Skip to main content
Hotel Das Saal exterior view with modern wooden facade against the majestic backdrop of the Steinberge

Privacy Policy DAS SAAL

Privacy Policy

Your data in good hands.

Last updated: February 2026

1.Data Controller and Data Protection Officer

Here you can find out who is responsible for protecting your data on this website and whom you can contact with questions.

Hotel DAS SAAL Widerhofer Hotelbetriebsgesellschaft m.b.H.

Mittergasse 21b, 5760 Saalfelden, Österreich

Managing Director

Stefan Widerhofer

VAT Number

ATU80056145

Court of Jurisdiction

Handelsgericht Wien

Data Protection Officer

Stefan Widerhofer - info@das-saal.com

2.Your Rights at a Glance

You have extensive rights when it comes to your personal data. Here is an overview - we explain everything in detail further below.

Access

You can find out at any time what data we have stored about you.

Rectification

Something not right? We will correct it.

Erasure

You can request that we delete your data (provided there are no legal retention obligations).

Restriction

You can request that we restrict the processing of your data.

Data Portability

You can receive your data in a commonly used format.

Objection

You can object to the processing of your data.

Withdrawal

You can withdraw your consent at any time. This applies from the moment of withdrawal, not retroactively.

Right to Complain

You can file a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde):

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Wien

dsb@dsb.gv.at

3.Hosting and Technical Infrastructure

Our website is operated on our own server within the European Union. Here we explain which technical services are used.

Web Server

ServerOwn server in the EU
Data CollectedEach time a page is accessed, technical data is automatically collected (so-called server log files): IP address, browser type, operating system, page visited, date and time
PurposeTechnical operation and security of the website
Legal BasisLegitimate interest (Art. 6(1)(f) GDPR)We need this data for the website to function and to detect attacks.
Storage Period14 days, then automatically deleted

Cloudflare (CDN and Security)

Cloudflare Inc., USA

PurposeWebsite acceleration (Content Delivery Network) and protection against attacks (DDoS protection)
DataIP address, access data
Legal BasisLegitimate interest (Art. 6(1)(f) GDPR)Security and performance of our website.
Data Transfer USAStandard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
More information

Fonts

All fonts are loaded locally from our server. No connection to external font services (such as Google Fonts) is established.

4.Cookies and Consent

Cookies are small text files stored on your device. Some are necessary for the website to function, others are only set with your permission.

Strictly Necessary Cookies

ConsentSet without consent
PurposeBasic website functions (e.g. session management, remembering cookie settings)
Legal BasisLegitimate interest (Art. 6(1)(f) GDPR)

Analytics and Marketing Cookies

ConsentOnly set after explicit consent
WithdrawalYou can withdraw your consent at any time via our cookie consent tool
Legal BasisConsent (Art. 6(1)(a) GDPR)

5.Web Analytics and Tracking

We analyse how our website is used in order to improve it. We use various tools for this purpose - all only after your consent, with the exception of our own tracking system.

5aGoogle Server-Side Tagging

We use Google Server-Side Tagging. This means: tracking data is not sent directly from your browser to Google, but first to our own server in the EU. There, your IP address is anonymised before the data is forwarded. This is a significantly more privacy-friendly approach than conventional tracking.

Server LocationOwn server in the EU
Services via SSTGoogle Analytics 4, Google Ads Conversion Tracking, Meta/Facebook Pixel

5bGoogle Analytics 4

Google LLC, USA (data is pre-processed via our SST server in the EU)

PurposeAnalysis of website usage, visitor statistics, optimisation of our services
DataPage views, time on site, visitor origin, device information
IP AnonymisationYes, in the SST container before data is sent to Google
Legal BasisConsent (Art. 6(1)(a) GDPR)
Data Transfer USAStandard Contractual Clauses
Storage PeriodPer GA4 default settings (14 months)
More information

5cGoogle Ads Conversion Tracking

Google LLC, USA (via SST)

PurposeMeasuring whether our Google advertisements lead to bookings or enquiries
IP AnonymisationYes, in the SST container
Legal BasisConsent (Art. 6(1)(a) GDPR)
Data Transfer USAStandard Contractual Clauses

5dMeta/Facebook Pixel

Meta Platforms Ireland Ltd. / Meta Platforms Inc., USA

The Meta Pixel runs on our site both client-side (directly in the browser) and server-side (via our SST container). With the server-side variant, the IP address is anonymised before data is forwarded to Meta.

