Privacy policy

Responsible for Data Processing:

SOJOURN GmbH

Innsbrucker Strasse 83,

6060 Hall in Tirol,

Austria

Phone: +43 664 822 5132

Email: sojourn@sojourn-xo.com

We appreciate your visit to our website/online shop and your interest in our company and our products. We take the protection of your personal data seriously and want you to feel comfortable when visiting our website and/or when contacting us through our various channels. Protecting your privacy when processing personal data is a major concern for us, which we take into account in our business processes. We process personal data collected when you visit our website in accordance with data protection regulations. The website may contain links to other providers' websites that are not covered by this privacy policy.

This privacy policy describes how SOJOURN GmbH (the "Website," "we," "us," or "our") collects, uses, and discloses your personal data when you visit www.sojourn-xo.com (the "Website"), use our services, make a purchase, or otherwise communicate with us (collectively, the "Services"). For the purposes of this privacy policy, "you" and "your" refer to you as a user of the Services, whether you are a customer, website visitor, or any other person whose information we have collected in accordance with this privacy policy.

Please read this privacy policy carefully. By using and accessing any of the Services, you agree to the collection, use, and disclosure of your information as described in this privacy policy. If you do not agree to this privacy policy, please do not use or access any of the Services.

1. WHO WE ARE

The data controller is SOJOURN GmbH, Innsbrucker Straße 83, 6060 Hall in Tirol, Austria. You can reach us at sojourn@sojourn-xo.com or +43-664-822-5132. Company details can be found in the imprint.

2. DEFINITIONS

This privacy policy is based on the terminology of the European General Data Protection Regulation (GDPR) and aims to be easily readable and understandable for the public, our customers, and business partners. To ensure this, we would like to clarify the terminology used.

Personal Data

Personal data refers to any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data Subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

Processing

Processing refers to any operation or set of operations performed on personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion, or destruction of personal data.

Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting its processing in the future.

Profiling

Profiling refers to any form of automated processing of personal data that involves using that personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data is not attributed to an identified or identifiable natural person.

Controller

The controller is the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or the law of the Member States, the controller or the specific criteria for its designation may be provided for by Union law or the law of the Member States.

Processor

A processor is a natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller.

Recipient

A recipient is a natural or legal person, authority, agency, or other body to whom personal data is disclosed, whether a third party or not. However, authorities that may receive personal data under a particular investigation mandate in accordance with Union law or the law of the Member States are not considered recipients.

Third Party

A third party is a natural or legal person, authority, agency, or other body, other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.

Consent

Consent is any freely given, specific, informed, and unambiguous indication of the data subject's wishes, in the form of a statement or a clear affirmative action, which signifies the data subject's agreement to the processing of personal data relating to them.

3. NAME AND CONTACT DETAILS OF THE CONTROLLER AND THE DATA PROTECTION OFFICER

The controller responsible for processing personal data pursuant to Art. 4 No. 7 GDPR is:

SOJOURN GmbH
Dr. Alexander Hofer
Innsbrucker Strasse 83
A-6060 HALL in Tirol, Austria
Tel. +43 (0)664 822 5132
Email: sojourn@sojourn-xo.com

You can reach our Data Protection Officer as follows:

SOJOURN GmbH
Innsbrucker Strasse 83
A-6060 HALL in Tirol, Austria
Tel. +43 (0)664 822 5132
Email: sojourn@sojourn-xo.com

4. PERSONAL DATA WE COLLECT

4.1 We are pleased that you are visiting our website and thank you for your interest. Below, we inform you about how your personal data is processed when you visit our website. Personal data refers to any data that can be used to identify you personally.

4.2 We process personal data exclusively within the legal framework of applicable statutory regulations and, if necessary, with your consent. Personal data includes any information relating to an identified or identifiable natural person and allows for inferences about their personality.

Processing includes any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, deletion, or destruction.

The types of personal information we collect about you depend on how you interact with our website and use our services. When we use the term "personal information," we refer to information that identifies you, relates to you, describes you, or can be associated with you. The following sections describe the categories and specific types of personal information we collect.

4.3 Information We Collect Directly From You

Information you provide directly through our services may include:

• Basic contact details such as your name, address, phone number, and email address.
• Order information such as your name, billing address, shipping address, payment confirmation, email address, and phone number.
• Account information such as your username, password, and security questions.
• Shopping information such as the items you view, add to your cart, or save to your wish list.
• Customer support information, including the information you provide in communications with us, such as when you send a message through the services.

