PRIVACY NOTICE
Last updated: February 2026
Mountains & Lakes Chalets & Apartments
Last updated: February 2026
Controller
Tatschl‑Unterberger Eva & Tatschl David GesbR
Business name: Mountains & Lakes Chalets & Apartments
Dobrovastraße 5
9500 Villach, Austria
Phone: +43 664 966 2529
Email: office@mountainsandlakes.at
VAT number: ATU74078589
Management: Dipl.-Ing. David Tatschl
There is no legal obligation for us to appoint a Data Protection Officer.
1. General Information
We process personal data in accordance with the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) in order to operate our website securely and efficiently, provide our accommodation services, and fulfil contracts with guests.
Legal Bases Overview
- Contract performance / pre‑contractual measures (booking, stay, communication) – Art. 6(1)(b) GDPR
- Legal obligations (guest registration, tourist tax, accounting) – Art. 6(1)(c) GDPR
- Legitimate interests (operation, IT security, server log files, performance) – Art. 6(1)(f) GDPR
- Consent (analytics, marketing, Google Maps, certain AI functions) – Art. 6(1)(a) GDPR
2. Hosting & Infrastructure
2.1 Hosting & Delivery via Vercel
Our website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.
When visiting our website, server log files (e.g., IP address, browser type, timestamp) are automatically processed by your browser.
Purpose: secure and fast website delivery, stability, error diagnostics
Legal basis: Art. 6(1)(f) GDPR
Data transfer: USA; according to Vercel’s current policy, Vercel is EU–US Data Privacy Framework (DPF) certified (adequate protection).
2.2 Sanity.io (CMS & Image CDN)
We use Sanity AS, Thorvald Meyers gate 11, 0555 Oslo, Norway to manage and deliver content/images (Content Delivery Network).
Data processed: IP address (technically required for CDN delivery)
Legal basis: Art. 6(1)(f) GDPR (efficient, fast media delivery)
Storage location: Norway (EEA, GDPR‑compliant)
3. AI Functions (Vercel AI SDK / Google Gemini)
We use AI‑powered features (e.g., chat or automated response generation) through the Vercel AI SDK in combination with Google Gemini.
Data processed: user inputs/prompts
Legal basis:
- Art. 6(1)(a) GDPR (consent), or
- Art. 6(1)(f) GDPR (legitimate interest in user‑friendly interaction)
Important: Please do not enter sensitive data (e.g., health or payment data).
International transfers: User prompts may be transmitted to Google (USA). DPF safeguards apply; additional SCC measures may be used.
4. Analytics & Tracking
4.1 Google Analytics 4 (GA4)
Used only with consent via our cookie banner.
Data processed: usage data, event data, device information, truncated IP address
Legal basis: Art. 6(1)(a) GDPR
Retention: usually up to 14 months
Transfer: Google Ireland Ltd. (EU) and Google LLC (USA), covered by the EU–US DPF
Note: IP anonymisation takes place within the EU/EEA.
4.2 PostHog (Cloud EU)
We use PostHog Cloud EU (Frankfurt, Germany) for additional product and usage analytics.
Purpose: anonymous usage statistics, interaction analysis for improvement
Legal basis: Art. 6(1)(a) or Art. 6(1)(f) GDPR
Data storage: exclusively within the EU
No third‑country transfers
4.3 Vercel Analytics & Speed Insights
We use Vercel Analytics/Speed Insights for:
- performance analysis (load times, technical metrics)
- anonymised visitor counting
Characteristics:
No persistent cookies, no profiling.
Legal basis: Art. 6(1)(f) GDPR
5. Maps & Embeds
5.1 OpenFreeMap / MapLibre GL
Used to display interactive map data.
Data processed: IP address (required for map tile retrieval)
Legal basis: Art. 6(1)(f) GDPR
5.2 Google Maps
Loaded only after explicit consent (2‑click solution).
