GDPR Privacy Statement of NextGuest
We take the protection of personal data very seriously. If you are in the European Economic Area and we collect personal data relating to you in the context of the offering of goods or services, even if provided free of cost, or if we collect data when monitoring your behavior which takes place within the European Economic Area, your personal data will be subject to Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).
In this Privacy Statement we, NextGuest, One Penn Plaza, 48th Fl, New York, NY 10119, USA, and NextGuest CRM (Serenata IntraWare GmbH) (“We” or “NxG”) will inform you about how we process and use personal data which is subject to the GDPR and on the specific rights you have in connection with your personal data which is subject to the GDPR.
Please note that the GDPR Privacy Statement applies only to personal data which is subject to the GDPR and therefore expressly does not apply to (a) data which is not personal data such as data on corporations or other legal entities, and (b) personal data not falling within the scope of the GDPR such as personal data of data subjects who are not in the European Economic Area.
One of the main purposes of this Privacy Statement is to fulfil transparency obligations under Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”). For this reason, we use certain technical terms also used in the GDPR in the context of this Privacy Statement. These and other terms repeatedly used in this Privacy Statement will be explained to you below in Section 3.
Many of our customers are organizations and companies (so-called legal entities). If you contact us as an employee of an organization or a company, we will store and process the categories of data described herein below generally in relation to this organization or company, but may link it to the information that you are employed by such organization or company and are our contact person.
1. Name and address of the data controller (NextGuest) and the representative in the European Union, supervisory authority
1.1. This Privacy Statement describes the data processing for which NextGuest or NextGuest CRM is the controller within the meaning of the GDPR. You will find NextGuest’s contact details below:
1.2. NextGuest has designated a representative in the European Union in accordance with Art. 27 of the GDPR.
The representative has been mandated to be addressed in addition to NextGuest or instead of NextGuest by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with the GDPR. The designation of a representative is without prejudice to legal actions which could be initiated against us directly.
You can contact NextGuest’s representative in the European Union at any time with any questions about data protection. The representative’s name and address are as follows:
NextGuest Digital Europe
Katusepapi 4, 3rd. floor, 11412
1.3. The data protection supervisory authority responsible for our representative in the European Union is: Estonian Data Protection Inspectorate
19 Väike-Ameerika St., 10129 Tallinn, Estonia
Phone: +372 627 4135
2. Name and address of the data controller (NextGuest CRM), contact details for the data protection officer, and supervisory authority
2.1. This Privacy Statement also describes the data processing for which NextGuest CRM (Serenata) is the controller within the meaning of the GDPR. You will find NextGuest CRM’s contact details below:
2.2. You can contact NextGuest CRM’s data protection officer at any time with any questions about data protection. The data protection officer’s contact details are as follows:
Data Protection Officer
Tel: +49 89 / 92 90 03 - 0
2.3. The data protection supervisory authority responsible for us is: Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht)
Promenade 27 (Schloss)
Germany Postal address:
Telephone: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
If you wish to file a complaint, you can also use the complaint form available at https://www.lda.bayern.de/de/beschwerde.html.
