Since May 25, 2018, the provisions of the EU General Data Protection Regulation (hereinafter: GDPR) apply throughout Europe. Below we would like to inform you about the processing of personal data by Tourlane GmbH in accordance with this new regulation (see Art. 13 GDPR). Please read our Privacy Policy carefully. If you have any questions or comments regarding this Privacy Policy, you can send them at any time to the email address provided in Section 2.

3.1. Accessing Our Website

When you access our website, information is automatically sent by the browser on your device to our website server and temporarily stored in a so-called log file. We have no influence on this. The following information is collected without your intervention and stored until it is automatically deleted:

• the IP address of the requesting internet-enabled device,

• the date and time of access,

• the website from which access was made (referrer URL),

• own campaign ID,

• the browser you use and, if applicable, the operating system of your internet-enabled computer and the name of your access provider.

The legal basis for processing the IP address is Art. 6(1)(f) GDPR. Our legitimate interest follows from the purposes of data collection listed below. At this point, we would like to point out that the data collected does not allow us to draw any conclusions about your identity and we do not draw any such conclusions.

We use the IP address of your device and the other data listed above for the following purposes:

• ensuring a smooth connection setup,

• ensuring comfortable use of our website,

• evaluating system security and stability as well as

• other administrative purposes.

The data is stored for the duration of the respective session and is automatically deleted when the browser is closed. Furthermore, we use so-called cookies, tracking tools and a CRM system for our website. Details about these procedures and how your data is used for this purpose are explained in more detail below under Section 3.4.

3.2. Data Processing for the Provision of Our Services and for Contract Performance

To provide our infrastructure, we use various hosting services and tools based on Art. 6(1)(b) and (f) GDPR. The services we use are for the provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, BI services and technical maintenance services that we use for the purpose of operating our website.

In this context, business data, inventory data, contact data, content data, contract data, usage data, meta and communication data of users of our websites are processed. The secure data processing and the safeguarding of our business operations are to be recognized as our legitimate interests. We take the utmost care to ensure that these providers meet our high data protection requirements and have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with each of these providers, in which the providers undertake to process the data received only in accordance with our instructions and to comply with the EU data protection level. More comprehensive information on data protection can be found in the providers' privacy policies.

3.2.1. Data Processing for Determining Travel Preferences in the Questionnaire

The subject of Tourlane's activity is offering customized trips to worldwide destinations. The goal is to be able to offer the interested party an individual trip tailored to their preferences and needs. For this purpose, we provide a questionnaire on our website through which the interested party can provide information about their individual travel preferences. In this context, we process the data required for the preparation of proposals. This includes:

• First name, last name of the interested party,

• the contact details provided,

• the stated gender,

• the information provided about travel preferences,

• browser information,

• hostname of the accessing computer (IP address),

• time of the server request.

The legal basis for this is Art. 6(1)(b) GDPR. To the extent that we do not use your contact data for advertising purposes (see below 3.3.), we store the data collected through the questionnaire until the expiry of the statutory limitation provisions. After expiry of this period, we retain the information required under commercial and tax law for the legally determined periods. For this period (regularly ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.

3.2.2. Data Processing for Individual Travel Consultation

If you have decided to use the services for individual travel consultation and planning, we will try to identify with you the key data and circumstances for travel planning that are important to you on the basis of Art. 6(1)(a) and (b) GDPR. The purpose of this processing is to be able to offer you the best possible service. In particular, the following data may be processed:

• Master data such as age and name,

• Type of trip (tour, safari, golf vacation, etc.),

• Expected travel time,

• Number of travelers,

• Preferred destinations,

• Type of accommodation,

• Culinary preferences,

• Details about fellow travelers as well as

• other information if it may be relevant to the planned trip, e.g., helicopter activities.

We store the data collected in this way until the expiry of the statutory limitation provisions. After expiry of this period, we retain the information required under commercial and tax law for the legally determined periods. For this period (regularly ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.

3.2.3. Data Processing for the Provision of Individual Travel Brochures via Wetu

To provide our customers with a brochure containing comprehensive information for the booked trip, we use the content management and presentation tool from Wetu, a service of Wetu B.V., Overschiestraat 184-B, 1062 XK, Amsterdam, Netherlands (hereinafter "Wetu") on the basis of Art. 6(1)(b) GDPR. For this purpose, we transmit the following data:

• the advertisement through which the visitor reached us,

• travel dates,

• trip details,

• email address

to Wetu, so that we can send our customers an email with comprehensive information material, such as photos, videos, descriptions, documentation, travel tips, etc., for the upcoming trip via this service before the start of the trip. This data processing therefore serves to optimize our services and in particular the smooth handling of travel, which is to be regarded as our legitimate interest. If you have any questions about data protection, you can direct your request directly to Wetu's data protection officer, who can be reached at privacy@wetu.com or at the provider's address above. More comprehensive information on data protection at Wetu can be found in the provider's privacy policy.

3.2.4. Data Processing for Flight Booking via Conso

If a customer decides on a flight, we transmit the data required for this purpose on the basis of Art. 6(1)(b) GDPR and, in the case of "co-booked" persons, on the basis of Art. 6(1)(f) GDPR for the purpose of the respective flight booking, such as:

• First name, last name and address of the air travelers,

• Gender of the air travelers,

• Dates of birth of the air travelers,

• Passport numbers of the air travelers,

• Contact details provided,

• the desired flight data, such as travel dates, departure and destination airports of the trip, etc.,

• the information provided about luggage,

• if applicable, information about special needs,

to our booking partner for flights Conso, a service of Aerticket GmbH, Boppstraße 10, 10967 Berlin (hereinafter: "Conso"). The data is used by Conso exclusively for processing our request and for implementing and realizing the respective flight booking and is transmitted securely via SSL encryption. If the data required for this purpose is not collected directly from the data subject, the data processing serves to fulfill our contractual obligations, namely processing the request and booking the flight, which is to be regarded as our legitimate interest. You can object to this data processing at any time by informing us that you no longer wish this processing to take place in the future. For this purpose, please use the contact options provided by our data protection officer. Furthermore, you can also direct your request directly to the provider's data protection officer, Dr. Charlotte Lauser, who can be reached at Datenschutz@lauser-nhk.de or at the address Dr. Gerhard-Hanke-Weg 31, 85221 Dachau. More detailed information on data protection at Conso can be found in the provider's privacy policy.

3.2.5. Provision of Travel Documents

For the optimal provision of travel documents to our customers, we use the service providers ODS Office Data Service, Ehrenbergstraße 16 A, 10245 Berlin (hereinafter "ODS") and the service provider Digital Express 24 GmbH & Co. KG, Hahnenstraße 47-49 50667 Cologne on the basis of Art. 6(1)(b) GDPR. For this purpose, we transmit in particular the customer master data and the respective travel details to the respective service provider to ensure that the documents required for the trip are sent to our customers completely and on time. We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with the service providers, in which the service providers undertake to process the data received only in accordance with our instructions and to comply with the EU data protection level. More comprehensive information on data protection at the service providers can be found in the respective privacy policies here and here.

