Privacy Policy

1. Data Controller

The data controller responsible for data processing on this website is:

Broski GmbH
Hans Kappacherstraße 12A
5600 St. Johann im Pongau, Austria
Email: info@broski.at

2. Hosting with Hetzner

Our website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. We have a data processing agreement (Art. 28 GDPR) with Hetzner. Hetzner processes technical server log files on our behalf, for example:

• IP address
• Date and time
• Pages accessed
• User-Agent
• Error messages (if applicable)

This data is necessary for the secure operation of the website and is stored for a maximum of 7 days.

Server location: Germany (EU).

3. Collection and Processing of Personal Data

a) Access Data (Server Logs)

When you visit our website, technical data is automatically collected that is necessary for the provision of the site.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest: operation and security of the website)

b) Rental Form (Ski Set Booking)

When you book a ski set through the form, we process:

• Name
• Email address
• Phone number
• Rental period
• Ski set selection
• Payment information (via Stripe)

Processing serves to handle the booking.

Legal basis: Art. 6 para. 1 lit. b GDPR (Contract)

c) Customer Account

After completing a booking, a customer account is automatically created. The following data is stored:

• Name
• Email address
• Phone number
• Bookings & Orders
• Invoice data (if necessary)

Legal basis: Art. 6 para. 1 lit. b GDPR

4. Cookies

We use only technically necessary cookies to enable the use of the website.

Authentication Cookie / Session Cookie

This cookie is required to log in users after a booking and make the account accessible.

• Purpose: Authentication, session management
• Storage duration: Until the end of the session
• Legal basis: Art. 6 para. 1 lit. b GDPR

5. Payment Processing via Stripe

For payment processing, we use:

Stripe Payments Europe, Ltd.
1 Grand Canal Street Lower
Grand Canal Dock
Dublin, Ireland

Stripe processes, among other things:

• Payment information
• IP address
• Device information
• Invoice data
• Email address

Stripe may transfer data to the USA or other third countries. Processing is based on:

• Contract fulfillment (Art. 6 para. 1 lit. b GDPR)
• Standard Contractual Clauses (SCCs) of the EU Commission

Stripe Privacy Policy: https://stripe.com/privacy

6. Data Sharing

Data is only shared when:

• it is necessary for contract fulfillment (e.g., Stripe),
• we are legally obligated to do so,
• you have consented.

We do not sell personal data and do not share it for marketing purposes.

7. Storage Duration

We store personal data only as long as necessary or legally required.

• Booking & invoice data: 7 years (according to § 132 BAO - Austria)
• Customer account data: until account deletion
• Server logs: max. 7 days
• Payment data: according to legal obligations (max. 7 years)

8. Data Subject Rights

You have the following rights according to Art. 15-21 GDPR:

• Access
• Rectification
• Erasure
• Restriction of processing
• Data portability
• Objection

You also have the right to lodge a complaint with the competent supervisory authority:

Austrian Data Protection Authority (DSB)
Barichgasse 40-42
1030 Vienna
Web: https://www.dsb.gv.at

9. Contact for Data Protection Inquiries

For questions regarding data processing:

Martin Kosecky
Email: mkosecky@broski.at

10. Anonymous Website Analytics

We collect anonymous usage data to improve our website and booking process. This data collection does not require your consent as it is fully anonymous and cannot be used to identify you.

What we collect:

• Page views (which pages are visited)
• Step completion in the booking flow (aggregate counts)
• Time spent on pages (average times, not per-user)
• Validation errors (to identify form issues)
• Booking events (creation, success, failure)
• Payment events (success, failure)
• Availability checks

How it works:

• Each event gets a unique anonymous ID
• No persistent session tracking
• No user identification possible
• No linking between events
• Data is aggregated for analysis

What we do NOT collect:

• Personal identifiers
• Session IDs that could track you
• User journeys across sessions
• Return visitor information
• Any data that could identify individual users

Purpose:

• Improve website usability
• Identify technical issues
• Understand booking flow performance
• Optimize the booking process

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest: website optimization and error prevention)

Storage duration: Up to 30 days for analysis purposes

Your rights: Since the data is anonymous and cannot be linked to you, individual data subject rights (access, deletion, etc.) do not apply. However, you can contact us if you have questions about our analytics practices.