Legal basis:Art. 6(1)(a) GDPR
Data transfer: Google Ireland Ltd. → Google LLC (USA), protected via EU–US DPF
Consent can be withdrawn anytime in the cookie settings.
6. Booking & Payment Processing (Hospitality‑Specific)
6.1 Booking System – Easybooking (Zadego GmbH)
Purpose: managing inquiries, bookings, offers, stays, invoicing
Data: personal, contact, stay, payment, communication data
Legal basis: Art. 6(1)(b) & (c) GDPR
Processor role: Agreement in place
Storage: EU
6.2 Payment Provider – hobex AG
Purpose: processing electronic payments (terminal/online)
Data: transaction data, tokenised card data, invoice data
Legal basis: Art. 6(1)(b) GDPR
Retention: 7 years (under Austrian tax law)
6.3 Electronic Access System – Nuki
Purpose: access control with time‑limited digital codes
Data: access logs (time/code), permissions
Legal basis: Art. 6(1)(f) GDPR
Retention: max. 30 days
6.4 Booking Platforms
Platforms such as Booking.com, Airbnb, Expedia, FeWo, Landsichten, Feratel act as their own controllers.
They transmit booking data to us for contract performance (Art. 6(1)(b)).
International transfers may occur depending on the provider.
7. Guest Registration & Tourist Tax (All Locations)
We are legally required to register all guests in accordance with the Austrian Registration Act and local tourism/tax regulations.
Locations:
- Villach – Maria Gail
- Velden am Wörthersee
- Rust am Neusiedlersee
Data processed:
Names of all travellers, address, date of birth, nationality, arrival/departure dates, travel document details where legally required.
Recipients:
- Municipality of Villach & Tourism Region Villach
- Municipality of Velden am Wörthersee & Wörthersee–Rosental Tourism Board
- Free City of Rust & Neusiedler See – Seewinkel Tourism Board
Legal basis: Art. 6(1)(c) GDPR
8. Video Surveillance (Parking Area, Staircase)
Purpose: protection of guests/staff, safeguarding property, incident clarification
Legal basis: Art. 6(1)(f) GDPR
Retention: max. 72 hours (longer only for documented incidents)
Recipients: authorities when legally required
9. Communication (Contact Form, Email, Telephone)
Data processed: name, contact details, message content, metadata (timestamp/IP)
Purpose: processing inquiries and (pre‑)contractual communication
Legal basis: Art. 6(1)(b) or Art. 6(1)(f) GDPR
Deletion: no later than 12 months after completion, unless statutory retention applies
10. Cookies, Consent & Google Consent Mode
We use a Consent Management Platform (CMP).
- Non‑essential services (analytics, marketing, Google Maps) are loaded only after consent.
- Consent may be changed or withdrawn at any time under “Cookie Settings”.
- Categories: necessary, functional, statistics, marketing
- Google Consent Mode v2 controls signals sent to Google services based on user consent
11. Retention Periods (Overview)
- Booking/invoicing data: 7 years
- Contact inquiries: 12 months
- Nuki access logs: 30 days
- Video recordings: 72 hours
- Analytics/marketing data: until withdrawal of consent or tool‑specific retention
12. Recipients & International Transfers
We work with processors for hosting, booking, payment, content delivery, analytics.
Where required, international transfers rely on:
- the EU–US Data Privacy Framework (DPF), or
- Standard Contractual Clauses (SCCs) + supplementary measures.
13. Your Rights
Under the GDPR, you have rights to:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdrawal of consent at any time (Art. 7(3))
You also have the right to lodge a complaint with:
Austrian Data Protection Authority,
Barichgasse 40–42, 1030 Vienna
Email: dsb@dsb.gv.at
14. Security
We use TLS/HTTPS and appropriate technical and organisational measures (TOMs) to ensure a risk‑adequate level of security.
15. Changes
This Privacy Notice may be updated if new services, legal requirements, or technical developments make it necessary.
Status: 13 February 2026