3.2.6. Data Processing via Apify

To ensure smooth business operations and in particular for data extraction, we use the Apify platform, a service of Apify Technologies s.r.o., Lucerna Palace, Štěpánská 704/61, 11000 Prague 1, Czech Republic (hereinafter "Apify"). We use the tool to automatically collect customer data and the respective travel details and to be able to issue the insurance certificates required for the trip. The legal basis for this is Art. 6(1)(b) GDPR.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Apify, in which Apify undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. More comprehensive information on data protection at Apify can be found in the provider's privacy policy.

3.2.7. ConvertAPI

To ensure smooth business operations and in particular for processing insurance certificates and flight tickets, we use the Convert API platform, a service of UAB Baltsoft, Kosciuskos 26-17, Vilnius, LT-01100, Lithuania (hereinafter "Baltsoft"). We use the tool to automatically merge and generate insurance certificates and/or flight tickets. The legal basis for this is Art. 6(1)(b) GDPR.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Baltsoft, in which Baltsoft undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. More comprehensive information on data protection at Baltsoft can be found in the provider's privacy policy.

3.2.8. Data Processing for Contract Performance

If you decide to book an individual trip proposed by us, we will use the data you have provided on the basis of Art. 6(1)(b) GDPR for contract fulfillment, i.e., in particular to plan and prepare your flights and other planned activities. The data required for this purpose, such as:

• First name, last name of the traveling persons

• their addresses,

• dates of birth,

• arrival and departure dates,

• a copy of passport,

• payment and booking details

will be transmitted by us to the companies involved, such as affiliated tour operators, airlines, hotels, activity organizers on site, shuttle services, to the extent necessary. The transfer is necessary to carry out the individual activities and thus serves the smooth processing of the contract. With all partners, we have concluded a contract for commissioned processing designed in accordance with the GDPR, which means that your data will only be processed in accordance with our instructions. We store this master travel data until the expiry of the statutory limitation provisions. After expiry of this period, we retain the information required under commercial and tax law for the legally determined periods. For this period (regularly ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.

3.2.9. Data Processing for Billing Purposes via Billomat

To create our invoices, we use the accounting services of Billomat GmbH & Co. KG, Barbiergasse 6, 90443 Nuremberg (hereinafter: "Billomat") on the basis of Art. 6(1)(b) GDPR. If you book a trip through us, we create the required invoice documents via the Billomat online application. For this purpose, the data required for the respective execution is processed via Billomat's servers, in particular:

• Name,

• Address,

• Email address,

• Booking details.

We have concluded a contract for commissioned data processing in accordance with Art. 28 GDPR with Billomat, whereby Billomat undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. The data will be deleted after expiry of the retention obligations under commercial and tax law. Additional information about Billomat and the provider's data protection can be found in their privacy policy. In addition, if you have any questions about data processing at Billomat, you can contact Billomat's data protection officer, Mr. Dominik Fünkner, directly at any time: datenschutz@billomat.com.

3.2.10. Data Processing for Payment Processing and Invoicing via JustOn

For processing credit card payments and invoice management, we use JustOn, a service of JustOn GmbH, Mälzerstraße 3, 07745 Jena (hereinafter: "JustOn") on the basis of Art. 6(1)(b) GDPR. If you make a credit card payment or receive an invoice from us, the data required for this purpose, such as name, address, invoice and payment details, is processed via JustOn's servers. We have concluded a contract for commissioned data processing in accordance with Art. 28 GDPR with JustOn, whereby JustOn undertakes to process the aforementioned data only in accordance with our instructions and to comply with the EU data protection level. The data will be deleted after expiry of the retention obligations under commercial and tax law. Additional information about JustOn and the provider's data protection can be found in their privacy policy. In addition, if you have any questions about data processing at JustOn, you can contact JustOn's data protection officer directly at any time: datenschutz@juston.com.

3.2.11. Data Processing for Payment Processing and Invoicing via Stripe

To ensure smooth payment processing via credit card, we use the service of Stripe, The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (hereinafter "Stripe") or PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (hereinafter "Stripe") on the basis of Article 6(1)(b) GDPR. The payment data provided by the customer, such as name, address, account number, bank code, credit card number if applicable, invoice amount, currency and transaction number are transmitted to Stripe via SSL encryption. Stripe reserves the right to carry out a credit check based on mathematical-statistical procedures in order to protect its legitimate interest in determining the customer's creditworthiness. Stripe may transmit the personal data necessary for a credit check and received in the course of payment processing to selected credit agencies. The credit report may contain probability values (so-called score values). To the extent that score values are included in the result of the credit report, these are based on a scientifically recognized mathematical-statistical procedure. The calculation of score values includes, among other things, but not exclusively, address data. Stripe uses the result of the credit check regarding the statistical probability of non-payment for the purpose of deciding whether to initiate payment for the selected payment method.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Stripe, in which Stripe undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level.

You can object to this processing of your data at any time by sending a message to Stripe or the commissioned credit agencies. However, Stripe may remain entitled to process your personal data if this is necessary for contractual payment processing.

Stripe is certified according to PCI DSS (Payment Card Industry Data Security Standard). More detailed information on data protection at Stripe can be found in the respective provider's privacy policy or directly via the data protection officer at privacy@stripe.com.

3.2.12. Data Processing via the Tourlane Customer Portal

If you have decided to complete our questionnaire according to Section 3.2.2, we will provide you with access to our Customer Portal for better management of your data and trip on the basis of Art. 6(1)(b) GDPR. The purpose of this processing is to be able to offer you the best possible service by allowing you to manage and edit your data, trip and preferences yourself. In particular, the following data may be processed:

• The data transmitted by you according to Section 3.2.2,

• Other information provided by you and stored in the Customer Portal

We store the data collected in this way until the expiry of the statutory limitation provisions. After expiry of this period, we retain the information required under commercial and tax law for the legally determined periods. For this period (regularly ten years from the conclusion of the contract), the data will be processed again solely in the event of an audit by the tax authorities.

3.2.13. Database Integration via Zapier

For the integration of different databases and tools, we use Zapier, a service of Zapier Inc., 548 Market St #62411, San Francisco, California 94104, USA (hereinafter: "Zapier") on the basis of Art. 6(1)(f) GDPR. Zapier enables us to efficiently structure the tools we use to ensure effective and timely business operations, which is to be recognized as our legitimate interest. When using Zapier, customer master data, such as name, address, email address, telephone number, travel request details, etc., are processed via a Zapier server and stored there.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Zapier, in which Zapier undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Zapier and data protection can be found in the provider's privacy policy. You have the option to object to this data processing at any time by informing us that you no longer wish this processing to take place in the future. For this purpose, please use the contact options provided by our data protection officer.

