Privacy policy and additional privacy information
As of January 22, 2026 Version 2.4
Information on the handling of your personal data at Mainau GmbH
1. A first overview
When we collect your data, we must inform you in a clear and comprehensible manner about how we handle your personal data. You will find a brief overview here and detailed information in the following sections:
who our company is and how you can contact us or our data controller; we will provide you with the relevant contact details there;
the purpose for which we will use your personal data;
which categories of your personal data we process;
the legal basis on which we process your personal data;
how long we store your personal data;
which recipients may receive your personal data;
whether the personal data will be transferred to a country outside the EU;
that you have basic rights in the area of data protection, e.g. in relation to:
Information
Correction
Deletion
Restriction of processing
Data portability
Objection or
detailed information on automated decision-making.
You will also find further information on the handling of data from external and internal applicants,
on the handling of data in the context of the use of our websites, our web stores and online presences on social media portals,
on the handling of your data when using our newsletter service,
for the use of cloud services,
and for the use of GPS location and movement data when using our "Digital visitor information" web application.
Please remember that personal data is required as part of our business activities. Without personal data, we will not be able to fulfill your wishes, manage you as a contractual partner or provide you with information about our activities, services or our company. Naturally, we will only collect the data required for this purpose. If we request additional data from you, we will inform you of this and point out that this information is voluntary. Incidentally, we do not carry out any automated decision-making processes.
Data protection is very important to us. We would therefore like to inform you comprehensively and comprehensibly about how we process your personal data - naturally in compliance with the applicable legal provisions, such as the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant data protection regulations. We have defined how we handle personal data in our data protection management system and act accordingly.
If you think that our privacy policy could be improved, we would be pleased to receive your comments and suggestions.
In addition, you can contact us directly at any time, or contact the responsible data protection supervisory authority (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Postfach 10 29 32, 70025 Stuttgart, Germany, phone: +49 (0)711/61 55 41-0, email: poststelle@lfdi.bwl.de, https://www.baden-wuerttemberg.datenschutz.de/) and lodge a complaint there if necessary.
Our privacy policy and the other information on data protection are regularly reviewed and adapted as part of our data protection management. The latest version will be published on this page.
2. Detailed information:
Contact details
Contact details of the person responsible
Mainau GmbH
78465 Mainau Island
Germany
Phone: 07531-303-0
E-Mail: info@mainau.de
Contact details of the data protection officer
A legally prescribed data protection officer has been appointed for our company and can be contacted by post at the address of the controller given above with the addition DATA PROTECTION or by e-mail at the e-mail address:
reachable.
3. Purpose
Which data we process in detail and for what purpose we use it depends on the services you use with us. Details on the purposes of our data processing can be found in the respective contract documents, forms, declarations of consent and other information provided to you in this context. This data protection information is part of our contractual texts, website or other documents that we provide or have provided to you. Essentially, we process personal data by default for the following purposes:
Customer and supplier management
Visitor management
Applicant management
Employee administration
Order management/order processing
Operation of our websites and our web stores
Publications on our websites and on social media portals
Management of training and event participants
In addition, we process your data in the cases listed below for the purpose of
the dispatch (by post, e-mail, etc.) of company information,
Communication with you (analog and digital)
obtaining information from credit agencies
the use of your e-mail address for marketing purposes, newsletters, competitions, etc., provided you have given us your consent to do so
the fulfillment of legal requirements, such as tax laws, compulsory insurance, etc.
the fulfillment of legal safety, control and reporting obligations
the archiving of data for security purposes and to fulfill obligations to provide evidence
disclosure in the context of official/judicial measures
the implementation of video conferences
to provide location-based digital visitor information based on your GPS location and movement data, provided you have given us your consent to do so
4. Categories
Depending on your use of our offer or the existing contractual relationship with you, we may process the following categories of your personal data:
Master data (e.g. name, telephone number, e-mail address, postal address, etc.), of customers (including potential customers), suppliers and service providers (including potential suppliers), of visitors, of employees within the scope of the employment relationship, of applicants, training and event participants, other interested parties and other categories of persons associated with the aforementioned persons who may be involved within the scope of the respective affiliations (e.g. family members, employees of service providers and/or suppliers, etc.).