Some features of the services require you to provide certain information about yourself directly. You may choose not to provide this information, but this may prevent you from using or accessing these features.

When accessing our publication app, information is automatically sent from the browser and/or application (app) on your device to the server of our app. This information is temporarily stored in a so-called log file.

The following information is collected and stored without your intervention until it is automatically deleted:

• IP address of the requesting device (browser and mobile app),
• Date and time of access (browser and mobile app),
• Name and URL of the retrieved file (browser),
• Website from which access is made (referrer URL) (browser),
• Names of publications and content (browser and mobile app),
• Manufacturer, type, and operating system of your device, as well as the name of your access provider (mobile app),
• Browser used and, if applicable, the operating system of your computer, as well as the name of your access provider (browser).

We process the above data for the following purposes:

• Ensuring a smooth connection of the app,
• Ensuring comfortable use of our app,
• Evaluating system security and stability, and
• Other administrative purposes.

The legal basis for this data processing is Art. 6(1)(f) GDPR. Our legitimate interest arises from the purposes listed above for data collection. In no case do we use the collected data to draw conclusions about your identity.

Furthermore, we process the personal data you provide during the registration process. The following information is collected and stored until it is automatically deleted:

• Email address
• Password

The legal basis for this data processing is Art. 6(1)(a) GDPR. We process this personal data to fulfill the contract or pre-contractual relationship with you.

For convenient access to the service, we store information in the device storage of your device. This is intended to save you from having to repeatedly enter your personal data—if necessary—in forms or in the login area. You can remove this data using the relevant functions of your device.

Additionally, we use cookies and analytics services when you visit our app. Further explanations can be found below in this privacy policy.

Data Sharing

In addition to Shopify, we use a qualified service provider (PressMatrix GmbH, Friedrichstraße 171, 10117 Berlin, Germany) for the operation, optimization, and security of our publication app. We only share personal data with them to the extent necessary for the provision and use of the app and its functions, to pursue legitimate interests, or if you have consented. Your personal data will not be transmitted to third parties for any purposes other than those specified in this privacy notice.

Your personal data will not be shared with third parties for any purposes other than those listed below. We only share your personal data with third parties if:

• You have given your explicit consent pursuant to Art. 6(1)(a) GDPR,
• The disclosure is necessary pursuant to Art. 6(1)(f) GDPR for the establishment, exercise, or defense of legal claims, and there is no reason to assume that you have a prevailing legitimate interest in not disclosing your data,
• There is a legal obligation to disclose pursuant to Art. 6(1)(c) GDPR, or
• This is legally permissible and necessary pursuant to Art. 6(1)(b) GDPR for the fulfillment of contractual relationships with you.

4.4 When you visit the website, we automatically collect certain information about your device, including information about your web browser, your IP address, your time zone, and some of the cookies installed on your device. Additionally, as you browse the website, we collect information about the individual web pages or products you view, the websites or search terms that led you to the website, and information about how you interact with the website. We refer to this automatically collected information as "device information."

5.0 INFORMATION WE RECEIVE FROM THIRD PARTIES

Finally, we may receive information about you from third parties, including providers and service providers that collect information on our behalf, such as:

• Companies that support our website and services, such as Shopify (see also 4.3).
• Our payment processors, who collect payment information (e.g., bank account, credit or debit card information, billing address) to process your payment, fulfill your orders, and provide you with the products or services you requested, in order to fulfill our contract with you.

When you visit our website, open or click on emails we send, or interact with our services or advertisements, we or third parties with whom we collaborate may automatically collect certain information using online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies.

All information we receive from third parties will be treated in accordance with this privacy policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and do not assume any responsibility for the policies or practices of third parties. For more information, please refer to the section below on Third-Party Websites and Links.

6.0 HOW DO WE USE YOUR PERSONAL DATA?

6.1 Providing Products and Services. We use your personal information to provide you with services in order to fulfill our contract with you, including processing your payments, fulfilling your orders, sending notifications regarding your account, purchases, returns, exchanges, or other transactions, creating, maintaining, and managing your account, organizing shipping, enabling returns and exchanges, and allowing you to submit reviews.

6.2 We also use this order information for:

• Communication with You. We use your personal information to provide customer support and improve our services. This is in our legitimate interest to be responsive to you, provide you with effective services, and maintain our business relationship with you.

