Privacy Policy

Updated: May 25, 2018

The protection and security of your information is an important concern for us, the Herden Tours & Tickets GmbH, and we take it into account in all our business processes. In this privacy policy, we would therefore like to provide you with an overview of those aspects of our online offer that are related to privacy and data protection.

In the following, we will explain what information we collect when you use the online services of Herden Tours & Tickets GmbH and

for what purposes this information is processed by us and third parties.

what rights and choices you have in regard to the processing of your information.

how to contact us regarding data protection.

1. When does this privacy policy apply?

This privacy policy applies to the online services of Herden Tours & Tickets GmbH under the domains of and, including any subdomains (hereafter called “websites”), as well as our social media sites on Facebook, and Instagram, hereafter called “social media sites”). Personal data are information that relate to an identified or identifiable person. This includes, in particular, information that makes it possible to deduce your identity, for example your name, telephone number, address or e-mail address. Statistical data that we collect when you, for example, visit our website and that cannot be associated with your person, are not included under the term “personal data”. You can print or save this privacy policy through the usual means contained within your browser.

2. Responsibility and contact persons

Responsible for the processing of your personal information when visiting this website in accordance with the EU General Data Protection Regulation (GDPR) is

Herden Tours & Tickets GmbH
Feurigstr. 54
10827 Berlin
Telephone: +49 (0)30 2000 69 81-0

If you have any questions concerning data protection in connection with our products or the use of our website, you can contact us at any time.

3. Data processing on our website

3.1. Accessing our website / automatically collected access data

You are able to visit our websites without disclosing any information about your person. Only access data that are automatically transferred by your browser will then be collected. The access data include, in particular:

the IP address of the device used for access, the date and time of access, the address of the visited website and the requesting website, information about the used browser and the operating system, online identifiers (for example device IDs, session IDs).

The data processing of this access data is necessary to enable the visit to the website and to ensure the long term functionality and security of our systems. The access data are also temporarily stored in internal log files for the aforementioned purposes in order to create statistical data about the use of our website, to further develop our website regarding the usage habits of our visitors (for example, when the share of mobile devices being used to access the website increases) and to maintain our website in the general administrative sense. The legal basis is Art. 6 para. 1 lit. b and f of the GDPR. The information stored in the log files does not allow any direct conclusion to your person – in particular, we only store the IP addresses in a shortened, anonymized form. The log files are stored for 30 days and will be archived after subsequent anonymization.

3.2. Contact

You have several different options for contacting us. These include our contact form, our e-mail address and our telphone hotline. In this context, we process data exclusively for the purpose of communicating with you. The legal basis is Art. 6 para. 1 lit. b of the GDPR. The data we collect through the contact form will be automatically deleted after the complete processing of your request, unless we require your request to be able to fulfill our contractual or legal obligations (see the section “storage duration”).

3.3. Orders and Bookings

During an order process, we collect necessary data for the execution of the contractual agreement (order and booking information):
first and last name, address, telephone number, e-mail address
The legal basis for the afore mentioned processing is Art. 6 para. 1 lit. b of the GDPR, based on the legitimate interest in providing a simple and user-friendly registration process for our clients. These data are required for processing, concluding and administrating your order (see 3.5)

3.4. Payments

Upon completing an order you can choose between various payment options. To ensure this, we offer different payment methods and cooperate with various payment service providers. In particular, we have entrusted the following service providers to process the payments:
when paying by PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A, 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg,
when paying by Group Pay: mamooble SARL, 54, rte de Mondorf, L-3260 Bettembourg, Luxembourg.
Any information you provide to the afore mentioned service providers will not be forwarded to us by them. The only information we receive is that the payment has been completed. In the case of payment by credit card, you enter the required payment information (credit card details) directly on our website. We will in this case forward you to the following payment service provider:
Concardis GmbH, Helfmann-Park 7, 65760 Eschborn, Germany
The processing of data by the afore mentioned payment service providers is based on our legitimate interest, according to Art. 6 para. 1 lit. b and f of the GDPR, in providing our clients with comfortable and secure payment through a service provider of their choice.

3.5. Forwarding your data to the service partners you have selected

When you order services through our website we will forward your data necessary for the execution of the orders by e-mail to the respective service providers in order to fulfill our contractual agreements. According to our general terms and conditions, these service providers will become your direct contract partners after the confirmation of the booking, and will issue the invoices for their services directly to you.

3.6. Login area for regular customers and cooperation partners

You have the possibility to register for our login area so that you are able to enjoy the full functionality of our website. We have highlighted the data you are required to provide. Without these data, registration is not possible. Legal basis for processing is Art. 6 para. 1 lit. b of the GDPR.

