Information on the Collection of Personal Data

(1) The following information explains how we collect personal data when you use our website. Personal data means any information that can be related to you personally, e.g. your name, address, e-mail addresses or user behaviour.

(2) The controller pursuant to Art. 4(7) of the EU General Data Protection Regulation (GDPR) is

Escape Stories ist eine Marke der Final Escape 2.4 GmbH
Mäuerchen 43, 42103 Wuppertal
+49 (0) 202 25314151
info @ escape-stories.de

Vertretungsberechtigter Geschäftsführer: Herr Dr. Simon Kösters und Dr. Michael Meinke

Handelsregisternummer: HRB 28514
Handelsregistergericht: Amtsgericht Wuppertal

USt-IdNr.: DE315126410
(siehe unser Impressum).

You can reach our data protection officer at:

or at our postal address, marked for the attention of 'the Data Protection Officer'.

(3) When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, and where applicable your name and telephone number) will be stored by us in order to answer your enquiry. We will delete the data arising in this context once storage is no longer necessary, or restrict processing where statutory retention obligations apply.

(4) Where we use commissioned service providers for individual functions of our offering, or where we wish to use your data for advertising purposes, we will inform you in detail below about the respective processes and state the specified criteria for the retention period.

Your Rights

(1) You have the following rights with regard to personal data concerning you:

• – Right of access,
• – Right to rectification or erasure,
• – Right to restriction of processing,
• – Right to object to processing,
• – Right to data portability.

(2) You also have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.

Collection of Personal Data When Visiting Our Website

(1) When you use the website for information purposes only, i.e. when you do not register or otherwise transmit information to us, we collect only the personal data that your browser transmits to our server. When you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (the legal basis is Art. 6(1)(1)(f) GDPR):

• – IP address
• – Date and time of the request
• – Time zone difference to Greenwich Mean Time (GMT)
• – Content of the request (specific page)
• – Access status / HTTP status code
• – Amount of data transferred in each case
• – Website from which the request originates
• – Browser
• – Operating system and its interface
• – Language and version of the browser software.

(2) In addition to the data mentioned above, cookies are stored on your device when you use our website.

(3) Third-party content such as videos, map services, RSS feeds or graphics from other websites is embedded on the website. This integration always requires that the providers of this content ('third-party providers') receive the IP addresses of users, because without the IP address they cannot send the content to the respective user's browser. The IP address is therefore required for the display of this content.

We endeavour to use only content from third-party providers who process IP addresses solely for the purpose of delivering the content. However, we have no influence over whether the third-party providers process the IP addresses for statistical purposes, for example. Where this is known to us, we will inform you of this below.

For some third-party providers, data processing outside the European Union may take place.

You can object by installing a JavaScript blocker such as the browser plug-in 'NoScript' (www.noscript.net) or by disabling JavaScript in your browser.

This may, however, result in functional limitations on the website.

Processing of (Personal) Data by the Operator of the Mobile Funnel

General
This website uses a Mobile Funnel (hereinafter: Funnel), operated by Perspective Software GmbH (hereinafter: Perspective), a company based in Germany that provides software for creating and operating Mobile Funnels (https://perspective.co/impressum). Data entered through the use of Mobile Funnels is transmitted via SSL encryption and stored in a database. The operator of this website alone is responsible for this data within the meaning of Art. 24 GDPR. Perspective is merely the operator of the software and, in that context, a processor within the meaning of Art. 28 GDPR. The basis for processing by Perspective is a data processing agreement between the controller and Perspective. In addition, Perspective Software GmbH processes further data – which may in part also constitute personal data – in the course of providing its services, in particular for the operation of the Mobile Funnel. This is discussed in more detail below.

Controller
The controller within the meaning of data protection law is: Perspective Software GmbH, Müggelstraße 22, 10247 Berlin, e-mail: privacy@perspective.co

Access logs ('server logs')
Each time the Funnel is accessed, general log data – so-called server logs – is automatically recorded. These data are generally pseudonymous and therefore do not permit any conclusions about a natural person. Without these data it would technically be partially impossible to deliver and display the contents of the software. Processing of these data is also strictly necessary for security reasons, in particular for access, input, transfer and storage control. In addition, the anonymous information may be used for statistical purposes and for the optimisation of the offering and the technology. Furthermore, the log files may be subsequently checked and evaluated if there is suspicion of unlawful use of the software. The legal basis for this is found in § 15(1) of the German Telemedia Act (TMG) and Art. 6(1)(f) GDPR. The data recorded generally includes the domain name of the website, the web browser and web browser version, the operating system and the time stamp of access to the software. The user's IP address is not stored. However, the user is assigned a so-called session ID. The scope of this logging does not exceed the usual scope of any other website on the internet. The retention period for these access logs is up to 7 days. No right to object exists.