3.3. Data Processing for Customer Support, Customer Care, Feedback or Newsletter Dispatch

3.3.1. Newsletter Registration via Double Opt-In

On our website, we offer you the option to register for our newsletter. To ensure that no errors have been made when entering the email address and that it can be assigned to the actual owner, we use the so-called double opt-in procedure: After you have entered your email address in the registration field, we will send you a confirmation link. Only when you click on this confirmation link will your email address be added to our distribution list. You can revoke the consent you have given in this way at any time with effect for the future. For this purpose, a short notice by email to the email address indicated under 2 is sufficient.

3.3.2. Feedback via Trustpilot

The satisfaction of our customers is our highest goal. We therefore occasionally ask our customers for their feedback after returning from their trip. To obtain customer reviews, we use the Trustpilot review service via an interface on the basis of Art. 6(1)(f) GDPR, a service of Trustpilot, Inc., 245 5th Avenue, 5th floor, New York, NY 10016, USA (hereinafter: "Trustpilot"). You are of course free to submit a review. If you help us with a review of your trip, the data generated in the process, such as in particular:

• Name,

• Email address,

• if available, the Trustpilot profile photo,

• the content of the review,

will be processed via Trustpilot's servers in the USA and stored there. If you wish to avoid this type of data processing, you should not participate in such a survey. This data processing for the improvement of our products and services is to be regarded as our legitimate interest. If the review is submitted by clicking on the link contained in our invitation, you agree to Trustpilot's privacy policy and general terms and conditions. If you participate in this feedback system, your review will be published on our website as well as on Trustpilot's websites. The data will not be passed on to third parties. We have concluded a contract with Trustpilot for this commissioned data processing, so that the European standards for legally compliant data processing are guaranteed. Additional information about Trustpilot and data protection can be found in the provider's privacy policy. You can also object to this data processing at any time. For this purpose, please use the contact options provided by our data protection officer or contact Trustpilot directly: support@trustpilot.com

3.3.3. Feedback, Scheduling and Communication via Typeform

For conducting surveys, capturing user experience, for pre-sales communication or for arranging meetings, we use the Typeform survey tool, a service of Typeform S.L., Carrer Bac de Roda 163, 08018 Barcelona, Spain (hereinafter: "Typeform") on the basis of Art. 6(1)(f) GDPR. If you use our survey tool or wish us to call you back, the data generated in the process, such as in particular:

• Name,

• Email address,

• Reference number,

• Telephone number,

• Booking number,

• Destination,

• the content of the review or input and the individual reviews,

• the telephone number provided, if applicable

will be processed via Typeform's servers and stored there. This data processing for the improvement of our products and services is to be regarded as our legitimate interest. If you wish to avoid this type of data processing, you should not participate in such a survey. This data processing for the improvement of our products and services is to be regarded as our legitimate interest. When participating in a survey system, the data generated through this will be published on our website, as well as on Typeform's servers. The data will not be passed on to third parties. We have concluded a contract with Typeform for this commissioned data processing, so that the European standards for legally compliant data processing are guaranteed. Additional information about Typeform and data protection can be found in the provider's privacy policy. You can also object to this data processing at any time. To do so, please contact Typeform directly by using the contact form.

3.3.4. Falcon

To optimize our social media presences, we use the Falcon social media management tool, a service of Falcon.io ApS, H.C. Andersens boulevard 27, 1st floor, 1553 Copenhagen V, Denmark (hereinafter: "Falcon") on the basis of Art. 6(1)(f) GDPR. Falcon enables us to centrally manage and maintain our social media presences and to plan, create and publish content specifically for networks, platforms and channels, as well as to process user reactions, search social networks and platforms for mentions, and analyze all interactions with us and our measures. These aforementioned areas of use are to be recognized as our legitimate interests.

If a user interacts with our social media presences, the data generated thereby as well as the publicly accessible data of the profiles used, such as name, gender, profile picture, profile URL, content and time of the respective post, etc., are transmitted to a Falcon server and stored there. We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Falcon, in which Falcon undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Falcon and data protection at Falcon can be found in the provider's privacy policy. You can object to this data processing at any time by informing us that you no longer wish this processing to take place in the future. For this purpose, please use the contact options provided by our data protection officer.

3.3.5. Facebook and Instagram Fan Pages

For marketing purposes and to communicate with our customers via Facebook, we maintain so-called fan pages on the Facebook and Instagram platforms operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter "Meta"). According to the data protection authorities, we are jointly responsible with Meta for the data processing carried out via these platforms in accordance with Art. 26 GDPR. Therefore, we have jointly determined the purposes and means of processing with the provider. We use the fan pages in particular for statistical evaluation, but also for communication with our customers. In particular, the following information can be assigned to a specific profile and processed by us and by Meta:

• When you mark our fan pages with "like" and "follow" them,

• given ratings and comments,

• "sharing" our posts or posts that link to our fan pages,

• "checking in" when using our guest network at the Berlin office,

Other aggregated statistical information, such as visitor numbers, actions on the fan page, etc., cannot be assigned by us to any specific or identifiable person and is therefore not personal data for us. The legal basis for the aforementioned processing is Article 6(1)(b) GDPR. We have no influence on the further data processing carried out by Meta. For the purpose and scope of data collection by Meta and the further processing and use of the data as well as your rights in this regard and setting options for protecting your privacy, please refer to Meta's data protection notices.

3.3.6. Optilyz

To optimize our mailing campaigns, we use the services of optilyz GmbH, Neue Schönhauser Str. 19, 10178 Berlin (hereinafter: "Optilyz") on the basis of Art. 6(1)(f) GDPR. For this purpose, we transmit customer master data to Optilyz, in particular name, address, email address, booking number, Tourlane ID and destination. Optilyz enables us to measure and continuously optimize the effectiveness of our mailing campaigns, which is to be recognized as our legitimate interest.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Optilyz, in which Optilyz undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Optilyz and data protection can be found in the provider's privacy policy. You have the option to object to this data processing at any time by informing us that you no longer wish this processing to take place in the future. For this purpose, please use the contact options provided by our data protection officer.

3.3.7. Timekit

To simplify the scheduling of customer and consultation meetings, we use the services of Timekit Inc., 325 9th Street, San Francisco, CA 94103, USA (hereinafter referred to as "Timekit") on the basis of Art. 6(1)(b) GDPR. Timekit offers an external platform for appointment scheduling and planning. When you provide your telephone number, we store the information collected and provided on Timekit servers. This includes in particular:

• the email address you provide,

• Name,

• telephone number provided,

• IP address.