• Marketing and Advertising. We use your personal information for marketing and advertising purposes, such as sending marketing, promotional, and advertising communications via email, SMS, or mail, as well as displaying ads for products or services. This may include using your personal information to better tailor services and advertisements on our website and other websites to you.

6.3 Verifying Our Orders for Security and Potential Risks or Fraud. We use your personal information to detect, investigate, or take action against possible fraudulent, illegal, or harmful activities. When you choose to use the services and register for an account, you are responsible for keeping your account access credentials secure. We strongly recommend that you do not share your username, password, or other access information with third parties. If you believe your account has been compromised, please contact us immediately.

6.4 We use the device information we collect to verify potential risks and fraud (especially your IP address) and generally to improve and optimize our website (e.g., by analyzing our customers' browsing behavior and interactions with the website, as well as assessing the success of our marketing and advertising campaigns).

We share your personal information with third parties that assist us in using your personal information as described above. For example, we use Shopify to operate our online store. More information about how Shopify uses your personal information can be found here: https://www.shopify.com/legal/privacy. We also use Google Analytics to understand how our customers use the website. More information about how Google uses your personal data can be found here: https://policies.google.com/privacy?hl=en. You can opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.

6.5 Finally, we may also share your personal information to comply with applicable laws and regulations, respond to a subpoena, search warrant, or other lawful requests for information, or to protect our rights.

BEHAVIORAL ADVERTISING

As described above, we use your personal information to provide you with targeted advertising or marketing communications that we believe may be of interest to you. For more information about how targeted advertising works, visit the educational page of the Network Advertising Initiative ("NAI"): http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

You can opt out of targeted advertising here:

• FACEBOOK – https://www.facebook.com/settings/?tab=ads

• GOOGLE – https://www.google.com/settings/ads/anonymous

• BING – https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

Additionally, you can opt out of some of these services through the Digital Advertising Alliance's Opt-Out Portal: http://optout.aboutads.info.

DO NOT TRACK

Please note that we do not alter our data practices when we receive a "Do Not Track" signal from your browser.

7.0 ANALYTICS TOOLS AND ADVERTISING

The tracking measures listed below and used by us are based on Article 6(1)(f) of the GDPR. With the tracking measures used, we aim to ensure that our website and apps are tailored to meet demand and are continuously optimized. Furthermore, we use the tracking measures to statistically record and evaluate the use of our app and website to optimize our offerings for you. These interests are considered legitimate in the sense of the aforementioned provision.

The specific data processing purposes and categories of data can be found in the corresponding tracking tools.

7.1 Google Analytics

For the purpose of demand-oriented design and continuous optimization of our pages, we use Google Analytics, a web analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"). In this context, pseudonymized usage profiles are created, and cookies (see above) are used. The information generated by the cookie about your usage of this app, such as:

• Browser type/version,
• Operating system used,
• Referrer URL (the previously visited page),
• Hostname of the accessing computer (IP address),
• Time of the server request,

is transmitted to a server in the USA and stored there. The legal basis for processing personal data is Article 45 of the GDPR (EU-U.S. Privacy Shield). Google LLC is a certified member of the EU-U.S. Privacy Shield. The information is used to evaluate the usage of the app, compile reports on app activities, and provide further services related to app usage and internet usage for market research purposes and to tailor these internet pages to demand. These pieces of information may also be transmitted to third parties if required by law or if third parties process these data on behalf of Google. Under no circumstances will your IP address be merged with other data from Google. IP addresses are anonymized so that assignment is not possible (IP masking).

You can prevent the installation of cookies by adjusting the settings of your browser software; however, we would like to point out that in this case, you may not be able to use all the features of this app to their full extent. Additionally, you can prevent the collection of data generated by the cookie related to your usage of the app (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on: https://tools.google.com/dlpage/gaoptout?hl=en.

As an alternative to the browser add-on, especially for browsers on mobile devices, you can prevent the collection by Google Analytics by clicking on this link. An opt-out cookie will be set, which prevents future collection of your data when visiting this app. The opt-out cookie is only valid in this browser and only for our app, and will be stored on your device. If you delete the cookies in this browser, you will need to set the opt-out cookie again. For more information about data protection related to Google Analytics, please refer to the Google Analytics Help page: https://support.google.com/analytics/answer/6004245?hl=en.