Contact details for the aforementioned categories of persons (addresses, telephone numbers, e-mail addresses, etc.)
Transaction data relating to the aforementioned categories of persons (interests, orders, participation in training courses and events of all kinds, etc.)
Position and movement data (GPS tracking)
Bank details and data on payments and, if applicable, creditworthiness
Date of birth
Usage data on websites, web stores and customer portals offered by us (IP address, time of accessing pages, pages visited, etc.)
Consent data, for the documentation of granted / revoked consent
5. Legal basis
If you are in an employment relationship with us, we process your personal data for the establishment, execution and termination of the associated contractual relationship on the basis of Art. 6 para. 1 lit. b in conjunction with Art. 88 GDPR and §26 BDSG.
If we are in another contractual relationship or communicate in the context of pre-contractual measures, the processing of personal data takes place for the execution of related contracts, implementation of measures and activities in this context. This processing is based on Art. 6 para. 1 lit. b GDPR.
In addition, we process your data for the purposes listed below on the basis of the following legal bases:
Customer management (Art. 6 para. 1 lit. b GDPR)
Visitor management (Art. 6 para. 1 lit. b and f GDPR)
Supplier management (Art. 6 para. 1 lit. b GDPR)
Employee administration (Art. 6 para. 1 lit. c GDPR)
Applicant management (Art. 6 para. 1 lit. a and b GDPR in conjunction with Art. 88 GDPR, § 26 BDSG)
Administration (Art. 6 para. 1 lit. c GDPR)
Operation and hosting of the company's websites and web stores, in particular to provide you with the requested page content and to ensure the necessary security during their operation (Art. 6 para. 1 lit. f GDPR)
Publication of photos on the websites and social media portals (Art. 6 para. 1 lit. a GDPR), provided you have given us your consent to do so
Market and opinion research (Art. 6 para. 1 lit. a GDPR), provided you have given us your consent to do so
Use of your e-mail address for marketing purposes, newsletter (Art. 6 para. 1 lit. a GDPR), provided you have given us your consent to do so
Provision of location-based digital guest information based on your GPS position and movement data (Art. 6 para. 1 lit. a GDPR), provided you have given us your consent to do so
Compliance with legal requirements, such as tax laws, etc. (Art. 6 para. 1 lit. c GDPR)
Fulfillment of legal control and reporting obligations (Art. 6 para. 1 lit. e GDPR)
Age verification when ordering in our online store to comply with the Youth Protection Act, legal obligation (Art. 6 para. 1 lit. c GDPR)
Archiving of data for security purposes (Art. 6 para. 1 lit. c and, if applicable, f GDPR)
Fulfillment of obligations to provide evidence (Art. 6 para. 1 lit. c GDPR)
Disclosure in the context of official/judicial measures (Art. 6 para. 1 lit. e GDPR)
In the event that we process further personal data about you on the basis of Art. 6 para. 1 lit. f GDPR - in the sense of a balancing of interests - we will inform you separately in advance.
6. Storage
We only process and store your data for as long as is necessary for our activities and purposes or as required by legal retention obligations (e.g. HGB, AO, etc.). In individual cases, this may result in personal data being stored for several years.
7. Recipients
In principle, your personal data will only be made available to internal or external recipients who need it to fulfill contractual or legal obligations or to perform their tasks. This means that data is only passed on or disclosed
to entities that process data as processors or in joint responsibility with us (e.g., in the areas of HR, data centers, accounting, data disposal, administration, marketing, sales, information and communication technology, website and web shop management and hosting, cash register systems, applicant management, etc.)
in the case of a legitimate interest to authorities, lawyers, associations, courts, experts, credit agencies, debt collection agencies, etc.
in the event of a legal obligation to authorities, public bodies, social security institutions, etc.
to any other third parties if you have given us your express consent to do so.
We will not pass on your data beyond this. Information on the possible transfer of data outside the EU can be found in section 8.
Service providers that we have commissioned as part of order processing or in the sense of joint responsibility may only use the data for the purposes for which we have passed it on to them. This is contractually regulated with these service providers and the data processing is subject to the same legal requirements as ours.
8. Data transfer outside the EU
Data is not usually transferred to locations in countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries). However, when data is collected in connection with visits to our websites and web shops, the use of cloud services, and visits to our social media pages, data transfer to third countries (including unsafe third countries) cannot be ruled out. Please refer to the relevant information in this privacy policy.