This data processing by Timekit significantly simplifies our scheduling, which constitutes our legitimate interest. The data provided will not be passed on to third parties at any time and will only be used for appointment scheduling and planning as well as internal statistics. We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Timekit, in which Timekit undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Timekit and data protection at Timekit can be found in the provider's privacy policy. If you have any questions about data processing at Timekit, you can also contact the provider directly at any time: yourfriends@timekit.io.

3.3.8. Scheduling and Management with Yoummday and q experiences

To be able to offer our customers the best possible telephone service, e.g., for individual travel consultation, we use the specialists from Yoummday GmbH, Belgradstrasse 68, 80804 Munich and from Q Experience Palmotićeva ul. 56, 10000, Zagreb, Croatia (hereinafter collectively referred to as "Service Providers") on the basis of Art. 6(1)(b) GDPR. If we arrange such an appointment with our customers, the data required for the appointment, such as name, email address, scheduling, telephone number or travel requests, is transferred to a server of the above-mentioned service providers and processed there. The transmitted data will not be passed on to third parties and will be used exclusively for appointment scheduling and planning as well as internal statistics. For this purpose, we have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with each of the service providers, in which they have undertaken to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about the service providers and data protection can be found in the providers' privacy policies.

3.3.9. Salesforce

To manage our customer data and prospects, we use the CRM platform Salesforce, a service of salesforce.com Inc., The Landmark One Market Suite 300, San Francisco, CA 94105, USA (hereinafter: "Salesforce"). This helps us to record customer data, communicate with customers, document this contact, and create offers according to their wishes. If you have contacted us, e.g., via the questionnaire, the following data will be processed via Salesforce servers:

• Name,

• Email address,

• Travel request (destination, travel time, type of travel),

• Offers for the customer,

• Data that the customer transmitted by telephone,

• Data about interactions with emails from Tourlane

This processing is based on Art. 6(1)(b) and (f) GDPR and serves to improve our services and customer support, which is to be regarded as our legitimate interest. In addition, we have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Salesforce, in which Salesforce undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Salesforce and data protection at Salesforce can be found in Salesforce's privacy policy. You can object to this processing at any time. For this purpose, please use the contact options provided by our data protection officer.

3.3.10. ActiveCampaign

To organize and analyze our mailing campaigns, we use the services of ActiveCampaign LLC, 150 N. Michigan Ave Suite 1230, Chicago, IL, USA (hereinafter: "ActiveCampaign") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. When you open an email sent with ActiveCampaign, a file contained in the email (web beacon) connects to the ActiveCampaign servers, so that mail-related data, such as in particular:

• Information about the newsletter,

• Name,

• Email address,

• Opening and click rates,

• IP address,

• Browser type and operating system

is processed via ActiveCampaign's servers in the USA and stored there. This makes it possible to determine whether a mail has been opened and which links, if any, have been clicked. This information can be assigned to the respective recipient. They are used exclusively for the statistical analysis of our mailing campaigns. The results of these analyses can be used to make our campaigns more attractive, avoid harassment and better adapt future newsletters to the interests of recipients. The campaign analysis and optimization is to be regarded as our legitimate interest. In addition, we have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with ActiveCampaign, in which ActiveCampaign undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about ActiveCampaign and data protection at ActiveCampaign can be found in the provider's privacy policy as as well as in the further explanations on GDPR and GDPR compliance. If you have any questions about data processing at ActiveCampaign, you can also contact the data protection officer at ActiveCampaign directly: info@activecampaign.com.

If you do not wish to be analyzed by ActiveCampaign, you can object to this data processing at any time by clicking the unsubscribe button contained in the email or simply clicking this link. Alternatively, you can also inform us of your wish not to receive any more mailings from us in the future. For this purpose, please use the contact options of our company data protection officer or contact the provider directly: info@activecampaign.com.

3.3.11. SendGrid

For email communication with customers and interested parties, such as registration and appointment confirmations, we use the SendGrid dispatch software, a service of SendGrid Inc., 1801 California Street, Denver, CO 80202, USA (hereinafter: "SendGrid") on the basis of Art. 6(1)(b) and (f) GDPR. In this process, the following data:

• Email address,

• Last name, first name,

• Opening and click rates,

• Content of the respective transaction,

• IP address,

• Login process,

is processed via SendGrid's servers in the USA. SendGrid serves to process customer inquiries and is part of our service as well as customer support, which is to be regarded as our legitimate interest. In addition, we have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with SendGrid, in which SendGrid undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about SendGrid and data protection at SendGrid can be found in the provider's privacy policy. You can object to this data processing at any time by informing us that you no longer wish this processing to take place in the future. For this purpose, please use the contact options provided by our data protection officer.

3.3.12. Twilio

To announce upcoming consultations by our travel experts and to conduct calls (telephony and video calls), we use the Twilio tool, a service of Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland (hereinafter "Twilio") on the basis of Art. 6(1)(b) GDPR. Twilio is a customer engagement platform that makes communication programmable and through which the sending and receiving of SMS messages can be controlled.

If communication takes place via SMS or calls, we transmit your mobile phone number to Twilio. The date and communication taking place via this is processed via Twilio's servers and stored there on the basis of Art. 6(1) sentence 1(b) GDPR.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Twilio, in which Twilio undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Twilio and data protection at the provider can be found in the privacy policy.

3.3.13. Creation of Travel Vouchers via Voucherify

For the creation and dispatch of travel vouchers and promotional material to existing and new customers, we use Voucherify, a service of rspective P. Rychlik sp. j., Porcelanowa 23, bud. A4, 40-246 Katowice, Poland (hereinafter "Voucherify") on the basis of Art. 6(1)(b) GDPR. To provide promotional materials and discount codes, we transmit the customer master data required for this purpose, such as in particular name, address, email address, telephone number and other data required for providing the materials to Voucherify.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Voucherify, in which Voucherify undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Voucherify and data protection can be found in the provider's privacy policy.

3.3.14. Customer Referral Program via MentionMe

To provide our customer referral program, we use MentionMe, a service of Mention Me Ltd, Kennington Park, 1-3 Brixton Rd, London, SW9 6DE, England (hereinafter: "MentionMe") on the basis of Art. 6(1)(a) GDPR, which we have integrated into our websites for customer recommendations using JavaScript. With the help of these services, customers can recommend our services to friends and family members via various communication channels, such as sharing a link via email. For this purpose, the referrer enters their own name and email address in the form provided for recommendation and subsequently receives a link that they can share with friends for the purpose of recommendation. The recommendation is transmitted via MentionMe, whereby the email address, name and IP address of the referrer, and the email address and IP address of the referee (the person receiving the recommendation) are processed. If the referee accepts the recommendation, they receive a reward for the recommendation, which is sent by MentionMe.

For this purpose, we have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with MentionMe, in which MentionMe undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level.

