PRIVACY STATEMENT
(GET LOCAL AUSTRIA)

Release 30.09.2023

By using our website, you agree to this privacy policy and the use of cookies. Protecting your personal data is important to us. This privacy policy explains the nature, scope and purpose of the collection and use of data from visitors and users of www.get-local.com.

Responsible person and contact

The person responsible for processing your personal data is:

GET LOCAL AG
Gräbligasse 4

8001 Zurich
SWITZERLAND

Together with the sales/licensing company for Austria

GET LOCAL GMBH

Zetschegasse 15
1230 Vienna

AUSTRIA

With which an agreement on joint responsibility in accordance with Art 26 of the GDPR was concluded.

If you have any questions or suggestions regarding data protection or would like to assert your rights, please feel free to contact us at the following email: info@get-local.com

To provide clarity, any data processed by activity providers that offer their service on the GET LOCAL platform is subject to their respective privacy policies and is governed by their respective privacy statements. Activity providers act as separate data controllers.

2. Subject matter of data protection

The subject of data protection is personal data, i.e. all information relating to an identified or identifiable natural person. Personal data is also referred to simply as data below.

3. Automated data collection

When you access our website, your device automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us: URL of the retrieved page, latency of the network connection, date and time

We store this data for the following purposes:
for load balancing, i.e. to distribute access to our website across multiple devices and to be able to offer you the fastest possible loading times;
to ensure the security of our IT systems, e.g. to defend against specific attacks on our systems and to identify attack patterns;
ensuring the proper operation of our IT systems, e.g. when errors occur that we can only fix by saving the IP address;
to enable prosecution, security or legal prosecution in the event of specific evidence of criminal offences.

Your IP address is only stored for a period of 30 days.

In this case, processing is carried out to ensure the security of processing in accordance with Article 32 GDPR and on the basis of our legitimate interest in protecting us from misuse of our service (Article 6 (1) (f) GDPR).

4. GET LOCAL account

4.1. registry

Name/Surname
email address
password

Your registration data is required to set up and manage a user account for you. In this case, you conclude a (free) user contract with us, on the basis of which we collect this data (Art. 6 para. 1 lit. b GDPR). In order to be able to conclude the contract, you must provide us with this data. However, you are neither contractually nor legally obliged to conclude the contract and thus to provide the data.

4.2. favourites

After you have created a customer account, you can create favorite lists of activities and tours and share your favorites with other users. Your data is processed for these purposes in order to be able to provide you with the appropriate functions (Art. 6 para. 1 lit. b GDPR).

5. Requests/customer service

5.1. Processing inquiries

Your request will be processed by our contract processor, Mero Mobilitäts AG based in Switzerland. Mero Mobilitäts Services GmbH uses the services provided by Düzce Telefonzentrale Inc. based in Turkey (“Düzce”) to process inquiries. Your requests are therefore stored on Düzce's servers. There is no adequacy decision by the EU Commission for Turkey. We have therefore concluded the standard data protection clauses approved by the EU Commission in accordance with Art. 46 (2) lit. c GDPR. The data is also stored in Frankfurt, Germany (Amazon Web Services).

5.2. Storage and evaluation of telephone calls

Telephone calls will only be stored and evaluated if you have given us your prior consent. We will use this data exclusively for the purpose of improving our customer service. The recordings are deleted after three months. The legal basis is Article 6 (1) (a) GDPR. You have the option to withdraw your consent at any time by contacting one of the contact channels mentioned in this privacy policy. This does not affect the lawfulness of the processing carried out by us up to your withdrawal.

6. Technical service providers

We use technical service providers for hosting and some of the services required for the website. Accordingly, the data is processed on the servers of these service providers. These service providers only process the data in accordance with our express instructions and are required to ensure sufficient technical and organizational data protection measures. Our service providers therefore work for us as so-called contract processors within the meaning of Article 28 GDPR.

6.1. Website hosting

To host our website, we use the services of Amazon Web Services EMEA S.a.r.l. (“AWS”) based in Luxembourg. When you interact with our website or provide personal data, it is therefore processed on AWS servers. We only use servers located in the European Union. In order to cover remote maintenance and similar constellations, we have concluded the standard data protection clauses approved by the EU Commission in accordance with Art. 46 (2) lit. c GDPR.

