Privacy Notice

Principles

We at Mountains&Lakes are pleased about your interest in our services. The protection of your personal data is very important to us, and we take all necessary measures to ensure that you feel comfortable using our services and website. Your privacy is our top priority. Therefore, we strictly adhere to the legal data protection regulations. Our employees are regularly trained in data protection and data security. Below, we would like to explain how we handle and protect your personal data within the framework of our website as well as our digital content and products.

Controller

Data Protection Officer: David Tatschl
Contact: david.tatschl@mountainsandlakes.at

Scope of Data Processed

We process personal data of our users only to the extent necessary to provide a functional website as well as our offered content and services. The processing of personal data is based on the currently applicable legal foundations.

Types of Data Processed

• Inventory data (e.g., first name, last name)
• Contact data (e.g., email, phone number)
• Address data (e.g., street, house number, city, postal code, country)
• Content data (e.g., text entries, photos, videos)
• Usage data (e.g., visited websites, interest in content, access times)
• Meta/communication data (e.g., browser, device information, IP addresses)

Categories of Data Subjects

• Visitors and users of our website
• Users of other digital services, content, and products

Purpose of Processing

• Conducting business operations
• Providing and operating our offerings, their functions, and content
• Responding to contact inquiries and communication
• Security measures
• Reach measurement and marketing

We process the data of our visitors, users, and customers within the scope of our contractual services. This includes the operation of Mountains&Lakes, the execution of campaigns, communication within this framework, the optimization of our services, server administration, as well as data analysis and statistics. The purpose of this data processing is to provide contractual services, billing, our customer service (including analysis, statistics, and optimization), as well as security measures. We only process the data necessary for the establishment and fulfillment of contractual services and indicate the necessity of their provision. Data is only transferred to external parties if required within the scope of an order. When processing data entrusted to us within the scope of an order, we act in accordance with the instructions of the clients and the legal requirements of order processing pursuant to Art. 28 GDPR. The data is processed exclusively for the purposes specified in the order.

Administration, Financial Accounting, Office Organization, Contact Management

We process data within the scope of administrative tasks, the organization of our operations, financial accounting, and to fulfill legal obligations, such as archiving. In doing so, we use the same data that is also processed within the scope of our contractual services. This processing affects customers, interested parties, business partners, users, and visitors of our website. The purpose and our interest in this data processing lie in administration, financial accounting, office organization, and data archiving – tasks that serve to maintain our business operations, fulfill our duties, and provide our services. The deletion of data related to contractual services and communication is carried out in accordance with the specifications mentioned in these processing activities. We transfer data to the tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers. Additionally, we store information on suppliers, event organizers, and other business partners within the scope of our business interests, for example, for later contact. These predominantly company-related data are generally stored permanently.

Disclosure of Personal Data

We only disclose your personal data to third parties if:

• it is necessary for the performance of a contract with you,
• it is required to protect our legitimate interests or those of a third party, provided that your interests or fundamental rights and freedoms, which require the protection of personal data, do not override,
• we are legally obligated to do so,
• it is necessary to enforce our claims and rights,
• we receive requests from governmental authorities (e.g., supervisory authorities or law enforcement agencies, if the disclosure is necessary to avert dangers to public safety and order or to prosecute criminal offenses).

In the context of such disclosure, personal data may only be used for the respective purpose.

Security Measures

In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for personal data. In doing so, we take into account the state of the art, the costs of implementation, as well as the nature, scope, context, and purposes of the data processing. We also assess the likelihood and severity of potential risks to the rights and freedoms of natural persons.

These measures include, in particular:

• Ensuring the confidentiality, integrity, and availability of data by controlling physical access and access to the data.
• Controlling data entry, transmission, ensuring data availability, and data separation.
• Procedures for exercising data subject rights, deleting data, and responding to data threats.

Additionally, we consider data protection in the development and selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Transfers to Third Countries

If we process data in a third country (outside the EU or EEA) or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this only happens under certain conditions. These conditions are:

• Fulfillment of our (pre)contractual obligations,
• Your consent,
• A legal obligation, or
• Our legitimate interests.