We use various technical terms in this Privacy Statement which have the following meaning throughout this Privacy Statement:
|anonymisation||means rendering personal data anonymous in such a manner that the data subject is not or no longer identifiable taking into account all means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly.|
|Consent||is your clear affirmative act establishing a freely given, specific, informed and unambiguous indication of your agreement to the processing of your personal data. For clarification: If processing requires consent, we will obtain this separately. Taking note of this Privacy Statement does not replace consent.|
|controller||is us as the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.|
|data subject||is you, i.e. the natural person to whom the personal data refers.|
|direct marketing||is any marketing by which we approach you directly, for example by post or (if permissible) by telephone, e-mail or fax;|
|GDPR||is Regulation (EU) 2016/679, also known as the General Data Protection Regulation. You can find the full text here: https://gdpr-info.eu/|
|group of undertakings||comprises Hospitality Tech Holdings LLC (d.b.a NextGuest Technologies), One Penn Plaza, 48th Fl, New York, NY 10119 and all of its subsidiaries (as we are one).|
|guarantee(s)||includes standard data protection clauses adopted by the Commission, codes of conduct approved by the supervisory authority, and, in relation to the USA, the Privacy Shield Program, and all other measures intended to ensure an adequate level of protection with respect to data protection.|
|information society service (also referred to as a “web service” in this Privacy Statement)||is any service normally provided for remuneration, at a distance (i.e. without the parties being simultaneously present), by electronic means (i.e. by means of electronic equipment for the processing (including digital compression) and storage of data) and at the individual request of a recipient of services.|
|personal data||is any information relating to an identified or identifiable data subject. The term “identifiable” refers to those who can be identified directly or indirectly, especially by assignment to an identifier or to one or more special characteristics.|
|processing||means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|processors||are other entities which process personal data on our behalf.|
|profiling||is any form of automated processing of your personal data evaluating personal aspects, in particular to analyze or predict aspects concerning your personal preferences or interests, reliability or behaviour, location or movements.|
|pseudonymisation||means the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, whereby this additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.|
|recipients||are other entities to which we may disclose personal data, irrespective of whether they are third parties.|
|restriction of processing||is the restriction on the processing of stored personal data such that they are only processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest and that you are informed before this restriction is lifted.|
|third party||is anyone who is not a data subject, a controller or a processor;|
4. Scope: Processing Services for Hospitality Providers
We offer software and related services (software as a service, hosting, support) to hotels, agencies and other hospitality industry customers (collectively “Hospitality Provider(s)”). In the context of those services we process personal data of travelers, guests and other customers of the Hospitality Providers on behalf of those Hospitality Providers (“Processing Services”) on the basis of contract processing agreements which provide that personal data are processed only on behalf of, and in accordance with the instructions of, the Hospitality Providers.
We subcontract Processing Services to NextGuest Digital Europe, Tallinn, Estonia (“NextGuest Europe”), a member of our group of undertakings. We have concluded a contract processing agreement with NextGuest Europe to ensure that personal data are processed only on behalf of, and in accordance with the instructions of, the Hospitality Providers.
This Privacy Statement therefore does not apply to any Processing Services and such Processing Services are exclusively governed by the data protection policies of the respective Hospitality Provider. For further information you must refer to the privacy statement of the respective Hospitality Provider.
5. Processing in the Context of our Website, Newsletters and Other Web Services
In this Section we will inform you about how we process and use personal data in relation to you which we collect in connection with our website at www.nextguest.com, the dispatch of newsletters and other web services, and on the specific rights you have in this respect.
5.1. Processing in the Context of Visiting our Website
5.1.1. Information We Collect
When you visit our website, our web server will temporarily record the domain name or IP address of the requesting computer, the access date, the file request of the client (file name and URL), the HTTP response code and the website from which you are visiting us, the number of bytes transferred during the connection and, if applicable, other technical information that we use and statistically evaluate for the technical implementation of the website’s use (delivery of the content, guaranteeing the website’s functionality and security, protection against cyber attacks and other abuses).
It is necessary to store and process the information referred to above for the duration of your session in order to deliver our website content to your computer. We also store some of this information in the log files of our servers. We will not combine this information with your IP address or other personal data relating to you except as disclosed below.
This processing will take place for the fulfillment of the existing contract of use with you, as far as it serves the purpose of the technical implementation of the website’s use (legal basis for processing: Art. 6 no. 1 lit. b) of the GDPR) and to otherwise protect our legitimate interest in making our website as user-friendly, safe and attractive as possible and in promoting the sale of our products and services (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). We will assume that your interests do not conflict with this, because the measures described below are taken in order to limit processing to an appropriate degree.