Collection of user behaviour data
The data recorded generally includes the domain name of the website, the web browser and web browser version, the operating system, the user's session ID and the time stamp of access to the software. All data entered by the user when using the Funnel (e.g. answers to form fields; use of interactive components) are assigned to the user via a session ID and made available to the operator of this website. It is the responsibility of the operator of this website to delete, store and further process this personal data in accordance with applicable law.

Use of cookies
So-called cookies are used in the Funnels. These are small text files that are stored on the device used to access the Funnel. The cookies used serve to ensure security when visiting a website ('strictly necessary'), to implement certain functionalities such as default language settings ('functional') and to improve the user experience or performance on the website ('performance'). Within the Funnel, strictly necessary, functional and performance cookies are used, in particular to implement certain presettings such as language, to save given answers even with poor internet connections, or to analyse the performance of a Funnel and the channel through which a user accessed the Funnel. The use of cookies is strictly necessary for the provision of our services and thus for the performance of the contract (Art. 6(1)(b) GDPR). Retention period: up to 1 month or until the end of the browser session. Right to object: You can use your browser settings to decide for yourself whether to allow cookies or to object to the use of cookies. Please note that deactivation of cookies may result in restricted or completely prevented functionality of the Funnel. The operator of this website has the ability to decide individually for each Funnel used what choices regarding the use of cookies are given to the user. It is the responsibility of the website operator to use cookies in compliance with applicable legal restrictions. If the website operator uses extensions from external companies within the Funnel, it is the responsibility of the website operator to inform the user accordingly.

Data subject rights
Where Perspective Software GmbH as controller processes personal data, you as a data subject have, depending on the legal basis and purpose of the processing, certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), including in particular the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR) and the right to object (Art. 21 GDPR). Where the processing of personal data is based on your consent, you have the right under Art. 7(3) GDPR to withdraw that consent at any time. Please contact the data protection officer of Perspective Software GmbH (see item B.) to exercise your data subject rights with respect to data processed for the operation of the Funnel.

Final provisions
Perspective reserves the right to amend this privacy policy at any time to ensure that it always meets current legal requirements or to reflect changes to its services in the privacy policy, e.g. upon the introduction of new services. Your next visit to the Funnel will then be subject to the new privacy policy.

Google Web Fonts

This website uses so-called 'web fonts' provided by Google (see above) to ensure the consistent display of typefaces. This is based on a legitimate interest (Art. 6(1)(1)(f) GDPR) in presenting text and fonts correctly when you visit our website. When a page loads, your browser automatically loads the required fonts into your browser cache for this purpose.

We do regularly host these fonts on our own servers; however, your browser may still connect to Google's servers for this purpose. This allows Google to learn that our website has been accessed via your IP address or that of your browser. The use of Google Web Fonts is in the interest of a consistent and attractive presentation of our online offerings.

If your browser does not support web fonts, a default font from your computer will be used.

For further information about Google Web Fonts, please visit https://developers.google.com/fonts/faq and Google's privacy policy at https://www.google.com/policies/privacy/.

Web Analytics

This website uses the web analytics service 'Google Analytics', provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: 'Google'), on the basis of a data processing agreement (cf. Art. 28 et seq. GDPR). Google Analytics uses so-called 'cookies', text files that are stored on your computer and enable an analysis of your use of the website. The legal basis for the use of Google Analytics is your consent via our 'cookie consent box', which regularly appears when our website is first accessed, see 'Cookies' below, on the basis of Art. 49(1)(a) GDPR. Data transfer to a third country is legitimised by a contractual agreement with Google (EU SCCs – EU Standard Contractual Clauses or 'Standard Data Protection Clauses') pursuant to Art. 46(2)(c) GDPR.

The information generated by the cookie about your use of this website (e.g. browser type and version, operating system, referrer URL (the page previously visited by you), hostname of the accessing computer or router (IP address), date and time of the server request) is regularly transferred to a Google server in the USA and stored there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website and internet use to the website operator. Google may also transfer this information to third parties where required by law or where such third parties process the data on Google's behalf. The IP address transmitted by your browser within the framework of Google Analytics will not be merged with other Google data.

IP anonymisation is active on this website, i.e. the Google tracking codes on this website use the '_anonymizeIp()' function, so that IP addresses are only processed in truncated form to exclude direct personal identification. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there.

You can prevent the storage of cookies by adjusting your browser software settings or by refusing or withdrawing your consent in our cookie consent box (see 'Cookies' below); please note, however, that in this case you may not be able to make full use of all the functions of this website.

You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, and the processing of such data by Google, by downloading and installing the browser plug-in available here. This will place an 'opt-out cookie' on your system in relation to your browser and our website in order to activate the aforementioned function. Please note that if you change your system and/or browser or delete this cookie, you will need to set the opt-out cookie again in the manner described above.