6.2. email system

To send emails, we use the Sendgrid service from Twilio Inc based in the USA (“Twilio”). There is no adequacy decision for the USA. With Twilio, we have therefore concluded the standard data protection clauses approved by the EU Commission in accordance with Art. 46 (2) lit. c GDPR.

7. Bookings & payments

7.1. reservations

When you book a service, tour, activity or similar on our site, we collect the data necessary to carry out the tour. This usually includes the following information: first and last name, email address, telephone number, number of participants, date and time. Depending on the activity booked, it may also be necessary for us to collect further information, such as your flight number or the age of the participants. The processing carried out in connection with this is based on Art. 6 para. 1 lit. b GDPR. To the extent necessary, we will transfer your data to the provider responsible for the tour or activity, who will process your personal data as an independent data controller in accordance with their privacy policy. Insofar as this requires transfer to a third country outside the European Economic Area, this is based on Art. 49 para. 2 lit. b, c GDPR.
If you make bookings through partner sites, you will be redirected to provide your personal information — as described above — and complete the booking process on the GET LOCAL website. On some partner websites, your information is collected by the partner as a separate data controller in accordance with their privacy policies. We receive the data necessary to complete the booking from the partner.
On other websites that work with us to be able to integrate booking offers directly with them, both the partner and GET LOCAL act as separate data controllers for processing your personal data.

7.2. booking confirmations

To keep you up to date with your bookings, we'll send you booking confirmations as well as reminders and updates for upcoming bookings (such as when start times or meeting points have changed). This is how we ensure that you have all the information you need to take advantage of the booked service. Booking confirmations are delivered to your email address and/or sent as an SMS to the phone number you provided during the booking process. We process your personal data in order to be able to offer you these options of our service (Art. 6 para. 1 lit. b GDPR).

7.3. payments

You have various options for paying for your booking. Depending on the payment method selected, we process the required data. In this context, your personal data is processed as described below, each of which is based on Art. 6 para. 1 lit. b GDPR and is necessary to carry out the payment method you have chosen.

7.3.1. Credit card payments

To process payments by credit card, we use the service provider Adyen N.V. (“Adyen”) based in the Netherlands or Stripe Inc. (“Stripe” based in the USA. The data provided during your payment will be forwarded by Adyen or Stripe to the respective banks or financial institutions to process the payment. When paying by credit card, we only receive the information that a payment has been made or not — together with the last 4 digits of the credit card number. We therefore have no knowledge of your full credit card number.

7.3.2. Payment via PayPal

If you have a PayPal account, you can also process your payment via PayPal. In addition to information about a payment that has been made, we will receive from PayPal your e-mail address stored with PayPal and your address.

7.4. Chargebacks

In the event of chargebacks, we transfer the necessary data to Adyen or Stripe to process a chargeback. The required data includes your name, booking information, telephone number and payment information. Ayden or Stripe will then process the chargeback with your bank or PayPal, Ayden, Stripe. Processing is carried out as part of the execution of the contract (Art. 6 para. 1 lit. b GDPR) and on the basis of our legitimate interest in the effective processing of chargebacks (Art. 6 para. 1 lit. f GDPR).

8. fraud prevention

In order to protect us and the providers of activities from fraudulent bookings, we evaluate the information provided by our customers when booking, including the data transmitted technically from their device, insofar as this is necessary to protect our legitimate interest and that of the providers of activities in reliable bookings (Art. 6 para. 1 lit. f GDPR).
For this purpose, we use services from Adyen N.V. (Netherlands) and Stripe (USA). There is no adequacy decision by the EU Commission for the USA. We have therefore concluded standard data protection clauses approved by the EU Commission in accordance with Article 46 (2) lit. c GDPR with Stripe Inc.