The processing of the aforementioned data takes place via the servers at MentionMe on a voluntary basis and with the consent of the parties involved. The data will not be used for any other purposes and will not be passed on to third parties without authorization. In addition, no data is collected or processed via MentionMe. Consent can be withdrawn at any time with effect for the future. For this purpose, please use the contact options provided by our data protection officer. Additional information about MentionMe and data protection can be found in the provider's privacy policy.

3.3.15. Runa

To provide the rewards earned through our referral program, in particular for creating a voucher, we use Runa, a service of Runa Network Ltd., 1st Floor, Buckhurst House, 42-44 Buckhurst Avenue, Sevenoaks, Kent, TN13 1LZ, England (hereinafter "Runa") on the basis of Art. 6(1)(b) GDPR. If a customer has received a reward through a successful referral and wishes to redeem it for a voucher, they can access the runa.io platform via the provided link where they can claim the voucher. For this purpose, the data required for this purpose of the advertising customer, in particular name, address, email address and value of the reward, is transmitted to Runa. The transmitted data is then processed on Runa's servers. Runa uses this data to provide the rewards, e.g., in the form of a gift voucher, to the customer.

For this purpose, we have concluded a commissioned processing contract in accordance with Art. 28 GDPR with Runa, in which Runa undertakes to process the data received only in accordance with our instructions and to comply with EU data protection regulations.

Additional information about Runa and data protection can be found in the provider's privacy policy.

3.3.16. Braze

To optimize our communication with our customers, we use the Braze platform, a service of Braze Inc., 318 W 39th St, 10018 New York City, USA, ("Braze") on the basis of Article 6(1)(b) GDPR. We use Braze for managing our email campaigns (newsletters, surveys, etc.) and for needs-based communication with our customers. For this purpose, data relevant for customer communication, in particular name, email address, contract data, time zone, device information, IP address, etc., is transmitted to Braze servers and stored there.

We have concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Braze, in which the service provider undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. The data is stored in accordance with the applicable statutory retention periods and then deleted. More comprehensive information on data protection at Braze can be found in Braze's privacy policy.

3.4.1. Cookies – General Information

We use so-called cookies on our website on the basis of Art. 6(1)(f) GDPR. Our interest in optimizing our website is to be regarded as legitimate within the meaning of the aforementioned provision. Cookies are small files that are automatically created by your browser and stored on your device (laptop, tablet, smartphone or similar) when you visit our website. Cookies do no harm to your device and contain no viruses, Trojans or other malware. Information is stored in the cookie that arises in connection with the specific device used. However, this does not mean that we gain direct knowledge of your identity. The use of cookies serves on the one hand to make the use of our offer more pleasant for you.

3.4.2. Session Cookies

When visiting our website, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after leaving our website. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or so that a notice always appears before a new cookie is created. However, the complete deactivation of cookies may mean that you cannot use all functions of our website. The storage duration of cookies depends on their purpose and is not the same for all.

3.4.3. Tourlane Cookie

For the purpose of needs-based design and continuous optimization of our websites, we use our own cookie on the basis of Art. 25(2) No. 2 TTDSG. When you visit one of our websites, a pseudonymous identification number (ID) is assigned to your browser. The cookie does not process any personal information, but only technical data, such as:

• Session ID (cookie name: visit_id),

• User ID (cookie name: tourlane_id),

• Referrer URL (the previously visited page),

• URL of the visited website,

• Hostname of the accessing computer (IP address),

• Browser type/version,

• Device name,

• Operating system used,

• Time of the server request

The data is processed via our servers and stored there. The storage period is a maximum of 180 days. We use this information to evaluate the use of the website, to compile reports on activities and to provide other services related to website use and internet use for the purposes of market research and needs-based design of our websites, which is to be regarded as our legitimate interest. You can object to this processing at any time by either deleting the cookie from your device, downloading and installing a browser add-on such as "Cookie AutoDelete", using the Network Advertising Initiative deactivation service or informing us of your wish. For this purpose, please use the contact options of our company data protection officer: datenschutz@tourlane.de

3.4.4. FullStory

For the purpose of needs-based design and continuous optimization of our websites, we use the FullStory analysis service, a service of FullStory, Inc., 818 Marietta Street, Atlanta, GA 30318, USA (hereinafter "FullStory") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. FullStory documents user behavior on our website in anonymized form, in particular interactions, behaviors and types of use, such as making entries, the sequence of accessing certain pages of our websites or the time sequences, such as duration of visits to certain pages, etc.

The use of FullStory enables us to continuously improve the quality of our websites and their content, which is our legitimate interest.

The information generated by the use of FullStory is usually transmitted to a server of FullStory, Inc. in the USA and stored there. The storage period is a maximum of 180 days. We have also concluded a contract for commissioned processing in accordance with Art. 28 GDPR with FullStory, in which FullStory undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about FullStory and data protection can be found in the provider's privacy policy. You can prevent data processing by FullStory by adjusting your browser software settings accordingly; however, we would like to point out that in this case you may not be able to use all functions of our websites to their full extent. You also have the option to object to this data processing at any time by following the provider's opt-out instructions, which you can access here: https://www.fullstory.com/optout.

3.4.5. LinkedIn Pixel

To design our job postings in a needs-based manner, to further optimize them and to measure their conversion, we use an individual visitor action pixel from LinkedIn, LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter "LinkedIn") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. This allows the behavior of site visitors to be tracked after they have been redirected to our recruiting pages by clicking on a LinkedIn ad. This enables us to evaluate the effectiveness of our LinkedIn ads for statistical purposes and to optimize future advertising measures. In particular, the following information is processed during use:

• Timestamp,

• Referrer URL,

• Campaign-related information (in particular specification of the impression, form field, activated button),

• Demographic information such as job title, seniority, company, company size, location and country

The data collected in this way is anonymous for us and therefore does not allow us to draw any conclusions about the identity of the respective user. The storage period is a maximum of 180 days. The data is also stored and processed by LinkedIn, so that a connection to the respective user profile is possible and LinkedIn can use the data for its own advertising purposes, in accordance with the LinkedIn privacy policy. We have also concluded a contract for commissioned processing in accordance with Art. 28 GDPR with LinkedIn, in which LinkedIn undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about LinkedIn and data protection at LinkedIn can be found in the provider's privacy policy. You can object to this special data processing at any time by clicking this link and then selecting the "Decline" button.

3.4.6. Google Tag Manager

We use Google Tag Manager to manage website tags (website code). These make it easier for us to manage and develop our offering and shorten your loading time. Google Tag Manager only implements website code. Google Tag Manager itself does not set cookies and does not collect personal data. The tool merely integrates website code that we have stored elsewhere, through which data may be collected. The tool therefore only serves to facilitate the control of the respective code, but does not itself access the data processed by the code. We inform you about all tags integrated in this way in this privacy policy. You can find more information about Google Tag Manager and the usage guidelines on Google's pages.