9. Rights of data subjects
You can assert your data protection rights against us under certain conditions:
You have the right to receive information about your data stored by us in accordance with the rules of Art. 15 GDPR - with restrictions if necessary.
If your data stored by us is inaccurate or incorrect, you can request that it be corrected in accordance with Art. 16 GDPR.
In accordance with Art. 17 GDPR, you can request that the personal data stored about you be deleted. However, this only applies as long as no other legal provision precludes deletion.
If the requirements of Art. 18 GDPR are met, you can request that the processing of your data be restricted.
Under certain circumstances, you have the right to have us provide you with your personal data under the conditions of Art. 20 GDPR.
You have the right to withdraw your consent at any time with effect for the future in accordance with Art. 7 (3) GDPR. From this point on, your personal data will no longer be processed for the purposes to which you object. The objection can be made informally.
For example, if you have expressly consented in accordance with Art. 6 para. 1 lit. a GDPR, we will use your email address to send you our newsletter on a regular basis. You can unsubscribe at any time, for example via a link at the end of each newsletter. Alternatively, you can also send your unsubscribe request at any time to info@mainau.de by e-mail.
As part of the existing contractual relationships with our customers, we send contract and/or service-related information by email to the contact email addresses we have stored as customer information, especially in the service area. This includes, for example, information on events or changes to opening hours. If you do not wish to receive this information, you can inform us at any time by sending an e-mail to info@mainau.de or by clicking on the unsubscribe link provided in every customer information.
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.
If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.
If you wish to make use of one of the aforementioned rights, please contact us in writing at the address of the controller given above (see contact details) or contact us directly by e-mail at info@mainau.de.
10. Additional information regarding data from external and internal applicants
Personal data relating to you is generally collected directly from you - e.g. as part of the application process - on the basis of Art. 88 GDPR, Section 26 (1) BDSG.
In addition, we may also have received data from third parties (e.g. job exchanges such as Indeed, Stepstone or similar recruitment agencies).
We may also process personal data that we obtain from publicly accessible sources (e.g. professional social networks), insofar as this is permitted in individual cases.
The processed categories of personal data of applicants include in particular your master data (such as first name, surname, name affixes, nationality, personnel number), contact data (such as private address, (mobile) telephone number, e-mail address) as well as the data of the entire application process (cover letter, CV, work or other certificates, proof of qualifications).
If you have also voluntarily provided special categories of personal data (such as health data, degree of disability, religious affiliation) in your letter of application or during the application process, processing will only take place if you have expressly consented to this (Art. 9 para. 2 lit. a GDPR).
We process personal employee and applicant data on the basis of and in compliance with the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant provisions of German labor law (e.g. AGG, BetrVG, SGB).
The primary purpose of processing your personal data as part of the application process is to carry out the application procedure, in particular to determine your suitability for the advertised position. The processing of your applicant data is necessary for the decision on the establishment of an employment relationship. The primary legal basis for this is Art. 88 GDPR in conjunction with Section 26 (1) BDSG.
10.1 Data transfer for internal and external applicants
Within our company, only those persons and departments that need your personal data to make a decision about your employment and to fulfill our legal and contractual obligations will receive it. Outside our company, we only disclose your personal data to entities that process this data as data processors (applicant management).
In deviation from this, we only transfer your personal data - e.g. to investigating authorities - if we are legally obliged to do so.
10.2 Storage period for internal and external applicants
Personal applicant data transmitted to us will be deleted as soon as it is no longer required for the above-mentioned purposes, usually after 6 months. This does not apply if you have expressly consented to a longer storage period, if storage is necessary for evidence purposes or if statutory regulations prevent deletion. For example, we store your applicant data for as long as there is a possibility that you may assert legal claims against us, e.g. due to a breach of the provisions of the AGG.
However, if your application leads to the establishment of an employment contract with you, your data will be stored for the purposes of the usual administrative and organizational processes and for the implementation of the employment relationship.
