Privacy notice

Hotel Zum Riesen GmbH, Heumarkt 8, 63450 Hanau, Germany. Contact: hanau@trip-inn.com.

• Account data (name, email, phone, password hash).
• Booking data (dates, room, guests, rate, payment, invoices).
• Device and session data (IP, user agent, cookies).
• Communication records (messages, call notes).
• ID document data (at check-in, encrypted, short retention).

• Art. 6(1)(b) contract — to provide the booking you asked for.
• Art. 6(1)(c) legal obligation — tax, GoBD, money-laundering checks.
• Art. 6(1)(f) legitimate interest — fraud prevention, service security.
• Art. 6(1)(a) consent — marketing emails, cookies beyond essential.

• Booking records and invoices: 10 years (German tax law).
• Guest PII (non-booking): 36 months default, or as you request.
• Audit logs: 7 years.
• Raw payment data: 18 months (PCI scope minimization).
• ID scans: the legal retention period of the jurisdiction + 30 days.

You can exercise any of these rights via the Privacy & data panel in your account, or by emailing us.

• Art. 15 — access / export
• Art. 16 — rectification
• Art. 17 — erasure (subject to retention laws)
• Art. 18 — restriction
• Art. 20 — portability
• Art. 21 — objection

Data is hosted in the EU by default (Frankfurt). Non-EU sub-processors operate only under Standard Contractual Clauses and a Transfer Impact Assessment.

• Stripe Payments Europe Ltd. (Ireland) — payments.
• SendGrid GmbH (Germany) — transactional email.
• Twilio Ireland Ltd. — SMS.
• Cloudflare Germany GmbH — CDN, WAF.
• AWS EMEA SARL (Frankfurt region) — hosting.

You can lodge a complaint with the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), or any EU authority where you live or work.