7.2 Google Analytics for Firebase (Google LLC)

Google Analytics for Firebase or Firebase Analytics is an analytics service provided by Google LLC. For more information about how Google uses data, please refer to Google’s Partner Policies. Firebase Analytics may share data with other tools provided by Firebase, such as Crash Reporting, Authentication, Remote Config, or Notifications. The user can refer to this privacy policy for a detailed explanation of the other tools used by the provider. This application uses identifiers for mobile devices (including Android Advertising ID or Advertising Identifier for iOS) and cookie-like technologies to run the Google Analytics for Firebase service. Users can disable certain Firebase features through the appropriate mobile device settings, such as the advertising settings of the mobile device, or by following the instructions in other sections of this privacy policy regarding Firebase. Collected personal data: Cookie, unique device identifier for advertising (e.g., Google Advertising ID or IDFA), and usage data. Processing location: United States – Privacy Policy. The legal basis for processing personal data is Article 45 of the GDPR (EU Adequacy Decision). Google LLC is a certified member of the EU-U.S. Data Privacy Framework.

7.3 Personalized Advertising with Additional Google Services

We also use Google Analytics in conjunction with Google services such as "Google Ads," "Tag Manager 360," and "Data Studio." This allows us to send you interest-based, personalized advertising messages based on your previous usage and browsing behavior on a device (e.g., mobile phone) and display them on the same or another of your devices (e.g., tablet or PC). To support these functions, Google Analytics collects authenticated user IDs from Google, which may be temporarily linked to our Google Analytics data to define and create audiences for cross-device display advertising. This constitutes profiling.

Your usage and search behavior are tracked by placing cookies on your device or in your browser and using similar technologies, thereby transmitting data as described in the list under section 7.1 above to Google.

Cross-device personalized advertising is enabled by Google linking your web and app browser history with your user account created for any other Google service (e.g., Gmail). This allows the same personalized advertising messages to be displayed on any device where you are logged in with your Google account.

The legal basis for this is your consent pursuant to Article 49(1)(a) of the GDPR.

The recipient is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. We have entered into a data processing agreement with Google for the use of Google Analytics, see Article 28 of the GDPR. Google processes the data on our behalf to analyze your usage of the website, compile reports on website activities for us, and provide us with further services related to website usage and internet usage. Google may transfer this information to third parties if required by law or if third parties process this data on behalf of Google.

In the context of data processing, Google is entitled to engage subprocessors. A list of these subprocessors can be found at: https://privacy.google.com/businesses/subprocessors/.

The data is transferred to a Google server in the USA and stored there. The transfer of personal data is based on Article 46 and/or Article 49(1)(a) of the GDPR.

The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. In addition, the data will be deleted if you withdraw your consent or request the deletion of your personal data.

You can prevent the storage of cookies by adjusting the settings of your browser software; however, we would like to point out that in this case, you may not be able to fully utilize all features of this website.

7.4 Facebook Tools and Personalized Advertising

Our pages integrate tools (so-called pixels) from the social network Facebook. The provider of these tools is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Dublin, D02X525, Ireland (hereinafter "Facebook"). These tools place cookies on your device or in your browser and use similar technologies, thereby transmitting data, particularly as described in the list under section 5 above, to Facebook.

The legal basis for processing is your consent pursuant to Article 49(1)(a) of the GDPR.

For more information, please refer to Facebook's privacy policies regarding Facebook services at: https://www.facebook.com/policy.php.

Facebook uses this information to evaluate the usage of the website by website visitors for us. Your data may be linked by Facebook with information from other sources.

In addition, you may be shown interest-based, personalized advertising messages on the Facebook platform or other platforms within the "Meta" corporate group, to which Facebook belongs, based on your previous usage and browsing behavior. This constitutes profiling.

According to Facebook, the data transmitted to Facebook is stored for 180 days by the Facebook pixel. After this period, your data will be encrypted and anonymized by Facebook. For more information on the retention period, see "Data Retention, Deactivation, and Deletion of Accounts" at: https://www.facebook.com/about/privacy/.

For more detailed information on the use of Facebook tools and the associated data processing, please visit the websites of the "Meta" corporate group or Facebook: https://www.facebook.com/about/privacy; https://www.facebook.com/legal/technology_terms; https://www.facebook.com/legal/terms/dataprocessing/update; https://www.facebook.com/policies/cookies/.

