hoteleo’s privacy policy This privacy statement is valid for the all websites hosted by hoteleo. In the following, we provide information about the collection of personally identifiable information while using our website. Personally identifiable information is all data that relates to you personally, such as name, address, e-mail addresses, or user behavior. The protection of your personally identifiable information is very important to us. If you have any questions or would like more information about hoteleo's data protection, please contact info@hoteleo.net with the subject ‘Privacy Query’. Continuous technological development, changes in our services or the legal situation, and other reasons may require adjustments to our data protection notice. We therefore reserve the right to change this privacy statement at any time and ask that you regularly keep yourself informed of the current state.

1 Party responsible for data processing The responsible party, according to Article 4 (7) of the EU General Data Protection Regulation (GDPR), is hoteleo Ltd. & Co. KG, Potsdamer Platz 1, 10785 Berlin, Germany, Phone: +49 (0) 30 55570752, E-Mail: info@hoteleo.net.

2 Data protection officer point of contact You can reach our data protection officer at info@hoteleo.com or our mailing address by adding “Datenschutz / Data Privacy”.

3 Your rights You have the following rights with respect to the personally identifiable information concerning you:

3.1 General rights You have the right to information, correction, deletion, limitation of processing, opposition to processing, and data portability. If processing is based on your consent, you have the right to revoke it with effect for the future.

3.2 Rights in the processing of data based on legitimate interests According to Article 21 (1) of the GDPR, you have the right to file an objection at any time for reasons arising out of your particular situation against the processing of personally identifiable information relating to you, pursuant to Article 6 (1) of the GDPR (data processing in the public interest) or Article 6 par. 1 f GDPR (data processing for the protection of a legitimate interest); this also applies to a profiling based on this provision. In the event of your objection, we will no longer process your personally identifiable information unless we can establish compelling and legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing aids the enforcing, exercising or defending of legal claims.

3.3 Rights in direct advertising If we process your personally identifiable information for the purpose of direct advertising, you have the right according to Article 21 par. 2 GDPR to object at any time to the processing of personally identifiable information relating to you for the purpose of such advertising; this also applies to profiling, where appropriate, insofar as it is associated with such direct advertising. In the event of your objection to processing for the purpose of direct advertising, we will no longer process your personally identifiable information for these purposes.

3.4 Right to complain to a supervisory authority You also have the right to complain to a relevant data protection supervisory authority about our processing of your personally identifiable information.

4 The collection of personally identifiable information when visiting our website If you are only using the website for informational purposes, i.e., if you do not enroll or otherwise provide us with information, we will only collect the personally identifiable information that your browser transmits to our server. If you wish to view our website, we collect the following data that is technically necessary for us to display our website and ensure its stability and security. Only in the case of suspected misuse in connection with bookings would we use this link information to facilitate the identification of the person responsible. The legal basis for this is Article 6 (1) (f) GDPR: –IP address, date and time of the inquiry, time difference to Greenwich Mean Time (GMT), content of the request (concrete page), access status/HTTP status code, amount of data transferred in each case, website that receives the request, browser, operating system and its interface, language, and browser software version.

5 Contact by e-mail or contact form When you contact us by e-mail or through a contact form, we will store the data you provide (your e-mail address, possibly your name and telephone number) so we can answer your questions. Insofar as we use our contact form to request entries that are not required for contacting you, we have always marked these as optional. This information serves to substantiate your inquiry and improve the handling of your request. A statement of this information is expressly provided on a voluntary basis and with your consent, art. 6 par. 1a GDPR. As far as this concerns information about communication channels (such as your e-mail address or telephone number), you also agree that we may also, where appropriate, contact you via this communication channel to answer your request. You may of course revoke this consent for the future at any time. We delete the data that arises in this context after saving is no longer required, or limit processing if there are statutory retention requirements.

6 Account You have the opportunity to enroll with us and create a hoteleo user account. We collect and save the following data for enrollment: - E-mail - Password The specification of the aforementioned data is compulsory; all other information you can provide voluntarily by using our portal. After enrollment, you will receive personal, password-protected access and can view and manage the data you have stored. Enrollment is voluntary but may be required to use our services. If you decide to be an active participant in the hoteleo Community, e.g., by uploading photos or creating texts such as review ratings and descriptions, you decide yourself which personally identifiable information is visible to hoteleo N.V. and all the visitors on the platform. You can modify these settings at any time. hoteleo does not publish any personally identifiable information without receiving your express consent to do so. If you participate in the hoteleo Content Community, your bank account details will be needed in order to pay out the miles you’ve earned. We need these so we can disburse the equivalent of the accumulated miles at your request. Alternatively, you can select PayPal or Skrill as payment options. hoteleo user accounts and the information contained therein are password-protected so that only the user has access to this personally identifiable information. Users can change their user profiles at any time. We will save this information until you permanently delete your access. We will still save the data that you provided on a voluntary basis for the time of your use of the portal, if you do not delete this in advance. You can manage and modify all information in your protected user account. The legal basis is article 6, par. 1 a, b, and f of the GDPR.