3.7. Newsletter and advertising mailings

You have the possibility to sign up for our newsletter, in which we regularly inform you about news regarding our offers and promotions. For signing up to our newsletter, we use the so-called double opt-in procedure, which means that we will only send you newsletters by e-mail after you, by clicking a link in our notification e-mail, have confirmed that you are the owner of the given e-mail address. If you confirm your e-mail address, we will save your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The sole purpose of storing this information is to provide you with the newsletter and to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A notification sent to the contact details mentioned above or in the newsletter (for example, via e-mail or by mail) is of course also sufficient. The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a of the GDPR. In addition, we also send out advertising mailings in connection with our services to you. The legal basis for this data processing is Art. 6 para. 1 lit. f of the GDPR, based on our interest in existing customer advertising. For the dispatch of our newsletter and our advertising mailings, we work together with service providers to whom we, among other things, send your e-mail address and the circumstances of your newsletter registration in order to be able to send you the newsletter and advertising mailings (for example, MailChimp of The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA). Additionally, our newsletter and advertising mailings will to a small extent adapt to the individual needs of our customers. For this, we use the services of Emarsys eMarketing Systems AG, Märzstraße 1, 1150 Vienna, Austria. On the basis of the booking data collected from you, we adapt, for example, the language settings in our mailings or indicate bookable additional services. The disclosure of data to our service providers in connection with newsletter distribution and advertising mailings is based on our legitimate interest in advertising our services to our customers in an interest-based manner. In our newsletters, we use commercially common technologies that measure the interaction with the newsletters (for example, the opening of e-mails, clicked links). We use this data in pseudonymous form for the purpose of general statistical evaluations as well as for the optimization and further development of our content and customer communication. This is done with the help of small graphics that are embedded in the newsletter (so-called pixels). These data are collected exclusively in pseudonymous form and are also not linked with your other personal information. Legal basis for this is our aforementioned legitimate interest in accordance with Art. 6 para. 1 lit. f of the GDPR. Through our newsletter, we aim to share content relevant to our customers and to better understand what readers are actually interested in. If you do not want to have your usage behavior analyzed, you can unsubscribe from the newsletter or deactivate graphics in your e-mail program. The data for the interaction with our newsletters are stored in pseudonymous form for 30 days and subsequently completely anonymized.

3.8. Google Maps

Our website uses the Google Maps mapping service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). In order for the Google Maps material we use to be included and displayed in your web browser, your web browser must be able to connect to a Google server, which may also be located in the US, when visiting the contact page. In the event that personal information is transferred to the US, Google has submitted to the EU-US Privacy Shield. This gives Google the information that the IP address of your device has been used to access the contact page of our website. The legal basis is Art. 6 para. 1 lit. f of the GDPR, based on our legitimate interest in the integration of a map service in order to establish contact. If you visit the Google Maps service on our website while logged in to your Google profile, Google may also link this event to your Google profile. If you do not want this linking with your Google profile to occur, you will need to log out of Google before visiting our contact page. Google stores your data and uses them for advertising, market research and personalized viewing of Google Maps. You may object to this data collection with Google. Further information about this can be found in the Privacy Policy of Google and the Additional Terms of Use for Google Maps.

3.9. Usage of own cookies

For some of our services, it is necessary that we make use of so-called cookies. A cookie is a small text file that is stored by the browser on your device. Cookies are not used to run programs or to download viruses onto your computer. The main purpose of our cookies is rather to provide you with a tailor made offer and to make the use of our services as time-saving as possible. Most browsers are set to accept cookies by default. You can however change your browser settings to refuse cookies or to only save them with prior consent. If you disable cookies, this will mean that not all our services will work properly for you. We use cookies, in particular, for log in authentication, for load distribution, to save your language settings, to note that you have seen certain information placed on our website – so that it will not be displayed again the next time you visit the website. Through this, we want to enable a more comfortable and individual use of our website. These services are based on our afore mentioned legitimate interests, legal basis is Art. 6 para. 1 lit. f of the GDPR. Additionally, we use cookies and similar technologies (such as web beacons) from partners for analysis and marketing purposes. This will be described in more detail in the following sections.

3.10. Use of cookies and similar technologies for analysis

To improve our website, we make use of cookies and similar technologies (such as web beacons) to statistically collect and analyze general usage patterns based on access data. We also use analysis services to evaluate the use of our various marketing channels. The legal basis for the data processing described in the following section is Art. 6 para. 1 lit. f of the GDPR, based on our legitimate interest in the needs-based design and continuous optimization of our website.

In the following list of technologies used by us, you will also find information on the possible contradictions with regard to our analysis measures using a so-called opt-out cookie. Please note that after deleting all cookies in your browser or later use of another browser and/or profile, an opt-out cookie must be set once again. We, in particular, make use of the following services: Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) to analyze and improve our website based on your user behavior. However, your IP address is shortened before the usage statistics are evaluated so that no conclusions can be made about your identity. For this purpose, Google Analytics has been enhanced on our website with the code “anonymizeIP” to secure the anonymous collection of IP addresses. You can prevent Google from processing these data by installing a browser add-on provided by Google. As an alternative to a browser add-on or if you access our website from a mobile device, please use this opt-out link. You will find further information on data processing through this service in the Privacy Policy of Google Analytics. Pingdom of Solarwinds Inc., 7171 Southwest Parkway, Bldg 400, Austin, Texas 78735. You can prevent data processing by pressing the following button: OPT-OUT. Further information on data processing through this service can be found in the Privacy Policy of Solarwinds.