PurposeRemarketing (showing you relevant advertisements on Facebook/Instagram), creation of custom audiences, conversion measurement
Legal BasisConsent (Art. 6(1)(a) GDPR)
Data Transfer USAStandard Contractual Clauses
NoteEvents are deduplicated between client-side and server-side to avoid double counting
More information

5eOwn First-Party Tracking

Own tracking server in the EU

PurposeWebsite analysis and optimisation, independent of third-party providers
DataPage views, time on site, click behaviour
SharingNo sharing with third parties
Legal BasisLegitimate interest (Art. 6(1)(f) GDPR)We have a legitimate interest in improving our website, and the data does not leave our server.
Storage PeriodMax. 12 months

6.Contact Forms and Enquiries

When you contact us via one of our forms, we process the data you provide. Here we explain for each form exactly what data is involved and what happens with it.

All form data is sent via the email service Resend (Resend Inc., USA). Resend processes the data solely for the purpose of email delivery and deletes it afterwards. Standard Contractual Clauses are in place. Additionally, enquiry data is stored in our own database on our EU server.

6aGeneral Contact Form

DataName, email address, message
PurposeResponding to your enquiry
Legal BasisPre-contractual measures (Art. 6(1)(b) GDPR) for enquiries about our services, otherwise legitimate interest (Art. 6(1)(f) GDPR)
Storage PeriodMax. 1 year after the enquiry is concluded

6bGroup Enquiry Form

DataType of group trip, number of guests, number of rooms, travel dates, half-board preference, coach parking requirement, company name, country, contact person, email, phone, programme preferences
PurposePreparing a customised group offer
Legal BasisPre-contractual measures (Art. 6(1)(b) GDPR)You are requesting an offer, and we need this data to prepare it.
Storage PeriodMax. 1 year after the enquiry is concluded

6cMICE/Seminar Enquiry Form

DataEvent type, number of participants, date, room requirements, company name, contact person, email, phone
PurposePreparing an event offer
Legal BasisPre-contractual measures (Art. 6(1)(b) GDPR)
Storage PeriodMax. 1 year after the enquiry is concluded

6dRestaurant Table Reservation

DataName, preferred date, time, number of guests, contact details, special requests
PurposeProcessing the table reservation
Legal BasisPre-contractual measures (Art. 6(1)(b) GDPR)
Storage PeriodMax. 1 year

6eJob Application Form

DataName, contact details, CV, cover letter, certificates and other application documents
PurposeConducting the application process
Legal BasisPre-contractual measures (Art. 6(1)(b) GDPR) in conjunction with § 10 DSG (Austrian Data Protection Act)
Storage Period6 months after the application process is concluded. With consent to join our talent pool: until withdrawal, maximum 2 years.

Your application data is used internally only for the specific process and is not shared with third parties.

7.Booking System and Hotel Management

When you book a room, your data passes through our booking system and hotel software. Here we explain which systems are involved.

7aSiteMinder (Booking Widget)

SiteMinder Ltd., Australia

PurposeOnline room booking via our website
DataName, address, contact details, travel dates, room selection, payment information
Legal BasisPerformance of a contract (Art. 6(1)(b) GDPR)You are entering into an accommodation agreement.
Data Transfer AustraliaStandard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
NoteBooking data is forwarded by SiteMinder to our hotel management system (Protel).
More information

7bProtel / Planet (Property Management System)

Planet (formerly Protel Hotelsoftware GmbH), a company of the Planet Group. Protel Cloud, hosted on EU servers.