7 Use of cookies Cookies will be stored on your device during the use of our website. Cookies are small text files that are stored on your hard drive assigned to the browser you use, and through which the place where the cookie is set accrues certain information. Cookies cannot run any programs or transmit any viruses to your device. They serve to make the website more user-friendly and efficient overall. We also use cookies to be able to identify you in subsequent visits. This website uses the following types of cookies, whose extent and function are explained in the following:

7.1 Transient cookies These cookies are automatically deleted when you close your browser. This includes session cookies in particular. These save a “session ID” with which different requests from your browser can be assigned to the joint session. This allows your device to be recognized again when you return to our website. Session cookies are deleted when you log out or close your browser.

7.2 Persistent cookies These cookies are automatically deleted after a set duration that can vary depending on the cookie. You can delete cookies in your browser security settings at any time.

7.3 Legal bases and storage period The legal bases for possible processing of personally identifiable information and its storage period vary and are described in the following sections.

8 Analysis For the purposes of analyzing and optimizing our websites, we use different services that are described in the following. This allows us to analyze, for example, how many users visit our site, which information is requested the most, and how users find the website. The data that we collect includes the websites from which a person in question arrives at a website (“referrer”), which subpages on the website are accessed and how often, and the length of time for which a subpage is viewed. This helps us to develop and improve our website to be more user- friendly. The data collected does not serve to personally identify individual users. Anonymous or highly pseudonymous data will be collected. The legal basis for this is article 6, par. 1 f of the GDPR.

8.1 Google Analytics This website uses Google Analytics, a web analysis service of Google Inc (1600 Amphitheatre Parkway Mountain View, CA 94043, USA). This use covers the Universal Analytics operating mode. This makes it possible to assign data, sessions, and interactions across multiple devices to a pseudonymous user ID and thus analyze a user’s activities across devices. Google Analytics uses cookies that allow your use of the website to be analyzed. The information generated by the cookie through your use of this website is generally transmitted to a Google server in the USA and stored there. If IP anonymization is activated on this website, however, your IP address will be truncated in advance within the member states of the European Union or other contracting states party to the Agreement on the European Economic Area. Only in exceptional circumstances will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted from your browser in the context of Google Analytics will not be conflated with other Google data. Google will use this information in this website operator’s order to evaluate your use of the website so that reports about website activity can be compiled and other services connected to website and internet use can be rendered for the website operator. Our legitimate interest in data processing is also for these purposes. The legal basis for the use of Google Analytics is article 6, par. 1 f of the GDPR. The data sent by us and connected to cookies, user information (such as user ID), and promotional IDs are deleted after 14 months after the last use of our services. Data whose storage period has expired is automatically deleted once a month. More information on the terms and conditions of use and data protection can be found at https://www.google.com/analytics/terms/us.html and https://policies.google.com/?hl=en. You can prevent cookies from being stored through the relevant setting in your browser software; however, please note that if you do so, not all functions of the website may be able to be used to their full extent. You can also prevent the data generated by the cookie and related to your use of the website (including your IP address) from being collected and processed by Google by downloading and installing https://tools.google.com/dlpage/ gaoptout?hl=en. Opt-out cookies prevent the future collection of your data when visiting this website. To prevent Universal Analytics collection across various devices, you must perform the opt-out on all systems in use. Set the opt-out cookie by clicking here: Deactivate Google Analytics.

9 Data transmission Your data will not be transmitted to third parties as a general rule unless we are legally obligated to do so or the transfer of data is necessary for implementing the contractual relationship or you have given prior express consent to have your data transferred. External service providers and affiliated companies, such as online payment vendors communication agents, will only receive your data to the extent necessary to process your request. In these cases, however, the extent of data transmitted is kept to the necessary minimum. If our service providers come into contact with your personally identifiable information, we will make sure that this complies with the regulations of data protection laws in the same way through the course of processing the order in accordance with article 28 of the GDPR. Please note the vendor’s respective data privacy policy as well. The respective vendor is responsible for the content of third-party services, although we review services for compliance with legal requirements to a reasonable extent. We emphasize processing your data within the EU/EEA. However, it may happen that we use service providers who process data outside the EU/EEA. In these cases, we make sure that a reasonable level of data protection is established with the recipient before transmitting your personally identifiable information. This means that a level of data protection is reached through EU standard contracts or an adequacy decision that is comparable to the standard within the EU.

10 Data security We have taken extensive technical and operational security precautions to protect your data from being accidentally or intentionally manipulated, lost, destroyed, or accessed by unauthorized persons. Our security measures are reviewed regularly and updated in keeping with technological advances.

Last updated August 2018