3.11. Google Tag Manager

Our website uses the Google Tag Manager, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). The Tag Manager is used to manage tracking tools and other services, so-called website tags. A tag is an element that is stored in the source code of our website in order to record, for example, predefined usage data. The Google Tag Manager does not require the use of cookies. The Google Tag Manager ensures that the usage data needed by our partners (see data processing procedures described above) are forwarded to them. Some of the data are processed on a Google server in the US. In the event that personal data are transferred to the US, Google has submitted to the EU-US Privacy Shield. The legal basis is Art. 6 para. 1 lit. f of the GDPR, based on our legitimate interest in integrating and managing several tags on our website in an uncomplicated manner. For more information, see Google’s information about the Tag Manager.

4. Cooperation with partners

Basically, we only process data that we receive directly from you. However, we also work together with various cooperation partners who provide us with prospects for our products. These include in particular travel agencies and tour operators as well as tourism offices. We will only process personal data that we permissibly receive (for example, on the basis of contracts or your consent) from our cooperation partners.

5. Disclosure of data

The data collected by us will only be passed on if:

  • you have given your explicit consent in accordance with Art. 6 para. 1. lit. a of the GDPR, especially in context with 3.5. of this statement (see above)
  • the disclosure in accordance with Art. 6 para. 1 lit. f of the GDPR is necessary in order to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
  • we are legally obliged in accordance with Art. 6 para. 1 lit. c of the GDPR to disclosure or
  • this is permitted by law and, in accordance with Art. 6 para. 1 lit. b of the GDPR, is required for the execution of contractual relationships with you or for the execution of precontractual measures, which will be carried out upon your request.

  • Part of the data processing can be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include data centers that store our website and our databases, IT service providers that maintain our systems as well as consulting firms. If we pass on data to our service providers, they may use the data exclusively for the fulfillment of their tasks. The service providers have been carefully selected and commissioned by us. The providers are contractually bound by our instructions, they have appropriate technical and organizational measures in effect in order to protect the rights of the persons concerned and are regularly monitored by us. In addition, the data may be passed on in connection with official inquires, court orders and legal proceedings if they are necessary for legal prosecution or enforcement.

    6. Storage duration

    Principally, we only store personal information for as long as it is necessary to fulfill the contractual or statutory obligations for which we have collected the data. Thereafter, we immediately delete the information, unless we need the data for purposes of proof for civil law claims or due to statutory retention obligations. For evidence purposes, we must keep contractual data for another three years starting from the end of the year in which the business relationship with you ends. Any claims become statute-barred after the legal limitation period, earliest at this point in time. Even after this period, we still need to store some of your data for accounting purposes. We are required to do so by legal requirements on documentation that may arise from the German Commercial Code, the Fiscal Code, the Banking Act, the Money Laundering Act and the Securities Trading Act. The time periods specified there for retention of documents are two to ten years.

    7. Your rights

    You have the right to request information about the processing of your personal data by us at any time. We will explain the data processing and provide you with an overview of the data stored about you as part of the provision of information. If data stored with us are incorrect or no longer up to date, you have the right to have this information corrected. Furthermore, you have the right to request the deletion of your data. Should the deletion in exceptional cases not be possible due to other legal provisions, the data will be blocked so that they are only available for this legal purpose. Furthermore, you may also have the processing of your data restricted, for example, if you believe the data we have stored are incorrect. You also have the right to data portability, meaning that we would send you a digital copy of the personal data you have provided upon your request. To exercise your rights as described here, you can contact us at any time using the aforementioned contact details. This is also the case if you wish to receive copies of warranties to prove an adequate level of data protection. In addition, you have the right to object to data processing based on Art. 6 para. 1 lit. e or f of the GDPR. Finally, you have the right to file a complaint with the data protection authority responsible for our supervision. You may exercise this right before a supervisory authority in the member state in which you are staying, working or in the place of the alleged violation. In Berlin, the responsible supervisory authority is:

    Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin (Berlin Data Protection and Freedom of Information Commissioner).

    9. Data security

    We maintain updated technical measures to guarantee data security and, in particular, to protect your personal data from dangers during data transfers as well as from the acquisition of data by third parties. These measures are adjusted and updated to the newest technological standards for each of them. In order to secure the personal information you provide via our website, we use Transport Layer Security (TLS), which encrypts the information you enter.

    10. Changes to the privacy policy

    From time to time, we may update this privacy policy, for example, when we make changes to our website or if the legal or regulatory requirements change.

    11. Translation

    The original German version of our privacy policy has been translated into English. The translated version is a courtesy and office translation only and you cannot derive any rights from the translated version. In the event of a dispute about the contents or interpretation of our privacy policy or inconsistency or discrepancy between the German and the English version of these privacy policy, the German version to the extent permitted by law shall apply, prevail and be conclusive.