3.4.7. Google AdWords Conversion Tracking

To control and improve our campaigns, we use the online advertising program "Google AdWords" and the Conversion Tracking analysis tool, a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. When you click on an ad placed by Google, a cookie for conversion tracking is placed on your computer. The information generated by the cookie:

• Clicked ad,

• Browser type/version,

• Operating system used,

• Location,

• Referrer URL (the previously visited page),

• Hostname of the accessing computer (IP address),

• Time of the server request

is transmitted to a Google server in the USA and stored there. These cookies expire after 30 days, contain no personal data and are therefore not used for personal identification. If you visit certain internet pages of our website and the cookie has not yet expired, Google and we can recognize that you clicked on the ad and were redirected to this page. Each Google AdWords customer receives a different cookie. This means that cookies cannot be tracked across AdWords customers' websites. The information obtained using the cookie is used to create conversion statistics for us as AdWords customers. This allows us to know the total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive any information that personally identifies users. We have also concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Google, in which Google undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. You can prevent this processing in advance by generally preventing the installation of cookies through a corresponding browser setting of your browser (deactivation option) or by setting it so that cookies from the domain "googleleadservices.com" are not accepted. You can revoke your consent to processing via this cookie at any time with effect for the future by switching the slider in the Google settings to "Off".

3.4.8. Google Analytics

For the purpose of needs-based design and continuous optimization of our websites, we use Google Analytics, the analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. In this context, pseudonymized usage profiles are created and cookies are used. The information generated by the cookie about your use of this website such as:

• Browser type/version,

• Device name,

• Operating system used,

• Referrer URL (the previously visited page),

• Keywords/specific search query,

• Service provider,

• Hostname of the accessing computer (IP address),

• Time of the server request

is transmitted to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on activities and to provide other services related to website use and internet use for the purposes of market research and needs-based design of these internet pages. This information may also be transferred to third parties if required by law or if third parties process this data on our behalf. Under no circumstances will your IP address be merged with other Google data. The IP addresses are anonymized so that assignment is not possible (so-called IP masking). The storage period is a maximum of 180 days. You can object to this data processing at any time by preventing the installation of cookies by adjusting your browser software settings accordingly; however, we would like to point out that in this case you may not be able to use all functions of our website to their full extent. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing this browser add-on. As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent collection by Google Analytics by clicking this link. An opt-out cookie will be set that prevents future collection of your data when visiting this website. Please note that the opt-out cookie is only valid in the browser used and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again. For more information on data protection in connection with Google Analytics, please visit the Google Analytics website.

3.4.9. Google Dynamic Remarketing

We use the remarketing or "similar audiences" tool from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. This function serves the purpose of analyzing visitor behavior and visitor interests. To carry out the analysis of website use, which forms the basis for creating interest-based advertisements, Google uses cookies. The cookies are used to record visits to the website as well as anonymized data about the use of the website. No personal data of website visitors is stored. If you subsequently visit another website in the Google advertising network, advertisements may be displayed to you that are highly likely to take into account previously accessed product and information areas and may be similar to them.

Your data may be processed via Google servers in the USA. The processing thus carried out for behavior- and interest-based advertising purposes is to be regarded as our recognized legitimate interest according to Recital 47 to the GDPR.

You can object to this data processing at any time by downloading and installing this browser add-on. You can also permanently deactivate the use of third-party cookies by configuring the Network Advertising Initiative deactivation page accordingly. Detailed information on Google Remarketing and the associated privacy policy can be found at: https://www.google.com/privacy/ads/

3.4.10. GA Audiences

For the purpose of enabling interest-based control of our campaigns within the Google advertising network, we use the GA Audiences web analytics service, a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. In this context, pseudonymized usage profiles may be created and cookies may be used. The information generated by the cookie about your use of this website such as:

• Browser type/version,

• Device name,

• Operating system used,

• Referrer URL (the previously visited page),

• Keywords/specific search query,

• Service provider,

• Hostname of the accessing computer (IP address),

• Time of the server request

is transmitted to a Google server in the USA and stored there. The cookie makes it possible to recognize the visitor when they access websites that belong to Google's advertising network. On these pages, the visitor can then be shown advertisements that relate to content that the visitor has previously accessed on websites that use Google's remarketing function. The storage period is a maximum of 180 days. The processing thus carried out for behavior- and interest-based advertising purposes is to be regarded as our recognized legitimate interest according to Recital 47 to the GDPR. You can object to this processing at any time. If you do not wish to receive interest-based advertising, you can deactivate Google's use of cookies for these purposes by following the instructions at this link.

3.4.11. Bing Ad Conversion Tracking and Re-Marketing

We use the conversion tracking and remarketing tool from Bing, a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter: "Bing") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. This function serves the purpose of analyzing visitor behavior and visitor interests in order to create and control needs-based campaigns for our products and to measure their effectiveness. If you access our website via a Bing advertisement, a cookie is set on your device. Our website has integrated Bing-UET Tag, i.e., a code snippet that can store data about the use of the website in connection with the cookie. This allows Bing and us to recognize that the visitor reached us via the ad and a conversion page. The cookie processes in particular the following anonymized data:

• the advertisement through which the visitor reached us,

• Browser type/version,

• Device name,

• Operating system used,

• Referrer URL (the previously visited page),

• Keywords/specific search query,

• Service provider,

• Hostname of the accessing computer (IP address),

• Time of the server request,

• Duration on the website and areas visited,

• Movement behavior on the website

via Bing's servers and stores it there for a maximum of 180 days. The processing thus carried out for behavior- and interest-based advertising purposes is to be regarded as our recognized legitimate interest according to Recital 47 to the GDPR. You can prevent the collection of data generated by the cookie and related to your use of the website as well as the processing of this data even before the cookie is set by changing the browser settings and deactivating the setting of cookies. You can also object to this data processing at any time by setting the switch to "Off" at this link under "Interest-based advertising: This browser". This will set a so-called opt-out cookie on the device used, which is only relevant per browser and device. If you visit our website with different browsers or devices, you must activate the opt-out cookie per browser or device. Detailed information about Bing and the associated privacy policy can be found on the product page or the provider's website.

3.4.12. Criteo

For marketing purposes, namely to enable interest-based targeting of our campaigns, we use the cookie technology of Criteo SA, Rue Blanche, 75009, Paris, France (hereinafter: "Criteo") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. We use Criteo to be able to display targeted product recommendations to our interested users on third-party websites (so-called publishers). For this purpose, when you visit our website, a cookie is set that processes information about your visits to our website, in particular about the offers viewed, destinations, and browsing behavior. This data processing takes place in purely anonymized form, i.e., the cookie can only be identified via a randomly generated ID. Thus, the information processed by the cookie cannot be used to identify a specific person. The cookie has a maximum lifetime of 6 months and is then automatically deleted. The processing thus carried out for behavior- and interest-based advertising purposes is to be regarded as our recognized legitimate interest according to Recital 47 to the GDPR.