We will also use the data described above to draw conclusions about your interests from your use and to adapt our website’s offerings according to your interests (profiling) in order to make our website as user-friendly, safe and attractive as possible and thus promote the sale of our products and services. We do this for the preservation of our aforementioned legitimate interests (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR) and, where applicable, on the basis of your consent as described in Sec. 5.1.2 (legal basis for processing: Art. 6 no. 1 lit. a) of the GDPR). For further information please refer to the following Section 5.1.2.
5.1.2. Cookies, Analysis and Tracking
5.1.2.1. Types of Cookies
There are two different types of cookies used:
Session Cookies: Also called transient cookies, these are cookies that are temporarily stored in your browser for the duration of a browser session. They typically store information in the form of a session identification and no further information personally identifying you.
Persistent Cookies: Also called permanent or stored cookies, these are cookies that are stored on your hard drive until they expire (persistent cookies are set with expiration dates) or until you delete the cookie. Persistent cookies are used to collect identifying information, such as web surfing behavior or user preferences for a specific web site.
We employ the following types of cookies:
- Required Cookies (see Sec. 5.1.2.3)
- Functionality Cookies (see Sec. 5.1.2.4)
- Targeting / Advertising Cookies (see Sec. 5.1.2.5).
These cookies are a mixture of first party cookies, which we set ourselves, and third-party cookies, which are set by other websites.
5.1.2.2. Cookie Functions
- Personalization – For example, your language preference is remembered.
- Session Management - To ensure that your session is routed to the correct system for the duration of your visit.
- Usage Tracking – We use the analytics described in Sec. 5.3 to provide analysis of our users’ on-going usage of the website. This allows us to adapt our website’s offerings according to our users’ interests and facilitates on-going improvements to the website.
- AB Testing / Multivariate Testing - We can display multiple versions of a page to a user to assess which generates the best user experience.
- Advertising - We can display advertising content depending on location, language, and your past browsing history.
5.1.2.3. Required Cookies
We use a number of cookies which are strictly necessary to allow you to access our websites, to move between pages and to receive services which you have requested.
The types of data collected are:
- session identifier
- IP address, and information generated from anonymized IP address that includes
- a computer host name
- geographic location
- time of visit
- webpage URL
- referring website
- security tokens (for authentication and information submission, like RFP forms)
The following is an example of a strictly necessary cookie which we use:
- Authentication Cookies: Provide an authentication method of a secure log-in.
5.1.2.4. Functionality Cookies
We use functionality cookies to allow us to remember your preferences. For example, cookies save you the trouble of selecting your language or currency every time you access the website and recall your customization preferences.
We utilize other cookies to analyze how our visitors use our websites and to monitor website performance. This allows us to provide a high-quality experience by customizing our offering and quickly identifying and fixing any issues that arise. For example, we might use performance cookies to keep track of which pages are most popular, which method of linking between pages is most effective, and to determine why some pages are receiving error messages.
The following is an example of a functionality cookie which we use:
- Adobe Website Analytics: Refer to Section 5.3 for more details.
In order to maximize your user experience NextGuest collects, analyzes and stores information such as time on site, pages visited, bookings initiated and completed, traffic type (paid organic, etc.), geographic and demographic information and web browser and device type in order to offer you more relevant content when you re-visit our sites. In order to protect your privacy, this information is processed to make it less personally identifying, e.g. IP addresses are truncated (the trailing octet of the IP address is replaced with 0's) before geo-coding and storing, email addresses and other personally identifying information are hashed in an irreversible manner, etc.
We also allow certain third-party advertisers and partners to collect information about your use of the website through first and third-party cookies in order to serve adverts to you. They may also analyze this data in order to serve adverts to you on other third-party websites.
We also work with advertisers in order to display our advertisements on third party websites, based on cookies set on your visit to this website. Advertising/targeting cookies may also be used to track your responses to particular adverts, which helps advertisers ensure that you see the most relevant advertisements in future on third party websites.
The following is an example of a targeting/advertising cookie which we use:
- DoubleClick: These cookies may also be used by advertisers to allow third parties to serve advertisements to you when you are on other sites. These ads may be adapted to be relevant to you based on your use of the website. This is done on an anonymized basis, using non-personally identifiable information.