Google Tag Manager

We use Google Tag Manager on our website. Google Tag Manager is a solution that allows marketers to manage website tags through an interface. The Tag Manager tool itself (which implements the tags) is a cookie-free domain and does not collect any personal data. The tool triggers other tags which may in turn collect data. Google Tag Manager does not access this data. If a deactivation has been carried out at domain or cookie level, this will remain in place for all tracking tags implemented with Google Tag Manager.

YouTube

We embed videos from YouTube (belonging to Google, see above) on our websites via the corresponding plug-ins as part of our online offering, based on your consent pursuant to Art. 49(1)(a) GDPR. These videos are regularly stored on www.youtube.com and can be played directly from our website. These are primarily embedded in 'extended data protection mode', meaning that no data about you as a user is transferred to YouTube if you do not play the videos. The data referred to in the following paragraph is only transferred when you play the videos. We have no influence over this data transfer itself.

You grant your consent through the so-called 'double-click' solution, meaning that as long as you do not click on a correspondingly marked YouTube video, it will neither be played nor will any data be transferred to the YouTube servers. Only when you explicitly click on the video (again) does the streaming service start. A connection to the YouTube servers in the USA is then established and YouTube receives the information that you have accessed the relevant sub-page of our website. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to YouTube/Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your YouTube profile, you must log out of your account before activating the video. YouTube stores your data as user profiles and uses them, for example, for its own purposes of advertising, market research and/or tailored website design. Such analysis takes place in particular (even for users who are not logged in) to serve needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the formation of these user profiles, and to exercise this right you must contact YouTube or Google.

For further information on the purpose and scope of data collection and its processing by YouTube, please refer to their privacy policy. You will also find further information on your rights and settings options to protect your privacy at the current link www.google.de/intl/de/policies/privacy.

Social Media

The content on our pages can be shared in social networks such as Facebook, Google or YouTube in a privacy-compliant manner. Direct contact between the networks and users is only established when the user actively clicks on one of these buttons.

User data is not automatically transferred to the operators of these platforms. If the user is registered with one of the social networks, an information window appears when links on Facebook, Twitter, YouTube & Co. are shared, in which the user can confirm the text before sending.

Our users can share the content of this page in social networks in a privacy-compliant manner without complete browsing profiles being created by the network operators.

Further Functions and Offerings of Our Website

(1) In addition to the purely informational use of our website, we offer various services that you can use if you are interested. To do so, you will generally be required to provide further personal data, which we use to provide the respective service and to which the data processing principles mentioned above apply.

(2) In some cases, we use external service providers to process your data. These have been carefully selected and engaged by us, are bound by our instructions and are regularly monitored.

(3) Furthermore, we may share your personal data with third parties where promotions, competitions, contract conclusions or similar services are offered jointly with partners. You will receive more detailed information on this when you provide your personal data or in the description of the offering below.

(4) Where our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you of the implications of this circumstance in the description of the offering.

Note on data transfer to the USA
Among other things, this website incorporates tools from companies based in the USA. When these tools are active, your personal data may be transferred to the US servers of the respective companies. We draw your attention to the fact that the USA is not a safe third country within the meaning of EU data protection law. US companies are obliged to hand over personal data to the security authorities without you as the data subject being able to take legal action against this. It cannot therefore be excluded that US authorities (e.g. intelligence services) may process, evaluate and permanently store your data located on US servers for surveillance purposes. We have no influence over these processing activities.

Objection or Withdrawal of Consent to the Processing of Your Data

(1) If you have given consent to the processing of your data, you may withdraw it at any time. Such a withdrawal affects the permissibility of the processing of your personal data after you have communicated it to us.

(2) To the extent that we base the processing of your personal data on a balancing of interests, you may object to the processing. This is the case where the processing is in particular not necessary for the performance of a contract with you, as we will indicate in the description of the respective functions below. When exercising such an objection, we ask you to set out the reasons why we should not process your personal data as we have done. In the event of your reasoned objection, we will review the situation and will either discontinue or adjust the data processing or show you our compelling legitimate grounds on the basis of which we continue the processing.

(3) Of course, you may object to the processing of your personal data for advertising and data analysis purposes at any time. You can inform us of your advertising objection using the following contact details: info@escape-stories.de.

Newsletter

(1) With your consent, you can subscribe to our newsletter, through which we inform you about our current interesting offers. The goods and services advertised are named in the declaration of consent.

(2) We use the so-called double opt-in procedure for newsletter sign-ups. This means that after you have registered, we will send you an e-mail to the e-mail address provided, in which we ask you to confirm that you wish to receive the newsletter. In addition, we store your IP addresses used and the time of registration and confirmation in each case. The purpose of the procedure is to prove your registration and, if necessary, to clarify any possible misuse of your personal data.