11. Additional information on the collection and storage of personal data when visiting our websites and web stores
When you visit our website, the browser used on your device automatically sends information to the server of our website and our customer portal. This information is temporarily stored in a so-called log file. The following information is recorded without any action on your part and stored until it is automatically deleted:
IP address of the requesting computer,
Host name of the requesting computer,
Date and time of access,
Website from which access is made (referrer URL),
Browser used and the browser version and operating system of your computer
We process the aforementioned data for the following purposes:
Ensuring a smooth connection to the website,
To ensure a comfortable use of our website,
Evaluation of system security and stability and
for other administrative purposes.
The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the operation of our website and the associated presentation of our company. Under no circumstances do we use the data collected for the purpose of drawing conclusions about your person.
Your data will be deleted as soon as it is no longer required for the stated purposes, at the latest after 6 months.
11.1 Cookies, analysis tools, plugins and other third-party elements
We use cookies on our website. These are small files that your browser automatically creates and that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware. Cookies are small text files that are stored on your hard disk assigned to the browser you are using and through which certain information flows to the body that sets the cookie (in this case us). Cookies cannot execute programs or transmit viruses to your computer. They are used to make the website more user-friendly and effective overall.
Information is stored in the cookie that results in each case in connection with the specific end device used. However, this does not mean that we obtain direct knowledge of your identity.
Our website uses cookies to the following extent:
Transient cookies (temporary use)
Persistent cookies (time-limited use)
Transient cookies are automatically deleted as soon as you close the browser. These include session cookies in particular. These store a so-called session ID, with which various requests from your browser can be assigned to the same session. This allows your computer to be recognized when you return to the website.
Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in your browser's security settings.
11.1.1 Required first-party cookies
The use of our required first-party cookies serves on the one hand to make the use of our website more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after you leave our site.
In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your end device for a specified period of time. If you visit our site again to use our services, it is automatically recognized that you have already visited us and which entries and settings you have made so that you do not have to enter them again. This data is deleted after 6 months at the latest.
We process your data on the basis of our legitimate interest in the external presentation of our company via the website you have accessed and to promote user-friendliness. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR.
Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website.
This stored information is stored separately from any other data transmitted to us. In particular, cookie data is not linked to your other data (e.g., contact requests or online applications).
11.1.2 Third-party cookies, plugins and other third-party elements
The third-party cookies, plugins and other third-party elements listed below and used by us are only used with your express consent and thus on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future. If you do not grant consent, or if you revoke it, the website may not be displayed correctly or you may not be able to use all the functions of the website.
With the third-party cookies, plugins or other third-party elements used, we want to ensure a needs-based design and the continuous optimization of our website.
The respective function descriptions, any recipients of the data, information on possible transfers to a third country and the storage period can be found in the following information on the individual processing operations involving third-party cookies, plug-ins or other third-party elements.
Google Analytics
We use Google Analytics on our website, a web analysis service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), provided that you give us your consent in accordance with Art. 49 para. 1 lit. a GDPR. Cookies are used in this context. The information generated by the cookie about the use of the online offer by the user is usually transmitted to a Google server in the USA and stored there.
Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. Pseudonymous user profiles can be created from the processed data.
We only use Google Analytics with activated IP anonymization. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
The IP address transmitted by the user's browser will not be merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and relating to their use of the online offer and from processing this data by Google by refusing to give their consent or by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information on the use of data by Google, and on settings and objection options, can be found in Google's privacy policy (https://policies.google.com/privacy) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).
We have concluded a contract with Google for order processing within the meaning of Art. 28 GDPR. The appropriate level of data protection is guaranteed by the EU-U.S. Data Privacy Framework. Further information can be found in Google's privacy policy: https://policies.google.com/privacy
Users' personal data is deleted or anonymized after 14 months.
Google Tag Manager
We use Google Tag Manager on our website, a tag management system for the integration of tracking or statistical tools from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), provided that you give us your consent in accordance with Art. 49 para. 1 lit. a GDPR. The Google Tag Manager itself does not create any user profiles, does not store any cookies to our knowledge and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. According to its own information, Google Tag Manager does not collect any IP addresses or other personal data (https://support.google.com/tagmanager/answer/9323295?hl=de).
