Privacy Policy
Privacy Policy (GDPR)
Last updated: 07 January 2026
We process personal data (hereinafter referred to as “data”) exclusively in accordance with the applicable legal provisions, in particular the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
With this Privacy Policy, we inform you about the nature, scope, purpose, legal basis, and storage duration of data processing in connection with our website and our apartment rental services.
- Controller
Elena’s Apartments Betriebs GmbH
Rockhgasse 6/6
1010 Vienna
Austria
Company Register No.: FN 467297 b
VAT ID: ATU72233914
Tel.: +43 660 6614006
Email: office@citystayvienna.at
Data protection contact: office@citystayvienna.at
(A Data Protection Officer will only be appointed if legally required. Currently, no Data Protection Officer has been appointed.)
- Rights of Data Subjects
Data subjects have the following rights in particular:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR)
- Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
To exercise your rights, an informal notification to the following address is sufficient:
office@citystayvienna.at
Right to Lodge a Complaint
You have the right to lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority (DSB)
Barichgasse 40–42
1030 Vienna
Austria
Website: https://www.dsb.gv.at
- Data Processing When Visiting the Website (Server Log Files)
When you access our website, data that your browser transmits to our server or hosting provider is processed for technical reasons (so-called server log files). This includes in particular:
- IP address
- Date and time of access
- Accessed page or URL
- Referrer URL
- Browser type and version
- Operating system
Purpose:
Ensuring the stable and secure operation of the website, error analysis, and prevention of misuse.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest).
Storage period:
Generally 7 to 30 days; in the case of security-relevant incidents, until final clarification.
- Cookies and Consent Management
Our website may use cookies and comparable technologies.
- Technically necessary cookies are required to provide essential website functions.
Legal basis: Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR.
- Optional cookies (e.g. statistics or marketing cookies) are only set with your explicit consent.
Legal basis: Art. 6(1)(a) GDPR.
If a cookie consent tool is used, it stores your selection (e.g. consent status and time) in order to document your decision in a legally compliant manner.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in fulfilling accountability obligations under Art. 7(1) GDPR).
Storage period:
Typically up to 12 months.
You can change or withdraw your consent at any time via the cookie settings on the website.
- Contact (Email / Contact Form)
If you contact us by email or via a contact form, we process the data you provide (e.g. name, email address, telephone number, message content).
Purpose:
Handling your inquiry and communication.
Legal basis:
- Art. 6(1)(b) GDPR (pre-contractual measures), if the inquiry is aimed at concluding a contract
- Art. 6(1)(f) GDPR (legitimate interest in responding to general inquiries)
Storage period:
Until the inquiry has been fully processed; beyond that only insofar as statutory retention obligations apply.
- Bookings, Contract Processing, and Guest Data
In the context of booking inquiries and concluded contracts, we process personal data such as name, contact details, stay details, billing data, and contract-related communication.
Purpose:
Preparation of offers, contract performance, customer support, and fulfillment of legal obligations.
Legal basis:
- Art. 6(1)(b) GDPR (contract / pre-contractual measures)
- Art. 6(1)(c) GDPR (legal obligations)
Storage period:
Billing and accounting-relevant data is generally stored for 7 years in accordance with statutory requirements (in particular the Austrian Federal Fiscal Code (BAO) and the Commercial Code (UGB)).
- Recipients / Categories of Recipients
We use selected service providers to deliver our services. Recipients may include in particular:
- Hosting and IT service providers
- Booking and channel management systems
- Booking platforms (acting as independent controllers)
- Payment service providers
- Tax advisors and accounting services
- Authorities, where legally required
Data processing agreements pursuant to Art. 28 GDPR are concluded with processors.
- Data Transfers to Third Countries
If personal data is transferred to countries outside the European Economic Area in the course of using services, this is carried out exclusively on the basis of permissible transfer mechanisms, in particular:
- Adequacy decisions of the European Commission, or
- Standard Contractual Clauses pursuant to Art. 46 GDPR.
- Applications
If applications are received, the transmitted data is processed exclusively for the purpose of carrying out the application procedure.
Legal basis:
Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
Storage period:
Generally up to 6 months after completion of the application process.
- External Services
Depending on the technical setup, external services (e.g. web analytics, maps, fonts, or security services) may be integrated.
Where required, these services are only activated with your consent and are transparently displayed via the cookie settings.
- Social Media
If we operate social media presences, personal data is processed in the course of communication and public relations activities.
The respective platform processes data under its own responsibility. Where applicable, there is partial joint controllership pursuant to Art. 26 GDPR. The essential content of the corresponding agreements is provided by the platform operators.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest).
- Data Security
Our website uses TLS/SSL encryption to protect data during transmission as effectively as possible.
In addition, we implement appropriate technical and organizational measures to protect the processed data.
- Updates to This Privacy Policy
We reserve the right to amend this Privacy Policy if legal, technical, or organizational changes make this necessary.