The processing is carried out, for example, on the basis of special guarantees, such as:

• The officially recognized determination of a data protection level corresponding to that of the EU (e.g., through the “Privacy Shield” for the USA) or
• Compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

Deletion of Data

Unless otherwise stated in this privacy policy, we delete the data stored by us as soon as they are no longer needed for their purpose and no legal retention obligations exist. If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Rights of Data Subjects

• Right of Access (Art. 15 GDPR): You can request confirmation as to whether your data are being processed and obtain information about these data.
• Right to Rectification (Art. 16 GDPR): You can request the completion or correction of your inaccurate data.
• Right to Erasure (Art. 17 GDPR): You can request the immediate deletion of your data. Alternatively, you can request a restriction of processing according to Art. 18 GDPR.
• Right to Data Portability (Art. 20 GDPR): You can request that the data you have provided be transferred to you or another controller in a structured, commonly used, and machine-readable format.
• Right to Withdraw Consent (Art. 7(3) GDPR): You can withdraw your consent at any time with effect for the future.
• Right to Object (Art. 21 GDPR): You can object to the future processing of your data at any time, particularly against processing for direct marketing purposes.

Cookies

Cookies are small text files stored on your device to enhance the user experience. There are different types of cookies:

• Session Cookies: Temporary cookies that are deleted once you close the browser (e.g., shopping cart contents).
• Persistent Cookies: Remain stored even after closing the browser (e.g., login status).
• First-Party Cookies: Set by the visited website.
• Third-Party Cookies: Set by third parties.

We use both temporary and persistent cookies. These help us personalize content and ads, provide social media features, and analyze traffic to our website. We share information about your use of our website with our social media, advertising, and analytics partners.

Your Rights and Settings

You can disable or delete cookies in your browser settings.

Disabling cookies may limit the functionality of our website.

For non-essential cookies, we require your consent, which you can change or withdraw at any time.

For more information, please refer to our privacy policy.

Contact

If you contact us (e.g., via contact form, email, phone, or social media), we process the information you provide to handle your request. These data may be stored in a help desk, CRM system, or similar request management system.

We delete inquiries once they are no longer necessary and review this every two years. We also comply with statutory archiving obligations.

Google Analytics

We use Google Analytics based on our legitimate interests to analyze and optimize our online offering. Google Analytics uses cookies that generate information about your use of our website. This data is usually transmitted to a Google server in the USA and stored there.

Google is certified under the Privacy Shield agreement, ensuring compliance with European data protection law. Google uses this information on our behalf to evaluate the use of our website, create reports, and provide other services. Pseudonymous usage profiles can be created in this process.

We use Google Analytics with IP anonymization enabled, so your IP address is shortened within the EU or EEA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Your IP address is not merged with other Google data.

You can prevent the storage of cookies by adjusting your browser settings. Additionally, you can prevent the collection and processing of data generated by the cookie by Google by downloading and installing the browser plugin available at the following link.

For more information on how Google uses data and your settings and opt-out options, please refer to Google’s privacy policy and the settings for Google ads.

Online Presence in Social Media

We operate online presences on social networks and platforms such as Instagram to communicate with customers, interested parties, and users and to inform them about our services. When visiting these networks and platforms, the terms and conditions and data processing policies of the respective operators apply.

Unless otherwise stated in our privacy policy, we process data when you communicate with us within these networks, e.g., by posting on our pages or sending us messages.

Integration of Third-Party Content and Services

We use content and services from third-party providers, such as videos or fonts, based on our legitimate interests to improve our online offering. For this, it is necessary that the third-party providers process your IP address, as they cannot send the content to your browser without it.

We strive to use only content from providers who use the IP address solely to deliver the content. Third-party providers may also use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags allow the evaluation of visitor traffic on our website. The pseudonymous information collected may be stored in cookies and include technical information such as browser, operating system, referring websites, visit time, and other usage data. This information may also be combined with data from other sources.

Google Maps

We use Google Maps from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. IP addresses and location data may be processed, but only with your consent (usually through your mobile device settings). The data may be processed in the USA. For more information, please refer to Google’s privacy policy. Opt-out options are also available.

Changes to the Privacy Notice

We reserve the right to adapt this privacy notice when introducing new services and products to comply with current legal requirements. The current version applies to your next visit to our website or use of our services.

Questions and Comments

If you have any questions or suggestions regarding data protection at Mountains&Lakes, please feel free to contact our data protection officer by email.