To regulate data protection aspects when using Facebook tools, a data processing agreement and an addendum for joint responsibility with Facebook have been concluded. These documents are available at the following links: https://www.facebook.com/legal/terms/dataprocessing/update and https://www.facebook.com/legal/controller_addendum. In addition, an addendum for data transfer to the USA has been concluded with Facebook. This addendum is available at the following link: https://www.facebook.com/legal/EU_data_transfer_addendum.

7.5 LinkedIn

Our pages integrate tools (so-called pixels) from the social network LinkedIn. The provider of these tools is LinkedIn Ireland Unlimited Company, Wilton Place

8.0 COOKIES

To make visiting our website more attractive and to enable the use of certain features, we use cookies, which are small text files stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called “session cookies”), while others remain on your device for a longer period and allow you to save page settings (so-called “persistent cookies”). You can view the storage duration in the overview of the cookie settings in your web browser. For more information about the cookies we use in connection with Shopify and our publishing app, as well as how to disable them, please visit http://www.allaboutcookies.org.

We use cookies to operate and improve our website and services (including storing your actions and preferences), to conduct analyses, and to better understand user interactions with our services (in our legitimate interest to manage, improve, and optimize the services). We may also allow third parties and service providers to use cookies on our website to better customize services, products, and advertisements on our website and others.

If personal data is also processed by individual cookies we use, the processing is carried out in accordance with Art. 6(1)(b) GDPR for the performance of the contract, according to Art. 6(1)(f) GDPR for the protection of our legitimate interests in the optimal functionality of the website, as well as in a customer-friendly and effective design of the site visit.

Most browsers automatically accept cookies by default, but you can configure your browser to remove or reject cookies. Please note that removing or blocking cookies may negatively affect your user experience and may cause some services, including certain features and general functionality, not to work properly or become unavailable.

Blocking cookies may also not fully prevent how we share information with third parties such as our advertising partners.

“Log files” record actions on the website and collect information such as IP address, browser type, Internet Service Provider, referring/exit pages, and date/time stamps.

“Web beacons,” “tags,” and “pixels” are electronic files used to collect information about how you navigate the website.

In addition, we collect certain information about you when you make a purchase or attempt to make a purchase on the website. This includes name, billing address, shipping address, payment information (including credit card numbers), email address, and phone number. We refer to this information as “order information.”

In this privacy policy, “personal information” refers to both device information and order information.

8.1 Newsletter via MailChimp

We use the MailChimp service for sending newsletters. The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA (hereinafter referred to as “MailChimp”). MailChimp allows the organization and analysis of newsletter dispatch. When you enter data for the purpose of subscribing to the newsletter (e.g., email address), this data is transmitted to MailChimp and stored on their servers in the USA. With the help of MailChimp, we can analyze our newsletter campaigns, for example, we can determine through cookies and similar technologies (e.g., so-called “web beacons”) whether a newsletter message was opened and which links were clicked. Your subsequent browsing behavior on our website may also be tracked by MailChimp by placing cookies on your device when you visit our website. The functionalities of MailChimp may also be combined with other tools we use. In this case, your email address and the mentioned data are processed and transmitted to MailChimp. The results of these analyses can be used to better tailor future newsletters to the interests of the recipients.

The legal basis for the processing is Art. 49(1)(a) GDPR. For the processing of data for proof purposes of consent and, if applicable, the revocation, Art. 6(1)(f) GDPR may also be the legal basis, as we have a legitimate interest in being able to prove the consent or revocation due to the statutory documentation obligations of the GDPR.

Your data is stored on the servers of MailChimp in the USA for the purpose of newsletter subscription. The transmission of personal data is based on Art. 49 and/or Art. 46 GDPR.

If you do not want MailChimp to conduct analyses, you must unsubscribe from the newsletter, which will revoke your consent. Consent is obtained in writing (including email) or by selecting a checkbox (e.g., when signing up for the newsletter online). Granted consents can be revoked at any time by written notification (email suffices) via the contact options mentioned in section B. 7. A revocation can also be done via a link available in each newsletter email. The legality of the data processing carried out based on the consent until the revocation remains unaffected by such a revocation.

The provision of your personal data is neither legally nor contractually required, nor is it necessary for the conclusion of a contract. You are also not otherwise obligated to provide personal data. However, the non-provision would mean that we cannot offer you a newsletter and thus cannot send it to you.

