Privacy Policy

1. Data controller

The data controller under the General Data Protection Regulation (GDPR) and other national data protection laws is:

2. Collection and storage of personal data

Personal data is any information that relates to an identified or identifiable natural person. We only collect and process personal data to the extent necessary to provide our services or where you have given your explicit consent.

The legal basis for processing is Art. 6 (1) lit. a GDPR (consent), Art. 6 (1) lit. b GDPR (contract performance) and Art. 6 (1) lit. f GDPR (legitimate interest).

3. Server log files

When you visit our website, your browser automatically transmits data to our server. This data is temporarily stored in so-called server log files:

• Browser type and version
• Operating system used
• Referrer URL (the page previously visited)
• Host name of the accessing computer
• Time of the server request
• IP address (anonymised)

This data cannot be assigned to a specific person and is not combined with other data sources. The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in the secure and stable operation of the website). The data is deleted no later than 7 days after collection.

4. Booking inquiry / contact form

When you submit a request through our booking inquiry form, we collect the following data:

• First and last name (mandatory)
• E-mail address (mandatory)
• Phone number (optional)
• Travel details: arrival, departure, room type, number of guests
• Breakfast preference
• Baby cot request (optional)
• Postal address: street, postcode, city (optional)
• Free text / special requests (optional)

For enquiries via the trade fair form, we additionally collect:

• Company name and billing address (mandatory for invoicing)
• Names of travelling guests (optional)

This data is sent by e-mail to info@ma-cityhotel.de and used exclusively to process your inquiry and a possible contract initiation. The legal basis is Art. 6 (1) lit. a GDPR (your consent by submitting the form) and Art. 6 (1) lit. b GDPR (contract initiation). The data is deleted after your inquiry has been fully processed, unless statutory retention obligations require otherwise.

Spam and abuse protection: To protect against automated spam inquiries and the use of disposable e-mail addresses, the e-mail address you provide is checked technically upon submission. For this purpose, the e-mail address is transmitted to the service validator.pizza (operated in the EU), which only checks whether it is a disposable address. This service does not store the data permanently for advertising purposes. The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in preventing spam and abuse). If this check fails technically, your inquiry will still be processed normally.

Alternatively, you can contact us at any time by e-mail or phone. In this case, the personal data you provide will be stored to process your inquiry.

5. Google Fonts

This website uses Google Fonts, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Fonts loads fonts from Google servers. In doing so, your IP address is transmitted to Google.

The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in a consistent and professional presentation of our website). Information on data protection at Google can be found at: https://policies.google.com/privacy .

6. Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics analyses visitor behaviour statistically to help us continuously improve our website.

We use Google Analytics 4 (GA4). In GA4, the IP address is truncated before storage and is not stored in full. The data collected (e.g. page views, session duration, device type) may be transferred to Google servers in the USA. Google LLC has accepted the EU Standard Contractual Clauses, ensuring an adequate level of data protection (Art. 46 (2) lit. c GDPR).

The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in analysing and optimising our website). You can object to data collection by Google Analytics by installing the browser add-on: https://tools.google.com/dlpage/gaoptout . Alternatively, you can block cookies or disable JavaScript in your browser.

Further information on data processing by Google: https://policies.google.com/privacy .

7. OpenStreetMap / Leaflet & Routing

For the interactive maps on our website we use the open-source library Leaflet.js. Map tiles are provided by CARTO (Carto B.V., Keizersgracht 488, 1017 EH Amsterdam, Netherlands) and are based on map data from the OpenStreetMap Foundation (St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom).

When you consent to use of the interactive map, your browser establishes direct connections to CARTO's tile servers (basemaps.cartocdn.com). Technical data (including your IP address and browser information) is transmitted to these servers. We have no influence over the data processing carried out there. Google Maps is not used by us. Privacy information from CARTO: carto.com/privacy.

On the trade fair page, the routing service OSRM (Open Source Routing Machine) is used to display the driving route. When the map loads, a request is sent to router.project-osrm.org, which may receive technical data including your IP address. Further information: project-osrm.org.

The map is only loaded after your explicit consent through the privacy notice on our website. The legal basis is Art. 6 (1) lit. a GDPR (consent). You may withdraw your consent at any time by clearing the local storage of your browser (see section 8). Privacy policy of OpenStreetMap: wiki.osmfoundation.org/wiki/Privacy_Policy .

8. Cookies & local storage

Our website does not use any tracking or advertising cookies. To save your privacy consent (section 7) we use the local storage of your browser. A single value is stored that only records whether you have allowed or declined the use of the interactive map. No personal data is stored.

This entry remains in your browser until you delete it manually (via your browser settings → "Clear site data" or "Clear local storage"). After deletion, the privacy notice will appear again on your next visit. The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in storing your consent to avoid asking again on every page load).

9. Your rights as a data subject

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You can request information about the data we hold about you free of charge.
• Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): You can request the deletion of your data unless legal retention obligations apply.
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR): You can object to the processing of your data at any time.
• Right to withdraw consent at any time with effect for the future.

To exercise your rights, please contact: info@ma-cityhotel.de

In addition, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority in Lower Saxony is:

10. Data security

We use technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access. Our security measures are continuously improved in line with technological developments.

Form data on our website is transmitted using encrypted HTTPS protocol.

11. Validity of this privacy policy

This privacy policy is currently valid, dated May 2026. Due to further development of our website or changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. The current version can be viewed at any time at ma-cityhotel.de/en/privacy.html.