The types of data used include online identifiers, including cookie identifiers, IP addresses and device identifiers, imprecise location data (based on your IP address) or precise location data (if you have set your system to allow transmission of geolocation information), and client identifiers.
Types of targeting enacted based on cookies include:
- Demographics: Target ads based on how well products and services trend with users in certain locations, ages, genders, and device types.
- In-market: Show ads to users who have been searching for products and like-services.
- Custom intent audiences: Choose words or phrases related to the people that are most likely to engage with sites and make purchases by using "custom intent audiences."
- Similar audiences: Target users with interests related to those on remarketing lists.
- Remarketing: Target users that have already interacted with our ads, website, or app.
We do not control the information collected by such partners or advertisers in connection with our website or the further use of information we may provide to them for the aforementioned services, and they do not process such data on our behalf. Only the data protection policies of those third parties as the respective controllers of such data will apply to their processing of such data.
Please see the following sites for more information about specific advertisers and their data policies:
- Google: https://policies.google.com/technologies/ads
- Microsoft: https://privacy.microsoft.com/en-us/privacystatement.
5.1.3. Cookie Consent
You can prevent or restrict the storage of cookies on your hard disk by setting your browser not to accept cookies or to request your permission before setting cookies. Once cookies have been set, you can delete them at any time. Please refer to your browser's operating instructions to find out how this works. If you do not accept cookies, this can lead to restrictions in the use of our service.
5.1.4. Data Retention and Deletion
Log files are deleted after 120 days. Session cookies expire and are deleted at the end of your browser session. Persistent cookies (including the cookie described in Sec.126.96.36.199) may be set to expire from 30 days to 1 year depending on the function of the cookie. After expiry of those periods, information will be deleted or made anonymous.
5.1.5 Operation of NextGuest CRM’s Website by NextGuest
5.1.5.1. NextGuest CRM’s website is operated on our behalf by NextGuest, One Penn Plaza, 48th Fl, New York, NY 10119, USA. This means that NextGuest CRM (including your user account and registration information for newsletters) is physically hosted on servers operated for NextGuest by Amazon Web Services, Inc. (“AWS”) located in the USA.
5.1.5.2. NextGuest is a member of our group of undertakings. The USA is considered an unsafe third country as it pertains to the privacy of personal information. We have concluded a contract processing agreement with NextGuest to ensure that the website is operated, and personal data is processed, only on our behalf and in accordance with our instructions. The contract processing agreement contains guarantees for an adequate level of protection in the form of incorporation of the standard data protection clauses adopted by the Commission for this purpose.
5.1.5.3. NextGuest has similarly concluded a contract processing agreement with the Cloud Services Provider to ensure that the website is hosted, and personal data is processed, only on its behalf and in accordance with its instructions.
5.2 Use of Adobe Analytics
5.2.1. Our website uses Adobe Analytics, a web analysis service of Adobe Systems (https://www.adobe.com/about-adobe.html), 345 Park Avenue, San Jose, CA 95110-2704, USA ("Adobe").
5.2.2. You can find further information on how Adobe uses information from sites or apps that use its services here: https://www.adobe.com/privacy/marketing-cloud.html
5.2.3. Adobe Analytics uses so-called “cookies”, which are text files placed on your computer, to help the website analyze how users use the site (see Section 5.1). The information generated by the cookie about your use of this website such as
- browser type and version,
- operating system of your computer,
- referrer URL (i.e. the page last visited),
- host name of accessing computer (IP address),
- date and time of server request
is transferred to an Adobe server and stored there. In order to render the information stored on Adobe’s servers not personally identifying, we use Adobe Analytics with activation of the setting “Before Geo-Lookup: Replace visitor’s last IP octet with 0”. By activating “Before Geo-Lookup: Replace visitor’s last IP octet with 0” we ensure that the user’s IP address is anonymized by replacing the last eight digits by zero prior to geo-localization. For statistical analysis the imprecise location of the user is added to the tracking package which includes the IP address.