PurposeManagement of reservations, guest data, check-in/check-out, invoicing, guest communication
DataName, address, contact details, booking details, payment information, stay data
Legal BasisPerformance of a contract (Art. 6(1)(b) GDPR) and legal retention obligations (Art. 6(1)(c) GDPR)
Storage PeriodBooking and invoice data is retained for 7 years in accordance with the Austrian Federal Fiscal Code (Bundesabgabenordnung/BAO). Guest data beyond this is deleted.
Data TransferNo data transfer to third countries (EU servers)

8.Email Delivery (Resend)

We use the service Resend for sending form confirmations and emails.

Resend Inc., USA

PurposeTechnical delivery of emails (form data, confirmations, newsletters)
DataRecipient's email address, email content
NoteResend processes the data exclusively for the purpose of email delivery
Legal BasisLegitimate interest (Art. 6(1)(f) GDPR) for transactional emails, consent (Art. 6(1)(a) GDPR) for marketing emails
Data Transfer USAStandard Contractual Clauses
More information

9.Newsletter and Email Marketing

If you wish, we will keep you informed by email. You decide whether and which emails you would like to receive from us.

Sent viaResend (see Section 8)
TypesNewsletter with news about DAS SAAL, offers and promotions, post-stay emails after your visit, notification when the restaurant menu changes
DataEmail address, optionally name, selected preferences
Legal BasisConsent (Art. 6(1)(a) GDPR)You will only receive marketing emails if you have actively signed up for them.
UnsubscribeAt any time via the unsubscribe link at the bottom of each email or by emailing info@das-saal.com
Storage PeriodUntil withdrawal of consent

10.YouTube Embeds

On some pages we embed videos from YouTube.

YouTube (Google LLC, USA)

EmbeddingIn enhanced privacy mode (youtube-nocookie.com) where possible. In this mode, data is only transmitted to YouTube when you actively play the video.
DataIP address, cookie data, device information upon playback
Legal BasisConsent (Art. 6(1)(a) GDPR)YouTube is only loaded after you give consent via the cookie consent tool.
Data Transfer USAStandard Contractual Clauses
More information

11.Data Transfers to Third Countries

Some of the services we use are based outside the EU. Here we explain which ones and how we protect your data in the process.

Service

Google (Analytics, Ads)

Location

USA

Safeguard

Standard Contractual Clauses + IP anonymisation via SST

Service

Meta (Facebook Pixel)

Location

USA

Safeguard

Standard Contractual Clauses + IP anonymisation via SST

Service

Cloudflare

Location

USA

Safeguard

Standard Contractual Clauses

Service

Resend

Location

USA

Safeguard

Standard Contractual Clauses

Service

SiteMinder

Location

Australia

Safeguard

Standard Contractual Clauses

All the above services have contractually committed to complying with European data protection standards. Where possible, we employ additional technical measures (such as IP anonymisation via Server-Side Tagging).

The following services process data exclusively within the EU:

  • Protel/Planet (hotel management)
  • Own web server
  • Own first-party tracking
  • Own cookie consent tool

12.Storage Periods Overview

We only store your data for as long as necessary. Here is an overview.

Data Type

Server log files

Storage Period

14 days

Data Type

Contact enquiries

Storage Period

Max. 1 year

Data Type

Group enquiries

Storage Period

Max. 1 year

Data Type

MICE enquiries

Storage Period

Max. 1 year

Data Type

Table reservations

Storage Period

Max. 1 year

Data Type

Job applications

Storage Period

6 months (up to 2 years with consent)

Data Type

Booking/invoice data

Storage Period

7 years (legal obligation)

Data Type

Newsletter data

Storage Period

Until withdrawal

Data Type

Analytics data

Storage Period

14 months (GA4 default)

Data Type

First-party tracking

Storage Period

Max. 12 months

Data Type

Cookie settings

Storage Period

12 months

13.Changes to This Privacy Policy

We update this privacy policy as needed, for example when we introduce new services or when the legal situation changes. The current version can always be found on this page.