9. cookies

We use so-called “cookies” to be able to offer certain features of our website and to optimize the use of our website. “Cookies” are small files that are stored on your device using your Internet browser.
Specifically, we use the following cookies (unless further cookies are specified elsewhere in this privacy policy or our cookie consent):
Session cookies: These cookies are required to store certain technical data during your visit to our website, for example to determine whether you have logged in.
Persistent cookies: These cookies are required to store data beyond a browsing session, if you wish.
The legal basis for the use of these cookies is § 15 para. 1 TMG and Art. 6 para. 1 lit. b DSGVO, insofar as they are necessary to use our website and the functions you have requested. In addition, we use cookies — as described below — on the basis of consent given by you. You can withdraw your consent at any time via our settings.

10. Marketing and remarketing services

10.1. Google services

We use the services described below from Google LLC, 1600 Amphitheatre Pkwy Mountain View, California 94043, USA (“Google”). There is no adequacy decision by the EU Commission for the USA. We have therefore concluded the standard data protection clauses approved by the EU Commission in accordance with Article 46 (2) lit. c GDPR.
Basic information about the processing of your personal data by Google can be found here: https://policies.google.com/privacy?hl=de.
You also have the following settings options on Google:
You can turn off personalized advertising from Google: https://adssettings.google.com/anonymous?hl=en&sig=ACi0TCie_PP0WXzD2NDiHGJny9ca0PSQVyMysggnxws0C7Hxy7edd8F9O3

gyme7jne3bplgplmt8pu3ifpjynpihlel7fsn5hxwg8eheqabcywx-v9new3m
You can turn off personalized advertising on a device-based basis: (https://support.google.com/ads/answer/1660762?hl=en-GB#mob)
You can disable personalized advertising on a browser-based basis: (http://optout.networkadvertising.org/?c=1)

10.1.1 Google Analytics 360

If you have agreed, we use Google Analytics 360, a web analysis service. Google Analytics 360 collects pseudonymous data from you about the use of our website, including your abbreviated IP address, and uses cookies. This data is transferred to a Google server in the USA and stored there. Google will use this information to evaluate your use of the website for us, to create reports on the use of our website and to generate further analyses and evaluations associated with the use of our website and Internet usage. Google may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google.
Your data will be stored by Google Analytics for a period of 14 months. After this period, the data will be deleted and only aggregated statistics will be kept.
The use of Google Analytics is based on your consent (Art. 6 para. 1 lit. a GDPR).
You can withdraw your consent at any time and deactivate Google Analytics using a browser add-on. You can download it here: http://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you can withdraw your consent as described here: https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out. You can also withdraw your consent via our settings. This does not affect the lawfulness of the processing carried out up to your withdrawal.

10.2. linkedin
You can find our LinkedIn account at: https://www.linkedin.com/company/GET local-AG/
For users based in the European Economic Area and Switzerland, LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn Ireland”). LinkedIn's privacy policy can be found here: https://www.linkedin.com/legal/privacy-policy?trk=organization-guest_footer-privacy-policy. It also contains information about the settings options for your LinkedIn profile.
Please note that LinkedIn also transfers personal data to third countries outside the European Economic Area for which there is no adequacy decision by the EU Commission. Insofar as such a transfer takes place, LinkedIn will use the standard data protection clauses approved by the EU Commission. You can find relevant information under https://www.linkedin.com/help/linkedin/answer/62533.
Finally, we receive non-personal information and analyses from LinkedIn about the use of our account or about interactions with our contributions. With this information, we can analyze and optimize the effectiveness of our LinkedIn activities. The processing carried out in this context is based on our legitimate interest in optimising our LinkedIn activities (Article 6 (1) (f) GDPR).