5.2.4. We use Adobe Analytics for the purposes set forth in Section 5.1 and the preservation of our legitimate interest described therein (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR) and, where applicable, on the basis of your consent as described in Sec. 5.1.3 (legal basis for processing: Art. 6 no. 1 lit. a) of the GDPR).
5.2.5. We have concluded a contract processing agreement with Adobe Systems Software Ireland Limited to ensure that personal data is processed only on our behalf and in accordance with our instructions. The contract processing agreement with Adobe contains guarantees for an adequate level of protection in the form of Adobe's participation in the Privacy Shield Program.
5.3 Use of Marketo Marketing Automation
5.3.1. Our website uses the marketing automation system of Marketo EMEA Ltd., Cairn House, South County Business Park, Leopardstown Road, Dublin 18, Ireland (“Marketo”) for functionality of our website such as the collection and processing of information you submit through a form, for statistical analysis of user access and – with your consent (Sec. 5.1.3) – also to provide individualized content to you based on tracking your use of the website through a “cookie”, which is a text file placed on your computer (see Section 5.1).
5.3.2. We use Marketo marketing automation for the purposes set forth in Section 5.1 and the preservation of our legitimate interest described therein (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR) and, where applicable, on the basis of your consent as described in Sec. 5.1.3 (legal basis for processing: Art. 6 no. 1 lit. a) of the GDPR).
5.3.3. We have concluded a contract processing agreement with Marketo to ensure that personal data is processed only on our behalf and in accordance with our instructions.
5.4 Processing in the Context of Newsletters
5.4.1. If you register via our website or by other means to receive electronic newsletters, we will store and process your registration data (the registration form will show you which registration data we collect and store and whether entries are mandatory or voluntary) for an unlimited period of time until you unsubscribe or we cancel the newsletter dispatch in order to fulfil the existing contract with you for the receipt of the newsletter (legal basis for processing: Art. 6 no. 1 lit. b) of the GDPR). The IP address assigned to you by the internet service provider (ISP), and the date and time of registration will also be stored when you register. The purpose of this is to protect our legitimate interest in preventing and, if necessary, prosecuting misuse of our services (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). In addition, we will store and process your consent to receive the newsletter for the retention period specified below. This serves to protect our legitimate interest in being able to prove in the event of a dispute that you wished to receive the newsletter (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR).
After termination of your registration for the receipt of newsletters, we will retain the registration data, the IP address, date and time of registration and your consent for up to six months. This serves to protect our legitimate interest in being able to restore this data in the event of unintentional deletion; or in establishing, exercising or defending legal claims in connection with the registration for, and consent to, receipt of newsletters (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). We will assume that your interests do not conflict with this, because the retention period is appropriate with respect to the interests to be protected.
5.4.2. The registration for our newsletter which is powered by Marketo Marketing Automation (see Sec. 5.3) takes place in a so-called double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary to prevent unauthorized use of your e-mail address by another person.
5.5 Processing in the Context of Registration or Use of the Contact Form
5.5.1. If you register on our website and create a user account (the registration form will show you which registration data we collect and store and whether entries are mandatory or voluntary), all personal data collected in connection with this user account will be stored in this user account until you request to delete the user account or until we cancel the user account for the performance of our contractual relationship on use of the respective website or web service (legal basis for processing: Art. 6 no. 1 lit. b) of the GDPR). The IP address assigned to you by your internet service provider (ISP), and the date and time of registration will also be stored when you register. The purpose of this is to protect our legitimate interest in preventing and, if necessary, prosecuting misuse of our services (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR).
After de-registration of your user account, we will retain all data for up to six months. This serves to protect our legitimate interest in being able to restore this data in the event of unintentional deletion; or in establishing, exercising or defending legal claims in connection with our contractual relationship (legal basis for processing: Art. 6 no. 1 lit. a) of the GDPR). We will assume that your interests do not conflict with this because the retention period is appropriate with respect to the interests to be protected.