We have concluded a contract with Google for order processing within the meaning of Art. 28 GDPR. The appropriate level of data protection is guaranteed by the EU-U.S. Data Privacy Framework. Further information can be found in Google's privacy policy: https://policies.google.com/privacy
Google Ads and Google Conversion Tracking
We use Google Ads on our website, an online advertising program provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
We use conversion tracking as part of Google Ads. When you click on an ad placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the browser stores on the user's computer. The cookies expire after 30 days and are not used to personally identify users. When visiting certain pages on this website, Google and we can recognize that the user has clicked on the ad and been redirected to this page, provided that the cookie has not yet expired.
Each Google Ads customer receives a different cookie. Cookies cannot be tracked across the websites of Google Ads customers. The information collected using the conversion cookie is used to generate conversion statistics for Google Ads customers who have opted for conversion tracking. Customers learn the total number of users who clicked on the respective ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
For more information about Google Ads and Google Conversion Tracking, please refer to Google's privacy policy: https://policies.google.com/privacy?hl=de
Google is certified under the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection.
Hotjar
We use Hotjar on our website, an analysis software of Hotjar Ltd, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta, Europe ("Hotjar"), provided that you give us your consent in accordance with Art. 49 para. 1 lit. a GDPR. Hotjar makes it possible to measure and evaluate usage behavior (e.g. clicks, mouse movements, etc.) combined with other information (e.g. device type and browser information, keystrokes, geographical location, etc.) on our website. The information generated about your visit to our website is transmitted to the Hotjar servers in Ireland and stored there. Hotjar uses this information to analyze your use of our website, to compile usage reports or to provide other services relating to the use of the website.
Further information on the use of data by Hotjar, and on settings and objection options, can be found in Hotjar's privacy policy (https://help.hotjar.com/hc/de/sections/360007966773-Data-Privacy).
We have concluded an order processing contract with Hotjar.
Users' personal data will be deleted after 365 days at the latest.
Akamai Content Delivery Network
We use the Content Delivery Network (CDN) from Akamai Technologies GmbH, Parkring 20, 85748 Garching, Germany (Akamai) on our website, provided that you give us your consent in accordance with Art. 49 (1) (a) GDPR. A CDN is a network of global servers that is capable of delivering optimized content to website users. For this purpose, the following personal data may be processed in Akamai's server log files: your IP address, URLs of visited pages, date and time of access, location (based on your IP address and the location of the Akamai server), telemetry data (e.g., mouse clicks, movement sequences, and associated browser data). Data transfer outside the EU cannot be ruled out in this context. We have concluded a contract with Akamai for order processing within the meaning of Art. 28 GDPR. The appropriate level of data protection is guaranteed by the EU-U.S. Data Privacy Framework. For more information, please refer to Google's privacy policy: https://policies.google.com/privacy
Bitly
We use the short URL service Bitly (Bitly Inc., 139 5th Avenue, 5th Floor, New York, NY 10010) on our website. A short URL service, or URL shortener, is a service that provides a second, alternative URL for any URL of an existing website. This alias URL leads to the original website via an HTTP redirect. The frequency with which this shortened link was clicked can be determined. By using Bitly, we are able to determine how interesting our offers are for website visitors. We have concluded a contract with Bitly for order processing within the meaning of Art. 28 GDPR. The appropriate level of data protection is guaranteed by the EU-U.S. Data Privacy Framework. Further information can be found in Google's privacy policy: https://policies.google.com/privacy
Online store Shopify
We use the Shopify platform to operate our online store. The provider is Shopify International Ltd., Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
Shopify provides the technical infrastructure, shop software, and hosting services, and processes personal data (e.g., customer master data, order data, payment information, communication data) on our behalf. We remain the controller for the processing within the meaning of the GDPR, while Shopify acts as the processor.
Processing is carried out on the basis of Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual measures) and, where legally required, on the basis of Art. 6 (1) (c) GDPR (legal obligations, e.g., tax and commercial law retention obligations).
Shopify uses subcontractors (e.g., IT service providers, data centers) to provide its services. Data may also be transferred to third countries, in particular to the US and Canada. The EU Commission has issued an adequacy decision for Canada. For transfers to the USA, standard contractual clauses (SCCs) and the EU-US Data Privacy Framework are used to ensure an adequate level of data protection.