For more information about Criteo technology, please see the provider's privacy policy. You can also object to this anonymous data processing on our website at any time by setting the switches under Section 2 to "On" at this link. A new opt-out cookie will then be set so that no further data processing via Criteo takes place. Please note that the opt-out cookie is only valid for the browser and device used.

3.4.13. Intent Media

To use our campaigns in a needs-based manner, to further optimize them and to measure their conversion, we use the Intent Media advertising network, a service of Intent Media, Inc., 315 Hudson Street, 9th Floor, New York, NY 10013 USA (hereinafter "Intent Media") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. Intent Media is a provider of personalized advertising that makes it possible to offer users suitable offers based on their search behavior that match their travel preferences. The processing thus carried out for behavior- and interest-based advertising purposes is to be regarded as our recognized legitimate interest according to Recital 47 to the GDPR. The data is stored in accordance with the legal retention periods and then automatically deleted. The offers generated by Intent Media are displayed either in the form of ads directly on our websites or loaded in a separate tab or on a new page.

For the aforementioned purposes, Intent Media processes data on user activity such as source and exit pages and number of clicks, date and time of visit as well as the IP address and assigns a random ID. This data is transmitted to an Intent Media server in the USA. We have also concluded a contract for commissioned processing in accordance with Art. 28 GDPR with Intent Media, in which Intent Media undertakes to process the data received only in accordance with our instructions and to comply with the EU data protection level. Additional information about Intent Media and data protection can be found in the provider's privacy policy. You have the option to object to this data processing at any time by following the provider's opt-out instructions, which you can access by clicking this link: https://intentmedia.com/opt-out/.

3.4.14. Outbrain Conversion Pixel

To use our campaigns in a needs-based manner, to further optimize them and to measure their conversion, we use an individual pixel from Outbrain Inc., 39 West 13th Street, New York, NY 10011, USA (hereinafter: "Outbrain") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. This pixel is embedded in our website code. On the one hand, this allows us to ensure that the campaigns we initiate are only displayed to users who have also shown an interest in our offer. We also want to ensure that our campaigns correspond to the potential interest of the respective user and do not harass them. On the other hand, this allows us to track users' actions after they have seen or clicked on one of our campaigns. This helps us measure conversion for statistical and market research purposes as well as billing purposes. During use, the following information is processed:

• Clicked ad,

• Browser type/version,

• Operating system used,

• Location,

• Referrer URL (the previously visited page),

• Hostname of the accessing computer (IP address),

• Time of the server request,

The data collected in this way is anonymous for us and therefore does not allow us to draw any conclusions about the identity of the respective user. The storage period is a maximum of 180 days. The processing thus carried out for behavior- and interest-based advertising purposes is to be regarded as our recognized legitimate interest according to Recital 47 to the GDPR. The data is stored in accordance with the legal retention periods and then automatically deleted. More information on data protection at Outbrain can be found in their privacy policy. You can object to this special data processing at any time by clicking the opt-out button under Section 4.

3.4.15. DoubleClick

For the purpose of needs-based design and continuous optimization of our websites, we use the DoubleClick analysis service, a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "DoubleClick") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. A pseudonymous identification number (ID) is assigned to your browser to check which ads were displayed in your browser and which ads were viewed. The cookies contain no personal information. The use of DoubleClick cookies only enables Google and its partner websites to display ads based on previous visits to our or other websites on the Internet. The information generated by the cookie about your use of this website such as:

• Browser type/version,

• Operating system used,

• Referrer URL (the previously visited page),

• Hostname of the accessing computer (IP address),

• Time of the server request,

is transmitted to a Google server in the USA and stored there. The storage period is a maximum of 180 days. The information is used to evaluate the use of the website, to compile reports on activities and to provide other services related to website use and internet use for the purposes of market research and needs-based design of these internet pages. You can object to this processing at any time by either downloading and installing the browser add-on available at the following link or deactivating the DoubleClick cookies on the Digital Advertising Alliance page at the following link.

3.4.16. Pardot

For the purpose of needs-based design and continuous optimization of our websites, we use the Pardot marketing tool, a service of Salesforce Inc., The Landmark at One Market, Suite 300, San Francisco, CA 94105, USA (hereinafter: "Pardot") on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. The tool helps us to better understand the usage behavior of our visitors and to gain insights for further optimization needs. Through the use of Pardot, the following data is processed:

• Data about the use of our website,

• Name,

• Email,

• Travel request (destination, travel time, type of travel),

• Data about interactions with emails from Tourlane

and transmitted via Pardot's servers in the USA and stored there. From this, usage profiles can be created, which we use exclusively for the aforementioned purposes. This processing for the optimization of our offers is to be regarded as our recognized legitimate interest. You can object to this data processing at any time by informing us that you no longer wish this processing to take place in the future. For this purpose, please use the contact options provided by our data protection officer.

3.4.17. Visual Website Optimizer

For the purpose of needs-based design and continuous optimization of our websites, we use the Visual Website Optimizer analysis service, a service of provider Wingify, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India (hereinafter: Visual Website Optimizer) on the basis of Art. 6(1)(a) GDPR in conjunction with § 25(1) sentence 1 TTDSG. The tool helps us to better understand the usage behavior of our visitors and to gain insights for further optimization needs. Through the use of Visual Website Optimizer, the following data is processed:

• Device information (type, brand, operating system),

• the IP address of the device used,

• Data about the use of our website,

• Name of provider (e.g., Vodafone),

and transmitted via Visual Website Optimizer's servers and stored there. The storage period is a maximum of 180 days. From this, anonymous usage profiles can be created, which we use exclusively for the aforementioned purposes. This processing for the optimization of our offers is to be regarded as our recognized legitimate interest. You can object to this data processing at any time by clicking the "Disable VWO" button via this opt-out link.

3.4.18. Facebook Custom Audiences

For target group-optimized control of Facebook campaigns and to measure their conversion, we use the option of forming so-called Facebook Lookalike Audiences, which is offered to us by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (hereinafter "Facebook") on the basis of Art. 6(1)(f) GDPR. More information about Facebook's Look-Alike campaigns can be found at Facebook at: https://www.facebook.com/business/help/365463786964246 This processing for behavior- and interest-based advertising purposes is to be regarded as our recognized legitimate interest according to Recital 47 to the GDPR. In the event that you belong to the Facebook Look-Alike Audience, we transmit your email address and device ID to Facebook. You can object to this special data processing at any time by either changing your Facebook settings: https://www.facebook.com/settings/?tab=ads or by informing us that you no longer wish this processing to take place in the future. For this purpose, please use the contact options provided by our data protection officer.