5.5.2. Our website contains a contact form, powered by Marketo Marketing Automation (see Sec. 5.4), which you can use to submit communications to us. When submitting information through the contact form, you are required to enter certain information which we will use for responding to your request. The contact form enables you to submit additional information on a voluntary basis.
5.5.3. If you provide us with personal data via the user account or the contact form for a purpose beyond the use of the website or respective web service, such as sending us an offer or product information, we will also store and process this data for this purpose. In order to find more information on how we store and process such data, you will need to refer to the Section of this Privacy Statement that is pertinent to the respective purpose (especially Sections 7 and 8 et seq.).
5.6. Additional Recipients and Guarantees
5.6.1. We share data with other companies of our group of undertakings. For further information on this and on the safeguards we have put in place in this respect, please refer to Sec. 12 below.
5.6.2. Newsletters will be sent to the e-mail address you have provided. If your e-mail provider is located in an unsafe third country, the transfer will nonetheless be made to fulfill the contract with you and in accordance with your instructions.
5.7. Additional Information on Purposes and Retention Periods
If you register to use the website or receive a newsletter or complete a contact form and you are already a customer, or if a customer relationship is subsequently established, the information from the registration or contact form for your customer account will be saved and the information in Section 8 shall apply.
Even if a customer relationship does not exist and is not subsequently established, we will also store your registration and the object of your interest in our database of prospective customers and the information in Section 7 will then apply.
6. Processing in the Context of our Telephone Hotline
6.1. In this Section we will inform you about how we process and use personal data in relation to you that we collect in connection with calls to our telephone hotline and on the specific rights you have in this respect.
6.2. When you call our hotline, our representative will record your name, the date and time of your call and the content of your request in a call log. If you are registered with us in the customer database, this information will be stored in your customer account and the information in Section 8 will then apply. If you express interest in a product or service and there is no customer relationship, this information will be stored in our database of prospective customers and the information in Section 7 will then apply. In all other cases we will record your details in a separate database for call logs.
We will store and process the above information to perform the contractual relationship with you with respect to the delivery or service to which the call relates on the one hand (legal basis for processing: Art. 6 no. 1 lit. b) of the GDPR), and on the other hand, to safeguard our legitimate interest, in view of your request, in improving our deliveries and services to meet your individual requirements and thus promote the sale of our products and services, if necessary to offer you additional products or services in line with your interests, to document the content of your request for the establishment, exercise or defense of legal claims (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). Unless a longer retention period described in Sec. 14 applies, call logs will be retained for 6 months after the call.
6.3. We share data with other companies of our group of undertakings. For further information on this and on the safeguards we have put in place in this respect, please refer to Secs. 12 and 16 below.
7. Processing in the Context of our Database of Prospective Customers
7.1. In this Section we will inform you about how we process and use the personal data in relation to you that we collect when you express an interest in our products or services and on the specific rights you have in this respect.
7.2. If you express your interest in our products or services by making an enquiry (e.g. at a trade fair or conference, by e-mail, or via the contact form), we will store your contact data and the subject of your interest in a separate database for prospective customers.
7.3. We will store and process this data in order to process your inquiry and also to safeguard our legitimate interest, in view of your request, in improving our deliveries and services to meet your individual requirements and to thus promote the sale of our products and services and, if necessary, to offer you additional products or services in line with your interests (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR).
7.4. If your request results in a customer relationship, the data will be transferred to our customer database (cf. Section 8). If no customer relationship is established, the data will be deleted 2 years after the last correspondence with you.
7.5. We share data with other companies of our group of undertakings. For further information on this and on the safeguards we have put in place in this respect, please refer to Sec. 12 below.
7.6. We refer to Sections 13 et seq. for further information regarding the possible recipients and storage periods of the above information.
7.7. You can object to the use of your data for direct marketing purposes at any time (cf. Section 15.7).