For more information about data processing by Shopify, please refer to Shopify's privacy policy: https://www.shopify.com/legal/privacy
12. External payment service providers
We use external payment service providers through whose platforms users and we can carry out payment transactions:
PayPal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full)
Payone (https://www.payone.com/DE-de/datenschutz)
Mastercard (https://www.mastercard.de/de-de/datenschutz.html)
Visa (https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung.html)
Klarna (https://www.klarna.com/de/datenschutz/)
We use these payment service providers on the basis of Art. 6 para. 1 lit. b GDPR for the fulfillment of contracts. In addition, we use external payment service providers on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. b GDPR in order to offer our users effective and secure payment options.
The data processed by the payment service providers includes inventory data, such as name and address, bank details, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, sum, and recipient-related information. This information is required in order to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming or denying the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. For more information, please refer to the terms and conditions and privacy policy of the payment service providers.
Payment transactions are subject to the terms and conditions and data protection notices of the respective payment service providers, which can be accessed on the respective websites or transaction applications. We also refer to these for further information and the assertion of rights of revocation, information and other rights of data subjects.
PayPal
On our website we offer, among other things, payment via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal").
If you select payment via PayPal, the payment data you enter will be transmitted to PayPal.
The transmission of your data to PayPal is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
For details on paying with PayPal, please refer to PayPal's Terms and Conditions and Privacy Policy at: https://www.paypal.com/myaccount/privacy/privacyhub.
Payone
On our website, we also offer payment using the services of Payone. The provider of this payment service is Paydirekt PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, Germany (hereinafter referred to as "Payone").
If you make your payment via Payone, Payone collects various transaction data and forwards it to the bank with which you are registered with Payone. In addition to the data required for the payment, Payone may collect further data as part of the transaction processing, such as the delivery address or individual items in the shopping cart.
Payone then authenticates the transaction using the authentication procedure deposited with the bank for this purpose. The payment amount is then transferred from your account to our account. Neither we nor third parties have access to your account details.
The transfer of your data to Payone is based on Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract).
For details on payment with Payone, please refer to Payone's terms and conditions and privacy policy at: https://www.payone.com/DE-de/datenschutz.
KLARNA (incl. instant bank transfer)
On our website we offer, among other things, payment with the services of Klarna. The provider is Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter referred to as "Klarna").
Klarna offers various payment options (e.g., installment purchase or instant bank transfer). If you choose to pay with Klarna (Klarna checkout solution), Klarna will collect various personal data from you. You can find details on this in Klarna's privacy policy at the following link: https://www.klarna.com/de/datenschutz/.
Klarna uses cookies to optimize the use of the Klarna checkout solution. The optimization of the checkout solution constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. Cookies are small text files that are stored on your device and do not cause any damage. They remain on your device until you delete them. Details on the use of Klarna cookies can be found at the following link: https://cdn.klarna.com/1.0/shared/content/policy/cookie/de_de/checkout.pdf.
The transfer of your data to Klarna is based on Art. 6 (1) (b) GDPR (processing for the performance of a contract) and Art. 6 (1) (f) GDPR (processing for the optimization of the checkout solution).
13. online presences on social media portals
We maintain online presences within social networks and platforms such as LinkedIn, Facebook, Instagram and Twitter/X in order to communicate with the customers, interested parties and users active there and to inform them about our services and our company. With regard to the operation of these online presences, we are jointly responsible with the aforementioned providers.
We would like to point out that user data may be processed outside of the European Union, particularly on LinkedIn, Facebook, Instagram and YouTube. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights.
Furthermore, user data is generally processed by the platforms for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests. The user profiles can in turn be used, for example, to place advertisements within and outside the platforms that are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users (especially if users are members of the respective platforms and are logged in to them). We do not have any access to the actual usage data. We only use general usage statistics to check the effectiveness of usage.
The processing of users' personal data is based on our legitimate interests in effective user information and communication with users in accordance with Art. 6 para. 1 lit. f GDPR.
For a detailed description of the respective processing and the opt-out options, we refer to the following linked information from the providers.
In the case of requests for information and the assertion of user rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If you still need help, you can contact us.
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) - Privacy Policy: https://de.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Privacy Policy: https://de-de.facebook.com/privacy/policy/, https://www.facebook.com/policy.php
Twitter (Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland) - Privacy Policy: https://twitter.com/de/privacy
Instagram (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland) - Privacy Policy: https://privacycenter.instagram.com/policy
14. newsletter
You will only receive our newsletter if you give us your consent in accordance with Art. 6 para. 1 lit. a GDPR, i.e. if you agree to receive our newsletter. We use the service provider Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany, to send the newsletter.
