
Sample Privacy Notice for End Customers

Non-binding translation
This is an informational English translation. The legally binding version is the German original.

SAMPLE PRIVACY NOTICE FOR END CUSTOMERS AND GUESTS

[Note: Please adjust all entries in square brackets to your specific circumstances. Delete sections for modules/features that you do not use.]

Note: This document serves as a template for you, as the operator of a bessa software system, towards your end customers.


Privacy Notice

Last updated: [insert date]

1. Controller

The controller for the data processing is:

[Your company name]
[Your address]
[Postal code city]
[Country]

Contact:
Telephone: [Your telephone number]
E-mail: [Your e-mail address]
Website: [Your website]

[If applicable:]
Data Protection Officer:
[Name of the data protection officer]
E-mail: [E-mail of the DPO]

2. Overview of Data Processing

We take the protection of your personal data very seriously. This privacy notice informs you about which personal data we collect, for what purposes we use it, and what rights you have.

3. Data Collected and Processing Purposes

3.1 For Orders and Purchases

Data collected:

  • Last name, first name

  • Contact data (e-mail, telephone)

  • Delivery address (for deliveries)

  • Order data (products, quantities, prices)

  • Payment method and status

Payment processing: Sensitive payment data (credit card numbers, bank details) is processed exclusively by our PCI DSS-certified payment service provider Stripe. We ourselves do not receive or store card numbers or bank details; we store only the payment method used and the payment status.

Purpose:

  • Performance of contract (order processing, delivery)

  • Invoicing

  • Customer service

  • Compliance with statutory retention obligations

Legal basis: Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(c) GDPR (legal obligation)

Storage period: Invoice data is retained for 7-10 years due to tax law requirements.

3.2 When Using Our Customer Loyalty Programmes

[Only if applicable:]

Data collected:

  • Registration data (last name, e-mail, optional: date of birth)

  • Point balances and transaction history

  • Redeemed vouchers and discounts

  • Preferences and favourites

Purpose:

  • Management of your customer account

  • Points administration and reward distribution

  • Personalised offers (with your consent)

Legal basis: Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(a) GDPR (consent for personalised offers)

Storage period: As long as the customer account is active; deletion 3 years after the last activity.

3.3 For Online Orders

[Only if applicable:]

Data collected:

  • IP address

  • Device information

  • Location data (for deliveries)

  • Order history

Purpose:

  • Technical provision of the ordering platform

  • Fraud prevention

  • Improvement of our service

Legal basis: Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(f) GDPR (legitimate interests)

Storage period: IP addresses are anonymised after 7 days; for order data, see 3.1.

3.4 For Newsletter Sign-Up

[Only if applicable:]

Data collected:

  • E-mail address

  • Name (optional)

  • Time of sign-up

  • IP address at sign-up

Purpose:

  • Sending newsletters and offers

  • Performance measurement (open / click rates)

Legal basis: Art. 6(1)(a) GDPR (consent)

Storage period: Until you withdraw your consent

3.5 When You Contact Us

Data collected:

  • Last name, e-mail address

  • Your message

  • Other data provided by you

Purpose:

  • Handling your enquiry

  • Customer service

Legal basis: Art. 6(1)(f) GDPR (legitimate interests), Art. 6(1)(b) GDPR (pre-contractual measures)

Storage period: 6 months after the conclusion of the communication

3.6 For Hotel Additional Services

[Only relevant for accommodation businesses / hotels:]

Data collected when using hotel services:

  • For billing: Last name, room number

  • Consumption: Restaurant, bar, spa, wellness, minibar

  • Additional services: Parking, laundry, telephone

  • For business travellers: Company name and billing address

IMPORTANT NOTE: Your guest data for accommodation (ID data, registration form, etc.) is NOT processed via our bessa software system, but via the separate hotel management system. Separate data protection notices apply to that data processing.