(3) The only mandatory information required to send the newsletter is your e-mail address. The provision of further data, marked separately, is voluntary and is used to be able to address you personally. After your confirmation, we store your e-mail address for the purpose of sending the newsletter. The legal basis is Art. 6(1)(1)(a) GDPR.

(4) You can withdraw your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare your withdrawal by clicking on the link provided in each newsletter e-mail, by e-mail to info@escape-stories.de or by a message to the contact details given in the legal notice.

(5) We draw your attention to the fact that we evaluate your user behaviour when sending the newsletter. For this evaluation, the e-mails sent contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. For the evaluations, we link the data mentioned in § 3 and the web beacons with your e-mail address and an individual ID. With the data thus obtained, we create a user profile in order to tailor the newsletter to your individual interests. In doing so, we record when you read our newsletters, which links you click on in them, and draw conclusions from this about your personal interests. We link this data with actions taken by you on our website.

Facebook, Instagram, Sofort-Gutschein, WhatsApp

(1) Links to the aforementioned services are provided on our website. We do not share your personal data. Social plug-ins are not used on our site, meaning that if you do not expressly follow the relevant links, no data will be transferred to the services mentioned.

(2) When you follow these links, your browser establishes a connection to the respective social network or service. In doing so, data such as your IP address is transferred, enabling these services to associate the visit to our page with your user account, if one exists. You can prevent this association by logging out of your respective user account.

(3) For the chat function on our website, we use WhatsApp technology. When using the chat function, your contact details and chat content are processed. To use the chat function, you must have WhatsApp installed on your smartphone and agree to WhatsApp's privacy policy. The legal basis for the processing of your personal data is consent pursuant to Art. 6(1)(a), which you must grant before using the function.

When you use WhatsApp, you agree to WhatsApp's terms of service. These can be found here: https://www.whatsapp.com/legal/?l=en#terms-of-service

Online Booking

(1) To enable you to book our offerings conveniently online, we use the booking engine of QuinBook (WOIZZER AG).

Your data is collected, processed and used exclusively for the purpose of

• – establishing, performing and processing the contractual relationship created by the booking, and
• – any possible pre- and post-stay mailing.

Our partner companies ensure that processing and use of your data for the purposes of advisory services, advertising and market research only takes place with your express consent. You may object to the use of your data by our partner companies at any time.

(2) When you wish to book a service with us online, it is necessary for the conclusion of the contract that you provide your personal data, which we require to process your order. Mandatory information required for the processing of the contracts is marked separately; all further information is voluntary. We process the data you provide to process your order. For this purpose, we may share your payment data with our principal bank. The legal basis for this is Art. 6(1)(1)(b) GDPR.

(3) We are obliged by commercial and tax law requirements to store your address, payment and order data for a period of ten years. After two years, however, we apply a restriction on processing, meaning your data will only be used to fulfil statutory obligations.

Scope and Purpose of Video Surveillance

(1) The premises of ESCAPE STORIES are subject to video surveillance within the statutory limits, in particular those of the Federal Data Protection Act (BDSG, new version) and the EU General Data Protection Regulation (GDPR).

(2) Video surveillance is only permissible to the extent required by ESCAPE STORIES' interests and where no legitimate interests of guests conflict with this. Within the game rooms, video surveillance is required for the smooth running of the game and serves the purpose of live monitoring by the game master.

(3) Any video surveillance that is in place is always made apparent to the persons concerned. It is always clear which video camera is active at any given time.

(4) Compliance with the rights of data subjects pursuant to Arts. 14 to 21 GDPR is ensured.

(5) The legal basis for the processing of your data is Art. 6(1)(1)(f) GDPR (Art. 13(1)(d) GDPR).

(6) All rights pursuant to § 2 of this privacy policy, in particular the right of access and right to lodge a complaint, remain unaffected for you (Art. 13(1) and (2) GDPR).

(7) No recording of video footage from the game rooms takes place.

Contact Form

(1) You have the option of contacting us via our contact form. The entry of data is expressly on a voluntary basis. The personal data provided will be treated confidentially and used for the intended purpose in accordance with the applicable data protection provisions. Data will not be passed on to third parties outside our company.

(2) We are obliged by commercial and tax law requirements to store your address, payment and order data for a period of ten years. After two years, however, we apply a restriction on processing, meaning your data will only be used to fulfil statutory obligations; see § 13.

Security

ESCAPE STORIES uses technical and organisational security measures to protect the data you provide against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. These security measures are continuously improved in line with technological developments. Furthermore, all employees and vicarious agents are bound by the data secrecy obligation of the Federal Data Protection Act.

Changes to This Privacy Policy

ESCAPE STORIES reserves the right to amend this privacy policy. The current version of the privacy policy is always available on the ESCAPE STORIES website at https://www.escape-stories.de/informieren/datenschutz/.

Version: August 2021

Escape Stories