To regulate the data protection aspects of using MailChimp tools, a data processing agreement has been concluded with the MailChimp provider. This agreement is available at the following link: https://mailchimp.com/de/legal/data-processing-addendum/. For more information on data processing by MailChimp, please refer to MailChimp's privacy and cookie policies at https://mailchimp.com/de/legal/terms/ and https://mailchimp.com/legal/cookies/.

8.2 Our Profiles on Social Media Platforms

SOJOURN GmbH maintains profiles/accounts/company pages on the following social media platforms:

8.2.1 Facebook

When you visit or follow our Facebook company page, Facebook processes personal data to provide us with insights into anonymized statistics. This allows us to gain insights into the types of actions people take on our page (so-called “Facebook Insights”). Facebook processes information about how you interact with our Facebook company page, for example, whether you are a follower of our Facebook company page. This processing of personal data in the context of Facebook Insights is carried out by Facebook and us as joint controllers. We have entered into a joint controller agreement with Facebook that regulates the allocation of data protection obligations between us and Facebook. This agreement is available at the following link: https://www.facebook.com/legal/controller_addendum.

8.2.2 Instagram

When you visit or follow our Instagram company page, Facebook processes personal data to provide us with insights into anonymized statistics. This allows us to gain insights into the types of actions people take on our page (so-called “Instagram Insights”). Facebook processes information about how you interact with our Instagram company page, for example, whether you are a follower of our Instagram company page. This processing of personal data in the context of Instagram Insights is carried out by Facebook and us as joint controllers. We have entered into a joint controller agreement with Facebook that regulates the allocation of data protection obligations between us and Facebook, and we believe it also applies to data processing in the context of Instagram Insights. This agreement is available at the following link: https://www.facebook.com/legal/controller_addendum.

For more information about data processing on Instagram, please visit the following link: https://help.instagram.com/.

8.2.3 LinkedIn

When you visit our LinkedIn company page or our LinkedIn event pages, or if you follow them, LinkedIn processes personal data to provide us with insights into anonymized statistics. This allows us to gain insights into the types of actions people take on our page (so-called “Page Insights”). LinkedIn processes information about how you interact with our LinkedIn company page, for example, whether you are a follower of our LinkedIn company page. This processing of personal data in the context of Page Insights is carried out by LinkedIn and us as joint controllers. We have entered into a joint controller agreement with LinkedIn that regulates the allocation of data protection obligations between us and LinkedIn. Information obligations are fulfilled by LinkedIn. The agreement is available at the following link: https://legal.linkedin.com/pages-joint-controller-addendum.

As a data subject, you can assert your rights under the GDPR against both companies, irrespective of the terms of the agreement with LinkedIn.

8.3 Embedded Services: Video Channel YouTube

Our website features embedded videos from the video portal YouTube. These services are provided by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as "YouTube"). Before you can watch an embedded video, you must give your consent, as the service providers place cookies or use similar technologies when the video is played, which transmits data, especially as listed in section 7.1, to the service providers.

The legal basis for processing your personal data is our legitimate interest according to Art. 6(1)(f) GDPR.

Your data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. In addition, the data will be deleted if you revoke your consent or request the deletion of personal data.

The provision of your personal data is neither legally nor contractually required, nor is it necessary for the conclusion of a contract. You are not obligated to provide the personal data. However, the non-provision may result in your inability to use this function of our website or to use it fully.

For more information on how user data is handled, please refer to YouTube's privacy policy: https://policies.google.com/privacy?hl=en.

8.4 Online Shop and Payment Service Providers

We use your personal data to process your online purchases with SOJOURN GmbH (your orders and returns are processed through our online services) and to send notifications about the delivery status or notifications in case of problems with the delivery of your items. Additionally, we use your personal data to process your payments. Furthermore, we use your data to handle complaints and product warranty claims. Your personal data is used to verify your identity, ensure that you have reached the legal minimum age for online purchases, and match your address with external partners. We aim to offer you multiple payment methods and conduct analyses to determine which payment options are available to you, including your payment history and credit checks.

If you choose one of the online payment service providers we offer during the ordering process, your contact details will be transmitted to them as part of the triggered order. The legality of the data transfer is based on Art. 6(1)(b) GDPR for the execution of the payment method you have chosen, as well as our legitimate interests according to Art. 6(1)(f) GDPR, to enable user-friendly and straightforward payment processing.

