Privacy Policy
1. Data Controller
G + R Servicebetriebe GmbH
Erzherzog Johann-Straße 84
8054 Seiersberg, Austria
Phone: +43 316 281020
Email: graz@iamhotel.at
Responsible for the processing of personal data on this website.
2. Purposes and Legal Bases for Data Processing
We process personal data for the following purposes:
Website Provision and IT Security
(Server logs, necessary cookies)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
User Accounts & Appointment Bookings
Data: Email, name, phone number, appointment details, motivation text.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Note: Free text entries ("motivation") may relate to health. We only process these with explicit consent (Art. 9(2)(a) GDPR).
Payment Processing (Stripe)
Data: Billing and payment data (amount, currency, billing address, payment references).
Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal retention obligations).
Invoicing & Accounting
Legal basis: Art. 6(1)(c) GDPR in conjunction with BAO/UGB (7-year retention).
Email Communication (Brevo/Sendinblue)
- Appointment confirmations and reminders (Legal basis: Art. 6(1)(b) GDPR).
- Newsletter only with consent (Legal basis: Art. 6(1)(a) GDPR; withdrawal possible at any time).
Content Management (Sanity)
Legal basis: Art. 6(1)(f) GDPR (efficient content management).
Google Tag Manager
We use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The Tag Manager serves to manage website tags through a unified interface. The tool itself (the Tag Manager) does not process personal data of users. It merely triggers other tags that may collect data (e.g., Google Analytics or Google Ads). Google Tag Manager does not access this data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient management of tracking tags).
Recipient: Google Ireland Limited; with possible transfer to Google LLC, USA based on EU Standard Contractual Clauses / Data Privacy Framework.
Further information: https://policies.google.com/privacy
Google Analytics (Analytics)
We use Google Analytics through Google Tag Manager to analyze and improve how our website is used.
- pseudonymous usage data (page views, interactions)
- truncated IP address (IP anonymization)
- device / browser information
Legal basis: Art. 6(1)(a) GDPR (consent).
Recipient: Google LLC (USA). Transfer: based on EU Standard Contractual Clauses / EU-US Data Privacy Framework.
You can change your choice at any time via "Cookie Settings" in the footer.
Google Maps (interactive map)
- On our contact page, you can load an interactive Google Maps map. It is only embedded after you click "Load map".
- Data processing when loading the map:
  - Transfer of your IP address to Google LLC, USA
  - Possible storage of cookies by Google
  - Processing according to Google's privacy policies
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in displaying our location).
- Objection: You can hide the map at any time by reloading the page.
- More information: https://policies.google.com/privacy
Google reCAPTCHA (Spam Protection)
- We use Google reCAPTCHA (version 3), provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to protect our forms (registration, login, contact) against misuse by automated programs ('bots').
- When using reCAPTCHA, usage data (e.g. IP address, mouse movements, time spent on the page, browser and device information) is transmitted to Google and analyzed to determine whether the interaction is made by a human. This process runs automatically in the background without displaying an 'I'm not a robot' checkbox.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the website from spam and abuse).
- Recipient: Google Ireland Limited, with possible intra-group transfer to Google LLC, USA.
- Safeguards: Use of EU Standard Contractual Clauses (SCCs) and additional organizational measures.
- Further information: https://policies.google.com/privacy
2a. Newsletter (Email Marketing)
We, G + R Servicebetriebe GmbH (operator of the I AM Hotels and I AM Vital Lounge), use the Brevo service (formerly Sendinblue) of the Brevo Group as an external service provider for sending newsletters. The following applies:
- By subscribing to our newsletter, you expressly consent to us sending you regular information about offers, news and events of our businesses (Hotel, Vital Lounge, etc.) by email. Registration takes place using the double opt-in procedure (you will receive a confirmation email with an activation link after registration).
- The newsletter is only sent with your prior consent (Art 6 para 1 sentence 1 a GDPR). You can revoke your consent at any time with effect for the future (see point 8 "Data Subject Rights").
- When registering via different channels (e.g. online form, QR code, form in the Vital Lounge, etc.), separate lists can be maintained (e.g. Hotel newsletter, Vital Lounge newsletter); data processing is carried out under the respective responsible party mentioned.