I'll translate this German privacy policy document into English for the US. Here's the translation:

3.4.19. Google Maps Integration

On our website, we use the Google Maps API from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google") based on Article 6(1)(f) GDPR. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function. In this context, a cookie may be used. The information generated by the cookie about your use of our website includes:

• Visiting the corresponding subpage

• Browser type/version

• Operating system used

• Referrer URL (the previously visited page)

• Hostname of the accessing computer (IP address)

• Time of server request

This processing to improve our site and user experience is considered our legitimate interest. For more information about data protection in connection with Google Maps, please see Google's privacy policy. You can object to this data processing by changing the corresponding settings in the privacy center or Google's activity settings.

3.4.20. Facebook Connect

To make registration for our services as barrier-free as possible, we enable you to log in via Facebook, the so-called Facebook login function, a service from Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA (hereinafter "Facebook"). This replaces the otherwise necessary registration. To log in, you will be redirected to Facebook servers, where you can log in with your Facebook credentials. This links your Facebook profile with our service. When using this simplified login function, we collect various basic data from your publicly visible profile, including:

• First name, last name

• Location

• Birthday

• Gender

• Email address

• Time zone

• Friends

• Profile picture

The legal basis for the aforementioned processing is Article 6(1)(a) GDPR. This processing serves the purpose of simplified login and contract initiation and execution or the provision of pre-contractual measures. This processed information is necessary for contract conclusion to identify you. For the purpose and scope of data collection by Facebook and the further processing and use of the data, as well as your related rights and setting options to protect your privacy, please refer to Facebook's privacy notices and the provider's additional information about the Facebook Connect function.

3.4.21. Unbounce

To best inform our customers and prospects, we use the analytics service from Unbounce Marketing Solutions Inc., Unit 415-375 Water Street, Vancouver, BC, Canada V5T 4R4 (hereinafter: "Unbounce") on various landing pages for A/B testing, specifically for optimization and needs-based design of our campaigns and advertising campaigns, based on Article 6(1)(f) GDPR. Individual platforms for our campaigns are hosted by Unbounce and used by us. When you visit these landing pages, your browser communicates directly with Unbounce's servers, so that technical and statistical information is processed, including:

• Log data

• Browser type/version

• Device name

• Operating system used

• Referrer URL (the previously visited page)

• Hostname of the accessing computer (IP address)

• Information provided by the user on the page

• Your email address, if applicable

Cookies may be set through these servers. We subsequently receive an anonymous statistical evaluation of user activities on the platforms we use. Through this data processing by Unbounce, we can improve our landing pages and products, which constitutes our legitimate interest. The storage period is a maximum of 180 days.

We have concluded a data processing agreement with Unbounce according to Article 28 GDPR, in which Unbounce commits to processing the received data only according to our instructions and complying with the EU data protection level. Additionally, the EU Commission has classified Canada as a safe third country, ensuring that this data processing maintains a level of data protection corresponding to European standards. For more information about Unbounce and data protection at Unbounce, please see the provider's privacy policy. If you have questions about data processing at Unbounce, you can also contact the provider directly at any time: support@unbounce.com.

3.4.22. Microsoft Clarity

On our website, we use "Clarity," a service from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA (hereinafter "Clarity") to collect and store various user information for statistical analysis of user behavior and for optimization and marketing purposes. Clarity's technology helps us better understand our users' experiences, for example, how much time users spend on which pages, how far they scroll, and which links or areas are clicked most frequently. The legal basis for this data processing is Article 6(1)(a) GDPR in conjunction with Section 25(1) Sentence 1 TTDSG. The cookie set by Clarity processes the following data in particular:

• IP address

• Location

• Browser information

• Screen resolution

• Language settings

• Visited website/subpages

• Date/time of website access

• Clicks, scrolls, mouse movements

This cookie has a storage duration of 6 months. We have also concluded a data processing agreement with Clarity according to Article 28 GDPR, in which Clarity commits to processing the received data only according to our instructions and complying with the EU data protection level.

You can prevent this processing in advance by generally preventing the installation of cookies through a corresponding browser setting. If you have given your consent to this data processing, you can revoke it at any time with effect for the future by clicking on the switch to "Off" displayed at this link. For more information about data protection at Clarity, please see the provider's privacy policy.

3.4.23. Taboola Pixel

On our website, we use the Taboola pixel for conversion measurement, a service from Taboola, Inc., 1115 Broadway, 7th Floor, New York, NY 10010, USA (hereinafter: "Taboola"). This allows user behavior to be analyzed. The legal basis for this data processing is Article 6(1)(a) GDPR in conjunction with Section 25(1) Sentence 1 TTDSG.

This process serves to evaluate the effectiveness of Taboola advertisements for statistical and market research purposes and can help optimize future advertising measures. The cookie processes the following data in particular:

• Clicked advertisement

• Browser type/version

• Operating system used

• Location

• Referrer URL (the previously visited page)

• Hostname of the accessing computer (IP address)

• Time of server request

The collected data is anonymous to us, providing no conclusions about the identity of users and is stored for a maximum of 180 days. We have also concluded a data processing agreement with Taboola according to Article 28 GDPR, in which Taboola commits to processing the received data only according to our instructions and complying with the EU data protection level.

You can prevent this processing in advance by generally preventing the installation of cookies through a corresponding browser setting. If you have given your consent to this data processing, you can revoke it at any time with effect for the future by clicking on "Opt Out" at this link. For more information about data protection at Taboola, please see the provider's privacy policy.

5.1. Overview

In addition to the right to revoke consents you have given us, you have the following additional rights if the respective legal requirements are met:

• Right to information about your personal data stored with us according to Article 15 GDPR

• Right to correction of incorrect data or completion of correct data according to Article 16 GDPR

• Right to deletion of your data stored with us according to Article 17 GDPR

• Right to restriction of processing of your data according to Article 18 GDPR

• Right to data portability according to Article 20 GDPR

To exercise your rights, a brief notice to our data protection officer is sufficient. They can be reached via email at datenschutz@tourlane.de or by mail at Tourlane GmbH, Attn: Data Protection Department, Prinzessinnenstr. 19-20, 10969 Berlin.

5.2. Right to Object

Under the conditions of Article 21(1) GDPR, data processing can be objected to for reasons arising from the particular situation of the data subject.

The above general right to object applies to all processing purposes described in this privacy policy that are processed based on Article 6(1)(f) GDPR. Unlike the special right to object directed at data processing for advertising purposes (see above), we are only obligated under the GDPR to implement such a general objection if you provide us with reasons of overriding importance (e.g., a possible danger to life or health). Furthermore, you have the possibility to contact the supervisory authority responsible for Tourlane, the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin.

7. Data Security

All data personally transmitted by you, including your payment data, is transmitted using the generally standard and secure SSL (Secure Socket Layer) standard. SSL is a secure and proven standard that is also used in online banking, for example. You can recognize a secure SSL connection by the s appended to the http (i.e., https://...) in your browser's address bar or by the lock symbol in the lower area of your browser.