The personal data transmitted to the online payment service provider primarily includes first name, last name, address, IP address, email address, or other data required for order processing. This also includes service-related data such as the type of service, the identity of the recipient, invoice amount, and taxes as a percentage, billing information, etc.

This transmission is necessary for the execution of the service with the payment method you have chosen, particularly to confirm your identity, manage your payment, and handle the customer relationship.

Please note, however, that personal data may also be shared by the online payment service provider with service providers, subcontractors, or other affiliated companies, as far as this is necessary to fulfill the contractual obligations arising from your order or when the personal data is to be processed on behalf.

Depending on the selected payment method, such as invoice or direct debit, the personal data transmitted to the provider may be forwarded by the provider to credit agencies. This transmission serves the purpose of identity and credit verification in connection with your order. Information about the types of data involved and the data collected, processed, stored, and disclosed by the respective providers can be found in the privacy policies of the providers:

• American Express Services Europe Limited: Branch Frankfurt am Main, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main at https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html
• Mastercard Europe SA: Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium at https://www.mastercard.de/de-de/datenschutz.html
• Visa Europe Services Inc.: Branch London, 1 Sheldon Square, London W2 6TT, United Kingdom at https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html
• PayPal Europe: S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg at https://www.paypal.com/de/webapps/mpp/ua/privacy-full

9.0 YOUR RIGHTS

If you are a resident of Europe, you have the right to access the personal data we hold about you and to request that it be corrected, updated, or deleted. If you wish to exercise this right, please contact us using the contact details provided below.

Additionally, we would like to point out that as a European resident, we process your information to fulfill contracts with you (for example, when you place an order through the website) or to pursue our legitimate business interests mentioned above. Furthermore, we want to inform you that your information may be transferred outside of Europe, including to Canada and the United States.

Right to Access

Under Art. 15 GDPR, you have the right to request information about your personal data that we process. In particular, you can request information regarding the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage duration, the existence of a right to rectification, erasure, restriction of processing, or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected from you, as well as the existence of automated decision-making, including profiling, and, where appropriate, meaningful information about the details thereof.

Rectification

Under Art. 16 GDPR, you have the right to request the immediate rectification of inaccurate or the completion of your personal data stored with us.

Erasure

Under Art. 17 GDPR, you have the right to request the erasure of your personal data stored with us, provided that processing is not necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.

Restriction

Under Art. 18 GDPR, you have the right to request the restriction of processing your personal data, provided that the accuracy of the data is contested by you, the processing is unlawful but you refuse its erasure, we no longer need the data, but you need it for the establishment, exercise, or defense of legal claims, or you have lodged an objection to the processing in accordance with Art. 21 GDPR.

Data Portability

Under Art. 20 GDPR, you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format or to request the transmission to another controller.

Withdrawal of Consent

Under Art. 7(3) GDPR, you have the right to withdraw your consent at any time. This will result in us no longer being able to continue processing the data based on this consent in the future.

Right to Lodge a Complaint

Under Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates data protection regulations. Generally, you can contact the supervisory authority of your usual residence or workplace or our company's registered office.

Right to Object

If your personal data is processed based on legitimate interests pursuant to Art. 6(1)(1)(f) GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided there are reasons arising from your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without the need to state a specific situation.

If you wish to exercise your right to withdraw consent or object, simply send us an email.

10.0 DATA STORAGE

When you place an order through the website, we store your order information for our records unless you request us to delete this information.

11.0 HOW WE DISCLOSE PERSONAL DATA

Under certain circumstances, we may disclose your personal data to third parties for legitimate purposes as outlined in this privacy policy. Such circumstances may include:

• With providers or other third parties that perform services on our behalf (e.g., IT management, payment processing, data analysis, customer support, cloud storage, fulfillment, and shipping).
• If you instruct us, request, or otherwise consent to share certain information with third parties, such as to ship products to you or through the use of social media widgets or login integrations, with your consent.
• With our affiliates or within our corporate group, in our legitimate interest to operate a successful business.
• In connection with a business transaction such as a merger or bankruptcy, to fulfill legal obligations (including responding to subpoenas, search warrants, and similar requests), to enforce applicable terms of service, and to protect or defend the services, our rights, and the rights of our users or others.