- For sending and optimizing the newsletter, Brevo uses automated tracking measures (e.g. opening and click analysis). The data collected in this way is evaluated pseudonymously to improve delivery quality. You can object to this processing at any time.
- Your email address and the associated registration data are stored as long as the consent exists or the newsletter is actively used. If consent is revoked, we delete or anonymize your data.
- Every newsletter email contains an unsubscribe link. Alternatively, you can revoke your consent by email to graz@iamhotel.at or by phone at +43 316 281020. After the revocation takes effect, your data will be deleted or deactivated in our mailing list.
- The processing of your data for newsletter delivery is based on your consent and within the framework of safeguarding your communication and information interests. There is a data processing agreement with Brevo in accordance with Art 28 GDPR. Further information about Brevo can be found at https://www.brevo.com/legal/termsofuse/.
3. Recipients / Data Processors
We use external service providers (data processors):
- Vercel Inc., USA – Website hosting and delivery.
- Stripe Payments Europe Ltd., Ireland – Payment processing; group transfer to Stripe, Inc., USA.
- Brevo/Sendinblue – Email delivery (transactions & newsletter).
- Sanity AS, Norway/USA – Headless CMS.
- Google LLC, USA – Interactive maps (only with explicit user activation).
- Google Ireland Limited / Google LLC, USA – Spam and abuse protection (reCAPTCHA v3).
- Google Ireland Limited / Google LLC, USA – Tag Management (Google Tag Manager).
📄 We have concluded data protection agreements (DPA) with all providers. For transfers to third countries (USA), we use EU Standard Contractual Clauses (SCC) and implement additional protective measures (Art. 44 ff. GDPR).
4. Cookies and Similar Technologies
We use technically necessary cookies and – with your consent – optional cookies.
Necessary (always active)
Session cookie "vl_auth" (JWT token): used for authentication. Lifetime: session cookie by default (expires when the browser closes), or 90 days for users who select "Remember me" (survives a browser restart). Flags: httpOnly, secure.
Optional cookies (e.g., Google Analytics for statistics) are only set with consent.
Cookies (examples)
- _ga – distinguishes users (e.g., 2 years)
- _ga_<ID> – session state/pageviews (e.g., 2 years)
- _gid – distinguishes users (24 hours)
- _gat – throttles requests (1 minute)
You can change your choice at any time via "Cookie Settings" in the footer.
5. Storage Duration
- User accounts & bookings: until deletion by user or purpose ceases to exist.
- Invoice and payment data: 7 years (§ 132 BAO, § 212 UGB).
- Newsletter data: until withdrawal of consent.
- One-time code tokens: only for validity period (max. 10 minutes), then automatic deletion.
- Rate-limiting signals (ipHash, counters): 14 days, then automatically deleted.
- Transactional email logs: stored for technical reasons for up to 1 month and then automatically deleted.
- Server logs: max. 30 days.
6. Deletion and Restriction
Users can delete their account at any time. This involves:
- Profile data anonymized,
- Sessions terminated,
- Newsletter subscriptions cancelled,
- Stripe customer data minimized or deleted.
⚠️ Invoice and accounting data remain stored for the legal duration (Art. 17(3)(b) GDPR).
7. Security
We implement technical and organizational measures such as TLS encryption, access restrictions, hashing of one-time codes, pseudonymization via ipHash, rate limiting, and regular backups.
8. Data Subject Rights
Under the GDPR, you have the right to:
- Access (Art. 15),
- Rectification (Art. 16),
- Erasure (Art. 17),
- Restriction (Art. 18),
- Data portability (Art. 20),
- Object (Art. 21),
- Withdraw consent (Art. 7(3)).
9. Right to Complain
Data subjects have the right to lodge a complaint with the Austrian Data Protection Authority (DSB):
Barichgasse 40–42, 1030 Vienna, Austria
Email: dsb@dsb.gv.at, Web: dsb.gv.at
10. Changes
We reserve the right to modify this privacy policy as needed (e.g., for new services or legal requirements).