Sendinblue is a service that can be used to organize and analyze the sending of newsletters, among other things. The legal basis for the use of Sendinblue is your consent in accordance with Art. 6 (1) (a) GDPR. When you enter your data for the purpose of receiving our newsletter (usually your email address), it is stored on Sendinblue's servers in Germany. Sendinblue enables us to analyze our newsletter campaigns. When you open an email sent with Sendinblue, a file contained in the email (known as a web beacon) connects to Sendinblue's servers. This allows us to determine whether a newsletter message has been opened and which links, if any, have been clicked on. Technical information is also collected (e.g., time of retrieval, IP address, browser type, and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for statistical analysis of newsletter campaigns. The results of these analyses can be used to better tailor future newsletters to the interests of the recipients. Sendinblue also allows us to divide newsletter recipients into different categories ("clusters"). Newsletter recipients can be divided according to the selection of the desired newsletters. In this way, newsletters can be better tailored to the respective target groups.
If you do not agree with this analysis by Sendinblue, you can withdraw your consent at any time and unsubscribe from our newsletter. For this purpose, we provide you with a corresponding link in every newsletter; alternatively, you can send an e-mail at any time to info@mainau.de to unsubscribe. The legality of data processing operations that have already taken place remains unaffected by the revocation. The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until we receive your revocation and your unsubscription from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes remains unaffected by this.
15. cloud services
We use software services accessible via the Internet and running on the servers of their providers (so-called "cloud services", also referred to as "software as a service"), e.g. "Microsoft Teams" for the following purposes: Exchange of documents, content and information with specific recipients or for authenticated and 2-factor-secured login of users as well as chats and participation in audio and video conferences.
In this context, personal data may be processed and stored on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us as set out in this privacy policy. This data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their content. Cloud service providers also process usage data and metadata that they use for security purposes and to optimize their services. In this context, personal data may be transferred to cloud service providers in insecure third countries such as the USA. For this reason, we have concluded order processing contracts with the providers to ensure an adequate level of data protection. We only use service providers that are licensed in accordance with the EU-U.S. Data Privacy Framework.
If we use cloud services to provide forms or other documents and content to other users or publicly accessible websites, the providers may store cookies on users' devices for web analysis purposes or to remember user settings (e.g., in the case of media control).
Notes on legal bases: If we ask for consent to the use of cloud services, the legal basis for processing is consent in accordance with Art. 6 para. 1 lit. a GDPR. Furthermore, their use may be part of our (pre-)contractual services in accordance with Art. 6 para. 1 lit. b GDPR, provided that the use of the cloud services has been agreed in this context. Otherwise, user data is processed on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR (i.e. interest in efficient and secure administration and collaboration processes).
Types of data processed: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Affected persons: Customers, employees (e.g., employees, applicants, former employees), interested parties, communication partners.
Purposes of processing: Office and organizational procedures.
Services used and service providers:
Microsoft cloud services: Cloud storage services; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: microsoft.com; Security information: www.microsoft.com/de-de/trustcenter.
16. use of GPS data (location and movement information) as part of the use of our web application "Digital Visitor Information"
If you have called up the "Digital Visitor Information" web application on your mobile device and given your consent, we will use your location and movement information to optimize your visitor experience on Mainau Island. You can withdraw your consent at any time in the web application by clicking on the "Stop tracking" button or closing the application, in which case GPS data will no longer be recorded. When you leave the island of Mainau, GPS tracking is automatically terminated as soon as a narrowly defined distance radius is reached, without you having to take any action yourself. It will only be reactivated on subsequent visits after you have given your renewed consent. The location and movement information will be anonymized after your visit, i.e. evaluated without the use of personal data and used to further optimize our offer.
17. Rights of use Imprint data
We expressly object to the use of our contact data published in the context of the imprint obligation by third parties for sending unsolicited advertising and information material.
We expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.
18. creation
This declaration has been prepared in cooperation with:
Dapro Serv GmbH
Auf der Hüls 128
52068 Aachen
Phone: +49 (0) 241-55967796
Email: info@daproserv.com
Website: www.daproserv.com