In the past 12 months, we have disclosed the following categories of personal data and sensitive personal data (marked with *) about users for the purposes outlined above in “How We Collect and Use Personal Data” and “How We Disclose Personal Data”:

Category:

• Identifiers such as basic contact details and certain order and account information
• Commercial information such as order information, purchase information, and customer support information
• Internet or other similar network activity, such as usage data

Categories of Recipients:

• Providers and third parties that perform services on our behalf (e.g., internet service providers, payment processors, fulfillment partners, customer support partners, and data analysis providers)
• Business and marketing partners
• Affiliates

We do not use or disclose sensitive personal data to infer characteristics about you.

Category of Personal Data:

• Identifiers such as basic contact details and certain order and account information
• Commercial information such as records of purchased products or services and purchase information
• Internet or other similar network activity, such as usage data

User-Generated Content:

The services may allow you to post product reviews and other user-generated content. If you choose to submit user-generated content in a public area of the services, this content is public and accessible to anyone.

We have no control over who has access to the information you make available to others and cannot ensure that parties who have access to such information will respect or ensure your privacy. We are not responsible for the privacy or security of information you make publicly available, or for the accuracy, use, or misuse of information you provide to third parties or receive from third parties.

12.0 WEBSITES AND LINKS TO THIRD PARTIES

Our website may contain links to websites or other online platforms operated by third parties. If you follow links to websites that are not affiliated with us or controlled by us, you should review their privacy and security policies, as well as other terms of service. We do not guarantee and are not responsible for the privacy or security of such websites, including the accuracy, completeness, or reliability of the information found on these websites. Information that you provide in public or semi-public areas, including information that you share on third-party social networking platforms, may also be viewed by other users of the services and/or users of these third-party platforms without any limitations regarding their use by us or by third parties. Our inclusion of such links does not automatically imply approval of the content of such platforms or their owners or operators, except as stated on the services.

13.0 DATA FROM MINORS

The services are not intended for use by children, and we do not knowingly collect personal data from children. If you are a parent or guardian of a child who has provided us with personal data, you may contact us using the contact details provided below to request the deletion of this data.

As of the date of this privacy policy coming into effect, we have no actual knowledge that we "share" or "sell" personal data from individuals under the age of 16 (as these terms are defined in applicable law).

14.0 CHANGES TO THE PRIVACY POLICY

This privacy policy is currently valid. Due to the ongoing development of our website, app, and related offerings, or for other operational, legal, or regulatory reasons, it may be necessary to change this privacy policy. The current privacy policy can be accessed and printed at any time through our website and app. We may update this privacy policy from time to time, including to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will publish the revised privacy policy on the website, update the "Last Updated" date, and take any other legally required steps.

15.0 COMPLAINTS

If you have any complaints regarding how we process your personal data, please contact us using the contact details provided below. If you are not satisfied with our response to your complaint, you have the right, depending on your location, to challenge our decision by contacting us using the contact details provided below or by submitting your complaint to your local data protection authority.

16.0 INTERNATIONAL USERS

Please note that we may transfer, store, and process your personal data outside of the country in which you reside, including the United States. Your personal data may also be processed by employees, third parties, and partners in these countries.

When we transfer your personal data from Europe, we will rely on recognized transfer mechanisms such as the Standard Contractual Clauses of the European Commission or equivalent contracts issued by the competent authority of the United Kingdom, unless the data transfer is made to a country that provides an adequate level of protection.

17.0 DATA SECURITY

In addition, we use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

18.0 CONTACT

If you need more information about our data protection practices, have questions, or would like to submit a complaint, please call +43 664 822 5132 or contact us via email at sojourn@sojourn-xo.com or by mail at: Innsbrucker Strasse 83, 6060 Hall in Tirol, Tirol, Austria.

19.0 RIGHTS OF THE DATA SUBJECT

The applicable data protection law grants you the following rights (access and intervention rights) regarding the processing of your personal data by the controller, with reference to the legal bases specified for each exercise:

• Right of access under Art. 15 GDPR;
• Right to rectification under Art. 16 GDPR;
• Right to erasure under Art. 17 GDPR;
• Right to restriction of processing under Art. 18 GDPR;
• Right to notification under Art. 19 GDPR;
• Right to data portability under Art. 20 GDPR;
• Right to withdraw consent given under Art. 7 (3) GDPR;
• Right to lodge a complaint under Art. 77 GDPR.

This does not affect the lawfulness of data processing carried out prior to this point. Furthermore, you have the right to lodge a complaint with the Austrian Data Protection Authority or another data protection supervisory authority in the EU, particularly at your place of residence or workplace.