11. Sharing data

In addition to the cases described, your personal data will only be passed on without your express prior consent in the following cases:
If it is necessary to investigate illegal use of our services or for legal prosecution, personal data will be forwarded to law enforcement authorities and, where appropriate, to injured third parties. However, this only happens if there is concrete evidence of illegal or abusive conduct. Disclosure may also take place if this serves to enforce terms of use or other agreements. We are also required by law to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offenses subject to fines, and tax authorities.
This data is passed on on the basis of our legitimate interest in combating misuse, prosecuting criminal offences and securing, asserting and enforcing claims and provided that your rights and interests in protecting your personal data do not prevail, Art. 6 para. 1 lit. f DSGVO, or due to a legal obligation under Art. 6 para. 1 lit. c GDPR.
We share personal data with auditors, accounting service providers, lawyers, banks, tax advisors and similar bodies, insofar as this is necessary for the provision of our services (Art. 6 para. 1 lit. b GDPR) or for proper business operations (Art. 6 para. 1 lit. c GDPR).
We rely on contractually affiliated external companies and external service providers (“contract processors”) to provide the services. In such cases, personal data is passed on to these contract processors to enable them to continue processing. These processors are carefully selected by us and regularly reviewed to ensure that your rights and freedoms are protected. The contract processors may only use the data for the purposes specified by us and are also contractually obliged by us to process your data exclusively in accordance with this privacy policy and German data protection laws.
The transfer of data to contract processors is based on Article 28 (1) GDPR.
As part of the development of our business, the structure of GET LOCAL may change by changing the legal form, establishing, buying or selling subsidiaries, parts of companies or components. In such transactions, customer information is shared together with the part of the company to be transferred. Any transfer of personal data to third parties to the extent described above, we will ensure that this is done in accordance with this privacy policy and the relevant data protection laws.
Any transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to economic and legal circumstances as required (Art. 6 para. 1 lit. f GDPR).

12. Deleting your data

We delete or anonymize your personal data as soon as it is no longer necessary for the purposes for which we collected or used it in accordance with the preceding paragraphs. We will also continue to store your data if we are required to do so for legal reasons or if the data is needed for a longer period of time for criminal prosecution or to secure, assert or enforce legal claims.
If you delete your user account, your profile will be completely and permanently deleted. However, we keep backup copies of your data to the extent and for as long as this data is required for legal reasons or for criminal prosecution or to secure, assert or enforce legal claims.
If data must be stored for legal reasons, processing will be restricted. The data is then no longer available for further use.
Storage beyond the contractual relationship is based on our aforementioned legitimate interests in accordance with Art. 6 para. 1 lit. f DSGVO.

13. Your rights as a data subject

With regard to the processing of your personal data, you have the rights described below. To assert your rights, you can submit a request here, by post or by e-mail to the address given above.

13.1. Right to information

You have the right to receive information from us at any time upon request about the personal data processed by us and concerning you to the extent and under the conditions of Article 15 GDPR and Section 34 BDSG.

13.2. Right to correct incorrect data

You have the right to request us to correct personal data concerning you without undue delay if it is incorrect.

13.3. Right to delete

You have the right to request that we delete personal data concerning you under the conditions described in Article 17 GDPR and Section 35 BDSG. In particular, these requirements provide for a right of deletion if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed and in cases of unlawful processing, the existence of an objection or the existence of an obligation to delete under Union law or the law of the Member State to which we are subject.

13.4. Right to restrict processing

You have the right to request that we restrict processing in accordance with Article 18 GDPR. This right exists in particular if the accuracy of the personal data is disputed between the user and us, for the period required to verify the accuracy, and in the event that the data subject requests restricted processing in the event of an existing right to deletion instead of deletion; furthermore in the event that the data is no longer required for the purposes pursued by us but the user needs it to assert, exercise or defend legal claims, as well as if the successful The exercise of an objection between us and the user is still disputed.

13.5. Right to data portability

You have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used, machine-readable format in accordance with Article 20 GDPR.

13.6. Right of objection

For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you, which is based, among other things, on the basis of Article 6 (1) (e) or (f) GDPR. We will then stop processing your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

13.7. Right to lodge a complaint

If you have a complaint, you have the right to contact a supervisory authority of your choice.

13.8. Data processing when exercising your rights

Finally, we would like to point out that we process the personal data you provide when exercising your rights in accordance with Articles 15 to 22 GDPR for the purpose of implementing these rights and to be able to provide proof of this. This processing is based on the legal basis of Article 6 (1) (c) GDPR in conjunction with Articles 15 to 22 GDPR and Section 34 (2) BDSG.

14. Changes to this privacy statement

The current version of this privacy policy is always available at https://get-local.com/privacy retrievable.

As of September 30, 2023