 (1) GDPR).
If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising. If you object, your personal data will subsequently no longer be used for the purpose of direct advertising (objection pursuant to Art. 21 (2) GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged violation. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies. The competent supervisory authority in Austria is:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40–42
1030 Wien
E-mail: dsb@dsb.gv.at
Website: www.dsb.gv.at
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place insofar as it is technically feasible.