Purpose:

  • Billing of additional services

  • Allocation to the overall invoice

  • Tax documentation

Legal basis:

  • Art. 6(1)(b) GDPR (performance of contract)

  • Art. 6(1)(c) GDPR (tax law obligations)

Storage period:

  • Invoice data: 7-10 years (tax law)

  • Other data: 3 years after the last stay

4. Disclosure of Data

Your data is only disclosed in the following cases:

4.1 Processors

We use the following service providers, which process data on our behalf:

  • meisterwork GmbH (Austria): Operation of the bessa software system

  • Amazon Web Services (Germany): Hosting of the database

  • Stripe Payments Europe Ltd. (Ireland): Secure payment processing (PCI-DSS-certified)

  • [Add further service providers, such as delivery services, etc.]

We have concluded data processing agreements pursuant to Art. 28 GDPR with all processors.

4.2 Third-Party Providers

[Only if applicable:]

  • Delivery services (Foodora, Lieferando, Wolt, etc.): For handling deliveries

  • Payment service providers: For processing payments

  • Tax advisors / auditors: For fulfilling statutory obligations

4.3 Authorities

We disclose data to authorities (e.g. tax authorities, law enforcement authorities) where there is a statutory obligation or on the basis of legitimate interests.

5. Data Transfer to Third Countries

In principle, your data is only processed within the EU/EEA. [Or, if applicable: description of third-country transfers with legal bases]

6. Your Rights as a Data Subject

You have the following rights:

6.1 Right of Access (Art. 15 GDPR)

You may request information about the data we have stored about you.

6.2 Right to Rectification (Art. 16 GDPR)

You may request the rectification of inaccurate data.

6.3 Right to Erasure (Art. 17 GDPR)

You may request the erasure of your data, provided that no statutory retention obligations preclude this.

6.4 Right to Restriction (Art. 18 GDPR)

You may request the restriction of processing.

6.5 Right to Data Portability (Art. 20 GDPR)

You may request to receive the data you have provided to us in a structured, commonly used and machine-readable format, or to have it transmitted directly to another controller where technically feasible.

6.6 Right to Object (Art. 21 GDPR)

You may object to the processing of your data at any time, where the processing is based on Art. 6(1)(f) GDPR (legitimate interests).

6.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You may withdraw consents you have given at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal.

6.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority:

[For Austria:] Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Vienna
https://www.dsb.gv.at

[For Germany:] [Insert competent state data protection authority]

7. Data Security

We employ technical and organisational security measures to protect your data:

  • TLS encryption (HTTPS) for all data transmissions

  • Password-protected access

  • Regular data backups

  • Trained personnel

  • Access control and authorisation concepts

8. Cookies and Tracking

[If applicable – adjust to your circumstances:]

8.1 Necessary Cookies

We use technically necessary cookies for:

  • Shopping cart function

  • Login status

  • Language settings

Legal basis: Art. 6(1)(f) GDPR (legitimate interests)

8.2 Analytics Cookies

[Only with consent:] With your consent, we use analytics tools to improve our services.

Legal basis: Art. 6(1)(a) GDPR (consent)

9. Protection of Minors

Persons under the age of 16 may not transmit personal data to us without the consent of their legal guardians. [Or adjust according to national rules]

10. Automated Decision-Making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR. [Or, if applicable: description of the processes]

11. Changes to This Privacy Notice

We reserve the right to amend this privacy notice. You can always find the current version [on our website / in the shop / in the app].

12. Contact for Data Protection Matters

For data protection questions, please contact:

[Your contact address for data protection]
E-mail: [Data protection e-mail]
Telephone: [Telephone number]


Notes on using this template:

  1. Adjustment required: Adjust all entries in square brackets to your circumstances.

  2. Inapplicable sections: Delete sections that are not relevant to your business.

  3. Additions: Add specific processing activities not listed here.

  4. Legal advice: This template does not replace legal advice. Have the customised version reviewed by a data protection expert.

  5. Updating: Review the privacy notice regularly and adjust it in case of changes.

  6. Availability: Make the privacy notice available to your customers: on your website (footer link), in your app, in the shop (notice or QR code), upon registration for customer loyalty programmes.

  7. Languages: Provide the privacy notice in the languages of your customers.

  8. Hotel-specific: Inform guests that only additional services are billed via bessa, refer to the separate privacy notice of your PMS system for accommodation data, and make both privacy notices available.